[CXX-1] invalid use of DBClientBase object with DBClientCursor destructor that is tracked by v8 Created: 17/Jan/14  Updated: 10/Apr/14  Resolved: 17/Jan/14

Status: Closed
Project: C++ Driver
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Zardosht Kasheff Assignee: Unassigned
Resolution: Duplicate Votes: 0
Labels: legacy-cxx
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates SERVER-11741 invalid use of DBClientBase object wi... Closed

Description

I opened this originally under Core Server with Server-11741. I think this is where it belongs?

In engine_v8.h, the following (global?) variables are used to track objects referenced by v8:
ObjTracker<BSONHolder> bsonHolderTracker;
ObjTracker<DBClientWithCommands> dbClientWithCommandsTracker;
ObjTracker<DBClientBase> dbClientBaseTracker;
ObjTracker<DBClientCursor> dbClientCursorTracker;
Objects tracked by these are deleted by v8 with the callback deleteOnCollect.

The problem is that the dbClientCursorTracker may have references to DBClientCursors that reference an instance of a DBClientBase that is also tracked by v8. If v8 decides to delete the DBClientBase before an associated DBClientCursor, then the DBClientCursor will have a pointer to a DBClientBase that has already been deleted. The destructor will then crash on the following code:
_client->sayPiggyBack( m );

So, suppose we have a DBClientBase* foo, and DBClientCursor* bar, both of which are tracked by v8, and that bar->_client == foo. If v8 destroys foo before bar, then the client may crash when destroying bar, due to bar's now bad reference to foo.
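The ordering hazard described above, as an added example that is not part of the report or the driver: constructed stand-ins for DBClientBase and DBClientCursor, the raw back-pointer shape beside a hardened one that observes the client through a `std::weak_ptr` (one assumed fix, not the project's), with the two finalizer orders run explicitly.

```cpp
#include <memory>

// Constructed stand-ins for DBClientBase and DBClientCursor; not driver code.
struct Client {                       // plays the role of DBClientBase
    int& sent;                        // counts messages sent through this client
    explicit Client(int& counter) : sent(counter) {}
    void sayPiggyBack() { ++sent; }
};

// The shape described in the report: a raw back-pointer that the destructor
// dereferences. If the client's finalizer ran first, this dereference is a
// use-after-free, so this type is shown only and never destroyed in that order.
struct RawCursor {
    Client* client;
    explicit RawCursor(Client* c) : client(c) {}
    ~RawCursor() { client->sayPiggyBack(); }   // crashes if *client is gone
};

// Hardened shape (one possible fix, assumed here): the cursor observes the
// client through a weak_ptr, so a destructor that runs after the client has
// been collected detects that and skips the piggyback message instead.
struct SafeCursor {
    std::weak_ptr<Client> client;
    int& skipped;                     // counts destructors that found no client
    SafeCursor(const std::shared_ptr<Client>& c, int& counter)
        : client(c), skipped(counter) {}
    ~SafeCursor() {
        if (auto c = client.lock()) c->sayPiggyBack();
        else ++skipped;
    }
};

struct Outcome { int sent; int skipped; };

// Runs the two finalizers in the given order, mirroring v8 calling
// deleteOnCollect in whatever order it chooses, and reports what the cursor
// destructor did. clientFirst == true is the ordering the report describes.
Outcome finalize(bool clientFirst) {
    Outcome out{0, 0};
    auto client = std::make_shared<Client>(out.sent);
    auto cursor = std::make_unique<SafeCursor>(client, out.skipped);
    if (clientFirst) { client.reset(); cursor.reset(); }  // client gone first
    else             { cursor.reset(); client.reset(); }  // normal order
    return out;
}

int main() {
    return (finalize(true).skipped == 1 && finalize(false).sent == 1) ? 0 : 1;
}
```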



Comments
Comment by Andrew Morrow (Inactive) [ 17/Jan/14 ]

Hi -

The engine_v8.h code is part of the core server, so the SERVER-11741 is actually where this belongs.

Generated at Wed Feb 07 21:57:54 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.