[SERVER-70867] [SBE] Unsafe usage of value::compareValue Created: 26/Oct/22  Updated: 29/Oct/23  Resolved: 05/Dec/22

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 6.3.0-rc0

Type: Bug Priority: Major - P3
Reporter: Alberto Massari Assignee: Adi Agrawal
Resolution: Fixed Votes: 0
Labels: pm2697-m2, sbe
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Sprint: QE 2022-10-31, QE 2022-11-14, QE 2022-11-28, QE 2022-12-12
Participants:
Story Points: 1

 Description   

The value::compareValue returns a tag+value that in some cases can be Nothing instead of an Integer32. This happens when one of the two operands is Nothing, or they are two ArraySets of different content. There are two places where the caller directly reaches for the value and assumes it's an Integer32, leading to a Nothing result being treated as "values are equal".

1. the const_eval rewrite at https://github.com/10gen/mongo/blob/master/src/mongo/db/query/optimizer/rewrites/const_eval.cpp#L312
2. the sort algorithm in the SortStage at https://github.com/10gen/mongo/blob/master/src/mongo/db/exec/sbe/stages/sort.cpp#L138

The latter should be protected by the presence of Nothing (because it's converted into Null by the code that generates the sort keys), but we should investigate how ArraySets are handled in both cases.
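
The failure mode described above, as an added example that is not MongoDB's code: a simplified model of a tag+value comparison, with a caller that ignores the tag next to one that checks it. The types `Tag`, `Value` and `TagVal`, the helpers `unsafeEquals` and `checkedCompare`, the zero payload on a Nothing result, and the ordering of mixed types are assumptions of this model.

```cpp
#include <cstdint>
#include <iostream>
#include <set>
#include <stdexcept>
#include <utility>

// Simplified model of an SBE-style tagged value; not MongoDB's real types.
enum class Tag { Nothing, Int32, ArraySet };
struct Value { Tag tag; int32_t i; std::set<int32_t> set; };
using TagVal = std::pair<Tag, int32_t>;  // (tag, payload) result of a comparison

// Models the behaviour described in the ticket: the result is Nothing when an
// operand is Nothing or when two ArraySets have different content.
TagVal compareValue(const Value& a, const Value& b) {
    if (a.tag == Tag::Nothing || b.tag == Tag::Nothing) return TagVal(Tag::Nothing, 0);
    if (a.tag != b.tag)  // simplification of this model: order mixed types by tag
        return TagVal(Tag::Int32, a.tag < b.tag ? -1 : 1);
    if (a.tag == Tag::ArraySet)
        return a.set == b.set ? TagVal(Tag::Int32, 0) : TagVal(Tag::Nothing, 0);
    return TagVal(Tag::Int32, (a.i > b.i) - (a.i < b.i));
}

// Unsafe caller: reads the payload without looking at the tag, so a Nothing
// result (payload 0 in this model) is indistinguishable from "values are equal".
bool unsafeEquals(const Value& a, const Value& b) {
    return compareValue(a, b).second == 0;
}

// Checked caller: refuses any result that is not Int32, in the spirit of the
// uassert named in the fix's commit message (std::runtime_error stands in).
int32_t checkedCompare(const Value& a, const Value& b) {
    TagVal r = compareValue(a, b);
    if (r.first != Tag::Int32)
        throw std::runtime_error("compareValue did not return Int32");
    return r.second;
}

int main() {
    // Constructed sample input: two ArraySets with different content.
    Value s1{Tag::ArraySet, 0, {1, 2}}, s2{Tag::ArraySet, 0, {1, 3}};
    std::cout << "unsafe says equal: " << unsafeEquals(s1, s2) << "\n";
    try {
        checkedCompare(s1, s2);
    } catch (const std::runtime_error& e) {
        std::cout << "checked caller rejected: " << e.what() << "\n";
    }
}
```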



 Comments   
Comment by Githook User [ 02/Dec/22 ]

Author: Adityavardhan Agrawal <aa729@cornell.edu> (username: Adityav369)

Message: SERVER-70867 Add uassert to handle unsafe usage of value::compareValue
Branch: master
https://github.com/mongodb/mongo/commit/9836a37758bf158652b5664e9ddda961bd548326

Generated at Thu Feb 08 06:17:21 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.