[SERVER-15899] Querying against path in document containing long array of subdocuments with nested arrays causes stack overflow Created: 31/Oct/14  Updated: 11/Jul/16  Resolved: 18/Nov/14

Status: Closed
Project: Core Server
Component/s: Querying
Affects Version/s: 2.6.5, 2.7.8
Fix Version/s: 2.6.6, 2.8.0-rc1

Type: Bug Priority: Critical - P2
Reporter: Bruce Lucas (Inactive) Assignee: J Rassi
Resolution: Done Votes: 0
Labels: None

Issue Links:
Depends
Operating System: ALL

 Description   
Issue Status as of Dec 10, 2014

ISSUE SUMMARY
If a document contains a very large array "arr" of subdocuments with nested arrays, a query against a path where many consecutive array elements of "arr" do not match the query path may trigger a stack overflow inside mongod.

For example:

db.col.insert({arr: [{elem: []}, {elem: []}, {elem: []}, ...]})
db.col.find({"arr.elem.x" : 0})

In this example, the issue is triggered when the number of consecutive array elements that do not match the "arr.elem.x" path is sufficiently large.

USER IMPACT
MongoDB crashes with no information in the log files.

WORKAROUNDS
There are no workarounds for this issue.

AFFECTED VERSIONS
MongoDB 2.6 versions up to 2.6.5 are affected by this issue.

FIX VERSION
The fix is included in the 2.6.6 production release.

RESOLUTION DETAILS
Change BSONElementIterator::more() to not use a stack frame per array element traversed.
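
The difference between the two shapes of more() described above, as an added example: this is a simplified model written for this page, not MongoDB's BSONElementIterator, and PathIter, moreRecursive, moreIterative and sumAll are hypothetical names. The depth counter is instrumentation added to make the frame-per-element cost measurable.

```cpp
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <vector>

// Constructed model of {arr: [{elem: [...]}, ...]}; an empty nested array yields nothing.
using Nested = std::vector<int>;

struct PathIter {
    const std::vector<Nested>& arr;
    std::size_t outer = 0, inner = 0, depth = 0, maxDepth = 0;  // depth: instrumentation
    explicit PathIter(const std::vector<Nested>& a) : arr(a) {}
    // Recursive form: every skipped element costs one more stack frame.
    bool moreRecursive() {
        maxDepth = std::max(maxDepth, ++depth);
        bool found;
        if (outer == arr.size()) found = false;
        else if (inner < arr[outer].size()) found = true;
        else { ++outer; inner = 0; found = moreRecursive(); }
        --depth;
        return found;
    }

    // Iterative form: skips in a loop, so stack use does not depend on the data.
    bool moreIterative() {
        while (outer < arr.size()) {
            if (inner < arr[outer].size()) return true;
            ++outer; inner = 0;
        }
        return false;
    }
    int next() { return arr[outer][inner++]; }
};

// Sum every value the iterator yields; optionally report the deepest recursion.
long sumAll(const std::vector<Nested>& arr, bool recursive, std::size_t* maxDepth = nullptr) {
    PathIter it(arr);
    long sum = 0;
    while (recursive ? it.moreRecursive() : it.moreIterative()) sum += it.next();
    if (maxDepth) *maxDepth = it.maxDepth;
    return sum;
}

int main() {
    std::vector<Nested> arr(1000);  // constructed input: 1000 empty nested arrays
    arr.push_back({7, 8});
    std::size_t d = 0;
    long s = sumAll(arr, true, &d);
    std::cout << "sum=" << s << " frames=" << d << " iterative=" << sumAll(arr, false) << "\n";
}
```

With 1000 consecutive empty elements the recursive form nests 1001 calls deep, while the iterative form returns the same result with a call depth that stays constant however long the run of skipped elements is.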



 Comments   
Comment by Githook User [ 25/Nov/14 ]

Author: Jason Rassi (jrassi) <rassi@10gen.com>

Message: SERVER-15899 BSONElementIterator::more() shouldn't overflow stack

BSONElementIterator::more() was using a stack frame per array
element traversed.

(cherry picked from commit 20c218d3d3df17c820b9cd3e6399a2dec6755d94)
Branch: v2.6
https://github.com/mongodb/mongo/commit/ca4a498ce711e307fb350e42be197d58d340c1cc

Comment by Githook User [ 18/Nov/14 ]

Author: Jason Rassi (jrassi) <rassi@10gen.com>

Message: SERVER-15899 BSONElementIterator::more() shouldn't overflow stack

BSONElementIterator::more() was using a stack frame per array
element traversed.
Branch: master
https://github.com/mongodb/mongo/commit/20c218d3d3df17c820b9cd3e6399a2dec6755d94

Comment by Bruce Lucas (Inactive) [ 31/Oct/14 ]

It doesn't seem to. I increased n to 100000 with no problem.

Comment by J Rassi [ 31/Oct/14 ]

Bruce, does this affect 2.4.12?
