[SERVER-70379] Coverity analysis defect 128813: Wrapper object use after free Created: 08/Oct/22 Updated: 08/Apr/23 Resolved: 02/Nov/22 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Coverity Collector User | Assignee: | Christopher Caplinger |
| Resolution: | Won't Fix | Votes: | 0 |
| Labels: | coverity | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Operating System: | ALL | ||||||||
| Sprint: | Server Serverless 2022-10-17, Server Serverless 2022-10-31, Server Serverless 2022-11-14 | ||||||||
| Description |
|
Wrapper object use after free. A use after free bug would occur if the internal pointer is used. An internal pointer of a wrapper object remains available after the object is freed. |
| Comments |
| Comment by Christopher Caplinger [ 02/Nov/22 ] |
|
False positive. As written, this can't actually cause a use after free. |
| Comment by Suganthi Mani [ 10/Oct/22 ] |
|
Yes, we conditionally reset. And I still think it's a false positive. We reset the _opCtx only if the _opCtx's getOpID() matches localOpCtx's getOpID(). |
| Comment by Eric Milkie [ 10/Oct/22 ] |
|
I think the problem is that the ON_BLOCK_EXIT you linked does not definitively reset the _opCtx pointer. It conditionally does it. |
| Comment by Suganthi Mani [ 10/Oct/22 ] |
|
This seems to be a false positive as we have this ON_BLOCK_EXIT() logic which resets the _opCtx before the local opCtx goes out of scope. |
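
The pattern the comments above describe, as a simplified model added here (not MongoDB's code and not part of the original ticket): a wrapper borrows a raw pointer to a scoped object, and a scope guard clears it only when the IDs match. `Wrapper`, `ScopeGuard` and `runOperation` are hypothetical names, and the model assumes operation IDs are unique.

```cpp
#include <cstdint>
#include <functional>
#include <utility>

// Hypothetical stand-in for an operation context; only its ID matters here.
class OperationContext {
public:
    explicit OperationContext(std::uint64_t id) : _id(id) {}
    std::uint64_t getOpID() const { return _id; }
private:
    std::uint64_t _id;
};

// Minimal scope guard in the spirit of ON_BLOCK_EXIT (not MongoDB's implementation).
class ScopeGuard {
public:
    explicit ScopeGuard(std::function<void()> f) : _f(std::move(f)) {}
    ~ScopeGuard() { _f(); }
    ScopeGuard(const ScopeGuard&) = delete;
    ScopeGuard& operator=(const ScopeGuard&) = delete;
private:
    std::function<void()> _f;
};

// Hypothetical long-lived wrapper borrowing a pointer to a shorter-lived object.
struct Wrapper {
    OperationContext* _opCtx = nullptr;
};

// A non-null `replacement` models _opCtx being re-pointed at another live context.
void runOperation(Wrapper& w, std::uint64_t id, OperationContext* replacement) {
    OperationContext localOpCtx(id);
    w._opCtx = &localOpCtx;
    // Declared after localOpCtx, so it runs before localOpCtx is destroyed.
    ScopeGuard guard([&] {
        if (w._opCtx && w._opCtx->getOpID() == localOpCtx.getOpID())
            w._opCtx = nullptr;  // conditional reset
    });
    if (replacement)
        w._opCtx = replacement;
}

int main() {
    Wrapper w;
    runOperation(w, 1, nullptr);  // pointer still refers to the local: reset
    OperationContext other(2);    // constructed sample context
    runOperation(w, 1, &other);   // pointer was re-pointed: left alone
    return (w._opCtx == &other) ? 0 : 1;
}
```

In this model, whenever `_opCtx` still points at `localOpCtx` the ID comparison is trivially true, so the guard clears it before the local is destroyed. The branch a static analyzer cannot rule out is the one where the IDs differ, which here only happens when the pointer already refers to a different object.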