Bug 94618 - IndexedDB: IDBRequest can be destructed during abort
Summary: IndexedDB: IDBRequest can be destructed during abort
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 523.x (Safari 3)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Joshua Bell
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-08-21 11:11 PDT by Joshua Bell
Modified: 2012-08-22 15:28 PDT

See Also:

Attachments
Patch (2.19 KB, patch)
2012-08-21 11:36 PDT, Joshua Bell

Description Joshua Bell 2012-08-21 11:11:22 PDT
If all script references to an IDBRequest have been dropped, it's possible the only thing keeping a request alive is an enqueued event. If that's the case and the request is abort()ed, the destructor can run in the middle of the abort() method and asserts.

Abbreviated stack trace:

ASSERTION FAILED: m_readyState == DONE || m_readyState == EarlyDeath || !scriptExecutionContext()
../../third_party/WebKit/Source/WebCore/Modules/indexeddb/IDBRequest.cpp(83) : virtual WebCore::IDBRequest::~IDBRequest()
1   WebCore::IDBRequest::~IDBRequest()
...
7   WebCore::EventTarget::deref()
...
13  WebCore::Event::~Event()
...
22  WTF::Vector<WTF::RefPtr<WebCore::Event>, 0ul>::clear()
23  WebCore::IDBRequest::abort()
24  WebCore::IDBTransaction::abort(int&)
25  WebCore::IDBTransaction::stop()
26  non-virtual thunk to WebCore::IDBTransaction::stop()
27  WebCore::ScriptExecutionContext::stopActiveDOMObjects()
28  WebCore::Document::detach()
29  WebCore::Document::prepareForDestruction()
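To make the sequence in the description concrete, the following is an added example; it is not WebKit code and not the patch attached to this bug. It models an IDBRequest-like object whose only remaining owner is an event it enqueued, and shows abort() tearing the event queue down with and without a local strong reference held across the teardown (the protector idiom common in WebKit; whether the landed patch uses exactly that is not shown on this page). Assumptions, all marked in the code: a minimal stand-in for WTF::RefPtr, a transaction that reaches the request only through a non-owning pointer, one strong reference per enqueued event, and a simulated deallocator that parks dead objects in a graveyard instead of freeing them so that the mid-abort death stays observable rather than undefined behaviour.

```cpp
// Added illustration, not WebKit code: a refcounted request whose only
// remaining owner is an event it enqueued, torn down from inside abort().
#include <cstdio>
#include <memory>
#include <utility>
#include <vector>

// Minimal intrusive smart pointer standing in for WTF::RefPtr (assumed).
template <typename T>
class RefPtr {
public:
    RefPtr() : m_ptr(nullptr) {}
    RefPtr(T* p) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& o) : m_ptr(o.m_ptr) { if (m_ptr) m_ptr->ref(); }
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    RefPtr& operator=(T* p) { RefPtr tmp(p); std::swap(m_ptr, tmp.m_ptr); return *this; }
    RefPtr& operator=(const RefPtr& o) { RefPtr tmp(o); std::swap(m_ptr, tmp.m_ptr); return *this; }
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }
private:
    T* m_ptr;
};

// What the "destructor" observed; the real ASSERT fires in the pending case.
struct Report {
    int destroyedPending = 0;   // object died while m_readyState was still Pending
    int destroyedDone = 0;      // object died after abort() finished normally
    bool abortCompleted = false;
};

enum class ReadyState { Pending, Done };

class Request;

// Stands in for WebCore::Event: holds a strong reference to its target.
class Event {
public:
    explicit Event(Request* target);
    ~Event();
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }
private:
    int m_refCount = 0;
    RefPtr<Request> m_target;
};

// Stands in for WebCore::IDBRequest. When the last reference drops it runs its
// destructor logic, marks itself dead and parks itself in a graveyard instead
// of freeing memory (simulation only), so touching it afterwards is observable.
class Request {
public:
    static RefPtr<Request> create(Report* report) { return RefPtr<Request>(new Request(report)); }
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) destroy(); }

    // Enqueue an event targeted at this request; the event holds one strong ref.
    void enqueueEvent() { m_enqueuedEvents.push_back(RefPtr<Event>(new Event(this))); }

    // Mirrors the shape of IDBRequest::abort(): drop the queued events, then
    // keep working on *this. Returns false if *this died part-way through.
    bool abort(bool protectSelf) {
        RefPtr<Request> protector;
        if (protectSelf)
            protector = this;        // the guard: hold a reference across the teardown
        m_enqueuedEvents.clear();    // may release the last reference to *this
        if (!m_alive)
            return false;            // real code would now be writing to freed memory
        m_readyState = ReadyState::Done;
        return true;
    }

    static void drainGraveyard() { graveyard().clear(); }

private:
    explicit Request(Report* report) : m_report(report) {}

    // Stands in for ~IDBRequest(): its ASSERT fails exactly when the object
    // dies while m_readyState is still Pending.
    void destroy() {
        if (m_readyState == ReadyState::Done)
            ++m_report->destroyedDone;
        else
            ++m_report->destroyedPending;
        m_alive = false;
        graveyard().emplace_back(this);
    }
    static std::vector<std::unique_ptr<Request>>& graveyard() {
        static std::vector<std::unique_ptr<Request>> g;
        return g;
    }

    int m_refCount = 0;
    bool m_alive = true;
    ReadyState m_readyState = ReadyState::Pending;
    Report* m_report;
    std::vector<RefPtr<Event>> m_enqueuedEvents;
};

Event::Event(Request* target) : m_target(target) {}
Event::~Event() {}   // m_target's destructor derefs the request

// The sequence from the bug: script drops its last reference, an enqueued
// event is the request's only remaining owner, then the transaction aborts it.
Report runScenario(bool protectSelf) {
    Report report;
    Request* transactionView = nullptr;    // transaction's non-owning pointer (assumed)
    {
        RefPtr<Request> scriptRef = Request::create(&report);
        scriptRef->enqueueEvent();
        transactionView = scriptRef.get();
        scriptRef = nullptr;               // the JS wrapper has been collected
    }
    report.abortCompleted = transactionView->abort(protectSelf);
    Request::drainGraveyard();             // now actually free whatever died above
    return report;
}

int main() {
    Report bad = runScenario(false);
    Report good = runScenario(true);
    std::printf("unprotected: died pending=%d, abort completed=%d\n", bad.destroyedPending, bad.abortCompleted);
    std::printf("protected:   died pending=%d, abort completed=%d\n", good.destroyedPending, good.abortCompleted);
    return 0;
}
```

Without the protector, clearing the event vector releases the event, the event releases its target, and the request's destructor logic runs while the ready state is still Pending, which is the assertion in the trace above; every statement abort() executes after that point is a use after free. With the protector the object outlives abort() and dies in the Done state.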
Comment 1 Joshua Bell 2012-08-21 11:36:49 PDT
Created attachment 159729
Patch
Comment 2 Alec Flett 2012-08-21 12:01:37 PDT
lgtm
Comment 3 Joshua Bell 2012-08-21 12:09:15 PDT
Link to Chromium test flake report: http://code.google.com/p/chromium/issues/detail?id=143855
Comment 4 Joshua Bell 2012-08-21 12:09:31 PDT
tony@ - r?
Comment 5 Tony Chang 2012-08-21 13:38:03 PDT
Comment on attachment 159729
Patch

If there's a way to reliably hit the assert, it would be nice to add a test case for it.
Comment 6 WebKit Review Bot 2012-08-22 15:28:33 PDT
Comment on attachment 159729
Patch

Clearing flags on attachment: 159729

Committed r126361: <http://trac.webkit.org/changeset/126361>
Comment 7 WebKit Review Bot 2012-08-22 15:28:36 PDT
All reviewed patches have been landed. Closing bug.