Core Server / SERVER-11671

Bad stored Javascript causes db.eval() to segfault the server

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Blocker - P1
    • Affects Version/s: 2.4.8
    • Component/s: JavaScript
    • Labels:
    • Environment:
      OSX Mavericks
    • OS X

      database.eval <<-EOF
      db.posts.find().forEach(function(obj) {
      db.posts.update({_id: obj._id}, {$set: {tiered_at: obj.post_date, tier: 0}})
      });
      EOF


      Executing a db.eval() segfaults the server. We've been unable to replicate this on 2.4.3 on a Linux machine, and it seems to be related somehow to old data, as the same operation on a completely clean mongod install doesn't segfault.

      The log mentions "map_heatmap" and "reduce_heatmap" functions, which don't appear in our code or collections (as far as we can tell). However, they show up via mongodump.

      Tue Nov 12 18:17:03.143 [initandlisten] connection accepted from 127.0.0.1:53299 #6 (4 connections now open)
      Tue Nov 12 18:17:03.144 [initandlisten] connection accepted from 127.0.0.1:53300 #7 (5 connections now open)
      Tue Nov 12 18:17:03.145 [conn6] end connection 127.0.0.1:53299 (4 connections now open)
      Tue Nov 12 18:17:03.247 [initandlisten] connection accepted from 127.0.0.1:53301 #8 (5 connections now open)
      Tue Nov 12 18:17:03.248 [initandlisten] connection accepted from 127.0.0.1:53302 #9 (6 connections now open)
      Tue Nov 12 18:17:03.248 [conn8] end connection 127.0.0.1:53301 (5 connections now open)
      Tue Nov 12 18:17:04.029 [initandlisten] connection accepted from 127.0.0.1:53303 #10 (6 connections now open)
      Tue Nov 12 18:17:04.043 [conn10] SyntaxError: Unexpected end of input
      Tue Nov 12 18:17:04.043 [conn10] unable to load stored JavaScript function map_heatmap(): SyntaxError: Unexpected end of input
      Tue Nov 12 18:17:04.043 [conn10] SyntaxError: Unexpected end of input
      Tue Nov 12 18:17:04.043 [conn10] unable to load stored JavaScript function reduce_heatmap(): SyntaxError: Unexpected end of input
      Tue Nov 12 18:17:04.145 Invalid access at address: 0x10 from thread: conn10

      Tue Nov 12 18:17:04.145 Got signal: 11 (Segmentation fault: 11).

      Tue Nov 12 18:17:04.149 Backtrace:
      0x10c6b39e0 0x10c1c427d 0x10c1c45b8 0x7fff8d9e65aa 0x1f6df0f6dac1 0x10c7e6097 0x10c8b3699 0x10c8b3501 0x10c66d5cb 0x10c66d48f 0x10c66836a 0x10c6677cf 0x10c35d4d4 0x10c35d8cc 0x10c33d055 0x10c33e013 0x10c33edf6 0x10c45304d 0x10c459468 0x10c3f692a
      0 mongod 0x000000010c6b39e0 _ZN5mongo15printStackTraceERSo + 64
      1 mongod 0x000000010c1c427d _ZN5mongo10abruptQuitEi + 397
      2 mongod 0x000000010c1c45b8 ZN5mongo24abruptQuitWithAddrSignalEiP9_siginfoPv + 344
      3 libsystem_platform.dylib 0x00007fff8d9e65aa _sigtramp + 26
      4 ??? 0x00001f6df0f6dac1 0x0 + 34557054606017
      5 mongod 0x000000010c7e6097 _ZN2v88internal15DeoptimizerDataD1Ev + 55
      6 mongod 0x000000010c8b3699 _ZN2v88internal7Isolate6DeinitEv + 105
      7 mongod 0x000000010c8b3501 _ZN2v88internal7Isolate8TearDownEv + 81
      8 mongod 0x000000010c66d5cb _ZN5mongo7V8ScopeD2Ev + 267
      9 mongod 0x000000010c66d48f _ZN5mongo7V8ScopeD0Ev + 15
      10 mongod 0x000000010c66836a _ZN5mongo11PooledScopeD2Ev + 842
      11 mongod 0x000000010c6677cf _ZN5mongo11PooledScopeD0Ev + 15
      12 mongod 0x000000010c35d4d4 _ZN5mongo6dbEvalERKSsRNS_7BSONObjERNS_14BSONObjBuilderERSs + 1812
      13 mongod 0x000000010c35d8cc _ZN5mongo7CmdEval3runERKSsRNS_7BSONObjEiRSsRNS_14BSONObjBuilderEb + 172
      14 mongod 0x000000010c33d055 _ZN5mongo12_execCommandEPNS_7CommandERKSsRNS_7BSONObjEiRSsRNS_14BSONObjBuilderEb + 37
      15 mongod 0x000000010c33e013 _ZN5mongo7Command11execCommandEPS0_RNS_6ClientEiPKcRNS_7BSONObjERNS_14BSONObjBuilderEb + 2915
      16 mongod 0x000000010c33edf6 _ZN5mongo12_runCommandsEPKcRNS_7BSONObjERNS_11_BufBuilderINS_16TrivialAllocatorEEERNS_14BSONObjBuilderEbi + 886
      17 mongod 0x000000010c45304d _ZN5mongo11runCommandsEPKcRNS_7BSONObjERNS_5CurOpERNS_11_BufBuilderINS_16TrivialAllocatorEEERNS_14BSONObjBuilderEbi + 45
      18 mongod 0x000000010c459468 ZN5mongo8runQueryERNS_7MessageERNS_12QueryMessageERNS_5CurOpES1 + 1112
      19 mongod 0x000000010c3f692a _ZN5mongo16assembleResponseERNS_7MessageERNS_10DbResponseERKNS_11HostAndPortE + 1338

      Querying db.system.js.find() results in:

      follow:PRIMARY> db.system.js.find()
      { "_id" : "debug", "value" : function (p) { print(p); } }
      Tue Nov 12 16:48:29.474 JavaScript execution failed: SyntaxError: Unexpected end of input
      Error: 16722 JavaScript execution failed: SyntaxError: Unexpected end of input
      follow:PRIMARY>

      See the attached js.tar.gz for mongodumps of the system.js collection in question.

      Attempting to remove the functions in question from the collection failed - it seems that the syntax errors prevent mongo from doing anything with them, and then eval just trashes the whole daemon when it tries to interpret them.

      Attachments: js.tar.gz (0.5 kB, Chris Heald)

      Assignee: Unassigned
      Reporter: Chris Heald (cheald)
      Votes: 0
      Watchers: 5
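
Log triage for the failure signature in this report, added here as an example (not code from the reporter or from MongoDB): it links `unable to load stored JavaScript function` errors to a later invalid access and signal on the same connection thread. The function name `triageStoredJsCrash` and the regular expressions are assumptions derived only from the log lines quoted above.

```javascript
// Sample input: lines copied from the log excerpt quoted in the report.
const SAMPLE_LOG = [
  'Tue Nov 12 18:17:04.029 [initandlisten] connection accepted from 127.0.0.1:53303 #10 (6 connections now open)',
  'Tue Nov 12 18:17:04.043 [conn10] SyntaxError: Unexpected end of input',
  'Tue Nov 12 18:17:04.043 [conn10] unable to load stored JavaScript function map_heatmap(): SyntaxError: Unexpected end of input',
  'Tue Nov 12 18:17:04.043 [conn10] SyntaxError: Unexpected end of input',
  'Tue Nov 12 18:17:04.043 [conn10] unable to load stored JavaScript function reduce_heatmap(): SyntaxError: Unexpected end of input',
  'Tue Nov 12 18:17:04.145 Invalid access at address: 0x10 from thread: conn10',
  'Tue Nov 12 18:17:04.145 Got signal: 11 (Segmentation fault: 11).',
].join('\n');

// Patterns assumed from the 2.4.x log format shown in the report.
const LOAD_FAIL = /\[(conn\d+)\] unable to load stored JavaScript function (.+?)\(\): (.+)$/;
const BAD_ACCESS = /Invalid access at address: (0x[0-9a-fA-F]+) from thread: (\w+)/;
const SIGNAL = /Got signal: (\d+)/;

// Returns one finding per crash whose thread previously failed to load
// stored JavaScript, listing the system.js function names involved.
function triageStoredJsCrash(logText) {
  const failures = new Map(); // thread name -> [{ name, error }]
  const findings = [];
  let pending = null;         // crash record waiting for its signal line
  for (const line of logText.split(/\r?\n/)) {
    let m;
    if ((m = LOAD_FAIL.exec(line))) {
      if (!failures.has(m[1])) failures.set(m[1], []);
      failures.get(m[1]).push({ name: m[2], error: m[3] });
    } else if ((m = BAD_ACCESS.exec(line))) {
      pending = { thread: m[2], address: m[1], signal: null,
                  functions: failures.get(m[2]) || [] };
      findings.push(pending);
    } else if ((m = SIGNAL.exec(line)) && pending) {
      pending.signal = Number(m[1]);
      pending = null;
    }
  }
  // Crashes on threads with no stored-JS load failure are out of scope here.
  return findings.filter((f) => f.functions.length > 0);
}

console.log(JSON.stringify(triageStoredJsCrash(SAMPLE_LOG), null, 2));
```

The function names it reports are the `_id` values to inspect in `system.js` on a copy of the data before running further server-side JavaScript against it.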