AK: Fix crash during teardown of self-owning objects

We now null out smart pointers *before* calling unref on the pointee. This ensures that the same smart pointer can't be used to acquire a new reference to the pointee after its destruction has begun. I ran into this when destroying a non-empty IntrusiveList of RefPtrs, but the problem was more general so this fixes it for all of RefPtr, NonnullRefPtr, OwnPtr and NonnullOwnPtr.
2025-07-25 15:37:46 +00:00 · 2023-04-21 13:36:32 +02:00 · 2023-04-21 13:36:32 +02:00 · b7e847e58b
commit b7e847e58b
parent 66bd7cdb28
10 changed files with 102 additions and 14 deletions
--- a/Tests/AK/TestNonnullRefPtr.cpp
+++ b/Tests/AK/TestNonnullRefPtr.cpp
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018-2020, Andreas Kling <kling@serenityos.org>
+ * Copyright (c) 2018-2023, Andreas Kling <kling@serenityos.org>
 *
 * SPDX-License-Identifier: BSD-2-Clause
 */
@ -8,6 +8,7 @@

 #include <AK/DeprecatedString.h>
 #include <AK/NonnullRefPtr.h>
+#include <AK/OwnPtr.h>

 struct Object : public RefCounted<Object> {
    int x;
@ -58,3 +59,27 @@ TEST_CASE(swap_with_self)
    swap(object, object);
    EXPECT_EQ(object->ref_count(), 1u);
 }
+
+TEST_CASE(destroy_self_owning_refcounted_object)
+{
+    // This test is a little convoluted because SelfOwningRefCounted can't own itself
+    // through a NonnullRefPtr directly. We have to use an intermediate object ("Inner").
+    struct SelfOwningRefCounted : public RefCounted<SelfOwningRefCounted> {
+        SelfOwningRefCounted()
+            : inner(make<Inner>(*this))
+        {
+        }
+        struct Inner {
+            explicit Inner(SelfOwningRefCounted& self)
+                : self(self)
+            {
+            }
+            NonnullRefPtr<SelfOwningRefCounted> self;
+        };
+        OwnPtr<Inner> inner;
+    };
+    RefPtr object = make_ref_counted<SelfOwningRefCounted>();
+    auto* object_ptr = object.ptr();
+    object = nullptr;
+    object_ptr->inner = nullptr;
+}