Title: [243622] trunk/Source/WebCore
- Revision
- 243622
- Author
- [email protected]
- Date
- 2019-03-28 14:26:38 -0700 (Thu, 28 Mar 2019)
Log Message
IDBRequest::dispatchEvent should check nullability of m_transaction before operations that rely on it to be non null
https://bugs.webkit.org/show_bug.cgi?id=196319
<rdar://problem/49355279>
Reviewed by Alex Christensen.
The test that triggers this crash is on Bug 196276.
* Modules/indexeddb/IDBRequest.cpp:
(WebCore::IDBRequest::dispatchEvent):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (243621 => 243622)
--- trunk/Source/WebCore/ChangeLog 2019-03-28 21:23:49 UTC (rev 243621)
+++ trunk/Source/WebCore/ChangeLog 2019-03-28 21:26:38 UTC (rev 243622)
@@ -1,3 +1,16 @@
+2019-03-27 Jiewen Tan <[email protected]>
+
+ IDBRequest::dispatchEvent should check nullability of m_transaction before operations that rely on it to be non null
+ https://bugs.webkit.org/show_bug.cgi?id=196319
+ <rdar://problem/49355279>
+
+ Reviewed by Alex Christensen.
+
+ The test that triggers this crash is on Bug 196276.
+
+ * Modules/indexeddb/IDBRequest.cpp:
+ (WebCore::IDBRequest::dispatchEvent):
+
2019-03-28 Ryosuke Niwa <[email protected]>
Debug assert in DOMSelection::containsNode when node belongs to a different tree
Modified: trunk/Source/WebCore/Modules/indexeddb/IDBRequest.cpp (243621 => 243622)
--- trunk/Source/WebCore/Modules/indexeddb/IDBRequest.cpp 2019-03-28 21:23:49 UTC (rev 243621)
+++ trunk/Source/WebCore/Modules/indexeddb/IDBRequest.cpp 2019-03-28 21:26:38 UTC (rev 243622)
@@ -330,21 +330,22 @@
if (!m_hasPendingActivity)
m_hasPendingActivity = isOpenDBRequest() && (event.type() == eventNames().upgradeneededEvent || event.type() == eventNames().blockedEvent);
+ m_dispatchingEvent = false;
+ if (!m_transaction)
+ return;
+
// The request should only remain in the transaction's request list if it represents a pending cursor operation, or this is an open request that was blocked.
- if (m_transaction && !m_pendingCursor && event.type() != eventNames().blockedEvent)
+ if (!m_pendingCursor && event.type() != eventNames().blockedEvent)
m_transaction->removeRequest(*this);
if (m_hasUncaughtException)
m_transaction->abortDueToFailedRequest(DOMException::create(AbortError, "IDBTransaction will abort due to uncaught exception in an event handler"_s));
- else if (!event.defaultPrevented() && event.type() == eventNames().errorEvent && m_transaction && !m_transaction->isFinishedOrFinishing()) {
+ else if (!event.defaultPrevented() && event.type() == eventNames().errorEvent && !m_transaction->isFinishedOrFinishing()) {
ASSERT(m_domError);
m_transaction->abortDueToFailedRequest(*m_domError);
}
- if (m_transaction)
- m_transaction->finishedDispatchEventForRequest(*this);
-
- m_dispatchingEvent = false;
+ m_transaction->finishedDispatchEventForRequest(*this);
}
void IDBRequest::uncaughtExceptionInEventHandler()
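Review bot: The single `if (!m_transaction) return;` guard protects the later `m_transaction->` dereferences only if nothing between the guard and `finishedDispatchEventForRequest(*this)` can clear the member. The removed lines rechecked `m_transaction` before that last call and in the error-event branch, after `removeRequest(*this)` and `abortDueToFailedRequest(...)` had already run. Whether either call can reset the request's transaction is not visible in this hunk; if it can, the final call is a null dereference again. Assuming `m_transaction` is a `RefPtr`, pinning it right after the guard with `auto transaction = makeRef(*m_transaction);` and calling through `transaction` would remove that dependency. Separately, `m_dispatchingEvent = false;` now runs before the transaction calls instead of after them, so a comment such as `// Clear before the early return so the flag is never left set; transaction callbacks below run with it already false.` would record that the reordering is intentional. The body of dispatchEvent starts outside the hunk.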