From 6049c3552816c21a7c17a9d0e877a1132897abb1 Mon Sep 17 00:00:00 2001
From: Anthony Shoumikhin <shoumikhin@meta.com>
Date: Fri, 13 Sep 2024 17:37:57 -0700
Subject: [PATCH] Fix EValue construction from a smart pointer. (#5357)

Summary:
Pull Request resolved: https://github.com/pytorch/executorch/pull/5357

The move constructor invoked by `*this =` expression tries to `destroy()` the `this` first, but it's not yet initialized.

For example, if the tag is randomly `Tag::ListTensor`, `destroy()` will try to iterate over and destroy a list of tensors. But since the memory is uninitialized, it will typically crash or corrupt memory.

Reviewed By: dbort

Differential Revision: D62658327
---
 runtime/core/evalue.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/runtime/core/evalue.h b/runtime/core/evalue.h
index c0c534e0692..d2e57c35d4d 100644
--- a/runtime/core/evalue.h
+++ b/runtime/core/evalue.h
@@ -248,7 +248,9 @@ struct EValue {
           decltype(*std::forward<T>(value)),
           EValue>::value>::type* = 0) {
     ET_CHECK_MSG(value != nullptr, "Pointer is null.");
-    *this = EValue(*std::forward<T>(value));
+    // Note that this ctor does not initialize this->tag directly; it is set by
+    // moving in the new value.
+    moveFrom(*std::forward<T>(value));
   }
 
   // Delete constructor for raw pointers to ensure they cannot be used.