<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 06:46:12 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-81331] Spilling in SBE may lead to read on destroyed catalog object</title>
                <link>https://jira.mongodb.org/browse/SERVER-81331</link>
                <project id="10000" key="SERVER">Core Server</project>
                    <description>&lt;p&gt;TLDR: SBE may read freed memory after spilling, when there are concurrent catalog-changing operations.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Description of Bug&lt;/b&gt;&lt;br/&gt;
SBE is running a query, reading at a particular snapshot. A blocking stage then decides to spill. The spill operation performs a write and &lt;a href=&quot;https://github.com/10gen/mongo/blob/b79f7e0f6766aecfd22959c3d2b1163703f1f2b9/src/mongo/db/exec/sbe/util/spilling.cpp#L120&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;commits&lt;/a&gt; it in a separate WriteUnitOfWork under the same RecoveryUnit. After this write commits, our snapshot may &lt;a href=&quot;https://github.com/10gen/mongo/blob/b79f7e0f6766aecfd22959c3d2b1163703f1f2b9/src/mongo/db/storage/recovery_unit.cpp#L125&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;advance&lt;/a&gt;. As part of advancing the snapshot, the CollectionCatalog shared_ptr &lt;a href=&quot;https://github.com/10gen/mongo/blob/b79f7e0f6766aecfd22959c3d2b1163703f1f2b9/src/mongo/db/catalog/collection_catalog.cpp#L124-L125&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;decorating&lt;/a&gt; decorating the current &lt;tt&gt;Snapshot&lt;/tt&gt; is destroyed.&lt;/p&gt;

&lt;p&gt;Today SBE does not handle this situation, and assumes that the CollectionCatalog remains the same after the write, as it keeps pointers to the current &lt;tt&gt;Collection&lt;/tt&gt; in the &lt;tt&gt;CollectionPtr&lt;/tt&gt; objects it stores.&lt;/p&gt;

&lt;p&gt;In the (unlikely) case where the spilling query&apos;s RecoveryUnit holds the last reference to the CollectionCatalog, (or the case where another thread destroys the CollectionCatalog immediately after the spill write commits), attempting to call &lt;tt&gt;CollectionPtr::yield()&lt;/tt&gt; will result in a use-after-free, as the CollectionPtr will try to read the uuid of a deleted &lt;tt&gt;Collection&lt;/tt&gt; object.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;How to Fix it&lt;/b&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;One option is to treat spills as &quot;yield events.&quot; We save the plan&apos;s state before committing the spill write, and restore it afterwards. This way the plan is never holding onto pointers to a destroyed CollectionCatalog.&lt;/li&gt;
	&lt;li&gt;Another option is to spill in a separate storage transaction. &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-61116&quot; title=&quot;Audit and add assertions against using multiple WT_SESSIONs on the same thread&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-61116&quot;&gt;SERVER-61116&lt;/a&gt; and &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-74133&quot; title=&quot;Spilling to TemporaryRecordStores in multi-doc transactions does not work as expected&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-74133&quot;&gt;SERVER-74133&lt;/a&gt; discusses why this requires a some delicacy. It is possible to deadlock when using multiple WT sessions from the same thread.&lt;/li&gt;
	&lt;li&gt;Don&apos;t spill to a temporary record store.&lt;/li&gt;
	&lt;li&gt;Anything else.&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;&lt;b&gt;Notes&lt;/b&gt;&lt;br/&gt;
As &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=louis.williams%40mongodb.com&quot; class=&quot;user-hover&quot; rel=&quot;louis.williams@mongodb.com&quot;&gt;louis.williams@mongodb.com&lt;/a&gt; discussed in &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-74133&quot; title=&quot;Spilling to TemporaryRecordStores in multi-doc transactions does not work as expected&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-74133&quot;&gt;SERVER-74133&lt;/a&gt;, there are other problems with spilling to a temporary RecordStore, so we may want to deal with both of these issues at the same time.&lt;/p&gt;
</description>
                <environment></environment>
        <key id="2448728">SERVER-81331</key>
            <summary>Spilling in SBE may lead to read on destroyed catalog object</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="13201">Fixed</resolution>
                                        <assignee username="martin.neupauer@mongodb.com">Martin Neupauer</assignee>
                                    <reporter username="ian.boros@mongodb.com">Ian Boros</reporter>
                        <labels>
                    </labels>
                <created>Fri, 22 Sep 2023 01:24:38 +0000</created>
                <updated>Wed, 29 Nov 2023 21:41:02 +0000</updated>
                            <resolved>Fri, 17 Nov 2023 14:26:35 +0000</resolved>
                                                    <fixVersion>7.2.0-rc0</fixVersion>
                                                        <votes>0</votes>
                                    <watches>20</watches>
                                                                                                                <comments>
                            <comment id="5888209" author="JIRAUSER1263890" created="Fri, 17 Nov 2023 14:28:45 +0000"  >&lt;p&gt;Note that a backport is not needed because the merge happened before the 7.2 branch cut.&#160; The fix is in &lt;a href=&quot;https://github.com/10gen/mongo/commits/v7.2/src/mongo/db/storage/recovery_unit.h&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/10gen/mongo/commits/v7.2/src/mongo/db/storage/recovery_unit.h&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="5851034" author="xgen-internal-githook" created="Thu, 2 Nov 2023 22:36:37 +0000"  >&lt;p&gt;Author: &lt;/p&gt;
{&apos;name&apos;: &apos;Martin Neupauer&apos;, &apos;email&apos;: &apos;xmaton@messengeruser.com&apos;, &apos;username&apos;: &apos;&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-81331&quot; title=&quot;Spilling in SBE may lead to read on destroyed catalog object&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-81331&quot;&gt;&lt;del&gt;SERVER-81331&lt;/del&gt;&lt;/a&gt; Spilling&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo/commit/3003c2d9b532ddb2ba8f8825902dbce5881b89c1&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo/commit/3003c2d9b532ddb2ba8f8825902dbce5881b89c1&lt;/a&gt;&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10420">
                    <name>Backports</name>
                                            <outwardlinks description="backported by">
                                                        </outwardlinks>
                                                        </issuelinktype>
                            <issuelinktype id="10011">
                    <name>Depends</name>
                                                                <inwardlinks description="is depended on by">
                                                        </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10520">
                    <name>Problem/Incident</name>
                                            <outwardlinks description="causes">
                                                        </outwardlinks>
                                                        </issuelinktype>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                        <issuelink>
            <issuekey id="2267514">SERVER-74133</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18555" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname># of Sprints</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>5.0</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_12751" key="com.atlassian.jira.plugin.system.customfieldtypes:multiselect">
                        <customfieldname>Assigned Teams</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="25125"><![CDATA[Query Execution]]></customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                            <customfield id="customfield_10011" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Backwards Compatibility</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10038"><![CDATA[Fully Compatible]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                    <customfield id="customfield_13552" key="com.go2group.jira.plugin.crm:crm_generic_field">
                        <customfieldname>Case</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[[5006R00001wP8GzQAK]]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Wed, 1 Nov 2023 14:54:19 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        11 weeks, 5 days ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                        <customfield id="customfield_17050" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Downstream Team Attention</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="16941"><![CDATA[Not Needed]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>britt.snyman@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            11 weeks, 5 days ago
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_16465" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Linked BF Score</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>129.0</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                        <customfield id="customfield_10032" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Operating System</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10026"><![CDATA[ALL]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>xgen-internal-githook</customfieldvalue>
            <customfieldvalue>ian.boros@mongodb.com</customfieldvalue>
            <customfieldvalue>martin.neupauer@mongodb.com</customfieldvalue>
            <customfieldvalue>steve.tarzia@mongodb.com</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|i2rnrr:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|i29lvg:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_23361" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Requested By</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                            <customfield id="customfield_22250" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Special Downgrade Instructions Required</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="23343"><![CDATA[Not Needed]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10557" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="7251">QE 2023-10-02</customfieldvalue>
    <customfieldvalue id="7254">QE 2023-10-16</customfieldvalue>
    <customfieldvalue id="7255">QE 2023-10-30</customfieldvalue>
    <customfieldvalue id="7257">QE 2023-11-13</customfieldvalue>
    <customfieldvalue id="7259">QE 2023-11-27</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_22870" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Triagers</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|i2r9x3:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>