test: getParams() called after request cancel (#34777)

Sjors · Sjors · commit 74459b8e203f · 2026-03-11T11:27:22.000+01:00
Test from: bitcoin/bitcoin#34777 (comment)
diff --git a/include/mp/proxy.h b/include/mp/proxy.h
@@ -70,6 +70,9 @@ struct ProxyContext
     Connection* connection;
     EventLoopRef loop;
     CleanupList cleanup_fns;
+    //! Hook called on the worker thread just before loop->sync() in PassField
+    //! for Context arguments. Used by tests to inject precise disconnect timing.
+    std::function<void()> testing_hook_before_sync;
 
     ProxyContext(Connection* connection);
 };
diff --git a/include/mp/type-context.h b/include/mp/type-context.h
@@ -72,6 +72,7 @@ auto PassField(Priority<1>, TypeList<>, ServerContext& server_context, const Fn&
     auto self = server.thisCap();
     auto invoke = [self = kj::mv(self), call_context = kj::mv(server_context.call_context), &server, req, fn, args...](CancelMonitor& cancel_monitor) mutable {
                 MP_LOG(*server.m_context.loop, Log::Debug) << "IPC server executing request #" << req;
+                if (server.m_context.testing_hook_before_sync) server.m_context.testing_hook_before_sync();
                 ServerContext server_context{server, call_context, req};
                 {
                     // Before invoking the function, store a reference to the
diff --git a/test/mp/test/test.cpp b/test/mp/test/test.cpp
@@ -325,6 +325,43 @@ KJ_TEST("Calling IPC method, disconnecting and blocking during the call")
     signal.set_value();
 }
 
+KJ_TEST("Calling async IPC method, with server disconnect racing the call")
+{
+    // Regression test for bitcoin/bitcoin#34777 (heap-use-after-free where
+    // getParams() was called on the worker thread after the event loop thread
+    // freed the RpcCallContext on disconnect). The fix moves getParams() inside
+    // loop->sync() so it always runs on the event loop thread.
+    //
+    // Use testing_hook_before_sync to pause the worker thread just before it
+    // enters loop->sync(), then disconnect the server from a separate thread.
+    TestSetup setup;
+    ProxyClient<messages::FooInterface>* foo = setup.client.get();
+    foo->initThreadMap();
+    setup.server->m_impl->m_fn = [] {};
+
+    std::promise<void> worker_ready;
+    std::promise<void> disconnect_done;
+    auto disconnect_done_future = disconnect_done.get_future().share();
+    setup.server->m_context.testing_hook_before_sync = [&worker_ready, disconnect_done_future] {
+        worker_ready.set_value();
+        disconnect_done_future.wait();
+    };
+
+    std::thread disconnect_thread{[&] {
+        worker_ready.get_future().wait();
+        setup.server_disconnect();
+        disconnect_done.set_value();
+    }};
+
+    try {
+        foo->callFnAsync();
+        KJ_EXPECT(false);
+    } catch (const std::runtime_error& e) {
+        KJ_EXPECT(std::string_view{e.what()} == "IPC client method call interrupted by disconnect.");
+    }
+    disconnect_thread.join();
+}
+
 KJ_TEST("Make simultaneous IPC calls on single remote thread")
 {
     TestSetup setup;

Original file line number	Diff line number	Diff line change
`@@ -72,6 +72,7 @@ auto PassField(Priority<1>, TypeList<>, ServerContext& server_context, const Fn&`
`72`	`72`	`auto self = server.thisCap();`
`73`	`73`	`auto invoke = [self = kj::mv(self), call_context = kj::mv(server_context.call_context), &server, req, fn, args...](CancelMonitor& cancel_monitor) mutable {`
`74`	`74`	`MP_LOG(*server.m_context.loop, Log::Debug) << "IPC server executing request #" << req;`
	`75`	`+ if (server.m_context.testing_hook_before_sync) server.m_context.testing_hook_before_sync();`
`75`	`76`	`ServerContext server_context{server, call_context, req};`
`76`	`77`	`{`
`77`	`78`	`// Before invoking the function, store a reference to the`