Bug 1717814 - LSNG: End explicit snapshots while IPC is still available; r=dom-storage-reviewers,asuth

Differential Revision: https://phabricator.services.mozilla.com/D118588

dom/base/nsGlobalWindowInner.cpp

@@ -1290,7 +1290,10 @@ void nsGlobalWindowInner::FreeInnerObjects() {
   mExternal = nullptr;
   mInstallTrigger = nullptr;
 
-  mLocalStorage = nullptr;
+  if (mLocalStorage) {
+    mLocalStorage->Disconnect();
+    mLocalStorage = nullptr;
+  }
   mSessionStorage = nullptr;
   mPerformance = nullptr;
 
@@ -1517,7 +1520,10 @@ NS_IMPL_CYCLE_COLLECTION_UNLINK_BEGIN(nsGlobalWindowInner)
   NS_IMPL_CYCLE_COLLECTION_UNLINK(mHistory)
   NS_IMPL_CYCLE_COLLECTION_UNLINK(mCustomElements)
   NS_IMPL_CYCLE_COLLECTION_UNLINK(mSharedWorkers)
-  NS_IMPL_CYCLE_COLLECTION_UNLINK(mLocalStorage)
+  if (tmp->mLocalStorage) {
+    tmp->mLocalStorage->Disconnect();
+    NS_IMPL_CYCLE_COLLECTION_UNLINK(mLocalStorage)
+  }
   NS_IMPL_CYCLE_COLLECTION_UNLINK(mSessionStorage)
   if (tmp->mApplicationCache) {
     static_cast<nsDOMOfflineResourceList*>(tmp->mApplicationCache.get())

dom/localstorage/LSObject.cpp

@@ -566,6 +566,16 @@ int64_t LSObject::GetOriginQuotaUsage() const {
   return 0;
 }
 
+void LSObject::Disconnect() {
+  // Explicit snapshots which were not ended in JS, must be ended here while
+  // IPC is still available. We can't do that in DropDatabase because actors
+  // may have been destroyed already at that point.
+  if (mInExplicitSnapshot) {
+    nsresult rv = EndExplicitSnapshotInternal();
+    Unused << NS_WARN_IF(NS_FAILED(rv));
+  }
+}
+
 uint32_t LSObject::GetLength(nsIPrincipal& aSubjectPrincipal,
                              ErrorResult& aError) {
   AssertIsOnOwningThread();
@@ -962,11 +972,6 @@ nsresult LSObject::EnsureDatabase() {
 void LSObject::DropDatabase() {
   AssertIsOnOwningThread();
 
-  if (mInExplicitSnapshot) {
-    nsresult rv = EndExplicitSnapshotInternal();
-    Unused << NS_WARN_IF(NS_FAILED(rv));
-  }
-
   mDatabase = nullptr;
 }
 
@@ -1053,11 +1058,11 @@ nsresult LSObject::EndExplicitSnapshotInternal() {
   // An explicit snapshot must have been created.
   MOZ_ASSERT(mInExplicitSnapshot);
 
-  // If an explicit snapshot have been created then mDatabase must be not null.
+  // If an explicit snapshot has been created then mDatabase must be not null.
-  // DropDatabase could be called in the meatime, but that would set
+  // DropDatabase could be called in the meatime, but that must be preceded by
-  // mInExplicitSnapshot to false. EnsureDatabase could be called in the
+  // Disconnect which sets mInExplicitSnapshot to false. EnsureDatabase could
-  // meantime too, but that can't set mDatabase to null or to a new value. See
+  // be called in the meantime too, but that can't set mDatabase to null or to
-  // the comment below.
+  // a new value. See the comment below.
   MOZ_ASSERT(mDatabase);
 
   // Existence of a snapshot prevents the database from allowing to close. See

dom/localstorage/LSObject.h

@@ -149,6 +149,8 @@ class LSObject final : public Storage {
 
   int64_t GetOriginQuotaUsage() const override;
 
+  void Disconnect() override;
+
   uint32_t GetLength(nsIPrincipal& aSubjectPrincipal,
                      ErrorResult& aError) override;
 

dom/storage/Storage.h

@@ -45,6 +45,8 @@ class Storage : public nsISupports, public nsWrapperCache {
 
   virtual int64_t GetOriginQuotaUsage() const = 0;
 
+  virtual void Disconnect() {}
+
   nsIPrincipal* Principal() const { return mPrincipal; }
 
   nsIPrincipal* StoragePrincipal() const { return mStoragePrincipal; }