Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-76321

Buffer overrun while deserializing compound group key spilled to disk in SBE hash agg implementation

    • Type: Icon: Bug Bug
    • Resolution: Fixed
    • Priority: Icon: Blocker - P1 Blocker - P1
    • 7.1.0-rc0, 6.0.6, 7.0.0-rc1, 6.3.2
    • Affects Version/s: 6.0.5, 6.3.0-rc3
    • Component/s: None
    • Labels:
      None
    • Fully Compatible
    • ALL
    • v7.0, v6.3, v6.0
    • QE 2023-05-01

      Our current strategy for executing $group in most contexts is a hash aggregation. Namely, we maintain a hash table which maps from group key to accumulator state. In order to avoid using too much memory, when this hash table grows large enough it gets serialized to disk. This slot-based execution engine (SBE) implementation spills to an internal table managed by the storage engine using a type called TemporaryRecordStore. The keys of this spill table are serialized to an internal format called KeyString.

      We have discovered a buffer overrun bug related to the deserialization of KeyStrings to a MaterializedRow of SBE values. This can cause queries to fail with tassert() code 6136200. Given potential memory corruption, it could also lead to crashing with a segfault.

      A tassert() error message like the following one of the possible symptoms of this bug:

      {"t":{"$date":"2023-04-20T16:21:05.592-04:00"},"s":"E",  "c":"ASSERT",   "id":4457000, "ctx":"conn1","msg":"Tripwire assertion","attr":{"error":{"code":6136200,"codeName":"Location6136200","errmsg":"sbe tag must be 'Boolean'"},"location":"{fileName:\"src/mongo/db/exec/sbe/values/value_builder.h\", line:332, functionName:\"readValues\"}"}}
      

            Assignee:
            david.storch@mongodb.com David Storch
            Reporter:
            david.storch@mongodb.com David Storch
            Votes:
            0 Vote for this issue
            Watchers:
            14 Start watching this issue

              Created:
              Updated:
              Resolved: