From e7539936ea26d2db3b1612ebed8271bc1e80f79c Mon Sep 17 00:00:00 2001
From: JasonZhang <74013184+zhangzhuang15@users.noreply.github.com>
Date: Sat, 6 Dec 2025 17:48:40 +0800
Subject: [PATCH] fix: prevent null pointer dereference in rb_tree delete_fixup
 (#952)

---
 src/data_structures/rb_tree.rs | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/src/data_structures/rb_tree.rs b/src/data_structures/rb_tree.rs
index df7d09cb006..5cb6316b150 100644
--- a/src/data_structures/rb_tree.rs
+++ b/src/data_structures/rb_tree.rs
@@ -367,6 +367,12 @@ unsafe fn delete_fixup<K: Ord, V>(tree: &mut RBTree<K, V>, mut parent: *mut RBNo
     let mut sr: *mut RBNode<K, V>;
 
     loop {
+        // rb-tree will keep color balance up to root,
+        // if parent is null, we are done.
+        if parent.is_null() {
+            break;
+        }
+
         /*
          * Loop invariants:
          * - node is black (or null on first iteration)
@@ -647,4 +653,23 @@ mod tests {
         let s: String = tree.iter().map(|x| x.value).collect();
         assert_eq!(s, "hlo orl!");
     }
+
+    #[test]
+    fn delete_edge_case_null_pointer_guard() {
+        let mut tree = RBTree::<i8, i8>::new();
+        tree.insert(4, 4);
+        tree.insert(2, 2);
+        tree.insert(5, 5);
+        tree.insert(0, 0);
+        tree.insert(3, 3);
+        tree.insert(-1, -1);
+        tree.insert(1, 1);
+        tree.insert(-2, -2);
+        tree.insert(6, 6);
+        tree.insert(7, 7);
+        tree.insert(8, 8);
+        tree.delete(&1);
+        tree.delete(&3);
+        tree.delete(&-1);
+    }
 }