IndexedDB: Protect against use-after-free in ChainedBlobWriter.

This is a speculative fix for a heap user-after-free bug. Was unable
to verify using a Windows SyzyASan build. The theory is that if Abort()
was called before ChainedBlobWriterImpl::WriteNextFile() could set
waiting_for_callback_ then the ReportWriteCompletion() would never know
that it was aborted and attempt to use it's dangling raw pointer to a
deleted IndexedDBBackingStore instance.

Also in this change is the elimination of the redundant aborted_
member variable.

BUG=472614

Review URL: https://codereview.chromium.org/1060613002

Cr-Commit-Position: refs/heads/master@{#326597}
diff --git a/content/browser/indexed_db/indexed_db_backing_store.cc b/content/browser/indexed_db/indexed_db_backing_store.cc
index e7107c5..5000e50 100644
--- a/content/browser/indexed_db/indexed_db_backing_store.cc
+++ b/content/browser/indexed_db/indexed_db_backing_store.cc
@@ -2242,8 +2242,7 @@
       : waiting_for_callback_(false),
         database_id_(database_id),
         backing_store_(backing_store),
-        callback_(callback),
-        aborted_(false) {
+        callback_(callback) {
     blobs_.swap(*blobs);
     iter_ = blobs_.begin();
     backing_store->task_runner()->PostTask(
@@ -2261,8 +2260,8 @@
     if (delegate_.get())  // Only present for Blob, not File.
       content::BrowserThread::DeleteSoon(
           content::BrowserThread::IO, FROM_HERE, delegate_.release());
-    if (aborted_) {
-      self_ref_ = NULL;
+    if (aborted_self_ref_.get()) {
+      aborted_self_ref_ = NULL;
       return;
     }
     if (iter_->size() != -1 && iter_->size() != bytes_written)
@@ -2278,38 +2277,36 @@
   void Abort() override {
     if (!waiting_for_callback_)
       return;
-    self_ref_ = this;
-    aborted_ = true;
+    aborted_self_ref_ = this;
   }
 
  private:
-  ~ChainedBlobWriterImpl() override {}
+  ~ChainedBlobWriterImpl() override { DCHECK(!waiting_for_callback_); }
 
   void WriteNextFile() {
     DCHECK(!waiting_for_callback_);
-    DCHECK(!aborted_);
+    DCHECK(!aborted_self_ref_.get());
     if (iter_ == blobs_.end()) {
-      DCHECK(!self_ref_.get());
       callback_->Run(true);
       return;
     } else {
+      waiting_for_callback_ = true;
       if (!backing_store_->WriteBlobFile(database_id_, *iter_, this)) {
+        waiting_for_callback_ = false;
         callback_->Run(false);
         return;
       }
-      waiting_for_callback_ = true;
     }
   }
 
   bool waiting_for_callback_;
-  scoped_refptr<ChainedBlobWriterImpl> self_ref_;
+  scoped_refptr<ChainedBlobWriterImpl> aborted_self_ref_;
   WriteDescriptorVec blobs_;
   WriteDescriptorVec::const_iterator iter_;
   int64 database_id_;
   IndexedDBBackingStore* backing_store_;
   scoped_refptr<IndexedDBBackingStore::BlobWriteCallback> callback_;
   scoped_ptr<FileWriterDelegate> delegate_;
-  bool aborted_;
 
   DISALLOW_COPY_AND_ASSIGN(ChainedBlobWriterImpl);
 };