Fix use-after-free of FSocketIONative from its own game-thread callbacks#462
Open
marekl11 wants to merge 1 commit into
Open
Fix use-after-free of FSocketIONative from its own game-thread callbacks#462marekl11 wants to merge 1 commit into
marekl11 wants to merge 1 commit into
Conversation
SetupInternalCallbacks() marshals each internal listener (connect/disconnect/ namespace/fail/reconnect) onto the game thread via RunShortLambdaOnGameThread, and those lambdas captured the FSocketIONative by reference. The deferred task lives on the game-thread task graph independently of the object, so if the native client is released before the task runs, the lambda dereferences freed memory. This reproduces during a UE level transition: tearing down the old world releases the client on a background thread, and LoadMap's own FlushRenderingCommands then pumps the game-thread task graph and runs the stale callback. Observed as an access violation reading 0xffffffffffffffff on the game thread, top frame being the namespace-disconnect lambda. FSocketIONative now derives from TSharedFromThis and each deferred lambda captures a TWeakPtr and Pin()s it, so it no-ops if the object is already gone. A weak (not strong) capture avoids extending the object's lifetime and moving its destruction (which joins the network thread) onto the game thread. This is the same class of fix as the component-level weak-pointer guard, one layer down at the native object. The shared-pointer mode has to be ESPMode::ThreadSafe because the object can be released on a background thread while the lambda runs on the game thread, so the refcount must be atomic; the handful of TSharedPtr<FSocketIONative> in the module API change accordingly (README example updated to match). The outer asio-thread listeners intentionally keep their [&] capture: PrivateClient is the last member, so ~FSocketIONative destroys it first and the network thread is joined before the other members are torn down.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
SetupInternalCallbacks() marshals each internal listener (connect/disconnect/ namespace/fail/reconnect) onto the game thread via RunShortLambdaOnGameThread, and those lambdas captured the FSocketIONative by reference. The deferred task lives on the game-thread task graph independently of the object, so if the native client is released before the task runs, the lambda dereferences freed memory.
This reproduces during a UE level transition: tearing down the old world releases the client on a background thread, and LoadMap's own FlushRenderingCommands then pumps the game-thread task graph and runs the stale callback. Observed as an access violation reading 0xffffffffffffffff on the game thread, top frame being the namespace-disconnect lambda.
FSocketIONative now derives from TSharedFromThis and each deferred lambda captures a TWeakPtr and Pin()s it, so it no-ops if the object is already gone. A weak (not strong) capture avoids extending the object's lifetime and moving its destruction (which joins the network thread) onto the game thread. This is the same class of fix as the component-level weak-pointer guard, one layer down at the native object.
The shared-pointer mode has to be ESPMode::ThreadSafe because the object can be released on a background thread while the lambda runs on the game thread, so the refcount must be atomic; the handful of TSharedPtr in the module API change accordingly (README example updated to match). The outer asio-thread listeners intentionally keep their [&] capture: PrivateClient is the last member, so ~FSocketIONative destroys it first and the network thread is joined before the other members are torn down.