4/3/2024
MongoDB Server
No affected releases provided.
No fixed releases provided.
As mentioned in the FCV README, it's only safe to check a featureFlag while holding the global lock in IX / X to ensure that the FCV doesn't transition all the way from upgraded -> downgraded or downgraded -> upgraded in the lifetime of an operation. This rule isn't enforced / well-known. And so we have a few cases in the code where we check a featureFlag without holding the global lock in IX / X:

- In createCollection, when checking for collection options (makes secondaries crash - SERVER-88964 will fix it)
- In bulkWrite
- In analyzeCmd

(There might be other cases as well, I haven't checked.)

This means that a node may potentially be in the fully downgraded state but allow a command only executable in the upgraded state to run.

Also note that the latter two examples don't seem harmful because the commands don't persist data in a new format. So we might want a way to differentiate between when a command causes data to get persisted in a new format and when a command is cosmetic (like bulkWrite).

It's also worth thinking about what may happen on a sharded cluster if some shards process the command while others reject it.