[SERVER-11741] invalid use of DBClientBase object with DBClientCursor destructor that is tracked by v8 Created: 16/Nov/13  Updated: 14/Apr/16  Resolved: 01/Feb/16

Status: Closed
Project: Core Server
Component/s: JavaScript
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Zardosht Kasheff Assignee: DO NOT USE - Backlog - Platform Team
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
is duplicated by CXX-1 invalid use of DBClientBase object wi... Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Participants:

 Description   

In engine_v8.h, the following (global?) variables are used to track objects referenced by v8:
ObjTracker<BSONHolder> bsonHolderTracker;
ObjTracker<DBClientWithCommands> dbClientWithCommandsTracker;
ObjTracker<DBClientBase> dbClientBaseTracker;
ObjTracker<DBClientCursor> dbClientCursorTracker;

Objects tracked by these are deleted by v8 with the callback deleteOnCollect.

The problem is that the dbClientCursorTracker may have references to DBClientCursors that reference an instance of a DBClientBase that is also tracked by v8. If v8 decides to delete the DBClientBase before an associated DBClientCursor, then the DBClientCursor will have a pointer to a DBClientBase that has already been deleted. The destructor will then crash on the following code:
_client->sayPiggyBack( m );

So, suppose we have a DBClientBase* foo, and DBClientCursor* bar, both of which are tracked by v8, and that bar->_client == foo. If v8 destroys foo before bar, then the client may crash when destroying bar, due to bar's now bad reference to foo.
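The ordering problem above, as an added C++ model that is not MongoDB's code: Client, Tracker, RawCursor, ClientHandle and SafeCursor are hypothetical stand-ins for DBClientBase, ObjTracker and DBClientCursor, and the "garbage collector" is simulated by deleting each tracker's objects in the order the report describes (client first, cursor second). Because a real dereference of the freed client would be undefined behaviour, the model keeps a registry of live clients and counts the dangling sayPiggyBack instead of crashing; the hardened variant gives the cursor shared ownership of the client so the client cannot be freed while a cursor still points at it.

```cpp
#include <cstdio>
#include <memory>
#include <set>
#include <utility>
#include <vector>

// Registry of live Client objects. It lets the cursor destructor detect a
// dangling _client without dereferencing freed memory (which would be UB).
static std::set<const void*> g_liveClients;
static int g_danglingPiggyBacks = 0;  // sayPiggyBack attempted on a dead client
static int g_goodPiggyBacks = 0;      // sayPiggyBack on a live client

// Hypothetical stand-in for DBClientBase.
struct Client {
    Client() { g_liveClients.insert(this); }
    ~Client() { g_liveClients.erase(this); }
    void sayPiggyBack() { ++g_goodPiggyBacks; }
};

// Hypothetical stand-in for ObjTracker: v8 ends up owning these raw pointers
// and deletes them (deleteOnCollect) in whatever order the GC chooses.
template <class T>
struct Tracker {
    std::vector<T*> objs;
    void track(T* p) { objs.push_back(p); }
    void collectAll() {
        for (T* p : objs) delete p;
        objs.clear();
    }
};

// Vulnerable cursor: a raw back-pointer, like DBClientCursor::_client in the report.
struct RawCursor {
    Client* _client;
    explicit RawCursor(Client* c) : _client(c) {}
    ~RawCursor() {
        // The real destructor does _client->sayPiggyBack(m). If the client was
        // already collected that is a use-after-free; here we count it instead.
        if (g_liveClients.count(_client)) _client->sayPiggyBack();
        else ++g_danglingPiggyBacks;
    }
};

// Reproduces the ordering from the report: foo (client) is collected before
// bar (cursor). Returns the number of dangling sayPiggyBack calls.
int runVulnerable() {
    g_danglingPiggyBacks = g_goodPiggyBacks = 0;
    Tracker<Client> clientTracker;
    Tracker<RawCursor> cursorTracker;
    Client* foo = new Client();
    RawCursor* bar = new RawCursor(foo);
    clientTracker.track(foo);
    cursorTracker.track(bar);
    clientTracker.collectAll();  // foo deleted; bar->_client now dangles
    cursorTracker.collectAll();  // ~RawCursor touches the dead foo
    return g_danglingPiggyBacks;
}

// Hardened variant: the cursor shares ownership of the client, so the client
// cannot be destroyed while any cursor still refers to it, whatever order
// the wrappers are collected in.
struct ClientHandle {  // what v8 would track instead of a bare Client*
    std::shared_ptr<Client> client;
    explicit ClientHandle(std::shared_ptr<Client> c) : client(std::move(c)) {}
};

struct SafeCursor {
    std::shared_ptr<Client> _client;
    explicit SafeCursor(std::shared_ptr<Client> c) : _client(std::move(c)) {}
    ~SafeCursor() { _client->sayPiggyBack(); }  // always a live object
};

// Same collection order as runVulnerable; returns the dangling count, or -1 if
// the client was wrongly freed by the first collection.
int runHardened() {
    g_danglingPiggyBacks = g_goodPiggyBacks = 0;
    Tracker<ClientHandle> clientTracker;
    Tracker<SafeCursor> cursorTracker;
    auto foo = std::make_shared<Client>();
    clientTracker.track(new ClientHandle(foo));
    cursorTracker.track(new SafeCursor(foo));
    foo.reset();                 // only the two tracked wrappers hold references now
    clientTracker.collectAll();  // drops one reference; the Client survives
    bool clientAlive = g_liveClients.size() == 1;
    cursorTracker.collectAll();  // piggyback on a live client, then the last ref frees it
    return clientAlive ? g_danglingPiggyBacks : -1;
}

int main() {
    std::printf("vulnerable: %d dangling piggybacks\n", runVulnerable());
    std::printf("hardened:   %d dangling piggybacks\n", runHardened());
    return 0;
}
```

If a cursor must not extend the client's lifetime (for example because the client wraps a socket that should close as soon as the script drops it), the alternative is a std::weak_ptr in the cursor and a lock() in the destructor that skips the piggyback when the client is already gone; either way the fix is to make the cursor's back-reference ownership-aware rather than to rely on the collector's destruction order.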



 Comments   
Comment by Mira Carey [ 01/Feb/16 ]

ObjTracker is no longer used in our js integration.

Nothing equivalent exists for spidermonkey.

Generated at Thu Feb 08 03:26:39 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.