=================================================================
==16048==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x11b05b65da98 at pc 0x7ff635146a57 bp 0x00526adfda40 sp 0x00526adfda88
WRITE of size 40 at 0x11b05b65da98 thread T28
==16048==WARNING: Failed to use and restart external symbolizer!
    #0 0x7ff635146a56 in __asan_memcpy C:\b\s\w\ir\cache\builder\src\third_party\llvm\compiler-rt\lib\asan\asan_interceptors_memintrinsics.cpp:22
    #1 0x7ffd78fadeae in std::__1::vector >::__swap_out_circular_buffer C:\b\s\w\ir\cache\builder\src\buildtools\third_party\libc++\trunk\include\vector:954
    #2 0x7ffd7935d3a1 in std::__1::vector >::__emplace_back_slow_path C:\b\s\w\ir\cache\builder\src\buildtools\third_party\libc++\trunk\include\vector:1669
    #3 0x7ffd845574d6 in base::ObserverList::AddObserver C:\b\s\w\ir\cache\builder\src\base\observer_list.h:276
    #4 0x7ffd8586c7c3 in viz::DCLayerOverlayProcessor::DCLayerOverlayProcessor C:\b\s\w\ir\cache\builder\src\components\viz\service\display\dc_layer_overlay.cc:396
    #5 0x7ffd87d3da21 in viz::OverlayProcessorInterface::CreateOverlayProcessor C:\b\s\w\ir\cache\builder\src\components\viz\service\display\overlay_processor_interface.cc:103
    #6 0x7ffd87cf4740 in viz::RootCompositorFrameSinkImpl::Create C:\b\s\w\ir\cache\builder\src\components\viz\service\frame_sinks\root_compositor_frame_sink_impl.cc:142
    #7 0x7ffd8582c844 in viz::FrameSinkManagerImpl::CreateRootCompositorFrameSink C:\b\s\w\ir\cache\builder\src\components\viz\service\frame_sinks\frame_sink_manager_impl.cc:168
    #8 0x7ffd7c07935c in viz::mojom::FrameSinkManagerStubDispatch::Accept C:\b\s\w\ir\cache\builder\src\out\Release_x64\gen\services\viz\privileged\mojom\compositing\frame_sink_manager.mojom.cc:1724
    #9 0x7ffd839200a4 in mojo::InterfaceEndpointClient::HandleValidatedMessage C:\b\s\w\ir\cache\builder\src\mojo\public\cpp\bindings\lib\interface_endpoint_client.cc:869
    #10 0x7ffd860a9866 in mojo::MessageDispatcher::Accept C:\b\s\w\ir\cache\builder\src\mojo\public\cpp\bindings\lib\message_dispatcher.cc:43
    #11 0x7ffd83923786 in mojo::InterfaceEndpointClient::HandleIncomingMessage C:\b\s\w\ir\cache\builder\src\mojo\public\cpp\bindings\lib\interface_endpoint_client.cc:648
    #12 0x7ffd83937627 in mojo::internal::MultiplexRouter::ProcessIncomingMessage C:\b\s\w\ir\cache\builder\src\mojo\public\cpp\bindings\lib\multiplex_router.cc:1083
    #13 0x7ffd839363b9 in mojo::internal::MultiplexRouter::Accept C:\b\s\w\ir\cache\builder\src\mojo\public\cpp\bindings\lib\multiplex_router.cc:712
    #14 0x7ffd860a9866 in mojo::MessageDispatcher::Accept C:\b\s\w\ir\cache\builder\src\mojo\public\cpp\bindings\lib\message_dispatcher.cc:43
    #15 0x7ffd8391ae92 in mojo::Connector::DispatchMessageW C:\b\s\w\ir\cache\builder\src\mojo\public\cpp\bindings\lib\connector.cc:548
    #16 0x7ffd8391c6e1 in mojo::Connector::ReadAllAvailableMessages C:\b\s\w\ir\cache\builder\src\mojo\public\cpp\bindings\lib\connector.cc:606
    #17 0x7ffd834f6e9a in base::TaskAnnotator::RunTask C:\b\s\w\ir\cache\builder\src\base\task\common\task_annotator.cc:178
    #18 0x7ffd85c37df3 in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl C:\b\s\w\ir\cache\builder\src\base\task\sequence_manager\thread_controller_with_message_pump_impl.cc:360
    #19 0x7ffd85c37462 in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork C:\b\s\w\ir\cache\builder\src\base\task\sequence_manager\thread_controller_with_message_pump_impl.cc:260
    #20 0x7ffd85c0c047 in base::MessagePumpDefault::Run C:\b\s\w\ir\cache\builder\src\base\message_loop\message_pump_default.cc:39
    #21 0x7ffd85c392ce in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run C:\b\s\w\ir\cache\builder\src\base\task\sequence_manager\thread_controller_with_message_pump_impl.cc:467
    #22 0x7ffd8347c863 in base::RunLoop::Run C:\b\s\w\ir\cache\builder\src\base\run_loop.cc:134
    #23 0x7ffd8353e8b9 in base::Thread::Run C:\b\s\w\ir\cache\builder\src\base\threading\thread.cc:325
    #24 0x7ffd8353edd0 in base::Thread::ThreadMain C:\b\s\w\ir\cache\builder\src\base\threading\thread.cc:396
    #25 0x7ffd835c431f in base::`anonymous namespace'::ThreadFunc C:\b\s\w\ir\cache\builder\src\base\threading\platform_thread_win.cc:121
    #26 0x7ff635150c47 in __asan::AsanThread::ThreadStart C:\b\s\w\ir\cache\builder\src\third_party\llvm\compiler-rt\lib\asan\asan_thread.cpp:279
    #27 0x7ffe5bb47033 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017033)
    #28 0x7ffe5cdc2650 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x180052650)

0x11b05b65da98 is located 8 bytes to the left of 64-byte region [0x11b05b65daa0,0x11b05b65dae0)
allocated by thread T28 here:
    #0 0x7ff635146fcb in malloc C:\b\s\w\ir\cache\builder\src\third_party\llvm\compiler-rt\lib\asan\asan_malloc_win.cpp:98
    #1 0x7ffd9598152a in operator new d:\A01\_work\6\s\src\vctools\crt\vcstartup\src\heap\new_scalar.cpp:35
    #2 0x7ffd7935d2d9 in std::__1::vector >::__emplace_back_slow_path C:\b\s\w\ir\cache\builder\src\buildtools\third_party\libc++\trunk\include\vector:1665
    #3 0x7ffd845574d6 in base::ObserverList::AddObserver C:\b\s\w\ir\cache\builder\src\base\observer_list.h:276
    #4 0x7ffd8586c7c3 in viz::DCLayerOverlayProcessor::DCLayerOverlayProcessor C:\b\s\w\ir\cache\builder\src\components\viz\service\display\dc_layer_overlay.cc:396
    #5 0x7ffd87d3da21 in viz::OverlayProcessorInterface::CreateOverlayProcessor C:\b\s\w\ir\cache\builder\src\components\viz\service\display\overlay_processor_interface.cc:103
    #6 0x7ffd87cf4740 in viz::RootCompositorFrameSinkImpl::Create C:\b\s\w\ir\cache\builder\src\components\viz\service\frame_sinks\root_compositor_frame_sink_impl.cc:142
    #7 0x7ffd8582c844 in viz::FrameSinkManagerImpl::CreateRootCompositorFrameSink C:\b\s\w\ir\cache\builder\src\components\viz\service\frame_sinks\frame_sink_manager_impl.cc:168
    #8 0x7ffd7c07935c in viz::mojom::FrameSinkManagerStubDispatch::Accept C:\b\s\w\ir\cache\builder\src\out\Release_x64\gen\services\viz\privileged\mojom\compositing\frame_sink_manager.mojom.cc:1724
    #9 0x7ffd839200a4 in mojo::InterfaceEndpointClient::HandleValidatedMessage C:\b\s\w\ir\cache\builder\src\mojo\public\cpp\bindings\lib\interface_endpoint_client.cc:869
    #10 0x7ffd860a9866 in mojo::MessageDispatcher::Accept C:\b\s\w\ir\cache\builder\src\mojo\public\cpp\bindings\lib\message_dispatcher.cc:43
    #11 0x7ffd83923786 in mojo::InterfaceEndpointClient::HandleIncomingMessage C:\b\s\w\ir\cache\builder\src\mojo\public\cpp\bindings\lib\interface_endpoint_client.cc:648
    #12 0x7ffd83937627 in mojo::internal::MultiplexRouter::ProcessIncomingMessage C:\b\s\w\ir\cache\builder\src\mojo\public\cpp\bindings\lib\multiplex_router.cc:1083
    #13 0x7ffd839363b9 in mojo::internal::MultiplexRouter::Accept C:\b\s\w\ir\cache\builder\src\mojo\public\cpp\bindings\lib\multiplex_router.cc:712
    #14 0x7ffd860a9866 in mojo::MessageDispatcher::Accept C:\b\s\w\ir\cache\builder\src\mojo\public\cpp\bindings\lib\message_dispatcher.cc:43
    #15 0x7ffd8391ae92 in mojo::Connector::DispatchMessageW C:\b\s\w\ir\cache\builder\src\mojo\public\cpp\bindings\lib\connector.cc:548
    #16 0x7ffd8391c6e1 in mojo::Connector::ReadAllAvailableMessages C:\b\s\w\ir\cache\builder\src\mojo\public\cpp\bindings\lib\connector.cc:606
    #17 0x7ffd834f6e9a in base::TaskAnnotator::RunTask C:\b\s\w\ir\cache\builder\src\base\task\common\task_annotator.cc:178
    #18 0x7ffd85c37df3 in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl C:\b\s\w\ir\cache\builder\src\base\task\sequence_manager\thread_controller_with_message_pump_impl.cc:360
    #19 0x7ffd85c37462 in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork C:\b\s\w\ir\cache\builder\src\base\task\sequence_manager\thread_controller_with_message_pump_impl.cc:260
    #20 0x7ffd85c0c047 in base::MessagePumpDefault::Run C:\b\s\w\ir\cache\builder\src\base\message_loop\message_pump_default.cc:39
    #21 0x7ffd85c392ce in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run C:\b\s\w\ir\cache\builder\src\base\task\sequence_manager\thread_controller_with_message_pump_impl.cc:467
    #22 0x7ffd8347c863 in base::RunLoop::Run C:\b\s\w\ir\cache\builder\src\base\run_loop.cc:134
    #23 0x7ffd8353e8b9 in base::Thread::Run C:\b\s\w\ir\cache\builder\src\base\threading\thread.cc:325
    #24 0x7ffd8353edd0 in base::Thread::ThreadMain C:\b\s\w\ir\cache\builder\src\base\threading\thread.cc:396
    #25 0x7ffd835c431f in base::`anonymous namespace'::ThreadFunc C:\b\s\w\ir\cache\builder\src\base\threading\platform_thread_win.cc:121
    #26 0x7ff635150c47 in __asan::AsanThread::ThreadStart C:\b\s\w\ir\cache\builder\src\third_party\llvm\compiler-rt\lib\asan\asan_thread.cpp:279
    #27 0x7ffe5bb47033 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017033)

Thread T28 created by T19 here:
    #0 0x7ff6351516b2 in __asan_wrap_CreateThread C:\b\s\w\ir\cache\builder\src\third_party\llvm\compiler-rt\lib\asan\asan_win.cpp:146
    #1 0x7ffd835c36fe in base::`anonymous namespace'::CreateThreadInternal C:\b\s\w\ir\cache\builder\src\base\threading\platform_thread_win.cc:185
    #2 0x7ffd8353db8a in base::Thread::StartWithOptions C:\b\s\w\ir\cache\builder\src\base\threading\thread.cc:200
    #3 0x7ffd81a5d95c in viz::VizCompositorThreadRunnerImpl::VizCompositorThreadRunnerImpl C:\b\s\w\ir\cache\builder\src\components\viz\service\main\viz_compositor_thread_runner_impl.cc:116
    #4 0x7ffd81a610b5 in viz::VizMainImpl::VizMainImpl C:\b\s\w\ir\cache\builder\src\components\viz\service\main\viz_main_impl.cc:84
    #5 0x7ffd87c96bec in content::GpuChildThread::GpuChildThread C:\b\s\w\ir\cache\builder\src\content\gpu\gpu_child_thread.cc:119
    #6 0x7ffd87c9712c in content::GpuChildThread::GpuChildThread C:\b\s\w\ir\cache\builder\src\content\gpu\gpu_child_thread.cc:107
    #7 0x7ffd85814d50 in content::InProcessGpuThread::Init C:\b\s\w\ir\cache\builder\src\content\gpu\in_process_gpu_thread.cc:68
    #8 0x7ffd8353ecf0 in base::Thread::ThreadMain C:\b\s\w\ir\cache\builder\src\base\threading\thread.cc:385
    #9 0x7ffd835c431f in base::`anonymous namespace'::ThreadFunc C:\b\s\w\ir\cache\builder\src\base\threading\platform_thread_win.cc:121
    #10 0x7ff635150c47 in __asan::AsanThread::ThreadStart C:\b\s\w\ir\cache\builder\src\third_party\llvm\compiler-rt\lib\asan\asan_thread.cpp:279
    #11 0x7ffe5bb47033 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017033)
    #12 0x7ffe5cdc2650 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x180052650)

Thread T19 created by T0 here:
    #0 0x7ff6351516b2 in __asan_wrap_CreateThread C:\b\s\w\ir\cache\builder\src\third_party\llvm\compiler-rt\lib\asan\asan_win.cpp:146
    #1 0x7ffd835c36fe in base::`anonymous namespace'::CreateThreadInternal C:\b\s\w\ir\cache\builder\src\base\threading\platform_thread_win.cc:185
    #2 0x7ffd8353db8a in base::Thread::StartWithOptions C:\b\s\w\ir\cache\builder\src\base\threading\thread.cc:200
    #3 0x7ffd7d009f90 in content::GpuProcessHost::Init C:\b\s\w\ir\cache\builder\src\content\browser\gpu\gpu_process_host.cc:890
    #4 0x7ffd7d00917c in content::GpuProcessHost::Get C:\b\s\w\ir\cache\builder\src\content\browser\gpu\gpu_process_host.cc:578
    #5 0x7ffd7cfd6b7c in content::BrowserGpuChannelHostFactory::EstablishRequest::Establish C:\b\s\w\ir\cache\builder\src\content\browser\gpu\browser_gpu_channel_host_factory.cc:171
    #6 0x7ffd7cfd6672 in content::BrowserGpuChannelHostFactory::EstablishRequest::Create C:\b\s\w\ir\cache\builder\src\content\browser\gpu\browser_gpu_channel_host_factory.cc:134
    #7 0x7ffd7cfd9d63 in content::BrowserGpuChannelHostFactory::EstablishGpuChannel C:\b\s\w\ir\cache\builder\src\content\browser\gpu\browser_gpu_channel_host_factory.cc:423
    #8 0x7ffd7cfd97ab in content::BrowserGpuChannelHostFactory::EstablishGpuChannel C:\b\s\w\ir\cache\builder\src\content\browser\gpu\browser_gpu_channel_host_factory.cc:375
    #9 0x7ffd7cfd88d8 in content::BrowserGpuChannelHostFactory::Initialize C:\b\s\w\ir\cache\builder\src\content\browser\gpu\browser_gpu_channel_host_factory.cc:283
    #10 0x7ffd7cb9db08 in content::BrowserMainLoop::PostCreateThreadsImpl C:\b\s\w\ir\cache\builder\src\content\browser\browser_main_loop.cc:1231
    #11 0x7ffd7cb9d085 in content::BrowserMainLoop::PostCreateThreads C:\b\s\w\ir\cache\builder\src\content\browser\browser_main_loop.cc:932
    #12 0x7ffd7d95c7d7 in content::StartupTaskRunner::RunAllTasksNow C:\b\s\w\ir\cache\builder\src\content\browser\startup_task_runner.cc:41
    #13 0x7ffd7cb9c722 in content::BrowserMainLoop::CreateStartupTasks C:\b\s\w\ir\cache\builder\src\content\browser\browser_main_loop.cc:857
    #14 0x7ffd7cba4145 in content::BrowserMainRunnerImpl::Initialize C:\b\s\w\ir\cache\builder\src\content\browser\browser_main_runner_impl.cc:131
    #15 0x7ffd7cb98ce8 in content::BrowserMain C:\b\s\w\ir\cache\builder\src\content\browser\browser_main.cc:43
    #16 0x7ffd832077ec in content::RunBrowserProcessMain C:\b\s\w\ir\cache\builder\src\content\app\content_main_runner_impl.cc:598
    #17 0x7ffd8320a148 in content::ContentMainRunnerImpl::RunBrowser C:\b\s\w\ir\cache\builder\src\content\app\content_main_runner_impl.cc:1087
    #18 0x7ffd832092fe in content::ContentMainRunnerImpl::Run C:\b\s\w\ir\cache\builder\src\content\app\content_main_runner_impl.cc:956
    #19 0x7ffd83206676 in content::RunContentProcess C:\b\s\w\ir\cache\builder\src\content\app\content_main.cc:386
    #20 0x7ffd83206c8f in content::ContentMain C:\b\s\w\ir\cache\builder\src\content\app\content_main.cc:412
    #21 0x7ffd78f9145a in ChromeMain C:\b\s\w\ir\cache\builder\src\chrome\app\chrome_main.cc:151
    #22 0x7ff6350a5bb4 in MainDllLoader::Launch C:\b\s\w\ir\cache\builder\src\chrome\app\main_dll_loader_win.cc:169
    #23 0x7ff6350a2be8 in main C:\b\s\w\ir\cache\builder\src\chrome\app\chrome_exe_main_win.cc:381
    #24 0x7ff63548fbff in __scrt_common_main_seh d:\A01\_work\6\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #25 0x7ffe5bb47033 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017033)
    #26 0x7ffe5cdc2650 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x180052650)

SUMMARY: AddressSanitizer: heap-buffer-overflow C:\b\s\w\ir\cache\builder\src\third_party\llvm\compiler-rt\lib\asan\asan_interceptors_memintrinsics.cpp:22 in __asan_memcpy
Shadow bytes around the buggy address:
  0x03da66c4bb00: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
  0x03da66c4bb10: 00 00 00 00 fa fa fa fa fd fd fd fd fd fd fd fd
  0x03da66c4bb20: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x03da66c4bb30: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
  0x03da66c4bb40: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
=>0x03da66c4bb50: fa fa fa[fa]00 00 00 00 00 00 00 00 fa fa fa fa
  0x03da66c4bb60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x03da66c4bb70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x03da66c4bb80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x03da66c4bb90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x03da66c4bba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
  Shadow gap: cc
==16048==ABORTING
fuzz->on disconnected