[SERVER-21166] Leak in getExecutorDistinct Created: 27/Oct/15  Updated: 25/Apr/16  Resolved: 29/Oct/15

Status: Closed
Project: Core Server
Component/s: Querying
Affects Version/s: 3.2.0-rc1
Fix Version/s: 3.2.0-rc2

Type: Bug Priority: Major - P3
Reporter: Robert Guo (Inactive) Assignee: David Storch
Resolution: Done Votes: 0
Labels: fuzzer-blocker
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
is duplicated by SERVER-19712 Index spec with integer-overflowing s... Closed
is duplicated by SERVER-21165 Leak in QueryPlannerAccess::makeLeafNode Closed
Related
related to SERVER-18372 QuerySolution leak when exception is ... Closed
related to SERVER-21251 jstestfuzz causing invariant failure ... Closed
Backwards Compatibility: Minor Change
Operating System: ALL
Sprint: TIG B (10/30/15)
Participants:

Description

mongod githash: 0613deff6f

[MongoDFixture:job0] Direct leak of 200 byte(s) in 1 object(s) allocated from:
[MongoDFixture:job0]     #0 0xae13c9 in operator new(unsigned long) (/home/ubuntu/mongo/mongod+0xae13c9)
[MongoDFixture:job0]     #1 0x1c00d08 in mongo::getExecutorDistinct(mongo::OperationContext*, mongo::Collection*, std::string const&, mongo::BSONObj const&, std::string const&, bool, mongo::PlanExecutor::YieldPolicy) /home/ubuntu/mongo/src/mongo/db/query/get_executor.cpp:1363
[MongoDFixture:job0]     #2 0x118776d in mongo::DistinctCommand::getPlanExecutor(mongo::OperationContext*, mongo::Collection*, std::string const&, mongo::BSONObj const&, bool) const /home/ubuntu/mongo/src/mongo/db/commands/distinct.cpp:127
[MongoDFixture:job0]     #3 0x1181e67 in mongo::DistinctCommand::run(mongo::OperationContext*, std::string const&, mongo::BSONObj&, int, std::string&, mongo::BSONObjBuilder&) /home/ubuntu/mongo/src/mongo/db/commands/distinct.cpp:170
[MongoDFixture:job0]     #4 0x13d4b30 in mongo::Command::run(mongo::OperationContext*, mongo::rpc::RequestInterface const&, mongo::rpc::ReplyBuilderInterface*) /home/ubuntu/mongo/src/mongo/db/dbcommands.cpp:1385
[MongoDFixture:job0]     #5 0x13cff9a in mongo::Command::execCommand(mongo::OperationContext*, mongo::Command*, mongo::rpc::RequestInterface const&, mongo::rpc::ReplyBuilderInterface*) /home/ubuntu/mongo/src/mongo/db/dbcommands.cpp:1290
[MongoDFixture:job0]     #6 0x1122c11 in mongo::runCommands(mongo::OperationContext*, mongo::rpc::RequestInterface const&, mongo::rpc::ReplyBuilderInterface*) /home/ubuntu/mongo/src/mongo/db/commands.cpp:496

Comments
Comment by Githook User [ 30/Oct/15 ]

Author: David Storch (dstorch, david.storch@10gen.com)

Message: SERVER-21166 better error message
Branch: master
https://github.com/mongodb/mongo/commit/89a4d15153c23050aeb08ba60955517d34ab8f60

Comment by Githook User [ 29/Oct/15 ]

Author: David Storch (dstorch, david.storch@10gen.com)

Message: SERVER-21166 validate that index key pattern values are representable as 32-bit signed numbers
Branch: master
https://github.com/mongodb/mongo/commit/f95d12b1e033bc77713cabc32b51d0e2e347d828

Comment by Githook User [ 29/Oct/15 ]

Author: David Storch (dstorch, david.storch@10gen.com)

Message: SERVER-21166 don't leak DistinctNode
Branch: master
https://github.com/mongodb/mongo/commit/d75f311d37b5710421668425bbdf703c0b3324e7

Comment by David Storch [ 29/Oct/15 ]

The root cause of the leak is an unexpected exception being thrown by a verify() tripped during query planning. We were leaking a raw pointer, so I've changed the raw pointer to a unique_ptr in order to protect against any early return.

I've also fixed the verify() failure, which is the underlying problem. Planning code is converting the value inside the index key pattern to a 32-bit signed int in order to determine whether the index is ascending or descending. If the value overflows these 32 bits, then the planner can misinterpret an ascending index as descending (or vice-versa). In order to protect against this scenario, I've added validation which makes sure that the numeric value inside each key pattern element fits inside a 32-bit signed int.

Comment by David Storch [ 27/Oct/15 ]

Looks like we're leaking the DistinctNode:

https://github.com/mongodb/mongo/blob/28a2d6fa3f7fb6659f578d69e6d772ae9be8c25e/src/mongo/db/query/get_executor.cpp#L1363

We should be managing the DistinctNode with a unique_ptr. However, a repro would be useful, since the call to analyzeDataAccess() is supposed to take ownership of the DistinctNode, and I'm not sure how anything before then could throw.
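A worked example, added here and not part of this ticket or of the MongoDB code base, of the two points raised in David Storch's comments above: an index direction read through an unchecked narrowing to 32 bits versus one guarded by a range check, and a DistinctNode-style allocation held by a raw pointer versus a unique_ptr when a planning step throws before ownership is handed on. KeyPatternElement, DistinctNode, Plan, fitsInInt32 and the two build functions are simplified stand-ins written for this example, not the server's types or functions; the liveCount counter plays the role LeakSanitizer plays in the report above.

```cpp
#include <cmath>
#include <cstdint>
#include <iostream>
#include <limits>
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>

// Simplified stand-in for one element of an index key pattern such as {a: 1}.
// Real BSON carries int/long/double; double is enough to show the overflow case.
struct KeyPatternElement {
    std::string field;
    double value;
};

// Range check: true iff 'value' is representable as a signed 32-bit int.
// (A sketch of the validation the fix describes, not the server's code.)
bool fitsInInt32(double value) {
    if (std::isnan(value)) {
        return false;
    }
    return value >= static_cast<double>(std::numeric_limits<int32_t>::min()) &&
           value <= static_cast<double>(std::numeric_limits<int32_t>::max());
}

// The bug shape: the value is narrowed to 32 bits before its sign is read, so a
// large positive value (e.g. 2^32 - 1) wraps to -1 and reads as a descending index.
// The int64 step keeps the narrowing well-defined for this demonstration.
int directionUnchecked(const KeyPatternElement& elt) {
    int32_t narrowed = static_cast<int32_t>(static_cast<int64_t>(elt.value));
    return narrowed >= 0 ? 1 : -1;
}

// The fixed shape: reject anything that does not fit before interpreting it.
int directionChecked(const KeyPatternElement& elt) {
    if (!fitsInInt32(elt.value)) {
        throw std::invalid_argument("key pattern value for field '" + elt.field +
                                    "' is not representable as a 32-bit signed int");
    }
    return static_cast<int32_t>(elt.value) >= 0 ? 1 : -1;
}

// Stand-in for the planner node; the live counter makes a leak observable.
struct DistinctNode {
    static int liveCount;
    int direction = 1;
    DistinctNode() { ++liveCount; }
    ~DistinctNode() { --liveCount; }
};
int DistinctNode::liveCount = 0;

struct Plan {
    int direction;
};

// Buggy shape: a raw owning pointer, with work that may throw before ownership
// is handed on. An exception skips the delete and the node leaks.
Plan buildPlanRawPointer(const std::vector<KeyPatternElement>& keyPattern) {
    DistinctNode* dn = new DistinctNode();
    dn->direction = directionChecked(keyPattern.at(0));  // may throw: dn is never freed
    Plan plan{dn->direction};
    delete dn;  // only reached on the happy path
    return plan;
}

// Fixed shape: unique_ptr owns the node, so every exit path (return or throw)
// runs the destructor.
Plan buildPlanUniquePtr(const std::vector<KeyPatternElement>& keyPattern) {
    std::unique_ptr<DistinctNode> dn(new DistinctNode());
    dn->direction = directionChecked(keyPattern.at(0));  // may throw: dn is still freed
    return Plan{dn->direction};
}

// Runs one build against a constructed bad key pattern and reports how many
// nodes are still alive afterwards (0 means nothing leaked).
int liveNodesAfterFailedBuild(bool useUniquePtr) {
    DistinctNode::liveCount = 0;
    const std::vector<KeyPatternElement> bad{{"a", 4294967295.0}};  // constructed: 2^32 - 1
    try {
        if (useUniquePtr) {
            buildPlanUniquePtr(bad);
        } else {
            buildPlanRawPointer(bad);
        }
    } catch (const std::invalid_argument&) {
        // expected: the range check rejects the value
    }
    return DistinctNode::liveCount;
}

int main() {
    std::cout << "unchecked direction of 2^32-1: " << directionUnchecked({"a", 4294967295.0}) << "\n";
    std::cout << "nodes leaked with raw pointer: " << liveNodesAfterFailedBuild(false) << "\n";
    std::cout << "nodes leaked with unique_ptr:  " << liveNodesAfterFailedBuild(true) << "\n";
    return 0;
}
```

The unchecked path is the planner misreading described in the comment: the same value that the range check rejects is silently narrowed to -1 and treated as descending. The raw-pointer build leaves one node alive after the throw, which is exactly the 200-byte "Direct leak" shape the sanitizer reports; the unique_ptr build leaves none.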

Generated at Thu Feb 08 03:56:31 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.