Fix critical memory safety issue in Transaction API

TonyMasson · claude · TonyMasson · commit 9e992acbde97 · 2025-07-18T09:59:45.000+02:00
PROBLEM: Transaction was storing a raw *mut CBLDatabase pointer without ensuring the underlying Database remains alive. This could lead to use-after-free if the Database was dropped before the Transaction: ```rust let transaction = { let mut db = Database::open("test", None)?; db.begin_transaction()? // db dropped here\! }; transaction.commit()?; // 💥 Use-after-free\! ``` SOLUTION: Transaction now owns a Database clone instead of a raw pointer: - Transaction::new() calls db.clone() which uses reference counting - Database::clone() calls retain() to increment CBLDatabase ref count - When Transaction is dropped, Database is automatically released - CBLDatabase stays alive for the entire Transaction lifetime CHANGES: - Transaction.db_ref: *mut CBLDatabase → Transaction.db: Database - Transaction::new() takes &Database instead of *mut CBLDatabase - All Transaction methods use self.db.get_ref() instead of raw pointer - Memory safety now guaranteed through Rust's ownership system 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/src/database.rs b/src/database.rs
@@ -359,7 +359,7 @@ impl Database {
     ///
     /// For simpler cases, consider using `in_transaction()` instead.
     pub fn begin_transaction(&mut self) -> Result<Transaction> {
-        Transaction::new(self.get_ref())
+        Transaction::new(self)
     }
 
     /// Encrypts or decrypts a database, or changes its encryption key.
@@ -606,20 +606,21 @@ impl Database {
 /// A database transaction that can be committed or rolled back.
 /// When dropped without being committed, the transaction is automatically rolled back.
 pub struct Transaction {
-    db_ref: *mut CBLDatabase,
+    db: Database,
     committed: bool,
 }
 
 impl Transaction {
-    fn new(db_ref: *mut CBLDatabase) -> Result<Self> {
+    fn new(db: &Database) -> Result<Self> {
+        let db_clone = db.clone();
         unsafe {
             let mut err = CBLError::default();
-            if !CBLDatabase_BeginTransaction(db_ref, &mut err) {
+            if !CBLDatabase_BeginTransaction(db_clone.get_ref(), &mut err) {
                 return failure(err);
             }
         }
         Ok(Transaction {
-            db_ref,
+            db: db_clone,
             committed: false,
         })
     }
@@ -628,7 +629,7 @@ impl Transaction {
     pub fn commit(mut self) -> Result<()> {
         unsafe {
             let mut err = CBLError::default();
-            if !CBLDatabase_EndTransaction(self.db_ref, true, &mut err) {
+            if !CBLDatabase_EndTransaction(self.db.get_ref(), true, &mut err) {
                 return failure(err);
             }
         }
@@ -642,7 +643,7 @@ impl Drop for Transaction {
         if !self.committed {
             unsafe {
                 let mut err = CBLError::default();
-                let _ = CBLDatabase_EndTransaction(self.db_ref, false, &mut err);
+                let _ = CBLDatabase_EndTransaction(self.db.get_ref(), false, &mut err);
             }
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -359,7 +359,7 @@ impl Database {`
`359`	`359`	`///`
`360`	`360`	/// For simpler cases, consider using `in_transaction()` instead.
`361`	`361`	`pub fn begin_transaction(&mut self) -> Result<Transaction> {`
`362`		`- Transaction::new(self.get_ref())`
	`362`	`+ Transaction::new(self)`
`363`	`363`	`}`
`364`	`364`
`365`	`365`	`/// Encrypts or decrypts a database, or changes its encryption key.`
`@@ -606,20 +606,21 @@ impl Database {`
`606`	`606`	`/// A database transaction that can be committed or rolled back.`
`607`	`607`	`/// When dropped without being committed, the transaction is automatically rolled back.`
`608`	`608`	`pub struct Transaction {`
`609`		`- db_ref: *mut CBLDatabase,`
	`609`	`+ db: Database,`
`610`	`610`	`committed: bool,`
`611`	`611`	`}`
`612`	`612`
`613`	`613`	`impl Transaction {`
`614`		`- fn new(db_ref: *mut CBLDatabase) -> Result<Self> {`
	`614`	`+ fn new(db: &Database) -> Result<Self> {`
	`615`	`+ let db_clone = db.clone();`
`615`	`616`	`unsafe {`
`616`	`617`	`let mut err = CBLError::default();`
`617`		`- if !CBLDatabase_BeginTransaction(db_ref, &mut err) {`
	`618`	`+ if !CBLDatabase_BeginTransaction(db_clone.get_ref(), &mut err) {`
`618`	`619`	`return failure(err);`
`619`	`620`	`}`
`620`	`621`	`}`
`621`	`622`	`Ok(Transaction {`
`622`		`- db_ref,`
	`623`	`+ db: db_clone,`
`623`	`624`	`committed: false,`
`624`	`625`	`})`
`625`	`626`	`}`
`@@ -628,7 +629,7 @@ impl Transaction {`
`628`	`629`	`pub fn commit(mut self) -> Result<()> {`
`629`	`630`	`unsafe {`
`630`	`631`	`let mut err = CBLError::default();`
`631`		`- if !CBLDatabase_EndTransaction(self.db_ref, true, &mut err) {`
	`632`	`+ if !CBLDatabase_EndTransaction(self.db.get_ref(), true, &mut err) {`
`632`	`633`	`return failure(err);`
`633`	`634`	`}`
`634`	`635`	`}`
`@@ -642,7 +643,7 @@ impl Drop for Transaction {`
`642`	`643`	`if !self.committed {`
`643`	`644`	`unsafe {`
`644`	`645`	`let mut err = CBLError::default();`
`645`		`- let _ = CBLDatabase_EndTransaction(self.db_ref, false, &mut err);`
	`646`	`+ let _ = CBLDatabase_EndTransaction(self.db.get_ref(), false, &mut err);`
`646`	`647`	`}`
`647`	`648`	`}`
`648`	`649`	`}`