Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-40869

$subtract with date can cause undefined behavior

    XMLWordPrintableJSON

Details

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Major - P3 Major - P3
    • 4.0.11, 4.2.0-rc1, 4.3.1
    • 4.0.9, 4.1.10
    • Querying
    • Fully Compatible
    • ALL
    • v4.2, v4.0, v3.6, v3.4
    • 7

    Description

      The following test results in UB:

      (function() {
      		 
          pipeline = [{$project: {x: { $subtract: [new Date('2019-04-23T00:05:48.829Z'), Infinity] }}}];
      		 
       
          db.adminCommand( { setParameter: 1, traceExceptions: true } )
      		 
       
          try {
      		 
              const res = db.c.aggregate(pipeline).toArray();
      		 
              print("Result was " + tojson(res));
      		 
          } catch(e) {
      		 
              print("Error was " + tojson(e));
      		 
          }
      		 
      })();

      The $subtract is performed with [<some date>, Infinity]. This causes this conversion to long long. This cast is UB when the truncated double is a value that can't fit in a long long (such as Infinity).

      We may want to change the implementation of Value::coerceToLong() and audit existing calls to it in case there are similar bugs.

      Attachments

        Activity

          People

            ted.tuckman@mongodb.com Ted Tuckman
            ian.boros@mongodb.com Ian Boros
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: