Keep reference to DOMStorageNamespace while it's being cloned

While DOMStorageNamespace::Clone constructs an instance, it binds it to a callback, post it to a task runner and returns the instance as a raw pointer. Note that base::BindOnce here retains a reference to |clone| and releases the reference when the callback instance is destroyed. However, if PostTaskAndReply there failed, the callback instance is destroyed immediately and DOMStorageNamespace loses the last reference. Then, DOMStorageNamespace::Clone may return a stale pointer. This CL converts the return value to scoped_refptr, and has Clone() to keep the reference to the resulting instance. Bug: 866456 Change-Id: Ic3a5a02e266bf55f8ad3c4f901eb1eebc2ea9d8e Reviewed-on: https://chromium-review.googlesource.com/1146409Reviewed-by: Daniel Murphy <dmurph@chromium.org> Commit-Queue: Taiju Tsuiki <tzik@chromium.org> Cr-Commit-Position: refs/heads/master@{#577377}

Keep reference to DOMStorageNamespace while it's being cloned
While DOMStorageNamespace::Clone constructs an instance, it binds it to a callback, post it to a task runner and returns the instance as a raw pointer. Note that base::BindOnce here retains a reference to |clone| and releases the reference when the callback instance is destroyed. However, if PostTaskAndReply there failed, the callback instance is destroyed immediately and DOMStorageNamespace loses the last reference. Then, DOMStorageNamespace::Clone may return a stale pointer. This CL converts the return value to scoped_refptr, and has Clone() to keep the reference to the resulting instance. Bug: 866456 Change-Id: Ic3a5a02e266bf55f8ad3c4f901eb1eebc2ea9d8e Reviewed-on: https://chromium-review.googlesource.com/1146409Reviewed-by: Daniel Murphy <dmurph@chromium.org> Commit-Queue: Taiju Tsuiki <tzik@chromium.org> Cr-Commit-Position: refs/heads/master@{#577377}
e17c5244 · tzik · Commit Bot · ccfa84ac · e17c5244 · e17c5244
Commit e17c5244 authored Jul 24, 2018 by tzik Committed by Commit Bot Jul 24, 2018
Showing with 4 additions and 3 deletions

content/browser/dom_storage/dom_storage_namespace.cc content/browser/dom_storage/dom_storage_namespace.cc +2 -2

content/browser/dom_storage/dom_storage_namespace.h content/browser/dom_storage/dom_storage_namespace.h +2 -1

No files found.
--- a/content/browser/dom_storage/dom_storage_namespace.cc
+++ b/content/browser/dom_storage/dom_storage_namespace.cc
@@ -64,11 +64,11 @@ DOMStorageArea* DOMStorageNamespace::GetOpenStorageArea(
  return nullptr;
 }
-DOMStorageNamespace* DOMStorageNamespace::Clone(
+scoped_refptr<DOMStorageNamespace> DOMStorageNamespace::Clone(
    const std::string& clone_namespace_id) {
  DCHECK(!namespace_id_.empty());
  DCHECK(!clone_namespace_id.empty());
-  DOMStorageNamespace* clone = new DOMStorageNamespace(
+  auto clone = base::MakeRefCounted<DOMStorageNamespace>(
      clone_namespace_id, session_storage_database_.get(), task_runner_.get());
  AreaMap::const_iterator it = areas_.begin();
  // Clone the in-memory structures.

--- a/content/browser/dom_storage/dom_storage_namespace.h
+++ b/content/browser/dom_storage/dom_storage_namespace.h
@@ -63,7 +63,8 @@ class CONTENT_EXPORT DOMStorageNamespace
  // Creates a clone of |this| namespace including
  // shallow copies of all contained areas.
  // Should only be called for session storage namespaces.
-  DOMStorageNamespace* Clone(const std::string& clone_namespace_id);
+  scoped_refptr<DOMStorageNamespace> Clone(
+      const std::string& clone_namespace_id);
  void DeleteSessionStorageOrigin(const url::Origin& origin);
  void PurgeMemory(bool aggressively);