Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-11781

Crash when converting deeply-nested or cyclical JS objects to BSON

XMLWordPrintableJSON

    • Type: Icon: Bug Bug
    • Resolution: Done
    • Priority: Icon: Major - P3 Major - P3
    • 2.6.0-rc0
    • Affects Version/s: 2.4.6
    • Component/s: JavaScript, MapReduce
    • Labels:
    • Environment:
      unix
    • Minor Change
    • ALL
    • Hide

      1. Create collection, documents something like

      {
    _id: ObjectId("..."),
   data: {
       "some":"kind of",
       "trivial": "data"
   }
   document: DBRef("otherCollection", ObjectID("..."))
}

      2. Insert a reasonable number of them:
      > db.audit.count()
      4002

      3. Simple query:

      db.audit.group({
    keyf:function(doc){ return {doc:doc.document} },
    cond: {},
    reduce: function(c, r){ r.audits.push(r) }, 
    initial: {audits: []}})

      4. Watch as mongod segfaults.

      Show
      1. Create collection, documents something like { _id: ObjectId( "..." ), data: { "some" : "kind of" , "trivial" : "data" } document: DBRef( "otherCollection" , ObjectID( "..." )) } 2. Insert a reasonable number of them: > db.audit.count() 4002 3. Simple query: db.audit.group({ keyf:function(doc){ return {doc:doc.document} }, cond: {}, reduce: function(c, r){ r.audits.push(r) }, initial: {audits: []}}) 4. Watch as mongod segfaults.

      Original Title: Group query crashes mongo server

      Bad group query crashes mongo server

      backtrace:

      #0 0x0000000000f95f91 in v8::internal::GetKeysInFixedArrayFor(v8::internal::Handle<v8::internal::JSReceiver>, v8::internal::KeyCollectionType, bool*) ()
      #1 0x0000000000ef56b3 in v8::Object::GetOwnPropertyNames() ()
      #2 0x0000000000d7f3c1 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
      #3 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #4 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #5 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
      #6 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #7 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #8 0x0000000000d80cb6 in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #9 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
      #10 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #11 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #12 0x0000000000d80cb6 in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #13 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
      #14 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #15 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #16 0x0000000000d80cb6 in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #17 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
      #18 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #19 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #20 0x0000000000d80cb6 in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #21 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
      #22 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #23 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #24 0x0000000000d80cb6 in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #25 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
      #26 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #27 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #28 0x0000000000d80cb6 in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #29 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
      #30 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #31 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #32 0x0000000000d80cb6 in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #33 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
      #34 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #35 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #36 0x0000000000d80cb6 in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #37 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
      #38 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #39 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #40 0x0000000000d80cb6 in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #41 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
      #42 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #43 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #44 0x0000000000d80cb6 in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #45 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
      #46 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()

      ......

      #2167 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #2168 0x0000000000d80cb6 in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #2169 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
      #2170 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #2171 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #2172 0x0000000000d80cb6 in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #2173 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
      #2174 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #2175 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #2176 0x0000000000d80cb6 in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #2177 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
      #2178 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #2179 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #2180 0x0000000000d80cb6 in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #2181 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
      #2182 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSON--Type <return> to continue, or q <return> to quit--
      Obj*) ()
      #2183 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #2184 0x0000000000d80cb6 in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #2185 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
      #2186 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #2187 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #2188 0x0000000000d80cb6 in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #2189 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
      #2190 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #2191 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
      #2192 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
      #2193 0x0000000000d8192e in mongo::V8Scope::getObject(char const*) ()
      #2194 0x0000000000d6faf1 in mongo::PooledScope::getObject(char const*) ()
      #2195 0x000000000086f86b in mongo::GroupCommand::group(std::string const&, std::string const&, mongo::BSONObj const&, mongo::BSONObj, std::string const&, std::string const&, char const*, mongo::BSONObj, std::string const&, std::string&, mongo::BSONObjBuilder&) ()
      #2196 0x00000000008716c0 in mongo::GroupCommand::run(std::string const&, mongo::BSONObj&, int, std::string&, mongo::BSONObjBuilder&, bool) ()
      #2197 0x00000000008d78ca in mongo::_execCommand(mongo::Command*, std::string const&, mongo::BSONObj&, int, std::string&, mongo::BSONObjBuilder&, bool) ()
      #2198 0x00000000008d9a02 in mongo::Command::execCommand(mongo::Command*, mongo::Client&, int, char const*, mongo::BSONObj&, mongo::BSONObjBuilder&, bool) ()
      #2199 0x00000000008daa72 in mongo::_runCommands(char const*, mongo::BSONObj&, mongo::_BufBuilder<mongo::TrivialAllocator>&, mongo::BSONObjBuilder&, bool, int) ()
      #2200 0x0000000000a80970 in mongo::runCommands(char const*, mongo::BSONObj&, mongo::CurOp&, mongo::_BufBuilder<mongo::TrivialAllocator>&, mongo::BSONObjBuilder&, bool, int) ()
      #2201 0x0000000000a8523c in mongo::runQuery(mongo::Message&, mongo::QueryMessage&, mongo::CurOp&, mongo::Message&) ()
      #2202 0x00000000009f9079 in ?? ()
      #2203 0x00000000009fa5a3 in mongo::assembleResponse(mongo::Message&, mongo::DbResponse&, mongo::HostAndPort const&) ()
      #2204 0x00000000006e8b88 in mongo::MyMessageHandler::process(mongo::Message&, mongo::AbstractMessagingPort*, mongo::LastError*) ()
      #2205 0x0000000000dca34e in mongo::PortMessageServer::handleIncomingMsg(void*) ()
      #2206 0x00007ffff7bc6e0e in start_thread (arg=0x7fffea756700) at pthread_create.c:311
      #2207 0x00007ffff6edc9ed in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

            Assignee:
            mathias@mongodb.com Mathias Stearn
            Reporter:
            davegalos dave galos
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: