Index: base/memory/scoped_ptr.h |
diff --git a/base/memory/scoped_ptr.h b/base/memory/scoped_ptr.h |
index fb781b0b32ddfd8b47ff3e4a0662ff53b9cd8760..2399e954cc6451ab593661a04c9bb5643ce3aedb 100644 |
--- a/base/memory/scoped_ptr.h |
+++ b/base/memory/scoped_ptr.h |
@@ -228,25 +228,14 @@ class scoped_ptr_impl { |
// https://crbug.com/162971 |
assert(!ShouldAbortOnSelfReset<D>::value || p == nullptr || p != data_.ptr); |
- // Note that running data_.ptr = p can lead to undefined behavior if |
- // get_deleter()(get()) deletes this. In order to prevent this, reset() |
- // should update the stored pointer before deleting its old value. |
- // |
- // However, changing reset() to use that behavior may cause current code to |
- // break in unexpected ways. If the destruction of the owned object |
- // dereferences the scoped_ptr when it is destroyed by a call to reset(), |
- // then it will incorrectly dispatch calls to |p| rather than the original |
- // value of |data_.ptr|. |
- // |
- // During the transition period, set the stored pointer to nullptr while |
- // deleting the object. Eventually, this safety check will be removed to |
- // prevent the scenario initially described from occuring and |
- // http://crbug.com/176091 can be closed. |
+ // Match C++11's definition of unique_ptr::reset(), which requires changing |
+ // the pointer before invoking the deleter on the old pointer. This prevents |
+ // |this| from being accessed after the deleter is run, which may destroy |
+ // |this|. |
T* old = data_.ptr; |
- data_.ptr = nullptr; |
+ data_.ptr = p; |
if (old != nullptr) |
static_cast<D&>(data_)(old); |
- data_.ptr = p; |
} |
T* get() const { return data_.ptr; } |