Issue 667429 link

Starred by 2 users

Issue metadata

Status:	Fixed
Owner:	kozy@chromium.org
Closed:	Dec 2017
Cc:	dgozman@chromium.org wfh@chromium.org creis@chromium.org
Components:	Internals>Sandbox>SiteIsolation Platform>DevTools
EstimatedDays:	----
NextAction:	----
OS:	All
Pri:	2
Type:	Bug

Blocking:
issue 652783

Inspecting |event.source| in DevTools crashes renderer when the source is out of process.

Project Member Reported by ekaramad@chromium.org, Nov 21 2016

Issue description

Version: 57.0.2926.1 (Official Build) canary SyzyASan (32-bit)
OS: All

What steps will reproduce the problem?
(1) Create a page with an out of process <iframe>.
(2) Add a message handler to the page:
window.addEventListener('message', function(e) {
 console.log(JSON.stringify(e.data));
};
(3) Open DevTools for the page and put a break point inside the message handler.
(4) Open another DevTools window inside <iframe> and type:
window.parent.postMessage({}, '*');
Alternatively, find another way that the <iframe> will post message to its parent.
(5) When the breakpoint hits, type e.source in console.

e.source| inside console.

What is the expected result?
The source should be shown as some type of Window object.

What happens instead?
The renderer crashes.

Typing 'e' alone is fine and it shows it has a window attribute.

Comment 1 by ekaramad@chromium.org, Nov 21 2016

Stack trace from crash reports:
	0x10601de0	(chrome_child.dll -hashtable.h:1001 )	WTF::HashTable<blink::ScriptWrappable *,WTF::KeyValuePair<blink::ScriptWrappable *,unsigned int>,WTF::KeyValuePairKeyExtractor,WTF::PtrHash<blink::ScriptWrappable>,WTF::HashMapValueTraits<WTF::HashTraits<blink::ScriptWrappable *>,WTF::HashTraits<unsigned int> >,WTF::HashTraits<blink::ScriptWrappable *>,WTF::PartitionAllocator>::lookup<WTF::IdentityHashTranslator<WTF::PtrHash<blink::ScriptWrappable> >,blink::ScriptWrappable *>(blink::ScriptWrappable * const &)
0x10807537	(chrome_child.dll -supplementable.h:105 )	blink::Supplement<blink::Document>::from(blink::Supplementable<blink::Document> &,char const *)
0x11fe9050	(chrome_child.dll -domwindowspeechsynthesis.cpp:50 )	blink::DOMWindowSpeechSynthesis::from(blink::LocalDOMWindow &)
0x11fe90e5	(chrome_child.dll -domwindowspeechsynthesis.cpp:60 )	blink::DOMWindowSpeechSynthesis::speechSynthesis(blink::DOMWindow &)
0x1180bf8b	(chrome_child.dll -v8windowpartial.cpp:654 )	blink::DOMWindowPartialV8Internal::speechSynthesisAttributeGetter
0x1180c046	(chrome_child.dll -v8windowpartial.cpp:670 )	blink::DOMWindowPartialV8Internal::speechSynthesisAttributeGetterCallback(v8::Local<v8::Name>,v8::PropertyCallbackInfo<v8::Value> const &)
0x0fec030b	(chrome_child.dll -api-arguments-inl.h:32 )	v8::internal::PropertyCallbackArguments::Call(void (*)(v8::Local<v8::Name>,v8::PropertyCallbackInfo<v8::Value> const &),v8::internal::Handle<v8::internal::Name>)
0x0ff26e2d	(chrome_child.dll -objects.cc:1353 )	v8::internal::Object::GetPropertyWithAccessor(v8::internal::LookupIterator *)
0x0ff25ff9	(chrome_child.dll -objects.cc:999 )	v8::internal::Object::GetProperty(v8::internal::LookupIterator *)
0x0ff3778f	(chrome_child.dll -objects.cc:7442 )	v8::internal::JSReceiver::GetOwnPropertyDescriptor(v8::internal::LookupIterator *,v8::internal::PropertyDescriptor *)
0x0fc3e390	(chrome_child.dll -builtins-object.cc:819 )	v8::internal::Builtin_Impl_ObjectGetOwnPropertyDescriptor
0x0fc3e2b1	(chrome_child.dll -builtins-object.cc:804 )	v8::internal::Builtin_ObjectGetOwnPropertyDescriptor(int,v8::internal::Object * *,v8::internal::Isolate *)
0x293860dd		
0x293ea553		
0x293dc49a		
0x293be02e		
0x29387595		
0x293ea553		
0x293dc49a		
0x293be02e		
0x29387595		
0x293ea553		
0x293dc49a		
0x293ea553		
0x293dc49a		
0x1c8457b9		
0x29387314		
0x293eb77c		
0x293dc49a		
0x29387595		
0x1c844ef9		
0x293dbc5d		
0x293af797		
0x0fe4daef	(chrome_child.dll -execution.cc:139 )	v8::internal::`anonymous namespace'::Invoke
0x0fe4dc4c	(chrome_child.dll -execution.cc:176 )	v8::internal::Execution::Call(v8::internal::Isolate *,v8::internal::Handle<v8::internal::Object>,v8::internal::Handle<v8::internal::Object>,int,v8::internal::Handle<v8::internal::Object> * const)
0x0fbbcb92	(chrome_child.dll -api.cc:4976 )	v8::Function::Call(v8::Local<v8::Context>,v8::Local<v8::Value>,int,v8::Local<v8::Value> * const)
0x101a1645	(chrome_child.dll -v8-function-call.cc:99 )	v8_inspector::V8FunctionCall::callWithoutExceptionHandling()
0x101a14cc	(chrome_child.dll -v8-function-call.cc:71 )	v8_inspector::V8FunctionCall::call(bool &,bool)
0x10186b1d	(chrome_child.dll -injected-script.cc:240 )	v8_inspector::InjectedScript::wrapValue(v8::Local<v8::Value>,v8_inspector::String16 const &,bool,bool,v8::Local<v8::Value> *)
0x1018639d	(chrome_child.dll -injected-script.cc:178 )	v8_inspector::InjectedScript::wrapObject(v8::Local<v8::Value>,v8_inspector::String16 const &,bool,bool,std::unique_ptr<v8_inspector::protocol::Runtime::RemoteObject,std::default_delete<v8_inspector::protocol::Runtime::RemoteObject> > *)
0x10187a2a	(chrome_child.dll -injected-script.cc:387 )	v8_inspector::InjectedScript::wrapEvaluateResult(v8::MaybeLocal<v8::Value>,v8::TryCatch const &,v8_inspector::String16 const &,bool,bool,std::unique_ptr<v8_inspector::protocol::Runtime::RemoteObject,std::default_delete<v8_inspector::protocol::Runtime::RemoteObject> > *,v8_inspector::protocol::Maybe<v8_inspector::protocol::Runtime::ExceptionDetails> *)
0x1019762f	(chrome_child.dll -v8-debugger-agent-impl.cc:748 )	v8_inspector::V8DebuggerAgentImpl::evaluateOnCallFrame(v8_inspector::String16 const &,v8_inspector::String16 const &,v8_inspector::protocol::Maybe<v8_inspector::String16>,v8_inspector::protocol::Maybe<bool>,v8_inspector::protocol::Maybe<bool>,v8_inspector::protocol::Maybe<bool>,v8_inspector::protocol::Maybe<bool>,std::unique_ptr<v8_inspector::protocol::Runtime::RemoteObject,std::default_delete<v8_inspector::protocol::Runtime::RemoteObject> > *,v8_inspector::protocol::Maybe<v8_inspector::protocol::Runtime::ExceptionDetails> *)
0x10170267	(chrome_child.dll -debugger.cpp:1002 )	v8_inspector::protocol::Debugger::DispatcherImpl::evaluateOnCallFrame(int,std::unique_ptr<v8_inspector::protocol::DictionaryValue,std::default_delete<v8_inspector::protocol::DictionaryValue> >,v8_inspector::protocol::ErrorSupport *)
0x10167daf	(chrome_child.dll -console.cpp:156 )	v8_inspector::protocol::Console::DispatcherImpl::dispatch(int,v8_inspector::String16 const &,std::unique_ptr<v8_inspector::protocol::DictionaryValue,std::default_delete<v8_inspector::protocol::DictionaryValue> >)
0x101633d9	(chrome_child.dll -protocol.cpp:736 )	v8_inspector::protocol::UberDispatcher::dispatch(std::unique_ptr<v8_inspector::protocol::Value,std::default_delete<v8_inspector::protocol::Value> >)
0x101a86b8	(chrome_child.dll -v8-inspector-session-impl.cc:308 )	v8_inspector::V8InspectorSessionImpl::dispatchProtocolMessage(v8_inspector::StringView const &)
0x10b5bbe6	(chrome_child.dll -inspectorsession.cpp:82 )	blink::InspectorSession::dispatchProtocolMessage(WTF::String const &,WTF::String const &)
0x116dab41	(chrome_child.dll -webdevtoolsagentimpl.cpp:588 )	blink::WebDevToolsAgentImpl::dispatchMessageFromFrontend(int,WTF::String const &,WTF::String const &)
0x116daba3	(chrome_child.dll -webdevtoolsagentimpl.cpp:578 )	blink::WebDevToolsAgentImpl::dispatchOnInspectorBackend(int,int,blink::WebString const &,blink::WebString const &)
0x118ac0f4	(chrome_child.dll -devtools_agent.cc:266 )	content::DevToolsAgent::OnDispatchOnInspectorBackend(int,int,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &)
0x118ab9bf	(chrome_child.dll -ipc_message_templates.h:26 )	IPC::DispatchToMethod<content::DevToolsAgent,void ( content::DevToolsAgent::*)(int,int,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &),void,std::tuple<int,int,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > >(content::DevToolsAgent *,void ( content::DevToolsAgent::*)(int,int,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &),void *,std::tuple<int,int,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > const &)
0x118ab7d0	(chrome_child.dll -ipc_message_templates.h:121 )	IPC::MessageT<DevToolsAgentMsg_DispatchOnInspectorBackend_Meta,std::tuple<int,int,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::basic_string<char,std::char_traits<char>,std::allocator<char> > >,void>::Dispatch<content::DevToolsAgent,content::DevToolsAgent,void,void ( content::DevToolsAgent::*)(int,int,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &)>(IPC::Message const *,content::DevToolsAgent *,content::DevToolsAgent *,void *,void ( content::DevToolsAgent::*)(int,int,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &))
0x118ac2c2	(chrome_child.dll -devtools_agent.cc:107 )	content::DevToolsAgent::OnMessageReceived(IPC::Message const &)
0x118745a7	(chrome_child.dll -render_frame_impl.cc:1488 )	content::RenderFrameImpl::OnMessageReceived(IPC::Message const &)
0x11b8af4f	(chrome_child.dll -message_router.cc:56 )	IPC::MessageRouter::RouteMessage(IPC::Message const &)
0x11b8af1b	(chrome_child.dll -message_router.cc:48 )	IPC::MessageRouter::OnMessageReceived(IPC::Message const &)
0x116057c6	(chrome_child.dll -child_thread_impl.cc:795 )	content::ChildThreadImpl::OnMessageReceived(IPC::Message const &)
0x111e0f1e	(chrome_child.dll -ipc_channel_proxy.cc:340 )	IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const &)
0x118f14e6	(chrome_child.dll -bind_internal.h:339 )	base::internal::Invoker<base::internal::BindState<void ( content::CompositorForwardingMessageFilter::*)(IPC::Message const &),scoped_refptr<content::CompositorForwardingMessageFilter>,IPC::Message>,void >::Run(base::internal::BindStateBase *)
0x1027c2fd	(chrome_child.dll -task_annotator.cc:52 )	base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask *)
0x1168df42	(chrome_child.dll -task_queue_manager.cc:358 )	blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue *)
0x1168d6ab	(chrome_child.dll -task_queue_manager.cc:250 )	blink::scheduler::TaskQueueManager::DoWork(base::TimeTicks,bool)
0x1168cafb	(chrome_child.dll -bind_internal.h:214 )	base::internal::FunctorTraits<void ( blink::scheduler::TaskQueueManager::*)(base::TimeTicks,bool),void>::Invoke<base::WeakPtr<blink::scheduler::TaskQueueManager> const &,base::TimeTicks const &,bool const &>(void ( blink::scheduler::TaskQueueManager::*)(base::TimeTicks,bool),base::WeakPtr<blink::scheduler::TaskQueueManager> const &,base::TimeTicks const &,bool const &)
0x1168cb41	(chrome_child.dll -bind_internal.h:305 )	base::internal::InvokeHelper<1,void>::MakeItSo<void ( blink::scheduler::TaskQueueManager::*const &)(base::TimeTicks,bool),base::WeakPtr<blink::scheduler::TaskQueueManager> const &,base::TimeTicks const &,bool const &>(void ( blink::scheduler::TaskQueueManager::*const &)(base::TimeTicks,bool),base::WeakPtr<blink::scheduler::TaskQueueManager> const &,base::TimeTicks const &,bool const &)
0x1168cb5d	(chrome_child.dll -bind_internal.h:361 )	base::internal::Invoker<base::internal::BindState<void ( blink::scheduler::TaskQueueManager::*)(base::TimeTicks,bool),base::WeakPtr<blink::scheduler::TaskQueueManager>,base::TimeTicks,bool>,void >::RunImpl<void ( blink::scheduler::TaskQueueManager::*const &)(base::TimeTicks,bool),std::tuple<base::WeakPtr<blink::scheduler::TaskQueueManager>,base::TimeTicks,bool> const &,0,1,2>(void ( blink::scheduler::TaskQueueManager::*const &)(base::TimeTicks,bool),std::tuple<base::WeakPtr<blink::scheduler::TaskQueueManager>,base::TimeTicks,bool> const &,base::IndexSequence<0,1,2>)
0x1168e15a	(chrome_child.dll -bind_internal.h:339 )	base::internal::Invoker<base::internal::BindState<void ( blink::scheduler::TaskQueueManager::*)(base::TimeTicks,bool),base::WeakPtr<blink::scheduler::TaskQueueManager>,base::TimeTicks,bool>,void >::Run(base::internal::BindStateBase *)
0x1027c2fd	(chrome_child.dll -task_annotator.cc:52 )	base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask *)
0x102488e8	(chrome_child.dll -message_loop.cc:413 )	base::MessageLoop::RunTask(base::PendingTask *)
0x10249367	(chrome_child.dll -message_loop.cc:515 )	base::MessageLoop::DoWork()
0x1027d746	(chrome_child.dll -message_pump_default.cc:35 )	base::MessagePumpDefault::Run(base::MessagePump::Delegate *)
0x102554cc	(chrome_child.dll -run_loop.cc:35 )	base::RunLoop::Run()
0x118ac7bf	(chrome_child.dll -devtools_agent.cc:63 )	content::`anonymous namespace'::WebKitClientMessageLoopImpl::run
0x116db927	(chrome_child.dll -webdevtoolsagentimpl.cpp:212 )	blink::ClientMessageLoopAdapter::runLoop(blink::WebLocalFrameImpl *)
0x116db687	(chrome_child.dll -webdevtoolsagentimpl.cpp:162 )	blink::ClientMessageLoopAdapter::run(blink::LocalFrame *)
0x10b62d9b	(chrome_child.dll -mainthreaddebugger.cpp:249 )	blink::MainThreadDebugger::runMessageLoopOnPause(int)
0x1019eba7	(chrome_child.dll -v8-debugger.cc:517 )	v8_inspector::V8Debugger::handleProgramBreak(v8::Local<v8::Context>,v8::Local<v8::Object>,v8::Local<v8::Value>,v8::Local<v8::Array>,bool,bool)
0x1019f0b5	(chrome_child.dll -v8-debugger.cc:616 )	v8_inspector::V8Debugger::handleV8DebugEvent(v8::DebugInterface::EventDetails const &)
0x1019ecd4	(chrome_child.dll -v8-debugger.cc:539 )	v8_inspector::V8Debugger::v8DebugEventCallback(v8::DebugInterface::EventDetails const &)
0x0fe262be	(chrome_child.dll -debug.cc:1902 )	v8::internal::Debug::CallEventCallback(v8::DebugEvent,v8::internal::Handle<v8::internal::Object>,v8::internal::Handle<v8::internal::Object>,v8::Debug::ClientData *)
0x0fe2620d	(chrome_child.dll -debug.cc:1878 )	v8::internal::Debug::ProcessDebugEvent(v8::DebugEvent,v8::internal::Handle<v8::internal::JSObject>,bool)
0x0fe26095	(chrome_child.dll -debug.cc:1815 )	v8::internal::Debug::OnDebugBreak(v8::internal::Handle<v8::internal::Object>,bool)
0x0fe22fa5	(chrome_child.dll -debug.cc:528 )	v8::internal::Debug::Break(v8::internal::JavaScriptFrame *)
0x0ffe02d7	(chrome_child.dll -runtime-debug.cc:25 )	v8::internal::Runtime_DebugBreak(int,v8::internal::Object * *,v8::internal::Isolate *)
0x0fe4daef	(chrome_child.dll -execution.cc:139 )	v8::internal::`anonymous namespace'::Invoke

Comment 2 by nick@chromium.org, Nov 21 2016

I was able to repro this using Windows Canary and  http://csreis.github.io/tests/post-message.html :

0. Enable --site-per-process
1. Load http://csreis.github.io/tests/post-message.html
2. Click "load cross-site iframe"
3. Right click and inspect the iframe.
4. On the "Sources" tab in devtools, open the 'post-message-subframe' document, and set a breakpoint on line 21, [var msg = "bar";].
5. In the original page, click the "postMessage to subframe" button.
6. In the debugger window, the breakpoint should be hit.
7. Type |e.source| and hit enter.
8. Receive crash.

Comment 3 by ekaramad@chromium.org, Nov 21 2016

I noted that the crash happens for out of process sources. So it does not only affect OOPIFs.

In fact, I tried it on 53.0.2773.0 (Developer Build) (64-bit) with the following steps:
1) Open a page with embedded PDF (<embed src="PDF_URL"></embed>).
2) Add message handler to the page like above.
3) In DevTools for the page type: document.querySelector('embed').postMessage({}).
4) There will be a message from the PDF (type: 'documentLoaded').
5) Type e.source in console.

Comment 4 by ekaramad@chromium.org, Nov 21 2016

Owner: dgozman@chromium.org

Assigning the bug to dgozman@ following nasko@'s suggestion.

Comment 5 by dgozman@chromium.org, Nov 22 2016

Cc: dgozman@chromium.org
Owner: kozyatinskiy@chromium.org
Status: Assigned (was: Untriaged)

Comment 6 by dgozman@chromium.org, Jan 4 2017

Blocking: 652783

Comment 7 by kozyatinskiy@chromium.org, Oct 16 2017

Owner: kozy@chromium.org

Comment 8 by kozy@chromium.org, Dec 12 2017

Status: Fixed (was: Assigned)

Looks like it is not crashing any more.
Please reopen this one if it is still an issue.

►

Issue 667429 link

Issue metadata

Inspecting |event.source| in DevTools crashes renderer when the source is out of process.

Issue description

Comment 1 by ekaramad@chromium.org, Nov 21 2016

Comment 1 Deleted

Comment 2 by nick@chromium.org, Nov 21 2016

Comment 2 Deleted

Comment 3 by ekaramad@chromium.org, Nov 21 2016

Comment 3 Deleted

Comment 4 by ekaramad@chromium.org, Nov 21 2016

Comment 4 Deleted

Comment 5 by dgozman@chromium.org, Nov 22 2016

Comment 5 Deleted

Comment 6 by dgozman@chromium.org, Jan 4 2017

Comment 6 Deleted

Comment 7 by kozyatinskiy@chromium.org, Oct 16 2017

Comment 7 Deleted

Comment 8 by kozy@chromium.org, Dec 12 2017

Comment 8 Deleted

Sign in to add a comment