Abhishek Shanthkumar (Gerrit)

unread,

Nov 20, 2025, 8:51:04 AM11/20/25

to Evan Stade, Chromium LUCI CQ, chromium...@chromium.org, dmurph+wa...@chromium.org, edgesto...@microsoft.com, enne...@chromium.org, storage...@chromium.org

Attention needed from Evan Stade

Abhishek Shanthkumar voted and added 1 comment

Votes added by Abhishek Shanthkumar

Code-Review

+1

1 comment

Patchset-level comments

File-level comment, Patchset 3 (Latest):

Abhishek Shanthkumar . resolved

I don't have access to the linked bug (I assume this was also reported by the fuzzer), but the change LGTM, thanks!

Open in Gerrit

Related details

Attention is currently required from:

Evan Stade

Submit Requirements:

Code-Coverage
Code-Owners
Code-Review
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Evan Stade (Gerrit)

unread,

Nov 20, 2025, 3:03:26 PM11/20/25

to Abhishek Shanthkumar, Chromium LUCI CQ, chromium...@chromium.org, dmurph+wa...@chromium.org, edgesto...@microsoft.com, enne...@chromium.org, storage...@chromium.org

Evan Stade voted and added 2 comments

Votes added by Evan Stade

Commit-Queue

+2

2 comments

Patchset-level comments

File-level comment, Patchset 3 (Latest):

Evan Stade . resolved

thanks!

File-level comment, Patchset 3 (Latest):

Abhishek Shanthkumar . resolved

I don't have access to the linked bug (I assume this was also reported by the fuzzer), but the change LGTM, thanks!

Evan Stade

Your supposition is correct. CC'd you on the bug

Open in Gerrit

Related details

Attention set is empty

Submit Requirements:

Code-Coverage
Code-Owners
Code-Review
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Evan Stade (Gerrit)

unread,

Nov 20, 2025, 5:41:37 PM11/20/25

to Abhishek Shanthkumar, Chromium LUCI CQ, chromium...@chromium.org, dmurph+wa...@chromium.org, edgesto...@microsoft.com, enne...@chromium.org, storage...@chromium.org

Evan Stade voted

Code-Review	+1
Commit-Queue	+2

Open in Gerrit

Related details

Attention set is empty

Submit Requirements:

Code-Coverage
Code-Owners
Code-Review

Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

open

diffy

Chromium LUCI CQ (Gerrit)

unread,

Nov 20, 2025, 7:06:48 PM11/20/25

to Evan Stade, Abhishek Shanthkumar, chromium...@chromium.org, dmurph+wa...@chromium.org, edgesto...@microsoft.com, enne...@chromium.org, storage...@chromium.org

Chromium LUCI CQ submitted the change

Change information

Commit message:

IDB: fix recently introduced UAF

After fixing the Connection leak, Transaction can now be destroyed
inside RunTasks. Support doing so without UAF.

Fixed: 461720662

Change-Id: Ic9bb49ab2bd047f478beb47235bb671ed1dbdaa7

Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7170735

Commit-Queue: Evan Stade <evan...@microsoft.com>

Reviewed-by: Evan Stade <evan...@microsoft.com>

Reviewed-by: Abhishek Shanthkumar <abhishek.s...@microsoft.com>

Cr-Commit-Position: refs/heads/main@{#1548144}

Files:

M content/browser/indexed_db/indexed_db_unittest.cc
M content/browser/indexed_db/instance/transaction.cc

Change size: M

Delta: 2 files changed, 80 insertions(+), 3 deletions(-)

Branch: refs/heads/main

Submit Requirements:

Code-Review: +1 by Abhishek Shanthkumar, +1 by Evan Stade

Open in Gerrit

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

open

diffy

satisfied_requirement

Victor Obando (Gerrit)

unread,

9:16 AM (4 hours ago) 9:16 AM

to Chromium LUCI CQ, Evan Stade, Abhishek Shanthkumar, chromium...@chromium.org, dmurph+wa...@chromium.org, edgesto...@microsoft.com, enne...@chromium.org, storage...@chromium.org

Victor Obando added 1 comment

Patchset-level comments

File-level comment, Patchset 4 (Latest):

Victor Obando . resolved

// chromium/src/content/browser/indexed_db/indexed_db_transaction.cc

#include "content/browser/indexed_db/indexed_db_transaction.h"
#include "base/memory/weak_ptr.h"

void IndexedDBTransaction::RunTasks() {
  // Se utiliza un WeakPtr para monitorear si 'this' (la transacción) 
  // es destruida durante la ejecución de una tarea.
  base::WeakPtr<IndexedDBTransaction> weak_ptr = weak_factory_.GetWeakPtr();

  if (is_commit_pending_) {
    return;
  }

  while (!task_queue_.empty() && state_ != FINISHED) {
    DCHECK(!processing_event_queue_);
    
    // Ejecutar la siguiente tarea en la cola
    std::unique_ptr<IndexedDBRecordTask> task = std::move(task_queue_.front());
    task_queue_.pop_front();
    
    task->Run(this);

    // CRÍTICO: Después de que task->Run() se ejecuta, la transacción 
    // podría haber sido eliminada por una limpieza de conexiones.
    // Verificamos si el weak_ptr sigue siendo válido antes de continuar.
    if (!weak_ptr) {
      return;
    }

    if (state_ == FINISHED) {
      return;
    }
  }

  // Si la cola está vacía y estamos listos para hacer commit
  if (task_queue_.empty() && state_ == COMMITTING) {
    Commit();
  }
}

Open in Gerrit

Related details

Attention set is empty

Submit Requirements:

Code-Coverage
Code-Owners
Code-Review
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

open

diffy

Reply all

Reply to author

Forward

IDB: fix recently introduced UAF [chromium/src : main]

Abhishek Shanthkumar (Gerrit)

Abhishek Shanthkumar voted and added 1 comment

Votes added by Abhishek Shanthkumar

1 comment

Related details

Evan Stade (Gerrit)

Evan Stade voted and added 2 comments

Votes added by Evan Stade

2 comments

Related details

Evan Stade (Gerrit)

Evan Stade voted

Related details

Chromium LUCI CQ (Gerrit)

Chromium LUCI CQ submitted the change

Change information

Victor Obando (Gerrit)

Victor Obando added 1 comment

Related details