[SERVER-82717] QueryPlannerIXSelect::stripInvalidAssignments tries to strip non-existent index assignment from $_internalSchemaAllElemMatchFromIndex
Created: 02/Nov/23  Updated: 29/Nov/23  Resolved: 14/Nov/23

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 7.3.0-rc0

Type: Bug Priority: Major - P3
Reporter: Will Buerger Assignee: David Percy
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v7.2, v7.0, v6.0, v5.0, v4.4, v4.2
Participants:
Linked BF Score: 105

 Description   

See BF-30665 for full reproducible bug. Consider this parsed query:

{ $or: [ { a: { $not: { $exists: true } } }, { a: { $not: { $_internalSchemaType: [ 4 ] } } }, { a: { $_internalSchemaAllElemMatchFromIndex: [ 0, { $or: [ { i: { $regex: "a+b" } }, { i: { $not: { $_internalSchemaType: [ 2 ] } } } ] } ] } } ] } 

The call to QueryPlannerIXSelect::rateIndices does not set any "RelevantTag"s on any parts of the query other than "{ a: { $not: { $exists: true }} }". When _rateIndices reaches the node that represents the sub-query 

 { a: { $_internalSchemaAllElemMatchFromIndex: [ 0, { $or: [ { i: { $regex: "a+b" } }, { i: { $not: { $_internalSchemaType: [ 2 ] } } } ] } ] } } 

it does not recurse any farther since the call to "Indexability::isBoundsGenerating" returns false and the node is not a logical node.

 

However, once we reach "stripInvalidAssignmentsTo2dsphereIndices", it does recurse into the above sub-query. When it reaches the leaf node for

{ i: { $regex: "a+b" } }

it tries to strip the RelevantTag, but that tag was never set.  That causes a server crash here.

 

 



 Comments   
Comment by Githook User [ 13/Nov/23 ]

Author:

{'name': 'David Percy', 'email': 'david.percy@mongodb.com', 'username': 'dpercy'}

Message: SERVER-82717 Fix invalid assertion in query planner removeIndexRelevantTag

One phase of query planning attaches RelevantTag objects to predicates
which may be indexable, then a later phase removes some of them.

A fuzzer found a case, involving a rarely(?) used internal operator
$_internalSchemaAllElemMatchFromIndex, where we incorrectly attempt to
remove a tag that was never added.

It seems simpler to just leave the predicate alone when the tag isn't
present--there's nothing to remove, so we've succeeded in removing it.
It's unclear why this was an assertion in the first place.
Branch: master
https://github.com/mongodb/mongo/commit/d64c1f47745c590b54a8c4e2127b84ea42a9ec20
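
A simplified model of the mismatch described in this issue, added here as an illustration and not taken from the MongoDB source: `Node`, `rate`, `strip` and `buildQuery` are hypothetical names, and the tree is a constructed, reduced version of the reported query. The tagging pass stops at the non-logical, non-bounds-generating operator while the stripping pass descends into it, so a strict remover meets a leaf with no tag; the tolerant mode treats the missing tag as already removed, as the commit message describes.

```cpp
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Simplified stand-in for a match expression node (hypothetical, not MongoDB's types).
struct Node {
    std::string name;
    bool logical;           // $or / $and style node
    bool boundsGenerating;  // leaf an index could answer (assumed for this model)
    bool hasTag = false;    // stands in for an attached RelevantTag
    std::vector<std::unique_ptr<Node>> children;
    Node(std::string n, bool l, bool b) : name(std::move(n)), logical(l), boundsGenerating(b) {}
};

// Phase 1: tag indexable leaves, descending only through logical nodes.
void rate(Node& n) {
    if (n.boundsGenerating) { n.hasTag = true; return; }
    if (!n.logical) return;  // opaque operator: its subtree is never visited
    for (auto& c : n.children) rate(*c);
}

// Phase 2: visits every leaf; returns how many leaves had no tag (a strict remover asserts there).
int strip(Node& n, bool tolerant) {
    if (n.children.empty()) {
        if (!n.hasTag) return tolerant ? 0 : 1;  // tolerant: nothing to remove
        n.hasTag = false;
        return 0;
    }
    int violations = 0;
    for (auto& c : n.children) violations += strip(*c, tolerant);
    return violations;
}

// Constructed tree shaped like the query in the description (one $or branch omitted).
std::unique_ptr<Node> buildQuery() {
    auto root = std::make_unique<Node>("$or", true, false);
    root->children.push_back(std::make_unique<Node>("a: {$not: {$exists: true}}", false, true));
    auto opaque = std::make_unique<Node>("a: $_internalSchemaAllElemMatchFromIndex", false, false);
    auto inner = std::make_unique<Node>("$or", true, false);
    inner->children.push_back(std::make_unique<Node>("i: {$regex: 'a+b'}", false, true));
    opaque->children.push_back(std::move(inner));
    root->children.push_back(std::move(opaque));
    return root;
}

int main() {
    auto q = buildQuery(); rate(*q);
    return strip(*q, /*tolerant=*/true);  // exit code 0: missing tag treated as already removed
}
```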

Generated at Thu Feb 08 06:50:04 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.