Title: [126361] trunk/Source/WebCore
- Revision: 126361
- Author: [email protected]
- Date: 2012-08-22 15:28:56 -0700 (Wed, 22 Aug 2012)
Log Message
IndexedDB: IDBRequest can be destructed during abort
https://bugs.webkit.org/show_bug.cgi?id=94618
Reviewed by Tony Chang.
If there are no script references, an IDBRequest could be kept alive
only by enqueued events. On document destruction, the parent transaction
is aborted, which aborts the request. During the abort, the enqueued events
are deleted, releasing the last reference to the IDBRequest which then
destructs in mid-method call and an "unfinished" state, hitting an assert.
This patch keeps the IDBRequest alive through the completion of the abort()
method, which will enqueue another event. In the document destruction case,
this will end up with the IDBRequest having stop() called on it which will
send the IDBRequest into EarlyDeath state, satisfying the destructor assert.
Addresses existing layout tests that behave flakily in the Chromium port.
* Modules/indexeddb/IDBRequest.cpp:
(WebCore::IDBRequest::abort):
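The lifetime bug the log message describes, as an added C++ illustration that is not WebKit code: the type and function names are hypothetical, a std::shared_ptr protector stands in for RefPtr<IDBRequest> self(this), and the destructor assert models the "unfinished state" assert the log mentions.

```cpp
#include <cassert>
#include <memory>
#include <vector>
// Constructed stand-ins (hypothetical names) for the objects in the log message.
struct Request;
struct Event { std::shared_ptr<Request> target; };  // event strongly references its request
struct EventQueue {
    std::vector<std::shared_ptr<Event>> pending;     // the queue owns pending events
    bool cancelEvent(Event* e) {
        for (auto it = pending.begin(); it != pending.end(); ++it)
            if (it->get() == e) { pending.erase(it); return true; }
        return false;
    }
};
static int g_liveRequests = 0;  // constructed-but-not-destroyed requests
struct Request : std::enable_shared_from_this<Request> {
    enum State { PENDING, DONE, EARLY_DEATH } readyState = PENDING;
    EventQueue* queue;
    std::vector<Event*> enqueuedEvents;
    explicit Request(EventQueue* q) : queue(q) { ++g_liveRequests; }
    // Models the destructor assert: a request must never die "unfinished".
    ~Request() { assert(readyState != PENDING); --g_liveRequests; }
    void enqueueEvent() {
        auto e = std::make_shared<Event>();
        e->target = shared_from_this();
        enqueuedEvents.push_back(e.get());
        queue->pending.push_back(e);
    }
    void abort() {
        if (readyState == DONE) return;
        // The r126361 fix: keep *this alive for the rest of the method, because
        // cancelEvent() below may release the last reference (the event's).
        std::shared_ptr<Request> self = shared_from_this();
        for (Event* e : enqueuedEvents) queue->cancelEvent(e);
        enqueuedEvents.clear();
        readyState = EARLY_DEATH;  // member access that 'self' makes safe
    }
};
// Scenario from the bug: script drops its reference, so the queued event is the only owner.
bool runAbortScenario() {
    EventQueue queue;
    Request* raw;
    {
        auto request = std::make_shared<Request>(&queue);
        request->enqueueEvent();
        raw = request.get();
    }  // script reference gone; only queue.pending keeps the request alive
    raw->abort();  // request destroyed here, but only after abort() returns
    return g_liveRequests == 0 && queue.pending.empty();
}
```

Without the `self` protector, erasing the event inside the loop would destroy the request mid-method and the destructor assert would fire with the state still PENDING.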
Diff
Modified: trunk/Source/WebCore/ChangeLog (126360 => 126361)
--- trunk/Source/WebCore/ChangeLog 2012-08-22 22:27:45 UTC (rev 126360)
+++ trunk/Source/WebCore/ChangeLog 2012-08-22 22:28:56 UTC (rev 126361)
@@ -1,3 +1,26 @@
+2012-08-22 Joshua Bell <[email protected]>
+
+ IndexedDB: IDBRequest can be destructed during abort
+ https://bugs.webkit.org/show_bug.cgi?id=94618
+
+ Reviewed by Tony Chang.
+
+ If there are no script references, an IDBRequest could be kept alive
+ only by enqueued events. On document destruction, the parent transaction
+ is aborted, which aborts the request. During the abort, the enqueued events
+ are deleted, releasing the last reference to the IDBRequest which then
+ destructs in mid-method call and an "unfinished" state, hitting an assert.
+
+ This patch keeps the IDBRequest alive through the completion of the abort()
+ method, which will enqueue another event. In the document destruction case,
+ this will end up with the IDBRequest having stop() called on it which will
+ send the IDBRequest into EarlyDeath state, satisfying the destructor assert.
+
+ Addresses existing layout tests that behave flakily in Chromium port.
+
+ * Modules/indexeddb/IDBRequest.cpp:
+ (WebCore::IDBRequest::abort):
+
2012-08-22 Kentaro Hara <[email protected]>
[V8] Move precompileScript() from V8Proxy to ScriptSourceCode
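Review bot: the entry says the change addresses flaky layout tests but names none, and the only path listed is Modules/indexeddb/IDBRequest.cpp; name the affected tests in the entry, or add a regression test that drops all script references and then tears down the document, so the fix stays traceable to what it repairs.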
Modified: trunk/Source/WebCore/Modules/indexeddb/IDBRequest.cpp (126360 => 126361)
--- trunk/Source/WebCore/Modules/indexeddb/IDBRequest.cpp 2012-08-22 22:27:45 UTC (rev 126360)
+++ trunk/Source/WebCore/Modules/indexeddb/IDBRequest.cpp 2012-08-22 22:28:56 UTC (rev 126361)
@@ -160,6 +160,9 @@
if (m_readyState == DONE)
return;
+ // Enqueued events may be the only reference to this object.
+ RefPtr<IDBRequest> self(this);
+
EventQueue* eventQueue = scriptExecutionContext()->eventQueue();
for (size_t i = 0; i < m_enqueuedEvents.size(); ++i) {
bool removed = eventQueue->cancelEvent(m_enqueuedEvents[i].get());
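Review bot: the new comment above `RefPtr<IDBRequest> self(this);` says what may happen but not where; state that the `eventQueue->cancelEvent()` loop directly below can drop the last reference, and that every member access after that loop (the state change and the event the log says is enqueued) depends on `self` staying in scope until abort() returns. Placing the protector after the `m_readyState == DONE` early return is correct, since nothing has been released at that point.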
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes