Title: [201188] trunk/Source/WebCore
Revision
201188
Author
beid...@apple.com
Date
2016-05-19 15:11:52 -0700 (Thu, 19 May 2016)

Log Message

REGRESSION(201098) GuardMalloc / ASan crashes in WebCore::IDBServer::UniqueIDBDatabase::executeNextDatabaseTaskReply
https://bugs.webkit.org/show_bug.cgi?id=157917

Reviewed by Alex Christensen.

No new tests (Covered by all existing tests in Gmalloc/ASAN configs).

* Modules/indexeddb/server/UniqueIDBDatabase.cpp:
(WebCore::IDBServer::UniqueIDBDatabase::~UniqueIDBDatabase):
(WebCore::IDBServer::UniqueIDBDatabase::executeNextDatabaseTaskReply): Protect this from deletion before executing the task.

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (201187 => 201188)


--- trunk/Source/WebCore/ChangeLog	2016-05-19 21:59:12 UTC (rev 201187)
+++ trunk/Source/WebCore/ChangeLog	2016-05-19 22:11:52 UTC (rev 201188)
@@ -1,3 +1,16 @@
+2016-05-19  Brady Eidson  <beid...@apple.com>
+
+        REGRESSION(201098) GuardMalloc / ASan crashes in WebCore::IDBServer::UniqueIDBDatabase::executeNextDatabaseTaskReply
+        https://bugs.webkit.org/show_bug.cgi?id=157917
+
+        Reviewed by Alex Christensen.
+
+        No new tests (Covered by all existing tests in Gmalloc/ASAN configs).
+
+        * Modules/indexeddb/server/UniqueIDBDatabase.cpp:
+        (WebCore::IDBServer::UniqueIDBDatabase::~UniqueIDBDatabase):
+        (WebCore::IDBServer::UniqueIDBDatabase::executeNextDatabaseTaskReply): Protect this from deletion before executing the task.
+
 2016-05-19  Jer Noble  <jer.no...@apple.com>
 
         [IOS] Add setting to allow playback to continue inline after exiting fullscreen.
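Review bot: The line for ~UniqueIDBDatabase carries no description, while the corresponding code hunk adds `ASSERT(!m_queuedTaskCount)` to the destructor; a short note such as "Assert no tasks are still queued when the database is destroyed" would record why that invariant belongs to this fix. The executeNextDatabaseTaskReply line could likewise say that `this` is protected because performTask() may drop the last reference, which is the crash mechanism named in the title.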

Modified: trunk/Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabase.cpp (201187 => 201188)


--- trunk/Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabase.cpp	2016-05-19 21:59:12 UTC (rev 201187)
+++ trunk/Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabase.cpp	2016-05-19 22:11:52 UTC (rev 201188)
@@ -65,6 +65,7 @@
     ASSERT(m_openDatabaseConnections.isEmpty());
     ASSERT(m_clientClosePendingDatabaseConnections.isEmpty());
     ASSERT(m_serverClosePendingDatabaseConnections.isEmpty());
+    ASSERT(!m_queuedTaskCount);
 }
 
 const IDBDatabaseInfo& UniqueIDBDatabase::info() const
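Review bot: `ASSERT(!m_queuedTaskCount)` only fires in debug builds, since ASSERT compiles out in release; that suits the GuardMalloc/ASan configurations this regression was caught in, but it means the invariant is documented rather than enforced in shipping builds. It also relies on `--m_queuedTaskCount` in executeNextDatabaseTaskReply running before the object can be destroyed, which is exactly what the RefPtr protector added in that function now guarantees.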
@@ -1515,11 +1516,14 @@
     auto task = m_databaseReplyQueue.tryGetMessage();
     ASSERT(task);
 
+    // Performing the task might end up removing the last reference to this.
+    RefPtr<UniqueIDBDatabase> protectedThis(this);
+
     task->performTask();
     --m_queuedTaskCount;
 
     // If this database was force closed (e.g. for a user delete) and there are no more
-    // queued tasks left, delete this.
+    // cleanup tasks left, delete this.
     if (m_hardCloseProtector && doneWithHardClose())
         m_hardCloseProtector = nullptr;
 }
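Review bot: `RefPtr<UniqueIDBDatabase> protectedThis(this);` is placed correctly, before `task->performTask()`, but WebKit style prefers `Ref<UniqueIDBDatabase> protectedThis(*this);` for a reference that is known to be non-null. Note the ordering this creates: when `m_hardCloseProtector = nullptr` drops what may be the last external reference, the object now survives until `protectedThis` goes out of scope at the closing brace, so nothing may touch `this` after that assignment; nothing does today, but any later addition to the tail of this function must respect that. The comment change from "queued tasks" to "cleanup tasks" matches the name of the `doneWithHardClose()` check it describes.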
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
