Fix use-after-free in moveForSlabRelease fragmentation stats

AlnisM · meta-codesync[bot] · commit 336cf2a37730 · 2026-03-30T12:03:46.000-07:00
Summary:
`moveForSlabRelease` called `util::getFragmentation(*this, oldItem)` after
`allocator_-&gt;free(&amp;oldItem)`, accessing freed memory (`getSize()`,
`isChainedItem()`, `getKey()`). Move the fragmentation computation before the
`free()` call to eliminate the use-after-free.

Reviewed By: rlyerly

Differential Revision: D98666914

fbshipit-source-id: 427d5a8e460d22a3d13e4941401d7dd8b60bd3a9
diff --git a/cachelib/allocator/CacheAllocator.h b/cachelib/allocator/CacheAllocator.h
@@ -5246,10 +5246,9 @@ bool CacheAllocator<CacheTrait>::moveForSlabRelease(Item& oldItem) {
     auto ref = unmarkMovingAndWakeUpWaiters(oldItem, std::move(newItemHdl));
     XDCHECK_EQ(0u, ref);
   }
-  allocator_->free(&oldItem);
-
   (*stats_.fragmentationSize)[allocInfo.poolId][allocInfo.classId].sub(
       util::getFragmentation(*this, oldItem));
+  allocator_->free(&oldItem);
   stats_.numMoveSuccesses.inc();
   return true;
 }

Original file line number	Diff line number	Diff line change
`@@ -5246,10 +5246,9 @@ bool CacheAllocator<CacheTrait>::moveForSlabRelease(Item& oldItem) {`
`5246`	`5246`	`auto ref = unmarkMovingAndWakeUpWaiters(oldItem, std::move(newItemHdl));`
`5247`	`5247`	`XDCHECK_EQ(0u, ref);`
`5248`	`5248`	`}`
`5249`		`- allocator_->free(&oldItem);`
`5250`		`-`
`5251`	`5249`	`(*stats_.fragmentationSize)[allocInfo.poolId][allocInfo.classId].sub(`
`5252`	`5250`	`util::getFragmentation(*this, oldItem));`
	`5251`	`+ allocator_->free(&oldItem);`
`5253`	`5252`	`stats_.numMoveSuccesses.inc();`
`5254`	`5253`	`return true;`
`5255`	`5254`	`}`