Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(221)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 774593004: IndexedDB: Fixed cursor/blob use-after-free bug (Closed)

Created:
6 years ago by cmumford
Modified:
6 years ago
Reviewers:
dgrogan, jsbell
CC:
chromium-reviews, darin-cc_chromium.org, dgrogan, jsbell+idb_chromium.org, jam, cmumford
Base URL:
https://chromium.googlesource.com/chromium/src.git@master
Project:
chromium
Visibility:
Public.

Description

IndexedDB: Fixed cursor/blob use-after-free bug The IndexedDBDispatcherHost maintains a map of BLOB UUID's to BLOBs, but if two (or more) cursors are both active and referencing the same BLOB then two (or more) BLOBs would exist with the same UUID, and their keys would collide in this map. This change reference counts these BLOBs to avoid duplication. Also, access to the existing map was not synchronized and was accessed on two different threads. BUG=435880, 436137 Committed: https://crrev.com/2d74497dfa5e6fd6ddddc93248c322a57dd8dd2c Cr-Commit-Position: refs/heads/master@{#307063}

Patch Set 1 #

Total comments: 4

Patch Set 2 : Merged IncrementBlobDataIfHeld into HoldBlobData #

Patch Set 3 : Ensuring AckReceivedBlobs called on IO thread #

Total comments: 2

Patch Set 4 : Using std::make_pair #

Total comments: 2

Patch Set 5 : Removed unused BlobStorageContext param from CreateBlobData() #

Unified diffs Side-by-side diffs Delta from patch set Stats (+61 lines, -41 lines) Patch
M content/browser/indexed_db/indexed_db_callbacks.cc View 1 2 3 4 4 chunks +3 lines, -20 lines 0 comments Download
M content/browser/indexed_db/indexed_db_dispatcher_host.h View 1 2 5 chunks +6 lines, -4 lines 0 comments Download
M content/browser/indexed_db/indexed_db_dispatcher_host.cc View 1 2 3 7 chunks +52 lines, -17 lines 0 comments Download

Messages

Total messages: 13 (2 generated)
cmumford
Blob implementation is a bit complex so requesting both of you take a look just ...
6 years ago (2014-12-03 23:27:55 UTC) #2
jsbell
Thanks for tracking this down! Two things: 1) Threading HoldBlobDataHandle is called from the IO ...
6 years ago (2014-12-04 00:18:17 UTC) #3
cmumford
https://codereview.chromium.org/774593004/diff/1/content/browser/indexed_db/indexed_db_callbacks.cc File content/browser/indexed_db/indexed_db_callbacks.cc (right): https://codereview.chromium.org/774593004/diff/1/content/browser/indexed_db/indexed_db_callbacks.cc#newcode231 content/browser/indexed_db/indexed_db_callbacks.cc:231: if (!dispatcher_host->IncrementBlobDataIfHeld(uuid)) { On 2014/12/04 00:18:16, jsbell wrote: > ...
6 years ago (2014-12-04 18:00:30 UTC) #4
jsbell
lgtm! https://codereview.chromium.org/774593004/diff/40001/content/browser/indexed_db/indexed_db_dispatcher_host.cc File content/browser/indexed_db/indexed_db_dispatcher_host.cc (right): https://codereview.chromium.org/774593004/diff/40001/content/browser/indexed_db/indexed_db_dispatcher_host.cc#newcode245 content/browser/indexed_db/indexed_db_dispatcher_host.cc:245: std::pair<storage::BlobDataHandle*, int>(blob_data_handle.release(), 1); Can you use std::make_pair here?
6 years ago (2014-12-04 18:13:42 UTC) #5
cmumford
https://codereview.chromium.org/774593004/diff/40001/content/browser/indexed_db/indexed_db_dispatcher_host.cc File content/browser/indexed_db/indexed_db_dispatcher_host.cc (right): https://codereview.chromium.org/774593004/diff/40001/content/browser/indexed_db/indexed_db_dispatcher_host.cc#newcode245 content/browser/indexed_db/indexed_db_dispatcher_host.cc:245: std::pair<storage::BlobDataHandle*, int>(blob_data_handle.release(), 1); On 2014/12/04 18:13:42, jsbell wrote: > ...
6 years ago (2014-12-04 18:17:52 UTC) #6
cmumford
dgrogan@ PTAL - or rubber stamp if you're OK with jsbell's review.
6 years ago (2014-12-04 20:19:50 UTC) #7
dgrogan
lgtm https://codereview.chromium.org/774593004/diff/60001/content/browser/indexed_db/indexed_db_callbacks.cc File content/browser/indexed_db/indexed_db_callbacks.cc (right): https://codereview.chromium.org/774593004/diff/60001/content/browser/indexed_db/indexed_db_callbacks.cc#newcode225 content/browser/indexed_db/indexed_db_callbacks.cc:225: storage::BlobStorageContext* blob_storage_context, Looks like you can ax this ...
6 years ago (2014-12-05 01:09:29 UTC) #8
cmumford
https://codereview.chromium.org/774593004/diff/60001/content/browser/indexed_db/indexed_db_callbacks.cc File content/browser/indexed_db/indexed_db_callbacks.cc (right): https://codereview.chromium.org/774593004/diff/60001/content/browser/indexed_db/indexed_db_callbacks.cc#newcode225 content/browser/indexed_db/indexed_db_callbacks.cc:225: storage::BlobStorageContext* blob_storage_context, On 2014/12/05 01:09:29, dgrogan wrote: > Looks ...
6 years ago (2014-12-05 19:08:09 UTC) #9
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/774593004/80001
6 years ago (2014-12-05 19:09:09 UTC) #11
commit-bot: I haz the power
Committed patchset #5 (id:80001)
6 years ago (2014-12-05 20:01:13 UTC) #12
commit-bot: I haz the power
6 years ago (2014-12-05 20:01:55 UTC) #13
Message was sent while issue was closed. 
Patchset 5 (id:??) landed as
https://crrev.com/2d74497dfa5e6fd6ddddc93248c322a57dd8dd2c
Cr-Commit-Position: refs/heads/master@{#307063}

Powered by Google App Engine
This is Rietveld 408576698