Talos Vulnerability Report

TALOS-2019-0943

Apple Safari SVG Marker Element baseVal Remote Code Execution Vulnerability

December 11, 2019
CVE Number

CVE-2019-8846

Summary

A freed memory access vulnerability exists in the SVG Marker Element feature of Apple Safari’s WebKit version 13.0.2. A specially crafted HTML web page can cause a use after free, resulting in memory corruption and possibly arbitrary code execution. To trigger this vulnerability, a specifically crafted HTML web page needs to be opened in the browser.

Tested Versions

Safari Version 13.0.2 (15608.2.30.1.1) Webkit GIT 497221ef6a94f0603c1e8c4207094fc50e8ccf2a

Product URLs

https://www.apple.com/safari/
https://webkit.org/

CVSSv3 Score

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-416: Use After Free

Details

WebCore is the DOM rendering system for WebKit, which is used in the Safari web browser.

While rendering the supplied PoC web page, the marker element is overwritten by JavaScript code executed from a script element. The supplied PoC code was tested, with the same results, on the current release branch of Safari as well as the latest git head version of WebKit.

The AddressSanitizer crash below occurs when the value property of the baseVal property of the orientAngle attribute of an SVG marker element is accessed, or assigned to, in the following lines of the PoC:

zmienna3 = svg3.orientAngle; 
zmienna3.baseVal.value = 1;

Disassembly of the crash with register information:

WebCore`WebCore::SVGElement::commitPropertyChange:
    0x42eae7ce0 <+0>:  pushq  %rbp
    0x42eae7ce1 <+1>:  movq   %rsp, %rbp
    0x42eae7ce4 <+4>:  subq   $0x50, %rsp
    0x42eae7ce8 <+8>:  movq   %rdi, -0x8(%rbp)
    0x42eae7cec <+12>: movq   %rsi, -0x10(%rbp)
    0x42eae7cf0 <+16>: movq   -0x8(%rbp), %rsi
    0x42eae7cf4 <+20>: movq   (%rsi), %rdi
    0x42eae7cf7 <+23>: movq   %rdi, -0x30(%rbp)
    0x42eae7cfb <+27>: movq   %rsi, %rdi
    0x42eae7cfe <+30>: movq   -0x30(%rbp), %rax
    0x42eae7d02 <+34>: movq   %rsi, -0x38(%rbp)
    0x42eae7d06 <+38>: callq  *0x4e0(%rax)
    0x42eae7d0c <+44>: movq   -0x10(%rbp), %rdx
    0x42eae7d10 <+48>: movq   (%rax), %rsi
    0x42eae7d13 <+51>: leaq   -0x18(%rbp), %rdi
    0x42eae7d17 <+55>: movq   %rsi, -0x40(%rbp)
    0x42eae7d1b <+59>: movq   %rax, %rsi
    0x42eae7d1e <+62>: movq   -0x40(%rbp), %rax
->  0x42eae7d22 <+66>: callq  *0x20(%rax)

(lldb) register read
General Purpose Registers:
       rax = 0x000000042d24b740  WebCore`WebCore::Node::eventTargetInterface() const at Node.cpp:1947
       rbx = 0x0000000000000000
       rcx = 0x000000044e7f0210
       rdx = 0x000000044e7f0210
       rdi = 0x00007ffee1dbd4d8
       rsi = 0x0000000430747400  WebCore`vtable for WebCore::Node + 16
       rbp = 0x00007ffee1dbd4f0
       rsp = 0x00007ffee1dbd4a0
        r8 = 0x000000000000002c
        r9 = 0xfffe0000000000fe
       r10 = 0x0000000000000001
       r11 = 0x000000044cce7e00
       r12 = 0x000000044cafdb10
       r13 = 0x000000044c862240
       r14 = 0xfffe000000000000
       r15 = 0xfffe000000000002
       rip = 0x000000042eae7d22  WebCore`WebCore::SVGElement::commitPropertyChange(WebCore::SVGAnimatedProperty&) + 66 at SVGElement.cpp:549:54

The marker element is replaced by the JavaScript command svg2.innerHTML = Array(130).fill("B").join(""); which replaces the child of the SVGPathElement (svg2) with a string of B characters, effectively setting m_firstChild and m_lastChild to the newly created string of B:

m_firstChild = 0x000000044e6cc160
m_lastChild = 0x000000044e6cc160

Which results in memory:

(lldb) x/10x 0x000000044e6cc160
0x44e6cc160: 0x0000000430749e20 0x0000000000000000
0x44e6cc170: 0x0000000100000000 0x0000000000080101
0x44e6cc180: 0x000000044d0a3580 0x000000044d0a2110
0x44e6cc190: 0x0000000000000000 0x0000000000000000
0x44e6cc1a0: 0x0000000000000000 0x0000000000000000

Which points to:

(lldb) x/10x 0x0000000430749e20
0x430749e20: 0x000000042d24b740 0x000000042aceb920
0x430749e30: 0x000000042d243490 0x000000042d1ccf50
0x430749e40: 0x000000042d24c9c0 0x000000042d24cb40
0x430749e50: 0x000000042d1ced90 0x000000042d24dec0
0x430749e60: 0x000000042d1ce300 0x000000042d312800

(lldb) x/10x 0x000000042d24b740
0x42d24b740: 0xf87d8948e5894855 0x90c35d0000002fb8
0x42d24b750: 0xb0ec8148e5894855 0x48f87d8948000000
0x42d24b760: 0x48e8558948f07589 0x0fe8453b48f0458b
0x42d24b770: 0x3d8d480000004685 0x0007c0be02a37e7d
0x42d24b780: 0x02a3836a158d4800 0xe802a383ce0d8d48

In summary, zmienna3.baseVal ends up accessing a value that no longer exists, because replacing the child element freed the marker element that owned it.
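The ownership chain behind this crash (script wrapper -> baseVal angle -> orientAngle animated property -> marker element, with only the last link being a raw back-pointer) can be modelled in a few dozen lines. The following is an added illustration, not WebKit code and not the PoC: it reproduces the report's sequence on a toy DOM and shows the defensive invariant that closes the hole, namely that the element's destructor detaches its animated properties so a later commit from script is refused instead of dereferencing freed memory. All type and function names below are assumptions for the model.

```cpp
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Toy model (not WebKit's classes) of the objects named in the ASan trace:
//   JSSVGAngle (script wrapper) -> AnimatedAngle (orientAngle / baseVal)
//   -> Element (SVGMarkerElement) via a raw, non-owning back-pointer.
struct Element;

struct AnimatedAngle {
    Element* contextElement;   // raw back-pointer: the dangerous edge
    float baseVal = 0.0f;

    explicit AnimatedAngle(Element* e) : contextElement(e) {}

    // Hardened path: the element clears this pointer when it dies.
    // Without this detach, commitPropertyChange() below would read
    // through a dangling pointer, which is the heap-use-after-free
    // reported in SVGElement::commitPropertyChange.
    void detach() { contextElement = nullptr; }

    bool commitPropertyChange();
};

struct Element {
    std::string tag;
    std::shared_ptr<AnimatedAngle> orientAngle;
    std::vector<std::shared_ptr<Element>> children;
    int propertyChangeCount = 0;   // stands in for "element was touched"

    explicit Element(std::string t)
        : tag(std::move(t)), orientAngle(std::make_shared<AnimatedAngle>(this)) {}

    // Invariant: no property may outlive the element with a live back-pointer.
    ~Element() { orientAngle->detach(); }
};

bool AnimatedAngle::commitPropertyChange() {
    if (!contextElement)
        return false;   // element already destroyed: refuse the commit
    contextElement->propertyChangeCount++;
    return true;
}

// Script-side wrapper: keeps the property alive (shared_ptr), but, as in the
// report, holds no reference to the element itself.
struct JSSVGAngle {
    std::shared_ptr<AnimatedAngle> prop;
    bool setValue(float v) {
        prop->baseVal = v;
        return prop->commitPropertyChange();
    }
};

struct SequenceResult {
    bool committedWhileAlive;
    bool committedAfterFree;
};

// Replays the PoC's ordering on the model:
//   zmienna3 = svg3.orientAngle;  svg2.innerHTML = "BBB...";  zmienna3.baseVal.value = 1;
SequenceResult runSequence() {
    auto svg2 = std::make_shared<Element>("path");
    auto marker = std::make_shared<Element>("marker");
    svg2->children.push_back(marker);

    JSSVGAngle zmienna3{marker->orientAngle};   // script keeps only the property
    marker.reset();                             // tree is now the sole owner

    bool alive = zmienna3.setValue(1.0f);       // element present: commit succeeds

    svg2->children.clear();                     // innerHTML replacement drops the
                                                // marker's last ref -> ~Element -> detach()

    bool afterFree = zmienna3.setValue(1.0f);   // must not touch the freed element
    return {alive, afterFree};
}
```

Running the same sequence with the detach() call removed from ~Element is exactly the pattern ASan flags above; the model keeps the hardened form only.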

Crash Information

=================================================================
==11242==ERROR: AddressSanitizer: heap-use-after-free on address 0x61300003f200 at pc 0x00021aab3c33 bp 0x7ffeef157c90 sp 0x7ffeef157c88
READ of size 8 at 0x61300003f200 thread T0
==11242==WARNING: invalid path to external symbolizer!
==11242==WARNING: Failed to use and restart external symbolizer!
    #0 0x21aab3c32 in WebCore::SVGElement::commitPropertyChange(WebCore::SVGAnimatedProperty&) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0xaf57c32)
    #1 0x21b2a99e1 in WebCore::SVGAnimatedProperty::commitPropertyChange(WebCore::SVGProperty*) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0xb74d9e1)
    #2 0x21af52c35 in WebCore::SVGAnimatedValueProperty<WebCore::SVGAngle>::commitPropertyChange(WebCore::SVGProperty*) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0xb3f6c35)
    #3 0x2126979cc in WebCore::SVGProperty::commitChange() (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x2b3b9cc)
    #4 0x212697799 in WebCore::SVGAngle::setValueForBindings(float) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x2b3b799)
    #5 0x2126975bc in WebCore::setJSSVGAngleValueSetter(JSC::CallFrame&, WebCore::JSSVGAngle&, JSC::JSValue, JSC::ThrowScope&)::'lambda'()::operator()() const (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x2b3b5bc)
    #6 0x2126973cb in std::__1::enable_if<!(std::is_same<void, decltype(fp1())>::value), void>::type WebCore::AttributeSetter::call<WebCore::setJSSVGAngleValueSetter(JSC::CallFrame&, WebCore::JSSVGAngle&, JSC::JSValue, JSC::ThrowScope&)::'lambda'()>(JSC::CallFrame&, JSC::ThrowScope&, WebCore::setJSSVGAngleValueSetter(JSC::CallFrame&, WebCore::JSSVGAngle&, JSC::JSValue, JSC::ThrowScope&)::'lambda'()&&) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x2b3b3cb)
    #7 0x2126971e3 in WebCore::setJSSVGAngleValueSetter(JSC::CallFrame&, WebCore::JSSVGAngle&, JSC::JSValue, JSC::ThrowScope&) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x2b3b1e3)
    #8 0x2125a7661 in bool WebCore::IDLAttribute<WebCore::JSSVGAngle>::set<&(WebCore::setJSSVGAngleValueSetter(JSC::CallFrame&, WebCore::JSSVGAngle&, JSC::JSValue, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::CallFrame&, long long, long long, char const*) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x2a4b661)
    #9 0x2125a731b in WebCore::setJSSVGAngleValue(JSC::CallFrame*, long long, long long) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x2a4b31b)
    #10 0x24088196c in JSC::callCustomSetter(JSC::CallFrame*, bool (*)(JSC::CallFrame*, long long, long long), bool, JSC::JSValue, JSC::JSValue) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x415f96c)
    #11 0x240881e94 in JSC::callCustomSetter(JSC::CallFrame*, JSC::JSValue, bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x415fe94)
    #12 0x240be2737 in JSC::JSObject::putInlineSlow(JSC::CallFrame*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x44c0737)
    #13 0x23f5cef53 in JSC::JSObject::putInlineForJSObject(JSC::JSCell*, JSC::CallFrame*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2eacf53)
    #14 0x23f5cdee3 in JSC::JSCell::putInline(JSC::CallFrame*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2eabee3)
    #15 0x23f5d5485 in JSC::JSValue::putInline(JSC::CallFrame*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2eb3485)
    #16 0x24021f8b4 in llint_slow_path_put_by_id (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3afd8b4)
    #17 0x23d86d7af in llint_entry (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x114b7af)
    #18 0x23d87f824 in llint_entry (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x115d824)
    #19 0x23d87f824 in llint_entry (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x115d824)
    #20 0x23d863171 in vmEntryToJavaScript (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1141171)
    #21 0x23fe89036 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3767036)
    #22 0x23fe8a0ab in JSC::Interpreter::executeCall(JSC::CallFrame*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x37680ab)
    #23 0x240741634 in JSC::call(JSC::CallFrame*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x401f634)
    #24 0x240741bb1 in JSC::call(JSC::CallFrame*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x401fbb1)
    #25 0x24074293d in JSC::profiledCall(JSC::CallFrame*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x402093d)
    #26 0x215738401 in WebCore::JSExecState::profiledCall(JSC::CallFrame*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x5bdc401)
    #27 0x215782922 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x5c26922)
    #28 0x2167f81c3 in WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>, WebCore::EventTarget::EventInvokePhase) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x6c9c1c3)
    #29 0x2167eef35 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x6c92f35)
    #30 0x21845b7ac in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x88ff7ac)
    #31 0x21847732f in WebCore::DOMWindow::dispatchLoadEvent() (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x891b32f)
    #32 0x216581e6c in WebCore::Document::dispatchWindowLoadEvent() (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x6a25e6c)
    #33 0x2165814f8 in WebCore::Document::implicitClose() (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x6a254f8)
    #34 0x2180b35de in WebCore::FrameLoader::checkCallImplicitClose() (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x85575de)
    #35 0x2180b2672 in WebCore::FrameLoader::checkCompleted() (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x8556672)
    #36 0x2180ad651 in WebCore::FrameLoader::finishedParsing() (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x8551651)
    #37 0x2165ae86f in WebCore::Document::finishedParsing() (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x6a5286f)
    #38 0x21770b587 in WebCore::HTMLConstructionSite::finishedParsing() (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x7baf587)
    #39 0x2177930dd in WebCore::HTMLTreeBuilder::finished() (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x7c370dd)
    #40 0x217728ab1 in WebCore::HTMLDocumentParser::end() (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x7bccab1)
    #41 0x217724b61 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x7bc8b61)
    #42 0x21772479e in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x7bc879e)
    #43 0x217728bcd in WebCore::HTMLDocumentParser::attemptToEnd() (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x7bccbcd)
    #44 0x217728d03 in WebCore::HTMLDocumentParser::finish() (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x7bccd03)
    #45 0x217fd860f in WebCore::DocumentWriter::end() (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x847c60f)
    #46 0x217fd6131 in WebCore::DocumentLoader::finishedLoading() (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x847a131)
    #47 0x217fd5866 in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x8479866)
    #48 0x21831567f in WebCore::CachedResource::checkNotify() (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x87b967f)
    #49 0x21830c547 in WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x87b0547)
    #50 0x21830ecb7 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x87b2cb7)
    #51 0x2181fe1d4 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x86a21d4)
    #52 0x2029b2d33 in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x29b2d33)
    #53 0x20370232b in void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>&&, std::__1::integer_sequence<unsigned long, 0ul>) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x370232b)
    #54 0x203702003 in void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>, std::__1::integer_sequence<unsigned long, 0ul> >(std::__1::tuple<WebCore::NetworkLoadMetrics>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x3702003)
    #55 0x2036fe567 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x36fe567)
    #56 0x2036fbf11 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x36fbf11)
    #57 0x20298fe11 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x298fe11)
    #58 0x2000fee48 in IPC::Connection::dispatchMessage(IPC::Decoder&) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0xfee48)
    #59 0x2000ebb25 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0xebb25)
    #60 0x200101533 in IPC::Connection::dispatchOneIncomingMessage() (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x101533)
    #61 0x20014171a in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_7::operator()() (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x14171a)
    #62 0x200141608 in WTF::Detail::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_7, void>::call() (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x141608)
    #63 0x23c796bb1 in WTF::Function<void ()>::operator()() const (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x74bb1)
    #64 0x23c8d6866 in WTF::RunLoop::performWork() (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1b4866)
    #65 0x23c8d9c97 in WTF::RunLoop::performWork(__CFMachPort*, void*, long, void*) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1b7c97)
    #66 0x7fff38fd4d48 in __CFMachPortPerform (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x52d48)
    #67 0x7fff38fd4c1e in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE1_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x52c1e)
    #68 0x7fff38fd4b6e in __CFRunLoopDoSource1 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x52b6e)
    #69 0x7fff38fbcacb in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x3aacb)
    #70 0x7fff38fbbe12 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x39e12)
    #71 0x7fff3b658cac in -[NSRunLoop(NSRunLoop) runMode:beforeDate:] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x1bcac)
    #72 0x7fff3b658bc5 in -[NSRunLoop(NSRunLoop) run] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x1bbc5)
    #73 0x7fff705219d5 in _xpc_objc_main.cold.4 (/usr/lib/system/libxpc.dylib:x86_64+0x269d5)
    #74 0x7fff7050a7e0 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf7e0)
    #75 0x7fff7050a2fb in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf2fb)
    #76 0x20112d3fc in WebKit::XPCServiceMain(int, char const**) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x112d3fc)
    #77 0x20384d21a in WKXPCServiceMain (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x384d21a)
    #78 0x100a9de31 in main (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x100000e31)
    #79 0x7fff702bb404 in start (/usr/lib/system/libdyld.dylib:x86_64+0x11404)

0x61300003f200 is located 0 bytes inside of 336-byte region [0x61300003f200,0x61300003f350)
freed by thread T0 here:
    #0 0x20d8a889b in __sanitizer_mz_free (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/com.apple.WebKit.WebContent.xpc/Contents/Frameworks/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x6189b)
    #1 0x23ca8dd8f in bmalloc::DebugHeap::free(void*) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x36bd8f)
    #2 0x23ca87224 in bmalloc::Cache::deallocateSlowCaseNullCache(bmalloc::HeapKind, void*) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x365224)
    #3 0x20fd4473e in bmalloc::Cache::deallocate(bmalloc::HeapKind, void*) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x1e873e)
    #4 0x20fd446fa in bmalloc::api::free(void*, bmalloc::HeapKind) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x1e86fa)
    #5 0x21af8524c in void bmalloc::IsoTLS::deallocateSlow<bmalloc::IsoConfig<336u>, WebCore::SVGMarkerElement>(bmalloc::api::IsoHeap<WebCore::SVGMarkerElement>&, void*) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0xb42924c)
    #6 0x21af85086 in void bmalloc::IsoTLS::deallocateImpl<bmalloc::IsoConfig<336u>, WebCore::SVGMarkerElement>(bmalloc::api::IsoHeap<WebCore::SVGMarkerElement>&, void*) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0xb429086)
    #7 0x21af84fcc in void bmalloc::IsoTLS::deallocate<WebCore::SVGMarkerElement>(bmalloc::api::IsoHeap<WebCore::SVGMarkerElement>&, void*) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0xb428fcc)
    #8 0x21af1053c in bmalloc::api::IsoHeap<WebCore::SVGMarkerElement>::deallocate(void*) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0xb3b453c)
    #9 0x21af1050c in WebCore::SVGMarkerElement::operator delete(void*) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0xb3b450c)
    #10 0x21af2ee71 in WebCore::SVGMarkerElement::~SVGMarkerElement() (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0xb3d2e71)
    #11 0x21692d91f in WebCore::Node::removedLastRef() (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x6dd191f)
    #12 0x20fbac72f in WebCore::Node::deref() const (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x5072f)
    #13 0x216918c14 in WebCore::Node::derefEventTarget() (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x6dbcc14)
    #14 0x2108164f3 in WebCore::EventTarget::deref() (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0xcba4f3)
    #15 0x210816460 in WTF::Ref<WebCore::EventTarget, WTF::DumbPtrTraits<WebCore::EventTarget> >::~Ref() (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0xcba460)
    #16 0x2106cd964 in WTF::Ref<WebCore::EventTarget, WTF::DumbPtrTraits<WebCore::EventTarget> >::~Ref() (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0xb71964)
    #17 0x21139fd38 in WebCore::JSDOMWrapper<WebCore::EventTarget>::~JSDOMWrapper() (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x1843d38)
    #18 0x21139fd14 in WebCore::JSEventTarget::~JSEventTarget() (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x1843d14)
    #19 0x2112c86c4 in WebCore::JSEventTarget::~JSEventTarget() (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x176c6c4)
    #20 0x21122023c in WebCore::JSEventTarget::destroy(JSC::JSCell*) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x16c423c)
    #21 0x240a444ac in JSC::JSDestructibleObjectDestroyFunc::operator()(JSC::VM&, JSC::JSCell*) const (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x43224ac)
    #22 0x240a62a48 in void JSC::MarkedBlock::Handle::specializedSweep<false, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)0, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)0, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'(void*)::operator()(void*) const (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x4340a48)
    #23 0x240a62b99 in void JSC::MarkedBlock::Handle::specializedSweep<false, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)0, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)0, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'(unsigned long)::operator()(unsigned long) const (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x4340b99)
    #24 0x240a4d1e9 in void JSC::MarkedBlock::Handle::specializedSweep<false, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)0, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)0, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x432b1e9)
    #25 0x240a441c6 in void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x43221c6)
    #26 0x240a4365e in JSC::JSDestructibleObjectHeapCellType::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x432165e)
    #27 0x23fb2d99b in JSC::Subspace::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x340b99b)
    #28 0x23fad6f4f in JSC::MarkedBlock::Handle::sweep(JSC::FreeList*) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x33b4f4f)
    #29 0x23fab5f58 in JSC::LocalAllocator::tryAllocateIn(JSC::MarkedBlock::Handle*) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3393f58)

previously allocated by thread T0 here:
    #0 0x20d8a8333 in __sanitizer_mz_malloc (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/com.apple.WebKit.WebContent.xpc/Contents/Frameworks/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x61333)
    #1 0x7fff704797ff in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x17ff)
    #2 0x23ca8dbe2 in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x36bbe2)
    #3 0x23ca86ad9 in bmalloc::Cache::tryAllocateSlowCaseNullCache(bmalloc::HeapKind, unsigned long) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x364ad9)
    #4 0x20fd29b4e in bmalloc::Cache::tryAllocate(bmalloc::HeapKind, unsigned long) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x1cdb4e)
    #5 0x20fd2968a in bmalloc::api::tryMalloc(unsigned long, bmalloc::HeapKind) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x1cd68a)
    #6 0x21af839c4 in void* bmalloc::IsoTLS::allocateSlow<bmalloc::IsoConfig<336u>, WebCore::SVGMarkerElement>(bmalloc::api::IsoHeap<WebCore::SVGMarkerElement>&, bool) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0xb4279c4)
    #7 0x21af8385e in void* bmalloc::IsoTLS::allocateImpl<bmalloc::IsoConfig<336u>, WebCore::SVGMarkerElement>(bmalloc::api::IsoHeap<WebCore::SVGMarkerElement>&, bool) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0xb42785e)
    #8 0x21af837a4 in void* bmalloc::IsoTLS::allocate<WebCore::SVGMarkerElement>(bmalloc::api::IsoHeap<WebCore::SVGMarkerElement>&, bool) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0xb4277a4)
    #9 0x21af104e0 in bmalloc::api::IsoHeap<WebCore::SVGMarkerElement>::allocate() (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0xb3b44e0)
    #10 0x21af104b2 in WebCore::SVGMarkerElement::operator new(unsigned long) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0xb3b44b2)
    #11 0x21af10577 in WebCore::SVGMarkerElement::create(WebCore::QualifiedName const&, WebCore::Document&) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0xb3b4577)
    #12 0x2138766ca in WebCore::markerConstructor(WebCore::QualifiedName const&, WebCore::Document&, bool) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x3d1a6ca)
    #13 0x2137b84ee in WebCore::SVGElementFactory::createElement(WebCore::QualifiedName const&, WebCore::Document&, bool) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x3c5c4ee)
    #14 0x2165648b4 in WebCore::Document::createElement(WebCore::QualifiedName const&, bool) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x6a088b4)
    #15 0x21771016d in WebCore::HTMLConstructionSite::createElement(WebCore::AtomicHTMLToken&, WTF::AtomString const&) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x7bb416d)
    #16 0x21770fde1 in WebCore::HTMLConstructionSite::insertForeignElement(WebCore::AtomicHTMLToken&&, WTF::AtomString const&) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x7bb3de1)
    #17 0x21777be7a in WebCore::HTMLTreeBuilder::processTokenInForeignContent(WebCore::AtomicHTMLToken&&) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x7c1fe7a)
    #18 0x21777adf8 in WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&&) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x7c1edf8)
    #19 0x2177277f3 in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x7bcb7f3)
    #20 0x21772701c in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x7bcb01c)
    #21 0x217725499 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x7bc9499)
    #22 0x217724a25 in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x7bc8a25)
    #23 0x2177286bd in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> >&&) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x7bcc6bd)
    #24 0x2165109b3 in WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter&, char const*, unsigned long) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x69b49b3)
    #25 0x217fe5b8e in WebCore::DocumentWriter::addData(char const*, unsigned long) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x8489b8e)
    #26 0x217fd815e in WebCore::DocumentLoader::commitData(char const*, unsigned long) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x847c15e)
    #27 0x202c4e657 in WebKit::WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x2c4e657)
    #28 0x217fe30b5 in WebCore::DocumentLoader::commitLoad(char const*, int) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x84870b5)
    #29 0x217fe2d93 in WebCore::DocumentLoader::dataReceived(char const*, int) (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x8486d93)

SUMMARY: AddressSanitizer: heap-use-after-free (/Users/mt_talos/Work/Browsers/builds/webkit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0xaf57c32) in WebCore::SVGElement::commitPropertyChange(WebCore::SVGAnimatedProperty&)
Shadow bytes around the buggy address:
  0x1c2600007df0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c2600007e00: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x1c2600007e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c2600007e20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c2600007e30: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c2600007e40:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c2600007e50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c2600007e60: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x1c2600007e70: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x1c2600007e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c2600007e90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==11242==ABORTING
#CRASHED - com.apple.WebKit.WebContent.Development (pid 11242)
LEAK: 1 WebProcessPool
LEAK: 1 WebPageProxy

Timeline

2019-10-24 - Vendor disclosure
2019-12-10 - Vendor patched
2019-12-11 - Public release

Credit

Discovered by Marcin Towalski of Cisco Talos.