[SERVER-13798] v8 garbage collection can cause crash due to independent lifetime of DBClient and Cursor objects
Created: 30/Apr/14  Updated: 11/Mar/15  Resolved: 15/May/14

Status: Closed
Project: Core Server
Component/s: JavaScript
Affects Version/s: 2.6.0
Fix Version/s: 2.6.4, 2.7.1

Type: Bug
Priority: Major - P3
Reporter: Matt Dannenberg
Assignee: Benety Goh
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: Text File server13798.patch    
Issue Links:
Duplicate
duplicates SERVER-14719 shell crash on find Closed
is duplicated by SERVER-13303 Crash during garbage collection Closed
Related
related to SERVER-13686 support V8 3.25 JavaScript scripting ... Closed
is related to SERVER-13091 remove old sync source code (via getm... Closed
Operating System: ALL
Sprint: Server 2.7.1

 Description   

To reproduce:

  • apply the attached patch.
  • run the multi version test suite

After applying the patch, it would be necessary to explicitly invoke gc() in the test script to prevent the shell from crashing.

Stack trace in the mongo shell program:

2014-04-30T09:05:02.659-0400 mongo got signal 11 (Segmentation fault), stack trace: 
2014-04-30T09:05:02.662-0400 0xd86f13 0xaa8e53 0x7f3503928400 0xb4b965 0xb4b7a9 0xc97aee 0xc97aa4 0xc966f5 0xcb46fe 0x1088e43 0x108740f 0x109a68a 0x1099d95 0xfe013f 0x10998bf 0x1039acc 0x12c4b58 0x3df6dbc06362 
 /home/dannenberg/work/server10086/mongo/mongo(_ZN5mongo15printStackTraceERSo+0x23) [0xd86f13]
 /home/dannenberg/work/server10086/mongo/mongo(_Z12quitAbruptlyi+0xf3) [0xaa8e53]
 /usr/lib/libc.so.6(+0x35400) [0x7f3503928400]
 /home/dannenberg/work/server10086/mongo/mongo(_ZN5mongo14DBClientCursorD1Ev+0x1a5) [0xb4b965]
 /home/dannenberg/work/server10086/mongo/mongo(_ZN5mongo14DBClientCursorD0Ev+0x19) [0xb4b7a9]
 /home/dannenberg/work/server10086/mongo/mongo(_ZN5boost14checked_deleteIN5mongo14DBClientCursorEEEvPT_+0x2e) [0xc97aee]
 /home/dannenberg/work/server10086/mongo/mongo(_ZN5boost10scoped_ptrIN5mongo14DBClientCursorEED2Ev+0x14) [0xc97aa4]
 /home/dannenberg/work/server10086/mongo/mongo(_ZN5mongo10ObjTrackerINS_14DBClientCursorEE10TrackedPtrD2Ev+0x15) [0xc966f5]
 /home/dannenberg/work/server10086/mongo/mongo(_ZN5mongo10ObjTrackerINS_14DBClientCursorEE15deleteOnCollectEN2v810PersistentINS3_5ValueEEEPv+0x4e) [0xcb46fe]
 /home/dannenberg/work/server10086/mongo/mongo(_ZN2v88internal13GlobalHandles4Node31PostGarbageCollectionProcessingEPNS0_7IsolateEPS1_+0x1d3) [0x1088e43]
 /home/dannenberg/work/server10086/mongo/mongo(_ZN2v88internal13GlobalHandles31PostGarbageCollectionProcessingENS0_16GarbageCollectorE+0x1bf) [0x108740f]
 /home/dannenberg/work/server10086/mongo/mongo(_ZN2v88internal4Heap24PerformGarbageCollectionENS0_16GarbageCollectorEPNS0_8GCTracerE+0x64a) [0x109a68a]
 /home/dannenberg/work/server10086/mongo/mongo(_ZN2v88internal4Heap14CollectGarbageENS0_15AllocationSpaceENS0_16GarbageCollectorEPKcS5_+0x3b5) [0x1099d95]
 /home/dannenberg/work/server10086/mongo/mongo(_ZN2v88internal4Heap14CollectGarbageENS0_15AllocationSpaceEPKc+0x4f) [0xfe013f]
 /home/dannenberg/work/server10086/mongo/mongo(_ZN2v88internal4Heap17CollectAllGarbageEiPKc+0x3f) [0x10998bf]
 /home/dannenberg/work/server10086/mongo/mongo(_ZN2v88internal9Execution25HandleStackGuardInterruptEPNS0_7IsolateE+0x7c) [0x1039acc]
 /home/dannenberg/work/server10086/mongo/mongo(_ZN2v88internal18Runtime_StackGuardENS0_9ArgumentsEPNS0_7IsolateE+0xc8) [0x12c4b58]
 ??? [0x3df6dbc06362]

When addr2line'd this looks like:

/home/dannenberg/work/server10086/mongo/src/mongo/util/stacktrace.cpp:306
/home/dannenberg/work/server10086/mongo/src/mongo/shell/dbshell.cpp:229
??:0
/home/dannenberg/work/server10086/mongo/src/mongo/client/dbclientcursor.cpp:331
/home/dannenberg/work/server10086/mongo/src/mongo/client/dbclientcursor.cpp:327
/home/dannenberg/work/server10086/mongo/src/third_party/boost/boost/checked_delete.hpp:40
/home/dannenberg/work/server10086/mongo/src/third_party/boost/boost/smart_ptr/scoped_ptr.hpp:80
/home/dannenberg/work/server10086/mongo/src/mongo/scripting/engine_v8.h:92
/home/dannenberg/work/server10086/mongo/src/mongo/scripting/engine_v8.h:110
/home/dannenberg/work/server10086/mongo/src/third_party/v8/src/global-handles.cc:233
/home/dannenberg/work/server10086/mongo/src/third_party/v8/src/global-handles.cc:558
/home/dannenberg/work/server10086/mongo/src/third_party/v8/src/heap.cc:923
/home/dannenberg/work/server10086/mongo/src/third_party/v8/src/heap.cc:588
/home/dannenberg/work/server10086/mongo/src/third_party/v8/src/heap-inl.h:440
/home/dannenberg/work/server10086/mongo/src/third_party/v8/src/heap.cc:498
/home/dannenberg/work/server10086/mongo/src/third_party/v8/src/execution.cc:928
/home/dannenberg/work/server10086/mongo/src/third_party/v8/src/runtime.cc:9198
??:0



 Comments   
Comment by Githook User [ 30/Jul/14 ]

Author: Benety Goh (benety) <benety@mongodb.com>

Message: SERVER-13798 add dependency on connection to cursor object tracker in JavaScript scripting engine
(cherry picked from commit c576cdd324f847e0f047dfa5d1bee429d659efb2)
Branch: v2.6
https://github.com/mongodb/mongo/commit/e7ac34dcf82d8794edc646a2d65fd28c095f0d8c

Comment by Benety Goh [ 15/May/14 ]

Tests are committed under SERVER-13091

Comment by Benety Goh [ 15/May/14 ]

Commit to backport:

SERVER-13798 add dependency on connection to cursor object tracker in JavaScript scripting engine

c576cdd324f847e0f047dfa5d1bee429d659efb2

Comment by Githook User [ 15/May/14 ]

Author: Benety Goh (benety) <benety@mongodb.com>

Message: SERVER-13798 (v8-3.25) add dependency on connection to cursor object tracker in JavaScript scripting engine
Branch: master
https://github.com/mongodb/mongo/commit/10190dcbcda90ed4accb5a01a57823bf25bbd309

Comment by Githook User [ 15/May/14 ]

Author: Benety Goh (benety) <benety@mongodb.com>

Message: SERVER-13798 add dependency on connection to cursor object tracker in JavaScript scripting engine
Branch: master
https://github.com/mongodb/mongo/commit/c576cdd324f847e0f047dfa5d1bee429d659efb2
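
Added illustration, not MongoDB source and not the committed change: a small C++ model of the hazard in the ticket title, where a collector finalizes the connection's tracker before the cursor's and the cursor destructor then needs the connection. The names Conn, Cursor and collect, and the use of std::shared_ptr to express the cursor's dependency on its connection, are assumptions of this example.

```cpp
#include <memory>

// Outcome of one simulated collection cycle.
struct Outcome {
    bool danglingUse;   // cursor destructor found its connection already destroyed
    int cursorsKilled;  // clean-up requests that reached a live connection
};

// Stand-in for the connection object (DBClient in the ticket title).
struct Conn {
    bool& alive;
    int& kills;
    Conn(bool& a, int& k) : alive(a), kills(k) { alive = true; }
    ~Conn() { alive = false; }
    void killCursor() { ++kills; }
};

// Stand-in for the cursor: its destructor needs the connection for clean-up.
struct Cursor {
    Conn* conn;                 // non-owning pointer to the connection
    std::shared_ptr<Conn> pin;  // owning reference; empty in the unsafe layout
    bool& connAlive;
    bool& dangling;
    ~Cursor() {
        // Real code would dereference freed memory here; the model only records it.
        if (!connAlive) { dangling = true; return; }
        conn->killCursor();
    }
};

// Finalize the connection's tracker before the cursor's, an order a collector
// is free to choose when both wrappers become unreachable together.
Outcome collect(bool cursorPinsConnection) {
    bool alive = false, dangling = false;
    int kills = 0;
    auto connTracker = std::make_shared<Conn>(alive, kills);
    std::unique_ptr<Cursor> cursorTracker(new Cursor{
        connTracker.get(),
        cursorPinsConnection ? connTracker : std::shared_ptr<Conn>(),
        alive, dangling});
    connTracker.reset();    // finalizer for the connection wrapper runs first
    cursorTracker.reset();  // finalizer for the cursor wrapper runs second
    return Outcome{dangling, kills};
}
```

With the pin in place the connection outlives the cursor regardless of finalization order, so the outcome no longer depends on when gc() happens to run.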
