bson_copy_to crash in Mongo C driver when used from Rust


Thijs Cadier

Aug 23, 2015, 4:28:18 PM
to mongodb-dev
Hi,

I've been working on a wrapper around the Mongo C driver for Rust: https://github.com/thijsc/mongo-rust-driver

This has been going great so far, but now I've run into an issue that I need some help with. I'm hoping one of the C driver developers could help me along with this :-).

The problem I've run into is that the C driver crashes when I try to use a fields bson_t in a query. The odd thing is that this only fails on a release build on Linux. On my local Mac machine the same query is successful. I've tried this with both 1.1.10 and 1.2.0-beta with the same result. The backtrace (bottom line is the last line on the Rust side):

#0  0x00007fbf59496859 in _bson_data (bson=0x7fbf5a362f60) at src/bson/bson.c:244
#1  bson_copy_to (src=0x7fbf5a362f60, dst=0x7fbf5a363060) at src/bson/bson.c:2041
#2  0x00007fbf594a0836 in _mongoc_cursor_new (client=<optimized out>, db_and_collection=<optimized out>, qflags=<optimized out>, skip=<optimized out>, limit=<optimized out>, batch_size=<optimized out>,
   is_command=<optimized out>, query=<optimized out>, fields=0x7fbf5a362f60, read_prefs=<optimized out>) at src/mongoc/mongoc-cursor.c:304
#3  0x00007fbf5949d103 in mongoc_collection_find (collection=<optimized out>, flags=(unknown: 1513500417), skip=1513502016, limit=0, batch_size=0, query=<optimized out>, fields=<optimized out>,
   read_prefs=<optimized out>) at src/mongoc/mongoc-collection.c:377
#4  0x00007fbf59481662 in mongo_driver::collection::Collection<'a>::find (self=0x7fff8bfbd3e0, query=<optimized out>, options=...)
   at /root/.cargo/git/checkouts/mongo-rust-driver-08d244116e7ca6b0/mongo_c_1_2/src/collection.rs:245

I've traced the problem down to this: https://github.com/mongodb/mongo-c-driver/blob/master/src/mongoc/mongoc-cursor.c#L302. It looks like it can properly determine that fields is set, but then the pointer to the bson_t is null. The code for find on the Rust side: https://github.com/thijsc/mongo-rust-driver/blob/master/src/collection.rs#L234

Could anybody on the C driver team point me in the right direction here?

Thanks!

Thijs

A. Jesse Jiryu Davis

Aug 27, 2015, 1:12:11 PM
to mongodb-dev
Seems like the "fields" bson_t is non-NULL but also not properly initialized, so when libbson tries to access its data it crashes. I don't know Rust at all, but the direction I suggest is to verify that "options.fields" is always initialized or NULL, not some uninitialized or bson_destroy'ed structure.

Thijs Cadier

Aug 27, 2015, 5:54:46 PM
to mongodb-dev
Thanks for the reply!

I found and fixed the bug. It turns out that the cursor expects the bson that was passed to it for fields to be available for the entire lifetime of the cursor. The Rust code was already cleaning this up.

A. Jesse Jiryu Davis

Aug 27, 2015, 10:12:47 PM
to mongo...@googlegroups.com
Keeping your own copy of "fields" shouldn't be necessary. mongoc_cursor_new copies the contents of the "fields" bson_t that you pass in, to its internal "fields" bson_t:


So after mongoc_cursor_new you should be able to destroy your own copy of the "fields" bson_t and continue using the cursor without any trouble.

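Added example, not part of the thread and not code from either driver: a Rust sketch of the requirement from the replies that "fields" be initialized or NULL at the moment the call copies it. Doc, mock_find, find_dangling and find_borrowed are hypothetical names; mock_find stands in for the C call and reports a stale pointer where the real library would read freed memory.

```rust
use std::{cell::RefCell, collections::HashSet, ptr};
// Addresses of live buffers; stands in for "initialized and not yet destroyed".
thread_local!(static LIVE: RefCell<HashSet<usize>> = RefCell::new(HashSet::new()));

/// Hypothetical owning wrapper, playing the role of a Rust type around bson_t.
pub struct Doc { buf: Box<[u8]> }
impl Doc {
    pub fn new(bytes: &[u8]) -> Doc {
        let d = Doc { buf: bytes.into() };
        LIVE.with(|l| l.borrow_mut().insert(d.as_ptr() as usize));
        d
    }
    pub fn as_ptr(&self) -> *const u8 { self.buf.as_ptr() }
}
impl Drop for Doc {
    // Plays the role of bson_destroy: the raw pointer is invalid afterwards.
    fn drop(&mut self) { LIVE.with(|l| l.borrow_mut().remove(&(self.as_ptr() as usize))); }
}

/// Mock callee (assumption): copies `fields` during the call, NULL means "no fields".
/// It checks liveness first, so a stale pointer becomes an Err instead of a crash.
fn mock_find(fields: *const u8, len: usize) -> Result<Vec<u8>, &'static str> {
    if fields.is_null() { return Ok(Vec::new()); }
    let live = LIVE.with(|l| l.borrow().contains(&(fields as usize)));
    if !live { return Err("fields points at a destroyed document"); }
    Ok(unsafe { std::slice::from_raw_parts(fields, len) }.to_vec())
}

/// Buggy shape: the owner is dropped before the call; only the pointer survives.
pub fn find_dangling(fields: Option<Doc>) -> Result<Vec<u8>, &'static str> {
    let (p, n) = match fields {
        Some(d) => (d.as_ptr(), d.buf.len()), // `d` is dropped at the end of this arm
        None => (ptr::null::<u8>(), 0),
    };
    mock_find(p, n)
}

/// Safe shape: borrow the owner so it outlives the call; the caller frees it later.
pub fn find_borrowed(fields: Option<&Doc>) -> Result<Vec<u8>, &'static str> {
    let (p, n) = fields.map_or((ptr::null::<u8>(), 0), |d| (d.as_ptr(), d.buf.len()));
    mock_find(p, n)
}

fn main() {
    let doc = Doc::new(b"constructed sample bytes"); // constructed input
    println!("borrowed: {:?}", find_borrowed(Some(&doc)).map(|v| v.len()));
    println!("dangling: {:?}", find_dangling(Some(doc)));
}
```

In a real binding the dangling variant has no liveness check to fall back on, so whether it crashes depends on what the allocator has done with the freed memory.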
