Shumway crashes Chrome
Reported by
nia...@gmail.com,
Jun 26 2016
Issue description
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2756.0 Safari/537.36
Steps to reproduce the problem:
1. Open https://mozilla.github.io/shumway/
What is the expected behavior?
What went wrong?
Tab crashes
Did this work before? N/A
Chrome version: 53.0.2756.0 Channel: dev
OS Version:
Flash Version: Shockwave Flash 22.0 r0
Jun 27 2016
I can reproduce this on a build from master. Installing that extension then visiting https://mozilla.github.io/shumway/ causes the following RELEASE_ASSERT to crash the renderer, just before the page would normally start rendering Flash:
https://chromium.googlesource.com/chromium/src/+/5d6e476b1b26e86ab6b7ff2d52d84c0f4d15b0f1/third_party/WebKit/Source/wtf/typed_arrays/ArrayBuffer.h#125

ASSERTION FAILED: contents.data()
#1 0x7ff261b2e9b2 WTF::ArrayBuffer::create()
#2 0x7ff261b2b5ac blink::DOMArrayBuffer::create()
#3 0x7ff261b275fd blink::ScriptValueDeserializer::tryGetTransferredArrayBuffer()
#4 0x7ff261b240e0 blink::SerializedScriptValueReader::readWithTag()
#5 0x7ff2608af5d7 blink::SerializedScriptValueReaderForModules::read()
#6 0x7ff2608b0850 blink::ScriptValueDeserializerForModules::read()
#7 0x7ff261b28bef blink::ScriptValueDeserializer::doDeserialize()
#8 0x7ff261b28922 blink::ScriptValueDeserializer::deserialize()
#9 0x7ff2608b1644 blink::SerializedScriptValueForModulesFactory::deserialize()
#10 0x7ff261b4595a blink::SerializedScriptValueFactory::deserialize()
#11 0x7ff261b37f8d blink::SerializedScriptValue::deserialize()
#12 0x7ff261bc2b9f blink::V8MessageEvent::dataAttributeGetterCustom()
#13 0x7ff261bdd095 blink::MessageEventV8Internal::dataAttributeGetterCallback()
#14 0x7ff2710009ae v8::internal::FunctionCallbackArguments::Call()
#15 0x7ff2710844c8 v8::internal::(anonymous namespace)::HandleApiCallHelper()
#16 0x7ff271083cdb v8::internal::Builtins::InvokeApiFunction()
#17 0x7ff271464d25 v8::internal::Object::GetPropertyWithAccessor()
#18 0x7ff271463f92 v8::internal::Object::GetProperty()
#19 0x7ff2713d6a8c v8::internal::LoadIC::Load()
#20 0x7ff2713df141 v8::internal::__RT_impl_Runtime_LoadIC_Miss()
#21 0x7ff2713dee25 v8::internal::Runtime_LoadIC_Miss()
#22 0x39a2238061c7 <unknown>

FWIW there's a related console warning (whether or not the extension is installed and it crashes):
[115511:115511:0627/154349:INFO:CONSOLE(6153)] "The provided value 'moz-chunked-arraybuffer' is not a valid enum value of type XMLHttpRequestResponseType.", source: https://mozilla.github.io/shumway/build/bundles/shumway.player.js (6153)
Jun 27 2016
The last thing that seems to happen before the crash is a series of calls to postMessage from the /shumway/iframe/viewer.player.html iframe to the /shumway/iframe/viewer.gfx.html iframe with the following stack:
this.target.postMessage(msg, '*', transfers);
WindowTransportPeer.postAsyncMessage (shumway.player.js:6298)
WindowGFXService.update (shumway.player.js:80041)
Player.syncDisplayObject (shumway.player.js:79161)
Player._pumpDisplayListUpdates (shumway.player.js:79144)
Player._pumpUpdates (shumway.player.js:79237)
Player._eventLoopTick (shumway.player.js:79334)
tick (shumway.player.js:79260)
setTimeout (async)
tick ()
setTimeout (async)
tick ()
setTimeout (async)
tick ()
setTimeout (async)
tick ()
It doesn't crash when the messages are posted, but seems to crash just before they would be received.
If they didn't crash, the messages would be received by shumway.gfx.js:6278 where it has `this.window.addEventListener('message'` 2 lines under `Object.defineProperty(WindowTransportPeer.prototype, 'onAsyncMessage',`.
The arguments to postMessage are:
transfers = [ArrayBuffer]
msg = a complex object, containing an array of PlainObjectShapeData and one
PlainObjectDataBuffer. The PlainObjectShapeDatas contain Uint8Arrays and Int32Arrays. The PlainObjectDataBuffer contains an ArrayBuffer, with byteLength 256, though it's accompanied by two properties, length:132 and littleEndian:true.
I've attached the JSON.stringify serialization of msg. It converted the Uint8Arrays and Int32Arrays (e.g. "commands" and "coordinates") into objects whose keys are the array indices, but it failed to stringify the ArrayBuffer.
If I set a breakpoint on the postMessage and overwrite `transfers` with [] before it gets posted each time, the page never crashes (nor does it render the Flash).
The ArrayBuffer in `transfers` is created by reading the `buffer` property of a Uint8Array in WindowGFXService.prototype.update. The length of the Uint8Array varies; sometimes for example it is 772, and hence transfers[0].byteLength is 1024 (padded with zeros at the end); at other times both lengths are 16384.
Jun 27 2016
(my build from master was at 8afea8f3061288d68aac97a266ea9b2ac9bd72e6)
Jul 13 2016
peria@, could you take a look? Maybe SerializedScriptValueReader or ScriptValueDeserializer is passing empty data to ArrayBuffer?
Jul 13 2016
It reproduces on Stable Chrome (51.0.2704.106). According to the analysis in #3, I think the array buffer passed to postMessage on the sender side is broken or invalid. So I think we should look at the dump of the ArrayBuffer to be sent.
Jan 4 2017
Was curious if this was fixed by the structured cloning refactor. It is not -- it still happens. Probably an issue in the array buffer transfer logic; somehow we're getting an empty ArrayBufferContents here.
May 11 2017
Just filed issue 721510 which may be the same problem (it's also a crash when using a postMessage with a transferred array). It has a reduced test case.
May 12 2017
I think what's happening here is that the transferred ArrayBufferContents are being consumed by the first world to deserialize the message event data, leaving null contents for the next world to do so. Which explains why a fairly non-specific extension with a content script suffices to trigger this. One reasonable fix might be to eagerly create the array buffers from the contents up front.
May 15 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/4bcb9954c02c7dd9c7cb2a0756e4a3002ec66e5d

commit 4bcb9954c02c7dd9c7cb2a0756e4a3002ec66e5d
Author: jbroman <jbroman@chromium.org>
Date: Mon May 15 19:36:49 2017

Keep materialized ArrayBuffer and ImageBitmap objects in SerializedScriptValue.

This allows a message to be received in multiple worlds, even though the ArrayBufferContents can only be consumed once.

BUG= 623355
Review-Url: https://codereview.chromium.org/2878053002
Cr-Commit-Position: refs/heads/master@{#471868}

[add] https://crrev.com/4bcb9954c02c7dd9c7cb2a0756e4a3002ec66e5d/third_party/WebKit/LayoutTests/fast/dom/Window/postmessage-transfer-isolated-world.html
[modify] https://crrev.com/4bcb9954c02c7dd9c7cb2a0756e4a3002ec66e5d/third_party/WebKit/Source/bindings/core/v8/serialization/SerializedScriptValue.cpp
[modify] https://crrev.com/4bcb9954c02c7dd9c7cb2a0756e4a3002ec66e5d/third_party/WebKit/Source/bindings/core/v8/serialization/SerializedScriptValue.h
[modify] https://crrev.com/4bcb9954c02c7dd9c7cb2a0756e4a3002ec66e5d/third_party/WebKit/Source/bindings/core/v8/serialization/V8ScriptValueDeserializer.cpp
[modify] https://crrev.com/4bcb9954c02c7dd9c7cb2a0756e4a3002ec66e5d/third_party/WebKit/Source/bindings/core/v8/serialization/V8ScriptValueDeserializer.h
[modify] https://crrev.com/4bcb9954c02c7dd9c7cb2a0756e4a3002ec66e5d/third_party/WebKit/Source/platform/wtf/Optional.h
[modify] https://crrev.com/4bcb9954c02c7dd9c7cb2a0756e4a3002ec66e5d/third_party/WebKit/Source/platform/wtf/typed_arrays/ArrayBufferContents.cpp
[modify] https://crrev.com/4bcb9954c02c7dd9c7cb2a0756e4a3002ec66e5d/third_party/WebKit/Source/platform/wtf/typed_arrays/ArrayBufferContents.h
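Added example, not code from Chromium, Shumway or any commenter above. It illustrates two things the thread relies on: the postMessage transfer semantics behind the reporter's observation that the transferred ArrayBuffer is the view's whole padded backing store (772 bytes used, 1024-byte buffer) and that dropping the transfer list avoids the crash; and a toy model of the "contents consumed once, second world gets null" failure described in the May 12 analysis, beside the materialize-once approach the commit above takes. Part 1 uses Node's global structuredClone with its transfer option (Node 17 or later); part 2's SerializedValueBuggy and SerializedValueFixed classes are hypothetical stand-ins for Blink's SerializedScriptValue and ArrayBufferContents, not their real API, and all buffers are constructed sample data.

```javascript
// Added example (not Chromium or Shumway code). Part 1 shows transfer
// semantics with Node's global structuredClone(value, { transfer }) (Node 17+);
// part 2 is a toy model of the "consumed once" failure and of the fix's idea.

// Part 1: transferring an ArrayBuffer moves it. The sender's object is detached
// (byteLength 0) and only the receiver's copy holds the bytes. Passing a view's
// .buffer transfers the whole backing store, which is why a 772-byte Uint8Array
// can arrive as a 1024-byte ArrayBuffer padded with zeros.
function transferDemo() {
  const backing = new Uint8Array(1024);          // constructed sample buffer
  backing.set([0xde, 0xad, 0xbe, 0xef]);
  const used = backing.subarray(0, 772);         // the part the sender filled
  const source = used.buffer;                    // whole 1024-byte backing store
  const usedLength = used.length;
  const wholeBufferLength = source.byteLength;

  // No transfer list: the bytes are copied and the sender keeps its buffer.
  const copied = structuredClone(source);
  const sourceIntact = source.byteLength === 1024 && copied.byteLength === 1024;

  // Transfer list: the bytes move and the sender's buffer (and views) detach.
  const moved = structuredClone(source, { transfer: [source] });
  const sourceDetached = source.byteLength === 0 && used.length === 0;
  const movedBytes = Array.from(new Uint8Array(moved, 0, 4));
  const paddingIsZero = new Uint8Array(moved).subarray(772).every((b) => b === 0);

  return { usedLength, wholeBufferLength, sourceIntact, sourceDetached, movedBytes, paddingIsZero };
}

// Part 2: a serialized message holds transferred contents that can be handed
// out exactly once (hypothetical stand-in for Blink's ArrayBufferContents).
// When the same MessageEvent's .data is read in two JavaScript worlds, e.g. an
// extension content script and then the page itself, a naive deserializer gives
// the first reader the contents and leaves the second with nothing, which is
// what the failed RELEASE_ASSERT(contents.data()) in the trace corresponds to.
class SerializedValueBuggy {
  constructor(contents) { this.contents = contents; }
  deserializeIn(world) {
    const contents = this.contents;
    this.contents = null;                          // ownership leaves the message
    if (contents === null) {
      return { world, ok: false, reason: "empty contents (would fail the assert)" };
    }
    return { world, ok: true, buffer: contents };
  }
}

// Materialize-once approach, following the idea of the commit above: build the
// ArrayBuffer from the contents the first time, keep it on the serialized value,
// and hand that same object to every world that later deserializes the message.
class SerializedValueFixed {
  constructor(contents) { this.contents = contents; this.materialized = null; }
  deserializeIn(world) {
    if (this.materialized === null) {
      this.materialized = this.contents;           // consume the contents once
      this.contents = null;
    }
    return { world, ok: true, buffer: this.materialized };
  }
}

// Deserialize one message in two worlds and report whether each one succeeded.
function twoWorldsDemo(SerializedValue) {
  const payload = new Uint8Array([1, 2, 3]).buffer;   // constructed transferred buffer
  const message = new SerializedValue(payload);
  const worlds = ["isolated world (content script)", "main world (page)"];
  return worlds.map((world) => message.deserializeIn(world).ok);
}
```

twoWorldsDemo(SerializedValueBuggy) yields [true, false]: the second world finds the contents already taken, and transferDemo shows that the detached source is the sender-side counterpart of that single ownership. twoWorldsDemo(SerializedValueFixed) yields [true, true]. The model omits what the real fix also has to do (create a per-world wrapper around the one materialized buffer, and handle ImageBitmap the same way); its point is only that the consumable contents must be turned into a kept object once rather than re-read per world.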
Jul 11 2017
Issue 741079 has been merged into this issue.
Aug 25 2017
Issue 696064 has been merged into this issue.