Changeset 96177 in webkit

Timestamp:

Sep 27, 2011 6:46:08 PM (13 years ago)

Author:

ericu@chromium.org

Message:

[Chromium/FileWriter] race condition in FileWriter completion can lead to assert
​https://bugs.webkit.org/show_bug.cgi?id=67684

Reviewed by David Levin.

Source/WebCore:

Tests: fast/filesystem/file-writer-abort-continue.html

fast/filesystem/file-writer-abort.html

Track the state of the backend and be prepared for reentrant user
requests. Limit recursion depth to an arbitrary small constant.

• fileapi/FileWriter.cpp: Lots of event-handling changes.
• fileapi/FileWriter.h:

LayoutTests:

• fast/filesystem/file-writer-abort-continue-expected.txt: Added.
• fast/filesystem/file-writer-abort-continue.html: Added.
• fast/filesystem/file-writer-abort-expected.txt: Added.
• fast/filesystem/file-writer-abort.html: Added.
• fast/filesystem/resources/file-writer-abort-continue.js: Added.
• fast/filesystem/resources/file-writer-abort.js: Added.
• fast/filesystem/resources/file-writer-events.js: Fixed a copy-paste error.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/filesystem/file-writer-abort-continue-expected.txt (added)
• LayoutTests/fast/filesystem/file-writer-abort-continue.html (added)
• LayoutTests/fast/filesystem/file-writer-abort-depth-expected.txt (added)
• LayoutTests/fast/filesystem/file-writer-abort-depth.html (added)
• LayoutTests/fast/filesystem/file-writer-abort-expected.txt (added)
• LayoutTests/fast/filesystem/file-writer-abort.html (added)
• LayoutTests/fast/filesystem/resources/file-writer-abort-continue.js (added)
• LayoutTests/fast/filesystem/resources/file-writer-abort-depth.js (added)
• LayoutTests/fast/filesystem/resources/file-writer-abort.js (copied) (copied from trunk/LayoutTests/fast/filesystem/resources/file-writer-events.js) (4 diffs)
• LayoutTests/fast/filesystem/resources/file-writer-events.js (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/fileapi/FileWriter.cpp (modified) (12 diffs)
• Source/WebCore/fileapi/FileWriter.h (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-09-27  Eric Uhrhane  <ericu@chromium.org>
+
+        [Chromium/FileWriter] race condition in FileWriter completion can lead to assert
+        https://bugs.webkit.org/show_bug.cgi?id=67684
+
+        Reviewed by David Levin.
+
+        * fast/filesystem/file-writer-abort-continue-expected.txt: Added.
+        * fast/filesystem/file-writer-abort-continue.html: Added.
+        * fast/filesystem/file-writer-abort-expected.txt: Added.
+        * fast/filesystem/file-writer-abort.html: Added.
+        * fast/filesystem/resources/file-writer-abort-continue.js: Added.
+        * fast/filesystem/resources/file-writer-abort.js: Added.
+        * fast/filesystem/resources/file-writer-events.js: Fixed a copy-paste error.
+
 2011-09-27  Tim Horton  <timothy_horton@apple.com>
 

trunk/LayoutTests/fast/filesystem/resources/file-writer-abort.js

@@ -4 +4 @@
 }
 
-description("Test that FileWriter produces proper progress events.");
+description("Test that FileWriter handles abort properly.");
 
-var fileEntry;
 var sawWriteStart;
-var sawWrite;
+var sawAbort;
 var sawWriteEnd;
-var sawProgress;
 var writer;
-var lastProgress = 0;
-var toBeWritten;
 
 function tenXBlob(blob) {
@@ -28 +24 @@
     assert(e.type == "writestart");
     assert(!sawWriteStart);
-    assert(!sawProgress);
-    assert(!sawWrite);
     assert(!sawWriteEnd);
     assert(!e.loaded);
-    assert(e.total == toBeWritten);
     sawWriteStart = true;
+    testPassed("Calling abort");
+    writer.abort();
 }
 
-function onProgress(e) {
-    assert(writer.readyState == writer.WRITING);
-    assert(sawWriteStart);
-    assert(!sawWrite);
-    assert(!sawWriteEnd);
-    assert(e.type == "progress");
-    assert(e.loaded <= e.total);
-    assert(lastProgress < e.loaded);
-    assert(e.total == toBeWritten);
-    lastProgress = e.loaded;
-    sawProgress = true;
+// We should always abort before completion.
+function onWrite(e) {
+    testFailed("In onWrite.");
 }
 
-function onWrite(e) {
+function onAbort(e) {
     assert(writer.readyState == writer.DONE);
+    assert(writer.error.code == writer.error.ABORT_ERR);
     assert(sawWriteStart);
-    assert(sawProgress);
-    assert(lastProgress == e.total);
-    assert(!sawWrite);
     assert(!sawWriteEnd);
-    assert(e.type == "write");
-    assert(e.loaded == e.total);
-    assert(e.total == toBeWritten);
-    sawWrite = true;
+    assert(!sawAbort);
+    assert(e.type == "abort");
+    sawAbort = true;
+    testPassed("Saw abort");
 }
 
 function onWriteEnd(e) {
     assert(writer.readyState == writer.DONE);
+    assert(writer.error.code == writer.error.ABORT_ERR);
     assert(sawWriteStart);
-    assert(sawProgress);
-    assert(sawWrite);
+    assert(sawAbort);
     assert(!sawWriteEnd);
     assert(e.type == "writeend");
-    assert(e.loaded == e.total);
-    assert(e.total == toBeWritten);
     sawWriteEnd = true;
-    testPassed("Saw all the right events.");
+    testPassed("Saw writeend.");
+    writer.abort();  // Verify that this does nothing in readyState DONE.
     cleanUp();
 }
@@ -85 +69 @@
     blob = tenXBlob(blob);
     blob = tenXBlob(blob);
-    toBeWritten = blob.size;
     writer = fileWriter;
     fileWriter.onerror = onError;
+    fileWriter.onabort = onAbort;
     fileWriter.onwritestart = onWriteStart;
-    fileWriter.onprogress = onProgress;
     fileWriter.onwrite = onWrite;
     fileWriter.onwriteend = onWriteEnd;
+    fileWriter.abort();  // Verify that this does nothing in readyState INIT.
     fileWriter.write(blob);
 }
@@ -99 +83 @@
 }
 var jsTestIsAsync = true;
-setupAndRunTest(2*1024*1024, 'file-writer-gc-blob', runTest);
+setupAndRunTest(2*1024*1024, 'file-writer-abort', runTest);
 var successfullyParsed = true;

trunk/LayoutTests/fast/filesystem/resources/file-writer-events.js

@@ -99 +99 @@
 }
 var jsTestIsAsync = true;
-setupAndRunTest(2*1024*1024, 'file-writer-gc-blob', runTest);
+setupAndRunTest(2*1024*1024, 'file-writer-events', runTest);
 var successfullyParsed = true;

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-09-27  Eric Uhrhane  <ericu@chromium.org>
+
+        [Chromium/FileWriter] race condition in FileWriter completion can lead to assert
+        https://bugs.webkit.org/show_bug.cgi?id=67684
+
+        Reviewed by David Levin.
+
+        Tests: fast/filesystem/file-writer-abort-continue.html
+               fast/filesystem/file-writer-abort.html
+
+        Track the state of the backend and be prepared for reentrant user
+        requests.  Limit recursion depth to an arbitrary small constant.
+        * fileapi/FileWriter.cpp: Lots of event-handling changes.
+        * fileapi/FileWriter.h:
+
 2011-09-27  Mihai Parparita  <mihaip@chromium.org>
 

trunk/Source/WebCore/fileapi/FileWriter.cpp

@@ -44 +44 @@
 namespace WebCore {
 
+static const int kMaxRecursionDepth = 3;
+
 FileWriter::FileWriter(ScriptExecutionContext* context)
     : ActiveDOMObject(context, this)
     , m_readyState(INIT)
-    , m_startedWriting(false)
+    , m_isOperationInProgress(false)
+    , m_queuedOperation(OperationNone)
     , m_bytesWritten(0)
     , m_bytesToWrite(0)
     , m_truncateLength(-1)
+    , m_numAborts(0)
+    , m_recursionDepth(0)
 {
 }
@@ -56 +61 @@
 FileWriter::~FileWriter()
 {
+    ASSERT(!m_recursionDepth);
     if (m_readyState == WRITING)
         stop();
@@ -73 +79 @@
 void FileWriter::stop()
 {
-    if (writer() && m_readyState == WRITING)
+    // Make sure we've actually got something to stop, and haven't already called abort().
+    if (writer() && m_readyState == WRITING && m_isOperationInProgress && m_queuedOperation == OperationNone)
         writer()->abort();
     m_blobBeingWritten.clear();
@@ -82 +89 @@
 {
     ASSERT(writer());
+    ASSERT(data);
+    ASSERT(m_truncateLength == -1);
     if (m_readyState == WRITING) {
         setError(FileError::INVALID_STATE_ERR, ec);
@@ -90 +99 @@
         return;
     }
-
+    if (m_recursionDepth > kMaxRecursionDepth) {
+        setError(FileError::SECURITY_ERR, ec);
+        return;
+    }
     m_blobBeingWritten = data;
     m_readyState = WRITING;
-    m_startedWriting = false;
     m_bytesWritten = 0;
     m_bytesToWrite = data->size();
-    writer()->write(position(), data);
+    ASSERT(m_queuedOperation == OperationNone);
+    if (m_isOperationInProgress) // We must be waiting for an abort to complete, since m_readyState wasn't WRITING.
+        m_queuedOperation = OperationWrite;
+    else
+        writer()->write(position(), m_blobBeingWritten.get());
+    m_isOperationInProgress = true;
+    fireEvent(eventNames().writestartEvent);
 }
 
@@ -107 +124 @@
     }
 
-    m_bytesWritten = 0;
-    m_bytesToWrite = 0;
+    ASSERT(m_truncateLength == -1);
+    ASSERT(m_queuedOperation == OperationNone);
     seekInternal(position);
 }
@@ -115 +132 @@
 {
     ASSERT(writer());
+    ASSERT(m_truncateLength == -1);
     if (m_readyState == WRITING || position < 0) {
         setError(FileError::INVALID_STATE_ERR, ec);
+        return;
+    }
+    if (m_recursionDepth > kMaxRecursionDepth) {
+        setError(FileError::SECURITY_ERR, ec);
         return;
     }
@@ -123 +145 @@
     m_bytesToWrite = 0;
     m_truncateLength = position;
-    writer()->truncate(position);
+    ASSERT(m_queuedOperation == OperationNone);
+    if (m_isOperationInProgress) // We must be waiting for an abort to complete.
+        m_queuedOperation = OperationTruncate;
+    else
+        writer()->truncate(m_truncateLength);
+    m_isOperationInProgress = true;
+    fireEvent(eventNames().writestartEvent);
 }
 
@@ -130 +158 @@
     ASSERT(writer());
     if (m_readyState != WRITING) {
-        setError(FileError::INVALID_STATE_ERR, ec);
-        return;
-    }
-
-    writer()->abort();
+        return;
+    }
+    ++m_numAborts;
+
+    if (m_isOperationInProgress)
+        writer()->abort();
+    m_queuedOperation = OperationNone;
+    m_blobBeingWritten.clear();
+    m_truncateLength = -1;
+    signalCompletion(FileError::ABORT_ERR);
 }
 
 void FileWriter::didWrite(long long bytes, bool complete)
 {
+    ASSERT(m_readyState == WRITING);
+    ASSERT(m_truncateLength == -1);
+    ASSERT(m_isOperationInProgress);
     ASSERT(bytes + m_bytesWritten > 0);
     ASSERT(bytes + m_bytesWritten <= m_bytesToWrite);
-    if (!m_startedWriting) {
-        fireEvent(eventNames().writestartEvent);
-        m_startedWriting = true;
-    }
     m_bytesWritten += bytes;
     ASSERT((m_bytesWritten == m_bytesToWrite) || !complete);
@@ -150 +182 @@
     if (position() > length())
         setLength(position());
+    // TODO: Throttle to no more frequently than every 50ms.
+    int numAborts = m_numAborts;
     fireEvent(eventNames().progressEvent);
-    if (complete) {
+    // We could get an abort in the handler for this event. If we do, it's
+    // already handled the cleanup and signalCompletion call.
+    if (complete && numAborts == m_numAborts) {
         m_blobBeingWritten.clear();
-        scriptExecutionContext()->postTask(FileWriterCompletionEventTask::create(this, FileError::OK));
+        m_isOperationInProgress = false;
+        signalCompletion(FileError::OK);
     }
 }
@@ -160 +197 @@
 {
     ASSERT(m_truncateLength >= 0);
-    fireEvent(eventNames().writestartEvent);
     setLength(m_truncateLength);
     if (position() > length())
         setPosition(length());
+    m_isOperationInProgress = false;
+    signalCompletion(FileError::OK);
+}
+
+void FileWriter::didFail(FileError::ErrorCode code)
+{
+    ASSERT(m_isOperationInProgress);
+    m_isOperationInProgress = false;
+    ASSERT(code != FileError::OK);
+    if (code == FileError::ABORT_ERR) {
+        Operation operation = m_queuedOperation;
+        m_queuedOperation = OperationNone;
+        doOperation(operation);
+    } else {
+        ASSERT(m_queuedOperation == OperationNone);
+        ASSERT(m_readyState == WRITING);
+        m_blobBeingWritten.clear();
+        signalCompletion(code);
+    }
+}
+
+void FileWriter::doOperation(Operation operation)
+{
+    ASSERT(m_queuedOperation == OperationNone);
+    ASSERT(!m_isOperationInProgress);
+    ASSERT(operation == OperationNone || operation == OperationWrite || operation == OperationTruncate);
+    switch (operation) {
+    case OperationWrite:
+        ASSERT(m_truncateLength == -1);
+        ASSERT(m_blobBeingWritten.get());
+        ASSERT(m_readyState == WRITING);
+        writer()->write(position(), m_blobBeingWritten.get());
+        m_isOperationInProgress = true;
+        break;
+    case OperationTruncate:
+        ASSERT(m_truncateLength >= 0);
+        ASSERT(m_readyState == WRITING);
+        writer()->truncate(m_truncateLength);
+        m_isOperationInProgress = true;
+        break;
+    case OperationNone:
+        ASSERT(m_truncateLength == -1);
+        ASSERT(!m_blobBeingWritten.get());
+        ASSERT(m_readyState == DONE);
+        break;
+    }
+}
+
+void FileWriter::signalCompletion(FileError::ErrorCode code)
+{
+    m_readyState = DONE;
     m_truncateLength = -1;
-    scriptExecutionContext()->postTask(FileWriterCompletionEventTask::create(this, FileError::OK));
-}
-
-void FileWriter::didFail(FileError::ErrorCode code)
-{
-    ASSERT(code != FileError::OK);
-    m_blobBeingWritten.clear();
-    scriptExecutionContext()->postTask(FileWriterCompletionEventTask::create(this, code));
-}
-
-void FileWriter::signalCompletion(FileError::ErrorCode code)
-{
-    m_readyState = DONE;
     if (FileError::OK != code) {
         m_error = FileError::create(code);
-        fireEvent(eventNames().errorEvent);
         if (FileError::ABORT_ERR == code)
             fireEvent(eventNames().abortEvent);
+        else
+            fireEvent(eventNames().errorEvent);
     } else
         fireEvent(eventNames().writeEvent);
@@ -190 +265 @@
 void FileWriter::fireEvent(const AtomicString& type)
 {
+    ++m_recursionDepth;
     dispatchEvent(ProgressEvent::create(type, true, m_bytesWritten, m_bytesToWrite));
+    --m_recursionDepth;
+    ASSERT(m_recursionDepth >= 0);
 }
 

trunk/Source/WebCore/fileapi/FileWriter.h

@@ -91 +91 @@
 
 private:
+    enum Operation {
+        OperationNone,
+        OperationWrite,
+        OperationTruncate
+    };
+
     FileWriter(ScriptExecutionContext*);
 
@@ -101 +107 @@
     virtual EventTargetData* ensureEventTargetData() { return &m_eventTargetData; }
 
+    void doOperation(Operation);
+
+    void signalCompletion(FileError::ErrorCode);
+
     void fireEvent(const AtomicString& type);
 
     void setError(FileError::ErrorCode, ExceptionCode&);
 
-    void signalCompletion(FileError::ErrorCode);
-
-    class FileWriterCompletionEventTask : public ScriptExecutionContext::Task {
-    public:
-        static PassOwnPtr<FileWriterCompletionEventTask> create(PassRefPtr<FileWriter> fileWriter, FileError::ErrorCode code)
-        {
-            return adoptPtr(new FileWriterCompletionEventTask(fileWriter, code));
-        }
-
-
-        virtual void performTask(ScriptExecutionContext*)
-        {
-            m_fileWriter->signalCompletion(m_code);
-        }
-    private:
-        FileWriterCompletionEventTask(PassRefPtr<FileWriter> fileWriter, FileError::ErrorCode code)
-            : m_fileWriter(fileWriter)
-            , m_code(code)
-        {
-        }
-
-        RefPtr<FileWriter> m_fileWriter;
-        FileError::ErrorCode m_code;
-    };
-
     RefPtr<FileError> m_error;
     EventTargetData m_eventTargetData;
     ReadyState m_readyState;
-    bool m_startedWriting;
+    bool m_isOperationInProgress;
+    Operation m_queuedOperation;
     long long m_bytesWritten;
     long long m_bytesToWrite;
     long long m_truncateLength;
+    long long m_numAborts;
+    long long m_recursionDepth;
     RefPtr<Blob> m_blobBeingWritten;
 };