C:\src\chromium\src [(e0a13a7...)]> .\out\Asan\chrome.exe --no-sandbox C:\src\pocs\1252878\min_poc.html
=================================================================
==544==ERROR: AddressSanitizer: use-after-poison on address 0x7ea7001296f4 at pc 0x7ffe20250056 bp 0x00a4fc1fd430 sp 0x00a4fc1fd478
READ of size 4 at 0x7ea7001296f4 thread T0
    #0 0x7ffe20250055 in WTF::Vector<std::__1::pair<WTF::AtomicString,cppgc::internal::BasicMember<blink::HeapVector<blink::RegisteredEventListener,1>,cppgc::internal::StrongMemberTag,cppgc::internal::DijkstraWriteBarrierPolicy,cppgc::internal::DisabledCheckingPolicy> >,2,blink::HeapAllocator>::size C:\src\chromium\src\third_party\blink\renderer\platform\wtf\vector.h:1184
    #1 0x7ffe20250055 in blink::EventListenerMap::Remove(class WTF::AtomicString const &, class blink::EventListener const *, class blink::EventListenerOptions const *, unsigned int *, class blink::RegisteredEventListener *) C:\src\chromium\src\third_party\blink\renderer\core\dom\events\event_listener_map.cc:192:1
    #2 0x7ffe1c0168a9 in blink::EventTarget::RemoveEventListenerInternal(class WTF::AtomicString const &, class blink::EventListener const *, class blink::EventListenerOptions const *) C:\src\chromium\src\third_party\blink\renderer\core\dom\events\event_target.cc:604:30
    #3 0x7ffe248d7b58 in blink::MediaCustomControlsFullscreenDetector::Detach(void) C:\src\chromium\src\third_party\blink\renderer\core\html\media\media_custom_controls_fullscreen_detector.cc:125:18
    #4 0x7ffe1fd1f035 in blink::HTMLVideoElement::ContextDestroyed(void) C:\src\chromium\src\third_party\blink\renderer\core\html\media\html_video_element.cc:141:41
    #5 0x7ffe18ce2bc8 in blink::ContextLifecycleObserver::NotifyContextDestroyed(void) C:\src\chromium\src\third_party\blink\renderer\platform\context_lifecycle_observer.cc:46:3
    #6 0x7ffe204f020d in blink::ContextLifecycleNotifier::NotifyContextDestroyed::<lambda_0>::operator() C:\src\chromium\src\third_party\blink\renderer\platform\context_lifecycle_notifier.cc:33
    #7 0x7ffe204f020d in blink::HeapObserverSet<blink::ContextLifecycleObserver>::ForEachObserver C:\src\chromium\src\third_party\blink\renderer\platform\heap_observer_set.h:67
    #8 0x7ffe204f020d in blink::ContextLifecycleNotifier::NotifyContextDestroyed(void) C:\src\chromium\src\third_party\blink\renderer\platform\context_lifecycle_notifier.cc:32:14
    #9 0x7ffe1be1f4ca in blink::LocalDOMWindow::FrameDestroyed(void) C:\src\chromium\src\third_party\blink\renderer\core\frame\local_dom_window.cc:903:3
    #10 0x7ffe1be1fb92 in blink::LocalDOMWindow::Reset(void) C:\src\chromium\src\third_party\blink\renderer\core\frame\local_dom_window.cc:916:3
    #11 0x7ffe1bb24409 in blink::LocalFrame::SetDOMWindow(class blink::LocalDOMWindow *) C:\src\chromium\src\third_party\blink\renderer\core\frame\local_frame.cc:794:18
    #12 0x7ffe1c20c983 in blink::DocumentLoader::InitializeWindow(class blink::Document *) C:\src\chromium\src\third_party\blink\renderer\core\loader\document_loader.cc:2094:13
    #13 0x7ffe1c2104c0 in blink::DocumentLoader::CommitNavigation(void) C:\src\chromium\src\third_party\blink\renderer\core\loader\document_loader.cc:2206:3
    #14 0x7ffe1be83cc2 in blink::FrameLoader::CommitDocumentLoader(class blink::DocumentLoader *, class absl::optional<struct blink::Document::UnloadEventTiming> const &, class blink::HistoryItem *, enum blink::CommitReason) C:\src\chromium\src\third_party\blink\renderer\core\loader\frame_loader.cc:1248:21
    #15 0x7ffe1be8f570 in blink::FrameLoader::CommitNavigation(class std::__1::unique_ptr<struct blink::WebNavigationParams, struct std::__1::default_delete<struct blink::WebNavigationParams>>, class std::__1::unique_ptr<class blink::WebDocumentLoader::ExtraData, struct std::__1::default_delete<class blink::WebDocumentLoader::ExtraData>>, enum blink::CommitReason) C:\src\chromium\src\third_party\blink\renderer\core\loader\frame_loader.cc:1087:3
    #16 0x7ffe18c7ba2b in blink::WebLocalFrameImpl::CommitNavigation(class std::__1::unique_ptr<struct blink::WebNavigationParams, struct std::__1::default_delete<struct blink::WebNavigationParams>>, class std::__1::unique_ptr<class blink::WebDocumentLoader::ExtraData, struct std::__1::default_delete<class blink::WebDocumentLoader::ExtraData>>) C:\src\chromium\src\third_party\blink\renderer\core\frame\web_local_frame_impl.cc:2328:24
    #17 0x7ffe18e53d83 in content::RenderFrameImpl::CommitNavigationWithParams(class mojo::StructPtr<class blink::mojom::CommonNavigationParams>, class mojo::StructPtr<class blink::mojom::CommitNavigationParams>, class std::__1::unique_ptr<class blink::PendingURLLoaderFactoryBundle, struct std::__1::default_delete<class blink::PendingURLLoaderFactoryBundle>>, class absl::optional<class std::__1::vector<class mojo::StructPtr<class blink::mojom::TransferrableURLLoader>, class std::__1::allocator<class mojo::StructPtr<class blink::mojom::TransferrableURLLoader>>>>, class mojo::StructPtr<class blink::mojom::ControllerServiceWorkerInfo>, class mojo::StructPtr<class blink::mojom::ServiceWorkerContainerInfoForClient>, class mojo::PendingRemote<class network::mojom::URLLoaderFactory>, class mojo::PendingRemote<class blink::mojom::CodeCacheHost>, class mojo::StructPtr<class content::mojom::CookieManagerInfo>, class mojo::StructPtr<class content::mojom::StorageInfo>, class std::__1::unique_ptr<class content::DocumentState, struct std::__1::default_delete<class content::DocumentState>>, class std::__1::unique_ptr<struct blink::WebNavigationParams, struct std::__1::default_delete<struct blink::WebNavigationParams>>) C:\src\chromium\src\content\renderer\render_frame_impl.cc:2941:11
    #18 0x7ffe18ea5116 in ??@33df70ff2945c5c75adf4045c681cae8@ C:\src\chromium\src\base\bind_internal.h:509:12
    #19 0x7ffe18ea4b24 in base::internal::InvokeHelper<1,void>::MakeItSo C:\src\chromium\src\base\bind_internal.h:665
    #20 0x7ffe18ea4b24 in base::internal::Invoker<base::internal::BindState<void (content::RenderFrameImpl::*)(mojo::StructPtr<blink::mojom::CommonNavigationParams>, mojo::StructPtr<blink::mojom::CommitNavigationParams>, std::__1::unique_ptr<blink::PendingURLLoaderFactoryBundle,std::__1::default_delete<blink::PendingURLLoaderFactoryBundle> >, absl::optional<std::__1::vector<mojo::StructPtr<blink::mojom::TransferrableURLLoader>,std::__1::allocator<mojo::StructPtr<blink::mojom::TransferrableURLLoader> > > >, mojo::StructPtr<blink::mojom::ControllerServiceWorkerInfo>, mojo::StructPtr<blink::mojom::ServiceWorkerContainerInfoForClient>, mojo::PendingRemote<network::mojom::URLLoaderFactory>, mojo::PendingRemote<blink::mojom::CodeCacheHost>, mojo::StructPtr<content::mojom::CookieManagerInfo>, mojo::StructPtr<content::mojom::StorageInfo>, std::__1::unique_ptr<content::DocumentState,std::__1::default_delete<content::DocumentState> >, std::__1::unique_ptr<blink::WebNavigationParams,std::__1::default_delete<blink::WebNavigationParams> >),base::WeakPtr<content::RenderFrameImpl>,mojo::StructPtr<blink::mojom::CommonNavigationParams>,mojo::StructPtr<blink::mojom::CommitNavigationParams>,std::__1::unique_ptr<blink::PendingURLLoaderFactoryBundle,std::__1::default_delete<blink::PendingURLLoaderFactoryBundle> >,absl::optional<std::__1::vector<mojo::StructPtr<blink::mojom::TransferrableURLLoader>,std::__1::allocator<mojo::StructPtr<blink::mojom::TransferrableURLLoader> > > >,mojo::StructPtr<blink::mojom::ControllerServiceWorkerInfo>,mojo::StructPtr<blink::mojom::ServiceWorkerContainerInfoForClient>,mojo::PendingRemote<network::mojom::URLLoaderFactory>,mojo::PendingRemote<blink::mojom::CodeCacheHost>,mojo::StructPtr<content::mojom::CookieManagerInfo>,mojo::StructPtr<content::mojom::StorageInfo>,std::__1::unique_ptr<content::DocumentState,std::__1::default_delete<content::DocumentState> > >,void (std::__1::unique_ptr<blink::WebNavigationParams,std::__1::default_delete<blink::WebNavigationParams> >)>::RunImpl C:\src\chromium\src\base\bind_internal.h:721
    #21 0x7ffe18ea4b24 in base::internal::Invoker<struct base::internal::BindState<void (__cdecl content::RenderFrameImpl::*)(class mojo::StructPtr<class blink::mojom::CommonNavigationParams>, class mojo::StructPtr<class blink::mojom::CommitNavigationParams>, class std::__1::unique_ptr<class blink::PendingURLLoaderFactoryBundle, struct std::__1::default_delete<class blink::PendingURLLoaderFactoryBundle>>, class absl::optional<class std::__1::vector<class mojo::StructPtr<class blink::mojom::TransferrableURLLoader>, class std::__1::allocator<class mojo::StructPtr<class blink::mojom::TransferrableURLLoader>>>>, class mojo::StructPtr<class blink::mojom::ControllerServiceWorkerInfo>, class mojo::StructPtr<class blink::mojom::ServiceWorkerContainerInfoForClient>, class mojo::PendingRemote<class network::mojom::URLLoaderFactory>, class mojo::PendingRemote<class blink::mojom::CodeCacheHost>, class mojo::StructPtr<class content::mojom::CookieManagerInfo>, class mojo::StructPtr<class content::mojom::StorageInfo>, class std::__1::unique_ptr<class content::DocumentState, struct std::__1::default_delete<class content::DocumentState>>, class std::__1::unique_ptr<struct blink::WebNavigationParams, struct std::__1::default_delete<struct blink::WebNavigationParams>>), class base::WeakPtr<class content::RenderFrameImpl>, class mojo::StructPtr<class blink::mojom::CommonNavigationParams>, class mojo::StructPtr<class blink::mojom::CommitNavigationParams>, class std::__1::unique_ptr<class blink::PendingURLLoaderFactoryBundle, struct std::__1::default_delete<class blink::PendingURLLoaderFactoryBundle>>, class absl::optional<class std::__1::vector<class mojo::StructPtr<class blink::mojom::TransferrableURLLoader>, class std::__1::allocator<class mojo::StructPtr<class blink::mojom::TransferrableURLLoader>>>>, class mojo::StructPtr<class blink::mojom::ControllerServiceWorkerInfo>, class mojo::StructPtr<class blink::mojom::ServiceWorkerContainerInfoForClient>, class mojo::PendingRemote<class network::mojom::URLLoaderFactory>, class mojo::PendingRemote<class blink::mojom::CodeCacheHost>, class mojo::StructPtr<class content::mojom::CookieManagerInfo>, class mojo::StructPtr<class content::mojom::StorageInfo>, class std::__1::unique_ptr<class content::DocumentState, struct std::__1::default_delete<class content::DocumentState>>>, (class std::__1::unique_ptr<struct blink::WebNavigationParams, struct std::__1::default_delete<struct blink::WebNavigationParams>>)>::RunOnce(class base::internal::BindStateBase *, class std::__1::unique_ptr<struct blink::WebNavigationParams, struct std::__1::default_delete<struct blink::WebNavigationParams>> &&) C:\src\chromium\src\base\bind_internal.h:690:12
    #22 0x7ffe18e503ba in base::OnceCallback<void (std::__1::unique_ptr<blink::WebNavigationParams,std::__1::default_delete<blink::WebNavigationParams> >)>::Run C:\src\chromium\src\base\callback.h:100
    #23 0x7ffe18e503ba in content::RenderFrameImpl::CommitNavigation(class mojo::StructPtr<class blink::mojom::CommonNavigationParams>, class mojo::StructPtr<class blink::mojom::CommitNavigationParams>, class mojo::StructPtr<class network::mojom::URLResponseHead>, class mojo::ScopedHandleBase<class mojo::DataPipeConsumerHandle>, class mojo::StructPtr<class network::mojom::URLLoaderClientEndpoints>, class std::__1::unique_ptr<class blink::PendingURLLoaderFactoryBundle, struct std::__1::default_delete<class blink::PendingURLLoaderFactoryBundle>>, class absl::optional<class std::__1::vector<class mojo::StructPtr<class blink::mojom::TransferrableURLLoader>, class std::__1::allocator<class mojo::StructPtr<class blink::mojom::TransferrableURLLoader>>>>, class mojo::StructPtr<class blink::mojom::ControllerServiceWorkerInfo>, class mojo::StructPtr<class blink::mojom::ServiceWorkerContainerInfoForClient>, class mojo::PendingRemote<class network::mojom::URLLoaderFactory>, class base::UnguessableToken const &, class mojo::StructPtr<class blink::mojom::PolicyContainer>, class mojo::PendingRemote<class blink::mojom::CodeCacheHost>, class mojo::StructPtr<class content::mojom::CookieManagerInfo>, class mojo::StructPtr<class content::mojom::StorageInfo>, class base::OnceCallback<(class mojo::StructPtr<class content::mojom::DidCommitProvisionalLoadParams>, class mojo::StructPtr<class content::mojom::DidCommitProvisionalLoadInterfaceParams>)>) C:\src\chromium\src\content\renderer\render_frame_impl.cc:2802:33
    #24 0x7ffe1c70f3f3 in content::NavigationClient::CommitNavigation(class mojo::StructPtr<class blink::mojom::CommonNavigationParams>, class mojo::StructPtr<class blink::mojom::CommitNavigationParams>, class mojo::StructPtr<class network::mojom::URLResponseHead>, class mojo::ScopedHandleBase<class mojo::DataPipeConsumerHandle>, class mojo::StructPtr<class network::mojom::URLLoaderClientEndpoints>, class std::__1::unique_ptr<class blink::PendingURLLoaderFactoryBundle, struct std::__1::default_delete<class blink::PendingURLLoaderFactoryBundle>>, class absl::optional<class std::__1::vector<class mojo::StructPtr<class blink::mojom::TransferrableURLLoader>, class std::__1::allocator<class mojo::StructPtr<class blink::mojom::TransferrableURLLoader>>>>, class mojo::StructPtr<class blink::mojom::ControllerServiceWorkerInfo>, class mojo::StructPtr<class blink::mojom::ServiceWorkerContainerInfoForClient>, class mojo::PendingRemote<class network::mojom::URLLoaderFactory>, class base::UnguessableToken const &, class mojo::StructPtr<class blink::mojom::PolicyContainer>, class mojo::PendingRemote<class blink::mojom::CodeCacheHost>, class mojo::StructPtr<class content::mojom::CookieManagerInfo>, class mojo::StructPtr<class content::mojom::StorageInfo>, class base::OnceCallback<(class mojo::StructPtr<class content::mojom::DidCommitProvisionalLoadParams>, class mojo::StructPtr<class content::mojom::DidCommitProvisionalLoadInterfaceParams>)>) C:\src\chromium\src\content\renderer\navigation_client.cc:46:18
    #25 0x7ffe0ca876e9 in content::mojom::NavigationClientStubDispatch::AcceptWithResponder(class content::mojom::NavigationClient *, class mojo::Message *, class std::__1::unique_ptr<class mojo::MessageReceiverWithStatus, struct std::__1::default_delete<class mojo::MessageReceiverWithStatus>>) C:\src\chromium\src\out\Asan\gen\content\common\navigation_client.mojom.cc:1315:13
    #26 0x7ffe1c7108b6 in content::mojom::NavigationClientStub<struct mojo::RawPtrImplRefTraits<class content::mojom::NavigationClient>>::AcceptWithResponder(class mojo::Message *, class std::__1::unique_ptr<class mojo::MessageReceiverWithStatus, struct std::__1::default_delete<class mojo::MessageReceiverWithStatus>>) C:\src\chromium\src\out\Asan\gen\content\common\navigation_client.mojom.h:192:12
    #27 0x7ffe16779189 in mojo::InterfaceEndpointClient::HandleValidatedMessage(class mojo::Message *) C:\src\chromium\src\mojo\public\cpp\bindings\lib\interface_endpoint_client.cc:862:56
    #28 0x7ffe1967a244 in mojo::MessageDispatcher::Accept(class mojo::Message *) C:\src\chromium\src\mojo\public\cpp\bindings\lib\message_dispatcher.cc:43:19
    #29 0x7ffe1677d108 in mojo::InterfaceEndpointClient::HandleIncomingMessage(class mojo::Message *) C:\src\chromium\src\mojo\public\cpp\bindings\lib\interface_endpoint_client.cc:657:20
    #30 0x7ffe171fba68 in IPC::`anonymous namespace'::ChannelAssociatedGroupController::AcceptOnEndpointThread C:\src\chromium\src\ipc\ipc_mojo_bootstrap.cc:981:24
    #31 0x7ffe171f3bad in base::internal::FunctorTraits<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::*)(mojo::Message),void>::Invoke C:\src\chromium\src\base\bind_internal.h:509
    #32 0x7ffe171f3bad in base::internal::InvokeHelper<0,void>::MakeItSo C:\src\chromium\src\base\bind_internal.h:648
    #33 0x7ffe171f3bad in base::internal::Invoker<base::internal::BindState<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::*)(mojo::Message),scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController>,mojo::Message>,void ()>::RunImpl C:\src\chromium\src\base\bind_internal.h:721
    #34 0x7ffe171f3bad in base::internal::Invoker<base::internal::BindState<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::*)(mojo::Message),scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController>,mojo::Message>,void ()>::RunOnce C:\src\chromium\src\base\bind_internal.h:690:12
    #35 0x7ffe16392eb0 in base::OnceCallback<void ()>::Run C:\src\chromium\src\base\callback.h:100
    #36 0x7ffe16392eb0 in base::TaskAnnotator::RunTask(char const *, struct base::PendingTask *) C:\src\chromium\src\base\task\common\task_annotator.cc:178:33
    #37 0x7ffe194f34f3 in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl(class base::sequence_manager::LazyNow *) C:\src\chromium\src\base\task\sequence_manager\thread_controller_with_message_pump_impl.cc:357:23
    #38 0x7ffe194f2a01 in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork(void) C:\src\chromium\src\base\task\sequence_manager\thread_controller_with_message_pump_impl.cc:260:30
    #39 0x7ffe194c01e9 in base::MessagePumpDefault::Run(class base::MessagePump::Delegate *) C:\src\chromium\src\base\message_loop\message_pump_default.cc:38:55
    #40 0x7ffe194f4d73 in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run(bool, class base::TimeDelta) C:\src\chromium\src\base\task\sequence_manager\thread_controller_with_message_pump_impl.cc:462:12
    #41 0x7ffe162ee2ed in base::RunLoop::Run(class base::Location const &) C:\src\chromium\src\base\run_loop.cc:134:14
    #42 0x7ffe18eb36d5 in content::RendererMain(struct content::MainFunctionParams const &) C:\src\chromium\src\content\renderer\renderer_main.cc:265:16
    #43 0x7ffe1108af0b in content::ContentMainRunnerImpl::Run(bool) C:\src\chromium\src\content\app\content_main_runner_impl.cc:974:10
    #44 0x7ffe11086c5a in content::RunContentProcess(struct content::ContentMainParams const &, class content::ContentMainRunner *) C:\src\chromium\src\content\app\content_main.cc:390:36
    #45 0x7ffe11088028 in content::ContentMain(struct content::ContentMainParams const &) C:\src\chromium\src\content\app\content_main.cc:418:10
    #46 0x7ffe08f01576 in ChromeMain C:\src\chromium\src\chrome\app\chrome_main.cc:172:12
    #47 0x7ff779866958 in MainDllLoader::Launch(struct HINSTANCE__*, class base::TimeTicks) C:\src\chromium\src\chrome\app\main_dll_loader_win.cc:169:12
    #48 0x7ff779863216 in main C:\src\chromium\src\chrome\app\chrome_exe_main_win.cc:382:20
    #49 0x7ff779ce28ff in invoke_main d:\A01\_work\6\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:78
    #50 0x7ff779ce28ff in __scrt_common_main_seh d:\A01\_work\6\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #51 0x7ffe9fe07033  (C:\WINDOWS\System32\KERNEL32.DLL+0x180017033)
    #52 0x7ffea14e2650  (C:\WINDOWS\SYSTEM32\ntdll.dll+0x180052650)

Address 0x7ea7001296f4 is a wild pointer inside of access range of size 0x000000000004.
SUMMARY: AddressSanitizer: use-after-poison C:\src\chromium\src\third_party\blink\renderer\platform\wtf\vector.h:1184 in WTF::Vector<std::__1::pair<WTF::AtomicString,cppgc::internal::BasicMember<blink::HeapVector<blink::RegisteredEventListener,1>,cppgc::internal::StrongMemberTag,cppgc::internal::DijkstraWriteBarrierPolicy,cppgc::internal::DisabledCheckingPolicy> >,2,blink::HeapAllocator>::size
Shadow bytes around the buggy address:
  0x123218ea5280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x123218ea5290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x123218ea52a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x123218ea52b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x123218ea52c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x123218ea52d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f7]f7
  0x123218ea52e0: f7 f7 f7 f7 00 00 00 00 00 00 00 00 00 00 00 00
  0x123218ea52f0: 00 00 00 00 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x123218ea5300: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x123218ea5310: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x123218ea5320: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==544==ABORTING