AK: Fix a race condition with WeakPtr<T>::strong_ref and destruction

Since RefPtr<T> decrements the ref counter to 0 and after that starts destructing the object, there is a window where the ref count is 0 and the weak references have not been revoked. Also change WeakLink to be able to obtain a strong reference concurrently and block revoking instead, which should happen a lot less often. Fixes a problem observed in #4621
2025-07-27 03:57:44 +00:00 · 2020-12-29 13:14:21 -07:00 · 2020-12-29 13:14:21 -07:00 · 54eeb8ee9a
commit 54eeb8ee9a
parent 3e00e3da72
4 changed files with 88 additions and 24 deletions
--- a/AK/WeakPtr.h
+++ b/AK/WeakPtr.h
@ -201,16 +201,40 @@ template<typename T>
 template<typename U>
 inline WeakPtr<U> Weakable<T>::make_weak_ptr() const
 {
-#ifdef DEBUG
-    ASSERT(!m_being_destroyed);
-#endif
+    if constexpr (IsBaseOf<RefCountedBase, T>::value) {
+        // Checking m_being_destroyed isn't sufficient when dealing with
+        // a RefCounted type.The reference count will drop to 0 before the
+        // destructor is invoked and revoke_weak_ptrs is called. So, try
+        // to add a ref (which should fail if the ref count is at 0) so
+        // that we prevent the destructor and revoke_weak_ptrs from being
+        // triggered until we're done.
+        if (!static_cast<const T*>(this)->try_ref())
+            return {};
+    } else {
+        // For non-RefCounted types this means a weak reference can be
+        // obtained until the ~Weakable destructor is invoked!
+        if (m_being_destroyed.load(AK::MemoryOrder::memory_order_acquire))
+            return {};
+    }
    if (!m_link) {
        // There is a small chance that we create a new WeakLink and throw
        // it away because another thread beat us to it. But the window is
        // pretty small and the overhead isn't terrible.
        m_link.assign_if_null(adopt(*new WeakLink(const_cast<T&>(static_cast<const T&>(*this)))));
    }
-    return WeakPtr<U>(m_link);
+
+    WeakPtr<U> weak_ptr(m_link);
+
+    if constexpr (IsBaseOf<RefCountedBase, T>::value) {
+        // Now drop the reference we temporarily added
+        if (static_cast<const T*>(this)->unref()) {
+            // We just dropped the last reference, which should have called
+            // revoke_weak_ptrs, which should have invalidated our weak_ptr
+            ASSERT(!weak_ptr.strong_ref());
+            return {};
+        }
+    }
+    return weak_ptr;
 }

 template<typename T>