RESOLVED FIXED 107377
[GTK][IndexedDB] Crash in WebCore::ScriptExecutionContext::willDestroyActiveDOMObject
https://bugs.webkit.org/show_bug.cgi?id=107377
Zan Dobersek
Reported 2013-01-19 12:19:21 PST
At least these tests flakily crash in WebCore::ScriptExecutionContext::willDestroyActiveDOMObject:

storage/indexeddb/keypath-basics.html
storage/indexeddb/mozilla/create-index-unique.html
storage/indexeddb/objectstore-basics.html
storage/indexeddb/mozilla/remove-index.html
storage/indexeddb/index-get-key-argument-required.html

http://test-results.appspot.com/dashboards/flakiness_dashboard.html#group=%40ToT%20-%20webkit.org&tests=storage%2Findexeddb%2Fkeypath-basics.html%2Cstorage%2Findexeddb%2Fmozilla%2Fcreate-index-unique.html%2Cstorage%2Findexeddb%2Fobjectstore-basics.html%2Cstorage%2Findexeddb%2Fmozilla%2Fremove-index.html%2Cstorage%2Findexeddb%2Findex-get-key-argument-required.html

Here's the trimmed crash log:

Crash log for DumpRenderTree (pid 17097):
...
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Debug/Programs/DumpR'.
Program terminated with signal 11, Segmentation fault.
#0  0x00002af9b15d4354 in WebCore::ScriptExecutionContext::willDestroyActiveDOMObject (this=0xd3dea0, object=0xfdcb10) at ../../Source/WebCore/dom/ScriptExecutionContext.cpp:265
265         CRASH();
...om /lib/x86_64-linux-gnu/libc.so.6
#9  0x0000000000000000 in ?? ()

Thread 1 (Thread 0x2af9bf70e6a0 (LWP 17097)):
#0  0x00002af9b15d4354 in WebCore::ScriptExecutionContext::willDestroyActiveDOMObject (this=0xd3dea0, object=0xfdcb10) at ../../Source/WebCore/dom/ScriptExecutionContext.cpp:265
#1  0x00002af9b14b3877 in WebCore::ActiveDOMObject::~ActiveDOMObject (this=0xfdcb10, __in_chrg=<optimized out>) at ../../Source/WebCore/dom/ActiveDOMObject.cpp:58
#2  0x00002af9b24709e6 in WebCore::IDBRequest::~IDBRequest (this=0xfdcaf0, __in_chrg=<optimized out>) at ../../Source/WebCore/Modules/indexeddb/IDBRequest.cpp:89
#3  0x00002af9b2470a56 in WebCore::IDBRequest::~IDBRequest (this=0xfdcaf0, __in_chrg=<optimized out>) at ../../Source/WebCore/Modules/indexeddb/IDBRequest.cpp:92
#4  0x00002af9b18f7a2a in WTF::RefCounted<WebCore::IDBCallbacks>::deref (this=0xfdcaf8) at ../../Source/WTF/wtf/RefCounted.h:202
#5  0x00002af9b243706a in WTF::derefIfNotNull<WebCore::IDBCallbacks> (ptr=0xfdcaf0) at ../../Source/WTF/wtf/PassRefPtr.h:53
#6  0x00002af9b2436a47 in WTF::RefPtr<WebCore::IDBCallbacks>::~RefPtr (this=0xfdc680, __in_chrg=<optimized out>) at ../../Source/WTF/wtf/RefPtr.h:56
#7  0x00002af9b2446b56 in WebCore::OpenCursorOperation::~OpenCursorOperation (this=0xfdc640, __in_chrg=<optimized out>) at ../../Source/WebCore/Modules/indexeddb/IDBDatabaseBackendImpl.cpp:320
#8  0x00002af9b2446bb4 in WebCore::OpenCursorOperation::~OpenCursorOperation (this=0xfdc640, __in_chrg=<optimized out>) at ../../Source/WebCore/Modules/indexeddb/IDBDatabaseBackendImpl.cpp:320
#9  0x00002af9b2436f74 in WTF::deleteOwnedPtr<WebCore::IDBTransactionBackendImpl::Operation> (ptr=0xfdc640) at ../../Source/WTF/wtf/OwnPtrCommon.h:65
#10 0x00002af9b24769ed in WTF::OwnPtr<WebCore::IDBTransactionBackendImpl::Operation>::~OwnPtr (this=0xfc18b8, __in_chrg=<optimized out>) at ../../Source/WTF/wtf/OwnPtr.h:63
#11 0x00002af9b24795d4 in WTF::VectorDestructor<true, WTF::OwnPtr<WebCore::IDBTransactionBackendImpl::Operation> >::destruct (begin=0xfc1898, end=0xfc18c0) at ../../Source/WTF/wtf/Vector.h:52
#12 0x00002af9b247884f in WTF::VectorTypeOperations<WTF::OwnPtr<WebCore::IDBTransactionBackendImpl::Operation> >::destruct (begin=0xfc1898, end=0xfc18c0) at ../../Source/WTF/wtf/Vector.h:214
#13 0x00002af9b2477550 in WTF::Deque<WTF::OwnPtr<WebCore::IDBTransactionBackendImpl::Operation>, 0ul>::destroyAll (this=0xfba1c0) at ../../Source/WTF/wtf/Deque.h:315
#14 0x00002af9b247660a in WTF::Deque<WTF::OwnPtr<WebCore::IDBTransactionBackendImpl::Operation>, 0ul>::~Deque (this=0xfba1c0, __in_chrg=<optimized out>) at ../../Source/WTF/wtf/Deque.h:327
#15 0x00002af9b247522f in WebCore::IDBTransactionBackendImpl::~IDBTransactionBackendImpl (this=0xfba160, __in_chrg=<optimized out>) at ../../Source/WebCore/Modules/indexeddb/IDBTransactionBackendImpl.cpp:67
#16 0x00002af9b247529e in WebCore::IDBTransactionBackendImpl::~IDBTransactionBackendImpl (this=0xfba160, __in_chrg=<optimized out>) at ../../Source/WebCore/Modules/indexeddb/IDBTransactionBackendImpl.cpp:71
#17 0x00002af9b2437808 in WTF::RefCounted<WebCore::IDBTransactionBackendInterface>::deref (this=0xfba168) at ../../Source/WTF/wtf/RefCounted.h:202
#18 0x00002af9b243740e in WTF::derefIfNotNull<WebCore::IDBTransactionBackendImpl> (ptr=0xfba160) at ../../Source/WTF/wtf/PassRefPtr.h:53
#19 0x00002af9b2436bc9 in WTF::RefPtr<WebCore::IDBTransactionBackendImpl>::~RefPtr (this=0x7fff31d8f420, __in_chrg=<optimized out>) at ../../Source/WTF/wtf/RefPtr.h:56
#20 0x00002af9b24756c6 in WebCore::IDBTransactionBackendImpl::abort (this=0xfba160, error=...) at ../../Source/WebCore/Modules/indexeddb/IDBTransactionBackendImpl.cpp:141
#21 0x00002af9b24753f5 in WebCore::IDBTransactionBackendImpl::abort (this=0xfba160) at ../../Source/WebCore/Modules/indexeddb/IDBTransactionBackendImpl.cpp:96
#22 0x00002af9b243b605 in WebCore::IDBDatabaseBackendImpl::abort (this=0xe74620, transactionId=7) at ../../Source/WebCore/Modules/indexeddb/IDBDatabaseBackendImpl.cpp:672
#23 0x00002af9b248389f in WebCore::IDBTransaction::abort (this=0xfa7880, ec=@0x7fff31d8f56c: 32767) at ../../Source/WebCore/Modules/indexeddb/IDBTransaction.cpp:229
#24 0x00002af9b2484775 in WebCore::IDBTransaction::stop (this=0xfa7880) at ../../Source/WebCore/Modules/indexeddb/IDBTransaction.cpp:430
#25 0x00002af9b15d40ac in WebCore::ScriptExecutionContext::stopActiveDOMObjects (this=0xd3dea0) at ../../Source/WebCore/dom/ScriptExecutionContext.cpp:235
#26 0x00002af9b14e0f37 in WebCore::Document::detach (this=0xd3de00) at ../../Source/WebCore/dom/Document.cpp:2049
#27 0x00002af9b14e1184 in WebCore::Document::prepareForDestruction (this=0xd3de00) at ../../Source/WebCore/dom/Document.cpp:2119
#28 0x00002af9b1addc20 in WebCore::Frame::setView (this=0x6a6800, view=...) at ../../Source/WebCore/page/Frame.cpp:266
#29 0x00002af9b1ae0329 in WebCore::Frame::createView (this=0x6a6800, viewportSize=..., backgroundColor=..., transparent=false, fixedLayoutSize=..., fixedVisibleContentRect=..., useFixedLayout=false, horizontalScrollbarMode=WebCore::ScrollbarAuto, horizontalLock=false, verticalScrollbarMode=WebCore::ScrollbarAuto, verticalLock=false) at ../../Source/WebCore/page/Frame.cpp:787
#30 0x00002af9b116770b in WebKit::FrameLoaderClient::transitionToCommittedForNewPage (this=0x6a5300) at ../../Source/WebKit/gtk/WebCoreSupport/FrameLoaderClientGtk.cpp:1254
#31 0x00002af9b1a0b169 in WebCore::FrameLoader::transitionToCommitted (this=0x6a6880, cachedPage=...) at ../../Source/WebCore/loader/FrameLoader.cpp:1859
#32 0x00002af9b1a0a5b6 in WebCore::FrameLoader::commitProvisionalLoad (this=0x6a6880) at ../../Source/WebCore/loader/FrameLoader.cpp:1701
#33 0x00002af9b19ecce9 in WebCore::DocumentLoader::commitIfReady (this=0x101c210) at ../../Source/WebCore/loader/DocumentLoader.cpp:277
#34 0x00002af9b19ecd04 in WebCore::DocumentLoader::finishedLoading (this=0x101c210) at ../../Source/WebCore/loader/DocumentLoader.cpp:283
#35 0x00002af9b19ef65f in WebCore::DocumentLoader::maybeLoadEmpty (this=0x101c210) at ../../Source/WebCore/loader/DocumentLoader.cpp:880
#36 0x00002af9b19ef737 in WebCore::DocumentLoader::startLoadingMainResource (this=0x101c210) at ../../Source/WebCore/loader/DocumentLoader.cpp:890
#37 0x00002af9b1a0c6ae in WebCore::FrameLoader::continueLoadAfterWillSubmitForm (this=0x6a6880) at ../../Source/WebCore/loader/FrameLoader.cpp:2221
#38 0x00002af9b1a0f235 in WebCore::FrameLoader::continueLoadAfterNavigationPolicy (this=0x6a6880, formState=..., shouldContinue=true) at ../../Source/WebCore/loader/FrameLoader.cpp:2836
#39 0x00002af9b1a0e947 in WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy (argument=0x6a6880, request=..., formState=..., shouldContinue=true) at ../../Source/WebCore/loader/FrameLoader.cpp:2706
#40 0x00002af9b1a45d73 in WebCore::PolicyCallback::call (this=0x7fff31d8ff90, shouldContinue=true) at ../../Source/WebCore/loader/PolicyCallback.cpp:103
#41 0x00002af9b1a46ce1 in WebCore::PolicyChecker::continueAfterNavigationPolicy (this=0x6a6890, policy=WebCore::PolicyUse) at ../../Source/WebCore/loader/PolicyChecker.cpp:176
#42 0x00002af9b119177a in webkit_web_policy_decision_use (decision=0xd33f80) at ../../Source/WebKit/gtk/webkit/webkitwebpolicydecision.cpp:88
#43 0x00002af9b116434e in WebKit::FrameLoaderClient::dispatchDecidePolicyForNavigationAction (this=0x6a5300, policyFunction=(void (WebCore::PolicyChecker::*)(WebCore::PolicyChecker * const, WebCore::PolicyAction)) 0x2af9b1a46a96 <WebCore::PolicyChecker::continueAfterNavigationPolicy(WebCore::PolicyAction)>, action=..., resourceRequest=...) at ../../Source/WebKit/gtk/WebCoreSupport/FrameLoaderClientGtk.cpp:485
#44 0x00002af9b1a466e7 in WebCore::PolicyChecker::checkNavigationPolicy (this=0x6a6890, request=..., loader=0x101c210, formState=..., function=0x2af9b1a0e8f8 <WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy(void*, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>, argument=0x6a6880) at ../../Source/WebCore/loader/PolicyChecker.cpp:98
#45 0x00002af9b1a08e38 in WebCore::FrameLoader::loadWithDocumentLoader (this=0x6a6880, loader=0x101c210, type=WebCore::FrameLoadTypeStandard, prpFormState=...) at ../../Source/WebCore/loader/FrameLoader.cpp:1400
#46 0x00002af9b1a08870 in WebCore::FrameLoader::load (this=0x6a6880, newDocumentLoader=0x101c210) at ../../Source/WebCore/loader/FrameLoader.cpp:1341
#47 0x00002af9b1a083cf in WebCore::FrameLoader::load (this=0x6a6880, passedRequest=...) at ../../Source/WebCore/loader/FrameLoader.cpp:1291
#48 0x00002af9b118b933 in webkit_web_frame_load_uri (frame=0x6a6060, uri=0x4ff570 "about:blank") at ../../Source/WebKit/gtk/webkit/webkitwebframe.cpp:678
#49 0x00002af9b11a4c8e in webkit_web_view_load_uri (webView=0x6402b0, uri=0x4ff570 "about:blank") at ../../Source/WebKit/gtk/webkit/webkitwebview.cpp:4114
#50 0x00002af9b11a4a44 in webkit_web_view_open (webView=0x6402b0, uri=0x4ff570 "about:blank") at ../../Source/WebKit/gtk/webkit/webkitwebview.cpp:4074
#51 0x000000000049c182 in runTest (inputLine=...) at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:791
#52 0x000000000049b721 in runTestingServerLoop () at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:551
#53 0x000000000049ea4f in main (argc=2, argv=0x7fff31d91a38) at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:1510
Attachments
patch to review (4.79 KB, patch)
2013-09-12 22:52 PDT, minggang wang
no flags
minggang wang
Comment 1 2013-09-12 22:52:40 PDT
Created attachment 211511 [details] patch to review
Joshua Bell
Comment 2 2013-09-13 10:47:34 PDT
Comment on attachment 211511 [details] patch to review
View in context: https://bugs.webkit.org/attachment.cgi?id=211511&action=review

> Source/WebCore/Modules/indexeddb/IDBTransaction.cpp:234
> while (!m_requestList.isEmpty()) {

FYI, it looks like we solved this in Blink by simply skipping the request list cleanup if the context is stopped, plus some other transaction/database/request lifetime management tweaks. The Blink patch was https://chromiumcodereview.appspot.com/14236002 - note the commit comment "The unit test turned up a subtle but apparently harmless quirk caused by arbitrary ordering of ActiveDOMObject::stop() calls..." - shortly after this patch in trunk we saw a crash report from beta and realized it wasn't so harmless, and backported the fix to the beta.
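As an added illustration (not code from WebKit, Blink or the attached patch), the C++ below models the lifetime pattern visible in the trace. Frame #25 shows stopActiveDOMObjects still walking the context's set of active objects when frame #0 fires inside the destructor of an IDBRequest that IDBTransaction::stop tore down through abort; the example assumes, consistent with that trace, that the CRASH() at ScriptExecutionContext.cpp:265 is a guard against an object unregistering itself during that walk. The class and function names (Context, ActiveObject, Transaction, Request, teardownSucceeds) are the example's own, the guard is recorded as a flag rather than aborting so the program stays memory-safe, and the guarded branch in Transaction::abort is a simplification of the "skip the request list cleanup if the context is stopped" approach described in comment 2, not the Blink change itself.

```cpp
#include <cstdio>
#include <memory>
#include <set>
#include <vector>

class Context;

// Models ActiveDOMObject: registers with its context on construction
// and unregisters from its destructor.
class ActiveObject {
public:
    explicit ActiveObject(Context& ctx);
    virtual ~ActiveObject();
    virtual void stop() {}
protected:
    Context& m_ctx;
};

// Models the active-object bookkeeping in ScriptExecutionContext.
class Context {
public:
    bool stopped() const { return m_stopped; }
    bool guardFired() const { return m_guardFired; }

    void add(ActiveObject* o) { m_objects.insert(o); }

    // Called from ~ActiveObject. Unregistering while stopAll() is walking
    // the set is the condition the real guard crashes on (frame #0 in the
    // log); here it is only recorded, and the set is left untouched so no
    // iterator is invalidated.
    void willDestroy(ActiveObject* o) {
        if (m_iterating) {
            m_guardFired = true;
            return;
        }
        m_objects.erase(o);
    }

    // Models stopActiveDOMObjects (frame #25): walk the live set and call
    // stop() on every registered object.
    void stopAll() {
        m_stopped = true;
        m_iterating = true;
        for (ActiveObject* o : m_objects) {
            o->stop();
            if (m_guardFired)
                break; // the real CRASH() never returns; do not touch dead objects
        }
        m_iterating = false;
    }

private:
    std::set<ActiveObject*> m_objects;
    bool m_stopped = false;
    bool m_iterating = false;
    bool m_guardFired = false;
};

ActiveObject::ActiveObject(Context& ctx) : m_ctx(ctx) { m_ctx.add(this); }
ActiveObject::~ActiveObject() { m_ctx.willDestroy(this); }

// Models IDBRequest (frames #1-#3): an active object kept alive by the
// transaction's pending operations.
class Request : public ActiveObject {
public:
    explicit Request(Context& ctx) : ActiveObject(ctx) {}
};

// Models IDBTransaction (frames #23-#24) together with the backend it
// holds: aborting releases the pending operations, which destroys Requests.
class Transaction : public ActiveObject {
public:
    Transaction(Context& ctx, bool skipCleanupWhenStopped)
        : ActiveObject(ctx), m_skipCleanupWhenStopped(skipCleanupWhenStopped) {}

    void addRequest() { m_pending.emplace_back(new Request(m_ctx)); }

    void stop() override { abort(); }

    void abort() {
        // Simplified form of the approach in comment 2 (assumption, not the
        // Blink patch): once the context is stopping, leave request cleanup
        // to the transaction's own destructor, which runs after the walk.
        if (m_skipCleanupWhenStopped && m_ctx.stopped())
            return;
        m_pending.clear(); // ~Request -> ~ActiveObject -> willDestroy, mid-walk
    }

private:
    bool m_skipCleanupWhenStopped;
    std::vector<std::unique_ptr<Request>> m_pending;
};

// True when document teardown completes without the guard firing; false
// reproduces the shape of the crash in the log.
bool teardownSucceeds(bool skipCleanupWhenStopped) {
    Context ctx;
    {
        Transaction txn(ctx, skipCleanupWhenStopped);
        txn.addRequest();
        txn.addRequest();
        ctx.stopAll(); // Document::detach -> stopActiveDOMObjects
    } // txn and its requests are destroyed here, after the walk has ended
    return !ctx.guardFired();
}

int main() {
    std::printf("abort clears requests during stop: %s\n",
                teardownSucceeds(false) ? "ok" : "guard fired");
    std::printf("abort skips cleanup when stopped:  %s\n",
                teardownSucceeds(true) ? "ok" : "guard fired");
    return 0;
}
```

The point the model makes is that the hazard does not depend on which object the walk reaches first: whether a Request or the Transaction is stopped first, the moment a stop() call drops the last owner of another registered object the guard fires, so any fix has to keep destruction of registered objects out of stop() entirely rather than reorder the calls.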
minggang wang
Comment 3 2013-09-17 21:13:27 PDT
I found a similar one http://code.google.com/p/chromium/issues/detail?id=247395, not sure the cause is the same as this one. If the cause is the same, maybe we can do this in webkit also.
Carlos Garcia Campos
Comment 4 2015-01-26 00:33:53 PST
All these tests except storage/indexeddb/objectstore-basics.html pass for me now with the DatabaseProcess. objectstore-basics.html fails but it doesn't crash. It's currently listed in the TestExpectation files as "Blink tests that crash the WebProcess under IDBDatabase::dispatchEvent or IDBRequest::dispatchEvent (possibly all related)"
Carlos Garcia Campos
Comment 5 2015-05-25 01:21:04 PDT
These crashes no longer happen in r184850.
Csaba Osztrogonác
Comment 6 2015-09-14 10:40:14 PDT
Comment on attachment 211511 [details] patch to review
Cleared review? from attachment 211511 [details] so that this bug does not appear in http://webkit.org/pending-review. If you would like this patch reviewed, please attach it to a new bug (or re-open this bug before marking it for review again).