Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

User after free on MacOS in select() #358

Closed
webbeef opened this issue Sep 19, 2024 · 2 comments
Closed

User after free on MacOS in select() #358

webbeef opened this issue Sep 19, 2024 · 2 comments

Comments

@webbeef
Copy link
Contributor

webbeef commented Sep 19, 2024

Found while running a Servo ASAN build:

FONT: Local(LocalFontIdentifier { postscript_name: Atom('LucidaGrande' type=dynamic), path: Atom('/System/Library/Fonts/LucidaGrande.ttc' type=dynamic) })
FONT: Local(LocalFontIdentifier { postscript_name: Atom('LucidaGrande' type=dynamic), path: Atom('/System/Library/Fonts/LucidaGrande.ttc' type=dynamic) })
2024-09-19 13:58:00.835809-0700 servo[91952:27864500] [miscellany] FAULT: <NSRemoteView: 0x616000151e80 com.apple.TextInputUI.xpc.CursorUIViewService TUICursorUIViewService> determined it was necessary to configure <TUINSWindow: 0x615000017c80> to support remote view vibrancy
FONT: Local(LocalFontIdentifier { postscript_name: Atom('LucidaGrande-Bold' type=dynamic), path: Atom('/System/Library/Fonts/LucidaGrande.ttc' type=dynamic) })
FONT: Local(LocalFontIdentifier { postscript_name: Atom('LucidaGrande' type=dynamic), path: Atom('/System/Library/Fonts/LucidaGrande.ttc' type=dynamic) })
=================================================================
==91952==ERROR: AddressSanitizer: heap-use-after-free on address 0x6220001ad104 at pc 0x00010fcf6db0 bp 0x000170e7bd10 sp 0x000170e7bd08
READ of size 4 at 0x6220001ad104 thread T10
    #0 0x10fcf6dac in ipc_channel::platform::macos::select::h1593b22d4ac83e2b+0x534 (servo:arm64+0x10fcf6dac)
    #1 0x10fcf6228 in ipc_channel::platform::macos::OsIpcReceiverSet::select::h6366c1ea42d4dc24+0x1ac (servo:arm64+0x10fcf6228)
    #2 0x10fd26d20 in ipc_channel::ipc::IpcReceiverSet::select::h74ebda4018d57c64+0x1f4 (servo:arm64+0x10fd26d20)
    #3 0x10fd80b7c in ipc_channel::router::Router::run::h4b04188d58da2c2c+0x30c (servo:arm64+0x10fd80b7c)
    #4 0x10fd7eaa8 in ipc_channel::router::RouterProxy::new::_$u7b$$u7b$closure$u7d$$u7d$::h1766c23d7f4d3ae2+0x20c (servo:arm64+0x10fd7eaa8)
    #5 0x10fd2ac0c in std::sys_common::backtrace::__rust_begin_short_backtrace::h777b7ae3ed33c2d3+0xc (servo:arm64+0x10fd2ac0c)
    #6 0x10fd635bc in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::hb150aab763f87ebe+0x130 (servo:arm64+0x10fd635bc)
    #7 0x10fd488f8 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h2c4826d30c8d0210+0x130 (servo:arm64+0x10fd488f8)
    #8 0x10fd82340 in std::panicking::try::do_call::hc4de2eeffe9a8943+0x12c (servo:arm64+0x10fd82340)
    #9 0x10fd893bc in __rust_try+0x1c (servo:arm64+0x10fd893bc)
    #10 0x10fd81ef4 in std::panicking::try::h049cc3800dd92249+0x164 (servo:arm64+0x10fd81ef4)
    #11 0x10fd2bc48 in std::panic::catch_unwind::h6b401eaeafe00c4b+0x8 (servo:arm64+0x10fd2bc48)
    #12 0x10fd62dfc in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::he3e421cd34448d20+0x390 (servo:arm64+0x10fd62dfc)
    #13 0x10fd3eb64 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h29f1d11768caa1e2+0x14 (servo:arm64+0x10fd3eb64)
    #14 0x110171ac0 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h736a1399eefc896d+0x168 (servo:arm64+0x110171ac0)
    #15 0x110171d64 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::hf8e8449fc5ccbc55+0x17c (servo:arm64+0x110171d64)
    #16 0x1102fcc14 in std::sys::pal::unix::thread::Thread::new::thread_start::ha95d0c8e3290deba+0x140 (servo:arm64+0x1102fcc14)
    #17 0x12666fec8 in asan_thread_start(void*)+0x48 (librustc-stable_rt.asan.dylib:arm64+0x4bec8)
    #18 0x185022030 in _pthread_start+0x84 (libsystem_pthread.dylib:arm64+0x7030)
    #19 0x9a7a80018501ce38  (<unknown module>)

0x6220001ad104 is located 4 bytes inside of 5548-byte region [0x6220001ad100,0x6220001ae6ac)
freed by thread T10 here:
    #0 0x126672f90 in free+0x70 (librustc-stable_rt.asan.dylib:arm64+0x4ef90)
    #1 0x10fcf6ff0 in ipc_channel::platform::macos::select::h1593b22d4ac83e2b+0x778 (servo:arm64+0x10fcf6ff0)
    #2 0x10fcf6228 in ipc_channel::platform::macos::OsIpcReceiverSet::select::h6366c1ea42d4dc24+0x1ac (servo:arm64+0x10fcf6228)
    #3 0x10fd26d20 in ipc_channel::ipc::IpcReceiverSet::select::h74ebda4018d57c64+0x1f4 (servo:arm64+0x10fd26d20)
    #4 0x10fd80b7c in ipc_channel::router::Router::run::h4b04188d58da2c2c+0x30c (servo:arm64+0x10fd80b7c)
    #5 0x10fd7eaa8 in ipc_channel::router::RouterProxy::new::_$u7b$$u7b$closure$u7d$$u7d$::h1766c23d7f4d3ae2+0x20c (servo:arm64+0x10fd7eaa8)
    #6 0x10fd2ac0c in std::sys_common::backtrace::__rust_begin_short_backtrace::h777b7ae3ed33c2d3+0xc (servo:arm64+0x10fd2ac0c)
    #7 0x10fd635bc in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::hb150aab763f87ebe+0x130 (servo:arm64+0x10fd635bc)
    #8 0x10fd488f8 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h2c4826d30c8d0210+0x130 (servo:arm64+0x10fd488f8)
    #9 0x10fd82340 in std::panicking::try::do_call::hc4de2eeffe9a8943+0x12c (servo:arm64+0x10fd82340)
    #10 0x10fd893bc in __rust_try+0x1c (servo:arm64+0x10fd893bc)
    #11 0x10fd81ef4 in std::panicking::try::h049cc3800dd92249+0x164 (servo:arm64+0x10fd81ef4)
    #12 0x10fd2bc48 in std::panic::catch_unwind::h6b401eaeafe00c4b+0x8 (servo:arm64+0x10fd2bc48)
    #13 0x10fd62dfc in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::he3e421cd34448d20+0x390 (servo:arm64+0x10fd62dfc)
    #14 0x10fd3eb64 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h29f1d11768caa1e2+0x14 (servo:arm64+0x10fd3eb64)
    #15 0x110171ac0 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h736a1399eefc896d+0x168 (servo:arm64+0x110171ac0)
    #16 0x110171d64 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::hf8e8449fc5ccbc55+0x17c (servo:arm64+0x110171d64)
    #17 0x1102fcc14 in std::sys::pal::unix::thread::Thread::new::thread_start::ha95d0c8e3290deba+0x140 (servo:arm64+0x1102fcc14)
    #18 0x12666fec8 in asan_thread_start(void*)+0x48 (librustc-stable_rt.asan.dylib:arm64+0x4bec8)
    #19 0x185022030 in _pthread_start+0x84 (libsystem_pthread.dylib:arm64+0x7030)
    #20 0x9a7a80018501ce38  (<unknown module>)

previously allocated by thread T10 here:
    #0 0x126672ea4 in malloc+0x6c (librustc-stable_rt.asan.dylib:arm64+0x4eea4)
    #1 0x10fcf6e04 in ipc_channel::platform::macos::select::h1593b22d4ac83e2b+0x58c (servo:arm64+0x10fcf6e04)
    #2 0x10fcf6228 in ipc_channel::platform::macos::OsIpcReceiverSet::select::h6366c1ea42d4dc24+0x1ac (servo:arm64+0x10fcf6228)
    #3 0x10fd26d20 in ipc_channel::ipc::IpcReceiverSet::select::h74ebda4018d57c64+0x1f4 (servo:arm64+0x10fd26d20)
    #4 0x10fd80b7c in ipc_channel::router::Router::run::h4b04188d58da2c2c+0x30c (servo:arm64+0x10fd80b7c)
    #5 0x10fd7eaa8 in ipc_channel::router::RouterProxy::new::_$u7b$$u7b$closure$u7d$$u7d$::h1766c23d7f4d3ae2+0x20c (servo:arm64+0x10fd7eaa8)
    #6 0x10fd2ac0c in std::sys_common::backtrace::__rust_begin_short_backtrace::h777b7ae3ed33c2d3+0xc (servo:arm64+0x10fd2ac0c)
    #7 0x10fd635bc in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::hb150aab763f87ebe+0x130 (servo:arm64+0x10fd635bc)
    #8 0x10fd488f8 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h2c4826d30c8d0210+0x130 (servo:arm64+0x10fd488f8)
    #9 0x10fd82340 in std::panicking::try::do_call::hc4de2eeffe9a8943+0x12c (servo:arm64+0x10fd82340)
    #10 0x10fd893bc in __rust_try+0x1c (servo:arm64+0x10fd893bc)
    #11 0x10fd81ef4 in std::panicking::try::h049cc3800dd92249+0x164 (servo:arm64+0x10fd81ef4)
    #12 0x10fd2bc48 in std::panic::catch_unwind::h6b401eaeafe00c4b+0x8 (servo:arm64+0x10fd2bc48)
    #13 0x10fd62dfc in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::he3e421cd34448d20+0x390 (servo:arm64+0x10fd62dfc)
    #14 0x10fd3eb64 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h29f1d11768caa1e2+0x14 (servo:arm64+0x10fd3eb64)
    #15 0x110171ac0 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h736a1399eefc896d+0x168 (servo:arm64+0x110171ac0)
    #16 0x110171d64 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::hf8e8449fc5ccbc55+0x17c (servo:arm64+0x110171d64)
    #17 0x1102fcc14 in std::sys::pal::unix::thread::Thread::new::thread_start::ha95d0c8e3290deba+0x140 (servo:arm64+0x1102fcc14)
    #18 0x12666fec8 in asan_thread_start(void*)+0x48 (librustc-stable_rt.asan.dylib:arm64+0x4bec8)
    #19 0x185022030 in _pthread_start+0x84 (libsystem_pthread.dylib:arm64+0x7030)
    #20 0x9a7a80018501ce38  (<unknown module>)

Thread T10 created by T0 here:
    #0 0x12666ad88 in pthread_create+0x58 (librustc-stable_rt.asan.dylib:arm64+0x46d88)
    #1 0x1102fc700 in std::sys::pal::unix::thread::Thread::new::h53f4880a8315fb61+0x4cc (servo:arm64+0x1102fc700)
    #2 0x10fd62160 in std::thread::Builder::spawn_unchecked_::hab1a15639e5050c4+0x830 (servo:arm64+0x10fd62160)
    #3 0x10fd617c4 in std::thread::Builder::spawn_unchecked::h3a1b99f7c82cd842+0x178 (servo:arm64+0x10fd617c4)
    #4 0x10fd63804 in std::thread::Builder::spawn::h4a3c6d895209f727+0x8 (servo:arm64+0x10fd63804)
    #5 0x10fd61460 in std::thread::spawn::hf9b5ee486ae922c7+0x1e8 (servo:arm64+0x10fd61460)
    #6 0x10fd7e628 in ipc_channel::router::RouterProxy::new::hc35a866c69da36de+0x3f8 (servo:arm64+0x10fd7e628)
    #7 0x10fd3fb00 in core::ops::function::FnOnce::call_once::hc5d71ed90dc39334+0xc (servo:arm64+0x10fd3fb00)
    #8 0x10fd819f4 in lazy_static::lazy::Lazy$LT$T$GT$::get::_$u7b$$u7b$closure$u7d$$u7d$::h0fa649a7cd177016+0x19c (servo:arm64+0x10fd819f4)
    #9 0x10fd36d30 in std::sync::once::Once::call_once::_$u7b$$u7b$closure$u7d$$u7d$::ha82ae37f550c6941+0x7c (servo:arm64+0x10fd36d30)
    #10 0x1106b7a40 in std::sys::sync::once::queue::Once::call::h7498f9b78b691eab+0x3e4 (servo:arm64+0x1106b7a40)
    #11 0x10fd367e8 in std::sync::once::Once::call_once::h186bdb4da57f6502+0x1e8 (servo:arm64+0x10fd367e8)
    #12 0x10fd81740 in _$LT$ipc_channel..router..ROUTER$u20$as$u20$core..ops..deref..Deref$GT$::deref::hb31cc5fc34fe4274+0x11c (servo:arm64+0x10fd81740)
    #13 0x101f3d668 in profile::mem::Profiler::create::ha6b3a087682421c8+0x9bc (servo:arm64+0x101f3d668)
    #14 0x1001f759c in servo::Servo$LT$Window$GT$::new::hdf31a2e8fa99a2da+0x3fac (servo:arm64+0x1001f759c)
    #15 0x10016c460 in servoshell::desktop::app::App::run::_$u7b$$u7b$closure$u7d$$u7d$::hfb34cf110de45a1f+0x1d7c (servo:arm64+0x10016c460)
    #16 0x100174934 in servoshell::desktop::events_loop::EventsLoop::run_forever::_$u7b$$u7b$closure$u7d$$u7d$::hfa00486b5cbb51f4+0x240 (servo:arm64+0x100174934)
    #17 0x10015e02c in _$LT$winit..platform_impl..platform..app_state..EventLoopHandler$LT$T$GT$$u20$as$u20$winit..platform_impl..platform..app_state..EventHandler$GT$::handle_nonuser_event::_$u7b$$u7b$closure$u7d$$u7d$::h510a5ab0901be197+0x36c (servo:arm64+0x10015e02c)
    #18 0x10015ea9c in winit::platform_impl::platform::app_state::EventLoopHandler$LT$T$GT$::with_callback::ha562467cb295362c+0x3ec (servo:arm64+0x10015ea9c)
    #19 0x10015dc08 in _$LT$winit..platform_impl..platform..app_state..EventLoopHandler$LT$T$GT$$u20$as$u20$winit..platform_impl..platform..app_state..EventHandler$GT$::handle_nonuser_event::hc05f3e8ccf6a5a17+0x170 (servo:arm64+0x10015dc08)
    #20 0x100d10aa4 in winit::platform_impl::platform::app_state::Handler::handle_nonuser_event::h837f376adfa39331+0x428 (servo:arm64+0x100d10aa4)
    #21 0x100d126bc in winit::platform_impl::platform::app_state::AppState::dispatch_init_events::hf37416f96f616250+0x1dc (servo:arm64+0x100d126bc)
    #22 0x100d12840 in winit::platform_impl::platform::app_state::AppState::start_running::h37f3b4fc99e06db6+0x58 (servo:arm64+0x100d12840)
    #23 0x100d12ad8 in winit::platform_impl::platform::app_state::AppState::launched::ha6023beb53ed3901+0x28c (servo:arm64+0x100d12ad8)
    #24 0x100ce3538 in winit::platform_impl::platform::app_delegate::ApplicationDelegate::did_finish_launching::ha675eb527cf82201+0x29c (servo:arm64+0x100ce3538)
    #25 0x1850f456c in __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__+0x90 (CoreFoundation:arm64+0x7256c)
    #26 0xb463800185188658  (<unknown module>)
    #27 0xf7398001851885a0  (<unknown module>)
    #28 0x37118001850c31d8  (<unknown module>)
    #29 0x135e8001861b5fec  (<unknown module>)
    #30 0x34288001888e227c  (<unknown module>)
    #31 0x62658001888e202c  (<unknown module>)
    #32 0x2a0d8001888e0574  (<unknown module>)
    #33 0xce148001888e0170  (<unknown module>)
    #34 0x184f0001861de410  (<unknown module>)
    #35 0xd3570001861de204  (<unknown module>)
    #36 0x7f1f00018c054dbc  (<unknown module>)
    #37 0x7a4d80018c0546e4  (<unknown module>)
    #38 0x700980018c04dcf4  (<unknown module>)
    #39 0xab2b80018f6bc2d0  (<unknown module>)
    #40 0xe9138001888dabac  (<unknown module>)
    #41 0xf83c8001890b497c  (<unknown module>)
    #42 0x6b118001888cdd4c  (<unknown module>)
    #43 0x2164000100e0d808  (<unknown module>)
    #44 0x100dd3370 in objc2::message::platform::send_unverified::h5bc68716d7ac22db+0x38 (servo:arm64+0x100dd3370)
    #45 0x100d1fc48 in objc2::message::MessageReceiver::send_message::h8edb371e332d76aa+0xac (servo:arm64+0x100d1fc48)
    #46 0x100d24fa4 in winit::platform_impl::platform::appkit::application::NSApplication::run::h50bd1dabf449909c+0x40 (servo:arm64+0x100d24fa4)
    #47 0x10020ae00 in winit::platform_impl::platform::event_loop::EventLoop$LT$T$GT$::run_on_demand::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h4fd9feeee17fcc8f+0x184 (servo:arm64+0x10020ae00)
    #48 0x10013b87c in core::ops::function::FnOnce::call_once::h7055e61263f01ea7+0x110 (servo:arm64+0x10013b87c)
    #49 0x1002e0410 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::hb1534b5df4e2605b+0x1c (servo:arm64+0x1002e0410)
    #50 0x100043924 in std::panicking::try::do_call::hdd00220db29cee06+0x38 (servo:arm64+0x100043924)
    #51 0x100043f48 in __rust_try+0x1c (servo:arm64+0x100043f48)
    #52 0x100042588 in std::panicking::try::h03c77cb522451eec+0x150 (servo:arm64+0x100042588)
    #53 0x1002e60d0 in std::panic::catch_unwind::h7f45104f0a4b5f2d+0x1c (servo:arm64+0x1002e60d0)
    #54 0x10020a9e8 in winit::platform_impl::platform::event_loop::EventLoop$LT$T$GT$::run_on_demand::_$u7b$$u7b$closure$u7d$$u7d$::h13682c98b1719641+0x418 (servo:arm64+0x10020a9e8)
    #55 0x100267264 in objc2::rc::autorelease::autoreleasepool::he369f8652d201420+0x20c (servo:arm64+0x100267264)
    #56 0x10020a460 in winit::platform_impl::platform::event_loop::EventLoop$LT$T$GT$::run_on_demand::ha23c5965a7b18618+0x4c8 (servo:arm64+0x10020a460)
    #57 0x10020b960 in winit::platform_impl::platform::event_loop::EventLoop$LT$T$GT$::run::hc2272fff232f39c3+0x10 (servo:arm64+0x10020b960)
    #58 0x10008938c in winit::event_loop::EventLoop$LT$T$GT$::run::h15ac395ea6f10120+0x160 (servo:arm64+0x10008938c)
    #59 0x10017409c in servoshell::desktop::events_loop::EventsLoop::run_forever::h4d25c10936664536+0x394 (servo:arm64+0x10017409c)
    #60 0x1001797dc in servoshell::desktop::app::App::run::h6ca7fa4758a71ceb+0x22e8 (servo:arm64+0x1001797dc)
    #61 0x100086148 in servoshell::desktop::cli::main::h8f56ce5b6e9f5c76+0xe04 (servo:arm64+0x100086148)
    #62 0x10012e190 in servoshell::main::hc09ba5da62040d8d+0x8 (servo:arm64+0x10012e190)
    #63 0x100001760 in servo::main::h7be38ead93409bfa main.rs:26
    #64 0x100001b68 in core::ops::function::FnOnce::call_once::h225b1a1d8d04839d function.rs:250
    #65 0x100001d8c in std::sys_common::backtrace::__rust_begin_short_backtrace::h403032fd287f24b7 backtrace.rs:155
    #66 0x100001a4c in std::rt::lang_start::_$u7b$$u7b$closure$u7d$$u7d$::h29be42f40bf99b26 rt.rs:159
    #67 0x1101586fc in core::ops::function::impls::_$LT$impl$u20$core..ops..function..FnOnce$LT$A$GT$$u20$for$u20$$RF$F$GT$::call_once::h6e63f61da97043c4+0x5c (servo:arm64+0x1101586fc)
    #68 0x1102e9edc in std::panicking::try::do_call::h979c61fd6aafb03f+0x4c (servo:arm64+0x1102e9edc)
    #69 0x110301ce8 in __rust_try+0x1c (servo:arm64+0x110301ce8)
    #70 0x1102e98f8 in std::panicking::try::h5de2247cc3e78fa8+0x154 (servo:arm64+0x1102e98f8)
    #71 0x110289498 in std::panic::catch_unwind::h88346d5b4e5fde37+0x1c (servo:arm64+0x110289498)
    #72 0x1101d4058 in std::rt::lang_start_internal::_$u7b$$u7b$closure$u7d$$u7d$::ha3d6a33fad2f0b31+0x120 (servo:arm64+0x1101d4058)
    #73 0x1102e9fd4 in std::panicking::try::do_call::hf6f6776d49f1dcdf+0x4c (servo:arm64+0x1102e9fd4)
    #74 0x110301ce8 in __rust_try+0x1c (servo:arm64+0x110301ce8)
    #75 0x1102e961c in std::panicking::try::h42c6eaed945bad42+0x154 (servo:arm64+0x1102e961c)
    #76 0x11028946c in std::panic::catch_unwind::h7592dd34b96b2409+0x1c (servo:arm64+0x11028946c)
    #77 0x1101d3bc0 in std::rt::lang_start_internal::h4b4b4ec4e8ca3f45+0x1b0 (servo:arm64+0x1101d3bc0)
    #78 0x100001974 in std::rt::lang_start::hfe8e0748a9cfd3ff rt.rs:158
    #79 0x10000178c in main+0x20 (servo:arm64+0x10000178c)
    #80 0x184ca10dc  (<unknown module>)
    #81 0xa7397ffffffffffc  (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free (servo:arm64+0x10fcf6dac) in ipc_channel::platform::macos::select::h1593b22d4ac83e2b+0x534
Shadow bytes around the buggy address:
  0x6220001ace80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x6220001acf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x6220001acf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x6220001ad000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x6220001ad080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x6220001ad100:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x6220001ad180: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x6220001ad200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x6220001ad280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x6220001ad300: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x6220001ad380: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
2024-09-19 13:58:12.533013-0700 servo[91952:27864983] =================================================================
2024-09-19 13:58:12.533036-0700 servo[91952:27864983] ==91952==ERROR: AddressSanitizer: heap-use-after-free on address 0x6220001ad104 at pc 0x00010fcf6db0 bp 0x000170e7bd10 sp 0x000170e7bd08
2024-09-19 13:58:12.533041-0700 servo[91952:27864983] READ of size 4 at 0x6220001ad104 thread T10
2024-09-19 13:58:12.533047-0700 servo[91952:27864983]     #0 0x10fcf6dac in ipc_channel::platform::macos::select::h1593b22d4ac83e2b+0x534 (servo:arm64+0x10fcf6dac)
2024-09-19 13:58:12.533051-0700 servo[91952:27864983]     #1 0x10fcf6228 in ipc_channel::platform::macos::OsIpcReceiverSet::select::h6366c1ea42d4dc24+0x1ac (servo:arm64+0x10fcf6228)
2024-09-19 13:58:12.533056-0700 servo[91952:27864983]     #2 0x10fd26d20 in ipc_channel::ipc::IpcReceiverSet::select::h74ebda4018d57c64+0x1f4 (servo:arm64+0x10fd26d20)
2024-09-19 13:58:12.533062-0700 servo[91952:27864983]     #3 0x10fd80b7c in ipc_channel::router::Router::run::h4b04188d58da2c2c+0x30c (servo:arm64+0x10fd80b7c)
2024-09-19 13:58:12.533087-0700 servo[91952:27864983]     #4 0x10fd7eaa8 in ipc_channel::router::RouterProxy::new::_$u7b$$u7b$closure$u7d$$u7d$::h1766c23d7f4d3ae2+0x20c (servo:arm64+0x10fd7eaa8)
2024-09-19 13:58:12.533097-0700 servo[91952:27864983]     #5 0x10fd2ac0c in std::sys_common::backtrace::__rust_begin_short_backtrace::h777b7ae3ed33c2d3+0xc (servo:arm64+0x10fd2ac0c)
2024-09-19 13:58:12.533103-0700 servo[91952:27864983]     #6 0x10fd635bc in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::hb150aab763f87ebe+0x130 (servo:arm64+0x10fd635bc)
2024-09-19 13:58:12.533107-0700 servo[91952:27864983]     #7 0x10fd488f8 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h2c4826d30c8d0210+0x130 (servo:arm64+0x10fd488f8)
2024-09-19 13:58:12.533111-0700 servo[91952:27864983]     #8 0x10fd82340 in std::panicking::try::do_call::hc4de2eeffe9a8943+0x12c (servo:arm64+0x10fd82340)
2024-09-19 13:58:12.533120-0700 servo[91952:27864983]     #9 0x10fd893bc in __rust_try+0x1c (servo:arm64+0x10fd893bc)
2024-09-19 13:58:12.533125-0700 servo[91952:27864983]     #10 0x10fd81ef4 in std::panicking::try::h049cc3800dd92249+0x164 (servo:arm64+0x10fd81ef4)
2024-09-19 13:58:12.533129-0700 servo[91952:27864983]     #11 0x10fd2bc48 in std::panic::catch_unwind::h6b401eaeafe00c4b+0x8 (servo:arm64+0x10fd2bc48)
2024-09-19 13:58:12.533140-0700 servo[91952:27864983]     #12 0x10fd62dfc in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::he3e421cd34448d20+0x390 (servo:arm64+0x10fd62dfc)
2024-09-19 13:58:12.533147-0700 servo[91952:27864983]     #13 0x10fd3eb64 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h29f1d11768caa1e2+0x14 (servo:arm64+0x10fd3eb64)
2024-09-19 13:58:12.533150-0700 servo[91952:27864983]     #14 0x110171ac0 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h736a1399eefc896d+0x168 (servo:arm64+0x110171ac0)
2024-09-19 13:58:12.533154-0700 servo[91952:27864983]     #15 0x110171d64 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::hf8e8449fc5ccbc55+0x17c (servo:arm64+0x110171d64)
2024-09-19 13:58:12.533158-0700 servo[91952:27864983]     #16 0x1102fcc14 in std::sys::pal::unix::thread::Thread::new::thread_start::ha95d0c8e3290deba+0x140 (servo:arm64+0x1102fcc14)
2024-09-19 13:58:12.533162-0700 servo[91952:27864983]     #17 0x12666fec8 in asan_thread_start(void*)+0x48 (librustc-stable_rt.asan.dylib:arm64+0x4bec8)
2024-09-19 13:58:12.533166-0700 servo[91952:27864983]     #18 0x185022030 in _pthread_start+0x84 (libsystem_pthread.dylib:arm64+0x7030)
2024-09-19 13:58:12.533170-0700 servo[91952:27864983]     #19 0x9a7a80018501ce38  (<unknown module>)
2024-09-19 13:58:12.533174-0700 servo[91952:27864983]
2024-09-19 13:58:12.533180-0700 servo[91952:27864983] 0x6220001ad104 is located 4 bytes inside of 5548-byte region [0x6220001ad100,0x6220001ae6ac)
2024-09-19 13:58:12.533185-0700 servo[91952:27864983] freed by thread T10 here:
2024-09-19 13:58:12.533191-0700 servo[91952:27864983]     #0 0x126672f90 in free+0x70 (librustc-stable_rt.asan.dylib:arm64+0x4ef90)
2024-09-19 13:58:12.533195-0700 servo[91952:27864983]     #1 0x10fcf6ff0 in ipc_channel::platform::macos::select::h1593b22d4ac83e2b+0x778 (servo:arm64+0x10fcf6ff0)
2024-09-19 13:58:12.533199-0700 servo[91952:27864983]     #2 0x10fcf6228 in ipc_channel::platform::macos::OsIpcReceiverSet::select::h6366c1ea42d4dc24+0x1ac (servo:arm64+0x10fcf6228)
2024-09-19 13:58:12.533203-0700 servo[91952:27864983]     #3 0x10fd26d20 in ipc_channel::ipc::IpcReceiverSet::select::h74ebda4018d57c64+0x1f4 (servo:arm64+0x10fd26d20)
2024-09-19 13:58:12.533207-0700 servo[91952:27864983]     #4 0x10fd80b7c in ipc_channel::router::Router::run::h4b04188d58da2c2c+0x30c (servo:arm64+0x10fd80b7c)
2024-09-19 13:58:12.533210-0700 servo[91952:27864983]     #5 0x10fd7eaa8 in ipc_channel::router::RouterProxy::new::_$u7b$$u7b$closure$u7d$$u7d$::h1766c23d7f4d3ae2+0x20c (servo:arm64+0x10fd7eaa8)
2024-09-19 13:58:12.533217-0700 servo[91952:27864983]     #6 0x10fd2ac0c in std::sys_common::backtrace::__rust_begin_short_backtrace::h777b7ae3ed33c2d3+0xc (servo:arm64+0x10fd2ac0c)
2024-09-19 13:58:12.533221-0700 servo[91952:27864983]     #7 0x10fd635bc in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::hb150aab763f87ebe+0x130 (servo:arm64+0x10fd635bc)
2024-09-19 13:58:12.533225-0700 servo[91952:27864983]     #8 0x10fd488f8 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h2c4826d30c8d0210+0x130 (servo:arm64+0x10fd488f8)
2024-09-19 13:58:12.533229-0700 servo[91952:27864983]     #9 0x10fd82340 in std::panicking::try::do_call::hc4de2eeffe9a8943+0x12c (servo:arm64+0x10fd82340)
2024-09-19 13:58:12.533233-0700 servo[91952:27864983]     #10 0x10fd893bc in __rust_try+0x1c (servo:arm64+0x10fd893bc)
2024-09-19 13:58:12.533236-0700 servo[91952:27864983]     #11 0x10fd81ef4 in std::panicking::try::h049cc3800dd92249+0x164 (servo:arm64+0x10fd81ef4)
2024-09-19 13:58:12.533241-0700 servo[91952:27864983]     #12 0x10fd2bc48 in std::panic::catch_unwind::h6b401eaeafe00c4b+0x8 (servo:arm64+0x10fd2bc48)
2024-09-19 13:58:12.533245-0700 servo[91952:27864983]     #13 0x10fd62dfc in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::he3e421cd34448d20+0x390 (servo:arm64+0x10fd62dfc)
2024-09-19 13:58:12.533249-0700 servo[91952:27864983]     #14 0x10fd3eb64 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h29f1d11768caa1e2+0x14 (servo:arm64+0x10fd3eb64)
2024-09-19 13:58:12.533259-0700 servo[91952:27864983]     #15 0x110171ac0 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h736a1399eefc896d+0x168 (servo:arm64+0x110171ac0)
2024-09-19 13:58:12.533268-0700 servo[91952:27864983]     #16 0x110171d64 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::hf8e8449fc5ccbc55+0x17c (servo:arm64+0x110171d64)
2024-09-19 13:58:12.533273-0700 servo[91952:27864983]     #17 0x1102fcc14 in std::sys::pal::unix::thread::Thread::new::thread_start::ha95d0c8e3290deba+0x140 (servo:arm64+0x1102fcc14)
2024-09-19 13:58:12.533277-0700 servo[91952:27864983]     #18 0x12666fec8 in asan_thread_start(void*)+0x48 (librustc-stable_rt.asan.dylib:arm64+0x4bec8)
2024-09-19 13:58:12.533281-0700 servo[91952:27864983]     #19 0x185022030 in _pthread_start+0x84 (libsystem_pthread.dylib:arm64+0x7030)
2024-09-19 13:58:12.533287-0700 servo[91952:27864983]     #20 0x9a7a80018501ce38  (<unknown module>)
2024-09-19 13:58:12.533292-0700 servo[91952:27864983]
2024-09-19 13:58:12.533296-0700 servo[91952:27864983] previously allocated by thread T10 here:
2024-09-19 13:58:12.533300-0700 servo[91952:27864983]     #0 0x126672ea4 in malloc+0x6c (librustc-stable_rt.asan.dylib:arm64+0x4eea4)
2024-09-19 13:58:12.533306-0700 servo[91952:27864983]     #1 0x10fcf6e04 in ipc_channel::platform::macos::select::h1593b22d4ac83e2b+0x58c (servo:arm64+0x10fcf6e04)
2024-09-19 13:58:12.533310-0700 servo[91952:27864983]     #2 0x10fcf6228 in ipc_channel::platform::macos::OsIpcReceiverSet::select::h6366c1ea42d4dc24+0x1ac (servo:arm64+0x10fcf6228)
2024-09-19 13:58:12.533314-0700 servo[91952:27864983]     #3 0x10fd26d20 in ipc_channel::ipc::IpcReceiverSet::select::h74ebda4018d57c64+0x1f4 (servo:arm64+0x10fd26d20)
2024-09-19 13:58:12.533319-0700 servo[91952:27864983]     #4 0x10fd80b7c in ipc_channel::router::Router::run::h4b04188d58da2c2c+0x30c (servo:arm64+0x10fd80b7c)
2024-09-19 13:58:12.533326-0700 servo[91952:27864983]     #5 0x10fd7eaa8 in ipc_channel::router::RouterProxy::new::_$u7b$$u7b$closure$u7d$$u7d$::h1766c23d7f4d3ae2+0x20c (servo:arm64+0x10fd7eaa8)
2024-09-19 13:58:12.533330-0700 servo[91952:27864983]     #6 0x10fd2ac0c in std::sys_common::backtrace::__rust_begin_short_backtrace::h777b7ae3ed33c2d3+0xc (servo:arm64+0x10fd2ac0c)
2024-09-19 13:58:12.533334-0700 servo[91952:27864983]     #7 0x10fd635bc in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::hb150aab763f87ebe+0x130 (servo:arm64+0x10fd635bc)
2024-09-19 13:58:12.533340-0700 servo[91952:27864983]     #8 0x10fd488f8 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h2c4826d30c8d0210+0x130 (servo:arm64+0x10fd488f8)
2024-09-19 13:58:12.533344-0700 servo[91952:27864983]     #9 0x10fd82340 in std::panicking::try::do_call::hc4de2eeffe9a8943+0x12c (servo:arm64+0x10fd82340)
2024-09-19 13:58:12.533348-0700 servo[91952:27864983]     #10 0x10fd893bc in __rust_try+0x1c (servo:arm64+0x10fd893bc)
2024-09-19 13:58:12.533355-0700 servo[91952:27864983]     #11 0x10fd81ef4 in std::panicking::try::h049cc3800dd92249+0x164 (servo:arm64+0x10fd81ef4)
2024-09-19 13:58:12.533359-0700 servo[91952:27864983]     #12 0x10fd2bc48 in std::panic::catch_unwind::h6b401eaeafe00c4b+0x8 (servo:arm64+0x10fd2bc48)
2024-09-19 13:58:12.533365-0700 servo[91952:27864983]     #13 0x10fd62dfc in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::he3e421cd34448d20+0x390 (servo:arm64+0x10fd62dfc)
2024-09-19 13:58:12.533369-0700 servo[91952:27864983]     #14 0x10fd3eb64 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h29f1d11768caa1e2+0x14 (servo:arm64+0x10fd3eb64)
2024-09-19 13:58:12.533372-0700 servo[91952:27864983]     #15 0x110171ac0 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h736a1399eefc896d+0x168 (servo:arm64+0x110171ac0)
2024-09-19 13:58:12.533377-0700 servo[91952:27864983]     #16 0x110171d64 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::hf8e8449fc5ccbc55+0x17c (servo:arm64+0x110171d64)
2024-09-19 13:58:12.533390-0700 servo[91952:27864983]     #17 0x1102fcc14 in std::sys::pal::unix::thread::Thread::new::thread_start::ha95d0c8e3290deba+0x140 (servo:arm64+0x1102fcc14)
2024-09-19 13:58:12.533397-0700 servo[91952:27864983]     #18 0x12666fec8 in asan_thread_start(void*)+0x48 (librustc-stable_rt.asan.dylib:arm64+0x4bec8)
2024-09-19 13:58:12.533400-0700 servo[91952:27864983]     #19 0x185022030 in _pthread_start+0x84 (libsystem_pthread.dylib:arm64+0x7030)
2024-09-19 13:58:12.533404-0700 servo[91952:27864983]     #20 0x9a7a80018501ce38  (<unknown module>)
2024-09-19 13:58:12.533407-0700 servo[91952:27864983]
2024-09-19 13:58:12.533412-0700 servo[91952:27864983] Thread T10 created by T0 here:
2024-09-19 13:58:12.533416-0700 servo[91952:27864983]     #0 0x12666ad88 in pthread_create+0x58 (librustc-stable_rt.asan.dylib:arm64+0x46d88)
2024-09-19 13:58:12.533423-0700 servo[91952:27864983]     #1 0x1102fc700 in std::sys::pal::unix::thread::Thread::new::h53f4880a8315fb61+0x4cc (servo:arm64+0x1102fc700)
2024-09-19 13:58:12.533428-0700 servo[91952:27864983]     #2 0x10fd62160 in std::thread::Builder::spawn_unchecked_::hab1a15639e5050c4+0x830 (servo:arm64+0x10fd62160)
2024-09-19 13:58:12.533436-0700 servo[91952:27864983]     #3 0x10fd617c4 in std::thread::Builder::spawn_unchecked::h3a1b99f7c82cd842+0x178 (servo:arm64+0x10fd617c4)
2024-09-19 13:58:12.533440-0700 servo[91952:27864983]     #4 0x10fd63804 in std::thread::Builder::spawn::h4a3c6d895209f727+0x8 (servo:arm64+0x10fd63804)
2024-09-19 13:58:12.533449-0700 servo[91952:27864983]     #5 0x10fd61460 in std::thread::spawn::hf9b5ee486ae922c7+0x1e8 (servo:arm64+0x10fd61460)
2024-09-19 13:58:12.533454-0700 servo[91952:27864983]     #6 0x10fd7e628 in ipc_channel::router::RouterProxy::new::hc35a866c69da36de+0x3f8 (servo:arm64+0x10fd7e628)
2024-09-19 13:58:12.533459-0700 servo[91952:27864983]     #7 0x10fd3fb00 in core::ops::function::FnOnce::call_once::hc5d71ed90dc39334+0xc (servo:arm64+0x10fd3fb00)
2024-09-19 13:58:12.533463-0700 servo[91952:27864983]     #8 0x10fd819f4 in lazy_static::lazy::Lazy$LT$T$GT$::get::_$u7b$$u7b$closure$u7d$$u7d$::h0fa649a7cd177016+0x19c (servo:arm64+0x10fd819f4)
2024-09-19 13:58:12.533466-0700 servo[91952:27864983]     #9 0x10fd36d30 in std::sync::once::Once::call_once::_$u7b$$u7b$closure$u7d$$u7d$::ha82ae37f550c6941+0x7c (servo:arm64+0x10fd36d30)
2024-09-19 13:58:12.533471-0700 servo[91952:27864983]     #10 0x1106b7a40 in std::sys::sync::once::queue::Once::call::h7498f9b78b691eab+0x3e4 (servo:arm64+0x1106b7a40)
2024-09-19 13:58:12.533477-0700 servo[91952:27864983]     #11 0x10fd367e8 in std::sync::once::Once::call_once::h186bdb4da57f6502+0x1e8 (servo:arm64+0x10fd367e8)
2024-09-19 13:58:12.533481-0700 servo[91952:27864983]     #12 0x10fd81740 in _$LT$ipc_channel..router..ROUTER$u20$as$u20$core..ops..deref..Deref$GT$::deref::hb31cc5fc34fe4274+0x11c (servo:arm64+0x10fd81740)
2024-09-19 13:58:12.533488-0700 servo[91952:27864983]     #13 0x101f3d668 in profile::mem::Profiler::create::ha6b3a087682421c8+0x9bc (servo:arm64+0x101f3d668)
2024-09-19 13:58:12.533493-0700 servo[91952:27864983]     #14 0x1001f759c in servo::Servo$LT$Window$GT$::new::hdf31a2e8fa99a2da+0x3fac (servo:arm64+0x1001f759c)
2024-09-19 13:58:12.533500-0700 servo[91952:27864983]     #15 0x10016c460 in servoshell::desktop::app::App::run::_$u7b$$u7b$closure$u7d$$u7d$::hfb34cf110de45a1f+0x1d7c (servo:arm64+0x10016c460)
2024-09-19 13:58:12.533504-0700 servo[91952:27864983]     #16 0x100174934 in servoshell::desktop::events_loop::EventsLoop::run_forever::_$u7b$$u7b$closure$u7d$$u7d$::hfa00486b5cbb51f4+0x240 (servo:arm64+0x100174934)
2024-09-19 13:58:12.533509-0700 servo[91952:27864983]     #17 0x10015e02c in _$LT$winit..platform_impl..platform..app_state..EventLoopHandler$LT$T$GT$$u20$as$u20$winit..platform_impl..platform..app_state..EventHandler$GT$::handle_nonuser_event::_$u7b$$u7b$closure$u7d$$u7d$::h510a5ab0901be197+0x36c (servo:arm64+0x10015e02c)
2024-09-19 13:58:12.533515-0700 servo[91952:27864983]     #18 0x10015ea9c in winit::platform_impl::platform::app_state::EventLoopHandler$LT$T$GT$::with_callback::ha562467cb295362c+0x3ec (servo:arm64+0x10015ea9c)
2024-09-19 13:58:12.533524-0700 servo[91952:27864983]     #19 0x10015dc08 in _$LT$winit..platform_impl..platform..app_state..EventLoopHandler$LT$T$GT$$u20$as$u20$winit..platform_impl..platform..app_state..EventHandler$GT$::handle_nonuser_event::hc05f3e8ccf6a5a17+0x170 (servo:arm64+0x10015dc08)
2024-09-19 13:58:12.533533-0700 servo[91952:27864983]     #20 0x100d10aa4 in winit::platform_impl::platform::app_state::Handler::handle_nonuser_event::h837f376adfa39331+0x428 (servo:arm64+0x100d10aa4)
2024-09-19 13:58:12.533539-0700 servo[91952:27864983]     #21 0x100d126bc in winit::platform_impl::platform::app_state::AppState::dispatch_init_events::hf37416f96f616250+0x1dc (servo:arm64+0x100d126bc)
2024-09-19 13:58:12.533545-0700 servo[91952:27864983]     #22 0x100d12840 in winit::platform_impl::platform::app_state::AppState::start_running::h37f3b4fc99e06db6+0x58 (servo:arm64+0x100d12840)
2024-09-19 13:58:12.533552-0700 servo[91952:27864983]     #23 0x100d12ad8 in winit::platform_impl::platform::app_state::AppState::launched::ha6023beb53ed3901+0x28c (servo:arm64+0x100d12ad8)
2024-09-19 13:58:12.533559-0700 servo[91952:27864983]     #24 0x100ce3538 in winit::platform_impl::platform::app_delegate::ApplicationDelegate::did_finish_launching::ha675eb527cf82201+0x29c (servo:arm64+0x100ce3538)
2024-09-19 13:58:12.533565-0700 servo[91952:27864983]     #25 0x1850f456c in __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__+0x90 (CoreFoundation:arm64+0x7256c)
2024-09-19 13:58:12.533569-0700 servo[91952:27864983]     #26 0xb463800185188658  (<unknown module>)
2024-09-19 13:58:12.533573-0700 servo[91952:27864983]     #27 0xf7398001851885a0  (<unknown module>)
2024-09-19 13:58:12.533577-0700 servo[91952:27864983]     #28 0x37118001850c31d8  (<unknown module>)
2024-09-19 13:58:12.533581-0700 servo[91952:27864983]     #29 0x135e8001861b5fec  (<unknown module>)
2024-09-19 13:58:12.533585-0700 servo[91952:27864983]     #30 0x34288001888e227c  (<unknown module>)
2024-09-19 13:58:12.533592-0700 servo[91952:27864983]     #31 0x62658001888e202c  (<unknown module>)
2024-09-19 13:58:12.533595-0700 servo[91952:27864983]     #32 0x2a0d8001888e0574  (<unknown module>)
2024-09-19 13:58:12.533598-0700 servo[91952:27864983]     #33 0xce148001888e0170  (<unknown module>)
2024-09-19 13:58:12.533602-0700 servo[91952:27864983]     #34 0x184f0001861de410  (<unknown module>)
2024-09-19 13:58:12.533605-0700 servo[91952:27864983]     #35 0xd3570001861de204  (<unknown module>)
2024-09-19 13:58:12.533609-0700 servo[91952:27864983]     #36 0x7f1f00018c054dbc  (<unknown module>)
2024-09-19 13:58:12.533613-0700 servo[91952:27864983]     #37 0x7a4d80018c0546e4  (<unknown module>)
2024-09-19 13:58:12.533616-0700 servo[91952:27864983]     #38 0x700980018c04dcf4  (<unknown module>)
2024-09-19 13:58:12.533620-0700 servo[91952:27864983]     #39 0xab2b80018f6bc2d0  (<unknown module>)
2024-09-19 13:58:12.533625-0700 servo[91952:27864983]     #40 0xe9138001888dabac  (<unknown module>)
2024-09-19 13:58:12.533629-0700 servo[91952:27864983]     #41 0xf83c8001890b497c  (<unknown module>)
2024-09-19 13:58:12.533633-0700 servo[91952:27864983]     #42 0x6b118001888cdd4c  (<unknown module>)
2024-09-19 13:58:12.533637-0700 servo[91952:27864983]     #43 0x2164000100e0d808  (<unknown module>)
2024-09-19 13:58:12.533642-0700 servo[91952:27864983]     #44 0x100dd3370 in objc2::message::platform::send_unverified::h5bc68716d7ac22db+0x38 (servo:arm64+0x100dd3370)
2024-09-19 13:58:12.533647-0700 servo[91952:27864983]     #45 0x100d1fc48 in objc2::message::MessageReceiver::send_message::h8edb371e332d76aa+0xac (servo:arm64+0x100d1fc48)
2024-09-19 13:58:12.533651-0700 servo[91952:27864983]     #46 0x100d24fa4 in winit::platform_impl::platform::appkit::application::NSApplication::run::h50bd1dabf449909c+0x40 (servo:arm64+0x100d24fa4)
2024-09-19 13:58:12.533658-0700 servo[91952:27864983]     #47 0x10020ae00 in winit::platform_impl::platform::event_loop::EventLoop$LT$T$GT$::run_on_demand::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h4fd9feeee17fcc8f+0x184 (servo:arm64+0x10020ae00)
2024-09-19 13:58:12.533662-0700 servo[91952:27864983]     #48 0x10013b87c in core::ops::function::FnOnce::call_once::h7055e61263f01ea7+0x110 (servo:arm64+0x10013b87c)
2024-09-19 13:58:12.533669-0700 servo[91952:27864983]     #49 0x1002e0410 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::hb1534b5df4e2605b+0x1c (servo:arm64+0x1002e0410)
2024-09-19 13:58:12.533685-0700 servo[91952:27864983]     #50 0x100043924 in std::panicking::try::do_call::hdd00220db29cee06+0x38 (servo:arm64+0x100043924)
2024-09-19 13:58:12.533690-0700 servo[91952:27864983]     #51 0x100043f48 in __rust_try+0x1c (servo:arm64+0x100043f48)
2024-09-19 13:58:12.533696-0700 servo[91952:27864983]     #52 0x100042588 in std::panicking::try::h03c77cb522451eec+0x150 (servo:arm64+0x100042588)
2024-09-19 13:58:12.533701-0700 servo[91952:27864983]     #53 0x1002e60d0 in std::panic::catch_unwind::h7f45104f0a4b5f2d+0x1c (servo:arm64+0x1002e60d0)
2024-09-19 13:58:12.533705-0700 servo[91952:27864983]     #54 0x10020a9e8 in winit::platform_impl::platform::event_loop::EventLoop$LT$T$GT$::run_on_demand::_$u7b$$u7b$closure$u7d$$u7d$::h13682c98b1719641+0x418 (servo:arm64+0x10020a9e8)
2024-09-19 13:58:12.533713-0700 servo[91952:27864983]     #55 0x100267264 in objc2::rc::autorelease::autoreleasepool::he369f8652d201420+0x20c (servo:arm64+0x100267264)
2024-09-19 13:58:12.533716-0700 servo[91952:27864983]     #56 0x10020a460 in winit::platform_impl::platform::event_loop::EventLoop$LT$T$GT$::run_on_demand::ha23c5965a7b18618+0x4c8 (servo:arm64+0x10020a460)
2024-09-19 13:58:12.533720-0700 servo[91952:27864983]     #57 0x10020b960 in winit::platform_impl::platform::event_loop::EventLoop$LT$T$GT$::run::hc2272fff232f39c3+0x10 (servo:arm64+0x10020b960)
2024-09-19 13:58:12.533725-0700 servo[91952:27864983]     #58 0x10008938c in winit::event_loop::EventLoop$LT$T$GT$::run::h15ac395ea6f10120+0x160 (servo:arm64+0x10008938c)
2024-09-19 13:58:12.533728-0700 servo[91952:27864983]     #59 0x10017409c in servoshell::desktop::events_loop::EventsLoop::run_forever::h4d25c10936664536+0x394 (servo:arm64+0x10017409c)
2024-09-19 13:58:12.533745-0700 servo[91952:27864983]     #60 0x1001797dc in servoshell::desktop::app::App::run::h6ca7fa4758a71ceb+0x22e8 (servo:arm64+0x1001797dc)
2024-09-19 13:58:12.533755-0700 servo[91952:27864983]     #61 0x100086148 in servoshell::desktop::cli::main::h8f56ce5b6e9f5c76+0xe04 (servo:arm64+0x100086148)
2024-09-19 13:58:12.533761-0700 servo[91952:27864983]     #62 0x10012e190 in servoshell::main::hc09ba5da62040d8d+0x8 (servo:arm64+0x10012e190)
2024-09-19 13:58:12.533765-0700 servo[91952:27864983]     #63 0x100001760 in servo::main::h7be38ead93409bfa main.rs:26
2024-09-19 13:58:12.533769-0700 servo[91952:27864983]     #64 0x100001b68 in core::ops::function::FnOnce::call_once::h225b1a1d8d04839d function.rs:250
2024-09-19 13:58:12.533773-0700 servo[91952:27864983]     #65 0x100001d8c in std::sys_common::backtrace::__rust_begin_short_backtrace::h403032fd287f24b7 backtrace.rs:155
2024-09-19 13:58:12.533777-0700 servo[91952:27864983]     #66 0x100001a4c in std::rt::lang_start::_$u7b$$u7b$closure$u7d$$u7d$::h29be42f40bf99b26 rt.rs:159
2024-09-19 13:58:12.533783-0700 servo[91952:27864983]     #67 0x1101586fc in core::ops::function::impls::_$LT$impl$u20$core..ops..function..FnOnce$LT$A$GT$$u20$for$u20$$RF$F$GT$::call_once::h6e63f61da97043c4+0x5c (servo:arm64+0x1101586fc)
2024-09-19 13:58:12.533788-0700 servo[91952:27864983]     #68 0x1102e9edc in std::panicking::try::do_call::h979c61fd6aafb03f+0x4c (servo:arm64+0x1102e9edc)
2024-09-19 13:58:12.533795-0700 servo[91952:27864983]     #69 0x110301ce8 in __rust_try+0x1c (servo:arm64+0x110301ce8)
2024-09-19 13:58:12.533799-0700 servo[91952:27864983]     #70 0x1102e98f8 in std::panicking::try::h5de2247cc3e78fa8+0x154 (servo:arm64+0x1102e98f8)
2024-09-19 13:58:12.533802-0700 servo[91952:27864983]     #71 0x110289498 in std::panic::catch_unwind::h88346d5b4e5fde37+0x1c (servo:arm64+0x110289498)
2024-09-19 13:58:12.533808-0700 servo[91952:27864983]     #72 0x1101d4058 in std::rt::lang_start_internal::_$u7b$$u7b$closure$u7d$$u7d$::ha3d6a33fad2f0b31+0x120 (servo:arm64+0x1101d4058)
2024-09-19 13:58:12.533812-0700 servo[91952:27864983]     #73 0x1102e9fd4 in std::panicking::try::do_call::hf6f6776d49f1dcdf+0x4c (servo:arm64+0x1102e9fd4)
2024-09-19 13:58:12.533815-0700 servo[91952:27864983]     #74 0x110301ce8 in __rust_try+0x1c (servo:arm64+0x110301ce8)
2024-09-19 13:58:12.533819-0700 servo[91952:27864983]     #75 0x1102e961c in std::panicking::try::h42c6eaed945bad42+0x154 (servo:arm64+0x1102e961c)
2024-09-19 13:58:12.533830-0700 servo[91952:27864983]     #76 0x11028946c in std::panic::catch_unwind::h7592dd34b96b2409+0x1c (servo:arm64+0x11028946c)
2024-09-19 13:58:12.533835-0700 servo[91952:27864983]     #77 0x1101d3bc0 in std::rt::lang_start_internal::h4b4b4ec4e8ca3f45+0x1b0 (servo:arm64+0x1101d3bc0)
2024-09-19 13:58:12.533839-0700 servo[91952:27864983]     #78 0x100001974 in std::rt::lang_start::hfe8e0748a9cfd3ff rt.rs:158
2024-09-19 13:58:12.533844-0700 servo[91952:27864983]     #79 0x10000178c in main+0x20 (servo:arm64+0x10000178c)
2024-09-19 13:58:12.533847-0700 servo[91952:27864983]     #80 0x184ca10dc  (<unknown module>)
2024-09-19 13:58:12.533851-0700 servo[91952:27864983]     #81 0xa7397ffffffffffc  (<unknown module>)
2024-09-19 13:58:12.533854-0700 servo[91952:27864983]
2024-09-19 13:58:12.533857-0700 servo[91952:27864983] SUMMARY: AddressSanitizer: heap-use-after-free (servo:arm64+0x10fcf6dac) in ipc_channel::platform::macos::select::h1593b22d4ac83e2b+0x534
2024-09-19 13:58:12.533860-0700 servo[91952:27864983] Shadow bytes around the buggy address:
2024-09-19 13:58:12.533864-0700 servo[91952:27864983]   0x6220001ace80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
2024-09-19 13:58:12.533867-0700 servo[91952:27864983]   0x6220001acf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
2024-09-19 13:58:12.533871-0700 servo[91952:27864983]   0x6220001acf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
2024-09-19 13:58:12.533874-0700 servo[91952:27864983]   0x6220001ad000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
2024-09-19 13:58:12.533878-0700 servo[91952:27864983]   0x6220001ad080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
2024-09-19 13:58:12.533882-0700 servo[91952:27864983] =>0x6220001ad100:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
2024-09-19 13:58:12.533886-0700 servo[91952:27864983]   0x6220001ad180: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
2024-09-19 13:58:12.533889-0700 servo[91952:27864983]   0x6220001ad200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
2024-09-19 13:58:12.533892-0700 servo[91952:27864983]   0x6220001ad280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
2024-09-19 13:58:12.533896-0700 servo[91952:27864983]   0x6220001ad300: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
2024-09-19 13:58:12.533900-0700 servo[91952:27864983]   0x6220001ad380: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
2024-09-19 13:58:12.533903-0700 servo[91952:27864983] Shadow byte legend (one shadow byte represents 8 application bytes):
2024-09-19 13:58:12.533907-0700 servo[91952:27864983]   Addressable:           00
2024-09-19 13:58:12.533910-0700 servo[91952:27864983]   Partially addressable: 01 02 03 04 05 06 07
2024-09-19 13:58:12.533916-0700 servo[91952:27864983]   Heap left redzone:       fa
2024-09-19 13:58:12.533920-0700 servo[91952:27864983]   Freed heap region:       fd
2024-09-19 13:58:12.533923-0700 servo[91952:27864983]   Stack left redzone:      f1
2024-09-19 13:58:12.533928-0700 servo[91952:27864983]   Stack mid redzone:       f2
2024-09-19 13:58:12.533931-0700 servo[91952:27864983]   Stack right redzone:     f3
2024-09-19 13:58:12.533934-0700 servo[91952:27864983]   Stack after return:      f5
2024-09-19 13:58:12.533940-0700 servo[91952:27864983]   Stack use after scope:   f8
2024-09-19 13:58:12.533946-0700 servo[91952:27864983]   Global redzone:          f9
2024-09-19 13:58:12.533950-0700 servo[91952:27864983]   Global init order:       f6
2024-09-19 13:58:12.533953-0700 servo[91952:27864983]   Poisoned by user:        f7
2024-09-19 13:58:12.533957-0700 servo[91952:27864983]   Container overflow:      fc
2024-09-19 13:58:12.533961-0700 servo[91952:27864983]   Array cookie:            ac
2024-09-19 13:58:12.533965-0700 servo[91952:27864983]   Intra object redzone:    bb
2024-09-19 13:58:12.533969-0700 servo[91952:27864983]   ASan internal:           fe
2024-09-19 13:58:12.533973-0700 servo[91952:27864983]   Left alloca redzone:     ca
2024-09-19 13:58:12.533978-0700 servo[91952:27864983]   Right alloca redzone:    cb
==91952==ABORTING
Process 91952 stopped
* thread #12, stop reason = signal SIGABRT
    frame #0: 0x0000000184fea0dc libsystem_kernel.dylib`__pthread_kill + 8
libsystem_kernel.dylib`__pthread_kill:
->  0x184fea0dc <+8>:  b.lo   0x184fea0fc    ; <+40>
    0x184fea0e0 <+12>: pacibsp
    0x184fea0e4 <+16>: stp    x29, x30, [sp, #-0x10]!
    0x184fea0e8 <+20>: mov    x29, sp
Target 0: (servo) stopped.
(lldb)
@webbeef
Copy link
Contributor Author

webbeef commented Sep 19, 2024

This is because we reuse message in the loop after at

ipc-channel/src/platform/macos/mod.rs

Line 730 in 862b0e2

let actual_size = (*message).header.msgh_size + max_trailer_size;
the free() in this case:

ipc-channel/src/platform/macos/mod.rs

Line 751 in 862b0e2

libc::free(allocated_buffer.unwrap() as *mut _);

I have a patch to submit that fixes the issue.

@jdm
Copy link
Member

jdm commented Sep 26, 2024

Fixed by #359.

@jdm jdm closed this as completed Sep 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jdm @webbeef