-
Type: Bug
-
Resolution: Unresolved
-
Priority: Major - P3
-
None
-
Affects Version/s: 7.0.15, 8.0.0-rc21
-
Component/s: None
-
None
-
Query Execution
-
ALL
As part of SERVER-90992 we implemented a safety checker that prevents the existence of stale CollectionPtr references once we abandon the WT snapshot.
This is because in lock-free reads we can have collections whose pointers are only valid during the current WT snapshot as they'll be instantiated in the presence of in-memory conflicts.
We discovered one such instance in the classic engine for multikey wildcard indexes in which the snapshot may advance and invalidate the pointer, which could lead to a crash as it would trigger a use-after-free error.
The way to trigger it is as follows:
- Have a lock-free read operation occur on a collection with a wildcard multikey index.
- This will acquire a collection and potentially instantiate a collection instance tied to the lifetime of the WT snapshot.
- As part of the executor creation we will acquire the multikey wildcard path set
- The operation is wrapped in a writeConflictRetry loop here and here
- If a WriteConflict conflict is detected, the loop will abandon the snapshot and re-attempt the operation.
- This causes the older collection instance to become invalid leaving a pointer to invalid memory.
As part of this we had to disable the jstests/noPassthrough/write_conflict_wildcard.js test since it was causing an invariant failure due to the checker.
- is related to
-
SERVER-90992 Collection acquisitions have no enforcement of snapshot stability
- In Code Review