[SERVER-79161] Deeply nested queries can segfault expression parser Created: 20/Jul/23  Updated: 27/Jul/23  Resolved: 27/Jul/23

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Matt Boros Assignee: Backlog - Query Optimization
Resolution: Won't Fix Votes: 0
Labels: query-director-triage
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to SERVER-62509 Write tests to stress ABT and Bonsai Closed
Assigned Teams:
Query Optimization
Operating System: ALL
Sprint: QO 2023-08-07
Participants:
Linked BF Score: 45

Description

Details in dev-only comment below.

The depth limit for a query appears to be implicit in BSON, rather than being enforced on the server side. We could add an explicit limit, or fix the expression parsing code (and other code that may crash later on in the system for this query) to not crash.

This recursive parsing code has been around for a while, so this isn't a 7.0-specific bug.
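An added illustration of the "explicit limit" option described above. This is example code written for this page, not MongoDB server code: the toy grammar (a digit, or a bracketed, comma-separated list of expressions), the names `parseNested`, `nestedInput`, `ParseResult`, and the assumed `kMaxDepth` of 150 are all assumptions. Without the depth check, every nesting level costs one stack frame, so a sufficiently deep input exhausts the stack (a segfault on an ordinary build, a stack-overflow report under ASAN, and a shallower threshold wherever frames are larger); with it, the parser rejects the input with an error the caller can report.

```cpp
// Added example, not project code: a recursive expression parser with an
// explicit nesting limit. Grammar, names and the limit value are assumptions.
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <string>

constexpr std::size_t kMaxDepth = 150;  // assumed limit, not a server constant

struct ParseResult {
    bool ok;
    std::size_t depth;   // deepest bracket nesting actually reached
    std::string error;   // empty when ok
};

namespace {

// Hypothetical grammar:  expr := DIGIT | '[' expr (',' expr)* ']'
class Parser {
public:
    Parser(std::string in, std::size_t maxDepth) : in_(std::move(in)), maxDepth_(maxDepth) {}

    ParseResult run() {
        ParseResult r{true, 0, ""};
        try {
            parseExpr(0, r);
            if (pos_ != in_.size()) throw std::runtime_error("trailing input");
        } catch (const std::exception& e) {
            r.ok = false;
            r.error = e.what();
        }
        return r;
    }

private:
    // depth = number of '[' currently open around this expression.
    // Each call to parseExpr is one stack frame; without the maxDepth_ check
    // the only bound on recursion would be whatever produced the input.
    void parseExpr(std::size_t depth, ParseResult& r) {
        if (pos_ >= in_.size()) throw std::runtime_error("unexpected end of input");
        char c = in_[pos_];
        if (c >= '0' && c <= '9') { ++pos_; return; }
        if (c != '[') throw std::runtime_error("unexpected character");
        if (depth + 1 > maxDepth_)
            throw std::runtime_error("nesting depth exceeds limit of " + std::to_string(maxDepth_));
        if (depth + 1 > r.depth) r.depth = depth + 1;
        ++pos_;
        parseExpr(depth + 1, r);
        while (pos_ < in_.size() && in_[pos_] == ',') {
            ++pos_;
            parseExpr(depth + 1, r);
        }
        if (pos_ >= in_.size() || in_[pos_] != ']') throw std::runtime_error("expected ']'");
        ++pos_;
    }

    std::string in_;
    std::size_t pos_ = 0;
    std::size_t maxDepth_;
};

}  // namespace

// Parse `input`, refusing anything nested deeper than `maxDepth` brackets.
ParseResult parseNested(const std::string& input, std::size_t maxDepth = kMaxDepth) {
    return Parser(input, maxDepth).run();
}

// Constructed input: n opening brackets, a digit, n closing brackets.
std::string nestedInput(std::size_t n) {
    return std::string(n, '[') + "1" + std::string(n, ']');
}

int main() {
    for (std::size_t n : {144, 150, 151}) {
        ParseResult r = parseNested(nestedInput(n));
        std::cout << "depth " << n << ": " << (r.ok ? "ok" : "rejected: " + r.error) << "\n";
    }
    return 0;
}
```

The check sits at the point where depth actually grows (the `[` branch), so the cost is one comparison per nesting level and the error names the limit rather than surfacing as a crash. The same pattern applies to any recursive visitor that runs over the parsed tree later, which is why the description notes that code downstream of the parser may also need the limit.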



Comments
Comment by Matt Boros [ 27/Jul/23 ]

The plan is to recommit this test (it was reverted) and have it bail out if debug is on or sanitizers are on.

Comment by Matt Boros [ 27/Jul/23 ]

Won't fix as this is specific to ASAN and doesn't occur on standard builds.

Comment by Jacob Evans [ 21/Jul/23 ]

I believe this may be ASAN which is togglable independent of building with debug info or optimization level.

Comment by Matt Boros [ 21/Jul/23 ]

I'd like this test to bail out if we see buildInfo.debug is on. We only really care about testing the optimized builds. The debug builds have had a few BFs already and aren't the target case for this test anyway.

Comment by Jacob Evans [ 20/Jul/23 ]

ASAN is likely to make them much larger.

Comment by Matt Boros [ 20/Jul/23 ]

Maybe the solution is to lower the depth on this test when debug is on, if the larger stack frames from debug=on is the cause of this.

Comment by Matt Boros [ 20/Jul/23 ]

Could the issue be that BF-29371 has debug and ASAN on? The limit I ran into when constructing this query was in json object to BSON conversion:

Exceeded depth limit of 150 when converting js object to BSON. Do you have a cycle?

The depth that succeeded locally is around 144. Do you know where the BSON depth check is in the server?

Generated at Thu Feb 08 06:40:14 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.