IDBRequest::dispatchEvent should check nullability of m_transaction before operations...
author: jiewen_tan@apple.com <jiewen_tan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 28 Mar 2019 21:26:38 +0000 (21:26 +0000)
committer: jiewen_tan@apple.com <jiewen_tan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 28 Mar 2019 21:26:38 +0000 (21:26 +0000)
https://bugs.webkit.org/show_bug.cgi?id=196319
<rdar://problem/49355279>

Reviewed by Alex Christensen.

The test that triggers this crash is on Bug 196276.

* Modules/indexeddb/IDBRequest.cpp:
(WebCore::IDBRequest::dispatchEvent):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243622 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/Modules/indexeddb/IDBRequest.cpp

index 93ab661..f05425d 100644 (file)
@@ -1,3 +1,16 @@
+2019-03-27  Jiewen Tan  <jiewen_tan@apple.com>
+
+        IDBRequest::dispatchEvent should check nullability of m_transaction before operations that rely on it to be non null
+        https://bugs.webkit.org/show_bug.cgi?id=196319
+        <rdar://problem/49355279>
+
+        Reviewed by Alex Christensen.
+
+        The test that triggers this crash is on Bug 196276.
+
+        * Modules/indexeddb/IDBRequest.cpp:
+        (WebCore::IDBRequest::dispatchEvent):
+
 2019-03-28  Ryosuke Niwa  <rniwa@webkit.org>
 
         Debug assert in DOMSelection::containsNode when node belongs to a different tree
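Review bot: the ChangeLog entry names the changed function but gives no rationale for the new early return; a one-line note on how m_transaction can already be null when dispatchEvent runs (the scenario the test on Bug 196276 exercises) would make the null check reviewable without reading the bug. The entry is also dated 2019-03-27 while the commit landed on 2019-03-28 and sits above a 2019-03-28 entry; consider updating the date so the file stays in order.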
index 46be5e1..ab7f158 100644 (file)
@@ -330,21 +330,22 @@ void IDBRequest::dispatchEvent(Event& event)
     if (!m_hasPendingActivity)
         m_hasPendingActivity = isOpenDBRequest() && (event.type() == eventNames().upgradeneededEvent || event.type() == eventNames().blockedEvent);
 
+    m_dispatchingEvent = false;
+    if (!m_transaction)
+        return;
+
     // The request should only remain in the transaction's request list if it represents a pending cursor operation, or this is an open request that was blocked.
-    if (m_transaction && !m_pendingCursor && event.type() != eventNames().blockedEvent)
+    if (!m_pendingCursor && event.type() != eventNames().blockedEvent)
         m_transaction->removeRequest(*this);
 
     if (m_hasUncaughtException)
         m_transaction->abortDueToFailedRequest(DOMException::create(AbortError, "IDBTransaction will abort due to uncaught exception in an event handler"_s));
-    else if (!event.defaultPrevented() && event.type() == eventNames().errorEvent && m_transaction && !m_transaction->isFinishedOrFinishing()) {
+    else if (!event.defaultPrevented() && event.type() == eventNames().errorEvent && !m_transaction->isFinishedOrFinishing()) {
         ASSERT(m_domError);
         m_transaction->abortDueToFailedRequest(*m_domError);
     }
 
-    if (m_transaction)
-        m_transaction->finishedDispatchEventForRequest(*this);
-
-    m_dispatchingEvent = false;
+    m_transaction->finishedDispatchEventForRequest(*this);
 }
 
 void IDBRequest::uncaughtExceptionInEventHandler()
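Review bot: moving `m_dispatchingEvent = false;` to the top of this block changes when the flag is cleared relative to `removeRequest`, `abortDueToFailedRequest` and `finishedDispatchEventForRequest`; before the patch it was cleared only after all three had run. If any of those calls re-enters the request or consults the flag (for example `uncaughtExceptionInEventHandler`, declared immediately below), the observable ordering now differs. Consider keeping the assignment at the end of the function and clearing the flag separately on the `if (!m_transaction) return;` path, or record in the ChangeLog why clearing it first is safe. The early return itself is sound: it removes the unconditional `m_transaction->abortDueToFailedRequest(...)` dereference in the `m_hasUncaughtException` branch that the old per-call `m_transaction &&` guards did not cover.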