If the IDB front IDBDatabaseBackendImpl, IDBRequest and IDBDatabase objects are communicating asynchronously (e.g. Chromium port), then there is a race condition:

A normal connection opens - note the two-phase openConnection() / registerFrontendCallbacks()
* IDBRequest req1 = IDBFactory::open()
* which async invokes IDBDatabaseBackendImpl::openConnection()
* which async invokes IDBRequest::OnSuccess() on req1, which creates IDBDatabase connection1
* which async invokes IDBDatabaseBackendImpl::registerFrontendCallbacks(IDBDatabase), which "registers" connection1

Now a second connection opens, where
* IDBRequest req2 = IDBFactory::open()
* which async invokes IDBDatabaseBackendImpl::openConnection()
* which async invokes IDBRequest::OnSuccess() on req2, which creates IDBDatabase connection2
* which async invokes IDBDatabaseBackendImpl::registerFrontendCallbacks(IDBDatabase)...
* INTERRUPT:
* connection1 async invokes IDBDatabase::close() which calls IDBDatabaseBackendImpl::close()
* at this point there are no registered callbacks, so it releases its backing store and drops itself from the factory
* RESUME:
* IDBDatabaseBackendImpl::registerFrontendCallbacks(IDBDatabase) "registers" connection2
* connection2.setVersion() is called, but the backing store ref has been released. *boom*

So the bug is that IDBDatabaseBackendImpl::close should not close itself if there are pending connections in the limbo state between openConnection() and registerFrontendCallbacks(). The correct long-term fix is probably to eliminate this limbo state entirely.
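The interleaving in the report, replayed as an added C++ model that is not WebKit's code; the pendingOpens counter and guardLimbo flag are assumptions standing in for however the backend would track connections still in the limbo state.

```cpp
#include <algorithm>
#include <vector>

// Constructed model (not WebKit's code) of the lifecycle described in the report.
struct IDBDatabase {};                     // stands in for one frontend connection

struct IDBDatabaseBackendImpl {
    bool hasBackingStore = true;           // released when the backend closes itself
    int pendingOpens = 0;                  // assumption: connections in limbo between
                                           // openConnection() and registerFrontendCallbacks()
    std::vector<IDBDatabase*> frontends;   // registered frontend callbacks
    bool guardLimbo;                       // true = apply the fix proposed in the report

    explicit IDBDatabaseBackendImpl(bool fix) : guardLimbo(fix) {}

    // Phase one: the open request has succeeded, but the frontend is not registered yet.
    void openConnection() { ++pendingOpens; }

    // Phase two: the frontend registers itself and leaves the limbo state.
    void registerFrontendCallbacks(IDBDatabase* db) {
        --pendingOpens;
        frontends.push_back(db);
    }

    // Called from IDBDatabase::close(). Without the guard, the last registered
    // frontend closing releases the backing store even if another open is in limbo.
    void close(IDBDatabase* db) {
        frontends.erase(std::remove(frontends.begin(), frontends.end(), db), frontends.end());
        if (!frontends.empty())
            return;
        if (guardLimbo && pendingOpens > 0)
            return;                        // the fix: a pending connection still needs us
        hasBackingStore = false;           // release backing store, drop from factory
    }

    // setVersion() needs the backing store; returns false where the real code would crash.
    bool setVersion() const { return hasBackingStore; }
};

// Replays the exact interleaving from the report. Returns true if connection2's
// setVersion() still finds the backing store.
bool replayRace(bool applyFix) {
    IDBDatabaseBackendImpl backend(applyFix);
    IDBDatabase connection1, connection2;
    backend.openConnection();                        // req1: IDBFactory::open()
    backend.registerFrontendCallbacks(&connection1); // req1 OnSuccess -> connection1 registered
    backend.openConnection();                        // req2: connection2 now in limbo
    backend.close(&connection1);                     // INTERRUPT: connection1 closes
    backend.registerFrontendCallbacks(&connection2); // RESUME: connection2 registered
    return backend.setVersion();                     // *boom* without the fix
}
```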
Created attachment 148432 [details] Patch
+vsevik@ for the inspector changes. This patch requires that the second phase of database connections is processed.
tony@ can you take a look?
Comment on attachment 148432 [details] Patch
LGTM
dgrogan@, can you take a look too since we were discussing this and how it would relate to your upcoming patch?
Comment on attachment 148432 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=148432&action=review

LGTM

> Source/WebCore/Modules/indexeddb/IDBDatabaseBackendImpl.cpp:347
> + RefPtr<IDBDatabaseBackendImpl> self = this;

What scenario does this prevent?
I didn't look at the inspector part at all.
Comment on attachment 148432 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=148432&action=review

>> Source/WebCore/Modules/indexeddb/IDBDatabaseBackendImpl.cpp:347
>> + RefPtr<IDBDatabaseBackendImpl> self = this;
>
> What scenario does this prevent?

Whoops, good catch. That's just residue from early debugging.
Created attachment 148474 [details] Patch for landing
Comment on attachment 148474 [details] Patch for landing
Clearing flags on attachment: 148474
Committed r120828: <http://trac.webkit.org/changeset/120828>
All reviewed patches have been landed. Closing bug.