  1. Core Server
  2. SERVER-14909

Shell crashes when printing DBPointer index bounds

    • Type: Bug
    • Resolution: Done
    • Priority: Minor - P4
    • None
    • Affects Version/s: 2.6.4, 2.7.1, 2.7.4
    • Component/s: Shell
    • ALL
    • Steps to reproduce:
      // Reproduction script for the shell crash described in this report.
      // Work on a freshly dropped collection so no earlier state is involved.
      var t = db.shell_crash;
      t.drop();
      
      // Single-field ascending index on 'a' (presumably so that the explain
      // output below carries index bounds for that field).
      t.ensureIndex({a: 1});
      // $type: 12 matches BSON type 12 (DBPointer). The call is kept as a bare
      // expression statement, exactly as reported; per the report, the crash
      // follows when the shell prints the DBPointer index bounds in this output.
      t.find({a: {$type: 12}}).explain(true);
      
    • Server 2.7.6

      In pre-2.6.4 and pre-2.7.1 shells, printing the index bounds of a DBPointer field results in a (harmless) SyntaxError exception. In 2.6.4 and 2.7.1+, the exception is followed by a crash.

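      Valgrind output (the invalid read of address 0x0 occurs in unsymbolized frames, likely JIT-compiled JavaScript, entered from v8::Function::NewInstance as called by mongo::V8Scope::mongoToV8Element at engine_v8.cpp:1501):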

      ==12721== Invalid read of size 8
      ==12721==    at 0x12E4AA40D139: ???
      ==12721==    by 0x12E4AA406275: ???
      ==12721==    by 0x948FF8: v8::internal::Execution::New(v8::internal::Handle<v8::internal::JSFunction>, int, v8::internal::Handle<v8::internal::Object>*, bool*) (execution.cc:118)
      ==12721==    by 0x8F8B6D: v8::Function::NewInstance(int, v8::Handle<v8::Value>*) const (api.cc:3638)
      ==12721==    by 0x74868F: mongo::V8Scope::mongoToV8Element(mongo::BSONElement const&, bool) (engine_v8.cpp:1501)
      ==12721==    by 0x748442: mongo::V8Scope::mongoToV8Element(mongo::BSONElement const&, bool) (engine_v8.cpp:1422)
      ==12721==    by 0x748442: mongo::V8Scope::mongoToV8Element(mongo::BSONElement const&, bool) (engine_v8.cpp:1422)
      ==12721==    by 0x749571: mongo::namedGet(v8::Local<v8::String>, v8::AccessorInfo const&) (engine_v8.cpp:124)
      ==12721==    by 0xA4F941: v8::internal::JSObject::GetPropertyWithInterceptor(v8::internal::JSReceiver*, v8::internal::String*, PropertyAttributes*) (objects.cc:10297)
      ==12721==    by 0xA4FFC2: v8::internal::Object::GetProperty(v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, v8::internal::LookupResult*, v8::internal::Handle<v8::internal::String>, PropertyAttributes*) (objects.cc:582)
      ==12721==    by 0x9DF95C: v8::internal::KeyedLoadIC::Load(v8::internal::InlineCacheState, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, bool) (ic.cc:1180)
      ==12721==    by 0x9DFB24: v8::internal::KeyedLoadIC_Miss(v8::internal::Arguments, v8::internal::Isolate*) (ic.cc:2101)
      ==12721==    by 0x12E4AA406361: ???
      ==12721==    by 0x12E4AA45E607: ???
      ==12721==    by 0x12E4AA45DA64: ???
      ==12721==    by 0x12E4AA45E806: ???
      ==12721==    by 0x12E4AA45DA64: ???
      ==12721==    by 0x12E4AA40C76D: ???
      ==12721==    by 0x12E4AA4527AB: ???
      ==12721==    by 0x12E4AA45229A: ???
      ==12721==    by 0x12E4AA40CFA6: ???
      ==12721==    by 0x12E4AA406115: ???
      ==12721==    by 0x94AA5C: v8::internal::Execution::Call(v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, bool*, bool) (execution.cc:118)
      ==12721==    by 0x8EFF68: v8::Script::Run() (api.cc:1613)
      ==12721==    by 0x74ACD9: mongo::V8Scope::exec(mongo::StringData const&, std::string const&, bool, bool, bool, int) (engine_v8.cpp:1106)
      ==12721==    by 0x62D0D0: _main(int, char**, char**) (dbshell.cpp:878)
      ==12721==    by 0x6193D1: main (dbshell.cpp:918)
      ==12721==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
      ==12721== 
      2014-08-14T23:41:12.869-0400 F          Invalid access at address: 0
      2014-08-14T23:41:12.900-0400 F          Got signal: 11 (Segmentation fault).
      
       0x7f6759 0x7f6362 0x7f65ce 0x4e47340 0x12e4aa40d139
      ----- BEGIN BACKTRACE -----
      {"backtrace":[{"b":"400000","o":"3F6759"},{"b":"400000","o":"3F6362"},{"b":"400000","o":"3F65CE"},{"b":"4E37000","o":"10340"},{"b":"0","o":"12E4AA40D139"}],"processInfo":{ "mongodbVersion" : "2.7.5-pre-", "gitVersion" : "7a1a0ce4ca6bbdf047adc7528310078ef7ca08f8", "uname" : { "sysname" : "Linux", "release" : "3.13.0-24-generic", "version" : "#46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014", "machine" : "x86_64" }, "somap" : [ { "elfType" : 2, "b" : "400000", "buildId" : "F68A844EB0B781158FA4CE7FB2D67ECDCAA1B21D" }, { "b" : "4A25000", "path" : "/usr/lib/valgrind/vgpreload_core-amd64-linux.so", "elfType" : 3, "buildId" : "39258A592B45456E029EA7458EDB059E25DAD54D" }, { "b" : "4C27000", "path" : "/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so", "elfType" : 3, "buildId" : "DA51DCDE9F27F24FDD755CB7089E7A2CAC6518E9" }, { "b" : "4E37000", "path" : "/lib/x86_64-linux-gnu/libpthread.so.0", "elfType" : 3, "buildId" : "FE662C4D7B14EE804E0C1902FB55218A106BC5CB" }, { "b" : "5055000", "path" : "/lib/x86_64-linux-gnu/librt.so.1", "elfType" : 3, "buildId" : "92FCF41EFE012D6186E31A59AD05BDBB487769AB" }, { "b" : "525D000", "path" : "/lib/x86_64-linux-gnu/libdl.so.2", "elfType" : 3, "buildId" : "C1AE4CB7195D337A77A3C689051DABAA3980CA0C" }, { "b" : "5461000", "path" : "/usr/lib/x86_64-linux-gnu/libstdc++.so.6", "elfType" : 3, "buildId" : "19EFDDAB11B3BF5C71570078C59F91CF6592CE9E" }, { "b" : "5765000", "path" : "/lib/x86_64-linux-gnu/libm.so.6", "elfType" : 3, "buildId" : "574C6350381DA194C00FF555E0C1784618C05569" }, { "b" : "5A6B000", "path" : "/lib/x86_64-linux-gnu/libgcc_s.so.1", "elfType" : 3, "buildId" : "CC0D578C2E0D86237CA7B0CE8913261C506A629A" }, { "b" : "5C81000", "path" : "/lib/x86_64-linux-gnu/libc.so.6", "elfType" : 3, "buildId" : "8BA18E4F3BB61EB5DBBF9C490B398C665DF407F9" }, { "b" : "4000000", "path" : "/lib64/ld-linux-x86-64.so.2", "elfType" : 3, "buildId" : "9F00581AB3C73E3AEA35995A0C50D24D59A01D47" } ] }}
       mongo(_ZN5mongo15printStackTraceERSo+0x29) [0x7f6759]
       mongo(+0x3F6362) [0x7f6362]
       mongo(+0x3F65CE) [0x7f65ce]
       libpthread.so.0(+0x10340) [0x4e47340]
       ??? [0x12e4aa40d139]
      -----  END BACKTRACE  -----
      

        1. server14909.js
          0.2 kB
          Benety Goh

            Assignee:
            backlog-server-platform DO NOT USE - Backlog - Platform Team
            Reporter:
            kamran.khan Kamran K.
