crash log for renderer (pid 30508):
STDOUT: #CRASHED - renderer (pid 30508)
STDERR: =================================================================
STDERR: ==5==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0000b7108 at pc 0x00000450265b bp 0x7ffff1e1e370 sp 0x7ffff1e1e368
STDERR: READ of size 8 at 0x60b0000b7108 thread T0 (content_shell)
STDERR:     #0 0x450265a in blink::SVGImageChromeClient::animationTimerFired(blink::Timer*) third_party/WebKit/Source/core/svg/graphics/SVGImageChromeClient.cpp:90:5
STDERR:     #1 0x7bc0b54 in blink::ThreadTimers::sharedTimerFiredInternal() third_party/WebKit/Source/platform/ThreadTimers.cpp:137:9
STDERR:     #2 0x7bc03d7 in blink::ThreadTimers::sharedTimerFired() third_party/WebKit/Source/platform/ThreadTimers.cpp:107:5
STDERR:     #3 0x6e3a330 in Run base/callback.h:396:12
STDERR:     #4 0x6e3a330 in base::Timer::RunScheduledTask() base/timer/timer.cc:211:0
STDERR:     #5 0x6f7886 in Run base/callback.h:396:12
STDERR:     #6 0x6f7886 in base::debug::TaskAnnotator::RunTask(char const*, char const*, base::PendingTask const&) base/debug/task_annotator.cc:63:0
STDERR:     #7 0x6486098 in ProcessTaskFromWorkQueue content/renderer/scheduler/task_queue_manager.cc:407:5
STDERR:     #8 0x6486098 in content::TaskQueueManager::DoWork(bool) content/renderer/scheduler/task_queue_manager.cc:380:0
STDERR:     #9 0x6f7886 in Run base/callback.h:396:12
STDERR:     #10 0x6f7886 in base::debug::TaskAnnotator::RunTask(char const*, char const*, base::PendingTask const&) base/debug/task_annotator.cc:63:0
STDERR:     #11 0x6457dc in base::MessageLoop::RunTask(base::PendingTask const&) base/message_loop/message_loop.cc:458:3
STDERR:     #12 0x646647 in DeferOrRunPendingTask base/message_loop/message_loop.cc:468:5
STDERR:     #13 0x646647 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:580:0
STDERR:     #14 0x649fc1 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:32:21
STDERR:     #15 0x66564a in base::RunLoop::Run() base/run_loop.cc:55:3
STDERR:     #16 0x6441b1 in base::MessageLoop::Run() base/message_loop/message_loop.cc:317:3
STDERR:     #17 0x64757e5 in content::RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:228:7
STDERR:     #18 0x5f4145 in content::RunZygote(content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:347:14
STDERR:     #19 0x5f61b8 in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:803:12
STDERR:     #20 0x5f37ca in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:15
STDERR:     #21 0x4ba306 in main content/shell/app/shell_main.cc:49:10
STDERR:     #22 0x7f6e59e6f76c in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:226:0
STDERR:
STDERR: 0x60b0000b7108 is located 8 bytes inside of 104-byte region [0x60b0000b7100,0x60b0000b7168)
STDERR: freed by thread T0 (content_shell) here:
STDERR:     #0 0x49be49 in __interceptor_free ??:0:0
STDERR:     #1 0x44fa438 in deletePtr third_party/WebKit/Source/wtf/OwnPtrCommon.h:52:9
STDERR:     #2 0x44fa438 in ~OwnPtr third_party/WebKit/Source/wtf/OwnPtr.h:54:0
STDERR:     #3 0x44fa438 in ~SVGImage third_party/WebKit/Source/core/svg/graphics/SVGImage.cpp:80:0
STDERR:     #4 0x44fa438 in blink::SVGImage::~SVGImage() third_party/WebKit/Source/core/svg/graphics/SVGImage.cpp:70:0
STDERR:     #5 0x374d790 in deref third_party/WebKit/Source/wtf/RefCounted.h:172:13
STDERR:     #6 0x374d790 in derefIfNotNull third_party/WebKit/Source/wtf/PassRefPtr.h:57:0
STDERR:     #7 0x374d790 in clear third_party/WebKit/Source/wtf/RefPtr.h:97:0
STDERR:     #8 0x374d790 in clearImage third_party/WebKit/Source/core/fetch/ImageResource.cpp:348:0
STDERR:     #9 0x374d790 in blink::ImageResource::~ImageResource() third_party/WebKit/Source/core/fetch/ImageResource.cpp:83:0
STDERR:     #10 0x1b2a783 in finalize third_party/WebKit/Source/platform/heap/Heap.cpp:461:9
STDERR:     #11 0x1b2a783 in blink::HeapPage::sweep() third_party/WebKit/Source/platform/heap/Heap.cpp:1584:0
STDERR:     #12 0x1b2b237 in blink::ThreadHeap::completeSweep() third_party/WebKit/Source/platform/heap/Heap.cpp:826:13
STDERR:     #13 0x1b34b6a in blink::ThreadState::completeSweep() third_party/WebKit/Source/platform/heap/ThreadState.cpp:846:13
STDERR:     #14 0x1b28094 in blink::ThreadHeap::outOfLineAllocate(unsigned long, unsigned long) third_party/WebKit/Source/platform/heap/Heap.cpp:652:5
STDERR:     #15 0x2a1ae5e in allocateObject third_party/WebKit/Source/platform/heap/Heap.h:1357:12
STDERR:     #16 0x2a1ae5e in allocate third_party/WebKit/Source/platform/heap/Heap.h:1362:0
STDERR:     #17 0x2a1ae5e in allocateOnHeapIndex > third_party/WebKit/Source/platform/heap/Heap.h:1385:0
STDERR:     #18 0x2a1ae5e in allocateVectorBacking > third_party/WebKit/Source/platform/heap/Heap.h:1441:0
STDERR:     #19 0x2a1ae5e in allocateBuffer third_party/WebKit/Source/wtf/Vector.h:297:0
STDERR:     #20 0x2a1ae5e in WTF::Vector, 0ul, blink::HeapAllocator>::reserveCapacity(unsigned long) third_party/WebKit/Source/wtf/Vector.h:991:0
STDERR:     #21 0x2a1ab85 in expandCapacity third_party/WebKit/Source/wtf/Vector.h:924:9
STDERR:     #22 0x2a1ab85 in expandCapacity third_party/WebKit/Source/wtf/Vector.h:942:0
STDERR:     #23 0x2a1ab85 in void WTF::Vector, 0ul, blink::HeapAllocator>::appendSlowCase(blink::Document* const&) third_party/WebKit/Source/wtf/Vector.h:1068:0
STDERR:     #24 0x3abad9f in append third_party/WebKit/Source/wtf/Vector.h:1059:9
STDERR:     #25 0x3abad9f in append third_party/WebKit/Source/platform/heap/Heap.h:1701:0
STDERR:     #26 0x3abad9f in blink::PageAnimator::serviceScriptedAnimations(double) third_party/WebKit/Source/core/page/PageAnimator.cpp:46:0
STDERR:     #27 0x45025b8 in blink::SVGImageChromeClient::animationTimerFired(blink::Timer*) third_party/WebKit/Source/core/svg/graphics/SVGImageChromeClient.cpp:89:5
STDERR:     #28 0x7bc0b54 in blink::ThreadTimers::sharedTimerFiredInternal() third_party/WebKit/Source/platform/ThreadTimers.cpp:137:9
STDERR:     #29 0x7bc03d7 in blink::ThreadTimers::sharedTimerFired() third_party/WebKit/Source/platform/ThreadTimers.cpp:107:5
STDERR:     #30 0x6e3a330 in Run base/callback.h:396:12
STDERR:     #31 0x6e3a330 in base::Timer::RunScheduledTask() base/timer/timer.cc:211:0
STDERR:     #32 0x6f7886 in Run base/callback.h:396:12
STDERR:     #33 0x6f7886 in base::debug::TaskAnnotator::RunTask(char const*, char const*, base::PendingTask const&) base/debug/task_annotator.cc:63:0
STDERR:     #34 0x6486098 in ProcessTaskFromWorkQueue content/renderer/scheduler/task_queue_manager.cc:407:5
STDERR:     #35 0x6486098 in content::TaskQueueManager::DoWork(bool) content/renderer/scheduler/task_queue_manager.cc:380:0
STDERR:     #36 0x6f7886 in Run base/callback.h:396:12
STDERR:     #37 0x6f7886 in base::debug::TaskAnnotator::RunTask(char const*, char const*, base::PendingTask const&) base/debug/task_annotator.cc:63:0
STDERR:     #38 0x6457dc in base::MessageLoop::RunTask(base::PendingTask const&) base/message_loop/message_loop.cc:458:3
STDERR:     #39 0x646647 in DeferOrRunPendingTask base/message_loop/message_loop.cc:468:5
STDERR:     #40 0x646647 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:580:0
STDERR:     #41 0x649fc1 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:32:21
STDERR:     #42 0x66564a in base::RunLoop::Run() base/run_loop.cc:55:3
STDERR:     #43 0x6441b1 in base::MessageLoop::Run() base/message_loop/message_loop.cc:317:3
STDERR:     #44 0x64757e5 in content::RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:228:7
STDERR:     #45 0x5f4145 in content::RunZygote(content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:347:14
STDERR:     #46 0x5f61b8 in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:803:12
STDERR:     #47 0x5f37ca in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:15
STDERR:     #48 0x4ba306 in main content/shell/app/shell_main.cc:49:10
STDERR:     #49 0x7f6e59e6f76c in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:226:0
STDERR:
STDERR: previously allocated by thread T0 (content_shell) here:
STDERR:     #0 0x49c109 in __interceptor_malloc ??:0:0
STDERR:     #1 0x1a42aca in partitionAllocGenericFlags third_party/WebKit/Source/wtf/PartitionAlloc.h:541:20
STDERR:     #2 0x1a42aca in partitionAllocGeneric third_party/WebKit/Source/wtf/PartitionAlloc.h:557:0
STDERR:     #3 0x1a42aca in WTF::fastMalloc(unsigned long) third_party/WebKit/Source/wtf/FastMalloc.cpp:74:0
STDERR:     #4 0x44fee35 in operator new third_party/WebKit/Source/core/svg/graphics/SVGImageChromeClient.h:40:49
STDERR:     #5 0x44fee35 in blink::SVGImage::dataChanged(bool) third_party/WebKit/Source/core/svg/graphics/SVGImage.cpp:415:0
STDERR:     #6 0x7ccfa0e in blink::Image::setData(WTF::PassRefPtr, bool) third_party/WebKit/Source/platform/graphics/Image.cpp:92:12
STDERR:     #7 0x3751362 in blink::ImageResource::updateImage(bool) third_party/WebKit/Source/core/fetch/ImageResource.cpp:371:25
STDERR:     #8 0x375186f in blink::ImageResource::finishOnePart() third_party/WebKit/Source/core/fetch/ImageResource.cpp:407:5
STDERR:     #9 0x37631ed in blink::Resource::finish() third_party/WebKit/Source/core/fetch/Resource.cpp:272:5
STDERR:     #10 0x3790936 in blink::ResourceLoader::didFinishLoading(blink::WebURLLoader*, double, long) third_party/WebKit/Source/core/fetch/ResourceLoader.cpp:451:5
STDERR:     #11 0x632012a in content::WebURLLoaderImpl::Context::OnCompletedRequest(int, bool, bool, std::__1::basic_string, std::__1::allocator > const&, base::TimeTicks const&, long) content/child/web_url_loader_impl.cc:762:9
STDERR:     #12 0x6308ee4 in content::ResourceDispatcher::OnRequestComplete(int, ResourceMsg_RequestCompleteData const&) content/child/resource_dispatcher.cc:583:3
STDERR:     #13 0x6303f03 in DispatchToMethodImpl base/tuple.h:246:3
STDERR:     #14 0x6303f03 in DispatchToMethod base/tuple.h:253:0
STDERR:     #15 0x6303f03 in Dispatch content/common/resource_messages.h:349:0
STDERR:     #16 0x6303f03 in content::ResourceDispatcher::DispatchMessage(IPC::Message const&) content/child/resource_dispatcher.cc:729:0
STDERR:     #17 0x63026a8 in content::ResourceDispatcher::OnMessageReceived(IPC::Message const&) content/child/resource_dispatcher.cc:342:3
STDERR:     #18 0x6f7886 in Run base/callback.h:396:12
STDERR:     #19 0x6f7886 in base::debug::TaskAnnotator::RunTask(char const*, char const*, base::PendingTask const&) base/debug/task_annotator.cc:63:0
STDERR:     #20 0x6486098 in ProcessTaskFromWorkQueue content/renderer/scheduler/task_queue_manager.cc:407:5
STDERR:     #21 0x6486098 in content::TaskQueueManager::DoWork(bool) content/renderer/scheduler/task_queue_manager.cc:380:0
STDERR:     #22 0x6f7886 in Run base/callback.h:396:12
STDERR:     #23 0x6f7886 in base::debug::TaskAnnotator::RunTask(char const*, char const*, base::PendingTask const&) base/debug/task_annotator.cc:63:0
STDERR:     #24 0x6457dc in base::MessageLoop::RunTask(base::PendingTask const&) base/message_loop/message_loop.cc:458:3
STDERR:     #25 0x646647 in DeferOrRunPendingTask base/message_loop/message_loop.cc:468:5
STDERR:     #26 0x646647 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:580:0
STDERR:     #27 0x649fc1 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:32:21
STDERR:     #28 0x66564a in base::RunLoop::Run() base/run_loop.cc:55:3
STDERR:     #29 0x6441b1 in base::MessageLoop::Run() base/message_loop/message_loop.cc:317:3
STDERR:     #30 0x64757e5 in content::RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:228:7
STDERR:     #31 0x5f4145 in content::RunZygote(content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:347:14
STDERR:     #32 0x5f61b8 in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:803:12
STDERR:     #33 0x5f37ca in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:15
STDERR:     #34 0x4ba306 in main content/shell/app/shell_main.cc:49:10
STDERR:     #35 0x7f6e59e6f76c in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:226:0
STDERR:
STDERR: SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
STDERR: Shadow bytes around the buggy address:
STDERR:   0x0c168000edd0: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fd fd
STDERR:   0x0c168000ede0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
STDERR:   0x0c168000edf0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
STDERR:   0x0c168000ee00: fd fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
STDERR:   0x0c168000ee10: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
STDERR: =>0x0c168000ee20: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fa fa fa
STDERR:   0x0c168000ee30: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
STDERR:   0x0c168000ee40: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd
STDERR:   0x0c168000ee50: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
STDERR:   0x0c168000ee60: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
STDERR:   0x0c168000ee70: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
STDERR: Shadow byte legend (one shadow byte represents 8 application bytes):
STDERR:   Addressable:           00
STDERR:   Partially addressable: 01 02 03 04 05 06 07
STDERR:   Heap left redzone:       fa
STDERR:   Heap right redzone:      fb
STDERR:   Freed heap region:       fd
STDERR:   Stack left redzone:      f1
STDERR:   Stack mid redzone:       f2
STDERR:   Stack right redzone:     f3
STDERR:   Stack partial redzone:   f4
STDERR:   Stack after return:      f5
STDERR:   Stack use after scope:   f8
STDERR:   Global redzone:          f9
STDERR:   Global init order:       f6
STDERR:   Poisoned by user:        f7
STDERR:   Container overflow:      fc
STDERR:   Array cookie:            ac
STDERR:   Intra object redzone:    bb
STDERR:   ASan internal:           fe
STDERR:   Left alloca redzone:     ca
STDERR:   Right alloca redzone:    cb
STDERR: ==5==ABORTING