=================================================================
==3574502==ERROR: AddressSanitizer: heap-use-after-free on address 0x768d5c24f330 at pc 0x58b0734e079c bp 0x7ffd407fb7a0 sp 0x7ffd407fb798
READ of size 1 at 0x768d5c24f330 thread T0 (chrome)
    #0 0x58b0734e079b in has_value third_party/libc++/src/include/optional:353:82
    #1 0x58b0734e079b in operator* third_party/libc++/src/include/optional:800:5
    #2 0x58b0734e079b in document_associated_data content/browser/renderer_host/render_frame_host_impl.h:2575:12
    #3 0x58b0734e079b in content::internal::GetDocumentUserData(content::RenderFrameHost const*, void const*) content/public/browser/document_user_data.cc:14:9
    #4 0x58b07f1fca5b in GetForCurrentDocument content/public/browser/document_user_data.h:111:28
    #5 0x58b07f1fca5b in content::DocumentUserData::GetOrCreateForCurrentDocument(content::RenderFrameHost*) content/public/browser/document_user_data.h:122:22
    #6 0x58b07f1fc955 in AIContextBoundObjectSet::GetFromContext(std::__Cr::variant) chrome/browser/ai/ai_context_bound_object_set.cc:137:12
    #7 0x58b07f201034 in AIManagerKeyedService::CreateTextSession(mojo::PendingReceiver, mojo::InlinedStructPtr, std::__Cr::optional, std::__Cr::allocator>> const&, std::__Cr::vector, std::__Cr::allocator>>, base::OnceCallback)>) chrome/browser/ai/ai_manager_keyed_service.cc:368:7
    #8 0x58b072b15675 in blink::mojom::AIManagerStubDispatch::AcceptWithResponder(blink::mojom::AIManager*, mojo::Message*, std::__Cr::unique_ptr>) gen/third_party/blink/public/mojom/ai/ai_manager.mojom.cc:1917:13
    #9 0x58b0817a8c9c in mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:1005:56
    #10 0x58b0817c4b0d in mojo::MessageDispatcher::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/message_dispatcher.cc:48:24
    #11 0x58b0817ae5f5 in mojo::InterfaceEndpointClient::HandleIncomingMessage(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:724:20
    #12
0x58b0817d35f1 in mojo::internal::MultiplexRouter::ProcessIncomingMessage(mojo::internal::MultiplexRouter::MessageWrapper*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) mojo/public/cpp/bindings/lib/multiplex_router.cc:1121:42
    #13 0x58b0817d186b in mojo::internal::MultiplexRouter::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/multiplex_router.cc:734:7
    #14 0x58b0817c4c0a in mojo::MessageDispatcher::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/message_dispatcher.cc:43:19
    #15 0x58b08179ff81 in mojo::Connector::DispatchMessage(mojo::ScopedHandleBase) mojo/public/cpp/bindings/lib/connector.cc:562:49
    #16 0x58b0817a18c0 in mojo::Connector::ReadAllAvailableMessages() mojo/public/cpp/bindings/lib/connector.cc:620:14
    #17 0x58b0817a12e9 in OnHandleReadyInternal mojo/public/cpp/bindings/lib/connector.cc:452:3
    #18 0x58b0817a12e9 in mojo::Connector::OnWatcherHandleReady(char const*, unsigned int) mojo/public/cpp/bindings/lib/connector.cc:418:3
    #19 0x58b0817a2bea in Invoke base/functional/bind_internal.h:738:12
    #20 0x58b0817a2bea in MakeItSo, base::internal::UnretainedWrapper > &, unsigned int> base/functional/bind_internal.h:930:12
    #21 0x58b0817a2bea in RunImpl, base::internal::UnretainedWrapper > &, 0UL, 1UL> base/functional/bind_internal.h:1067:14
    #22 0x58b0817a2bea in base::internal::Invoker, base::internal::BindState, base::internal::UnretainedWrapper>, void (unsigned int)>::Run(base::internal::BindStateBase*, unsigned int) base/functional/bind_internal.h:987:12
    #23 0x58b0730a6ba3 in base::RepeatingCallback::Run(unsigned int) const & base/functional/callback.h:344:12
    #24 0x58b0730a692f in Invoke &, unsigned int, const mojo::HandleSignalsState &), const base::RepeatingCallback &, unsigned int, const mojo::HandleSignalsState &> base/functional/bind_internal.h:671:12
    #25 0x58b0730a692f in MakeItSo &, unsigned int, const mojo::HandleSignalsState &), const std::__Cr::tuple > &, unsigned int, const mojo::HandleSignalsState &>
base/functional/bind_internal.h:930:12
    #26 0x58b0730a692f in RunImpl &, unsigned int, const mojo::HandleSignalsState &), const std::__Cr::tuple > &, 0UL> base/functional/bind_internal.h:1067:14
    #27 0x58b0730a692f in base::internal::Invoker const&, unsigned int, mojo::HandleSignalsState const&), base::RepeatingCallback const&>, base::internal::BindState const&, unsigned int, mojo::HandleSignalsState const&), base::RepeatingCallback>, void (unsigned int, mojo::HandleSignalsState const&)>::Run(base::internal::BindStateBase*, unsigned int, mojo::HandleSignalsState const&) base/functional/bind_internal.h:987:12
    #28 0x58b08248eccb in base::RepeatingCallback::Run(unsigned int, mojo::HandleSignalsState const&) const & base/functional/callback.h:344:12
    #29 0x58b08248e5f3 in mojo::SimpleWatcher::OnHandleReady(int, unsigned int, mojo::HandleSignalsState const&) mojo/public/cpp/system/simple_watcher.cc:278:14
    #30 0x58b08248f834 in Invoke &, int, unsigned int, mojo::HandleSignalsState> base/functional/bind_internal.h:738:12
    #31 0x58b08248f834 in MakeItSo, int, unsigned int, mojo::HandleSignalsState> > base/functional/bind_internal.h:954:5
    #32 0x58b08248f834 in void base::internal::Invoker&&, int&&, unsigned int&&, mojo::HandleSignalsState&&>, base::internal::BindState, int, unsigned int, mojo::HandleSignalsState>, void ()>::RunImpl, int, unsigned int, mojo::HandleSignalsState>, 0ul, 1ul, 2ul, 3ul>(void (mojo::SimpleWatcher::*&&)(int, unsigned int, mojo::HandleSignalsState const&), std::__Cr::tuple, int, unsigned int, mojo::HandleSignalsState>&&, std::__Cr::integer_sequence) base/functional/bind_internal.h:1067:14
    #33 0x58b0819a3a34 in Run base/functional/callback.h:156:12
    #34 0x58b0819a3a34 in base::TaskAnnotator::RunTaskImpl(base::PendingTask&) base/task/common/task_annotator.cc:203:34
    #35 0x58b081a0bdc3 in RunTask<(lambda at ../../base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:472:11)> base/task/common/task_annotator.h:90:5
    #36 0x58b081a0bdc3 in
base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl(base::LazyNow*) base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:470:23
    #37 0x58b081a0ab6a in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:332:40
    #38 0x58b081a0cb0a in non-virtual thunk to base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() base/task/sequence_manager/thread_controller_with_message_pump_impl.cc
    #39 0x58b081b64232 in base::MessagePumpGlib::HandleDispatch() base/message_loop/message_pump_glib.cc:649:46
    #40 0x58b081b67028 in base::(anonymous namespace)::WorkSourceDispatch(_GSource*, int (*)(void*), void*) base/message_loop/message_pump_glib.cc:274:43
    #41 0x786d5edcbd3a in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55d3a) (BuildId: 224ac2a88b72bc8e2fe8566ee28fae789fc69241)

0x768d5c24f330 is located 4656 bytes inside of 5568-byte region [0x768d5c24e100,0x768d5c24f6c0)
freed by thread T0 (chrome) here:
    #0 0x58b06e0acdad in operator delete(void*) /b/s/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cpp:143:3
    #1 0x58b07951c994 in operator() third_party/libc++/src/include/__memory/unique_ptr.h:69:5
    #2 0x58b07951c994 in reset third_party/libc++/src/include/__memory/unique_ptr.h:281:7
    #3 0x58b07951c994 in ~unique_ptr third_party/libc++/src/include/__memory/unique_ptr.h:250:71
    #4 0x58b07951c994 in content::RenderFrameHostManager::~RenderFrameHostManager() content/browser/renderer_host/render_frame_host_manager.cc:568:3
    #5 0x58b07910fb54 in content::FrameTreeNode::~FrameTreeNode() content/browser/renderer_host/frame_tree_node.cc:305:1
    #6 0x58b079111163 in content::FrameTreeNode::~FrameTreeNode() content/browser/renderer_host/frame_tree_node.cc:203:33
    #7 0x58b0794343e9 in operator() third_party/libc++/src/include/__memory/unique_ptr.h:69:5
    #8 0x58b0794343e9 in reset
third_party/libc++/src/include/__memory/unique_ptr.h:281:7
    #9 0x58b0794343e9 in content::RenderFrameHostImpl::RemoveChild(content::FrameTreeNode*) content/browser/renderer_host/render_frame_host_impl.cc:5020:22
    #10 0x58b07943676d in PendingDeletionCheckCompleted content/browser/renderer_host/render_frame_host_impl.cc:10969:16
    #11 0x58b07943676d in content::RenderFrameHostImpl::PendingDeletionCheckCompletedOnSubtree() content/browser/renderer_host/render_frame_host_impl.cc:10982:5
    #12 0x58b07299a0b4 in blink::mojom::LocalFrameHostStubDispatch::Accept(blink::mojom::LocalFrameHost*, mojo::Message*) gen/third_party/blink/public/mojom/frame/frame.mojom.cc
    #13 0x58b0817a8b9a in mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:1051:54
    #14 0x58b0817c4b0d in mojo::MessageDispatcher::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/message_dispatcher.cc:48:24
    #15 0x58b0817ae5f5 in mojo::InterfaceEndpointClient::HandleIncomingMessage(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:724:20
    #16 0x58b083c3f77e in IPC::ChannelAssociatedGroupController::AcceptOnEndpointThread(mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification) ipc/ipc_mojo_bootstrap.cc:1216:24
    #17 0x58b083c415d7 in Invoke, mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification> base/functional/bind_internal.h:738:12
    #18 0x58b083c415d7 in MakeItSo, mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification> > base/functional/bind_internal.h:930:12
    #19 0x58b083c415d7 in RunImpl, mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification>, 0UL, 1UL, 2UL> base/functional/bind_internal.h:1067:14
    #20 0x58b083c415d7 in base::internal::Invoker, base::internal::BindState, mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification>, void ()>::RunOnce(base::internal::BindStateBase*) base/functional/bind_internal.h:980:12
    #21
0x58b0819a3a34 in Run base/functional/callback.h:156:12
    #22 0x58b0819a3a34 in base::TaskAnnotator::RunTaskImpl(base::PendingTask&) base/task/common/task_annotator.cc:203:34
    #23 0x58b081a0bdc3 in RunTask<(lambda at ../../base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:472:11)> base/task/common/task_annotator.h:90:5
    #24 0x58b081a0bdc3 in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl(base::LazyNow*) base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:470:23
    #25 0x58b081a0ab6a in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:332:40
    #26 0x58b081a0cb0a in non-virtual thunk to base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() base/task/sequence_manager/thread_controller_with_message_pump_impl.cc
    #27 0x58b081b64232 in base::MessagePumpGlib::HandleDispatch() base/message_loop/message_pump_glib.cc:649:46
    #28 0x58b081b67028 in base::(anonymous namespace)::WorkSourceDispatch(_GSource*, int (*)(void*), void*) base/message_loop/message_pump_glib.cc:274:43
    #29 0x786d5edcbd3a in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55d3a) (BuildId: 224ac2a88b72bc8e2fe8566ee28fae789fc69241)

previously allocated by thread T0 (chrome) here:
    #0 0x58b06e0ac54d in operator new(unsigned long) /b/s/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cpp:86:3
    #1 0x58b07940072d in operator new content/public/browser/render_frame_host.h:146:3
    #2 0x58b07940072d in content::RenderFrameHostFactory::Create(content::SiteInstance*, scoped_refptr, content::RenderFrameHostDelegate*, content::FrameTree*, content::FrameTreeNode*, int, mojo::PendingAssociatedRemote, base::TokenType const&, base::TokenType const&, base::UnguessableToken, bool, content::RenderFrameHostImpl::LifecycleStateImpl, scoped_refptr)
content/browser/renderer_host/render_frame_host_factory.cc:39:27
    #3 0x58b07951eca8 in content::RenderFrameHostManager::CreateRenderFrameHost(content::RenderFrameHostManager::CreateFrameCase, content::SiteInstanceImpl*, int, mojo::PendingAssociatedRemote, base::TokenType const&, base::TokenType const&, base::UnguessableToken, bool, scoped_refptr) content/browser/renderer_host/render_frame_host_manager.cc:3919:10
    #4 0x58b07951fc91 in content::RenderFrameHostManager::InitChild(content::SiteInstanceImpl*, int, mojo::PendingAssociatedRemote, base::TokenType const&, base::TokenType const&, base::UnguessableToken const&, blink::FramePolicy, std::__Cr::basic_string, std::__Cr::allocator>, std::__Cr::basic_string, std::__Cr::allocator>) content/browser/renderer_host/render_frame_host_manager.cc:653:22
    #5 0x58b079433ac6 in content::RenderFrameHostImpl::AddChild(std::__Cr::unique_ptr>, int, mojo::PendingAssociatedRemote, base::TokenType const&, base::TokenType const&, base::UnguessableToken, blink::FramePolicy const&, std::__Cr::basic_string, std::__Cr::allocator>, std::__Cr::basic_string, std::__Cr::allocator>) content/browser/renderer_host/render_frame_host_impl.cc:4929:28
    #6 0x58b0790fe573 in content::FrameTree::AddFrame(content::RenderFrameHostImpl*, int, int, mojo::PendingAssociatedRemote, mojo::PendingReceiver, mojo::StructPtr, mojo::PendingAssociatedReceiver, blink::mojom::TreeScopeType, std::__Cr::basic_string, std::__Cr::allocator> const&, std::__Cr::basic_string, std::__Cr::allocator> const&, bool, base::TokenType const&, base::UnguessableToken const&, base::TokenType const&, blink::FramePolicy const&, blink::mojom::FrameOwnerProperties const&, bool, blink::FrameOwnerElementType, bool) content/browser/renderer_host/frame_tree.cc:431:39
    #7 0x58b07942d3b4 in content::RenderFrameHostImpl::OnCreateChildFrame(int, mojo::PendingAssociatedRemote, mojo::PendingReceiver, mojo::StructPtr, mojo::PendingAssociatedReceiver, blink::mojom::TreeScopeType, std::__Cr::basic_string,
std::__Cr::allocator> const&, std::__Cr::basic_string, std::__Cr::allocator> const&, bool, base::TokenType const&, base::UnguessableToken const&, base::TokenType const&, blink::FramePolicy const&, blink::mojom::FrameOwnerProperties const&, blink::FrameOwnerElementType, long) content/browser/renderer_host/render_frame_host_impl.cc:4275:53
    #8 0x58b07942df6e in content::RenderFrameHostImpl::CreateChildFrame(base::TokenType const&, mojo::PendingAssociatedRemote, mojo::PendingReceiver, mojo::StructPtr, mojo::PendingAssociatedReceiver, blink::mojom::TreeScopeType, std::__Cr::basic_string, std::__Cr::allocator> const&, std::__Cr::basic_string, std::__Cr::allocator> const&, bool, blink::FramePolicy const&, mojo::StructPtr, blink::FrameOwnerElementType, long) content/browser/renderer_host/render_frame_host_impl.cc:4344:3
    #9 0x58b0738459f2 in content::mojom::FrameHostStubDispatch::Accept(content::mojom::FrameHost*, mojo::Message*) gen/content/common/frame.mojom.cc:5301:13
    #10 0x58b0817a8b9a in mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:1051:54
    #11 0x58b0817c4b0d in mojo::MessageDispatcher::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/message_dispatcher.cc:48:24
    #12 0x58b0817ae5f5 in mojo::InterfaceEndpointClient::HandleIncomingMessage(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:724:20
    #13 0x58b083c3f77e in IPC::ChannelAssociatedGroupController::AcceptOnEndpointThread(mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification) ipc/ipc_mojo_bootstrap.cc:1216:24
    #14 0x58b083c415d7 in Invoke, mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification> base/functional/bind_internal.h:738:12
    #15 0x58b083c415d7 in MakeItSo, mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification> > base/functional/bind_internal.h:930:12
    #16 0x58b083c415d7 in RunImpl, mojo::Message, IPC::(anonymous
namespace)::ScopedUrgentMessageNotification>, 0UL, 1UL, 2UL> base/functional/bind_internal.h:1067:14
    #17 0x58b083c415d7 in base::internal::Invoker, base::internal::BindState, mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification>, void ()>::RunOnce(base::internal::BindStateBase*) base/functional/bind_internal.h:980:12
    #18 0x58b0819a3a34 in Run base/functional/callback.h:156:12
    #19 0x58b0819a3a34 in base::TaskAnnotator::RunTaskImpl(base::PendingTask&) base/task/common/task_annotator.cc:203:34
    #20 0x58b081a0bdc3 in RunTask<(lambda at ../../base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:472:11)> base/task/common/task_annotator.h:90:5
    #21 0x58b081a0bdc3 in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl(base::LazyNow*) base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:470:23
    #22 0x58b081a0ab6a in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:332:40
    #23 0x58b081a0cb0a in non-virtual thunk to base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() base/task/sequence_manager/thread_controller_with_message_pump_impl.cc
    #24 0x58b081b64b69 in base::MessagePumpGlib::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_glib.cc:694:48
    #25 0x58b081a0d75a in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run(bool, base::TimeDelta) base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:640:12
    #26 0x58b08193216f in base::RunLoop::Run(base::Location const&) base/run_loop.cc:134:14
    #27 0x58b078209ca2 in content::BrowserMainLoop::RunMainMessageLoop() content/browser/browser_main_loop.cc:1102:18
    #28 0x58b0782114ac in content::BrowserMainRunnerImpl::Run() content/browser/browser_main_runner_impl.cc:156:15
    #29 0x58b0782008d8 in content::BrowserMain(content::MainFunctionParams)
content/browser/browser_main.cc:34:28
    #30 0x58b07ee33c6f in content::RunBrowserProcessMain(content::MainFunctionParams, content::ContentMainDelegate*) content/app/content_main_runner_impl.cc:732:10
    #31 0x58b07ee37248 in content::ContentMainRunnerImpl::RunBrowser(content::MainFunctionParams, bool) content/app/content_main_runner_impl.cc:1311:10
    #32 0x58b07ee3692c in content::ContentMainRunnerImpl::Run() content/app/content_main_runner_impl.cc:1162:12
    #33 0x58b07ee31625 in content::RunContentProcess(content::ContentMainParams, content::ContentMainRunner*) content/app/content_main.cc:356:36
    #34 0x58b07ee31c3b in content::ContentMain(content::ContentMainParams) content/app/content_main.cc:369:10
    #35 0x58b06e0aed93 in ChromeMain chrome/app/chrome_main.cc:231:12

SUMMARY: AddressSanitizer: heap-use-after-free third_party/libc++/src/include/optional:353:82 in has_value
Shadow bytes around the buggy address:
  0x768d5c24f080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x768d5c24f100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x768d5c24f180: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x768d5c24f200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x768d5c24f280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x768d5c24f300: fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd
  0x768d5c24f380: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x768d5c24f400: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x768d5c24f480: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x768d5c24f500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x768d5c24f580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb

==3574502==ADDITIONAL INFO

==3574502==Note: Please include this section with the ASan report.
Task trace:
    #0 0x58b08248f1d7 in mojo::SimpleWatcher::Context::Notify(unsigned int, MojoHandleSignalsState, unsigned int) mojo/public/cpp/system/simple_watcher.cc:102:13

Command line: `./chrome --no-sandbox --user-data-dir=/tmp/x --enable-blink-features=MojoJS,MojoJSTest --flag-switches-begin --flag-switches-end http://localhost/poc`

MiraclePtr Status: NOT PROTECTED
No raw_ptr access to this region was detected prior to this crash.
This crash is still exploitable with MiraclePtr.
Refer to https://chromium.googlesource.com/chromium/src/+/main/base/memory/raw_ptr.md for details.

==3574502==END OF ADDITIONAL INFO
==3574502==ABORTING