Fix critical memory safety issue in Transaction API #49
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
PROBLEM:
Transaction was storing a raw *mut CBLDatabase pointer without ensuring
the underlying Database remains alive. This could lead to use-after-free
if the Database was dropped before the Transaction:
```rust
let transaction = {
let mut db = Database::open("test", None)?;
db.begin_transaction()? // db dropped here\!
};
transaction.commit()?; // 💥 Use-after-free\!
```
SOLUTION:
Transaction now owns a Database clone instead of a raw pointer:
- Transaction::new() calls db.clone() which uses reference counting
- Database::clone() calls retain() to increment CBLDatabase ref count
- When Transaction is dropped, Database is automatically released
- CBLDatabase stays alive for the entire Transaction lifetime
CHANGES:
- Transaction.db_ref: *mut CBLDatabase → Transaction.db: Database
- Transaction::new() takes &Database instead of *mut CBLDatabase
- All Transaction methods use self.db.get_ref() instead of raw pointer
- Memory safety now guaranteed through Rust's ownership system
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <[email protected]>
Nao-ris
reviewed
Jul 18, 2025
Transaction::new() only needs &Database (not &mut) because:
- We only call db.clone() which doesn't mutate the Database
- All transaction operations go through the C API via get_ref()
- This makes the API more flexible - no need for mutable Database
This allows usage like:
let db = Database::open("test", None)?; // immutable
let transaction = db.begin_transaction()?; // works now
DamienVoreiter
approved these changes
Jul 28, 2025
|
Pas sûr que ça compile côté billeo-engine, l'objet Database pourrait ne pas être transférable entre les threads. A tester. |
|
A réouvrir plus tard |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
🚨 Critical Memory Safety Fix
Problem
The Transaction API had a use-after-free vulnerability where Transaction stored a raw
*mut CBLDatabasepointer without ensuring the underlying Database remains alive.Dangerous scenario:
Solution
Transaction now owns a
Databaseclone instead of a raw pointer:Transaction::new()callsdb.clone()which uses reference countingDatabase::clone()callsretain()to increment CBLDatabase ref countChanges
Transaction.db_ref: *mut CBLDatabase→Transaction.db: DatabaseTransaction::new()takes&Databaseinstead of*mut CBLDatabaseself.db.get_ref()instead of raw pointerTesting
Risk Assessment
🤖 Generated with Claude Code