[SERVER-11671] Bad stored Javascript causes db.eval() to segfault the server Created: 12/Nov/13  Updated: 07/Jan/15  Resolved: 06/Dec/13

Status: Closed
Project: Core Server
Component/s: JavaScript
Affects Version/s: 2.4.8
Fix Version/s: None

Type: Bug Priority: Blocker - P1
Reporter: Chris Heald Assignee: Unassigned
Resolution: Duplicate Votes: 0
Labels: crash
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

OSX Mavericks


Attachments: File js.tar.gz    
Issue Links:
Duplicate
duplicates SERVER-11099 clang compiled mongo shell crashes on... Closed
Operating System: OS X
Steps To Reproduce:

database.eval <<-EOF
  db.posts.find().forEach(function(obj) {
    db.posts.update({_id: obj._id}, {$set: {tiered_at: obj.post_date, tier: 0}})
  });
EOF

 Description   

Executing a db.eval() segfaults the server. We've been unable to replicate this on 2.4.3 on a Linux machine, and it seems to be related somehow to old data, as the same operation on a completely clean mongod install doesn't segfault.

The log mentions "map_heatmap" and "reduce_heatmap" functions, which don't appear in our code or collections (as far as we can tell). However, they show up via mongodump.

Tue Nov 12 18:17:03.143 [initandlisten] connection accepted from 127.0.0.1:53299 #6 (4 connections now open)
Tue Nov 12 18:17:03.144 [initandlisten] connection accepted from 127.0.0.1:53300 #7 (5 connections now open)
Tue Nov 12 18:17:03.145 [conn6] end connection 127.0.0.1:53299 (4 connections now open)
Tue Nov 12 18:17:03.247 [initandlisten] connection accepted from 127.0.0.1:53301 #8 (5 connections now open)
Tue Nov 12 18:17:03.248 [initandlisten] connection accepted from 127.0.0.1:53302 #9 (6 connections now open)
Tue Nov 12 18:17:03.248 [conn8] end connection 127.0.0.1:53301 (5 connections now open)
Tue Nov 12 18:17:04.029 [initandlisten] connection accepted from 127.0.0.1:53303 #10 (6 connections now open)
Tue Nov 12 18:17:04.043 [conn10] SyntaxError: Unexpected end of input
Tue Nov 12 18:17:04.043 [conn10] unable to load stored JavaScript function map_heatmap(): SyntaxError: Unexpected end of input
Tue Nov 12 18:17:04.043 [conn10] SyntaxError: Unexpected end of input
Tue Nov 12 18:17:04.043 [conn10] unable to load stored JavaScript function reduce_heatmap(): SyntaxError: Unexpected end of input
Tue Nov 12 18:17:04.145 Invalid access at address: 0x10 from thread: conn10

Tue Nov 12 18:17:04.145 Got signal: 11 (Segmentation fault: 11).

Tue Nov 12 18:17:04.149 Backtrace:
0x10c6b39e0 0x10c1c427d 0x10c1c45b8 0x7fff8d9e65aa 0x1f6df0f6dac1 0x10c7e6097 0x10c8b3699 0x10c8b3501 0x10c66d5cb 0x10c66d48f 0x10c66836a 0x10c6677cf 0x10c35d4d4 0x10c35d8cc 0x10c33d055 0x10c33e013 0x10c33edf6 0x10c45304d 0x10c459468 0x10c3f692a
0 mongod 0x000000010c6b39e0 _ZN5mongo15printStackTraceERSo + 64
1 mongod 0x000000010c1c427d _ZN5mongo10abruptQuitEi + 397
2 mongod 0x000000010c1c45b8 _ZN5mongo24abruptQuitWithAddrSignalEiP9__siginfoPv + 344
3 libsystem_platform.dylib 0x00007fff8d9e65aa _sigtramp + 26
4 ??? 0x00001f6df0f6dac1 0x0 + 34557054606017
5 mongod 0x000000010c7e6097 _ZN2v88internal15DeoptimizerDataD1Ev + 55
6 mongod 0x000000010c8b3699 _ZN2v88internal7Isolate6DeinitEv + 105
7 mongod 0x000000010c8b3501 _ZN2v88internal7Isolate8TearDownEv + 81
8 mongod 0x000000010c66d5cb _ZN5mongo7V8ScopeD2Ev + 267
9 mongod 0x000000010c66d48f _ZN5mongo7V8ScopeD0Ev + 15
10 mongod 0x000000010c66836a _ZN5mongo11PooledScopeD2Ev + 842
11 mongod 0x000000010c6677cf _ZN5mongo11PooledScopeD0Ev + 15
12 mongod 0x000000010c35d4d4 _ZN5mongo6dbEvalERKSsRNS_7BSONObjERNS_14BSONObjBuilderERSs + 1812
13 mongod 0x000000010c35d8cc _ZN5mongo7CmdEval3runERKSsRNS_7BSONObjEiRSsRNS_14BSONObjBuilderEb + 172
14 mongod 0x000000010c33d055 _ZN5mongo12_execCommandEPNS_7CommandERKSsRNS_7BSONObjEiRSsRNS_14BSONObjBuilderEb + 37
15 mongod 0x000000010c33e013 _ZN5mongo7Command11execCommandEPS0_RNS_6ClientEiPKcRNS_7BSONObjERNS_14BSONObjBuilderEb + 2915
16 mongod 0x000000010c33edf6 _ZN5mongo12_runCommandsEPKcRNS_7BSONObjERNS_11_BufBuilderINS_16TrivialAllocatorEEERNS_14BSONObjBuilderEbi + 886
17 mongod 0x000000010c45304d _ZN5mongo11runCommandsEPKcRNS_7BSONObjERNS_5CurOpERNS_11_BufBuilderINS_16TrivialAllocatorEEERNS_14BSONObjBuilderEbi + 45
18 mongod 0x000000010c459468 _ZN5mongo8runQueryERNS_7MessageERNS_12QueryMessageERNS_5CurOpES1_ + 1112
19 mongod 0x000000010c3f692a _ZN5mongo16assembleResponseERNS_7MessageERNS_10DbResponseERKNS_11HostAndPortE + 1338

Querying db.system.js.find() results in:

follow:PRIMARY> db.system.js.find()
{ "_id" : "debug", "value" : function (p)

{ print(p); }

}
Tue Nov 12 16:48:29.474 JavaScript execution failed: SyntaxError: Unexpected end of input
Error: 16722 JavaScript execution failed: SyntaxError: Unexpected end of input
follow:PRIMARY>

See the attached js.tar.gz for mongodumps of the system.js collection in question.

Attempting to remove the functions in question from the collection failed - it seems that the syntax errors prevent mongo from doing anything with them, and then eval just trashes the whole daemon when it tries to interpret them.



 Comments   
Comment by Daniel Pasette (Inactive) [ 06/Dec/13 ]

The fix for SERVER-11099 has been backported to 2.4.9-pre.

Comment by Andrew Morrow (Inactive) [ 13/Nov/13 ]

Chris -

The v8 fix has been applied for the 2.5 development series, but it is not in 2.4. The best workaround for 2.4 on Mavericks is to build mongodb with GCC rather than clang.

Comment by Chris Heald [ 13/Nov/13 ]

Looks like that's a likely culprit. Looks like we can close this one.

Comment by Andrew Morrow (Inactive) [ 13/Nov/13 ]

Hi Chris -

This is almost certainly due to SERVER-11099.

Comment by Chris Heald [ 12/Nov/13 ]

I pasted the wrong bit into "steps to reproduce".

You just mongoimport the system.js collection, then attempt to run a db.eval against that database. The server will crash when it attempts to load that stored JS.
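Added example, not part of the ticket or MongoDB's own code: a Node.js check that compiles each function in a system.js export without ever calling it, so entries that fail to parse (as map_heatmap and reduce_heatmap do in the log above) are identified before the collection is imported. The export layout (one JSON document per line, code stored under `$code`) and the truncated function bodies are constructed for illustration; `checkSource`, `auditSystemJs` and `brokenFunctions` are hypothetical names.

```javascript
// Constructed sample export: only the _id names come from the ticket,
// the function bodies are made up and two are deliberately cut short.
const SAMPLE_EXPORT = [
  '{"_id":"debug","value":{"$code":"function (p) { print(p); }"}}',
  '{"_id":"map_heatmap","value":{"$code":"function () { emit(this.x, {count: 1"}}',
  '{"_id":"reduce_heatmap","value":{"$code":"function (k, vals) { vals.forEach(function (v) {"}}',
  '{"_id":"not_code","value":42}',
].join("\n");

// Parse and compile a stored function's source. The compiled wrapper is
// discarded and never invoked, so the stored code itself does not run.
function checkSource(src) {
  try {
    new Function("return (" + src + "\n);");
    return { ok: true };
  } catch (e) {
    return { ok: false, error: e.name + ": " + e.message };
  }
}

// Classify every document in the export: ok, syntax-error, not-code, bad-json.
function auditSystemJs(exportText) {
  const report = [];
  for (const line of exportText.split("\n")) {
    if (!line.trim()) continue;
    let doc;
    try {
      doc = JSON.parse(line);
    } catch (e) {
      report.push({ id: null, status: "bad-json", detail: e.message });
      continue;
    }
    const v = doc.value;
    const isCode = v !== null && typeof v === "object" && typeof v.$code === "string";
    if (!isCode) {
      report.push({ id: doc._id, status: "not-code" });
      continue;
    }
    const r = checkSource(v.$code);
    report.push(r.ok
      ? { id: doc._id, status: "ok" }
      : { id: doc._id, status: "syntax-error", detail: r.error });
  }
  return report;
}

// Names of stored functions that would fail to load on the server.
function brokenFunctions(report) {
  return report.filter((r) => r.status === "syntax-error").map((r) => r.id);
}
```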
