164596 2016-11-10 09:01:12 -0800 IndexedDB 2.0: REGRESSION(r208467) Fix flaky crashes in IDB GC-related code. 2016-11-10 10:07:26 -0800 1 1 1 Unclassified WebKit WebCore Misc. WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED P2 Normal --- 1 beidson beidson alecflett commit-queue jsbell oldest_to_newest 1249809 0 beidson 2016-11-10 09:01:12 -0800 IndexedDB 2.0: Fix flaky crashes in IDB GC-related code During GC sweeps we're sometimes seeing: 1 0x10ef2cc5d WTFCrash 2 0x10ea882c5 void WTF::HashTable<void*, void*, WTF::IdentityExtractor, WTF::PtrHash<void*>, WTF::HashTraits<void*>, WTF::HashTraits<void*> >::checkKey<WTF::IdentityHashTranslator<WTF::HashTraits<void*>, WTF::PtrHash<void*> >, void*>(void* const&) 3 0x10ed110ef WTF::HashTableAddResult<WTF::HashTableIterator<void*, void*, WTF::IdentityExtractor, WTF::PtrHash<void*>, WTF::HashTraits<void*>, WTF::HashTraits<void*> > > WTF::HashTable<void*, void*, WTF::IdentityExtractor, WTF::PtrHash<void*>, WTF::HashTraits<void*>, WTF::HashTraits<void*> >::add<WTF::IdentityHashTranslator<WTF::HashTraits<void*>, WTF::PtrHash<void*> >, void* const&, void* const&>(void* const&&&, void* const&&&) 4 0x10ed110a3 WTF::HashTable<void*, void*, WTF::IdentityExtractor, WTF::PtrHash<void*>, WTF::HashTraits<void*>, WTF::HashTraits<void*> >::add(void* const&) 5 0x10ed0fa94 WTF::HashSet<void*, WTF::PtrHash<void*>, WTF::HashTraits<void*> >::add(void* const&) 6 0x10ed0fb2f JSC::OpaqueRootSet::add(void*) 7 0x10ed0fa5d JSC::SlotVisitor::addOpaqueRoot(void*) 8 0x11731e651 WebCore::IDBTransaction::visitReferencedObjectStores(JSC::SlotVisitor&) const 9 0x116d081d5 WebCore::JSIDBTransaction::visitAdditionalChildren(JSC::SlotVisitor&) 10 0x117a7ca32 WebCore::JSIDBTransaction::visitChildren(JSC::JSCell*, JSC::SlotVisitor&) 11 0x10ed0f450 JSC::SlotVisitor::visitChildren(JSC::JSCell const*) 12 0x10ed0f1f0 JSC::SlotVisitor::drain() ... And the reason is because in stack frame 8, we're passing a null pointer as an opaque root. Same thing happens in IDBObjectStore. The reason is that when transactions abort, we sometimes WTFMove the pointer out of the m_deletedObjects map, but leave the entry in the map, which causes this null ptr problem later. Simple solution is to remove the entry in the map, as well. 1249813 1 294378 beidson 2016-11-10 09:07:40 -0800 Created attachment 294378 Patch 1249837 2 beidson 2016-11-10 10:07:26 -0800 https://trac.webkit.org/changeset/208545 294378 2016-11-10 09:07:40 -0800 2016-11-10 09:09:21 -0800 Patch bug-164596-20161110090328.patch text/plain 3147 beidson U3VidmVyc2lvbiBSZXZpc2lvbjogMjA4NTE4CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggMGY2NTE3MmUyOTc4Y2Ix NTY2ZDVhOTQ3ZmI1OGRlMGY5MzE0ZTNkZS4uOGE5MzRkYzU5YTY3N2QzMjA2MjBjYzRmMjZhMTg0 NDhlMDk1OTU4MSAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDIxIEBACisyMDE2LTExLTEwICBCcmFk eSBFaWRzb24gIDxiZWlkc29uQGFwcGxlLmNvbT4KKworICAgICAgICBJbmRleGVkREIgMi4wOiBS RUdSRVNTSU9OKHIyMDg0NjcpIEZpeCBmbGFreSBjcmFzaGVzIGluIElEQiBHQy1yZWxhdGVkIGNv ZGUuCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xNjQ1 OTYKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBObyBu ZXcgdGVzdHMgKENvdmVyZWQgYnkgZXhpc3RpbmcgdGVzdHMpLgorCisgICAgICAgIFdlIGNhbid0 IGp1c3QgV1RGTW92ZSB0aGUgcG9pbnRlcnMgZnJvbSB0aGUgZGVsZXRlZC1JREJPYmplY3QgbWFw cy4uLgorICAgICAgICBXZSBuZWVkIHRvIHJlbW92ZSB0aGUgZW50cmllcywgdG9vLgorCisgICAg ICAgICogTW9kdWxlcy9pbmRleGVkZGIvSURCT2JqZWN0U3RvcmUuY3BwOgorICAgICAgICAoV2Vi Q29yZTo6SURCT2JqZWN0U3RvcmU6OnJvbGxiYWNrRm9yVmVyc2lvbkNoYW5nZUFib3J0KToKKwor ICAgICAgICAqIE1vZHVsZXMvaW5kZXhlZGRiL0lEQlRyYW5zYWN0aW9uLmNwcDoKKyAgICAgICAg KFdlYkNvcmU6OklEQlRyYW5zYWN0aW9uOjppbnRlcm5hbEFib3J0KToKKwogMjAxNi0xMS0wOSAg QnJhZHkgRWlkc29uICA8YmVpZHNvbkBhcHBsZS5jb20+CiAKICAgICAgICAgSW5kZXhlZERCIDIu MDogQ2xlYW4gdXAgc29tZSBleGNlcHRpb24gb3JkZXJpbmcuCmRpZmYgLS1naXQgYS9Tb3VyY2Uv V2ViQ29yZS9Nb2R1bGVzL2luZGV4ZWRkYi9JREJPYmplY3RTdG9yZS5jcHAgYi9Tb3VyY2UvV2Vi Q29yZS9Nb2R1bGVzL2luZGV4ZWRkYi9JREJPYmplY3RTdG9yZS5jcHAKaW5kZXggMTY4ZWM2ZmYz ODllZmNlOTFkZjRjNTE4NDM2ZThmMDAxMjg3ZDEyOS4uYWViODk0ODg3NzIzOTZhODRjYTk1YWVj N2ZjMjUwNjNhY2MzOWNkZSAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvTW9kdWxlcy9pbmRl eGVkZGIvSURCT2JqZWN0U3RvcmUuY3BwCisrKyBiL1NvdXJjZS9XZWJDb3JlL01vZHVsZXMvaW5k ZXhlZGRiL0lEQk9iamVjdFN0b3JlLmNwcApAQCAtNjE4LDEzICs2MTgsMTkgQEAgdm9pZCBJREJP YmplY3RTdG9yZTo6cm9sbGJhY2tGb3JWZXJzaW9uQ2hhbmdlQWJvcnQoKQogICAgIH0KIAogICAg IExvY2tlcjxMb2NrPiBsb2NrZXIobV9yZWZlcmVuY2VkSW5kZXhMb2NrKTsKKworICAgIFZlY3Rv cjx1aW50NjRfdD4gaWRlbnRpZmllcnNUb1JlbW92ZTsKICAgICBmb3IgKGF1dG8mIGl0ZXJhdG9y IDogbV9kZWxldGVkSW5kZXhlcykgewogICAgICAgICBpZiAobV9pbmZvLmhhc0luZGV4KGl0ZXJh dG9yLmtleSkpIHsKICAgICAgICAgICAgIGF1dG8gbmFtZSA9IGl0ZXJhdG9yLnZhbHVlLT5pbmZv KCkubmFtZSgpOwogICAgICAgICAgICAgbV9yZWZlcmVuY2VkSW5kZXhlcy5zZXQobmFtZSwgV1RG TW92ZShpdGVyYXRvci52YWx1ZSkpOworICAgICAgICAgICAgaWRlbnRpZmllcnNUb1JlbW92ZS5h cHBlbmQoaXRlcmF0b3Iua2V5KTsKICAgICAgICAgfQogICAgIH0KIAorICAgIGZvciAoYXV0byBp ZGVudGlmaWVyIDogaWRlbnRpZmllcnNUb1JlbW92ZSkKKyAgICAgICAgbV9kZWxldGVkSW5kZXhl cy5yZW1vdmUoaWRlbnRpZmllcik7CisKICAgICBmb3IgKGF1dG8mIGluZGV4IDogbV9yZWZlcmVu Y2VkSW5kZXhlcy52YWx1ZXMoKSkKICAgICAgICAgaW5kZXgtPnJvbGxiYWNrSW5mb0ZvclZlcnNp b25DaGFuZ2VBYm9ydCgpOwogfQpkaWZmIC0tZ2l0IGEvU291cmNlL1dlYkNvcmUvTW9kdWxlcy9p bmRleGVkZGIvSURCVHJhbnNhY3Rpb24uY3BwIGIvU291cmNlL1dlYkNvcmUvTW9kdWxlcy9pbmRl eGVkZGIvSURCVHJhbnNhY3Rpb24uY3BwCmluZGV4IDhiMDExZjdlZjE1NWJhMmM2MDY5MWJlMDZl ZDE5YjAyOGVkMGM3MjguLjM4ZGVjZDUzYjlhYjA4MTJlYjgwOWY1ZmJiM2I2YmRhMWVjOGIwMWEg MTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJDb3JlL01vZHVsZXMvaW5kZXhlZGRiL0lEQlRyYW5zYWN0 aW9uLmNwcAorKysgYi9Tb3VyY2UvV2ViQ29yZS9Nb2R1bGVzL2luZGV4ZWRkYi9JREJUcmFuc2Fj dGlvbi5jcHAKQEAgLTIyNiwxMyArMjI2LDE4IEBAIHZvaWQgSURCVHJhbnNhY3Rpb246OmludGVy bmFsQWJvcnQoKQogICAgICAgICBMb2NrZXI8TG9jaz4gbG9ja2VyKG1fcmVmZXJlbmNlZE9iamVj dFN0b3JlTG9jayk7CiAKICAgICAgICAgYXV0byYgaW5mbyA9IG1fZGF0YWJhc2UtPmluZm8oKTsK KyAgICAgICAgVmVjdG9yPHVpbnQ2NF90PiBpZGVudGlmaWVyc1RvUmVtb3ZlOwogICAgICAgICBm b3IgKGF1dG8mIGl0ZXJhdG9yIDogbV9kZWxldGVkT2JqZWN0U3RvcmVzKSB7CiAgICAgICAgICAg ICBpZiAoaW5mby5pbmZvRm9yRXhpc3RpbmdPYmplY3RTdG9yZShpdGVyYXRvci5rZXkpKSB7CiAg ICAgICAgICAgICAgICAgYXV0byBuYW1lID0gaXRlcmF0b3IudmFsdWUtPmluZm8oKS5uYW1lKCk7 CiAgICAgICAgICAgICAgICAgbV9yZWZlcmVuY2VkT2JqZWN0U3RvcmVzLnNldChuYW1lLCBXVEZN b3ZlKGl0ZXJhdG9yLnZhbHVlKSk7CisgICAgICAgICAgICAgICAgaWRlbnRpZmllcnNUb1JlbW92 ZS5hcHBlbmQoaXRlcmF0b3Iua2V5KTsKICAgICAgICAgICAgIH0KICAgICAgICAgfQogCisgICAg ICAgIGZvciAoYXV0byBpZGVudGlmaWVyIDogaWRlbnRpZmllcnNUb1JlbW92ZSkKKyAgICAgICAg ICAgIG1fZGVsZXRlZE9iamVjdFN0b3Jlcy5yZW1vdmUoaWRlbnRpZmllcik7CisKICAgICAgICAg Zm9yIChhdXRvJiBvYmplY3RTdG9yZSA6IG1fcmVmZXJlbmNlZE9iamVjdFN0b3Jlcy52YWx1ZXMo KSkKICAgICAgICAgICAgIG9iamVjdFN0b3JlLT5yb2xsYmFja0ZvclZlcnNpb25DaGFuZ2VBYm9y dCgpOwogICAgIH0K