[SERVER-22692] DocumentStorage::end may call ValueElement::plusBytes on nullptr Created: 17/Feb/16  Updated: 26/Apr/16  Resolved: 13/Apr/16

Status: Closed
Project: Core Server
Component/s: Aggregation Framework
Affects Version/s: None
Fix Version/s: 3.3.5

Type: Bug Priority: Major - P3
Reporter: Andrew Morrow (Inactive) Assignee: Mathias Stearn
Resolution: Done Votes: 0
Labels: undefined-sanitizer
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

Run jstests/core/bypass_doc_validation.js under UBSAN

Sprint: Integration 12 (04/04/16), Integration 13 (04/22/16)
Participants:

Description

Some tests fail when run under UBSAN with the following stack trace:

[MongoDFixture:job0] src/mongo/db/pipeline/document_internal.h:311:16: runtime error: member call on null pointer of type 'mongo::ValueElement'
[MongoDFixture:job0]     #0 0x15787ad in mongo::DocumentStorage::end() const /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/pipeline/document_internal.h:311:16
[MongoDFixture:job0]     #1 0x157d601 in mongo::DocumentStorage::iteratorAll() const /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/pipeline/document_internal.h:263:55
[MongoDFixture:job0]     #2 0x1578989 in mongo::DocumentStorage::findField(mongo::StringData) const /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/pipeline/document.cpp:64:43
[MongoDFixture:job0]     #3 0x15692aa in mongo::DocumentStorage::getField(mongo::StringData) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/pipeline/document_internal.h:242:24
[MongoDFixture:job0]     #4 0x1568fee in mongo::MutableDocument::getField(mongo::StringData) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/pipeline/document.h:399:29
[MongoDFixture:job0]     #5 0x1568e52 in mongo::MutableDocument::operator[](mongo::StringData) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/pipeline/document.h:393:16
[MongoDFixture:job0]     #6 0x1568e52 in mongo::DocumentStream::ValueStream::operator<<(mongo::Value const&) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/pipeline/document.h:574
[MongoDFixture:job0]     #7 0x158b70b in mongo::DocumentStream& mongo::DocumentStream::ValueStream::operator<< <mongo::Document>(mongo::Document const&) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/pipeline/document.h:581:21
[MongoDFixture:job0]     #8 0x15ae303 in mongo::DocumentSourceMatch::serialize(bool) const /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/pipeline/document_source_match.cpp:54:18
[MongoDFixture:job0]     #9 0x15800f8 in mongo::DocumentSource::serializeToArray(std::vector<mongo::Value, std::allocator<mongo::Value> >&, bool) const /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/pipeline/document_source.cpp:97:19
[MongoDFixture:job0]     #10 0x16536e1 in mongo::Pipeline::serialize() const /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/pipeline/pipeline.cpp:394:1
[MongoDFixture:job0]     #11 0x1284ffa in mongo::PipelineCommand::run(mongo::OperationContext*, std::string const&, mongo::BSONObj&, int, std::string&, mongo::BSONObjBuilder&) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/commands/pipeline_command.cpp:206:22
[MongoDFixture:job0]     #12 0x1307263 in mongo::Command::run(mongo::OperationContext*, mongo::rpc::RequestInterface const&, mongo::rpc::ReplyBuilderInterface*) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/dbcommands.cpp:1464:19
[MongoDFixture:job0]     #13 0x1305682 in mongo::Command::execCommand(mongo::OperationContext*, mongo::Command*, mongo::rpc::RequestInterface const&, mongo::rpc::ReplyBuilderInterface*) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/dbcommands.cpp:1332:18
[MongoDFixture:job0]     #14 0x1214624 in mongo::runCommands(mongo::OperationContext*, mongo::rpc::RequestInterface const&, mongo::rpc::ReplyBuilderInterface*) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/commands.cpp:498:9
[MongoDFixture:job0]     #15 0x14b4803 in mongo::(anonymous namespace)::receivedRpc(mongo::OperationContext*, mongo::Client&, mongo::DbResponse&, mongo::Message&) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/instance.cpp:304:9
[MongoDFixture:job0]     #16 0x14b4803 in mongo::assembleResponse(mongo::OperationContext*, mongo::Message&, mongo::DbResponse&, mongo::HostAndPort const&) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/instance.cpp:525
[MongoDFixture:job0]     #17 0x1012e54 in mongo::MyMessageHandler::process(mongo::Message&, mongo::AbstractMessagingPort*) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/db.cpp:173:17
[MongoDFixture:job0]     #18 0x1dcb6ad in mongo::PortMessageServer::handleIncomingMsg(void*) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/util/net/message_server_port.cpp:229:17
[MongoDFixture:job0]     #19 0x7fb4eef0a6a9 in start_thread /build/buildd/glibc-2.21/nptl/pthread_create.c:333
[MongoDFixture:job0]     #20 0x7fb4eea28eec in clone /build/buildd/glibc-2.21/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109
[MongoDFixture:job0]
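The defect class behind this trace, as an added example that is a hypothetical reconstruction and not MongoDB's code: a flat buffer of variable-size elements whose end() is computed by calling a pointer-arithmetic member on the first element, so an empty storage invokes the member through a null `this` (the "member call on null pointer" UBSan reports); the fixed end() checks for null before doing any arithmetic, which is the rule the fix commit states. The names ValueElement, plusBytes, Storage and the helper functions are assumed for illustration.

```cpp
#include <cstddef>
#include <cstring>
#include <string>
#include <vector>

// Header of one element in a flat buffer; name and value bytes follow it.
struct ValueElement {
    int nameLen;
    int valueLen;
    // Pointer arithmetic as a member function: invoking it through a null
    // 'this' is undefined behaviour, which is what -fsanitize=null flags.
    const ValueElement* plusBytes(size_t bytes) const {
        return reinterpret_cast<const ValueElement*>(
            reinterpret_cast<const char*>(this) + bytes);
    }
    // Element size padded so the next header stays suitably aligned.
    size_t size() const {
        size_t raw = sizeof(ValueElement) + nameLen + valueLen;
        return (raw + alignof(ValueElement) - 1) & ~(alignof(ValueElement) - 1);
    }
    const char* name() const { return reinterpret_cast<const char*>(this + 1); }
};

class Storage {
public:
    void append(const std::string& name, const std::string& value) {
        ValueElement hdr{static_cast<int>(name.size()), static_cast<int>(value.size())};
        _buf.resize(_used + hdr.size(), 0);  // zero-fill keeps padding defined
        char* p = _buf.data() + _used;
        std::memcpy(p, &hdr, sizeof hdr);
        std::memcpy(p + sizeof hdr, name.data(), name.size());
        std::memcpy(p + sizeof hdr + name.size(), value.data(), value.size());
        _used += hdr.size();
    }
    const ValueElement* begin() const {
        return _buf.empty() ? nullptr : reinterpret_cast<const ValueElement*>(_buf.data());
    }
    // Buggy form: with no fields begin() is nullptr, so plusBytes() runs on null.
    const ValueElement* endBuggy() const { return begin()->plusBytes(_used); }
    // Fixed form: never do pointer arithmetic through a null element pointer.
    const ValueElement* end() const {
        const ValueElement* b = begin();
        return b ? b->plusBytes(_used) : nullptr;
    }
    bool hasField(const std::string& f) const {  // the findField-style walk
        for (const ValueElement* e = begin(); e != end(); e = e->plusBytes(e->size()))
            if (std::string(e->name(), e->nameLen) == f) return true;
        return false;
    }
private:
    std::vector<char> _buf;
    size_t _used = 0;
};

// Lookups on an empty and on a populated storage, using only the fixed end().
bool emptyStorageHasField(const std::string& f) { Storage s; return s.hasField(f); }
bool twoFieldStorageHasField(const std::string& f) {
    Storage s; s.append("_id", "1"); s.append("name", "alice"); return s.hasField(f);
}
```

Compiling with `-fsanitize=undefined` and calling endBuggy() on an empty Storage reproduces the same class of report; the fixed end() returns nullptr and the iteration loop terminates immediately.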



Comments
Comment by Githook User [ 13/Apr/16 ]

Author: Mathias Stearn (RedBeard0531, mathias@10gen.com)

Message: SERVER-22692 Don't use ValueElement ptr arithmetic methods on null pointers

This was causing failures with UBSan.
Branch: master
https://github.com/mongodb/mongo/commit/4b3928d17918b241b38e2850f2c18d24b37f6b2c
