id	summary	reporter	owner	description	type	status	milestone	component	version	severity	resolution	keywords	cc
9940	bad bug in intrusive list with safe_link (or auto_unlink) hooks	Matei David <matei@…>	Ion Gaztañaga	"Looking at `class list_impl` inside `list.hpp`:
- the header node is stored as a data **member** somewhere inside `list_impl::data_`;
- however, the class **inherits** from `detail::clear_on_destructor_base`.

This is really bad. During destruction, the header is deallocated first (as a data member), and after, the destructor of `clear_on_destructor_base` attempts to clear the list.

To replicate the bug, use `safe_link` hooks, and have the node/value destructor clear the list pointers. The base class destructor calls `clear()`, which calls `clear_and_dispose()`, which forms iterator `it` by following the header pointer (which is zeroed by then). Incrementing `it` results in SEGV.

The same probably happens with `auto_unlink` hooks which also trigger post-mortem destruction from the base class."	Bugs	closed	To Be Determined	intrusive	Boost 1.55.0	Problem	fixed	intrusive list safe_link