[SERVER-18858] MatchExpression use-after-free after dropping partial index Created: 07/Jun/15  Updated: 05/Feb/16  Resolved: 09/Jun/15

Status: Closed
Project: Core Server
Component/s: Index Maintenance
Affects Version/s: 3.1.3
Fix Version/s: 3.1.5

Type: Bug Priority: Major - P3
Reporter: Kamran K. Assignee: J Rassi
Resolution: Done Votes: 0
Labels: 32qa
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

var t = db.filter_drop;
t.drop();

// Partial index: the filter is parsed into a MatchExpression owned by the IndexCatalogEntry.
t.ensureIndex({a: 1}, {filter: {a: {$exists: true}}});
// Dropping the index frees that MatchExpression.
t.dropIndexes();

// The next query's plan cache key computation still walks the freed filter.
t.find({a: 2}).itcount();

Sprint: Quint Iteration 5
Participants:

Description

An IndexCatalogEntry's MatchExpression (_filterExpression) can be used by the partial index code after it's already been deleted:

==27896==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f000006d08 at pc 0x000001e35ee9 bp 0x7fe2b4a90b30 sp 0x7fe2b4a90b28
READ of size 4 at 0x60f000006d08 thread T11
    #0 0x1e35ee8 in mongo::MatchExpression::matchType() const /home/s/code/mongo/mongo-asan/src/mongo/db/matcher/expression.h:85:46
    #1 0x2db66c3 in mongo::ComparisonMatchExpression::equivalent(mongo::MatchExpression const*) const /home/s/code/mongo/mongo-asan/src/mongo/db/matcher/expression_leaf.cpp:67:14
    #2 0x2d843c3 in mongo::expression::isSubsetOf(mongo::MatchExpression const*, mongo::MatchExpression const*) /home/s/code/mongo/mongo-asan/src/mongo/db/matcher/expression_algo.cpp:197:13
    #3 0x365dd8d in mongo::PlanCacheIndexabilityState::processPartialIndex(mongo::MatchExpression const*)::$_1::operator()(mongo::MatchExpression const*) const /home/s/code/mongo/mongo-asan/src/mongo/db/query/plan_cache_indexability.cpp:67:28
    #4 0x365cb82 in std::_Function_handler<bool (mongo::MatchExpression const*), mongo::PlanCacheIndexabilityState::processPartialIndex(mongo::MatchExpression const*)::$_1>::_M_invoke(std::_Any_data const&, mongo::MatchExpression const*) /usr/bin/../lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/functional:2056:11
    #5 0x360e786 in std::function<bool (mongo::MatchExpression const*)>::operator()(mongo::MatchExpression const*) const /usr/bin/../lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/functional:2464:14
    #6 0x35fc1e9 in mongo::PlanCache::encodeKeyForMatch(mongo::MatchExpression const*, mongo::StringBuilderImpl<mongo::TrivialAllocator>*) const /home/s/code/mongo/mongo-asan/src/mongo/db/query/plan_cache.cpp:452:32
    #7 0x3602c36 in mongo::PlanCache::computeKey(mongo::CanonicalQuery const&) const /home/s/code/mongo/mongo-asan/src/mongo/db/query/plan_cache.cpp:641:9
    #8 0x34fad33 in mongo::fillOutPlannerParams(mongo::OperationContext*, mongo::Collection*, mongo::CanonicalQuery*, mongo::QueryPlannerParams*) /home/s/code/mongo/mongo-asan/src/mongo/db/query/get_executor.cpp:164:13
    #9 0x34fe76f in mongo::(anonymous namespace)::prepareExecution(mongo::OperationContext*, mongo::Collection*, mongo::WorkingSet*, mongo::CanonicalQuery*, unsigned long, mongo::PlanStage**, mongo::QuerySolution**) /home/s/code/mongo/mongo-asan/src/mongo/db/query/get_executor.cpp:258:13
    #10 0x34fc5d3 in mongo::getExecutor(mongo::OperationContext*, mongo::Collection*, mongo::CanonicalQuery*, mongo::PlanExecutor::YieldPolicy, mongo::PlanExecutor**, unsigned long) /home/s/code/mongo/mongo-asan/src/mongo/db/query/get_executor.cpp:452:25
    #11 0x350a0e2 in mongo::getExecutorFind(mongo::OperationContext*, mongo::Collection*, mongo::NamespaceString const&, mongo::CanonicalQuery*, mongo::PlanExecutor::YieldPolicy, mongo::PlanExecutor**) /home/s/code/mongo/mongo-asan/src/mongo/db/query/get_executor.cpp:641:16
    #12 0x34d995b in mongo::runQuery(mongo::OperationContext*, mongo::QueryMessage&, mongo::NamespaceString const&, mongo::Message&) /home/s/code/mongo/mongo-asan/src/mongo/db/query/find.cpp:573:33
    #13 0x2d333e8 in mongo::receivedQuery(mongo::OperationContext*, mongo::NamespaceString const&, mongo::Client&, mongo::DbResponse&, mongo::Message&) /home/s/code/mongo/mongo-asan/src/mongo/db/instance.cpp:403:36
    #14 0x2d2970a in mongo::assembleResponse(mongo::OperationContext*, mongo::Message&, mongo::DbResponse&, mongo::HostAndPort const&) /home/s/code/mongo/mongo-asan/src/mongo/db/instance.cpp:541:17
    #15 0x124f855 in mongo::MyMessageHandler::process(mongo::Message&, mongo::AbstractMessagingPort*) /home/s/code/mongo/mongo-asan/src/mongo/db/db.cpp:170:21
    #16 0x58af85d in mongo::PortMessageServer::handleIncomingMsg(void*) /home/s/code/mongo/mongo-asan/src/mongo/util/net/message_server_port.cpp:227:21
    #17 0x7fe2d4916181 in start_thread /build/buildd/eglibc-2.19/nptl/pthread_create.c:312
    #18 0x7fe2d442d47c in clone /build/buildd/eglibc-2.19/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:111
 
0x60f000006d08 is located 8 bytes inside of 176-byte region [0x60f000006d00,0x60f000006db0)
freed by thread T11 here:
    #0 0x11b8632 in operator delete(void*) (/home/s/code/mongo/mongo-asan/mongod+0x11b8632)
    #1 0x2dd6bd0 in mongo::ExistsMatchExpression::~ExistsMatchExpression() /home/s/code/mongo/mongo-asan/src/mongo/db/matcher/expression_leaf.h:258:11
    #2 0x1aa758e in void boost::checked_delete<mongo::MatchExpression>(mongo::MatchExpression*) /home/s/code/mongo/mongo-asan/src/third_party/boost-1.56.0/boost/core/checked_delete.hpp:34:5
    #3 0x1a8a266 in boost::scoped_ptr<mongo::MatchExpression>::~scoped_ptr() /home/s/code/mongo/mongo-asan/src/third_party/boost-1.56.0/boost/smart_ptr/scoped_ptr.hpp:82:9
    #4 0x1e4080b in mongo::IndexCatalogEntry::~IndexCatalogEntry() /home/s/code/mongo/mongo-asan/src/mongo/db/catalog/index_catalog_entry.cpp:93:5
    #5 0x1e205a4 in mongo::(anonymous namespace)::IndexRemoveChange::commit() /home/s/code/mongo/mongo-asan/src/mongo/db/catalog/index_catalog.cpp:821:13
    #6 0x4760674 in mongo::DurRecoveryUnit::commitChanges() /home/s/code/mongo/mongo-asan/src/mongo/db/storage/mmap_v1/dur_recovery_unit.cpp:87:17
    #7 0x47601c6 in mongo::DurRecoveryUnit::commitUnitOfWork() /home/s/code/mongo/mongo-asan/src/mongo/db/storage/mmap_v1/dur_recovery_unit.cpp:60:9
    #8 0x120b13a in mongo::WriteUnitOfWork::commit() /home/s/code/mongo/mongo-asan/src/mongo/db/operation_context.h:246:17
    #9 0x1dea667 in mongo::dropIndexes(mongo::OperationContext*, mongo::NamespaceString const&, mongo::BSONObj const&, mongo::BSONObjBuilder*) /home/s/code/mongo/mongo-asan/src/mongo/db/catalog/drop_indexes.cpp:159:13
    #10 0x1fb7a30 in mongo::CmdDropIndexes::run(mongo::OperationContext*, std::string const&, mongo::BSONObj&, int, std::string&, mongo::BSONObjBuilder&) /home/s/code/mongo/mongo-asan/src/mongo/db/commands/drop_indexes.cpp:94:40
    #11 0x244a77f in mongo::Command::run(mongo::OperationContext*, mongo::BSONObj const&, mongo::rpc::RequestInterface const&, mongo::rpc::ReplyBuilderInterface*) /home/s/code/mongo/mongo-asan/src/mongo/db/dbcommands.cpp:1376:23
    #12 0x2447c15 in mongo::Command::execCommand(mongo::OperationContext*, mongo::Command*, mongo::rpc::RequestInterface const&, mongo::rpc::ReplyBuilderInterface*) /home/s/code/mongo/mongo-asan/src/mongo/db/dbcommands.cpp:1315:22
    #13 0x1ef9c86 in mongo::runCommands(mongo::OperationContext*, mongo::rpc::RequestInterface const&, mongo::rpc::ReplyBuilderInterface*) /home/s/code/mongo/mongo-asan/src/mongo/db/commands.cpp:507:13
    #14 0x2d320a3 in mongo::receivedCommand(mongo::OperationContext*, mongo::NamespaceString const&, mongo::Client&, mongo::DbResponse&, mongo::Message&) /home/s/code/mongo/mongo-asan/src/mongo/db/instance.cpp:268:13
    #15 0x2d295ff in mongo::assembleResponse(mongo::OperationContext*, mongo::Message&, mongo::DbResponse&, mongo::HostAndPort const&) /home/s/code/mongo/mongo-asan/src/mongo/db/instance.cpp:538:17
    #16 0x124f855 in mongo::MyMessageHandler::process(mongo::Message&, mongo::AbstractMessagingPort*) /home/s/code/mongo/mongo-asan/src/mongo/db/db.cpp:170:21
    #17 0x58af85d in mongo::PortMessageServer::handleIncomingMsg(void*) /home/s/code/mongo/mongo-asan/src/mongo/util/net/message_server_port.cpp:227:21
    #18 0x7fe2d4916181 in start_thread /build/buildd/eglibc-2.19/nptl/pthread_create.c:312
 
previously allocated by thread T11 here:
    #0 0x11b8072 in operator new(unsigned long) (/home/s/code/mongo/mongo-asan/mongod+0x11b8072)
    #1 0x2ded97a in mongo::MatchExpressionParser::_parseSubField(mongo::BSONObj const&, mongo::AndMatchExpression const*, char const*, mongo::BSONElement const&, int) /home/s/code/mongo/mongo-asan/src/mongo/db/matcher/expression_parser.cpp:213:56
    #2 0x2e03b58 in mongo::MatchExpressionParser::_parseSub(char const*, mongo::BSONObj const&, mongo::AndMatchExpression*, int) /home/s/code/mongo/mongo-asan/src/mongo/db/matcher/expression_parser.cpp:456:43
    #3 0x2e00708 in mongo::MatchExpressionParser::_parse(mongo::BSONObj const&, int) /home/s/code/mongo/mongo-asan/src/mongo/db/matcher/expression_parser.cpp:376:28
    #4 0x1a87fec in mongo::MatchExpressionParser::parse(mongo::BSONObj const&, mongo::MatchExpressionParser::WhereCallback const&) /home/s/code/mongo/mongo-asan/src/mongo/db/matcher/expression_parser.h:72:20
    #5 0x1e41474 in mongo::IndexCatalogEntry::init(mongo::OperationContext*, mongo::IndexAccessMethod*) /home/s/code/mongo/mongo-asan/src/mongo/db/catalog/index_catalog_entry.cpp:108:45
    #6 0x1df2e80 in mongo::IndexCatalog::_setupInMemoryStructures(mongo::OperationContext*, mongo::IndexDescriptor*, bool) /home/s/code/mongo/mongo-asan/src/mongo/db/catalog/index_catalog.cpp:174:9
    #7 0x1e0aaed in mongo::IndexCatalog::IndexBuildBlock::init() /home/s/code/mongo/mongo-asan/src/mongo/db/catalog/index_catalog.cpp:401:18
    #8 0x1e5168d in mongo::MultiIndexBlock::init(std::vector<mongo::BSONObj, std::allocator<mongo::BSONObj> > const&) /home/s/code/mongo/mongo-asan/src/mongo/db/catalog/index_create.cpp:181:22
    #9 0x1f7bfe4 in mongo::CmdCreateIndex::run(mongo::OperationContext*, std::string const&, mongo::BSONObj&, int, std::string&, mongo::BSONObjBuilder&) /home/s/code/mongo/mongo-asan/src/mongo/db/commands/create_indexes.cpp:198:33
    #10 0x244a77f in mongo::Command::run(mongo::OperationContext*, mongo::BSONObj const&, mongo::rpc::RequestInterface const&, mongo::rpc::ReplyBuilderInterface*) /home/s/code/mongo/mongo-asan/src/mongo/db/dbcommands.cpp:1376:23
    #11 0x2447c15 in mongo::Command::execCommand(mongo::OperationContext*, mongo::Command*, mongo::rpc::RequestInterface const&, mongo::rpc::ReplyBuilderInterface*) /home/s/code/mongo/mongo-asan/src/mongo/db/dbcommands.cpp:1315:22
    #12 0x1ef9c86 in mongo::runCommands(mongo::OperationContext*, mongo::rpc::RequestInterface const&, mongo::rpc::ReplyBuilderInterface*) /home/s/code/mongo/mongo-asan/src/mongo/db/commands.cpp:507:13
    #13 0x2d320a3 in mongo::receivedCommand(mongo::OperationContext*, mongo::NamespaceString const&, mongo::Client&, mongo::DbResponse&, mongo::Message&) /home/s/code/mongo/mongo-asan/src/mongo/db/instance.cpp:268:13
    #14 0x2d295ff in mongo::assembleResponse(mongo::OperationContext*, mongo::Message&, mongo::DbResponse&, mongo::HostAndPort const&) /home/s/code/mongo/mongo-asan/src/mongo/db/instance.cpp:538:17
    #15 0x124f855 in mongo::MyMessageHandler::process(mongo::Message&, mongo::AbstractMessagingPort*) /home/s/code/mongo/mongo-asan/src/mongo/db/db.cpp:170:21
    #16 0x58af85d in mongo::PortMessageServer::handleIncomingMsg(void*) /home/s/code/mongo/mongo-asan/src/mongo/util/net/message_server_port.cpp:227:21
    #17 0x7fe2d4916181 in start_thread /build/buildd/eglibc-2.19/nptl/pthread_create.c:312


Version: 5bf56982d557a6c4e7d156b1e525950dd7960684
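The ownership pattern behind this trace, as an added simplified model that is not MongoDB's code: the catalog entry owns the filter expression through a unique_ptr, the cached indexability callbacks capture a raw pointer to it, and dropping the index frees the expression while the callbacks survive. The `resetInfoCacheAfterDrop` flag stands in for the fix named in the commit message; all names other than the MongoDB classes they mirror are hypothetical.

```cpp
#include <functional>
#include <memory>
#include <string>
#include <vector>
// Simplified model (not MongoDB's code) of the ownership in SERVER-18858: a catalog
// entry owns its partial-filter MatchExpression, while the plan cache's indexability
// state keeps std::function callbacks that capture a raw pointer to that expression.
struct MatchExpression {
    std::string field;  // stands in for {field: {$exists: true}}
    bool matches(const std::string& f) const { return f == field; }
};
struct IndexCatalogEntry { std::unique_ptr<MatchExpression> filterExpression; };

class Catalog {
public:
    void createPartialIndex(const std::string& field) {
        auto e = std::make_unique<IndexCatalogEntry>();
        e->filterExpression = std::make_unique<MatchExpression>(MatchExpression{field});
        entries_.push_back(std::move(e));
        cacheValid_ = false;  // the info cache must be rebuilt before its next use
    }
    // Bug shape: the drop frees the expressions, but the cached discriminators (and the
    // pointers they captured) survive unless the cache is reset after the drop (the fix).
    void dropIndexes(bool resetInfoCacheAfterDrop) {
        entries_.clear();
        if (resetInfoCacheAfterDrop) cacheValid_ = false;
    }
    // Query path: counts partial indexes whose filter applies to queryField, going
    // through the cached discriminators the way PlanCache::computeKey does.
    size_t countApplicableFilters(const std::string& queryField) {
        if (!cacheValid_) rebuildCache();
        size_t n = 0;
        for (auto& d : discriminators_) if (d(queryField)) ++n;
        return n;
    }
    bool cacheValid() const { return cacheValid_; }
    size_t cachedDiscriminators() const { return discriminators_.size(); }
private:
    void rebuildCache() {  // only live entries are captured
        discriminators_.clear();
        for (auto& e : entries_) {
            const MatchExpression* filter = e->filterExpression.get();
            discriminators_.push_back([filter](const std::string& f) { return filter->matches(f); });
        }
        cacheValid_ = true;
    }
    std::vector<std::unique_ptr<IndexCatalogEntry>> entries_;
    std::vector<std::function<bool(const std::string&)>> discriminators_;
    bool cacheValid_ = false;
};
```

With `resetInfoCacheAfterDrop == false` the stale discriminator stays cached after the drop, and invoking it is exactly the read on freed memory ASan reports above; with the reset, the next query rebuilds the cache from live entries only.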
Comments
Comment by Githook User [ 09/Jun/15 ]

Author: Jason Rassi (jrassi), rassi@10gen.com

Message: SERVER-18858 IndexCatalog::_dropIndex() reset info cache after drop
Branch: master
https://github.com/mongodb/mongo/commit/f686546a5b9a80f87bac7e664ff022f2dd8c72f3

Generated at Thu Feb 08 03:48:57 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.