[Webkit-unassigned] [Bug 108355] Crash because DatabaseContext destructed before its ScriptExecutionContext

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jan 30 19:44:08 PST 2013


https://bugs.webkit.org/show_bug.cgi?id=108355


Mark Lam <mark.lam at apple.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|[EFL]                       |Crash because
                   |fast/js/caller-property.htm |DatabaseContext destructed
                   |l sometimes asserts         |before its
                   |                            |ScriptExecutionContext
             Status|NEW                         |ASSIGNED
         AssignedTo|webkit-unassigned at lists.web |mark.lam at apple.com
                   |kit.org                     |
                 CC|                            |ap at webkit.org,
                   |                            |beidson at apple.com,
                   |                            |ggaren at apple.com,
                   |                            |sam at webkit.org




--- Comment #3 from Mark Lam <mark.lam at apple.com>  2013-01-30 19:46:08 PST ---
(In reply to comment #0)
> ASSERTION FAILED: m_scriptExecutionContext->isContextThread()
> /home/buildslave-1/webkit-buildslave/efl-linux-64-debug-wk2/build/Source/WebCore/dom/ActiveDOMObject.cpp(65) : virtual WebCore::ActiveDOMObject::~ActiveDOMObject()
> 1   0x7f28e5ea029e WebCore::ActiveDOMObject::~ActiveDOMObject()
...
> 3   0x7f28e5c2433c WebCore::DatabaseContext::~DatabaseContext()
> 4   0x7f28e5c13dcc WTF::RefCounted<WebCore::DatabaseContext>::deref()
...
> 9   0x7f28e5c0e982 WebCore::Database::~Database()
...
> 16  0x7f28e5c2afff WebCore::DatabaseThread::databaseThread()
> 17  0x7f28e5c2adaa WebCore::DatabaseThread::databaseThreadStart(void*)
...

The crash stack trace shows that the DatabaseContext is being destructed from the DatabaseThread.  This should be fine.  However, the failed assertion only triggers if the DatabaseContext is still associated with the ScriptExecutionContext.  The code to disassociate the DatabaseContext can only be safely called from the script thread (hence, the assertion in ActiveDOMObject).  Hence, the DatabaseContext needs to stay alive until the ScriptExecutionContext destructs and calls (from the script thread) the relevant DatabaseContext functions to do the disassociation.

Therefore, the fix is to add an m_selfRef to DatabaseContext that will keep itself alive until DatabaseContext::contextDestroyed() is called. contextDestroyed() will nullify m_selfRef and allow the DatabaseContext to be safely destructed thereafter.

The patch for the fix will be coming shortly.

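The lifetime pattern described in comment #3, replayed as an added C++ example (constructed stand-ins, not WebKit code): the thread switch is simulated with a global, the class and member names are borrowed from the comment, and everything else (Outcome, runScenario) is an assumption. Running the scenario without the self-reference shows the destructor running on the database thread while still associated with its context, which is exactly the condition that trips the isContextThread() assertion; with the self-reference, destruction waits for contextDestroyed() on the script thread.

```cpp
// Constructed stand-ins for the WebKit classes in comment #3 (not WebKit code).
#include <cassert>

enum class Thread { Script, Database };
static Thread g_currentThread = Thread::Script;  // simulated "current thread"

struct Outcome {
    bool destructed = false;
    bool destructedOnScriptThread = false;
    bool assertionWouldFire = false;  // models ~ActiveDOMObject's isContextThread() check
};

class DatabaseContext {
public:
    // useSelfRef=false reproduces the bug; useSelfRef=true applies the proposed fix.
    DatabaseContext(Outcome& o, bool useSelfRef) : m_outcome(o) {
        if (useSelfRef) { m_selfRef = this; ref(); }
    }
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }
    // Script thread: the ScriptExecutionContext is going away; disassociate, then drop m_selfRef.
    void contextDestroyed() {
        m_associated = false;
        if (DatabaseContext* self = m_selfRef) { m_selfRef = nullptr; self->deref(); }
    }
private:
    ~DatabaseContext() {
        m_outcome.destructed = true;
        m_outcome.destructedOnScriptThread = (g_currentThread == Thread::Script);
        // The assertion fires only when still associated and not on the context thread.
        m_outcome.assertionWouldFire = m_associated && g_currentThread != Thread::Script;
    }
    Outcome& m_outcome;
    int m_refCount = 1;              // the Database's own reference
    bool m_associated = true;        // still registered with its ScriptExecutionContext
    DatabaseContext* m_selfRef = nullptr;
};

// Replays the ordering from the bug: the Database dies on the database thread first,
// then the ScriptExecutionContext is torn down on the script thread.
static Outcome runScenario(bool useSelfRef) {
    Outcome outcome;
    DatabaseContext* context = new DatabaseContext(outcome, useSelfRef);  // raw pointer, as the context holds it
    g_currentThread = Thread::Database;
    context->deref();                // ~Database() releasing its DatabaseContext
    g_currentThread = Thread::Script;
    if (!outcome.destructed)         // without the fix this call would be a use-after-free
        context->contextDestroyed();
    return outcome;
}
```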