Description
According to the address sanitizer report, a double free is happening inside DocumentSource::optimizeAt().
Here's the sanitizer output:
2705 [j0:prim] ==608==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000234f40 at pc 0x55dd2553a7b8 bp 0x7f29c3e52870 sp 0x7f29c3e52868
2706 [j0:prim] READ of size 8 at 0x612000234f40 thread T118 (conn50)
2713 [j0:prim] #0 0x55dd2553a7b7 in mongo::DocumentSource::dispose() /home/ubuntu/mongo/src/mongo/db/pipeline/document_source.h:328:9
2714 [j0:prim] #1 0x55dd25884e77 in mongo::TeeBuffer::dispose(unsigned long) /home/ubuntu/mongo/src/mongo/db/pipeline/tee_buffer.h:74:26
2715 [j0:prim] #2 0x55dd25883664 in mongo::DocumentSourceTeeConsumer::doDispose() /home/ubuntu/mongo/src/mongo/db/pipeline/document_source_tee_consumer.cpp:62:20
2716 [j0:prim] #3 0x55dd2553a7f0 in mongo::DocumentSource::dispose() /home/ubuntu/mongo/src/mongo/db/pipeline/document_source.h:328:9
2717 [j0:prim] #4 0x55dd2553a85c in mongo::DocumentSource::dispose() /home/ubuntu/mongo/src/mongo/db/pipeline/document_source.h:330:22
2718 [j0:prim] #5 0x55dd2590210f in mongo::pipeline::dispose(mongo::OperationContext*) /home/ubuntu/mongo/src/mongo/db/pipeline/pipeline.cpp:338:30
2719 [j0:prim] #6 0x55dd255c3862 in mongo::DocumentSourceFacet::doDispose() /home/ubuntu/mongo/src/mongo/db/pipeline/document_source_facet.cpp:145:25
2720 [j0:prim] #7 0x55dd2553a7f0 in mongo::DocumentSource::dispose() /home/ubuntu/mongo/src/mongo/db/pipeline/document_source.h:328:9
2721 [j0:prim] #8 0x55dd2583faaf in mongo::DocumentSourceSequentialDocumentCache::doOptimizeAt(std::_List_iterator<boost::intrusive_ptr<mongo::DocumentSource> >, std::__cxx11::list<boost::intrusive_ptr<mongo::DocumentSource>, std::allocator<boost::intrusive_ptr<mongo::DocumentSource> > >*) /home/ubuntu/mongo/src/mongo/db/pipeline/document_source_sequential_document_cache.cpp:145:18
2722 [j0:prim] #9 0x55dd254e1d3b in mongo::DocumentSource::optimizeAt(std::_List_iterator<boost::intrusive_ptr<mongo::DocumentSource> >, std::__cxx11::list<boost::intrusive_ptr<mongo::DocumentSource>, std::allocator<boost::intrusive_ptr<mongo::DocumentSource> > >*) /home/ubuntu/mongo/src/mongo/db/pipeline/document_source.cpp:234:12
2723 [j0:prim] #10 0x55dd2590041c in mongo::pipeline::optimizeContainer(std::__cxx11::list<boost::intrusive_ptr<mongo::DocumentSource>, std::allocator<boost::intrusive_ptr<mongo::DocumentSource> > >*) /home/ubuntu/mongo/src/mongo/db/pipeline/pipeline.cpp:275:33
2724 [j0:prim] #11 0x55dd258ffffd in mongo::pipeline::optimizePipeline() /home/ubuntu/mongo/src/mongo/db/pipeline/pipeline.cpp:265:5
2725 [j0:prim] #12 0x55dd2571f2df in mongo::DocumentSourceLookUp::buildPipeline(mongo::Document const&) /home/ubuntu/mongo/src/mongo/db/pipeline/document_source_lookup.cpp:527:15
2726 [j0:prim] #13 0x55dd257195d4 in mongo::DocumentSourceLookUp::doGetNext() /home/ubuntu/mongo/src/mongo/db/pipeline/document_source_lookup.cpp:377:20
2727 [j0:prim] #14 0x55dd2099ecef in mongo::DocumentSource::getNext() /home/ubuntu/mongo/src/mongo/db/pipeline/document_source.h:293:20
2728 [j0:prim] #15 0x55dd25905e66 in mongo::pipeline::getNext() /home/ubuntu/mongo/src/mongo/db/pipeline/pipeline.cpp:469:40
2729 [j0:prim] #16 0x55dd23c12c94 in mongo::PlanExecutorPipeline::_tryGetNext() /home/ubuntu/mongo/src/mongo/db/pipeline/plan_executor_pipeline.cpp:129:23
2730 [j0:prim] #17 0x55dd23c12917 in mongo::PlanExecutorPipeline::_getNext() /home/ubuntu/mongo/src/mongo/db/pipeline/plan_executor_pipeline.cpp:117:20
...
2834 [j0:prim] 0x612000234f40 is located 0 bytes inside of 280-byte region [0x612000234f40,0x612000235058)
2835 [j0:prim] freed by thread T118 (conn50) here:
2836 [j0:prim] #0 0x55dd1e259315 in operator delete(void*, unsigned long) /data/mci/a0a92963d3836bdfa3c974d486c10ee5/toolchain-builder/tmp/build-llvm.sh-DWL/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cc:179:3
2837 [j0:prim] #1 0x55dd2575a698 in mongo::DocumentSourceMatch::~DocumentSourceMatch() /home/ubuntu/mongo/src/mongo/db/pipeline/document_source_match.h:104:44
2838 [j0:prim] #2 0x55dd1e2cd3b7 in mongo::intrusive_ptr_release(mongo::RefCountable const*) /home/ubuntu/mongo/src/mongo/util/intrusive_counter.h:74:13
2839 [j0:prim] #3 0x55dd205ced68 in boost::intrusive_ptr<mongo::DocumentSource>::~intrusive_ptr() /home/ubuntu/mongo/src/third_party/boost/boost/smart_ptr/intrusive_ptr.hpp:98:23
2840 [j0:prim] #4 0x55dd205cecf8 in void __gnu_cxx::new_allocator<std::_List_node<boost::intrusive_ptr<mongo::DocumentSource> > >::destroy<boost::intrusive_ptr<mongo::DocumentSource> >(boost::intrusive_ptr<mongo::DocumentSource>*) /opt/mongodbtoolchain/revisions/39699409944dd532c7cbdce2f62da11361ac220a/stow/gcc-v3.Me0/lib/gcc/x86_64-mongodb-linux/8.2.0/../../../../include/c++/8.2.0/ext/new_allocator.h:140:28
2841 [j0:prim] #5 0x55dd205cec27 in void std::allocator_traits<std::allocator<std::_List_node<boost::intrusive_ptr<mongo::DocumentSource> > > >::destroy<boost::intrusive_ptr<mongo::DocumentSource> >(std::allocator<std::_List_node<boost::intrusive_ptr<mongo::DocumentSource> > >&, boost::intrusive_ptr<mongo::DocumentSource>*) /opt/mongodbtoolchain/revisions/39699409944dd532c7cbdce2f62da11361ac220a/stow/gcc-v3.Me0/lib/gcc/x86_64-mongodb-linux/8.2.0/../../../../include/c++/8.2.0/bits/alloc_traits.h:487:8
2842 [j0:prim] #6 0x55dd22b3ee92 in std::__cxx11::list<boost::intrusive_ptr<mongo::DocumentSource>, std::allocator<boost::intrusive_ptr<mongo::DocumentSource> > >::_M_erase(std::_List_iterator<boost::intrusive_ptr<mongo::DocumentSource> >) /opt/mongodbtoolchain/revisions/39699409944dd532c7cbdce2f62da11361ac220a/stow/gcc-v3.Me0/lib/gcc/x86_64-mongodb-linux/8.2.0/../../../../include/c++/8.2.0/bits/stl_list.h:1916:2
2843 [j0:prim] #7 0x55dd22b3ec31 in std::__cxx11::list<boost::intrusive_ptr<mongo::DocumentSource>, std::allocator<boost::intrusive_ptr<mongo::DocumentSource> > >::erase(std::_List_const_iterator<boost::intrusive_ptr<mongo::DocumentSource> >) /opt/mongodbtoolchain/revisions/39699409944dd532c7cbdce2f62da11361ac220a/stow/gcc-v3.Me0/lib/gcc/x86_64-mongodb-linux/8.2.0/../../../../include/c++/8.2.0/bits/list.tcc:158:7
2844 [j0:prim] #8 0x55dd254df923 in mongo::DocumentSource::pushMatchBefore(std::_List_iterator<boost::intrusive_ptr<mongo::DocumentSource> >, std::__cxx11::list<boost::intrusive_ptr<mongo::DocumentSource>, std::allocator<boost::intrusive_ptr<mongo::DocumentSource> > >*) /home/ubuntu/mongo/src/mongo/db/pipeline/document_source.cpp:185:24
2845 [j0:prim] #9 0x55dd254f00ec in mongo::DocumentSource::attemptToPushStageBefore(std::_List_iterator<boost::intrusive_ptr<mongo::DocumentSource> >, std::__cxx11::list<boost::intrusive_ptr<mongo::DocumentSource>, std::allocator<boost::intrusive_ptr<mongo::DocumentSource> > >*) /home/ubuntu/mongo/src/mongo/db/pipeline/document_source.h:465:16
2846 [j0:prim] #10 0x55dd254e19ad in mongo::DocumentSource::optimizeAt(std::_List_iterator<boost::intrusive_ptr<mongo::DocumentSource> >, std::__cxx11::list<boost::intrusive_ptr<mongo::DocumentSource>, std::allocator<boost::intrusive_ptr<mongo::DocumentSource> > >*) /home/ubuntu/mongo/src/mongo/db/pipeline/document_source.cpp:228:9
2847 [j0:prim] #11 0x55dd2590041c in mongo::pipeline::optimizeContainer(std::__cxx11::list<boost::intrusive_ptr<mongo::DocumentSource>, std::allocator<boost::intrusive_ptr<mongo::DocumentSource> > >*) /home/ubuntu/mongo/src/mongo/db/pipeline/pipeline.cpp:275:33
2848 [j0:prim] #12 0x55dd258ffffd in mongo::pipeline::optimizePipeline() /home/ubuntu/mongo/src/mongo/db/pipeline/pipeline.cpp:265:5
2849 [j0:prim] #13 0x55dd2571f2df in mongo::DocumentSourceLookUp::buildPipeline(mongo::Document const&) /home/ubuntu/mongo/src/mongo/db/pipeline/document_source_lookup.cpp:527:15
2850 [j0:prim] #14 0x55dd257195d4 in mongo::DocumentSourceLookUp::doGetNext() /home/ubuntu/mongo/src/mongo/db/pipeline/document_source_lookup.cpp:377:20
2851 [j0:prim] #15 0x55dd2099ecef in mongo::DocumentSource::getNext() /home/ubuntu/mongo/src/mongo/db/pipeline/document_source.h:293:20
2852 [j0:prim] #16 0x55dd25905e66 in mongo::pipeline::getNext() /home/ubuntu/mongo/src/mongo/db/pipeline/pipeline.cpp:469:40
2853 [j0:prim] #17 0x55dd23c12c94 in mongo::PlanExecutorPipeline::_tryGetNext() /home/ubuntu/mongo/src/mongo/db/pipeline/plan_executor_pipeline.cpp:129:23
2854 [j0:prim] #18 0x55dd23c12917 in mongo::PlanExecutorPipeline::_getNext() /home/ubuntu/mongo/src/mongo/db/pipeline/plan_executor_pipeline.cpp:117:20
It looks like we're deleting some document source at attemptToPushStageBefore() and then deleting it again at doOptimizeAt().
Pipeline::SourceContainer::iterator DocumentSource::optimizeAt(
    Pipeline::SourceContainer::iterator itr, Pipeline::SourceContainer* container) {
    invariant(*itr == this);

    // Attempt to swap 'itr' with a subsequent stage, if applicable.
    if (attemptToPushStageBefore(itr, container)) {
        // The stage before the pushed before stage may be able to optimize further, if there is
        // such a stage.
        return std::prev(itr) == container->begin() ? std::prev(itr) : std::prev(std::prev(itr));
    }

    return doOptimizeAt(itr, container);
}
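The lifetime pattern visible in the two stacks above (a stage destroyed by `std::list::erase`, then read later through `dispose()`), modeled as an added example; it is not MongoDB code and not the project's fix. `std::shared_ptr` and `std::weak_ptr` stand in for `boost::intrusive_ptr` and a raw pointer, and `Stage`, `Consumer`, `eraseStage` and `runScenario` are hypothetical names.

```cpp
#include <iterator>
#include <list>
#include <memory>

// Hypothetical stand-in for a pipeline stage. std::shared_ptr replaces
// boost::intrusive_ptr so the model builds with the standard library only.
struct Stage {
    bool disposed = false;
    void dispose() { disposed = true; }
};
using Container = std::list<std::shared_ptr<Stage>>;

// Models the "freed by" stack: erasing a list node destroys the smart pointer
// stored in it, and the stage dies if that was the last owning reference.
Container::iterator eraseStage(Container::iterator itr, Container* c) {
    return c->erase(itr);  // 'itr' is invalid afterwards; use the return value
}

// Models the "READ" stack: something outside the container remembers a stage
// and calls dispose() on it later.
struct Consumer {
    std::weak_ptr<Stage> observed;  // stands in for a raw, non-owning pointer
    std::shared_ptr<Stage> owned;   // optional owning reference (keep-alive)
    Consumer(const std::shared_ptr<Stage>& s, bool owning)
        : observed(s), owned(owning ? s : std::shared_ptr<Stage>()) {}

    // true: dispose() reached a live stage. false: the stage was already
    // destroyed, so a raw pointer here would be the use-after-free ASan saw.
    bool disposeSource() {
        std::shared_ptr<Stage> live = observed.lock();
        if (!live) return false;
        live->dispose();
        return true;
    }
};

// Builds a two-stage pipeline, lets a consumer remember the second stage,
// erases that stage during "optimization", then disposes via the consumer.
bool runScenario(bool consumerOwnsStage) {
    Container pipeline;
    pipeline.push_back(std::make_shared<Stage>());
    pipeline.push_back(std::make_shared<Stage>());
    Consumer consumer(pipeline.back(), consumerOwnsStage);
    eraseStage(std::prev(pipeline.end()), &pipeline);
    return consumer.disposeSource();
}

int main() { return (!runScenario(false) && runScenario(true)) ? 0 : 1; }
```

With a non-owning consumer the erase destroys the stage before `disposeSource()` runs; with an owning reference the stage outlives its removal from the container.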
Issue Links
- is related to SERVER-57000 Fix handling of correlated pipeline with facet (Closed)