SERVER-56869 Various fixes for use-after-free bugs in SBE

author: Ian Boros <ian.boros@mongodb.com> 2021-05-12 18:22:11 -0400
committer: Evergreen Agent <no-reply@evergreen.mongodb.com> 2021-05-17 20:58:49 +0000
commit: fcdc972cd6f64bfe710161fb3a0ffc4a5ca329d1 (patch)
tree: 74e51c4fca725ea747a941fbc00f3b3c399c1080 /src/mongo/db/query/plan_executor_sbe.cpp
parent: e37ca4e197187847786b79fb1af810bbfc2a6e4d (diff)
download: mongo-fcdc972cd6f64bfe710161fb3a0ffc4a5ca329d1.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/src/mongo/db/query/plan_executor_sbe.cpp b/src/mongo/db/query/plan_executor_sbe.cpp
index b4905fce9ec..a62dfc5b8aa 100644
--- a/src/mongo/db/query/plan_executor_sbe.cpp
+++ b/src/mongo/db/query/plan_executor_sbe.cpp
@@ -89,6 +89,10 @@ PlanExecutorSBE::PlanExecutorSBE(OperationContext* opCtx,
 
     if (!winner.results.empty()) {
         _stash = std::move(winner.results);
+        // The PlanExecutor keeps an extra reference to the last object pulled out of the PlanStage
+        // tree. This is because we want to ensure that the caller of PlanExecutor::getNext() does
+        // not free the object and leave a dangling pointer in the PlanStage tree.
+        _lastGetNext = _stash.back().first;
     }
 
     // Callers are allowed to disable yielding for this plan by passing a null yield policy.
author	Ian Boros <ian.boros@mongodb.com>	2021-05-12 18:22:11 -0400
committer	Evergreen Agent <no-reply@evergreen.mongodb.com>	2021-05-17 20:58:49 +0000
commit	fcdc972cd6f64bfe710161fb3a0ffc4a5ca329d1 (patch)
tree	74e51c4fca725ea747a941fbc00f3b3c399c1080 /src/mongo/db/query/plan_executor_sbe.cpp
parent	e37ca4e197187847786b79fb1af810bbfc2a6e4d (diff)
download	mongo-fcdc972cd6f64bfe710161fb3a0ffc4a5ca329d1.tar.gz