fix use-after-free bug

ericniebler · ericniebler · commit d44ca194fc55 · 2025-04-07T10:07:22.000-07:00
diff --git a/include/stdexec/__detail/__optional.hpp b/include/stdexec/__detail/__optional.hpp
@@ -19,6 +19,7 @@
 
 // include these after __execution_fwd.hpp
 #include "__concepts.hpp"
+#include "__scope.hpp"
 
 #include <new> // IWYU pragma: keep for ::new
 #include <exception>
@@ -34,6 +35,13 @@ namespace stdexec {
       }
     };
 
+    inline auto __mk_has_value_guard(bool& __has_value) noexcept {
+      __has_value = true;
+      return __scope_guard{[&]() noexcept {
+        __has_value = false;
+      }};
+    }
+
     inline constexpr struct __nullopt_t {
     } __nullopt{};
 
@@ -43,10 +51,10 @@ namespace stdexec {
       static_assert(destructible<_Tp>);
 
       union {
-        _Tp __value;
+        _Tp __value_;
       };
 
-      bool __has_value = false;
+      bool __has_value_ = false;
 
       __optional() noexcept {
       }
@@ -58,88 +66,102 @@ namespace stdexec {
 
       template <__not_decays_to<__optional> _Up>
         requires constructible_from<_Tp, _Up>
-      __optional(_Up&& __v)
-        : __value(static_cast<_Up&&>(__v))
-        , __has_value(true) {
+      __optional(_Up&& __v) noexcept(__nothrow_constructible_from<_Tp, _Up>) {
+        emplace(static_cast<_Up&&>(__v));
       }
 
       template <class... _Us>
         requires constructible_from<_Tp, _Us...>
-      __optional(std::in_place_t, _Us&&... __us)
-        : __value(static_cast<_Us&&>(__us)...)
-        , __has_value(true) {
+      __optional(std::in_place_t, _Us&&... __us) noexcept(
+        __nothrow_constructible_from<_Tp, _Us...>) {
+        emplace(static_cast<_Us&&>(__us)...);
       }
 
       ~__optional() {
-        if (__has_value) {
-          std::destroy_at(std::addressof(__value));
+        if (__has_value_) {
+          std::destroy_at(std::addressof(__value_));
         }
       }
 
+      // The following emplace function must take great care to avoid use-after-free bugs.
+      // If the object being constructed calls `start` on a newly created operation state
+      // (as does the object returned from `submit`), and if `start` completes inline, it
+      // could cause the destruction of the outer operation state that owns *this. The
+      // function below uses the following pattern to avoid this:
+      // 1. Set __has_value_ to true.
+      // 2. Create a scope guard that will reset __has_value_ to false if the constructor
+      //    throws.
+      // 3. Construct the new object in the storage, which may cause the invalidation of
+      //    *this. The emplace function must not access any members of *this after this point.
+      // 4. Dismiss the scope guard, which will leave __has_value_ set to true.
+      // 5. Return a reference to the new object -- which may be invalid! Calling code
+      //    must be aware of the danger.
       template <class... _Us>
         requires constructible_from<_Tp, _Us...>
       auto emplace(_Us&&... __us) noexcept(__nothrow_constructible_from<_Tp, _Us...>) -> _Tp& {
-        reset(); // sets __has_value to false in case the next line throws
-        ::new (&__value) _Tp{static_cast<_Us&&>(__us)...};
-        __has_value = true;
-        return __value;
+        reset();
+        auto __sg = __mk_has_value_guard(__has_value_);
+        auto* __p = ::new (static_cast<void*>(std::addressof(__value_)))
+          _Tp{static_cast<_Us&&>(__us)...};
+        __sg.__dismiss();
+        return *std::launder(__p);
       }
 
       auto value() & -> _Tp& {
-        if (!__has_value) {
+        if (!__has_value_) {
           throw __bad_optional_access();
         }
-        return __value;
+        return __value_;
       }
 
       auto value() const & -> const _Tp& {
-        if (!__has_value) {
+        if (!__has_value_) {
           throw __bad_optional_access();
         }
-        return __value;
+        return __value_;
       }
 
       auto value() && -> _Tp&& {
-        if (!__has_value) {
+        if (!__has_value_) {
           throw __bad_optional_access();
         }
-        return static_cast<_Tp&&>(__value);
+        return static_cast<_Tp&&>(__value_);
       }
 
       auto operator*() & noexcept -> _Tp& {
-        STDEXEC_ASSERT(__has_value);
-        return __value;
+        STDEXEC_ASSERT(__has_value_);
+        return __value_;
       }
 
       auto operator*() const & noexcept -> const _Tp& {
-        STDEXEC_ASSERT(__has_value);
-        return __value;
+        STDEXEC_ASSERT(__has_value_);
+        return __value_;
       }
 
       auto operator*() && noexcept -> _Tp&& {
-        STDEXEC_ASSERT(__has_value);
-        return static_cast<_Tp&&>(__value);
+        STDEXEC_ASSERT(__has_value_);
+        return static_cast<_Tp&&>(__value_);
       }
 
       auto operator->() & noexcept -> _Tp* {
-        STDEXEC_ASSERT(__has_value);
-        return &__value;
+        STDEXEC_ASSERT(__has_value_);
+        return &__value_;
       }
 
       auto operator->() const & noexcept -> const _Tp* {
-        STDEXEC_ASSERT(__has_value);
-        return &__value;
+        STDEXEC_ASSERT(__has_value_);
+        return &__value_;
       }
 
       [[nodiscard]]
       auto has_value() const noexcept -> bool {
-        return __has_value;
+        return __has_value_;
       }
 
       void reset() noexcept {
-        if (__has_value) {
-          std::destroy_at(std::addressof(__value));
-          __has_value = false;
+        if (__has_value_) {
+          std::destroy_at(std::addressof(__value_));
+          __has_value_ = false;
         }
       }
     };
diff --git a/include/stdexec/__detail/__submit.hpp b/include/stdexec/__detail/__submit.hpp
@@ -70,35 +70,35 @@ namespace stdexec {
         static_cast<_Sender&&>(__sndr), static_cast<_Receiver&&>(__rcvr)};
     }
 
-    // This implementation is used if the sender has a non-static submit member function.
-    template <class _Sender, class _Receiver, class _Default = __void>
-      requires sender_to<_Sender, _Receiver> && __submit::__has_memfn<_Sender, _Receiver>
-    auto operator()(_Sender&& __sndr, _Receiver __rcvr, [[maybe_unused]] _Default __def = {}) const
-      noexcept(noexcept(static_cast<_Sender&&>(__sndr).submit(static_cast<_Receiver&&>(__rcvr)))) {
-      using __result_t =
-        decltype(static_cast<_Sender&&>(__sndr).submit(static_cast<_Receiver&&>(__rcvr)));
-      if constexpr (__same_as<__result_t, void> && !__same_as<_Default, __void>) {
-        static_cast<_Sender&&>(__sndr).submit(static_cast<_Receiver&&>(__rcvr));
-        return __def;
-      } else {
-        return static_cast<_Sender&&>(__sndr).submit(static_cast<_Receiver&&>(__rcvr));
-      }
-    }
+    // // This implementation is used if the sender has a non-static submit member function.
+    // template <class _Sender, class _Receiver, class _Default = __void>
+    //   requires sender_to<_Sender, _Receiver> && __submit::__has_memfn<_Sender, _Receiver>
+    // auto operator()(_Sender&& __sndr, _Receiver __rcvr, [[maybe_unused]] _Default __def = {}) const
+    //   noexcept(noexcept(static_cast<_Sender&&>(__sndr).submit(static_cast<_Receiver&&>(__rcvr)))) {
+    //   using __result_t =
+    //     decltype(static_cast<_Sender&&>(__sndr).submit(static_cast<_Receiver&&>(__rcvr)));
+    //   if constexpr (__same_as<__result_t, void> && !__same_as<_Default, __void>) {
+    //     static_cast<_Sender&&>(__sndr).submit(static_cast<_Receiver&&>(__rcvr));
+    //     return __def;
+    //   } else {
+    //     return static_cast<_Sender&&>(__sndr).submit(static_cast<_Receiver&&>(__rcvr));
+    //   }
+    // }
 
-    // This implementation is used if the sender has a static submit member function.
-    template <class _Sender, class _Receiver, class _Default = __void>
-      requires sender_to<_Sender, _Receiver> && __submit::__has_static_memfn<_Sender, _Receiver>
-    auto operator()(_Sender&& __sndr, _Receiver __rcvr, [[maybe_unused]] _Default __def = {}) const
-      noexcept(noexcept(__sndr.submit(static_cast<_Sender&&>(__sndr), static_cast<_Receiver&&>(__rcvr)))) {
-      using __result_t =
-        decltype(__sndr.submit(static_cast<_Sender&&>(__sndr), static_cast<_Receiver&&>(__rcvr)));
-      if constexpr (__same_as<__result_t, void> && !__same_as<_Default, __void>) {
-        __sndr.submit(static_cast<_Sender&&>(__sndr), static_cast<_Receiver&&>(__rcvr));
-        return __def;
-      } else {
-        return __sndr.submit(static_cast<_Sender&&>(__sndr), static_cast<_Receiver&&>(__rcvr));
-      }
-    }
+    // // This implementation is used if the sender has a static submit member function.
+    // template <class _Sender, class _Receiver, class _Default = __void>
+    //   requires sender_to<_Sender, _Receiver> && __submit::__has_static_memfn<_Sender, _Receiver>
+    // auto operator()(_Sender&& __sndr, _Receiver __rcvr, [[maybe_unused]] _Default __def = {}) const
+    //   noexcept(noexcept(__sndr.submit(static_cast<_Sender&&>(__sndr), static_cast<_Receiver&&>(__rcvr)))) {
+    //   using __result_t =
+    //     decltype(__sndr.submit(static_cast<_Sender&&>(__sndr), static_cast<_Receiver&&>(__rcvr)));
+    //   if constexpr (__same_as<__result_t, void> && !__same_as<_Default, __void>) {
+    //     __sndr.submit(static_cast<_Sender&&>(__sndr), static_cast<_Receiver&&>(__rcvr));
+    //     return __def;
+    //   } else {
+    //     return __sndr.submit(static_cast<_Sender&&>(__sndr), static_cast<_Receiver&&>(__rcvr));
+    //   }
+    // }
   };
 
   inline constexpr __submit_t submit{};
diff --git a/include/stdexec/__detail/__variant.hpp b/include/stdexec/__detail/__variant.hpp
@@ -18,6 +18,7 @@
 #include "__meta.hpp"
 #include "__type_traits.hpp"
 #include "__utility.hpp"
+#include "__scope.hpp"
 
 #include <cstddef>
 #include <memory>
@@ -40,6 +41,13 @@ namespace stdexec {
   struct __monostate { };
 
   namespace __var {
+    STDEXEC_ATTRIBUTE((host, device)) inline auto __mk_index_guard(std::size_t &__index, std::size_t __new) noexcept {
+      __index = __new;
+      return __scope_guard{[&__index]() noexcept {
+        __index = __variant_npos;
+      }};
+    }
+
     template <auto _Idx, class... _Ts>
     class __variant;
 
@@ -102,16 +110,30 @@ namespace stdexec {
         return __index_ == __variant_npos;
       }
 
+      // The following emplace functions must take great care to avoid use-after-free bugs.
+      // If the object being constructed calls `start` on a newly created operation state
+      // (as does the object returned from `submit`), and if `start` completes inline, it
+      // could cause the destruction of the outer operation state that owns *this. The
+      // function below uses the following pattern to avoid this:
+      // 1. Store the new index in __index_.
+      // 2. Create a scope guard that will reset __index_ to __variant_npos if the
+      //    constructor throws.
+      // 3. Construct the new object in the storage, which may cause the invalidation of
+      //    *this. The emplace function must not access any members of *this after this point.
+      // 4. Dismiss the scope guard, which will leave __index_ set to the new index.
+      // 5. Return a reference to the new object -- which may be invalid! Calling code
+      //    must be aware of the danger.
       template <class _Ty, class... _As>
       STDEXEC_ATTRIBUTE((host, device)) auto emplace(_As &&...__as) //
         noexcept(__nothrow_constructible_from<_Ty, _As...>) -> _Ty & {
         constexpr std::size_t __new_index = stdexec::__index_of<_Ty, _Ts...>();
         static_assert(__new_index != __variant_npos, "Type not in variant");
 
         __destroy();
-        ::new (__storage_) _Ty{static_cast<_As &&>(__as)...};
-        __index_ = __new_index;
-        return *std::launder(reinterpret_cast<_Ty *>(__storage_));
+        auto __sg = __mk_index_guard(__index_, __new_index);
+        auto *__p = ::new (__storage_) _Ty{static_cast<_As &&>(__as)...};
+        __sg.__dismiss();
+        return *std::launder(__p);
       }
 
       template <std::size_t _Ny, class... _As>
@@ -120,9 +142,10 @@ namespace stdexec {
         static_assert(_Ny < sizeof...(_Ts), "variant index is too large");
 
         __destroy();
-        ::new (__storage_) __at<_Ny>{static_cast<_As &&>(__as)...};
-        __index_ = _Ny;
-        return *std::launder(reinterpret_cast<__at<_Ny> *>(__storage_));
+        auto __sg = __mk_index_guard(__index_, _Ny);
+        auto *__p = ::new (__storage_) __at<_Ny>{static_cast<_As &&>(__as)...};
+        __sg.__dismiss();
+        return *std::launder(__p);
       }
 
       template <std::size_t _Ny, class _Fn, class... _As>
@@ -133,9 +156,11 @@ namespace stdexec {
           "callable does not return the correct type");
 
         __destroy();
-        ::new (__storage_) __at<_Ny>(static_cast<_Fn &&>(__fn)(static_cast<_As &&>(__as)...));
-        __index_ = _Ny;
-        return *std::launder(reinterpret_cast<__at<_Ny> *>(__storage_));
+        auto __sg = __mk_index_guard(__index_, _Ny);
+        auto *__p = ::new (__storage_)
+          __at<_Ny>(static_cast<_Fn &&>(__fn)(static_cast<_As &&>(__as)...));
+        __sg.__dismiss();
+        return *std::launder(__p);
       }
 
       template <class _Fn, class... _As>
