[SERVER-50193] Coverity analysis defect 116145: Out-of-bounds access Created: 08/Aug/20  Updated: 27/Oct/23  Resolved: 17/Aug/20

Status: Closed
Project: Core Server
Component/s: Querying
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Coverity Collector User Assignee: Anton Korshunov
Resolution: Works as Designed Votes: 0
Labels: coverity, qexec-team
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Operating System: ALL
Sprint: Query 2020-08-24
Participants:

Description

Out-of-bounds access

Memory not owned by this buffer will be accessed, causing memory corruption or incorrect computations. Access of memory past the end of a memory buffer
/src/mongo/db/exec/sbe/values/value.cpp:191: ARRAY_VS_SINGLETON 116145 Taking address with "val" yields a singleton pointer.
/src/mongo/db/exec/sbe/values/value.cpp:191: ARRAY_VS_SINGLETON 116145 Assigning: "<temporary>" = "mongo::sbe::value::getSmallStringView(val)".



Comments
Comment by Anton Korshunov [ 17/Aug/20 ]

bernard.gorman Correct, for strings <= 7 characters we store it directly in a uint64_t Value, so this code fragment is legit. Marking it as Intentional.

Comment by Bernard Gorman [ 15/Aug/20 ]

Coverity is complaining that getSmallStringView returns a char* to the address of the passed uint64_t Value, and then treats that char* as an "array" for the purposes of constructing a debug string - in contrast to e.g. getBigStringView, which directly reinterprets the uint64_t Value as a char*. My assumption is that in the case of TypeTags::StringSmall, the uint64_t Value actually contains a string of <= 7 characters, while for TypeTags::StringBig the uint64_t Value is the address of the string in memory.

Passing this over to anton.korshunov to confirm. If this isn't actually a bug, please mark it as Classification: Intentional and Action: Ignore.
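The inline small-string representation the two comments describe, as an added C++ example that is not MongoDB's code; the exact layout (up to 7 characters followed by a NUL terminator inside the 8-byte value, a big string held by address) is assumed, and the function names only mirror the ones named in the Coverity report:

```cpp
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <string>
#include <string_view>

// Assumed layout (not MongoDB's code): a StringSmall Value holds up to 7 bytes of
// characters followed by a NUL terminator inside the uint64_t itself; a StringBig
// Value holds the address of separately allocated, NUL-terminated storage.
constexpr std::size_t kSmallStringMaxLength = 7;

enum class TypeTag { StringSmall, StringBig };
struct TaggedValue {
    TypeTag tag;
    uint64_t val;
};

bool fitsSmallString(std::string_view s) { return s.size() <= kSmallStringMaxLength; }

// Pack the characters into a zero-initialised uint64_t; the untouched trailing
// byte is the terminator, which is why at most 7 characters can be stored.
uint64_t packSmallString(std::string_view s) {
    if (!fitsSmallString(s)) throw std::length_error("not a small string");
    uint64_t val = 0;
    std::memcpy(&val, s.data(), s.size());  // memcpy avoids aliasing problems
    return val;
}

// The pattern Coverity flagged: the address of the uint64_t is read as a char*.
// It stays in bounds because the bytes live inside the 8-byte Value and
// packSmallString guarantees a terminator; the view is valid only while val lives.
std::string_view getSmallStringView(const uint64_t& val) {
    return std::string_view(reinterpret_cast<const char*>(&val));
}

// A big string: the Value *is* the pointer, so it is reinterpreted, not addressed.
std::string_view getBigStringView(uint64_t val) {
    return std::string_view(reinterpret_cast<const char*>(static_cast<std::uintptr_t>(val)));
}

// Round-trip a string through the tagged representation and back.
std::string roundTrip(const std::string& s) {
    if (fitsSmallString(s)) {
        TaggedValue v{TypeTag::StringSmall, packSmallString(s)};
        return std::string(getSmallStringView(v.val));
    }
    TaggedValue v{TypeTag::StringBig, static_cast<uint64_t>(reinterpret_cast<std::uintptr_t>(s.c_str()))};
    return std::string(getBigStringView(v.val));
}
```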

Generated at Thu Feb 08 05:22:02 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.