[Webkit-unassigned] [Bug 181061] New: heap-use-after-free in std::optional<WebKit::WebServiceWorkerFetchTaskClient::BlobLoader>::clear()

bugzilla-daemon at webkit.org
Wed Dec 20 15:33:05 PST 2017


https://bugs.webkit.org/show_bug.cgi?id=181061

            Bug ID: 181061
           Summary: heap-use-after-free in
                    std::optional<WebKit::WebServiceWorkerFetchTaskClient::BlobLoader>::clear()
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Service Workers
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: youennf at gmail.com

==79588==ERROR: AddressSanitizer: heap-use-after-free on address 0x60700015ad90 at pc 0x00010b45eb67 bp 0x7ffee743cb50 sp 0x7ffee743cb48
WRITE of size 1 at 0x60700015ad90 thread T0
==79588==WARNING: invalid path to external symbolizer!
==79588==WARNING: Failed to use and restart external symbolizer!
#0 0x10b45eb66 in std::optional<WebKit::WebServiceWorkerFetchTaskClient::BlobLoader>::clear() (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0xcf0b66)
#1 0x10b45d0ed in std::optional<WebKit::WebServiceWorkerFetchTaskClient::BlobLoader>::operator=(std::nullopt_t) (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0xcef0ed)
#2 0x11cc2b119 in WebCore::DocumentThreadableLoader::didFinishLoading(unsigned long) (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore:x86_64+0x28f6119)
#3 0x11cd42967 in WebCore::CachedResource::checkNotify() (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore:x86_64+0x2a0d967)
#4 0x11cd3f6ba in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore:x86_64+0x2a0a6ba)
#5 0x11ccddc2e in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore:x86_64+0x29a8c2e)
#6 0x10b42382b in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0xcb582b)
#7 0x10b426b8e in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0xcb8b8e)
#8 0x10b42607f in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0xcb807f)
#9 0x10aaf07c0 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x3827c0)
#10 0x10a8a496e in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x13696e)
#11 0x10a8ae486 in IPC::Connection::dispatchOneMessage() (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x140486)
#12 0x12b2321a7 in WTF::RunLoop::performWork() (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScrip
(Truncated recent description)
