race fix: m_on_cancel called after request finishes

ryanofsky · ryanofsky · commit 415081af17de · 2026-03-11T08:39:38.000-04:00
This fixes a race condition in the mp.Context PassField() overload which is used to execute async requests, that can currently trigger segfaults as reported in bitcoin/bitcoin#34782 when a cancellation happens after the request executes but before it returns. The bug can be reproduced by running the unit test added in the previous commit and was also seen in antithesis (see details in linked issue), but should be unlikely to happen normally because the cancellation would have to happen in a very short window for there to be a problem. This bug was introduced commit in 0174450 which started to cancel requests on disconnects. Before that commit a cancellation callback was not present. This fix was originally posted in bitcoin/bitcoin#34782 (comment) and there is a sequence diagram explaining the bug in bitcoin-core#249 (comment)
diff --git a/include/mp/type-context.h b/include/mp/type-context.h
@@ -157,6 +157,15 @@ auto PassField(Priority<1>, TypeList<>, ServerContext& server_context, const Fn&
                         // the disconnect handler trying to destroy the thread
                         // client object.
                         server.m_context.loop->sync([&] {
+                            // Clear cancellation callback. At this point the
+                            // method invocation finished and the result is
+                            // either being returned, or discarded if a
+                            // cancellation happened. So we do not need to be
+                            // notified of cancellations after this point. Also
+                            // we do not want to be notified because
+                            // cancel_mutex and server_context could be out of
+                            // scope when it happens.
+                            cancel_monitor.m_on_cancel = nullptr;
                             auto self_dispose{kj::mv(self)};
                             if (erase_thread) {
                             // Look up the thread again without using existing
