[SERVER-31803] Segfault while constructing boost::optional in sharded post-change lookup
Created: 02/Nov/17  Updated: 30/Oct/23  Resolved: 06/Nov/17

Status: Closed
Project: Core Server
Component/s: Aggregation Framework
Affects Version/s: None
Fix Version/s: 3.6.0-rc3

Type: Bug
Priority: Major - P3
Reporter: Bernard Gorman
Assignee: Bernard Gorman
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by SERVER-31394 Create passthroughs of existing chang... Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Sprint: Query 2017-11-13
Participants:

 Description   

On a sharded cluster, when conditionally constructing the boost::optional return value for $changeStream post-update lookup in cases where no matching document is found, a segfault can occur due to passing a null BSONObj reference to the Document constructor.

  thread #27, stop reason = signal SIGSTOP
    frame #0: 0x0000000107cfcdcc mongos`mongo::BSONObj::objdata(this=0x0000000000000000) const at bsonobj.h:363
    frame #1: 0x0000000107cfcd73 mongos`mongo::BSONObj::objsize(this=0x0000000000000000) const at bsonobj.h:368
    frame #2: 0x0000000107d99121 mongos`mongo::BSONObjIterator::BSONObjIterator(this=0x00007000045a6fb8, jso=0x0000000000000000) at bsonobj.h:600
    frame #3: 0x0000000107d8a1cd mongos`mongo::BSONObjIterator::BSONObjIterator(this=0x00007000045a6fb8, jso=0x0000000000000000) at bsonobj.h:599
    frame #4: 0x0000000109478e01 mongos`mongo::BSONObj::nFields(this=0x0000000000000000) const at bsonobj.cpp:582
    frame #5: 0x00000001091147d7 mongos`mongo::Document::Document(this=0x00007000045a7418, bson=0x0000000000000000) at document.cpp:226
    frame #6: 0x00000001091149dd mongos`mongo::Document::Document(this=0x00007000045a7418, bson=0x0000000000000000) at document.cpp:225
    frame #7: 0x0000000107ed0b07 mongos`mongo::(anonymous namespace)::MongosProcessInterface::lookupSingleDocument(this=0x00007ff957c1e268, expCtx=0x00007000045a7958, filter=0x00007000045a7988) at pipeline_s.cpp:244
    frame #8: 0x00000001084030d6 mongos`mongo::DocumentSourceLookupChangePostImage::lookupPostImage(this=0x00007ff957c1d150, updateOp=0x00007000045a7ae0) const at document_source_lookup_change_post_image.cpp:111
    frame #9: 0x0000000108402b5a mongos`mongo::DocumentSourceLookupChangePostImage::getNext(this=0x00007ff957c1d150) at document_source_lookup_change_post_image.cpp:75
    frame #10: 0x0000000108427133 mongos`mongo::Pipeline::getNext(this=0x00007ff957c18200) at pipeline.cpp:541
    frame #11: 0x0000000107f67b23 mongos`mongo::RouterStagePipeline::next(this=0x00007ff957c1dfe0, execContext=kGetMoreNoResultsYet) at router_stage_pipeline.cpp:61
    frame #12: 0x0000000107f4f91e mongos`mongo::ClusterClientCursorImpl::next(this=0x00007ff957c200b0, execContext=kGetMoreNoResultsYet) at cluster_client_cursor_impl.cpp:93
    frame #13: 0x0000000108303a3d mongos`mongo::ClusterCursorManager::PinnedCursor::next(this=0x00007000045a8700, execContext=kGetMoreNoResultsYet) at cluster_cursor_manager.cpp:119
    frame #14: 0x0000000107f38153 mongos`mongo::ClusterFind::runGetMore(opCtx=0x00007ff957d1a390, request=0x00007000045a8898) at cluster_find.cpp:463
    frame #15: 0x0000000107e5842e mongos`mongo::(anonymous namespace)::ClusterGetMoreCmd::run(this=0x0000000109fefbe8, opCtx=0x00007ff957d1a390, dbname="test", cmdObj=0x00007000045a9d60, result=0x00007000045a9e98) at cluster_getmore_cmd.cpp:107
    frame #16: 0x00000001086eee66 mongos`mongo::BasicCommand::enhancedRun(this=0x0000000109fefbe8, opCtx=0x00007ff957d1a390, request=0x00007000045a9d60, result=0x00007000045a9e98) at commands.cpp:416
    frame #17: 0x00000001086eca61 mongos`mongo::Command::publicRun(this=0x0000000109fefbe8, opCtx=0x00007ff957d1a390, request=0x00007000045a9d60, result=0x00007000045a9e98) at commands.cpp:354
    frame #18: 0x0000000107edcf10 mongos`mongo::(anonymous namespace)::execCommandClient(opCtx=0x00007ff957d1a390, c=0x0000000109fefbe8, request=0x00007000045a9d60, result=0x00007000045a9e98) at strategy.cpp:214
    frame #19: 0x0000000107ed92f6 mongos`mongo::(anonymous namespace)::runCommand(opCtx=0x00007ff957d1a390, request=0x00007000045a9d60, builder=0x00007000045a9e98) at strategy.cpp:260
    frame #20: 0x0000000107ed5ed4 mongos`mongo::Strategy::clientCommand(this=0x00007000045aa260)::$_0::operator()() const at strategy.cpp:418
    frame #21: 0x0000000107ed4d21 mongos`mongo::Strategy::clientCommand(opCtx=0x00007ff957d1a390, m=0x00007ff957d17ea8) at strategy.cpp:396
    frame #22: 0x0000000107d2a421 mongos`mongo::ServiceEntryPointMongos::handleRequest(this=0x00007ff958a00cd0, opCtx=0x00007ff957d1a390, message=0x00007ff957d17ea8) at service_entry_point_mongos.cpp:92
    frame #23: 0x0000000107d49c47 mongos`mongo::ServiceStateMachine::_processMessage(this=0x00007ff957d17e00, guard=0x00007000045ab098) at service_state_machine.cpp:307
    frame #24: 0x0000000107d48fa0 mongos`mongo::ServiceStateMachine::_runNextInGuard(this=0x00007ff957d17e00, guard=0x00007000045ab098) at service_state_machine.cpp:401
    frame #25: 0x0000000107d49846 mongos`mongo::ServiceStateMachine::runNext(this=0x00007ff957d17e00) at service_state_machine.cpp:365
    frame #26: 0x0000000107d58458 mongos`mongo::ServiceStateMachine::scheduleNext(this=0x00007000045ab408)::$_4::operator()() const at service_state_machine.cpp:429
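
An added illustration of the failure mode described above, not the MongoDB code or the committed fix. It assumes the optional was built through a (condition, value) form such as boost::optional's optional(bool, T const&) constructor, whose value argument is evaluated before the condition is consulted. Obj, Doc, firstResult, toDoc, condOptional, lookupEager and lookupGuarded are hypothetical stand-ins, and std::optional replaces boost::optional so the block builds without Boost.

```cpp
#include <optional>
#include <stdexcept>
#include <vector>

// Simplified, assumed stand-ins for BSONObj and Document.
struct Obj { int nFields; };
struct Doc {
    int fields;
    explicit Doc(const Obj& o) : fields(o.nFields) {}  // reads through the reference
};

// Hypothetical helper: pointer to the first result, nullptr when nothing matched.
const Obj* firstResult(const std::vector<Obj>& batch) {
    return batch.empty() ? nullptr : &batch.front();
}

// Checked conversion so the example reports the null case instead of segfaulting.
Doc toDoc(const Obj* p) {
    if (!p) throw std::logic_error("Doc built from null Obj");
    return Doc(*p);
}

// Mirrors a (condition, value) optional constructor: `value` is an ordinary
// argument, so the caller has already built it when `cond` is tested.
std::optional<Doc> condOptional(bool cond, const Doc& value) {
    return cond ? std::optional<Doc>(value) : std::nullopt;
}

// Flawed: toDoc(first) is evaluated even when first == nullptr.
std::optional<Doc> lookupEager(const std::vector<Obj>& batch) {
    const Obj* first = firstResult(batch);
    return condOptional(first != nullptr, toDoc(first));
}

// Guarded: the Doc is constructed only on the branch where a result exists.
std::optional<Doc> lookupGuarded(const std::vector<Obj>& batch) {
    const Obj* first = firstResult(batch);
    if (!first) return std::nullopt;
    return Doc(*first);
}

// True if the eager form tried to build a Doc from a null Obj on an empty batch.
bool eagerFaultsOnEmpty() {
    try { lookupEager({}); } catch (const std::logic_error&) { return true; }
    return false;
}

int main() { return eagerFaultsOnEmpty() && !lookupGuarded({}).has_value() ? 0 : 1; }
```

Without the checked toDoc helper, the eager form would dereference the null pointer inside the Doc constructor, which is the shape of frames #5 to #7 in the trace.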



 Comments   
Comment by Githook User [ 06/Nov/17 ]

Author: Bernard Gorman (gormanb) <bernard.gorman@gmail.com>

Message: SERVER-31803 Segfault while constructing boost_optional in sharded post-change lookup
Branch: master
https://github.com/mongodb/mongo/commit/0b073092a8127c3723569f37d9ffa9d81e785116

Generated at Thu Feb 08 04:28:14 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.