=================================================================
==131483==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000a58a0 at pc 0x55d0b567ff8d bp 0x7f3beccca650 sp 0x7f3beccca648
READ of size 8 at 0x6080000a58a0 thread T3 (Chrome_IOThread)
    #0 0x55d0b567ff8c in storage::FileSystemOperationRunner::Truncate(storage::FileSystemURL const&, long, base::OnceCallback<void (base::File::Error)>) storage/browser/fileapi/file_system_operation_runner.cc:324:18
    #1 0x55d0b569c7a2 in storage::FileWriterImpl::Truncate(unsigned long, base::OnceCallback<void (base::File::Error)>) storage/browser/fileapi/file_writer_impl.cc:94:22
    #2 0x55d0a88df5d1 in blink::mojom::FileWriterStubDispatch::AcceptWithResponder(blink::mojom::FileWriter*, mojo::Message*, std::__1::unique_ptr<mojo::MessageReceiverWithStatus, std::__1::default_delete<mojo::MessageReceiverWithStatus> >) gen/third_party/blink/public/mojom/filesystem/file_writer.mojom.cc:733:13
    #3 0x55d0aa07edac in blink::mojom::FileWriterStub<mojo::RawPtrImplRefTraits<blink::mojom::FileWriter> >::AcceptWithResponder(mojo::Message*, std::__1::unique_ptr<mojo::MessageReceiverWithStatus, std::__1::default_delete<mojo::MessageReceiverWithStatus> >) gen/third_party/blink/public/mojom/filesystem/file_writer.mojom.h:177:12
    #4 0x55d0af9e7e0d in mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:398:34
    #5 0x55d0af9f9ede in mojo::internal::MultiplexRouter::ProcessIncomingMessage(mojo::internal::MultiplexRouter::MessageWrapper*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) mojo/public/cpp/bindings/lib/multiplex_router.cc:869:42
    #6 0x55d0af9f8615 in mojo::internal::MultiplexRouter::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/multiplex_router.cc:590:38
    #7 0x55d0af9e38c9 in mojo::Connector::ReadSingleMessage(unsigned int*) mojo/public/cpp/bindings/lib/connector.cc:476:51
    #8 0x55d0af9e51b8 in mojo::Connector::ReadAllAvailableMessages() mojo/public/cpp/bindings/lib/connector.cc:505:10
    #9 0x55d0afa34de1 in Run base/callback.h:129:12
    #10 0x55d0afa34de1 in mojo::SimpleWatcher::OnHandleReady(int, unsigned int, mojo::HandleSignalsState const&) mojo/public/cpp/system/simple_watcher.cc:273
    #11 0x55d0afa356cc in mojo::SimpleWatcher::Context::Notify(unsigned int, MojoHandleSignalsState, unsigned int) mojo/public/cpp/system/simple_watcher.cc:105:22
    #12 0x55d0afa32f1a in mojo::SimpleWatcher::Context::CallNotify(MojoTrapEvent const*) mojo/public/cpp/system/simple_watcher.cc:55:14
    #13 0x55d0a93335b0 in mojo::core::WatcherDispatcher::InvokeWatchCallback(unsigned long, unsigned int, mojo::core::HandleSignalsState const&, unsigned int) mojo/core/watcher_dispatcher.cc:90:3
    #14 0x55d0a93323f2 in mojo::core::Watch::InvokeCallback(unsigned int, mojo::core::HandleSignalsState const&, unsigned int) mojo/core/watch.cc:78:13
    #15 0x55d0a9326476 in mojo::core::RequestContext::~RequestContext() mojo/core/request_context.cc:72:20
    #16 0x55d0a9305153 in mojo::core::NodeChannel::OnChannelMessage(void const*, unsigned long, std::__1::vector<mojo::PlatformHandle, std::__1::allocator<mojo::PlatformHandle> >) mojo/core/node_channel.cc:695:1
    #17 0x55d0a92d48b8 in mojo::core::Channel::OnReadComplete(unsigned long, unsigned long*) mojo/core/channel.cc:714:18
    #18 0x55d0a934378f in mojo::core::(anonymous namespace)::ChannelPosix::OnFileCanReadWithoutBlocking(int) mojo/core/channel_posix.cc:464:14
    #19 0x55d0af9009ab in base::MessagePumpLibevent::OnLibeventNotification(int, short, void*) base/message_loop/message_pump_libevent.cc
    #20 0x55d0af919c68 in event_process_active base/third_party/libevent/event.c:381:4
    #21 0x55d0af919c68 in event_base_loop base/third_party/libevent/event.c:521
    #22 0x55d0af901001 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_libevent.cc:214:5
    #23 0x55d0af7663e1 in base::RunLoop::Run() base/run_loop.cc:102:14
    #24 0x55d0a9c85acd in content::BrowserProcessSubThread::IOThreadRun(base::RunLoop*) content/browser/browser_process_sub_thread.cc:174:11
    #25 0x55d0af82f4ea in base::Thread::ThreadMain() base/threading/thread.cc:357:3
    #26 0x55d0af8f65a4 in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:80:13
    #27 0x7f3c0214e493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)

0x6080000a58a0 is located 0 bytes inside of 96-byte region [0x6080000a58a0,0x6080000a5900)
freed by thread T3 (Chrome_IOThread) here:
    #0 0x55d0a6e64862 in operator delete(void*) /b/swarming/w/ir/kitchen-workdir/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:167:3
    #1 0x55d0b567fbdd in operator() buildtools/third_party/libc++/trunk/include/memory:2321:5
    #2 0x55d0b567fbdd in reset buildtools/third_party/libc++/trunk/include/memory:2634
    #3 0x55d0b567fbdd in ~unique_ptr buildtools/third_party/libc++/trunk/include/memory:2588
    #4 0x55d0b567fbdd in storage::FileSystemOperationRunner::Truncate(storage::FileSystemURL const&, long, base::OnceCallback<void (base::File::Error)>) storage/browser/fileapi/file_system_operation_runner.cc:317
    #5 0x55d0b569c7a2 in storage::FileWriterImpl::Truncate(unsigned long, base::OnceCallback<void (base::File::Error)>) storage/browser/fileapi/file_writer_impl.cc:94:22
    #6 0x55d0a88df5d1 in blink::mojom::FileWriterStubDispatch::AcceptWithResponder(blink::mojom::FileWriter*, mojo::Message*, std::__1::unique_ptr<mojo::MessageReceiverWithStatus, std::__1::default_delete<mojo::MessageReceiverWithStatus> >) gen/third_party/blink/public/mojom/filesystem/file_writer.mojom.cc:733:13
    #7 0x55d0aa07edac in blink::mojom::FileWriterStub<mojo::RawPtrImplRefTraits<blink::mojom::FileWriter> >::AcceptWithResponder(mojo::Message*, std::__1::unique_ptr<mojo::MessageReceiverWithStatus, std::__1::default_delete<mojo::MessageReceiverWithStatus> >) gen/third_party/blink/public/mojom/filesystem/file_writer.mojom.h:177:12
    #8 0x55d0af9e7e0d in mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:398:34
    #9 0x55d0af9f9ede in mojo::internal::MultiplexRouter::ProcessIncomingMessage(mojo::internal::MultiplexRouter::MessageWrapper*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) mojo/public/cpp/bindings/lib/multiplex_router.cc:869:42
    #10 0x55d0af9f8615 in mojo::internal::MultiplexRouter::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/multiplex_router.cc:590:38
    #11 0x55d0af9e38c9 in mojo::Connector::ReadSingleMessage(unsigned int*) mojo/public/cpp/bindings/lib/connector.cc:476:51
    #12 0x55d0af9e51b8 in mojo::Connector::ReadAllAvailableMessages() mojo/public/cpp/bindings/lib/connector.cc:505:10
    #13 0x55d0afa34de1 in Run base/callback.h:129:12
    #14 0x55d0afa34de1 in mojo::SimpleWatcher::OnHandleReady(int, unsigned int, mojo::HandleSignalsState const&) mojo/public/cpp/system/simple_watcher.cc:273
    #15 0x55d0afa356cc in mojo::SimpleWatcher::Context::Notify(unsigned int, MojoHandleSignalsState, unsigned int) mojo/public/cpp/system/simple_watcher.cc:105:22
    #16 0x55d0afa32f1a in mojo::SimpleWatcher::Context::CallNotify(MojoTrapEvent const*) mojo/public/cpp/system/simple_watcher.cc:55:14
    #17 0x55d0a93335b0 in mojo::core::WatcherDispatcher::InvokeWatchCallback(unsigned long, unsigned int, mojo::core::HandleSignalsState const&, unsigned int) mojo/core/watcher_dispatcher.cc:90:3
    #18 0x55d0a93323f2 in mojo::core::Watch::InvokeCallback(unsigned int, mojo::core::HandleSignalsState const&, unsigned int) mojo/core/watch.cc:78:13
    #19 0x55d0a9326476 in mojo::core::RequestContext::~RequestContext() mojo/core/request_context.cc:72:20
    #20 0x55d0a9305153 in mojo::core::NodeChannel::OnChannelMessage(void const*, unsigned long, std::__1::vector<mojo::PlatformHandle, std::__1::allocator<mojo::PlatformHandle> >) mojo/core/node_channel.cc:695:1
    #21 0x55d0a92d48b8 in mojo::core::Channel::OnReadComplete(unsigned long, unsigned long*) mojo/core/channel.cc:714:18
    #22 0x55d0a934378f in mojo::core::(anonymous namespace)::ChannelPosix::OnFileCanReadWithoutBlocking(int) mojo/core/channel_posix.cc:464:14
    #23 0x55d0af9009ab in base::MessagePumpLibevent::OnLibeventNotification(int, short, void*) base/message_loop/message_pump_libevent.cc
    #24 0x55d0af919c68 in event_process_active base/third_party/libevent/event.c:381:4
    #25 0x55d0af919c68 in event_base_loop base/third_party/libevent/event.c:521
    #26 0x55d0af901001 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_libevent.cc:214:5
    #27 0x55d0af7663e1 in base::RunLoop::Run() base/run_loop.cc:102:14
    #28 0x55d0a9c85acd in content::BrowserProcessSubThread::IOThreadRun(base::RunLoop*) content/browser/browser_process_sub_thread.cc:174:11
    #29 0x55d0af82f4ea in base::Thread::ThreadMain() base/threading/thread.cc:357:3
    #30 0x55d0af8f65a4 in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:80:13
    #31 0x7f3c0214e493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)

previously allocated by thread T3 (Chrome_IOThread) here:
    #0 0x55d0a6e63c22 in operator new(unsigned long) /b/swarming/w/ir/kitchen-workdir/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:106:3
    #1 0x55d0b5657446 in storage::FileSystemOperation::Create(storage::FileSystemURL const&, storage::FileSystemContext*, std::__1::unique_ptr<storage::FileSystemOperationContext, std::__1::default_delete<storage::FileSystemOperationContext> >) storage/browser/fileapi/file_system_operation_impl.cc:62:10
    #2 0x55d0b56f34cb in storage::SandboxFileSystemBackend::CreateFileSystemOperation(storage::FileSystemURL const&, storage::FileSystemContext*, base::File::Error*) const storage/browser/fileapi/sandbox_file_system_backend.cc:121:10
    #3 0x55d0b5653f4a in storage::FileSystemContext::CreateFileSystemOperation(storage::FileSystemURL const&, base::File::Error*) storage/browser/fileapi/file_system_context.cc:540:16
    #4 0x55d0b567fb56 in storage::FileSystemOperationRunner::Truncate(storage::FileSystemURL const&, long, base::OnceCallback<void (base::File::Error)>) storage/browser/fileapi/file_system_operation_runner.cc:315:29
    #5 0x55d0b569c7a2 in storage::FileWriterImpl::Truncate(unsigned long, base::OnceCallback<void (base::File::Error)>) storage/browser/fileapi/file_writer_impl.cc:94:22
    #6 0x55d0a88df5d1 in blink::mojom::FileWriterStubDispatch::AcceptWithResponder(blink::mojom::FileWriter*, mojo::Message*, std::__1::unique_ptr<mojo::MessageReceiverWithStatus, std::__1::default_delete<mojo::MessageReceiverWithStatus> >) gen/third_party/blink/public/mojom/filesystem/file_writer.mojom.cc:733:13
    #7 0x55d0aa07edac in blink::mojom::FileWriterStub<mojo::RawPtrImplRefTraits<blink::mojom::FileWriter> >::AcceptWithResponder(mojo::Message*, std::__1::unique_ptr<mojo::MessageReceiverWithStatus, std::__1::default_delete<mojo::MessageReceiverWithStatus> >) gen/third_party/blink/public/mojom/filesystem/file_writer.mojom.h:177:12
    #8 0x55d0af9e7e0d in mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:398:34
    #9 0x55d0af9f9ede in mojo::internal::MultiplexRouter::ProcessIncomingMessage(mojo::internal::MultiplexRouter::MessageWrapper*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) mojo/public/cpp/bindings/lib/multiplex_router.cc:869:42
    #10 0x55d0af9f8615 in mojo::internal::MultiplexRouter::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/multiplex_router.cc:590:38
    #11 0x55d0af9e38c9 in mojo::Connector::ReadSingleMessage(unsigned int*) mojo/public/cpp/bindings/lib/connector.cc:476:51
    #12 0x55d0af9e51b8 in mojo::Connector::ReadAllAvailableMessages() mojo/public/cpp/bindings/lib/connector.cc:505:10
    #13 0x55d0afa34de1 in Run base/callback.h:129:12
    #14 0x55d0afa34de1 in mojo::SimpleWatcher::OnHandleReady(int, unsigned int, mojo::HandleSignalsState const&) mojo/public/cpp/system/simple_watcher.cc:273
    #15 0x55d0afa356cc in mojo::SimpleWatcher::Context::Notify(unsigned int, MojoHandleSignalsState, unsigned int) mojo/public/cpp/system/simple_watcher.cc:105:22
    #16 0x55d0afa32f1a in mojo::SimpleWatcher::Context::CallNotify(MojoTrapEvent const*) mojo/public/cpp/system/simple_watcher.cc:55:14
    #17 0x55d0a93335b0 in mojo::core::WatcherDispatcher::InvokeWatchCallback(unsigned long, unsigned int, mojo::core::HandleSignalsState const&, unsigned int) mojo/core/watcher_dispatcher.cc:90:3
    #18 0x55d0a93323f2 in mojo::core::Watch::InvokeCallback(unsigned int, mojo::core::HandleSignalsState const&, unsigned int) mojo/core/watch.cc:78:13
    #19 0x55d0a9326476 in mojo::core::RequestContext::~RequestContext() mojo/core/request_context.cc:72:20
    #20 0x55d0a9305153 in mojo::core::NodeChannel::OnChannelMessage(void const*, unsigned long, std::__1::vector<mojo::PlatformHandle, std::__1::allocator<mojo::PlatformHandle> >) mojo/core/node_channel.cc:695:1
    #21 0x55d0a92d48b8 in mojo::core::Channel::OnReadComplete(unsigned long, unsigned long*) mojo/core/channel.cc:714:18
    #22 0x55d0a934378f in mojo::core::(anonymous namespace)::ChannelPosix::OnFileCanReadWithoutBlocking(int) mojo/core/channel_posix.cc:464:14
    #23 0x55d0af9009ab in base::MessagePumpLibevent::OnLibeventNotification(int, short, void*) base/message_loop/message_pump_libevent.cc
    #24 0x55d0af919c68 in event_process_active base/third_party/libevent/event.c:381:4
    #25 0x55d0af919c68 in event_base_loop base/third_party/libevent/event.c:521
    #26 0x55d0af901001 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_libevent.cc:214:5
    #27 0x55d0af7663e1 in base::RunLoop::Run() base/run_loop.cc:102:14
    #28 0x55d0a9c85acd in content::BrowserProcessSubThread::IOThreadRun(base::RunLoop*) content/browser/browser_process_sub_thread.cc:174:11
    #29 0x55d0af82f4ea in base::Thread::ThreadMain() base/threading/thread.cc:357:3
    #30 0x55d0af8f65a4 in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:80:13
    #31 0x7f3c0214e493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)

Thread T3 (Chrome_IOThread) created by T0 (chrome) here:
    #0 0x55d0a6e1ff9d in __interceptor_pthread_create /b/swarming/w/ir/kitchen-workdir/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors.cc:210:3
    #1 0x55d0af8f586e in base::(anonymous namespace)::CreateThread(unsigned long, bool, base::PlatformThread::Delegate*, base::PlatformThreadHandle*, base::ThreadPriority) base/threading/platform_thread_posix.cc:119:13
    #2 0x55d0af82e6e4 in base::Thread::StartWithOptions(base::Thread::Options const&) base/threading/thread.cc:119:15
    #3 0x55d0a9c855f3 in content::BrowserProcessSubThread::CreateIOThread() content/browser/browser_process_sub_thread.cc:90:19
    #4 0x55d0ae8e4793 in content::ContentMainRunnerImpl::Run(bool) content/app/content_main_runner_impl.cc:859:29
    #5 0x55d0aea0b34c in service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:472:29
    #6 0x55d0ae8dfeb2 in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10
    #7 0x55d0a6e66d27 in ChromeMain chrome/app/chrome_main.cc:102:12
    #8 0x7f3bfaf382b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-use-after-free storage/browser/fileapi/file_system_operation_runner.cc:324:18 in storage::FileSystemOperationRunner::Truncate(storage::FileSystemURL const&, long, base::OnceCallback<void (base::File::Error)>)
Shadow bytes around the buggy address:
  0x0c108000cac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c108000cad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c108000cae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c108000caf0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c108000cb00: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
=>0x0c108000cb10: fa fa fa fa[fd]fd fd fd fd fd fd fd fd fd fd fd
  0x0c108000cb20: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c108000cb30: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c108000cb40: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c108000cb50: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c108000cb60: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==131483==ABORTING
