[SERVER-7459] BSONObjBuilder and BSONArrayBuilder may throw (msgasserted) in destructor Created: 24/Oct/12  Updated: 15/Mar/22  Resolved: 15/Mar/22

Status: Closed
Project: Core Server
Component/s: Internal Code, Stability
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Andrea Lattuada (Inactive) Assignee: Henrik Edin
Resolution: Done Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to SERVER-17224 Aggregation pipeline with 64MB docume... Closed
related to SERVER-17226 'top' command with 64MB result docume... Closed
Operating System: ALL
Sprint: Execution Team 2022-04-04
Participants:

 Description   

If a BSONObjBuilder or BSONArrayBuilder is destroyed and done() or obj() have not been called, _done() is invoked by the destructor.
_done(), in turn, calls _BufBuilder::grow() to make space for EOO.
When an attempt is made by _BufBuilder::grow_reallocate() (called by grow()) to expand the buffer over BufferMaxSize a MsgAssertionException is raised by msgasserted(13548, "BufBuilder attempted to grow() " ... " past the 64MB limit").
This exception is not catchable and crashes the process.

A suboptimal workaround is to make sure to call *Builder::doneFast() before the builder's destructor is invoked when there's a chance that the constructed BSONObject exceeds 64MB.

A possible solution involves reserving space for EOO when creating a builder so that the destructor never needs to grow the buffer to append EOO.



 Comments   
Comment by Henrik Edin [ 15/Mar/22 ]

Space is reserved for the EOO byte so we do not need to grow in the destructor.

Generated at Thu Feb 08 03:14:36 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.