fix another use-after-free...

timfish · timfish · commit 9de613f1fbd0 · 2026-04-14T10:55:44.000+01:00
diff --git a/module.cc b/module.cc
@@ -318,7 +318,7 @@ std::string GetThreadState(Isolate *isolate,
 
 struct InterruptArgs {
   std::promise<JsStackTrace> promise;
-  const std::optional<AsyncLocalStorageLookup> *store;
+  std::shared_ptr<std::optional<AsyncLocalStorageLookup>> store;
 };
 
 // Function to be called when an isolate's execution is interrupted
@@ -348,9 +348,9 @@ static void ExecutionInterrupted(Isolate *isolate, void *data) {
 }
 
 // Function to capture the stack trace of a single isolate
-JsStackTrace
-CaptureStackTrace(Isolate *isolate,
-                  const std::optional<AsyncLocalStorageLookup> &store) {
+JsStackTrace CaptureStackTrace(
+    Isolate *isolate,
+    const std::shared_ptr<std::optional<AsyncLocalStorageLookup>> &store) {
   if (isolate->IsExecutionTerminating()) {
     return JsStackTrace{{}, ""};
   }
@@ -359,12 +359,18 @@ CaptureStackTrace(Isolate *isolate,
   auto future = promise.get_future();
 
   // The v8 isolate must be interrupted to capture the stack trace
+  // Note: Even if we timeout below, the interrupt may still fire later.
+  // The InterruptArgs holds a shared_ptr to keep data alive until the callback
+  // executes.
   isolate->RequestInterrupt(ExecutionInterrupted,
-                            new InterruptArgs{std::move(promise), &store});
+                            new InterruptArgs{std::move(promise), store});
 
   // Wait with timeout to prevent infinite hang if isolate never processes
   // interrupt (e.g., stuck in native code or terminating)
   if (future.wait_for(std::chrono::seconds(5)) == std::future_status::timeout) {
+    // Timeout occurred. The InterruptArgs is intentionally leaked - it will be
+    // deleted by ExecutionInterrupted if/when the callback eventually fires.
+    // The shared_ptr keeps the store data alive.
     return JsStackTrace{{}, ""};
   }
 
@@ -393,15 +399,14 @@ void CaptureStackTraces(const FunctionCallbackInfo<Value> &args) {
       // from map
       auto async_store_ptr = thread_info.async_store;
 
-      futures.emplace_back(
-          std::async(std::launch::async,
-                     [thread_isolate, thread_name, poll_state,
-                      async_store_ptr]() -> ThreadResult {
-                       return ThreadResult{
-                           thread_name,
-                           CaptureStackTrace(thread_isolate, *async_store_ptr),
-                           poll_state};
-                     }));
+      futures.emplace_back(std::async(
+          std::launch::async,
+          [thread_isolate, thread_name, poll_state,
+           async_store_ptr]() -> ThreadResult {
+            return ThreadResult{
+                thread_name, CaptureStackTrace(thread_isolate, async_store_ptr),
+                poll_state};
+          }));
     }
   }
 
