ASAN: heap-use-after-free in canvas_traits::webgl::WebGLMsgSender::send: on jingdong.com #40655
Closed
Labels
A-content/webgl (3d canvas API); I-safety (Some piece of code violates memory safety guarantees.)
Description
Describe the bug:
SUMMARY: AddressSanitizer: heap-use-after-free (servo:arm64+0x10417587c) in canvas_traits::webgl::WebGLMsgSender::send::h52a40dca4e14149b+0x164
==90062==ERROR: AddressSanitizer: heap-use-after-free on address 0x618000300098 at pc 0x000104359880 bp 0x000316e1bf50 sp 0x000316e1bf48
READ of size 8 at 0x618000300098 thread T86
#0 0x00010435987c in canvas_traits::webgl::WebGLMsgSender::send::h52a40dca4e14149b+0x164 (servo:arm64+0x10417587c)
#1 0x000103a68cb4 in script::dom::webgl::webglrenderingcontext::WebGLRenderingContext::send_command_ignored::h69e6f3581dd4f3c5+0x1d0 (servo:arm64+0x103884cb4)
#2 0x0001061b55d8 in script::dom::webgl::webglprogram::WebGLProgram::mark_for_deletion::h283fb8f84b8e8e04+0x2f0 (servo:arm64+0x105fd15d8)
#3 0x00010793ed7c in _$LT$script..dom..webgl..webglprogram..WebGLProgram$u20$as$u20$core..ops..drop..Drop$GT$::drop::ha92dbe6830d2c818+0x34 (servo:arm64+0x10775ad7c)
#4 0x0001077f54e4 in core::ptr::drop_in_place$LT$script..dom..webgl..webglprogram..WebGLProgram$GT$::hf8cb6f879be8d493+0x14 (servo:arm64+0x1076114e4)
#5 0x0001078193cc in core::ptr::drop_in_place$LT$alloc..boxed..Box$LT$script..dom..webgl..webglprogram..WebGLProgram$GT$$GT$::h205026d6c7c3f4af+0x4c (servo:arm64+0x1076353cc)
#6 0x000103e7bad8 in script_bindings::finalize::finalize_common::he94bd8857837c268+0x228 (servo:arm64+0x103c97ad8)
#7 0x000106f1cca0 in script_bindings::codegen::GenericBindings::WebGLProgramBinding::WebGLProgram_Binding::_finalize::_$u7b$$u7b$closure$u7d$$u7d$::h9c58d82622fc4706+0xec (servo:arm64+0x106d38ca0)
#8 0x000109cab7b0 in core::ops::function::impls::_$LT$impl$u20$core..ops..function..FnOnce$LT$A$GT$$u20$for$u20$$RF$mut$u20$F$GT$::call_once::h375308c183078636+0x5c (servo:arm64+0x109ac77b0)
#9 0x000109cb701c in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::hb7b55c5af8a7a21e+0x1c (servo:arm64+0x109ad301c)
#10 0x000109cb8680 in std::panicking::catch_unwind::do_call::h0a0401b6c327ff98+0x70 (servo:arm64+0x109ad4680)
#11 0x000109cbf1f4 in __rust_try+0x1c (servo:arm64+0x109adb1f4)
#12 0x000109cb8548 in std::panicking::catch_unwind::h969cc1d7bb1869e4+0x150 (servo:arm64+0x109ad4548)
#13 0x000109cbfda4 in std::panic::catch_unwind::hfbf432260c8afb02+0x1c (servo:arm64+0x109adbda4)
#14 0x000109cb4718 in mozjs::panic::wrap_panic::h1c9e4a9a86c8c68c+0x1c (servo:arm64+0x109ad0718)
#15 0x000106f1cb18 in script_bindings::codegen::GenericBindings::WebGLProgramBinding::WebGLProgram_Binding::_finalize::h6e1818846677bfd5+0x168 (servo:arm64+0x106d38b18)
#16 0x00010a0c4994 in unsigned long js::gc::Arena::finalize<JSObject, (js::gc::FinalizeKind)1>(JS::GCContext*, js::gc::AllocKind, unsigned long)+0x1cc (servo:arm64+0x109ee0994)
#17 0x00010a0bb13c in bool FinalizeArenas<(js::gc::ReleaseEmpty)0>(JS::GCContext*, js::gc::ArenaList&, js::gc::SortedArenaList&, js::gc::AllocKind, JS::SliceBudget&)+0x2844 (servo:arm64+0x109ed713c)
#18 0x00010a0b8618 in js::gc::ArenaLists::foregroundFinalize(JS::GCContext*, js::gc::AllocKind, JS::SliceBudget&, js::gc::SortedArenaList&)+0x54 (servo:arm64+0x109ed4618)
#19 0x00010a0bcb48 in js::gc::GCRuntime::finalizeAllocKind(JS::GCContext*, JS::SliceBudget&)+0x8c (servo:arm64+0x109ed8b48)
#20 0x00010a0c309c in sweepaction::SweepActionForEach<ContainerIter<mozilla::EnumSet<js::gc::AllocKind, unsigned long long>>, mozilla::EnumSet<js::gc::AllocKind, unsigned long long>>::run(js::gc::SweepAction::Args&)+0xa4 (servo:arm64+0x109edf09c)
#21 0x00010a0c7f10 in sweepaction::SweepActionSequence::run(js::gc::SweepAction::Args&)+0x54 (servo:arm64+0x109ee3f10)
#22 0x00010a0c2ee8 in sweepaction::SweepActionForEach<js::gc::SweepGroupZonesIter, JSRuntime*>::run(js::gc::SweepAction::Args&)+0x6c (servo:arm64+0x109edeee8)
#23 0x00010a0c7f10 in sweepaction::SweepActionSequence::run(js::gc::SweepAction::Args&)+0x54 (servo:arm64+0x109ee3f10)
#24 0x00010a0c2d2c in sweepaction::SweepActionForEach<js::gc::SweepGroupsIter, JSRuntime*>::run(js::gc::SweepAction::Args&)+0x5c (servo:arm64+0x109eded2c)
#25 0x00010a0bd034 in js::gc::GCRuntime::performSweepActions(JS::SliceBudget&)+0x9c (servo:arm64+0x109ed9034)
#26 0x00010a086918 in js::gc::GCRuntime::incrementalSlice(JS::SliceBudget&, JS::GCReason, bool)+0x290 (servo:arm64+0x109ea2918)
#27 0x00010a087ba4 in js::gc::GCRuntime::gcCycle(bool, JS::SliceBudget const&, JS::GCReason)+0x3c4 (servo:arm64+0x109ea3ba4)
#28 0x00010a088338 in js::gc::GCRuntime::collect(bool, JS::SliceBudget const&, JS::GCReason)+0x250 (servo:arm64+0x109ea4338)
#29 0x00010a088510 in js::gc::GCRuntime::gc(JS::GCOptions, JS::GCReason)+0x54 (servo:arm64+0x109ea4510)
#30 0x00010856de08 in _$LT$script..dom..window..Window$u20$as$u20$script_bindings..codegen..GenericBindings..WindowBinding..Window_Binding..WindowMethods$LT$script..dom..bindings..codegen..DomTypeHolder..DomTypeHolder$GT$$GT$::Gc::h5d0d32db7e0802ee+0x158 (servo:arm64+0x108389e08)
#31 0x00010859d340 in script::dom::window::Window::suspend::h3819d18c38c4cc13+0x2fc (servo:arm64+0x1083b9340)
#32 0x000104bacd00 in script::dom::document::Document::set_activity::h8c2a012db0b9ad78+0x6bc (servo:arm64+0x1049c8d00)
#33 0x000104d127fc in script::script_thread::ScriptThread::handle_set_document_activity_msg::hc05489f60cb4b818+0x7f4 (servo:arm64+0x104b2e7fc)
#34 0x000104d0a8d4 in script::script_thread::ScriptThread::handle_msg_from_constellation::h7e3ff657c8e7f23b+0x1240 (servo:arm64+0x104b268d4)
#35 0x0001084de050 in script::script_thread::ScriptThread::handle_msgs::_$u7b$$u7b$closure$u7d$$u7d$::h06f1ac359eb54ad9+0x454 (servo:arm64+0x1082fa050)
#36 0x0001084e7c14 in script::script_thread::ScriptThread::profile_event::hda5ff43ee3b14314+0xfbc (servo:arm64+0x108303c14)
#37 0x000104ce2aa0 in script::script_thread::ScriptThread::handle_msgs::h3a1c1a909c8bef2a+0x201c (servo:arm64+0x104afeaa0)
#38 0x000104d1f218 in script::script_thread::ScriptThread::start::h6c51f7558e54dd3a+0x3e8 (servo:arm64+0x104b3b218)
#39 0x00010851bd18 in _$LT$script..script_thread..ScriptThread$u20$as$u20$layout_api..ScriptThreadFactory$GT$::create::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h15151ba322f97a2d+0x1c (servo:arm64+0x108337d18)
#40 0x00010712f2a4 in profile_traits::mem::ProfilerChan::run_with_memory_reporting::h07069dc34b9c2a8c+0x178 (servo:arm64+0x106f4b2a4)
#41 0x00010851baf8 in _$LT$script..script_thread..ScriptThread$u20$as$u20$layout_api..ScriptThreadFactory$GT$::create::_$u7b$$u7b$closure$u7d$$u7d$::hd20169d9c1351a8f+0xa34 (servo:arm64+0x108337af8)
#42 0x0001055aba28 in std::sys::backtrace::__rust_begin_short_backtrace::hd741210d1670f494+0xc (servo:arm64+0x1053c7a28)
#43 0x000106f61b60 in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h965b60b6e5327eb7+0x1d8 (servo:arm64+0x106d7db60)
#44 0x000105b73bf8 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::hb9a7508dd2c3fa0e+0x148 (servo:arm64+0x10598fbf8)
#45 0x00010428943c in std::panicking::catch_unwind::do_call::hd1e0566c7c89c39e+0x168 (servo:arm64+0x1040a543c)
#46 0x0001042b5b5c in __rust_try+0x1c (servo:arm64+0x1040d1b5c)
#47 0x0001042886c0 in std::panicking::catch_unwind::h6277161838d91ebe+0x178 (servo:arm64+0x1040a46c0)
#48 0x0001061426cc in std::panic::catch_unwind::hd8156144afc2bdfe+0x8 (servo:arm64+0x105f5e6cc)
#49 0x000106f5c970 in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::h0f3bff81c04f652d+0x498 (servo:arm64+0x106d78970)
#50 0x0001075ad5f4 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h4f536642f2173800+0x14 (servo:arm64+0x1073c95f4)
#51 0x000115aecd84 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::hfcf4c7e0ab37864f+0x168 (servo:arm64+0x115908d84)
#52 0x000115c3e528 in std::sys::thread::unix::Thread::new::thread_start::h8a3050efa7f0ff2f+0x31c (servo:arm64+0x115a5a528)
#53 0x000132b5e7d0 in asan_thread_start(void*)+0x48 (librustc-stable_rt.asan.dylib:arm64+0x4e7d0)
#54 0x000197779c04 in _pthread_start+0x84 (libsystem_pthread.dylib:arm64+0x6c04)
#55 0x000197774ba4 in thread_start+0x4 (libsystem_pthread.dylib:arm64+0x1ba4)
0x618000300098 is located 24 bytes inside of 824-byte region [0x618000300080,0x6180003003b8)
freed by thread T86 here:
#0 0x000132b61958 in free+0x70 (librustc-stable_rt.asan.dylib:arm64+0x51958)
#1 0x000111e8c3bc in std::sys::alloc::unix::_$LT$impl$u20$core..alloc..global..GlobalAlloc$u20$for$u20$std..alloc..System$GT$::dealloc::h6a7de2248ebcade2+0x28 (servo:arm64+0x111ca83bc)
#2 0x000111e8c6f0 in _RNvCsj3IbkTTFM3W_7___rustc14___rust_dealloc+0x48 (servo:arm64+0x111ca86f0)
#3 0x000107011b70 in alloc::alloc::dealloc::hfd7a8fab514c78ac+0x140 (servo:arm64+0x106e2db70)
#4 0x000107013ce8 in _$LT$alloc..alloc..Global$u20$as$u20$core..alloc..Allocator$GT$::deallocate::h9dfacfa2ff8a8fcb+0x154 (servo:arm64+0x106e2fce8)
#5 0x00010788b918 in _$LT$alloc..boxed..Box$LT$T$C$A$GT$$u20$as$u20$core..ops..drop..Drop$GT$::drop::h72bf136acea6d341+0x18c (servo:arm64+0x1076a7918)
#6 0x0001077567d8 in core::ptr::drop_in_place$LT$alloc..boxed..Box$LT$script..dom..webgl..webglrenderingcontext..WebGLRenderingContext$GT$$GT$::he963d35033ea3d53+0x74 (servo:arm64+0x1075727d8)
#7 0x000103e77008 in script_bindings::finalize::finalize_common::hdfc87b540454f2b5+0x228 (servo:arm64+0x103c93008)
#8 0x000103e8fe04 in script_bindings::finalize::finalize_weak_referenceable::h4edfa4930154b141+0x480 (servo:arm64+0x103cabe04)
#9 0x000108d36544 in script_bindings::codegen::GenericBindings::WebGLRenderingContextBinding::WebGLRenderingContext_Binding::_finalize::_$u7b$$u7b$closure$u7d$$u7d$::h1f82352aefb4bffb+0x154 (servo:arm64+0x108b52544)
#10 0x000109cab7b0 in core::ops::function::impls::_$LT$impl$u20$core..ops..function..FnOnce$LT$A$GT$$u20$for$u20$$RF$mut$u20$F$GT$::call_once::h375308c183078636+0x5c (servo:arm64+0x109ac77b0)
#11 0x000109cb701c in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::hb7b55c5af8a7a21e+0x1c (servo:arm64+0x109ad301c)
#12 0x000109cb8680 in std::panicking::catch_unwind::do_call::h0a0401b6c327ff98+0x70 (servo:arm64+0x109ad4680)
#13 0x000109cbf1f4 in __rust_try+0x1c (servo:arm64+0x109adb1f4)
#14 0x000109cb8548 in std::panicking::catch_unwind::h969cc1d7bb1869e4+0x150 (servo:arm64+0x109ad4548)
#15 0x000109cbfda4 in std::panic::catch_unwind::hfbf432260c8afb02+0x1c (servo:arm64+0x109adbda4)
#16 0x000109cb4718 in mozjs::panic::wrap_panic::h1c9e4a9a86c8c68c+0x1c (servo:arm64+0x109ad0718)
#17 0x000108d36354 in script_bindings::codegen::GenericBindings::WebGLRenderingContextBinding::WebGLRenderingContext_Binding::_finalize::hffd4ca6695bf2d89+0x168 (servo:arm64+0x108b52354)
#18 0x00010a0c4994 in unsigned long js::gc::Arena::finalize<JSObject, (js::gc::FinalizeKind)1>(JS::GCContext*, js::gc::AllocKind, unsigned long)+0x1cc (servo:arm64+0x109ee0994)
#19 0x00010a0bb13c in bool FinalizeArenas<(js::gc::ReleaseEmpty)0>(JS::GCContext*, js::gc::ArenaList&, js::gc::SortedArenaList&, js::gc::AllocKind, JS::SliceBudget&)+0x2844 (servo:arm64+0x109ed713c)
#20 0x00010a0b8618 in js::gc::ArenaLists::foregroundFinalize(JS::GCContext*, js::gc::AllocKind, JS::SliceBudget&, js::gc::SortedArenaList&)+0x54 (servo:arm64+0x109ed4618)
#21 0x00010a0bcb48 in js::gc::GCRuntime::finalizeAllocKind(JS::GCContext*, JS::SliceBudget&)+0x8c (servo:arm64+0x109ed8b48)
#22 0x00010a0c309c in sweepaction::SweepActionForEach<ContainerIter<mozilla::EnumSet<js::gc::AllocKind, unsigned long long>>, mozilla::EnumSet<js::gc::AllocKind, unsigned long long>>::run(js::gc::SweepAction::Args&)+0xa4 (servo:arm64+0x109edf09c)
#23 0x00010a0c7f10 in sweepaction::SweepActionSequence::run(js::gc::SweepAction::Args&)+0x54 (servo:arm64+0x109ee3f10)
#24 0x00010a0c2ee8 in sweepaction::SweepActionForEach<js::gc::SweepGroupZonesIter, JSRuntime*>::run(js::gc::SweepAction::Args&)+0x6c (servo:arm64+0x109edeee8)
#25 0x00010a0c7f10 in sweepaction::SweepActionSequence::run(js::gc::SweepAction::Args&)+0x54 (servo:arm64+0x109ee3f10)
#26 0x00010a0c2d2c in sweepaction::SweepActionForEach<js::gc::SweepGroupsIter, JSRuntime*>::run(js::gc::SweepAction::Args&)+0x5c (servo:arm64+0x109eded2c)
#27 0x00010a0bd034 in js::gc::GCRuntime::performSweepActions(JS::SliceBudget&)+0x9c (servo:arm64+0x109ed9034)
#28 0x00010a086918 in js::gc::GCRuntime::incrementalSlice(JS::SliceBudget&, JS::GCReason, bool)+0x290 (servo:arm64+0x109ea2918)
#29 0x00010a087ba4 in js::gc::GCRuntime::gcCycle(bool, JS::SliceBudget const&, JS::GCReason)+0x3c4 (servo:arm64+0x109ea3ba4)
previously allocated by thread T86 here:
#0 0x000132b6186c in malloc+0x6c (librustc-stable_rt.asan.dylib:arm64+0x5186c)
#1 0x000111e8c2f0 in std::sys::alloc::unix::_$LT$impl$u20$core..alloc..global..GlobalAlloc$u20$for$u20$std..alloc..System$GT$::alloc::he3cb98b52f5c8c68+0x184 (servo:arm64+0x111ca82f0)
#2 0x000111e8c698 in _RNvCsj3IbkTTFM3W_7___rustc12___rust_alloc+0x34 (servo:arm64+0x111ca8698)
#3 0x000107011748 in alloc::alloc::alloc::hdab17f5daa696d84+0x138 (servo:arm64+0x106e2d748)
#4 0x000107011930 in alloc::alloc::Global::alloc_impl::h2b1967df6700d517+0x178 (servo:arm64+0x106e2d930)
#5 0x0001070142a8 in _$LT$alloc..alloc..Global$u20$as$u20$core..alloc..Allocator$GT$::allocate::he15d52b8d095ae1b+0x24 (servo:arm64+0x106e302a8)
#6 0x0001070115bc in alloc::alloc::exchange_malloc::hdc1b2884902453c2+0x40 (servo:arm64+0x106e2d5bc)
#7 0x000103a6f1d0 in script::dom::webgl::webglrenderingcontext::WebGLRenderingContext::new::h9a9ce81e4a496bfb+0x400 (servo:arm64+0x10388b1d0)
#8 0x000104c17a58 in script::dom::html::htmlcanvaselement::HTMLCanvasElement::get_or_init_webgl_context::hd46a04d4e1c9413b+0x5d4 (servo:arm64+0x104a33a58)
#9 0x000104c02db0 in _$LT$script..dom..html..htmlcanvaselement..HTMLCanvasElement$u20$as$u20$script_bindings..codegen..GenericBindings..HTMLCanvasElementBinding..HTMLCanvasElement_Binding..HTMLCanvasElementMethods$LT$script..dom..bindings..codegen..DomTypeHolder..DomTypeHolder$GT$$GT$::GetContext::hd4dbfcad75a5417e+0x51c (servo:arm64+0x104a1edb0)
#10 0x0001044b1914 in script_bindings::codegen::GenericBindings::HTMLCanvasElementBinding::HTMLCanvasElement_Binding::getContext::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h3b81e550fbffca51+0x858 (servo:arm64+0x1042cd914)
#11 0x0001044b0fa0 in script_bindings::codegen::GenericBindings::HTMLCanvasElementBinding::HTMLCanvasElement_Binding::getContext::_$u7b$$u7b$closure$u7d$$u7d$::h3f4574f482a187f6+0x1d0 (servo:arm64+0x1042ccfa0)
#12 0x000109cab7b0 in core::ops::function::impls::_$LT$impl$u20$core..ops..function..FnOnce$LT$A$GT$$u20$for$u20$$RF$mut$u20$F$GT$::call_once::h375308c183078636+0x5c (servo:arm64+0x109ac77b0)
#13 0x000109cb701c in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::hb7b55c5af8a7a21e+0x1c (servo:arm64+0x109ad301c)
#14 0x000109cb8680 in std::panicking::catch_unwind::do_call::h0a0401b6c327ff98+0x70 (servo:arm64+0x109ad4680)
#15 0x000109cbf1f4 in __rust_try+0x1c (servo:arm64+0x109adb1f4)
#16 0x000109cb8548 in std::panicking::catch_unwind::h969cc1d7bb1869e4+0x150 (servo:arm64+0x109ad4548)
#17 0x000109cbfda4 in std::panic::catch_unwind::hfbf432260c8afb02+0x1c (servo:arm64+0x109adbda4)
#18 0x000109cb4718 in mozjs::panic::wrap_panic::h1c9e4a9a86c8c68c+0x1c (servo:arm64+0x109ad0718)
#19 0x0001044b0d00 in script_bindings::codegen::GenericBindings::HTMLCanvasElementBinding::HTMLCanvasElement_Binding::getContext::h87c71fb89cd43c1d+0x2ac (servo:arm64+0x1042ccd00)
#20 0x00010a77abd4 in CallJitMethodOp+0x10c (servo:arm64+0x10a596bd4)
#21 0x000109a46a68 in script_bindings::utils::generic_call::hc339d6bf6f45a332+0xc30 (servo:arm64+0x109862a68)
#22 0x00010467fdc4 in script_bindings::utils::generic_method::h90517d1806ee1a71+0x50 (servo:arm64+0x10449bdc4)
#23 0x000109ce347c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)+0x194 (servo:arm64+0x109aff47c)
#24 0x000109cea6f4 in js::Interpret(JSContext*, js::RunState&)+0x4f44 (servo:arm64+0x109b066f4)
#25 0x000109ce3228 in js::RunScript(JSContext*, js::RunState&)+0x118 (servo:arm64+0x109aff228)
#26 0x000109ce3744 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)+0x45c (servo:arm64+0x109aff744)
#27 0x000109ce3b90 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason)+0xd8 (servo:arm64+0x109affb90)
#28 0x00010a1e1760 in js::jit::InvokeFunction(JSContext*, JS::Handle<JSObject*>, bool, bool, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>)+0x290 (servo:arm64+0x109ffd760)
#29 0x00010a1e1a10 in js::jit::InvokeFromInterpreterStub(JSContext*, js::jit::InterpreterStubExitFrameLayout*)+0xa8 (servo:arm64+0x109ffda10)
Thread T86 created by T42 here:
#0 0x000132b59600 in pthread_create+0x58 (librustc-stable_rt.asan.dylib:arm64+0x49600)
#1 0x000115c3ed4c in std::sys::thread::unix::Thread::new::h70823b07c5c6679a+0x6e8 (servo:arm64+0x115a5ad4c)
#2 0x000106f57af4 in std::thread::Builder::spawn_unchecked_::h4bbbbbc9a7389e51+0x960 (servo:arm64+0x106d73af4)
#3 0x000106f551ac in std::thread::Builder::spawn_unchecked::ha913c1462ee961a5+0x174 (servo:arm64+0x106d711ac)
#4 0x000106f64250 in std::thread::Builder::spawn::hcdfbe8e1732fae16+0x8 (servo:arm64+0x106d80250)
#5 0x000104d26a48 in _$LT$script..script_thread..ScriptThread$u20$as$u20$layout_api..ScriptThreadFactory$GT$::create::h3d2b007de9faf30e+0x68c (servo:arm64+0x104b42a48)
#6 0x000101c6df9c in constellation::pipeline::Pipeline::spawn::h3906887868c89a38+0x1c00 (servo:arm64+0x101a89f9c)
#7 0x000101a018dc in constellation::constellation::Constellation$LT$STF$C$SWF$GT$::new_pipeline::h0ca2b8770080318f+0x222c (servo:arm64+0x10181d8dc)
#8 0x000101a69724 in constellation::constellation::Constellation$LT$STF$C$SWF$GT$::load_url::h7fe578d05f04c560+0x1a8c (servo:arm64+0x101885724)
#9 0x000101a4b4f0 in constellation::constellation::Constellation$LT$STF$C$SWF$GT$::handle_request_from_compositor::h77f30d87b8ab6fd5+0x2c28 (servo:arm64+0x1018674f0)
#10 0x000101a069e8 in constellation::constellation::Constellation$LT$STF$C$SWF$GT$::handle_request::haca5ebd942db3660+0xe5c (servo:arm64+0x1018229e8)
#11 0x000101a5ffe0 in constellation::constellation::Constellation$LT$STF$C$SWF$GT$::run::hac51243147bc47c7+0x2f0 (servo:arm64+0x10187bfe0)
#12 0x000101a66ed4 in constellation::constellation::Constellation$LT$STF$C$SWF$GT$::start::_$u7b$$u7b$closure$u7d$$u7d$::heb63a2df600b1729+0x2b20 (servo:arm64+0x101882ed4)
#13 0x0001019221f8 in std::sys::backtrace::__rust_begin_short_backtrace::hf4ae49f34d55a208+0xc (servo:arm64+0x10173e1f8)
#14 0x000101c86770 in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::heeb5ad4b13613158+0x228 (servo:arm64+0x101aa2770)
#15 0x000101aab7bc in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::hed28be38ddbca3a5+0x1a0 (servo:arm64+0x1018c77bc)
#16 0x0001019389d4 in std::panicking::catch_unwind::do_call::h42964267616901b4+0x16c (servo:arm64+0x1017549d4)
#17 0x000101938ecc in __rust_try+0x1c (servo:arm64+0x101754ecc)
#18 0x000101938528 in std::panicking::catch_unwind::hef5073395848855c+0x1d0 (servo:arm64+0x101754528)
#19 0x00010196ea5c in std::panic::catch_unwind::h6771ffef5715929e+0x8 (servo:arm64+0x10178aa5c)
#20 0x000101c85460 in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::h2d825af64adb576c+0x5b8 (servo:arm64+0x101aa1460)
#21 0x000101be3100 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h98899569fa8a407d+0x14 (servo:arm64+0x1019ff100)
#22 0x000115aecd84 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::hfcf4c7e0ab37864f+0x168 (servo:arm64+0x115908d84)
#23 0x000115c3e528 in std::sys::thread::unix::Thread::new::thread_start::h8a3050efa7f0ff2f+0x31c (servo:arm64+0x115a5a528)
#24 0x000132b5e7d0 in asan_thread_start(void*)+0x48 (librustc-stable_rt.asan.dylib:arm64+0x4e7d0)
#25 0x000197779c04 in _pthread_start+0x84 (libsystem_pthread.dylib:arm64+0x6c04)
#26 0x000197774ba4 in thread_start+0x4 (libsystem_pthread.dylib:arm64+0x1ba4)
Thread T42 created by T0 here:
#0 0x000132b59600 in pthread_create+0x58 (librustc-stable_rt.asan.dylib:arm64+0x49600)
#1 0x000115c3ed4c in std::sys::thread::unix::Thread::new::h70823b07c5c6679a+0x6e8 (servo:arm64+0x115a5ad4c)
#2 0x000101c844a0 in std::thread::Builder::spawn_unchecked_::he2eeb6a5cdd99856+0xaf4 (servo:arm64+0x101aa04a0)
#3 0x000101c829f4 in std::thread::Builder::spawn_unchecked::h120267fbc6d81347+0x174 (servo:arm64+0x101a9e9f4)
#4 0x000101c86f78 in std::thread::Builder::spawn::h29dcb381aff11212+0x8 (servo:arm64+0x101aa2f78)
#5 0x000101a63f98 in constellation::constellation::Constellation$LT$STF$C$SWF$GT$::start::h67efbd400dd32287+0xab0 (servo:arm64+0x10187ff98)
#6 0x000101b1d734 in servo::create_constellation::hf94945a2c998deea+0x13f4 (servo:arm64+0x101939734)
#7 0x000101b2e898 in servo::Servo::new::h84345c2bec604223+0x1948 (servo:arm64+0x10194a898)
#8 0x000101b1aaf8 in servo::ServoBuilder::build::h6cf0bb1587ca0d12+0x8 (servo:arm64+0x101936af8)
#9 0x0001002dc840 in servoshell::desktop::app::App::init::h5c22859a270bf41e+0x16e0 (servo:arm64+0x1000f8840)
#10 0x0001002dff48 in _$LT$servoshell..desktop..app..App$u20$as$u20$winit..application..ApplicationHandler$LT$servoshell..desktop..events_loop..AppEvent$GT$$GT$::resumed::hb8f86db7ed618e3e+0x1c (servo:arm64+0x1000fbf48)
#11 0x00010022f154 in winit::event_loop::EventLoop$LT$T$GT$::run_app::_$u7b$$u7b$closure$u7d$$u7d$::h30e8b3b30a87cbfd+0x3ec (servo:arm64+0x10004b154)
#12 0x00010034881c in winit::platform_impl::macos::event_loop::map_user_event::_$u7b$$u7b$closure$u7d$$u7d$::ha57abe37160fa20a+0x2e0 (servo:arm64+0x10016481c)
#13 0x00010179a4b4 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnMut$LT$Args$GT$$GT$::call_mut::he6477441bfd0d152+0x1ec (servo:arm64+0x1015b64b4)
#14 0x0001017bbca0 in winit::platform_impl::macos::event_handler::EventHandler::handle_event::h589356708df2202e+0x590 (servo:arm64+0x1015d7ca0)
#15 0x0001018417f0 in winit::platform_impl::macos::app_state::ApplicationDelegate::handle_event::h006b1e5b6f84937f+0x21c (servo:arm64+0x10165d7f0)
#16 0x000101844f98 in winit::platform_impl::macos::app_state::ApplicationDelegate::dispatch_init_events::hd29664fb856db9d9+0x208 (servo:arm64+0x101660f98)
#17 0x000101844b78 in winit::platform_impl::macos::app_state::ApplicationDelegate::did_finish_launching::hc55a5f6bff72d9cd+0x628 (servo:arm64+0x101660b78)
#18 0x0001018450e0 in winit::platform_impl::macos::app_state::ApplicationDelegate::app_did_finish_launching::h115945a88f3047c0+0x4c (servo:arm64+0x1016610e0)
#19 0x00019780f480 in __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__+0x90 (CoreFoundation:arm64+0x56480)
#20 0x000197873f30 in ___CFXRegistrationPost_block_invoke+0x58 (CoreFoundation:arm64+0xbaf30)
#21 0x000197873e74 in _CFXRegistrationPost+0x1b0 (CoreFoundation:arm64+0xbae74)
#22 0x0001977edf98 in _CFXNotificationPost+0x2e0 (CoreFoundation:arm64+0x34f98)
#23 0x000199a0f304 in -[NSNotificationCenter postNotificationName:object:userInfo:]+0x54 (Foundation:arm64+0xa0c304)
#24 0x00019bc26e70 in -[NSApplication _postDidFinishNotification]+0x118 (AppKit:arm64+0x24e70)
#25 0x00019bc26c20 in -[NSApplication _sendFinishLaunchingNotification]+0xa8 (AppKit:arm64+0x24c20)
#26 0x00019c19e568 in -[NSApplication(NSAppleEventHandling) _handleAEOpenEvent:]+0x1e4 (AppKit:arm64+0x59c568)
#27 0x00019c1a1d6c in -[NSApplication(NSAppleEventHandling) _handleCoreEvent:withReplyEvent:]+0x1e4 (AppKit:arm64+0x59fd6c)
#28 0x00019995c724 in -[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:]+0x138 (Foundation:arm64+0x959724)
#29 0x00019901b684 in _NSAppleEventManagerGenericHandler+0x4c (Foundation:arm64+0x18684)
#30 0x00019fa340f0 (AE:arm64+0xb0f0)
#31 0x00019fa33a30 (AE:arm64+0xaa30)
#32 0x00019fa2d0e4 in aeProcessAppleEvent+0x1e0 (AE:arm64+0x40e4)
#33 0x0001a42297b4 in AEProcessAppleEvent+0x40 (HIToolbox:arm64+0x167b4)
#34 0x00019bc220f4 in _DPSNextEvent+0x50c (AppKit:arm64+0x200f4)
#35 0x00019c6eff40 in -[NSApplication(NSEventRouting) _nextEventMatchingEventMask:untilDate:inMode:dequeue:]+0x2ac (AppKit:arm64+0xaedf40)
#36 0x00019c6efc4c in -[NSApplication(NSEventRouting) nextEventMatchingMask:untilDate:inMode:dequeue:]+0x44 (AppKit:arm64+0xaedc4c)
#37 0x00019bc1a77c in -[NSApplication run]+0x16c (AppKit:arm64+0x1877c)
#38 0x00010189df40 in _$LT$$LP$$RP$$u20$as$u20$objc2..encode..EncodeArguments$GT$::__invoke::hf7c0dba61c8066e6+0x30 (servo:arm64+0x1016b9f40)
#39 0x0001018a42ac in objc2::runtime::message_receiver::msg_send_primitive::send::h29f8ca68ad9a4cf0+0x38 (servo:arm64+0x1016c02ac)
#40 0x00010188e6d0 in objc2::runtime::message_receiver::MessageReceiver::send_message::hd4aa3639bb93d1b0+0xac (servo:arm64+0x1016aa6d0)
#41 0x0001018707a0 in objc2::__macro_helpers::msg_send::MsgSend::send_message::h601c799a6f166591+0xa8 (servo:arm64+0x10168c7a0)
#42 0x00010186fc34 in objc2_app_kit::generated::__NSApplication::NSApplication::run::heafff6120e1f9ab8+0x40 (servo:arm64+0x10168bc34)
#43 0x000100349374 in winit::platform_impl::macos::event_loop::EventLoop$LT$T$GT$::run_on_demand::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h8d82f338b12ea93a+0x1f0 (servo:arm64+0x100165374)
#44 0x00010042cce8 in objc2::rc::autorelease::autoreleasepool::h882a1d32a65c2fbb+0x1ec (servo:arm64+0x100248ce8)
#45 0x0001003490f0 in winit::platform_impl::macos::event_loop::EventLoop$LT$T$GT$::run_on_demand::_$u7b$$u7b$closure$u7d$$u7d$::h5faf10c88d35c1c4+0x1c8 (servo:arm64+0x1001650f0)
#46 0x000100308d78 in winit::platform_impl::macos::event_handler::EventHandler::set::h4319dab6164f9a48+0x5d0 (servo:arm64+0x100124d78)
#47 0x0001003547ec in winit::platform_impl::macos::app_state::ApplicationDelegate::set_event_handler::hdd9f59f5c1460ee6+0x1f4 (servo:arm64+0x1001707ec)
#48 0x000100348da0 in winit::platform_impl::macos::event_loop::EventLoop$LT$T$GT$::run_on_demand::hadf4d411c101daff+0x240 (servo:arm64+0x100164da0)
#49 0x000100349da8 in winit::platform_impl::macos::event_loop::EventLoop$LT$T$GT$::run::hbe80e96e16ddbeac+0x18 (servo:arm64+0x100165da8)
#50 0x00010022ecc8 in winit::event_loop::EventLoop$LT$T$GT$::run_app::h18dcd9bad2f4691e+0x154 (servo:arm64+0x10004acc8)
#51 0x000100353604 in servoshell::desktop::events_loop::EventsLoop::run_app::he18b976584d4fd8a+0x21c (servo:arm64+0x10016f604)
#52 0x0001001f3f18 in servoshell::desktop::cli::main::hf644f0332718231e+0x99c (servo:arm64+0x10000ff18)
#53 0x0001002c59e4 in servoshell::main::ha23bd328d74e62bf+0x8 (servo:arm64+0x1000e19e4)
#54 0x0001001e5cb4 in servo::main::h4831468dd4e44d5d main.rs:26
#55 0x0001001e5650 in core::ops::function::FnOnce::call_once::h06a80d5361c21501 function.rs:250
#56 0x0001001e5514 in std::sys::backtrace::__rust_begin_short_backtrace::h824d117833219a59 backtrace.rs:158
#57 0x0001001e5c0c in std::rt::lang_start::_$u7b$$u7b$closure$u7d$$u7d$::h1c290b7d39db66a9 rt.rs:206
#58 0x000115aa5078 in core::ops::function::impls::_$LT$impl$u20$core..ops..function..FnOnce$LT$A$GT$$u20$for$u20$$RF$F$GT$::call_once::h756f6935ec9f14fd+0x5c (servo:arm64+0x1158c1078)
#59 0x000115b43e18 in std::panicking::catch_unwind::do_call::hb14e7a47ce7ee4a4+0x90 (servo:arm64+0x11595fe18)
#60 0x000115b638f8 in __rust_try+0x1c (servo:arm64+0x11597f8f8)
#61 0x000115b433c0 in std::panicking::catch_unwind::h6d35724766069a11+0x154 (servo:arm64+0x11595f3c0)
#62 0x000115ca3710 in std::panic::catch_unwind::ha43ad12fa8a28007+0x1c (servo:arm64+0x115abf710)
#63 0x000115acc97c in std::rt::lang_start_internal::_$u7b$$u7b$closure$u7d$$u7d$::h50fe17f24c93d7ff+0x23c (servo:arm64+0x1158e897c)
#64 0x000115b4401c in std::panicking::catch_unwind::do_call::hb55f6c35ffa509c9+0x184 (servo:arm64+0x11596001c)
#65 0x000115b638f8 in __rust_try+0x1c (servo:arm64+0x11597f8f8)
#66 0x000115b43ad4 in std::panicking::catch_unwind::hcd5c5a34fc39a9e3+0x16c (servo:arm64+0x11595fad4)
#67 0x000115ca36e8 in std::panic::catch_unwind::h8accaf7b7667acc4+0x8 (servo:arm64+0x115abf6e8)
#68 0x000115acc670 in std::rt::lang_start_internal::h1eea90c872e46358+0x1a0 (servo:arm64+0x1158e8670)
#69 0x0001001e5b40 in std::rt::lang_start::h67f7da8a201965b8 rt.rs:205
#70 0x0001001e5ce0 in main+0x20 (servo:arm64+0x100001ce0)
#71 0x0001973b1d50 (<unknown module>)
SUMMARY: AddressSanitizer: heap-use-after-free (servo:arm64+0x10417587c) in canvas_traits::webgl::WebGLMsgSender::send::h52a40dca4e14149b+0x164
Shadow bytes around the buggy address:
0x6180002ffe00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x6180002ffe80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x6180002fff00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x6180002fff80: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
0x618000300000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x618000300080: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
0x618000300100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x618000300180: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x618000300200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x618000300280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x618000300300: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==90062==ABORTING
To Reproduce:
Patch stylo to use this PR servo/stylo#269 (otherwise ASAN builds always run out of stack space in stylo)
./mach build --with-asan
./mach run --with-asan https://global.jd.com
# Wait for the page to finish loading, and then click around on the page, e.g. the phone section.
Platform:
Specify OS, distribution, and hardware platform.
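What the trace above shows: frame #3 of the READ stack is `<WebGLProgram as Drop>::drop`, which calls `mark_for_deletion` and then `WebGLMsgSender::send`, and the 8-byte read lands 24 bytes into the 824-byte `WebGLRenderingContext` allocation that the "freed by" stack shows was already finalized (`drop_in_place<Box<WebGLRenderingContext>>` from `finalize_weak_referenceable`) by the same GC sweep, both under `js::gc::Arena::finalize` triggered from `Window::Gc` during `Window::suspend`. The Rust example below is added here and is not Servo code; `Context`, `Program`, `Channel`, `Finalizable` and `sweep` are hypothetical stand-ins for the rendering context, the program object, the WebGL command channel, a GC-managed object and the collector's sweep. It shows one way a finalizer can tolerate its sibling having been collected first: hold a `Weak` link and check `upgrade()` before touching the context. The page does not say how the issue was actually fixed, so treat this as one hardening pattern rather than the project's fix.

```rust
// Added example, not Servo code. All type and function names are hypothetical
// stand-ins chosen to mirror the objects named in the ASAN trace.
use std::cell::RefCell;
use std::rc::{Rc, Weak};

/// Command a program's finalizer wants to forward to the render thread.
#[derive(Debug, Clone, PartialEq)]
pub enum Command {
    DeleteProgram(u32),
}

/// Stand-in for the channel to the WebGL thread. It outlives every object
/// here, which lets the caller observe what actually got sent.
pub type Channel = Rc<RefCell<Vec<Command>>>;

/// Stand-in for the rendering context that owns the sender.
pub struct Context {
    channel: Channel,
}

impl Context {
    pub fn new(channel: &Channel) -> Rc<Context> {
        Rc::new(Context { channel: Rc::clone(channel) })
    }

    pub fn send(&self, cmd: Command) {
        self.channel.borrow_mut().push(cmd);
    }
}

/// Stand-in for a program object. In the crash the program's link to its
/// context did not keep the context alive through finalization, and Drop
/// dereferenced it anyway. Here the link is a `Weak`, so Drop can tell that
/// the context has already been collected.
pub struct Program {
    id: u32,
    context: Weak<Context>,
}

impl Program {
    pub fn new(id: u32, context: &Rc<Context>) -> Program {
        Program { id, context: Rc::downgrade(context) }
    }

    /// Returns true when the context was still alive and the delete was sent.
    /// When the context is gone its GPU resources went with it, so there is
    /// nothing to send and, more importantly, nothing to dereference.
    pub fn mark_for_deletion(&self) -> bool {
        match self.context.upgrade() {
            Some(ctx) => {
                ctx.send(Command::DeleteProgram(self.id));
                true
            }
            None => false,
        }
    }
}

impl Drop for Program {
    fn drop(&mut self) {
        self.mark_for_deletion();
    }
}

/// One GC-managed object awaiting finalization.
pub enum Finalizable {
    Context(Rc<Context>),
    Program(Program),
}

/// Simulated sweep: finalizers run in whatever order the collector chose.
/// DOM code cannot rely on that order, which is the point of the example.
pub fn sweep(objects: Vec<Finalizable>) {
    for obj in objects {
        drop(obj);
    }
}

/// The ordering from the ASAN report: context finalized before the program.
/// With the `Weak` link the program's finalizer sends nothing instead of
/// reading freed memory.
pub fn context_finalized_first() -> Vec<Command> {
    let channel: Channel = Rc::new(RefCell::new(Vec::new()));
    let ctx = Context::new(&channel);
    let prog = Program::new(7, &ctx);
    sweep(vec![Finalizable::Context(ctx), Finalizable::Program(prog)]);
    let sent = channel.borrow().clone();
    sent
}

/// The benign ordering: the program goes first and its delete is delivered.
pub fn program_finalized_first() -> Vec<Command> {
    let channel: Channel = Rc::new(RefCell::new(Vec::new()));
    let ctx = Context::new(&channel);
    let prog = Program::new(7, &ctx);
    sweep(vec![Finalizable::Program(prog), Finalizable::Context(ctx)]);
    let sent = channel.borrow().clone();
    sent
}

fn main() {
    println!("context first: {:?}", context_finalized_first());
    println!("program first: {:?}", program_finalized_first());
}
```

The general rule this encodes: a finalizer may only touch another collected object through a handle that either keeps it alive or can report that it is gone; a plain pointer copied at construction time (the pattern the trace implies) is neither, and under ASAN the first sweep that picks the other order turns it into exactly this report.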