Bug 1502871 - Get RefPtr to transaction before using it. r=janv, a=RyanVM
authorYaron Tausky <ytausky@mozilla.com>
Thu, 20 Dec 2018 13:39:46 +0000
changeset 509159 5ae197bcb7f7d87dafcb6d90045dc8b01e4cd282
parent 509158 d73774b1ca376809e5f3eda30b308599062f2a3a
child 509160 b65f3b9a581a33e96490b6d95aba832784b98859
push id1905
push userffxbld-merge
push dateMon, 21 Jan 2019 12:33:13 +0000
treeherdermozilla-release@c2fca1944d8c [default view] [failures only]
reviewersjanv, RyanVM
bugs1502871
milestone65.0
Bug 1502871 - Get RefPtr to transaction before using it. r=janv, a=RyanVM Avoid use-after-free by getting a RefPtr to a transaction before calling content code that could cause its deallocation. Differential Revision: https://phabricator.services.mozilla.com/D14427
dom/indexedDB/ActorsChild.cpp
--- a/dom/indexedDB/ActorsChild.cpp
+++ b/dom/indexedDB/ActorsChild.cpp
@@ -3539,16 +3539,18 @@ mozilla::ipc::IPCResult BackgroundCursor
   MaybeCollectGarbageOnIPCMessage();
 
   RefPtr<IDBRequest> request;
   mStrongRequest.swap(request);
 
   RefPtr<IDBCursor> cursor;
   mStrongCursor.swap(cursor);
 
+  RefPtr<IDBTransaction> transaction = mTransaction;
+
   switch (aResponse.type()) {
     case CursorResponse::Tnsresult:
       HandleResponse(aResponse.get_nsresult());
       break;
 
     case CursorResponse::Tvoid_t:
       HandleResponse(aResponse.get_void_t());
       break;
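Review bot: The added `RefPtr<IDBTransaction> transaction = mTransaction;` carries no comment saying why a local strong reference is taken, so a later cleanup could fold it back into `mTransaction->OnRequestFinished(...)` and reintroduce the use-after-free the commit message describes. I would put `// Hold a strong ref: HandleResponse() can run content code that releases the transaction before OnRequestFinished() is called below.` directly above it. The local is dereferenced unconditionally after the switch in the second hunk, so unless the part of the function above this hunk (not visible here) already asserts it, `MOZ_ASSERT(transaction);` right after the copy would make the non-null assumption explicit. Other handlers in this file that dereference a member after dispatching a response to content may have the same lifetime problem, but that cannot be confirmed from these hunks.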
@@ -3568,17 +3570,17 @@ mozilla::ipc::IPCResult BackgroundCursor
     case CursorResponse::TIndexKeyCursorResponse:
       HandleResponse(aResponse.get_IndexKeyCursorResponse());
       break;
 
     default:
       MOZ_CRASH("Should never get here!");
   }
 
-  mTransaction->OnRequestFinished(/* aActorDestroyedNormally */ true);
+  transaction->OnRequestFinished(/* aActorDestroyedNormally */ true);
 
   return IPC_OK();
 }
 
 NS_IMETHODIMP
 BackgroundCursorChild::DelayedActionRunnable::Run() {
   MOZ_ASSERT(mActor);
   mActor->AssertIsOnOwningThread();