Memory leak in QueryPlanner::plan due to unmanaged raw pointers

XMLWordPrintableJSON

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • 3.6.0-rc0
    • Affects Version/s: 3.5.13
    • Component/s: Querying
    • None
    • Fully Compatible
    • ALL
    • Hide

      The BF ticket has instructions on the ASAN builder needed to repro with
      the following code changes.

      --- a/src/mongo/db/query/query_planner.cpp
+++ b/src/mongo/db/query/query_planner.cpp
@@ -873,6 +873,8 @@ Status QueryPlanner::plan(const CanonicalQuery& query,
             // Store the plan cache index tree before calling prepareForAccessingPlanning(), so that
             // the PlanCacheIndexTree has the same sort as the MatchExpression used to generate the
             // plan cache key.
+            uassert(ErrorCodes::InternalError, "intentionally thrown", false);
+
             std::unique_ptr<MatchExpression> clone(rawTree->shallowClone());
             PlanCacheIndexTree* cacheData;
             Status indexTreeStatus =

      And then running this script.

      repro_bf6473.js
      (function() {
    "use strict";

    assert.commandWorked(db.mycoll.createIndex({a: 1}));
    assert.commandWorked(db.mycoll.createIndex({b: 1}));
    assert.writeOK(db.mycoll.insert({}));

    var cursor = db.mycoll.find({a: 1, b: 2});
    cursor.hasNext();
})();
      Show
      The BF ticket has instructions on the ASAN builder needed to repro with the following code changes. --- a/src/mongo/db/query/query_planner.cpp +++ b/src/mongo/db/query/query_planner.cpp @@ -873,6 +873,8 @@ Status QueryPlanner::plan( const CanonicalQuery& query, // Store the plan cache index tree before calling prepareForAccessingPlanning(), so that // the PlanCacheIndexTree has the same sort as the MatchExpression used to generate the // plan cache key. + uassert(ErrorCodes::InternalError, "intentionally thrown" , false ); + std ::unique_ptr <MatchExpression> clone(rawTree->shallowClone()); PlanCacheIndexTree* cacheData; Status indexTreeStatus = And then running this script. repro_bf6473.js ( function () { "use strict" ; assert.commandWorked(db.mycoll.createIndex({a: 1})); assert.commandWorked(db.mycoll.createIndex({b: 1})); assert.writeOK(db.mycoll.insert({})); var cursor = db.mycoll.find({a: 1, b: 2}); cursor.hasNext(); })();
    • TIG 2017-10-23
    • 0
    • None
    • 3
    • None
    • None
    • None
    • None
    • None
    • None

      In the QueryPlanner::plan function, a MatchExpression* rawTree pointer is assigned an object, but before it is able to pass off ownership to a smart pointer, an exception occurs. This leads to the memory being leaked.

            Assignee:
            Eddie Louie (Inactive)
            Reporter:
            Eddie Louie (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: