Bug 141094 - Crash in MemoryCache::removeRequestFromSessionCaches()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Chris Dumez
Reported: 2015-01-30 13:06 PST by Chris Dumez
Modified: 2015-01-30 14:00 PST

Description Chris Dumez 2015-01-30 13:06:40 PST
Crash in MemoryCache::removeRequestFromSessionCaches() sometimes happens when running fast/files/workers/worker-apply-blob-url-to-xhr.html:
https://build.webkit.org/results/Apple%20Mavericks%20Debug%20WK1%20(Tests)/r179403%20(10178)/fast/files/workers/worker-apply-blob-url-to-xhr-crash-log.txt

The reason is that we remove items from m_sessionResources as we are iterating over it, thus invalidating our iterator.
Comment 1 Chris Dumez 2015-01-30 13:48:22 PST
r179403 is calling HashTable::add(), which invalidates all iterators, even if we don't end up actually adding anything to the HashTable. The previous code was calling get() (which would not invalidate iterators) and then calling add() only if the item was not in the HashMap. From this call site, we know the sessionID is in the HashMap so it is actually safe, but we hit the assertion in HashTableIterator anyway.

A clean solution would be to have 2 separate sessionResources() getters: a getOrCreate() one and a getOnlyIfExists() one.
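
The two-getter split proposed in comment 1, as an added C++ sketch (not WebKit code and not written by the bug's author). `SessionCaches`, its mutation counter and the sample blob URLs are assumptions made for illustration; the counter stands in for a debug iterator check that treats every add() as a table mutation, even when the key already exists.

```cpp
// Added illustration; not WebKit source. SessionCaches is a hypothetical
// stand-in for the per-session resource maps discussed in this bug.
#include <cstddef>
#include <map>
#include <memory>
#include <string>

using SessionID = int;
using ResourceMap = std::map<std::string, int>; // URL -> resource (constructed)

class SessionCaches {
public:
    // Models add(): counted as a mutation of the outer table on every call,
    // whether or not a new entry is actually created.
    ResourceMap& getOrCreate(SessionID id)
    {
        ++m_mutations;
        auto& slot = m_maps[id];
        if (!slot)
            slot = std::make_unique<ResourceMap>();
        return *slot;
    }

    // Pure lookup: never touches the outer table, returns nullptr when absent.
    ResourceMap* getOnlyIfExists(SessionID id)
    {
        auto it = m_maps.find(id);
        return it == m_maps.end() ? nullptr : it->second.get();
    }

    // Walks every session and drops `url`. Returns true only if the outer
    // table saw no mutation during the walk, i.e. its iterators stayed valid.
    bool removeFromAllSessions(const std::string& url, bool useLookupOnly)
    {
        const unsigned before = m_mutations;
        for (auto& entry : m_maps) {
            ResourceMap* resources = useLookupOnly
                ? getOnlyIfExists(entry.first)
                : &getOrCreate(entry.first);
            if (resources)
                resources->erase(url);
        }
        return m_mutations == before;
    }

    std::size_t sessionCount() const { return m_maps.size(); }

private:
    std::map<SessionID, std::unique_ptr<ResourceMap>> m_maps;
    unsigned m_mutations = 0;
};
```
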
Comment 2 Chris Dumez 2015-01-30 14:00:38 PST
Rolled out in <http://trac.webkit.org/changeset/179410>.