The BSONObjBuilder declared in ObjectWrapper::toBSON needs to remain in scope until after all of the WriteFieldRecursionFrame objects in the 'frames' LifetimeStack are destroyed, because each frame, when destroyed, may write to memory owned by the BSONObjBuilder.

Unfortunately, the BSONObjBuilder is declared after the frames object. So, normal object destruction sequencing means that the BSONObjBuilder will be destroyed before the frames, leading to a use after free.

Note that during normal processing, this won't happen, as the loop that comprises the primary body of the function pops (and destroys) all frames before leaving the function. In that case, any frames that had referenced the BSONObjBuilder have already been destroyed.

However, if the function is exited via an exception, as would happen if the object being walked was circular, then the frames have not all been popped, and the incorrect object sequencing will result in a use-after-free.