[SERVER-82736] [BF-30666] sbe::UnwindStage does not correctly handle child yields Created: 02/Nov/23  Updated: 14/Nov/23  Resolved: 11/Nov/23

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 7.3.0-rc0, 7.2.0-rc2

Type: Bug Priority: Major - P3
Reporter: Kevin Cherkauer Assignee: Kevin Cherkauer
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v7.2
Sprint: QE 2023-11-13, QE 2023-11-27
Participants:
Linked BF Score: 155

Description

This is a previously existing latent bug that has been exposed by SERVER-80563, where sbe::UnwindStage does not correctly handle child yields and thus references memory (in UnwindStage::_inArrayAccessor) owned by a WiredTiger cursor that has been freed after a child yield event.

Apparently the prior internal uses of sbe::UnwindStage (e.g. in the SBE $lookup implementation) did not have the possibility of a child yielding under this stage, so the yield code paths were not exercised before. It looks like the bug has been latent for ~3 years.
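As an added illustration, not MongoDB's code and not the fix in the linked commits, the following hypothetical C++ model shows the bug class the description names: an unwind stage caches a pointer into cursor-owned memory across a child yield, beside a variant that copies the array into stage-owned storage before the child yields. The names CursorBuffer, ChildStage, UnwindStage and unwindWithYield, and the saveState/restoreState yield protocol, are assumptions of the model.

```cpp
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>
// Constructed model (not MongoDB code) of the bug class described above: a parent
// stage keeps a pointer into cursor-owned memory that is freed when the child
// yields. 'freed' stands in for a real use-after-free so the stale read is detectable.
struct CursorBuffer { std::vector<std::string> elems; bool freed; };
// Hypothetical child stage: saveState() frees its buffer, restoreState() re-reads it.
class ChildStage {
public:
    ChildStage(std::vector<std::string> doc) : _doc(std::move(doc)) { restoreState(); }
    std::shared_ptr<CursorBuffer> current() const { return _buf; }
    void saveState() { _buf->freed = true; }
    void restoreState() { _buf = std::make_shared<CursorBuffer>(CursorBuffer{_doc, false}); }
private: std::vector<std::string> _doc; std::shared_ptr<CursorBuffer> _buf;
};

// Hypothetical unwind stage: copyOnYield=false keeps the cached _inArray across the
// yield (the latent bug); copyOnYield=true copies the array into stage-owned storage first.
class UnwindStage {
public:
    UnwindStage(ChildStage& c, bool copyOnYield) : _child(c), _copyOnYield(copyOnYield) {}
    void open() { _inArray = _child.current(); }
    std::string getNext() {
        if (_useOwned) return _owned.at(_index++);
        if (_inArray->freed) throw std::runtime_error("read of freed cursor memory");
        return _inArray->elems.at(_index++);
    }
    void saveState() {
        if (_copyOnYield) { _owned = _inArray->elems; _useOwned = true; }
        _child.saveState();
    }
    void restoreState() { _child.restoreState(); }
private:
    ChildStage& _child; bool _copyOnYield; std::shared_ptr<CursorBuffer> _inArray;
    std::vector<std::string> _owned; bool _useOwned = false; std::size_t _index = 0;
};

// Unwind {"a","b","c"} with a child yield after the first element; returns the
// elements produced, or {"UAF"} when the stale pointer is read.
std::vector<std::string> unwindWithYield(bool copyOnYield) {
    ChildStage child({"a", "b", "c"});
    UnwindStage unwind(child, copyOnYield); unwind.open();
    std::vector<std::string> out{unwind.getNext()};
    unwind.saveState(); unwind.restoreState();
    try { out.push_back(unwind.getNext()); out.push_back(unwind.getNext()); }
    catch (const std::runtime_error&) { return {"UAF"}; }
    return out;
}
```

On a real build the stale read is undefined behaviour rather than an exception, which is why the description notes it only surfaced under ASAN.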

Comments
Comment by Githook User [ 14/Nov/23 ]

Author:

{'name': 'Kevin Cherkauer', 'email': 'kevin.cherkauer@mongodb.com', 'username': 'kevin-cherkauer'}

Message: SERVER-82736 Fix sbe::UnwindStage yield handling to not use freed memory
Branch: v7.2
https://github.com/mongodb/mongo/commit/e5ed10c76ee46c24137b6d38f387535cd48b53d4

Comment by Githook User [ 11/Nov/23 ]

Author:

{'name': 'Kevin Cherkauer', 'email': 'kevin.cherkauer@mongodb.com', 'username': 'kevin-cherkauer'}

Message: SERVER-82736 Fix sbe::UnwindStage yield handling to not use freed memory
Branch: master
https://github.com/mongodb/mongo/commit/0a729cd810108699045473797e6127fb9d0eb997

Comment by Kevin Cherkauer [ 02/Nov/23 ]

The failing test jstests/aggregation/bugs/server5932.js --suite=aggregation_auth (memory accessed after being freed) passes when run locally on a non-ASAN build, but the failure reproduces with an ASAN build:

build/install/bin/resmoke.py run --dbpathPrefix ~/data \
    --mongodSetParameters="{featureFlagSbeFull: true}" \
    --suite=aggregation_auth \
    jstests/aggregation/bugs/server5932.js
