Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Unresolved
Priority: Major - P3
Fix Version/s: None
Affects Version/s: None
Component/s: None
Labels:
- found-by-ai

Assigned Teams:

Query Optimization
Operating System:
ALL
Steps To Reproduce:
Hide

const conn = MongoRunner.runMongod({}); const db = conn.getDB(jsTestName()); const coll = db.bug; try { assert.commandWorked(coll.insertOne({_id: 1})); // WILL FAIL: 9248801 "Expected the input to be of the shape {_id: <value>}, but the input is { _id: { $ref: \"foo\", $id: 1.0 } }" assert.commandWorked( db.runCommand({ update: coll.getName(), updates: [{q: {_id: {$eq: {$ref: "foo", $id: 1}}}, u: {$set: {x: 1}}}], }), ); } finally { MongoRunner.stopMongod(conn); }
Show
const conn = MongoRunner.runMongod({}); const db = conn.getDB(jsTestName()); const coll = db.bug; try { assert .commandWorked(coll.insertOne({_id: 1})); // WILL FAIL: 9248801 "Expected the input to be of the shape {_id: <value>}, but the input is { _id: { $ref: \" foo\ ", $id: 1.0 } }" assert .commandWorked( db.runCommand({ update: coll.getName(), updates: [{q: {_id: {$eq: {$ref: "foo" , $id: 1}}}, u: {$set: {x: 1}}}], }), ); } finally { MongoRunner.stopMongod(conn); }
CAR Domain/s:
None

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name(s):
None
Goal Link:
None

Problem

The Express update/delete fast path can tassert for an exact _id equality query where the explicit $eq value is an object whose first field starts with $, such as a DBRef-shaped object.

Reproduction

db.bug.insertOne({_id: 1});

db.runCommand({
  update: "bug",
  updates: [{q: {_id: {$eq: {$ref: "foo", $id: 1}}}, u: {$set: {x: 1}}}]
});

The request is routed to the Express write path and mongod hits a tassert:

update: tassert(9248801)
delete: tassert(9248804)

Root Cause

isSimpleIdQuery() accepts _id: {$eq: <object>} as an exact _id query. The Express write path then unwraps $eq to _id: <object>, but re-validates the unwrapped query with isExactMatchOnId(), which rejects object values whose first field starts with $. This incorrectly treats a literal DBRef-shaped value as operator-like syntax.

is caused by

SERVER-92488 Expand IDHACK eligibility to include {_id: {$eq: <val>}}

Closed

Assignee:: Unassigned
Reporter:: Max Verbinnen
Participants:: Max Verbinnen
Votes:: 0 Vote for this issue
Watchers:: 1 Start watching this issue

Created:: May 13 2026 04:45:24 PM UTC
Updated:: May 14 2026 01:17:48 PM UTC

Details

Description

Problem

Reproduction

Root Cause

Attachments

Issue Links

Activity

People

Dates