Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-56900

SBE sort stage may violate SBE copyOrMove contract

    XMLWordPrintableJSON

Details

    • Icon: Bug Bug
    • Resolution: Gone away
    • Icon: Major - P3 Major - P3
    • None
    • None
    • None
    • None
    • ALL
    • Query Execution 2021-05-17, Query Execution 2021-05-31

    Description

      This code assumes that 'keys' and 'values' get moved into the sorter. However, not all implementations of the sorter's emplace() method actually move from the passed in key. See here for example.

       

      Consider the following scenario:

      1) the sort stage is opened, and calls getNext() on its child. It calls copyOrMove() on its inAccessors, moving ownership to local variables 'keys' and 'vals'. Keep in mind that SBE "move" is non-destructive, unlike a C++ std::move(). So the inAccessors still point to the same values, just their 'owned' flag is now false.

      2) The call to emplace() is made to an overload which does not move from the arguments.

      3) The local variables 'keys' and 'vals' go out of scope. The underlying memory is freed. Now the inAccessors are pointing to garbage.

      Attachments

        Activity

          People

            ian.boros@mongodb.com Ian Boros
            ian.boros@mongodb.com Ian Boros
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: