[SERVER-40869] $subtract with date can cause undefined behavior Created: 26/Apr/19  Updated: 29/Oct/23  Resolved: 11/Jun/19

Status: Closed
Project: Core Server
Component/s: Querying
Affects Version/s: 4.0.9, 4.1.10
Fix Version/s: 4.0.11, 4.2.0-rc1, 4.3.1

Type: Bug Priority: Major - P3
Reporter: Ian Boros Assignee: Ted Tuckman
Resolution: Fixed Votes: 0
Labels: afz
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v4.2, v4.0, v3.6, v3.4
Linked BF Score: 7

Description

The following test results in UB:

(function() {
    // Date minus a non-finite number: the double operand gets coerced to long long.
    const pipeline = [{$project: {x: {$subtract: [new Date('2019-04-23T00:05:48.829Z'), Infinity]}}}];

    // Make the server log a stack trace for any exception it throws.
    db.adminCommand({setParameter: 1, traceExceptions: true});

    try {
        const res = db.c.aggregate(pipeline).toArray();
        print("Result was " + tojson(res));
    } catch (e) {
        print("Error was " + tojson(e));
    }
})();

The $subtract is performed with [<some date>, Infinity]. This causes a conversion to long long. This cast is UB when the truncated double is a value that can't fit in a long long (such as Infinity).

We may want to change the implementation of Value::coerceToLong() and audit existing calls to it in case there are similar bugs.
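The conversion the report describes, shown as an added C++ example that is not MongoDB's code: a hypothetical unsafeCoerceToLong that performs the raw cast (undefined behaviour for Infinity, NaN and any magnitude of 2^63 or more) next to a bounds-checked safeCoerceToLong that refuses such inputs, plus a date-minus-number routine that also guards the subsequent long long subtraction against overflow. All function names are assumptions; the epoch-millisecond constant is the report's date 2019-04-23T00:05:48.829Z converted by hand. Building the unsafe path with -fsanitize=float-cast-overflow (Clang/GCC UBSan) is the quickest way to make the original defect visible on any platform.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>
#include <optional>
#include <stdexcept>
#include <string>

// Stand-in for the unchecked coercion the report describes (hypothetical name).
// Converting a double to long long is undefined behaviour in C++ when the
// truncated value is not representable: +/-Infinity, NaN, |d| >= 2^63.
// x86-64 happens to yield LLONG_MIN, PPC saturates, and the optimizer may
// assume the case never happens, so the observed behaviour is platform-bound.
long long unsafeCoerceToLong(double d) {
    return static_cast<long long>(d);  // UB for out-of-range inputs
}

// Range check done in double arithmetic before any cast. 2^63 is exactly
// representable as a double, so the bounds are exact; NaN fails both
// comparisons and is rejected as well.
bool fitsInLongLong(double d) {
    constexpr double kTwoPow63 = 9223372036854775808.0;  // 2^63
    return d >= -kTwoPow63 && d < kTwoPow63;
}

// Checked coercion: std::nullopt instead of undefined behaviour. In-range
// values truncate toward zero, the same result the raw cast gives when the
// cast is well defined.
std::optional<long long> safeCoerceToLong(double d) {
    if (!fitsInLongLong(d)) {
        return std::nullopt;
    }
    return static_cast<long long>(d);
}

// True when a - b would leave the long long range (signed overflow is UB too).
bool subtractionOverflows(long long a, long long b) {
    constexpr long long kMax = std::numeric_limits<long long>::max();
    constexpr long long kMin = std::numeric_limits<long long>::min();
    return (b < 0 && a > kMax + b) || (b > 0 && a < kMin + b);
}

// Date minus number, as $subtract does with a Date and a numeric operand:
// epoch milliseconds minus the coerced operand. Fails with an error, as the
// fixed server does, instead of computing on an undefined value.
long long subtractMillisFromDate(long long dateMillis, double operand) {
    std::optional<long long> delta = safeCoerceToLong(operand);
    if (!delta) {
        throw std::domain_error("cannot coerce out-of-range double to long: " +
                                std::to_string(operand));
    }
    if (subtractionOverflows(dateMillis, *delta)) {
        throw std::overflow_error("date subtraction overflows long long");
    }
    return dateMillis - *delta;
}

// Yes/no wrapper for callers that prefer a flag to an exception.
bool subtractRejects(long long dateMillis, double operand) {
    try {
        subtractMillisFromDate(dateMillis, operand);
        return false;
    } catch (const std::exception&) {
        return true;
    }
}

int main() {
    // 2019-04-23T00:05:48.829Z from the report, converted to epoch milliseconds.
    const long long kReportDate = 1555977948829LL;
    // Well-defined case: subtract one second.
    long long ok = subtractMillisFromDate(kReportDate, 1000.0);
    // The report's case: Infinity is rejected before any cast happens.
    bool rejected = subtractRejects(kReportDate, INFINITY);
    return (ok == 1555977947829LL && rejected) ? 0 : 1;
}
```

The check is deliberately done on the double, not after the cast: once the cast has executed on an out-of-range value there is no reliable way to detect it, because the result (LLONG_MIN on x86-64, a saturated value on PPC, or anything the optimizer chose) is itself the product of undefined behaviour.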



Comments
Comment by Githook User [ 25/Jun/19 ]

Author:

{'name': 'Ted Tuckman', 'email': 'TedTuckman@users.noreply.github.com', 'username': 'TedTuckman'}

Message: SERVER-40869 Part 2 Remove coerceTo error codes from blacklist (#93)
Branch: master
https://github.com/10gen/jstestfuzz/commit/1130b2b55a69ef8d9e1cbd4fd54099d744cecccc

Comment by Githook User [ 11/Jun/19 ]

Author:

{'name': 'Ted Tuckman', 'email': 'ted.tuckman@mongodb.com', 'username': 'TedTuckman'}

Message: SERVER-40869 Error when coercing out of bounds double to long

(cherry picked from commit dd1295d603e94cc8157238d41aaa909f45446526)
Branch: v4.0
https://github.com/mongodb/mongo/commit/113bbe9c6b08d501626d9c3996751cd0146c4deb

Comment by Githook User [ 11/Jun/19 ]

Author:

{'name': 'Ted Tuckman', 'email': 'ted.tuckman@mongodb.com', 'username': 'TedTuckman'}

Message: SERVER-40869 Error when coercing out of bounds double to long

(cherry picked from commit dd1295d603e94cc8157238d41aaa909f45446526)
Branch: v4.2
https://github.com/mongodb/mongo/commit/e52a0c4c3d9bd342aecc705a3c840a6193fc59c6

Comment by Githook User [ 11/Jun/19 ]

Author:

{'name': 'Ted Tuckman', 'email': 'ted.tuckman@mongodb.com', 'username': 'TedTuckman'}

Message: SERVER-40869 Error when coercing out of bounds double to long
Branch: master
https://github.com/mongodb/mongo/commit/dd1295d603e94cc8157238d41aaa909f45446526

Comment by Githook User [ 07/Jun/19 ]

Author:

{'name': 'Ted Tuckman', 'email': 'TedTuckman@users.noreply.github.com', 'username': 'TedTuckman'}

Message: SERVER-40869 Blacklist coerceToLong error codes until they have been backported (#68)
Branch: master
https://github.com/10gen/jstestfuzz/commit/c528d33f8bf881282940a4c9936b13dbf538f349

Comment by Githook User [ 05/Jun/19 ]

Author:

{'name': 'Gregory Wlodarek', 'email': 'gregory.wlodarek@mongodb.com', 'username': 'GWlodarek'}

Message: Revert "SERVER-40869 Error when coercing out of bounds double to long"

This reverts commit bcad0d20e517e10f0dab71a0cfabe0a9e25c401b.
Branch: master
https://github.com/mongodb/mongo/commit/9069ee03843ed66cd7745da5c0ce72fb54c030ed

Comment by Githook User [ 05/Jun/19 ]

Author:

{'name': 'Ted Tuckman', 'email': 'ted.tuckman@mongodb.com', 'username': 'TedTuckman'}

Message: SERVER-40869 Error when coercing out of bounds double to long
Branch: master
https://github.com/mongodb/mongo/commit/bcad0d20e517e10f0dab71a0cfabe0a9e25c401b

Comment by Ian Boros [ 02/May/19 ]

Yep! On PPC, for example, that error will not be triggered and I believe the query will complete.

Comment by Asya Kamsky [ 02/May/19 ]

On 4.0.9 I just get an error back that "Cannot negate the minimum duration" (presumably from overflow when casting). Is this different on different platforms?

Generated at Thu Feb 08 04:56:11 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.