Author: Ben Shteinfeld <ben.shteinfeld@mongodb.com> (bshteinfeld)
Message: SERVER-83100: Extend Pipeline lifetime by plumbing it through to SBE PlanExecutor.
This fixes a use-after-free in CQF with parameterization enabled. In the SBE stage builders codepaths for find() and agg() (and Bonsai find() codepath), the SBE PlanExecutor ends up owning the CanonicalQuery containing the MatchExpression used to generate the plan. The binding of constants to global slots for ComparisonMatchExpressions uses an unowned view of the constants. This was safe because the PlanExecutor held the MatchExpression. This is preferable to copying the constants to the slots since they can potentially be large.
When the SBE PlanExecutor is generated by Bonsai via aggregate, the MatchExpression is destroyed after the PlanExecutor is constructed but before we execute it. This leaves a dangling reference to freed memory in the PlanExecutor. We fix this by transferring ownership of the Pipeline to the PlanExecutor, so that the lifetime of the MatchExpression which contains the constants is extended to that of the PlanExecutor.
Branch: master
https://github.com/mongodb/mongo/commit/29a04e25233624d39b17f174c580cb0c588282f4
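A sketch of the lifetime bug and the fix described in the message, added here as an illustration and not taken from the MongoDB code base; the struct names are stand-ins for the real CanonicalQuery/Pipeline/PlanExecutor types, and the constants are constructed:

```cpp
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Stand-ins for the MongoDB types named in the commit (constructed for this example).
struct MatchExpression { std::vector<std::string> constants; };  // values bound into SBE slots
struct Pipeline { std::unique_ptr<MatchExpression> match; };    // Pipeline owns the MatchExpression
// A slot keeps an unowned view of a constant instead of a copy, as the message describes.
struct Slot { const std::string* view; };                         // points into constants

// Before the fix: the executor holds slots but nothing that keeps the constants alive.
struct PlanExecutorBefore { std::vector<Slot> slots; };

// After the fix: the executor also owns the Pipeline, so the constants outlive the slots.
struct PlanExecutorAfter {
    std::unique_ptr<Pipeline> pipeline;
    std::vector<Slot> slots;
};

std::vector<Slot> bindSlots(const MatchExpression& expr) {
    std::vector<Slot> slots;
    for (const auto& c : expr.constants) slots.push_back(Slot{&c});
    return slots;
}

std::unique_ptr<Pipeline> makePipeline(std::vector<std::string> constants) {
    auto p = std::make_unique<Pipeline>();
    p->match = std::make_unique<MatchExpression>(MatchExpression{std::move(constants)});
    return p;
}

// Models the aggregate() path before the fix. The weak_ptr lets a caller observe that the
// owner is already gone when the executor would run; reading a slot then would be the UAF.
struct BuildResult { PlanExecutorBefore exec; std::weak_ptr<Pipeline> ownerProbe; };
BuildResult buildBefore(std::vector<std::string> constants) {
    std::shared_ptr<Pipeline> pipeline = makePipeline(std::move(constants));
    PlanExecutorBefore exec{bindSlots(*pipeline->match)};
    return BuildResult{std::move(exec), pipeline};  // `pipeline` dies here; the slots dangle
}

// Models the fixed path: ownership of the Pipeline is transferred into the executor.
PlanExecutorAfter buildAfter(std::vector<std::string> constants) {
    auto pipeline = makePipeline(std::move(constants));
    auto slots = bindSlots(*pipeline->match);
    return PlanExecutorAfter{std::move(pipeline), std::move(slots)};
}

// Execution reads a constant through its slot; safe only because the executor owns the Pipeline.
std::string execute(const PlanExecutorAfter& exec, int slot) { return *exec.slots[slot].view; }
```

The unfixed path never dereferences a slot after the owner is gone, because that read is the undefined behaviour the commit removes; the probe only makes the ordering visible.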