Bug 305680 (RESOLVED FIXED)
[TestWebKitAPI] WTF_RunLoop.Create: AddressSanitizer detects heap-use-after-free
https://bugs.webkit.org/show_bug.cgi?id=305680
Fujii Hironori
Reported 2026-01-16 17:07:29 PST
$ ./WebKitBuild/GTK/Release/bin/TestWebKitAPI/TestWTF --gtest_filter=WTF_RunLoop.Create
=================================================================
==771454==ERROR: AddressSanitizer: heap-use-after-free on address 0x50d0000005f0 at pc 0x55cfa85323a0 bp 0x7ffe5a2a0040 sp 0x7ffe5a2a0038
READ of size 8 at 0x50d0000005f0 thread T0
    #0 0x55cfa853239f in bool WTF::ThreadSafeWeakHashSet<WTF::Thread>::contains<WTF::Thread>(WTF::Thread const&) const requires std::is_convertible_v<TL0_*, WTF::Thread*> RunLoop.cpp
    #1 0x55cfa85316a4 in TestWebKitAPI::WTF_RunLoop_Create_Test::TestBody() RunLoop.cpp
    #2 0x7fee3a105c21 in testing::Test::Run() (/sdk/webkit/WebKitBuild/GTK/Release/lib/libgtest.so+0x7ec21) (BuildId: b2adffd6359f821c)
    #3 0x7fee3a108532 in testing::TestInfo::Run() (/sdk/webkit/WebKitBuild/GTK/Release/lib/libgtest.so+0x81532) (BuildId: b2adffd6359f821c)
    #4 0x7fee3a10a601 in testing::TestSuite::Run() (/sdk/webkit/WebKitBuild/GTK/Release/lib/libgtest.so+0x83601) (BuildId: b2adffd6359f821c)
    #5 0x7fee3a13096c in testing::internal::UnitTestImpl::RunAllTests() (/sdk/webkit/WebKitBuild/GTK/Release/lib/libgtest.so+0xa996c) (BuildId: b2adffd6359f821c)
    #6 0x7fee3a12efdc in testing::UnitTest::Run() (/sdk/webkit/WebKitBuild/GTK/Release/lib/libgtest.so+0xa7fdc) (BuildId: b2adffd6359f821c)
    #7 0x55cfa7b5d190 in TestWebKitAPI::TestsController::run(int, char**) TestsController.cpp
    #8 0x55cfa8a1267f in main main.cpp
    #9 0x7fee374fe1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #10 0x7fee374fe28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #11 0x55cfa7a8d334 in _start (/home/fujii/wf/WebKitBuild/GTK/Release/bin/TestWebKitAPI/TestWTF+0x585334) (BuildId: 50714896e1c60e4c)

0x50d0000005f0 is located 0 bytes inside of 144-byte region [0x50d0000005f0,0x50d000000680)
freed by thread T1 (reateTestThread) here:
    #0 0x55cfa7b260fa in free (/home/fujii/wf/WebKitBuild/GTK/Release/bin/TestWebKitAPI/TestWTF+0x61e0fa) (BuildId: 50714896e1c60e4c)
    #1 0x55cfa8daf6e0 in pas_system_heap_free (/home/fujii/wf/WebKitBuild/GTK/Release/bin/TestWebKitAPI/TestWTF+0x18a76e0) (BuildId: 50714896e1c60e4c)
    #2 0x55cfa8df1c89 in pas_try_deallocate_slow_no_cache (/home/fujii/wf/WebKitBuild/GTK/Release/bin/TestWebKitAPI/TestWTF+0x18e9c89) (BuildId: 50714896e1c60e4c)
    #3 0x55cfa8a28709 in WTF::fastFree(void*) (/home/fujii/wf/WebKitBuild/GTK/Release/bin/TestWebKitAPI/TestWTF+0x1520709) (BuildId: 50714896e1c60e4c)
    #4 0x55cfa7d2cf0b in void WTF::ThreadSafeWeakPtrControlBlock::strongDeref<WTF::Thread, (WTF::DestructionThread)0>() const CompletionHandlerTests.cpp
    #5 0x55cfa8dab89d in WTF::Thread::destructTLS(void*) ThreadingPOSIX.cpp
    #6 0x7fee3756d33f in __GI___nptl_deallocate_tsd nptl/nptl_deallocate_tsd.c:73:29
    #7 0x7fee3756d33f in __GI___nptl_deallocate_tsd nptl/nptl_deallocate_tsd.c:22:1
    #8 0x7fee3757088f in start_thread nptl/pthread_create.c:455:3

previously allocated by thread T0 here:
    #0 0x55cfa7b26393 in malloc (/home/fujii/wf/WebKitBuild/GTK/Release/bin/TestWebKitAPI/TestWTF+0x61e393) (BuildId: 50714896e1c60e4c)
    #1 0x55cfa8daf180 in pas_system_heap_malloc (/home/fujii/wf/WebKitBuild/GTK/Release/bin/TestWebKitAPI/TestWTF+0x18a7180) (BuildId: 50714896e1c60e4c)
    #2 0x55cfa8db1ac4 in pas_system_heap_allocate(unsigned long, unsigned long, pas_allocation_mode) bmalloc_heap.c
    #3 0x55cfa8db1874 in bmalloc_allocate_impl_casual_case(unsigned long, unsigned long, pas_allocation_mode) bmalloc_heap.c
    #4 0x55cfa8db1348 in bmalloc_allocate_casual (/home/fujii/wf/WebKitBuild/GTK/Release/bin/TestWebKitAPI/TestWTF+0x18a9348) (BuildId: 50714896e1c60e4c)
    #5 0x55cfa8a25efa in WTF::fastMalloc(unsigned long) (/home/fujii/wf/WebKitBuild/GTK/Release/bin/TestWebKitAPI/TestWTF+0x151defa) (BuildId: 50714896e1c60e4c)
    #6 0x55cfa8cdb7a6 in WTF::Thread::create(WTF::ASCIILiteral, WTF::Function<void ()>&&, WTF::ThreadType, WTF::Thread::QOS, WTF::Thread::SchedulingPolicy) (/home/fujii/wf/WebKitBuild/GTK/Release/bin/TestWebKitAPI/TestWTF+0x17d37a6) (BuildId: 50714896e1c60e4c)
    #7 0x55cfa8a6a887 in WTF::RunLoop::create(WTF::ASCIILiteral, WTF::ThreadType, WTF::Thread::QOS) (/home/fujii/wf/WebKitBuild/GTK/Release/bin/TestWebKitAPI/TestWTF+0x1562887) (BuildId: 50714896e1c60e4c)
    #8 0x55cfa853119d in TestWebKitAPI::WTF_RunLoop_Create_Test::TestBody() RunLoop.cpp
    #9 0x7fee3a105c21 in testing::Test::Run() (/sdk/webkit/WebKitBuild/GTK/Release/lib/libgtest.so+0x7ec21) (BuildId: b2adffd6359f821c)
    #10 0x7fee3a108532 in testing::TestInfo::Run() (/sdk/webkit/WebKitBuild/GTK/Release/lib/libgtest.so+0x81532) (BuildId: b2adffd6359f821c)
    #11 0x7fee3a10a601 in testing::TestSuite::Run() (/sdk/webkit/WebKitBuild/GTK/Release/lib/libgtest.so+0x83601) (BuildId: b2adffd6359f821c)
    #12 0x7fee3a13096c in testing::internal::UnitTestImpl::RunAllTests() (/sdk/webkit/WebKitBuild/GTK/Release/lib/libgtest.so+0xa996c) (BuildId: b2adffd6359f821c)
    #13 0x7fee3a12efdc in testing::UnitTest::Run() (/sdk/webkit/WebKitBuild/GTK/Release/lib/libgtest.so+0xa7fdc) (BuildId: b2adffd6359f821c)
    #14 0x55cfa7b5d190 in TestWebKitAPI::TestsController::run(int, char**) TestsController.cpp
    #15 0x55cfa8a1267f in main main.cpp
    #16 0x7fee374fe1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #17 0x7fee374fe28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #18 0x55cfa7a8d334 in _start (/home/fujii/wf/WebKitBuild/GTK/Release/bin/TestWebKitAPI/TestWTF+0x585334) (BuildId: 50714896e1c60e4c)

Thread T1 (reateTestThread) created by T0 here:
    #0 0x55cfa7b0bd65 in pthread_create (/home/fujii/wf/WebKitBuild/GTK/Release/bin/TestWebKitAPI/TestWTF+0x603d65) (BuildId: 50714896e1c60e4c)
    #1 0x55cfa8daa70a in WTF::Thread::establishHandle(WTF::Thread::NewThreadContext&, std::optional<unsigned long>, WTF::Thread::QOS, WTF::Thread::SchedulingPolicy) ThreadingPOSIX.cpp
    #2 0x55cfa8cdbc4c in WTF::Thread::create(WTF::ASCIILiteral, WTF::Function<void ()>&&, WTF::ThreadType, WTF::Thread::QOS, WTF::Thread::SchedulingPolicy) (/home/fujii/wf/WebKitBuild/GTK/Release/bin/TestWebKitAPI/TestWTF+0x17d3c4c) (BuildId: 50714896e1c60e4c)
    #3 0x55cfa8a6a887 in WTF::RunLoop::create(WTF::ASCIILiteral, WTF::ThreadType, WTF::Thread::QOS) (/home/fujii/wf/WebKitBuild/GTK/Release/bin/TestWebKitAPI/TestWTF+0x1562887) (BuildId: 50714896e1c60e4c)
    #4 0x55cfa853119d in TestWebKitAPI::WTF_RunLoop_Create_Test::TestBody() RunLoop.cpp
    #5 0x7fee3a105c21 in testing::Test::Run() (/sdk/webkit/WebKitBuild/GTK/Release/lib/libgtest.so+0x7ec21) (BuildId: b2adffd6359f821c)
    #6 0x7fee3a108532 in testing::TestInfo::Run() (/sdk/webkit/WebKitBuild/GTK/Release/lib/libgtest.so+0x81532) (BuildId: b2adffd6359f821c)
    #7 0x7fee3a10a601 in testing::TestSuite::Run() (/sdk/webkit/WebKitBuild/GTK/Release/lib/libgtest.so+0x83601) (BuildId: b2adffd6359f821c)
    #8 0x7fee3a13096c in testing::internal::UnitTestImpl::RunAllTests() (/sdk/webkit/WebKitBuild/GTK/Release/lib/libgtest.so+0xa996c) (BuildId: b2adffd6359f821c)
    #9 0x7fee3a12efdc in testing::UnitTest::Run() (/sdk/webkit/WebKitBuild/GTK/Release/lib/libgtest.so+0xa7fdc) (BuildId: b2adffd6359f821c)
    #10 0x55cfa7b5d190 in TestWebKitAPI::TestsController::run(int, char**) TestsController.cpp
    #11 0x55cfa8a1267f in main main.cpp
    #12 0x7fee374fe1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #13 0x7fee374fe28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #14 0x55cfa7a8d334 in _start (/home/fujii/wf/WebKitBuild/GTK/Release/bin/TestWebKitAPI/TestWTF+0x585334) (BuildId: 50714896e1c60e4c)

SUMMARY: AddressSanitizer: heap-use-after-free RunLoop.cpp in bool WTF::ThreadSafeWeakHashSet<WTF::Thread>::contains<WTF::Thread>(WTF::Thread const&) const requires std::is_convertible_v<TL0_*, WTF::Thread*>
Shadow bytes around the buggy address:
  0x50d000000300: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x50d000000380: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x50d000000400: fd fd fa fa fa fa fa fa fa fa 00 00 00 00 00 00
  0x50d000000480: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x50d000000500: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x50d000000580: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa[fd]fd
  0x50d000000600: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x50d000000680: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x50d000000700: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
  0x50d000000780: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x50d000000800: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==771454==ABORTING
Fujii Hironori
Comment 1 2026-01-16 17:19:16 PST
EWS
Comment 2 2026-01-19 05:04:17 PST
Committed 305821@main (f5aeb1861506): <https://commits.webkit.org/305821@main> Reviewed commits have been landed. Closing PR #56750 and removing active labels.
Radar WebKit Bug Importer
Comment 3 2026-01-19 05:05:15 PST