[Bug]: Browser crashes when a navigational request is aborted using --single-process flag #12195

Open
2 tasks
heaven opened this issue Apr 3, 2024 · 14 comments

heaven commented Apr 3, 2024

Minimal, reproducible example

import puppeteer from 'puppeteer';

const args = [
  '--allow-pre-commit-input',
  '--disable-background-networking',
  '--disable-background-timer-throttling',
  '--disable-backgrounding-occluded-windows',
  '--disable-breakpad',
  '--disable-client-side-phishing-detection',
  '--disable-component-extensions-with-background-pages',
  '--disable-component-update',
  '--disable-default-apps',
  '--disable-dev-shm-usage',
  '--disable-extensions',
  '--disable-hang-monitor',
  '--disable-ipc-flooding-protection',
  '--disable-popup-blocking',
  '--disable-prompt-on-repost',
  '--disable-renderer-backgrounding',
  '--disable-sync',
  '--enable-automation',
  '--enable-blink-features=IdleDetection',
  '--export-tagged-pdf',
  '--force-color-profile=srgb',
  '--metrics-recording-only',
  '--no-first-run',
  '--password-store=basic',
  '--use-mock-keychain',
  '--disable-domain-reliability',
  '--disable-print-preview',
  '--disable-speech-api',
  '--disk-cache-size=33554432',
  '--mute-audio',
  '--no-default-browser-check',
  '--no-pings',
  '--single-process',
  '--font-render-hinting=none',
  '--disable-features=Translate,BackForwardCache,AcceptCHFrame,MediaRouter,OptimizationHints,AudioServiceOutOfProcess,IsolateOrigins,site-per-process',
  '--enable-features=NetworkServiceInProcess2,SharedArrayBuffer',
  '--hide-scrollbars',
  '--ignore-gpu-blocklist',
  '--in-process-gpu',
  '--disable-webgl',
  '--allow-running-insecure-content',
  '--disable-setuid-sandbox',
  '--disable-site-isolation-trials',
  '--disable-web-security',
  '--no-sandbox',
  '--no-zygote',
  "--headless='chrome-headless-shell'",
  "--disk-cache-size=268435456",
  "--window-size=1366,4608",
  "--ignore-certificate-errors",
  "--user-data-dir=/tmp/chrome-user-data"
]

(async () => {
  // Launch the browser and open a new blank page
  const browser = await puppeteer.launch({
    args:              args,
    defaultViewport:   { width: 1366, height: 4608 },
    headless:          "chrome-headless-shell",
    dumpio:            true
  });

  const page = await browser.newPage();

  // Enable request interceptions
  await page.setRequestInterception(true);

  // Abort navigation requests; let every other request continue
  await page.on("request", (request) => {
    if (request.isInterceptResolutionHandled()) return;

    if (request.isNavigationRequest())
      request.abort("blockedbyclient");
    else
      request.continue();
  });

  // Navigate the page to a URL
  await page.goto('https://developer.chrome.com/');

  await browser.close();
})();

Error string

bad_message.cc(29)] Terminating renderer for bad IPC message, reason 205

Bug behavior

  • Flaky
  • PDF

Background

This upstream bug happens when the single-process option is set. In this case, when a navigational request is being aborted the renderer is being killed, which leads to browser death. This shouldn't happen in a single process mode I believe.

I was able to reproduce this with response interceptions as well: https://stackoverflow.com/a/78263262/4846702

More details about what is happening: https://issues.chromium.org/issues/40058380

Expectation

The browser should keep running when a navigational request is aborted.

Reality

The browser process dies along with the renderer.

Puppeteer configuration file (if used)

No response

Puppeteer version

22.4.1

Node version

20.11.1

Package manager

npm

Package manager version

10.2.4

Operating system

Linux

heaven added the bug label Apr 3, 2024

github-actions bot commented Apr 3, 2024

This issue has an outdated Puppeteer version: 22.4.1. Please verify your issue on the latest 22.6.2 version. Then update the form accordingly.


Collaborator

OrKoN commented Apr 3, 2024

'--single-process' is not really a flag that is officially supported. Are you sure https://issues.chromium.org/issues/40058380 is the right issue? (seems to be unrelated)

Collaborator

OrKoN commented Apr 3, 2024

See https://groups.google.com/a/chromium.org/g/chromium-dev/c/9Nmw91P45wM w.r.t. the discussion about --single-process

Author

heaven commented Apr 3, 2024

This part is causing the issue

  // Commits in the error page process must only be failures, otherwise
  // successful navigations could commit documents from origins different
  // than the chrome-error://chromewebdata/ one and violate expectations.
  if (should_commit_error_page &&
      (navigation_request && !navigation_request->DidEncounterError())) {
    DEBUG_ALIAS_FOR_ORIGIN(origin_debug_alias, params->origin);
    bad_message::ReceivedBadMessage(
        process, bad_message::RFH_ERROR_PROCESS_NON_ERROR_COMMIT);
    return false;
  }

Well, probably not this part exactly, that's where my digging skills ended up ;)

The original error message I'm getting says bad_message.cc(29)] Terminating renderer for bad IPC message, reason 205. I was able to track that message down here https://chromium.googlesource.com/chromium/src/+/master/content/browser/bad_message.h

The RFH_ERROR_PROCESS_NON_ERROR_COMMIT in particular.
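
For triage of the crash described above, the renderer-kill message can be picked out of captured browser stderr (what `dumpio: true` prints). This is an added example, not code from the thread or from Puppeteer; the function names and the sample log lines are constructed, and the only reason code mapped is the one named in this issue.

```javascript
// Reason codes taken from this thread only; anything else has to be looked up
// in content/browser/bad_message.h for the Chromium build in use.
const KNOWN_REASONS = new Map([[205, 'RFH_ERROR_PROCESS_NON_ERROR_COMMIT']]);

// Matches the message quoted in the issue, with or without a log prefix
// in front of the source file name.
const KILL_RE =
  /bad_message\.cc\((\d+)\)\] Terminating renderer for bad IPC message, reason (\d+)/;

// Returns one record per renderer kill found in the captured stderr text.
function findRendererKills(stderrText) {
  const kills = [];
  stderrText.split(/\r?\n/).forEach((line, index) => {
    const m = KILL_RE.exec(line);
    if (!m) return;
    const reason = Number(m[2]);
    kills.push({
      lineNumber: index + 1,          // position in the captured output
      sourceLine: Number(m[1]),       // line inside bad_message.cc
      reason,
      name: KNOWN_REASONS.get(reason) ?? 'UNKNOWN',
    });
  });
  return kills;
}

// Groups kills by reason so repeated crashes show up as a count.
function summarizeKills(kills) {
  const counts = {};
  for (const k of kills) {
    const key = `${k.reason}:${k.name}`;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

// Constructed sample output (not captured from a real run).
const SAMPLE_STDERR = [
  'DevTools listening on ws://127.0.0.1:9222/devtools/browser/example',
  '[1:1:0403/101500.000001:ERROR:bad_message.cc(29)] Terminating renderer for bad IPC message, reason 205',
  '[1:1:0403/101500.000002:WARNING:example.cc(10)] unrelated constructed line',
  'bad_message.cc(29)] Terminating renderer for bad IPC message, reason 999',
].join('\n');

console.log(summarizeKills(findRendererKills(SAMPLE_STDERR)));
```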

Author

heaven commented Apr 3, 2024

> See https://groups.google.com/a/chromium.org/g/chromium-dev/c/9Nmw91P45wM w.r.t. the discussion about --single-process

It seems a must for us, otherwise chromium just won't start in an environment such as Lambda. I tried to but failed.

OrKoN changed the title from "[Bug]: Browser crashes when a navigational request is aborted" to "[Bug]: Browser crashes when a navigational request is aborted using --single-process flag" on Apr 3, 2024
Collaborator

OrKoN commented Apr 3, 2024

We can keep the issue open but it is up to the Chromium team to decide if they will support/fix it. Lambda is not really a target environment for the browser.

Collaborator

OrKoN commented Apr 3, 2024

I believe headless: "chrome-headless-shell" should be shell if you want to launch chrome-headless-shell

Collaborator

OrKoN commented Apr 3, 2024

@heaven would you mind filing a new crbug.com issue with a reproducible example and mentioning the --single-process bug? It looks like the previous was fixed/closed.

Author

heaven commented Apr 3, 2024

Collaborator

OrKoN commented Apr 4, 2024

Got to my Linux machine but I am not able to reproduce this crash on Linux. Is it only happening on Lambda?

Author

heaven commented Apr 4, 2024

I feel bad already each time I hear the word Lambda 🙂 But yes, that's where I see this.


dstapp commented Apr 4, 2024

I also have this in a Docker container using node:21 base image with Debian-packaged Chromium (123.0.6312.86) and (slightly outdated) puppeteer-core ^21.1.1. Using an older image with Chromium 121.0.6167.160 and the same puppeteer version, it seems to work. No Lambda ;P

Collaborator

OrKoN commented Apr 4, 2024

@dstapp please provide a reproducible example (Dockerfile?) in the upstream issue. Since puppeteer-core version is the same it is clearly the browser issue.

Collaborator

OrKoN commented Apr 15, 2024

Could you try with the latest version (or without the NetworkServiceInProcess2 feature flag)? In another issue, we found that NetworkServiceInProcess2 might cause crashes for some websites.
