Cherry-pick 64bcd93. rdar://117463447

jsc_fuz/wktr: heap-use-after-free in WebCore::IDBServer::MemoryObjectStore::takeIndexByIdentifier(unsigned long long) MemoryObjectStore.cpp:128. https://bugs.webkit.org/show_bug.cgi?id=264180. rdar://117463447. Reviewed by Sihui Liu. MemoryIndex now keeps WeakPtr to MemoryObjectStore 'm_objectStore' and checks it's validity before using it. Also RefPtr conversion from WekPtr using get() API as applicable. * LayoutTests/storage/indexeddb/abort-index-rename-crash-expected.txt: Added the test expected file. * LayoutTests/storage/indexeddb/abort-index-rename-crash.html: Added the test case. * Source/WebCore/Modules/indexeddb/server/MemoryBackingStoreTransaction.cpp: Checks the validity of MemoryObjectStore pointer before using. (WebCore::IDBServer::MemoryBackingStoreTransaction::objectStoreDeleted): (WebCore::IDBServer::MemoryBackingStoreTransaction::indexRenamed): (WebCore::IDBServer::MemoryBackingStoreTransaction::abort): * Source/WebCore/Modules/indexeddb/server/MemoryIndex.cpp: Changed direct reference to WeakPtr. Also used RefPtr conversion using get() API as applicable. (WebCore::IDBServer::MemoryIndex::objectStoreCleared): (WebCore::IDBServer::MemoryIndex::clearIndexValueStore): (WebCore::IDBServer::MemoryIndex::replaceIndexValueStore): (WebCore::IDBServer::MemoryIndex::getResultForKeyRange const): (WebCore::IDBServer::MemoryIndex::getAllRecords const): * Source/WebCore/Modules/indexeddb/server/MemoryIndex.h: Changed direct reference to WeakPtr. (WebCore::IDBServer::MemoryIndex::objectStore): * Source/WebCore/Modules/indexeddb/server/MemoryIndexCursor.cpp: Used RefPtr conversion using get() API for MemoryIndex based MemoryObjectStore object. (WebCore::IDBServer::MemoryIndexCursor::currentData): * Source/WebCore/Modules/indexeddb/server/MemoryObjectStore.h: Canonical link: https://commits.webkit.org/267815.545@safari-7617-branch
WebKit · Nov 8, 2023 · c9941f3 · c9941f3
1 parent e7e6ce5
commit c9941f3
Show file tree

Hide file tree

Showing 7 changed files with 55 additions and 26 deletions.
diff --git a/LayoutTests/storage/indexeddb/abort-index-rename-crash-expected.txt b/LayoutTests/storage/indexeddb/abort-index-rename-crash-expected.txt
@@ -0,0 +1 @@
+This test passes if it doesn't crash.
diff --git a/LayoutTests/storage/indexeddb/abort-index-rename-crash.html b/LayoutTests/storage/indexeddb/abort-index-rename-crash.html
@@ -0,0 +1,27 @@
+<!-- webkit-test-runner [ useEphemeralSession=true ] -->
+<body>
+<script>
+if (window.testRunner) {
+  testRunner.dumpAsText();
+  testRunner.waitUntilDone();
+}
+indexedDB.open('abort-index-rename').onupgradeneeded = (event) => {
+    request = event.target;
+    transaction = request.transaction;
+    transaction.onabort = () => {
+        if (window.testRunner)
+            testRunner.notifyDone();
+    }
+    database = request.result;
+    objectStore = database.createObjectStore('os');
+    index = objectStore.createIndex('foo', 'foo');
+    index.name = 'bar';
+    database.deleteObjectStore('os');
+    objectStore2 = database.createObjectStore('os2');
+    objectStore2.add('value', 'key').onsuccess = () => {
+        transaction.abort();
+    }
+};
+</script>
+<p>This test passes if it doesn't crash.</p>
+</body>
diff --git a/Source/WebCore/Modules/indexeddb/server/MemoryBackingStoreTransaction.cpp b/Source/WebCore/Modules/indexeddb/server/MemoryBackingStoreTransaction.cpp
@@ -124,7 +124,7 @@ void MemoryBackingStoreTransaction::objectStoreDeleted(Ref<MemoryObjectStore>&&
     if (auto addedObjectStore = m_versionChangeAddedObjectStores.take(&objectStore.get())) {
         // We don't need to track its indexes either.
         m_deletedIndexes.removeIf([identifier = objectStore->info().identifier()](auto& entry) {
-            return entry.value->objectStore().info().identifier() == identifier;
+            return entry.value->objectStore()->info().identifier() == identifier;
         });
         return;
     }
@@ -162,7 +162,7 @@ void MemoryBackingStoreTransaction::objectStoreRenamed(MemoryObjectStore& object
 
 void MemoryBackingStoreTransaction::indexRenamed(MemoryIndex& index, const String& oldName)
 {
-    ASSERT(m_objectStores.contains(&index.objectStore()));
+    ASSERT(!index.objectStore() || m_objectStores.contains(index.objectStore().get()));
     ASSERT(m_info.mode() == IDBTransactionMode::Versionchange);
 
     // We only care about the first rename in a given transaction, because if the transaction is aborted we want
@@ -225,15 +225,16 @@ void MemoryBackingStoreTransaction::abort()
                 break;
             }
         }
-        if (indexToDelete)
-            indexToDelete->objectStore().deleteIndex(*this, indexToDelete->info().identifier());
-
-        auto& objectStore = index->objectStore();
-        auto indexToReRegister = objectStore.takeIndexByIdentifier(identifier).releaseNonNull();
-        objectStore.info().deleteIndex(identifier);
-        index->rename(originalName);
-        objectStore.info().addExistingIndex(index->info());
-        objectStore.registerIndex(WTFMove(indexToReRegister));
+        if (indexToDelete && indexToDelete->objectStore())
+            indexToDelete->objectStore()->deleteIndex(*this, indexToDelete->info().identifier());
+
+        if (auto objectStore = index->objectStore()) {
+            auto indexToReRegister = objectStore->takeIndexByIdentifier(identifier).releaseNonNull();
+            objectStore->info().deleteIndex(identifier);
+            index->rename(originalName);
+            objectStore->info().addExistingIndex(index->info());
+            objectStore->registerIndex(WTFMove(indexToReRegister));
+        }
     }
     m_originalIndexNames.clear();
 
@@ -244,7 +245,7 @@ void MemoryBackingStoreTransaction::abort()
     for (const auto& objectStore : m_versionChangeAddedObjectStores)
         m_backingStore.removeObjectStoreForVersionChangeAbort(*objectStore);
     m_deletedIndexes.removeIf([&](auto& entry) {
-        return m_versionChangeAddedObjectStores.contains(&entry.value->objectStore());
+        return m_versionChangeAddedObjectStores.contains(entry.value->objectStore().get());
     });
     m_versionChangeAddedObjectStores.clear();
 
@@ -288,7 +289,7 @@ void MemoryBackingStoreTransaction::abort()
 
     for (auto& index : m_deletedIndexes.values()) {
         RELEASE_ASSERT(m_backingStore.hasObjectStore(index->info().objectStoreIdentifier()));
-        index->objectStore().maybeRestoreDeletedIndex(*index);
+        index->objectStore()->maybeRestoreDeletedIndex(*index);
     }
     m_deletedIndexes.clear();
 

diff --git a/Source/WebCore/Modules/indexeddb/server/MemoryIndex.cpp b/Source/WebCore/Modules/indexeddb/server/MemoryIndex.cpp
@@ -65,7 +65,7 @@ void MemoryIndex::cursorDidBecomeDirty(MemoryIndexCursor& cursor)
 
 void MemoryIndex::objectStoreCleared()
 {
-    auto transaction = m_objectStore.writeTransaction();
+    auto transaction = m_objectStore->writeTransaction();
     ASSERT(transaction);
 
     transaction->indexCleared(*this, WTFMove(m_records));
@@ -89,16 +89,16 @@ void MemoryIndex::notifyCursorsOfAllRecordsChanged()
 
 void MemoryIndex::clearIndexValueStore()
 {
-    ASSERT(m_objectStore.writeTransaction());
-    ASSERT(m_objectStore.writeTransaction()->isAborting());
+    ASSERT(m_objectStore->writeTransaction());
+    ASSERT(m_objectStore->writeTransaction()->isAborting());
 
     m_records = nullptr;
 }
 
 void MemoryIndex::replaceIndexValueStore(std::unique_ptr<IndexValueStore>&& valueStore)
 {
-    ASSERT(m_objectStore.writeTransaction());
-    ASSERT(m_objectStore.writeTransaction()->isAborting());
+    ASSERT(m_objectStore->writeTransaction());
+    ASSERT(m_objectStore->writeTransaction()->isAborting());
 
     m_records = WTFMove(valueStore);
 }
@@ -124,7 +124,7 @@ IDBGetResult MemoryIndex::getResultForKeyRange(IndexedDB::IndexRecordType type,
     if (!keyValue)
         return { };
 
-    return type == IndexedDB::IndexRecordType::Key ? IDBGetResult(*keyValue) : IDBGetResult(*keyValue, m_objectStore.valueForKeyRange(*keyValue), m_objectStore.info().keyPath());
+    return type == IndexedDB::IndexRecordType::Key ? IDBGetResult(*keyValue) : IDBGetResult(*keyValue, m_objectStore->valueForKeyRange(*keyValue), m_objectStore->info().keyPath());
 }
 
 uint64_t MemoryIndex::countForKeyRange(const IDBKeyRangeData& inRange)
@@ -154,7 +154,7 @@ void MemoryIndex::getAllRecords(const IDBKeyRangeData& keyRangeData, std::option
 {
     LOG(IndexedDB, "MemoryIndex::getAllRecords");
 
-    result = { type, m_objectStore.info().keyPath() };
+    result = { type, m_objectStore->info().keyPath() };
 
     if (!m_records)
         return;
@@ -179,7 +179,7 @@ void MemoryIndex::getAllRecords(const IDBKeyRangeData& keyRangeData, std::option
         for (auto& keyValue : allValues) {
             result.addKey(IDBKeyData(keyValue));
             if (type == IndexedDB::GetAllType::Values)
-                result.addValue(m_objectStore.valueForKeyRange(keyValue));
+                result.addValue(m_objectStore->valueForKeyRange(keyValue));
         }
 
         currentCount += allValues.size();

diff --git a/Source/WebCore/Modules/indexeddb/server/MemoryIndex.h b/Source/WebCore/Modules/indexeddb/server/MemoryIndex.h
@@ -81,7 +81,7 @@ class MemoryIndex : public RefCounted<MemoryIndex> {
 
     IndexValueStore* valueStore() { return m_records.get(); }
 
-    MemoryObjectStore& objectStore() { return m_objectStore; }
+    WeakPtr<MemoryObjectStore> objectStore() { return m_objectStore; }
 
     void cursorDidBecomeClean(MemoryIndexCursor&);
     void cursorDidBecomeDirty(MemoryIndexCursor&);
@@ -96,7 +96,7 @@ class MemoryIndex : public RefCounted<MemoryIndex> {
     void notifyCursorsOfAllRecordsChanged();
 
     IDBIndexInfo m_info;
-    MemoryObjectStore& m_objectStore;
+    WeakPtr<MemoryObjectStore> m_objectStore;
 
     std::unique_ptr<IndexValueStore> m_records;
 

diff --git a/Source/WebCore/Modules/indexeddb/server/MemoryIndexCursor.cpp b/Source/WebCore/Modules/indexeddb/server/MemoryIndexCursor.cpp
@@ -72,8 +72,8 @@ void MemoryIndexCursor::currentData(IDBGetResult& getResult)
     if (m_info.cursorType() == IndexedDB::CursorType::KeyOnly)
         getResult = { m_currentKey, m_currentPrimaryKey };
     else {
-        IDBValue value = { m_index.objectStore().valueForKey(m_currentPrimaryKey), { }, { } };
-        getResult = { m_currentKey, m_currentPrimaryKey, WTFMove(value), m_index.objectStore().info().keyPath() };
+        IDBValue value = { m_index.objectStore()->valueForKey(m_currentPrimaryKey), { }, { } };
+        getResult = { m_currentKey, m_currentPrimaryKey, WTFMove(value), m_index.objectStore()->info().keyPath() };
     }
 }
 

diff --git a/Source/WebCore/Modules/indexeddb/server/MemoryObjectStore.h b/Source/WebCore/Modules/indexeddb/server/MemoryObjectStore.h
@@ -55,7 +55,7 @@ class MemoryBackingStoreTransaction;
 
 typedef HashMap<IDBKeyData, ThreadSafeDataBuffer, IDBKeyDataHash, IDBKeyDataHashTraits> KeyValueMap;
 
-class MemoryObjectStore : public RefCounted<MemoryObjectStore> {
+class MemoryObjectStore : public RefCounted<MemoryObjectStore>, public CanMakeWeakPtr<MemoryObjectStore> {
 public:
     static Ref<MemoryObjectStore> create(const IDBObjectStoreInfo&);