Sandbox: crash when sending non-cloneable elements back via contextbridge

[bpasero]

I noticed that after a restart, I am greeted with the following dialog:

Managed to get a crash dmp:

b98c6b58-72f2-4348-9954-e7d58fc789be.dmp.zip

This does not reproduce with stable. I think this is quite bad and would block a E19 update.

Steps:

• have 1 window open, e.g. empty, no need to open a folder
• restart macOS and check the option to reopen apps
• wait until OS restarted and apps reopen
• eventually VSCode crashes

[deepak1556]

From the stack trace, the crash is caused by an JS exception being triggered when receiving some IPC message in preload and the exception does not get handled causing it to be propagated to workbench. Since we have enabled sandbox which also implies context isolation, the exception created in preload v8 context cannot be handled by workbench which lives in a different v8 context causing this abort from the runtime. I will need to investigate further on what exception is triggered and why we don't handle it in the preload script.

Operating system: Mac OS X
                  12.5.0 21G72
CPU: amd64
     family 6 model 158 stepping 13
     16 CPUs

GPU: UNKNOWN

Crash reason:  EXC_BREAKPOINT / EXC_I386_BPT
Crash address: 0x11b39651d
Process uptime: 10 seconds

Thread 0 (crashed)
 0  Electron Framework!blink::WorldSafeV8ReferenceInternal::MaybeCheckCreationContextWorld(blink::DOMWrapperWorld const&, v8::Local<v8::Value>) [world_safe_v8_reference.cc : 50 + 0x0]
    rax = 0x0000004d00204901   rdx = 0x00007fbf73844820
    rcx = 0x0000001700145340   rbx = 0x00007fbf7380cdb0
    rsi = 0x0000004d00000000   rdi = 0x0000000000000000
    rbp = 0x00007ff7b2aa5510   rsp = 0x00007ff7b2aa5500
     r8 = 0x0000004d01c80000    r9 = 0x0000004d00000000
    r10 = 0x00000000ffffff0f   r11 = 0xffffffc2feeac590
    r12 = 0x00007fbf58008000   r13 = 0x0000004d00000007
    r14 = 0x00000010002471f0   r15 = 0x00007fbf7380cdb0
    rip = 0x000000011b39651d
    Found by: given as instruction pointer in context
 1  Electron Framework!blink::V8Initializer::MessageHandlerInMainThread(v8::Local<v8::Message>, v8::Local<v8::Value>) [world_safe_v8_reference.h : 60 + 0x8]
    rbp = 0x00007ff7b2aa55a0   rsp = 0x00007ff7b2aa5520
    rip = 0x000000011b373e3d
    Found by: previous frame's frame pointer
 2  Electron Framework!v8::internal::MessageHandler::ReportMessageNoExceptions(v8::internal::Isolate*, v8::internal::MessageLocation const*, v8::internal::Handle<v8::internal::Object>, v8::Local<v8::Value>) [messages.cc : 192 + 0x6]
    rbp = 0x00007ff7b2aa5640   rsp = 0x00007ff7b2aa55b0
    rip = 0x000000011894e2c3
    Found by: previous frame's frame pointer
 3  Electron Framework!v8::internal::MessageHandler::ReportMessage(v8::internal::Isolate*, v8::internal::MessageLocation const*, v8::internal::Handle<v8::internal::JSMessageObject>) [messages.cc : 157 + 0x12]
    rbp = 0x00007ff7b2aa56e0   rsp = 0x00007ff7b2aa5650
    rip = 0x000000011894dfef
    Found by: previous frame's frame pointer
 4  Electron Framework!v8::internal::Isolate::ReportPendingMessages() [isolate.cc : 2575 + 0xe]
    rbp = 0x00007ff7b2aa5750   rsp = 0x00007ff7b2aa56f0
    rip = 0x000000011893d816
    Found by: previous frame's frame pointer
 5  Electron Framework!v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) [execution.cc : 0 + 0x8]
    rbp = 0x00007ff7b2aa58a0   rsp = 0x00007ff7b2aa5760
    rip = 0x00000001189266c2
    Found by: previous frame's frame pointer
 6  Electron Framework!v8::Function::Call(v8::Local<v8::Context>, v8::Local<v8::Value>, int, v8::Local<v8::Value>*) [api.cc : 5252 + 0x1c]
    rbp = 0x00007ff7b2aa5990   rsp = 0x00007ff7b2aa58b0
    rip = 0x0000000118818d57
    Found by: previous frame's frame pointer
 7  Electron Framework!electron::(anonymous namespace)::EmitIPCEvent(v8::Local<v8::Context>, bool, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::vector<v8::Local<v8::Value>, std::__1::allocator<v8::Local<v8::Value> > >, v8::Local<v8::Value>, int) [electron_api_service_impl.cc : 81 + 0xe]
    rbp = 0x00007ff7b2aa5ba0   rsp = 0x00007ff7b2aa59a0
    rip = 0x00000001170b98f0
    Found by: previous frame's frame pointer
 8  Electron Framework!electron::ElectronApiServiceImpl::Message(bool, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, blink::CloneableMessage, int) [electron_api_service_impl.cc : 176 + 0x1a]
    rbp = 0x00007ff7b2aa5c20   rsp = 0x00007ff7b2aa5bb0
    rip = 0x00000001170b9632
    Found by: previous frame's frame pointer
 9  Electron Framework!electron::mojom::ElectronRendererStubDispatch::Accept(electron::mojom::ElectronRenderer*, mojo::Message*) [api.mojom.cc : 495 + 0x17]
    rbp = 0x00007ff7b2aa6010   rsp = 0x00007ff7b2aa5c30
    rip = 0x00000001197f455d
    Found by: previous frame's frame pointer
10  Electron Framework!mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) [interface_endpoint_client.cc : 922 + 0x9]
    rbp = 0x00007ff7b2aa6130   rsp = 0x00007ff7b2aa6020
    rip = 0x0000000119d57f80
    Found by: previous frame's frame pointer
11  Electron Framework!mojo::MessageDispatcher::Accept(mojo::Message*) [message_dispatcher.cc : 43 + 0x9]
    rbp = 0x00007ff7b2aa6190   rsp = 0x00007ff7b2aa6140
    rip = 0x0000000119d5c427
    Found by: previous frame's frame pointer
12  Electron Framework!mojo::InterfaceEndpointClient::HandleIncomingMessage(mojo::Message*) [interface_endpoint_client.cc : 664 + 0x5]
    rbp = 0x00007ff7b2aa62f0   rsp = 0x00007ff7b2aa61a0
    rip = 0x0000000119d59add
    Found by: previous frame's frame pointer
13  Electron Framework!mojo::internal::MultiplexRouter::Accept(mojo::Message*) [multiplex_router.cc : 1096 + 0xb]
    rbp = 0x00007ff7b2aa6560   rsp = 0x00007ff7b2aa6300
    rip = 0x0000000119d64c0d
    Found by: previous frame's frame pointer
14  Electron Framework!mojo::MessageDispatcher::Accept(mojo::Message*) [message_dispatcher.cc : 43 + 0x9]
    rbp = 0x00007ff7b2aa65c0   rsp = 0x00007ff7b2aa6570
    rip = 0x0000000119d5c427
    Found by: previous frame's frame pointer
15  Electron Framework!mojo::Connector::ReadAllAvailableMessages() [connector.cc : 561 + 0x9]
    rbp = 0x00007ff7b2aa67e0   rsp = 0x00007ff7b2aa65d0
    rip = 0x0000000119d550ce
    Found by: previous frame's frame pointer

[bpasero]

Ah yeah true, I forgot that this could also just be sandbox related and not Electron related...

[bpasero]

Confirmed it is related to sandbox and what might be related is that I always see this error:

Suggesting that resolveShellEnv is timing out after 10 seconds.

vscode/src/vs/base/parts/sandbox/electron-browser/preload.js

Lines 94 to 104 in 337d420

	const resolveShellEnv = (async () => {
	// Resolve `userEnv` from configuration and
	// `shellEnv` from the main side
	const [userEnv, shellEnv] = await Promise.all([
	(async () => (await resolveConfiguration).userEnv)(),
	ipcRenderer.invoke('vscode:fetchShellEnv')
	]);
	return { ...process.env, ...shellEnv, ...userEnv };
	})();

[bpasero]

I can confirm it is related to slow resolving shell env, so its probably reproducable even running out of sources. I had commented out this from my ~/.zshrc and it does NOT reproduce even when sandbox is on:

# export NVM_DIR="$HOME/.nvm"
# [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"  # This loads nvm
# [ -s "$NVM_DIR/bash_completion" ] && \. "$NVM_DIR/bash_completion"  # This loads nvm bash_completion

[bpasero]

It just reproduced without OS restart, so it is unrelated to that, it was just that OS restart made it happen easily.

[bpasero]

I am fine closing this given the mitigation.

[deepak1556]

Closing as issue has been inactive for a while and not priority at the moment.