Talos Vulnerability Report

TALOS-2020-1124

Apple Safari/Webkit aboutBlankURL() code execution vulnerability

September 17, 2020
CVE Number

CVE-2020-9951

Summary

An exploitable use-after-free vulnerability exists in the WebKit engine used by Apple Safari 13.0.2 (15609.2.9.1.2, 610+) on macOS at WebKit Git commit 44383bcbaf11c4c2aa55e1b8899ab84b1ddfccca, and in Ubuntu WebKitGTK at the same commit. A specially crafted HTML web page can trigger the use-after-free, which can lead to remote code execution. The victim needs to visit a malicious web site to trigger this vulnerability.

Tested Versions

Apple Safari/Webkit 13.0.2 (15609.2.9.1.2, 610+) Webkit GIT 44383bcbaf11c4c2aa55e1b8899ab84b1ddfccca [--release]
Ubuntu Webkit GTK GIT 44383bcbaf11c4c2aa55e1b8899ab84b1ddfccca [--release]

Product URLs

https://webkit.org/

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Details

WebCore is the DOM and rendering engine of WebKit, the browser engine used by Apple Safari.

The vulnerability concerns staticBlankURL, the never-destroyed static URL returned by WTF::aboutBlankURL(), and the way its backing string is handled while documents are loaded and reloaded. A malicious web page can create a race between the main thread and a Worker thread in which the worker frees the string storage of this static URL while the main thread is still using it. The result is a use-after-free that can lead to remote code execution.

Tracking the staticBlankURL object's life cycle in the AddressSanitizer report, we first see the allocation made by thread T0 (the main thread of the WebContent process) inside aboutBlankURL(): the 24-byte region is the StringImpl created from the URL's string literal while the NeverDestroyed<URL> is constructed during Document::initSecurityContext():

previously allocated by thread T0 here:
	#0 0x11975032d in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/11.0.3/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4632d)
	#1 0x7fff6a43fd79 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0xd79)
	#2 0x18c42b308 in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bf308)
	#3 0x18c34aeed in WTF::StringImpl::createFromLiteral(char const*, unsigned int) (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xdeeed)
	#4 0x18c34af51 in WTF::StringImpl::createFromLiteral(char const*) (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xdef51)
	#5 0x18c4166e3 in WTF::String::String(WTF::ASCIILiteral) (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1aa6e3)
	#6 0x18c3a6bd0 in WTF::NeverDestroyed<WTF::URL, WTF::AnyThreadsAccessTraits>::NeverDestroyed<WTF::URL, WTF::ASCIILiteral>(WTF::URL&&, WTF::ASCIILiteral&&) (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x13abd0)
	#7 0x18c39230b in WTF::aboutBlankURL() (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12630b)
	#8 0x17434b042 in WebCore::SecurityPolicy::shouldInheritSecurityOriginFromOwner(WTF::URL const&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x434b042)
	#9 0x1731d7e71 in WebCore::Document::initSecurityContext() (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x31d7e71)
	#10 0x1731d5460 in WebCore::Document::Document(WebCore::Frame*, WTF::URL const&, unsigned int, unsigned int) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x31d5460)
	#11 0x17375637e in WebCore::HTMLDocument::HTMLDocument(WebCore::Frame*, WTF::URL const&, unsigned char, unsigned int) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x375637e)
	#12 0x1731ac0f6 in WebCore::HTMLDocument::create(WebCore::Frame*, WTF::URL const&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x31ac0f6)
	#13 0x1731ac2fc in WebCore::DOMImplementation::createDocument(WTF::String const&, WebCore::Frame*, WTF::URL const&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x31ac2fc)
	#14 0x173f3c734 in WebCore::DocumentWriter::createDocument(WTF::URL const&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3f3c734)
	#15 0x173f28f1a in WebCore::DocumentWriter::begin(WTF::URL const&, bool, WebCore::Document*) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3f28f1a)
	#16 0x173f21099 in WebCore::DocumentLoader::commitData(char const*, unsigned long) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3f21099)
	#17 0x10fd7368d in WebKit::WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1a5268d)
	#18 0x173f28c28 in WebCore::DocumentLoader::commitLoad(char const*, int) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3f28c28)
	#19 0x1740c4219 in WebCore::CachedRawResource::notifyClientsDataWasReceived(char const*, unsigned int) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x40c4219)
	#20 0x1740c3e74 in WebCore::CachedRawResource::updateBuffer(WebCore::SharedBuffer&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x40c3e74)
	#21 0x1740481e0 in WebCore::SubresourceLoader::didReceiveDataOrBuffer(char const*, int, WTF::RefPtr<WebCore::SharedBuffer, WTF::DumbPtrTraits<WebCore::SharedBuffer> >&&, long long, WebCore::DataPayloadType) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x40481e0)
	#22 0x174047f19 in WebCore::SubresourceLoader::didReceiveData(char const*, unsigned int, long long, WebCore::DataPayloadType) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4047f19)
	#23 0x10fc73433 in WebKit::WebResourceLoader::processReceivedData(char const*, unsigned long, long long) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1952433)
	#24 0x11033c6bd in void IPC::handleMessage<Messages::WebResourceLoader::DidReceiveSharedBuffer, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::SharedBufferDataReference&&, long long)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::SharedBufferDataReference&&, long long)) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x201b6bd)
	#25 0x11033bcd3 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x201acd3)
	#26 0x10fc3765a in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x191665a)
	#27 0x10e3a4d2e in IPC::Connection::dispatchMessage(IPC::Decoder&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x83d2e)
	#28 0x10e3a59a8 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x849a8)
	#29 0x10e3a650d in IPC::Connection::dispatchOneIncomingMessage() (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x8550d)

Later, a Worker object is created via callWorker, which runs its script on a separate thread, T58. When the worker's script has finished and its WorkerScriptController and JavaScriptCore VM are torn down, the final garbage-collection sweep runs the DOMURL destructor on T58, and that destructor frees the StringImpl backing staticBlankURL:

0x6030000634f4 is located 4 bytes inside of 24-byte region [0x6030000634f0,0x603000063508)
freed by thread T58 here:
	#0 0x119750736 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/11.0.3/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x46736)
	#1 0x1736bb55d in WebCore::DOMURL::~DOMURL() (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x36bb55d)
	#2 0x1736bb63d in WebCore::DOMURL::~DOMURL() (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x36bb63d)
	#3 0x18e1dca63 in JSC::PreciseAllocation::sweep() (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1f70a63)
	#4 0x18e1bd0d6 in JSC::MarkedSpace::lastChanceToFinalize() (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1f510d6)
	#5 0x18e125a21 in JSC::Heap::lastChanceToFinalize() (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1eb9a21)
	#6 0x18ef6dca8 in JSC::VM::~VM() (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2d01ca8)
	#7 0x18cec6c1e in WTF::ThreadSafeRefCounted<JSC::VM, (WTF::DestructionThread)0>::deref() const::'lambda'()::operator()() const (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xc5ac1e)
	#8 0x18cea0249 in WTF::ThreadSafeRefCounted<JSC::VM, (WTF::DestructionThread)0>::deref() const (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xc34249)
	#9 0x18e2db29a in WTF::RefPtr<JSC::VM, WTF::DumbPtrTraits<JSC::VM> >::operator=(std::nullptr_t) (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x206f29a)
	#10 0x18ec8aeb0 in JSC::JSLockHolder::~JSLockHolder() (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2a1eeb0)
	#11 0x172c3c9a3 in WebCore::WorkerScriptController::~WorkerScriptController() (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2c3c9a3)
	#12 0x1756d9cf2 in std::__1::default_delete<WebCore::WorkerScriptController>::operator()(WebCore::WorkerScriptController*) const (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x56d9cf2)
	#13 0x1756bc749 in WebCore::WorkerRunLoop::runCleanupTasks(WebCore::WorkerGlobalScope*) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x56bc749)
	#14 0x1756bbede in WebCore::WorkerRunLoop::run(WebCore::WorkerGlobalScope*) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x56bbede)
	#15 0x1756c19c5 in WebCore::WorkerThread::workerThread() (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x56c19c5)
	#16 0x18c377933 in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x10b933)
	#17 0x18c382f28 in WTF::wtfThreadEntryPoint(void*) (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x116f28)
	#18 0x7fff6a48e108 in _pthread_start (/usr/lib/system/libsystem_pthread.dylib:x86_64+0x6108)
	#19 0x7fff6a489b8a in thread_start (/usr/lib/system/libsystem_pthread.dylib:x86_64+0x1b8a)

Meanwhile, execution on thread T0 continues: while initialising the security context of a new document it performs a case-insensitive string comparison that reads the length of the freed StringImpl. This is the use-after-free of the staticBlankURL object's backing storage:

==38372==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000634f4 at pc 0x00018c272e07 bp 0x7ffee18e8380 sp 0x7ffee18e8378
READ of size 4 at 0x6030000634f4 thread T0
==38372==WARNING: invalid path to external symbolizer!
==38372==WARNING: Failed to use and restart external symbolizer!
	#0 0x18c272e06 in WTF::StringImpl::length() const (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x6e06)
	#1 0x18c35c3c3 in bool WTF::equalIgnoringASCIICaseCommon<WTF::StringImpl, WTF::StringImpl>(WTF::StringImpl const&, WTF::StringImpl const&) (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xf03c3)
	#2 0x1731d7e71 in WebCore::Document::initSecurityContext() (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x31d7e71)
	#3 0x1731d5460 in WebCore::Document::Document(WebCore::Frame*, WTF::URL const&, unsigned int, unsigned int) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x31d5460)
	#4 0x17375637e in WebCore::HTMLDocument::HTMLDocument(WebCore::Frame*, WTF::URL const&, unsigned char, unsigned int) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x375637e)
	#5 0x1731ac0f6 in WebCore::HTMLDocument::create(WebCore::Frame*, WTF::URL const&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x31ac0f6)
	#6 0x1731ac2fc in WebCore::DOMImplementation::createDocument(WTF::String const&, WebCore::Frame*, WTF::URL const&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x31ac2fc)
	#7 0x173f3c734 in WebCore::DocumentWriter::createDocument(WTF::URL const&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3f3c734)
	#8 0x173f28f1a in WebCore::DocumentWriter::begin(WTF::URL const&, bool, WebCore::Document*) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3f28f1a)
	#9 0x173f21099 in WebCore::DocumentLoader::commitData(char const*, unsigned long) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3f21099)
	#10 0x10fd7368d in WebKit::WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1a5268d)
	#11 0x173f28c28 in WebCore::DocumentLoader::commitLoad(char const*, int) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3f28c28)
	#12 0x1740c4219 in WebCore::CachedRawResource::notifyClientsDataWasReceived(char const*, unsigned int) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x40c4219)
	#13 0x1740c3e74 in WebCore::CachedRawResource::updateBuffer(WebCore::SharedBuffer&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x40c3e74)
	#14 0x1740481e0 in WebCore::SubresourceLoader::didReceiveDataOrBuffer(char const*, int, WTF::RefPtr<WebCore::SharedBuffer, WTF::DumbPtrTraits<WebCore::SharedBuffer> >&&, long long, WebCore::DataPayloadType) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x40481e0)
	#15 0x174047f19 in WebCore::SubresourceLoader::didReceiveData(char const*, unsigned int, long long, WebCore::DataPayloadType) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4047f19)
	#16 0x10fc73433 in WebKit::WebResourceLoader::processReceivedData(char const*, unsigned long, long long) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1952433)
	#17 0x11033c6bd in void IPC::handleMessage<Messages::WebResourceLoader::DidReceiveSharedBuffer, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::SharedBufferDataReference&&, long long)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::SharedBufferDataReference&&, long long)) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x201b6bd)
	#18 0x11033bcd3 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x201acd3)
	#19 0x10fc3765a in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x191665a)
	#20 0x10e3a4d2e in IPC::Connection::dispatchMessage(IPC::Decoder&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x83d2e)
	#21 0x10e3a59a8 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x849a8)
	#22 0x10e3a650d in IPC::Connection::dispatchOneIncomingMessage() (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x8550d)
	#23 0x18c3328fc in WTF::RunLoop::performWork() (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xc68fc)
	#24 0x18c333575 in WTF::RunLoop::performWork(void*) (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xc7575)
	#25 0x7fff3028ede1 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x83de1)
	#26 0x7fff3028ed80 in __CFRunLoopDoSource0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x83d80)
	#27 0x7fff3028eb9a in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x83b9a)
	#28 0x7fff3028d8c9 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x828c9)
	#29 0x7fff3028cecd in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x81ecd)
	#30 0x7fff329251c7 in -[NSRunLoop(NSRunLoop) runMode:beforeDate:] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x601c7)
	#31 0x7fff329d7c6e in -[NSRunLoop(NSRunLoop) run] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x112c6e)
	#32 0x7fff6a4d7519 in _xpc_objc_main.cold.4 (/usr/lib/system/libxpc.dylib:x86_64+0x16519)
	#33 0x7fff6a4d745f in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x1645f)
	#34 0x7fff6a4d6f92 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0x15f92)
	#35 0x10ec5128f in WebKit::XPCServiceMain(int, char const**) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x93028f)
	#36 0x7fff6a289cc8 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1acc8)

The vulnerability is easily triggerable on an “--asan --release” build, but we did not manage to reproduce it on an “--asan --debug” build, which suggests that it depends on internal flag settings or on compiler optimization. With proper heap grooming an attacker can control the contents of the freed region, so this use-after-free could be turned into arbitrary code execution.
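The life-cycle walk-through above (allocated on T0, freed on T58, used again on T0) can be extracted mechanically from any AddressSanitizer use-after-free report, which is useful when triaging many crashes from a fuzzing run. The following Python script is an added example for this advisory; it is not WebKit code and not part of the Talos report. It parses the use, free and allocation stacks, skips allocator and sanitizer frames and the log lines that other processes interleave into stderr, and flags a cross-thread free and an allocation made while constructing a NeverDestroyed object. SAMPLE_REPORT is an abridged copy of the report above with frames trimmed and module paths shortened to /path/; the frame-prefix list and the triage heuristics are this example's own assumptions.

```python
"""Mechanical triage of an AddressSanitizer heap-use-after-free report (added example; not WebKit code)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")
FREED_RE = re.compile(r"^freed by thread (T\d+) here:")
ALLOC_RE = re.compile(r"^previously allocated by thread (T\d+) here:")
FRAME_RE = re.compile(r"^#\d+\s+0x[0-9a-fA-F]+\s+in\s+(.*)$")
# Allocator/sanitizer plumbing to skip when naming a stack (assumed list, tuned to this macOS/WebKit report).
ALLOCATOR_PREFIXES = ("__sanitizer_", "malloc_zone_", "bmalloc::", "WTF::fastMalloc", "operator new", "operator delete")


@dataclass
class Stack:
    thread: str
    frames: list[str] = field(default_factory=list)


@dataclass
class UafReport:
    kind: str
    access: str       # READ or WRITE
    size: int         # bytes accessed
    offset: int       # offset of the access inside the freed region
    region_size: int  # size of the freed region
    use: Stack
    free: Stack
    alloc: Stack


def _function_name(rest: str) -> str:
    """'FUNC (module+offset)' -> FUNC; 'FUNC file.cpp:L:C' -> FUNC."""
    if rest.endswith(")") and " (" in rest:
        return rest.rsplit(" (", 1)[0]
    return rest.rsplit(" ", 1)[0] if " " in rest else rest


def parse_asan_uaf(text: str) -> UafReport:
    """Collect the use/free/alloc stacks of one ASan use-after-free report."""
    kind = access = None
    size = offset = region_size = 0
    stacks: dict[str, Stack] = {}
    current: Stack | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.search(line):
            kind = m.group(1)
        elif m := ACCESS_RE.match(line):
            access, size = m.group(1), int(m.group(2))
            current = stacks["use"] = Stack(m.group(3))
        elif m := REGION_RE.search(line):
            offset, region_size = int(m.group(1)), int(m.group(2))
        elif m := FREED_RE.match(line):
            current = stacks["free"] = Stack(m.group(1))
        elif m := ALLOC_RE.match(line):
            current = stacks["alloc"] = Stack(m.group(1))
        elif (m := FRAME_RE.match(line)) and current is not None:
            current.frames.append(_function_name(m.group(1)))
        # Anything else (symbolizer warnings, log lines interleaved from other processes) is ignored.
    missing = {"use", "free", "alloc"} - stacks.keys()
    if kind is None or access is None or missing:
        raise ValueError(f"incomplete ASan use-after-free report, missing {sorted(missing)}")
    return UafReport(kind, access, size, offset, region_size, stacks["use"], stacks["free"], stacks["alloc"])


def first_meaningful_frame(stack: Stack) -> str:
    """First frame that is not allocator or sanitizer plumbing."""
    return next((f for f in stack.frames if not f.startswith(ALLOCATOR_PREFIXES)), "<no frames>")


def triage(r: UafReport) -> dict:
    """Summarise the object's life cycle and flag the patterns worth a second look."""
    findings = []
    if r.free.thread != r.use.thread:
        findings.append(f"cross-thread free: freed on {r.free.thread}, used on {r.use.thread}; "
                        "the object's lifetime is not synchronised across threads, treat as a race")
    if any("NeverDestroyed" in f for f in r.alloc.frames):
        findings.append("storage was allocated while constructing a NeverDestroyed object that is "
                        "meant to live for the whole process, so the free itself is the bug")
    if r.offset + r.size > r.region_size:
        findings.append("the access also runs past the end of the freed region")
    return {"kind": r.kind,
            "access": f"{r.access} of {r.size} bytes at offset {r.offset} in a {r.region_size}-byte region",
            "use": (r.use.thread, first_meaningful_frame(r.use)),
            "free": (r.free.thread, first_meaningful_frame(r.free)),
            "alloc": (r.alloc.thread, first_meaningful_frame(r.alloc)),
            "findings": findings}


# Abridged copy of the report in this advisory (frames trimmed, module paths shortened to /path/).
SAMPLE_REPORT = """\
==38372==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000634f4 at pc 0x00018c272e07 bp 0x7ffee18e8380 sp 0x7ffee18e8378
READ of size 4 at 0x6030000634f4 thread T0
    #0 0x18c272e06 in WTF::StringImpl::length() const (/path/JavaScriptCore:x86_64+0x6e06)
    #1 0x18c35c3c3 in bool WTF::equalIgnoringASCIICaseCommon<WTF::StringImpl, WTF::StringImpl>(WTF::StringImpl const&, WTF::StringImpl const&) (/path/JavaScriptCore:x86_64+0xf03c3)
2020-07-08 12:05:48.563928+0200 MiniBrowser[38343:693610] [Media] WebMediaSessionManager::configurePlaybackTargetMonitoring stopping monitoring
    #2 0x1731d7e71 in WebCore::Document::initSecurityContext() (/path/WebCore:x86_64+0x31d7e71)
0x6030000634f4 is located 4 bytes inside of 24-byte region [0x6030000634f0,0x603000063508)
freed by thread T58 here:
    #0 0x119750736 in __sanitizer_mz_free (/path/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x46736)
    #1 0x1736bb55d in WebCore::DOMURL::~DOMURL() (/path/WebCore:x86_64+0x36bb55d)
    #15 0x1756c19c5 in WebCore::WorkerThread::workerThread() (/path/WebCore:x86_64+0x56c19c5)
previously allocated by thread T0 here:
    #0 0x11975032d in __sanitizer_mz_malloc (/path/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4632d)
    #2 0x18c42b308 in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) (/path/JavaScriptCore:x86_64+0x1bf308)
    #3 0x18c34aeed in WTF::StringImpl::createFromLiteral(char const*, unsigned int) (/path/JavaScriptCore:x86_64+0xdeeed)
    #6 0x18c3a6bd0 in WTF::NeverDestroyed<WTF::URL, WTF::AnyThreadsAccessTraits>::NeverDestroyed<WTF::URL, WTF::ASCIILiteral>(WTF::URL&&, WTF::ASCIILiteral&&) (/path/JavaScriptCore:x86_64+0x13abd0)
    #7 0x18c39230b in WTF::aboutBlankURL() (/path/JavaScriptCore:x86_64+0x12630b)
"""
```

Running `triage(parse_asan_uaf(SAMPLE_REPORT))` on the abridged report names T0 / WTF::StringImpl::length() const as the use site, T58 / WebCore::DOMURL::~DOMURL() as the free site and T0 / WTF::StringImpl::createFromLiteral as the allocation site, and reports both the cross-thread free and the NeverDestroyed finding. The function-name extraction splits on the last " (" rather than the first, because templated and lambda frames (for example ThreadSafeRefCounted<JSC::VM, (WTF::DestructionThread)0>) contain parentheses preceded by whitespace inside the symbol itself.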

Crash Information

OSX

==38372==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000634f4 at pc 0x00018c272e07 bp 0x7ffee18e8380 sp 0x7ffee18e8378
READ of size 4 at 0x6030000634f4 thread T0
==38372==WARNING: invalid path to external symbolizer!
==38372==WARNING: Failed to use and restart external symbolizer!
	#0 0x18c272e06 in WTF::StringImpl::length() const (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x6e06)
	#1 0x18c35c3c3 in bool WTF::equalIgnoringASCIICaseCommon<WTF::StringImpl, WTF::StringImpl>(WTF::StringImpl const&, WTF::StringImpl const&) (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xf03c3)
	#2 0x1731d7e71 in WebCore::Document::initSecurityContext() (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x31d7e71)
	#3 0x1731d5460 in WebCore::Document::Document(WebCore::Frame*, WTF::URL const&, unsigned int, unsigned int) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x31d5460)
	#4 0x17375637e in WebCore::HTMLDocument::HTMLDocument(WebCore::Frame*, WTF::URL const&, unsigned char, unsigned int) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x375637e)
	#5 0x1731ac0f6 in WebCore::HTMLDocument::create(WebCore::Frame*, WTF::URL const&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x31ac0f6)
	#6 0x1731ac2fc in WebCore::DOMImplementation::createDocument(WTF::String const&, WebCore::Frame*, WTF::URL const&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x31ac2fc)
	#7 0x173f3c734 in WebCore::DocumentWriter::createDocument(WTF::URL const&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3f3c734)
	#8 0x173f28f1a in WebCore::DocumentWriter::begin(WTF::URL const&, bool, WebCore::Document*) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3f28f1a)
	#9 0x173f21099 in WebCore::DocumentLoader::commitData(char const*, unsigned long) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3f21099)
	#10 0x10fd7368d in WebKit::WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1a5268d)
	#11 0x173f28c28 in WebCore::DocumentLoader::commitLoad(char const*, int) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3f28c28)
	#12 0x1740c4219 in WebCore::CachedRawResource::notifyClientsDataWasReceived(char const*, unsigned int) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x40c4219)
	#13 0x1740c3e74 in WebCore::CachedRawResource::updateBuffer(WebCore::SharedBuffer&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x40c3e74)
	#14 0x1740481e0 in WebCore::SubresourceLoader::didReceiveDataOrBuffer(char const*, int, WTF::RefPtr<WebCore::SharedBuffer, WTF::DumbPtrTraits<WebCore::SharedBuffer> >&&, long long, WebCore::DataPayloadType) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x40481e0)
	#15 0x174047f19 in WebCore::SubresourceLoader::didReceiveData(char const*, unsigned int, long long, WebCore::DataPayloadType) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4047f19)
	#16 0x10fc73433 in WebKit::WebResourceLoader::processReceivedData(char const*, unsigned long, long long) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1952433)
	#17 0x11033c6bd in void IPC::handleMessage<Messages::WebResourceLoader::DidReceiveSharedBuffer, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::SharedBufferDataReference&&, long long)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::SharedBufferDataReference&&, long long)) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x201b6bd)
	#18 0x11033bcd3 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x201acd3)
	#19 0x10fc3765a in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x191665a)
	#20 0x10e3a4d2e in IPC::Connection::dispatchMessage(IPC::Decoder&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x83d2e)
	#21 0x10e3a59a8 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x849a8)
	#22 0x10e3a650d in IPC::Connection::dispatchOneIncomingMessage() (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x8550d)
	#23 0x18c3328fc in WTF::RunLoop::performWork() (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xc68fc)
	#24 0x18c333575 in WTF::RunLoop::performWork(void*) (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xc7575)
	#25 0x7fff3028ede1 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x83de1)
	#26 0x7fff3028ed80 in __CFRunLoopDoSource0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x83d80)
	#27 0x7fff3028eb9a in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x83b9a)
	#28 0x7fff3028d8c9 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x828c9)
	#29 0x7fff3028cecd in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x81ecd)
	#30 0x7fff329251c7 in -[NSRunLoop(NSRunLoop) runMode:beforeDate:] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x601c7)
	#31 0x7fff329d7c6e in -[NSRunLoop(NSRunLoop) run] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x112c6e)
	#32 0x7fff6a4d7519 in _xpc_objc_main.cold.4 (/usr/lib/system/libxpc.dylib:x86_64+0x16519)
	#33 0x7fff6a4d745f in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x1645f)
	#34 0x7fff6a4d6f92 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0x15f92)
	#35 0x10ec5128f in WebKit::XPCServiceMain(int, char const**) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x93028f)
	#36 0x7fff6a289cc8 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1acc8)

0x6030000634f4 is located 4 bytes inside of 24-byte region [0x6030000634f0,0x603000063508)
freed by thread T58 here:
	#0 0x119750736 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/11.0.3/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x46736)
	#1 0x1736bb55d in WebCore::DOMURL::~DOMURL() (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x36bb55d)
	#2 0x1736bb63d in WebCore::DOMURL::~DOMURL() (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x36bb63d)
	#3 0x18e1dca63 in JSC::PreciseAllocation::sweep() (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1f70a63)
	#4 0x18e1bd0d6 in JSC::MarkedSpace::lastChanceToFinalize() (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1f510d6)
	#5 0x18e125a21 in JSC::Heap::lastChanceToFinalize() (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1eb9a21)
	#6 0x18ef6dca8 in JSC::VM::~VM() (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2d01ca8)
	#7 0x18cec6c1e in WTF::ThreadSafeRefCounted<JSC::VM, (WTF::DestructionThread)0>::deref() const::'lambda'()::operator()() const (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xc5ac1e)
	#8 0x18cea0249 in WTF::ThreadSafeRefCounted<JSC::VM, (WTF::DestructionThread)0>::deref() const (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xc34249)
	#9 0x18e2db29a in WTF::RefPtr<JSC::VM, WTF::DumbPtrTraits<JSC::VM> >::operator=(std::nullptr_t) (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x206f29a)
	#10 0x18ec8aeb0 in JSC::JSLockHolder::~JSLockHolder() (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2a1eeb0)
	#11 0x172c3c9a3 in WebCore::WorkerScriptController::~WorkerScriptController() (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2c3c9a3)
	#12 0x1756d9cf2 in std::__1::default_delete<WebCore::WorkerScriptController>::operator()(WebCore::WorkerScriptController*) const (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x56d9cf2)
	#13 0x1756bc749 in WebCore::WorkerRunLoop::runCleanupTasks(WebCore::WorkerGlobalScope*) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x56bc749)
	#14 0x1756bbede in WebCore::WorkerRunLoop::run(WebCore::WorkerGlobalScope*) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x56bbede)
	#15 0x1756c19c5 in WebCore::WorkerThread::workerThread() (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x56c19c5)
	#16 0x18c377933 in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x10b933)
	#17 0x18c382f28 in WTF::wtfThreadEntryPoint(void*) (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x116f28)
	#18 0x7fff6a48e108 in _pthread_start (/usr/lib/system/libsystem_pthread.dylib:x86_64+0x6108)
	#19 0x7fff6a489b8a in thread_start (/usr/lib/system/libsystem_pthread.dylib:x86_64+0x1b8a)

previously allocated by thread T0 here:
	#0 0x11975032d in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/11.0.3/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4632d)
	#1 0x7fff6a43fd79 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0xd79)
	#2 0x18c42b308 in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bf308)
	#3 0x18c34aeed in WTF::StringImpl::createFromLiteral(char const*, unsigned int) (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xdeeed)
	#4 0x18c34af51 in WTF::StringImpl::createFromLiteral(char const*) (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xdef51)
	#5 0x18c4166e3 in WTF::String::String(WTF::ASCIILiteral) (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1aa6e3)
	#6 0x18c3a6bd0 in WTF::NeverDestroyed<WTF::URL, WTF::AnyThreadsAccessTraits>::NeverDestroyed<WTF::URL, WTF::ASCIILiteral>(WTF::URL&&, WTF::ASCIILiteral&&) (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x13abd0)
	#7 0x18c39230b in WTF::aboutBlankURL() (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12630b)
	#8 0x17434b042 in WebCore::SecurityPolicy::shouldInheritSecurityOriginFromOwner(WTF::URL const&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x434b042)
	#9 0x1731d7e71 in WebCore::Document::initSecurityContext() (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x31d7e71)
	#10 0x1731d5460 in WebCore::Document::Document(WebCore::Frame*, WTF::URL const&, unsigned int, unsigned int) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x31d5460)
	#11 0x17375637e in WebCore::HTMLDocument::HTMLDocument(WebCore::Frame*, WTF::URL const&, unsigned char, unsigned int) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x375637e)
	#12 0x1731ac0f6 in WebCore::HTMLDocument::create(WebCore::Frame*, WTF::URL const&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x31ac0f6)
	#13 0x1731ac2fc in WebCore::DOMImplementation::createDocument(WTF::String const&, WebCore::Frame*, WTF::URL const&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x31ac2fc)
	#14 0x173f3c734 in WebCore::DocumentWriter::createDocument(WTF::URL const&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3f3c734)
	#15 0x173f28f1a in WebCore::DocumentWriter::begin(WTF::URL const&, bool, WebCore::Document*) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3f28f1a)
	#16 0x173f21099 in WebCore::DocumentLoader::commitData(char const*, unsigned long) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3f21099)
	#17 0x10fd7368d in WebKit::WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1a5268d)
	#18 0x173f28c28 in WebCore::DocumentLoader::commitLoad(char const*, int) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3f28c28)
	#19 0x1740c4219 in WebCore::CachedRawResource::notifyClientsDataWasReceived(char const*, unsigned int) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x40c4219)
	#20 0x1740c3e74 in WebCore::CachedRawResource::updateBuffer(WebCore::SharedBuffer&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x40c3e74)
	#21 0x1740481e0 in WebCore::SubresourceLoader::didReceiveDataOrBuffer(char const*, int, WTF::RefPtr<WebCore::SharedBuffer, WTF::DumbPtrTraits<WebCore::SharedBuffer> >&&, long long, WebCore::DataPayloadType) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x40481e0)
	#22 0x174047f19 in WebCore::SubresourceLoader::didReceiveData(char const*, unsigned int, long long, WebCore::DataPayloadType) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4047f19)
	#23 0x10fc73433 in WebKit::WebResourceLoader::processReceivedData(char const*, unsigned long, long long) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1952433)
	#24 0x11033c6bd in void IPC::handleMessage<Messages::WebResourceLoader::DidReceiveSharedBuffer, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::SharedBufferDataReference&&, long long)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::SharedBufferDataReference&&, long long)) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x201b6bd)
	#25 0x11033bcd3 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x201acd3)
	#26 0x10fc3765a in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x191665a)
	#27 0x10e3a4d2e in IPC::Connection::dispatchMessage(IPC::Decoder&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x83d2e)
	#28 0x10e3a59a8 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x849a8)
	#29 0x10e3a650d in IPC::Connection::dispatchOneIncomingMessage() (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x8550d)

Thread T58 created by T0 here:
	#0 0x119749b8a in wrap_pthread_create (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/11.0.3/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x3fb8a)
	#1 0x18c382e03 in WTF::Thread::establishHandle(WTF::Thread::NewThreadContext*, WTF::Optional<unsigned long>) (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x116e03)
	#2 0x18c377c1d in WTF::Thread::create(char const*, WTF::Function<void ()>&&, WTF::ThreadType) (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x10bc1d)
	#3 0x1756c1470 in WebCore::WorkerThread::start(WTF::Function<void (WTF::String const&)>&&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x56c1470)
	#4 0x1756b955a in WebCore::DedicatedWorkerThread::start() (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x56b955a)
	#5 0x1756b8cff in WebCore::WorkerMessagingProxy::startWorkerGlobalScope(WTF::URL const&, WTF::String const&, WTF::String const&, bool, WTF::String const&, WebCore::ContentSecurityPolicyResponseHeaders const&, bool, WTF::MonotonicTime, WebCore::ReferrerPolicy, JSC::RuntimeFlags) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x56b8cff)
	#6 0x1756a2d69 in WebCore::Worker::notifyFinished() (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x56a2d69)
	#7 0x1756bfefd in WebCore::WorkerScriptLoader::didFinishLoading(unsigned long) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x56bfefd)
	#8 0x173f3b371 in WebCore::DocumentThreadableLoader::didFinishLoading(unsigned long) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3f3b371)
	#9 0x1740c874f in WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x40c874f)
	#10 0x1740c45bb in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*, WebCore::NetworkLoadMetrics const&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x40c45bb)
	#11 0x174043547 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4043547)
	#12 0x10fc73976 in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1952976)
	#13 0x11033c886 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x201b886)
	#14 0x11033bd03 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x201ad03)
	#15 0x10fc3765a in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x191665a)
	#16 0x10e3a4d2e in IPC::Connection::dispatchMessage(IPC::Decoder&) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x83d2e)
	#17 0x10e3a59a8 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x849a8)
	#18 0x10e3a650d in IPC::Connection::dispatchOneIncomingMessage() (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x8550d)
	#19 0x18c3328fc in WTF::RunLoop::performWork() (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xc68fc)
	#20 0x18c333575 in WTF::RunLoop::performWork(void*) (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xc7575)
	#21 0x7fff3028ede1 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x83de1)
	#22 0x7fff3028ed80 in __CFRunLoopDoSource0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x83d80)
	#23 0x7fff3028eb9a in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x83b9a)
	#24 0x7fff3028d8c9 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x828c9)
	#25 0x7fff3028cecd in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x81ecd)
	#26 0x7fff329251c7 in -[NSRunLoop(NSRunLoop) runMode:beforeDate:] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x601c7)
	#27 0x7fff329d7c6e in -[NSRunLoop(NSRunLoop) run] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x112c6e)
	#28 0x7fff6a4d7519 in _xpc_objc_main.cold.4 (/usr/lib/system/libxpc.dylib:x86_64+0x16519)
	#29 0x7fff6a4d745f in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x1645f)
	#30 0x7fff6a4d6f92 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0x15f92)
	#31 0x10ec5128f in WebKit::XPCServiceMain(int, char const**) (/Users/icewall/projects/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x93028f)
	#32 0x7fff6a289cc8 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1acc8)

SUMMARY: AddressSanitizer: heap-use-after-free (/Users/icewall/projects/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x6e06) in WTF::StringImpl::length() const
Shadow bytes around the buggy address:
  0x1c060000c640: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x1c060000c650: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x1c060000c660: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x1c060000c670: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x1c060000c680: fa fa fa fa fa fa 00 00 00 fa fa fa 00 00 00 07
=>0x1c060000c690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fd]fd
  0x1c060000c6a0: fd fa fa fa 00 00 00 00 fa fa fa fa fa fa fa fa
  0x1c060000c6b0: 00 00 00 00 fa fa fa fa fa fa fa fa 00 00 00 01
  0x1c060000c6c0: fa fa fa fa fa fa fa fa 00 00 00 00 fa fa 00 00
  0x1c060000c6d0: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x1c060000c6e0: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==38372==ABORTING


Linux:

The two reports below come from the GTK build and point at the same object as the macOS report. In both, the freed 24-byte region is the StringImpl behind the static aboutBlankURL() object, allocated once on the main thread T0 during Document construction and released from a worker thread's DOMURL destructor while that worker's VM is torn down. They differ only in who then touches the stale memory: another worker's DOMURL destructor in the first report, and the main thread itself in the second, comparing URLs in Document::completeURL while resolving a script element's src.

==125375==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000212cb0 at pc 0x7f1d4f2b0445 bp 0x7f1ca4863070 sp 0x7f1ca4863068
READ of size 4 at 0x603000212cb0 thread T149 (WebCore: Worker)
	#0 0x7f1d4f2b0444 in WebCore::DOMURL::~DOMURL() (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x5543444)
	#1 0x7f1d4f2b0528 in WebCore::DOMURL::~DOMURL() (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x5543528)
	#2 0x7f1d46d06837 in JSC::PreciseAllocation::lastChanceToFinalize() (/home/icewall/projects/webkit/build/lib/libjavascriptcoregtk-4.0.so.18+0x2672837)
	#3 0x7f1d46ceb8d7 in JSC::MarkedSpace::lastChanceToFinalize() (/home/icewall/projects/webkit/build/lib/libjavascriptcoregtk-4.0.so.18+0x26578d7)
	#4 0x7f1d46c59630 in JSC::Heap::lastChanceToFinalize() (/home/icewall/projects/webkit/build/lib/libjavascriptcoregtk-4.0.so.18+0x25c5630)
	#5 0x7f1d4825d5d1 in JSC::VM::~VM() (/home/icewall/projects/webkit/build/lib/libjavascriptcoregtk-4.0.so.18+0x3bc95d1)
	#6 0x7f1d47d7fa3a in JSC::JSLockHolder::~JSLockHolder() (/home/icewall/projects/webkit/build/lib/libjavascriptcoregtk-4.0.so.18+0x36eba3a)
	#7 0x7f1d4e3ac6c8 in WebCore::WorkerScriptController::~WorkerScriptController() (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x463f6c8)
	#8 0x7f1d51a805fd in WTF::Detail::CallableWrapper<WebCore::WorkerThread::stop(WTF::Function<void ()>&&)::$_21::operator()(WebCore::ScriptExecutionContext&) const::'lambda'(WebCore::ScriptExecutionContext&), void, WebCore::ScriptExecutionContext&>::call(WebCore::ScriptExecutionContext&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x7d135fd)
	#9 0x7f1d51a6df31 in WebCore::WorkerRunLoop::runCleanupTasks(WebCore::WorkerGlobalScope*) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x7d00f31)
	#10 0x7f1d51a6c8de in WebCore::WorkerRunLoop::run(WebCore::WorkerGlobalScope*) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x7cff8de)
	#11 0x7f1d51a78171 in WebCore::WorkerThread::workerThread() (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x7d0b171)
	#12 0x7f1d48c4ede7 in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) (/home/icewall/projects/webkit/build/lib/libjavascriptcoregtk-4.0.so.18+0x45bade7)
	#13 0x7f1d48d9aaa5 in WTF::wtfThreadEntryPoint(void*) (/home/icewall/projects/webkit/build/lib/libjavascriptcoregtk-4.0.so.18+0x4706aa5)
	#14 0x7f1d39c446da in start_thread /build/glibc-2ORdQG/glibc-2.27/nptl/pthread_create.c:463
	#15 0x7f1d3954da3e in clone /build/glibc-2ORdQG/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x603000212cb0 is located 0 bytes inside of 24-byte region [0x603000212cb0,0x603000212cc8)
freed by thread T13 (WebCore: Worker) here:
	#0 0x49494d in free (/home/icewall/projects/webkit/build/bin/WebKitWebProcess+0x49494d)
	#1 0x7f1d4f2b0528 in WebCore::DOMURL::~DOMURL() (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x5543528)
	#2 0x7f1d4825d5d1 in JSC::VM::~VM() (/home/icewall/projects/webkit/build/lib/libjavascriptcoregtk-4.0.so.18+0x3bc95d1)

previously allocated by thread T0 here:
	#0 0x494bcd in malloc (/home/icewall/projects/webkit/build/bin/WebKitWebProcess+0x494bcd)
	#1 0x7f1d48db408a in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) (/home/icewall/projects/webkit/build/lib/libjavascriptcoregtk-4.0.so.18+0x472008a)
	#2 0x7f1d48c6b737 in WTF::aboutBlankURL() (/home/icewall/projects/webkit/build/lib/libjavascriptcoregtk-4.0.so.18+0x45d7737)
	#3 0x7f1d502b0ab3 in WebCore::SecurityPolicy::shouldInheritSecurityOriginFromOwner(WTF::URL const&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x6543ab3)
	#4 0x7f1d4ebb5991 in WebCore::Document::Document(WebCore::Frame*, WTF::URL const&, unsigned int, unsigned int) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x4e48991)
	#5 0x7f1d4f35491e in WebCore::HTMLDocument::HTMLDocument(WebCore::Frame*, WTF::URL const&, unsigned char, unsigned int) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x55e791e)
	#6 0x7f1d4fd8e2de in WebCore::DocumentWriter::createDocument(WTF::URL const&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x60212de)
	#7 0x7f1d4fd8b3ca in WebCore::DocumentWriter::begin(WTF::URL const&, bool, WebCore::Document*) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x601e3ca)
	#8 0x7f1d4fd3b800 in WebCore::DocumentLoader::commitData(char const*, unsigned long) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x5fce800)
	#9 0x7f1d4c3ef9dd in WebKit::WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x26829dd)
	#10 0x7f1d4fd4abd6 in WebCore::DocumentLoader::commitLoad(char const*, int) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x5fddbd6)
	#11 0x7f1d4ff5988d in WebCore::CachedRawResource::notifyClientsDataWasReceived(char const*, unsigned int) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x61ec88d)
	#12 0x7f1d4ff5928d in WebCore::CachedRawResource::updateBuffer(WebCore::SharedBuffer&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x61ec28d)
	#13 0x7f1d4feb903c in WebCore::SubresourceLoader::didReceiveDataOrBuffer(char const*, int, WTF::RefPtr<WebCore::SharedBuffer, WTF::DumbPtrTraits<WebCore::SharedBuffer> >&&, long long, WebCore::DataPayloadType) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x614c03c)
	#14 0x7f1d4feb8cbb in WebCore::SubresourceLoader::didReceiveData(char const*, unsigned int, long long, WebCore::DataPayloadType) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x614bcbb)
	#15 0x7f1d4b14240d in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x13d540d)
	#16 0x7f1d4b696ad2 in IPC::Connection::dispatchMessage(IPC::Decoder&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x1929ad2)
	#17 0x7f1d4b697119 in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x192a119)

Thread T149 (WebCore: Worker) created by T0 here:
	#0 0x47f35a in pthread_create (/home/icewall/projects/webkit/build/bin/WebKitWebProcess+0x47f35a)
	#1 0x7f1d48d9a952 in WTF::Thread::establishHandle(WTF::Thread::NewThreadContext*, WTF::Optional<unsigned long>) (/home/icewall/projects/webkit/build/lib/libjavascriptcoregtk-4.0.so.18+0x4706952)
	#2 0x7f1d48c4f592 in WTF::Thread::create(char const*, WTF::Function<void ()>&&, WTF::ThreadType) (/home/icewall/projects/webkit/build/lib/libjavascriptcoregtk-4.0.so.18+0x45bb592)
	#3 0x7f1d51a77063 in WebCore::WorkerThread::start(WTF::Function<void (WTF::String const&)>&&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x7d0a063)
	#4 0x7f1d51a6590b in WebCore::WorkerMessagingProxy::startWorkerGlobalScope(WTF::URL const&, WTF::String const&, WTF::String const&, bool, WTF::String const&, WebCore::ContentSecurityPolicyResponseHeaders const&, bool, WTF::MonotonicTime, WebCore::ReferrerPolicy, JSC::RuntimeFlags) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x7cf890b)
	#5 0x7f1d51a4acef in WebCore::Worker::notifyFinished() (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x7cddcef)
	#6 0x7f1d51a74c15 in WebCore::WorkerScriptLoader::didFinishLoading(unsigned long) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x7d07c15)
	#7 0x7f1d4fd89687 in WebCore::DocumentThreadableLoader::didFinishLoading(unsigned long) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x601c687)
	#8 0x7f1d4ff619e9 in WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x61f49e9)
	#9 0x7f1d4ff5a0e7 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*, WebCore::NetworkLoadMetrics const&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x61ed0e7)
	#10 0x7f1d4feaff9a in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x6142f9a)
	#11 0x7f1d4c29869d in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x252b69d)
	#12 0x7f1d4b142810 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x13d5810)
	#13 0x7f1d4b696ad2 in IPC::Connection::dispatchMessage(IPC::Decoder&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x1929ad2)
	#14 0x7f1d4b697119 in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x192a119)

Thread T13 (WebCore: Worker) created by T0 here:
	#0 0x47f35a in pthread_create (/home/icewall/projects/webkit/build/bin/WebKitWebProcess+0x47f35a)
	#1 0x7f1d48d9a952 in WTF::Thread::establishHandle(WTF::Thread::NewThreadContext*, WTF::Optional<unsigned long>) (/home/icewall/projects/webkit/build/lib/libjavascriptcoregtk-4.0.so.18+0x4706952)
	#2 0x7f1d48c4f592 in WTF::Thread::create(char const*, WTF::Function<void ()>&&, WTF::ThreadType) (/home/icewall/projects/webkit/build/lib/libjavascriptcoregtk-4.0.so.18+0x45bb592)
	#3 0x7f1d51a77063 in WebCore::WorkerThread::start(WTF::Function<void (WTF::String const&)>&&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x7d0a063)
	#4 0x7f1d51a6590b in WebCore::WorkerMessagingProxy::startWorkerGlobalScope(WTF::URL const&, WTF::String const&, WTF::String const&, bool, WTF::String const&, WebCore::ContentSecurityPolicyResponseHeaders const&, bool, WTF::MonotonicTime, WebCore::ReferrerPolicy, JSC::RuntimeFlags) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x7cf890b)
	#5 0x7f1d51a4acef in WebCore::Worker::notifyFinished() (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x7cddcef)
	#6 0x7f1d51a74c15 in WebCore::WorkerScriptLoader::didFinishLoading(unsigned long) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x7d07c15)
	#7 0x7f1d4fd89687 in WebCore::DocumentThreadableLoader::didFinishLoading(unsigned long) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x601c687)
	#8 0x7f1d4ff619e9 in WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x61f49e9)
	#9 0x7f1d4ff5a0e7 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*, WebCore::NetworkLoadMetrics const&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x61ed0e7)
	#10 0x7f1d4feaff9a in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x6142f9a)
	#11 0x7f1d4c29869d in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x252b69d)
	#12 0x7f1d4b142810 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x13d5810)
	#13 0x7f1d4b696ad2 in IPC::Connection::dispatchMessage(IPC::Decoder&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x1929ad2)
	#14 0x7f1d4b697119 in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x192a119)

SUMMARY: AddressSanitizer: heap-use-after-free (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x5543444) in WebCore::DOMURL::~DOMURL()
Shadow bytes around the buggy address:
  0x0c068003a540: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c068003a550: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c068003a560: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c068003a570: fa fa 00 00 00 00 fa fa 00 00 00 03 fa fa 00 00
  0x0c068003a580: 00 fa fa fa 00 00 00 05 fa fa 00 00 00 01 fa fa
=>0x0c068003a590: 00 00 00 02 fa fa[fd]fd fd fa fa fa 00 00 05 fa
  0x0c068003a5a0: fa fa fd fd fd fd fa fa 00 00 00 00 fa fa 00 00
  0x0c068003a5b0: 07 fa fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c068003a5c0: 00 00 00 fa fa fa 00 00 00 05 fa fa 00 00 00 02
  0x0c068003a5d0: fa fa 00 00 07 fa fa fa 00 00 00 02 fa fa fd fd
  0x0c068003a5e0: fd fa fa fa fd fd fd fa fa fa 00 00 00 01 fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==125375==ABORTING
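What the reports have in common is a reference-counted string that is process-wide (the aboutBlankURL() static) but whose count is adjusted from worker threads and the main thread with no atomicity, so a lost update lets the buffer be freed while someone still holds it. The block below is an added illustration written for this page, not WebKit code: a stand-in string with a plain counter beside one with an atomic counter, both hammered by several threads, and the isolated-copy remedy where each thread works on its own buffer and never touches the shared count. The types PlainCountedString and AtomicCountedString and the functions hammer, plainCountAfterRace, atomicCountAfterRace and isolatedCopiesLeaveSharedCountAlone are invented for the example; only the string literal comes from the traces.

```cpp
#include <atomic>
#include <cstdio>
#include <string>
#include <thread>
#include <vector>

// Stand-in for a shared immutable string with an intrusive reference
// count, laid out like a 64-bit WTF::StringImpl (count, length, data
// pointer; 24 bytes). The count is a plain unsigned: ref() and deref()
// compile to a load, an add and a store, which is only safe while a
// single thread touches the object. (Hypothetical type, not WebKit's.)
struct PlainCountedString {
    unsigned refCount;
    unsigned length;
    const char* data;
    void ref()   { ++refCount; }
    bool deref() { return --refCount == 0; }   // true: last owner, free it
};

// Same shape, but the count is atomic, so concurrent ref()/deref()
// pairs can never be lost. (Hypothetical type, not WebKit's.)
struct AtomicCountedString {
    std::atomic<unsigned> refCount;
    unsigned length;
    const char* data;
    AtomicCountedString(unsigned count, unsigned len, const char* d)
        : refCount(count), length(len), data(d) {}
    void ref()   { refCount.fetch_add(1, std::memory_order_relaxed); }
    bool deref() { return refCount.fetch_sub(1, std::memory_order_acq_rel) == 1; }
};

// Constructed sample value: the literal the static in the traces wraps.
static const char kAboutBlank[] = "about:blank";
static const unsigned kAboutBlankLength = sizeof(kAboutBlank) - 1;

// Spawn `threads` workers that each take and release a reference `iters`
// times on the one shared object, the way worker threads copying and
// destroying a URL built on the process-wide static do. Returns the
// count seen after all workers have joined; because the owner keeps its
// own reference the correct answer is always 1.
template <typename T>
unsigned hammer(T& shared, unsigned threads, unsigned iters) {
    std::vector<std::thread> pool;
    for (unsigned t = 0; t < threads; ++t) {
        pool.emplace_back([&shared, iters] {
            for (unsigned i = 0; i < iters; ++i) {
                shared.ref();
                // Pretend to use the string. The compiler barrier keeps the
                // optimiser from folding the ref()/deref() pair away.
                __asm__ __volatile__("" ::: "memory");
                shared.deref();
            }
        });
    }
    for (auto& th : pool) th.join();
    return static_cast<unsigned>(shared.refCount);
}

// Non-atomic count shared across threads: the bug class in the traces.
// Lost updates leave the count off by some amount. In a real heap a
// count that hits zero early frees the buffer, and the next reader (in
// the reports, DOMURL::~DOMURL or WTF::equal) is the use-after-free.
// With several threads the result is usually not 1, but nothing
// guarantees what it will be; with one thread it is exactly 1.
unsigned plainCountAfterRace(unsigned threads, unsigned iters) {
    PlainCountedString s{1, kAboutBlankLength, kAboutBlank};
    return hammer(s, threads, iters);
}

// Atomic count: same traffic, count always back at 1.
unsigned atomicCountAfterRace(unsigned threads, unsigned iters) {
    AtomicCountedString s(1, kAboutBlankLength, kAboutBlank);
    return hammer(s, threads, iters);
}

// The isolatedCopy() idiom WTF::String offers for strings that cross
// threads: each thread gets its own buffer, made on the owning thread,
// and never touches the shared count. Returns the shared count after the
// workers finish (1) provided every copy still reads "about:blank".
unsigned isolatedCopiesLeaveSharedCountAlone(unsigned threads) {
    PlainCountedString shared{1, kAboutBlankLength, kAboutBlank};
    std::vector<std::string> copies;
    for (unsigned t = 0; t < threads; ++t)
        copies.emplace_back(shared.data, shared.length);   // made by the owner
    std::vector<std::thread> pool;
    std::atomic<unsigned> mismatches{0};
    for (unsigned t = 0; t < threads; ++t)
        pool.emplace_back([&copies, &mismatches, t] {
            if (copies[t] != "about:blank") mismatches.fetch_add(1);
        });
    for (auto& th : pool) th.join();
    return mismatches.load() == 0 ? shared.refCount : 0;
}

int main() {
    std::printf("plain    : %u\n", plainCountAfterRace(4, 200000));
    std::printf("atomic   : %u\n", atomicCountAfterRace(4, 200000));
    std::printf("isolated : %u\n", isolatedCopiesLeaveSharedCountAlone(4));
    return 0;
}
```

Building the block with -fsanitize=thread makes the plain variant's data race on refCount explicit, which is the same class of finding the ASan reports above reach only after the freed buffer is touched again.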



OR



==72167==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000212ef4 at pc 0x7ff88158f65e bp 0x7ffde22b3230 sp 0x7ffde22b3228
READ of size 4 at 0x603000212ef4 thread T0
	#0 0x7ff88158f65d in WTF::equal(WTF::StringImpl const*, WTF::StringImpl const*) (/home/icewall/projects/webkit/build/lib/libjavascriptcoregtk-4.0.so.18+0x46b265d)
	#1 0x7ff887456406 in WebCore::Document::completeURL(WTF::String const&, WTF::URL const&, WebCore::ScriptExecutionContext::ForceUTF8) const (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x4ea0406)
	#2 0x7ff887436b32 in WebCore::Document::completeURL(WTF::String const&, WebCore::ScriptExecutionContext::ForceUTF8) const (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x4e80b32)
	#3 0x7ff8876c9946 in WebCore::ScriptElement::requestClassicScript(WTF::String const&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x5113946)
	#4 0x7ff8876c4f0e in WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x510ef0e)
	#5 0x7ff8880fe81c in WebCore::HTMLScriptRunner::runScript(WebCore::ScriptElement&, WTF::TextPosition const&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x5b4881c)
	#6 0x7ff8880fe325 in WebCore::HTMLScriptRunner::execute(WTF::Ref<WebCore::ScriptElement, WTF::DumbPtrTraits<WebCore::ScriptElement> >&&, WTF::TextPosition const&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x5b48325)
	#7 0x7ff8880cd26c in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x5b1726c)
	#8 0x7ff8880ce052 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x5b18052)
	#9 0x7ff8880cc1c4 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x5b161c4)
	#10 0x7ff8880d1d16 in WebCore::HTMLDocumentParser::resumeParsingAfterScriptExecution() (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x5b1bd16)
	#11 0x7ff8880d2621 in WebCore::HTMLDocumentParser::notifyFinished(WebCore::PendingScript&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x5b1c621)
	#12 0x7ff88765adfd in WebCore::PendingScript::notifyClientFinished() (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x50a4dfd)
	#13 0x7ff8875d7b9a in WebCore::LoadableScript::notifyClientFinished() (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x5021b9a)
	#14 0x7ff8875d6a10 in WebCore::LoadableClassicScript::notifyFinished(WebCore::CachedResource&, WebCore::NetworkLoadMetrics const&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x5020a10)
	#15 0x7ff8887aa9e9 in WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x61f49e9)
	#16 0x7ff8886f8f9a in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x6142f9a)
	#17 0x7ff884ae169d in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x252b69d)
	#18 0x7ff88398b810 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x13d5810)
	#19 0x7ff883edfad2 in IPC::Connection::dispatchMessage(IPC::Decoder&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x1929ad2)
	#20 0x7ff883ee0119 in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x192a119)
	#21 0x7ff883ee0c31 in IPC::Connection::dispatchOneIncomingMessage() (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x192ac31)
	#22 0x7ff881491704 in WTF::RunLoop::performWork() (/home/icewall/projects/webkit/build/lib/libjavascriptcoregtk-4.0.so.18+0x45b4704)
	#23 0x7ff8815deab5 in WTF::RunLoop::RunLoop()::$_0::__invoke(void*) (/home/icewall/projects/webkit/build/lib/libjavascriptcoregtk-4.0.so.18+0x4701ab5)
	#24 0x7ff875ab1284 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c284)
	#25 0x7ff875ab164f  (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c64f)
	#26 0x7ff875ab1961 in g_main_loop_run (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c961)
	#27 0x7ff8815ddcb6 in WTF::RunLoop::run() (/home/icewall/projects/webkit/build/lib/libjavascriptcoregtk-4.0.so.18+0x4700cb6)
	#28 0x7ff884d7a80c in int WebKit::AuxiliaryProcessMain<WebKit::WebProcess, WebKit::WebProcessMainGtk>(int, char**) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x27c480c)
	#29 0x7ff871c96b96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
	#30 0x41ccc9 in _start (/home/icewall/projects/webkit/build/bin/WebKitWebProcess+0x41ccc9)

0x603000212ef4 is located 4 bytes inside of 24-byte region [0x603000212ef0,0x603000212f08)
freed by thread T143 (WebCore: Worker) here:
	#0 0x49494d in free (/home/icewall/projects/webkit/build/bin/WebKitWebProcess+0x49494d)
	#1 0x7ff887af9528 in WebCore::DOMURL::~DOMURL() (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x5543528)
	#2 0x7ff880aa65d1 in JSC::VM::~VM() (/home/icewall/projects/webkit/build/lib/libjavascriptcoregtk-4.0.so.18+0x3bc95d1)

previously allocated by thread T0 here:
	#0 0x494bcd in malloc (/home/icewall/projects/webkit/build/bin/WebKitWebProcess+0x494bcd)
	#1 0x7ff8815fd08a in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) (/home/icewall/projects/webkit/build/lib/libjavascriptcoregtk-4.0.so.18+0x472008a)
	#2 0x7ff8814b4737 in WTF::aboutBlankURL() (/home/icewall/projects/webkit/build/lib/libjavascriptcoregtk-4.0.so.18+0x45d7737)
	#3 0x7ff888af9ab3 in WebCore::SecurityPolicy::shouldInheritSecurityOriginFromOwner(WTF::URL const&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x6543ab3)
	#4 0x7ff8873fe991 in WebCore::Document::Document(WebCore::Frame*, WTF::URL const&, unsigned int, unsigned int) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x4e48991)
	#5 0x7ff887b9d91e in WebCore::HTMLDocument::HTMLDocument(WebCore::Frame*, WTF::URL const&, unsigned char, unsigned int) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x55e791e)
	#6 0x7ff8885d72de in WebCore::DocumentWriter::createDocument(WTF::URL const&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x60212de)
	#7 0x7ff8885d43ca in WebCore::DocumentWriter::begin(WTF::URL const&, bool, WebCore::Document*) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x601e3ca)
	#8 0x7ff888584800 in WebCore::DocumentLoader::commitData(char const*, unsigned long) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x5fce800)
	#9 0x7ff884c389dd in WebKit::WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x26829dd)
	#10 0x7ff888593bd6 in WebCore::DocumentLoader::commitLoad(char const*, int) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x5fddbd6)
	#11 0x7ff8887a288d in WebCore::CachedRawResource::notifyClientsDataWasReceived(char const*, unsigned int) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x61ec88d)
	#12 0x7ff8887a228d in WebCore::CachedRawResource::updateBuffer(WebCore::SharedBuffer&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x61ec28d)
	#13 0x7ff88870203c in WebCore::SubresourceLoader::didReceiveDataOrBuffer(char const*, int, WTF::RefPtr<WebCore::SharedBuffer, WTF::DumbPtrTraits<WebCore::SharedBuffer> >&&, long long, WebCore::DataPayloadType) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x614c03c)
	#14 0x7ff888701cbb in WebCore::SubresourceLoader::didReceiveData(char const*, unsigned int, long long, WebCore::DataPayloadType) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x614bcbb)
	#15 0x7ff88398b40d in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x13d540d)
	#16 0x7ff883edfad2 in IPC::Connection::dispatchMessage(IPC::Decoder&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x1929ad2)
	#17 0x7ff883ee0119 in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x192a119)

Thread T143 (WebCore: Worker) created by T0 here:
	#0 0x47f35a in pthread_create (/home/icewall/projects/webkit/build/bin/WebKitWebProcess+0x47f35a)
	#1 0x7ff8815e3952 in WTF::Thread::establishHandle(WTF::Thread::NewThreadContext*, WTF::Optional<unsigned long>) (/home/icewall/projects/webkit/build/lib/libjavascriptcoregtk-4.0.so.18+0x4706952)
	#2 0x7ff881498592 in WTF::Thread::create(char const*, WTF::Function<void ()>&&, WTF::ThreadType) (/home/icewall/projects/webkit/build/lib/libjavascriptcoregtk-4.0.so.18+0x45bb592)
	#3 0x7ff88a2c0063 in WebCore::WorkerThread::start(WTF::Function<void (WTF::String const&)>&&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x7d0a063)
	#4 0x7ff88a2ae90b in WebCore::WorkerMessagingProxy::startWorkerGlobalScope(WTF::URL const&, WTF::String const&, WTF::String const&, bool, WTF::String const&, WebCore::ContentSecurityPolicyResponseHeaders const&, bool, WTF::MonotonicTime, WebCore::ReferrerPolicy, JSC::RuntimeFlags) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x7cf890b)
	#5 0x7ff88a293cef in WebCore::Worker::notifyFinished() (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x7cddcef)
	#6 0x7ff88a2bdc15 in WebCore::WorkerScriptLoader::didFinishLoading(unsigned long) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x7d07c15)
	#7 0x7ff8885d2687 in WebCore::DocumentThreadableLoader::didFinishLoading(unsigned long) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x601c687)
	#8 0x7ff8887aa9e9 in WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x61f49e9)
	#9 0x7ff8887a30e7 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*, WebCore::NetworkLoadMetrics const&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x61ed0e7)
	#10 0x7ff8886f8f9a in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x6142f9a)
	#11 0x7ff884ae169d in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x252b69d)
	#12 0x7ff88398b810 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x13d5810)
	#13 0x7ff883edfad2 in IPC::Connection::dispatchMessage(IPC::Decoder&) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x1929ad2)
	#14 0x7ff883ee0119 in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) (/home/icewall/projects/webkit/build/lib/libwebkit2gtk-4.0.so.37+0x192a119)

SUMMARY: AddressSanitizer: heap-use-after-free (/home/icewall/projects/webkit/build/lib/libjavascriptcoregtk-4.0.so.18+0x46b265d) in WTF::equal(WTF::StringImpl const*, WTF::StringImpl const*)
Shadow bytes around the buggy address:
  0x0c068003a580: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c068003a590: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c068003a5a0: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c068003a5b0: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c068003a5c0: fd fd fd fa fa fa 00 00 00 fa fa fa 00 00 00 05
=>0x0c068003a5d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fd]fd
  0x0c068003a5e0: fd fa fa fa fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c068003a5f0: 00 00 00 00 fa fa 00 00 00 fa fa fa 00 00 00 00
  0x0c068003a600: fa fa fa fa fa fa fa fa fd fd fd fa fa fa fd fd
  0x0c068003a610: fd fd fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c068003a620: 00 00 00 00 fa fa 00 00 00 00 fa fa fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==72167==ABORTING	

Exploit Proof of Concept

Tested on OSX.

1. Download the latest WebKit.
2. Build WebKit with the following settings:
   ./Tools/Scripts/set-webkit-configuration --asan --release
   ./Tools/Scripts/build-webkit
3. Execute MiniBrowser via: ./Tools/Scripts/debug-minibrowser
4. In another terminal tab, unzip standalone_poc.zip.
5. Run the web server that serves the PoC code via: python server.py (Flask must be installed).
6. Navigate to the start page served by server.py, e.g. URL: http://127.0.0.1:28029/start

Wait for the crash. If the vulnerability does not trigger within ~2 minutes, restart server.py and MiniBrowser and repeat the steps above. This may be necessary because the bug is a use-after-free reached through a race condition, so a single run is not guaranteed to hit it.
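The reproduction steps above, wrapped in a retry loop, as an added harness that is not part of the Talos report or of the WebKit project. It assumes the checkout lives in WEBKIT_SRC, that standalone_poc.zip has already been unzipped into POC_DIR next to the report's server.py, and that the start page is the http://127.0.0.1:28029/start URL given above. It launches MiniBrowser with run-minibrowser rather than debug-minibrowser so the browser is not wrapped in a debugger and can be killed by the script's watchdog (that run-minibrowser forwards a trailing URL to MiniBrowser is an assumption here). The ASan report is routed to a file with ASAN_OPTIONS=log_path, and an attempt only counts as a hit when the summary names WTF::equal, matching the report above, so an unrelated crash or a plain timeout is not mistaken for this bug.

```shell
#!/bin/sh
# Added reproduction harness for TALOS-2020-1124 (not from the Talos report
# or the WebKit project). Assumptions: WEBKIT_SRC is a WebKit checkout,
# POC_DIR holds the unzipped standalone_poc.zip with the report's server.py,
# START_URL is the start page named in the report.
set -u

WEBKIT_SRC="${WEBKIT_SRC:-$HOME/projects/webkit}"
POC_DIR="${POC_DIR:-$PWD/standalone_poc}"
START_URL="${START_URL:-http://127.0.0.1:28029/start}"
LOG_DIR="${LOG_DIR:-$PWD/repro-logs}"
ATTEMPT_TIMEOUT="${ATTEMPT_TIMEOUT:-120}"   # report: retry if nothing in ~2 min
MAX_ATTEMPTS="${MAX_ATTEMPTS:-10}"

# Return 0 only when the ASan output under "$1"* is the heap-use-after-free
# whose summary frame is WTF::equal, as in the report. Anything else
# (timeout, unrelated crash, no output at all) is a miss and gets a retry.
asan_uaf_in_log() {
    prefix="$1"
    cat "$prefix"* 2>/dev/null | grep -qF 'AddressSanitizer: heap-use-after-free' || return 1
    cat "$prefix"* 2>/dev/null | grep -qF 'in WTF::equal(WTF::StringImpl const*, WTF::StringImpl const*)'
}

# Step 2 of the report: ASan + release configuration, then build.
build_asan_webkit() {
    ( cd "$WEBKIT_SRC" \
      && ./Tools/Scripts/set-webkit-configuration --asan --release \
      && ./Tools/Scripts/build-webkit )
}

# Steps 3, 5 and 6: fresh Flask server, fresh MiniBrowser pointed at the
# start page, a poll-based watchdog (GNU timeout is not on stock macOS),
# teardown of both, then the verdict for this attempt.
run_attempt() {
    log="$1"
    ( cd "$POC_DIR" && python server.py ) >"$log.server" 2>&1 &
    server_pid=$!
    sleep 2                                  # let Flask bind the port
    # log_path makes ASan write its report to "$log.<pid>" of whichever
    # process trips; the UAF fires in the WebContent process, not in
    # MiniBrowser itself, so its stderr alone is not a reliable place to look.
    ( cd "$WEBKIT_SRC" && ASAN_OPTIONS="log_path=$log" \
        ./Tools/Scripts/run-minibrowser --release "$START_URL" ) >"$log.stderr" 2>&1 &
    browser_pid=$!
    elapsed=0
    while kill -0 "$browser_pid" 2>/dev/null && [ "$elapsed" -lt "$ATTEMPT_TIMEOUT" ]; do
        asan_uaf_in_log "$log" && break      # stop early once the report lands
        sleep 5
        elapsed=$((elapsed + 5))
    done
    kill "$browser_pid" "$server_pid" 2>/dev/null
    wait "$browser_pid" "$server_pid" 2>/dev/null
    asan_uaf_in_log "$log"
}

# Whole procedure: build once, then restart server and browser per attempt,
# which is the "restart and repeat" advice from the report made mechanical.
reproduce() {
    build_asan_webkit || return 1
    mkdir -p "$LOG_DIR"
    i=1
    while [ "$i" -le "$MAX_ATTEMPTS" ]; do
        echo "attempt $i/$MAX_ATTEMPTS, up to ${ATTEMPT_TIMEOUT}s"
        if run_attempt "$LOG_DIR/attempt$i"; then
            echo "reproduced: see $LOG_DIR/attempt$i*"
            return 0
        fi
        i=$((i + 1))
    done
    echo "no matching ASan report after $MAX_ATTEMPTS attempts" >&2
    return 1
}

# Only act when invoked as "sh repro.sh run"; sourcing just defines helpers.
case "${1:-}" in
    run) reproduce ;;
esac
```

Keep the attempt logs: the allocation and free stacks in each hit let you confirm the free still comes from the worker thread's DOMURL destructor and the use from WTF::equal on the main thread, which is what distinguishes this race from some other sanitizer finding surfaced by the same PoC.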

Timeline

2020-07-17 - Initial contact
2020-07-20 - Vendor acknowledged
2020-09-16 - Vendor released
2020-09-17 - Public release

Credit

Discovered by Marcin 'Icewall' Noga of Cisco Talos.