-
Notifications
You must be signed in to change notification settings - Fork 280
Fix use-after-free bug in registry_watcher#554
Fix use-after-free bug in registry_watcher #554Royar13 wants to merge 2 commits intomicrosoft:master from
Conversation
dmachaj
commented
Oct 29, 2025
/azp run
ChrisGuzak
commented
Oct 29, 2025
looks good. do you have a synthetic test that shows the problem and validates the fix?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This suggests you are guarding against negative values. If you've seen this actually happen, we'd be very interested to learn more since that would suggest there's a mis-match of AddRef and Release.
dunhor
commented
Oct 30, 2025
Something seems fishy here. unique_threadpool_wait calls WaitForThreadpoolWaitCallbacks in its destructor, so scenario doesn't seem possible, assuming everything is working as designed. In particular, registry_watcher_state cannot be fully deleted during an invocation of the callback.
You do mention:
TryAddRef() is reached and accesses destroyed member m_refCount
which may technically have some merit to it since m_refCount is declared after m_threadPoolWait in the definition of registry_watcher_state. That said, longs are trivially destructible, so this is only a "technically wrong" thing and unlikely to be observable in practice, outside of something like a Debug build or ASan/UBSan etc.
I'll second Chris' question - I'd like to know more about the scenario where you've seen issues.
Fix the following scenario: