Subject: [boost] [interprocess] Severe bug in sp_counted_impl.hpp!
From: Lars Hagström (lars_at_[hidden])
Date: 2009-01-30 07:31:18
Hi,
I believe that there is a bug in sp_counted_impl_pd::destroy().
Currently the method looks like this:
    void destroy() // nothrow
    {
        //Self destruction, so get a copy of the allocator
        //(in the future we could move it)
        this_allocator a_copy(*this);
        BOOST_ASSERT(a_copy == *this);
        this_pointer this_ptr (this);
        //Do it now!
        scoped_ptr<this_type,
                   scoped_ptr_dealloc_functor<this_allocator> >
            (this_ptr, a_copy);
        typedef typename this_allocator::value_type value_type;
        detail::get_pointer(this_ptr)->~value_type();
    }
What I think is wrong is on the deallocator functor line.
I believe that it should read
        scoped_ptr<this_type,
                   scoped_ptr_dealloc_functor<this_allocator> >
            DEALLOCATOR(this_ptr, a_copy);
The missing thing is the name for the scoped_ptr instance (the one I
called DEALLOCATOR, to make it stand out). And since the name is missing
it will become an anonymous instance, which will be destroyed *before*
the destructor is called on this_ptr.
The upshot is that with the bug we deallocate the memory and then call
the destructor, rather than the opposite. If you're unlucky some other
thread/process has allocated that memory for some other use, and you
will then be running the destructor on that instead...
I'm writing a ticket on this as well, just so it doesn't get overlooked.
(If I'm wrong about all this my face will be red for a while...)
Cheers
Lars
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk
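The lifetime rule behind the report, as an added stand-alone example that is not Boost's code: an unnamed object built by a `T(args...)` expression statement is a temporary and is destroyed at the end of that full-expression, whereas a named local lives until its enclosing scope closes. The example below substitutes a small `DeallocGuard` RAII holder for `scoped_ptr<..., scoped_ptr_dealloc_functor<...>>` and a `TraceAllocator` whose `deallocate()` only records an event (it never frees memory), so the deliberately wrong ordering can be run without touching released storage. Both functions return the observed event sequence; `Payload`, `TraceAllocator`, `DeallocGuard` and `g_trace` are all constructed for this illustration.

```cpp
#include <new>
#include <string>
#include <vector>
#include <iostream>

// Event trace shared by the payload destructor and the toy allocator (constructed for this example).
static std::vector<std::string> g_trace;

struct Payload {
    ~Payload() { g_trace.push_back("dtor"); }
};

// Toy allocator: deallocate() only logs, so the wrong ordering below is still memory-safe to execute.
struct TraceAllocator {
    void deallocate(Payload*) { g_trace.push_back("dealloc"); }
};

// Minimal stand-in for scoped_ptr<T, scoped_ptr_dealloc_functor<Alloc>>:
// hands the pointer back to the allocator when the guard itself is destroyed.
template <class Alloc>
struct DeallocGuard {
    Payload* p;
    Alloc a;
    DeallocGuard(Payload* ptr, Alloc alloc) : p(ptr), a(alloc) {}
    ~DeallocGuard() { a.deallocate(p); }
    DeallocGuard(const DeallocGuard&) = delete;
    DeallocGuard& operator=(const DeallocGuard&) = delete;
};

// Static storage for one Payload, constructed with placement new so no heap is involved.
alignas(Payload) static unsigned char g_storage[sizeof(Payload)];

// Mirrors the reported destroy(): the guard expression has no name, so it is a
// temporary whose destructor runs at the ';', i.e. before ~Payload() below.
std::vector<std::string> destroy_unnamed() {
    g_trace.clear();
    Payload* this_ptr = new (g_storage) Payload;
    TraceAllocator a_copy;
    DeallocGuard<TraceAllocator>(this_ptr, a_copy); // temporary: "dealloc" logged right here
    this_ptr->~Payload();                           // "dtor" logged after the memory was handed back
    return g_trace;                                 // {"dealloc", "dtor"}: destructor ran on released storage
}

// The proposed fix: a named guard lives until its scope closes, so the
// destructor runs first and the deallocation follows.
std::vector<std::string> destroy_named() {
    g_trace.clear();
    Payload* this_ptr = new (g_storage) Payload;
    TraceAllocator a_copy;
    {
        DeallocGuard<TraceAllocator> deallocator(this_ptr, a_copy); // named: lives to the closing brace
        this_ptr->~Payload();                                      // "dtor" logged first
    }                                                              // ~DeallocGuard: "dealloc" logged second
    return g_trace;                                                // {"dtor", "dealloc"}
}

static void print_trace(const char* label, const std::vector<std::string>& events) {
    std::cout << label << ":";
    for (const std::string& e : events) std::cout << ' ' << e;
    std::cout << '\n';
}

int main() {
    print_trace("unnamed guard (reported code)", destroy_unnamed());
    print_trace("named guard (proposed fix)   ", destroy_named());
    return 0;
}
```

The two-argument `DeallocGuard<TraceAllocator>(this_ptr, a_copy);` form is parsed as an expression statement rather than a declaration (a parenthesised declarator cannot hold two names), which is exactly why the original line compiles silently while ordering the deallocation before the destructor; with a real allocator that ordering is a use-after-free on whatever now occupies that block, and in the shared-memory setting of the report the new occupant may belong to another process.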