[Runtime] Fix swift_weakTakeStrong().

al45tair · al45tair · commit 381f397e6f98 · 2023-04-14T18:40:34.000+01:00
It turns out that when taking the last weak reference for an object that
has been deallocated, we might have returned a non-null pointer when we
shouldn't have.  Which is exciting.

rdar://106375185
diff --git a/stdlib/public/SwiftShims/swift/shims/RefCount.h b/stdlib/public/SwiftShims/swift/shims/RefCount.h
@@ -1457,17 +1457,18 @@ class HeapObjectSideTableEntry {
     return this;
   }
 
-  void decrementWeak() {
+  bool decrementWeak() {
     // FIXME: assertions
     // FIXME: optimize barriers
     bool cleanup = refCounts.decrementWeakShouldCleanUp();
     if (!cleanup)
-      return;
+      return false;
 
     // Weak ref count is now zero. Delete the side table entry.
     // FREED -> DEAD
     assert(refCounts.getUnownedCount() == 0);
     swift_cxx_deleteObject(this);
+    return true;
   }
 
   void decrementWeakNonAtomic() {
diff --git a/stdlib/public/runtime/WeakReference.h b/stdlib/public/runtime/WeakReference.h
@@ -174,8 +174,7 @@ class WeakReference {
   
   HeapObject *nativeTakeStrongFromBits(WeakReferenceBits bits) {
     auto side = bits.getNativeOrNull();
-    if (side) {
-      side->decrementWeak();
+    if (side && !side->decrementWeak()) {
       return side->tryRetain();
     } else {
       return nullptr;
