209618 – REGRESSION(r259034): access to null UniqueIDBDatabase in UniqueIDBDatabaseConnection::~UniqueIDBDatabaseConnection()

Bug 209618 - REGRESSION(r259034): access to null UniqueIDBDatabase in UniqueIDBDatabaseConnection::~UniqueIDBDatabaseConnection()

Summary: REGRESSION(r259034): access to null UniqueIDBDatabase in UniqueIDBDatabaseCon...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	New Bugs (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Sihui Liu

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2020-03-26 13:30 PDT by Sihui Liu
Modified:	2020-03-26 16:10 PDT (History)
CC List:	8 users (show)

See Also:

Attachments
Patch (4.14 KB, patch) 2020-03-26 13:39 PDT, Sihui Liu	no flags	Details \| Formatted Diff \| Diff
Patch (6.57 KB, patch) 2020-03-26 15:15 PDT, Sihui Liu	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sihui Liu 2020-03-26 13:30:00 PDT

~UniqueIDBDatabaseConnection should happen before ~UniqueIDBDatabase, but we protect UniqueIDBDatabaseConnection in UniqueIDBDatabase::connectionClosedFromClient.

Comment 1 Sihui Liu 2020-03-26 13:31:05 PDT

<rdar://problem/60919105>

Comment 2 Sihui Liu 2020-03-26 13:39:05 PDT

Created attachment 394654 [details]
Patch

Comment 3 Geoffrey Garen 2020-03-26 14:42:37 PDT

Comment on attachment 394654 [details]
Patch

It's not great for correctness to rely on destruction order. We don't have a smart reliable way to guarantee destruction order.

I think a better solution in this case would be to change UniqueIDBDatabaseConnection to hold a direct pointer to IDBServer. That way, there's no need to deference UniqueIDBDatabase in the destructor. Also, it would be good to change UniqueIDBDatabaseConnection::m_database to be a WeakPtr, for memory safety. (That way, a bug like this will be detectable even without guard malloc, and will not become a security bug.)

Comment 4 Sihui Liu 2020-03-26 15:15:55 PDT

Created attachment 394662 [details]
Patch

Comment 5 Geoffrey Garen 2020-03-26 15:20:10 PDT

Comment on attachment 394662 [details]
Patch

r=me

Comment 6 EWS 2020-03-26 16:10:05 PDT

Committed r259090: <https://trac.webkit.org/changeset/259090>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 394662 [details].