Fix possible double free during context destruction

2025-09-09 00:48:50 -07:00
parent 52008a0110
commit 9282e0bbc6
2 changed files with 36 additions and 18 deletions
--- a/src/refcount.c
+++ b/src/refcount.c
@ -95,23 +95,32 @@ refcount_make_context(size_t entry_offset,
 }

 /**
- * Cleanup a #RefcountContext and free any associated resources. This also
- * causes all remaining references, both static and non-static, to be dropped
- * and the context's destroy callback to be called on each object.
+ * Callback that deinits a static, but sets its static_entry field to NULL
+ * first. Used in #refcount_context_destroy.
+ */
+static void deinit_static_for_context_destroy(void *obj, void *ctx_raw) {
+    RefcountContext *ctx = ctx_raw;
+    ENTRY->impl.static_entry = NULL;
+    refcount_context_deinit_static(ctx, obj);
+}
+
+/**
+ * Cleanup a #RefcountContext and free any associated resources. This first
+ * frees all static objects, then runs the garbage collector.
 * @param ctx The #RefcountContext
 */
 void refcount_context_destroy(RefcountContext *ctx) {
-    refcount_list_free_with_data_full(
-        ctx->static_objects, refcount_context_deinit_static_as_callback, ctx,
+    refcount_list_free_with_data_full(ctx->static_objects,
+                                      deinit_static_for_context_destroy, ctx,
                                      &ctx->alloc);

+    refcount_context_garbage_collect(ctx);
+
 #ifdef REFCOUNT_HAS_THREADS
    mtx_destroy(&ctx->so_mtx);
    mtx_destroy(&ctx->gr_mtx);
 #endif

-    refcount_context_garbage_collect(ctx);
-
    refcount_free(&ctx->alloc, ctx);
 }

@ -325,8 +334,11 @@ bool refcount_context_deinit_static(RefcountContext *ctx, void *obj) {
    ht_free(ENTRY->destructors);
    unref_weakref(ctx, ENTRY->weak_ref);
    unlock_entry_mtx(ENTRY);
+    // this is set to null if we are destroying the context
+    if (ENTRY->impl.static_entry) {
        ctx->static_objects = refcount_list_remove_full(
            ctx->static_objects, ENTRY->impl.static_entry, NULL, &ctx->alloc);
+    }
    refcount_list_free_with_data_full(
        held_refs, refcount_context_unref_as_callback, ctx, &ctx->alloc);
    success = true;
--- a/test/test_refcount.c
+++ b/test/test_refcount.c
@ -55,12 +55,16 @@ int main(int argc, const char **argv) {

    ctx_and_flag.ctx = c;

-    A static_a = {
-        .num = 0,
-        .str = counting_strdup("static"),
-        .next = make_a(c, 0, "in static"),
-    };
-    refcount_context_init_static(c, &static_a);
+#define STATIC_A(id)                            \
+    A static_a_##id = {                         \
+        .num = __LINE__,                        \
+        .str = counting_strdup("static " #id),  \
+        .next = make_a(c, 0, "in static " #id), \
+    };                                          \
+    refcount_context_init_static(c, &static_a_##id)
+    STATIC_A(1);
+    STATIC_A(2);
+    STATIC_A(3);

    A *a = make_a(c, 10, "Hello world\n");
    assert(!refcount_context_is_static(c, a));
@ -187,10 +191,12 @@ int main(int argc, const char **argv) {
    assert(refcount_context_num_refs(c, a) == 1);
    assert(!refcount_context_unref(c, a));

-    refcount_context_deinit_static(c, &static_a);
-    counting_free(static_a.str);
+    refcount_context_deinit_static(c, &static_a_1);
+    counting_free(static_a_1.str);

    refcount_context_destroy(c);
+    counting_free(static_a_2.str);
+    counting_free(static_a_3.str);

    check_allocator_status();
    return 0;