[SERVER-11099] clang compiled mongo shell crashes on exit with a stack trace in v8 Created: 09/Oct/13  Updated: 11/Jul/16  Resolved: 18/Oct/13

Status: Closed
Project: Core Server
Component/s: Shell
Affects Version/s: None
Fix Version/s: 2.4.9, 2.5.4

Type: Bug Priority: Major - P3
Reporter: Andrew Morrow (Inactive) Assignee: Andrew Morrow (Inactive)
Resolution: Done Votes: 0
Labels: shell
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

So far, only observed on OS X using XCode 5 (which is clang).


Issue Links:
Duplicate
duplicates SERVER-10483 v8 segfaults and prints stack trace w... Closed
is duplicated by SERVER-11671 Bad stored Javascript causes db.eval(... Closed
is duplicated by SERVER-11899 Invalid access at address: 0x10 from ... Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Participants:

Description

A mongo shell built with --dbg=on --opt=on dies with the following stack trace on exit:

./mongo ./jstests/and.js
MongoDB shell version: 2.5.3-pre-
connecting to: test
XXX ACM printing on last line of js file
mongo got signal 11 (Segmentation fault: 11), stack trace:
0x10c560640 0x10c3eaacc 0x7fff8c13f90a 0x181d05f11249 0x10c6a305f 0x10c7f5b96 0x10c7f59be 0x10c4e8164 0x10c4e803f 0x10c3ef9e6 0x10c3f0abf 0x7fff8d8e07e1
 0   mongo                               0x000000010c560640 _ZN5mongo15printStackTraceERSo + 64
 1   mongo                               0x000000010c3eaacc _Z12quitAbruptlyi + 348
 2   libsystem_c.dylib                   0x00007fff8c13f90a _sigtramp + 26
 3   ???                                 0x0000181d05f11249 0x0 + 26512932803145
 4   mongo                               0x000000010c6a305f _ZN2v88internal15DeoptimizerDataD2Ev + 143
 5   mongo                               0x000000010c7f5b96 _ZN2v88internal7Isolate6DeinitEv + 134
 6   mongo                               0x000000010c7f59be _ZN2v88internal7Isolate8TearDownEv + 110
 7   mongo                               0x000000010c4e8164 _ZN5mongo7V8ScopeD2Ev + 244
 8   mongo                               0x000000010c4e803f _ZN5mongo7V8ScopeD0Ev + 15
 9   mongo                               0x000000010c3ef9e6 _Z5_mainiPPcS0_ + 13142
 10  mongo                               0x000000010c3f0abf main + 95
 11  libdyld.dylib                       0x00007fff8d8e07e1 start + 0

The 'XXX' line was added to the test as the last print in the function to confirm that this was after evaluating the file.



Comments
Comment by Githook User [ 02/Dec/13 ]

Author: Andrew Morrow (acmorrow, acm@10gen.com)

Message: SERVER-11099 Partial cherry-pick from upstream v8 to fix UB related mongo shell crash

This is a backport of the portion of https://github.com/v8/v8/commit/b3775cf3
relevant to our vendored version of v8. Please see that commit for more
details on the nature of the undefined behavior and how this change fixes it.

This will repair the issue with the mongo shell crashing on shutdown
when compiled with clang-3.3 or newer.

(cherry picked from commit 670c981819ed1512b9f623d3879901dda606ed20)
Branch: v2.4
https://github.com/mongodb/mongo/commit/77dc6ecf84ef6020ae195e142780369b05533cdf

Comment by auto [ 18/Oct/13 ]

Author: Andrew Morrow (acmorrow, acm@10gen.com)

Message: SERVER-11099 Partial cherry-pick from upstream v8 to fix UB related mongo shell crash

This is a backport of the portion of https://github.com/v8/v8/commit/b3775cf3
relevant to our vendored version of v8. Please see that commit for more
details on the nature of the undefined behavior and how this change fixes it.

This will repair the issue with the mongo shell crashing on shutdown
when compiled with clang-3.3 or newer.
Branch: master
https://github.com/mongodb/mongo/commit/670c981819ed1512b9f623d3879901dda606ed20

Comment by Andrew Morrow (Inactive) [ 16/Oct/13 ]

The relevant fix has been applied on the v8 master branch: https://code.google.com/p/v8/source/browse/trunk/src/spaces.h#325

This was v8 git commit b3775cf3. We should probably cherry pick this fix to our v8 tree.

I recommend we do this for 2.5.4, otherwise developers on OS X using newer XCode will never be able to test 2.6.
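Both traces above end in Space::identity() faulting on address 0x10 while DeoptimizerData is torn down, which is the signature of a member function invoked through a null object pointer. The following C++ model is an added example, not V8's or MongoDB's code; the struct names, the field layout and the ownerless chunk are assumptions chosen to reproduce that fault offset, and show the call-site null check that avoids it.

```cpp
// Model of the teardown path in the ticket's traces (assumed layout):
// ~DeoptimizerData -> MemoryAllocator::Free(chunk) -> chunk->owner()->identity().
#include <cstddef>
#include <vector>

enum AllocationSpace { NEW_SPACE = 0, OLD_POINTER_SPACE = 1, CODE_SPACE = 3, INVALID_SPACE = -1 };

struct Heap;
struct Space {
    virtual ~Space() {}
    Heap* heap_;            // offset 8 on LP64, after the vtable pointer
    AllocationSpace id_;    // offset 16 == 0x10: the faulting address in the ASan trace
    explicit Space(AllocationSpace id) : heap_(nullptr), id_(id) {}
    AllocationSpace identity() const { return id_; }
};

struct MemoryChunk {
    Space* owner_;  // assumed: may be null for a chunk that belongs to no space
};

// Offset of id_ inside a live Space object; null plus this offset is what an
// unchecked identity() call reads, hence "SEGV on unknown address 0x10".
std::ptrdiff_t identity_field_offset() {
    Space s(CODE_SPACE);
    return reinterpret_cast<const char*>(&s.id_) - reinterpret_cast<const char*>(&s);
}

// Buggy shape: member call through a possibly-null pointer. With a null owner
// this is undefined behaviour; clang 3.3+ assumes `this` is non-null, so a
// null test inside identity() would be optimised away and the load faults.
// Never invoked with a null owner in this example.
AllocationSpace free_chunk_unchecked(const MemoryChunk* chunk) {
    return chunk->owner_->identity();
}

// Fixed shape: test the pointer at the call site, before any member call.
AllocationSpace free_chunk_checked(const MemoryChunk* chunk) {
    if (chunk->owner_ == nullptr) return INVALID_SPACE;
    return chunk->owner_->identity();
}

// Teardown over a chunk table that contains an ownerless entry.
// Returns how many chunks reported a real space.
int teardown(const std::vector<MemoryChunk>& chunks) {
    int owned = 0;
    for (const MemoryChunk& c : chunks)
        if (free_chunk_checked(&c) != INVALID_SPACE) ++owned;
    return owned;
}
```

Building with -fsanitize=address, as the scons line in the 10/Oct comment does, reports the unchecked variant at the first null owner instead of leaving it to the optimiser's whims.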

Comment by Andrew Morrow (Inactive) [ 10/Oct/13 ]

Built as follows:

SCONS_VERSION=2.3.0 ../scons-multi/scons --cache --opt=on --dbg=on --sanitize=address --allocator=system --cc=/usr/bin/clang --cxx=/usr/bin/clang++ -j30 ./mongo ./mongod

Comment by Mathias Stearn [ 10/Oct/13 ]

acm Was that with --opt=on or --opt=off?

Comment by Andrew Morrow (Inactive) [ 10/Oct/13 ]

I repro'd on Ubuntu Raring with the clang nightlies installed. Running under address sanitizer gives us:

 % ./mongo jstests/and.js 2>&1 | asan_symbolize
MongoDB shell version: 2.5.3-pre-
connecting to: test
ASAN:SIGSEGV
=================================================================
==25130==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x00000180d85a sp 0x7fff793c1be0 bp 0x7fff793c1c40 T0)
AddressSanitizer can not provide additional info.
    #0 0x180d859 in _ZN2v88internal5Space8identityEv /home/andrew/Documents/10gen/dev/src/mongodb/src/third_party/v8/src/spaces.h:772
    #1 0xf2369b in ~DeoptimizerData /home/andrew/Documents/10gen/dev/src/mongodb/src/third_party/v8/src/deoptimizer.cc:55
    #2 0x129821b in _ZN2v88internal7Isolate6DeinitEv /home/andrew/Documents/10gen/dev/src/mongodb/src/third_party/v8/src/isolate.cc:1603
    #3 0x1297ce3 in _ZN2v88internal7Isolate8TearDownEv /home/andrew/Documents/10gen/dev/src/mongodb/src/third_party/v8/src/isolate.cc:1572
    #4 0xa007f1 in ~IsolateHolder /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/scripting/engine_v8.h:441
    #5 0xa004ee in ~V8Scope /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/scripting/engine_v8.cpp:536
    #6 0x663ecf in ~auto_ptr /usr/bin/../lib/gcc/x86_64-linux-gnu/4.7/../../../../include/c++/4.7/backward/auto_ptr.h:170
    #7 0x66ae01 in main /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/shell/dbshell.cpp:957
    #8 0x7f4ba33f6ea4 in __libc_start_main /build/buildd/eglibc-2.17/csu/libc-start.c:260
    #9 0x64f4cc in _start ??:?
==25130==ABORTING

Comment by Eric Milkie [ 09/Oct/13 ]

I was using the wrong command line parameters – it does reproduce; my mistake.

Comment by Eric Milkie [ 09/Oct/13 ]

I tried this on OS X Mavericks in C++11 mode and can't reproduce the crash.

Comment by Mathias Stearn [ 09/Oct/13 ]

./test js causes an easily reproducible segfault deep in V8's memory management code. Seems to only happen with clang and -opt=on (-dbg doesn't matter).
