crash log for renderer (pid 4472):
STDOUT: layer at (0,0) size 800x600
STDOUT: LayoutView at (0,0) size 800x600
STDOUT: layer at (0,0) size 800x600
STDOUT: LayoutSVGRoot {svg} at (0,0) size 0x0
STDOUT: LayoutSVGHiddenContainer {defs} at (0,0) size 0x0
STDOUT: LayoutSVGResourceMasker {mask} [id="mask"] [maskUnits=objectBoundingBox] [maskContentUnits=userSpaceOnUse]
STDOUT: LayoutSVGRect {rect} at (0,0) size 0x0 [fill={[type=SOLID] [color=#FFFFFF]}] [x=-0.50] [y=-0.50] [width=0.10] [height=0.10]
STDOUT: LayoutSVGRect {rect} at (0,0) size 0x0 [fill={[type=SOLID] [color=#008000]}] [x=20.00] [y=20.00] [width=100.00] [height=100.00]
STDOUT: [masker="mask"] LayoutSVGResourceMasker {mask} at (0,0) size 0x0
STDOUT: LayoutSVGText {text} at (60,45) size 21x19 contains 1 chunk(s)
STDOUT: [masker="mask"] LayoutSVGResourceMasker {mask} at (0,0) size 0x0
STDOUT: LayoutSVGTSpan {tspan} at (0,0) size 21x19
STDOUT: LayoutSVGInlineText {#text} at (0,0) size 21x19
STDOUT: chunk 1 text run 1 at (60.00,60.00) startOffset 0 endOffset 4 width 21.00: "test"
STDERR: =================================================================
STDERR: ==4==ERROR: AddressSanitizer: use-after-poison on address 0x26e481927960 at pc 0x000004ab9df7 bp 0x7fff40be5d90 sp 0x7fff40be5d88
STDERR: READ of size 8 at 0x26e481927960 thread T0 (content_shell)
STDERR: #0 0x4ab9df6 in operator-> third_party/WebKit/Source/platform/heap/Handle.h:639:36
STDERR: #1 0x4ab9df6 in blink::FrameView::scheduleRelayoutOfSubtree(blink::LayoutObject*) third_party/WebKit/Source/core/frame/FrameView.cpp:1752:0
STDERR: #2 0x2dff0a1 in blink::LayoutObject::setNeedsLayout(char const*, blink::MarkingBehavior, blink::SubtreeLayoutScope*) third_party/WebKit/Source/core/layout/LayoutObject.h:1507:13
STDERR: #3 0x57d8eef in setNeedsLayoutAndFullPaintInvalidation third_party/WebKit/Source/core/layout/LayoutObject.h:1513:5
STDERR: #4 0x57d8eef in blink::LayoutSVGResourceContainer::markForLayoutAndParentResourceInvalidation(blink::LayoutObject*, bool) third_party/WebKit/Source/core/layout/svg/LayoutSVGResourceContainer.cpp:283:0
STDERR: #5 0x59296fd in blink::SVGSMILElement::reset() third_party/WebKit/Source/core/svg/animation/SVGSMILElement.cpp:297:5
STDERR: #6 0x59163ba in blink::SMILTimeContainer::setElapsed(blink::SMILTime) third_party/WebKit/Source/core/svg/animation/SMILTimeContainer.cpp:268:13
STDERR: #7 0x4a0f591 in blink::ImageResource::allClientsRemoved() third_party/WebKit/Source/core/fetch/ImageResource.cpp:186:9
STDERR: #8 0x4a33915 in blink::Resource::removeClient(blink::ResourceClient*) third_party/WebKit/Source/core/fetch/Resource.cpp:601:13
STDERR: #9 0x4de4776 in blink::ImageLoader::~ImageLoader() third_party/WebKit/Source/core/loader/ImageLoader.cpp:162:9
STDERR: #10 0x1e24b43 in finalize third_party/WebKit/Source/platform/heap/Heap.cpp:213:9
STDERR: #11 0x1e24b43 in blink::NormalPage::sweep() third_party/WebKit/Source/platform/heap/Heap.cpp:1322:0
STDERR: #12 0x1e1fa20 in sweepUnsweptPage third_party/WebKit/Source/platform/heap/Heap.cpp:473:9
STDERR: #13 0x1e1fa20 in blink::BaseHeap::completeSweep() third_party/WebKit/Source/platform/heap/Heap.cpp:514:0
STDERR: #14 0x1dca8f5 in eagerSweep third_party/WebKit/Source/platform/heap/ThreadState.cpp:1054:9
STDERR: #15 0x1dca8f5 in blink::ThreadState::preSweep() third_party/WebKit/Source/platform/heap/ThreadState.cpp:993:0
STDERR: #16 0x1e28084 in ~SafePointScope third_party/WebKit/Source/platform/heap/SafePoint.h:28:13
STDERR: #17 0x1e28084 in ~GCScope third_party/WebKit/Source/platform/heap/Heap.cpp:185:0
STDERR: #18 0x1e28084 in blink::Heap::collectGarbage(blink::ThreadState::StackState, blink::ThreadState::GCType, blink::Heap::GCReason) third_party/WebKit/Source/platform/heap/Heap.cpp:2227:0
STDERR: #19 0x1dc5e69 in blink::ThreadState::performIdleGC(double) third_party/WebKit/Source/platform/heap/ThreadState.cpp:673:5
STDERR: #20 0x745dfaf in scheduler::WebSchedulerImpl::runIdleTask(scoped_ptr >, base::TimeTicks) components/scheduler/child/web_scheduler_impl.cc:42:3
STDERR: #21 0x745f127 in Run base/bind_internal.h:157:12
STDERR: #22 0x745f127 in MakeItSo base/bind_internal.h:293:0
STDERR: #23 0x745f127 in base::internal::Invoker, base::internal::BindState >, base::TimeTicks)>, void (scoped_ptr >, base::TimeTicks), base::internal::TypeList > > > >, base::internal::TypeList > > > >, base::internal::InvokeHelper >, base::TimeTicks)>, base::internal::TypeList >, base::TimeTicks const&> >, void (base::TimeTicks const&)>::Run(base::internal::BindStateBase*, base::TimeTicks const&) base/bind_internal.h:343:0
STDERR: #24 0x74503d4 in Run base/callback.h:396:12
STDERR: #25 0x74503d4 in scheduler::SingleThreadIdleTaskRunner::RunTask(base::Callback) components/scheduler/child/single_thread_idle_task_runner.cc:75:0
STDERR: #26 0x7451088 in Run base/bind_internal.h:176:12
STDERR: #27 0x7451088 in MakeItSo base/bind_internal.h:303:0
STDERR: #28 0x7451088 in base::internal::Invoker, base::internal::BindState)>, void (scheduler::SingleThreadIdleTaskRunner*, base::Callback), base::internal::TypeList, base::Callback > >, base::internal::TypeList >, base::internal::UnwrapTraits > >, base::internal::InvokeHelper)>, base::internal::TypeList const&, base::Callback const&> >, void ()>::Run(base::internal::BindStateBase*) base/bind_internal.h:343:0
STDERR: #29 0x6c00e7 in Run base/callback.h:396:12
STDERR: #30 0x6c00e7 in base::debug::TaskAnnotator::RunTask(char const*, char const*, base::PendingTask const&) base/debug/task_annotator.cc:62:0
STDERR: #31 0x74587eb in scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(unsigned long, bool, base::PendingTask*) components/scheduler/child/task_queue_manager.cc:694:5
STDERR: #32 0x7456b92 in scheduler::TaskQueueManager::DoWork(bool) components/scheduler/child/task_queue_manager.cc:648:9
STDERR: #33 0x6c00e7 in Run base/callback.h:396:12
STDERR: #34 0x6c00e7 in base::debug::TaskAnnotator::RunTask(char const*, char const*, base::PendingTask const&) base/debug/task_annotator.cc:62:0
STDERR: #35 0x5f8aaf in base::MessageLoop::RunTask(base::PendingTask const&) base/message_loop/message_loop.cc:472:3
STDERR: #36 0x5f9ae4 in DeferOrRunPendingTask base/message_loop/message_loop.cc:482:5
STDERR: #37 0x5f9ae4 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:594:0
STDERR: #38 0x5ffc30 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:34:21
STDERR: #39 0x61bc88 in base::RunLoop::Run() base/run_loop.cc:55:3
STDERR: #40 0x5f719e in base::MessageLoop::Run() base/message_loop/message_loop.cc:287:3
STDERR: #41 0x7559510 in content::RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:220:7
STDERR: #42 0x593e5a in content::RunZygote(content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:308:14
STDERR: #43 0x595d0d in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:808:12
STDERR: #44 0x59348a in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:15
STDERR: #45 0x4e8492 in main content/shell/app/shell_main.cc:49:10
STDERR: #46 0x7f08058a576c in __libc_start_main ??:0:0
STDERR:
STDERR: AddressSanitizer can not describe address in more detail (wild memory access suspected).
STDERR: SUMMARY: AddressSanitizer: use-after-poison (/mnt/data/b/build/slave/WebKit_Linux_Oilpan_ASAN/build/src/out/Release/content_shell+0x4ab9df6)
STDERR: Shadow bytes around the buggy address:
STDERR: 0x04dd1031ced0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
STDERR: 0x04dd1031cee0: 00 00 00 00 00 00 00 00 00 f7 f7 f7 f7 f7 f7 f7
STDERR: 0x04dd1031cef0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
STDERR: 0x04dd1031cf00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
STDERR: 0x04dd1031cf10: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
STDERR: =>0x04dd1031cf20: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7
STDERR: 0x04dd1031cf30: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
STDERR: 0x04dd1031cf40: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
STDERR: 0x04dd1031cf50: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
STDERR: 0x04dd1031cf60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
STDERR: 0x04dd1031cf70: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
STDERR: Shadow byte legend (one shadow byte represents 8 application bytes):
STDERR: Addressable: 00
STDERR: Partially addressable: 01 02 03 04 05 06 07
STDERR: Heap left redzone: fa
STDERR: Heap right redzone: fb
STDERR: Freed heap region: fd
STDERR: Stack left redzone: f1
STDERR: Stack mid redzone: f2
STDERR: Stack right redzone: f3
STDERR: Stack partial redzone: f4
STDERR: Stack after return: f5
STDERR: Stack use after scope: f8
STDERR: Global redzone: f9
STDERR: Global init order: f6
STDERR: Poisoned by user: f7
STDERR: Container overflow: fc
STDERR: Array cookie: ac
STDERR: Intra object redzone: bb
STDERR: ASan internal: fe
STDERR: Left alloca redzone: ca
STDERR: Right alloca redzone: cb
STDERR: [4430:4460:0712/211036:5966036735:WARNING:crash_handler_host_linux.cc(290)] Could not translate tid - assuming crashing thread is thread group leader; syscall_supported=1
STDERR: ==4==ABORTING