-
Type: Bug
-
Resolution: Done
-
Priority: Minor - P4
-
None
-
Affects Version/s: 2.6.4, 2.7.1, 2.7.4
-
Component/s: Shell
-
ALL
-
-
Server 2.7.6
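In shells before 2.6.4 and before 2.7.1, printing the index bounds of a DBPointer field results in a (harmless) SyntaxError exception. In 2.6.4 and 2.7.1+, the exception is followed by a crash of the shell process: the Valgrind trace below shows an invalid 8-byte read at address 0x0, reached from mongo::V8Scope::mongoToV8Element (engine_v8.cpp:1501) via v8::Function::NewInstance and ending in a segmentation fault.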
Valgrind output:
==12721== Invalid read of size 8
==12721== at 0x12E4AA40D139: ???
==12721== by 0x12E4AA406275: ???
==12721== by 0x948FF8: v8::internal::Execution::New(v8::internal::Handle<v8::internal::JSFunction>, int, v8::internal::Handle<v8::internal::Object>*, bool*) (execution.cc:118)
==12721== by 0x8F8B6D: v8::Function::NewInstance(int, v8::Handle<v8::Value>*) const (api.cc:3638)
==12721== by 0x74868F: mongo::V8Scope::mongoToV8Element(mongo::BSONElement const&, bool) (engine_v8.cpp:1501)
==12721== by 0x748442: mongo::V8Scope::mongoToV8Element(mongo::BSONElement const&, bool) (engine_v8.cpp:1422)
==12721== by 0x748442: mongo::V8Scope::mongoToV8Element(mongo::BSONElement const&, bool) (engine_v8.cpp:1422)
==12721== by 0x749571: mongo::namedGet(v8::Local<v8::String>, v8::AccessorInfo const&) (engine_v8.cpp:124)
==12721== by 0xA4F941: v8::internal::JSObject::GetPropertyWithInterceptor(v8::internal::JSReceiver*, v8::internal::String*, PropertyAttributes*) (objects.cc:10297)
==12721== by 0xA4FFC2: v8::internal::Object::GetProperty(v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, v8::internal::LookupResult*, v8::internal::Handle<v8::internal::String>, PropertyAttributes*) (objects.cc:582)
==12721== by 0x9DF95C: v8::internal::KeyedLoadIC::Load(v8::internal::InlineCacheState, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, bool) (ic.cc:1180)
==12721== by 0x9DFB24: v8::internal::KeyedLoadIC_Miss(v8::internal::Arguments, v8::internal::Isolate*) (ic.cc:2101)
==12721== by 0x12E4AA406361: ???
==12721== by 0x12E4AA45E607: ???
==12721== by 0x12E4AA45DA64: ???
==12721== by 0x12E4AA45E806: ???
==12721== by 0x12E4AA45DA64: ???
==12721== by 0x12E4AA40C76D: ???
==12721== by 0x12E4AA4527AB: ???
==12721== by 0x12E4AA45229A: ???
==12721== by 0x12E4AA40CFA6: ???
==12721== by 0x12E4AA406115: ???
==12721== by 0x94AA5C: v8::internal::Execution::Call(v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, bool*, bool) (execution.cc:118)
==12721== by 0x8EFF68: v8::Script::Run() (api.cc:1613)
==12721== by 0x74ACD9: mongo::V8Scope::exec(mongo::StringData const&, std::string const&, bool, bool, bool, int) (engine_v8.cpp:1106)
==12721== by 0x62D0D0: _main(int, char**, char**) (dbshell.cpp:878)
==12721== by 0x6193D1: main (dbshell.cpp:918)
==12721== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==12721==
2014-08-14T23:41:12.869-0400 F Invalid access at address: 0
2014-08-14T23:41:12.900-0400 F Got signal: 11 (Segmentation fault).
0x7f6759 0x7f6362 0x7f65ce 0x4e47340 0x12e4aa40d139
----- BEGIN BACKTRACE -----
{"backtrace":[{"b":"400000","o":"3F6759"},{"b":"400000","o":"3F6362"},{"b":"400000","o":"3F65CE"},{"b":"4E37000","o":"10340"},{"b":"0","o":"12E4AA40D139"}],"processInfo":{ "mongodbVersion" : "2.7.5-pre-", "gitVersion" : "7a1a0ce4ca6bbdf047adc7528310078ef7ca08f8", "uname" : { "sysname" : "Linux", "release" : "3.13.0-24-generic", "version" : "#46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014", "machine" : "x86_64" }, "somap" : [ { "elfType" : 2, "b" : "400000", "buildId" : "F68A844EB0B781158FA4CE7FB2D67ECDCAA1B21D" }, { "b" : "4A25000", "path" : "/usr/lib/valgrind/vgpreload_core-amd64-linux.so", "elfType" : 3, "buildId" : "39258A592B45456E029EA7458EDB059E25DAD54D" }, { "b" : "4C27000", "path" : "/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so", "elfType" : 3, "buildId" : "DA51DCDE9F27F24FDD755CB7089E7A2CAC6518E9" }, { "b" : "4E37000", "path" : "/lib/x86_64-linux-gnu/libpthread.so.0", "elfType" : 3, "buildId" : "FE662C4D7B14EE804E0C1902FB55218A106BC5CB" }, { "b" : "5055000", "path" : "/lib/x86_64-linux-gnu/librt.so.1", "elfType" : 3, "buildId" : "92FCF41EFE012D6186E31A59AD05BDBB487769AB" }, { "b" : "525D000", "path" : "/lib/x86_64-linux-gnu/libdl.so.2", "elfType" : 3, "buildId" : "C1AE4CB7195D337A77A3C689051DABAA3980CA0C" }, { "b" : "5461000", "path" : "/usr/lib/x86_64-linux-gnu/libstdc++.so.6", "elfType" : 3, "buildId" : "19EFDDAB11B3BF5C71570078C59F91CF6592CE9E" }, { "b" : "5765000", "path" : "/lib/x86_64-linux-gnu/libm.so.6", "elfType" : 3, "buildId" : "574C6350381DA194C00FF555E0C1784618C05569" }, { "b" : "5A6B000", "path" : "/lib/x86_64-linux-gnu/libgcc_s.so.1", "elfType" : 3, "buildId" : "CC0D578C2E0D86237CA7B0CE8913261C506A629A" }, { "b" : "5C81000", "path" : "/lib/x86_64-linux-gnu/libc.so.6", "elfType" : 3, "buildId" : "8BA18E4F3BB61EB5DBBF9C490B398C665DF407F9" }, { "b" : "4000000", "path" : "/lib64/ld-linux-x86-64.so.2", "elfType" : 3, "buildId" : "9F00581AB3C73E3AEA35995A0C50D24D59A01D47" } ] }}
mongo(_ZN5mongo15printStackTraceERSo+0x29) [0x7f6759]
mongo(+0x3F6362) [0x7f6362]
mongo(+0x3F65CE) [0x7f65ce]
libpthread.so.0(+0x10340) [0x4e47340]
??? [0x12e4aa40d139]
----- END BACKTRACE -----
- is related to
-
SERVER-4737 Viewing a document that has code_w_s will crash the shell
- Closed
-
SERVER-13707 mongo shell may crash when converting invalid regular expression
- Closed
-
SERVER-14107 Querying for a document containing a value of either type Javascript or JavascriptWithScope crashes the shell
- Closed