WebKit Bugzilla
Attachment 362765 Details for Bug 194843: Crash under IDBServer::IDBConnectionToClient::identifier() const
Patch: bug-194843-20190222142852.patch (text/plain), 6.40 KB, created by Sihui Liu on 2019-02-22 14:28:52 PST
Description: Patch
Flags: patch, obsolete
>Subversion Revision: 241761 >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index a6da53fe8e04ad79dd06c117c410a040b2b97e76..67bd02ea6ef627fec846cb48f8800111d5d3494c 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog >@@ -1,3 +1,28 @@ >+2019-02-22 Sihui Liu <sihui_liu@apple.com> >+ >+ Crash under IDBServer::IDBConnectionToClient::identifier() const >+ https://bugs.webkit.org/show_bug.cgi?id=194843 >+ <rdar://problem/48203102> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ UniqueIDBDatabase should ignore requests from connections that are already closed. >+ >+ Tests are hard to create without some tricks on UniqueIDBDatabase so this fix is verified manually. >+ One test is created by adding delay to UniqueIDBDatabase::openBackingStore on the background thread to make sure >+ disconnection of web process happens before UniqueIDBDatabase::didOpenBackingStore, because didOpenBackingStore >+ may start a version change transaction and ask for identifier from the connection that is already gone. >+ >+ * Modules/indexeddb/server/IDBConnectionToClient.cpp: >+ (WebCore::IDBServer::IDBConnectionToClient::connectionToClientClosed): >+ * Modules/indexeddb/server/IDBConnectionToClient.h: >+ (WebCore::IDBServer::IDBConnectionToClient::isClosed): >+ * Modules/indexeddb/server/UniqueIDBDatabase.cpp: >+ (WebCore::IDBServer::UniqueIDBDatabase::clearStalePendingOpenDBRequests): >+ (WebCore::IDBServer::UniqueIDBDatabase::handleDatabaseOperations): >+ (WebCore::IDBServer::UniqueIDBDatabase::operationAndTransactionTimerFired): >+ * Modules/indexeddb/server/UniqueIDBDatabase.h: >+ > 2019-02-19 Commit Queue <commit-queue@webkit.org> > > Unreviewed, rolling out r241722. >diff --git a/Source/WebCore/Modules/indexeddb/server/IDBConnectionToClient.cpp b/Source/WebCore/Modules/indexeddb/server/IDBConnectionToClient.cpp >index 8c8b72052243769cc9e83e34908ad63c4631a3bb..6be3430bfe94e60861c7615e308192791412423c 100644 
>--- a/Source/WebCore/Modules/indexeddb/server/IDBConnectionToClient.cpp >+++ b/Source/WebCore/Modules/indexeddb/server/IDBConnectionToClient.cpp >@@ -207,6 +207,7 @@ void IDBConnectionToClient::connectionToClientClosed() > connection->connectionClosedFromClient(); > } > >+ m_isClosed = true; > m_databaseConnections.clear(); > } > >diff --git a/Source/WebCore/Modules/indexeddb/server/IDBConnectionToClient.h b/Source/WebCore/Modules/indexeddb/server/IDBConnectionToClient.h >index 160abfeec96003cbb1df335297f7b099d0f6800f..aafc53802482b54f1f7f36ec28c7ae715e9aa96f 100644 >--- a/Source/WebCore/Modules/indexeddb/server/IDBConnectionToClient.h >+++ b/Source/WebCore/Modules/indexeddb/server/IDBConnectionToClient.h >@@ -79,12 +79,13 @@ public: > void registerDatabaseConnection(UniqueIDBDatabaseConnection&); > void unregisterDatabaseConnection(UniqueIDBDatabaseConnection&); > void connectionToClientClosed(); >- >+ bool isClosed() { return m_isClosed; } > private: > IDBConnectionToClient(IDBConnectionToClientDelegate&); > > WeakPtr<IDBConnectionToClientDelegate> m_delegate; > HashSet<UniqueIDBDatabaseConnection*> m_databaseConnections; >+ bool m_isClosed { false }; > }; > > } // namespace IDBServer >diff --git a/Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabase.cpp b/Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabase.cpp >index 722e7e94682d3456ad71bf5ec622b1e0c4356d63..5b9fad40d1b2c823f6d5aa1d8a120a815f2f6da9 100644 >--- a/Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabase.cpp >+++ b/Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabase.cpp 
>@@ -344,6 +344,12 @@ void UniqueIDBDatabase::didDeleteBackingStore(uint64_t deletedVersion) > invokeOperationAndTransactionTimer(); > } > >+void UniqueIDBDatabase::clearStalePendingOpenDBRequests() >+{ >+ while (!m_pendingOpenDBRequests.isEmpty() && m_pendingOpenDBRequests.first()->connection().isClosed()) >+ m_pendingOpenDBRequests.removeFirst(); >+} >+ > void UniqueIDBDatabase::handleDatabaseOperations() > { > ASSERT(isMainThread()); >@@ -353,7 +359,9 @@ void UniqueIDBDatabase::handleDatabaseOperations() > if (m_deleteBackingStoreInProgress) > return; > >- if (m_versionChangeDatabaseConnection || m_versionChangeTransaction || m_currentOpenDBRequest) { >+ clearStalePendingOpenDBRequests(); >+ >+ if (m_versionChangeDatabaseConnection || m_versionChangeTransaction || (m_currentOpenDBRequest && !m_currentOpenDBRequest->connection().isClosed())) { > // We can't start any new open-database operations right now, but we might be able to start handling a delete operation. > if (!m_currentOpenDBRequest && !m_pendingOpenDBRequests.isEmpty() && m_pendingOpenDBRequests.first()->isDeleteRequest()) > m_currentOpenDBRequest = m_pendingOpenDBRequests.takeFirst(); >@@ -365,8 +373,10 @@ void UniqueIDBDatabase::handleDatabaseOperations() > return; > } > >- if (m_pendingOpenDBRequests.isEmpty()) >+ if (m_pendingOpenDBRequests.isEmpty()) { >+ m_currentOpenDBRequest = nullptr; > return; >+ } > > m_currentOpenDBRequest = m_pendingOpenDBRequests.takeFirst(); > LOG(IndexedDB, "UniqueIDBDatabase::handleDatabaseOperations - Popped an operation, now there are %u pending", m_pendingOpenDBRequests.size()); 
>@@ -1573,10 +1583,9 @@ void UniqueIDBDatabase::operationAndTransactionTimerFired() > > // The current operation might require multiple attempts to handle, so try to > // make further progress on it now. >- if (m_currentOpenDBRequest) >+ if (m_currentOpenDBRequest && !m_currentOpenDBRequest->connection().isClosed()) > handleCurrentOperation(); >- >- if (!m_currentOpenDBRequest) >+ else > handleDatabaseOperations(); > > bool hadDeferredTransactions = false; >diff --git a/Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabase.h b/Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabase.h >index 83c0c908a54e59b463a0f670da9e192554e29977..de060e68d7f462d945647515a86fc3215270d6f7 100644 >--- a/Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabase.h >+++ b/Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabase.h >@@ -214,6 +214,8 @@ private: > RefPtr<UniqueIDBDatabaseTransaction> takeNextRunnableTransaction(bool& hadDeferredTransactions); > > bool prepareToFinishTransaction(UniqueIDBDatabaseTransaction&); >+ >+ void clearStalePendingOpenDBRequests(); > > void postDatabaseTask(CrossThreadTask&&); > void postDatabaseTaskReply(CrossThreadTask&&);
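Review bot: In the IDBConnectionToClient.cpp hunk, `m_isClosed = true;` is assigned only after the loop that calls `connection->connectionClosedFromClient()` on every registered database connection, so anything reached synchronously from that callback still sees `isClosed()` return false for a connection that is already tearing down. Move the assignment to the top of `connectionToClientClosed()`, ahead of the loop, so the flag is visible for the whole teardown.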
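Review bot: In the IDBConnectionToClient.h hunk, `bool isClosed() { return m_isClosed; }` does not mutate state and is only queried through references from UniqueIDBDatabase, so declare it `bool isClosed() const { return m_isClosed; }`. The same hunk also deletes the blank line that separated the public declarations from `private:`; keep that blank line, matching the surrounding code.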
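Review bot: In the first UniqueIDBDatabase.cpp hunk (handleDatabaseOperations), the closed-connection condition `m_currentOpenDBRequest && !m_currentOpenDBRequest->connection().isClosed()` is written out here and again in operationAndTransactionTimerFired(); factor it into a small helper (for example a `hasLiveCurrentOpenDBRequest()` accessor) so the two call sites cannot drift apart. Note also that `clearStalePendingOpenDBRequests()` only drains stale requests at the head of the deque, so a stale request queued behind a live one is still counted by the `"now there are %u pending"` log line and is only discarded once it reaches the front; that is harmless, but worth a comment on the helper so nobody later expects it to purge the whole queue.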
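Review bot: In the second UniqueIDBDatabase.cpp hunk (operationAndTransactionTimerFired), replacing the second `if (!m_currentOpenDBRequest)` with `else` changes more than the stale-connection check: previously, when handleCurrentOperation() completed the current request and cleared m_currentOpenDBRequest, handleDatabaseOperations() ran in the same timer firing and picked up the next pending request, whereas now that request waits for the timer to fire again. Unless handleCurrentOperation() always re-invokes the timer on completion, keep the follow-up as a separate statement, e.g. `if (!m_currentOpenDBRequest || m_currentOpenDBRequest->connection().isClosed()) handleDatabaseOperations();` after the first `if`.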