
Issue 807838 link


Issue metadata

Status: Started
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug


Participants' hotlists:
Worker-Reliability



Crash on creating a dedicated worker from an iframe sandboxed by CSP header

Project Member Reported by shimazu@chromium.org, Feb 1 2018

Issue description

A test added in crrev.com/c/895165 crashes when creating a dedicated worker inside of an iframe with CSP: sandbox header.

Here is the crash trace from the test result:
--
crash log for renderer (pid <unknown>):
STDOUT: #CRASHED - renderer
STDERR: 
STDERR: DevTools listening on ws://127.0.0.1:46805/devtools/browser/585cabfd-6c64-48f6-8d1a-39f68ee87107
STDERR: CONSOLE ERROR: Failed to load https://web-platform.test:8444/service-workers/service-worker/resources/sandboxed-iframe-fetch-event-iframe.py?script_fetch_cors: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
STDERR: [1:22:0201/105012.587235:FATAL:StdLibExtras.h(128)] Check failed: IsNotRacy(allow_cross_thread_use). 
STDERR: #0 0x7f95d044063c base::debug::StackTrace::StackTrace()
STDERR: #1 0x7f95d046aa3c logging::LogMessage::~LogMessage()
STDERR: #2 0x7f95cc8e639d blink::SpaceSplitString::SharedDataMap()
STDERR: #3 0x7f95cc8e5c8c blink::SpaceSplitString::Data::Create()
STDERR: #4 0x7f95cc8e643d blink::SpaceSplitString::Set()
STDERR: #5 0x7f95ccba592f blink::CSPDirectiveList::ApplySandboxPolicy()
STDERR: #6 0x7f95ccba4d31 blink::CSPDirectiveList::AddDirective()
STDERR: #7 0x7f95ccb9f479 blink::CSPDirectiveList::Parse()
STDERR: #8 0x7f95ccb9f1ba blink::CSPDirectiveList::Create()
STDERR: #9 0x7f95ccbadac9 blink::ContentSecurityPolicy::AddPolicyFromHeaderValue()
STDERR: #10 0x7f95ccbad0ad blink::ContentSecurityPolicy::AddAndReportPolicyFromHeaderValue()
STDERR: #11 0x7f95ccbad59e blink::ContentSecurityPolicy::DidReceiveHeader()
STDERR: #12 0x7f95cd384510 blink::WorkerOrWorkletGlobalScope::ApplyContentSecurityPolicyFromVector()
STDERR: #13 0x7f95cd37e50a blink::WorkerGlobalScope::WorkerGlobalScope()
STDERR: #14 0x7f95cd36ae35 blink::DedicatedWorkerGlobalScope::DedicatedWorkerGlobalScope()
STDERR: #15 0x7f95cd36f0b0 blink::DedicatedWorkerThread::CreateWorkerGlobalScope()
STDERR: #16 0x7f95cd388357 blink::WorkerThread::InitializeOnWorkerThread()
STDERR: #17 0x7f95cd38c5a3 _ZN4base8internal7InvokerINS0_9BindStateIMN5blink12WorkerThreadEFvNSt3__110unique_ptrINS3_25GlobalScopeCreationParamsENS5_14default_deleteIS7_EEEERKNS_8OptionalINS3_30WorkerBackingThreadStartupDataEEENS3_20WorkerInspectorProxy18PauseOnWorkerStartEEJN3WTF28CrossThreadUnretainedWrapperIS4_EENSK_13PassedWrapperISA_EESD_SH_EEEFvvEE3RunEPNS0_13BindStateBaseE
STDERR: #18 0x7f95cb2aac11 blink::(anonymous namespace)::RunCrossThreadClosure()
STDERR: #19 0x7f95cb2ab745 _ZN4base8internal7InvokerINS0_9BindStateIPFvN3WTF19CrossThreadFunctionIFvvEEEEJS6_EEES5_E7RunOnceEPNS0_13BindStateBaseE
STDERR: #20 0x7f95d0440f5a base::debug::TaskAnnotator::RunTask()
STDERR: #21 0x7f95cb59a8ec blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue()
STDERR: #22 0x7f95cb599e27 blink::scheduler::TaskQueueManager::DoWork()
STDERR: #23 0x7f95cb59ebd8 _ZN4base8internal7InvokerINS0_9BindStateIMN5blink9scheduler16TaskQueueManagerEFvNS4_8internal8Sequence8WorkTypeEEJNS_7WeakPtrIS5_EES8_EEEFvvEE3RunEPNS0_13BindStateBaseE
STDERR: #24 0x7f95d0440f5a base::debug::TaskAnnotator::RunTask()
STDERR: #25 0x7f95cb5a0d78 blink::scheduler::internal::ThreadControllerImpl::DoWork()
STDERR: #26 0x7f95cb59ebd8 _ZN4base8internal7InvokerINS0_9BindStateIMN5blink9scheduler16TaskQueueManagerEFvNS4_8internal8Sequence8WorkTypeEEJNS_7WeakPtrIS5_EES8_EEEFvvEE3RunEPNS0_13BindStateBaseE
STDERR: #27 0x7f95d0440f5a base::debug::TaskAnnotator::RunTask()
STDERR: #28 0x7f95d0475516 base::internal::IncomingTaskQueue::RunTask()
STDERR: #29 0x7f95d04797f7 base::MessageLoop::RunTask()
STDERR: #30 0x7f95d0479c14 base::MessageLoop::DeferOrRunPendingTask()
STDERR: #31 0x7f95d0479ed8 base::MessageLoop::DoWork()
STDERR: #32 0x7f95d047b370 base::MessagePumpDefault::Run()
STDERR: #33 0x7f95d047904c base::MessageLoop::Run()
STDERR: #34 0x7f95d04b0cb6 base::RunLoop::Run()
STDERR: #35 0x7f95d04f452a base::Thread::Run()
STDERR: #36 0x7f95d04f4b23 base::Thread::ThreadMain()
STDERR: #37 0x7f95d04eaf6f base::(anonymous namespace)::ThreadFunc()
STDERR: #38 0x7f95d26ca494 start_thread
STDERR: #39 0x7f95c9096a8f clone
STDERR: 
 
This seems likely to happen when the worker is created from a blob URL, but I'm not confident about why it happens.
I suspect that SpaceSplitString used in ContentSecurityPolicy needs to be used on the main thread, but it needs more investigation.
Cc: bashi@chromium.org
Cc: -nhiroki@chromium.org shimazu@chromium.org
Owner: nhiroki@chromium.org
Let me pass this to nhiroki since you are more familiar with this code.
Could you triage this issue?

Comment 4 by bashi@chromium.org, Jun 12 2018

Probably an easy fix is to make SpaceSplitString::DataMap thread-safe (by using DEFINE_THREAD_SAFE_STATIC_LOCAL and a lock?), but I'm not sure about the performance implications.
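To make concrete what the IsNotRacy() check in the trace is guarding, and what the lock-based fix floated in comment 4 would change, here is an added C++ sketch. It is not Chromium code: InternMap, Data and the function names are hypothetical stand-ins for SpaceSplitString::SharedDataMap and its callers.

```cpp
#include <memory>
#include <mutex>
#include <string>
#include <thread>
#include <unordered_map>
// Constructed stand-in for Blink's SpaceSplitString::SharedDataMap: a process-wide
// intern table for tokenised values such as "sandbox allow-scripts". Names are hypothetical.
struct Data { std::string key; };
using DataPtr = std::shared_ptr<Data>;

class InternMap {
 public:
  // thread_safe=false: only the creating (main) thread may use the table, which is what
  // the IsNotRacy() CHECK in the trace enforces; true: the lock-guarded variant from comment 4.
  explicit InternMap(bool thread_safe)
      : thread_safe_(thread_safe), owner_(std::this_thread::get_id()) {}
  // Returns nullptr instead of CHECK-failing so a violation is observable in a test.
  DataPtr Get(const std::string& key) {
    if (!thread_safe_ && std::this_thread::get_id() != owner_) return nullptr;
    std::unique_lock<std::mutex> lock(mutex_, std::defer_lock);
    if (thread_safe_) lock.lock();
    DataPtr& slot = table_[key];
    if (!slot) slot = std::make_shared<Data>(Data{key});
    return slot;
  }
 private:
  const bool thread_safe_;
  const std::thread::id owner_;
  std::mutex mutex_;
  std::unordered_map<std::string, DataPtr> table_;
};

// Runs one lookup on a freshly spawned thread, like DedicatedWorkerThread applying
// the CSP header inside the WorkerGlobalScope constructor.
DataPtr LookupFromWorkerThread(InternMap& map, const std::string& key) {
  DataPtr result;
  std::thread worker([&] { result = map.Get(key); });
  worker.join();
  return result;
}
// Current behaviour: the main-thread lookup works, the worker-thread one is refused.
bool MainThreadOnlyMapRejectsWorker() {
  InternMap map(/*thread_safe=*/false);
  return map.Get("allow-scripts") && !LookupFromWorkerThread(map, "allow-scripts");
}
// With the lock, main and worker threads share one interned entry.
bool ThreadSafeMapServesWorker() {
  InternMap map(/*thread_safe=*/true);
  DataPtr main_entry = map.Get("allow-scripts");
  return LookupFromWorkerThread(map, "allow-scripts") == main_entry;
}
```

In the real code the affinity violation is a fatal CHECK rather than a nullptr, which is why the renderer dies as soon as the worker thread parses the sandbox directive.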
Cc: mek@chromium.org nhiroki@chromium.org
Components: Blink>SecurityFeature>ContentSecurityPolicy
Owner: andypaicu@chromium.org
Updated the owner to inherit it from 855275 

Comment 6 by falken@chromium.org, Jun 22 2018

Labels: allpublic
I guess this can be public since the other bug was.

Comment 7 by falken@chromium.org, Jun 22 2018

Labels: -Restrict-View-SecurityTeam

Comment 8 by falken@chromium.org, Jun 22 2018

Labels: WorkerBacklog
Adding WorkerBacklog for more visibility, seems like Worker team could also take this if Andy doesn't mind.

Comment 9 by mek@chromium.org, Jun 22 2018

Ah, sorry, didn't mean to file a duplicate bug... It does seem like something went pretty wrong here with triaging/fixing though if we have a P1 bug with zero progress after 5 months...
mek: No worries, you probably wouldn't have found the bug since it was security restricted. Fair point about triaging/fixing. We should figure out what happened here. Our triage process focuses on particular P1 bugs (security, regression, crash) since we have too many P1s. I suspect this didn't count as security since Type=Security wasn't set.
Cc: andypaicu@chromium.org
Labels: Stability-Crash
Owner: fmea...@chromium.org
Fadi: Would you be interested in taking this bug as you've looked at Worker + CSP recently? If not, feel free to kick back to me.

See also context on issue 855275; Monorail doesn't seem to link to it.
Labels: -Pri-1 Target-70 Pri-2
I will take a look.
Cc: fmea...@chromium.org
Owner: ----
Status: Available (was: Assigned)
I did not get a chance to work on this. Marking it available.

Comment 15 by falken@chromium.org, Today (7 hours ago)

Owner: falken@chromium.org
Status: Started (was: Available)
I'll try to fix this.
