[Bug]: Segmentation fault when using loadExtension and using updater

[David-Development]

Preflight Checklist

• I have read the Contributing Guidelines for this project.
• I agree to follow the Code of Conduct that this project adheres to.
• I have searched the issue tracker for a feature request that matches the one I want to file, without success.

Electron Version

16.0.5

What operating system are you using?

macOS

Operating System Version

MacOS Monterey 12.0.1

What arch are you using?

x64

Last Known Working Electron version

No response

Expected Behavior

The Electron App should not crash when the updater tries to fetch updates

Actual Behavior

The app crashes (Segmentation fault) as soon as the electron-updater triggers an update. Interestingly enough, the crash only happens in case the loaded chrome extension uses the webRequest permission. If you remove the webRequest permission the application runs just fine. The crash also only happens in the packaged / release build - probably due to the fact, that the updater doesn't make any request during development.

I created a minimal example to reproduce the error. If you run the example app you should see the app starting properly and then it'll crash after about 5 seconds (once the updater makes a network request).

git clone https://github.com/David-Development/electron-quick-start.git
cd electron-quick-start
npm i
npm run pack 
open ./dist/mac/electron-quick-start.app/Contents/MacOS/electron-quick-start

If you remove the webRequest permission from the extensions manifest file it works just fine.

I think this might be related to #32258 however the error is different (EXC_BREAKPOINT vs EXC_BAD_ACCESS) therefore I opened a new issue in order not to hijack the thread.

Testcase Gist URL

No response

Additional Information

Process:               electron-quick-start [6394]
Path:                  /Users/USER/*/electron-quick-start.app/Contents/MacOS/electron-quick-start
Identifier:            de.luhmer.test
Version:               1.0.0 (1.0.0)
Code Type:             X86-64 (Native)
Parent Process:        zsh [6368]
Responsible:           Terminal [64202]
User ID:               501

Date/Time:             2021-12-22 08:52:19.5940 +0100
OS Version:            macOS 12.0.1 (21A559)
Report Version:        12
Bridge OS Version:     6.0 (19P548)
Anonymous UUID:        A3244D7D-4449-B691-97DC-81AC26A6E1A3

Sleep/Wake UUID:       EEA2F496-B04D-487D-A4F7-9CC0EC140EA3

Time Awake Since Boot: 1400000 seconds
Time Since Wake:       7894 seconds

System Integrity Protection: enabled

Crashed Thread:        0  CrBrowserMain  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000000
Exception Codes:       0x0000000000000001, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Termination Reason:    Namespace SIGNAL, Code 11 Segmentation fault: 11
Terminating Process:   exc handler [6394]

VM Region Info: 0 is not in any region.  Bytes before following region: 4325986304
      REGION TYPE                    START - END         [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      UNUSED SPACE AT START
--->  
      __TEXT                      101d95000-101dd2000    [  244K] r-x/r-x SM=COW  ...n-quick-start
...

[codebytere]

Pulled out a stacktrace:

stacktrace

electron-quick-start on git:master ❯ e start .                              8:53AM
Running "/Users/codebytere/Developer/electron-gn/src/out/Testing/Electron.app/Contents/MacOS/Electron ."
autoUpdater.channel null
autoUpdater.currentVersion 1.0.0
[43423:0106/085444.379612:ERROR:native_widget_mac.mm(410)] Not implemented reached in virtual const gfx::ImageSkia *views::NativeWidgetMac::GetWindowIcon()
[43423:0106/085444.379674:ERROR:native_widget_mac.mm(414)] Not implemented reached in virtual const gfx::ImageSkia *views::NativeWidgetMac::GetWindowAppIcon()
Loading extension from path: /Users/codebytere/Developer/repros/electron-quick-start/extensions/test-extension/
Extension loaded! lhohgdfpgonmejnogkgdmkdnnfokinin - Test Extension@1.0
let it crash!
Checking for update
[43423:0106/085448.990266:FATAL:web_request_api.cc(726)] Check failed: frame.
0   Electron Framework                  0x0000000111d0d959 base::debug::CollectStackTrace(void**, unsigned long) + 9
1   Electron Framework                  0x0000000111c33673 base::debug::StackTrace::StackTrace() + 19
2   Electron Framework                  0x0000000111c4d8af logging::LogMessage::~LogMessage() + 175
3   Electron Framework                  0x0000000111c4e87e logging::LogMessage::~LogMessage() + 14
4   Electron Framework                  0x00000001119ba50f extensions::WebRequestAPI::MaybeProxyURLLoaderFactory(content::BrowserContext*, content::RenderFrameHost*, int, content::ContentBrowserClient::URLLoaderFactoryType, absl::optional<long long>, ukm::SourceIdObj, mojo::PendingReceiver<network::mojom::URLLoaderFactory>*, mojo::PendingRemote<network::mojom::TrustedURLLoaderHeaderClient>*) + 671
5   Electron Framework                  0x000000010d7a94f5 electron::ElectronBrowserClient::WillCreateURLLoaderFactory(content::BrowserContext*, content::RenderFrameHost*, int, content::ContentBrowserClient::URLLoaderFactoryType, url::Origin const&, absl::optional<long long>, ukm::SourceIdObj, mojo::PendingReceiver<network::mojom::URLLoaderFactory>*, mojo::PendingRemote<network::mojom::TrustedURLLoaderHeaderClient>*, bool*, bool*, mojo::StructPtr<network::mojom::URLLoaderFactoryOverride>*) + 309
6   Electron Framework                  0x000000010d7b1b1c electron::ElectronBrowserContext::GetURLLoaderFactory() + 220
7   Electron Framework                  0x000000010d7474db electron::api::SimpleURLLoaderWrapper::Create(gin::Arguments*) + 3195
8   Electron Framework                  0x000000010d70e941 void gin_helper::Invoker<gin_helper::IndicesHolder<0ul>, gin::Arguments*>::DispatchToCallback<gin::Handle<electron::api::SimpleURLLoaderWrapper> >(base::RepeatingCallback<gin::Handle<electron::api::SimpleURLLoaderWrapper> (gin::Arguments*)>) + 129
9   Electron Framework                  0x000000010d70e82a gin_helper::Dispatcher<gin::Handle<electron::api::SimpleURLLoaderWrapper> (gin::Arguments*)>::DispatchToCallback(v8::FunctionCallbackInfo<v8::Value> const&) + 250
10  Electron Framework                  0x000000010f029b8b v8::internal::FunctionCallbackArguments::Call(v8::internal::CallHandlerInfo) + 811
11  Electron Framework                  0x000000010f027b34 v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) + 1748
12  Electron Framework                  0x000000010f025793 v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*) + 483
13  Electron Framework                  0x000000010f02531d v8::internal::Builtin_HandleApiCall(int, unsigned long*, v8::internal::Isolate*) + 109
14  ???                                 0x0000003407edeab8 0x0 + 223471332024
15  ???                                 0x0000003407e4f622 0x0 + 223470745122
16  ???                                 0x0000003407e4f622 0x0 + 223470745122
17  ???                                 0x0000003407e4f622 0x0 + 223470745122
18  ???                                 0x0000003407e4f622 0x0 + 223470745122
Task trace:
0   Electron Framework                  0x000000010d871b15 electron::NodeBindings::WakeupMainThread() + 165
Crash keys:
  "ui_scheduler_async_stack" = "0x10D871B15 0x0"
  "io_scheduler_async_stack" = "0x1108DCE1A 0x10D871B15"
  "platform" = "darwin"
  "process_type" = "browser"

I'll try to dig around more soon. @David-Development do you know if this worked in a previous version?

[codebytere]

@sentialx you may have some thoughts here - this is happening bc

electron/shell/browser/electron_browser_client.cc

Lines 1368 to 1371 in bd10b19

	bool use_proxy_for_web_request =
	web_request_api->MaybeProxyURLLoaderFactory(
	browser_context, frame_host, render_process_id, type, navigation_id,
	ukm_source_id, factory_receiver, header_client);

is being called with a null frame_host - this frame_host however would always be null since we explicitly call it with nullptr:

electron/shell/browser/electron_browser_context.cc

Lines 331 to 336 in d6de243

	static_cast<content::ContentBrowserClient*>(ElectronBrowserClient::Get())
	->WillCreateURLLoaderFactory(
	this, nullptr, -1,
	content::ContentBrowserClient::URLLoaderFactoryType::kNavigation,
	url::Origin(), absl::nullopt, ukm::kInvalidSourceIdObj,
	&factory_receiver, &header_client, nullptr, nullptr, nullptr);

(this code was added in #22655)

[David-Development]

@codebytere Thank you for looking into it! I am not aware that it worked in a previous version. I only tested it on Electron 15 and 16 I believe.

[sentialx]

@codebytere Is that the only code path that's calling the webRequest API? If it is, then that's a problem, but if not, then we might want to just add a null check.

[codebytere]

@sentialx i think it might be a little more complex then that because if i add a check for type == content::ContentBrowserClient::URLLoaderFactoryType::kNavigation && !frame_host before proceeding in that codeblock it stops loading......anything

[sentialx]

@codebytere Maybe this could work?

if (!web_request->HasListener() && frame_host) {

[codebytere]

Looks like this has been fixed - no longer reproduces in latest versions. Happy to re-open if begins happening again!