[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-10851-g50815da

andreip at google.com andreip at google.com
Wed Dec 22 18:49:09 UTC 2010 

The following commit has been merged in the debian/experimental branch:
commit 59cc8cceefa9c5b98fda74bce07c4964fa7e06b3
Author: andreip at google.com <andreip at google.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Mon Dec 20 14:41:29 2010 +0000

    2010-12-20  Andrei Popescu  <andreip at google.com>
    
            Reviewed by Jeremy Orlow.
    
            IDBTransactionBackedImpl instances can be accidentally deleted during calls to abort/commit.
            https://bugs.webkit.org/show_bug.cgi?id=51112
    
            * storage/indexeddb/transaction-crash-on-abort-expected.txt: Added.
            * storage/indexeddb/transaction-crash-on-abort.html: Added.
    
    2010-12-20  Andrei Popescu  <andreip at google.com>
    
            Reviewed by Jeremy Orlow.
    
            IDBTransactionBackedImpl instances can be accidentally deleted during calls to abort/commit.
            https://bugs.webkit.org/show_bug.cgi?id=51112
    
            Makes IDBTransactionBackendImpl objects take a self reference while executing commit and abort.
    
            Test: storage/indexeddb/transaction-crash-on-abort.html
    
            * storage/IDBTransactionBackendImpl.cpp:
            (WebCore::IDBTransactionBackendImpl::abort):
            (WebCore::IDBTransactionBackendImpl::commit):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@74343 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index d07d2d7..e59fc32 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -2,6 +2,16 @@
 
         Reviewed by Jeremy Orlow.
 
+        IDBTransactionBackedImpl instances can be accidentally deleted during calls to abort/commit.
+        https://bugs.webkit.org/show_bug.cgi?id=51112
+
+        * storage/indexeddb/transaction-crash-on-abort-expected.txt: Added.
+        * storage/indexeddb/transaction-crash-on-abort.html: Added.
+
+2010-12-20  Andrei Popescu  <andreip at google.com>
+
+        Reviewed by Jeremy Orlow.
+
         IDBCursor::delete is not implemented.
         https://bugs.webkit.org/show_bug.cgi?id=51110
 
diff --git a/LayoutTests/storage/indexeddb/transaction-crash-on-abort-expected.txt b/LayoutTests/storage/indexeddb/transaction-crash-on-abort-expected.txt
new file mode 100644
index 0000000..c83b228
--- /dev/null
+++ b/LayoutTests/storage/indexeddb/transaction-crash-on-abort-expected.txt
@@ -0,0 +1,31 @@
+Test IndexedDB transaction does not crash on abort.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS 'webkitIndexedDB' in window is true
+PASS webkitIndexedDB == null is false
+webkitIndexedDB.open('name')
+PASS 'onsuccess' in result is true
+PASS 'onerror' in result is true
+PASS 'readyState' in result is true
+An event should fire shortly...
+
+openSuccess():
+Success event fired:
+PASS 'result' in event is true
+PASS 'code' in event is false
+PASS 'message' in event is false
+PASS 'source' in event is true
+PASS event.source != null is true
+PASS 'onsuccess' in event.target is true
+PASS 'onerror' in event.target is true
+PASS 'readyState' in event.target is true
+PASS event.target.readyState is event.target.DONE
+
+db = event.result
+db.transaction([])
+window.gc()
+PASS successfullyParsed is true
+
+TEST COMPLETE
diff --git a/LayoutTests/storage/indexeddb/transaction-crash-on-abort.html b/LayoutTests/storage/indexeddb/transaction-crash-on-abort.html
new file mode 100644
index 0000000..1b13c87
--- /dev/null
+++ b/LayoutTests/storage/indexeddb/transaction-crash-on-abort.html
@@ -0,0 +1,44 @@
+<html>
+<head>
+<link rel="stylesheet" href="../../fast/js/resources/js-test-style.css">
+<script src="../../fast/js/resources/js-test-pre.js"></script>
+<script src="../../fast/js/resources/js-test-post-function.js"></script>
+<script src="resources/shared.js"></script>
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script>
+
+description("Test IndexedDB transaction does not crash on abort.");
+if (window.layoutTestController)
+    layoutTestController.waitUntilDone();
+
+function test()
+{
+    shouldBeTrue("'webkitIndexedDB' in window");
+    shouldBeFalse("webkitIndexedDB == null");
+
+    result = evalAndLog("webkitIndexedDB.open('name')");
+    verifyResult(result);
+    result.onsuccess = openSuccess;
+    result.onerror = unexpectedErrorCallback;
+}
+
+function openSuccess()
+{
+    debug("openSuccess():");
+    verifySuccessEvent(event);
+    db = evalAndLog("db = event.result");
+    evalAndLog("db.transaction([])");
+    evalAndLog("window.gc()");
+    done();
+}
+
+var successfullyParsed = true;
+
+test();
+
+</script>
+</body>
+</html>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index b213fb8..84c4413 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -2,6 +2,21 @@
 
         Reviewed by Jeremy Orlow.
 
+        IDBTransactionBackedImpl instances can be accidentally deleted during calls to abort/commit.
+        https://bugs.webkit.org/show_bug.cgi?id=51112
+
+        Makes IDBTransactionBackendImpl objects take a self reference while executing commit and abort.
+
+        Test: storage/indexeddb/transaction-crash-on-abort.html
+
+        * storage/IDBTransactionBackendImpl.cpp:
+        (WebCore::IDBTransactionBackendImpl::abort):
+        (WebCore::IDBTransactionBackendImpl::commit):
+
+2010-12-20  Andrei Popescu  <andreip at google.com>
+
+        Reviewed by Jeremy Orlow.
+
         IDBCursor::delete is not implemented.
         https://bugs.webkit.org/show_bug.cgi?id=51110
 
diff --git a/WebCore/storage/IDBTransactionBackendImpl.cpp b/WebCore/storage/IDBTransactionBackendImpl.cpp
index 336724a..0012231 100644
--- a/WebCore/storage/IDBTransactionBackendImpl.cpp
+++ b/WebCore/storage/IDBTransactionBackendImpl.cpp
@@ -106,6 +106,11 @@ void IDBTransactionBackendImpl::abort()
     if (m_state == Finished)
         return;
 
+    // The last reference to this object may be released while performing the
+    // abort steps below. We therefore take a self reference to keep ourselves
+    // alive while executing this method.
+    RefPtr<IDBTransactionBackendImpl> self(this);
+
     m_state = Finished;
     m_taskTimer.stop();
     m_taskEventTimer.stop();
@@ -155,6 +160,10 @@ void IDBTransactionBackendImpl::start()
 
 void IDBTransactionBackendImpl::commit()
 {
+    // The last reference to this object may be released while performing the
+    // commit steps below. We therefore take a self reference to keep ourselves
+    // alive while executing this method.
+    RefPtr<IDBTransactionBackendImpl> self(this);
     ASSERT(m_state == Running);
 
     m_state = Finished;

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list