Core Server / SERVER-7751

V8 crash in shell with "DB._v8_function" or autocomplete on "DB._"


Details

    • Bug
    • Resolution: Done
    • Major - P3
    • 2.3.2
    • None
    • JavaScript, Shell
    • None
    • Crashes in debug and release builds on Linux, Windows & Mac
    • ALL

    Description

      Our V8 engine interface code creates a property named "_v8_function" pointing at C++ code, and this makes V8 crash if you try to display or examine this property. You can get the crash by typing "DB._v8_function<enter>" or "DB._<tab>" in the shell. The debug builds note that we have reached "unreachable code" at src\third_party\v8\src\code-stubs.cc, line 426 in the autocomplete case.

      DB._<tab>

      #
      # Fatal error in src\third_party\v8\src\code-stubs.cc, line 426
      # unreachable code
      #
       
       
      ==== Stack trace ============================================
       
      Security context: 0000000088006361 <JS Object>#0#
          1: /* anonymous */ [src/mongo/shell/utils.js:1398] (this=0000000088006479 <JS Global Object>#1#,prefix=00000000E0FEC979 <String[4]: DB._>)
          2: shellAutocomplete [src/mongo/shell/utils.js:1414] (this=0000000088006479 <JS Global Object>#1#,prefix=00000000E0FEC979 <String[4]: DB._>)
          3: _funcs1(aka callShellAutocomplete) [_funcs1:1] (this=0000000088006479 <JS Global Object>#1#,x=00000000E0FEC979 <String[4]: DB._>)
       
      ==== Details ================================================
       
      [1]: /* anonymous */ [src/mongo/shell/utils.js:1398] (this=0000000088006479 <JS Global Object>#1#,prefix=00000000E0FEC979 <String[4]: DB._>) {
        // stack-allocated locals
        var p = 00000000FDD1A929 <String[12]: _v8_function>
        var possibilities = 00000000E0FECDB9 <JS Array[16]>#2#
        var parts = 00000000E0FECA61 <JS Array[2]>#3#
        var curObj = 000000008802CCB9 <JS Function>#4#
        var global = 0000000088006479 <JS Global Object>#1#
        var completion = 00000000E0FED1C1 <String[15]: DB._v8_function>
        var lastPrefix = 00000000FDD1E2C9 <String[1]: _>
        var ret = 0000000088004121 <undefined>
        var lastPrefixLowercase = 00000000FDD1E2C9 <String[1]: _>
        var i = 7
        var beginning = 00000000E0FECB49 <String[3]: DB.>
        var noDuplicates = 00000000E0FECE69 <an Object>#5#
        // expression stack (top to bottom)
        [14] : 24
        [13] : 0
        [12] : 00000000E0F33379 <Foreign>#6#
      --------- s o u r c e   c o d e ---------
      function ( prefix ) {?var global = ( function() { return this; } ).call(); // trick to get global object??var curObj = global;?var parts = prefix.spli
      t( '.' );?for ( var p = 0; p < parts.length - 1; p++ ) { // doesn't include last part?curObj = curObj[parts[p]];?if ( curObj == null )?return [];?}??v
      ar lastPr...
       
      -----------------------------------------
      }
       
      [2]: shellAutocomplete [src/mongo/shell/utils.js:1414] (this=0000000088006479 <JS Global Object>#1#,prefix=00000000E0FEC979 <String[4]: DB._>) {
        // expression stack (top to bottom)
        [07] : 00000000E0FEC979 <String[4]: DB._>
        [06] : 0000000088006479 <JS Global Object>#1#
        [05] : 00000000E0F57941 <JS Function>#7#
      --------- s o u r c e   c o d e ---------
      function ( prefix ) {?try {?__autocomplete__ = worker( prefix ).sort();?} catch ( e ) {?print( "exception during autocomplete: " + tojson( e.message )
       );?__autocomplete__ = [];?}?}
      -----------------------------------------
      }
       
      [3]: _funcs1(aka callShellAutocomplete) [_funcs1:1] (this=0000000088006479 <JS Global Object>#1#,x=00000000E0FEC979 <String[4]: DB._>) {
        // expression stack (top to bottom)
        [02] : 00000000E0FEC979 <String[4]: DB._>
        [01] : 0000000088006479 <JS Global Object>#1#
        [00] : 00000000E0FE95C1 <JS Function callShellAutocomplete>#8#
      --------- s o u r c e   c o d e ---------
      function callShellAutocomplete(x) {shellAutocomplete(x)}
      -----------------------------------------
      }
       
      ==== Key         ============================================
       
       #0# 0000000088006361: 0000000088006361 <JS Object>
       #1# 0000000088006479: 0000000088006479 <JS Global Object>
       #2# 00000000E0FECDB9: 00000000E0FECDB9 <JS Array[16]>
                       0: 00000000FDD04451 <String[11]: constructor>
                       1: 00000000FDD04751 <String[9]: prototype>
                       2: 00000000FDD047F9 <String[8]: toString>
                       3: 00000000FDD04839 <String[7]: valueOf>
                       4: 00000000FDD0D331 <String[14]: toLocaleString>
                       5: 00000000FDD0D359 <String[14]: hasOwnProperty>
                       6: 00000000FDD0D3A9 <String[20]: propertyIsEnumerable>
                       7: 00000000FDD1A929 <String[12]: _v8_function>
                       8: 00000000FDD1FDC9 <String[11]: tsToSeconds>
                       9: 00000000FDD1E311 <String[12]: autocomplete>
                        ...
       #3# 00000000E0FECA61: 00000000E0FECA61 <JS Array[2]>
                       0: 00000000FDD1A989 <String[2]: DB>
                       1: 00000000FDD1E2C9 <String[1]: _>
       #4# 000000008802CCB9: 000000008802CCB9 <JS Function>
            _v8_function: 00000000E0F33379 <Foreign>#6#
       #5# 00000000E0FECE69: 00000000E0FECE69 <an Object>
       #6# 00000000E0F33379: 00000000E0F33379 <Foreign>
       #7# 00000000E0F57941: 00000000E0F57941 <JS Function>
       #8# 00000000E0FE95C1: 00000000E0FE95C1 <JS Function callShellAutocomplete>
      =====================

      DB._v8_function<enter>

      #
      # Fatal error in c:\users\tad\documents\visual studio 2010\projects\mongodev\src\third_party\v8\src\objects-inl.h, line 2244
      # CHECK(object->IsJSReceiver()) failed
      #
       
       
      ==== Stack trace ============================================
       
      Security context: 000000008EE06361 <JS Object>#0#
          1: DefaultString [native runtime.js:646] (this=000000008EE07401 <JS Object>#1#,a=00000000D8F33379 <Foreign>#2#)
          2: ToString [native runtime.js:555] (this=000000008EE07401 <JS Object>#1#,a=00000000D8F33379 <Foreign>#2#)
          6: shellPrintHelper [src/mongo/shell/utils.js:1302] (this=000000008EE06479 <JS Global Object>#3#,x=00000000D8F33379 <Foreign>#2#)
          7: /* anonymous */ [(shell2):1] (this=000000008EE06479 <JS Global Object>#3#)
       
      ==== Details ================================================
       
      [1]: DefaultString [native runtime.js:646] (this=000000008EE07401 <JS Object>#1#,a=00000000D8F33379 <Foreign>#2#) {
        // stack-allocated locals
        var e = 000000008EE04121 <undefined>
        var d = 000000008EE04121 <undefined>
        var b = 000000008EE04121 <undefined>
        var c = 000000008EE04121 <undefined>
        // expression stack (top to bottom)
        [05] : 00000000D0B047F9 <String[8]: toString>
        [04] : 00000000D8F33379 <Foreign>#2#
      --------- s o u r c e   c o d e ---------
      function DefaultString(a){?var b=a.toString;?if((%_ClassOf(b)==='Function')){?var c=%_CallFunction(a,b);?if(%IsPrimitive(c))return c;?}??var d=a.valueOf;?if((%_ClassOf(d)
      ==='Function')){?var e=%_CallFunction(a,d);?if(%IsPrimitive(e))return e;?}??throw %MakeTypeError('cannot_convert_to_primitive',[]);?}
      -----------------------------------------
      }
       
      [2]: ToString [native runtime.js:555] (this=000000008EE07401 <JS Object>#1#,a=00000000D8F33379 <Foreign>#2#) {
        // expression stack (top to bottom)
        [02] : 00000000D8F33379 <Foreign>#2#
        [01] : 000000008EE07401 <JS Object>#1#
        [00] : 000000008EE07401 <JS Object>#1#
      --------- s o u r c e   c o d e ---------
      function ToString(a){?if((typeof(a)==='string'))return a;?if((typeof(a)==='number'))return %_NumberToString(a);?if((typeof(a)==='boolean'))return a?'true':'false';?if((ty
      peof(a)==='undefined'))return'undefined';?return((a===null))?'null':%ToString(%DefaultString(a));?}
      -----------------------------------------
      }
       
      [6]: shellPrintHelper [src/mongo/shell/utils.js:1302] (this=000000008EE06479 <JS Global Object>#3#,x=00000000D8F33379 <Foreign>#2#) {
        // stack-allocated locals
        var err = 000000008EE04121 <undefined>
        var p = 000000008EE04121 <undefined>
        // expression stack (top to bottom)
        [04] : 000000008EE2C461 <JS Function>#4#
        [03] : 00000000D8F33379 <Foreign>#2#
        [02] : 000000008EE06479 <JS Global Object>#3#
      --------- s o u r c e   c o d e ---------
      function (x) {?if (typeof (x) == "undefined") {?// Make sure that we have a db var before we use it?// TODO: This implicit calling of GLE can cause subtle, hard to track
      issues - remove??if (__callLastError && typeof( db ) != "undefined" && db.getMongo ) {?__callLastError = false;?// explicit w:1 so that rep...
       
      -----------------------------------------
      }
       
      [7]: /* anonymous */ [(shell2):1] (this=000000008EE06479 <JS Global Object>#3#) {
        // stack-allocated locals
        var .result = 000000008EE04121 <undefined>
        // expression stack (top to bottom)
        [02] : 00000000D8F33379 <Foreign>#2#
        [01] : 000000008EE06479 <JS Global Object>#3#
      --------- s o u r c e   c o d e ---------
      shellPrintHelper( __lastres__ );
      -----------------------------------------
      }
       
      ==== Key         ============================================
       
       #0# 000000008EE06361: 000000008EE06361 <JS Object>
       #1# 000000008EE07401: 000000008EE07401 <JS Object>
       #2# 00000000D8F33379: 00000000D8F33379 <Foreign>
       #3# 000000008EE06479: 000000008EE06479 <JS Global Object>
       #4# 000000008EE2C461: 000000008EE2C461 <JS Function>
            _v8_function: 00000000D8F32179 <Foreign>#5#
       #5# 00000000D8F32179: 00000000D8F32179 <Foreign>
      =====================
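The autocomplete trace above stops with `p = "_v8_function"` and a `<Foreign>` value on the expression stack, meaning the completer read the value of the engine-internal property. The sketch below is an added example, not MongoDB's code or its fix: a completer that filters such names before reading any value. `INTERNAL_NAMES`, `completeNames` and `makeSampleRoot` are hypothetical names, and the sample object is constructed.

```javascript
// Added example, not MongoDB's code. INTERNAL_NAMES, completeNames and
// makeSampleRoot are hypothetical names chosen for illustration.
const INTERNAL_NAMES = new Set(["_v8_function"]);

// Collect own and inherited property names without touching any value.
function allPropertyNames(obj) {
  const names = new Set();
  for (let o = Object(obj); o !== null; o = Object.getPrototypeOf(o)) {
    for (const n of Object.getOwnPropertyNames(o)) names.add(n);
  }
  return names;
}

function completeNames(root, prefix) {
  const parts = prefix.split(".");
  let curObj = root;
  // Walk every part except the last; never step into an internal slot.
  for (let i = 0; i < parts.length - 1; i++) {
    if (INTERNAL_NAMES.has(parts[i])) return [];
    curObj = curObj[parts[i]];
    if (curObj == null) return [];
  }
  const last = parts[parts.length - 1];
  const beginning = parts.slice(0, -1).map((p) => p + ".").join("");
  const out = [];
  for (const name of allPropertyNames(curObj)) {
    if (!name.startsWith(last) || INTERNAL_NAMES.has(name)) continue;
    // The value is read only after the name has passed the filter above.
    let isFunction = false;
    try { isFunction = typeof curObj[name] === "function"; } catch (e) {}
    out.push(beginning + name + (isFunction ? "(" : ""));
  }
  return out.sort();
}

// Constructed stand-in for the shell's DB constructor: the getter counts
// reads, so a test can confirm the completer never dereferenced the slot.
function makeSampleRoot() {
  const probe = { reads: 0 };
  function DB() {}
  Object.defineProperty(DB, "_v8_function", {
    enumerable: true,
    get() { probe.reads += 1; return undefined; },
  });
  DB._helper = function () {};
  DB._version = "constructed";
  return { DB, probe };
}
```

A name filter in script only protects the completer; the `DB._v8_function<enter>` case reaches the value through the print path, so the property itself also has to be kept out of script-visible state on the C++ side.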

          People

            benjamin.becker Ben Becker
            tad Tad Marshall