[SERVER-8200] Using aggregation $sort on certain BinData causes segfault Created: 16/Jan/13  Updated: 11/Jul/16  Resolved: 18/Jan/13

Status: Closed
Project: Core Server
Component/s: Aggregation Framework
Affects Version/s: 2.3.2
Fix Version/s: 2.4.0-rc0

Type: Bug Priority: Major - P3
Reporter: Andre de Frere Assignee: Unassigned
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Operating System: ALL

Description

The following repro steps will cause a segfault in the mongod process:

db.bindata.drop()
db.bindata.insert({a:BinData(3, "JliB6gIMRuSphAD2KmhzgQ==")})
db.bindata.aggregate({$sort:{a:1}})

Here is the stack trace:

Wed Jan 16 17:59:15.680 Invalid access at address: 0 from thread: conn1
Wed Jan 16 17:59:15.680 Got signal: 11 (Segmentation fault: 11).
Wed Jan 16 17:59:15.699 Backtrace:
0x109427a8b 0x108e454a1 0x108e45352 0x7fff954838ea 0x10946c56b 0x109258a32 0x10925e1a1 0x10925cd6a 0x10926a31b 0x10926a6ce 0x109285eb8 0x108f666e2 0x108f809a5 0x108f817f9 0x108f82195 0x10922460e 0x109224e11 0x1091d1c7f 0x108e4fb02 0x10941d579 
 0   mongod                              0x0000000109427a8b _ZN5mongo15printStackTraceERSo + 43
 1   mongod                              0x0000000108e454a1 _ZN5mongo10abruptQuitEi + 225
 2   mongod                              0x0000000108e45352 _ZN5mongo24abruptQuitWithAddrSignalEiP9__siginfoPv + 242
 3   libsystem_c.dylib                   0x00007fff954838ea _sigtramp + 26
 4   mongod                              0x000000010946c56b _ZN12_GLOBAL__N_19do_mallocEm + 459
 5   mongod                              0x0000000109258a32 _ZN5mongo8DocumentC2ERKNS_7BSONObjE + 386
 6   mongod                              0x000000010925e1a1 _ZN5mongo20DocumentSourceCursor8findNextEv + 553
 7   mongod                              0x000000010925cd6a _ZN5mongo20DocumentSourceCursor3eofEv + 26
 8   mongod                              0x000000010926a31b _ZN5mongo18DocumentSourceSort11populateAllEv + 49
 9   mongod                              0x000000010926a6ce _ZN5mongo18DocumentSourceSort3eofEv + 52
 10  mongod                              0x0000000109285eb8 _ZN5mongo8Pipeline3runERNS_14BSONObjBuilderERSs + 548
 11  mongod                              0x0000000108f666e2 _ZN5mongo15PipelineCommand3runERKSsRNS_7BSONObjEiRSsRNS_14BSONObjBuilderEb + 350
 12  mongod                              0x0000000108f809a5 _ZN5mongo12_execCommandEPNS_7CommandERKSsRNS_7BSONObjEiRSsRNS_14BSONObjBuilderEb + 37
 13  mongod                              0x0000000108f817f9 _ZN5mongo7Command11execCommandEPS0_RNS_6ClientEiPKcRNS_7BSONObjERNS_14BSONObjBuilderEb + 2289
 14  mongod                              0x0000000108f82195 _ZN5mongo12_runCommandsEPKcRNS_7BSONObjERNS_11_BufBuilderINS_16TrivialAllocatorEEERNS_14BSONObjBuilderEbi + 1013
 15  mongod                              0x000000010922460e _ZN5mongo11runCommandsEPKcRNS_7BSONObjERNS_5CurOpERNS_11_BufBuilderINS_16TrivialAllocatorEEERNS_14BSONObjBuilderEbi + 46
 16  mongod                              0x0000000109224e11 _ZN5mongo8runQueryERNS_7MessageERNS_12QueryMessageERNS_5CurOpES1_ + 1553
 17  mongod                              0x00000001091d1c7f _ZN5mongo16assembleResponseERNS_7MessageERNS_10DbResponseERKNS_11HostAndPortE + 1519
 18  mongod                              0x0000000108e4fb02 _ZN5mongo16MyMessageHandler7processERNS_7MessageEPNS_21AbstractMessagingPortEPNS_9LastErrorE + 198
 19  mongod                              0x000000010941d579 _ZN5mongo17PortMessageServer17handleIncomingMsgEPv + 1657

Comments
Comment by auto [ 17/Jan/13 ]

Author: Mathias Stearn <mathias@10gen.com> (2013-01-16T23:53:03Z)

Message: SERVER-8200 Don't overlap binDataType with genericRCPtr in Value

This required disabling the short string optimization for BinData (but
not for String) and treating all binary data as large. That shouldn't be
much of an issue in practice since BinData tends to be larger than 12
bytes anyway (e.g. UUID is 16). It should be possible to re-enable the
optimization after 2.4.
Branch: master
https://github.com/mongodb/mongo/commit/f9940fb9ba9a1a562a2624f87ad6e821516ea5ca

Comment by Mathias Stearn [ 16/Jan/13 ]

I've debugged the issue and it is that the binDataType was overlapped with a pointer. CR should be up soon.

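The layout hazard that the commit message and Mathias Stearn's comment above describe, shown as an added C illustration that is not MongoDB's code: a constructed, simplified tagged value cell. The names binDataType and genericRCPtr and the 12-byte inline limit come from the commit message; everything else (payload_t, the struct layouts, the function names) is hypothetical. The first layout lets the BinData subtype byte share storage with the pointer to the out-of-line payload, so writing the subtype silently corrupts the pointer that a later dereference (the Document construction in the backtrace) would follow; the second gives the subtype its own field and, like the fix, always stores BinData out of line while leaving the inline buffer available for short strings. The 16-byte sample is my own decoding of the base64 string in the repro.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified model of a tagged value cell with a short-string
 * optimization. It is not MongoDB's mongo::Value; it only reproduces the
 * shape of the defect in the commit message: the BinData subtype byte
 * sharing storage with the pointer to the out-of-line payload. */

#define SHORT_LIMIT 12   /* inline capacity; the "12 bytes" from the commit message */

enum value_type { T_STRING = 1, T_BINDATA = 2 };

/* Out-of-line payload, modelled as a refcounted buffer (hypothetical). */
typedef struct {
    int refcount;
    size_t len;
    unsigned char data[];
} payload_t;

static payload_t *payload_new(const unsigned char *bytes, size_t len) {
    payload_t *p = malloc(sizeof *p + len);
    if (!p) abort();
    p->refcount = 1;
    p->len = len;
    memcpy(p->data, bytes, len);
    return p;
}

/* --- Layout before the fix: binDataType aliases genericRCPtr --- */
typedef struct {
    enum value_type type;
    union {
        unsigned char shortBuf[SHORT_LIMIT]; /* inline storage for short values */
        payload_t    *genericRCPtr;          /* heap payload for large values */
        unsigned char binDataType;           /* BUG: overlaps genericRCPtr */
    } u;
} buggy_value_t;

/* Store the payload pointer, then the subtype tag. The tag write lands on the
 * pointer's first byte, so the cell no longer points at the payload.
 * Returns 1 only if the stored pointer bytes still equal the real address. */
static int buggy_store_and_check(buggy_value_t *v, const unsigned char *bytes,
                                 size_t len, unsigned char subtype) {
    payload_t *p = payload_new(bytes, len);
    v->type = T_BINDATA;
    v->u.genericRCPtr = p;       /* "large" path: pointer lives in the union */
    v->u.binDataType = subtype;  /* clobbers part of genericRCPtr */
    /* Compare raw bytes; never dereference the now-corrupted pointer. */
    int intact = memcmp(&v->u, &p, sizeof p) == 0;
    free(p);                     /* free through the saved copy, not the cell */
    return intact;
}

/* --- Layout after the fix: the subtype has its own field --- */
typedef struct {
    enum value_type type;
    unsigned char binDataType;   /* never shares bytes with the pointer */
    union {
        unsigned char shortBuf[SHORT_LIMIT]; /* still available for short strings */
        payload_t    *genericRCPtr;
    } u;
} fixed_value_t;

static void fixed_set_bindata(fixed_value_t *v, const unsigned char *bytes,
                              size_t len, unsigned char subtype) {
    v->type = T_BINDATA;
    v->binDataType = subtype;
    /* As in the fix: BinData is always stored out of line, whatever its
     * length, so the inline buffer is never used for binary payloads. */
    v->u.genericRCPtr = payload_new(bytes, len);
}

/* Read the value back through the pointer and confirm subtype and bytes. */
static int fixed_bindata_matches(const fixed_value_t *v, const unsigned char *bytes,
                                 size_t len, unsigned char subtype) {
    if (v->type != T_BINDATA || v->binDataType != subtype) return 0;
    const payload_t *p = v->u.genericRCPtr;
    return p->len == len && memcmp(p->data, bytes, len) == 0;
}

static void fixed_release(fixed_value_t *v) {
    if (v->type == T_BINDATA && --v->u.genericRCPtr->refcount == 0)
        free(v->u.genericRCPtr);
}

/* The 16 bytes that "JliB6gIMRuSphAD2KmhzgQ==" from the repro decodes to
 * (a UUID-sized payload, stored with subtype 3 as in the report). */
static const unsigned char SAMPLE_UUID[16] = {
    0x26,0x58,0x81,0xea,0x02,0x0c,0x46,0xe4,0xa9,0x84,0x00,0xf6,0x2a,0x68,0x73,0x81 };

/* Repro scenario on the pre-fix layout: returns 0, the pointer is corrupted. */
int buggy_demo(void) {
    buggy_value_t v;
    return buggy_store_and_check(&v, SAMPLE_UUID, sizeof SAMPLE_UUID, 3);
}

/* Same scenario on the fixed layout: returns 1, subtype and payload survive. */
int fixed_demo(void) {
    fixed_value_t v;
    fixed_set_bindata(&v, SAMPLE_UUID, sizeof SAMPLE_UUID, 3);
    int ok = fixed_bindata_matches(&v, SAMPLE_UUID, sizeof SAMPLE_UUID, 3);
    fixed_release(&v);
    return ok;
}
```

The buggy path deliberately checks the pointer bytes with memcmp instead of following the pointer, because following it is exactly the null or wild dereference the backtrace shows inside Document's constructor; in a real build the corrupted low byte turns an aligned heap address into garbage before $sort ever reads the document.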