test: m_on_cancel called after request finishes (#34782)

Test from: bitcoin/bitcoin#34782 (comment)

Author: Sjors

include/mp/proxy.h

@@ -74,6 +74,8 @@ struct ProxyContext
     //! Hook called on the worker thread just before loop->sync() in PassField
     //! for Context arguments. Used by tests to inject precise disconnect timing.
     std::function<void()> testing_hook_before_sync;
+    //! Hook called on the worker thread just before returning results.
+    std::function<void()> testing_hook_after_cleanup;
 #endif
 
     ProxyContext(Connection* connection);

include/mp/type-context.h

@@ -193,6 +193,9 @@ auto PassField(Priority<1>, TypeList<>, ServerContext& server_context, const Fn&
                     }
                     // End of scope: if KJ_DEFER was reached, it runs here
                 }
+#ifndef NDEBUG
+                if (server.m_context.testing_hook_after_cleanup) server.m_context.testing_hook_after_cleanup();
+#endif
                 return call_context;
             };
 

test/mp/test/test.cpp

@@ -366,6 +366,39 @@ KJ_TEST("Calling async IPC method, with server disconnect racing the call")
 #endif
 }
 
+KJ_TEST("Calling async IPC method, with server disconnect after cleanup")
+{
+#ifdef NDEBUG
+    KJ_LOG(WARNING, "Test skipped: testing_hook_after_cleanup requires debug build");
+    return;
+#else
+    // Regression test for bitcoin/bitcoin#34782 (stack-use-after-return where
+    // the m_on_cancel callback accessed stack-local cancel_mutex and
+    // server_context after the invoke lambda's inner scope exited). The fix
+    // clears m_on_cancel in the cleanup loop->sync() so it is null by the
+    // time the scope exits.
+    //
+    // Use testing_hook_after_cleanup to trigger a server disconnect after the
+    // inner scope exits (cancel_mutex destroyed). Without the fix, the
+    // disconnect fires m_on_cancel which accesses the destroyed mutex.
+    TestSetup setup;
+    ProxyClient<messages::FooInterface>* foo = setup.client.get();
+    foo->initThreadMap();
+    setup.server->m_impl->m_fn = [] {};
+
+    setup.server->m_context.testing_hook_after_cleanup = [&] {
+        setup.server_disconnect();
+    };
+
+    try {
+        foo->callFnAsync();
+        KJ_EXPECT(false);
+    } catch (const std::runtime_error& e) {
+        KJ_EXPECT(std::string_view{e.what()} == "IPC client method call interrupted by disconnect.");
+    }
+#endif
+}
+
 KJ_TEST("Make simultaneous IPC calls on single remote thread")
 {
     TestSetup setup;