The following line in KrpcDataStreamRecvr may lead to a use-after-free. A KrpcDataStreamRecvr is co-owned by KrpcDataStreamMgr and an ExchangeNode. There is a window between the ExchangeNode being closed and the last reference to KrpcDataStreamMgr going away. In this window, the KrpcDataStreamRecvr queues should all have been cancelled and closed, but the receiver itself may still reference resources owned by the ExchangeNode. The general pattern is that once a receiver's queue is cancelled or closed, there should be no further access to data structures not owned by the receiver or the queue itself. However, there are a couple of places in KrpcDataStreamRecvr which violate this pattern:
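To make the ownership window concrete, here is an added example (not Impala code; the class names `Receiver`, `ExchangeNode`, `StreamMgr` and `NodeCounter` are stand-ins chosen for illustration). The receiver is co-owned through `shared_ptr` by a node and a manager, borrows a raw pointer to a node-owned resource, and follows the pattern stated above: once closed it touches nothing it does not own, so a batch delivered by the manager after the node has freed its resources is rejected instead of dereferencing freed memory.

```cpp
#include <cstddef>
#include <deque>
#include <memory>
#include <mutex>
#include <string>

// Hypothetical stand-ins for the Impala classes discussed above (names are
// assumptions, not Impala's own code). NodeCounter models a resource owned by
// the exchange node, e.g. a byte counter the receiver updates per batch.
struct NodeCounter {
  long bytes = 0;
};

// Co-owned receiver: node and manager each hold a shared_ptr to it, so it can
// outlive the node. It only *borrows* the node's counter.
class Receiver {
 public:
  explicit Receiver(NodeCounter* counter) : counter_(counter) {}

  // RPC path (called via the manager). May run after the node has closed.
  bool AddBatch(const std::string& batch) {
    std::lock_guard<std::mutex> l(lock_);
    // After close, nothing outside the receiver may be touched. In the unsafe
    // variant this check is absent and counter_ is dereferenced even though
    // the node has already freed it: that is the use-after-free.
    if (closed_) return false;
    queue_.push_back(batch);
    counter_->bytes += static_cast<long>(batch.size());
    return true;
  }

  // Called by the node *before* it frees its own resources.
  void Close() {
    std::lock_guard<std::mutex> l(lock_);
    closed_ = true;
    queue_.clear();
    counter_ = nullptr;  // drop the borrowed pointer; nothing may use it later
  }

  std::size_t queued() {
    std::lock_guard<std::mutex> l(lock_);
    return queue_.size();
  }

 private:
  std::mutex lock_;
  bool closed_ = false;
  std::deque<std::string> queue_;
  NodeCounter* counter_;
};

// Owner #1: creates the receiver and owns the counter it borrows.
struct ExchangeNode {
  std::unique_ptr<NodeCounter> counter = std::make_unique<NodeCounter>();
  std::shared_ptr<Receiver> recvr = std::make_shared<Receiver>(counter.get());
  void Close() {
    recvr->Close();   // detach the receiver first ...
    counter.reset();  // ... then free node-owned resources
  }
};

// Owner #2: delivers batches from RPC threads; keeps its own reference.
struct StreamMgr {
  std::shared_ptr<Receiver> recvr;
  bool Deliver(const std::string& batch) { return recvr->AddBatch(batch); }
};

struct ScenarioResult {
  long bytes_before_close;
  bool accepted_after_close;
  std::size_t queued_after_close;
};

// Scenario: batches flow while both owners are alive, the node closes, and the
// manager (still holding the receiver) delivers once more into the window.
ScenarioResult RunScenario() {
  ScenarioResult r{};
  ExchangeNode node;
  StreamMgr mgr{node.recvr};  // second reference to the receiver
  mgr.Deliver("hello");
  mgr.Deliver("world!");
  r.bytes_before_close = node.counter->bytes;     // 5 + 6 = 11
  node.Close();                                   // counter freed here
  r.accepted_after_close = mgr.Deliver("late");   // rejected, counter untouched
  r.queued_after_close = mgr.recvr->queued();     // queue was cleared on close
  return r;
}

int main() {
  ScenarioResult r = RunScenario();
  return (r.bytes_before_close == 11 && !r.accepted_after_close &&
          r.queued_after_close == 0) ? 0 : 1;
}
```

The ordering inside `ExchangeNode::Close()` is the point: the receiver must be told to release every borrowed pointer before the node destroys what those pointers refer to, and every entry point reachable from the other owner must check the closed flag under the same lock.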
In the long run, we really need to re-think this business of co-ownership and simplify the lifecycle management of a KrpcDataStreamRecvr object.
The bug above may lead to a crash like the following: