Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 875cda03e034e9a14cd8e43265db5245ea0201d3
https://github.com/WebKit/WebKit/commit/875cda03e034e9a14cd8e43265db5245ea0201d3
Author: Chris Dumez <[email protected]>
Date: 2026-05-08 (Fri, 08 May 2026)
Changed paths:
M Source/WebCore/workers/service/server/SWRegistrationDatabase.cpp
M Source/WebCore/workers/service/server/SWRegistrationDatabase.h
M Tools/TestWebKitAPI/Tests/WebKit/WKWebView/ServiceWorkerBasic.mm
M Tools/TestWebKitAPI/Tests/WebKit/WKWebView/WebsiteDataStoreCustomPaths.mm
Log Message:
-----------
Regression(312195@main): Crash in SWRegistrationDatabase when importing registrations for an origin with no records
https://bugs.webkit.org/show_bug.cgi?id=314307
rdar://176098012

Reviewed by Youenn Fablet.

312195@main introduced per-origin lazy import of service worker registrations, adding
SWRegistrationDatabase::importRegistrations(const SecurityOriginData&). When the per-origin
query returned no rows, the function called deleteAllFiles() while the
SQLiteStatementAutoResetScope returned by cachedStatement() and its associated
CheckedPtr<SQLiteStatement> were still live on the stack. deleteAllFiles() calls close(),
which destroys the SQLiteStatement cached in m_cachedStatements. Because outstanding
CheckedPtrs exist, WTF_OVERRIDE_DELETE_FOR_CHECKED_PTR zeros the object rather than freeing
it, but the local SQLiteStatementAutoResetScope destructor still runs reset() on the zombie
SQLiteStatement on return, which ends up calling sqlite3_reset() with a zeroed sqlite3_stmt*
and crashes inside sqlite with a PAC authentication failure.

importOrigins() had the same shape bug: deleteAllFiles() was called at the bottom of the
function while sqlStatement/statement were still in scope.

Fix by following the existing pattern used by importRegistrations() / updateRegistrations():
move the SQL work into an importRegistrationsImpl(topOrigin) / importOriginsImpl() helper
so the statement scopes are destroyed before the empty-database cleanup runs.
TEST: ServiceWorkers.ImportRegistrationsForOriginWithEmptyDatabase
* Source/WebCore/workers/service/server/SWRegistrationDatabase.cpp:
(WebCore::SWRegistrationDatabase::importRegistrations): Now a thin wrapper around
importRegistrationsImpl(topOrigin) that performs the recordsCount() + deleteAllFiles()
cleanup after the inner statement scope has been destroyed.
(WebCore::SWRegistrationDatabase::importRegistrationsImpl): New helper containing the SQL
work previously inline in importRegistrations(topOrigin).
(WebCore::SWRegistrationDatabase::importOrigins): Now a thin wrapper around
importOriginsImpl() that performs the empty-database cleanup after the inner statement
scope has been destroyed.
(WebCore::SWRegistrationDatabase::importOriginsImpl): New helper containing the SQL work
previously inline in importOrigins().
* Source/WebCore/workers/service/server/SWRegistrationDatabase.h:
Canonical link: https://commits.webkit.org/312873@main
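As an added illustration of the scope-ordering bug and its fix (not WebKit's code): a hypothetical Database / AutoResetScope stand-in for SQLiteStatement / SQLiteStatementAutoResetScope, in which a statement that is closed while a guard still points at it is marked as a zombie rather than freed, and the guard's stray reset() on that zombie is counted instead of crashing.

```cpp
#include <memory>
#include <vector>

// Counts reset() calls that hit a statement after its database closed it;
// in the real code this is where sqlite3_reset() ran on a zeroed sqlite3_stmt*.
int g_resetAfterClose = 0;

// Hypothetical stand-in for SQLiteStatement.
struct Statement {
    int rowsRemaining;
    bool closed = false;
    explicit Statement(int rows) : rowsRemaining(rows) {}
    bool step() { return !closed && rowsRemaining-- > 0; }
    void reset() { if (closed) ++g_resetAfterClose; }
};

// RAII guard mirroring SQLiteStatementAutoResetScope: unconditionally resets
// the statement when the scope ends, whatever happened to it in the meantime.
struct AutoResetScope {
    Statement* stmt;
    ~AutoResetScope() { stmt->reset(); }
};

// Hypothetical stand-in for SWRegistrationDatabase. close() does not free the
// statements (a CheckedPtr is outstanding), it leaves zombies behind.
struct Database {
    std::vector<std::unique_ptr<Statement>> cache;  // m_cachedStatements
    AutoResetScope cachedStatement(int rows) {
        cache.push_back(std::make_unique<Statement>(rows));
        return { cache.back().get() };
    }
    void deleteAllFiles() { for (auto& s : cache) s->closed = true; }
};

// Bug shape: cleanup runs while the guard is still alive, so on return the
// guard's destructor calls reset() on the zombie statement.
int importRegistrationsBuggy(Database& db, int rows) {
    AutoResetScope scope = db.cachedStatement(rows);
    int imported = 0;
    while (scope.stmt->step()) ++imported;
    if (!imported) db.deleteAllFiles();  // scope still in scope here
    return imported;
}

// Fix shape: the statement work lives in an Impl helper, so its guard is
// destroyed before the empty-database cleanup in the wrapper runs.
int importRegistrationsImpl(Database& db, int rows) {
    AutoResetScope scope = db.cachedStatement(rows);
    int imported = 0;
    while (scope.stmt->step()) ++imported;
    return imported;  // guard reset()s a live statement, then dies
}
int importRegistrationsFixed(Database& db, int rows) {
    int imported = importRegistrationsImpl(db, rows);
    if (!imported) db.deleteAllFiles();  // no statement scope alive now
    return imported;
}
```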