[SERVER-14107] Querying for a document containing a value of either type Javascript or JavascriptWithScope crashes the shell
Created: 30/May/14 | Updated: 31/Jul/15 | Resolved: 22/Jul/14
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Shell |
| Affects Version/s: | 2.6.0 |
| Fix Version/s: | 2.6.4 |
| Type: | Bug | Priority: | Minor - P4 |
| Reporter: | Jeffrey Yemin | Assignee: | Adam Midvidy |
| Resolution: | Done | Votes: | 0 |
| Labels: | community-team |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | OS X |
| Steps To Reproduce: | First mongorestore from the attached mongodump. Then |
| Sprint: | Server 2.7.3, Server 2.7.4 |
| Participants: |
| Description |
| Comments |
| Comment by Githook User [ 22/Jul/14 ] |

Author: {u'username': u'amidvidy', u'name': u'Adam Midvidy', u'email': u'amidvidy@gmail.com'}
Message: Signed-off-by: Matt Kangas <matt.kangas@mongodb.com>
| Comment by Adam Midvidy [ 22/Jul/14 ] |

After further investigation, this bug is caused by the interaction of two separate issues - a bug in the mongo shell code, and differing behavior in libc++ and libstdc++. The bug is in engine_v8.cpp:

Operator * on exceptionText returns the underlying char *, which in our case is a null pointer.

Now for why this crashes on the homebrew build, but not our binaries. Homebrew builds mongo with the flag '--osx-version-min=10.9' for OSX Mavericks bottles. This results in linking libc++ as the standard library instead of libstdc++. Consider the following program:

Building with libstdc++ (no crash):

Building with libc++ (crash):

As for why this does not occur on master, schwerin inadvertently fixed this in
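
A null guard for the pattern described in the comment above, as an added example that is not part of the original comment or of MongoDB's code. `Utf8ValueLike`, `cstrOr`, `describeException` and `streamStaysGood` are hypothetical names, and writing the text into an `ostringstream` is an assumption, since the engine_v8.cpp snippet is not on this page.

```cpp
#include <iostream>
#include <sstream>
#include <string>

// Hypothetical stand-in for a V8-style UTF-8 wrapper: operator* returns the
// underlying char*, which is null when the conversion produced no text.
class Utf8ValueLike {
public:
    explicit Utf8ValueLike(const char* s) : _s(s) {}
    const char* operator*() const { return _s; }

private:
    const char* _s;
};

// Never hand a null char* to std::string or operator<<: both require a
// non-null pointer, so the outcome otherwise depends on the standard library.
const char* cstrOr(const Utf8ValueLike& v, const char* fallback) {
    const char* p = *v;
    return p ? p : fallback;
}

// Hypothetical message builder; the prefix and fallback text are constructed.
std::string describeException(const Utf8ValueLike& exceptionText) {
    std::ostringstream ss;
    ss << "uncaught exception: " << cstrOr(exceptionText, "<no exception text>");
    return ss.str();
}

// True if the stream is still usable after writing the guarded value.
bool streamStaysGood(const Utf8ValueLike& exceptionText) {
    std::ostringstream ss;
    ss << cstrOr(exceptionText, "<no exception text>") << " (more context)";
    return ss.good() && ss.str().find("(more context)") != std::string::npos;
}

int main() {
    Utf8ValueLike missing(nullptr);  // constructed input: conversion failed
    Utf8ValueLike present("ReferenceError: x is not defined");  // constructed
    std::cout << describeException(missing) << "\n"
              << describeException(present) << "\n";
    return streamStaysGood(missing) ? 0 : 1;
}
```

Building and running this under both libc++ and libstdc++ gives the same output, because the null pointer never reaches library code whose behavior for it is undefined.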
| Comment by Benety Goh [ 03/Jun/14 ] |

Does not crash under 2.6.2rc0 or 2.7.1 downloaded from http://www.mongodb.org/downloads

| Comment by Benety Goh [ 03/Jun/14 ] |

Reproduced using 2.6.1 shell installed using Brew:

| Comment by Benety Goh [ 02/Jun/14 ] |

This is what I saw running on OS X 10.9 under 2.6.0:

| Comment by Jeffrey Yemin [ 30/May/14 ] |

but mongod survived the encounter.

| Comment by Eric Milkie [ 30/May/14 ] |

I meant to say, if you did this type of Javascript operation in an interpreter in the server (via $eval or map/reduce), could it crash the server? If so, the severity of this issue is higher.

| Comment by Jeffrey Yemin [ 30/May/14 ] |

It does not crash the server. I discovered this bug while executing a Java test that inserts a document with values of every possible BSON type. The insert succeeds, as does a query for that document (from the Java test). But a query for the same document via the shell crashes the shell (and not mongod).

| Comment by Eric Milkie [ 30/May/14 ] |

Could this crash the server as well?