[Webkit-unassigned] [Bug 177861] New: Ownership issues in IDBConnectionProxy::completeOpenDBRequest

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Oct 4 03:27:06 PDT 2017


https://bugs.webkit.org/show_bug.cgi?id=177861

            Bug ID: 177861
           Summary: Ownership issues in
                    IDBConnectionProxy::completeOpenDBRequest
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ivlev.igor at gmail.com

It looks like IDBConnectionProxy::completeOpenDBRequest has some ownership issues.
They are quite subtle, but I will try to describe them below.

1) As the name of the following function suggests, it may try to post resultData to another thread; however, resultData is declared as a simple reference without reference counting (const IDBResultData& resultData). This is probably not correct and may lead to a use-after-free in case the callback is posted to another thread:
request->performCallbackOnOriginThread(*request, &IDBOpenDBRequest::requestCompleted, resultData);

2) HOWEVER, at least in my setup, performCallbackOnOriginThread does not post the callback to another thread (why is it used then? Why don't we call the function directly?);
instead, it calls the method directly: this is a special case when the object belongs to the current thread (i.e. object.originThreadID() == currentThread()).

But even in this case there seems to be an ownership issue:

IDBOpenDBRequest::requestCompleted --> IDBOpenDBRequest::onUpgradeNeeded calls database->startVersionChangeTransaction.
database->startVersionChangeTransaction calls IDBTransaction::create
IDBTransaction::create calls IDBTransaction::IDBTransaction, which does the following (https://github.com/WebKit/webkit/blob/master/Source/WebCore/Modules/indexeddb/IDBTransaction.cpp#L95):

        RefPtr<IDBTransaction> self;
        JSC::VM& vm = context->vm();
        vm.whenIdle([self, this]() {
                deactivate();
        });

Most likely this is a bug. deactivate() might be called on a wrong object since "RefPtr<IDBTransaction> self" does not capture a reference to "this".

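The lifetime hazard the report describes in the quoted IDBTransaction snippet, shown as an added, self-contained illustration; this is not code from the report or from WebKit. It assumes minimal stand-ins for WTF::RefPtr, a ref-counted object and JSC::VM::whenIdle (here FakeVM), and instruments the object's constructor and destructor so the dangling case can be detected without touching freed memory. The same scheduling code runs twice: once with an empty `self` (as in the snippet, so the queued callback holds no reference and the object is gone by the time it runs) and once with `self` actually pointing at the object (the intended pattern, which keeps it alive until the callback completes).

```cpp
#include <cstdio>
#include <functional>
#include <set>
#include <utility>
#include <vector>

// Minimal stand-ins for WTF::RefPtr and a RefCounted object (constructed for
// this illustration; not WebKit's real classes).
template <typename T>
class RefPtr {
public:
    RefPtr() = default;                                  // empty, like `RefPtr<IDBTransaction> self;`
    explicit RefPtr(T* p) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& o) : m_ptr(o.m_ptr) { if (m_ptr) m_ptr->ref(); }
    RefPtr& operator=(const RefPtr& o) {
        if (o.m_ptr) o.m_ptr->ref();
        if (m_ptr) m_ptr->deref();
        m_ptr = o.m_ptr;
        return *this;
    }
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    T* get() const { return m_ptr; }
private:
    T* m_ptr = nullptr;
};

// Addresses of Transaction objects currently alive (instrumentation so the
// dangling case can be detected without dereferencing freed memory).
static std::set<const void*> g_liveTransactions;

class Transaction {
public:
    Transaction() { g_liveTransactions.insert(this); }
    ~Transaction() { g_liveTransactions.erase(this); }
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }
    void deactivate() { m_deactivated = true; }
    bool deactivated() const { return m_deactivated; }
private:
    unsigned m_refCount = 0;
    bool m_deactivated = false;
};

// Stand-in for JSC::VM::whenIdle(): callbacks are queued and run later, after
// the scheduling scope has already ended.
struct FakeVM {
    std::vector<std::function<void()>> idleTasks;
    void whenIdle(std::function<void()> task) { idleTasks.push_back(std::move(task)); }
    void runIdleTasks() {
        auto tasks = std::move(idleTasks);
        idleTasks.clear();
        for (auto& task : tasks) task();
    }   // tasks (and any RefPtr they captured) are destroyed here
};

struct Outcome {
    bool objectAliveWhenCallbackRan;
    bool deactivateRanOnLiveObject;
};

static Outcome schedule(FakeVM& vm, bool retainSelf) {
    Outcome out{false, false};
    {
        RefPtr<Transaction> owner(new Transaction());    // the only strong reference
        Transaction* rawThis = owner.get();              // plays the role of `this` in the report
        RefPtr<Transaction> self;                         // empty, exactly as in the quoted snippet
        if (retainSelf)
            self = RefPtr<Transaction>(rawThis);          // intended form: the capture keeps the object alive
        vm.whenIdle([self, rawThis, &out]() {
            out.objectAliveWhenCallbackRan = g_liveTransactions.count(rawThis) != 0;
            if (out.objectAliveWhenCallbackRan) {
                rawThis->deactivate();                    // safe only because a reference still exists
                out.deactivateRanOnLiveObject = rawThis->deactivated();
            }
            // otherwise rawThis dangles: a real deactivate() here would be a use-after-free
        });
    }   // owner released; with an empty `self` the refcount hits 0 and the object is deleted now
    vm.runIdleTasks();
    return out;
}

Outcome runWithEmptySelf()    { FakeVM vm; return schedule(vm, false); }
Outcome runWithSelfRetained() { FakeVM vm; return schedule(vm, true); }

int main() {
    Outcome empty = runWithEmptySelf();
    Outcome retained = runWithSelfRetained();
    std::printf("empty self:    alive=%d deactivated=%d\n",
                empty.objectAliveWhenCallbackRan, empty.deactivateRanOnLiveObject);
    std::printf("retained self: alive=%d deactivated=%d\n",
                retained.objectAliveWhenCallbackRan, retained.deactivateRanOnLiveObject);
    return 0;
}
```

The empty-`self` run reports the object as already destroyed when the idle task fires, which is the situation in which calling deactivate() through the captured `this` would be a use-after-free; the retained run shows deactivate() executing on a live object, with the last reference released only when the task itself is destroyed.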