From 67f3a10c6861a8200002c3e1a6de1af12a39cdd4 Mon Sep 17 00:00:00 2001
From: art-snake
Date: Mon, 30 Sep 2024 11:27:14 +0300
Subject: [PATCH] fix use_of_uninitialized_value in message_loop_task_queues.cc

This issue was found with memory sanitizer. Commit f2f09b69691403d08fac3cb56e00bfc619a371af introduced a change that leads to use-after-free condition. In function MessageLoopTaskQueues::GetNextTaskToRun: 1) Call is made to PeekNextTaskUnlocked(queue_id);. Returned value contains a reference to to an object of const DelayedTask& taken from an std::queue container as returned by primary_task_queue_.top(). 2) Variable TaskSource::TopTask top now contains a reference to this object. 3) Function queue_entries_.at(top.task_queue_id)->task_source->PopTask(...) which in turn calls pop() method on std::queue. 4) Object of type DelayedTask on top of the queue gets deleted. 5) top.task.GetTaskSourceGrade() is called later with top.task refering to an already deleted object.
---
 fml/message_loop_task_queues.cc | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/fml/message_loop_task_queues.cc b/fml/message_loop_task_queues.cc
index bc017cc00c2e7..f32fa7410a060 100644
--- a/fml/message_loop_task_queues.cc
+++ b/fml/message_loop_task_queues.cc
@@ -132,9 +132,8 @@ fml::closure MessageLoopTaskQueues::GetNextTaskToRun(TaskQueueId queue_id,
 return nullptr;
 }
 fml::closure invocation = top.task.GetTask();
- queue_entries_.at(top.task_queue_id)
- ->task_source->PopTask(top.task.GetTaskSourceGrade());
 const auto task_source_grade = top.task.GetTaskSourceGrade();
+ queue_entries_.at(top.task_queue_id)->task_source->PopTask(task_source_grade);
 tls_task_source_grade.reset(new TaskSourceGradeHolder{task_source_grade});
 return invocation;
 }
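Review bot: After the moved PopTask call on the `+` line, `top` still holds the reference that the commit message says pop() destroys, so any later read of `top.task` in this function would reintroduce the same use-after-free, and nothing in the code marks that boundary; a comment on the new line would keep the invariant visible: `// PopTask() destroys the DelayedTask that top.task refers to; everything needed from top must be read before this call.` The fix relies on `invocation` and `task_source_grade` both being copied out before the pop, which the visible lines do but only by statement order. If PeekNextTaskUnlocked could return TopTask by value, or TopTask could carry the grade as a value instead of exposing the queue element by reference, the hazard would be removed rather than ordered around — I cannot see that signature here to judge whether the copy is acceptable. GetNextTaskToRun begins before the hunk.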