reactor: fix crash in pending registration task after poller dtor
A poller destructor that finds the poller still has
a registration task cancels it (sets _p = nullptr),
however the task remains on the task queue.
The original commit (below) introduced deleting such a
registration task object right in ~poller().
Which means the reactor will pick this task from the task queue
while the contents are stale: use after free.
If we're lucky, _p will still read as nullptr, but otherwise
run_and_dispose() will likely segfault.

Fix:
Removed deleting _registration_task: run_and_dispose() will do it.

Fixes: bcb5cf3

Signed-off-by: Anton Eidelman <[email protected]>

Closes #2571
anton-lb authored and xemul committed Dec 10, 2024
1 parent d605734 commit 7068d03
Showing 1 changed file with 0 additions and 1 deletion.
1 change: 0 additions & 1 deletion src/core/reactor.cc
Expand Up @@ -3445,7 +3445,6 @@ poller::~poller() {
if (_registration_task) {
// not added yet, so don't do it at all.
_registration_task->cancel();
delete _registration_task;
} else if (!engine()._finished_running_tasks) {
// If _finished_running_tasks, the call to add_task() below will just
// leak it, since no one will call task::run_and_dispose(). Just leave
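Review bot: In the `if (_registration_task)` branch, nothing left in the destructor says who frees the task after `cancel()`. The comment there ("not added yet, so don't do it at all") only explains why the poller is not added. Suggest extending it to state what the commit message states: the canceled task stays on the task queue and is freed by `run_and_dispose()`, so it must not be deleted here. That keeps a later cleanup from reintroducing the `delete`. Separately, the comment in the `else if` branch notes that once `_finished_running_tasks` is set no one will call `task::run_and_dispose()`. If a registration task can still be pending at that point, it would now leak instead of being freed. A leak at shutdown is preferable to the use after free, but it is worth confirming whether that case can occur and noting the outcome in the comment.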