Bug 108285

Summary: Crashed while ref'ing DatabaseContext in DatabaseManager::interruptAllDatabasesForContext()
Product: WebKit
Reporter: Keishi Hattori <keishi>
Component: Tools / Tests
Assignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED
Severity: Normal
CC: alancutter, ap, beidson, ggaren, levin, levin+threading, mark.lam, sam, webkit.review.bot
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments:
The fix. (Flags: ap: review+)

Description Keishi Hattori 2013-01-29 19:35:11 PST
crash log for DumpRenderTree (pid 3449):
STDOUT: <empty>
STDERR: ASSERTION FAILED: m_verifier.isSafeToUse()
STDERR: ../../third_party/WebKit/Source/WTF/wtf/RefCounted.h(58) : void WTF::RefCountedBase::ref()
STDERR: 1   0x362f91e7 WTF::RefCountedBase::ref()
STDERR: 2   0x388a3ee1 WebCore::DatabaseManager::existingDatabaseContextFor(WebCore::ScriptExecutionContext*)
STDERR: 3   0x388a5303 WebCore::DatabaseManager::interruptAllDatabasesForContext(WebCore::ScriptExecutionContext*)
STDERR: 4   0x394bdaa1 WebCore::WorkerThread::stop()
STDERR: 5   0x394af01c WebCore::WorkerMessagingProxy::terminateWorkerContext()
STDERR: 6   0x36550752 WebKit::WebWorkerClientImpl::terminateWorkerContext()
STDERR: 7   0x3949c9c4 WebCore::Worker::terminate()
STDERR: 8   0x3949ca5b WebCore::Worker::stop()
STDERR: 9   0x372267aa WebCore::ScriptExecutionContext::stopActiveDOMObjects()
STDERR: 10  0x3704cb73 WebCore::Document::detach()
STDERR: 11  0x3704d231 WebCore::Document::prepareForDestruction()
STDERR: 12  0x39361aa0 WebCore::Frame::setView(WTF::PassRefPtr<WebCore::FrameView>)
STDERR: 13  0x393653e6 WebCore::Frame::createView(WebCore::IntSize const&, WebCore::Color const&, bool, WebCore::IntSize const&, WebCore::IntRect const&, bool, WebCore::ScrollbarMode, bool, WebCore::ScrollbarMode, bool)
STDERR: 14  0x36474b49 WebKit::WebFrameImpl::createFrameView()
STDERR: 15  0x363a48ce WebKit::FrameLoaderClientImpl::makeDocumentView()
STDERR: 16  0x363aa3db WebKit::FrameLoaderClientImpl::transitionToCommittedForNewPage()
STDERR: 17  0x391db843 WebCore::FrameLoader::transitionToCommitted(WTF::PassRefPtr<WebCore::CachedPage>)
STDERR: 18  0x391daa22 WebCore::FrameLoader::commitProvisionalLoad()
STDERR: 19  0x391917fd WebCore::DocumentLoader::commitIfReady()
STDERR: 20  0x39191f73 WebCore::DocumentLoader::commitLoad(char const*, int)
STDERR: 21  0x3919274d WebCore::DocumentLoader::receivedData(char const*, int)
STDERR: 22  0x39201008 WebCore::MainResourceLoader::dataReceived(WebCore::CachedResource*, char const*, int)
STDERR: 23  0x3926d121 WebCore::CachedRawResource::data(WTF::PassRefPtr<WebCore::ResourceBuffer>, bool)
STDERR: 24  0x3922fbed WebCore::SubresourceLoader::sendDataToResource(char const*, int)
STDERR: 25  0x3922ff47 WebCore::SubresourceLoader::didReceiveData(char const*, int, long long, bool)
STDERR: 26  0x39228257 WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle*, char const*, int, int)
STDERR: 27  0x36bae7c2 WebCore::ResourceHandleInternal::didReceiveData(WebKit::WebURLLoader*, char const*, int, int)
STDERR: 28  0x317d49dc webkit_glue::WebURLLoaderImpl::Context::OnReceivedData(char const*, int, int)
STDERR: 29  0x3102a54f (anonymous namespace)::RequestProxy::NotifyReceivedData(int)
STDERR: 30  0x3102ac02 base::internal::RunnableAdapter<void ((anonymous namespace)::RequestProxy::*)(int)>::Run((anonymous namespace)::RequestProxy*, int const&)
STDERR: 31  0x3102ab2f base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void ((anonymous namespace)::RequestProxy::*)(int)>, void ()((anonymous namespace)::RequestProxy* const&, int const&)>::MakeItSo(base::internal::RunnableAdapter<void ((anonymous namespace)::RequestProxy::*)(int)>, (anonymous namespace)::RequestProxy* const&, int const&)
STDERR: Received signal 11 SEGV_MAPERR 0000bbadbeef
STDERR: ax: bbadbeef, bx: 0, cx: e022b7cb, dx: e022b7cb
STDERR: di: 3957cd2c, si: 3957cfbe, bp: bfffc648, sp: bfffc610, ss: 23, flags: 10282
STDERR: ip: 362f91f1, cs: 1b, ds: 23, es: 23, fs: 0, gs: f
Comment 1 Mark Lam 2013-01-30 09:36:43 PST
WebCore::DatabaseManager::interruptAllDatabasesForContext() is the only API that can access another thread's DatabaseContext.  Since DatabaseContext is ref counted and can be ref'ed by another thread (in the interrupt case), it should extend ThreadSafeRefCounted instead of RefCounted.

Investigating the fix right now.
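Added example (not WebKit's code) modelling the point in Comment 1: a non-thread-safe ref count that remembers its owning thread flags a ref() from another thread (the analogue of the m_verifier.isSafeToUse() assertion in the crash log), while an atomic count stays consistent when several threads ref/deref it concurrently. ThreadOwnedRefCount, AtomicRefCount and the two driver functions are hypothetical names for this illustration.

```cpp
// Minimal models of WTF's RefCounted (thread-restricted) vs ThreadSafeRefCounted
// (atomic); illustration only, not the WebKit implementation.
#include <atomic>
#include <thread>
#include <vector>

// Non-thread-safe count: records the creating thread and flags any ref()
// made from a different thread, like WTF's ThreadRestrictionVerifier does.
class ThreadOwnedRefCount {
public:
    ThreadOwnedRefCount() : m_owner(std::this_thread::get_id()) {}
    bool ref() {
        if (std::this_thread::get_id() != m_owner) { m_violation = true; return false; }
        ++m_count;
        return true;
    }
    bool violated() const { return m_violation; }
private:
    std::thread::id m_owner;
    int m_count = 1;
    bool m_violation = false;
};

// Thread-safe count: atomic increments/decrements, usable from any thread.
class AtomicRefCount {
public:
    void ref() { m_count.fetch_add(1, std::memory_order_relaxed); }
    bool deref() { return m_count.fetch_sub(1, std::memory_order_acq_rel) == 1; }
    int count() const { return m_count.load(); }
private:
    std::atomic<int> m_count{1};
};

// Models the interrupt path: the context is created on one ("worker") thread
// and a different thread refs it. Returns true when the violation is detected.
bool crossThreadRefIsFlagged() {
    ThreadOwnedRefCount ctx;
    std::thread other([&] { ctx.ref(); });
    other.join();
    return ctx.violated();
}

// `threads` threads each ref()/deref() `iterations` times; with an atomic
// count the total returns to the initial 1 regardless of interleaving.
int concurrentRefDerefLeaves(int threads, int iterations) {
    AtomicRefCount ctx;
    std::vector<std::thread> pool;
    for (int t = 0; t < threads; ++t)
        pool.emplace_back([&] { for (int i = 0; i < iterations; ++i) { ctx.ref(); ctx.deref(); } });
    for (auto& th : pool) th.join();
    return ctx.count();
}
```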
Comment 2 Mark Lam 2013-01-30 14:12:30 PST
Created attachment 185565 [details]
The fix.
Comment 3 Mark Lam 2013-01-30 14:14:06 PST
Comment on attachment 185565 [details]
The fix.

View in context: https://bugs.webkit.org/attachment.cgi?id=185565&action=review

> Source/WebCore/ChangeLog:14
> +        This reflects the contract that another thread (calling doing the

Typo in comment.  Will remove "calling".
Comment 4 Alexey Proskuryakov 2013-01-30 14:34:29 PST
Comment on attachment 185565 [details]
The fix.

View in context: https://bugs.webkit.org/attachment.cgi?id=185565&action=review

r=me on ThreadSafeRefCounted part.

> Source/WebCore/Modules/webdatabase/DatabaseManager.cpp:353
> -void DatabaseManager::interruptAllDatabasesForContext(ScriptExecutionContext* context)
> +void DatabaseManager::interruptAllDatabasesForContext(const ScriptExecutionContext* context)
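Review bot: the new `const ScriptExecutionContext*` parameter does not match `existingDatabaseContextFor(WebCore::ScriptExecutionContext*)`, which this function calls according to the crash stack, so the const would have to be propagated into that helper or cast away; since the function goes on to interrupt the databases belonging to the context, dropping the const from this signature is the simpler choice and keeps the change limited to the ThreadSafeRefCounted fix.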

I do not think that we should be using "const ScriptExecutionContext*" here, or anywhere.

These are huge "world" objects that are never actually immutable, and saying that they are constant for the purposes of a particular function does not have any semantic meaning that I could catch.

For example, you are passing context as constant here. But interrupting all databases for context modifies the context in a very noticeable way!
Comment 5 Mark Lam 2013-01-30 14:47:55 PST
Removed "const" changes.  Landed in r141320: <http://trac.webkit.org/changeset/141320>.
Comment 6 Alan Cutter 2013-01-30 23:07:45 PST
Thanks Mark, the Chromium debug tests are happily passing again.

Chromium expectations updated on: http://trac.webkit.org/changeset/141365