=================================================================
==1==ERROR: AddressSanitizer: heap-use-after-free on address 0x51800000e980 at pc 0x6119467a5d65 bp 0x791c8beddca0 sp 0x791c8bedd470
WRITE of size 512 at 0x51800000e980 thread T11 (Realtime AudioW)
    #0 0x6119467a5d64 in __asan_memset _asan_rtl_:3
    #1 0x611966657287 in Zero ./../../third_party/blink/renderer/platform/audio/audio_channel.h:0:0
    #2 0x611966657287 in blink::AudioBus::Zero() ./../../third_party/blink/renderer/platform/audio/audio_bus.cc:108:13
    #3 0x611969d106eb in SilenceOutputs ./../../third_party/blink/renderer/modules/webaudio/audio_handler.cc:401:20
    #4 0x611969d106eb in blink::AudioHandler::ProcessIfNecessary(unsigned int) ./../../third_party/blink/renderer/modules/webaudio/audio_handler.cc:336:7
    #5 0x611969ddef34 in blink::DeferredTaskHandler::ProcessAutomaticPullNodes(unsigned int) ./../../third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc:198:41
    #6 0x611969e4f871 in blink::RealtimeAudioDestinationHandler::Render(blink::AudioBus*, unsigned int, blink::AudioIOPosition const&, blink::AudioCallbackMetric const&, base::TimeDelta, media::AudioGlitchInfo const&) ./../../third_party/blink/renderer/modules/webaudio/realtime_audio_destination_handler.cc:247:37
    #7 0x611969e5ad42 in PullFromCallback ./../../third_party/blink/renderer/platform/audio/audio_destination.cc:589:14
    #8 0x611969e5ad42 in blink::AudioDestination::ProvideResamplerInput(int, blink::AudioBus*) ./../../third_party/blink/renderer/platform/audio/audio_destination.cc:575:3
    #9 0x611969e5ca7e in Invoke ./../../base/functional/bind_internal.h:738:12
    #10 0x611969e5ca7e in MakeItSo > &, int, blink::AudioBus *> ./../../base/functional/bind_internal.h:930:12
    #11 0x611969e5ca7e in RunImpl > &, 0UL> ./../../base/functional/bind_internal.h:1067:14
    #12 0x611969e5ca7e in base::internal::Invoker, base::internal::BindState>, void (int, blink::AudioBus*)>::Run(base::internal::BindStateBase*, int, blink::AudioBus*) ./../../base/functional/bind_internal.h:987:12
    #13 0x611969e0a1cf in base::RepeatingCallback::Run(int, blink::AudioBus*) const & ./../../base/functional/callback.h:344:12
    #14 0x611969e0964f in Run ./../../third_party/blink/renderer/platform/wtf/functional.h:305:22
    #15 0x611969e0964f in blink::MediaMultiChannelResampler::ProvideResamplerInput(int, media::AudioBus*) ./../../third_party/blink/renderer/platform/audio/media_multi_channel_resampler.cc:59:12
    #16 0x611969e09f01 in Invoke ./../../base/functional/bind_internal.h:738:12
    #17 0x611969e09f01 in MakeItSo > &, int, media::AudioBus *> ./../../base/functional/bind_internal.h:930:12
    #18 0x611969e09f01 in RunImpl > &, 0UL> ./../../base/functional/bind_internal.h:1067:14
    #19 0x611969e09f01 in base::internal::Invoker, base::internal::BindState>, void (int, media::AudioBus*)>::Run(base::internal::BindStateBase*, int, media::AudioBus*) ./../../base/functional/bind_internal.h:987:12
    #20 0x6119491498bf in base::RepeatingCallback::Run(int, media::AudioBus*) const & ./../../base/functional/callback.h:344:12
    #21 0x6119491ba2c6 in Invoke ./../../base/functional/bind_internal.h:738:12
    #22 0x6119491ba2c6 in MakeItSo, int> &, int, float *> ./../../base/functional/bind_internal.h:930:12
    #23 0x6119491ba2c6 in RunImpl, int> &, 0UL, 1UL> ./../../base/functional/bind_internal.h:1067:14
    #24 0x6119491ba2c6 in base::internal::Invoker, base::internal::BindState, int>, void (int, float*)>::Run(base::internal::BindStateBase*, int, float*) ./../../base/functional/bind_internal.h:987:12
    #25 0x6119491fe0df in base::RepeatingCallback::Run(int, float*) const & ./../../base/functional/callback.h:344:12
    #26 0x6119491fdc15 in media::SincResampler::Resample(int, float*) ./../../media/base/sinc_resampler.cc:343:14
    #27 0x611969e556f3 in blink::AudioDestination::RequestRender(unsigned long, unsigned long, base::TimeDelta, base::TimeTicks, media::AudioGlitchInfo const&) ./../../third_party/blink/renderer/platform/audio/audio_destination.cc:556:19
    #28 0x611969e5bdb1 in Invoke, unsigned int, unsigned long, base::TimeDelta, base::TimeTicks, media::AudioGlitchInfo> ./../../base/functional/bind_internal.h:738:12
    #29 0x611969e5bdb1 in MakeItSo, unsigned int, unsigned long, base::TimeDelta, base::TimeTicks, media::AudioGlitchInfo> > ./../../base/functional/bind_internal.h:930:12
    #30 0x611969e5bdb1 in RunImpl, unsigned int, unsigned long, base::TimeDelta, base::TimeTicks, media::AudioGlitchInfo>, 0UL, 1UL, 2UL, 3UL, 4UL, 5UL> ./../../base/functional/bind_internal.h:1067:14
    #31 0x611969e5bdb1 in base::internal::Invoker&&, unsigned int&&, unsigned long&&, base::TimeDelta&&, base::TimeTicks&&, media::AudioGlitchInfo&&>, base::internal::BindState, unsigned int, unsigned long, base::TimeDelta, base::TimeTicks, media::AudioGlitchInfo>, void ()>::RunOnce(base::internal::BindStateBase*) ./../../base/functional/bind_internal.h:980:12
    #32 0x611958660646 in Run ./../../base/functional/callback.h:156:12
    #33 0x611958660646 in base::TaskAnnotator::RunTaskImpl(base::PendingTask&) ./../../base/task/common/task_annotator.cc:203:34
    #34 0x6119586c2ad5 in RunTask<(lambda at ../../base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:486:11)> ./../../base/task/common/task_annotator.h:90:5
    #35 0x6119586c2ad5 in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl(base::LazyNow*) ./../../base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:484:23
    #36 0x6119586c1b45 in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() ./../../base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:346:40
    #37 0x6119586c37ba in non-virtual thunk to base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() ./../../base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:0:0
    #38 0x6119585633ca in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) ./../../base/message_loop/message_pump_default.cc:40:55
    #39 0x6119586c4409 in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run(bool, base::TimeDelta) ./../../base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:654:12
    #40 0x6119585f9e0e in base::RunLoop::Run(base::Location const&) ./../../base/run_loop.cc:134:14
    #41 0x611955058562 in blink::scheduler::NonMainThreadImpl::SimpleThreadImpl::Run() ./../../third_party/blink/renderer/platform/scheduler/worker/non_main_thread_impl.cc:188:14
    #42 0x61195878555f in base::(anonymous namespace)::ThreadFunc(void*) ./../../base/threading/platform_thread_posix.cc:101:13
    #43 0x6119467a5706 in asan_thread_start(void*) _asan_rtl_:28

0x51800000e980 is located 256 bytes inside of 768-byte region [0x51800000e880,0x51800000eb80)
freed by thread T0 (chrome) here:
    #0 0x6119467a7a46 in __interceptor_free _asan_rtl_:3
    #1 0x6119491fc44c in AlignedFree ./../../base/memory/aligned_memory.h:54:3
    #2 0x6119491fc44c in operator() ./../../base/memory/aligned_memory.h:62:5
    #3 0x6119491fc44c in reset ./../../third_party/libc++/src/include/__memory/unique_ptr.h:468:7
    #4 0x6119491fc44c in ~unique_ptr ./../../third_party/libc++/src/include/__memory/unique_ptr.h:429:71
    #5 0x6119491fc44c in media::SincResampler::~SincResampler() ./../../media/base/sinc_resampler.cc:194:31
    #6 0x6119491ba4d3 in operator() ./../../third_party/libc++/src/include/__memory/unique_ptr.h:67:5
    #7 0x6119491ba4d3 in reset ./../../third_party/libc++/src/include/__memory/unique_ptr.h:278:7
    #8 0x6119491ba4d3 in ~unique_ptr ./../../third_party/libc++/src/include/__memory/unique_ptr.h:248:71
    #9 0x6119491ba4d3 in __destroy_at >, 0> ./../../third_party/libc++/src/include/__memory/construct_at.h:67:11
    #10 0x6119491ba4d3 in destroy >, void, 0> ./../../third_party/libc++/src/include/__memory/allocator_traits.h:340:5
    #11 0x6119491ba4d3 in __base_destruct_at_end ./../../third_party/libc++/src/include/vector:950:7
    #12 0x6119491ba4d3 in __clear ./../../third_party/libc++/src/include/vector:944:5
    #13 0x6119491ba4d3 in std::__Cr::vector>, std::__Cr::allocator>>>::__destroy_vector::operator()() ./../../third_party/libc++/src/include/vector:522:16
    #14 0x6119491b93c7 in ~vector ./../../third_party/libc++/src/include/vector:533:67
    #15 0x6119491b93c7 in ~MultiChannelResampler ./../../media/base/multi_channel_resampler.cc:47:47
    #16 0x6119491b93c7 in media::MultiChannelResampler::~MultiChannelResampler() ./../../media/base/multi_channel_resampler.cc:47:47
    #17 0x611969e525be in operator() ./../../third_party/libc++/src/include/__memory/unique_ptr.h:67:5
    #18 0x611969e525be in reset ./../../third_party/libc++/src/include/__memory/unique_ptr.h:278:7
    #19 0x611969e525be in ~unique_ptr ./../../third_party/libc++/src/include/__memory/unique_ptr.h:248:71
    #20 0x611969e525be in ~MediaMultiChannelResampler ./../../third_party/blink/renderer/platform/audio/media_multi_channel_resampler.h:25:23
    #21 0x611969e525be in operator() ./../../third_party/libc++/src/include/__memory/unique_ptr.h:67:5
    #22 0x611969e525be in reset ./../../third_party/libc++/src/include/__memory/unique_ptr.h:278:7
    #23 0x611969e525be in ~unique_ptr ./../../third_party/libc++/src/include/__memory/unique_ptr.h:248:71
    #24 0x611969e525be in blink::AudioDestination::~AudioDestination() ./../../third_party/blink/renderer/platform/audio/audio_destination.cc:99:1
    #25 0x611969e4e625 in DeleteInternal ./../../third_party/blink/renderer/platform/wtf/thread_safe_ref_counted.h:65:5
    #26 0x611969e4e625 in Destruct ./../../third_party/blink/renderer/platform/wtf/thread_safe_ref_counted.h:45:5
    #27 0x611969e4e625 in Release ./../../base/memory/ref_counted.h:416:7
    #28 0x611969e4e625 in Release ./../../base/memory/scoped_refptr.h:384:8
    #29 0x611969e4e625 in ~scoped_refptr ./../../base/memory/scoped_refptr.h:273:7
    #30 0x611969e4e625 in operator= ./../../base/memory/scoped_refptr.h:299:3
    #31 0x611969e4e625 in blink::RealtimeAudioDestinationHandler::CreatePlatformDestination() ./../../third_party/blink/renderer/modules/webaudio/realtime_audio_destination_handler.cc:347:25
    #32 0x611969e4ec8c in blink::RealtimeAudioDestinationHandler::SetChannelCount(unsigned int, blink::ExceptionState&) ./../../third_party/blink/renderer/modules/webaudio/realtime_audio_destination_handler.cc:138:3
    #33 0x6119683474ea in blink::(anonymous namespace)::v8_audio_node::ChannelCountAttributeSetCallback(v8::FunctionCallbackInfo const&) ./gen/third_party/blink/renderer/bindings/modules/v8/v8_audio_node.cc:166:17
    #34 0x61194ba21a60 in v8::internal::FunctionCallbackArguments::CallOrConstruct(v8::internal::Tagged, bool) ./../../v8/src/api/api-arguments-inl.h:95:3
    #35 0x61194ba1ee17 in HandleApiCallHelper ./../../v8/src/builtins/builtins-api.cc:108:36
    #36 0x61194ba1ee17 in v8::internal::Builtins::InvokeApiFunction(v8::internal::Isolate*, bool, v8::internal::Handle, v8::internal::Handle, int, v8::internal::Handle*, v8::internal::Handle) ./../../v8/src/builtins/builtins-api.cc:196:10
    #37 0x61194c8eb6fa in v8::internal::Object::SetPropertyWithAccessor(v8::internal::LookupIterator*, v8::internal::Handle, v8::Maybe) ./../../v8/src/objects/objects.cc:1549:5
    #38 0x61194c8f0fc5 in v8::internal::Object::SetPropertyInternal(v8::internal::LookupIterator*, v8::internal::Handle, v8::Maybe, v8::internal::StoreOrigin, bool*) ./../../v8/src/objects/objects.cc:2288:16
    #39 0x61194c8f08a9 in v8::internal::Object::SetProperty(v8::internal::LookupIterator*, v8::internal::Handle, v8::internal::StoreOrigin, v8::Maybe) ./../../v8/src/objects/objects.cc:2361:9
    #40 0x61194c1ac6b7 in v8::internal::StoreIC::Store(v8::internal::Handle, v8::internal::Handle, v8::internal::Handle, v8::internal::StoreOrigin) ./../../v8/src/ic/ic.cc:1948:5
    #41 0x61194c1be1df in __RT_impl_Runtime_StoreIC_Miss ./../../v8/src/ic/ic.cc:2929:3
    #42 0x61194c1be1df in v8::internal::Runtime_StoreIC_Miss(int, unsigned long*, v8::internal::Isolate*) ./../../v8/src/ic/ic.cc:2901:1
    #43 0x61194f42eeb5 in Builtins_CEntry_Return1_ArgvOnStack_NoBuiltinExit setup-isolate-deserialize.cc:0:0
    #44 0x61194f519de6 in Builtins_SetNamedPropertyHandler setup-isolate-deserialize.cc:0:0
    #45 0x61194f38f8a6 in Builtins_InterpreterEntryTrampoline setup-isolate-deserialize.cc:0:0
    #46 0x61194f38d31b in Builtins_JSEntryTrampoline setup-isolate-deserialize.cc:0:0
    #47 0x61194f38d05e in Builtins_JSEntry setup-isolate-deserialize.cc:0:0
    #48 0x61194bd7a17b in Call ./../../v8/src/execution/simulator.h:187:12
    #49 0x61194bd7a17b in v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, v8::internal::(anonymous namespace)::InvokeParams const&) ./../../v8/src/execution/execution.cc:420:22
    #50 0x61194bd77cf2 in v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle, v8::internal::Handle, int, v8::internal::Handle*) ./../../v8/src/execution/execution.cc:506:10
    #51 0x61194b94462a in v8::Function::Call(v8::Local, v8::Local, int, v8::Local*) ./../../v8/src/api/api.cc:5572:7
    #52 0x6119632d5eda in blink::V8ScriptRunner::CallFunction(v8::Local, blink::ExecutionContext*, v8::Local, int, v8::Local*, v8::Isolate*) ./../../third_party/blink/renderer/bindings/core/v8/v8_script_runner.cc:870:17
    #53 0x611967839e0b in CallInternal ./../../third_party/blink/renderer/bindings/core/v8/callback_invoke_helper.cc:142:12
    #54 0x611967839e0b in blink::bindings::CallbackInvokeHelper::Call(int, v8::Local*) ./../../third_party/blink/renderer/bindings/core/v8/callback_invoke_helper.cc:163:10
    #55 0x6119678499f0 in blink::V8EventHandlerNonNull::InvokeWithoutRunnabilityCheck(blink::bindings::V8ValueOrScriptWrappableAdapter, blink::HeapVector const&) ./gen/third_party/blink/renderer/bindings/core/v8/v8_event_handler_non_null.cc:189:13
    #56 0x611963d424de in blink::JSEventHandler::InvokeInternal(blink::EventTarget&, blink::Event&, v8::Local) ./../../third_party/blink/renderer/bindings/core/v8/js_event_handler.cc:134:14
    #57 0x611963c2fdf3 in blink::JSBasedEventListener::Invoke(blink::ExecutionContext*, blink::Event*) ./../../third_party/blink/renderer/bindings/core/v8/js_based_event_listener.cc:158:5
    #58 0x611963c210d6 in blink::EventTarget::FireEventListeners(blink::Event&, blink::EventTargetData*, blink::HeapVector, 1u>) ./../../third_party/blink/renderer/core/dom/events/event_target.cc:1112:15
    #59 0x611963c1f313 in blink::EventTarget::FireEventListeners(blink::Event&) ./../../third_party/blink/renderer/core/dom/events/event_target.cc:1031:29

previously allocated by thread T0 (chrome) here:
    #0 0x6119467a87a7 in ___interceptor_posix_memalign _asan_rtl_:3
    #1 0x61195854d13d in base::AlignedAlloc(unsigned long, unsigned long) ./../../base/memory/aligned_memory.cc:34:13
    #2 0x6119491fb6af in media::SincResampler::SincResampler(double, int, base::RepeatingCallback) ./../../media/base/sinc_resampler.cc:170:11
    #3 0x6119491b8939 in make_unique > ./../../third_party/libc++/src/include/__memory/unique_ptr.h:620:30
    #4 0x6119491b8939 in media::MultiChannelResampler::MultiChannelResampler(int, double, unsigned long, base::RepeatingCallback) ./../../media/base/multi_channel_resampler.cc:27:27
    #5 0x611969e09200 in make_unique > ./../../third_party/libc++/src/include/__memory/unique_ptr.h:620:30
    #6 0x611969e09200 in blink::MediaMultiChannelResampler::MediaMultiChannelResampler(int, double, unsigned int, WTF::CrossThreadFunction) ./../../third_party/blink/renderer/platform/audio/media_multi_channel_resampler.cc:23:16
    #7 0x611969e59ddb in make_unique > ./../../third_party/libc++/src/include/__memory/unique_ptr.h:620:30
    #8 0x611969e59ddb in blink::AudioDestination::AudioDestination(blink::AudioIOCallback&, blink::WebAudioSinkDescriptor const&, unsigned int, blink::WebAudioLatencyHint const&, std::__Cr::optional, unsigned int) ./../../third_party/blink/renderer/platform/audio/audio_destination.cc:427:18
    #9 0x611969e52205 in blink::AudioDestination::Create(blink::AudioIOCallback&, blink::WebAudioSinkDescriptor const&, unsigned int, blink::WebAudioLatencyHint const&, std::__Cr::optional, unsigned int) ./../../third_party/blink/renderer/platform/audio/audio_destination.cc:92:11
    #10 0x611969e4e579 in blink::RealtimeAudioDestinationHandler::CreatePlatformDestination() ./../../third_party/blink/renderer/modules/webaudio/realtime_audio_destination_handler.cc:347:27
    #11 0x611969e4e3fc in blink::RealtimeAudioDestinationHandler::Initialize() ./../../third_party/blink/renderer/modules/webaudio/realtime_audio_destination_handler.cc:78:3
    #12 0x611969da75cf in blink::BaseAudioContext::Initialize() ./../../third_party/blink/renderer/modules/webaudio/base_audio_context.cc:122:34
    #13 0x611969cf3000 in blink::AudioContext::AudioContext(blink::LocalDOMWindow&, blink::WebAudioLatencyHint const&, std::__Cr::optional, blink::WebAudioSinkDescriptor) ./../../third_party/blink/renderer/modules/webaudio/audio_context.cc:295:3
    #14 0x611969cf0e89 in Call &, blink::WebAudioSinkDescriptor &> ./../../v8/include/cppgc/allocation.h:241:32
    #15 0x611969cf0e89 in MakeGarbageCollected &, blink::WebAudioSinkDescriptor &> ./../../v8/include/cppgc/allocation.h:279:7
    #16 0x611969cf0e89 in MakeGarbageCollected &, blink::WebAudioSinkDescriptor &> ./../../third_party/blink/renderer/platform/heap/garbage_collected.h:37:10
    #17 0x611969cf0e89 in blink::AudioContext::Create(blink::ExecutionContext*, blink::AudioContextOptions const*, blink::ExceptionState&) ./../../third_party/blink/renderer/modules/webaudio/audio_context.cc:211:33
    #18 0x611968361f8b in blink::(anonymous namespace)::v8_audio_context::ConstructorCallback(v8::FunctionCallbackInfo const&) ./gen/third_party/blink/renderer/bindings/modules/v8/v8_audio_context.cc:254:23
    #19 0x61194ba21a60 in v8::internal::FunctionCallbackArguments::CallOrConstruct(v8::internal::Tagged, bool) ./../../v8/src/api/api-arguments-inl.h:95:3
    #20 0x61194ba1fc25 in v8::internal::MaybeHandle v8::internal::(anonymous namespace)::HandleApiCallHelper(v8::internal::Isolate*, v8::internal::Handle, v8::internal::Handle, v8::internal::Handle, unsigned long*, int) ./../../v8/src/builtins/builtins-api.cc:108:36
    #21 0x61194ba1de6d in v8::internal::Builtin_Impl_HandleApiConstruct(v8::internal::BuiltinArguments, v8::internal::Isolate*) ./../../v8/src/builtins/builtins-api.cc:139:3
    #22 0x61194f42edf5 in Builtins_CEntry_Return1_ArgvOnStack_BuiltinExit setup-isolate-deserialize.cc:0:0
    #23 0x61194f3904ce in construct_stub_invoke_deopt_addr setup-isolate-deserialize.cc:0:0
    #24 0x61194f5250d3 in Builtins_ConstructHandler setup-isolate-deserialize.cc:0:0
    #25 0x61194f38f8a6 in Builtins_InterpreterEntryTrampoline setup-isolate-deserialize.cc:0:0
    #26 0x61194f38f8a6 in Builtins_InterpreterEntryTrampoline setup-isolate-deserialize.cc:0:0
    #27 0x61194f38d31b in Builtins_JSEntryTrampoline setup-isolate-deserialize.cc:0:0
    #28 0x61194f38d05e in Builtins_JSEntry setup-isolate-deserialize.cc:0:0
    #29 0x61194bd7a17b in Call ./../../v8/src/execution/simulator.h:187:12
    #30 0x61194bd7a17b in v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, v8::internal::(anonymous namespace)::InvokeParams const&) ./../../v8/src/execution/execution.cc:420:22
    #31 0x61194bd77cf2 in v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle, v8::internal::Handle, int, v8::internal::Handle*) ./../../v8/src/execution/execution.cc:506:10
    #32 0x61194b94462a in v8::Function::Call(v8::Local, v8::Local, int, v8::Local*) ./../../v8/src/api/api.cc:5572:7
    #33 0x6119632d5eda in blink::V8ScriptRunner::CallFunction(v8::Local, blink::ExecutionContext*, v8::Local, int, v8::Local*, v8::Isolate*) ./../../third_party/blink/renderer/bindings/core/v8/v8_script_runner.cc:870:17
    #34 0x611967839e0b in CallInternal ./../../third_party/blink/renderer/bindings/core/v8/callback_invoke_helper.cc:142:12
    #35 0x611967839e0b in blink::bindings::CallbackInvokeHelper::Call(int, v8::Local*) ./../../third_party/blink/renderer/bindings/core/v8/callback_invoke_helper.cc:163:10
    #36 0x6119678499f0 in blink::V8EventHandlerNonNull::InvokeWithoutRunnabilityCheck(blink::bindings::V8ValueOrScriptWrappableAdapter, blink::HeapVector const&) ./gen/third_party/blink/renderer/bindings/core/v8/v8_event_handler_non_null.cc:189:13
    #37 0x611963d424de in blink::JSEventHandler::InvokeInternal(blink::EventTarget&, blink::Event&, v8::Local) ./../../third_party/blink/renderer/bindings/core/v8/js_event_handler.cc:134:14

Thread T11 (Realtime AudioW) created by T0 (chrome) here:
    #0 0x61194678d511 in ___interceptor_pthread_create _asan_rtl_:3
    #1 0x611958784ad9 in base::(anonymous namespace)::CreateThread(unsigned long, bool, base::PlatformThreadBase::Delegate*, base::PlatformThreadHandle*, base::ThreadType, base::MessagePumpType) ./../../base/threading/platform_thread_posix.cc:146:13
    #2 0x61195873af5e in base::SimpleThread::StartAsync() ./../../base/threading/simple_thread.cc:55:13
    #3 0x611955056360 in blink::NonMainThread::CreateThread(blink::ThreadCreationParams const&) ./../../third_party/blink/renderer/platform/scheduler/worker/non_main_thread_impl.cc:41:11
    #4 0x611966342a60 in blink::WorkerBackingThread::WorkerBackingThread(blink::ThreadCreationParams const&) ./../../third_party/blink/renderer/core/workers/worker_backing_thread.cc:133:23
    #5 0x611969e6724c in make_unique ./../../third_party/libc++/src/include/__memory/unique_ptr.h:620:30
    #6 0x611969e6724c in blink::RealtimeAudioWorkletThread::RealtimeAudioWorkletThread(blink::WorkerReportingProxy&, base::TimeDelta) ./../../third_party/blink/renderer/modules/webaudio/realtime_audio_worklet_thread.cc:87:30
    #7 0x611969d7ef00 in make_unique ./../../third_party/libc++/src/include/__memory/unique_ptr.h:620:30
    #8 0x611969d7ef00 in CreateWorkletThreadWithConstraints ./../../third_party/blink/renderer/modules/webaudio/audio_worklet_messaging_proxy.cc:131:12
    #9 0x611969d7ef00 in blink::AudioWorkletMessagingProxy::CreateWorkerThread() ./../../third_party/blink/renderer/modules/webaudio/audio_worklet_messaging_proxy.cc:116:10
    #10 0x61196633993b in blink::ThreadedMessagingProxyBase::InitializeWorkerThread(std::__Cr::unique_ptr>, std::__Cr::optional const&, std::__Cr::optional const> const&, std::__Cr::unique_ptr>) ./../../third_party/blink/renderer/core/workers/threaded_messaging_proxy_base.cc:77:20
    #11 0x6119694f3cc5 in blink::ThreadedWorkletMessagingProxy::Initialize(blink::WorkerClients*, blink::WorkletModuleResponsesMap*, std::__Cr::optional const&, mojo::StructPtr) ./../../third_party/blink/renderer/core/workers/threaded_worklet_messaging_proxy.cc:160:3
    #12 0x611969d7bf96 in blink::AudioWorklet::CreateGlobalScope() ./../../third_party/blink/renderer/modules/webaudio/audio_worklet.cc:82:10
    #13 0x61196637f17e in blink::Worklet::FetchAndInvokeScript(blink::KURL const&, WTF::String const&, blink::WorkletPendingTasks*) ./../../third_party/blink/renderer/core/workers/worklet.cc:171:24
    #14 0x61196637fffd in Invoke, blink::KURL, blink::V8RequestCredentials, cppgc::internal::BasicPersistent > ./../../base/functional/bind_internal.h:738:12
    #15 0x61196637fffd in MakeItSo, blink::KURL, blink::V8RequestCredentials, cppgc::internal::BasicPersistent > > ./../../base/functional/bind_internal.h:930:12
    #16 0x61196637fffd in RunImpl, blink::KURL, blink::V8RequestCredentials, cppgc::internal::BasicPersistent >, 0UL, 1UL, 2UL, 3UL> ./../../base/functional/bind_internal.h:1067:14
    #17 0x61196637fffd in base::internal::Invoker&&, blink::KURL&&, blink::V8RequestCredentials&&, cppgc::internal::BasicPersistent&&>, base::internal::BindState, blink::KURL, blink::V8RequestCredentials, cppgc::internal::BasicPersistent>, void ()>::RunOnce(base::internal::BindStateBase*) ./../../base/functional/bind_internal.h:980:12
    #18 0x611958660646 in Run ./../../base/functional/callback.h:156:12
    #19 0x611958660646 in base::TaskAnnotator::RunTaskImpl(base::PendingTask&) ./../../base/task/common/task_annotator.cc:203:34
    #20 0x6119586c2ad5 in RunTask<(lambda at ../../base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:486:11)> ./../../base/task/common/task_annotator.h:90:5
    #21 0x6119586c2ad5 in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl(base::LazyNow*) ./../../base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:484:23
    #22 0x6119586c1b45 in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() ./../../base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:346:40
    #23 0x6119586c37ba in non-virtual thunk to base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() ./../../base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:0:0
    #24 0x6119585633ca in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) ./../../base/message_loop/message_pump_default.cc:40:55
    #25 0x6119586c4409 in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run(bool, base::TimeDelta) ./../../base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:654:12
    #26 0x6119585f9e0e in base::RunLoop::Run(base::Location const&) ./../../base/run_loop.cc:134:14
    #27 0x61196e06e98b in content::RendererMain(content::MainFunctionParams) ./../../content/renderer/renderer_main.cc:359:16
    #28 0x611955dc18d3 in content::RunZygote(content::ContentMainDelegate*) ./../../content/app/content_main_runner_impl.cc:703:14
    #29 0x611955dc28a2 in content::RunOtherNamedProcessTypeMain(std::__Cr::basic_string, std::__Cr::allocator> const&, content::MainFunctionParams, content::ContentMainDelegate*) ./../../content/app/content_main_runner_impl.cc:807:12
    #30 0x611955dc4d98 in content::ContentMainRunnerImpl::Run() ./../../content/app/content_main_runner_impl.cc:1175:10
    #31 0x611955dbf79d in content::RunContentProcess(content::ContentMainParams, content::ContentMainRunner*) ./../../content/app/content_main.cc:333:36
    #32 0x611955dc0391 in content::ContentMain(content::ContentMainParams) ./../../content/app/content_main.cc:346:10
    #33 0x6119467e09c4 in ChromeMain ./../../chrome/app/chrome_main.cc:222:12
    #34 0x7a2d23a29d8f in __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-use-after-free (/home/pwn11/chromium/src/out/release/chrome+0xf250d64) (BuildId: d8a8ceb32f6d1cd6)
Shadow bytes around the buggy address:
  0x51800000e700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x51800000e780: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
  0x51800000e800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa f7 fa
  0x51800000e880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x51800000e900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x51800000e980:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x51800000ea00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x51800000ea80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x51800000eb00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x51800000eb80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x51800000ec00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa f7 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1==ADDITIONAL INFO
==1==Note: Please include this section with the ASan report.
Task trace:
    #0 0x611969e53b70 in blink::AudioDestination::Render(base::TimeDelta, base::TimeTicks, media::AudioGlitchInfo const&, media::AudioBus*) ./../../third_party/blink/renderer/platform/audio/audio_destination.cc:204:34

Command line: `/proc/self/exe --type=renderer --crashpad-handler-pid=7860 --enable-crash-reporter=, --user-data-dir=/tmp/xx2 --no-subproc-heap-profiling --change-stack-guard-on-fork=enable --disable-databases --lang=en-US --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1722142609901048 --launch-time-ticks=130439505043 --shared-files=v8_context_snapshot_data:100 --metrics-shmem-handle=4,i,5772947552627805859,10041995947932912770,2097152 --field-trial-handle=3,i,5326344708226441918,9683426388380268125,262144 --variations-seed-version`

MiraclePtr Status: MANUAL ANALYSIS REQUIRED
A pointer to the same region was extracted from a raw_ptr object prior to this crash.
The "use" and "free" threads don't match. This crash is likely to have been caused by a race condition that is mislabeled as a use-after-free. Make sure that the "free" is sequenced after the "use" (e.g. both are on the same sequence, or the "free" is in a task posted after the "use"). Otherwise, the crash is still exploitable with MiraclePtr.
Refer to https://chromium.googlesource.com/chromium/src/+/main/base/memory/raw_ptr.md for details.
==1==END OF ADDITIONAL INFO
==1==ABORTING