[SERVER-14107] Querying for a document containing a value of either type Javascript or JavascriptWithScope crashes the shell Created: 30/May/14  Updated: 31/Jul/15  Resolved: 22/Jul/14

Status: Closed
Project: Core Server
Component/s: Shell
Affects Version/s: 2.6.0
Fix Version/s: 2.6.4

Type: Bug Priority: Minor - P4
Reporter: Jeffrey Yemin Assignee: Adam Midvidy
Resolution: Done Votes: 0
Labels: community-team
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: File mongodump.tar
Issue Links:
Depends
Related
related to SERVER-4737 Viewing a document that has code_w_s ... Closed
related to SERVER-14909 Shell crashes when printing DBPointer... Closed
related to SERVER-10178 Print js stack traces when exceptions... Closed
is related to SERVER-11771 extended options for $regex cannot be... Closed
is related to SERVER-13707 mongo shell may crash when converting... Closed
Backwards Compatibility: Fully Compatible
Operating System: OS X
Steps To Reproduce:

First mongorestore from the attached mongodump. Then

> use DriverTest-1
switched to db DriverTest-1
> db.org.mongodb.protocol.InsertProtocolSpecification.findOne()

Sprint: Server 2.7.3, Server 2.7.4
Participants:

Description
Issue Status as of Aug 8, 2014

ISSUE SUMMARY
The mongo shell crashes when trying to display a document containing a value of either type Javascript or JavascriptWithScope.

USER IMPACT
The shell crashes with a segmentation fault (signal 11) and prints a stack trace. The mongod process is not affected.

WORKAROUNDS
N/A

AFFECTED VERSIONS
MongoDB production releases up to 2.6.3 are affected by this issue.

FIX VERSION
The fix is included in the 2.6.4 production release.

RESOLUTION DETAILS
Values of type Javascript or JavascriptWithScope are converted to a string for representation in the mongo shell.

Original description

Here's the stack trace:

> db.org.mongodb.protocol.InsertProtocolSpecification.findOne()
2014-05-30T14:35:57.286-0400 SyntaxError: Unexpected identifier
2014-05-30T14:35:57.287-0400 mongo got signal 11 (Segmentation fault: 11), stack trace:
2014-05-30T14:35:57.289-0400 0x10131f9aa 0x101186d93 0x7fff94f825aa 0x7fff5ea791d8 0x1015ec1a8 0x10148b107 0x1013fa2cd 0x1012925f6 0x10156e0f2 0x101571801 0x1015ececc 0x16f15b506362
 0   mongo                               0x000000010131f9aa _ZN5mongo15printStackTraceERNSt3__113basic_ostreamIcNS0_11char_traitsIcEEEE + 58
 1   mongo                               0x0000000101186d93 _Z12quitAbruptlyi + 243
 2   libsystem_platform.dylib            0x00007fff94f825aa _sigtramp + 26
 3   ???                                 0x00007fff5ea791d8 0x0 + 140734781428184
 4   mongo                               0x00000001015ec1a8 _ZN2v88internal7Runtime17SetObjectPropertyEPNS0_7IsolateENS0_6HandleINS0_6ObjectEEES6_S6_18PropertyAttributesNS0_14StrictModeFlagE + 904
 5   mongo                               0x000000010148b107 _ZN2v88internal11SetPropertyENS0_6HandleINS0_6ObjectEEES3_S3_18PropertyAttributesNS0_14StrictModeFlagE + 87
 6   mongo                               0x00000001013fa2cd _ZN2v86Object3SetENS_6HandleINS_5ValueEEES3_NS_17PropertyAttributeE + 285
 7   mongo                               0x00000001012925f6 _ZN5mongoL8namedGetEN2v85LocalINS0_6StringEEERKNS0_12AccessorInfoE + 598
 8   mongo                               0x000000010156e0f2 _ZN2v88internal8JSObject35GetPropertyAttributeWithInterceptorEPS1_PNS0_6StringEb + 706
 9   mongo                               0x0000000101571801 _ZN2v88internal10JSReceiver32GetPropertyAttributeWithReceiverEPS1_PNS0_6StringE + 289
 10  mongo                               0x00000001015ececc _ZN2v88internal19Runtime_HasPropertyENS0_9ArgumentsEPNS0_7IsolateE + 108
 11  ???                                 0x000016f15b506362 0x0 + 25225874924386



Comments
Comment by Githook User [ 22/Jul/14 ]

Author:

{u'username': u'amidvidy', u'name': u'Adam Midvidy', u'email': u'amidvidy@gmail.com'}

Message: SERVER-14107 Querying for a document containing a value of either type Javascript or JavascriptWithScope crashes the shell

Signed-off-by: Matt Kangas <matt.kangas@mongodb.com>
Branch: v2.6
https://github.com/mongodb/mongo/commit/1bc6f5dce536cc0e90d3d33850a119720d7edb1f

Comment by Adam Midvidy [ 22/Jul/14 ]

After further investigation, this bug is caused by the interaction of two separate issues - a bug in the mongo shell code, and differing behavior in libc++ and libstdc++.

The bug is in engine_v8.cpp:

stringstream ss;
v8::String::Utf8Value exceptionText(try_catch->Exception());
ss << *exceptionText; // crash happens here

Operator * on exceptionText returns the underlying char *, which in our case is a null pointer.

Now for why this crashes on the homebrew build, but not our binaries. Homebrew builds mongo with the flag '--osx-version-min=10.9' for OSX Mavericks bottles. This results in linking libc++ as the standard library instead of libstdc++.

Consider the following program:

#include <iostream>
#include <string>
#include <sstream>
 
int main() {
    std::stringstream ss;
    ss << static_cast<const char*>(NULL);
    return 0;
}

Building with libstdc++ (no crash):

amidvidy ~/Documents/scratch/cpp $ g++ null_ostream.cpp -mmacosx-version-min=10.6 && ./a.out
amidvidy ~/Documents/scratch/cpp $ otool -L a.out
a.out:
	/usr/lib/libstdc++.6.dylib (compatibility version 7.0.0, current version 60.0.0)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)

Building with libc++ (crash):

amidvidy ~/Documents/scratch/cpp $ g++ null_ostream.cpp -mmacosx-version-min=10.9 && ./a.out
Segmentation fault: 11
amidvidy ~/Documents/scratch/cpp $ otool -L a.out
a.out:
	/usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 120.0.0)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)

As for why this does not occur on master, schwerin inadvertently fixed this in SERVER-10178.
See this commit: https://github.com/mongodb/mongo/commit/1b871f8951d26975625ffb9717dcb609821974d5
After talking to him, a good course of action (for 2.6.4) is to backport the part of his commit that fixes the bug without the portions changing the behavior of mongo shell exception handling, so as to keep behavior consistent between minor releases.
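The following is an added example, not code from the mongo repository or from the comment above: it models the crashing pattern (`ss << *exceptionText` where the `const char*` may be null) beside a hardened form that substitutes a placeholder, so the stream never receives a null pointer on either libc++ or libstdc++. `Utf8ValueLike` is a hypothetical stand-in for `v8::String::Utf8Value`, whose `operator*` yields null when the conversion failed.

```cpp
#include <ostream>
#include <sstream>
#include <string>

// Streaming a null const char* into an ostream is undefined behaviour.
// libstdc++ happens to set badbit and write nothing; libc++ computes the
// string length from the pointer and dereferences null (SIGSEGV), which is
// why the Homebrew (libc++) build crashes and the official binaries do not.

// Hardened form: never hand the stream a null pointer. Returns true when
// the placeholder was substituted, so callers can log the anomaly.
bool stream_cstr(std::ostream& os, const char* s,
                 const char* placeholder = "<no message>") {
    if (s == nullptr) {
        os << placeholder;
        return true;
    }
    os << s;
    return false;
}

// Hypothetical minimal model of v8::String::Utf8Value: operator* returns
// the UTF-8 text, or nullptr when V8 could not convert the exception value.
struct Utf8ValueLike {
    const char* text;
    const char* operator*() const { return text; }
};

// Hardened equivalent of the snippet quoted in the comment above.
std::string exception_to_string(const Utf8ValueLike& exceptionText) {
    std::stringstream ss;
    ss << "exception: ";
    stream_cstr(ss, *exceptionText);  // safe on both libc++ and libstdc++
    return ss.str();
}

int main() {
    Utf8ValueLike ok{"SyntaxError: Unexpected identifier"};  // constructed sample
    Utf8ValueLike failed{nullptr};                            // conversion failed
    std::string a = exception_to_string(ok);
    std::string b = exception_to_string(failed);
    return (a.empty() || b.empty()) ? 1 : 0;
}
```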

Comment by Benety Goh [ 03/Jun/14 ]

Does not crash under 2.6.2rc0 or 2.7.1 downloaded from http://www.mongodb.org/downloads

Comment by Benety Goh [ 03/Jun/14 ]

Reproduced using 2.6.1 shell installed using Brew:

brew info mongo
mongodb: stable 2.6.1 (bottled), devel 2.7.1, HEAD
http://www.mongodb.org/
/usr/local/Cellar/mongodb/2.6.1 (17 files, 317M) *
  Poured from bottle
From: https://github.com/Homebrew/homebrew/commits/master/Library/Formula/mongodb.rb
==> Dependencies
Build: scons ✘
Optional: boost ✘, openssl ✘
==> Options
--with-boost
	Compile using installed boost, not the version shipped with mongodb
--with-openssl
	Build with openssl support
--devel
	install development version 2.7.1
--HEAD
	install HEAD version
==> Caveats
To have launchd start mongodb at login:
    ln -sfv /usr/local/opt/mongodb/*.plist ~/Library/LaunchAgents
Then to load mongodb now:
    launchctl load ~/Library/LaunchAgents/homebrew.mxcl.mongodb.plist
Or, if you don't want/need launchctl, you can just run:
    mongod --config /usr/local/etc/mongod.conf

Comment by Benety Goh [ 02/Jun/14 ]

This is what I saw running on OS X 10.9 under 2.6.0:

MongoDB shell version: 2.6.0
connecting to: test
> use DriverTest-1
switched to db DriverTest-1
> db.org.mongodb.protocol.InsertProtocolSpecification.findOne()
2014-06-02T09:58:28.178-0400 SyntaxError: Unexpected identifier
2014-06-02T09:58:28.179-0400 warning: CodeWScope doesn't transfer to db.eval
2014-06-02T09:58:28.179-0400 
2014-06-02T09:58:28.180-0400 Error: 16722  at src/mongo/shell/types.js:616

Comment by Jeffrey Yemin [ 30/May/14 ]

> db.eval( function() { return db.org.mongodb.protocol.InsertProtocolSpecification.findOne() })
2014-05-30T15:40:32.513-0400 SyntaxError: Unexpected identifier
2014-05-30T15:40:32.513-0400 warning: CodeWScope doesn't transfer to db.eval
2014-05-30T15:40:32.513-0400 mongo got signal 11 (Segmentation fault: 11), stack trace:
2014-05-30T15:40:32.515-0400 0x104cda9aa 0x104b41d93 0x7fff94f825aa 0x105bbf508 0x104b47665 0x104c549cb 0x104c5a6e5 0x104c58711 0x104c50f3b 0x104c4d5c4 0x104f290f2 0x104f2c801 0x104fa7ecc 0xb3b99006362
 0   mongo                               0x0000000104cda9aa _ZN5mongo15printStackTraceERNSt3__113basic_ostreamIcNS0_11char_traitsIcEEEE + 58
 1   mongo                               0x0000000104b41d93 _Z12quitAbruptlyi + 243
 2   libsystem_platform.dylib            0x00007fff94f825aa _sigtramp + 26
 3   ???                                 0x0000000105bbf508 0x0 + 4391171336
 4   mongo                               0x0000000104b47665 _ZNSt3__1lsINS_11char_traitsIcEEEERNS_13basic_ostreamIcT_EES6_PKc + 53
 5   mongo                               0x0000000104c549cb _ZN5mongo7V8Scope22v8ExceptionToSTLStringEPKN2v88TryCatchE + 331
 6   mongo                               0x0000000104c5a6e5 _ZN5mongo7V8Scope17checkV8ErrorStateIN2v85LocalINS2_5ValueEEEEEbRKT_RKNS2_8TryCatchEbb + 85
 7   mongo                               0x0000000104c58711 _ZN5mongo7V8Scope11newFunctionERKNS_10StringDataE + 465
 8   mongo                               0x0000000104c50f3b _ZN5mongo7V8Scope16mongoToV8ElementERKNS_11BSONElementEb + 3291
 9   mongo                               0x0000000104c4d5c4 _ZN5mongoL8namedGetEN2v85LocalINS0_6StringEEERKNS0_12AccessorInfoE + 548
 10  mongo                               0x0000000104f290f2 _ZN2v88internal8JSObject35GetPropertyAttributeWithInterceptorEPS1_PNS0_6StringEb + 706
 11  mongo                               0x0000000104f2c801 _ZN2v88internal10JSReceiver32GetPropertyAttributeWithReceiverEPS1_PNS0_6StringE + 289
 12  mongo                               0x0000000104fa7ecc _ZN2v88internal19Runtime_HasPropertyENS0_9ArgumentsEPNS0_7IsolateE + 108
 13  ???                                 0x00000b3b99006362 0x0 + 12350597915490

but mongod survived the encounter.

Comment by Eric Milkie [ 30/May/14 ]

I meant to say, if you did this type of Javascript operation in an interpreter in the server (via $eval or map/reduce), could it crash the server? If so, the severity of this issue is higher.

Comment by Jeffrey Yemin [ 30/May/14 ]

It does not crash the server. I discovered this bug while executing a Java test that inserts a document with values of every possible BSON type. The insert succeeds, as does a query for that document (from the Java test). But a query for the same document via the shell crashes the shell (and not mongod).

Comment by Eric Milkie [ 30/May/14 ]

Could this crash the server as well?

Generated at Thu Feb 08 03:33:53 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.