[FlopCpp] Crash/Security issue in FlopC++

[Tim Hultberg]

Hi Gaetano,
  your quick fix looks good, however if somebody wants something like

void crash() {
  {
    MP_model myFirstModel(new OsiCbcSolverInterface);
    {
      MP_model myModel(new OsiCbcSolverInterface);
    }
    {
      MP_constraint myConstraint;
    }
  }
}

I guess they would expect myConstraint to be added to myFirstModel, not the default model. Looks like current_model should really be a stack of models (with default model at the bottom).

Cheers, Tim
_____________________________________
From: Gaetano Mendola [mendola at gmail.com]
Sent: 28 February 2010 00:18
To: flopcpp at list.coin-or.org
Cc: Tim Hultberg; Lou Hafer
Subject: Crash/Security issue in FlopC++

Hi,
I'm in the process of writing some tests, and I'm experiencing random crashes.
The reason for it is quite simple. The crash can be obtained in the
following way:

void crash() {
  {
    MP_model myModel(new OsiCbcSolverInterface);
  }
  {
    MP_constraint myConstraint;
  }
}

what happens is the fact that MP_model has a current and a default model
initialized as follow:

MP_model& MP_model::default_model = *new MP_model(0);
MP_model* MP_model::current_model = &MP_model::default_model;

and MP_model on his CTOR updates the current model:

MP_Model::current_model = this;

MP_constraint on his constructor performs:

MP_model::current_model->add(*this);

As you can see in that crash function as soon the myModel scope is over then
the  "MP_model::current_model->add(*this);"  dereferences an invalid pointer.

The standard say this is an undefined behavior, it's also a security risk.

In order to properly fix it, I need to know the meaning of
current_model and the
default_model.

A quick fix is to put in the MP_model DTOR the following:

MP_model::current_model = &MP_model::default_model;

can someone enlighten me about the semantic of those two current_model and
default_model ?


Regards
Gaetano Mendola


--
cpp-today.blogspot.com