Bug 167576

Summary: IndexedDB: Several tests crash when destroying an IDBKeyData
Product: WebKit
Reporter: Carlos Garcia Campos <cgarcia>
Component: WebKit2
Assignee: Fujii Hironori <Hironori.Fujii>
Status: RESOLVED FIXED
Severity: Normal
CC: achristensen, alecflett, beidson, bugs-noreply, commit-queue, csaavedra, ews-watchlist, Hironori.Fujii, jsbell, mcatanzaro, webkit-bug-importer, zan
Priority: P2
Keywords: InRadar, LayoutTestFailure
Version: WebKit Local Build
Hardware: Unspecified
OS: Unspecified
Bug Depends on: (none)
Bug Blocks: 160306
Attachments:
  debug patch (attachment 333160) - Flags: none
  Patch (attachment 333249) - Flags: none

Description Carlos Garcia Campos 2017-01-30 00:20:18 PST
I've seen this in the GTK+ bots, but it doesn't look like a GTK+ specific problem. See:

https://build.webkit.org/results/GTK%20Linux%2064-bit%20Release%20(Tests)/r211357%20(20510)/storage/indexeddb/modern/index-3-private-crash-log.txt
https://build.webkit.org/results/GTK%20Linux%2064-bit%20Release%20(Tests)/r211357%20(20510)/imported/w3c/IndexedDB-private-browsing/idbcursor_iterating_index-crash-log.txt
https://build.webkit.org/results/GTK%20Linux%2064-bit%20Release%20(Tests)/r211357%20(20510)/imported/w3c/IndexedDB-private-browsing/idbcursor_iterating-crash-log.txt

Slightly different backtraces, but all of them end up deleting the IDBKeyData:

Thread 1 (Thread 0x7fbb837ff700 (LWP 1368)):
#0  0x00007fbd23d15478 in void WTF::__destroy_op_table<WTF::Variant<WTF::Vector<WebCore::IDBKeyData, 0ul, WTF::CrashOnOverflow, 16ul>, WTF::String, double, WebCore::ThreadSafeDataBuffer>, WTF::__index_sequence<0l, 1l, 2l, 3l> >::__destroy_func<0l>(WTF::Variant<WTF::Vector<WebCore::IDBKeyData, 0ul, WTF::CrashOnOverflow, 16ul>, WTF::String, double, WebCore::ThreadSafeDataBuffer>*) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#1  0x00007fbd24196f14 in std::enable_if<!WTF::HashTraitHasCustomDelete<WebCore::IDBKeyDataHashTraits, WebCore::IDBKeyData>::value, void>::type WTF::hashTraitsDeleteBucket<WebCore::IDBKeyDataHashTraits, WebCore::IDBKeyData>(WebCore::IDBKeyData&) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#2  0x00007fbd24195588 in WebCore::IDBServer::IndexValueStore::removeRecord(WebCore::IDBKeyData const&, WebCore::IDBKeyData const&) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#3  0x00007fbd241a68c0 in WebCore::IDBServer::MemoryIndex::removeRecord(WebCore::IDBKeyData const&, WebCore::IndexKey const&) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#4  0x00007fbd241ae4f3 in WebCore::IDBServer::MemoryObjectStore::updateIndexesForPutRecord(WebCore::IDBKeyData const&, WebCore::ThreadSafeDataBuffer const&) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#5  0x00007fbd241af5c3 in WebCore::IDBServer::MemoryObjectStore::addRecord(WebCore::IDBServer::MemoryBackingStoreTransaction&, WebCore::IDBKeyData const&, WebCore::IDBValue const&) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#6  0x00007fbd241a022c in WebCore::IDBServer::MemoryIDBBackingStore::addRecord(WebCore::IDBResourceIdentifier const&, WebCore::IDBObjectStoreInfo const&, WebCore::IDBKeyData const&, WebCore::IDBValue const&) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#7  0x00007fbd241d27b0 in WebCore::IDBServer::UniqueIDBDatabase::performPutOrAdd(unsigned long, WebCore::IDBResourceIdentifier const&, unsigned long, WebCore::IDBKeyData const&, WebCore::IDBValue const&, WebCore::IndexedDB::ObjectStoreOverwriteMode) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#8  0x00007fbd241d3ead in WTF::Function<void ()>::CallableWrapper<WTF::CrossThreadTask WTF::createCrossThreadTask<WebCore::IDBServer::UniqueIDBDatabase, unsigned long, WebCore::IDBResourceIdentifier const&, unsigned long, WebCore::IDBKeyData const&, WebCore::IDBValue const&, WebCore::IndexedDB::ObjectStoreOverwriteMode, unsigned long, WebCore::IDBResourceIdentifier, unsigned long, WebCore::IDBKeyData, WebCore::IDBValue, WebCore::IndexedDB::ObjectStoreOverwriteMode>(WebCore::IDBServer::UniqueIDBDatabase&, void (WebCore::IDBServer::UniqueIDBDatabase::*)(unsigned long, WebCore::IDBResourceIdentifier const&, unsigned long, WebCore::IDBKeyData const&, WebCore::IDBValue const&, WebCore::IndexedDB::ObjectStoreOverwriteMode), unsigned long const&, WebCore::IDBResourceIdentifier const&, unsigned long const&, WebCore::IDBKeyData const&, WebCore::IDBValue const&, WebCore::IndexedDB::ObjectStoreOverwriteMode const&)::{lambda()#1}>::call() () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#9  0x00007fbd241cc33d in WebCore::IDBServer::UniqueIDBDatabase::executeNextDatabaseTask() () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#10 0x00007fbd2418cb82 in WebCore::IDBServer::IDBServer::databaseRunLoop() () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#11 0x00007fbd21d29345 in WTF::threadEntryPoint(void*) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#12 0x00007fbd21d5e0ba in WTF::wtfThreadEntryPoint(void*) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#13 0x00007fbd1eed50a4 in start_thread (arg=0x7fbb837ff700) at pthread_create.c:309
#14 0x00007fbd1b1c387d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Thread 1 (Thread 0x7f234bfff700 (LWP 7776)):
#0  0x00007f23b1604478 in void WTF::__destroy_op_table<WTF::Variant<WTF::Vector<WebCore::IDBKeyData, 0ul, WTF::CrashOnOverflow, 16ul>, WTF::String, double, WebCore::ThreadSafeDataBuffer>, WTF::__index_sequence<0l, 1l, 2l, 3l> >::__destroy_func<0l>(WTF::Variant<WTF::Vector<WebCore::IDBKeyData, 0ul, WTF::CrashOnOverflow, 16ul>, WTF::String, double, WebCore::ThreadSafeDataBuffer>*) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#1  0x00007f23b1a85f14 in std::enable_if<!WTF::HashTraitHasCustomDelete<WebCore::IDBKeyDataHashTraits, WebCore::IDBKeyData>::value, void>::type WTF::hashTraitsDeleteBucket<WebCore::IDBKeyDataHashTraits, WebCore::IDBKeyData>(WebCore::IDBKeyData&) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#2  0x00007f23b1a9ea55 in WebCore::IDBServer::MemoryObjectStore::deleteRecord(WebCore::IDBKeyData const&) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#3  0x00007f23b1a9ee1c in WebCore::IDBServer::MemoryObjectStore::deleteRange(WebCore::IDBKeyRangeData const&) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#4  0x00007f23b1a8f527 in WebCore::IDBServer::MemoryIDBBackingStore::deleteRange(WebCore::IDBResourceIdentifier const&, unsigned long, WebCore::IDBKeyRangeData const&) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#5  0x00007f23b1ac1dba in WebCore::IDBServer::UniqueIDBDatabase::performDeleteRecord(unsigned long, WebCore::IDBResourceIdentifier const&, unsigned long, WebCore::IDBKeyRangeData const&) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#6  0x00007f23b1abb33d in WebCore::IDBServer::UniqueIDBDatabase::executeNextDatabaseTask() () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#7  0x00007f23b1a7bb82 in WebCore::IDBServer::IDBServer::databaseRunLoop() () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#8  0x00007f23af618345 in WTF::threadEntryPoint(void*) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#9  0x00007f23af64d0ba in WTF::wtfThreadEntryPoint(void*) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#10 0x00007f23ac7c40a4 in start_thread (arg=0x7f234bfff700) at pthread_create.c:309
#11 0x00007f23a8ab287d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Thread 1 (Thread 0x7fdba77fe700 (LWP 7394)):
#0  0x00007fdc50f56478 in void WTF::__destroy_op_table<WTF::Variant<WTF::Vector<WebCore::IDBKeyData, 0ul, WTF::CrashOnOverflow, 16ul>, WTF::String, double, WebCore::ThreadSafeDataBuffer>, WTF::__index_sequence<0l, 1l, 2l, 3l> >::__destroy_func<0l>(WTF::Variant<WTF::Vector<WebCore::IDBKeyData, 0ul, WTF::CrashOnOverflow, 16ul>, WTF::String, double, WebCore::ThreadSafeDataBuffer>*) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#1  0x00007fdc513d7f14 in std::enable_if<!WTF::HashTraitHasCustomDelete<WebCore::IDBKeyDataHashTraits, WebCore::IDBKeyData>::value, void>::type WTF::hashTraitsDeleteBucket<WebCore::IDBKeyDataHashTraits, WebCore::IDBKeyData>(WebCore::IDBKeyData&) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#2  0x00007fdc513d68a8 in WebCore::IDBServer::IndexValueStore::removeEntriesWithValueKey(WebCore::IDBServer::MemoryIndex&, WebCore::IDBKeyData const&) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#3  0x00007fdc513ed3a1 in WebCore::IDBServer::MemoryObjectStore::updateIndexesForDeleteRecord(WebCore::IDBKeyData const&) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#4  0x00007fdc513f0b48 in WebCore::IDBServer::MemoryObjectStore::deleteRecord(WebCore::IDBKeyData const&) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#5  0x00007fdc513f0e1c in WebCore::IDBServer::MemoryObjectStore::deleteRange(WebCore::IDBKeyRangeData const&) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#6  0x00007fdc513e1527 in WebCore::IDBServer::MemoryIDBBackingStore::deleteRange(WebCore::IDBResourceIdentifier const&, unsigned long, WebCore::IDBKeyRangeData const&) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#7  0x00007fdc51413dba in WebCore::IDBServer::UniqueIDBDatabase::performDeleteRecord(unsigned long, WebCore::IDBResourceIdentifier const&, unsigned long, WebCore::IDBKeyRangeData const&) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#8  0x00007fdc5140d33d in WebCore::IDBServer::UniqueIDBDatabase::executeNextDatabaseTask() () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#9  0x00007fdc513cdb82 in WebCore::IDBServer::IDBServer::databaseRunLoop() () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#10 0x00007fdc4ef6a345 in WTF::threadEntryPoint(void*) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#11 0x00007fdc4ef9f0ba in WTF::wtfThreadEntryPoint(void*) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#12 0x00007fdc4c1160a4 in start_thread (arg=0x7fdba77fe700) at pthread_create.c:309
#13 0x00007fdc4840487d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
Comment 1 Claudio Saavedra 2017-06-14 04:07:48 PDT
Same issue with the WPE port:

  imported/w3c/IndexedDB-private-browsing/idbcursor_iterating.html [ Crash ]
  imported/w3c/IndexedDB-private-browsing/idbcursor_iterating_index.html [ Crash ]

Pretty much the same stacktraces.
Comment 2 Zan Dobersek 2017-06-18 12:17:37 PDT
This might be an issue in the GCC compiler:
- doesn't occur in "-O -DNDEBUG" builds (i.e. release builds with optimizations disabled),
- doesn't occur when building with Clang.
Comment 3 Claudio Saavedra 2017-06-20 03:10:14 PDT
Could this have been fixed by r218516?
Comment 4 Zan Dobersek 2017-06-20 07:14:23 PDT
Quite possible. Let's see how these tests behave in the next few days and act accordingly.
Comment 5 Michael Catanzaro 2017-06-23 18:18:34 PDT
(In reply to Claudio Saavedra from comment #3)
> Could this have been fixed by r218516 ?

Sadly the tests are still crashing.
Comment 6 Brady Eidson 2017-06-23 21:56:37 PDT
(In reply to Michael Catanzaro from comment #5)
> (In reply to Claudio Saavedra from comment #3)
> > Could this have been fixed by r218516 ?
> 
> Sadly the tests are still crashing.

:(
Comment 7 Fujii Hironori 2018-02-06 02:22:49 PST
Created attachment 333160 [details]
debug patch

An instance of IDBKeyData seems broken.
If you apply this debug patch, you can observe the broken value even in a debug build.
I think this bug is *not* a GCC optimizer bug.
Comment 8 Fujii Hironori 2018-02-06 18:23:26 PST
> struct IDBKeyDataHashTraits : public WTF::CustomHashTraits<IDBKeyData> {
> [...]
>     static void constructDeletedValue(IDBKeyData& key)
>     {
>         key = IDBKeyData::deletedValue();
>     }
> 

constructDeletedValue is using operator= to assign deletedValue().

> template<typename Traits, typename T>
> typename std::enable_if<!HashTraitHasCustomDelete<Traits, T>::value>::type
> hashTraitsDeleteBucket(T& value)
> {
>     value.~T();
>     Traits::constructDeletedValue(value);
> }

But the value is destructed just before calling constructDeletedValue.
You can't use operator= on a destructed value.
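The destroy-then-assign hazard described in this comment, as an added C++ example that is not WebKit code: `KeyData` stands in for IDBKeyData, `deleteBucket` mirrors the order of operations in `hashTraitsDeleteBucket`, and a small address registry plays the role a lifetime sanitizer would, counting an assignment into destroyed storage instead of letting it corrupt memory. `BuggyTraits`, `FixedTraits`, `assignDeletedValue`, `Outcome` and `runDeletion` are names made up for the illustration.

```cpp
// Added example, not WebKit code: models the IDBKeyData bucket deletion from comment 8
// with a lifetime tracker, so "operator= on a destroyed object" is counted, not silent UB.
#include <new>
#include <set>
#include <vector>

static std::set<const void*> g_live;  // addresses currently holding a live KeyData
static int g_useAfterDestroy = 0;     // assignments attempted into dead storage

// Stand-in for IDBKeyData: a heap-owning payload (the real type holds a WTF::Variant
// whose Vector alternative is what the backtraces show being destroyed) plus a marker.
struct KeyData {
    std::vector<double> value;
    bool deleted = false;
    KeyData() { g_live.insert(this); }
    KeyData(const KeyData& o) : value(o.value), deleted(o.deleted) { g_live.insert(this); }
    KeyData& operator=(const KeyData&) = default;
    ~KeyData() { g_live.erase(this); }
    static KeyData deletedValue() { KeyData k; k.deleted = true; return k; }
};
// Sanitizer-style guard shared by both traits: assigning into storage that holds no
// live object is exactly the defect in comment 8, so count it and stop.
static void assignDeletedValue(KeyData& key) {
    if (!g_live.count(&key)) { ++g_useAfterDestroy; return; }
    key = KeyData::deletedValue();
}
// Pre-fix traits: uses operator= although the bucket was already destroyed.
struct BuggyTraits { static void constructDeletedValue(KeyData& key) { assignDeletedValue(key); } };
// Fixed traits, the shape of attachment 333249: placement-new a live object first.
struct FixedTraits {
    static void constructDeletedValue(KeyData& key) { new (&key) KeyData; assignDeletedValue(key); }
};
// Mirrors WTF::hashTraitsDeleteBucket: destroy the bucket, then build the deleted value.
template<typename Traits> static void deleteBucket(KeyData& slot) {
    slot.~KeyData();
    Traits::constructDeletedValue(slot);
}
struct Outcome { bool slotIsLiveDeletedMarker; int useAfterDestroy; };
// Deletes one bucket kept in raw storage and reports what the traits did to it.
template<typename Traits> static Outcome runDeletion() {
    alignas(KeyData) unsigned char buf[sizeof(KeyData)];
    KeyData* slot = new (buf) KeyData;
    slot->value = {1.0, 2.0};  // constructed sample key
    int before = g_useAfterDestroy;
    deleteBucket<Traits>(*slot);
    bool live = g_live.count(slot) && slot->deleted;  // only read a live object
    if (live) slot->~KeyData();  // the fixed path left a real object behind
    return { live, g_useAfterDestroy - before };
}
```

With the pre-fix traits the registry reports one assignment into dead storage and the bucket never becomes a deleted marker; with the placement-new variant it reports none and the bucket holds a live, deleted-marked key.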
Comment 9 Fujii Hironori 2018-02-06 18:31:45 PST
Created attachment 333249 [details]
Patch
Comment 10 Michael Catanzaro 2018-02-07 05:34:16 PST
Comment on attachment 333249 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=333249&action=review

> Source/WebCore/Modules/indexeddb/IDBKeyData.h:211
> +        new (&key) IDBKeyData;
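Review bot: the placement new at IDBKeyData.h:211 is what re-establishes a live object in storage that hashTraitsDeleteBucket has already torn down with `value.~T()` (comment 8), so the `key = IDBKeyData::deletedValue();` assignment that follows runs on a constructed object rather than on dead storage; a one-line comment on this line stating that the bucket arrives destroyed would help, since nothing in constructDeletedValue itself shows why the `new (&key) IDBKeyData;` is needed, and it must stay immediately before that assignment so the default-constructed key is never left in the bucket.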

Again, I'll wait a couple days for Brady to review it first, but it looks right. Thanks Fujii!
Comment 11 WebKit Commit Bot 2018-02-16 09:41:16 PST
Comment on attachment 333249 [details]
Patch

Clearing flags on attachment: 333249

Committed r228560: <https://trac.webkit.org/changeset/228560>
Comment 12 WebKit Commit Bot 2018-02-16 09:41:18 PST
All reviewed patches have been landed.  Closing bug.
Comment 13 Radar WebKit Bug Importer 2018-02-16 09:42:25 PST
<rdar://problem/37608014>