Core Server / SERVER-70867

[SBE] Unsafe usage of value::compareValue

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • 6.3.0-rc0
    • Affects Version/s: None
    • Component/s: None
    • Fully Compatible
    • QE 2022-10-31, QE 2022-11-14, QE 2022-11-28, QE 2022-12-12
    • 1

      The value::compareValue returns a tag+value that in some cases can be Nothing instead of an Integer32. This happens when one of the two operands is Nothing, or they are two ArraySets of different content. There are two places where the caller directly reaches for the value and assumes it's an Integer32, leading to a Nothing result being treated as "values are equal".

      1. the const_eval rewrite at https://github.com/10gen/mongo/blob/master/src/mongo/db/query/optimizer/rewrites/const_eval.cpp#L312
      2. the sort algorithm in the SortStage at https://github.com/10gen/mongo/blob/master/src/mongo/db/exec/sbe/stages/sort.cpp#L138

      The latter should be protected by the presence of Nothing (because it's converted into Null by the code that generates the sort keys), but we should investigate how ArraySets are handled in both cases.

            Assignee: Adi Agrawal (adi.agrawal@mongodb.com)
            Reporter: Alberto Massari (alberto.massari@mongodb.com)
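A simplified C++ model of the pattern this issue describes, added here as an illustration and not taken from the MongoDB source. The `model` namespace, its types and the `equalUnchecked`/`equalChecked` callers are hypothetical; only the rule for when the comparison yields Nothing follows the description above.

```cpp
// Simplified model of a tag+value comparison result; not MongoDB source code.
#include <cstdint>
#include <optional>
#include <set>
#include <utility>
#include <variant>

namespace model {
enum class Tag { Nothing, Int32, ArraySet };
using Payload = std::variant<std::monostate, int32_t, std::set<int32_t>>;
struct Val { Tag tag = Tag::Nothing; Payload data; };
using Result = std::pair<Tag, int32_t>;  // (tag, raw value); raw is 0 when tag is Nothing

Val makeNothing() { return {}; }
Val makeInt32(int32_t v) { return {Tag::Int32, v}; }
Val makeArraySet(std::set<int32_t> s) { return {Tag::ArraySet, std::move(s)}; }

// Three-way compare that, as the issue describes, yields Nothing when an
// operand is Nothing or when two ArraySets differ in content.
Result compareValue(const Val& l, const Val& r) {
    if (l.tag == Tag::Nothing || r.tag == Tag::Nothing) return {Tag::Nothing, 0};
    if (l.tag == Tag::ArraySet && r.tag == Tag::ArraySet) {
        if (std::get<2>(l.data) == std::get<2>(r.data)) return {Tag::Int32, 0};
        return {Tag::Nothing, 0};
    }
    if (l.tag == Tag::Int32 && r.tag == Tag::Int32) {
        int32_t a = std::get<int32_t>(l.data), b = std::get<int32_t>(r.data);
        return {Tag::Int32, (a > b) - (a < b)};
    }
    return {Tag::Nothing, 0};  // mixed types are out of scope for this model
}

// Unsafe caller: ignores the tag, so a Nothing result reads as "equal".
bool equalUnchecked(const Val& l, const Val& r) {
    return compareValue(l, r).second == 0;
}

// Checked caller: an answer exists only when the tag is Int32.
std::optional<bool> equalChecked(const Val& l, const Val& r) {
    auto [tag, raw] = compareValue(l, r);
    if (tag != Tag::Int32) return std::nullopt;  // caller must handle "no ordering"
    return raw == 0;
}
}  // namespace model

int main() {
    const auto a = model::makeArraySet({1, 2}), b = model::makeArraySet({3});  // constructed inputs
    // Exit 0 when the unchecked caller says "equal" and the checked caller gives no answer.
    return (model::equalUnchecked(a, b) && !model::equalChecked(a, b).has_value()) ? 0 : 1;
}
```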