Boost C++ Libraries: Ticket #2700: Severe bug in interprocess/smart_ptr/detail/sp_counted_impl.hpp
https://svn.boost.org/trac10/ticket/2700
<p> I believe that there is a bug in sp_counted_impl_pd::destroy(). Currently the method looks like this: </p>
<pre class="wiki">void destroy() // nothrow
{
   //Self destruction, so get a copy of the allocator
   //(in the future we could move it)
   this_allocator a_copy(*this);
   BOOST_ASSERT(a_copy == *this);
   this_pointer this_ptr (this);
   //Do it now!
   scoped_ptr&lt;this_type, scoped_ptr_dealloc_functor&lt;this_allocator&gt; &gt; (this_ptr, a_copy);
   typedef typename this_allocator::value_type value_type;
   detail::get_pointer(this_ptr)-&gt;~value_type();
}
</pre>
<p> What I think is wrong is on the deallocator functor line. I believe that it should read </p>
<pre class="wiki">   scoped_ptr&lt;this_type, scoped_ptr_dealloc_functor&lt;this_allocator&gt; &gt; DEALLOCATOR(this_ptr, a_copy);
</pre>
<p> The missing thing is the name for the scoped_ptr instance (the one I called DEALLOCATOR, to make it stand out). And since the name is missing it will become an anonymous instance, which will be destroyed <strong>before</strong> the destructor is called on this_ptr. </p>
<p> The upshot is that with the bug we deallocate the memory and then call the destructor, rather than the opposite. If you're unlucky some other thread/process has allocated that memory for some other use, and you will then be running the destructor on that instead... </p>
<p> I've found this in boost 1.35, but as far as I can see it is not fixed in later versions or in the trunk.
</p>
Ion Gaztañaga Thu, 26 Mar 2009 07:50:14 GMT status changed; resolution set https://svn.boost.org/trac10/ticket/2700#comment:1
<ul> <li><strong>status</strong> <span class="trac-field-old">new</span> → <span class="trac-field-new">closed</span> </li> <li><strong>resolution</strong> → <span class="trac-field-new">fixed</span> </li> </ul>
<p> Fixed for Boost 1.39 </p>
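The ordering problem the ticket describes, reduced to a stand-alone program. This is an added example, not code from the ticket or from Boost: DeallocGuard, run_destructor, destroy_unnamed, destroy_named and order are hypothetical stand-ins for the scoped_ptr guard, the explicit destructor call and the two variants of destroy().

```cpp
#include <iostream>
#include <string>
#include <vector>

using Log = std::vector<std::string>;  // records the order of events

// Hypothetical stand-in for scoped_ptr<..., scoped_ptr_dealloc_functor<...>>:
// its destructor is where the storage would be released.
struct DeallocGuard {
    DeallocGuard(Log& log, const char* what) : log_(log), what_(what) {}
    ~DeallocGuard() { log_.push_back(what_); }
    Log& log_;
    const char* what_;
};

// Stand-in for the explicit ~value_type() call in destroy().
void run_destructor(Log& log) { log.push_back("destruct"); }

// Reported form: the guard has no name, so it is a temporary that is
// destroyed at the end of its own statement, before the next line runs.
void destroy_unnamed(Log& log) {
    DeallocGuard(log, "deallocate");
    run_destructor(log);  // runs on storage that was already released
}

// Proposed form: the named guard lives until the closing brace, so the
// destructor call happens first and the release happens last.
void destroy_named(Log& log) {
    DeallocGuard guard(log, "deallocate");
    run_destructor(log);
}

// Runs one variant and returns the events as a comma-separated string.
std::string order(void (*fn)(Log&)) {
    Log log;
    fn(log);
    std::string out;
    for (const std::string& e : log) out += (out.empty() ? "" : ",") + e;
    return out;
}

int main() {
    std::cout << "unnamed guard: " << order(destroy_unnamed) << "\n";
    std::cout << "named guard:   " << order(destroy_named) << "\n";
}
```

Compiler diagnostics for a discarded temporary (for example marking the guard type `[[nodiscard]]` in C++17 and later) can flag the unnamed form at build time.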