Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Done
Priority: Major - P3
Fix Version/s: 3.3.2
Affects Version/s: None
Component/s: JavaScript
Labels:
- undefined-sanitizer

Backwards Compatibility:
Fully Compatible
Operating System:
ALL
Steps To Reproduce:

Hide

Run jstests/core/bulk_insert.js under a ubsan instrumented mongod

Show
Run jstests/core/bulk_insert.js under a ubsan instrumented mongod
Sprint:
Platforms 11 (03/11/16)

If the double value casted here is not representable as an integer, the behavior is undefined:

https://github.com/mongodb/mongo/blob/1a74a81b6eb2ad4b3fdd30408b522826aa08610c/src/mongo/scripting/mozjs/valuewriter.cpp#L207

See https://www.securecoding.cert.org/confluence/display/c/FLP34-C.+Ensure+that+floating-point+conversions+are+within+range+of+the+new+type for additional details.

The relevant undefined behavior sanitizer stack trace is:

[js_test:bulk_insert] 2016-02-17T11:39:27.140-0500 (/home/andrew/Documents/10gen/dev/src/mongodb/mongo+0x99eb81): runtime error: value 1.45573e+12 is outside the range of representable values of type 'int'
[js_test:bulk_insert] 2016-02-17T11:39:27.142-0500     #0 0xbdaf6c in mongo::mozjs::ValueWriter::writeThis(mongo::BSONObjBuilder*, mongo::StringData, mongo::mozjs::LifetimeStack<mongo::mozjs::ObjectWrapper::WriteFieldRecursionFrame, 150ul>*) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/scripting/mozjs/valuewriter.cpp:207:39
[js_test:bulk_insert] 2016-02-17T11:39:27.143-0500     #1 0xbc87c9 in mongo::mozjs::ObjectWrapper::_writeField(mongo::BSONObjBuilder*, mongo::mozjs::ObjectWrapper::Key, mongo::mozjs::LifetimeStack<mongo::mozjs::ObjectWrapper::WriteFieldRecursionFrame, 150ul>*, mongo::BSONObj*) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/scripting/mozjs/objectwrapper.cpp:568:5
[js_test:bulk_insert] 2016-02-17T11:39:27.143-0500     #2 0xbc8216 in mongo::mozjs::ObjectWrapper::toBSON() /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/scripting/mozjs/objectwrapper.cpp:522:13
[js_test:bulk_insert] 2016-02-17T11:39:27.143-0500     #3 0xbc0192 in mongo::mozjs::NativeFunctionInfo::call(JSContext*, JS::CallArgs) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/scripting/mozjs/nativefunction.cpp:85:33
[js_test:bulk_insert] 2016-02-17T11:39:27.146-0500     #4 0xbaa550 in bool mongo::mozjs::smUtils::call<mongo::mozjs::NativeFunctionInfo>(JSContext*, unsigned int, JS::Value*) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/scripting/mozjs/wraptype.h:117:9
[js_test:bulk_insert] 2016-02-17T11:39:27.164-0500     #5 0xfcad7f in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /home/andrew/Documents/10gen/dev/src/mongodb/src/third_party/mozjs-38/extract/js/src/jscntxtinlines.h:226:15
[js_test:bulk_insert] 2016-02-17T11:39:27.164-0500     #6 0xf6b64a in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /home/andrew/Documents/10gen/dev/src/mongodb/src/third_party/mozjs-38/extract/js/src/vm/Interpreter.cpp:491:16
[js_test:bulk_insert] 2016-02-17T11:39:27.165-0500     #7 0xf852c2 in Interpret(JSContext*, js::RunState&) /home/andrew/Documents/10gen/dev/src/mongodb/src/third_party/mozjs-38/extract/js/src/vm/Interpreter.cpp:2602:18
[js_test:bulk_insert] 2016-02-17T11:39:27.166-0500     #8 0xf7a19c in js::RunScript(JSContext*, js::RunState&) /home/andrew/Documents/10gen/dev/src/mongodb/src/third_party/mozjs-38/extract/js/src/vm/Interpreter.cpp:448:12
[js_test:bulk_insert] 2016-02-17T11:39:27.167-0500     #9 0xf8efec in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) /home/andrew/Documents/10gen/dev/src/mongodb/src/third_party/mozjs-38/extract/js/src/vm/Interpreter.cpp:654:15
[js_test:bulk_insert] 2016-02-17T11:39:27.167-0500     #10 0xf8f343 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /home/andrew/Documents/10gen/dev/src/mongodb/src/third_party/mozjs-38/extract/js/src/vm/Interpreter.cpp:690:12
[js_test:bulk_insert] 2016-02-17T11:39:27.180-0500     #11 0x14452fc in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) /home/andrew/Documents/10gen/dev/src/mongodb/src/third_party/mozjs-38/extract/js/src/jsapi.cpp:3994:12
[js_test:bulk_insert] 2016-02-17T11:39:27.180-0500     #12 0xb9d1cf in mongo::mozjs::MozJSImplScope::exec(mongo::StringData, std::string const&, bool, bool, bool, int) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/scripting/mozjs/implscope.cpp:637:15
[js_test:bulk_insert] 2016-02-17T11:39:27.181-0500     #13 0xbd0eed in mongo::mozjs::MozJSProxyScope::exec(mongo::StringData, std::string const&, bool, bool, bool, int)::$_26::operator()() const /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/scripting/mozjs/proxyscope.cpp:223:15
[js_test:bulk_insert] 2016-02-17T11:39:27.181-0500     #14 0xbcaea2 in mongo::mozjs::MozJSProxyScope::implThread(void*) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/scripting/mozjs/proxyscope.cpp:348:13
[js_test:bulk_insert] 2016-02-17T11:39:27.182-0500     #15 0xb77e81 in nspr::Thread::ThreadRoutine(void*) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/scripting/mozjs/PosixNSPR.cpp:56:5
[js_test:bulk_insert] 2016-02-17T11:39:27.187-0500     #16 0x7f445017d02f  (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xb902f)
[js_test:bulk_insert] 2016-02-17T11:39:27.191-0500     #17 0x7f444fead6a9 in start_thread /build/buildd/glibc-2.21/nptl/pthread_create.c:333
[js_test:bulk_insert] 2016-02-17T11:39:27.221-0500     #18 0x7f444f9cbeec in clone /build/buildd/glibc-2.21/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109
[js_test:bulk_insert] 2016-02-17T11:39:27.221-0500

Assignee:: Samantha Ritter (Inactive)

Reporter:: Andrew Morrow (Inactive)

Participants:: Andrew Morrow, Githook User, Samantha Ritter

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: Feb 17 2016 04:13:51 PM UTC

Updated:: Apr 17 2017 10:02:37 PM UTC

Resolved:: Mar 10 2016 11:02:12 PM UTC

Details

Description

Attachments

Activity

People

Dates