Issue 874256 link

Starred by 2 users

Issue metadata

Status:	Unconfirmed
Owner:	----
Cc:	morlovich@chromium.org
Components:	Internals>Headless
EstimatedDays:	----
NextAction:	----
OS:	Linux
Pri:	2
Type:	Bug
TE-NeedsTriageHelp Via-Wizard-Other Needs-Milestone Triaged-ET

headless_shell crashes with FATAL error: Check failed: global_proxy_.IsEmpty

Reported by bio.just...@gmail.com, Aug 14

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0

Steps to reproduce the problem:
1. Build headless_shell 
2. Run headless_shell behind a proxy using the following arguments:
headless_shell --no-sandbox --dump-dom --enable-logging --disable-gpu <URL>

where URL could be any one from the list below:
https://mk.gov.lv/
https://mnpz.by/press-room/
https://mol.hu/hu/molrol/mediaszoba/kozlemenyek
https://news.rwe.com/en/
https://osp.stat.gov.lt/pradinis
https://press.cwd.go.kr/
https://remit.edfenergy.com/
http://win.dgbas.gov.tw/dgbas03/bs7/sdds/english/calendar.htm
https://www.abu.nl/over-de-branche/marktontwikkelingen
https://www.accc.gov.au/
http://www.airport.kr/co/ko/3/6/3/index.jsp
https://www.allianzgi.com/en/insights

3. Observe the FATAL error message being thrown.

What is the expected behavior?
No crash

What went wrong?
headless_shell failed with FATAL error on certain websites. Based on our tests, this occurred on about 100 out of 2000 sites we tested. 

Did this work before? N/A 

Chrome version: <Copy from: 'about:version'>  Channel: n/a
OS Version: Red Hat Enterprise Linux Server release 7.3 (Maipo)
Flash Version: Shockwave Flash 30.0 r0

Comment 1 by bio.just...@gmail.com, Aug 14

headless_shell was built from the following commit using 

import("//build/args/headless.gn")
is_debug = false
symbol_level = 0
is_component_build = false
remove_webcore_debug_symbols = true
enable_nacl = false


commit b4956c1ff92e2a16fe22139e8a3a3b638854fd20
Author: webrtc-chromium-autoroll <webrtc-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Date:   Thu Jul 26 21:44:35 2018 +0000

Comment 2 by swarnasree.mukkala@chromium.org, Aug 15

Labels: Needs-Milestone

Comment 3 by morlovich@chromium.org, Aug 17

Cc: morlovich@chromium.org
Components: Internals>Headless

Do you have the filename line number that goes with the CHECK failure?
(The ones I can find seem to be in V8 bindings stuff, though...)

Comment 4 by bio.just...@gmail.com, Aug 18

Here is a typical stack trace: 

[0817/223038.817061.1534559438:FATAL:window_proxy.cc(105)] Check failed: global_proxy_.IsEmpty(). 
#0 0x000003c7c55c base::debug::StackTrace::StackTrace()
#1 0x000003c06c30 logging::LogMessage::~LogMessage()
#2 0x000004ef4a64 blink::WindowProxy::SetGlobalProxy()
#3 0x0000053a3487 blink::WindowProxyManager::SetGlobalProxies()
#4 0x0000054d3f61 blink::WebFrame::Swap()
#5 0x000005ccbf09 content::RenderFrameImpl::SwapIn()
#6 0x000005cd7ade content::RenderFrameImpl::DidCommitProvisionalLoad()
#7 0x0000055c670f blink::LocalFrameClientImpl::DispatchDidCommitLoad()
#8 0x0000059a43c9 blink::DocumentLoader::DidCommitNavigation()
#9 0x0000059a37ce blink::DocumentLoader::InstallNewDocument()
#10 0x0000059a3528 blink::DocumentLoader::CommitNavigation()
#11 0x0000059a26f6 blink::DocumentLoader::CommitData()
#12 0x0000059a22df blink::DocumentLoader::FinishedLoading()
#13 0x0000034a6046 blink::Resource::DidAddClient()
#14 0x00000349ff5b blink::RawResource::DidAddClient()
#15 0x0000034a64dc blink::Resource::FinishPendingClients()
#16 0x000004ede080 blink::TaskHandle::Runner::Run()
#17 0x000003c0c839 base::debug::TaskAnnotator::RunTask()
#18 0x000003c3e852 base::sequence_manager::internal::ThreadControllerImpl::DoWork()
#19 0x000003c0c839 base::debug::TaskAnnotator::RunTask()
#20 0x000003c0ba22 base::MessageLoop::RunTask()
#21 0x000003c0bee7 base::MessageLoop::DoWork()
#22 0x000003c0e80a base::MessagePumpDefault::Run()
#23 0x000003c24a75 base::RunLoop::Run()
#24 0x0000064373cf content::RendererMain()
#25 0x000003bb5249 content::RunZygote()
#26 0x000003bb63e9 content::ContentMainRunnerImpl::Run()
#27 0x000004dae6eb service_manager::Main()
#28 0x000003baeef1 content::ContentMain()
#29 0x000003c9d58d headless::(anonymous namespace)::RunContentMain()
#30 0x000003c9d43e headless::RunChildProcessIfNeeded()
#31 0x000003beee55 headless::HeadlessShellMain()
#32 0x000002481184 main
#33 0x7f10e076c3d5 __libc_start_main
#34 0x00000248102a _start

Received signal 6
#0 0x000003c7c55c base::debug::StackTrace::StackTrace()
#1 0x000003c7c0c1 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7f10e1e0f680 <unknown>
#3 0x7f10e0780207 __GI_raise
#4 0x7f10e07818f8 __GI_abort
#5 0x000003c7af15 base::debug::BreakDebugger()
#6 0x000003c07099 logging::LogMessage::~LogMessage()
#7 0x000004ef4a64 blink::WindowProxy::SetGlobalProxy()
#8 0x0000053a3487 blink::WindowProxyManager::SetGlobalProxies()
#9 0x0000054d3f61 blink::WebFrame::Swap()
#10 0x000005ccbf09 content::RenderFrameImpl::SwapIn()
#11 0x000005cd7ade content::RenderFrameImpl::DidCommitProvisionalLoad()
#12 0x0000055c670f blink::LocalFrameClientImpl::DispatchDidCommitLoad()
#13 0x0000059a43c9 blink::DocumentLoader::DidCommitNavigation()
#14 0x0000059a37ce blink::DocumentLoader::InstallNewDocument()
#15 0x0000059a3528 blink::DocumentLoader::CommitNavigation()
#16 0x0000059a26f6 blink::DocumentLoader::CommitData()
#17 0x0000059a22df blink::DocumentLoader::FinishedLoading()
#18 0x0000034a6046 blink::Resource::DidAddClient()
#19 0x00000349ff5b blink::RawResource::DidAddClient()
#20 0x0000034a64dc blink::Resource::FinishPendingClients()
#21 0x000004ede080 blink::TaskHandle::Runner::Run()
#22 0x000003c0c839 base::debug::TaskAnnotator::RunTask()
#23 0x000003c3e852 base::sequence_manager::internal::ThreadControllerImpl::DoWork()
#24 0x000003c0c839 base::debug::TaskAnnotator::RunTask()
#25 0x000003c0ba22 base::MessageLoop::RunTask()
#26 0x000003c0bee7 base::MessageLoop::DoWork()
#27 0x000003c0e80a base::MessagePumpDefault::Run()
#28 0x000003c24a75 base::RunLoop::Run()
#29 0x0000064373cf content::RendererMain()
#30 0x000003bb5249 content::RunZygote()
#31 0x000003bb63e9 content::ContentMainRunnerImpl::Run()
#32 0x000004dae6eb service_manager::Main()
#33 0x000003baeef1 content::ContentMain()
#34 0x000003c9d58d headless::(anonymous namespace)::RunContentMain()
#35 0x000003c9d43e headless::RunChildProcessIfNeeded()
#36 0x000003beee55 headless::HeadlessShellMain()
#37 0x000002481184 main
#38 0x7f10e076c3d5 __libc_start_main
#39 0x00000248102a _start
  r8: 00007f10e242a7c0  r9: 0000000000000030 r10: 0000000000000008 r11: 0000000000000202
 r12: 00007ffc4cef84b8 r13: 0000000000000062 r14: 00007ffc4cef84c0 r15: 00007ffc4cef84c8
  di: 0000000000007f32  si: 0000000000007f32  bp: 00007ffc4cef7e10  bx: 00007ffc4cef7e80
  dx: 0000000000000006  ax: 0000000000000000  cx: ffffffffffffffff  sp: 00007ffc4cef7cd8
  ip: 00007f10e0780207 efl: 0000000000000202 cgf: 0000000000000033 erf: 0000000000000000
 trp: 0000000000000000 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]
Calling _exit(1). Core file will not be generated.

Comment 5 by morlovich@chromium.org, Aug 20

Components: Blink

Comment 6 by chrishtr@chromium.org, Aug 20

Components: -Blink

Comment 7 by marytara...@yandex-team.ru, Sep 21

The crash is reproduced when browser is run using Selenium and it tries to open page with in-process iframe.

We assume that crash may occur in other situations where remote connection to browser is used and swap frames happens.

Here is what happens.

When new frame was created, Selenium using web socket wants to capture it.
The stack in browser process:
ServerWrapper::OnWebSocketMessage ->
DevToolsHttpHandler::OnWebSocketMessage ->
DevToolsAgentHostClientImpl::OnMessage ->
DevToolsAgentHostImpl::DispatchProtocolMessage ->
DevToolsSession::DispatchProtocolMessage

The stack in renderer process:
nspectorSession::DispatchProtocolMessage ->
V8 ->
V8RuntimeAgentImpl::evaluate ->
ensureContext ->
MainThreadDebugger::ensureDefaultContextInGroup ->
ToScriptStateForMainWorld (v8_binding_for_core.h) ->
ToScriptState (v8_binding_for_core.h) ->
ToScriptStateImpl (v8_binding_for_core.h) ->
ToV8ContextEvenIfDetached (v8_binding_for_core.h) ->
LocalFrame::WindowProxy -> 
Frame::GetWindowProxy ->
WindowProxyManager::GetWindowProxy ->
WindowProxy::InitializeIfNeeded() -> 
LocalWindowProxy::Initialize()

Last function initializes global_proxy_:
if (global_proxy_.IsEmpty()) {
  global_proxy_.Set(GetIsolate(), context->Global());
  CHECK(!global_proxy_.IsEmpty());
}

When main frame renderer processes iframe, it Swaps frames: remote to local. (See stacktrace in comment above).
In swapping frames it moves global_proxies from old frame to the new one, supposing the global_proxy_ in new frame is empty.
CHECK(global_proxy_.IsEmpty()) fails because it is not.

Note:
there is a comment in ToV8ContextEvenIfDetached function:
"// TODO(yukishiino): this method probably should not force context creation,
// but it does through WindowProxy() call."

May be here is the problem.

Comment 8 by susan.boorgula@chromium.org, Oct 17

Labels: Triaged-ET TE-NeedsTriageHelp

This issue is out of scope of triaging at TE end.
Hence adding 'TE-NeedsTriageHelp' and requesting the appropriate team to look into the issue and help in further triaging.

Thanks..

►

Issue 874256 link

Issue metadata

headless_shell crashes with FATAL error: Check failed: global_proxy_.IsEmpty

Issue description

Comment 1 by bio.just...@gmail.com, Aug 14

Comment 1 Deleted

Comment 2 by swarnasree.mukkala@chromium.org, Aug 15

Comment 2 Deleted

Comment 3 by morlovich@chromium.org, Aug 17

Comment 3 Deleted

Comment 4 by bio.just...@gmail.com, Aug 18

Comment 4 Deleted

Comment 5 by morlovich@chromium.org, Aug 20

Comment 5 Deleted

Comment 6 by chrishtr@chromium.org, Aug 20

Comment 6 Deleted

Comment 7 by marytara...@yandex-team.ru, Sep 21

Comment 7 Deleted

Comment 8 by susan.boorgula@chromium.org, Oct 17

Comment 8 Deleted

Sign in to add a comment