[SERVER-1860] BufBuilder copy, assignment memory double-frees memory
Created: 27/Sep/10  Updated: 12/Jul/16  Resolved: 27/Sep/10

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 1.7.1

Type: Bug
Priority: Minor - P4
Reporter: Matt Taylor
Assignee: Alberto Lerner
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Operating System: ALL
Participants:

 Description   

This code issue is minor because it is not currently triggered by existing code.

StringBuilder uses a BufBuilder (bson/util/builder.h) to manually manage a char buffer. The default copy constructor and operator= will shallow copy the data pointer, which will ultimately lead to freeing the memory multiple times. You can produce the issue with:
{
    StringBuilder a;

    { StringBuilder b = a; }
    // b d'tor frees b.data, which == a.data

    { StringBuilder c(a); }
    // c d'tor frees a.data again

} // a d'tor frees a.data again



 Comments   
Comment by Matt Taylor [ 29/Sep/10 ]

I did the same for BufBuilder (used by StringBuilder to manage char buffer), and made kill() private because it invalidates the object

http://github.com/tayls/mongo/commit/03861eaf216c678b4b7d6caaf1ef0446f6e00afd

Comment by Alberto Lerner [ 27/Sep/10 ]

Matt, the class is better left non-copyable. But it's true that code like that should not shallow copy silently. I made the class explicitly non-copyable.

Comment by auto [ 27/Sep/10 ]

Author: Alberto Lerner (alerner) <alerner@10gen.com>

Message: SERVER-1860 Stringbuilder is non-copyable
http://github.com/mongodb/mongo/commit/4b56d14a15baf9853df4c74a5fcfa0c32845842b

Comment by Matt Taylor [ 27/Sep/10 ]

Issues can be fixed by pulling http://github.com/tayls/mongo/commit/e9b10a49d39200c3c97c48bbd0728b9fd7330d6f
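
The double free from the description and the non-copyable fix from the comments, as an added example that is not MongoDB's code or either commit linked above. `ShallowBuf`, `NonCopyableBuf` and the tracking allocator are hypothetical stand-ins constructed here; the allocator counts a repeated release instead of performing it, and C++11 `= delete` is used as one way to make a class non-copyable.

```cpp
#include <cstdlib>
#include <set>
#include <type_traits>

// Tracking allocator (constructed for this example): a second release of the
// same pointer is counted rather than passed to free().
static std::set<void*> g_freed;
static int g_double_frees = 0;

static void* tracked_alloc(std::size_t n) {
    void* p = std::malloc(n);
    g_freed.erase(p);            // an address may legitimately be reused
    return p;
}

static void tracked_free(void* p) {
    if (!g_freed.insert(p).second) { ++g_double_frees; return; }
    std::free(p);
}

// Owns a raw pointer but keeps the compiler-generated shallow copy operations.
struct ShallowBuf {
    char* data;
    ShallowBuf() : data(static_cast<char*>(tracked_alloc(512))) {}
    ~ShallowBuf() { tracked_free(data); }
};

// Same ownership with the copy operations removed: copying fails to compile.
struct NonCopyableBuf {
    char* data;
    NonCopyableBuf() : data(static_cast<char*>(tracked_alloc(512))) {}
    ~NonCopyableBuf() { tracked_free(data); }
    NonCopyableBuf(const NonCopyableBuf&) = delete;
    NonCopyableBuf& operator=(const NonCopyableBuf&) = delete;
};
static_assert(!std::is_copy_constructible<NonCopyableBuf>::value, "no copy");
static_assert(!std::is_copy_assignable<NonCopyableBuf>::value, "no assignment");

// Replays the ticket's sequence; returns the number of redundant frees.
int replay_ticket_sequence() {
    g_double_frees = 0;
    {
        ShallowBuf a;
        { ShallowBuf b = a; }    // b's destructor releases a.data
        { ShallowBuf c(a); }     // same pointer released a second time
    }                            // a's destructor: third release
    return g_double_frees;
}

int main() { return replay_ticket_sequence() == 2 ? 0 : 1; }
```

Replacing either `ShallowBuf` copy with `NonCopyableBuf` turns the runtime heap corruption into a compile error, which is the behaviour the resolution comment describes.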
