Core Server / SERVER-40869

$subtract with date can cause undefined behavior

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 4.0.11, 4.2.0-rc1, 4.3.1
    • Affects Version/s: 4.0.9, 4.1.10
    • Component/s: Querying
    • Backwards Compatibility: Fully Compatible
    • Operating System: ALL
    • Backport Requested: v4.2, v4.0, v3.6, v3.4
    • 7

      The following test results in UB:

      (function() {
          // $subtract a non-finite number from a Date: the Infinity operand is
          // coerced to long long, which is where the undefined behavior occurs.
          const pipeline = [{$project: {x: {$subtract: [new Date('2019-04-23T00:05:48.829Z'), Infinity]}}}];

          // Log a stack trace for any exception thrown while running the pipeline.
          db.adminCommand({setParameter: 1, traceExceptions: true});

          try {
              const res = db.c.aggregate(pipeline).toArray();
              print("Result was " + tojson(res));
          } catch (e) {
              print("Error was " + tojson(e));
          }
      })();


      The $subtract is performed with [<some date>, Infinity]. The numeric operand is converted to long long (via Value::coerceToLong()) before the date arithmetic is done. That cast is UB when the truncated double is a value that can't fit in a long long (such as Infinity).

      We may want to change the implementation of Value::coerceToLong() and audit existing calls to it in case there are similar bugs.
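      As an added example (not MongoDB's code), the unchecked cast the report describes next to a range-checked coercion that rejects NaN, +/-Infinity and out-of-range doubles, plus a date-minus-number helper modelled on $subtract's millisecond arithmetic; the names and the sample date value are constructed for the example.

```cpp
#include <cmath>
#include <limits>

// Unchecked form: the pattern the report describes. Truncating a double that is
// non-finite or outside the long long range is undefined behaviour, so this must
// never be reached with such a value.
long long coerceToLongUnchecked(double d) {
    return static_cast<long long>(d);
}

// Checked form (hypothetical, not Value::coerceToLong()): returns false instead
// of casting when the value cannot be represented, so the caller can raise a
// user-facing error rather than executing UB.
bool coerceToLongChecked(double d, long long* out) {
    if (std::isnan(d)) return false;
    // 2^63 is exactly representable as a double; LLONG_MAX (2^63-1) is not, so the
    // exact in-range test is -2^63 <= d < 2^63. The comparison is also false for
    // +/-Infinity, which is the case from the report.
    constexpr double kTwo63 = -static_cast<double>(std::numeric_limits<long long>::min());
    if (!(d >= -kTwo63 && d < kTwo63)) return false;
    *out = static_cast<long long>(d);  // truncation toward zero, now well defined
    return true;
}

// Constructed sample: milliseconds since the epoch for 2019-04-23T00:05:48.829Z.
constexpr long long kSampleDateMillis = 1555977948829LL;

// Date arithmetic in the style of $subtract: a Date is milliseconds since the
// epoch and the numeric right-hand side is coerced to whole milliseconds first.
// Returns false when the operand cannot be coerced or the subtraction overflows.
bool subtractFromDateMillis(long long dateMillis, double rhs, long long* out) {
    long long delta = 0;
    if (!coerceToLongChecked(rhs, &delta)) return false;
    // Guard the integer subtraction as well (GCC/Clang builtin).
    if (__builtin_sub_overflow(dateMillis, delta, out)) return false;
    return true;
}
```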

            Assignee: Ted Tuckman (ted.tuckman@mongodb.com)
            Reporter: Ian Boros (ian.boros@mongodb.com)
            Votes: 0
            Watchers: 7