Loading...

Type: Bug
Resolution: Fixed
Priority: Major - P3
Fix Version/s: 5.0.0-rc0
Affects Version/s: None
Component/s: None
Labels:
None

Backwards Compatibility:
Fully Compatible
Operating System:
ALL
Sprint:
Query Execution 2021-05-17, Query Execution 2021-05-31

During this patch build to enable SBE by default, we hit a heap-use-after-free during the "ludicrous nesting torture test" in jstests/core/computed_projections.js:

[j3] =================================================================
[j3] ==120948==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060002fb2f4 at pc 0x7fa517900524 bp 0x7fa4cf0bb540 sp 0x7fa4cf0bb538
[j3] READ of size 4 at 0x6060002fb2f4 thread T37 (conn6)
[j3]     #0 0x7fa517900523 in mongo::DataType::Handler<unsigned int, void>::unsafeLoad(unsigned int*, char const*, unsigned long*) /data/mci/233c861a4a4a55a5148357cf11c28002/src/src/mongo/base/data_type.h:70:17
[j3]     #1 0x7fa517900523 in void mongo::DataType::unsafeLoad<unsigned int>(unsigned int*, char const*, unsigned long*) /data/mci/233c861a4a4a55a5148357cf11c28002/src/src/mongo/base/data_type.h:153
[j3]     #2 0x7fa517900523 in mongo::DataType::Handler<mongo::LittleEndian<unsigned int>, void>::unsafeLoad(mongo::LittleEndian<unsigned int>*, char const*, unsigned long*) /data/mci/233c861a4a4a55a5148357cf11c28002/src/src/mongo/base/data_type_endian.h:90
[j3]     #3 0x7fa517900523 in void mongo::DataType::unsafeLoad<mongo::LittleEndian<unsigned int> >(mongo::LittleEndian<unsigned int>*, char const*, unsigned long*) /data/mci/233c861a4a4a55a5148357cf11c28002/src/src/mongo/base/data_type.h:153
[j3]     #4 0x7fa517900523 in mongo::ConstDataView const& mongo::ConstDataView::readInto<mongo::LittleEndian<unsigned int> >(mongo::LittleEndian<unsigned int>*, long) const /data/mci/233c861a4a4a55a5148357cf11c28002/src/src/mongo/base/data_view.h:53
[j3]     #5 0x7fa50502067c in mongo::LittleEndian<unsigned int> mongo::ConstDataView::read<mongo::LittleEndian<unsigned int> >(long) const /data/mci/5b39450893c745aa14863a3d17537c10/src/src/mongo/base/data_view.h:62:9
[j3]     #6 0x7fa50502067c in mongo::sbe::value::copyValue(mongo::sbe::value::TypeTags, unsigned long) /data/mci/5b39450893c745aa14863a3d17537c10/src/src/mongo/db/exec/sbe/values/value.h:1068
[j3]     #7 0x7fa50333fffe in mongo::sbe::value::OwnedValueAccessor::makeOwned() /data/mci/72ab04a1a9ea0fb5cd8990198a70f1c8/src/src/mongo/db/exec/sbe/values/slot.h:194:32
[j3]     #8 0x7fa502d76717 in mongo::sbe::ProjectStage::doSaveState() /data/mci/5b39450893c745aa14863a3d17537c10/src/src/mongo/db/exec/sbe/stages/project.cpp:155:18
[j3]     #9 0x7fa504e19495 in mongo::sbe::CanChangeState<mongo::sbe::PlanStage>::saveState() /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/exec/sbe/stages/stages.h:132:16
[j3]     #10 0x7fa504e195a9 in mongo::sbe::CanChangeState<mongo::sbe::PlanStage>::saveState() /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/exec/sbe/stages/stages.h:137:20
[j3]     #11 0x7fa504e195a9 in mongo::sbe::CanChangeState<mongo::sbe::PlanStage>::saveState() /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/exec/sbe/stages/stages.h:137:20
[j3]     #12 0x7fa504e195a9 in mongo::sbe::CanChangeState<mongo::sbe::PlanStage>::saveState() /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/exec/sbe/stages/stages.h:137:20
[j3]     #13 0x7fa504e195a9 in mongo::sbe::CanChangeState<mongo::sbe::PlanStage>::saveState() /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/exec/sbe/stages/stages.h:137:20
[j3]     #14 0x7fa504e195a9 in mongo::sbe::CanChangeState<mongo::sbe::PlanStage>::saveState() /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/exec/sbe/stages/stages.h:137:20
[j3]     #15 0x7fa504e195a9 in mongo::sbe::CanChangeState<mongo::sbe::PlanStage>::saveState() /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/exec/sbe/stages/stages.h:137:20
[j3]     #16 0x7fa504e195a9 in mongo::sbe::CanChangeState<mongo::sbe::PlanStage>::saveState() /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/exec/sbe/stages/stages.h:137:20
[j3]     #17 0x7fa504e195a9 in mongo::sbe::CanChangeState<mongo::sbe::PlanStage>::saveState() /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/exec/sbe/stages/stages.h:137:20
[j3]     #18 0x7fa504e195a9 in mongo::sbe::CanChangeState<mongo::sbe::PlanStage>::saveState() /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/exec/sbe/stages/stages.h:137:20
[j3]     #19 0x7fa504e195a9 in mongo::sbe::CanChangeState<mongo::sbe::PlanStage>::saveState() /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/exec/sbe/stages/stages.h:137:20
[j3]     #20 0x7fa504e195a9 in mongo::sbe::CanChangeState<mongo::sbe::PlanStage>::saveState() /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/exec/sbe/stages/stages.h:137:20
[j3]     #21 0x7fa504e195a9 in mongo::sbe::CanChangeState<mongo::sbe::PlanStage>::saveState() /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/exec/sbe/stages/stages.h:137:20
[j3]     #22 0x7fa504e195a9 in mongo::sbe::CanChangeState<mongo::sbe::PlanStage>::saveState() /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/exec/sbe/stages/stages.h:137:20
[j3]     #23 0x7fa504e195a9 in mongo::sbe::CanChangeState<mongo::sbe::PlanStage>::saveState() /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/exec/sbe/stages/stages.h:137:20
[j3]     #24 0x7fa504e195a9 in mongo::sbe::CanChangeState<mongo::sbe::PlanStage>::saveState() /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/exec/sbe/stages/stages.h:137:20
[j3]     #25 0x7fa504e61e74 in mongo::PlanYieldPolicySBE::saveState(mongo::OperationContext*) /data/mci/60e523f5a256ca21c1b14b893792fad5/src/src/mongo/db/query/plan_yield_policy_sbe.cpp:37:15
[j3]     #26 0x7fa5028a424b in mongo::PlanYieldPolicy::yieldOrInterrupt(mongo::OperationContext*, std::function<void ()>) /data/mci/72ab04a1a9ea0fb5cd8990198a70f1c8/src/src/mongo/db/query/plan_yield_policy.cpp:96:17
[j3]     #27 0x7fa503341dbc in mongo::sbe::CanInterrupt::checkForInterrupt(mongo::OperationContext*) /data/mci/72ab04a1a9ea0fb5cd8990198a70f1c8/src/src/mongo/db/exec/sbe/stages/stages.h:335:13
[j3]     #28 0x7fa50336f108 in mongo::sbe::ScanStage::getNext() /data/mci/72ab04a1a9ea0fb5cd8990198a70f1c8/src/src/mongo/db/exec/sbe/stages/scan.cpp:286:5
[j3]     #29 0x7fa502e04c50 in mongo::sbe::TraverseStage::getNext() /data/mci/5b39450893c745aa14863a3d17537c10/src/src/mongo/db/exec/sbe/stages/traverse.cpp:147:32
[j3]     #30 0x7fa504e15e2e in mongo::fetchNext(mongo::sbe::PlanStage*, mongo::sbe::value::SlotAccessor*, mongo::sbe::value::SlotAccessor*, mongo::BSONObj*, mongo::RecordId*, bool) /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/query/plan_executor_sbe.cpp:327:24
[j3]     #31 0x7fa504e13c1d in mongo::PlanExecutorSBE::getNext(mongo::BSONObj*, mongo::RecordId*) /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/query/plan_executor_sbe.cpp:235:13

The full trace has been omitted due to length but the full logs with ASAN output are attached to this ticket.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

jscore_asan.txt
213 kB
May 11 2021 09:45:12 PM UTC

is depended on by

SERVER-52799 Make sbe the default execution engine and switch "SBE" build variant to "SBE off"

Closed

is related to

SERVER-56900 SBE sort stage may violate SBE copyOrMove contract

Closed

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates