<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - IndexedDB 2.0: Fix flaky crashes in IDB GC-related code"
href="https://bugs.webkit.org/show_bug.cgi?id=164596">164596</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>IndexedDB 2.0: Fix flaky crashes in IDB GC-related code
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr>
<tr>
<th>Product</th>
<td>WebKit
</td>
</tr>
<tr>
<th>Version</th>
<td>WebKit Nightly Build
</td>
</tr>
<tr>
<th>Hardware</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>OS</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>Normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P2
</td>
</tr>
<tr>
<th>Component</th>
<td>WebCore Misc.
</td>
</tr>
<tr>
<th>Assignee</th>
<td>webkit-unassigned@lists.webkit.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>beidson@apple.com
</td>
</tr></table>
<p>
<div>
<pre>IndexedDB 2.0: Fix flaky crashes in IDB GC-related code
During GC sweeps we're sometimes seeing:
1 0x10ef2cc5d WTFCrash
2 0x10ea882c5 void WTF::HashTable<void*, void*, WTF::IdentityExtractor, WTF::PtrHash<void*>, WTF::HashTraits<void*>, WTF::HashTraits<void*> >::checkKey<WTF::IdentityHashTranslator<WTF::HashTraits<void*>, WTF::PtrHash<void*> >, void*>(void* const&)
3 0x10ed110ef WTF::HashTableAddResult<WTF::HashTableIterator<void*, void*, WTF::IdentityExtractor, WTF::PtrHash<void*>, WTF::HashTraits<void*>, WTF::HashTraits<void*> > > WTF::HashTable<void*, void*, WTF::IdentityExtractor, WTF::PtrHash<void*>, WTF::HashTraits<void*>, WTF::HashTraits<void*> >::add<WTF::IdentityHashTranslator<WTF::HashTraits<void*>, WTF::PtrHash<void*> >, void* const&, void* const&>(void* const&&&, void* const&&&)
4 0x10ed110a3 WTF::HashTable<void*, void*, WTF::IdentityExtractor, WTF::PtrHash<void*>, WTF::HashTraits<void*>, WTF::HashTraits<void*> >::add(void* const&)
5 0x10ed0fa94 WTF::HashSet<void*, WTF::PtrHash<void*>, WTF::HashTraits<void*> >::add(void* const&)
6 0x10ed0fb2f JSC::OpaqueRootSet::add(void*)
7 0x10ed0fa5d JSC::SlotVisitor::addOpaqueRoot(void*)
8 0x11731e651 WebCore::IDBTransaction::visitReferencedObjectStores(JSC::SlotVisitor&) const
9 0x116d081d5 WebCore::JSIDBTransaction::visitAdditionalChildren(JSC::SlotVisitor&)
10 0x117a7ca32 WebCore::JSIDBTransaction::visitChildren(JSC::JSCell*, JSC::SlotVisitor&)
11 0x10ed0f450 JSC::SlotVisitor::visitChildren(JSC::JSCell const*)
12 0x10ed0f1f0 JSC::SlotVisitor::drain()
...
And the reason is that in stack frame 8, we're passing a null pointer as an opaque root.
Same thing happens in IDBObjectStore.
The reason is that when transactions abort, we sometimes WTFMove the pointer out of the m_deletedObjects map, but leave the entry in the map, which causes this null ptr problem later.
Simple solution is to remove the entry in the map, as well.</pre>
</div>
</p>
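<p>The pattern the report describes, reduced to standard C++ as an added illustration (not WebKit code; the map type, the ObjectStore stand-in and the function names are assumed for the example): moving a value out of a map entry on abort leaves the key behind with a null pointer, which a later GC-style visit then hands to the collector, whereas erasing the entry together with the move leaves nothing null to visit.</p>

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <unordered_map>

struct ObjectStore { uint64_t identifier; }; // stand-in for IDBObjectStore
// Assumed stand-in for the transaction's m_deletedObjects map named in the report.
using DeletedStoreMap = std::unordered_map<uint64_t, std::unique_ptr<ObjectStore>>;

// Buggy pattern from the report: the value is moved out of the map on abort,
// but the key stays behind holding a now-null unique_ptr.
std::unique_ptr<ObjectStore> takeOnAbortBuggy(DeletedStoreMap& map, uint64_t id)
{
    auto it = map.find(id);
    if (it == map.end())
        return nullptr;
    return std::move(it->second); // entry remains, value is now nullptr
}

// Fixed pattern: move the value out and erase the entry in the same step.
std::unique_ptr<ObjectStore> takeOnAbortFixed(DeletedStoreMap& map, uint64_t id)
{
    auto it = map.find(id);
    if (it == map.end())
        return nullptr;
    auto store = std::move(it->second);
    map.erase(it);
    return store;
}

// Stand-in for visitReferencedObjectStores(): each map value would go to
// addOpaqueRoot(); returns how many are null (the WTFCrash path in the trace).
size_t countNullRoots(const DeletedStoreMap& map)
{
    size_t nulls = 0;
    for (const auto& entry : map)
        if (!entry.second)
            ++nulls;
    return nulls;
}

size_t nullRootsAfterAbort(bool useFix)
{
    DeletedStoreMap deleted;
    deleted[1] = std::make_unique<ObjectStore>(ObjectStore{1});
    deleted[2] = std::make_unique<ObjectStore>(ObjectStore{2});
    auto taken = useFix ? takeOnAbortFixed(deleted, 1) : takeOnAbortBuggy(deleted, 1);
    (void)taken; // the aborted store is owned here, as in the real abort path
    return countNullRoots(deleted); // buggy path: 1, fixed path: 0
}
```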
</body>
</html>