- Type: Bug
- Resolution: Done
- Priority: Major - P3
- Affects Version/s: None
- Component/s: Querying
The Matcher manages memory for its _where object manually, with an explicit delete call in ~Matcher(). It is possible for a query validation error to trigger an exception in the Matcher() constructor after _where has been allocated. In this case, the _where object is never deallocated because the ~Matcher() destructor is never called.
The Where object will not yet have set up a JavaScript scope in this case (so no scope will be leaked), but the small Where object itself will be leaked, and if a user repeatedly sends bad queries these leaks will add up.
Test

t = db.t;
t.drop();
// Does not leak.
t.find( { $where:'true', a:{ $mod:[ 1 /* valid arg */, 0 ] } } ).itcount();
// Leaks, because $mod validation fails inside Matcher() constructor and _where is never deallocated.
t.find( { $where:'true', a:{ $mod:[ 0 /* invalid arg */, 0 ] } } ).itcount();
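The constructor-throws-after-allocation pattern described above, reduced to a self-contained C++ illustration. This is an added example, not MongoDB's Matcher code: the Where, LeakyMatcher and SafeMatcher types, the validateMod stand-in for $mod validation, and the g_liveWhere counter are all hypothetical, constructed so the leak can be observed and the RAII fix (a unique_ptr member instead of a raw pointer plus manual delete) can be checked alongside it.

```cpp
#include <memory>
#include <stdexcept>
#include <string>

// Live count of Where objects, used only to observe leaks (constructed).
static int g_liveWhere = 0;

struct Where {
    std::string code;
    explicit Where(const std::string& c) : code(c) { ++g_liveWhere; }
    ~Where() { --g_liveWhere; }
};

// Stand-in for $mod argument validation: a zero divisor is rejected.
static void validateMod(int divisor) {
    if (divisor == 0) throw std::runtime_error("bad $mod argument");
}

// Leaky pattern from the report: raw pointer freed in the destructor. If the
// constructor throws after _where is allocated, ~LeakyMatcher() never runs.
class LeakyMatcher {
    Where* _where;
public:
    LeakyMatcher(const std::string& js, int modDivisor) : _where(new Where(js)) {
        validateMod(modDivisor);  // may throw after the allocation above
    }
    ~LeakyMatcher() { delete _where; }
};

// RAII fix: a unique_ptr member is a fully constructed subobject, so
// stack unwinding destroys it even when the constructor body throws.
class SafeMatcher {
    std::unique_ptr<Where> _where;
public:
    SafeMatcher(const std::string& js, int modDivisor) : _where(new Where(js)) {
        validateMod(modDivisor);
    }
};

// Number of Where objects still alive after a matcher is built with the
// invalid $mod argument from the report's test; 0 means nothing leaked.
template <class M>
int leakedAfterBadQuery() {
    int before = g_liveWhere;
    try { M m("true", 0); (void)m; } catch (const std::runtime_error&) {}
    return g_liveWhere - before;
}

int leakedByLeakyMatcher() { return leakedAfterBadQuery<LeakyMatcher>(); }
int leakedBySafeMatcher()  { return leakedAfterBadQuery<SafeMatcher>(); }
```

Running the same bad query through both classes shows one Where object lost per failed validation with the raw-pointer version and none with the unique_ptr version.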