fix: don't destroy server in stop() - causes use-after-free

claude · claude · commit 79554e8cae94 · 2025-12-04T20:34:57.000Z
The stop() method was calling m_server.reset() which destroys the
httplib::Server. But listen() is a blocking call that may still be on
the call stack in another thread. Destroying the server while listen()
is returning causes null pointer dereference (SIGSEGV at 0x20).

The crash was in httplib's process_request during map operations
(__construct_node at string:1793), where httplib was trying to copy
headers but the Server object had been destroyed.

Fix:
- stop() now only signals shutdown via m_server-&gt;stop(), does NOT
  call reset() or clear()
- Destructor handles actual destruction: stops server, resets
  (joins threads), then clears content
- This ensures the server is only destroyed after listen() has
  fully returned and all threads are joined
diff --git a/src/odr/http_server.cpp b/src/odr/http_server.cpp
@@ -91,6 +91,11 @@ class HttpServer::Impl {
       m_server->stop();
       m_server.reset();  // Destroy server, join all thread pool threads
     }
+
+    // Clear content after server is fully destroyed.
+    // This is safe now because all threads have been joined.
+    clear();
+
     // Now safe to let other members destruct - no threads are running
   }
 
@@ -239,21 +244,20 @@ class HttpServer::Impl {
     ODR_VERBOSE(*m_logger, "Stopping HTTP server...");
 
     // Set stopping flag first to reject new requests immediately.
-    // This prevents new requests from starting while we're shutting down.
     m_stopping.store(true, std::memory_order_release);
 
     if (m_server) {
-      // Stop the server to prevent new connections.
-      // Note: httplib::Server::stop() signals shutdown but thread pool
-      // threads may still be running. They only fully stop when the
-      // Server is destroyed. For explicit stop() calls (not destructor),
-      // we destroy the server here to ensure threads are joined.
+      // Signal the server to stop. This will cause listen() to return.
+      // IMPORTANT: Do NOT call m_server.reset() here! The listen() call
+      // may still be on the call stack in another thread. Destroying the
+      // server while listen() is returning causes use-after-free crashes.
+      // The destructor will handle the actual destruction after listen()
+      // has fully returned.
       m_server->stop();
-      m_server.reset();  // Destroy server, join all thread pool threads
     }
 
-    // Clear content after server is fully destroyed to avoid use-after-free.
-    clear();
+    // Note: We don't call clear() here anymore because handlers might still
+    // be running until the server is actually destroyed in the destructor.
   }
 
 private:
