[SERVER-66458] Positional projection can result in caching incorrect parameterized plan Created: 13/May/22  Updated: 29/Oct/23  Resolved: 03/Jun/22

Status: Closed
Project: Core Server
Component/s: Query Planning
Affects Version/s: 6.1.0-rc0
Fix Version/s: 6.1.0-rc0

Type: Bug Priority: Major - P3
Reporter: David Storch Assignee: Denis Grebennicov
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Related
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v6.0
Steps To Reproduce:

The second assertion in this repro script fails against a server that has SBE and the SBE plan cache enabled:

(function() {
"use strict";
 
const coll = db.c;
coll.drop();
 
assert.commandWorked(coll.insert({"arr": [{"c": 2, "a": {"b": 3}}]}));
 
// Creates an incorrect SBE plan cache entry.
assert.eq(0,
          coll.find({"arr": {"$elemMatch": {"c": 99, "a.b": {"$exists": true}}}}, {"arr.$": 1})
              .itcount());
 
// Re-uses the incorrect SBE plan cache entry, resulting in missing the matching document.
assert.eq(
    1,
    coll.find({"arr": {"$elemMatch": {"c": 2, "a.b": {"$exists": true}}}}, {"arr.$": 1}).itcount());
}());

Sprint: QO 2022-05-16, QO 2022-05-30, QO 2022-06-13
Participants:

 Description   

In order to execute a positional projection, the corresponding match expression must run to find the first matching element of the array. Internally, this is implemented by keeping a MatchExpressionASTNode inside the projection AST. The MatchExpressionASTNode holds onto a copy of the MatchExpression. This match expression is created by re-parsing the BSON representation provided by the user, and it is implemented in such a way that no input parameter markers are added to the resulting MatchExpression tree.

When the projection is compiled to an SBE plan by the SBE stage builders, the resulting plan inlines any constants in the match expression because it has no parameter markers. This is true even if the match expression was auto-parameterized! Also, note that the MatchExpressionASTNode is an internal construct which is not reflected in the SBE plan cache key – we currently encode the user's projection verbatim into the key, and the positional projection does not syntactically contain the match expression. The consequence is that we have a parameterized plan cache entry which accidentally embeds particular constants into the SBE plan for executing the projection. When this cache entry is reused for a new query with different parameter values, it can result in missing or incorrect query results.



 Comments   
Comment by Githook User [ 02/Jun/22 ]

Author:

{'name': 'Denis Grebennicov', 'email': 'denis.grebennicov@mongodb.com', 'username': 'denis631'}

Message: SERVER-66458 Positional projection can result in caching incorrect parameterized plan
Branch: master
https://github.com/mongodb/mongo/commit/06ca72e3ac95649bf5c0ef9981f8fdc30eb8ca3e

Generated at Thu Feb 08 06:05:29 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.