Bug 157917 - REGRESSION(201098) GuardMalloc / ASan crashes in WebCore::IDBServer::UniqueIDBDatabase::executeNextDatabaseTaskReply
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Brady Eidson
URL:
Keywords: InRadar
Duplicates: 157915
Depends on:
Blocks: 149117 154968
Reported: 2016-05-19 13:27 PDT by Ryan Haddad
Modified: 2016-05-21 08:28 PDT
CC: 5 users

See Also:


Attachments
Patch (2.28 KB, patch)
2016-05-19 15:03 PDT, Brady Eidson
achristensen: review+

Description Ryan Haddad 2016-05-19 13:27:20 PDT
Started with <http://trac.webkit.org/changeset/201098>

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x000000010feb513c WebCore::IDBServer::UniqueIDBDatabase::executeNextDatabaseTaskReply() + 44
1   com.apple.WebCore             	0x000000010f56e05a WebCore::IDBServer::IDBServer::handleTaskRepliesOnMainThread() + 106
2   com.apple.JavaScriptCore      	0x000000010e043fc7 WTF::dispatchFunctionsFromMainThread() + 519
3   com.apple.Foundation          	0x00007fff90c0efde __NSThreadPerformPerform + 279
4   com.apple.CoreFoundation      	0x00007fff894d7881 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
5   com.apple.CoreFoundation      	0x00007fff894b6fbc __CFRunLoopDoSources0 + 556
6   com.apple.CoreFoundation      	0x00007fff894b64df __CFRunLoopRun + 927
7   com.apple.CoreFoundation      	0x00007fff894b5ed8 CFRunLoopRunSpecific + 296
8   com.apple.HIToolbox           	0x00007fff8f6e1935 RunCurrentEventLoopInMode + 235
9   com.apple.HIToolbox           	0x00007fff8f6e176f ReceiveNextEventCommon + 432
10  com.apple.HIToolbox           	0x00007fff8f6e15af _BlockUntilNextEventMatchingListInModeWithFilter + 71
11  com.apple.AppKit              	0x00007fff973b9efa _DPSNextEvent + 1067
12  com.apple.AppKit              	0x00007fff973b932a -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 454
13  com.apple.AppKit              	0x00007fff973ade84 -[NSApplication run] + 682
14  com.apple.AppKit              	0x00007fff9737746c NSApplicationMain + 1176
15  libxpc.dylib                  	0x00007fff90afa194 _xpc_objc_main + 795
16  libxpc.dylib                  	0x00007fff90af8bbe xpc_main + 494
17  com.apple.WebKit.WebContent   	0x000000010d6747df 0x10d673000 + 6111
18  libdyld.dylib                 	0x00007fff82be85ad start + 1
Comment 1 Ryan Haddad 2016-05-19 13:27:57 PDT
<rdar://problem/26371025>
Comment 2 Brady Eidson 2016-05-19 14:59:19 PDT
This is nothing more than a missing protector ref.
Comment 3 Brady Eidson 2016-05-19 14:59:56 PDT
*** Bug 157915 has been marked as a duplicate of this bug. ***
Comment 4 Brady Eidson 2016-05-19 15:03:15 PDT
Created attachment 279437
Patch
Comment 5 Brady Eidson 2016-05-19 15:16:28 PDT
EWS is smoking something.

http://trac.webkit.org/changeset/201188
Comment 6 Darin Adler 2016-05-21 08:28:49 PDT
Comment on attachment 279437
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=279437&action=review

> Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabase.cpp:1520
> +    RefPtr<UniqueIDBDatabase> protectedThis(this);
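Review bot: `RefPtr<UniqueIDBDatabase> protectedThis(this);` should be `Ref<UniqueIDBDatabase> protectedThis(*this);`, since a protector for `this` can never be null and Ref is the WebKit type for a reference that is guaranteed non-null; it should also be the first statement of executeNextDatabaseTaskReply() so that the strong reference is held before the reply is dequeued and run, which is the point at which the last remaining reference can be dropped.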

A case like this should use Ref rather than RefPtr. In fact, this is sort of the case that Kling made Ref for originally.
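The fix discussed in comments 2 and 6 is the protector-ref idiom: a method that runs a callback which may drop the owner's last reference to `this` takes its own strong reference first, so `this` outlives the callback and the member accesses that follow it. The C++ below is an added example, not WebKit's code: `RefCounted`, `Ref` and `RefPtr` are minimal stand-ins for the WTF classes (refcount starts at 0 instead of WTF's adoptRef convention), and `Lifetime`, `FakeDatabase`, `executeNextTaskReply` and `runScenario` are hypothetical names constructed for the demonstration. Rather than touching freed memory (what GuardMalloc and ASan caught in the report), the method checks a destruction flag and reports whether its post-reply member access would have been safe, with and without the protector.

```cpp
#include <cstdio>
#include <deque>
#include <functional>
#include <optional>
#include <utility>

// Minimal stand-ins for WTF's RefCounted / Ref / RefPtr (constructed for this example).
// They keep the semantics that matter here: Ref is never null and holds a strong reference
// for its whole scope; the last deref() deletes the object.
class RefCounted {
public:
    virtual ~RefCounted() = default;
    void ref() { ++m_refCount; }
    void deref()
    {
        if (!--m_refCount)
            delete this;
    }
    unsigned refCount() const { return m_refCount; }
private:
    unsigned m_refCount { 0 }; // WTF starts at 1 and uses adoptRef(); 0 keeps the demo short
};

template<typename T> class Ref {
public:
    explicit Ref(T& object) : m_ptr(&object) { m_ptr->ref(); }
    Ref(const Ref&) = delete;
    Ref& operator=(const Ref&) = delete;
    ~Ref() { m_ptr->deref(); }
    T& get() const { return *m_ptr; }
private:
    T* m_ptr;
};

template<typename T> class RefPtr {
public:
    explicit RefPtr(T* ptr) : m_ptr(ptr) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr&) = delete;
    RefPtr& operator=(const RefPtr&) = delete;
    ~RefPtr() { clear(); }
    void clear() { T* old = std::exchange(m_ptr, nullptr); if (old) old->deref(); }
    T* get() const { return m_ptr; }
private:
    T* m_ptr;
};

// Set by the destructor so the caller can observe when the object died.
struct Lifetime { bool destroyed { false }; };

// Hypothetical analogue of UniqueIDBDatabase: replies queued by the database thread are run
// on the main thread one at a time, and a reply may remove the database from its owner.
class FakeDatabase : public RefCounted {
public:
    explicit FakeDatabase(Lifetime& lifetime) : m_lifetime(lifetime) {}
    ~FakeDatabase() override { m_lifetime.destroyed = true; }

    void enqueueReply(std::function<void()> reply) { m_replies.push_back(std::move(reply)); }
    unsigned completedReplies() const { return m_completed; }

    // Analogue of executeNextDatabaseTaskReply(). Returns true when the member access after
    // the reply was safe, false when the object had already been freed (the reported crash).
    bool executeNextTaskReply(bool useProtector)
    {
        Lifetime& lifetime = m_lifetime; // local alias: still readable after `this` is gone
        std::optional<Ref<FakeDatabase>> protectedThis;
        if (useProtector)
            protectedThis.emplace(*this); // WebKit idiom: Ref<UniqueIDBDatabase> protectedThis(*this);

        auto reply = std::move(m_replies.front());
        m_replies.pop_front();
        reply(); // may drop the owner's reference, the last one unless a protector exists

        if (lifetime.destroyed)
            return false; // touching m_completed or m_replies here would be the use-after-free
        ++m_completed;
        return true;
    }
private:
    Lifetime& m_lifetime;
    std::deque<std::function<void()>> m_replies;
    unsigned m_completed { 0 };
};

// Constructed scenario: the owner's only reference to the database is dropped from inside a
// reply, the shape of a "database deleted" reply arriving on the main thread.
bool runScenario(bool useProtector)
{
    Lifetime lifetime;
    RefPtr<FakeDatabase> owner(new FakeDatabase(lifetime));
    FakeDatabase& database = *owner.get();
    database.enqueueReply([&owner] { owner.clear(); });
    return database.executeNextTaskReply(useProtector);
}

int main()
{
    std::printf("with Ref protector: %s\n", runScenario(true) ? "safe" : "use-after-free");
    std::printf("without protector:  %s\n", runScenario(false) ? "safe" : "use-after-free");
    return 0;
}
```

The protector is a `Ref`, not a `RefPtr`, for the reason Darin gives: it is constructed from `*this` and can never be null, so the nullable type adds nothing and invites a pointless null check. Declaring it as the first statement matters as much as its type; a protector taken after the reply has run is too late.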