Fix a bug in hidden class deletion.

We were leaving the isa pointer pointing to the deleted class and were
then following its super_class pointer, both of which are potentially
serious.  This didn't show up on FreeBSD, because the relevant memory
was always returned to a thread-local pool and the accesses were
immediately afterwards, so it always worked.  It broke with malloc
implementations that were more aggressive about checking for
use-after-free.

Author: davidchisnall

associate.m

@@ -274,6 +274,7 @@ static void deallocHiddenClass(id obj, SEL _cmd)
 			sub = sub->sibling_class;
 		}
 	}
+	obj->isa = hiddenClass->super_class;
 	// Free the class
 	free(hiddenClass);
 }

runtime.c

@@ -40,11 +40,14 @@ PRIVATE void call_cxx_destruct(id obj)
 
 	while (cls)
 	{
-		if (cls->cxx_destruct)
+		// If we're deallocating a class with a hidden class, then the
+		// `.cxx_destruct` method may deallocate the class.
+		Class currentClass = cls;
+		cls = cls->super_class;
+		if (currentClass->cxx_destruct)
 		{
-			cls->cxx_destruct(obj, cxx_destruct);
+			currentClass->cxx_destruct(obj, cxx_destruct);
 		}
-		cls = cls->super_class;
 	}
 }