Observed in all versions of Chrome since at least 23.

Also doesn't work with the upcoming native extensions bindings.
There's no crash, only an error is displayed:
Error at parameter 'details': Missing required property 'tabId'.
To enable the new bindings, add "--enable-features=NativeCrxBindings" to chrome's command line.

FWIW attaching a crash dump.

>	chrome_elf.dll!crash_reporter::DumpWithoutCrashing(void)
 	chrome.dll!base::debug::DumpWithoutCrashing(void)
 	chrome.dll!content::RenderProcessHostImpl::ShutdownForBadMessage(enum content::RenderProcessHost::CrashReportMode)
 	chrome.dll!extensions::bad_message::ReceivedBadMessage(class content::RenderProcessHost *,enum extensions::bad_message::BadMessageReason)
 	chrome.dll!UIThreadExtensionFunction::SetBadMessage(void)
 	chrome.dll!ExtensionFunction::ValidationFailure(class ExtensionFunction *)
 	chrome.dll!extensions::WebNavigationGetAllFramesFunction::Run(void)

Deleted: r550591-crashdump.zip 628 KB

r550591-crashdump.zip 628 KB Download

As per comment#2 and #3 marking this issue as Untriaged. Could someone from Platform>Extensions team please have a look at the crashlog attached in comment#3.

Thanks!

This is a failing assertion.

A release build just crashes with:
[19104:19104:0419/225622.472399:ERROR:extension_function.cc(472)] Bad extension message webNavigation.getAllFrames

A debug build crashes with:
[19493:19493:0419/225723.354308:FATAL:web_navigation_api.cc(515)] Check failed: params.get(). 
#0 0x7f1815ee8bad base::debug::StackTrace::StackTrace()
#1 0x7f1815ee6fec base::debug::StackTrace::StackTrace()
#2 0x7f1815f6defa logging::LogMessage::~LogMessage()
#3 0x563cc608d0ab extensions::WebNavigationGetAllFramesFunction::Run()
#4 0x563cc29dec21 ExtensionFunction::RunWithValidation()
#5 0x563cc29e5d99 extensions::ExtensionFunctionDispatcher::DispatchWithCallbackInternal()
#6 0x563cc29e4e04 extensions::ExtensionFunctionDispatcher::Dispatch()
#7 0x563cc2a4d6cc extensions::ExtensionWebContentsObserver::OnRequest()
#8 0x563cc2963d02 _ZN3IPC20DispatchToMethodImplIN10extensions21AppWindowContentsImplEMS2_FvPN7content15RenderFrameHostERKNSt3__16vectorINS1_15DraggableRegionENS6_9allocatorIS8_EEEEES4_NS6_5tupleIJSB_EEEJLm0EEEEvPT_T0_PT1_OT2_NS6_16integer_sequenceImJXspT3_EEEE
#9 0x563cc2963c30 _ZN3IPC16DispatchToMethodIN10extensions21AppWindowContentsImplEN7content15RenderFrameHostEJRKNSt3__16vectorINS1_15DraggableRegionENS5_9allocatorIS7_EEEEENS5_5tupleIJSA_EEEEENS5_9enable_ifIXeqsZT1_sr3std10tuple_sizeINS5_5decayIT2_E4typeEEE5valueEvE4typeEPT_MSM_FvPT0_DpT1_ESP_OSH_
#10 0x563cc2a4de51 _ZN3IPC8MessageTI29ExtensionHostMsg_Request_MetaNSt3__15tupleIJ31ExtensionHostMsg_Request_ParamsEEEvE8DispatchIN10extensions28ExtensionWebContentsObserverES9_N7content15RenderFrameHostEMS9_FvPSB_RKS4_EEEbPKNS_7MessageEPT_PT0_PT1_T2_
#11 0x563cc2a4d63c extensions::ExtensionWebContentsObserver::OnMessageReceived()
#12 0x563cc63f187a extensions::ChromeExtensionWebContentsObserver::OnMessageReceived()
#13 0x7f1810c3b0e9 content::WebContentsImpl::OnMessageReceived()
#14 0x7f18103912f1 content::RenderFrameHostImpl::OnMessageReceived()
#15 0x7f1810925699 content::RenderProcessHostImpl::OnMessageReceived()
#16 0x7f18142b7998 IPC::ChannelProxy::Context::OnDispatchMessage()

This occurs when a mandatory property is present but non-enumerable.

Here is another example:

// Does not crash:
chrome.tabs.highlight(Object.create(null, {tabs: {value:[], enumerable:true}}));

// Crashes (enumerable:false) :
chrome.tabs.highlight(Object.create(null, {tabs: {value:[]}}));



Since this error only occurs with non-native bindings, I guess that the JS-based schema validator is accessing properties with someobject[somepropname] and/or using $Object.hasOwnProperty for validation (which detects non-enumerable properties),
and $Object.keys or a for(..in..) loop to create an object to serialize and send over IPC (which does not include non-enumerable properties).

Assigning to Devlin, since this is related to JS bindings.

Fun!

Rob's on the right track.  JS bindings perform validation using Object.hasOwnProperty, which includes these non-enumerable properties.  When parsing the value to pass to the browser process, we serialize it using V8ValueConverter, which uses v8::Object::GetOwnPropertyNames().  The native bindings do these steps at the same time (validating and converting along the way), and also use v8::Object::GetOwnPropertyNames().

We've never really defined which traits we require properties to have, but we should at least be consistent, and should certainly not crash.

One thing that I find particularly surprising: v8::Object::GetOwnPropertyNames() does *not* include non-enumerable properties (it specifies returning the same properties as a for .. in, modulo those on the prototype), but this is very different from Object.getOwnPropertyNames(), which includes non-enumerable properties.  Is this difference intentional, jbroman@?  It seems odd to have an identically-named function that doesn't behave as the spec'd function...

I don't know the history (you'd have to dig and ask the V8 folk), but I suspect it's unintentional (but difficult to change without breaking other API consumers). I believe you can construct a PropertyFilter that includes or excludes non-enumerable properties as you would like.