Bug P1
Comments
re...@gmail.com <re...@gmail.com> #2
I reproduce the problem with
```
import { chromium, firefox, webkit } from "playwright";
const browser = await chromium.launch({ headless: false });
const context = await browser.newContext();
const page = await context.newPage();
await page.evaluate(() => {
  const iframe = document.createElement("iframe");
  iframe.src = "data:text/html,<body></body>";
  document.body.appendChild(iframe);
  // window.open() called on the freshly inserted iframe's window crashes the Chromium renderer
  iframe.contentWindow.open("", "", "top=9999");
});
```
```
Received signal 11 SEGV_MAPERR 000000000020 +833ms
#0 0x5b4483191cd2 base::debug::CollectStackTrace() +30ms
#1 0x5b448317eeae base::debug::StackTrace::StackTrace() +26ms
#2 0x5b44831916e1 base::debug::(anonymous namespace)::StackDumpSignalHandler() +52ms
#3 0x75ba13245320 (/usr/lib/x86_64-linux-gnu/libc.so.6+0x4531f) +0ms
#4 0x5b4486be7510 (/home/regseb/.cache/ms-playwright/chromium-1134/chrome-linux/chrome+0xcb4b50f) +49ms
#5 0x5b4486bf6ce6 blink::LocalDOMWindow::open() +34ms
#6 0x5b4487d531b8 blink::(anonymous namespace)::v8_window::OpenOperationCallback() +35ms
#7 0x5b44807ce9de Builtins_CallApiCallbackGeneric +7ms
r8: 0000000000000000 r9: 0000000000000000 r10: 0000000000004000 r11: 0000000000000246 +1ms
r12: 000014e40022aab0 r13: 000000003bcfff01 r14: 000014e400157e20 r15: 00005b448a32c2c0 +0ms
di: 0000000000000000 si: 8000000000000000 bp: 00007ffc55a4a560 bx: 000014e4002267f0 +0ms
dx: 0000000000000001 ax: 0000000000000b00 cx: 0000000000000bff sp: 00007ffc55a49988 +0ms
ip: 00005b4486be7510 efl: 0000000000010246 cgf: 002b000000000033 erf: 0000000000000004 +0ms
trp: 000000000000000e msk: 0000000000000000 cr2: 0000000000000020 +0ms
[end of stack trace] +
```
It works with firefox and webkit. And if I manually open Chromium and run the code inside `evaluate(() => { ... })`, the popup opens.
Description
```
const puppeteer = require("puppeteer");

async function main() {
  const browser = await puppeteer.launch({
    executablePath: '/usr/local/google/home/alexrudenko/chromium/src/out/Release/chrome',
    dumpio: true,
    headless: false,
  });
  console.log("Browser is created.");
  const pages = await browser.pages();
  const page = pages[0];
  await page.evaluate(() => {
    const f = document.createElement("iframe");
    f.src = "data:text/html;charset=utf-8,<p></p>";
    document.body.appendChild(f);
    console.log("fire");
    // window.open() from the iframe's window crashes the renderer
    f.contentWindow.open("", "", "top=9999,left=9999,width=100,height=100");
  });
}

main();
```
Expected:
no crash, a popup is opened.
Actual:
Browser crashes.
```
[0515/124625.088885:ERROR:file_io_posix.cc(145)] open /sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq: No such file or directory (2)
[0515/124625.089033:ERROR:file_io_posix.cc(145)] open /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq: No such file or directory (2)
Received signal 11 SEGV_MAPERR 000000000020
#0 0x7ff9d10d0992 base::debug::CollectStackTrace() [../../base/debug/stack_trace_posix.cc:1043:7]
#1 0x7ff9d10b639e base::debug::StackTrace::StackTrace() [../../base/debug/stack_trace.cc:241:20]
#2 0x7ff9d10d0391 base::debug::(anonymous namespace)::StackDumpSignalHandler() [../../base/debug/stack_trace_posix.cc:462:3]
#3 0x7ff9bedca510 (/usr/lib/x86_64-linux-gnu/libc.so.6+0x3c50f)
#4 0x7ff9c40847a0 (/usr/local/google/home/alexrudenko/chromium/src/out/Release/libblink_core.so+0x148479f)
#5 0x7ff9c409e8a2 blink::LocalDOMWindow::open() [../../third_party/blink/renderer/core/frame/local_dom_window.cc:2302:47]
#6 0x7ff9c0a52318 blink::(anonymous namespace)::v8_window::OpenOperationCallback() [gen/third_party/blink/renderer/bindings/modules/v8/v8_window.cc:15737:39]
#7 0x7ff9c5a6944f Builtins_CallApiCallbackGeneric
r8: 0000000000000000 r9: 0000050001081040 r10: 00007ff9c2ae84a8 r11: 00007ff9c2b75820
r12: 0000291f002271b0 r13: 0000000000000001 r14: 00007ff9c6ea6f00 r15: 00007ffcf569c3b8
di: 0000000000000000 si: 0000000000000000 bp: 00007ffcf569c0c0 bx: 0000291f00223070
dx: 0000000000000000 ax: fdb2eb1f1f826700 cx: 0000000000000000 sp: 00007ffcf569b4e8
ip: 00007ff9c40847a0 efl: 0000000000010246 cgf: 002b000000000033 erf: 0000000000000004
trp: 000000000000000e msk: 0000000000000000 cr2: 0000000000000020
[end of stack trace]
../../sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc:**CRASHING**:seccomp-bpf failure in syscall nr=0x25 arg1=0x5 arg2=0x7ffcf56999f0 arg3=0x0 arg4=0x7ff9beda85a8
```
I logged the GetFrame result and it appears to be a nullptr:
```
[3783676:1:0515/124625.010670:ERROR:local_dom_window.cc(2301)] (nil)
```
Crash ID: b180583f32e07283
Originally reported in
The issue does not seem to reproduce if an automation client such as Puppeteer is attached (the exact pre-condition is not clear yet).
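As an added example (not part of this report or of Chromium), the following Node.js script parses crash dumps in the format quoted above and extracts the facts a triager wants first: the signal and faulting address, the frame whose pc matches the `ip` register (the real crash site, here the unsymbolised frame #4), the nearest symbolised caller (`blink::LocalDOMWindow::open()`), and whether `cr2` agrees with the reported fault address. A fault address inside the first page, such as 0x20 here, is a null pointer plus a small member offset, which is consistent with the nullptr `GetFrame()` result logged above. `SAMPLE_DUMP` is a constructed excerpt of the description's dump, with a Playwright-style `+833ms` suffix added to the first line to show that the parser tolerates both dump styles; the 4096-byte page-size threshold is an assumption of this script.

```javascript
// Added triage helper for Chromium "Received signal" crash dumps (example code,
// not from the bug report). SAMPLE_DUMP is a constructed excerpt of the dump in
// the description; the "+833ms" suffix on the first line mimics Playwright's output.
const SAMPLE_DUMP = `
Received signal 11 SEGV_MAPERR 000000000020 +833ms
#0 0x7ff9d10d0992 base::debug::CollectStackTrace() [../../base/debug/stack_trace_posix.cc:1043:7]
#1 0x7ff9d10b639e base::debug::StackTrace::StackTrace() [../../base/debug/stack_trace.cc:241:20]
#2 0x7ff9d10d0391 base::debug::(anonymous namespace)::StackDumpSignalHandler() [../../base/debug/stack_trace_posix.cc:462:3]
#3 0x7ff9bedca510 (/usr/lib/x86_64-linux-gnu/libc.so.6+0x3c50f)
#4 0x7ff9c40847a0 (/usr/local/google/home/alexrudenko/chromium/src/out/Release/libblink_core.so+0x148479f)
#5 0x7ff9c409e8a2 blink::LocalDOMWindow::open() [../../third_party/blink/renderer/core/frame/local_dom_window.cc:2302:47]
#6 0x7ff9c0a52318 blink::(anonymous namespace)::v8_window::OpenOperationCallback() [gen/third_party/blink/renderer/bindings/modules/v8/v8_window.cc:15737:39]
#7 0x7ff9c5a6944f Builtins_CallApiCallbackGeneric
di: 0000000000000000 si: 0000000000000000 bp: 00007ffcf569c0c0 bx: 0000291f00223070
ip: 00007ff9c40847a0 efl: 0000000000010246 cgf: 002b000000000033 erf: 0000000000000004
trp: 000000000000000e msk: 0000000000000000 cr2: 0000000000000020
[end of stack trace]
`;

// Strip the "+NNNms" timing suffix that Playwright appends to each dumped line
// (a bare trailing "+" from a truncated suffix is dropped as well).
function stripTiming(line) {
  return line.replace(/\s\+\d*(?:ms)?$/, "").trim();
}

// Parse one dump into signal info, stack frames and the register block.
// Addresses are kept as BigInt so 64-bit values are compared exactly.
function parseCrashDump(text) {
  const report = { signal: null, code: null, faultAddress: null, frames: [], registers: {} };
  for (const raw of text.split("\n")) {
    const line = stripTiming(raw);
    let m;
    if ((m = line.match(/^Received signal (\d+) (\S+) ([0-9a-f]+)$/))) {
      report.signal = Number(m[1]);
      report.code = m[2];
      report.faultAddress = BigInt("0x" + m[3]);
    } else if ((m = line.match(/^#(\d+) 0x([0-9a-f]+)(?: (.*))?$/))) {
      const frame = { index: Number(m[1]), pc: BigInt("0x" + m[2]), symbol: null, location: null, module: null };
      const rest = m[3] || "";
      let mm;
      if ((mm = rest.match(/^\((.+)\+0x([0-9a-f]+)\)$/))) {
        frame.module = mm[1]; // unsymbolised frame: "(module+0xoffset)"
      } else if ((mm = rest.match(/^(.*?)(?: \[(.+)\])?$/))) {
        frame.symbol = mm[1] || null; // symbol name, spaces allowed (anonymous namespaces)
        frame.location = mm[2] || null; // "[file:line:col]" when the build has symbols
      }
      report.frames.push(frame);
    } else if (/^\w+: [0-9a-f]{16}/.test(line)) {
      for (const [, name, hex] of line.matchAll(/(\w+): ([0-9a-f]{16})/g)) {
        report.registers[name] = BigInt("0x" + hex);
      }
    }
  }
  return report;
}

// Assumed page size: a fault address below it is a null pointer plus a small
// member offset, i.e. a plain crash rather than a controlled out-of-bounds access.
const PAGE_SIZE = 4096n;

// Summarise a dump for triage. The crash frame is the one whose pc equals the
// ip register; the nearest symbolised frame at or after it names the code involved.
function triage(text) {
  const r = parseCrashDump(text);
  const crashIndex = r.frames.findIndex((f) => f.pc === r.registers.ip);
  const nearest = crashIndex >= 0 ? r.frames.slice(crashIndex).find((f) => f.symbol) : undefined;
  return {
    signal: r.signal,
    code: r.code,
    faultAddress: r.faultAddress,
    likelyNullDeref: r.signal === 11 && r.faultAddress !== null && r.faultAddress < PAGE_SIZE,
    cr2MatchesFault: r.registers.cr2 === r.faultAddress,
    crashFrameIndex: crashIndex,
    nearestSymbol: nearest ? nearest.symbol : null,
    nearestLocation: nearest ? nearest.location : null,
  };
}

console.log(triage(SAMPLE_DUMP));
```

Run it with `node triage.js` (any filename works). On the sample it reports `likelyNullDeref: true`, `crashFrameIndex: 4` and `nearestSymbol: 'blink::LocalDOMWindow::open()'`, which is the same conclusion the description reaches by logging `GetFrame()`; a fault address far above the first page would instead warrant treating the crash as potentially memory-safety relevant until proven otherwise.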