From d3510f45cd6ae0789eeca2f1895abd0c21428153 Mon Sep 17 00:00:00 2001
From: Yixuan Wang <wangyixuan@selectdb.com>
Date: Mon, 16 Mar 2026 22:28:17 +0800
Subject: [PATCH] [fix](sync_point) Fix heap-use-after-free in SyncPoint during
 program exit (#61040)

### What problem does this PR solve?

The SyncPoint singleton was being destroyed during program exit while
background bthread timers were still accessing it, causing
heap-use-after-free.

Changed get_instance() to return a never-destructed heap-allocated
pointer
instead of a stack-allocated static object to prevent destruction order
issues.

This is a standard pattern for singletons accessed by background
threads.

```
11:47:40       #0 0x5582a963153d in operator new(unsigned long) (/root/doris/cloud/ut_build_ASAN/test/recycler_test+0x122b53d) (BuildId: 1191affa24589f52)
11:47:40       #1 0x5582ab0aa52f in doris::SyncPoint::SyncPoint() /root/doris/common/cpp/sync_point.cpp:77:9
11:47:40       #2 0x5582ab0aa46b in doris::SyncPoint::get_instance() /root/doris/common/cpp/sync_point.cpp:73:20
11:47:40       #3 0x5582aae33ee8 in doris::cloud::memkv::Transaction::get(std::basic_string_view<char, std::char_traits<char>>, std::basic_string_view<char, std::char_traits<char>>, std::unique_ptr<doris::cloud::RangeGetIterator, std::default_delete<doris::cloud::RangeGetIterator>>*, bool, int) /root/doris/cloud/src/meta-store/mem_txn_kv.cpp:276:5
11:47:40       #4 0x5582a968f49f in doris::cloud::txn_get(doris::cloud::TxnKv*, std::basic_string_view<char, std::char_traits<char>>, std::basic_string_view<char, std::char_traits<char>>, std::unique_ptr<doris::cloud::RangeGetIterator, std::default_delete<doris::cloud::RangeGetIterator>>&) /root/doris/cloud/src/recycler/recycler.cpp:99:18
11:47:40       #5 0x5582a9657090 in doris::cloud::InstanceRecycler::scan_and_recycle(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::basic_string_view<char, std::char_traits<char>>, std::function<int (std::basic_string_view<char, std::char_traits<char>>, std::basic_string_view<char, std::char_traits<char>>)>, std::function<int ()>) /root/doris/cloud/src/recycler/recycler.cpp:2976:23
11:47:40       #6 0x5582a9686153 in doris::cloud::InstanceRecycler::recycle_rowsets() /root/doris/cloud/src/recycler/recycler.cpp:2587:15
11:47:40       #7 0x5582a96a8d47 in doris::cloud::RecyclerTest_recycle_empty_Test::TestBody() /root/doris/cloud/test/recycler_test.cpp:1136:5
```
---
 common/cpp/sync_point.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/common/cpp/sync_point.cpp b/common/cpp/sync_point.cpp
index 02bdce1ec3487a..209d5dcf0d5df9 100644
--- a/common/cpp/sync_point.cpp
+++ b/common/cpp/sync_point.cpp
@@ -70,8 +70,8 @@ struct SyncPoint::Data { // impl
 };
 
 SyncPoint* SyncPoint::get_instance() {
-  static SyncPoint sync_point;
-  return &sync_point;
+  static auto* sync_point = new SyncPoint();
+  return sync_point;
 }
 SyncPoint::SyncPoint() : 
   impl_(new Data) {