Race condition calling back to an IDBOpenDBRequest during WorkerThread shutdown.
author beidson@apple.com <beidson@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 25 May 2016 21:19:09 +0000 (21:19 +0000)
committer beidson@apple.com <beidson@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 25 May 2016 21:19:09 +0000 (21:19 +0000)
https://bugs.webkit.org/show_bug.cgi?id=158089

Reviewed by Alex Christensen.

No new tests (Only seen randomly under GuardMalloc).

Crash was seen once running under GuardMalloc. The error is obvious.

* Modules/indexeddb/client/IDBConnectionProxy.cpp:
(WebCore::IDBClient::IDBConnectionProxy::completeOpenDBRequest): Don't get a raw pointer out of the map.
  Instead store off as a RefPtr, as the map might be cleared out from the worker thread.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@201402 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/Modules/indexeddb/client/IDBConnectionProxy.cpp

index b4c4d64..4cf7173 100644 (file)
@@ -1,3 +1,18 @@
+2016-05-25  Brady Eidson  <beidson@apple.com>
+
+        Race condition calling back to an IDBOpenDBRequest during WorkerThread shutdown.
+        https://bugs.webkit.org/show_bug.cgi?id=158089
+
+        Reviewed by Alex Christensen.
+
+        No new tests (Only seen randomly under GuardMalloc).
+
+        Crash was seen once running under GuardMalloc. The error is obvious.
+
+        * Modules/indexeddb/client/IDBConnectionProxy.cpp:
+        (WebCore::IDBClient::IDBConnectionProxy::completeOpenDBRequest): Don't get a raw pointer out of the map.
+          Instead store off as a RefPtr, as the map might be cleared out from the worker thread.
+
 2016-05-25  Chris Dumez  <cdumez@apple.com>
 
         Simplify and inline minimumValueForLength()
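Review bot: the summary line "The error is obvious." in the new entry does not say what the error is; the only description of the race is the function-level note beneath it (raw pointer taken out of the map, map possibly cleared from the worker thread). Suggest replacing that sentence with one that names the failure, and since the entry records "No new tests", adding how the crash showed up under GuardMalloc so a recurrence can be recognised.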
index 5ebb268..64ee930 100644 (file)
@@ -104,7 +104,7 @@ void IDBConnectionProxy::completeOpenDBRequest(const IDBResultData& resultData)
 {
     ASSERT(isMainThread());
 
-    IDBOpenDBRequest* request;
+    RefPtr<IDBOpenDBRequest> request;
     {
         Locker<Lock> locker(m_openDBRequestMapLock);
         request = m_openDBRequestMap.get(resultData.requestIdentifier());
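Review bot: at `RefPtr<IDBOpenDBRequest> request;` the reference is now taken on the main thread (see `ASSERT(isMainThread())`) for an object that, per the commit message, the worker thread can drop from the map, so two things need confirming that this hunk does not show: that IDBOpenDBRequest's reference counting is safe to touch from both threads, and that if this RefPtr ends up holding the last reference, the request is not destroyed on the main thread instead of on its worker thread. Assigning inside the `Locker<Lock> locker(m_openDBRequestMapLock);` scope is the right place to take the reference; a one-line comment there stating that the RefPtr keeps the request alive after the lock is released would keep a later cleanup from turning it back into a raw pointer.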