authorshess@chromium.org <shess@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-02-17 02:15:09 +0000
committershess@chromium.org <shess@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-02-17 02:15:09 +0000
commit85fc27b00e4667b4286e2100f8c9c8466275827b (patch)
tree59fef43584106d9e9679e8391ef065419321eefa /sql
parent7ed49c23b6a29b533e3e3550c818f45ef5afe32e (diff)
Clear statement before closing db in cookie code.
sql::Statement maintains a weak ref to the associated sql::Connection, meaning that if the database and statement are destructed in the wrong order, a use-after-free can result. sql::Statement::Clear() allows resetting the statement to the default-constructed state. BUG=111376 TEST=fewer crashes. Review URL: http://codereview.chromium.org/9418021 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@122430 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'sql')
-rw-r--r--sql/statement.cc5
-rw-r--r--sql/statement.h4
2 files changed, 9 insertions, 0 deletions
diff --git a/sql/statement.cc b/sql/statement.cc
index 7bc6adf..626c15b 100644
--- a/sql/statement.cc
+++ b/sql/statement.cc
@@ -36,6 +36,11 @@ void Statement::Assign(scoped_refptr<Connection::StatementRef> ref) {
ref_ = ref;
}
+void Statement::Clear() {
+ Assign(new Connection::StatementRef);
+ succeeded_ = false;
+}
+
bool Statement::CheckValid() const {
if (!is_valid())
DLOG(FATAL) << "Cannot call mutating statements on an invalid statement.";
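Review bot: `Statement::Clear()` lands without a test in the sql/ diffstat shown (the commit's TEST line is "fewer crashes"), so nothing pins that a cleared statement reports `is_valid()` as false and has `succeeded_` reset. A small unit test that prepares a statement, calls `Clear()`, and checks `is_valid()` before the connection is closed would guard the ordering this fix relies on. The fix is also opt-in: going by the commit description, the weak reference to sql::Connection remains, so any other Statement that outlives its database keeps the same use-after-free exposure unless its owner also calls `Clear()`. A follow-up that has the connection invalidate outstanding statement refs when it closes would make ordering mistakes fail safe.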
diff --git a/sql/statement.h b/sql/statement.h
index fb70cf1..5b4ff92 100644
--- a/sql/statement.h
+++ b/sql/statement.h
@@ -55,6 +55,10 @@ class SQL_EXPORT Statement {
// be valid. Use is_valid() to check if it's OK.
void Assign(scoped_refptr<Connection::StatementRef> ref);
+ // Resets the statement to an uninitialized state corrosponding to
+ // the default constructor, releasing the StatementRef.
+ void Clear();
+
// Returns true if the statement can be executed. All functions can still
// be used if the statement is invalid, but they will return failure or some
// default value. This is because the statement can become invalid in the
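Review bot: The new comment on `Clear()` says what the method resets but not when a caller must use it, and it misspells "corresponding". The method exists to avoid the destruction-order use-after-free described in the commit message, so the header should state that contract. One possible wording is `// Call this (or destroy the statement) before the associated Connection is closed or destroyed.` The class body continues outside the hunk.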