added overflow protection for in-flight memory

uses saturated_cast Bug: 116075 Change-Id: I228a00f77bd2df3b429b16a58c15eb47285c055b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2435282Reviewed-by: enne <enne@chromium.org> Reviewed-by: Daniel Murphy <dmurph@chromium.org> Commit-Queue: enne <enne@chromium.org> Commit-Queue: Austin Sullivan <asully@chromium.org> Cr-Commit-Position: refs/heads/master@{#812866}

added overflow protection for in-flight memory
uses saturated_cast Bug: 116075 Change-Id: I228a00f77bd2df3b429b16a58c15eb47285c055b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2435282Reviewed-by: enne <enne@chromium.org> Reviewed-by: Daniel Murphy <dmurph@chromium.org> Commit-Queue: enne <enne@chromium.org> Commit-Queue: Austin Sullivan <asully@chromium.org> Cr-Commit-Position: refs/heads/master@{#812866}
da226512 · Austin Sullivan · Commit Bot · bdbeca36 · da226512 · da226512
Commit da226512 authored Oct 01, 2020 by Austin Sullivan Committed by Commit Bot Oct 01, 2020
4 changed files
--- a/content/browser/indexed_db/indexed_db_database.cc
+++ b/content/browser/indexed_db/indexed_db_database.cc
@@ -1140,8 +1140,8 @@ Status IndexedDBDatabase::PutOperation(
  DCHECK_NE(transaction->mode(), blink::mojom::IDBTransactionMode::ReadOnly);
  bool key_was_generated = false;
  Status s = Status::OK();
-  transaction->set_in_flight_memory(transaction->in_flight_memory() -
-                                    params->value.SizeEstimate());
+  transaction->in_flight_memory() -= params->value.SizeEstimate();
+  DCHECK(transaction->in_flight_memory().IsValid());

  if (!IsObjectStoreIdInMetadata(params->object_store_id)) {
    IndexedDBDatabaseError error = CreateError(
@@ -1285,11 +1285,8 @@ Status IndexedDBDatabase::PutAllOperation(
  DCHECK_NE(transaction->mode(), blink::mojom::IDBTransactionMode::ReadOnly);
  bool key_was_generated = false;
  Status s = Status::OK();
-  // TODO(nums): Add checks to prevent overflow and underflow
-  // https://crbug.com/1116075
-  transaction->set_in_flight_memory(
-      transaction->in_flight_memory() -
-      base::checked_cast<int64_t>(size_estimate.ValueOrDie()));
+  transaction->in_flight_memory() -= size_estimate.ValueOrDefault(0);
+  DCHECK(transaction->in_flight_memory().IsValid());

  if (!IsObjectStoreIdInMetadata(object_store_id)) {
    IndexedDBDatabaseError error = CreateError(

--- a/content/browser/indexed_db/indexed_db_database_unittest.cc
+++ b/content/browser/indexed_db/indexed_db_database_unittest.cc
@@ -680,6 +680,10 @@ TEST_F(IndexedDBDatabaseOperationTest, CreatePutDelete) {
  std::vector<IndexedDBIndexKeys> index_keys;
  base::MockCallback<blink::mojom::IDBTransaction::PutCallback> callback;

+  // Set in-flight memory to a reasonably large number to prevent underflow in
+  // |PutOperation|
+  transaction_->in_flight_memory() += 1000;
+
  auto put_params = std::make_unique<IndexedDBDatabase::PutOperationParams>();
  put_params->object_store_id = store_id;
  put_params->value = value;

--- a/content/browser/indexed_db/indexed_db_transaction.h
+++ b/content/browser/indexed_db/indexed_db_transaction.h
@@ -151,10 +151,7 @@ class CONTENT_EXPORT IndexedDBTransaction {

  // in_flight_memory() is used to keep track of all memory scheduled to be
  // written using ScheduleTask. This is reported to memory dumps.
-  int64_t in_flight_memory() const { return in_flight_memory_; }
-  void set_in_flight_memory(int64_t in_flight_memory) {
-    in_flight_memory_ = in_flight_memory;
-  }
+  base::CheckedNumeric<size_t>& in_flight_memory() { return in_flight_memory_; }

 protected:
  // Test classes may derive, but most creation should be done via
@@ -247,7 +244,7 @@ class CONTENT_EXPORT IndexedDBTransaction {
  // Metrics for quota.
  int64_t size_ = 0;

-  int64_t in_flight_memory_ = 0;
+  base::CheckedNumeric<size_t> in_flight_memory_ = 0;

  class TaskQueue {
   public:

--- a/content/browser/indexed_db/transaction_impl.cc
+++ b/content/browser/indexed_db/transaction_impl.cc
@@ -148,8 +148,7 @@ void TransactionImpl::Put(
  params->callback = std::move(aborting_callback);
  params->index_keys = index_keys;
  // This is decremented in IndexedDBDatabase::PutOperation.
-  transaction_->set_in_flight_memory(transaction_->in_flight_memory() +
-                                     output_value.SizeEstimate());
+  transaction_->in_flight_memory() += output_value.SizeEstimate();
  transaction_->ScheduleTask(BindWeakOperation(
      &IndexedDBDatabase::PutOperation, connection->database()->AsWeakPtr(),
      std::move(params)));
@@ -218,11 +217,8 @@ void TransactionImpl::PutAll(int64_t object_store_id,
          blink::mojom::IDBTransactionPutAllResultPtr>(
          std::move(callback), transaction_->AsWeakPtr());

-  // TODO(nums): Add checks to prevent overflow and underflow
-  // https://crbug.com/1116075
-  transaction_->set_in_flight_memory(
-      transaction_->in_flight_memory() +
-      base::checked_cast<int64_t>(size_estimate.ValueOrDie()));
+  transaction_->in_flight_memory() += size_estimate.ValueOrDefault(0);
+  DCHECK(transaction_->in_flight_memory().IsValid());
  transaction_->ScheduleTask(BindWeakOperation(
      &IndexedDBDatabase::PutAllOperation, connection->database()->AsWeakPtr(),
      object_store_id, std::move(put_params), std::move(aborting_callback)));