[SERVER-78477] Long aggregation pipelines can segfault SBE
Created: 27/Jun/23  Updated: 29/Oct/23  Resolved: 02/Aug/23

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 7.1.0-rc0

Type: Bug
Priority: Major - P3
Reporter: Matt Boros
Assignee: Justin Seyster
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to SERVER-62509 Write tests to stress ABT and Bonsai Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Sprint: QE 2023-07-10, QE 2023-07-24, QE 2023-08-07
Participants:

 Description   

The query below segfaults in SBE stagebuilders. This appears to be a stack overflow.

Note that the pipeline length limit is 1000 for non-debug builds. The minimum pipeline length that reproduces this crash appears to be 400 stages. I ran into this with optimizations on and debug off.



 Comments   
Comment by Githook User [ 02/Aug/23 ]

Author:

{'name': 'Justin Seyster', 'email': 'justin.seyster@mongodb.com', 'username': 'jseyster'}

Message: SERVER-78477 Limit depth of SBE query plans created for pipeline execution

There is also some refactoring included to reduce stack sizes so that
the depth limit can be higher:
1) refactor the buildGroup stage builder so that it has a smaller
stack frame, and
2) use C-style function pointers for the stage builder function
table instead of std::function objects, because std::invoke (needed
to call the std::function member functions) adds extra stack frames
at every level of recursion.
Branch: minh.luu-no_compile_sys-perf
https://github.com/mongodb/mongo/commit/8be924637abcbca1510378f0617f7f7d93eae3fc

Comment by Githook User [ 01/Aug/23 ]

Author:

{'name': 'Justin Seyster', 'email': 'justin.seyster@mongodb.com', 'username': 'jseyster'}

Message: SERVER-78477 Limit depth of SBE query plans created for pipeline execution

There is also some refactoring included to reduce stack sizes so that
the depth limit can be higher:
1) refactor the buildGroup stage builder so that it has a smaller
stack frame, and
2) use C-style function pointers for the stage builder function
table instead of std::function objects, because std::invoke (needed
to call the std::function member functions) adds extra stack frames
at every level of recursion.
Branch: master
https://github.com/mongodb/mongo/commit/8be924637abcbca1510378f0617f7f7d93eae3fc
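
The commit message above names two measures: a depth limit on the plan being built, and dispatch through plain function pointers rather than std::function. The following is an added example of both together, not code from the MongoDB commit; `PlanNode`, `buildNode`, `kBuilders`, `makePipeline` and the limit of 200 are hypothetical names and values chosen for illustration.

```cpp
#include <cstddef>
#include <memory>
#include <stdexcept>
#include <utility>

// Hypothetical plan node: each pipeline stage wraps the stage before it,
// so an N-stage pipeline becomes a tree N levels deep.
enum class StageType : std::size_t { kScan, kProject, kGroup };

struct PlanNode {
    StageType type;
    std::unique_ptr<PlanNode> child;  // null for the leaf scan
};

constexpr std::size_t kMaxPlanDepth = 200;  // assumed limit, not MongoDB's value
std::size_t buildNode(const PlanNode& node, std::size_t depth);

// Per-stage builders return the number of stages built in their subtree.
static std::size_t buildScan(const PlanNode&, std::size_t) { return 1; }
static std::size_t buildUnary(const PlanNode& node, std::size_t depth) {
    return 1 + buildNode(*node.child, depth + 1);
}

// Plain function pointers indexed by StageType: dispatch costs one frame,
// with no std::function/std::invoke wrapper frames per recursion level.
using BuildFn = std::size_t (*)(const PlanNode&, std::size_t);
static constexpr BuildFn kBuilders[] = {buildScan, buildUnary, buildUnary};

std::size_t buildNode(const PlanNode& node, std::size_t depth) {
    // Reject before recursing further, so deep input becomes an error
    // the caller can report instead of a stack overflow.
    if (depth > kMaxPlanDepth) throw std::length_error("plan exceeds depth limit");
    return kBuilders[static_cast<std::size_t>(node.type)](node, depth);
}

// Returns the stage count, or -1 if the plan was rejected as too deep.
long buildPlan(const PlanNode& root) {
    try { return static_cast<long>(buildNode(root, 1)); }
    catch (const std::length_error&) { return -1; }
}

// Constructed input: a scan followed by (stages - 1) project stages.
std::unique_ptr<PlanNode> makePipeline(std::size_t stages) {
    auto node = std::make_unique<PlanNode>(PlanNode{StageType::kScan, nullptr});
    for (std::size_t i = 1; i < stages; ++i)
        node = std::make_unique<PlanNode>(PlanNode{StageType::kProject, std::move(node)});
    return node;
}

int main() { return buildPlan(*makePipeline(400)) == -1 ? 0 : 1; }
```

The check sits in the single recursive entry point, so every stage type is covered without each builder repeating it.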
