<html>
    <head>
      <base href="https://bugs.webkit.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - IndexedDB 2.0: Fix flaky crashes in IDB GC-related code"
   href="https://bugs.webkit.org/show_bug.cgi?id=164596">164596</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>IndexedDB 2.0: Fix flaky crashes in IDB GC-related code
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>WebKit
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>WebKit Nightly Build
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Unspecified
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Unspecified
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P2
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>WebCore Misc.
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>webkit-unassigned&#64;lists.webkit.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>beidson&#64;apple.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>IndexedDB 2.0: Fix flaky crashes in IDB GC-related code

During GC sweeps we're sometimes seeing:

1   0x10ef2cc5d WTFCrash
2   0x10ea882c5 void WTF::HashTable&lt;void*, void*, WTF::IdentityExtractor, WTF::PtrHash&lt;void*&gt;, WTF::HashTraits&lt;void*&gt;, WTF::HashTraits&lt;void*&gt; &gt;::checkKey&lt;WTF::IdentityHashTranslator&lt;WTF::HashTraits&lt;void*&gt;, WTF::PtrHash&lt;void*&gt; &gt;, void*&gt;(void* const&amp;)
3   0x10ed110ef WTF::HashTableAddResult&lt;WTF::HashTableIterator&lt;void*, void*, WTF::IdentityExtractor, WTF::PtrHash&lt;void*&gt;, WTF::HashTraits&lt;void*&gt;, WTF::HashTraits&lt;void*&gt; &gt; &gt; WTF::HashTable&lt;void*, void*, WTF::IdentityExtractor, WTF::PtrHash&lt;void*&gt;, WTF::HashTraits&lt;void*&gt;, WTF::HashTraits&lt;void*&gt; &gt;::add&lt;WTF::IdentityHashTranslator&lt;WTF::HashTraits&lt;void*&gt;, WTF::PtrHash&lt;void*&gt; &gt;, void* const&amp;, void* const&amp;&gt;(void* const&amp;&amp;&amp;, void* const&amp;&amp;&amp;)
4   0x10ed110a3 WTF::HashTable&lt;void*, void*, WTF::IdentityExtractor, WTF::PtrHash&lt;void*&gt;, WTF::HashTraits&lt;void*&gt;, WTF::HashTraits&lt;void*&gt; &gt;::add(void* const&amp;)
5   0x10ed0fa94 WTF::HashSet&lt;void*, WTF::PtrHash&lt;void*&gt;, WTF::HashTraits&lt;void*&gt; &gt;::add(void* const&amp;)
6   0x10ed0fb2f JSC::OpaqueRootSet::add(void*)
7   0x10ed0fa5d JSC::SlotVisitor::addOpaqueRoot(void*)
8   0x11731e651 WebCore::IDBTransaction::visitReferencedObjectStores(JSC::SlotVisitor&amp;) const
9   0x116d081d5 WebCore::JSIDBTransaction::visitAdditionalChildren(JSC::SlotVisitor&amp;)
10  0x117a7ca32 WebCore::JSIDBTransaction::visitChildren(JSC::JSCell*, JSC::SlotVisitor&amp;)
11  0x10ed0f450 JSC::SlotVisitor::visitChildren(JSC::JSCell const*)
12  0x10ed0f1f0 JSC::SlotVisitor::drain()
...

And the reason is that in stack frame 8, we're passing a null pointer as an opaque root.

Same thing happens in IDBObjectStore.

The reason is that when transactions abort, we sometimes WTFMove the pointer out of the m_deletedObjects map, but leave the entry in the map, which causes this null ptr problem later.

Simple solution is to remove the entry in the map, as well.</pre>
        </div>
      </p>
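A reduced reproduction of the failure mode described in the report, added here as an example and not code from WebKit: a std::map-based stand-in (hypothetical names modelled on the m_deletedObjects map) shows that moving a unique_ptr out of the map without erasing its entry leaves a null pointer that the next GC visit hands to the opaque-root set, and that erasing the entry together with the move removes it.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <memory>
#include <utility>

struct ObjectStore { uint64_t id = 0; };   // stand-in for IDBObjectStore

// Stand-in for the GC's opaque-root set (frame 6 of the trace). WTF's pointer
// hash traits use null as the empty-bucket marker, so adding a null key is what
// fails checkKey there; this version counts the nulls instead of crashing.
struct OpaqueRoots {
    size_t rootsAdded = 0, nullRootsSeen = 0;
    void add(void* root) {
        if (!root) { ++nullRootsSeen; return; }
        ++rootsAdded;
    }
};

// Simplified transaction; names are hypothetical, modelled on m_deletedObjects.
struct Transaction {
    std::map<uint64_t, std::unique_ptr<ObjectStore>> m_deletedObjects;
    // Buggy abort: moves the store out but leaves a null unique_ptr in the map.
    std::unique_ptr<ObjectStore> abortBuggy(uint64_t id) {
        return std::move(m_deletedObjects[id]);
    }
    // Fixed abort: moves the store out and erases the entry in the same step.
    std::unique_ptr<ObjectStore> abortFixed(uint64_t id) {
        auto it = m_deletedObjects.find(id);
        if (it == m_deletedObjects.end()) return nullptr;
        auto store = std::move(it->second);
        m_deletedObjects.erase(it);
        return store;
    }
    // Mirrors visitReferencedObjectStores: every mapped pointer becomes a root.
    void visit(OpaqueRoots& visitor) const {
        for (const auto& entry : m_deletedObjects) visitor.add(entry.second.get());
    }
};

// How many null pointers a GC sweep would receive after one aborted store.
size_t nullRootsAfterAbort(bool useFix) {
    Transaction tx;
    tx.m_deletedObjects[1] = std::make_unique<ObjectStore>(ObjectStore{1});
    tx.m_deletedObjects[2] = std::make_unique<ObjectStore>(ObjectStore{2});
    (void)(useFix ? tx.abortFixed(1) : tx.abortBuggy(1));  // caller hands store back
    OpaqueRoots visitor;
    tx.visit(visitor);
    return visitor.nullRootsSeen;
}
```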
    </body>
</html>