[IndexedDB] Added wrapper to cursor to avoid use-after-free on shutdown.

content/browser/indexed_db/indexed_db_callbacks.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/indexed_db/indexed_db_callbacks.h"
 
 #include <stddef.h>
 
 #include <algorithm>
 #include <memory>
@@ skipping 26 matching lines @@
 #include "storage/browser/quota/quota_manager.h"
 
 using indexed_db::mojom::CallbacksAssociatedPtrInfo;
 using std::swap;
 using storage::ShareableFileReference;
 
 namespace content {
 
 namespace {
 
-// If this is destructed with the connection still living inside it, we assume
-// we have been killed due to IO thread shutdown, and we need to safely schedule
-// the destruction of the connection on the IDB thread, as we should still be in
-// a transaction's operation queue, where we cannot destroy the transaction.
+// The following two objects protect the given objects from being destructed on
+// the IO thread if we have a shutdown or an error.
 struct SafeIOThreadConnectionWrapper {
   SafeIOThreadConnectionWrapper(std::unique_ptr<IndexedDBConnection> connection)
       : connection(std::move(connection)),
         idb_runner(base::ThreadTaskRunnerHandle::Get()) {}
   ~SafeIOThreadConnectionWrapper() {
     if (connection) {
       idb_runner->PostTask(
           FROM_HERE, base::Bind(
                          [](std::unique_ptr<IndexedDBConnection> connection) {
                            connection->ForceClose();
                          },
                          base::Passed(&connection)));
     }
   }
   SafeIOThreadConnectionWrapper(SafeIOThreadConnectionWrapper&& other) =
       default;
 
   std::unique_ptr<IndexedDBConnection> connection;
   scoped_refptr<base::SequencedTaskRunner> idb_runner;
 
  private:
   DISALLOW_COPY_AND_ASSIGN(SafeIOThreadConnectionWrapper);
 };
 
+struct SafeIOThreadCursorWrapper {
+  SafeIOThreadCursorWrapper(std::unique_ptr<IndexedDBCursor> cursor)
+      : cursor(std::move(cursor)),
+        idb_runner(base::ThreadTaskRunnerHandle::Get()) {}
+  ~SafeIOThreadCursorWrapper() {
+    if (cursor)
+      idb_runner->DeleteSoon(FROM_HERE, cursor.release());
+  }
+  SafeIOThreadCursorWrapper(SafeIOThreadCursorWrapper&& other) = default;
+
+  std::unique_ptr<IndexedDBCursor> cursor;
+  scoped_refptr<base::SequencedTaskRunner> idb_runner;
+
+ private:
+  DISALLOW_COPY_AND_ASSIGN(SafeIOThreadCursorWrapper);
+};
+
 void ConvertBlobInfo(
     const std::vector<IndexedDBBlobInfo>& blob_info,
     std::vector<::indexed_db::mojom::BlobInfoPtr>* blob_or_file_info) {
   blob_or_file_info->reserve(blob_info.size());
   for (const auto& iter : blob_info) {
     if (!iter.mark_used_callback().is_null())
       iter.mark_used_callback().Run();
 
     auto info = ::indexed_db::mojom::BlobInfo::New();
     info->mime_type = iter.type();
@@ skipping 37 matching lines @@
   void SendError(const IndexedDBDatabaseError& error);
   void SendSuccessStringList(const std::vector<base::string16>& value);
   void SendBlocked(int64_t existing_version);
   void SendUpgradeNeeded(SafeIOThreadConnectionWrapper connection,
                          int64_t old_version,
                          blink::WebIDBDataLoss data_loss,
                          const std::string& data_loss_message,
                          const content::IndexedDBDatabaseMetadata& metadata);
   void SendSuccessDatabase(SafeIOThreadConnectionWrapper connection,
                            const content::IndexedDBDatabaseMetadata& metadata);
-  void SendSuccessCursor(std::unique_ptr<IndexedDBCursor> cursor,
+  void SendSuccessCursor(SafeIOThreadCursorWrapper cursor,
                          const IndexedDBKey& key,
                          const IndexedDBKey& primary_key,
                          ::indexed_db::mojom::ValuePtr value,
                          const std::vector<IndexedDBBlobInfo>& blob_info);
   void SendSuccessValue(::indexed_db::mojom::ReturnValuePtr value,
                         const std::vector<IndexedDBBlobInfo>& blob_info);
   void SendSuccessCursorContinue(
       const IndexedDBKey& key,
       const IndexedDBKey& primary_key,
       ::indexed_db::mojom::ValuePtr value,
@@ skipping 178 matching lines @@
 
   DCHECK_EQ(blink::kWebIDBDataLossNone, data_loss_);
 
   ::indexed_db::mojom::ValuePtr mojo_value;
   std::vector<IndexedDBBlobInfo> blob_info;
   if (value) {
     mojo_value = ConvertAndEraseValue(value);
     blob_info.swap(value->blob_info);
   }
 
+  SafeIOThreadCursorWrapper cursor_wrapper(std::move(cursor));
+
   BrowserThread::PostTask(
       BrowserThread::IO, FROM_HERE,
       base::Bind(&IOThreadHelper::SendSuccessCursor,
-                 base::Unretained(io_helper_.get()), base::Passed(&cursor), key,
-                 primary_key, base::Passed(&mojo_value),
-                 base::Passed(&blob_info)));
+                 base::Unretained(io_helper_.get()),
+                 base::Passed(&cursor_wrapper), key, primary_key,
+                 base::Passed(&mojo_value), base::Passed(&blob_info)));
   complete_ = true;
 }
 
 void IndexedDBCallbacks::OnSuccess(const IndexedDBKey& key,
                                    const IndexedDBKey& primary_key,
                                    IndexedDBValue* value) {
   DCHECK(thread_checker_.CalledOnValidThread());
   DCHECK(!complete_);
   DCHECK(io_helper_);
 
@@ skipping 220 matching lines @@
         dispatcher_host_.get(), idb_runner_);
 
     auto request = mojo::MakeRequest(&ptr_info);
     dispatcher_host_->AddDatabaseBinding(std::move(database),
                                          std::move(request));
   }
   callbacks_->SuccessDatabase(std::move(ptr_info), metadata);
 }
 
 void IndexedDBCallbacks::IOThreadHelper::SendSuccessCursor(
-    std::unique_ptr<IndexedDBCursor> cursor,
+    SafeIOThreadCursorWrapper cursor,
     const IndexedDBKey& key,
     const IndexedDBKey& primary_key,
     ::indexed_db::mojom::ValuePtr value,
     const std::vector<IndexedDBBlobInfo>& blob_info) {
   DCHECK_CURRENTLY_ON(BrowserThread::IO);
   if (!callbacks_)
     return;
   if (!dispatcher_host_) {
     OnConnectionError();
     return;
   }
   auto cursor_impl = base::MakeUnique<CursorImpl>(
-      std::move(cursor), origin_, dispatcher_host_.get(), idb_runner_);
+      std::move(cursor.cursor), origin_, dispatcher_host_.get(), idb_runner_);
 
   if (value && !CreateAllBlobs(blob_info, &value->blob_or_file_info))
     return;
 
   ::indexed_db::mojom::CursorAssociatedPtrInfo ptr_info;
   auto request = mojo::MakeRequest(&ptr_info);
   dispatcher_host_->AddCursorBinding(std::move(cursor_impl),
                                      std::move(request));
   callbacks_->SuccessCursor(std::move(ptr_info), key, primary_key,
                             std::move(value));
@@ skipping 148 matching lines @@
   return true;
 }
 
 void IndexedDBCallbacks::IOThreadHelper::OnConnectionError() {
   DCHECK_CURRENTLY_ON(BrowserThread::IO);
   callbacks_.reset();
   dispatcher_host_ = nullptr;
 }
 
 }  // namespace content