[SERVER-83152] Invalid reserve() in getCellPathReqs() when subtraction wraps around Created: 11/Nov/23  Updated: 13/Nov/23  Resolved: 13/Nov/23

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 7.3.0-rc0

Type: Bug Priority: Major - P3
Reporter: David Percy Assignee: Alberto Massari
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: File SERVER-83152.js    
Issue Links:
Depends
Assigned Teams:
Query Execution
Backwards Compatibility: Fully Compatible
Operating System: ALL
Sprint: QE 2023-11-27
Participants:
Linked BF Score: 142

Description

The time-series fuzzer found a case where this subtraction is negative, which wraps around and causes reserve() to throw:

    ret.topLevelPaths.reserve(fieldSet.size() - computedFromMeta.size());
Comments
Comment by Githook User [ 13/Nov/23 ]

Author:

{'name': 'Alberto Massari', 'email': 'alberto.massari@mongodb.com', 'username': 'albymassari'}

Message: SERVER-83152 Remove size estimation based on broken assumptions
Branch: master
https://github.com/mongodb/mongo/commit/e1fc84129a3516fd2caf0ab262c17713cd3e592d

Comment by David Percy [ 11/Nov/23 ]

#0  0x0000aaaac3a6ad3c in std::__throw_length_error(char const*) ()
#1  0x0000aaaabfc25704 in std::vector<mongo::sbe::value::CellBlock::PathRequest, std::allocator<mongo::sbe::value::CellBlock::PathRequest> >::reserve (this=0xffffdea2e960, __n=18446744073709551615) at /opt/mongodbtoolchain/revisions/11316f1e7b36f08dcdd2ad0640af18f9287876f4/stow/gcc-v4.XAW/include/c++/11.3.0/bits/vector.tcc:70
#2  0x0000aaaabfc21888 in mongo::stage_builder::(anonymous namespace)::getCellPathReqs (unpackNode=0xffffe53771a0) at src/mongo/db/query/sbe_stage_builder_ts.cpp:75
#3  0x0000aaaabfc225bc in mongo::stage_builder::SlotBasedStageBuilder::buildUnpackTsBucket (this=0xffffdc7891a0, root=0xffffe53771a0, reqs=...) at src/mongo/db/query/sbe_stage_builder_ts.cpp:215
#4  0x0000aaaabfa49f44 in mongo::stage_builder::SlotBasedStageBuilder::build (this=0xffffdc7891a0, root=0xffffe53771a0, reqs=...) at src/mongo/db/query/sbe_stage_builder.cpp:5250
#5  0x0000aaaabfa3bc4c in mongo::stage_builder::SlotBasedStageBuilder::buildProjection (this=0xffffdc7891a0, root=0xffffdc78b220, reqs=...) at src/mongo/db/query/sbe_stage_builder.cpp:3324

This happens because an unsigned subtraction wraps around:

(gdb) i args
this = 0xffffdea2e960
__n = 18446744073709551615
(gdb) up
#2  0x0000aaaabfc21888 in mongo::stage_builder::(anonymous namespace)::getCellPathReqs (unpackNode=0xffffe53771a0) at src/mongo/db/query/sbe_stage_builder_ts.cpp:75
75          ret.topLevelPaths.reserve(fieldSet.size() - computedFromMeta.size());
(gdb) p fieldSet.size()
$1 = 0
(gdb) p computedFromMeta.size()
$2 = 1
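An added example, not MongoDB's code from the commit above and not the reporter's, covering both the reserve() line in the description and the gdb session in this comment: the faulty size_t subtraction beside a saturating variant, a check that feeding the wrapped value to vector::reserve() raises std::length_error exactly as the stack trace shows, and a sketch of the direction the fix commit took (dropping the size estimate altogether). The names naiveEstimate, saturatingEstimate, reserveThrows and collectTopLevelPaths and the sample field sets are this example's own assumptions, not identifiers from the project.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <set>
#include <stdexcept>
#include <string>
#include <vector>

// Faulty pattern from the ticket (names are this example's own): when
// computedFromMeta holds more entries than fieldSet, the unsigned subtraction
// cannot go negative and instead wraps to SIZE_MAX (18446744073709551615 on
// 64-bit, the __n value in the trace).
std::size_t naiveEstimate(std::size_t fieldSetSize, std::size_t computedFromMetaSize) {
    return fieldSetSize - computedFromMetaSize;  // 0 - 1 == SIZE_MAX
}

// Hardened estimate: saturate at zero instead of wrapping.
std::size_t saturatingEstimate(std::size_t fieldSetSize, std::size_t computedFromMetaSize) {
    return fieldSetSize > computedFromMetaSize ? fieldSetSize - computedFromMetaSize : 0;
}

// Passes an estimate to vector::reserve() and reports whether std::length_error
// was thrown. reserve() throws length_error when n exceeds max_size(), which is
// the case for SIZE_MAX; a wrapped value that happened to stay below max_size()
// would instead trigger a huge allocation and std::bad_alloc. Either way the
// request fails, so the bug is a crash/denial-of-service path driven by input.
bool reserveThrows(std::size_t n) {
    std::vector<std::string> v;
    try {
        v.reserve(n);
    } catch (const std::length_error&) {
        return true;
    }
    return false;
}

// Sketch of the remediation direction named in the fix commit ("remove size
// estimation based on broken assumptions"): build the result with no up-front
// reserve(), so no arithmetic on the two sizes is needed. This is a hypothetical
// helper, not the project's getCellPathReqs().
std::vector<std::string> collectTopLevelPaths(const std::set<std::string>& fieldSet,
                                              const std::set<std::string>& computedFromMeta) {
    std::vector<std::string> paths;
    for (const auto& field : fieldSet) {
        if (computedFromMeta.count(field) == 0) {
            paths.push_back(field);
        }
    }
    return paths;
}

int main() {
    // Constructed inputs mirroring the gdb session: fieldSet empty, one meta-computed field.
    std::cout << "naive estimate:      " << naiveEstimate(0, 1) << '\n';
    std::cout << "saturating estimate: " << saturatingEstimate(0, 1) << '\n';
    std::cout << "reserve(naive) throws length_error: " << std::boolalpha
              << reserveThrows(naiveEstimate(0, 1)) << '\n';
    for (const auto& p : collectTopLevelPaths({"a", "b", "c"}, {"b"})) {
        std::cout << "path: " << p << '\n';
    }
    return 0;
}
```

The saturating form is the minimal local fix; the commit went further and removed the estimate entirely, which is the safer choice whenever the relationship between the two sizes is not an invariant the code actually enforces.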
