Changeset 126254 in webkit

Timestamp:

Aug 21, 2012 7:43:47 PM (12 years ago)

Author:

jsbell@chromium.org

Message:

IndexedDB: IDBRequest can be GCd during event dispatch
​https://bugs.webkit.org/show_bug.cgi?id=94235

Reviewed by Ojan Vafai.

Source/WebCore:

Avoid a "race" where GC may attempt to reclaim IDB objects that are marked
"done" prior to the completion of the event dispatch. The script runtime
may decide to do a GC pass before calling the event handler, releasing the
object and turning the dispatch into a no-op.

This is a partial reversion (with renames, etc) of r123275, r124842,
and r121492. Added a new test, although it does not exercise the "race"
condition directly.

Test: storage/indexeddb/pending-activity.html

storage/indexeddb/pending-activity-workers.html

• Modules/indexeddb/IDBCursor.cpp:

(WebCore::IDBCursor::close): Let the IDBRequest know it this cursor won't
make it fire again.

• Modules/indexeddb/IDBRequest.cpp:

(WebCore::IDBRequest::IDBRequest): Reintroduce "am I done?" flag.
(WebCore::IDBRequest::finishCursor): Cursors may fire events at the same
IDBRequest repeatedly, so we need to know when they're are really done.
(WebCore):
(WebCore::IDBRequest::hasPendingActivity): Test the flag.
(WebCore::IDBRequest::dispatchEvent): Set the flag.

• Modules/indexeddb/IDBRequest.h:

(IDBRequest):

• Modules/indexeddb/IDBTransaction.cpp:

(WebCore::IDBTransaction::IDBTransaction): Reintroduce "am I done?" flag.
(WebCore::IDBTransaction::hasPendingActivity): Test the flag.
(WebCore::IDBTransaction::dispatchEvent): Set the flag.

• Modules/indexeddb/IDBTransaction.h:

LayoutTests:

Release references to IDBRequest and IDBTransaction objects and force GC,
to ensure that pending events are still fired. (Doesn't exercise race
condition where GC is triggered by script during dispatch itself, though.)

• storage/indexeddb/pending-activity-expected.txt: Added.
• storage/indexeddb/pending-activity-workers-expected.txt: Added.
• storage/indexeddb/pending-activity-workers.html: Added.
• storage/indexeddb/pending-activity.html: Added.
• storage/indexeddb/resources/pending-activity.js: Added.

(test):
(prepareDatabase.request.onsuccess.request.onsuccess.request.onsuccess):
(prepareDatabase.request.onsuccess.request.onsuccess):
(prepareDatabase.request.onsuccess):
(prepareDatabase):
(testTransaction):
(transactionOnComplete):
(testRequest):
(requestOnSuccess):
(testCursorRequest):
(cursorRequestOnFirstSuccess):
(cursorRequestOnSecondSuccess):

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/storage/indexeddb/pending-activity-expected.txt (added)
• LayoutTests/storage/indexeddb/pending-activity-workers-expected.txt (added)
• LayoutTests/storage/indexeddb/pending-activity-workers.html (added)
• LayoutTests/storage/indexeddb/pending-activity.html (added)
• LayoutTests/storage/indexeddb/resources/pending-activity.js (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/Modules/indexeddb/IDBCursor.cpp (modified) (1 diff)
• Source/WebCore/Modules/indexeddb/IDBRequest.cpp (modified) (5 diffs)
• Source/WebCore/Modules/indexeddb/IDBRequest.h (modified) (3 diffs)
• Source/WebCore/Modules/indexeddb/IDBTransaction.cpp (modified) (4 diffs)
• Source/WebCore/Modules/indexeddb/IDBTransaction.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-08-21  Joshua Bell  <jsbell@chromium.org>
+
+        IndexedDB: IDBRequest can be GCd during event dispatch
+        https://bugs.webkit.org/show_bug.cgi?id=94235
+
+        Reviewed by Ojan Vafai.
+
+        Release references to IDBRequest and IDBTransaction objects and force GC,
+        to ensure that pending events are still fired. (Doesn't exercise race
+        condition where GC is triggered by script during dispatch itself, though.)
+
+        * storage/indexeddb/pending-activity-expected.txt: Added.
+        * storage/indexeddb/pending-activity-workers-expected.txt: Added.
+        * storage/indexeddb/pending-activity-workers.html: Added.
+        * storage/indexeddb/pending-activity.html: Added.
+        * storage/indexeddb/resources/pending-activity.js: Added.
+        (test):
+        (prepareDatabase.request.onsuccess.request.onsuccess.request.onsuccess):
+        (prepareDatabase.request.onsuccess.request.onsuccess):
+        (prepareDatabase.request.onsuccess):
+        (prepareDatabase):
+        (testTransaction):
+        (transactionOnComplete):
+        (testRequest):
+        (requestOnSuccess):
+        (testCursorRequest):
+        (cursorRequestOnFirstSuccess):
+        (cursorRequestOnSecondSuccess):
+
 2012-08-21  Keishi Hattori  <keishi@webkit.org>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2012-08-21  Joshua Bell  <jsbell@chromium.org>
+
+        IndexedDB: IDBRequest can be GCd during event dispatch
+        https://bugs.webkit.org/show_bug.cgi?id=94235
+
+        Reviewed by Ojan Vafai.
+
+        Avoid a "race" where GC may attempt to reclaim IDB objects that are marked
+        "done" prior to the completion of the event dispatch. The script runtime
+        may decide to do a GC pass before calling the event handler, releasing the
+        object and turning the dispatch into a no-op.
+
+        This is a partial reversion (with renames, etc) of r123275, r124842,
+        and r121492. Added a new test, although it does not exercise the "race"
+        condition directly.
+
+        Test: storage/indexeddb/pending-activity.html
+              storage/indexeddb/pending-activity-workers.html
+
+        * Modules/indexeddb/IDBCursor.cpp:
+        (WebCore::IDBCursor::close): Let the IDBRequest know it this cursor won't
+        make it fire again.
+        * Modules/indexeddb/IDBRequest.cpp:
+        (WebCore::IDBRequest::IDBRequest): Reintroduce "am I done?" flag.
+        (WebCore::IDBRequest::finishCursor): Cursors may fire events at the same
+        IDBRequest repeatedly, so we need to know when they're are really done.
+        (WebCore):
+        (WebCore::IDBRequest::hasPendingActivity): Test the flag.
+        (WebCore::IDBRequest::dispatchEvent): Set the flag.
+        * Modules/indexeddb/IDBRequest.h:
+        (IDBRequest):
+        * Modules/indexeddb/IDBTransaction.cpp:
+        (WebCore::IDBTransaction::IDBTransaction): Reintroduce "am I done?" flag.
+        (WebCore::IDBTransaction::hasPendingActivity): Test the flag.
+        (WebCore::IDBTransaction::dispatchEvent): Set the flag.
+        * Modules/indexeddb/IDBTransaction.h:
+
 2012-08-21  Pavel Feldman  <pfeldman@chromium.org>
 

trunk/Source/WebCore/Modules/indexeddb/IDBCursor.cpp

@@ -263 +263 @@
 {
     ASSERT(m_request);
+    m_request->finishCursor();
     m_request.clear();
 }

trunk/Source/WebCore/Modules/indexeddb/IDBRequest.cpp

@@ -69 +69 @@
     , m_source(source)
     , m_taskType(taskType)
+    , m_hasPendingActivity(true)
     , m_cursorType(IDBCursorBackendInterface::InvalidCursorType)
     , m_cursorDirection(IDBCursor::NEXT)
+    , m_cursorFinished(false)
     , m_pendingCursor(0)
     , m_didFireUpgradeNeededEvent(false)
@@ -223 +225 @@
 
     m_result = IDBAny::create(IDBCursorWithValue::fromCursor(cursor));
+}
+
+void IDBRequest::finishCursor()
+{
+    m_cursorFinished = true;
 }
 
@@ -405 +412 @@
     //        get a handle to us and we have event listeners. This is order to handle
     //        user generated events properly.
-    return m_readyState == PENDING || ActiveDOMObject::hasPendingActivity();
+    return m_hasPendingActivity || ActiveDOMObject::hasPendingActivity();
 }
 
@@ -439 +446 @@
     ASSERT(m_readyState == PENDING);
     ASSERT(!m_contextStopped);
+    ASSERT(m_hasPendingActivity);
     ASSERT(m_enqueuedEvents.size());
     ASSERT(scriptExecutionContext());
@@ -489 +497 @@
         cursorToNotify->postSuccessHandlerCallback();
 
+    if (m_readyState == DONE && (!cursorToNotify || m_cursorFinished) && event->type() != eventNames().upgradeneededEvent)
+        m_hasPendingActivity = false;
+
     if (m_transaction) {
         if (event->type() == eventNames().errorEvent && dontPreventDefault && !m_requestAborted) {

trunk/Source/WebCore/Modules/indexeddb/IDBRequest.h

@@ -78 +78 @@
     void setCursorDetails(IDBCursorBackendInterface::CursorType, IDBCursor::Direction);
     void setPendingCursor(PassRefPtr<IDBCursor>);
+    void finishCursor();
     void abort();
 
@@ -139 +140 @@
     const IDBTransactionBackendInterface::TaskType m_taskType;
 
+    bool m_hasPendingActivity;
     Vector<RefPtr<Event> > m_enqueuedEvents;
 
@@ -144 +146 @@
     IDBCursorBackendInterface::CursorType m_cursorType;
     IDBCursor::Direction m_cursorDirection;
+    bool m_cursorFinished;
     RefPtr<IDBCursor> m_pendingCursor;
     RefPtr<IDBKey> m_cursorKey;

trunk/Source/WebCore/Modules/indexeddb/IDBTransaction.cpp

@@ -95 +95 @@
     , m_active(true)
     , m_state(Unused)
+    , m_hasPendingActivity(true)
     , m_contextStopped(false)
 {
@@ -322 +323 @@
     //        get a handle to us or any child request object and any of those have
     //        event listeners. This is  in order to handle user generated events properly.
-    return m_state != Finished || ActiveDOMObject::hasPendingActivity();
+    return m_hasPendingActivity || ActiveDOMObject::hasPendingActivity();
 }
 
@@ -371 +372 @@
     IDB_TRACE("IDBTransaction::dispatchEvent");
     ASSERT(m_state != Finished);
+    ASSERT(m_hasPendingActivity);
     ASSERT(scriptExecutionContext());
     ASSERT(event->target() == this);
@@ -393 +395 @@
         m_openDBRequest->transactionDidFinishAndDispatch();
     }
+    m_hasPendingActivity = false;
     return returnValue;
 }

trunk/Source/WebCore/Modules/indexeddb/IDBTransaction.h

@@ -149 +149 @@
     bool m_active;
     State m_state;
+    bool m_hasPendingActivity;
     bool m_contextStopped;
     RefPtr<DOMError> m_error;