[SERVER-11731] $where inside of projection $elemMatch causes segmentation fault Created: 15/Nov/13  Updated: 11/Jul/16  Resolved: 09/Dec/13

Status: Closed
Project: Core Server
Component/s: JavaScript
Affects Version/s: 2.4.8
Fix Version/s: 2.2.7, 2.4.9

Type: Bug Priority: Major - P3
Reporter: Luke Lovett Assignee: Matt Dannenberg
Resolution: Done Votes: 0
Labels: 26qa, nqf
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

> db.serverBuildInfo()

{ "version" : "2.4.8", "gitVersion" : "a350fc38922fbda2cec8d5dd842237b904eafc14", "sysInfo" : "Darwin bs-osx-106-x86-64-2.10gen.cc 10.8.0 Darwin Kernel Version 10.8.0: Tue Jun 7 16:32:41 PDT 2011; root:xnu-1504.15.3~1/RELEASE_X86_64 x86_64 BOOST_LIB_VERSION=1_49", "loaderFlags" : "-fPIC -pthread -rdynamic -m64", "compilerFlags" : "-Wnon-virtual-dtor -Woverloaded-virtual -fPIC -fno-strict-aliasing -ggdb -pthread -Wall -Wsign-compare -Wno-unknown-pragmas -Winvalid-pch -O3 -m64", "allocator" : "system", "versionArray" : [ 2, 4, 8, 0 ], "javascriptEngine" : "V8", "bits" : 64, "debug" : false, "maxBsonObjectSize" : 16777216, "ok" : 1 }

Attachments: File mongod-2.4.8.log.2013-11-15T19-35-34    
Issue Links:
Related
related to SERVER-10538 Passing $where predicate to db.curren... Closed
is related to SERVER-12439 $where in $elemMatch no longer valid ... Closed
Operating System: ALL
Steps To Reproduce:

1. Start mongod 2.4.8
2. Start a mongo shell
3. In the shell:

> db.c.find({},{a:{$elemMatch:{$where:"true"}}})

Participants:

 Description   
Issue Status as of December 30th, 2013

ISSUE SUMMARY
$where can cause a segfault when used inside an $elemMatch.

USER IMPACT
Mongod will crash with a stack trace showing an error in the mongo::Matcher::parseWhere method, similar to the following:

Fri Nov 15 19:34:35.259 Backtrace:
0x10044c60b 0x100001121 0x1000013a2 0x7fff979285aa 0 0x10021a733 0x10021d43b 0x10021dcb9 0x10021e657 0x10021c14e 0x10021d619 0x10021dcb9 0x1002b472a 0x1002b2628 0x1002a7464 0x1002dbcf2 0x100240b14 0x1001ee10f 0x10000b682 0x100441fd9 
 0   mongod                              0x000000010044c60b _ZN5mongo15printStackTraceERSo + 43
 1   mongod                              0x0000000100001121 _ZN5mongo10abruptQuitEi + 225
 2   mongod                              0x00000001000013a2 _ZN5mongo24abruptQuitWithAddrSignalEiP9__siginfoPv + 242
 3   libsystem_platform.dylib            0x00007fff979285aa _sigtramp + 26
 4   ???                                 0x0000000000000000 0x0 + 0
 5   mongod                              0x000000010021a733 _ZN5mongo7Matcher10parseWhereERKNS_11BSONElementE + 
...

SOLUTION
Mongod now returns the following error message when $where is used inside an $elemMatch:

no valid context found for $where

WORKAROUNDS
Users should avoid using $where inside an $elemMatch.

PATCHES
Production releases v2.4.9 and v2.2.7 contain the fix for this issue, and production release v2.6.0 will have a brand new query engine, which does not contain this bug.

Problem: mongod 2.4.8 crashes with a segmentation fault when doing a $where inside of a $elemMatch. This appears to be fixed in versions 2.5.x.

mongod log attached
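
The WORKAROUNDS advice above can be enforced in application code before a query or projection reaches an unpatched server. The following is an added example, not code from MongoDB or from this ticket; the function names are hypothetical, and treating a $where at any depth beneath an $elemMatch as unsafe is a conservative assumption.

```javascript
// Added example (not MongoDB code). Walks a query or projection document and
// reports every $where that sits anywhere beneath an $elemMatch.
// findWhereInElemMatch and assertNoWhereInElemMatch are hypothetical names.

function findWhereInElemMatch(doc, path = [], insideElemMatch = false, hits = []) {
  if (Array.isArray(doc)) {
    // $and / $or / $nor carry arrays of sub-documents; keep the index in the path.
    doc.forEach((item, i) =>
      findWhereInElemMatch(item, path.concat(String(i)), insideElemMatch, hits));
    return hits;
  }
  if (doc === null || typeof doc !== "object") {
    return hits; // scalars, strings, functions and undefined have nothing to walk
  }
  for (const [key, value] of Object.entries(doc)) {
    const here = path.concat(key);
    if (key === "$where" && insideElemMatch) {
      hits.push(here.join("."));
      continue; // the value is JavaScript source, not a sub-document
    }
    // Once below an $elemMatch, every deeper level stays flagged.
    findWhereInElemMatch(value, here, insideElemMatch || key === "$elemMatch", hits);
  }
  return hits;
}

// Guard to call before db.collection.find(query, projection).
function assertNoWhereInElemMatch(query, projection) {
  const hits = [
    ...findWhereInElemMatch(query).map((p) => "query:" + p),
    ...findWhereInElemMatch(projection).map((p) => "projection:" + p),
  ];
  if (hits.length > 0) {
    throw new Error("$where inside $elemMatch rejected at " + hits.join(", "));
  }
}

// Projection from "Steps To Reproduce" in this ticket.
const reportedProjection = { a: { $elemMatch: { $where: "true" } } };
// Constructed samples: $where reached through $or, and a top-level $where.
const nestedSample = { a: { $elemMatch: { $or: [{ b: 1 }, { $where: "true" }] } } };
const topLevelSample = { $where: "this.a.length > 0", b: { $elemMatch: { c: 1 } } };

console.log(findWhereInElemMatch(reportedProjection));
console.log(findWhereInElemMatch(nestedSample));
console.log(findWhereInElemMatch(topLevelSample));
```

A top-level $where is not flagged, because the ticket only concerns $where nested inside $elemMatch.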



 Comments   
Comment by Githook User [ 09/Dec/13 ]

Author: matt dannenberg (dannenberg) <matt.dannenberg@10gen.com>

Message: SERVER-10538 SERVER-11731 change segfault to uassert on improper use of $where
Branch: v2.2
https://github.com/mongodb/mongo/commit/9c9bbd9eeb0978023c599e714d33e004fa94b5c8

Comment by Githook User [ 09/Dec/13 ]

Author: matt dannenberg (dannenberg) <matt.dannenberg@10gen.com>

Message: SERVER-10538 SERVER-11731 change segfault to uassert on improper use of $where
Branch: v2.4
https://github.com/mongodb/mongo/commit/77a74780a02b25a250888077e2b700409e3c50a9
