Bug 195214

<rdar://problem/48461116>

Created attachment 363346 [details]
Patch

Looks like this passed EWS. Ping for reviewers.

Comment on attachment 363346 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=363346&action=review

> Source/WebCore/Modules/indexeddb/client/TransactionOperation.h:105
> +        if (m_completeFunction) {
> +            m_completeFunction(data);
> +            // m_completeFunction might be holding the last ref to this TransactionOperation,
> +            // so we need to do this trick to null it out without first destroying it.
> +            Function<void(const IDBResultData&)> oldCompleteFunction;
> +            std::swap(m_completeFunction, oldCompleteFunction);
> +        }
>          m_transaction->operationCompletedOnClient(*this);

It seems like a bug that you reference m_transaction after this may have been deleted (by destroying m_completeFunction, which holds the last ref to this TransactionOperation.)

Probably the best solution is to use "auto protect = makeRef(this)" at the top of the function.

Comment on attachment 363346 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=363346&action=review

>> Source/WebCore/Modules/indexeddb/client/TransactionOperation.h:105
>>          m_transaction->operationCompletedOnClient(*this);
> 
> It seems like a bug that you reference m_transaction after this may have been deleted (by destroying m_completeFunction, which holds the last ref to this TransactionOperation.)
> 
> Probably the best solution is to use "auto protect = makeRef(this)" at the top of the function.

In an expected case, operationCompletedOnClient should clear the last ref of a TransactionOperation by removing it from m_transactionOperationMap.

I think "the last ref" means if we don't clear the completeFunction here, completeFunction can hold the last ref of TransactionOperation after operationCompletedOnClient.

Comment on attachment 363346 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=363346&action=review

>>> Source/WebCore/Modules/indexeddb/client/TransactionOperation.h:105
>>>          m_transaction->operationCompletedOnClient(*this);
>> 
>> It seems like a bug that you reference m_transaction after this may have been deleted (by destroying m_completeFunction, which holds the last ref to this TransactionOperation.)
>> 
>> Probably the best solution is to use "auto protect = makeRef(this)" at the top of the function.
> 
> In an expected case, operationCompletedOnClient should clear the last ref of a TransactionOperation by removing it from m_transactionOperationMap.
> 
> I think "the last ref" means if we don't clear the completeFunction here, completeFunction can hold the last ref of TransactionOperation after operationCompletedOnClient.

Previously, this function deallocated m_completeFunction *after* loading and using this->m_transaction. This patch makes a change to deallocate m_completeFunction *before* loading and using this->m_transaction. If deallocating m_completeFunction might delete 'this', then this patch introduces a use of this->m_transaction after free.

Created attachment 363714 [details]
Patch

Comment on attachment 363714 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=363714&action=review

r=me

> Source/WebCore/Modules/indexeddb/client/TransactionOperation.h:144
> +    bool m_doneComplete { false };

We usually use 'did' instead of 'done'. So, I would name this 'm_didComplete'.

Created attachment 363912 [details]
Patch for landing

The commit-queue encountered the following flaky tests while processing attachment 363912 [details]:

legacy-animation-engine/fast/layers/no-clipping-overflow-hidden-hardware-acceleration.html bug 195431 (authors: dino@apple.com and graouts@apple.com)
The commit-queue is continuing to process your patch.

Comment on attachment 363912 [details]
Patch for landing

Clearing flags on attachment: 363912

Committed r242608: <https://trac.webkit.org/changeset/242608>

All reviewed patches have been landed.  Closing bug.