Changeset 109271 in webkit

Timestamp:

Feb 29, 2012 3:03:19 PM (12 years ago)

Author:

jsbell@chromium.org

Message:

IndexedDB: Resource leak with IDBObjectStore.openCursor
​https://bugs.webkit.org/show_bug.cgi?id=79835

Source/WebCore:

IDBCursor object that were never continue()'d to the end would leak due to a
reference cycle with IDBRequest. In addition, the IDBRequest would never be
marked "finished" which would prevent GC from reclaiming it. IDBTransactions
now track and notify IDBCursors to break these references when the transaction
can no longer not process requests.

Reviewed by Tony Chang.

Tests: storage/indexeddb/cursor-continue.html

• storage/IDBCursor.cpp:

(WebCore::IDBCursor::IDBCursor): Register with IDBTransaction bookkeeping.
(WebCore::IDBCursor::continueFunction): Early error if transaction has finished.
(WebCore::IDBCursor::close): Break the reference cycle with IDBRequest, and notify it
that the cursor is finished.
(WebCore):

• storage/IDBCursor.h:

(WebCore):
(IDBCursor):

• storage/IDBRequest.cpp:

(WebCore::IDBRequest::IDBRequest):
(WebCore::IDBRequest::finishCursor): If there is no request in flight, mark itself as
finished to allow GC.
(WebCore):
(WebCore::IDBRequest::dispatchEvent): Once an in-flight request has been processed,
mark the request as finished if the cursor is finished, to allow GC.

• storage/IDBRequest.h:

(IDBRequest):

• storage/IDBTransaction.cpp: Track open cursors, close them when finished.

(WebCore::IDBTransaction::OpenCursorNotifier::OpenCursorNotifier):
(WebCore):
(WebCore::IDBTransaction::OpenCursorNotifier::~OpenCursorNotifier):
(WebCore::IDBTransaction::registerOpenCursor):
(WebCore::IDBTransaction::unregisterOpenCursor):
(WebCore::IDBTransaction::closeOpenCursors):
(WebCore::IDBTransaction::onAbort):
(WebCore::IDBTransaction::onComplete):

• storage/IDBTransaction.h:

(WebCore):
(OpenCursorNotifier):
(IDBTransaction):

LayoutTests:

Ensure that IDBCursor.continue() throws the right exception when transaction is finished.

Reviewed by Tony Chang.

• storage/indexeddb/cursor-continue-expected.txt:
• storage/indexeddb/cursor-continue.html:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/storage/indexeddb/cursor-continue-expected.txt (modified) (1 diff)
• LayoutTests/storage/indexeddb/cursor-continue.html (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/storage/IDBCursor.cpp (modified) (3 diffs)
• Source/WebCore/storage/IDBCursor.h (modified) (4 diffs)
• Source/WebCore/storage/IDBRequest.cpp (modified) (3 diffs)
• Source/WebCore/storage/IDBRequest.h (modified) (2 diffs)
• Source/WebCore/storage/IDBTransaction.cpp (modified) (3 diffs)
• Source/WebCore/storage/IDBTransaction.h (modified) (4 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-02-29  Joshua Bell  <jsbell@chromium.org>
+
+        IndexedDB: Resource leak with IDBObjectStore.openCursor
+        https://bugs.webkit.org/show_bug.cgi?id=79835
+
+        Ensure that IDBCursor.continue() throws the right exception when transaction is finished.
+
+        Reviewed by Tony Chang.
+
+        * storage/indexeddb/cursor-continue-expected.txt:
+        * storage/indexeddb/cursor-continue.html:
+
 2012-02-29  Adam Klein  <adamk@chromium.org>
 

trunk/LayoutTests/storage/indexeddb/cursor-continue-expected.txt

@@ -109 +109 @@
 event.target.result.continue('A bit2')
 PASS event.target.result.primaryKey is 15
+cursor = event.target.result
 Expecting exception from event.target.result.continue('A bit2')
 PASS Exception was thrown.
 PASS code is IDBDatabaseException.DATA_ERR
+Expecting exception from cursor.continue()
+PASS Exception was thrown.
+PASS code is IDBDatabaseException.TRANSACTION_INACTIVE_ERR
 PASS successfullyParsed is true
 

trunk/LayoutTests/storage/indexeddb/cursor-continue.html

@@ -263 +263 @@
         } else if (window.stage == 1) {
             shouldBe("event.target.result.primaryKey", "15");
+            evalAndLog("cursor = event.target.result");
             evalAndExpectException("event.target.result.continue('A bit2')", "IDBDatabaseException.DATA_ERR");
-            done();
-            return;
-        } else {
-           testFailed("Illegal stage.");
-        }
-        window.stage++;
-    };
+            window.trans.oncomplete = onTransactionComplete;
+            return;
+        } else {
+           testFailed("Illegal stage.");
+        }
+        window.stage++;
+    };
+}
+
+function onTransactionComplete()
+{
+    evalAndExpectException("cursor.continue()", "IDBDatabaseException.TRANSACTION_INACTIVE_ERR");
+    done();
 }
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2012-02-29  Joshua Bell  <jsbell@chromium.org>
+
+        IndexedDB: Resource leak with IDBObjectStore.openCursor
+        https://bugs.webkit.org/show_bug.cgi?id=79835
+
+        IDBCursor object that were never continue()'d to the end would leak due to a 
+        reference cycle with IDBRequest. In addition, the IDBRequest would never be
+        marked "finished" which would prevent GC from reclaiming it. IDBTransactions
+        now track and notify IDBCursors to break these references when the transaction
+        can no longer not process requests.
+
+        Reviewed by Tony Chang.
+
+        Tests: storage/indexeddb/cursor-continue.html
+
+        * storage/IDBCursor.cpp:
+        (WebCore::IDBCursor::IDBCursor): Register with IDBTransaction bookkeeping.
+        (WebCore::IDBCursor::continueFunction): Early error if transaction has finished.
+        (WebCore::IDBCursor::close): Break the reference cycle with IDBRequest, and notify it
+        that the cursor is finished.
+        (WebCore):
+        * storage/IDBCursor.h:
+        (WebCore):
+        (IDBCursor):
+        * storage/IDBRequest.cpp:
+        (WebCore::IDBRequest::IDBRequest):
+        (WebCore::IDBRequest::finishCursor): If there is no request in flight, mark itself as
+        finished to allow GC.
+        (WebCore):
+        (WebCore::IDBRequest::dispatchEvent): Once an in-flight request has been processed,
+        mark the request as finished if the cursor is finished, to allow GC.
+        * storage/IDBRequest.h:
+        (IDBRequest):
+        * storage/IDBTransaction.cpp: Track open cursors, close them when finished.
+        (WebCore::IDBTransaction::OpenCursorNotifier::OpenCursorNotifier):
+        (WebCore):
+        (WebCore::IDBTransaction::OpenCursorNotifier::~OpenCursorNotifier):
+        (WebCore::IDBTransaction::registerOpenCursor):
+        (WebCore::IDBTransaction::unregisterOpenCursor):
+        (WebCore::IDBTransaction::closeOpenCursors):
+        (WebCore::IDBTransaction::onAbort):
+        (WebCore::IDBTransaction::onComplete):
+        * storage/IDBTransaction.h:
+        (WebCore):
+        (OpenCursorNotifier):
+        (IDBTransaction):
+
 2012-02-29  David Hyatt  <hyatt@apple.com>
 

trunk/Source/WebCore/storage/IDBCursor.cpp

@@ -51 +51 @@
     , m_source(source)
     , m_transaction(transaction)
+    , m_transactionNotifier(transaction, this)
 {
     ASSERT(m_backend);
@@ -111 +112 @@
     }
 
+    if (!m_request) {
+        ec = IDBDatabaseException::TRANSACTION_INACTIVE_ERR;
+        return;
+    }
     // FIXME: We're not using the context from when continue was called, which means the callback
     //        will be on the original context openCursor was called on. Is this right?
@@ -137 +142 @@
 }
 
+void IDBCursor::close()
+{
+    ASSERT(m_request);
+    m_request->finishCursor();
+    m_request.clear();
+}
+
 } // namespace WebCore
 

trunk/Source/WebCore/storage/IDBCursor.h

@@ -30 +30 @@
 
 #include "IDBKey.h"
+#include "IDBTransaction.h"
 #include <wtf/PassRefPtr.h>
 #include <wtf/RefCounted.h>
@@ -40 +41 @@
 class IDBCursorBackendInterface;
 class IDBRequest;
-class IDBTransaction;
 class ScriptExecutionContext;
 class SerializedScriptValue;
@@ -72 +72 @@
 
     void postSuccessHandlerCallback();
+    void close();
 
 protected:
@@ -81 +82 @@
     RefPtr<IDBAny> m_source;
     RefPtr<IDBTransaction> m_transaction;
+    IDBTransaction::OpenCursorNotifier m_transactionNotifier;
 };
 

trunk/Source/WebCore/storage/IDBRequest.cpp

@@ -59 +59 @@
     , m_readyState(LOADING)
     , m_requestFinished(false)
+    , m_cursorFinished(false)
     , m_contextStopped(false)
     , m_cursorType(IDBCursorBackendInterface::InvalidCursorType)
@@ -181 +182 @@
     ASSERT(!m_cursor);
     m_cursor = cursor;
+}
+
+void IDBRequest::finishCursor()
+{
+    m_cursorFinished = true;
+    if (m_readyState != LOADING)
+        m_requestFinished = true;
 }
 
@@ -365 +373 @@
 
     // If the result was of type IDBCursor, or a onBlocked event, then we'll fire again.
-    if (event->type() != eventNames().blockedEvent && m_result && m_result->type() != IDBAny::IDBCursorType && m_result->type() != IDBAny::IDBCursorWithValueType)
+    if (event->type() != eventNames().blockedEvent && (!cursorToNotify || m_cursorFinished))
         m_requestFinished = true;
 

trunk/Source/WebCore/storage/IDBRequest.h

@@ -73 +73 @@
     void setCursorType(IDBCursorBackendInterface::CursorType);
     void setCursor(PassRefPtr<IDBCursor>);
+    void finishCursor();
     IDBAny* source();
     void abort();
@@ -123 +124 @@
     ReadyState m_readyState;
     bool m_requestFinished; // Is it possible that we'll fire any more events? If not, we're finished.
+    bool m_cursorFinished;
     bool m_contextStopped;
     Vector<RefPtr<Event> > m_enqueuedEvents;

trunk/Source/WebCore/storage/IDBTransaction.cpp

@@ -127 +127 @@
 }
 
+IDBTransaction::OpenCursorNotifier::OpenCursorNotifier(PassRefPtr<IDBTransaction> transaction, IDBCursor* cursor)
+    : m_transaction(transaction),
+      m_cursor(cursor)
+{
+    m_transaction->registerOpenCursor(m_cursor);
+}
+
+IDBTransaction::OpenCursorNotifier::~OpenCursorNotifier()
+{
+    m_transaction->unregisterOpenCursor(m_cursor);
+}
+
+void IDBTransaction::registerOpenCursor(IDBCursor* cursor)
+{
+    m_openCursors.add(cursor);
+}
+
+void IDBTransaction::unregisterOpenCursor(IDBCursor* cursor)
+{
+    m_openCursors.remove(cursor);
+}
+
+void IDBTransaction::closeOpenCursors()
+{
+    HashSet<IDBCursor*> cursors;
+    cursors.swap(m_openCursors);
+    for (HashSet<IDBCursor*>::iterator i = cursors.begin(); i != cursors.end(); ++i)
+        (*i)->close();
+}
+
 void IDBTransaction::registerRequest(IDBRequest* request)
 {
@@ -149 +179 @@
     if (m_mode == IDBTransaction::VERSION_CHANGE)
         m_database->clearVersionChangeTransaction(this);
+    closeOpenCursors();
 
     if (m_contextStopped || !scriptExecutionContext())
@@ -161 +192 @@
     if (m_mode == IDBTransaction::VERSION_CHANGE)
         m_database->clearVersionChangeTransaction(this);
+    closeOpenCursors();
 
     if (m_contextStopped || !scriptExecutionContext())

trunk/Source/WebCore/storage/IDBTransaction.h

@@ -37 +37 @@
 #include "IDBTransactionBackendInterface.h"
 #include "IDBTransactionCallbacks.h"
+#include <wtf/HashSet.h>
 #include <wtf/RefCounted.h>
 
 namespace WebCore {
 
+class IDBCursor;
 class IDBDatabase;
 class IDBObjectStore;
@@ -62 +64 @@
     PassRefPtr<IDBObjectStore> objectStore(const String& name, ExceptionCode&);
     void abort();
+
+    class OpenCursorNotifier {
+    public:
+        OpenCursorNotifier(PassRefPtr<IDBTransaction>, IDBCursor*);
+        ~OpenCursorNotifier();
+    private:
+        RefPtr<IDBTransaction> m_transaction;
+        IDBCursor* m_cursor;
+    };
 
     void registerRequest(IDBRequest*);
@@ -94 +105 @@
 
     void enqueueEvent(PassRefPtr<Event>);
+    void closeOpenCursors();
+
+    void registerOpenCursor(IDBCursor*);
+    void unregisterOpenCursor(IDBCursor*);
 
     // EventTarget
@@ -112 +127 @@
     IDBObjectStoreMap m_objectStoreMap;
 
+    HashSet<IDBCursor*> m_openCursors;
+
     EventTargetData m_eventTargetData;
 };