=================================================================
==23508==ERROR: AddressSanitizer: heap-use-after-free on address 0x11a10f148488 at pc 0x7ffb102dee9f bp 0x001abd7efd80 sp 0x001abd7efdc8
READ of size 8 at 0x11a10f148488 thread T0
==23508==*** WARNING: Failed to initialize DbgHelp!              ***
==23508==*** Most likely this means that the app is already      ***
==23508==*** using DbgHelp, possibly with incompatible flags.    ***
==23508==*** Due to technical reasons, symbolization might crash ***
==23508==*** or produce wrong results.                           ***
    #0 0x7ffb102dee9e in blink::BaseRenderingContext2D::ResetInternal D:\chromium\src\third_party\blink\renderer\modules\canvas\canvas2d\base_rendering_context_2d.cc:468
    #1 0x1630f0fffff  ()

0x11a10f148488 is located 8 bytes inside of 3384-byte region [0x11a10f148480,0x11a10f1491b8)
freed by thread T0 here:
    #0 0x7ffb66ae055d in operator delete+0x8d (D:\chromium\src\out\asan\clang_rt.asan_dynamic-x86_64.dll+0x18005055d)
    #1 0x7ffb16224049 in blink::CanvasResourceProvider::~CanvasResourceProvider D:\chromium\src\third_party\blink\renderer\platform\graphics\canvas_resource_provider.cc:1318
    #2 0x7ffb162208b5 in blink::CanvasResourceProviderSharedImage::~CanvasResourceProviderSharedImage D:\chromium\src\third_party\blink\renderer\platform\graphics\canvas_resource_provider.cc:264
    #3 0x7ffb1621c4cf in blink::CanvasResourceProviderSharedImage::~CanvasResourceProviderSharedImage D:\chromium\src\third_party\blink\renderer\platform\graphics\canvas_resource_provider.cc:258
    #4 0x7ffb1d70d3f1 in blink::OffscreenCanvas::CheckForGpuContextLost D:\chromium\src\third_party\blink\renderer\core\offscreencanvas\offscreen_canvas.cc:609
    #5 0x7ffb1038a09a in blink::OffscreenCanvasRenderingContext2D::GetOrCreateCanvasResourceProvider D:\chromium\src\third_party\blink\renderer\modules\canvas\offscreencanvas2d\offscreen_canvas_rendering_context_2d.cc:194
    #6 0x7ffb103890e4 in blink::OffscreenCanvasRenderingContext2D::FinalizeFrame D:\chromium\src\third_party\blink\renderer\modules\canvas\offscreencanvas2d\offscreen_canvas_rendering_context_2d.cc:156
    #7 0x7ffb1038ab3d in blink::OffscreenCanvasRenderingContext2D::PushFrame D:\chromium\src\third_party\blink\renderer\modules\canvas\offscreencanvas2d\offscreen_canvas_rendering_context_2d.cc:232
    #8 0x7ffb1d70c206 in blink::OffscreenCanvas::PushFrameIfNeeded D:\chromium\src\third_party\blink\renderer\core\offscreencanvas\offscreen_canvas.cc:546
    #9 0x7ffb1038bcf3 in blink::OffscreenCanvasRenderingContext2D::WillDraw D:\chromium\src\third_party\blink\renderer\modules\canvas\offscreencanvas2d\offscreen_canvas_rendering_context_2d.cc:342
    #10 0x7ffb102de729 in blink::BaseRenderingContext2D::ResetInternal D:\chromium\src\third_party\blink\renderer\modules\canvas\canvas2d\base_rendering_context_2d.cc:465
    #11 0x7ffabfe10619  ()

previously allocated by thread T0 here:
    #0 0x7ffb66adfd3d in operator new+0x8d (D:\chromium\src\out\asan\clang_rt.asan_dynamic-x86_64.dll+0x18004fd3d)
    #1 0x7ffb1620e611 in blink::CanvasResourceProvider::CanvasResourceProvider D:\chromium\src\third_party\blink\renderer\platform\graphics\canvas_resource_provider.cc:1293
    #2 0x7ffb1621bc41 in blink::CanvasResourceProviderSharedImage::CanvasResourceProviderSharedImage D:\chromium\src\third_party\blink\renderer\platform\graphics\canvas_resource_provider.cc:238
    #3 0x7ffb1620aa76 in std::__Cr::make_unique &,const bool &,const bool &,unsigned int &,blink::CanvasResourceHost *&> D:\chromium\src\third_party\libc++\src\include\__memory\unique_ptr.h:597
    #4 0x7ffb16209dc8 in blink::CanvasResourceProvider::CreateSharedImageProvider D:\chromium\src\third_party\blink\renderer\platform\graphics\canvas_resource_provider.cc:1040
    #5 0x7ffb1d70b4c0 in blink::OffscreenCanvas::GetOrCreateResourceProvider D:\chromium\src\third_party\blink\renderer\core\offscreencanvas\offscreen_canvas.cc:470
    #6 0x7ffb1038ba11 in blink::OffscreenCanvasRenderingContext2D::GetOrCreatePaintCanvas D:\chromium\src\third_party\blink\renderer\modules\canvas\offscreencanvas2d\offscreen_canvas_rendering_context_2d.cc:308
    #7 0x7ffb102eb3c1 in blink::BaseRenderingContext2D::Draw<0,`lambda at ..\..\third_party\blink\renderer\modules\canvas\canvas2d\base_rendering_context_2d.cc:1226:7',`lambda at ..\..\third_party\blink\renderer\modules\canvas\canvas2d\base_rendering_context_2d.cc:1229:7'> D:\chromium\src\third_party\blink\renderer\modules\canvas\canvas2d\base_rendering_context_2d.h:941
    #8 0x7ffb102ea4f2 in blink::BaseRenderingContext2D::DrawPathInternal D:\chromium\src\third_party\blink\renderer\modules\canvas\canvas2d\base_rendering_context_2d.cc:1225
    #9 0x7ffb102eb801 in blink::BaseRenderingContext2D::fill D:\chromium\src\third_party\blink\renderer\modules\canvas\canvas2d\base_rendering_context_2d.cc:1253
    #10 0x7ffb0f877357 in blink::`anonymous namespace'::v8_offscreen_canvas_rendering_context_2d::FillOperationOverload1 D:\chromium\src\out\asan\gen\third_party\blink\renderer\bindings\modules\v8\v8_offscreen_canvas_rendering_context_2d.cc:2765
    #11 0x7ffabfe10619  ()

SUMMARY: AddressSanitizer: heap-use-after-free D:\chromium\src\third_party\blink\renderer\modules\canvas\canvas2d\base_rendering_context_2d.cc:468 in blink::BaseRenderingContext2D::ResetInternal
Shadow bytes around the buggy address:
  0x11a10f148200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x11a10f148280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x11a10f148300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x11a10f148380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x11a10f148400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa f7 fa
=>0x11a10f148480: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x11a10f148500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x11a10f148580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x11a10f148600: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x11a10f148680: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x11a10f148700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==23508==ADDITIONAL INFO
==23508==Note: Please include this section with the ASan report.
Task trace:
    #0 0x7ffb8fe0e841 in IPC::ChannelAssociatedGroupController::Accept D:\chromium\src\ipc\ipc_mojo_bootstrap.cc:1119
MiraclePtr Status: NOT PROTECTED
No raw_ptr access to this region was detected prior to this crash.
This crash is still exploitable with MiraclePtr.
Refer to https://chromium.googlesource.com/chromium/src/+/main/base/memory/raw_ptr.md for details.
==23508==END OF ADDITIONAL INFO
==23508==ABORTING