Loading...

XML

Word

Printable

JSON

Type: Task
Resolution: Fixed
Priority: Major - P3
Fix Version/s: 6.2.0-rc0
Affects Version/s: None
Component/s: None
Labels:
- pm2697-m2

Backwards Compatibility:
Fully Compatible
Sprint:
QE 2022-11-28
Story Points:
10
CAR Domain/s:
None

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name(s):
None
Goal Link:
None

When an expression is retrieving data from a value that is owned by the stack, it should either ensure that it has a lifetime bigger than the lifetime of the return value, or make it a stack-owned copy.

Example:

TEST_F(SBEBuiltinExtractSubArrayTest, MemoryManagement) {
    auto array = makeArray(BSON_ARRAY("Item#1"
                                      << "Item#2"
                                      << "Item#3"
                                      << "Item#4"));

    // Run getElement(0) on the subarray holding just the last entry in the above array.
    auto extractFromSubArrayExpr = makeE<EFunction>(
        "getElement",
        makeEs(makeE<EFunction>(
                   "extractSubArray",
                                makeEs(makeE<EConstant>(array.first, array.second),
                                       makeE<EConstant>(value::TypeTags::NumberInt32, 1),
                                       makeE<EConstant>(value::TypeTags::NumberInt32, 2))),
               makeE<EConstant>(value::TypeTags::NumberInt32, 0)));

    auto compiledExpr = compileExpression(*extractFromSubArrayExpr);

    auto [tag, value] = runCompiledExpression(compiledExpr.get());
    std::cout << std::make_pair(tag, value) << std::endl;
    ASSERT_TRUE(value::isString(tag));
    ASSERT_EQ("Item#3", value::getRawStringView(tag, value));
}

The extractSubArray instruction creates a new stack-owned array, and getElement returns a shared value that points to deleted memory by the time runCompiledExpression attempts to copy.

 	KernelBase.dll!wil::details::DebugBreak(void)	Unknown
 	db_sbe_test.exe!mongo::invariantFailed(const char * expr, const char * file, unsigned int line) Line 142	C++
 	[Inline Frame] db_sbe_test.exe!mongo::invariantWithLocation(const bool &) Line 74	C++
 	db_sbe_test.exe!mongo::sbe::value::makeBigString(mongo::StringData input) Line 1110	C++
 	db_sbe_test.exe!mongo::sbe::value::copyValue(mongo::sbe::value::TypeTags tag, unsigned __int64 val) Line 1452	C++
>	[Inline Frame] db_sbe_test.exe!mongo::sbe::EExpressionTestFixture::runCompiledExpression(const mongo::sbe::vm::CodeFragment *) Line 85	C++
 	db_sbe_test.exe!mongo::sbe::UnitTest_SuiteNameSBEBuiltinExtractSubArrayTestTestNameMemoryManagement::_doTest() Line 240	C++

is duplicated by

SERVER-70582 [CQF] Sampling CE may cause a MONGO_UNREACHABLE to be reached / segfault in traverseF

Closed

Assignee:: Zixuan Zhuang
Reporter:: Alberto Massari
Participants:: Alberto Massari, Ana Meza, Githook User, Kyle Suarez, Mihai Andrei, Zixuan Zhuang
Votes:: 0 Vote for this issue
Watchers:: 8 Start watching this issue

Created:: Oct 27 2022 11:13:11 AM UTC
Updated:: Oct 29 2023 09:31:25 PM UTC
Resolved:: Nov 14 2022 07:13:13 PM UTC

Details

Description

Attachments

Issue Links

Activity

People

Dates