[Webkit-unassigned] [Bug 111642] New: IndexedDB: Transactions can be started between versionchange oncomplete and openrequest onsuccess

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Mar 6 16:35:16 PST 2013


https://bugs.webkit.org/show_bug.cgi?id=111642

           Summary: IndexedDB: Transactions can be started between
                    versionchange oncomplete and openrequest onsuccess
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: jsbell at chromium.org


As discovered in https://code.google.com/p/chromium/issues/detail?id=153064:

In multiprocess ports there's a race condition that allows a transaction to be created between the "complete" event from a "versionchange" transaction (c/o an "upgradeneeded" handler) and the subsequent "success" event from an open() call. During this window, the database has "old" metadata, which can lead to an inconsistency:

var req = indexedDB.open("db", 1);
req.onupgradeneeded = function() {
  var db = req.result;
  // Runs inside the implicit "versionchange" transaction.
  db.createObjectStore('store');
  // "complete" for the versionchange transaction fires before the
  // open request's "success" event.
  req.transaction.oncomplete = function() {
    var trans = db.transaction('store'); // <---- HERE
  };
};

In multiprocess ports, the line marked HERE could execute before the "success" event for the database open arrives from the backend. If it does, the db will have old metadata and raise an exception since there is no such object store. (This has a low probability because firing the "complete" and "success" events should happen with no gap in between, but depending on the IPC mechanism and context switching it could be more likely on certain OS/hardware configurations.)

But we should fix the race somehow - either by ensuring the database gets the updated metadata earlier (via the versionchange transaction) or failing the .transaction() call in the time window between the "complete" and "success" events arriving from the backend.

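The race described in the report, modelled as an added example (this is not code from the bug report or from WebKit). The model splits the database into a backend that owns the authoritative object store list and a frontend IDBDatabase-like object that only holds a snapshot of it, then delivers the "upgradeneeded", "complete" and "success" events one at a time so that script can run in the gap. It exercises the buggy snapshot-on-success behaviour, the two fixes the report proposes (refresh metadata during the versionchange transaction, or refuse transactions in the window) and the application-side workaround of starting transactions from the open request's "success" handler instead of from "complete". Class names, the strategy strings and the InvalidStateError name for the "refuse in window" variant are assumptions of the model.

```javascript
"use strict";

// Minimal stand-in for DOMException so the model runs outside a browser.
class DOMExceptionLike extends Error {
  constructor(name, message) { super(message); this.name = name; }
}

// Backend: authoritative metadata plus the ordered event stream it sends to
// the frontend. In a multiprocess port each event is a separate IPC message,
// and page script may run between any two of them.
class Backend {
  constructor() { this.stores = new Set(); }
  createObjectStore(name) { this.stores.add(name); }
  open() { return ["upgradeneeded", "complete", "success"]; }
}

// Frontend: the object page script actually holds. Its store list is a
// snapshot of the backend's, refreshed according to `strategy`:
//   "snapshot-on-success"     - refreshed only when open()'s "success" arrives (the bug)
//   "update-on-versionchange" - refreshed as part of the versionchange transaction (fix a)
//   "reject-in-window"        - transaction() fails until "success" has arrived (fix b)
class FrontendDatabase {
  constructor(backend, strategy) {
    this.backend = backend;
    this.strategy = strategy;
    this.stores = new Set();     // frontend's view of the object store names
    this.openSettled = false;    // true once open()'s "success" has been delivered
  }
  createObjectStore(name) {
    this.backend.createObjectStore(name);
    if (this.strategy === "update-on-versionchange") {
      this.stores = new Set(this.backend.stores);
    }
  }
  transaction(storeName) {
    if (this.strategy === "reject-in-window" && !this.openSettled) {
      // Error name is an assumption; the report only says the call should fail.
      throw new DOMExceptionLike("InvalidStateError", "open() has not completed");
    }
    if (!this.stores.has(storeName)) {
      throw new DOMExceptionLike("NotFoundError", `No object store named ${storeName}`);
    }
    return { objectStoreNames: [storeName], mode: "readonly" };
  }
}

// Drive one open() with a backend strategy and an application pattern:
//   "transaction-in-oncomplete" - the shape from the report (start work in versionchange oncomplete)
//   "transaction-in-onsuccess"  - start work only once the open request succeeds
// Returns "ok" or the name of the exception the transaction() call threw.
function simulateOpen(strategy, pattern) {
  const backend = new Backend();
  const db = new FrontendDatabase(backend, strategy);
  const req = { result: db, transaction: { oncomplete: null }, onupgradeneeded: null, onsuccess: null };
  let outcome = "ok";
  const tryTransaction = () => {
    try { db.transaction("store"); } catch (e) { outcome = e.name; }
  };

  req.onupgradeneeded = () => {
    req.result.createObjectStore("store");
    if (pattern === "transaction-in-oncomplete") req.transaction.oncomplete = tryTransaction;
  };
  req.onsuccess = () => {
    if (pattern === "transaction-in-onsuccess") tryTransaction();
  };

  for (const ev of backend.open()) {
    if (ev === "upgradeneeded") req.onupgradeneeded();
    if (ev === "complete" && req.transaction.oncomplete) req.transaction.oncomplete();
    if (ev === "success") {
      db.stores = new Set(backend.stores);   // the only refresh point in the buggy design
      db.openSettled = true;
      req.onsuccess();
    }
  }
  return outcome;
}

// Print the outcome matrix when run directly (node race-model.js).
for (const strategy of ["snapshot-on-success", "update-on-versionchange", "reject-in-window"]) {
  for (const pattern of ["transaction-in-oncomplete", "transaction-in-onsuccess"]) {
    console.log(`${strategy.padEnd(24)} ${pattern.padEnd(28)} -> ${simulateOpen(strategy, pattern)}`);
  }
}
```

The model makes the window explicit: with the snapshot-only design, the oncomplete handler sees an empty store list and transaction('store') throws NotFoundError exactly as the report predicts, while the same application code succeeds once the frontend refreshes its metadata during the versionchange transaction. Moving the transaction into the open request's onsuccess handler avoids the window regardless of what the engine does, which is the portable pattern for page code.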