Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-31305

Memory leak in QueryPlanner::plan due to unmanaged raw pointers

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Major - P3
    • Resolution: Fixed
    • 3.5.13
    • 3.6.0-rc0
    • Querying
    • None
    • Fully Compatible
    • ALL
    • Hide

      The BF ticket has instructions on the ASAN builder needed to repro with
      the following code changes.

      --- a/src/mongo/db/query/query_planner.cpp
      		 
      +++ b/src/mongo/db/query/query_planner.cpp
      		 
      @@ -873,6 +873,8 @@ Status QueryPlanner::plan(const CanonicalQuery& query,
      		 
                   // Store the plan cache index tree before calling prepareForAccessingPlanning(), so that
      		 
                   // the PlanCacheIndexTree has the same sort as the MatchExpression used to generate the
      		 
                   // plan cache key.
      		 
      +            uassert(ErrorCodes::InternalError, "intentionally thrown", false);
      		 
      +
      		 
                   std::unique_ptr<MatchExpression> clone(rawTree->shallowClone());
      		 
                   PlanCacheIndexTree* cacheData;
      		 
                   Status indexTreeStatus =

      And then running this script.

      repro_bf6473.js

      		 
      (function() {
      		 
          "use strict";
      		 
       
      		 
          assert.commandWorked(db.mycoll.createIndex({a: 1}));
      		 
          assert.commandWorked(db.mycoll.createIndex({b: 1}));
      		 
          assert.writeOK(db.mycoll.insert({}));
      		 
       
      		 
          var cursor = db.mycoll.find({a: 1, b: 2});
      		 
          cursor.hasNext();
      		 
      })();

      Show
      The BF ticket has instructions on the ASAN builder needed to repro with the following code changes. --- a/src/mongo/db/query/query_planner.cpp +++ b/src/mongo/db/query/query_planner.cpp @@ -873,6 +873,8 @@ Status QueryPlanner::plan( const CanonicalQuery& query, // Store the plan cache index tree before calling prepareForAccessingPlanning(), so that // the PlanCacheIndexTree has the same sort as the MatchExpression used to generate the // plan cache key. + uassert(ErrorCodes::InternalError, "intentionally thrown" , false ); + std::unique_ptr<MatchExpression> clone(rawTree->shallowClone()); PlanCacheIndexTree* cacheData; Status indexTreeStatus = And then running this script. repro_bf6473.js ( function () { "use strict" ;   assert.commandWorked(db.mycoll.createIndex({a: 1})); assert.commandWorked(db.mycoll.createIndex({b: 1})); assert.writeOK(db.mycoll.insert({}));   var cursor = db.mycoll.find({a: 1, b: 2}); cursor.hasNext(); })();
    • TIG 2017-10-23
    • 0

    Description

      In the QueryPlanner::plan function, a MatchExpression* rawTree pointer is assigned an object, but before it is able to pass off ownership to a smart pointer, an exception occurs. This leads to the memory being leaked.

      Attachments

        Activity

          People

            eddie.louie Eddie Louie
            eddie.louie Eddie Louie
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: