AK: Fix crash during teardown of self-owning objects

We now null out smart pointers *before* calling unref on the pointee. This ensures that the same smart pointer can't be used to acquire a new reference to the pointee after its destruction has begun. I ran into this when destroying a non-empty IntrusiveList of RefPtrs, but the problem was more general so this fixes it for all of RefPtr, NonnullRefPtr, OwnPtr and NonnullOwnPtr.
2025-07-26 05:37:35 +00:00 · 2023-04-21 13:36:32 +02:00 · 2023-04-21 13:36:32 +02:00 · b7e847e58b
commit b7e847e58b
parent 66bd7cdb28
10 changed files with 102 additions and 14 deletions
--- a/Tests/AK/TestRefPtr.cpp
+++ b/Tests/AK/TestRefPtr.cpp
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018-2020, Andreas Kling <kling@serenityos.org>
+ * Copyright (c) 2018-2023, Andreas Kling <kling@serenityos.org>
 *
 * SPDX-License-Identifier: BSD-2-Clause
 */
@ -153,3 +153,15 @@ TEST_CASE(adopt_ref_if_nonnull)
    RefPtr<SelfAwareObject> failed_allocation = adopt_ref_if_nonnull(null_object);
    EXPECT_EQ(failed_allocation.is_null(), true);
 }
+
+TEST_CASE(destroy_self_owning_refcounted_object)
+{
+    struct SelfOwningRefCounted : public RefCounted<SelfOwningRefCounted> {
+        RefPtr<SelfOwningRefCounted> self;
+    };
+    RefPtr object = make_ref_counted<SelfOwningRefCounted>();
+    auto* object_ptr = object.ptr();
+    object->self = object;
+    object = nullptr;
+    object_ptr->self = nullptr;
+}