StorageArea should not be destructed on the main thread
author: sihui_liu@apple.com <sihui_liu@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 11 Jul 2019 22:26:25 +0000 (22:26 +0000)
committer: sihui_liu@apple.com <sihui_liu@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 11 Jul 2019 22:26:25 +0000 (22:26 +0000)
https://bugs.webkit.org/show_bug.cgi?id=199713
<rdar://problem/52911900>

Reviewed by Alex Christensen.

After r246079, LocalStorageNameSpace could be destructed on the main thread and it may hold the last reference
to StorageArea. Then we saw crashes where StorageArea was wrongly destructed on the main thread.

* NetworkProcess/NetworkSession.cpp:
(WebKit::NetworkSession::~NetworkSession):
* NetworkProcess/WebStorage/StorageManager.cpp:
(WebKit::StorageManager::waitUntilTasksFinished):
(WebKit::StorageManager::waitUntilWritesFinished): Deleted.
* NetworkProcess/WebStorage/StorageManager.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@247370 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit/ChangeLog
Source/WebKit/NetworkProcess/NetworkSession.cpp
Source/WebKit/NetworkProcess/WebStorage/StorageManager.cpp
Source/WebKit/NetworkProcess/WebStorage/StorageManager.h

index b0f490d..737f71f 100644 (file)
@@ -1,3 +1,21 @@
+2019-07-11  Sihui Liu  <sihui_liu@apple.com>
+
+        StorageArea should not be destructed on the main thread
+        https://bugs.webkit.org/show_bug.cgi?id=199713
+        <rdar://problem/52911900>
+
+        Reviewed by Alex Christensen.
+
+        After r246079, LocalStorageNameSpace could be destructed on the main thread and it may hold the last reference 
+        to StorageArea. Then we saw the crashes that StorageArea was wrongly destructed on the main thread.
+
+        * NetworkProcess/NetworkSession.cpp:
+        (WebKit::NetworkSession::~NetworkSession):
+        * NetworkProcess/WebStorage/StorageManager.cpp:
+        (WebKit::StorageManager::waitUntilTasksFinished):
+        (WebKit::StorageManager::waitUntilWritesFinished): Deleted.
+        * NetworkProcess/WebStorage/StorageManager.h:
+
 2019-07-11  Tim Horton  <timothy_horton@apple.com>
 
         Null deref of Range under WebPage::startAutoscrollAtPosition
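Review bot: trailing whitespace at the end of the added line "After r246079, LocalStorageNameSpace could be destructed on the main thread and it may hold the last reference " in the ChangeLog entry; please strip it before landing.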
index 1e3a0d9..c7faf04 100644 (file)
@@ -95,7 +95,7 @@ NetworkSession::NetworkSession(NetworkProcess& networkProcess, PAL::SessionID se
 NetworkSession::~NetworkSession()
 {
     m_storageManager->resume();
-    m_storageManager->waitUntilWritesFinished();
+    m_storageManager->waitUntilTasksFinished();
 }
 
 void NetworkSession::invalidateAndCancel()
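Review bot: the destructor blocks the main thread on the storage queue and the rename alone does not say why that is required here; a one-line comment above `m_storageManager->waitUntilTasksFinished();` stating that the wait exists so the last StorageArea references are released on the storage queue rather than in this destructor would make the threading invariant visible to the next reader.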
index 6691294..34a031e 100644 (file)
@@ -907,7 +907,7 @@ void StorageManager::clear(IPC::Connection& connection, WebCore::SecurityOriginD
     });
 }
 
-void StorageManager::waitUntilWritesFinished()
+void StorageManager::waitUntilTasksFinished()
 {
     BinarySemaphore semaphore;
     m_queue->dispatch([this, &semaphore] {
@@ -920,6 +920,8 @@ void StorageManager::waitUntilWritesFinished()
         for (auto& connectionStorageAreaPair : connectionAndStorageMapIDPairsToRemove)
             m_storageAreasByConnection.remove(connectionStorageAreaPair);
 
+        m_localStorageNamespaces.clear();
+
         semaphore.signal();
     });
     semaphore.wait();
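Review bot: the added `m_localStorageNamespaces.clear();` is the actual fix but carries no comment; please note above it that it must run on m_queue so that any StorageArea kept alive only by a LocalStorageNamespace is destructed there and not on the main thread. Also worth confirming (the header shows cloneSessionStorageNamespace, so session storage namespaces exist) whether a session storage namespace could likewise hold the last reference to a StorageArea; if so it needs the same treatment, otherwise a comment explaining why not would prevent a repeat of this bug.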
index fb9b7e6..a5afada 100644 (file)
@@ -57,7 +57,7 @@ public:
     void cloneSessionStorageNamespace(uint64_t storageNamespaceID, uint64_t newStorageNamespaceID);
 
     void processDidCloseConnection(IPC::Connection&);
-    void waitUntilWritesFinished();
+    void waitUntilTasksFinished();
     void suspend(CompletionHandler<void()>&&);
     void resume();
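Review bot: the renamed declaration `void waitUntilTasksFinished();` has no documentation, yet the method blocks the calling thread and now also destroys the local storage namespaces; a short comment marking it as shutdown-only (its one caller is ~NetworkSession) would keep it from being reused as a plain "flush writes" helper.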