Bug 157917

Summary: REGRESSION(201098) GuardMalloc / ASan crashes in WebCore::IDBServer::UniqueIDBDatabase::executeNextDatabaseTaskReply
Product: WebKit
Reporter: Ryan Haddad <ryanhaddad>
Component: New Bugs
Assignee: Brady Eidson <beidson>
Status: RESOLVED FIXED
Severity: Normal
CC: alecflett, beidson, commit-queue, jsbell, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 149117, 154968
Attachments:
Patch (achristensen: review+)

Description Ryan Haddad 2016-05-19 13:27:20 PDT
Started with <http://trac.webkit.org/changeset/201098>

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x000000010feb513c WebCore::IDBServer::UniqueIDBDatabase::executeNextDatabaseTaskReply() + 44
1   com.apple.WebCore             	0x000000010f56e05a WebCore::IDBServer::IDBServer::handleTaskRepliesOnMainThread() + 106
2   com.apple.JavaScriptCore      	0x000000010e043fc7 WTF::dispatchFunctionsFromMainThread() + 519
3   com.apple.Foundation          	0x00007fff90c0efde __NSThreadPerformPerform + 279
4   com.apple.CoreFoundation      	0x00007fff894d7881 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
5   com.apple.CoreFoundation      	0x00007fff894b6fbc __CFRunLoopDoSources0 + 556
6   com.apple.CoreFoundation      	0x00007fff894b64df __CFRunLoopRun + 927
7   com.apple.CoreFoundation      	0x00007fff894b5ed8 CFRunLoopRunSpecific + 296
8   com.apple.HIToolbox           	0x00007fff8f6e1935 RunCurrentEventLoopInMode + 235
9   com.apple.HIToolbox           	0x00007fff8f6e176f ReceiveNextEventCommon + 432
10  com.apple.HIToolbox           	0x00007fff8f6e15af _BlockUntilNextEventMatchingListInModeWithFilter + 71
11  com.apple.AppKit              	0x00007fff973b9efa _DPSNextEvent + 1067
12  com.apple.AppKit              	0x00007fff973b932a -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 454
13  com.apple.AppKit              	0x00007fff973ade84 -[NSApplication run] + 682
14  com.apple.AppKit              	0x00007fff9737746c NSApplicationMain + 1176
15  libxpc.dylib                  	0x00007fff90afa194 _xpc_objc_main + 795
16  libxpc.dylib                  	0x00007fff90af8bbe xpc_main + 494
17  com.apple.WebKit.WebContent   	0x000000010d6747df 0x10d673000 + 6111
18  libdyld.dylib                 	0x00007fff82be85ad start + 1
Comment 1 Ryan Haddad 2016-05-19 13:27:57 PDT
<rdar://problem/26371025>
Comment 2 Brady Eidson 2016-05-19 14:59:19 PDT
This is nothing more than a missing protector ref.
Comment 3 Brady Eidson 2016-05-19 14:59:56 PDT
*** Bug 157915 has been marked as a duplicate of this bug. ***
Comment 4 Brady Eidson 2016-05-19 15:03:15 PDT
Created attachment 279437 [details]
Patch
Comment 5 Brady Eidson 2016-05-19 15:16:28 PDT
EWS is smoking something.

http://trac.webkit.org/changeset/201188
Comment 6 Darin Adler 2016-05-21 08:28:49 PDT
Comment on attachment 279437 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=279437&action=review

> Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabase.cpp:1520
> +    RefPtr<UniqueIDBDatabase> protectedThis(this);
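Review bot: the protector at UniqueIDBDatabase.cpp:1520 is taken as `RefPtr<UniqueIDBDatabase> protectedThis(this);`, a type that admits null and so does not express that `this` is always valid here; prefer `Ref<UniqueIDBDatabase> protectedThis(*this);`, which is non-null by construction and states the intent directly (keep `this` alive for the rest of the call).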

A case like this should use Ref rather than RefPtr. In fact, this is sort of the case that Kling made Ref for originally.
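As an added illustration, not code from the patch or from WebKit, of the bug class behind comment 2 and the Ref-versus-RefPtr point in comment 6: a stand-in `Database` whose queued reply releases the owner's last reference while `runTaskReply` is still executing, run once without and once with a Ref-style non-null protector. `Database`, `Protector`, `runTaskReply` and `simulate` are constructed names, not WebKit's.

```cpp
#include <deque>
#include <functional>
#include <utility>

// Added model of the "missing protector ref" bug class. Database, Protector and
// runTaskReply are constructed stand-ins, not WebKit's UniqueIDBDatabase or WTF::Ref.
class Database {
public:
    static int liveInstances;   // safe to read even after |this| has been freed
    Database() { ++liveInstances; }
    ~Database() { --liveInstances; }
    void ref() { ++m_refCount; }
    void deref() { if (!--m_refCount) delete this; }
    void addReply(std::function<void()> reply) { m_replies.push_back(std::move(reply)); }
    // Ref-like RAII holder: non-null by construction, keeps one count until scope exit.
    class Protector {
    public:
        explicit Protector(Database& db) : m_db(db) { m_db.ref(); }
        ~Protector() { m_db.deref(); }
    private:
        Database& m_db;
    };
    // Runs one reply; returns how many remain, or -1 if |this| died during the reply.
    int runTaskReply(bool withProtector) {
        if (withProtector) {
            Protector protectedThis(*this);   // the fix: |this| outlives this call
            return runOne();
        }
        return runOne();                      // the regression: nothing keeps |this| alive
    }
private:
    int runOne() {
        std::function<void()> reply = std::move(m_replies.front());
        m_replies.pop_front();
        reply();                              // may drop the owner's last reference
        if (!liveInstances)                   // stand-in for the crash: do not touch members
            return -1;
        return static_cast<int>(m_replies.size());
    }
    int m_refCount = 0;
    std::deque<std::function<void()>> m_replies;
};
int Database::liveInstances = 0;
// One owner holds the database; the first queued reply makes that owner let go of it.
int simulate(bool withProtector) {
    Database* db = new Database;
    db->ref();                                // the owner's reference
    db->addReply([db] { db->deref(); });      // reply that releases the owner's reference
    db->addReply([] {});                      // one more queued reply, still pending after
    return db->runTaskReply(withProtector);
}
```

Without the protector the post-reply look at the queue happens on a destroyed object (reported here as -1 instead of reading freed memory); with it the object survives until the call returns and is released on scope exit.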