<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href=https://github.com/llvm/llvm-project/issues/64152>64152</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            [C++20] [Coroutines] Use-After-Free problem if we destroy the coroutine handle in other thread while we're in await_suspend
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            coroutines
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          ChuanqiXu9
      </td>
    </tr>
</table>

<pre>
    This comes from https://github.com/llvm/llvm-project/issues/56301. And this may be the later reported use-after-free problem.

The spec http://eel.is/c++draft/expr.await#5.1 says the coroutine is considered to be suspended once `await_ready()` returns false. In other words, the coroutine is considered to be suspended once it enters `await_suspend()`. Then it is legal to destroy a coroutine in other threads when it has entered `await_suspend()` but has not left yet.

But this is problematic and unimplementable actually, for example,

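```C++
#include <coroutine>

// Declared elsewhere; signatures assumed for illustration.
void init(int &);
void func(std::coroutine_handle<>);  // may pass the handle on asynchronously
void use(int);

struct Awaiter {
  int suspended;

  bool await_ready() { return false; }

  void await_suspend(const std::coroutine_handle<> h) {
    init(suspended);

    func(h);  // the coroutine may be destroyed from here on

    use(suspended);  // reads a member of an awaiter that lives on the frame
  }

  void await_resume() {}
};
```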

When we're executing the above `await_suspend()`, and we pass the coroutine handle to an async function `Register` then the coroutine handle may get destroyed. Then it is problematic to access the variable `suspended`.

This is because the awaiter lives on the coroutine frame, but we may access it after the coroutine has been destroyed in `await_suspend()`.

I am not sure if this is specified in the spec. But I don't feel it is implementable in LLVM.

</pre>