[Webkit-unassigned] [Bug 74554] New: [Chromium] DatabaseTrackerChromium: iterating DatabaseSet races with Database disposal on worker thread

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Dec 14 16:09:59 PST 2011


https://bugs.webkit.org/show_bug.cgi?id=74554

           Summary: [Chromium] DatabaseTrackerChromium: iterating
                    DatabaseSet races with Database disposal on worker
                    thread
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: dslomov at google.com
                CC: michaeln at google.com, ericu at chromium.org,
                    dslomov at google.com


The race is exposed if several layout tests are run in the same DumpRenderTree instance. To reproduce, run 
path/to/DumpRenderTree path/to/LayoutTests/fast/workers/storage/*

Looks like DatabaseSet and friends should expose RefPtrs, not naked pointers to Database.
Here are the valgrind traces:

Invalid read on UI thread where a naked AbstractDatabase* is exposed:
==882== Invalid read of size 8
==882==    at 0x13BA78C: WebCore::DatabaseTracker::interruptAllDatabasesForContext(WebCore::ScriptExecutionContext const*) (DatabaseTrackerChromium.cpp:206)
==882==    by 0x13DCD5E: WebCore::WorkerThread::stop() (WorkerThread.cpp:252)
==882==    by 0x13D5CA5: WebCore::WorkerMessagingProxy::terminateWorkerContext() (WorkerMessagingProxy.cpp:446)
==882==    by 0x5217CE: WebKit::WebWorkerClientImpl::terminateWorkerContext() (WebWorkerClientImpl.cpp:97)
==882==    by 0x23D4C8E: WebCore::Worker::terminate() (Worker.cpp:118)
==882==    by 0x23D4CB9: WebCore::Worker::stop() (Worker.cpp:129)
==882==    by 0xD2353F: WebCore::ScriptExecutionContext::stopActiveDOMObjects() (ScriptExecutionContext.cpp:250)
==882==    by 0xC7EE42: WebCore::Document::detach() (Document.cpp:1831)
==882==    by 0x130DEB9: WebCore::Frame::setView(WTF::PassRefPtr<WebCore::FrameView>) (Frame.cpp:261)
==882==    by 0x1310594: WebCore::Frame::createView(WebCore::IntSize const&, WebCore::Color const&, bool, WebCore::IntSize const&, bool, WebCore::ScrollbarMode, bool, WebCore::ScrollbarMode, bool) (Frame.cpp:848)
==882==    by 0x49A478: WebKit::WebFrameImpl::createFrameView() (WebFrameImpl.cpp:2119)
==882==    by 0x4E6FD1: WebKit::FrameLoaderClientImpl::makeDocumentView() (FrameLoaderClientImpl.cpp:265)
==882==    by 0x4EA9EB: WebKit::FrameLoaderClientImpl::transitionToCommittedForNewPage() (FrameLoaderClientImpl.cpp:1401)
==882==    by 0x127468E: WebCore::FrameLoader::transitionToCommitted(WTF::PassRefPtr<WebCore::CachedPage>) (FrameLoader.cpp:1917)
==882==    by 0x1273B1F: WebCore::FrameLoader::commitProvisionalLoad() (FrameLoader.cpp:1769)
==882==    by 0x1255909: WebCore::DocumentLoader::commitIfReady() (DocumentLoader.cpp:274)
==882==    by 0x12559B7: WebCore::DocumentLoader::commitLoad(char const*, int) (DocumentLoader.cpp:295)
==882==    by 0x1255C1D: WebCore::DocumentLoader::receivedData(char const*, int) (DocumentLoader.cpp:329)
==882==    by 0x1289A5E: WebCore::MainResourceLoader::addData(char const*, int, bool) (MainResourceLoader.cpp:170)
==882==    by 0x129D38A: WebCore::ResourceLoader::didReceiveData(char const*, int, long long, bool) (ResourceLoader.cpp:287)
==882==    by 0x128B00B: WebCore::MainResourceLoader::didReceiveData(char const*, int, long long, bool) (MainResourceLoader.cpp:476)
==882==    by 0x129DC99: WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle*, char const*, int, int) (ResourceLoader.cpp:441)
==882==    by 0x4FEE31: WebCore::ResourceHandleInternal::didReceiveData(WebKit::WebURLLoader*, char const*, int, int) (ResourceHandle.cpp:140)
==882==    by 0x1B1BA3F: webkit_glue::WebURLLoaderImpl::Context::OnReceivedData(char const*, int, int) (weburlloader_impl.cc:600)
==882==    by 0x1BF48BF: (anonymous namespace)::RequestProxy::NotifyReceivedData(int) (simple_resource_loader_bridge.cc:274)
==882==    by 0x1BFAFB8: base::internal::RunnableAdapter<void ((anonymous namespace)::RequestProxy::*)(int)>::Run((anonymous namespace)::RequestProxy*, int const&) (bind_internal.h:189)
==882==    by 0x1BFA9AB: base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void ((anonymous namespace)::RequestProxy::*)(int)>, void ()((anonymous namespace)::RequestProxy* const&, int const&)>::MakeItSo(base::internal::RunnableAdapter<void ((anonymous namespace)::RequestProxy::*)(int)>, (anonymous namespace)::RequestProxy* const&, int const&) (bind_internal.h:876)
==882==    by 0x1BF9E13: base::internal::Invoker<2, base::internal::BindState<base::internal::RunnableAdapter<void ((anonymous namespace)::RequestProxy::*)(int)>, void ()((anonymous namespace)::RequestProxy*, int), void ()((anonymous namespace)::RequestProxy*, int)>, void ()((anonymous namespace)::RequestProxy*, int)>::Run(base::internal::BindStateBase*) (bind_internal.h:1214)
==882==    by 0x693C8E: base::Callback<void ()()>::Run() const (callback.h:274)
==882==    by 0x6AF0BC: MessageLoop::RunTask(base::PendingTask const&) (message_loop.cc:491)

Disposal on worker thread:
==882==  Address 0x1e1bf690 is 0 bytes inside a block of size 360 free'd
==882==    at 0x5CBE5BA: free (vg_replace_malloc.c:1081)
==882==    by 0x65D220: WTF::fastFree(void*) (FastMalloc.cpp:330)
==882==    by 0x48BD4B: WTF::ThreadSafeRefCountedBase::operator delete(void*) (ThreadSafeRefCounted.h:72)
==882==    by 0x138EE1E: WebCore::Database::~Database() (Database.cpp:168)
==882==    by 0x121445B: WTF::ThreadSafeRefCounted<WebCore::AbstractDatabase>::deref() (ThreadSafeRefCounted.h:137)
==882==    by 0x17FF0D7: WebCore::V8Database::derefObject(void*) (V8Database.cpp:219)
==882==    by 0x140B6C5: WebCore::WrapperTypeInfo::derefObject(void*) (WrapperTypeInfo.h:81)
==882==    by 0x140B694: WebCore::DOMData::derefObject(WebCore::WrapperTypeInfo*, void*) (DOMData.cpp:59)
==882==    by 0x10412A6: WebCore::DOMData::WrapperMapObjectRemover<void>::visitDOMWrapper(WebCore::DOMDataStore*, void*, v8::Persistent<v8::Object>) (DOMData.h:67)
==882==    by 0x1410505: WebCore::WeakReferenceMap<void, v8::Object>::visit(WebCore::DOMDataStore*, WebCore::AbstractWeakReferenceMap<void, v8::Object>::Visitor*) (V8DOMMap.h:131)
==882==    by 0x1040BA4: void WebCore::DOMData::removeObjectsFromWrapperMap<void>(WebCore::DOMDataStore*, WebCore::AbstractWeakReferenceMap<void, v8::Object>&) (DOMData.h:101)
==882==    by 0x1040198: WebCore::removeAllDOMObjects() (V8DOMMap.cpp:112)
==882==    by 0x1064CE4: WebCore::WorkerScriptController::~WorkerScriptController() (WorkerScriptController.cpp:66)
==882==    by 0x13CEB38: void WTF::deleteOwnedPtr<WebCore::WorkerScriptController>(WebCore::WorkerScriptController*) (OwnPtrCommon.h:53)
==882==    by 0x13DD22B: WTF::OwnPtr<WebCore::WorkerScriptController>::clear() (OwnPtr.h:100)
==882==    by 0x13DCDED: WebCore::WorkerContext::clearScript() (WorkerContext.h:85)
==882==    by 0x13DCFB7: WebCore::WorkerThreadShutdownFinishTask::performTask(WebCore::ScriptExecutionContext*) (WorkerThread.cpp:197)
==882==    by 0x13D8D3A: WebCore::WorkerRunLoop::Task::performTask(WebCore::WorkerRunLoop const&, WebCore::ScriptExecutionContext*) (WorkerRunLoop.cpp:216)
==882==    by 0x13D8B02: WebCore::WorkerRunLoop::runCleanupTasks(WebCore::WorkerContext*) (WorkerRunLoop.cpp:188)
==882==    by 0x13D86AD: WebCore::WorkerRunLoop::run(WebCore::WorkerContext*) (WorkerRunLoop.cpp:137)
==882==    by 0x13DCCCC: WebCore::WorkerThread::runEventLoop() (WorkerThread.cpp:179)
==882==    by 0x13CA35C: WebCore::DedicatedWorkerThread::runEventLoop() (DedicatedWorkerThread.cpp:66)
==882==    by 0x13DCBD6: WebCore::WorkerThread::workerThread() (WorkerThread.cpp:153)
==882==    by 0x13DC9B5: WebCore::WorkerThread::workerThreadStart(void*) (WorkerThread.cpp:124)
==882==    by 0x1C50568: WTF::threadEntryPoint(void*) (Threading.cpp:67)
==882==    by 0xA2DF9C9: start_thread (pthread_create.c:300)
==882==    by 0xC6EB70C: clone (clone.S:112)
==882==

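The report suggests that the tracker's set should hold RefPtrs rather than naked pointers. The following added example (not WebKit code) sketches the hazard-free shape of that design in standard C++: the tracker stores weak references to thread-safe ref-counted objects and, under a lock, promotes each to a strong reference before touching it, so a database disposed on another thread is pruned instead of dereferenced. std::shared_ptr/std::weak_ptr stand in for WebKit's ThreadSafeRefCounted and RefPtr; the class names Database, Tracker and Context are hypothetical stand-ins for the real ones named in the trace.

```cpp
// Added example, not WebKit code. Tracker holds weak references and promotes
// them to strong references under a lock while iterating, so a concurrent
// disposal on another thread cannot leave a dangling pointer in the set.
#include <memory>
#include <mutex>
#include <vector>
#include <atomic>

struct Context {};                      // stand-in for ScriptExecutionContext

class Database {
public:
    explicit Database(const Context* ctx) : m_context(ctx) {}
    const Context* context() const { return m_context; }
    void interrupt() { m_interrupted = true; }
    bool interrupted() const { return m_interrupted; }
private:
    const Context* m_context;
    std::atomic<bool> m_interrupted{false};
};

class Tracker {
public:
    // Registration keeps only a weak reference: the tracker must not extend
    // the database's lifetime, but it must also never observe a freed one.
    void add(const std::shared_ptr<Database>& db) {
        std::lock_guard<std::mutex> lock(m_mutex);
        m_databases.push_back(db);
    }
    // Returns the number of live databases interrupted for ctx. Expired
    // entries (disposed by another thread) are pruned instead of dereferenced.
    int interruptAllForContext(const Context* ctx) {
        std::lock_guard<std::mutex> lock(m_mutex);
        int count = 0;
        for (auto it = m_databases.begin(); it != m_databases.end();) {
            std::shared_ptr<Database> db = it->lock();   // strong ref or null
            if (!db) { it = m_databases.erase(it); continue; }
            if (db->context() == ctx) { db->interrupt(); ++count; }
            ++it;
        }
        return count;
    }
    size_t size() { std::lock_guard<std::mutex> lock(m_mutex); return m_databases.size(); }
private:
    std::mutex m_mutex;
    std::vector<std::weak_ptr<Database>> m_databases;
};
```

With a raw-pointer set, the same iteration would read the freed block exactly as the valgrind trace above shows; here the expired entry is simply dropped.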