common/RefCountedObject: fix use-after-free in debug print

We could race with another thread that deletes this right after we call
dec().  Our access of cct would then become a use-after-free.  Valgrind
managed to turn this up.

Copy it into a local variable before the dec() to be safe, and move the
dout line below to make this possibility explicit and obvious in the code.

Signed-off-by: Sage Weil <sage@redhat.com>

diff --git a/src/common/RefCountedObj.h b/src/common/RefCountedObj.h
index f9644a791cefdcf4b0c244e1d3f0f5b6aa772fb0..b16e071238afdb6dbf59f983682262abc37a25b2 100644 (file)
--- a/src/common/RefCountedObj.h
+++ b/src/common/RefCountedObj.h
@@ -39,13 +39,14 @@ public:
     return this;
   }
   void put() {
+    CephContext *local_cct = cct;
     int v = nref.dec();
-    if (cct)
-      lsubdout(cct, refs, 1) << "RefCountedObject::put " << this << " "
-                            << (v + 1) << " -> " << v
-                            << dendl;
     if (v == 0)
       delete this;
+    if (local_cct)
+      lsubdout(local_cct, refs, 1) << "RefCountedObject::put " << this << " "
+                                  << (v + 1) << " -> " << v
+                                  << dendl;
   }
   void set_cct(CephContext *c) {
     cct = c;