Avoid GCing an aborting and stopped FileReader.

If a FileReader is abort()ed, a task is scheduled to perform the actual abort operation. Should the containing Document's ActiveDOMObjects be stopped before that task gets to run, the FileReader would already advance to a DONE state and be at risk from being GCed before the abort task gets to run. If so, it would then access a dead object. The provided test elicits an assert that shows up the problem, but doesn't trigger the GC and subsequent access of the dead object. R=kouhei@chromium.org, tzik@chromium.org BUG=404513 Review URL: https://codereview.chromium.org/478263002 git-svn-id: svn://svn.chromium.org/blink/trunk@180450 bbb929c8-8fbe-4397-9dbb-9b2b20218538

Avoid GCing an aborting and stopped FileReader.
If a FileReader is abort()ed, a task is scheduled to perform the actual abort operation. Should the containing Document's ActiveDOMObjects be stopped before that task gets to run, the FileReader would already advance to a DONE state and be at risk from being GCed before the abort task gets to run. If so, it would then access a dead object. The provided test elicits an assert that shows up the problem, but doesn't trigger the GC and subsequent access of the dead object. R=kouhei@chromium.org, tzik@chromium.org BUG=404513 Review URL: https://codereview.chromium.org/478263002 git-svn-id: svn://svn.chromium.org/blink/trunk@180450 bbb929c8-8fbe-4397-9dbb-9b2b20218538
9c614e9c · sigbjornf@opera.com · 83bb16e0 · 9c614e9c · 9c614e9c · 9c614e9c
Commit 9c614e9c authored Aug 18, 2014 by sigbjornf@opera.com
4 changed files
--- a/third_party/WebKit/LayoutTests/fast/files/file-reader-abort-gc-iframe-expected.txt
+++ b/third_party/WebKit/LayoutTests/fast/files/file-reader-abort-gc-iframe-expected.txt
+Verify that an aborted and stopping FileReader doesn't crash
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS No crash
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- a/third_party/WebKit/LayoutTests/fast/files/file-reader-abort-gc-iframe.html
+++ b/third_party/WebKit/LayoutTests/fast/files/file-reader-abort-gc-iframe.html
+<!DOCTYPE html>
+<script src="../../resources/js-test.js"></script>
+<script>
+description("Verify that an aborted and stopping FileReader doesn't crash");
+
+window.jsTestIsAsync = true;
+
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+var reader;
+function setReader(r) {
+    reader = r;
+}
+
+function runTest() {
+    reader.readAsText(new Blob());
+    reader.abort();
+    document.body.removeChild(document.getElementById('ifr'));
+    reader = null;
+    gc();
+    testPassed("No crash");
+    finishJSTest();
+}
+</script>
+<iframe id=ifr src="resources/file-reader-abort-gc-iframe.html"></iframe>
--- a/third_party/WebKit/LayoutTests/fast/files/resources/file-reader-abort-gc-iframe.html
+++ b/third_party/WebKit/LayoutTests/fast/files/resources/file-reader-abort-gc-iframe.html
+<script>
+window.parent.setReader(new FileReader());
+window.parent.runTest();
+</script>
--- a/third_party/WebKit/Source/core/fileapi/FileReader.cpp
+++ b/third_party/WebKit/Source/core/fileapi/FileReader.cpp
@@ -243,6 +243,10 @@ const AtomicString& FileReader::interfaceName() const

 void FileReader::stop()
 {
+    // The delayed abort task tidies up and advances to the DONE state.
+    if (m_loadingState == LoadingStateAborted)
+        return;
+
    if (hasPendingActivity())
        ThrottlingController::finishReader(executionContext(), this, ThrottlingController::removeReader(executionContext(), this));
    terminate();