Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Done
Priority: Major - P3
Fix Version/s: 3.1.7
Affects Version/s: 3.1.6
Component/s: JavaScript
Labels:
None

Backwards Compatibility:
Fully Compatible
Operating System:
ALL
Steps To Reproduce:
Hide

// Running without db.eval will crash the shell instead var s = '' + 't = db.foo;' + 't.drop();' + 'ObjectId = t.stats();' + 't.save({ a: "apple" });'; db.eval(s);
Show
// Running without db.eval will crash the shell instead var s = '' + 't = db.foo;' + 't.drop();' + 'ObjectId = t.stats();' + 't.save({ a: "apple" });'; db.eval(s);
Sprint:
Platform 7 08/10/15

ASan Report:

==4976== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000250128b sp 0x7f91c65b6560 bp 0x7f91c65b6960 T15)
AddressSanitizer can not provide additional info.
    #0 0x250128a in BSONObj /home/jdelaney/mongo/src/mongo/bson/bsonobj.h:129
    #1 0x250128a in mongo::mozjs::ObjectWrapper::writeThis(mongo::BSONObjBuilder*) /home/jdelaney/mongo/src/mongo/scripting/mozjs/objectwrapper.cpp:344
    #2 0x25210be in mongo::mozjs::ValueWriter::_writeObject(mongo::BSONObjBuilder*, mongo::StringData, JS::Handle<JSObject*>) /home/jdelaney/mongo/src/mongo/scripting/mozjs/valuewriter.cpp:247
    #3 0x252372d in mongo::mozjs::ValueWriter::writeThis(mongo::BSONObjBuilder*, mongo::StringData) /home/jdelaney/mongo/src/mongo/scripting/mozjs/valuewriter.cpp:172
    #4 0x250050f in mongo::mozjs::ObjectWrapper::_writeField(mongo::BSONObjBuilder*, mongo::mozjs::ObjectWrapper::Key, mongo::BSONObj*) /home/jdelaney/mongo/src/mongo/scripting/mozjs/objectwrapper.cpp:381
    #5 0x2501439 in mongo::mozjs::ObjectWrapper::writeThis(mongo::BSONObjBuilder*) /home/jdelaney/mongo/src/mongo/scripting/mozjs/objectwrapper.cpp:352
    #6 0x251acdb in mongo::mozjs::ValueWriter::toBSON() /home/jdelaney/mongo/src/mongo/scripting/mozjs/valuewriter.cpp:102
    #7 0x24f9be0 in mongo::mozjs::ObjectInfo::Functions::bsonsize(JSContext*, JS::CallArgs) /home/jdelaney/mongo/src/mongo/scripting/mozjs/object.cpp:59
    #8 0x24fb190 in mongo::mozjs::ObjectInfo::Functions::WRAPPER_bsonsize(JSContext*, unsigned int, JS::Value*) /home/jdelaney/mongo/src/mongo/scripting/mozjs/object.h:44
    #9 0x2c901c5 in CallJSNative /home/jdelaney/mongo/src/third_party/mozjs-38/extract/js/src/jscntxtinlines.h:226
    #10 0x2c901c5 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /home/jdelaney/mongo/src/third_party/mozjs-38/extract/js/src/vm/Interpreter.cpp:498
    #11 0x2c78e89 in Interpret(JSContext*, js::RunState&) /home/jdelaney/mongo/src/third_party/mozjs-38/extract/js/src/vm/Interpreter.cpp:2602
    #12 0x2c8f82f in js::RunScript(JSContext*, js::RunState&) /home/jdelaney/mongo/src/third_party/mozjs-38/extract/js/src/vm/Interpreter.cpp:448
    #13 0x2c90075 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /home/jdelaney/mongo/src/third_party/mozjs-38/extract/js/src/vm/Interpreter.cpp:517
    #14 0x2c9345b in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) /home/jdelaney/mongo/src/third_party/mozjs-38/extract/js/src/vm/Interpreter.cpp:554
    #15 0x363f73a in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/jdelaney/mongo/src/third_party/mozjs-38/extract/js/src/jsapi.cpp:4216
    #16 0x24c288b in Call /home/jdelaney/mongo/src/third_party/mozjs-38/include/jsapi.h:3754
    #17 0x24c288b in mongo::mozjs::MozJSImplScope::invoke(unsigned long long, mongo::BSONObj const*, mongo::BSONObj const*, int, bool, bool, bool) /home/jdelaney/mongo/src/mongo/scripting/mozjs/implscope.cpp:525
    #18 0x250c773 in operator() /home/jdelaney/mongo/src/mongo/scripting/mozjs/proxyscope.cpp:190
    #19 0x250c773 in std::_Function_handler<void (), mongo::mozjs::MozJSProxyScope::invoke(unsigned long long, mongo::BSONObj const*, mongo::BSONObj const*, int, bool, bool, bool)::{lambda()#1}>::_M_invoke(std::_Any_data const&) /usr/include/c++/4.8/functional:2071
    #20 0x250cfd4 in std::function<void ()>::operator()() const /usr/include/c++/4.8/functional:2471
    #21 0x250cfd4 in mongo::mozjs::MozJSProxyScope::implThread() /home/jdelaney/mongo/src/mongo/scripting/mozjs/proxyscope.cpp:306
    #22 0x7f91d360ea3f (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xb1a3f)
    #23 0x7f91d3c85b97 (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x18b97)
    #24 0x7f91d2e2b181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)
    #25 0x7f91d2b5847c (/lib/x86_64-linux-gnu/libc.so.6+0xfa47c)
SUMMARY: AddressSanitizer: SEGV /home/jdelaney/mongo/src/mongo/bson/bsonobj.h:129 BSONObj
Thread T15 created by T14 here:
    #0 0x7f91d3c77b5b (/usr/lib/x86_64-linux-gnu/libasan.so.0+0xab5b)
    #1 0x7f91d360ec8e (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xb1c8e)
Thread T14 created by T0 here:
    #0 0x7f91d3c77b5b (/usr/lib/x86_64-linux-gnu/libasan.so.0+0xab5b)
    #1 0x258fdb2 in mongo::PortMessageServer::accepted(std::shared_ptr<mongo::Socket>, long long) /home/jdelaney/mongo/src/mongo/util/net/message_server_port.cpp:148
    #2 0x257ec26 in mongo::Listener::initAndListen() /home/jdelaney/mongo/src/mongo/util/net/listen.cpp:351
    #3 0x9bcc44 in _initAndListen /home/jdelaney/mongo/src/mongo/db/db.cpp:587
    #4 0x9bcc44 in mongo::initAndListen(int) /home/jdelaney/mongo/src/mongo/db/db.cpp:592
    #5 0x92b966 in mongoDbMain /home/jdelaney/mongo/src/mongo/db/db.cpp:822
    #6 0x92b966 in main /home/jdelaney/mongo/src/mongo/db/db.cpp:637
    #7 0x7f91d2a7fec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
==4976== ABORTING

In ObjectWrapper::writeThis, originalBSON is being set to NULL when BSONInfo::originalBSON is called.

Does not affect 3.0.x

Assignee:: Mira Carey

Reporter:: J Delaney

Participants:: Githook User, J Delaney, Mira Carey

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: Jul 24 2015 10:03:46 PM UTC

Updated:: Sep 19 2015 12:08:01 AM UTC

Resolved:: Jul 28 2015 10:34:43 PM UTC

Details

Description

Attachments

Activity

People

Dates