While looking into PHPC-712, I came across a peculiarity with mongoc_collection_update(), which apparently skips BSON validation entirely for update documents:

if (!((uint32_t)flags & MONGOC_UPDATE_NO_VALIDATE) &&
    bson_iter_init (&iter, update) &&
    bson_iter_next (&iter) &&
    (bson_iter_key (&iter) [0] != '$') &&
    !bson_validate (update, (bson_validate_flags_t)vflags, &err_offset)) {
   bson_set_error (error,
                   MONGOC_ERROR_BSON,
                   MONGOC_ERROR_BSON_INVALID,
                   "update document is corrupt or contains "
                   "invalid keys including $ or .");
   return false;
} else {
   flags = (uint32_t)flags & ~MONGOC_UPDATE_NO_VALIDATE;
}

Validation flags defined earlier are:

int vflags = (BSON_VALIDATE_UTF8 | BSON_VALIDATE_UTF8_ALLOW_NULL
            | BSON_VALIDATE_DOLLAR_KEYS | BSON_VALIDATE_DOT_KEYS);

I understand that BSON_VALIDATE_DOLLAR_KEYS and BSON_VALIDATE_DOT_KEYS should not apply to update arguments with atomic modifiers, but UTF-8 validation still seems relevant. Should libmongoc instead construct vflags based on whether the argument has atomic modifiers or is a replacement document?

Two other observations:

• The flags assignment in the else condition does not appear to affect the function in any way. The variable is only checked again when building the update options (i.e. "upsert" and "multi"). Is there any reason for this variable, or should the function instead simply read the mongoc_update_flags_t uflags argument?
• MONGOC_UPDATE_NO_VALIDATE is used no where else in libmongoc; however, it is part of the public API in mongoc-flags.h. This contrasts with the MONGOC_INSERT_NO_VALIDATE, which is at least used internally for legacy index creation.