The Matcher manages memory for its _where object manually, with an explicit delete call in ~Matcher(). It is possible for a query validation error to trigger an exception in the Matcher() constructor after _where has been allocated. In this case, the _where object is never deallocated because the ~Matcher() destructor is never called.
The Where object will not yet have set up a JavaScript scope in this case (so no scope will be leaked). But the small Where object will be leaked, and if a user repeatedly sends bad queries these leaks will add up.
Test
t = db.t;
t.drop();

// Does not leak.
t.find( { $where:'true', a:{ $mod:[ 1 /* valid arg */, 0 ] } } ).itcount();

// Leaks, because $mod validation fails inside Matcher() constructor and _where is never deallocated.
t.find( { $where:'true', a:{ $mod:[ 0 /* invalid arg */, 0 ] } } ).itcount();
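The constructor-throw leak described above, reduced to a standalone C++ sketch next to a version whose member owns the allocation. This is an added example, not the server's code: Where, LeakyMatcher, SafeMatcher, validateMod and leakedAfterQueries are hypothetical stand-ins, and the live-instance counter exists only to make the leak observable.

```cpp
#include <memory>
#include <stdexcept>

// Stand-in for the small Where object; counts live instances.
struct Where {
    static int live;
    Where() { ++live; }
    ~Where() { --live; }
};
int Where::live = 0;

// Stand-in for query validation such as the $mod argument check.
static void validateMod(int divisor) {
    if (divisor == 0) throw std::invalid_argument("invalid $mod divisor");
}

// Pattern from the report: raw owning pointer, released only in the destructor.
class LeakyMatcher {
public:
    LeakyMatcher(bool hasWhere, int divisor) : _where(nullptr) {
        if (hasWhere) _where = new Where();
        validateMod(divisor);  // a throw here means ~LeakyMatcher() never runs
    }
    ~LeakyMatcher() { delete _where; }
private:
    Where* _where;
};

// Owning member: fully constructed members are destroyed during unwinding,
// even though the enclosing object's destructor is not called.
class SafeMatcher {
public:
    SafeMatcher(bool hasWhere, int divisor) {
        if (hasWhere) _where.reset(new Where());
        validateMod(divisor);
    }
private:
    std::unique_ptr<Where> _where;
};

// Runs n queries with the given $mod divisor; returns how many Where objects leaked.
template <class M>
int leakedAfterQueries(int n, int divisor) {
    int before = Where::live;
    for (int i = 0; i < n; ++i) {
        try { M m(true, divisor); } catch (const std::invalid_argument&) {}
    }
    return Where::live - before;
}
```
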