the mechanism defect of `bt_action_server ->on_cleanup()` may lead to UAF

## Bug report

**Required Info:**

- Operating System:
  -  Ubuntu22.04
- ROS2 Version:
  -  humble
- Version or commit hash:
  -  the latest
- DDS implementation:
  -  defaulted

#### Steps to reproduce issue


I encounter this UAF-bug many times when using the Nav2Goal feature 

Launch the navigation2 normally, as following steps:
```sh
#!/bin/bash
export ASAN_OPTIONS=halt_on_error=0:new_delete_type_mismatch=0:detect_leaks=0:log_pah=asan
source install/setup.bash
export TURTLEBOT3_MODEL=waffle
export GAZEBO_MODEL_PATH=$GAZEBO_MODEL_PATH:/opt/ros/humble/share/turtlebot3_gazebo/models
ros2 launch nav2_bringup tb3_simulation_launch.py headless:=True use_rviz:=False use_composition:=False 
```

Keep sending `Nav2Goal` in rviz2-displayer or sending goal by command `ros2 action send_goal` or send msm into topic `/goal_pose` , in which the goal_pose is random.

Finally sent Ctrl+C to shutdown navigation2, which is before stop the action-sending and even before the latest action-goal finished.

An ASAN report file was discovered in my execution environment.


#### Expected behavior


#### Actual behavior
The ASAN reporting a **use-after-free** bug to me, as following:
```
=================================================================
==151301==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030006bf260 at pc 0x563e36ee1206 bp 0x7fb86af78520 sp 0x7fb86af77cd0
READ of size 16 at 0x6030006bf260 thread T17
    #0 0x563e36ee1205 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) (/home/*****/nav2_humble/install/nav2_bt_navigator/lib/nav2_bt_navigator/bt_navigator+0x4c205) (BuildId: 34a63e084ab75f9b1885869f4001c62f73d97070)
    #1 0x563e36ee1759 in bcmp (/home/*****/nav2_humble/install/nav2_bt_navigator/lib/nav2_bt_navigator/bt_navigator+0x4c759) (BuildId: 34a63e084ab75f9b1885869f4001c62f73d97070)
    #2 0x7fb87667cec2 in nav2_bt_navigator::NavigatorMuxer::stopNavigating(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/home/*****/nav2_humble/install/nav2_bt_navigator/lib/libbt_navigator_core.so+0x47cec2) (BuildId: 014f746fc22fa55b4dda12be8ead56d03af59e4e)
    #3 0x7fb87666d1a6 in nav2_bt_navigator::Navigator<nav2_msgs::action::NavigateToPose>::onCompletion(std::shared_ptr<nav2_msgs::action::NavigateToPose_Result_<std::allocator<void> > >, nav2_behavior_tree::BtStatus) (/home/*****/nav2_humble/install/nav2_bt_navigator/lib/libbt_navigator_core.so+0x46d1a6) (BuildId: 014f746fc22fa55b4dda12be8ead56d03af59e4e)
    #4 0x7fb87667bb81 in void std::__invoke_impl<void, void (nav2_bt_navigator::Navigator<nav2_msgs::action::NavigateToPose>::*&)(std::shared_ptr<nav2_msgs::action::NavigateToPose_Result_<std::allocator<void> > >, nav2_behavior_tree::BtStatus), nav2_bt_navigator::Navigator<nav2_msgs::action::NavigateToPose>*&, std::shared_ptr<nav2_msgs::action::NavigateToPose_Result_<std::allocator<void> > >, nav2_behavior_tree::BtStatus>(std::__invoke_memfun_deref, void (nav2_bt_navigator::Navigator<nav2_msgs::action::NavigateToPose>::*&)(std::shared_ptr<nav2_msgs::action::NavigateToPose_Result_<std::allocator<void> > >, nav2_behavior_tree::BtStatus), nav2_bt_navigator::Navigator<nav2_msgs::action::NavigateToPose>*&, std::shared_ptr<nav2_msgs::action::NavigateToPose_Result_<std::allocator<void> > >&&, nav2_behavior_tree::BtStatus&&) (/home/*****/nav2_humble/install/nav2_bt_navigator/lib/libbt_navigator_core.so+0x47bb81) (BuildId: 014f746fc22fa55b4dda12be8ead56d03af59e4e)
    #5 0x7fb87667b6e6 in std::_Function_handler<void (std::shared_ptr<nav2_msgs::action::NavigateToPose_Result_<std::allocator<void> > >, nav2_behavior_tree::BtStatus), std::_Bind<void (nav2_bt_navigator::Navigator<nav2_msgs::action::NavigateToPose>::* (nav2_bt_navigator::Navigator<nav2_msgs::action::NavigateToPose>*, std::_Placeholder<1>, std::_Placeholder<2>))(std::shared_ptr<nav2_msgs::action::NavigateToPose_Result_<std::allocator<void> > >, nav2_behavior_tree::BtStatus)> >::_M_invoke(std::_Any_data const&, std::shared_ptr<nav2_msgs::action::NavigateToPose_Result_<std::allocator<void> > >&&, nav2_behavior_tree::BtStatus&&) (/home/*****/nav2_humble/install/nav2_bt_navigator/lib/libbt_navigator_core.so+0x47b6e6) (BuildId: 014f746fc22fa55b4dda12be8ead56d03af59e4e)
    #6 0x7fb87667ea2f in nav2_behavior_tree::BtActionServer<nav2_msgs::action::NavigateToPose>::executeCallback() (/home/*****/nav2_humble/install/nav2_bt_navigator/lib/libbt_navigator_core.so+0x47ea2f) (BuildId: 014f746fc22fa55b4dda12be8ead56d03af59e4e)
    #7 0x7fb8766a9cef in nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>::work() (/home/*****/nav2_humble/install/nav2_bt_navigator/lib/libbt_navigator_core.so+0x4a9cef) (BuildId: 014f746fc22fa55b4dda12be8ead56d03af59e4e)
    #8 0x7fb8766a9208 in std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >)::'lambda'()> >, void>::operator()() const (/home/*****/nav2_humble/install/nav2_bt_navigator/lib/libbt_navigator_core.so+0x4a9208) (BuildId: 014f746fc22fa55b4dda12be8ead56d03af59e4e)
    #9 0x7fb8766a8f29 in std::enable_if<is_invocable_r_v<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter>, std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >)::'lambda'()> >, void>&>, std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> >::type std::__invoke_r<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter>, std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >)::'lambda'()> >, void>&>(std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >)::'lambda'()> >, void>&) (/home/*****/nav2_humble/install/nav2_bt_navigator/lib/libbt_navigator_core.so+0x4a8f29) (BuildId: 014f746fc22fa55b4dda12be8ead56d03af59e4e)
    #10 0x7fb8766a8db0 in std::_Function_handler<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> (), std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >)::'lambda'()> >, void> >::_M_invoke(std::_Any_data const&) (/home/*****/nav2_humble/install/nav2_bt_navigator/lib/libbt_navigator_core.so+0x4a8db0) (BuildId: 014f746fc22fa55b4dda12be8ead56d03af59e4e)
    #11 0x7fb8792457f6 in std::__future_base::_State_baseV2::_M_do_set(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*) (/home/*****/nav2_humble/install/nav2_behavior_tree/lib/libnav2_compute_path_to_pose_action_bt_node.so+0x307f6) (BuildId: 552cfd70a84cf279d69712ed189efea8e25d71f0)
    #12 0x7fb875899ee7 in __pthread_once_slow nptl/./nptl/pthread_once.c:116:7
    #13 0x7fb8766a6b8a in std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >)::'lambda'()> >, void>::_M_run() (/home/*****/nav2_humble/install/nav2_bt_navigator/lib/libbt_navigator_core.so+0x4a6b8a) (BuildId: 014f746fc22fa55b4dda12be8ead56d03af59e4e)
    #14 0x7fb875cdc252  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xdc252) (BuildId: e37fe1a879783838de78cbc8c80621fa685d58a2)
    #15 0x7fb875894ac2 in start_thread nptl/./nptl/pthread_create.c:442:8
    #16 0x7fb87592684f  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x6030006bf260 is located 0 bytes inside of 31-byte region [0x6030006bf260,0x6030006bf27f)
freed by thread T0 here:
    #0 0x563e36f8511d in operator delete(void*) (/home/*****/nav2_humble/install/nav2_bt_navigator/lib/nav2_bt_navigator/bt_navigator+0xf011d) (BuildId: 34a63e084ab75f9b1885869f4001c62f73d97070)
    #1 0x7fb876596e21 in nav2_bt_navigator::BtNavigator::~BtNavigator() (/home/*****/nav2_humble/install/nav2_bt_navigator/lib/libbt_navigator_core.so+0x396e21) (BuildId: 014f746fc22fa55b4dda12be8ead56d03af59e4e)
    #2 0x7fb875829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

previously allocated by thread T13 here:
    #0 0x563e36f848bd in operator new(unsigned long) (/home/*****/nav2_humble/install/nav2_bt_navigator/lib/nav2_bt_navigator/bt_navigator+0xef8bd) (BuildId: 34a63e084ab75f9b1885869f4001c62f73d97070)
    #1 0x7fb875d4bfee in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_assign(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x14bfee) (BuildId: e37fe1a879783838de78cbc8c80621fa685d58a2)

Thread T17 created by T0 here:
    #0 0x563e36f32f6c in __interceptor_pthread_create (/home/*****/nav2_humble/install/nav2_bt_navigator/lib/nav2_bt_navigator/bt_navigator+0x9df6c) (BuildId: 34a63e084ab75f9b1885869f4001c62f73d97070)
    #1 0x7fb875cdc328 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xdc328) (BuildId: e37fe1a879783838de78cbc8c80621fa685d58a2)
    #2 0x7fb8766a6509 in std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >)::'lambda'()> >, void>::_Async_state_impl<nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >)::'lambda'()>(nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >)::'lambda'()&&) (/home/*****/nav2_humble/install/nav2_bt_navigator/lib/libbt_navigator_core.so+0x4a6509) (BuildId: 014f746fc22fa55b4dda12be8ead56d03af59e4e)
    #3 0x7fb8766a5e50 in std::_Sp_counted_ptr_inplace<std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >)::'lambda'()> >, void>, std::allocator<std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >)::'lambda'()> >, void> >, (__gnu_cxx::_Lock_policy)2>::_Sp_counted_ptr_inplace<nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >)::'lambda'()>(std::allocator<std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >)::'lambda'()> >, void> >, nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >)::'lambda'()&&) (/home/*****/nav2_humble/install/nav2_bt_navigator/lib/libbt_navigator_core.so+0x4a5e50) (BuildId: 014f746fc22fa55b4dda12be8ead56d03af59e4e)
    #4 0x7fb8766a365a in std::future<std::__invoke_result<std::decay<nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >)::'lambda'()>::type>::type> std::async<nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >)::'lambda'()>(std::launch, nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >)::'lambda'()&&) (/home/*****/nav2_humble/install/nav2_bt_navigator/lib/libbt_navigator_core.so+0x4a365a) (BuildId: 014f746fc22fa55b4dda12be8ead56d03af59e4e)
    #5 0x7fb87668c533 in nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >) (/home/*****/nav2_humble/install/nav2_bt_navigator/lib/libbt_navigator_core.so+0x48c533) (BuildId: 014f746fc22fa55b4dda12be8ead56d03af59e4e)
    #6 0x7fb8766af3ae in void std::__invoke_impl<void, void (nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>::*&)(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >), nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>*&, std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> > >(std::__invoke_memfun_deref, void (nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>::*&)(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >), nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>*&, std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >&&) (/home/*****/nav2_humble/install/nav2_bt_navigator/lib/libbt_navigator_core.so+0x4af3ae) (BuildId: 014f746fc22fa55b4dda12be8ead56d03af59e4e)
    #7 0x7fb876694973 in rclcpp_action::Server<nav2_msgs::action::NavigateToPose>::call_goal_accepted_callback(std::shared_ptr<rcl_action_goal_handle_s>, std::array<unsigned char, 16ul>, std::shared_ptr<void>) (/home/*****/nav2_humble/install/nav2_bt_navigator/lib/libbt_navigator_core.so+0x494973) (BuildId: 014f746fc22fa55b4dda12be8ead56d03af59e4e)
    #8 0x7fb877a7e1b6 in rclcpp_action::ServerBase::execute_goal_request_received(std::shared_ptr<void>&) (/opt/ros/humble/lib/librclcpp_action.so+0x131b6) (BuildId: 8da0710b8af025b200f6ce73ffc85c5ed5c45a8d)

Thread T13 created by T0 here:
    #0 0x563e36f32f6c in __interceptor_pthread_create (/home/*****/nav2_humble/install/nav2_bt_navigator/lib/nav2_bt_navigator/bt_navigator+0x9df6c) (BuildId: 34a63e084ab75f9b1885869f4001c62f73d97070)
    #1 0x7fb875cdc328 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xdc328) (BuildId: e37fe1a879783838de78cbc8c80621fa685d58a2)
    #2 0x7fb8766a6509 in std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >)::'lambda'()> >, void>::_Async_state_impl<nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >)::'lambda'()>(nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >)::'lambda'()&&) (/home/*****/nav2_humble/install/nav2_bt_navigator/lib/libbt_navigator_core.so+0x4a6509) (BuildId: 014f746fc22fa55b4dda12be8ead56d03af59e4e)
    #3 0x7fb8766a5e50 in std::_Sp_counted_ptr_inplace<std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >)::'lambda'()> >, void>, std::allocator<std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >)::'lambda'()> >, void> >, (__gnu_cxx::_Lock_policy)2>::_Sp_counted_ptr_inplace<nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >)::'lambda'()>(std::allocator<std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >)::'lambda'()> >, void> >, nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >)::'lambda'()&&) (/home/*****/nav2_humble/install/nav2_bt_navigator/lib/libbt_navigator_core.so+0x4a5e50) (BuildId: 014f746fc22fa55b4dda12be8ead56d03af59e4e)
    #4 0x7fb8766a365a in std::future<std::__invoke_result<std::decay<nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >)::'lambda'()>::type>::type> std::async<nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >)::'lambda'()>(std::launch, nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >)::'lambda'()&&) (/home/*****/nav2_humble/install/nav2_bt_navigator/lib/libbt_navigator_core.so+0x4a365a) (BuildId: 014f746fc22fa55b4dda12be8ead56d03af59e4e)
    #5 0x7fb87668c533 in nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>::handle_accepted(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >) (/home/*****/nav2_humble/install/nav2_bt_navigator/lib/libbt_navigator_core.so+0x48c533) (BuildId: 014f746fc22fa55b4dda12be8ead56d03af59e4e)
    #6 0x7fb8766af3ae in void std::__invoke_impl<void, void (nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>::*&)(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >), nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>*&, std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> > >(std::__invoke_memfun_deref, void (nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>::*&)(std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >), nav2_util::SimpleActionServer<nav2_msgs::action::NavigateToPose>*&, std::shared_ptr<rclcpp_action::ServerGoalHandle<nav2_msgs::action::NavigateToPose> >&&) (/home/*****/nav2_humble/install/nav2_bt_navigator/lib/libbt_navigator_core.so+0x4af3ae) (BuildId: 014f746fc22fa55b4dda12be8ead56d03af59e4e)
    #7 0x7fb876694973 in rclcpp_action::Server<nav2_msgs::action::NavigateToPose>::call_goal_accepted_callback(std::shared_ptr<rcl_action_goal_handle_s>, std::array<unsigned char, 16ul>, std::shared_ptr<void>) (/home/*****/nav2_humble/install/nav2_bt_navigator/lib/libbt_navigator_core.so+0x494973) (BuildId: 014f746fc22fa55b4dda12be8ead56d03af59e4e)
    #8 0x7fb877a7e1b6 in rclcpp_action::ServerBase::execute_goal_request_received(std::shared_ptr<void>&) (/opt/ros/humble/lib/librclcpp_action.so+0x131b6) (BuildId: 8da0710b8af025b200f6ce73ffc85c5ed5c45a8d)

SUMMARY: AddressSanitizer: heap-use-after-free (/home/*****/nav2_humble/install/nav2_bt_navigator/lib/nav2_bt_navigator/bt_navigator+0x4c205) (BuildId: 34a63e084ab75f9b1885869f4001c62f73d97070) in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long)
Shadow bytes around the buggy address:
  0x0c06800cfdf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c06800cfe00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c06800cfe10: fa fa fa fa fa fa 00 00 00 00 fa fa 00 00 00 03
  0x0c06800cfe20: fa fa 00 00 00 fa fa fa fa fa fa fa fa fa fa fa
  0x0c06800cfe30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c06800cfe40: fa fa fa fa fa fa fa fa fa fa fa fa[fd]fd fd fd
  0x0c06800cfe50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c06800cfe60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c06800cfe70: fa fa fa fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x0c06800cfe80: fa fa fa fa fa fa fa fa fd fd fd fa fa fa fa fa
  0x0c06800cfe90: fa fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
```

#### Additional information


----
**simple analysis:**
1> During the shutdown period, a difficult to execute action thread is currently blocking and has received a shutdown signal
2> nav2 starts resource cleaning, and finally nav2_bt_navigator is released as a whole. The destructor releases all the pointers it creates, but the actionServer thread is still executing, resulting in UAF access.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

the mechanism defect of `bt_action_server ->on_cleanup()` may lead to UAF #4175

Bug report

Steps to reproduce issue

Expected behavior

Actual behavior

Additional information

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

the mechanism defect of bt_action_server ->on_cleanup() may lead to UAF #4175

Description

Bug report

Steps to reproduce issue

Expected behavior

Actual behavior

Additional information

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

the mechanism defect of `bt_action_server ->on_cleanup()` may lead to UAF #4175