[Boost-bugs] [Boost C++ Libraries] #9940: bad bug in intrusive list with safe_link (or auto_unlink) hooks

Subject: [Boost-bugs] [Boost C++ Libraries] #9940: bad bug in intrusive list with safe_link (or auto_unlink) hooks
From: Boost C++ Libraries (noreply_at_[hidden])
Date: 2014-04-23 06:10:29


#9940: bad bug in intrusive list with safe_link (or auto_unlink) hooks
--------------------------------------+------------------------
 Reporter: Matei David <matei@…> | Owner: igaztanaga
     Type: Bugs | Status: new
Milestone: To Be Determined | Component: intrusive
  Version: Boost 1.55.0 | Severity: Problem
 Keywords: intrusive list safe_link |
--------------------------------------+------------------------
 Looking at `class list_impl` inside `list.hpp`:
 - the header node is stored as a data **member** somewhere inside
 `list_impl::data_`;
 - however, the class **inherits** from `detail::clear_on_destructor_base`.

 This is really bad. During destruction, the header is deallocated first
 (as a data member), and after, the destructor of
 `clear_on_destructor_base` attempts to clear the list.

 To replicate the bug, use `safe_link` hooks, and have the node/value
 destructor clear the list pointers. The base class destructor calls
 `clear()`, which calls `clear_and_dispose()`, which forms iterator `it` by
 following the header pointer (which is zeroed by then). Incrementing `it`
 results in SEGV.

 The same probably happens with `auto_unlink` hooks which also trigger
 post-mortem destruction from the base class.

-- 
Ticket URL: <https://svn.boost.org/trac/boost/ticket/9940>
Boost C++ Libraries <http://www.boost.org/>
Boost provides free peer-reviewed portable C++ source libraries.
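The root cause described in the ticket is the C++ destruction order rule: a derived object's data members are destroyed before the body of its base class destructor runs, so any clean-up the base destructor triggers sees an already-destroyed member. The following is an added illustration (not Boost code, not from the reporter) that logs that order with stand-in types: `ClearOnDestructorBase`, `Header`, `ListBuggyLayout` and `ListClearsInOwnDtor` are hypothetical names chosen for the example, and the "header" here is a plain logging object rather than a real list node. It deliberately never touches the destroyed member; the log alone shows why the pattern is unsafe, and the second layout shows one way to keep the clear-out ahead of the member's destruction.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Constructed for this example: records destructor events in order.
using EventLog = std::vector<std::string>;

// Hypothetical stand-in for a base class whose destructor performs clean-up
// (the ticket's clear_on_destructor_base calls clear() from its destructor).
struct ClearOnDestructorBase {
    EventLog* log;
    explicit ClearOnDestructorBase(EventLog* l) : log(l) {}
    ~ClearOnDestructorBase() { log->push_back("base dtor body (clear would run here)"); }
};

// Hypothetical stand-in for the list header stored as a data member.
struct Header {
    EventLog* log;
    explicit Header(EventLog* l) : log(l) {}
    ~Header() { log->push_back("header member dtor"); }
};

// Layout from the ticket: header is a member, clearing hook lives in the base.
// Members are destroyed before the base destructor body runs, so by the time
// the base would call clear(), data_ is already gone.
struct ListBuggyLayout : ClearOnDestructorBase {
    Header data_;
    explicit ListBuggyLayout(EventLog* l) : ClearOnDestructorBase(l), data_(l) {}
};

// Alternative layout: the owning class runs clear() in its own destructor body,
// which executes while data_ is still alive.
struct ListClearsInOwnDtor {
    EventLog* log;
    Header data_;
    explicit ListClearsInOwnDtor(EventLog* l) : log(l), data_(l) {}
    void clear() { log->push_back("clear() with live header"); }
    ~ListClearsInOwnDtor() { clear(); }
};

// Destroy one object of each layout and return the order of events observed.
EventLog destroy_buggy_layout() {
    EventLog log;
    { ListBuggyLayout l(&log); }  // destroyed at end of scope
    return log;
}

EventLog destroy_fixed_layout() {
    EventLog log;
    { ListClearsInOwnDtor l(&log); }
    return log;
}

// True when clean-up happened before the header member was destroyed.
bool clears_before_header_destroyed(const EventLog& log) {
    return log.size() == 2 && log[1] == "header member dtor";
}

int main() {
    for (const auto& e : destroy_buggy_layout()) std::cout << "buggy: " << e << '\n';
    for (const auto& e : destroy_fixed_layout()) std::cout << "fixed: " << e << '\n';
    return 0;
}
```

Running it prints the buggy layout's events as "header member dtor" followed by "base dtor body", which is exactly the window in which the ticket's `clear()` dereferences a header that no longer exists; the second layout logs the clear-out first.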
