Bug 141094

Summary: Crash in MemoryCache::removeRequestFromSessionCaches()
Product: WebKit
Component: Page Loading
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Reporter: Chris Dumez <cdumez>
Assignee: Chris Dumez <cdumez>
CC: andersca, ap, mhock

Description Chris Dumez 2015-01-30 13:06:40 PST
Crash in MemoryCache::removeRequestFromSessionCaches() sometimes happens when running fast/files/workers/worker-apply-blob-url-to-xhr.html:
https://build.webkit.org/results/Apple%20Mavericks%20Debug%20WK1%20(Tests)/r179403%20(10178)/fast/files/workers/worker-apply-blob-url-to-xhr-crash-log.txt

The reason is that we remove items from m_sessionResources as we are iterating over it, thus invalidating our iterator.

Comment 1 Chris Dumez 2015-01-30 13:48:22 PST
r179403 is calling HashTable::add() which invalidates all iterators, even if we don't end up actually adding anything to the HashTable. The previous code was calling get() (which would not invalidate iterators) and then calling add() only if the item is not in the HashMap. From this call site, we know the sessionID is in the HashMap so it is actually safe but we hit the assertion in HashTableIterator anyway.

A clean solution would be to have 2 separate sessionResources() getters: a getOrCreate() one and a getOnlyIfExists() one.
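
The two-getter split proposed in Comment 1, as an added example that is not WebKit code and not part of the original report. It models the iterator check with a constructed epoch counter that every add-style call bumps, following the comment's statement that HashTable::add() invalidates iterators even when nothing is inserted; `SessionCache`, `removeFromAllSessions` and the epoch field are hypothetical names, and only `getOrCreate` / `getOnlyIfExists` come from the report.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <unordered_map>
#include <unordered_set>

using Resources = std::unordered_set<std::string>;

// Constructed model: m_epoch stands in for the debug iterator-validity check.
class SessionCache {
public:
    // Mutating lookup: counts as a modification even when the key exists.
    Resources& getOrCreate(uint64_t sessionID) {
        ++m_epoch;
        return m_sessions[sessionID];
    }
    // Read-only lookup: never bumps the epoch; nullptr when the key is absent.
    Resources* getOnlyIfExists(uint64_t sessionID) {
        auto it = m_sessions.find(sessionID);
        return it == m_sessions.end() ? nullptr : &it->second;
    }
    // Removes url from every session. Returns false if the outer map was
    // "modified" mid-walk, which is where a checked iterator would assert.
    bool removeFromAllSessions(const std::string& url, bool useCreatingGetter) {
        bool iteratorsStayedValid = true;
        for (auto& entry : m_sessions) {
            uint64_t epochAtStep = m_epoch;
            Resources* resources = useCreatingGetter
                ? &getOrCreate(entry.first)      // key exists, still an add()
                : getOnlyIfExists(entry.first);  // plain find()
            if (resources)
                resources->erase(url);           // inner set only
            if (m_epoch != epochAtStep)
                iteratorsStayedValid = false;
        }
        return iteratorsStayedValid;
    }
    std::size_t sessionCount() const { return m_sessions.size(); }
private:
    std::unordered_map<uint64_t, Resources> m_sessions;
    uint64_t m_epoch = 0;
};

int main() {
    SessionCache cache;
    cache.getOrCreate(1).insert("blob:constructed-url");
    return cache.removeFromAllSessions("blob:constructed-url", false) ? 0 : 1;
}
```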

Comment 2 Chris Dumez 2015-01-30 14:00:38 PST
Rolled out in <http://trac.webkit.org/changeset/179410>.