[Webkit-unassigned] [Bug 67684] New: [Chromium/FileWriter] race condition in FileWriter completion can lead to assert

Tue Sep 6 16:40:15 PDT 2011

https://bugs.webkit.org/show_bug.cgi?id=67684

           Summary: [Chromium/FileWriter] race condition in FileWriter
                    completion can lead to assert
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: HTML DOM
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: ericu at chromium.org
                CC: kinuko at chromium.org

In FileWriter.cpp, when we complete a FileWriter action [didWrite, didTruncate, or didFail] we post a task to notify the user asynchronously.  We only update m_readyState when that task gets executed.  If, in the window between completion and the notification, we get a cancel request, we'll pass it through to a backend that knows it's already done.  On Chromium's implementation, this leads to an assertion failure.

The fix is to prevent any action that would be illegal in that interim state, perhaps by keying off of m_blobBeingWritten not being set or m_truncateLength being invalid.  The assertion fix is just to fix stop(), but abort() should also be handled.

See http://code.google.com/p/chromium/issues/detail?id=94895 for sample code that will cause the assertion failure [also attached].

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.