ipc: AddressSanitizer: heap-use-after-free in `capnp::CallContext<ipc::capnp::messages::BlockTemplate::GetBlockParams, ipc::capnp::messages::BlockTemplate::GetBlockResults>::getParams()`

[dergoegge]

[        20.861] [               node1] [err] ==1==ERROR: AddressSanitizer: heap-use-after-free on address 0x7ca5d9d93040 at pc 0x5591a0449d08 bp 0x7b95bdbba8f0 sp 0x7b95bdbba8e8
[        20.861] [               node1] [err] READ of size 8 at 0x7ca5d9d93040 thread T18
[        20.862] [               node1] [inf] 2026-03-04T17:59:47Z [all:info] ipc: {bitcoin-node-1/b-capnp-loop-24} IPC server destroy N2mp11ProxyServerIN3ipc5capnp8messages6MiningEEE
[        20.862] [               node1] [inf] 2026-03-04T17:59:47Z [all:info] ipc: {bitcoin-node-1/b-capnp-loop-24} IPC server: socket disconnected.
[        20.862] [               node1] [inf] 2026-03-04T17:59:47Z [all:info] ipc: {bitcoin-node-1/b-capnp-loop-24} IPC server destroy N2mp11ProxyServerIN3ipc5capnp8messages4InitEEE
[        20.989] [               node1] [err]     #0 0x5591a0449d07 in capnp::CallContext<ipc::capnp::messages::BlockTemplate::GetBlockParams, ipc::capnp::messages::BlockTemplate::GetBlockResults>::getParams() /src/bitcoin/depends/x86_64-pc-linux-gnu/include/capnp/capability.h:1129:16
[        20.989] [               node1] [err]     #1 0x5591a0449d07 in std::enable_if<std::is_same<decltype(mp::Accessor<mp::mining_fields::Context, 17>::get(fp1.call_context.getParams())), mp::Context::Reader>::value, kj::Promise<mp::ServerInvokeContext<mp::ProxyServer<ipc::capnp::messages::BlockTemplate>, capnp::CallContext<ipc::capnp::messages::BlockTemplate::GetBlockParams, ipc::capnp::messages::BlockTemplate::GetBlockResults>>::CallContext>>::type mp::PassField<mp::Accessor<mp::mining_fields::Context, 17>, mp::ServerInvokeContext<mp::ProxyServer<ipc::capnp::messages::BlockTemplate>, capnp::CallContext<ipc::capnp::messages::BlockTemplate::GetBlockParams, ipc::capnp::messages::BlockTemplate::GetBlockResults>>, mp::ServerRet<mp::Accessor<mp::mining_fields::Result, 18>, mp::ServerCall>, mp::TypeList<>>(mp::Priority<1>, mp::TypeList<>, mp::ServerInvokeContext<mp::ProxyServer<ipc::capnp::messages::BlockTemplate>, capnp::CallContext<ipc::capnp::messages::BlockTemplate::GetBlockParams, ipc::capnp::messages::BlockTemplate::GetBlockResults>>&, mp::ServerRet<mp::Accessor<mp::mining_fields::Result, 18>, mp::ServerCall> const&, mp::TypeList<>&&)::'lambda'(mp::CancelMonitor&)::operator()(mp::CancelMonitor&) /src/bitcoin/src/ipc/libmultiprocess/include/mp/type-context.h:77:51
[        20.989] [               node1] [err]     #2 0x5591a0446cd3 in kj::Promise<mp::Accessor<mp::mining_fields::Context, 17>> mp::ProxyServer<mp::Thread>::post<capnp::CallContext<ipc::capnp::messages::BlockTemplate::GetBlockParams, ipc::capnp::messages::BlockTemplate::GetBlockResults>, std::enable_if<std::is_same<decltype(mp::Accessor<mp::mining_fields::Context, 17>::get(fp1.call_context.getParams())), mp::Context::Reader>::value, kj::Promise<mp::ServerInvokeContext<mp::ProxyServer<ipc::capnp::messages::BlockTemplate>, capnp::CallContext<ipc::capnp::messages::BlockTemplate::GetBlockParams, ipc::capnp::messages::BlockTemplate::GetBlockResults>>::CallContext>>::type mp::PassField<mp::Accessor<mp::mining_fields::Context, 17>, mp::ServerInvokeContext<mp::ProxyServer<ipc::capnp::messages::BlockTemplate>, capnp::CallContext<ipc::capnp::messages::BlockTemplate::GetBlockParams, ipc::capnp::messages::BlockTemplate::GetBlockResults>>, mp::ServerRet<mp::Accessor<mp::mining_fields::Result, 18>, mp::ServerCall>, mp::TypeList<>>(mp::Priority<1>, mp::TypeList<>, mp::ServerInvokeContext<mp::ProxyServer<ipc::capnp::messages::BlockTemplate>, capnp::CallContext<ipc::capnp::messages::BlockTemplate::GetBlockParams, ipc::capnp::messages::BlockTemplate::GetBlockResults>>&, mp::ServerRet<mp::Accessor<mp::mining_fields::Result, 18>, mp::ServerCall> const&, mp::TypeList<>&&)::'lambda'(mp::CancelMonitor&)>(mp::ServerInvokeContext<mp::ProxyServer<ipc::capnp::messages::BlockTemplate>, capnp::CallContext<ipc::capnp::messages::BlockTemplate::GetBlockParams, ipc::capnp::messages::BlockTemplate::GetBlockResults>>&&)::'lambda'()::operator()()::'lambda'()::operator()()::'lambda0'()::operator()() const /src/bitcoin/src/ipc/libmultiprocess/include/mp/proxy-io.h:744:100
[        20.989] [               node1] [err]     #3 0x5591a0446cd3 in kj::Maybe<kj::Exception> kj::runCatchingExceptions<kj::Promise<mp::Accessor<mp::mining_fields::Context, 17>> mp::ProxyServer<mp::Thread>::post<capnp::CallContext<ipc::capnp::messages::BlockTemplate::GetBlockParams, ipc::capnp::messages::BlockTemplate::GetBlockResults>, std::enable_if<std::is_same<decltype(mp::Accessor<mp::mining_fields::Context, 17>::get(fp1.call_context.getParams())), mp::Context::Reader>::value, kj::Promise<mp::ServerInvokeContext<mp::ProxyServer<ipc::capnp::messages::BlockTemplate>, capnp::CallContext<ipc::capnp::messages::BlockTemplate::GetBlockParams, ipc::capnp::messages::BlockTemplate::GetBlockResults>>::CallContext>>::type mp::PassField<mp::Accessor<mp::mining_fields::Context, 17>, mp::ServerInvokeContext<mp::ProxyServer<ipc::capnp::messages::BlockTemplate>, capnp::CallContext<ipc::capnp::messages::BlockTemplate::GetBlockParams, ipc::capnp::messages::BlockTemplate::GetBlockResults>>, mp::ServerRet<mp::Accessor<mp::mining_fields::Result, 18>, mp::ServerCall>, mp::TypeList<>>(mp::Priority<1>, mp::TypeList<>, mp::ServerInvokeContext<mp::ProxyServer<ipc::capnp::messages::BlockTemplate>, capnp::CallContext<ipc::capnp::messages::BlockTemplate::GetBlockParams, ipc::capnp::messages::BlockTemplate::GetBlockResults>>&, mp::ServerRet<mp::Accessor<mp::mining_fields::Result, 18>, mp::ServerCall> const&, mp::TypeList<>&&)::'lambda'(mp::CancelMonitor&)>(mp::ServerInvokeContext<mp::ProxyServer<ipc::capnp::messages::BlockTemplate>, capnp::CallContext<ipc::capnp::messages::BlockTemplate::GetBlockParams, ipc::capnp::messages::BlockTemplate::GetBlockResults>>&&)::'lambda'()::operator()()::'lambda'()::operator()()::'lambda0'()>(mp::Accessor<mp::mining_fields::Context, 17>&&) /src/bitcoin/depends/x86_64-pc-linux-gnu/include/kj/exception.h:371:5
[        20.989] [               node1] [err]     #4 0x5591a0445e85 in kj::Promise<mp::Accessor<mp::mining_fields::Context, 17>> mp::ProxyServer<mp::Thread>::post<capnp::CallContext<ipc::capnp::messages::BlockTemplate::GetBlockParams, ipc::capnp::messages::BlockTemplate::GetBlockResults>, std::enable_if<std::is_same<decltype(mp::Accessor<mp::mining_fields::Context, 17>::get(fp1.call_context.getParams())), mp::Context::Reader>::value, kj::Promise<mp::ServerInvokeContext<mp::ProxyServer<ipc::capnp::messages::BlockTemplate>, capnp::CallContext<ipc::capnp::messages::BlockTemplate::GetBlockParams, ipc::capnp::messages::BlockTemplate::GetBlockResults>>::CallContext>>::type mp::PassField<mp::Accessor<mp::mining_fields::Context, 17>, mp::ServerInvokeContext<mp::ProxyServer<ipc::capnp::messages::BlockTemplate>, capnp::CallContext<ipc::capnp::messages::BlockTemplate::GetBlockParams, ipc::capnp::messages::BlockTemplate::GetBlockResults>>, mp::ServerRet<mp::Accessor<mp::mining_fields::Result, 18>, mp::ServerCall>, mp::TypeList<>>(mp::Priority<1>, mp::TypeList<>, mp::ServerInvokeContext<mp::ProxyServer<ipc::capnp::messages::BlockTemplate>, capnp::CallContext<ipc::capnp::messages::BlockTemplate::GetBlockParams, ipc::capnp::messages::BlockTemplate::GetBlockResults>>&, mp::ServerRet<mp::Accessor<mp::mining_fields::Result, 18>, mp::ServerCall> const&, mp::TypeList<>&&)::'lambda'(mp::CancelMonitor&)>(mp::ServerInvokeContext<mp::ProxyServer<ipc::capnp::messages::BlockTemplate>, capnp::CallContext<ipc::capnp::messages::BlockTemplate::GetBlockParams, ipc::capnp::messages::BlockTemplate::GetBlockResults>>&&)::'lambda'()::operator()()::'lambda'()::operator()() /src/bitcoin/src/ipc/libmultiprocess/include/mp/proxy-io.h:744:48
[        20.989] [               node1] [err]     #5 0x5591a025ad46 in kj::Function<void ()>::operator()() /src/bitcoin/depends/x86_64-pc-linux-gnu/include/kj/function.h:119:12
[        20.989] [               node1] [err]     #6 0x5591a025ad46 in void mp::Unlock<mp::Lock, kj::Function<void ()>&>(mp::Lock&, kj::Function<void ()>&) /src/bitcoin/src/ipc/libmultiprocess/include/mp/util.h:210:5
[        20.989] [               node1] [err]     #7 0x5591a0c85aa1 in void mp::Waiter::wait<mp::ProxyServer<mp::ThreadMap>::makeThread(capnp::CallContext<mp::ThreadMap::MakeThreadParams, mp::ThreadMap::MakeThreadResults>)::$_0::operator()() const::'lambda'()>(mp::Lock&, mp::ProxyServer<mp::ThreadMap>::makeThread(capnp::CallContext<mp::ThreadMap::MakeThreadParams, mp::ThreadMap::MakeThreadResults>)::$_0::operator()() const::'lambda'())::'lambda'()::operator()() const /src/bitcoin/src/ipc/libmultiprocess/include/mp/proxy-io.h:382:17
[        20.989] [               node1] [err]     #8 0x5591a0c85aa1 in void std::condition_variable::wait<void mp::Waiter::wait<mp::ProxyServer<mp::ThreadMap>::makeThread(capnp::CallContext<mp::ThreadMap::MakeThreadParams, mp::ThreadMap::MakeThreadResults>)::$_0::operator()() const::'lambda'()>(mp::Lock&, mp::ProxyServer<mp::ThreadMap>::makeThread(capnp::CallContext<mp::ThreadMap::MakeThreadParams, mp::ThreadMap::MakeThreadResults>)::$_0::operator()() const::'lambda'())::'lambda'()>(std::unique_lock<std::mutex>&, mp::ProxyServer<mp::ThreadMap>::makeThread(capnp::CallContext<mp::ThreadMap::MakeThreadParams, mp::ThreadMap::MakeThreadResults>)::$_0::operator()() const::'lambda'()) /usr/lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/condition_variable:101:10
[        20.989] [               node1] [err]     #9 0x5591a0c85aa1 in void mp::Waiter::wait<mp::ProxyServer<mp::ThreadMap>::makeThread(capnp::CallContext<mp::ThreadMap::MakeThreadParams, mp::ThreadMap::MakeThreadResults>)::$_0::operator()() const::'lambda'()>(mp::Lock&, mp::ProxyServer<mp::ThreadMap>::makeThread(capnp::CallContext<mp::ThreadMap::MakeThreadParams, mp::ThreadMap::MakeThreadResults>)::$_0::operator()() const::'lambda'()) /src/bitcoin/src/ipc/libmultiprocess/include/mp/proxy-io.h:373:14
[        20.989] [               node1] [err]     #10 0x5591a0c85aa1 in mp::ProxyServer<mp::ThreadMap>::makeThread(capnp::CallContext<mp::ThreadMap::MakeThreadParams, mp::ThreadMap::MakeThreadResults>)::$_0::operator()() const /src/bitcoin/src/ipc/libmultiprocess/src/mp/proxy.cpp:423:34
[        20.989] [               node1] [err]     #11 0x5591a0c85aa1 in void std::__invoke_impl<void, mp::ProxyServer<mp::ThreadMap>::makeThread(capnp::CallContext<mp::ThreadMap::MakeThreadParams, mp::ThreadMap::MakeThreadResults>)::$_0>(std::__invoke_other, mp::ProxyServer<mp::ThreadMap>::makeThread(capnp::CallContext<mp::ThreadMap::MakeThreadParams, mp::ThreadMap::MakeThreadResults>)::$_0&&) /usr/lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/invoke.h:61:14
[        20.989] [               node1] [err]     #12 0x5591a0c85aa1 in std::__invoke_result<mp::ProxyServer<mp::ThreadMap>::makeThread(capnp::CallContext<mp::ThreadMap::MakeThreadParams, mp::ThreadMap::MakeThreadResults>)::$_0>::type std::__invoke<mp::ProxyServer<mp::ThreadMap>::makeThread(capnp::CallContext<mp::ThreadMap::MakeThreadParams, mp::ThreadMap::MakeThreadResults>)::$_0>(mp::ProxyServer<mp::ThreadMap>::makeThread(capnp::CallContext<mp::ThreadMap::MakeThreadParams, mp::ThreadMap::MakeThreadResults>)::$_0&&) /usr/lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/invoke.h:96:14
[        20.989] [               node1] [err]     #13 0x5591a0c85aa1 in void std::thread::_Invoker<std::tuple<mp::ProxyServer<mp::ThreadMap>::makeThread(capnp::CallContext<mp::ThreadMap::MakeThreadParams, mp::ThreadMap::MakeThreadResults>)::$_0>>::_M_invoke<0ul>(std::_Index_tuple<0ul>) /usr/lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/std_thread.h:252:13
[        20.989] [               node1] [err]     #14 0x5591a0c85aa1 in std::thread::_Invoker<std::tuple<mp::ProxyServer<mp::ThreadMap>::makeThread(capnp::CallContext<mp::ThreadMap::MakeThreadParams, mp::ThreadMap::MakeThreadResults>)::$_0>>::operator()() /usr/lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/std_thread.h:259:11
[        20.989] [               node1] [err]     #15 0x5591a0c85aa1 in std::thread::_State_impl<std::thread::_Invoker<std::tuple<mp::ProxyServer<mp::ThreadMap>::makeThread(capnp::CallContext<mp::ThreadMap::MakeThreadParams, mp::ThreadMap::MakeThreadResults>)::$_0>>>::_M_run() /usr/lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/std_thread.h:210:13
[        20.989] [               node1] [err]     #16 0x7f95dab434a2  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xd44a2) (BuildId: 289ee39f8c07bd4fa48102dfeeb7e6f9c76158b4)
[        20.989] [               node1] [err]     #17 0x55919f5ed7b6 in asan_thread_start(void*) crtstuff.c
[        20.989] [               node1] [err]     #18 0x7f95da8031f4 in start_thread nptl/pthread_create.c:442:8
[        20.989] [               node1] [err]     #19 0x7f95da882b3f in clone misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:100
[        20.989] [               node1] [err] 
[        20.989] [               node1] [err] 0x7ca5d9d93040 is located 0 bytes inside of 240-byte region [0x7ca5d9d93040,0x7ca5d9d93130)
[        20.989] [               node1] [err] freed by thread T2 (b-capnp-loop) here:
[        20.991] [               node1] [err]     #0 0x55919f634172 in operator delete(void*, unsigned long) (/usr/local/bin/bitcoin-node+0xdd2172) (BuildId: c25495e4b8b85714b81a64e4409d2ed23b7adc0a)
[        20.991] [               node1] [err]     #1 0x5591a0d8bf78 in capnp::_::(anonymous namespace)::RpcConnectionState::RpcCallContext::~RpcCallContext() rpc.c++
[        20.991] [               node1] [err]     #2 0x5591a12893ef in kj::Refcounted::disposeImpl(void*) const (/usr/local/bin/bitcoin-node+0x2a273ef) (BuildId: c25495e4b8b85714b81a64e4409d2ed23b7adc0a)
[        20.991] [               node1] [err]     #3 0x5591a0ccddfe in kj::Disposer::Dispose_<capnp::CallContextHook, true>::dispose(capnp::CallContextHook*, kj::Disposer const&) (/usr/local/bin/bitcoin-node+0x246bdfe) (BuildId: c25495e4b8b85714b81a64e4409d2ed23b7adc0a)
[        20.991] [               node1] [err]     #4 0x5591a0ccdd1c in void kj::Disposer::dispose<capnp::CallContextHook>(capnp::CallContextHook*) const (/usr/local/bin/bitcoin-node+0x246bd1c) (BuildId: c25495e4b8b85714b81a64e4409d2ed23b7adc0a)
[        20.991] [               node1] [err]     #5 0x5591a0ccdcea in kj::Own<capnp::CallContextHook, std::nullptr_t>::dispose() (/usr/local/bin/bitcoin-node+0x246bcea) (BuildId: c25495e4b8b85714b81a64e4409d2ed23b7adc0a)
[        20.991] [               node1] [err]     #6 0x5591a0cc1a94 in kj::Own<capnp::CallContextHook, std::nullptr_t>::~Own() (/usr/local/bin/bitcoin-node+0x245fa94) (BuildId: c25495e4b8b85714b81a64e4409d2ed23b7adc0a)
[        20.991] [               node1] [err]     #7 0x5591a0cfa4c4 in kj::_::TupleElement<1u, kj::Own<capnp::CallContextHook, std::nullptr_t>>::~TupleElement() (/usr/local/bin/bitcoin-node+0x24984c4) (BuildId: c25495e4b8b85714b81a64e4409d2ed23b7adc0a)
[        20.991] [               node1] [err]     #8 0x5591a0cfa45c in kj::_::TupleImpl<kj::_::Indexes<0ul, 1ul>, kj::Own<capnp::LocalClient, std::nullptr_t>, kj::Own<capnp::CallContextHook, std::nullptr_t>>::~TupleImpl() (/usr/local/bin/bitcoin-node+0x249845c) (BuildId: c25495e4b8b85714b81a64e4409d2ed23b7adc0a)
[        20.991] [               node1] [err]     #9 0x5591a0cf9504 in kj::_::Tuple<kj::Own<capnp::LocalClient, std::nullptr_t>, kj::Own<capnp::CallContextHook, std::nullptr_t>>::~Tuple() (/usr/local/bin/bitcoin-node+0x2497504) (BuildId: c25495e4b8b85714b81a64e4409d2ed23b7adc0a)
[        20.991] [               node1] [err]     #10 0x5591a0cf9be7 in kj::_::AttachmentPromiseNode<kj::_::Tuple<kj::Own<capnp::LocalClient, std::nullptr_t>, kj::Own<capnp::CallContextHook, std::nullptr_t>>>::~AttachmentPromiseNode() (/usr/local/bin/bitcoin-node+0x2497be7) (BuildId: c25495e4b8b85714b81a64e4409d2ed23b7adc0a)
[        20.991] [               node1] [err]     #11 0x5591a0cf9bb4 in void kj::dtor<kj::_::AttachmentPromiseNode<kj::_::Tuple<kj::Own<capnp::LocalClient, std::nullptr_t>, kj::Own<capnp::CallContextHook, std::nullptr_t>>>>(kj::_::AttachmentPromiseNode<kj::_::Tuple<kj::Own<capnp::LocalClient, std::nullptr_t>, kj::Own<capnp::CallContextHook, std::nullptr_t>>>&) (/usr/local/bin/bitcoin-node+0x2497bb4) (BuildId: c25495e4b8b85714b81a64e4409d2ed23b7adc0a)
[        20.991] [               node1] [err]     #12 0x5591a0cf9b94 in kj::_::FreePromiseNode<kj::_::AttachmentPromiseNode<kj::_::Tuple<kj::Own<capnp::LocalClient, std::nullptr_t>, kj::Own<capnp::CallContextHook, std::nullptr_t>>>, true>::free(kj::_::AttachmentPromiseNode<kj::_::Tuple<kj::Own<capnp::LocalClient, std::nullptr_t>, kj::Own<capnp::CallContextHook, std::nullptr_t>>>*) (/usr/local/bin/bitcoin-node+0x2497b94) (BuildId: c25495e4b8b85714b81a64e4409d2ed23b7adc0a)
[        20.991] [               node1] [err]     #13 0x5591a0c9c754 in void kj::_::freePromise<kj::_::AttachmentPromiseNode<kj::_::Tuple<kj::Own<capnp::LocalClient, std::nullptr_t>, kj::Own<capnp::CallContextHook, std::nullptr_t>>>>(kj::_::AttachmentPromiseNode<kj::_::Tuple<kj::Own<capnp::LocalClient, std::nullptr_t>, kj::Own<capnp::CallContextHook, std::nullptr_t>>>*) capability.c++
[        20.991] [               node1] [err]     #14 0x5591a0cf99d4 in kj::_::AttachmentPromiseNode<kj::_::Tuple<kj::Own<capnp::LocalClient, std::nullptr_t>, kj::Own<capnp::CallContextHook, std::nullptr_t>>>::destroy() (/usr/local/bin/bitcoin-node+0x24979d4) (BuildId: c25495e4b8b85714b81a64e4409d2ed23b7adc0a)
[        20.991] [               node1] [err]     #15 0x5591a0ca5071 in kj::_::PromiseDisposer::dispose(kj::_::PromiseArenaMember*) (/usr/local/bin/bitcoin-node+0x2443071) (BuildId: c25495e4b8b85714b81a64e4409d2ed23b7adc0a)
[        20.991] [               node1] [err]     #16 0x5591a0ca4fe9 in kj::Own<kj::_::PromiseNode, kj::_::PromiseDisposer>::dispose() (/usr/local/bin/bitcoin-node+0x2442fe9) (BuildId: c25495e4b8b85714b81a64e4409d2ed23b7adc0a)
[        20.991] [               node1] [err]     #17 0x5591a10167bc in kj::Own<kj::_::PromiseNode, kj::_::PromiseDisposer>::operator=(std::nullptr_t) (/usr/local/bin/bitcoin-node+0x27b47bc) (BuildId: c25495e4b8b85714b81a64e4409d2ed23b7adc0a)
[        20.991] [               node1] [err]     #18 0x5591a100185d in kj::_::ForkHubBase::fire()::$_0::operator()() const async.c++
[        20.991] [               node1] [err]     #19 0x5591a0fec48d in kj::Maybe<kj::Exception> kj::runCatchingExceptions<kj::_::ForkHubBase::fire()::$_0>(kj::_::ForkHubBase::fire()::$_0&&) async.c++
[        20.991] [               node1] [err]     #20 0x5591a0febea5 in kj::_::ForkHubBase::fire() (/usr/local/bin/bitcoin-node+0x2789ea5) (BuildId: c25495e4b8b85714b81a64e4409d2ed23b7adc0a)
[        20.991] [               node1] [err]     #21 0x5591a0fec723 in non-virtual thunk to kj::_::ForkHubBase::fire() (/usr/local/bin/bitcoin-node+0x278a723) (BuildId: c25495e4b8b85714b81a64e4409d2ed23b7adc0a)
[        20.991] [               node1] [err]     #22 0x5591a0fe0399 in kj::EventLoop::turn() (/usr/local/bin/bitcoin-node+0x277e399) (BuildId: c25495e4b8b85714b81a64e4409d2ed23b7adc0a)
[        20.991] [               node1] [err]     #23 0x5591a0fffe2b in kj::_::waitImpl(kj::Own<kj::_::PromiseNode, kj::_::PromiseDisposer>&&, kj::_::ExceptionOrValue&, kj::WaitScope&, kj::SourceLocation)::$_2::operator()() const async.c++
[        20.991] [               node1] [err]     #24 0x5591a0fe3919 in void kj::WaitScope::runOnStackPool<kj::_::waitImpl(kj::Own<kj::_::PromiseNode, kj::_::PromiseDisposer>&&, kj::_::ExceptionOrValue&, kj::WaitScope&, kj::SourceLocation)::$_2>(kj::_::waitImpl(kj::Own<kj::_::PromiseNode, kj::_::PromiseDisposer>&&, kj::_::ExceptionOrValue&, kj::WaitScope&, kj::SourceLocation)::$_2&&) async.c++
[        20.991] [               node1] [err]     #25 0x5591a0fe320e in kj::_::waitImpl(kj::Own<kj::_::PromiseNode, kj::_::PromiseDisposer>&&, kj::_::ExceptionOrValue&, kj::WaitScope&, kj::SourceLocation) (/usr/local/bin/bitcoin-node+0x278120e) (BuildId: c25495e4b8b85714b81a64e4409d2ed23b7adc0a)
[        20.991] [               node1] [err]     #26 0x5591a0c7a643 in kj::Promise<unsigned long>::wait(kj::WaitScope&, kj::SourceLocation) /src/bitcoin/depends/x86_64-pc-linux-gnu/include/kj/async-inl.h:1359:3
[        20.991] [               node1] [err]     #27 0x5591a0c78d94 in mp::EventLoop::loop() /src/bitcoin/src/ipc/libmultiprocess/src/mp/proxy.cpp:244:68
[        20.991] [               node1] [err]     #28 0x5591a02317a2 in ipc::capnp::(anonymous namespace)::CapnpProtocol::startLoop(char const*)::'lambda'()::operator()() const /src/bitcoin/src/ipc/capnp/protocol.cpp:136:21
[        20.991] [               node1] [err]     #29 0x5591a02317a2 in void std::__invoke_impl<void, ipc::capnp::(anonymous namespace)::CapnpProtocol::startLoop(char const*)::'lambda'()>(std::__invoke_other, ipc::capnp::(anonymous namespace)::CapnpProtocol::startLoop(char const*)::'lambda'()&&) /usr/lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/invoke.h:61:14
[        20.991] [               node1] [err]     #30 0x5591a02317a2 in std::__invoke_result<ipc::capnp::(anonymous namespace)::CapnpProtocol::startLoop(char const*)::'lambda'()>::type std::__invoke<ipc::capnp::(anonymous namespace)::CapnpProtocol::startLoop(char const*)::'lambda'()>(ipc::capnp::(anonymous namespace)::CapnpProtocol::startLoop(char const*)::'lambda'()&&) /usr/lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/invoke.h:96:14
[        20.991] [               node1] [err]     #31 0x5591a02317a2 in void std::thread::_Invoker<std::tuple<ipc::capnp::(anonymous namespace)::CapnpProtocol::startLoop(char const*)::'lambda'()>>::_M_invoke<0ul>(std::_Index_tuple<0ul>) /usr/lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/std_thread.h:252:13
[        20.991] [               node1] [err]     #32 0x5591a02317a2 in std::thread::_Invoker<std::tuple<ipc::capnp::(anonymous namespace)::CapnpProtocol::startLoop(char const*)::'lambda'()>>::operator()() /usr/lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/std_thread.h:259:11
[        20.991] [               node1] [err]     #33 0x5591a02317a2 in std::thread::_State_impl<std::thread::_Invoker<std::tuple<ipc::capnp::(anonymous namespace)::CapnpProtocol::startLoop(char const*)::'lambda'()>>>::_M_run() /usr/lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/std_thread.h:210:13
[        20.991] [               node1] [err]     #34 0x7f95dab434a2  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xd44a2) (BuildId: 289ee39f8c07bd4fa48102dfeeb7e6f9c76158b4)
[        20.991] [               node1] [err] 
[        20.991] [               node1] [err] previously allocated by thread T2 (b-capnp-loop) here:
[        20.991] [               node1] [err]     #0 0x55919f63350d in operator new(unsigned long) (/usr/local/bin/bitcoin-node+0xdd150d) (BuildId: c25495e4b8b85714b81a64e4409d2ed23b7adc0a)
[        20.991] [               node1] [err]     #1 0x5591a0d3e6f8 in kj::Own<capnp::_::(anonymous namespace)::RpcConnectionState::RpcCallContext, std::nullptr_t> kj::refcounted<capnp::_::(anonymous namespace)::RpcConnectionState::RpcCallContext, capnp::_::(anonymous namespace)::RpcConnectionState&, unsigned int&, kj::Own<capnp::IncomingRpcMessage, std::nullptr_t>, kj::Array<kj::Maybe<kj::Own<capnp::ClientHook, std::nullptr_t>>>, capnp::AnyPointer::Reader, bool&, unsigned long, unsigned short, capnp::Capability::Client::CallHints&>(capnp::_::(anonymous namespace)::RpcConnectionState&, unsigned int&, kj::Own<capnp::IncomingRpcMessage, std::nullptr_t>&&, kj::Array<kj::Maybe<kj::Own<capnp::ClientHook, std::nullptr_t>>>&&, capnp::AnyPointer::Reader&&, bool&, unsigned long&&, unsigned short&&, capnp::Capability::Client::CallHints&) rpc.c++
[        20.991] [               node1] [err]     #2 0x5591a0d252f1 in capnp::_::(anonymous namespace)::RpcConnectionState::handleCall(kj::Own<capnp::IncomingRpcMessage, std::nullptr_t>&&, capnp::rpc::Call::Reader const&) rpc.c++
[        20.991] [               node1] [err]     #3 0x5591a0d2266d in capnp::_::(anonymous namespace)::RpcConnectionState::handleMessage(kj::Own<capnp::IncomingRpcMessage, std::nullptr_t>) rpc.c++
[        20.991] [               node1] [err]     #4 0x5591a0d21d98 in capnp::_::(anonymous namespace)::RpcConnectionState::messageLoop()::'lambda'(kj::Maybe<kj::Own<capnp::IncomingRpcMessage, std::nullptr_t>>&&)::operator()(kj::Maybe<kj::Own<capnp::IncomingRpcMessage, std::nullptr_t>>&&) const rpc.c++
[        20.991] [               node1] [err]     #5 0x5591a0db9c3c in bool kj::_::MaybeVoidCaller<kj::Maybe<kj::Own<capnp::IncomingRpcMessage, std::nullptr_t>>, bool>::apply<capnp::_::(anonymous namespace)::RpcConnectionState::messageLoop()::'lambda'(kj::Maybe<kj::Own<capnp::IncomingRpcMessage, std::nullptr_t>>&&)>(capnp::_::(anonymous namespace)::RpcConnectionState::messageLoop()::'lambda'(kj::Maybe<kj::Own<capnp::IncomingRpcMessage, std::nullptr_t>>&&)&, kj::Maybe<kj::Own<capnp::IncomingRpcMessage, std::nullptr_t>>&&) rpc.c++
[        20.991] [               node1] [err]     #6 0x5591a0db97be in kj::_::TransformPromiseNode<bool, kj::Maybe<kj::Own<capnp::IncomingRpcMessage, std::nullptr_t>>, capnp::_::(anonymous namespace)::RpcConnectionState::messageLoop()::'lambda'(kj::Maybe<kj::Own<capnp::IncomingRpcMessage, std::nullptr_t>>&&), capnp::_::(anonymous namespace)::RpcConnectionState::messageLoop()::'lambda'(kj::Exception&&)>::getImpl(kj::_::ExceptionOrValue&) rpc.c++
[        20.991] [               node1] [err]     #7 0x5591a100176a in kj::_::TransformPromiseNodeBase::get(kj::_::ExceptionOrValue&)::$_0::operator()() const async.c++
[        20.991] [               node1] [err]     #8 0x5591a0fe99ed in kj::Maybe<kj::Exception> kj::runCatchingExceptions<kj::_::TransformPromiseNodeBase::get(kj::_::ExceptionOrValue&)::$_0>(kj::_::TransformPromiseNodeBase::get(kj::_::ExceptionOrValue&)::$_0&&) async.c++
[        20.991] [               node1] [err]     #9 0x5591a0fe9750 in kj::_::TransformPromiseNodeBase::get(kj::_::ExceptionOrValue&) (/usr/local/bin/bitcoin-node+0x2787750) (BuildId: c25495e4b8b85714b81a64e4409d2ed23b7adc0a)
[        20.991] [               node1] [err]     #10 0x5591a0fe9fd8 in kj::_::TransformPromiseNodeBase::getDepResult(kj::_::ExceptionOrValue&) (/usr/local/bin/bitcoin-node+0x2787fd8) (BuildId: c25495e4b8b85714b81a64e4409d2ed23b7adc0a)
[        20.991] [               node1] [err]     #11 0x5591a0dbca3a in kj::_::TransformPromiseNode<kj::_::Void, bool, capnp::_::(anonymous namespace)::RpcConnectionState::messageLoop()::'lambda'(bool), kj::_::PropagateException>::getImpl(kj::_::ExceptionOrValue&) rpc.c++
[        20.991] [               node1] [err]     #12 0x5591a100176a in kj::_::TransformPromiseNodeBase::get(kj::_::ExceptionOrValue&)::$_0::operator()() const async.c++
[        20.991] [               node1] [err]     #13 0x5591a0fe99ed in kj::Maybe<kj::Exception> kj::runCatchingExceptions<kj::_::TransformPromiseNodeBase::get(kj::_::ExceptionOrValue&)::$_0>(kj::_::TransformPromiseNodeBase::get(kj::_::ExceptionOrValue&)::$_0&&) async.c++
[        20.991] [               node1] [err]     #14 0x5591a0fe9750 in kj::_::TransformPromiseNodeBase::get(kj::_::ExceptionOrValue&) (/usr/local/bin/bitcoin-node+0x2787750) (BuildId: c25495e4b8b85714b81a64e4409d2ed23b7adc0a)
[        20.991] [               node1] [err]     #15 0x5591a1027b22 in kj::TaskSet::Task::fire() (/usr/local/bin/bitcoin-node+0x27c5b22) (BuildId: c25495e4b8b85714b81a64e4409d2ed23b7adc0a)
[        20.991] [               node1] [err]     #16 0x5591a10284c3 in non-virtual thunk to kj::TaskSet::Task::fire() (/usr/local/bin/bitcoin-node+0x27c64c3) (BuildId: c25495e4b8b85714b81a64e4409d2ed23b7adc0a)
[        20.991] [               node1] [err]     #17 0x5591a0fe0399 in kj::EventLoop::turn() (/usr/local/bin/bitcoin-node+0x277e399) (BuildId: c25495e4b8b85714b81a64e4409d2ed23b7adc0a)
[        20.991] [               node1] [err]     #18 0x5591a0fffe2b in kj::_::waitImpl(kj::Own<kj::_::PromiseNode, kj::_::PromiseDisposer>&&, kj::_::ExceptionOrValue&, kj::WaitScope&, kj::SourceLocation)::$_2::operator()() const async.c++
[        20.991] [               node1] [err]     #19 0x5591a0fe3919 in void kj::WaitScope::runOnStackPool<kj::_::waitImpl(kj::Own<kj::_::PromiseNode, kj::_::PromiseDisposer>&&, kj::_::ExceptionOrValue&, kj::WaitScope&, kj::SourceLocation)::$_2>(kj::_::waitImpl(kj::Own<kj::_::PromiseNode, kj::_::PromiseDisposer>&&, kj::_::ExceptionOrValue&, kj::WaitScope&, kj::SourceLocation)::$_2&&) async.c++
[        20.991] [               node1] [err]     #20 0x5591a0fe320e in kj::_::waitImpl(kj::Own<kj::_::PromiseNode, kj::_::PromiseDisposer>&&, kj::_::ExceptionOrValue&, kj::WaitScope&, kj::SourceLocation) (/usr/local/bin/bitcoin-node+0x278120e) (BuildId: c25495e4b8b85714b81a64e4409d2ed23b7adc0a)
[        20.991] [               node1] [err]     #21 0x5591a0c7a643 in kj::Promise<unsigned long>::wait(kj::WaitScope&, kj::SourceLocation) /src/bitcoin/depends/x86_64-pc-linux-gnu/include/kj/async-inl.h:1359:3
[        20.991] [               node1] [err]     #22 0x5591a0c78d94 in mp::EventLoop::loop() /src/bitcoin/src/ipc/libmultiprocess/src/mp/proxy.cpp:244:68
[        20.991] [               node1] [err]     #23 0x5591a02317a2 in ipc::capnp::(anonymous namespace)::CapnpProtocol::startLoop(char const*)::'lambda'()::operator()() const /src/bitcoin/src/ipc/capnp/protocol.cpp:136:21
[        20.991] [               node1] [err]     #24 0x5591a02317a2 in void std::__invoke_impl<void, ipc::capnp::(anonymous namespace)::CapnpProtocol::startLoop(char const*)::'lambda'()>(std::__invoke_other, ipc::capnp::(anonymous namespace)::CapnpProtocol::startLoop(char const*)::'lambda'()&&) /usr/lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/invoke.h:61:14
[        20.991] [               node1] [err]     #25 0x5591a02317a2 in std::__invoke_result<ipc::capnp::(anonymous namespace)::CapnpProtocol::startLoop(char const*)::'lambda'()>::type std::__invoke<ipc::capnp::(anonymous namespace)::CapnpProtocol::startLoop(char const*)::'lambda'()>(ipc::capnp::(anonymous namespace)::CapnpProtocol::startLoop(char const*)::'lambda'()&&) /usr/lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/invoke.h:96:14
[        20.991] [               node1] [err]     #26 0x5591a02317a2 in void std::thread::_Invoker<std::tuple<ipc::capnp::(anonymous namespace)::CapnpProtocol::startLoop(char const*)::'lambda'()>>::_M_invoke<0ul>(std::_Index_tuple<0ul>) /usr/lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/std_thread.h:252:13
[        20.991] [               node1] [err]     #27 0x5591a02317a2 in std::thread::_Invoker<std::tuple<ipc::capnp::(anonymous namespace)::CapnpProtocol::startLoop(char const*)::'lambda'()>>::operator()() /usr/lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/std_thread.h:259:11
[        20.991] [               node1] [err]     #28 0x5591a02317a2 in std::thread::_State_impl<std::thread::_Invoker<std::tuple<ipc::capnp::(anonymous namespace)::CapnpProtocol::startLoop(char const*)::'lambda'()>>>::_M_run() /usr/lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/std_thread.h:210:13
[        20.991] [               node1] [err]     #29 0x7f95dab434a2  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xd44a2) (BuildId: 289ee39f8c07bd4fa48102dfeeb7e6f9c76158b4)
[        20.991] [               node1] [err] 
[        20.991] [               node1] [err] Thread T18 created by T2 (b-capnp-loop) here:
[        20.991] [               node1] [err]     #0 0x55919f5d4061 in pthread_create (/usr/local/bin/bitcoin-node+0xd72061) (BuildId: c25495e4b8b85714b81a64e4409d2ed23b7adc0a)
[        20.991] [               node1] [err]     #1 0x7f95dab43578 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State>>, void (*)()) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xd4578) (BuildId: 289ee39f8c07bd4fa48102dfeeb7e6f9c76158b4)
[        20.991] [               node1] [err]     #2 0x5591a0c70d9c in mp::ThreadMap::Server::dispatchCallInternal(unsigned short, capnp::CallContext<capnp::AnyPointer, capnp::AnyPointer>) /src/bitcoin/build/src/ipc/libmultiprocess/include/mp/proxy.capnp.c++:602:9
[        20.991] [               node1] [err]     #3 0x5591a0c70d9c in mp::ThreadMap::Server::dispatchCall(unsigned long, unsigned short, capnp::CallContext<capnp::AnyPointer, capnp::AnyPointer>) /src/bitcoin/build/src/ipc/libmultiprocess/include/mp/proxy.capnp.c++:591:14
[        20.991] [               node1] [err]     #4 0x5591a0c70d9c in virtual thunk to mp::ThreadMap::Server::dispatchCall(unsigned long, unsigned short, capnp::CallContext<capnp::AnyPointer, capnp::AnyPointer>) /src/bitcoin/build/src/ipc/libmultiprocess/include/mp/proxy.capnp.c++
[        20.991] [               node1] [err] 
[        20.991] [               node1] [err] Thread T2 (b-capnp-loop) created by T0 here:
[        21.003] [               node1] [err]     #0 0x55919f5d4061 in pthread_create (/usr/local/bin/bitcoin-node+0xd72061) (BuildId: c25495e4b8b85714b81a64e4409d2ed23b7adc0a)
[        21.003] [               node1] [err]     #1 0x7f95dab43578 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State>>, void (*)()) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xd4578) (BuildId: 289ee39f8c07bd4fa48102dfeeb7e6f9c76158b4)
[        21.003] [               node1] [err]     #2 0x5591a022e9f5 in ipc::capnp::(anonymous namespace)::CapnpProtocol::listen(int, char const*, interfaces::Init&) /src/bitcoin/src/ipc/capnp/protocol.cpp:87:9
[        21.003] [               node1] [err]     #3 0x5591a022b42c in ipc::(anonymous namespace)::IpcImpl::listenAddress(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&) /src/bitcoin/src/ipc/interfaces.cpp:111:21
[        21.003] [               node1] [err]     #4 0x55919f686df2 in AppInitMain(node::NodeContext&, interfaces::BlockAndHeaderTipInfo*) /src/bitcoin/src/init.cpp:1505:22
[        21.003] [               node1] [err]     #5 0x55919f638083 in AppInit(node::NodeContext&) /src/bitcoin/src/bitcoind.cpp:242:43
[        21.003] [               node1] [err]     #6 0x55919f638083 in main /src/bitcoin/src/bitcoind.cpp:283:10
[        21.003] [               node1] [err]     #7 0x7f95da7a1249 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
[        21.003] [               node1] [err] 
[        21.003] [               node1] [err] SUMMARY: AddressSanitizer: heap-use-after-free /src/bitcoin/depends/x86_64-pc-linux-gnu/include/capnp/capability.h:1129:16 in capnp::CallContext<ipc::capnp::messages::BlockTemplate::GetBlockParams, ipc::capnp::messages::BlockTemplate::GetBlockResults>::getParams()
[        21.003] [               node1] [err] Shadow bytes around the buggy address:
[        21.003] [               node1] [err]   0x7ca5d9d92d80: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
[        21.003] [               node1] [err]   0x7ca5d9d92e00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[        21.003] [               node1] [err]   0x7ca5d9d92e80: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
[        21.003] [               node1] [err]   0x7ca5d9d92f00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[        21.003] [               node1] [err]   0x7ca5d9d92f80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
[        21.003] [               node1] [err] =>0x7ca5d9d93000: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
[        21.003] [               node1] [err]   0x7ca5d9d93080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[        21.003] [               node1] [err]   0x7ca5d9d93100: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
[        21.003] [               node1] [err]   0x7ca5d9d93180: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[        21.003] [               node1] [err]   0x7ca5d9d93200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
[        21.003] [               node1] [err]   0x7ca5d9d93280: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
[        21.003] [               node1] [err] Shadow byte legend (one shadow byte represents 8 application bytes):
[        21.003] [               node1] [err]   Addressable:           00
[        21.003] [               node1] [err]   Partially addressable: 01 02 03 04 05 06 07 
[        21.003] [               node1] [err]   Heap left redzone:       fa
[        21.003] [               node1] [err]   Freed heap region:       fd
[        21.003] [               node1] [err]   Stack left redzone:      f1
[        21.003] [               node1] [err]   Stack mid redzone:       f2
[        21.003] [               node1] [err]   Stack right redzone:     f3
[        21.003] [               node1] [err]   Stack after return:      f5
[        21.003] [               node1] [err]   Stack use after scope:   f8
[        21.003] [               node1] [err]   Global redzone:          f9
[        21.003] [               node1] [err]   Global init order:       f6
[        21.003] [               node1] [err]   Poisoned by user:        f7
[        21.003] [               node1] [err]   Container overflow:      fc
[        21.003] [               node1] [err]   Array cookie:            ac
[        21.003] [               node1] [err]   Intra object redzone:    bb
[        21.003] [               node1] [err]   ASan internal:           fe
[        21.003] [               node1] [err]   Left alloca redzone:     ca
[        21.003] [               node1] [err]   Right alloca redzone:    cb
[        21.004] [               node1] [err] ==1==ABORTING

Full debug log for the node that crashed: uaf-ipc-node1-debug.log

Full antithesis log for this testcase: uaf-ipc-antithesis-full.log

This was found with a test running on Antithesis.

[fanquake]

cc @Sjors @ryanofsky

[ryanofsky]

Wow, great find!

The stack trace shows the use-after-free happening here:

bitcoin/src/ipc/libmultiprocess/include/mp/type-context.h

Line 77 in e09b816

const auto& params = call_context.getParams();

When call_context.getParams() is called by the worker thread after the request is cancelled in the event loop thread.

This bug was introduced in bitcoin-core/libmultiprocess@0174450 which started cancelling requests on disconnects. That commit uses a mutex called cancel_mutex to prevent parameters returned from call_context.getParams() from ever being used after cancellation. But it looks like even calling call_context.getParams() at all after cancellation is a problem.

I think following patch should fix the problem.

diff

--- a/src/ipc/libmultiprocess/include/mp/type-context.h
+++ b/src/ipc/libmultiprocess/include/mp/type-context.h
@@ -61,8 +61,6 @@ auto PassField(Priority<1>, TypeList<>, ServerContext& server_context, const Fn&
         std::is_same<decltype(Accessor::get(server_context.call_context.getParams())), Context::Reader>::value,
         kj::Promise<typename ServerContext::CallContext>>::type
 {
-    const auto& params = server_context.call_context.getParams();
-    Context::Reader context_arg = Accessor::get(params);
     auto& server = server_context.proxy_server;
     int req = server_context.req;
     // Keep a reference to the ProxyServer instance by assigning it to the self
@@ -74,8 +72,6 @@ auto PassField(Priority<1>, TypeList<>, ServerContext& server_context, const Fn&
     auto self = server.thisCap();
     auto invoke = [self = kj::mv(self), call_context = kj::mv(server_context.call_context), &server, req, fn, args...](CancelMonitor& cancel_monitor) mutable {
                 MP_LOG(*server.m_context.loop, Log::Debug) << "IPC server executing request #" << req;
-                const auto& params = call_context.getParams();
-                Context::Reader context_arg = Accessor::get(params);
                 ServerContext server_context{server, call_context, req};
                 {
                     // Before invoking the function, store a reference to the
@@ -127,6 +123,8 @@ auto PassField(Priority<1>, TypeList<>, ServerContext& server_context, const Fn&
                             server_context.request_canceled = true;
                         };
                         // Update requests_threads map if not canceled.
+                        const auto& params = call_context.getParams();
+                        Context::Reader context_arg = Accessor::get(params);
                         std::tie(request_thread, inserted) = SetThread(
                             GuardedRef{thread_context.waiter->m_mutex, request_threads}, server.m_context.connection,
                             [&] { return context_arg.getCallbackThread(); });
@@ -189,6 +187,8 @@ auto PassField(Priority<1>, TypeList<>, ServerContext& server_context, const Fn&
     // Lookup Thread object specified by the client. The specified thread should
     // be a local Thread::Server object, but it needs to be looked up
     // asynchronously with getLocalServer().
+    const auto& params = server_context.call_context.getParams();
+    Context::Reader context_arg = Accessor::get(params);
     auto thread_client = context_arg.getThread();
     auto result = server.m_context.connection->m_threads.getLocalServer(thread_client)
         .then([&server, invoke = kj::mv(invoke), req](const kj::Maybe<Thread::Server&>& perhaps) mutable {

This is not a minimal fix since it moves two getParams() calls when only moving the second one should be required. But it makes sense to move both calls closer to where they are actually being used.

I can follow up with a PR and should also try to reproduce the bug locally to make sure the fix is sufficient. It would probably be difficult to trigger from a test but might not be hard to reproduce manually by introducing a sleep before the getParams call

[Sjors]

That fix makes sense to me. Here's a test (with a little extra scaffolding, diff is on top of your fix):

diff --git a/src/ipc/libmultiprocess/include/mp/proxy.h b/src/ipc/libmultiprocess/include/mp/proxy.h
index c55380c1c9..a0b9c3d31e 100644
--- a/src/ipc/libmultiprocess/include/mp/proxy.h
+++ b/src/ipc/libmultiprocess/include/mp/proxy.h
@@ -68,10 +68,15 @@ public:
 struct ProxyContext
 {
     Connection* connection;
     EventLoopRef loop;
     CleanupList cleanup_fns;
+#ifndef NDEBUG
+    //! Hook called on the worker thread just before loop->sync() in PassField
+    //! for Context arguments. Used by tests to inject precise disconnect timing.
+    std::function<void()> testing_hook_before_sync;
+#endif

     ProxyContext(Connection* connection);
 };

 //! Base class for generated ProxyClient classes that implement a C++ interface
diff --git a/src/ipc/libmultiprocess/include/mp/type-context.h b/src/ipc/libmultiprocess/include/mp/type-context.h
index 09ec6fff09..1c8b8d93fd 100644
--- a/src/ipc/libmultiprocess/include/mp/type-context.h
+++ b/src/ipc/libmultiprocess/include/mp/type-context.h
@@ -70,10 +70,13 @@ auto PassField(Priority<1>, TypeList<>, ServerContext& server_context, const Fn&
     // needs to be destroyed on the event loop thread so it is freed in a sync()
     // call below.
     auto self = server.thisCap();
     auto invoke = [self = kj::mv(self), call_context = kj::mv(server_context.call_context), &server, req, fn, args...](CancelMonitor& cancel_monitor) mutable {
                 MP_LOG(*server.m_context.loop, Log::Debug) << "IPC server executing request #" << req;
+#ifndef NDEBUG
+                if (server.m_context.testing_hook_before_sync) server.m_context.testing_hook_before_sync();
+#endif
                 ServerContext server_context{server, call_context, req};
                 {
                     // Before invoking the function, store a reference to the
                     // callbackThread provided by the client in the
                     // thread_local.request_threads map. This way, if this
diff --git a/src/ipc/libmultiprocess/test/mp/test/test.cpp b/src/ipc/libmultiprocess/test/mp/test/test.cpp
index b8df4677ca..8b776b83ea 100644
--- a/src/ipc/libmultiprocess/test/mp/test/test.cpp
+++ b/src/ipc/libmultiprocess/test/mp/test/test.cpp
@@ -314,10 +314,51 @@ KJ_TEST("Calling IPC method, disconnecting and blocking during the call")
     // *before* the TestSetup variable so is not destroyed while
     // signal.get_future().get() is called.
     signal.set_value();
 }

+KJ_TEST("Calling async IPC method, with server disconnect racing the call")
+{
+#ifdef NDEBUG
+    KJ_LOG(WARNING, "Test skipped: testing_hook_before_sync requires debug build");
+    return;
+#else
+    // Regression test for bitcoin/bitcoin#34777 (heap-use-after-free where
+    // getParams() was called on the worker thread after the event loop thread
+    // freed the RpcCallContext on disconnect). The fix moves getParams() inside
+    // loop->sync() so it always runs on the event loop thread.
+    //
+    // Use testing_hook_before_sync to pause the worker thread just before it
+    // enters loop->sync(), then disconnect the server from a separate thread.
+    TestSetup setup;
+    ProxyClient<messages::FooInterface>* foo = setup.client.get();
+    foo->initThreadMap();
+    setup.server->m_impl->m_fn = [] {};
+
+    std::promise<void> worker_ready;
+    std::promise<void> disconnect_done;
+    setup.server->m_context.testing_hook_before_sync = [&] {
+        worker_ready.set_value();
+        disconnect_done.get_future().wait();
+    };
+
+    std::thread disconnect_thread{[&] {
+        worker_ready.get_future().wait();
+        setup.server_disconnect();
+        disconnect_done.set_value();
+    }};
+
+    try {
+        foo->callFnAsync();
+        KJ_EXPECT(false);
+    } catch (const std::runtime_error& e) {
+        KJ_EXPECT(std::string_view{e.what()} == "IPC client method call interrupted by disconnect.");
+    }
+    disconnect_thread.join();
+#endif
+}
+
 KJ_TEST("Make simultaneous IPC calls on single remote thread")
 {
     TestSetup setup;
     ProxyClient<messages::FooInterface>* foo = setup.client.get();
     std::promise<void> signal;

(and then use -DCMAKE_BUILD_TYPE=Release on most CI machines and recommend it in developer doc)