Core Server / SERVER-56869

[SBE][ASAN jscore] heap-use-after-free during computed_projections.js

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 5.0.0-rc0
    • Affects Version/s: None
    • Component/s: None
    • Labels: None
    • Backwards Compatibility: Fully Compatible
    • Operating System: ALL
    • Sprint: Query Execution 2021-05-17, Query Execution 2021-05-31

      During this patch build to enable SBE by default, we hit a heap-use-after-free during the "ludicrous nesting torture test" in jstests/core/computed_projections.js:

      [j3] =================================================================
      [j3] ==120948==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060002fb2f4 at pc 0x7fa517900524 bp 0x7fa4cf0bb540 sp 0x7fa4cf0bb538
      [j3] READ of size 4 at 0x6060002fb2f4 thread T37 (conn6)
      [j3]     #0 0x7fa517900523 in mongo::DataType::Handler<unsigned int, void>::unsafeLoad(unsigned int*, char const*, unsigned long*) /data/mci/233c861a4a4a55a5148357cf11c28002/src/src/mongo/base/data_type.h:70:17
      [j3]     #1 0x7fa517900523 in void mongo::DataType::unsafeLoad<unsigned int>(unsigned int*, char const*, unsigned long*) /data/mci/233c861a4a4a55a5148357cf11c28002/src/src/mongo/base/data_type.h:153
      [j3]     #2 0x7fa517900523 in mongo::DataType::Handler<mongo::LittleEndian<unsigned int>, void>::unsafeLoad(mongo::LittleEndian<unsigned int>*, char const*, unsigned long*) /data/mci/233c861a4a4a55a5148357cf11c28002/src/src/mongo/base/data_type_endian.h:90
      [j3]     #3 0x7fa517900523 in void mongo::DataType::unsafeLoad<mongo::LittleEndian<unsigned int> >(mongo::LittleEndian<unsigned int>*, char const*, unsigned long*) /data/mci/233c861a4a4a55a5148357cf11c28002/src/src/mongo/base/data_type.h:153
      [j3]     #4 0x7fa517900523 in mongo::ConstDataView const& mongo::ConstDataView::readInto<mongo::LittleEndian<unsigned int> >(mongo::LittleEndian<unsigned int>*, long) const /data/mci/233c861a4a4a55a5148357cf11c28002/src/src/mongo/base/data_view.h:53
      [j3]     #5 0x7fa50502067c in mongo::LittleEndian<unsigned int> mongo::ConstDataView::read<mongo::LittleEndian<unsigned int> >(long) const /data/mci/5b39450893c745aa14863a3d17537c10/src/src/mongo/base/data_view.h:62:9
      [j3]     #6 0x7fa50502067c in mongo::sbe::value::copyValue(mongo::sbe::value::TypeTags, unsigned long) /data/mci/5b39450893c745aa14863a3d17537c10/src/src/mongo/db/exec/sbe/values/value.h:1068
      [j3]     #7 0x7fa50333fffe in mongo::sbe::value::OwnedValueAccessor::makeOwned() /data/mci/72ab04a1a9ea0fb5cd8990198a70f1c8/src/src/mongo/db/exec/sbe/values/slot.h:194:32
      [j3]     #8 0x7fa502d76717 in mongo::sbe::ProjectStage::doSaveState() /data/mci/5b39450893c745aa14863a3d17537c10/src/src/mongo/db/exec/sbe/stages/project.cpp:155:18
      [j3]     #9 0x7fa504e19495 in mongo::sbe::CanChangeState<mongo::sbe::PlanStage>::saveState() /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/exec/sbe/stages/stages.h:132:16
      [j3]     #10 0x7fa504e195a9 in mongo::sbe::CanChangeState<mongo::sbe::PlanStage>::saveState() /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/exec/sbe/stages/stages.h:137:20
      [j3]     #11 0x7fa504e195a9 in mongo::sbe::CanChangeState<mongo::sbe::PlanStage>::saveState() /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/exec/sbe/stages/stages.h:137:20
      [j3]     #12 0x7fa504e195a9 in mongo::sbe::CanChangeState<mongo::sbe::PlanStage>::saveState() /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/exec/sbe/stages/stages.h:137:20
      [j3]     #13 0x7fa504e195a9 in mongo::sbe::CanChangeState<mongo::sbe::PlanStage>::saveState() /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/exec/sbe/stages/stages.h:137:20
      [j3]     #14 0x7fa504e195a9 in mongo::sbe::CanChangeState<mongo::sbe::PlanStage>::saveState() /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/exec/sbe/stages/stages.h:137:20
      [j3]     #15 0x7fa504e195a9 in mongo::sbe::CanChangeState<mongo::sbe::PlanStage>::saveState() /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/exec/sbe/stages/stages.h:137:20
      [j3]     #16 0x7fa504e195a9 in mongo::sbe::CanChangeState<mongo::sbe::PlanStage>::saveState() /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/exec/sbe/stages/stages.h:137:20
      [j3]     #17 0x7fa504e195a9 in mongo::sbe::CanChangeState<mongo::sbe::PlanStage>::saveState() /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/exec/sbe/stages/stages.h:137:20
      [j3]     #18 0x7fa504e195a9 in mongo::sbe::CanChangeState<mongo::sbe::PlanStage>::saveState() /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/exec/sbe/stages/stages.h:137:20
      [j3]     #19 0x7fa504e195a9 in mongo::sbe::CanChangeState<mongo::sbe::PlanStage>::saveState() /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/exec/sbe/stages/stages.h:137:20
      [j3]     #20 0x7fa504e195a9 in mongo::sbe::CanChangeState<mongo::sbe::PlanStage>::saveState() /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/exec/sbe/stages/stages.h:137:20
      [j3]     #21 0x7fa504e195a9 in mongo::sbe::CanChangeState<mongo::sbe::PlanStage>::saveState() /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/exec/sbe/stages/stages.h:137:20
      [j3]     #22 0x7fa504e195a9 in mongo::sbe::CanChangeState<mongo::sbe::PlanStage>::saveState() /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/exec/sbe/stages/stages.h:137:20
      [j3]     #23 0x7fa504e195a9 in mongo::sbe::CanChangeState<mongo::sbe::PlanStage>::saveState() /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/exec/sbe/stages/stages.h:137:20
      [j3]     #24 0x7fa504e195a9 in mongo::sbe::CanChangeState<mongo::sbe::PlanStage>::saveState() /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/exec/sbe/stages/stages.h:137:20
      [j3]     #25 0x7fa504e61e74 in mongo::PlanYieldPolicySBE::saveState(mongo::OperationContext*) /data/mci/60e523f5a256ca21c1b14b893792fad5/src/src/mongo/db/query/plan_yield_policy_sbe.cpp:37:15
      [j3]     #26 0x7fa5028a424b in mongo::PlanYieldPolicy::yieldOrInterrupt(mongo::OperationContext*, std::function<void ()>) /data/mci/72ab04a1a9ea0fb5cd8990198a70f1c8/src/src/mongo/db/query/plan_yield_policy.cpp:96:17
      [j3]     #27 0x7fa503341dbc in mongo::sbe::CanInterrupt::checkForInterrupt(mongo::OperationContext*) /data/mci/72ab04a1a9ea0fb5cd8990198a70f1c8/src/src/mongo/db/exec/sbe/stages/stages.h:335:13
      [j3]     #28 0x7fa50336f108 in mongo::sbe::ScanStage::getNext() /data/mci/72ab04a1a9ea0fb5cd8990198a70f1c8/src/src/mongo/db/exec/sbe/stages/scan.cpp:286:5
      [j3]     #29 0x7fa502e04c50 in mongo::sbe::TraverseStage::getNext() /data/mci/5b39450893c745aa14863a3d17537c10/src/src/mongo/db/exec/sbe/stages/traverse.cpp:147:32
      [j3]     #30 0x7fa504e15e2e in mongo::fetchNext(mongo::sbe::PlanStage*, mongo::sbe::value::SlotAccessor*, mongo::sbe::value::SlotAccessor*, mongo::BSONObj*, mongo::RecordId*, bool) /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/query/plan_executor_sbe.cpp:327:24
      [j3]     #31 0x7fa504e13c1d in mongo::PlanExecutorSBE::getNext(mongo::BSONObj*, mongo::RecordId*) /data/mci/801c90706300d15577b3a7cfdb920ef2/src/src/mongo/db/query/plan_executor_sbe.cpp:235:13
      

      The full trace has been omitted due to length, but the full logs with ASAN output are attached to this ticket.
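As an added triage helper (not part of this ticket or the MongoDB code base), the following parses the ASAN report format shown above, run over a trimmed copy of the trace embedded as constructed input: it drops the test runner's per-job "[j3]" prefix, collapses frames that share one pc (inlined into a single instruction), and picks out the first frame in the `mongo::sbe::` namespace, which is where a reader of this trace would start looking rather than at the generic `DataType`/`ConstDataView` load helpers.

```python
import re
from collections import OrderedDict

# Constructed sample: a trimmed copy of the report from this ticket. The "[j3]"
# prefix is added by the test runner per job and is not part of ASAN's output.
SAMPLE = """\
[j3] ==120948==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060002fb2f4 at pc 0x7fa517900524 bp 0x7fa4cf0bb540 sp 0x7fa4cf0bb538
[j3] READ of size 4 at 0x6060002fb2f4 thread T37 (conn6)
[j3]     #0 0x7fa517900523 in mongo::DataType::Handler<unsigned int, void>::unsafeLoad(unsigned int*, char const*, unsigned long*) /data/mci/233c861a4a4a55a5148357cf11c28002/src/src/mongo/base/data_type.h:70:17
[j3]     #4 0x7fa517900523 in mongo::ConstDataView const& mongo::ConstDataView::readInto<mongo::LittleEndian<unsigned int> >(mongo::LittleEndian<unsigned int>*, long) const /data/mci/233c861a4a4a55a5148357cf11c28002/src/src/mongo/base/data_view.h:53
[j3]     #6 0x7fa50502067c in mongo::sbe::value::copyValue(mongo::sbe::value::TypeTags, unsigned long) /data/mci/5b39450893c745aa14863a3d17537c10/src/src/mongo/db/exec/sbe/values/value.h:1068
[j3]     #7 0x7fa50333fffe in mongo::sbe::value::OwnedValueAccessor::makeOwned() /data/mci/72ab04a1a9ea0fb5cd8990198a70f1c8/src/src/mongo/db/exec/sbe/values/slot.h:194:32
[j3]     #8 0x7fa502d76717 in mongo::sbe::ProjectStage::doSaveState() /data/mci/5b39450893c745aa14863a3d17537c10/src/src/mongo/db/exec/sbe/stages/project.cpp:155:18
[j3]     #25 0x7fa504e61e74 in mongo::PlanYieldPolicySBE::saveState(mongo::OperationContext*) /data/mci/60e523f5a256ca21c1b14b893792fad5/src/src/mongo/db/query/plan_yield_policy_sbe.cpp:37:15
"""

HEADER_RE = re.compile(r"==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+) at pc (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"(READ|WRITE) of size (\d+) at (0x[0-9a-f]+) thread (T\d+)")
# The function text may contain spaces and parentheses; the source location is the last token.
FRAME_RE = re.compile(r"#(\d+) (0x[0-9a-f]+) in (.*) (\S+?):(\d+)(?::(\d+))?$")

def parse_asan_report(text):
    """Parse one ASAN error report into header fields plus a list of frames."""
    report = {"frames": []}
    for raw in text.splitlines():
        line = re.sub(r"^\[j\d+\]\s*", "", raw).strip()  # drop the runner's job prefix
        if m := HEADER_RE.search(line):
            report.update(pid=int(m[1]), kind=m[2], address=m[3], pc=m[4])
        elif m := ACCESS_RE.search(line):
            report.update(access=m[1], size=int(m[2]), thread=m[4])
        elif m := FRAME_RE.search(line):
            report["frames"].append({
                "index": int(m[1]), "pc": m[2], "function": m[3], "file": m[4],
                "line": int(m[5]), "col": int(m[6]) if m[6] else None,
            })
    return report

def first_frame_in(report, prefix):
    """First frame under `prefix`, skipping the generic load helpers above it."""
    return next((f for f in report["frames"] if f["function"].startswith(prefix)), None)

def inlined_groups(report):
    """Frames sharing one pc were inlined into a single instruction; report them together."""
    by_pc = OrderedDict()
    for f in report["frames"]:
        by_pc.setdefault(f["pc"], []).append(f["index"])
    return {pc: idx for pc, idx in by_pc.items() if len(idx) > 1}
```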

      Attachment: jscore_asan.txt (213 kB, uploaded by Kyle Suarez)

            Assignee: Ian Boros (ian.boros@mongodb.com)
            Reporter: Kyle Suarez (kyle.suarez@mongodb.com)
            Votes: 0
            Watchers: 8
