[Webkit-unassigned] [Bug 164596] New: IndexedDB 2.0: Fix flaky crashes in IDB GC-related code

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Nov 10 09:01:12 PST 2016


https://bugs.webkit.org/show_bug.cgi?id=164596

            Bug ID: 164596
           Summary: IndexedDB 2.0: Fix flaky crashes in IDB GC-related
                    code
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: beidson at apple.com

IndexedDB 2.0: Fix flaky crashes in IDB GC-related code

During GC sweeps we're sometimes seeing:

1   0x10ef2cc5d WTFCrash
2   0x10ea882c5 void WTF::HashTable<void*, void*, WTF::IdentityExtractor, WTF::PtrHash<void*>, WTF::HashTraits<void*>, WTF::HashTraits<void*> >::checkKey<WTF::IdentityHashTranslator<WTF::HashTraits<void*>, WTF::PtrHash<void*> >, void*>(void* const&)
3   0x10ed110ef WTF::HashTableAddResult<WTF::HashTableIterator<void*, void*, WTF::IdentityExtractor, WTF::PtrHash<void*>, WTF::HashTraits<void*>, WTF::HashTraits<void*> > > WTF::HashTable<void*, void*, WTF::IdentityExtractor, WTF::PtrHash<void*>, WTF::HashTraits<void*>, WTF::HashTraits<void*> >::add<WTF::IdentityHashTranslator<WTF::HashTraits<void*>, WTF::PtrHash<void*> >, void* const&, void* const&>(void* const&&&, void* const&&&)
4   0x10ed110a3 WTF::HashTable<void*, void*, WTF::IdentityExtractor, WTF::PtrHash<void*>, WTF::HashTraits<void*>, WTF::HashTraits<void*> >::add(void* const&)
5   0x10ed0fa94 WTF::HashSet<void*, WTF::PtrHash<void*>, WTF::HashTraits<void*> >::add(void* const&)
6   0x10ed0fb2f JSC::OpaqueRootSet::add(void*)
7   0x10ed0fa5d JSC::SlotVisitor::addOpaqueRoot(void*)
8   0x11731e651 WebCore::IDBTransaction::visitReferencedObjectStores(JSC::SlotVisitor&) const
9   0x116d081d5 WebCore::JSIDBTransaction::visitAdditionalChildren(JSC::SlotVisitor&)
10  0x117a7ca32 WebCore::JSIDBTransaction::visitChildren(JSC::JSCell*, JSC::SlotVisitor&)
11  0x10ed0f450 JSC::SlotVisitor::visitChildren(JSC::JSCell const*)
12  0x10ed0f1f0 JSC::SlotVisitor::drain()
...

The reason is that in stack frame 8 we're passing a null pointer as an opaque root.

Same thing happens in IDBObjectStore.

The reason is that when transactions abort, we sometimes WTFMove the pointer out of the m_deletedObjects map but leave the entry in the map, which causes this null-pointer problem later.

Simple solution is to remove the entry in the map, as well.
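The pattern the report describes, reduced to a stand-alone example (added here, not WebKit code; the type and member names are stand-ins for IDBObjectStore, IDBTransaction::m_deletedObjectStores, visitReferencedObjectStores and JSC::OpaqueRootSet). A transaction keeps deleted object stores alive in a map of owning pointers; the buggy abort path moves the owner out of the map without erasing the slot, so the GC visit later hands a null pointer to the opaque-root set. WTF's HashSet<void*> uses the null pointer as its empty-bucket sentinel, which is why HashTable::checkKey asserts in the trace above; the stand-in root set returns false instead of crashing so the two abort variants can be compared.

```cpp
#include <cassert>
#include <cstdint>
#include <memory>
#include <set>
#include <unordered_map>
#include <vector>

// Stand-in for an IDBObjectStore whose JS wrapper is kept alive via an opaque root.
struct ObjectStore {
    uint64_t id;
    explicit ObjectStore(uint64_t i) : id(i) {}
};

// Stand-in for JSC::OpaqueRootSet. In WTF, HashSet<void*> treats nullptr as the
// empty-bucket value, so adding it trips the checkKey assertion (WTFCrash).
// Here we report the violation instead of aborting the process.
struct OpaqueRootSet {
    std::set<void*> roots;
    bool add(void* root) {
        if (!root)
            return false; // would be the WTFCrash seen in the trace
        roots.insert(root);
        return true;
    }
};

struct Transaction {
    // Mirrors the m_deletedObjects map: stores deleted in this transaction are
    // kept alive here until the transaction commits or aborts.
    std::unordered_map<uint64_t, std::unique_ptr<ObjectStore>> m_deletedObjectStores;
    // Where an aborted transaction hands the stores back (hypothetical).
    std::vector<std::unique_ptr<ObjectStore>> m_restored;

    void deleteObjectStore(uint64_t id) {
        m_deletedObjectStores[id] = std::make_unique<ObjectStore>(id);
    }

    // Buggy abort: moves the owner out but leaves a now-null entry in the map.
    void abortLeavingNullEntry(uint64_t id) {
        auto it = m_deletedObjectStores.find(id);
        if (it == m_deletedObjectStores.end())
            return;
        m_restored.push_back(std::move(it->second)); // it->second is now null
    }

    // Fixed abort: move the owner out, then remove the entry as well.
    void abortErasingEntry(uint64_t id) {
        auto it = m_deletedObjectStores.find(id);
        if (it == m_deletedObjectStores.end())
            return;
        m_restored.push_back(std::move(it->second));
        m_deletedObjectStores.erase(it);
    }

    // Mirrors visitReferencedObjectStores: every deleted store is reported as an
    // opaque root during GC marking. Returns false if a null root was reported.
    bool visitReferencedObjectStores(OpaqueRootSet& visitor) const {
        bool ok = true;
        for (const auto& entry : m_deletedObjectStores)
            ok = visitor.add(entry.second.get()) && ok;
        return ok;
    }
};

// Runs delete -> abort -> GC visit with either abort variant and reports
// whether the visit stayed free of null roots.
bool gcVisitAfterAbort(bool useFixedAbort) {
    Transaction tx;
    tx.deleteObjectStore(1);
    tx.deleteObjectStore(2);
    if (useFixedAbort)
        tx.abortErasingEntry(1);
    else
        tx.abortLeavingNullEntry(1);
    OpaqueRootSet roots;
    return tx.visitReferencedObjectStores(roots);
}

int main() {
    assert(!gcVisitAfterAbort(false)); // null entry left behind -> bad root
    assert(gcVisitAfterAbort(true));   // entry erased -> only live stores rooted
    return 0;
}
```

The flakiness in the original report follows from the same structure: the null entry is harmless until a GC sweep happens to visit the transaction between the abort and its destruction, so the crash depends on GC timing rather than on the IndexedDB operations themselves.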
