Ladybird/ladybird
1
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2025-06-09 17:44:56 +09:00
Code Activity

AK: Fix crash during teardown of self-owning objects

Browse source 
We now null out smart pointers *before* calling unref on the pointee.
This ensures that the same smart pointer can't be used to acquire a new
reference to the pointee after its destruction has begun.

I ran into this when destroying a non-empty IntrusiveList of RefPtrs,
but the problem was more general so this fixes it for all of RefPtr,
NonnullRefPtr, OwnPtr and NonnullOwnPtr.
This commit is contained in:
Andreas Kling 2023-04-21 13:36:32 +02:00
parent 66bd7cdb28
commit b7e847e58b
Notes: sideshowbarker 2024-07-17 03:51:15 +09:00
10 changed files with 102 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

6
AK/NonnullOwnPtr.h
View file

@ -129,10 +129,8 @@ public:
private:
void clear()
{
if (!m_ptr)
return;
delete m_ptr;
m_ptr = nullptr;
auto* ptr = exchange(m_ptr, nullptr);
delete ptr;
}
T* m_ptr = nullptr;

6
AK/NonnullRefPtr.h
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018-2020, Andreas Kling <kling@serenityos.org>
* Copyright (c) 2018-2023, Andreas Kling <kling@serenityos.org>
*
* SPDX-License-Identifier: BSD-2-Clause
*/
@ -94,8 +94,8 @@ public:
ALWAYS_INLINE ~NonnullRefPtr()
{
unref_if_not_null(m_ptr);
m_ptr = nullptr;
auto* ptr = exchange(m_ptr, nullptr);
unref_if_not_null(ptr);
#ifdef SANITIZE_PTRS
m_ptr = reinterpret_cast<T*>(explode_byte(NONNULLREFPTR_SCRUB_BYTE));
#endif

4
AK/OwnPtr.h
View file

@ -106,8 +106,8 @@ public:
void clear()
{
TDeleter {}(m_ptr);
m_ptr = nullptr;
auto* ptr = exchange(m_ptr, nullptr);
TDeleter {}(ptr);
}
bool operator!() const { return !m_ptr; }

6
AK/RefPtr.h
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018-2020, Andreas Kling <kling@serenityos.org>
* Copyright (c) 2018-2023, Andreas Kling <kling@serenityos.org>
*
* SPDX-License-Identifier: BSD-2-Clause
*/
@ -220,8 +220,8 @@ public:
ALWAYS_INLINE void clear()
{
unref_if_not_null(m_ptr);
m_ptr = nullptr;
auto* ptr = exchange(m_ptr, nullptr);
unref_if_not_null(ptr);
}
bool operator!() const { return !m_ptr; }

1
Tests/AK/CMakeLists.txt
View file

@ -51,6 +51,7 @@ set(AK_TEST_SOURCES
TestMemory.cpp
TestMemoryStream.cpp
TestNeverDestroyed.cpp
TestNonnullOwnPtr.cpp
TestNonnullRefPtr.cpp
TestNumberFormat.cpp
TestOptional.cpp

6
Tests/AK/TestIntrusiveList.cpp
View file

@ -155,3 +155,9 @@ TEST_CASE(intrusive_nonnull_ref_ptr_intrusive)
EXPECT(nonnull_ref_list.is_empty());
}
TEST_CASE(destroy_nonempty_intrusive_list)
{
IntrusiveNonnullRefPtrList nonnull_ref_list;
nonnull_ref_list.append(adopt_ref(*new IntrusiveNonnullRefPtrItem));
}

34
Tests/AK/TestNonnullOwnPtr.cpp Normal file
View file

@ -0,0 +1,34 @@
/*
* Copyright (c) 2018-2023, Andreas Kling <kling@serenityos.org>
*
* SPDX-License-Identifier: BSD-2-Clause
*/
#include <LibTest/TestCase.h>
#include <AK/DeprecatedString.h>
#include <AK/NonnullOwnPtr.h>
#include <AK/OwnPtr.h>
TEST_CASE(destroy_self_owning_object)
{
// This test is a little convoluted because SelfOwning can't own itself
// through a NonnullOwnPtr directly. We have to use an intermediate object ("Inner").
struct SelfOwning {
SelfOwning()
{
}
struct Inner {
explicit Inner(NonnullOwnPtr<SelfOwning> self)
: self(move(self))
{
}
NonnullOwnPtr<SelfOwning> self;
};
OwnPtr<Inner> inner;
};
OwnPtr<SelfOwning> object = make<SelfOwning>();
auto* object_ptr = object.ptr();
object_ptr->inner = make<SelfOwning::Inner>(object.release_nonnull());
object_ptr->inner = nullptr;
}

27
Tests/AK/TestNonnullRefPtr.cpp
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018-2020, Andreas Kling <kling@serenityos.org>
* Copyright (c) 2018-2023, Andreas Kling <kling@serenityos.org>
*
* SPDX-License-Identifier: BSD-2-Clause
*/
@ -8,6 +8,7 @@
#include <AK/DeprecatedString.h>
#include <AK/NonnullRefPtr.h>
#include <AK/OwnPtr.h>
struct Object : public RefCounted<Object> {
int x;
@ -58,3 +59,27 @@ TEST_CASE(swap_with_self)
swap(object, object);
EXPECT_EQ(object->ref_count(), 1u);
}
TEST_CASE(destroy_self_owning_refcounted_object)
{
// This test is a little convoluted because SelfOwningRefCounted can't own itself
// through a NonnullRefPtr directly. We have to use an intermediate object ("Inner").
struct SelfOwningRefCounted : public RefCounted<SelfOwningRefCounted> {
SelfOwningRefCounted()
: inner(make<Inner>(*this))
{
}
struct Inner {
explicit Inner(SelfOwningRefCounted& self)
: self(self)
{
}
NonnullRefPtr<SelfOwningRefCounted> self;
};
OwnPtr<Inner> inner;
};
RefPtr object = make_ref_counted<SelfOwningRefCounted>();
auto* object_ptr = object.ptr();
object = nullptr;
object_ptr->inner = nullptr;
}

12
Tests/AK/TestOwnPtr.cpp
View file

@ -21,3 +21,15 @@ TEST_CASE(should_call_custom_deleter)
ptr.clear();
EXPECT_EQ(1u, deleter_call_count);
}
TEST_CASE(destroy_self_owning_object)
{
struct SelfOwning {
OwnPtr<SelfOwning> self;
};
OwnPtr<SelfOwning> object = make<SelfOwning>();
auto* object_ptr = object.ptr();
object->self = move(object);
object = nullptr;
object_ptr->self = nullptr;
}

14
Tests/AK/TestRefPtr.cpp
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018-2020, Andreas Kling <kling@serenityos.org>
* Copyright (c) 2018-2023, Andreas Kling <kling@serenityos.org>
*
* SPDX-License-Identifier: BSD-2-Clause
*/
@ -153,3 +153,15 @@ TEST_CASE(adopt_ref_if_nonnull)
RefPtr<SelfAwareObject> failed_allocation = adopt_ref_if_nonnull(null_object);
EXPECT_EQ(failed_allocation.is_null(), true);
}
TEST_CASE(destroy_self_owning_refcounted_object)
{
struct SelfOwningRefCounted : public RefCounted<SelfOwningRefCounted> {
RefPtr<SelfOwningRefCounted> self;
};
RefPtr object = make_ref_counted<SelfOwningRefCounted>();
auto* object_ptr = object.ptr();
object->self = object;
object = nullptr;
object_ptr->self = nullptr;
}