WebKit Bugzilla
Attachment 362699 Details for Bug 194843: Crash under IDBServer::IDBConnectionToClient::identifier() const
Patch: bug-194843-20190221234429.patch (text/plain), 5.78 KB, created by Sihui Liu on 2019-02-21 23:44:30 PST
Flags: patch, obsolete
>Subversion Revision: 241761 >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index a6da53fe8e04ad79dd06c117c410a040b2b97e76..262177e05f4be8c3ac6f71e2f56b2a24cd447223 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog >@@ -1,3 +1,26 @@ >+2019-02-21 Sihui Liu <sihui_liu@apple.com> >+ >+ Crash under IDBServer::IDBConnectionToClient::identifier() const >+ https://bugs.webkit.org/show_bug.cgi?id=194843 >+ <rdar://problem/48203102> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ UniqueIDBDatabase should ignore requests from connections that are already closed. >+ >+ Tests are hard to create without some tricks on UniqueIDBDatabase so this fix is verified manually. >+ One test is created by adding delay to UniqueIDBDatabase::openBackingStore on the background thread to make sure >+ disconnection of web process happens before UniqueIDBDatabase::didOpenBackingStore, because didOpenBackingStore >+ may start a version change transaction and ask for identifier from the connection that is already gone. >+ >+ * Modules/indexeddb/server/IDBConnectionToClient.cpp: >+ (WebCore::IDBServer::IDBConnectionToClient::connectionToClientClosed): >+ * Modules/indexeddb/server/IDBConnectionToClient.h: >+ (WebCore::IDBServer::IDBConnectionToClient::isConenctionClosed): >+ * Modules/indexeddb/server/UniqueIDBDatabase.cpp: >+ (WebCore::IDBServer::UniqueIDBDatabase::handleDatabaseOperations): >+ (WebCore::IDBServer::UniqueIDBDatabase::operationAndTransactionTimerFired): >+ > 2019-02-19 Commit Queue <commit-queue@webkit.org> > > Unreviewed, rolling out r241722. >diff --git a/Source/WebCore/Modules/indexeddb/server/IDBConnectionToClient.cpp b/Source/WebCore/Modules/indexeddb/server/IDBConnectionToClient.cpp >index 8c8b72052243769cc9e83e34908ad63c4631a3bb..6be3430bfe94e60861c7615e308192791412423c 100644 >--- a/Source/WebCore/Modules/indexeddb/server/IDBConnectionToClient.cpp >+++ b/Source/WebCore/Modules/indexeddb/server/IDBConnectionToClient.cpp 
>@@ -207,6 +207,7 @@ void IDBConnectionToClient::connectionToClientClosed() > connection->connectionClosedFromClient(); > } > >+ m_isClosed = true; > m_databaseConnections.clear(); > } > >diff --git a/Source/WebCore/Modules/indexeddb/server/IDBConnectionToClient.h b/Source/WebCore/Modules/indexeddb/server/IDBConnectionToClient.h >index 160abfeec96003cbb1df335297f7b099d0f6800f..ed23b4bc652b4970741b1a60a2bd62535b7f633b 100644 >--- a/Source/WebCore/Modules/indexeddb/server/IDBConnectionToClient.h >+++ b/Source/WebCore/Modules/indexeddb/server/IDBConnectionToClient.h >@@ -79,12 +79,13 @@ public: > void registerDatabaseConnection(UniqueIDBDatabaseConnection&); > void unregisterDatabaseConnection(UniqueIDBDatabaseConnection&); > void connectionToClientClosed(); >- >+ bool isConenctionClosed() { return m_isClosed; } > private: > IDBConnectionToClient(IDBConnectionToClientDelegate&); > > WeakPtr<IDBConnectionToClientDelegate> m_delegate; > HashSet<UniqueIDBDatabaseConnection*> m_databaseConnections; >+ bool m_isClosed { false }; > }; > > } // namespace IDBServer >diff --git a/Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabase.cpp b/Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabase.cpp >index 722e7e94682d3456ad71bf5ec622b1e0c4356d63..4fe4dc7f6b83f49a21f39f254c7b1920de0e65cb 100644 >--- a/Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabase.cpp >+++ b/Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabase.cpp 
>@@ -353,20 +353,28 @@ void UniqueIDBDatabase::handleDatabaseOperations() > if (m_deleteBackingStoreInProgress) > return; > >- if (m_versionChangeDatabaseConnection || m_versionChangeTransaction || m_currentOpenDBRequest) { >+ if (m_versionChangeDatabaseConnection || m_versionChangeTransaction || (m_currentOpenDBRequest && !m_currentOpenDBRequest->connection().isConenctionClosed())) { > // We can't start any new open-database operations right now, but we might be able to start handling a delete operation. >- if (!m_currentOpenDBRequest && !m_pendingOpenDBRequests.isEmpty() && m_pendingOpenDBRequests.first()->isDeleteRequest()) >- m_currentOpenDBRequest = m_pendingOpenDBRequests.takeFirst(); >+ if (!m_currentOpenDBRequest) { >+ while (!m_pendingOpenDBRequests.isEmpty() && m_pendingOpenDBRequests.first()->connection().isConenctionClosed()) >+ m_pendingOpenDBRequests.removeFirst(); >+ if (!m_pendingOpenDBRequests.isEmpty() && m_pendingOpenDBRequests.first()->isDeleteRequest()) >+ m_currentOpenDBRequest = m_pendingOpenDBRequests.takeFirst(); >+ } > > // Some operations (such as the first open operation after a delete) require multiple passes to completely handle > if (m_currentOpenDBRequest) > handleCurrentOperation(); >- > return; > } > >- if (m_pendingOpenDBRequests.isEmpty()) >+ // Skip requests with closed connection. >+ while (!m_pendingOpenDBRequests.isEmpty() && m_pendingOpenDBRequests.first()->connection().isConenctionClosed()) >+ m_pendingOpenDBRequests.removeFirst(); >+ if (m_pendingOpenDBRequests.isEmpty()) { >+ m_currentOpenDBRequest = nullptr; > return; >+ } > > m_currentOpenDBRequest = m_pendingOpenDBRequests.takeFirst(); > LOG(IndexedDB, "UniqueIDBDatabase::handleDatabaseOperations - Popped an operation, now there are %u pending", m_pendingOpenDBRequests.size()); 
>@@ -1573,7 +1581,7 @@ void UniqueIDBDatabase::operationAndTransactionTimerFired() > > // The current operation might require multiple attempts to handle, so try to > // make further progress on it now. >- if (m_currentOpenDBRequest) >+ if (m_currentOpenDBRequest && !m_currentOpenDBRequest->connection().isConenctionClosed()) > handleCurrentOperation(); > > if (!m_currentOpenDBRequest)
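Review bot: the ChangeLog entry names the new accessor `isConenctionClosed`, which matches the header but misspells "connection"; if the header is renamed to `isConnectionClosed()`, update the `IDBConnectionToClient.h` line here to match. The description also does not mention that `handleDatabaseOperations()` now resets `m_currentOpenDBRequest` to `nullptr` when the pending queue is empty, which is worth a sentence since it changes state the timer path relies on.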
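Review bot: in `connectionToClientClosed()`, `m_isClosed = true;` is assigned only after the loop that calls `connection->connectionClosedFromClient()` on every registered database connection, so any code reached from those calls that consults `isConenctionClosed()` still observes `false` while the connection is being torn down; consider setting the flag at the top of the function, before the connections are notified, so the closed state is visible for the whole teardown.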
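Review bot: `bool isConenctionClosed() { return m_isClosed; }` misspells "connection"; rename it to `isConnectionClosed()` (together with the four call sites in `UniqueIDBDatabase.cpp`) and mark it `const`, since it only reads `m_isClosed`. The added declaration also takes the place of the blank line that separated the public methods from `private:`; keep that blank line so the layout matches the rest of the class.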
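Review bot: in `handleDatabaseOperations()`, the inner `if (m_currentOpenDBRequest) handleCurrentOperation();` is still reached when `m_versionChangeDatabaseConnection` or `m_versionChangeTransaction` is set and the current request's connection is already closed, because the new `!m_currentOpenDBRequest->connection().isConenctionClosed()` check only guards the third operand of the outer condition. Clearing a closed `m_currentOpenDBRequest` once, before the `if`, would cover both branches; the `while (... isConenctionClosed()) m_pendingOpenDBRequests.removeFirst();` loop is also duplicated verbatim in both branches and would read better as a small helper that drops closed pending requests. The blank line before the first `return;` was dropped as well.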
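Review bot: in `operationAndTransactionTimerFired()`, when the current request's connection is closed the guarded `handleCurrentOperation()` call is skipped but `m_currentOpenDBRequest` is left non-null, so the following `if (!m_currentOpenDBRequest)` block does not run either and the stale request lingers until the next `handleDatabaseOperations()` pass; resetting `m_currentOpenDBRequest = nullptr` here when `isConenctionClosed()` is true would let that block make progress in the same timer fire.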