[SERVER-11781] Crash when converting deeply-nested or cyclical JS objects to BSON Created: 19/Nov/13  Updated: 28/Oct/15  Resolved: 14/Feb/14

Status: Closed
Project: Core Server
Component/s: JavaScript, MapReduce
Affects Version/s: 2.4.6
Fix Version/s: 2.6.0-rc0

Type: Bug Priority: Major - P3
Reporter: dave galos Assignee: Mathias Stearn
Resolution: Done Votes: 0
Labels: crash
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: unix

Backwards Compatibility: Minor Change
Operating System: ALL
Steps To Reproduce:

1. Create a collection with documents something like:

{
    _id: ObjectId("..."),
    data: {
        "some": "kind of",
        "trivial": "data"
    },
    document: DBRef("otherCollection", ObjectId("..."))
}

2. Insert a reasonable number of them:
> db.audit.count()
4002

3. Simple query:

db.audit.group({
    keyf: function(doc){ return {doc: doc.document} },
    cond: {},
    reduce: function(c, r){ r.audits.push(r) },
    initial: {audits: []}})

4. Watch as mongod segfaults.

Description

Original Title: Group query crashes mongo server

Bad group query crashes mongo server

backtrace:

#0 0x0000000000f95f91 in v8::internal::GetKeysInFixedArrayFor(v8::internal::Handle<v8::internal::JSReceiver>, v8::internal::KeyCollectionType, bool*) ()
#1 0x0000000000ef56b3 in v8::Object::GetOwnPropertyNames() ()
#2 0x0000000000d7f3c1 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
#3 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#4 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#5 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
#6 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#7 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#8 0x0000000000d80cb6 in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#9 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
#10 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#11 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#12 0x0000000000d80cb6 in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#13 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
#14 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#15 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#16 0x0000000000d80cb6 in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#17 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
#18 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#19 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#20 0x0000000000d80cb6 in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#21 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
#22 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#23 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#24 0x0000000000d80cb6 in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#25 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
#26 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#27 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#28 0x0000000000d80cb6 in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#29 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
#30 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#31 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#32 0x0000000000d80cb6 in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#33 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
#34 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#35 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#36 0x0000000000d80cb6 in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#37 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
#38 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#39 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#40 0x0000000000d80cb6 in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#41 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
#42 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#43 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#44 0x0000000000d80cb6 in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#45 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
#46 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()

......

#2167 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#2168 0x0000000000d80cb6 in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#2169 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
#2170 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#2171 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#2172 0x0000000000d80cb6 in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#2173 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
#2174 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#2175 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#2176 0x0000000000d80cb6 in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#2177 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
#2178 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#2179 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#2180 0x0000000000d80cb6 in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#2181 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
#2182 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#2183 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#2184 0x0000000000d80cb6 in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#2185 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
#2186 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#2187 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#2188 0x0000000000d80cb6 in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#2189 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
#2190 0x0000000000d8038f in mongo::V8Scope::v8ToMongoObject(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#2191 0x0000000000d810be in mongo::V8Scope::v8ToMongoElement(mongo::BSONObjBuilder&, mongo::StringData const&, v8::Handle<v8::Value>, int, mongo::BSONObj*) ()
#2192 0x0000000000d7f4e9 in mongo::V8Scope::v8ToMongo(v8::Handle<v8::Object>, int) ()
#2193 0x0000000000d8192e in mongo::V8Scope::getObject(char const*) ()
#2194 0x0000000000d6faf1 in mongo::PooledScope::getObject(char const*) ()
#2195 0x000000000086f86b in mongo::GroupCommand::group(std::string const&, std::string const&, mongo::BSONObj const&, mongo::BSONObj, std::string const&, std::string const&, char const*, mongo::BSONObj, std::string const&, std::string&, mongo::BSONObjBuilder&) ()
#2196 0x00000000008716c0 in mongo::GroupCommand::run(std::string const&, mongo::BSONObj&, int, std::string&, mongo::BSONObjBuilder&, bool) ()
#2197 0x00000000008d78ca in mongo::_execCommand(mongo::Command*, std::string const&, mongo::BSONObj&, int, std::string&, mongo::BSONObjBuilder&, bool) ()
#2198 0x00000000008d9a02 in mongo::Command::execCommand(mongo::Command*, mongo::Client&, int, char const*, mongo::BSONObj&, mongo::BSONObjBuilder&, bool) ()
#2199 0x00000000008daa72 in mongo::_runCommands(char const*, mongo::BSONObj&, mongo::_BufBuilder<mongo::TrivialAllocator>&, mongo::BSONObjBuilder&, bool, int) ()
#2200 0x0000000000a80970 in mongo::runCommands(char const*, mongo::BSONObj&, mongo::CurOp&, mongo::_BufBuilder<mongo::TrivialAllocator>&, mongo::BSONObjBuilder&, bool, int) ()
#2201 0x0000000000a8523c in mongo::runQuery(mongo::Message&, mongo::QueryMessage&, mongo::CurOp&, mongo::Message&) ()
#2202 0x00000000009f9079 in ?? ()
#2203 0x00000000009fa5a3 in mongo::assembleResponse(mongo::Message&, mongo::DbResponse&, mongo::HostAndPort const&) ()
#2204 0x00000000006e8b88 in mongo::MyMessageHandler::process(mongo::Message&, mongo::AbstractMessagingPort*, mongo::LastError*) ()
#2205 0x0000000000dca34e in mongo::PortMessageServer::handleIncomingMsg(void*) ()
#2206 0x00007ffff7bc6e0e in start_thread (arg=0x7fffea756700) at pthread_create.c:311
#2207 0x00007ffff6edc9ed in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113



Comments
Comment by Githook User [ 14/Feb/14 ]

Author: Mathias Stearn (RedBeard0531, mathias@10gen.com)

Message: SERVER-11781 Lower JS to BSON depth limit to 150
Branch: master
https://github.com/mongodb/mongo/commit/47fd56c4e5c5d84e60c9501305f9b680c8c828cf

Comment by Githook User [ 26/Nov/13 ]

Author: Mathias Stearn (RedBeard0531, mathias@10gen.com)

Message: SERVER-11781 temporarily disable depth_limit.js
Branch: master
https://github.com/mongodb/mongo/commit/1ee023824d669de56c8223f6e3da5a10e6274f2c

Comment by Githook User [ 22/Nov/13 ]

Author: Mathias Stearn (RedBeard0531, mathias@10gen.com)

Message: SERVER-11781 better fix for V8Scope::objectDeptLimit linker error
Branch: master
https://github.com/mongodb/mongo/commit/0b4202bb531dbdccd87215396ccb3726f55c1421

Comment by Githook User [ 22/Nov/13 ]

Author: Mathias Stearn (RedBeard0531, mathias@10gen.com)

Message: SERVER-11781 Use enum hack to avoid need to assign storage to static constant
Branch: master
https://github.com/mongodb/mongo/commit/50ce8f67dbea91a0f8f471021c1432dfc7452a62

Comment by Githook User [ 22/Nov/13 ]

Author: Mathias Stearn (RedBeard0531, mathias@10gen.com)

Message: SERVER-11781 Don't crash when converting deeply nested or cyclical JS objects to BSON
Branch: master
https://github.com/mongodb/mongo/commit/7669448d1a41e0e9ef6237926c0173949b5d9868

Comment by Mathias Stearn [ 20/Nov/13 ]

Updating title to reflect underlying issue

Comment by Mathias Stearn [ 19/Nov/13 ]

The root issue here is that your reduce function is creating a circular data structure, which can't be correctly serialized to BSON, which only supports tree structures. I think this is due to a typo:

The current function is:

function(c, r){ r.audits.push(r) }

But I think you meant:

function(c, r){ r.audits.push(c) }

While that will solve your problem, we do need to fix our code to not crash (stack overflow) or infinite loop in this case.
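As an added example, not code from the ticket or from MongoDB: a JS-object-to-BSON-tree walk that applies the 150-level depth limit the fix chose and, as an extra, an ancestor-path check that names the cycle the reporter's reduce creates instead of recursing until the stack overflows. The names (toBsonTree, runGroup, nestedFailure) and the sample documents are constructed for this example.

```javascript
// Added example (not MongoDB's code): converts a JS object graph into a plain
// tree a BSON encoder can walk, failing cleanly on the two inputs this ticket
// is about. DEPTH_LIMIT mirrors the 150 chosen in the fix; the ancestor-path
// check is an extra that reports cycles explicitly.
const DEPTH_LIMIT = 150;

// Returns a plain tree (objects/arrays/scalars) or throws. `path` holds the
// objects on the current descent, so a reference back to an ancestor (a true
// cycle) is distinguished from a child shared by siblings (a DAG), which BSON
// can represent by duplicating the subtree.
function toBsonTree(value, depth = 0, path = new Set()) {
  if (value === null || typeof value !== 'object') return value;  // scalar leaf
  if (depth > DEPTH_LIMIT) {
    throw new Error(`object nesting exceeds depth limit of ${DEPTH_LIMIT}`);
  }
  if (path.has(value)) {
    throw new Error('cyclical object graph cannot be serialized to BSON');
  }
  path.add(value);
  const out = Array.isArray(value) ? [] : {};
  for (const key of Object.keys(value)) {
    out[key] = toBsonTree(value[key], depth + 1, path);
  }
  path.delete(value);  // leaving this subtree; a sibling may legitimately share it
  return out;
}

// The reduce as posted in the ticket (pushes the accumulator into itself)
// and the corrected one from the comment (pushes the current document).
function reduceBuggy(c, r) { r.audits.push(r); }
function reduceFixed(c, r) { r.audits.push(c); }

// Runs one reduce over constructed documents and returns the serialization
// error message, or null when the accumulator is a valid tree.
function runGroup(reduce) {
  const docs = [{ _id: 1, document: 'a' }, { _id: 2, document: 'b' }];  // constructed
  const acc = { audits: [] };
  for (const d of docs) reduce(d, acc);
  try { toBsonTree(acc); return null; } catch (e) { return e.message; }
}

// Non-cyclic but nested deeper than the limit: rejected rather than overflowing.
function nestedFailure(levels) {
  let v = 0;
  for (let i = 0; i < levels; i++) v = { v };
  try { toBsonTree(v); return null; } catch (e) { return e.message; }
}
```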
