The problem is in the SBE $lookup hash table and only occurs under specific conditions.
The query that triggers it can be a plain $lookup:
db.local.aggregate({$lookup: {from: 'foreign', localField: 'k', foreignField: 'k', as: 'out'}})
The conditions to trigger the bug are:
- $lookup must use SBE
- SBE must choose a hash join algorithm
- The hash table must be more than 100 MB to cause spilling
- The spill must be triggered by inserting a key that already exists in the hash table
- The key that triggers the spill must be a heap-allocated value, for example an object, an array or a large string
Under these circumstances, the unnecessary “key” variable wrongly takes ownership of tagKeyView / valKeyView. The same value is then freed twice: once when “key” goes out of scope and again when keyAccessor releases its value.
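The ownership mistake described above, as an added, self-contained model (not MongoDB's code): tagged values where heap-backed payloads have exactly one owner and everyone else holds a non-owning view. The names Tag, ValueGuard, OwnedAccessor and duplicateKeyThenSpill are assumptions for this illustration; the release counter stands in for the allocator so the double-free is observable instead of crashing the process. The three variants show the buggy local that owns a view, the fix of keeping the local as a view, and the alternative fix of owning a private copy.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <unordered_map>
#include <utility>

// Toy model of SBE-style (tag, value) pairs. Heap-backed values (here a big
// string) are carried as a pointer that exactly one owner may release;
// everyone else holds a "view" (same tag/value, no ownership).
enum class Tag { Nothing, NumberInt64, StringBig };
using Val = std::uint64_t;

// Instrumentation: how often each heap block was released. A double-free
// shows up as a count of 2 instead of crashing the process.
static std::unordered_map<const void*, int> g_releases;

static bool isHeap(Tag t) { return t == Tag::StringBig; }

static std::pair<Tag, Val> makeBigString(const std::string& s) {
    auto* p = new std::string(s);
    return {Tag::StringBig, reinterpret_cast<Val>(p)};
}

static std::pair<Tag, Val> copyValue(Tag t, Val v) {
    if (!isHeap(t)) return {t, v};               // inline values copy by value
    return makeBigString(*reinterpret_cast<std::string*>(v));
}

static void releaseValue(Tag t, Val v) {
    if (!isHeap(t)) return;                      // nothing to free for inline values
    auto* p = reinterpret_cast<std::string*>(v);
    int n = ++g_releases[static_cast<const void*>(p)];
    if (n == 1) delete p;                        // a second release is recorded, not executed
}

// RAII guard: releases the value at scope exit only if it owns it.
struct ValueGuard {
    Tag tag; Val val; bool owned;
    ValueGuard(Tag t, Val v, bool o) : tag(t), val(v), owned(o) {}
    ~ValueGuard() { if (owned) releaseValue(tag, val); }
    ValueGuard(const ValueGuard&) = delete;
    ValueGuard& operator=(const ValueGuard&) = delete;
};

// Slot accessor that owns the value it holds (the report's keyAccessor).
struct OwnedAccessor {
    Tag tag = Tag::Nothing; Val val = 0;
    void reset(Tag t, Val v) { releaseValue(tag, val); tag = t; val = v; }
    ~OwnedAccessor() { releaseValue(tag, val); }
};

enum class KeyMode { OwnView, View, OwnCopy };

// Simulates the path in the report: the key accessor hands a view of its heap
// key to the insert-existing-key path, which (in the buggy variant) wraps that
// view in a local that claims ownership. Returns how many times the key's
// heap block was released once everything has gone out of scope.
static int duplicateKeyThenSpill(KeyMode mode) {
    g_releases.clear();
    const void* block = nullptr;
    {
        OwnedAccessor keyAccessor;
        auto kv = makeBigString("a key long enough to live on the heap");  // constructed input
        keyAccessor.reset(kv.first, kv.second);
        block = reinterpret_cast<const void*>(kv.second);

        // What the accessor exposes: a non-owning view of its value.
        Tag tagKeyView = keyAccessor.tag;
        Val valKeyView = keyAccessor.val;
        {
            // The local "key" of the report. Its ownership flag is the whole bug.
            bool own = (mode != KeyMode::View);
            std::pair<Tag, Val> k = (mode == KeyMode::OwnCopy)
                ? copyValue(tagKeyView, valKeyView)        // own a private copy
                : std::make_pair(tagKeyView, valKeyView);  // alias the accessor's value
            ValueGuard key(k.first, k.second, own);
            // ... spill to the record store happens here; "key" then leaves scope.
        }
        // keyAccessor is destroyed here and, in the OwnView variant, releases
        // the same block a second time.
    }
    return g_releases[block];
}

int main() {
    std::printf("own the view: releases = %d (double-free)\n", duplicateKeyThenSpill(KeyMode::OwnView));
    std::printf("plain view:   releases = %d\n", duplicateKeyThenSpill(KeyMode::View));
    std::printf("own a copy:   releases = %d\n", duplicateKeyThenSpill(KeyMode::OwnCopy));
    return 0;
}
```

The inline-vs-heap split is why the trigger needs an object, array or large string: for an inline value the guard's release is a no-op, so the wrong ownership flag is harmless and the bug never surfaces on small keys.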
Issue links:
- is related to: SERVER-91339 $redact may corrupt memory if $$ROOT is used in the expression (Closed)
- related to: SERVER-118865 LookupHashTable::spillIndicesToRecordStore doesn't check for interrupt (Closed)