fixes heap-use-after-free when cleaning up interaction

Summary: Fixes heap-use-after-free bug by changing the lambda that cleans up a tile aka interaction to capture the variables needed before scheduling the lambda. Differential Revision: D52223739 fbshipit-source-id: 770f4e83f29222fea8331adcdf5376596e228ff0
facebook · Jan 9, 2024 · 3b3db56 · 3b3db56
1 parent f7c8a33
commit 3b3db56
Showing 1 changed file with 6 additions and 5 deletions.
diff --git a/third-party/thrift/src/thrift/lib/cpp2/async/AsyncProcessor.cpp b/third-party/thrift/src/thrift/lib/cpp2/async/AsyncProcessor.cpp
@@ -163,8 +163,9 @@ void GeneratedAsyncProcessorBase::processInteraction(ServerRequest&& req) {
   apache::thrift::detail::ServerRequestHelper::setInternalPriority(
       request, source);
 
-  apache::thrift::detail::ServerRequestHelper::resourcePool(request)->accept(
-      std::move(request));
+  auto&& resourcePool =
+      apache::thrift::detail::ServerRequestHelper::resourcePool(request);
+  resourcePool->accept(std::move(request));
 }
 
 bool GeneratedAsyncProcessorBase::createInteraction(ServerRequest& req) {
@@ -805,7 +806,8 @@ bool HandlerCallbackBase::fulfillTilePromise(std::unique_ptr<Tile> ptr) {
     return false;
   }
 
-  auto fn = [ctx = reqCtx_,
+  auto fn = [connCtx = reqCtx_->getConnectionContext(),
+             interactionId = reqCtx_->getInteractionId(),
              interaction = std::move(interaction_),
              ptr = std::move(ptr),
              tm = getThreadManager_deprecated(),
@@ -819,8 +821,7 @@ bool HandlerCallbackBase::fulfillTilePromise(std::unique_ptr<Tile> ptr) {
     } else {
       static_cast<TilePromise&>(*interaction).fulfill(*tile, tm, *eb);
     }
-    ctx->getConnectionContext()->tryReplaceTile(
-        ctx->getInteractionId(), std::move(tile));
+    connCtx->tryReplaceTile(interactionId, std::move(tile));
   };
 
   eb_->runImmediatelyOrRunInEventBaseThread(std::move(fn));