Summary
A race during strand teardown can null-dereference service_: enqueue() commits to post_invoker() while shutdown() nulls out service_.
Detail
Race in strand_service.cpp:173 — enqueue() returns true (committed to post_invoker()) while shutdown() stores nullptr into service_; the invoker's operator new then dereferences the now-null service_. Nothing serializes the two paths.
Suggested acceptance criteria
- The
enqueue()/shutdown() paths are serialized (or otherwise made race-free).
- No null-deref of
service_ during strand teardown.
References
strand_service.cpp:173.
Summary
A race during strand teardown can null-dereference
service_:enqueue()commits topost_invoker()whileshutdown()nulls outservice_.Detail
Race in
strand_service.cpp:173—enqueue()returns true (committed topost_invoker()) whileshutdown()stores nullptr intoservice_; the invoker'soperator newthen dereferences the now-nullservice_. Nothing serializes the two paths.Suggested acceptance criteria
enqueue()/shutdown()paths are serialized (or otherwise made race-free).service_during strand teardown.References
strand_service.cpp:173.