Is it possible to be memory-safe with deallocated `*self`?

Wow, good catch! You are right. If this e.g. decrements from 2 to 1, but then before fetch_sub returns another thread decrements from 1 to 0 and deallocates, we have an &self pointing to deallocated memory.

But this is a problem. I am not sure what exactly dereferenceable means for LLVM, but it seems to me that a pointer to memory that disappears while the function still runs must NOT be marked dereferenceable. @hanna-kruppe, what do you think?

My inclination is that there should be a variant of fetch_sub that takes a raw pointer for self, and Arc should use that. Or else we have to remove dereferenceable from shared references (maybe just non-Freeze shared references), which seems bad.

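As an added example (not code from the thread and not std's `Arc`), here is a minimal Arc-like type whose `Drop` shows where the race described above sits: after a non-final `fetch_sub` nothing may touch the allocation, yet `fetch_sub` still autorefs an `&AtomicUsize` into it, which is exactly the reference at issue. All names (`MiniArc`, `Inner`) are constructed for this example.

```rust
use std::ptr::NonNull;
use std::sync::atomic::{fence, AtomicUsize, Ordering};

// Heap block shared by every handle (this example's own type, not std's ArcInner).
struct Inner<T> { strong: AtomicUsize, data: T }

// Minimal Arc-like handle written for this example.
pub struct MiniArc<T> { ptr: NonNull<Inner<T>> }

unsafe impl<T: Send + Sync> Send for MiniArc<T> {}
unsafe impl<T: Send + Sync> Sync for MiniArc<T> {}

impl<T> MiniArc<T> {
    pub fn new(data: T) -> Self {
        let inner = Box::new(Inner { strong: AtomicUsize::new(1), data });
        MiniArc { ptr: NonNull::from(Box::leak(inner)) }
    }
    pub fn strong_count(this: &Self) -> usize {
        unsafe { (*this.ptr.as_ptr()).strong.load(Ordering::Acquire) }
    }
}

impl<T> Clone for MiniArc<T> {
    fn clone(&self) -> Self {
        // Relaxed suffices: we hold a handle, so the count is already >= 1.
        unsafe { (*self.ptr.as_ptr()).strong.fetch_add(1, Ordering::Relaxed) };
        MiniArc { ptr: self.ptr }
    }
}

impl<T> std::ops::Deref for MiniArc<T> {
    type Target = T;
    fn deref(&self) -> &T { unsafe { &(*self.ptr.as_ptr()).data } }
}

impl<T> Drop for MiniArc<T> {
    fn drop(&mut self) {
        let inner = self.ptr.as_ptr(); // raw pointer, so no `&Inner<T>` is held
        // The race from the thread: if this decrement is not the final one,
        // another thread may free `*inner` before `fetch_sub` even returns, so
        // nothing on the early-return path may touch it. The `&AtomicUsize`
        // autoref'd for `fetch_sub` is the reference the thread argues must not
        // be marked `dereferenceable`.
        if unsafe { (*inner).strong.fetch_sub(1, Ordering::Release) } != 1 {
            return;
        }
        // Final decrement observed: acquire the other droppers' writes, then free.
        fence(Ordering::Acquire);
        unsafe { drop(Box::from_raw(inner)) };
    }
}
```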