From 09fe9f4542bdada7369a19f5c3fc3b9c0b21969f Mon Sep 17 00:00:00 2001 From: Andrew Kaster Date: Wed, 12 May 2021 04:46:16 -0600 Subject: [PATCH] Tests: Fix use-after-free in TestRefPtr.self_observers We can't unref an object to destruction while there's still a live RefPtr to the object, otherwise the RefPtr destructor will try to destroy it again, accessing the refcount of a destroyed object (before realizing that oops! the object is already dead) --- Tests/AK/TestRefPtr.cpp | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/Tests/AK/TestRefPtr.cpp b/Tests/AK/TestRefPtr.cpp index 26615ffba96..995b6fcf1db 100644 --- a/Tests/AK/TestRefPtr.cpp +++ b/Tests/AK/TestRefPtr.cpp @@ -129,22 +129,22 @@ TEST_CASE(assign_copy_self) TEST_CASE(self_observers) { - RefPtr object = adopt_ref(*new SelfAwareObject); - EXPECT_EQ(object->ref_count(), 1u); - EXPECT_EQ(object->m_has_one_ref_left, false); - EXPECT_EQ(SelfAwareObject::num_destroyed, 0u); + { + RefPtr object = adopt_ref(*new SelfAwareObject); + EXPECT_EQ(object->ref_count(), 1u); + EXPECT_EQ(object->m_has_one_ref_left, false); + EXPECT_EQ(SelfAwareObject::num_destroyed, 0u); - object->ref(); - EXPECT_EQ(object->ref_count(), 2u); - EXPECT_EQ(object->m_has_one_ref_left, false); - EXPECT_EQ(SelfAwareObject::num_destroyed, 0u); + object->ref(); + EXPECT_EQ(object->ref_count(), 2u); + EXPECT_EQ(object->m_has_one_ref_left, false); + EXPECT_EQ(SelfAwareObject::num_destroyed, 0u); - object->unref(); - EXPECT_EQ(object->ref_count(), 1u); - EXPECT_EQ(object->m_has_one_ref_left, true); - EXPECT_EQ(SelfAwareObject::num_destroyed, 0u); - - object->unref(); + object->unref(); + EXPECT_EQ(object->ref_count(), 1u); + EXPECT_EQ(object->m_has_one_ref_left, true); + EXPECT_EQ(SelfAwareObject::num_destroyed, 0u); + } EXPECT_EQ(SelfAwareObject::num_destroyed, 1u); }