authorSimon Giesecke <sgiesecke@mozilla.com>2020-02-14 14:39:40 +0100
committerwolfbeast <mcwerewolf@wolfbeast.com>2020-04-14 12:43:34 +0200
commita377d1ecd42370fbf28395b75535ebfcd9f733f7 (patch)
treedcac011989cd0d116521a6847e944d6704436875
parent1ebbb0af0329192f4766fee671bc473a88b9e3e4 (diff)
[IndexedDB] Ensure that strong references to newly created cursors are
kept until the DOM Binding is created. This fixes random crashes on websites that use IndexedDB cursors. See also BZ bug 1599420
-rw-r--r--dom/indexedDB/ActorsChild.cpp6
1 files changed, 4 insertions, 2 deletions
diff --git a/dom/indexedDB/ActorsChild.cpp b/dom/indexedDB/ActorsChild.cpp
index 30dc9b6da..85f876cdc 100644
--- a/dom/indexedDB/ActorsChild.cpp
+++ b/dom/indexedDB/ActorsChild.cpp
@@ -3291,6 +3291,10 @@ BackgroundCursorChild::HandleResponse(
auto& responses =
const_cast<nsTArray<ObjectStoreCursorResponse>&>(aResponses);
+ // If a new cursor is created, we need to keep a reference to it until the
+ // ResultHelper creates a DOM Binding.
+ RefPtr<IDBCursor> newCursor;
+
for (ObjectStoreCursorResponse& response : responses) {
StructuredCloneReadInfo cloneReadInfo(Move(response.cloneInfo()));
cloneReadInfo.mDatabase = mTransaction->Database();
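Review bot: The comment added above `RefPtr<IDBCursor> newCursor;` says what is kept alive but not why the declaration has to sit outside the `for` loop, which is the entire fix. With the loop-scoped declaration (removed in the second hunk), the strong reference was released at the end of each iteration; presumably `mCursor` does not own the cursor, so the object could be destroyed before the result was dispatched, which is a use-after-free and not only a random crash. I would extend the comment with something like `// Must outlive the loop: mCursor is presumably non-owning, so releasing this at the end of an iteration frees the cursor while it is still in use.`, after confirming `mCursor`'s ownership against the class declaration. `HandleResponse` starts and ends outside the hunk, so the code that consumes `newCursor` after the loop is not visible here.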
@@ -3300,8 +3304,6 @@ BackgroundCursorChild::HandleResponse(
nullptr,
cloneReadInfo.mFiles);
- RefPtr<IDBCursor> newCursor;
-
if (mCursor) {
mCursor->Reset(Move(response.key()), Move(cloneReadInfo));
} else {