[SERVER-1860] BufBuilder copy, assignment double-frees memory Created: 27/Sep/10 Updated: 12/Jul/16 Resolved: 27/Sep/10 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 1.7.1 |
| Type: | Bug | Priority: | Minor - P4 |
| Reporter: | Matt Taylor | Assignee: | Alberto Lerner |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Operating System: | ALL |
| Participants: |
| Description |
|
This code issue is minor because it is not currently triggered by existing code. StringBuilder uses a BufBuilder (bson/util/builder.h) to manually manage a char buffer. The default copy constructor and operator= will shallow copy the data pointer, which will ultimately lead to freeing the memory multiple times. You can produce the issue with:
    // b d'tor frees b.data, which == a.data
    // c d'tor frees a.data again
  }
  // a d'tor frees a.data again |
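As an added illustration (not code from the MongoDB tree or from either commit linked in the comments), the following constructed C++ sketch models the defect described above and the two remedies the thread discusses: making the owning class explicitly non-copyable, and giving it a deep copy with copy-and-swap assignment. The `FreeTracker`, `ShallowBuf`, `NonCopyableBuf` and `DeepCopyBuf` names are this example's own. A tracking allocator stands in for malloc/free so that the double free is observable as a release count rather than as undefined behaviour (glibc would abort on the real thing).

```cpp
#include <cstddef>
#include <cstring>
#include <map>
#include <utility>

// Constructed stand-in for malloc/free: counts releases per buffer instead of
// freeing, so a double free shows up as a count of 2 or more.
class FreeTracker {
public:
    ~FreeTracker() { reset(); }
    char* alloc(std::size_t n) { char* p = new char[n]; releases_[p] = 0; return p; }
    void release(char* p) { ++releases_[p]; }            // real code would free(p)
    int releasesOf(char* p) const {
        auto it = releases_.find(p);
        return it == releases_.end() ? -1 : it->second;
    }
    // true iff every buffer handed out has been released exactly once
    bool everyBufferReleasedOnce() const {
        for (const auto& kv : releases_) if (kv.second != 1) return false;
        return true;
    }
    void reset() {
        for (auto& kv : releases_) delete[] kv.first;
        releases_.clear();
    }
private:
    std::map<char*, int> releases_;
};
static FreeTracker g_tracker;

// Models the bug: an owning raw pointer with the compiler-generated copy
// constructor and operator=, both of which copy the pointer, not the bytes.
class ShallowBuf {
public:
    explicit ShallowBuf(std::size_t n) : data_(g_tracker.alloc(n)), size_(n) {}
    ~ShallowBuf() { g_tracker.release(data_); }
    char* data() const { return data_; }
    std::size_t size() const { return size_; }
private:
    char* data_;
    std::size_t size_;
};

// Fix 1 (what the issue settled on): explicitly non-copyable, so
// `NonCopyableBuf b = a;` or `c = a;` fails to compile instead of double freeing.
class NonCopyableBuf {
public:
    explicit NonCopyableBuf(std::size_t n) : data_(g_tracker.alloc(n)), size_(n) {}
    ~NonCopyableBuf() { g_tracker.release(data_); }
    NonCopyableBuf(const NonCopyableBuf&) = delete;
    NonCopyableBuf& operator=(const NonCopyableBuf&) = delete;
    std::size_t size() const { return size_; }
private:
    char* data_;
    std::size_t size_;
};

// Fix 2 (the deep-copy alternative): copy the bytes, not the pointer.
// Assignment takes its argument by value and swaps, which makes
// self-assignment safe and releases the old buffer exactly once.
class DeepCopyBuf {
public:
    explicit DeepCopyBuf(std::size_t n) : data_(g_tracker.alloc(n)), size_(n) {}
    DeepCopyBuf(const DeepCopyBuf& o) : data_(g_tracker.alloc(o.size_)), size_(o.size_) {
        std::memcpy(data_, o.data_, size_);
    }
    DeepCopyBuf& operator=(DeepCopyBuf o) {   // o is a fresh deep copy
        std::swap(data_, o.data_);
        std::swap(size_, o.size_);
        return *this;                         // o's destructor releases our old buffer
    }
    ~DeepCopyBuf() { g_tracker.release(data_); }
private:
    char* data_;
    std::size_t size_;
};

// Reproduces the sequence from the description with ShallowBuf and returns how
// many times a's buffer is released: a, b and c all end up pointing at it.
int shallowCopyReleases() {
    g_tracker.reset();
    char* shared;
    {
        ShallowBuf a(16);
        ShallowBuf b = a;   // copy ctor: b.data_ == a.data_
        ShallowBuf c(16);
        c = a;              // operator=: c.data_ == a.data_; c's own buffer is leaked
        shared = a.data();
    }                       // c, b, a destroyed: the same pointer is released three times
    return g_tracker.releasesOf(shared);
}

// Same sequence with DeepCopyBuf, plus a self-assignment: every buffer released once.
bool deepCopyReleasesOnce() {
    g_tracker.reset();
    {
        DeepCopyBuf a(16);
        DeepCopyBuf b = a;
        DeepCopyBuf c(16);
        c = a;
        DeepCopyBuf& alias = c;
        c = alias;
    }
    return g_tracker.everyBufferReleasedOnce();
}

bool nonCopyableReleasesOnce() {
    g_tracker.reset();
    { NonCopyableBuf a(16); NonCopyableBuf b(32); }
    return g_tracker.everyBufferReleasedOnce();
}
```

`shallowCopyReleases()` returns 3 for the sequence in the description, while both fixed variants report every buffer released exactly once. In a real build the shallow version is what a sanitizer (ASan's "attempting double-free") or glibc's "double free or corruption" abort would catch; making the class non-copyable moves the error to compile time, which is why the thread preferred it.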
| Comments |
| Comment by Matt Taylor [ 29/Sep/10 ] |
|
I did the same for BufBuilder (used by StringBuilder to manage char buffer), and made kill() private because it invalidates the object http://github.com/tayls/mongo/commit/03861eaf216c678b4b7d6caaf1ef0446f6e00afd |
| Comment by Alberto Lerner [ 27/Sep/10 ] |
|
Matt, the class is better left non-copyable. But it's true that code like that should not shallow copy silently. I made the class explicitly non-copyable. |
| Comment by auto [ 27/Sep/10 ] |
|
Author: {'login': 'alerner', 'name': 'Alberto Lerner', 'email': 'alerner@10gen.com'} Message: |
| Comment by Matt Taylor [ 27/Sep/10 ] |
|
Issues can be fixed by pulling http://github.com/tayls/mongo/commit/e9b10a49d39200c3c97c48bbd0728b9fd7330d6f |