Our current strategy for executing $group in most contexts is a hash aggregation. Namely, we maintain a hash table which maps from group key to accumulator state. In order to avoid using too much memory, when this hash table grows large enough it gets serialized to disk. This slot-based execution engine (SBE) implementation spills to an internal table managed by the storage engine using a type called TemporaryRecordStore. The keys of this spill table are serialized to an internal format called KeyString.
We have discovered a buffer overrun bug related to the deserialization of KeyStrings to a MaterializedRow of SBE values. This can cause queries to fail with tassert() code 6136200. Given potential memory corruption, it could also lead to crashing with a segfault.
A tassert() error message like the following is one of the possible symptoms of this bug:
{"t":{"$date":"2023-04-20T16:21:05.592-04:00"},"s":"E", "c":"ASSERT", "id":4457000, "ctx":"conn1","msg":"Tripwire assertion","attr":{"error":{"code":6136200,"codeName":"Location6136200","errmsg":"sbe tag must be 'Boolean'"},"location":"{fileName:\"src/mongo/db/exec/sbe/values/value_builder.h\", line:332, functionName:\"readValues\"}"}}
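To check whether a deployment has hit this symptom, the structured mongod log can be filtered for the tripwire entry shown above. The following is an added example, not code from this ticket or from the MongoDB project; the function name and every sample line except the first (which is the message quoted above) are constructed for illustration.

```python
import json

TRIPWIRE_LOG_ID = 4457000   # "Tripwire assertion" log id, taken from the message above
SBE_TASSERT_CODE = 6136200  # tassert code named in this ticket

# Sample input: line 1 is the message quoted in the ticket; lines 2-4 are
# constructed (an unrelated entry, a different tripwire, a truncated line).
SAMPLE_LOG = r'''{"t":{"$date":"2023-04-20T16:21:05.592-04:00"},"s":"E", "c":"ASSERT", "id":4457000, "ctx":"conn1","msg":"Tripwire assertion","attr":{"error":{"code":6136200,"codeName":"Location6136200","errmsg":"sbe tag must be 'Boolean'"},"location":"{fileName:\"src/mongo/db/exec/sbe/values/value_builder.h\", line:332, functionName:\"readValues\"}"}}
{"t":{"$date":"2023-04-20T16:21:06.000-04:00"},"s":"I", "c":"CONSTRUCTED", "id":1, "ctx":"conn1","msg":"constructed unrelated entry","attr":{}}
{"t":{"$date":"2023-04-20T16:21:06.500-04:00"},"s":"E", "c":"ASSERT", "id":4457000, "ctx":"conn2","msg":"Tripwire assertion","attr":{"error":{"code":1,"codeName":"Constructed","errmsg":"constructed"},"location":"constructed"}}
{"t":{"$date":"2023-04-20T16:21:07
'''


def find_sbe_tasserts(lines):
    """Return one dict per tripwire entry that carries the ticket's tassert code."""
    hits = []
    for lineno, raw in enumerate(lines, 1):
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # blank, truncated or non-JSON line: skip, keep scanning
        if not isinstance(entry, dict) or entry.get("id") != TRIPWIRE_LOG_ID:
            continue
        attr = entry.get("attr")
        error = attr.get("error") if isinstance(attr, dict) else None
        if not isinstance(error, dict) or error.get("code") != SBE_TASSERT_CODE:
            continue
        hits.append({
            "line": lineno,
            "time": entry.get("t", {}).get("$date"),
            "ctx": entry.get("ctx"),
            "errmsg": error.get("errmsg"),
            "location": attr.get("location"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_sbe_tasserts(SAMPLE_LOG.splitlines()):
        print(hit)
```

Because the ticket notes that memory corruption may also end in a segfault, an empty result does not rule the bug out.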
- is related to SERVER-70395 Slot-Based Engine too aggressively uses disk for $group and is slow (Closed)