[SERVER-7615] FieldParser::extract(...BSONField<BSONObj>&...) does not copy unowned (maybe temp) memory Created: 10/Nov/12  Updated: 11/Jul/16  Resolved: 13/Nov/12

Status: Closed
Project: Core Server
Component/s: Internal Code
Affects Version/s: None
Fix Version/s: 2.3.1

Type: Bug Priority: Major - P3
Reporter: Tad Marshall Assignee: Alberto Lerner
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

All, but most visible in debug builds (especially Windows)


Backwards Compatibility: Fully Compatible
Operating System: ALL
Participants:

 Description   

The FieldParser::extract() routine for BSONObj creates a BSONObj from an embedded field in a source document and sets its output parameter to this BSONObj. If the source document goes away, the resulting BSONObj becomes invalid; it points to freed or reused memory.

This routine should probably call getOwned() on the object before returning it so that the extracted field has its own copy of the data.

For example:
http://buildlogs.mongodb.org/Windows%2064-bit%20DEBUG/builds/312/test/core/type_collection_test.exe

Sat Nov 10 01:09:55.861 [UNKNOWN] going to run suite: Compatibility
Sat Nov 10 01:09:55.861 [UNKNOWN] 	 going to run test: OldLastmod
Sat Nov 10 01:09:55.861 [UNKNOWN] DEV WARNING appendDate() called with a tiny (but nonzero) date
Sat Nov 10 01:09:55.861 [UNKNOWN] 	 going to run test: OldEpoch
Sat Nov 10 01:09:55.861 [UNKNOWN] 	 going to run test: OldDroppedTrue
Sat Nov 10 01:09:55.861 [UNKNOWN] 	 going to run test: OldDroppedFalse
Sat Nov 10 01:09:55.861 [UNKNOWN] Assertion: 10320:BSONElement: bad type -35
Sat Nov 10 01:09:56.017 [UNKNOWN] type_collection_test.exe  ...\src\mongo\util\stacktrace.cpp(161)                               mongo::printStackTrace+0x5b
Sat Nov 10 01:09:56.017 [UNKNOWN] type_collection_test.exe  ...\src\mongo\util\log.cpp(436)                                      mongo::logContext+0x72
Sat Nov 10 01:09:56.017 [UNKNOWN] type_collection_test.exe  ...\src\mongo\util\assert_util.cpp(154)                              mongo::msgasserted+0x171
Sat Nov 10 01:09:56.017 [UNKNOWN] type_collection_test.exe  ...\src\mongo\bson\bson-inl.h(661)                                   mongo::BSONElement::size+0x239
Sat Nov 10 01:09:56.017 [UNKNOWN] type_collection_test.exe  ...\src\mongo\bson\bsonobjiterator.h(81)                             mongo::BSONObjIterator::next+0x83
Sat Nov 10 01:09:56.017 [UNKNOWN] type_collection_test.exe  ...\src\mongo\bson\bson-inl.h(200)                                   mongo::BSONObj::equal+0x7a
Sat Nov 10 01:09:56.017 [UNKNOWN] type_collection_test.exe  ...\src\mongo\bson\bsonobj.h(401)                                    mongo::BSONObj::operator==+0x32
Sat Nov 10 01:09:56.017 [UNKNOWN] type_collection_test.exe  ...\src\mongo\unittest\unittest.h(361)                               mongo::unittest::ComparisonAssertion::assertEqual<mongo::BSONObj,mongo::BSONObj>+0x61
Sat Nov 10 01:09:56.017 [UNKNOWN] type_collection_test.exe  ...\src\mongo\s\type_collection_test.cpp(108)                        `anonymous namespace'::UnitTest__Compatibility__OldDroppedFalse::_doTest+0x5fe
Sat Nov 10 01:09:56.017 [UNKNOWN] type_collection_test.exe  ...\src\mongo\unittest\unittest.cpp(87)                              mongo::unittest::Test::run+0x48
Sat Nov 10 01:09:56.017 [UNKNOWN] type_collection_test.exe  ...\src\mongo\unittest\unittest.h(276)                               mongo::unittest::Suite::runTestObject<`anonymous namespace'::UnitTest__Compatibility__OldDroppedFalse>+0x33
Sat Nov 10 01:09:56.017 [UNKNOWN] type_collection_test.exe  ...\src\third_party\boost\boost\function\function_template.hpp(113)  boost::detail::function::void_function_invoker0<void (__cdecl*)(void),void>::invoke+0x2f
Sat Nov 10 01:09:56.017 [UNKNOWN] type_collection_test.exe  ...\src\third_party\boost\boost\function\function_template.hpp(761)  boost::function0<void>::operator()+0x87
Sat Nov 10 01:09:56.017 [UNKNOWN] type_collection_test.exe  ...\src\mongo\unittest\unittest.h(174)                               mongo::unittest::TestHolder::run+0x2f
Sat Nov 10 01:09:56.017 [UNKNOWN] type_collection_test.exe  ...\src\mongo\unittest\unittest.cpp(143)                             mongo::unittest::Suite::run+0x6c8
Sat Nov 10 01:09:56.017 [UNKNOWN] type_collection_test.exe  ...\src\mongo\unittest\unittest.cpp(207)                             mongo::unittest::Suite::run+0x497
Sat Nov 10 01:09:56.017 [UNKNOWN] type_collection_test.exe  ...\src\mongo\unittest\unittest_main.cpp(26)                         main+0xb2
Sat Nov 10 01:09:56.017 [UNKNOWN] type_collection_test.exe  f:\dd\vctools\crt_bld\self_64_amd64\crt\src\crt0.c(278)              __tmainCRTStartup+0xe2
Sat Nov 10 01:09:56.017 [UNKNOWN] type_collection_test.exe  f:\dd\vctools\crt_bld\self_64_amd64\crt\src\crt0.c(189)              mainCRTStartup+0xe
Sat Nov 10 01:09:56.017 [UNKNOWN] kernel32.dll                                                                                   BaseThreadInitThunk+0xd
Sat Nov 10 01:09:56.017 [UNKNOWN] FAIL: OldDroppedFalse	 std::exception: BSONElement: bad type -35 in test OldDroppedFalse
Sat Nov 10 01:09:56.017 [UNKNOWN] 	 DONE running tests
Sat Nov 10 01:09:56.017 [UNKNOWN] going to run suite: Validity
Sat Nov 10 01:09:56.017 [UNKNOWN] 	 going to run test: Empty
Sat Nov 10 01:09:56.017 [UNKNOWN] 	 going to run test: ShardedCollection
Sat Nov 10 01:09:56.017 [UNKNOWN] Assertion: 10320:BSONElement: bad type -35
Sat Nov 10 01:09:56.173 [UNKNOWN] type_collection_test.exe  ...\src\mongo\util\stacktrace.cpp(161)                               mongo::printStackTrace+0x5b
Sat Nov 10 01:09:56.173 [UNKNOWN] type_collection_test.exe  ...\src\mongo\util\log.cpp(436)                                      mongo::logContext+0x72
Sat Nov 10 01:09:56.173 [UNKNOWN] type_collection_test.exe  ...\src\mongo\util\assert_util.cpp(154)                              mongo::msgasserted+0x171
Sat Nov 10 01:09:56.173 [UNKNOWN] type_collection_test.exe  ...\src\mongo\bson\bson-inl.h(661)                                   mongo::BSONElement::size+0x239
Sat Nov 10 01:09:56.173 [UNKNOWN] type_collection_test.exe  ...\src\mongo\bson\bsonobjiterator.h(81)                             mongo::BSONObjIterator::next+0x83
Sat Nov 10 01:09:56.173 [UNKNOWN] type_collection_test.exe  ...\src\mongo\bson\bson-inl.h(814)                                   mongo::BSONObj::nFields+0x5e
Sat Nov 10 01:09:56.173 [UNKNOWN] type_collection_test.exe  ...\src\mongo\s\type_collection.cpp(66)                              mongo::CollectionType::isValid+0x331
Sat Nov 10 01:09:56.173 [UNKNOWN] type_collection_test.exe  ...\src\mongo\s\type_collection_test.cpp(38)                         `anonymous namespace'::UnitTest__Validity__ShardedCollection::_doTest+0x325
Sat Nov 10 01:09:56.173 [UNKNOWN] type_collection_test.exe  ...\src\mongo\unittest\unittest.cpp(87)                              mongo::unittest::Test::run+0x48
Sat Nov 10 01:09:56.173 [UNKNOWN] type_collection_test.exe  ...\src\mongo\unittest\unittest.h(276)                               mongo::unittest::Suite::runTestObject<`anonymous namespace'::UnitTest__Validity__ShardedCollection>+0x33
Sat Nov 10 01:09:56.173 [UNKNOWN] type_collection_test.exe  ...\src\third_party\boost\boost\function\function_template.hpp(113)  boost::detail::function::void_function_invoker0<void (__cdecl*)(void),void>::invoke+0x2f
Sat Nov 10 01:09:56.173 [UNKNOWN] type_collection_test.exe  ...\src\third_party\boost\boost\function\function_template.hpp(761)  boost::function0<void>::operator()+0x87
Sat Nov 10 01:09:56.173 [UNKNOWN] type_collection_test.exe  ...\src\mongo\unittest\unittest.h(174)                               mongo::unittest::TestHolder::run+0x2f
Sat Nov 10 01:09:56.173 [UNKNOWN] type_collection_test.exe  ...\src\mongo\unittest\unittest.cpp(143)                             mongo::unittest::Suite::run+0x6c8
Sat Nov 10 01:09:56.173 [UNKNOWN] type_collection_test.exe  ...\src\mongo\unittest\unittest.cpp(207)                             mongo::unittest::Suite::run+0x497
Sat Nov 10 01:09:56.173 [UNKNOWN] type_collection_test.exe  ...\src\mongo\unittest\unittest_main.cpp(26)                         main+0xb2
Sat Nov 10 01:09:56.173 [UNKNOWN] type_collection_test.exe  f:\dd\vctools\crt_bld\self_64_amd64\crt\src\crt0.c(278)              __tmainCRTStartup+0xe2
Sat Nov 10 01:09:56.173 [UNKNOWN] type_collection_test.exe  f:\dd\vctools\crt_bld\self_64_amd64\crt\src\crt0.c(189)              mainCRTStartup+0xe
Sat Nov 10 01:09:56.173 [UNKNOWN] kernel32.dll                                                                                   BaseThreadInitThunk+0xd
Sat Nov 10 01:09:56.173 [UNKNOWN] FAIL: ShardedCollection	 std::exception: BSONElement: bad type -35 in test ShardedCollection
Sat Nov 10 01:09:56.173 [UNKNOWN] 	 going to run test: UnshardedCollection
Sat Nov 10 01:09:56.173 [UNKNOWN] 	 going to run test: MixingOptionals
Sat Nov 10 01:09:56.173 [UNKNOWN] 	 DONE running tests
Sat Nov 10 01:09:56.173 [UNKNOWN] **************************************************

Another example:
http://buildlogs.mongodb.org/Linux%2064-bit%20DEBUG/builds/1585/test/core/type_collection_test

Fri Nov  9 20:36:41.849 [UNKNOWN] going to run suite: Compatibility
Fri Nov  9 20:36:41.849 [UNKNOWN] 	 going to run test: OldLastmod
Fri Nov  9 20:36:41.850 [UNKNOWN] DEV WARNING appendDate() called with a tiny (but nonzero) date
Fri Nov  9 20:36:41.850 [UNKNOWN] 	 going to run test: OldEpoch
Fri Nov  9 20:36:41.850 [UNKNOWN] 	 going to run test: OldDroppedTrue
Fri Nov  9 20:36:41.850 [UNKNOWN] 	 going to run test: OldDroppedFalse
Fri Nov  9 20:36:41.850 [UNKNOWN]   Assertion failure _pos <= _theend src/mongo/db/../bson/bsonobjiterator.h 79
0x60e5db 0x60708b 0x60172a 0x58e03e 0x58ea3a 0x58cdf7 0x591c9e 0x589515 0x5fb8a1 0x58b0f4 0x5935a2 0x5fdbd1 0x5fd788 0x5fc23b 0x5fc9b5 0x600ede 0x7fe9e5724d8e 0x585b99 
 /home/yellow/buildslave/Linux_64bit_DEBUG/mongo/build/linux2/dd/mongo/s/type_collection_test(_ZN5mongo15printStackTraceERSo+0x27) [0x60e5db]
 /home/yellow/buildslave/Linux_64bit_DEBUG/mongo/build/linux2/dd/mongo/s/type_collection_test(_ZN5mongo10logContextEPKc+0x5e) [0x60708b]
 /home/yellow/buildslave/Linux_64bit_DEBUG/mongo/build/linux2/dd/mongo/s/type_collection_test(_ZN5mongo12verifyFailedEPKcS1_j+0x124) [0x60172a]
 /home/yellow/buildslave/Linux_64bit_DEBUG/mongo/build/linux2/dd/mongo/s/type_collection_test(_ZN5mongo15BSONObjIterator4nextEv+0x42) [0x58e03e]
 /home/yellow/buildslave/Linux_64bit_DEBUG/mongo/build/linux2/dd/mongo/s/type_collection_test(_ZNK5mongo7BSONObj5equalERKS0_+0x5a) [0x58ea3a]
 /home/yellow/buildslave/Linux_64bit_DEBUG/mongo/build/linux2/dd/mongo/s/type_collection_test(_ZNK5mongo7BSONObjeqERKS0_+0x23) [0x58cdf7]
 /home/yellow/buildslave/Linux_64bit_DEBUG/mongo/build/linux2/dd/mongo/s/type_collection_test(_ZN5mongo8unittest19ComparisonAssertion11assertEqualINS_7BSONObjES3_EEvRKT_RKT0_+0x2a) [0x591c9e]
 /home/yellow/buildslave/Linux_64bit_DEBUG/mongo/build/linux2/dd/mongo/s/type_collection_test() [0x589515]
 /home/yellow/buildslave/Linux_64bit_DEBUG/mongo/build/linux2/dd/mongo/s/type_collection_test(_ZN5mongo8unittest4Test3runEv+0x3d) [0x5fb8a1]
 /home/yellow/buildslave/Linux_64bit_DEBUG/mongo/build/linux2/dd/mongo/s/type_collection_test() [0x58b0f4]
 /home/yellow/buildslave/Linux_64bit_DEBUG/mongo/build/linux2/dd/mongo/s/type_collection_test(_ZN5boost6detail8function22void_function_invoker0IPFvvEvE6invokeERNS1_15function_bufferE+0x1d) [0x5935a2]
 /home/yellow/buildslave/Linux_64bit_DEBUG/mongo/build/linux2/dd/mongo/s/type_collection_test(_ZNK5boost9function0IvEclEv+0x73) [0x5fdbd1]
 /home/yellow/buildslave/Linux_64bit_DEBUG/mongo/build/linux2/dd/mongo/s/type_collection_test(_ZNK5mongo8unittest10TestHolder3runEv+0x1c) [0x5fd788]
 /home/yellow/buildslave/Linux_64bit_DEBUG/mongo/build/linux2/dd/mongo/s/type_collection_test(_ZN5mongo8unittest5Suite3runERKSsi+0x499) [0x5fc23b]
 /home/yellow/buildslave/Linux_64bit_DEBUG/mongo/build/linux2/dd/mongo/s/type_collection_test(_ZN5mongo8unittest5Suite3runERKSt6vectorISsSaISsEERKSsi+0x2e7) [0x5fc9b5]
 /home/yellow/buildslave/Linux_64bit_DEBUG/mongo/build/linux2/dd/mongo/s/type_collection_test(main+0x72) [0x600ede]
 /lib/libc.so.6(__libc_start_main+0xfe) [0x7fe9e5724d8e]
 /home/yellow/buildslave/Linux_64bit_DEBUG/mongo/build/linux2/dd/mongo/s/type_collection_test() [0x585b99]
Fri Nov  9 20:36:41.853 [UNKNOWN] 
 
***aborting after verify() failure as this is a debug/test build



 Comments   
Comment by Tad Marshall [ 13/Nov/12 ]

Fixed by these commits:

https://github.com/mongodb/mongo/commit/894cc05556fbf69ee515b3685a60e8a5e6d345aa
https://github.com/mongodb/mongo/commit/889fd753e98dfb91970560c798c3b9c15bdb96f2

Generated at Thu Feb 08 03:15:03 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.