[scheduler] Add defensive nullptr checks and explicit locking requirements

2025-11-19 00:05:43 +00:00 · 2025-11-18 11:31:01 -06:00
parent 33983b051b
commit d83a698398
2 changed files with 31 additions and 18 deletions
--- a/esphome/core/scheduler.cpp
+++ b/esphome/core/scheduler.cpp
@@ -154,8 +154,8 @@ void HOT Scheduler::set_timer_common_(Component *component, SchedulerItem::Type

  // For retries, check if there's a cancelled timeout first
  if (is_retry && name_cstr != nullptr && type == SchedulerItem::TIMEOUT &&
-      (has_cancelled_timeout_in_container_(this->items_, component, name_cstr, /* match_retry= */ true) ||
-       has_cancelled_timeout_in_container_(this->to_add_, component, name_cstr, /* match_retry= */ true))) {
+      (has_cancelled_timeout_in_container_locked_(this->items_, component, name_cstr, /* match_retry= */ true) ||
+       has_cancelled_timeout_in_container_locked_(this->to_add_, component, name_cstr, /* match_retry= */ true))) {
    // Skip scheduling - the retry was cancelled
 #ifdef ESPHOME_DEBUG_SCHEDULER
    ESP_LOGD(TAG, "Skipping retry '%s' - found cancelled item", name_cstr);
@@ -556,7 +556,8 @@ bool HOT Scheduler::cancel_item_locked_(Component *component, const char *name_c
 #ifndef ESPHOME_THREAD_SINGLE
  // Mark items in defer queue as cancelled (they'll be skipped when processed)
  if (type == SchedulerItem::TIMEOUT) {
-    total_cancelled += this->mark_matching_items_removed_(this->defer_queue_, component, name_cstr, type, match_retry);
+    total_cancelled +=
+        this->mark_matching_items_removed_locked_(this->defer_queue_, component, name_cstr, type, match_retry);
  }
 #endif /* not ESPHOME_THREAD_SINGLE */

@@ -565,19 +566,20 @@ bool HOT Scheduler::cancel_item_locked_(Component *component, const char *name_c
  // (removing the last element doesn't break heap structure)
  if (!this->items_.empty()) {
    auto &last_item = this->items_.back();
-    if (this->matches_item_(last_item, component, name_cstr, type, match_retry)) {
+    if (this->matches_item_locked_(last_item, component, name_cstr, type, match_retry)) {
      this->recycle_item_(std::move(this->items_.back()));
      this->items_.pop_back();
      total_cancelled++;
    }
    // For other items in heap, we can only mark for removal (can't remove from middle of heap)
-    size_t heap_cancelled = this->mark_matching_items_removed_(this->items_, component, name_cstr, type, match_retry);
+    size_t heap_cancelled =
+        this->mark_matching_items_removed_locked_(this->items_, component, name_cstr, type, match_retry);
    total_cancelled += heap_cancelled;
    this->to_remove_ += heap_cancelled;  // Track removals for heap items
  }

  // Cancel items in to_add_
-  total_cancelled += this->mark_matching_items_removed_(this->to_add_, component, name_cstr, type, match_retry);
+  total_cancelled += this->mark_matching_items_removed_locked_(this->to_add_, component, name_cstr, type, match_retry);

  return total_cancelled > 0;
 }
--- a/esphome/core/scheduler.h
+++ b/esphome/core/scheduler.h
@@ -243,8 +243,18 @@ class Scheduler {
  }

  // Helper function to check if item matches criteria for cancellation
-  inline bool HOT matches_item_(const std::unique_ptr<SchedulerItem> &item, Component *component, const char *name_cstr,
-                                SchedulerItem::Type type, bool match_retry, bool skip_removed = true) const {
+  // IMPORTANT: Must be called with scheduler lock held
+  inline bool HOT matches_item_locked_(const std::unique_ptr<SchedulerItem> &item, Component *component,
+                                       const char *name_cstr, SchedulerItem::Type type, bool match_retry,
+                                       bool skip_removed = true) const {
+    // THREAD SAFETY: Check for nullptr first to prevent LoadProhibited crashes. On multi-threaded
+    // platforms, items can be moved out of defer_queue_ during processing, leaving nullptr entries.
+    // PR #11305 added nullptr checks in callers (mark_matching_items_removed_locked_() and
+    // has_cancelled_timeout_in_container_locked_()), but this check provides defense-in-depth: helper
+    // functions should be safe regardless of caller behavior.
+    // Fixes: https://github.com/esphome/esphome/issues/11940
+    if (!item)
+      return false;
    if (item->component != component || item->type != type || (skip_removed && item->remove) ||
        (match_retry && !item->is_retry)) {
      return false;
@@ -304,8 +314,8 @@ class Scheduler {
        // SAFETY: Moving out the unique_ptr leaves a nullptr in the vector at defer_queue_front_.
        // This is intentional and safe because:
        // 1. The vector is only cleaned up by cleanup_defer_queue_locked_() at the end of this function
-        // 2. Any code iterating defer_queue_ MUST check for nullptr items (see mark_matching_items_removed_
-        //    and has_cancelled_timeout_in_container_ in scheduler.h)
+        // 2. Any code iterating defer_queue_ MUST check for nullptr items (see mark_matching_items_removed_locked_
+        //    and has_cancelled_timeout_in_container_locked_ in scheduler.h)
        // 3. The lock protects concurrent access, but the nullptr remains until cleanup
        item = std::move(this->defer_queue_[this->defer_queue_front_]);
        this->defer_queue_front_++;
@@ -393,10 +403,10 @@ class Scheduler {

  // Helper to mark matching items in a container as removed
  // Returns the number of items marked for removal
-  // IMPORTANT: Caller must hold the scheduler lock before calling this function.
+  // IMPORTANT: Must be called with scheduler lock held
  template<typename Container>
-  size_t mark_matching_items_removed_(Container &container, Component *component, const char *name_cstr,
-                                      SchedulerItem::Type type, bool match_retry) {
+  size_t mark_matching_items_removed_locked_(Container &container, Component *component, const char *name_cstr,
+                                             SchedulerItem::Type type, bool match_retry) {
    size_t count = 0;
    for (auto &item : container) {
      // Skip nullptr items (can happen in defer_queue_ when items are being processed)
@@ -405,7 +415,7 @@ class Scheduler {
      // the vector can still contain nullptr items from the processing loop. This check prevents crashes.
      if (!item)
        continue;
-      if (this->matches_item_(item, component, name_cstr, type, match_retry)) {
+      if (this->matches_item_locked_(item, component, name_cstr, type, match_retry)) {
        // Mark item for removal (platform-specific)
        this->set_item_removed_(item.get(), true);
        count++;
@@ -415,9 +425,10 @@ class Scheduler {
  }

  // Template helper to check if any item in a container matches our criteria
+  // IMPORTANT: Must be called with scheduler lock held
  template<typename Container>
-  bool has_cancelled_timeout_in_container_(const Container &container, Component *component, const char *name_cstr,
-                                           bool match_retry) const {
+  bool has_cancelled_timeout_in_container_locked_(const Container &container, Component *component,
+                                                  const char *name_cstr, bool match_retry) const {
    for (const auto &item : container) {
      // Skip nullptr items (can happen in defer_queue_ when items are being processed)
      // The defer_queue_ uses index-based processing: items are std::moved out but left in the
@@ -426,8 +437,8 @@ class Scheduler {
      if (!item)
        continue;
      if (is_item_removed_(item.get()) &&
-          this->matches_item_(item, component, name_cstr, SchedulerItem::TIMEOUT, match_retry,
-                              /* skip_removed= */ false)) {
+          this->matches_item_locked_(item, component, name_cstr, SchedulerItem::TIMEOUT, match_retry,
+                                     /* skip_removed= */ false)) {
        return true;
      }
    }