Opened 10 years ago
Closed 10 years ago
#7903 closed Bugs (fixed)
boost::heap::fibonacci_heap::erase() does not reset top_element after the last element is erased
| Reported by: | Owned by: | timblechmann | |
|---|---|---|---|
| Milestone: | To Be Determined | Component: | heap |
| Version: | Boost Development Trunk | Severity: | Problem |
| Keywords: | Cc: |
Description
When a fibonacci heap contains only one element, calling fibonacci_heap::erase() deallocates that element's memory, changes the heap size to 0, but does not reset the top_element member, leaving it a dangling pointer.
This member is however used in the push() function:
if (!top_element || super_t::operator()(top_element->value, n->value)) top_element = n;
Calling the comparison operator would result in an invalid read.
Code to reproduce (confirmed by valgrind memcheck):
using namespace boost::heap; fibonacci_heap<int> fh; fh.erase(fh.push(1)); fh.push(2); // invalid memory access here
I don't know if the heap is supposed to be used like this, but I've attached a patch anyway, which simply resets top_element in the consolidate() function.
Thanks.
Attachments (1)
Change History (2)
by , 10 years ago
| Attachment: | erase-last-one.diff added |
|---|
comment:1 by , 10 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
(In [82534]) heap: fix fibonacci_heap::erase
fixes #7903