Fix double-free on GCC-12 in CoroTaskRunner frame destruction

pratikmankawde · claude · pratikmankawde · commit 4613377a413c · 2026-02-27T18:38:30.000Z
Replace `task_ = {}` with `std::move(task_)` in resume() and
expectEarlyExit(). The move assignment operator calls
handle_.destroy() while task_.handle_ still holds the old (now
dangling) handle value. If frame destruction triggers re-entrant
runner cleanup on GCC-12, the destructor sees a non-null handle_
and destroys the same frame again — a double-free.

std::move(task_) immediately nulls task_.handle_ via the move
constructor, then the frame is destroyed when the local goes out
of scope. This eliminates the re-entrancy window.

Also remove storedFunc_.reset() from resume() — the callable does
not participate in the shared_ptr cycle and will be cleaned up by
the runner's destructor.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/include/xrpl/core/CoroTaskRunner.ipp b/include/xrpl/core/CoroTaskRunner.ipp
@@ -256,11 +256,12 @@ JobQueue::CoroTaskRunner::resume()
 #ifndef NDEBUG
         finished_ = true;
 #endif
-        // Destroy the coroutine frame to break the shared_ptr cycle:
-        // frame -> lambda captures shared_ptr<CoroTaskRunner> -> this.
-        // Also release the heap-stored callable (no longer needed).
-        task_ = {};
-        storedFunc_.reset();
+        // Break the shared_ptr cycle: frame -> shared_ptr<runner> -> this.
+        // Use std::move (not task_ = {}) so task_.handle_ is null BEFORE the
+        // frame is destroyed. operator= would destroy the frame while handle_
+        // still holds the old value -- a re-entrancy hazard on GCC-12 if
+        // frame destruction triggers runner cleanup.
+        [[maybe_unused]] auto completed = std::move(task_);
     }
     std::lock_guard lk(mutex_run_);
     running_ = false;
@@ -296,11 +297,13 @@ JobQueue::CoroTaskRunner::expectEarlyExit()
         finished_ = true;
 #endif
     }
-    // Destroy the coroutine frame to break a potential shared_ptr cycle.
+    // Break the shared_ptr cycle: frame -> shared_ptr<runner> -> this.
     // The coroutine is at initial_suspend and never ran user code, so
-    // destroying it is safe. Without this, the frame holds a shared_ptr
-    // back to this CoroTaskRunner, creating an unreachable reference cycle.
-    task_ = {};
+    // destroying it is safe. Use std::move (not task_ = {}) so
+    // task_.handle_ is null before the frame is destroyed.
+    {
+        [[maybe_unused]] auto completed = std::move(task_);
+    }
     storedFunc_.reset();
 }
 
