[SERVER-74131] Multiplanning together with subplanning causes server crash in mapReduce queries
Created: 17/Feb/23  Updated: 29/Oct/23  Resolved: 05/Apr/23

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: 6.0.5, 6.3.0-rc1
Fix Version/s: 7.0.0-rc0, 4.4.20, 5.0.16, 6.0.6, 6.3.1

Type: Bug
Priority: Major - P3
Reporter: Denis Grebennicov
Assignee: Denis Grebennicov
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
Related
is related to SERVER-75159 Write unit test which re-uses operati... Backlog
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested: v6.3, v6.0, v5.0, v4.4
Sprint: QE 2023-03-06, QE 2023-03-20, QE 2023-04-03, QE 2023-04-17
Participants:
Linked BF Score: 104

 Description   

While investigating BF-27079 I managed to recreate a server crash, which was detected while running mongosync suite.

The issue is that multiple multiplanners are sharing the same JavaScript execution context while performing the subplanning. Currently the implementation is injecting the ‘emit’ function only once into the JavaScript environment. This is causing issues when that multiplanner is deallocated and another multiplanner starts executing, as the emit function is not reinjected, causing a heap-use-after-free issue.

Reinjecting the emit function on every evaluate call of the ExpressionInternalJsEmit will fix the issue.
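
A minimal model of the lifetime problem described above, added here as an illustration and not taken from the MongoDB source or the fix commits. `SharedScope`, `EmitState`, `Plan` and `bindEmit` are hypothetical names, and a `std::weak_ptr` stands in for the dangling reference so the stale binding is detected rather than dereferenced.

```cpp
#include <functional>
#include <map>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-in for a JavaScript scope shared by several planners.
struct SharedScope {
    std::map<std::string, std::function<bool(int)>> natives;
    bool has(const std::string& name) const { return natives.count(name) != 0; }
};

// Hypothetical per-plan state that the native 'emit' writes into.
struct EmitState { std::vector<int> emitted; };

// Builds an 'emit' bound to one plan's state. The weak_ptr models the raw
// reference: where lock() fails here, the real code would touch freed memory.
std::function<bool(int)> bindEmit(const std::shared_ptr<EmitState>& st) {
    std::weak_ptr<EmitState> weak = st;
    return [weak](int value) {
        auto live = weak.lock();
        if (!live) return false;  // binding outlived its owner
        live->emitted.push_back(value);
        return true;
    };
}

struct Plan {
    std::shared_ptr<EmitState> state = std::make_shared<EmitState>();
    // injectOnce == true models the behaviour before the fix;
    // injectOnce == false rebinds 'emit' on every evaluate call.
    bool evaluate(SharedScope& scope, int value, bool injectOnce) {
        if (!injectOnce || !scope.has("emit"))
            scope.natives["emit"] = bindEmit(state);
        return scope.natives["emit"](value);
    }
};

// Two plans use one scope in turn; the first is destroyed before the second runs.
// Returns true only if the second plan's emit reached its own live state.
bool secondPlanEmits(bool injectOnce) {
    SharedScope scope;
    {
        Plan first;
        first.evaluate(scope, 1, injectOnce);
    }  // first plan and its EmitState are deallocated here
    Plan second;
    bool ok = second.evaluate(scope, 2, injectOnce);
    return ok && second.state->emitted.size() == 1;
}

int main() { return (!secondPlanEmits(true) && secondPlanEmits(false)) ? 0 : 1; }
```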



 Comments   
Comment by Githook User [ 17/Apr/23 ]

Author:

{'name': 'Denis Grebennicov', 'email': 'denis.grebennicov@mongodb.com', 'username': 'denis631'}

Message: SERVER-74131 Inject emit function on every call to ExpressionInternalJsEmit::evaluate()
Branch: v6.3
https://github.com/mongodb/mongo/commit/ea3d8e0bf18b4db3ca37a6ace3e45893a494a9ba

Comment by Githook User [ 29/Mar/23 ]

Author:

{'name': 'Denis Grebennicov', 'email': 'denis.grebennicov@mongodb.com', 'username': 'denis631'}

Message: SERVER-74131 Inject emit function on every call to ExpressionInternalJsEmit::evaluate()
Branch: v4.4
https://github.com/mongodb/mongo/commit/460fbeac66a4d1138c664fb1bf040714d0062aba

Comment by Githook User [ 28/Mar/23 ]

Author:

{'name': 'Denis Grebennicov', 'email': 'denis.grebennicov@mongodb.com', 'username': 'denis631'}

Message: SERVER-74131 Inject emit function on every call to ExpressionInternalJsEmit::evaluate()
Branch: v5.0
https://github.com/mongodb/mongo/commit/6dbb000ab3ce29b76cc145cfa6ac0c93eee14961

Comment by Githook User [ 28/Mar/23 ]

Author:

{'name': 'Denis Grebennicov', 'email': 'denis.grebennicov@mongodb.com', 'username': 'denis631'}

Message: SERVER-74131 Inject emit function on every call to ExpressionInternalJsEmit::evaluate()
Branch: v6.0
https://github.com/mongodb/mongo/commit/26346aac14188b0ed19799eaed99cbafbc51fd99

Comment by Githook User [ 28/Mar/23 ]

Author:

{'name': 'Denis Grebennicov', 'email': 'denis.grebennicov@mongodb.com', 'username': 'denis631'}

Message: SERVER-74131 Inject emit function on every call to ExpressionInternalJsEmit::evaluate()
Branch: master
https://github.com/mongodb/mongo/commit/e61c2fa72d3df294b8497445a1ccfca383afc788

Comment by David Storch [ 23/Feb/23 ]

denis.grebennicov@mongodb.com I've scheduled this into the active sprint and requested backport to 6.0 and 6.3. Is this a regression in 6.0 that doesn't affect older branches?

Generated at Thu Feb 08 06:26:35 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.