[SERVER-14909] Shell crashes when printing DBPointer index bounds Created: 15/Aug/14  Updated: 13/Apr/20  Resolved: 13/Apr/20

Status: Closed
Project: Core Server
Component/s: Shell
Affects Version/s: 2.6.4, 2.7.1, 2.7.4
Fix Version/s: None

Type: Bug Priority: Minor - P4
Reporter: Kamran K. Assignee: DO NOT USE - Backlog - Platform Team
Resolution: Done Votes: 0
Labels: 28qa, community-team, move-sa
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: server14909.js
Issue Links:
Related
is related to SERVER-4737 Viewing a document that has code_w_s ... Closed
is related to SERVER-13707 mongo shell may crash when converting... Closed
is related to SERVER-14107 Querying for a document containing a ... Closed
Operating System: ALL
Steps To Reproduce:

var t = db.shell_crash;
t.drop();

t.ensureIndex({a: 1});
// BSON type 12 is the (deprecated) DBPointer type; explain(true) prints the
// index bounds chosen for the $type predicate, which is where the shell crashes.
t.find({a: {$type: 12}}).explain(true);

Sprint: Server 2.7.6

Description

In pre-2.6.4 and pre-2.7.1 shells, printing the index bounds of a DBPointer field results in a (harmless) SyntaxError exception. In 2.6.4 and 2.7.1+, the exception is followed by a crash.

Valgrind output:

==12721== Invalid read of size 8
==12721==    at 0x12E4AA40D139: ???
==12721==    by 0x12E4AA406275: ???
==12721==    by 0x948FF8: v8::internal::Execution::New(v8::internal::Handle<v8::internal::JSFunction>, int, v8::internal::Handle<v8::internal::Object>*, bool*) (execution.cc:118)
==12721==    by 0x8F8B6D: v8::Function::NewInstance(int, v8::Handle<v8::Value>*) const (api.cc:3638)
==12721==    by 0x74868F: mongo::V8Scope::mongoToV8Element(mongo::BSONElement const&, bool) (engine_v8.cpp:1501)
==12721==    by 0x748442: mongo::V8Scope::mongoToV8Element(mongo::BSONElement const&, bool) (engine_v8.cpp:1422)
==12721==    by 0x748442: mongo::V8Scope::mongoToV8Element(mongo::BSONElement const&, bool) (engine_v8.cpp:1422)
==12721==    by 0x749571: mongo::namedGet(v8::Local<v8::String>, v8::AccessorInfo const&) (engine_v8.cpp:124)
==12721==    by 0xA4F941: v8::internal::JSObject::GetPropertyWithInterceptor(v8::internal::JSReceiver*, v8::internal::String*, PropertyAttributes*) (objects.cc:10297)
==12721==    by 0xA4FFC2: v8::internal::Object::GetProperty(v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, v8::internal::LookupResult*, v8::internal::Handle<v8::internal::String>, PropertyAttributes*) (objects.cc:582)
==12721==    by 0x9DF95C: v8::internal::KeyedLoadIC::Load(v8::internal::InlineCacheState, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, bool) (ic.cc:1180)
==12721==    by 0x9DFB24: v8::internal::KeyedLoadIC_Miss(v8::internal::Arguments, v8::internal::Isolate*) (ic.cc:2101)
==12721==    by 0x12E4AA406361: ???
==12721==    by 0x12E4AA45E607: ???
==12721==    by 0x12E4AA45DA64: ???
==12721==    by 0x12E4AA45E806: ???
==12721==    by 0x12E4AA45DA64: ???
==12721==    by 0x12E4AA40C76D: ???
==12721==    by 0x12E4AA4527AB: ???
==12721==    by 0x12E4AA45229A: ???
==12721==    by 0x12E4AA40CFA6: ???
==12721==    by 0x12E4AA406115: ???
==12721==    by 0x94AA5C: v8::internal::Execution::Call(v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, bool*, bool) (execution.cc:118)
==12721==    by 0x8EFF68: v8::Script::Run() (api.cc:1613)
==12721==    by 0x74ACD9: mongo::V8Scope::exec(mongo::StringData const&, std::string const&, bool, bool, bool, int) (engine_v8.cpp:1106)
==12721==    by 0x62D0D0: _main(int, char**, char**) (dbshell.cpp:878)
==12721==    by 0x6193D1: main (dbshell.cpp:918)
==12721==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==12721== 
2014-08-14T23:41:12.869-0400 F          Invalid access at address: 0
2014-08-14T23:41:12.900-0400 F          Got signal: 11 (Segmentation fault).
 
 0x7f6759 0x7f6362 0x7f65ce 0x4e47340 0x12e4aa40d139
----- BEGIN BACKTRACE -----
{"backtrace":[{"b":"400000","o":"3F6759"},{"b":"400000","o":"3F6362"},{"b":"400000","o":"3F65CE"},{"b":"4E37000","o":"10340"},{"b":"0","o":"12E4AA40D139"}],"processInfo":{ "mongodbVersion" : "2.7.5-pre-", "gitVersion" : "7a1a0ce4ca6bbdf047adc7528310078ef7ca08f8", "uname" : { "sysname" : "Linux", "release" : "3.13.0-24-generic", "version" : "#46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014", "machine" : "x86_64" }, "somap" : [ { "elfType" : 2, "b" : "400000", "buildId" : "F68A844EB0B781158FA4CE7FB2D67ECDCAA1B21D" }, { "b" : "4A25000", "path" : "/usr/lib/valgrind/vgpreload_core-amd64-linux.so", "elfType" : 3, "buildId" : "39258A592B45456E029EA7458EDB059E25DAD54D" }, { "b" : "4C27000", "path" : "/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so", "elfType" : 3, "buildId" : "DA51DCDE9F27F24FDD755CB7089E7A2CAC6518E9" }, { "b" : "4E37000", "path" : "/lib/x86_64-linux-gnu/libpthread.so.0", "elfType" : 3, "buildId" : "FE662C4D7B14EE804E0C1902FB55218A106BC5CB" }, { "b" : "5055000", "path" : "/lib/x86_64-linux-gnu/librt.so.1", "elfType" : 3, "buildId" : "92FCF41EFE012D6186E31A59AD05BDBB487769AB" }, { "b" : "525D000", "path" : "/lib/x86_64-linux-gnu/libdl.so.2", "elfType" : 3, "buildId" : "C1AE4CB7195D337A77A3C689051DABAA3980CA0C" }, { "b" : "5461000", "path" : "/usr/lib/x86_64-linux-gnu/libstdc++.so.6", "elfType" : 3, "buildId" : "19EFDDAB11B3BF5C71570078C59F91CF6592CE9E" }, { "b" : "5765000", "path" : "/lib/x86_64-linux-gnu/libm.so.6", "elfType" : 3, "buildId" : "574C6350381DA194C00FF555E0C1784618C05569" }, { "b" : "5A6B000", "path" : "/lib/x86_64-linux-gnu/libgcc_s.so.1", "elfType" : 3, "buildId" : "CC0D578C2E0D86237CA7B0CE8913261C506A629A" }, { "b" : "5C81000", "path" : "/lib/x86_64-linux-gnu/libc.so.6", "elfType" : 3, "buildId" : "8BA18E4F3BB61EB5DBBF9C490B398C665DF407F9" }, { "b" : "4000000", "path" : "/lib64/ld-linux-x86-64.so.2", "elfType" : 3, "buildId" : "9F00581AB3C73E3AEA35995A0C50D24D59A01D47" } ] }}
 mongo(_ZN5mongo15printStackTraceERSo+0x29) [0x7f6759]
 mongo(+0x3F6362) [0x7f6362]
 mongo(+0x3F65CE) [0x7f65ce]
 libpthread.so.0(+0x10340) [0x4e47340]
 ??? [0x12e4aa40d139]
-----  END BACKTRACE  -----
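As an added triage helper (not part of this issue or of the MongoDB code base): the BEGIN/END BACKTRACE block above records each frame as a load base plus offset, so the addresses the shell prints on the following `mongo(...)` lines can be recomputed and mapped back to the module list in `somap`. The log excerpt is constructed from this issue's output, trimmed to the frames and the two mappings the script needs; the "mongo (main executable)" label is the script's own.

```python
import json

# Constructed excerpt of the shell's crash output from this issue, trimmed to
# the five frames and the two somap entries the script needs.
CRASH_LOG = """\
2014-08-14T23:41:12.900-0400 F          Got signal: 11 (Segmentation fault).
----- BEGIN BACKTRACE -----
{"backtrace":[{"b":"400000","o":"3F6759"},{"b":"400000","o":"3F6362"},{"b":"400000","o":"3F65CE"},{"b":"4E37000","o":"10340"},{"b":"0","o":"12E4AA40D139"}],"processInfo":{"mongodbVersion":"2.7.5-pre-","gitVersion":"7a1a0ce4ca6bbdf047adc7528310078ef7ca08f8","somap":[{"elfType":2,"b":"400000","buildId":"F68A844EB0B781158FA4CE7FB2D67ECDCAA1B21D"},{"b":"4E37000","path":"/lib/x86_64-linux-gnu/libpthread.so.0","elfType":3,"buildId":"FE662C4D7B14EE804E0C1902FB55218A106BC5CB"}]}}
-----  END BACKTRACE  -----
"""

BEGIN = "----- BEGIN BACKTRACE -----"
END = "-----  END BACKTRACE  -----"


def extract_backtrace(log):
    """Return the JSON object printed between the BEGIN/END BACKTRACE markers."""
    lines = log.splitlines()
    start, stop = lines.index(BEGIN) + 1, lines.index(END)
    return json.loads("".join(lines[start:stop]))


def resolve_frames(bt):
    """Turn each {b, o} frame into an absolute address plus the module it lies in.

    A frame whose base is "0" has no somap mapping; in this crash those are
    V8 JIT-compiled code pages, which is why the shell prints them as ???.
    """
    by_base = {m["b"]: m for m in bt["processInfo"]["somap"]}
    frames = []
    for f in bt["backtrace"]:
        base, off = int(f["b"], 16), int(f["o"], 16)
        mod = by_base.get(f["b"]) if base else None
        # elfType 2 is the main executable and carries no "path" key (label is ours).
        name = None if mod is None else mod.get("path", "mongo (main executable)")
        frames.append({"addr": f"0x{base + off:x}", "module": name, "offset": off})
    return frames


def summarize(log):
    """Version, git hash and resolved frames for one crash log."""
    bt = extract_backtrace(log)
    info = bt["processInfo"]
    return {"version": info["mongodbVersion"], "git": info["gitVersion"],
            "frames": resolve_frames(bt)}


if __name__ == "__main__":
    s = summarize(CRASH_LOG)
    print(f"mongo {s['version']} ({s['git'][:10]})")
    for fr in s["frames"]:
        print(fr["addr"], fr["module"] or "??? (unmapped / JIT code)", hex(fr["offset"]))
```

The first resolved address, 0x7f6759, and the libpthread frame, 0x4e47340, match the addresses the shell printed on the `mongo(...)` and `libpthread.so.0(...)` lines above; the base-0 frame is the JIT frame that neither valgrind nor the shell could symbolize.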



Comments
Comment by Spencer Jackson [ 13/Apr/20 ]

This no longer repros on master.

Comment by Benety Goh [ 26/Aug/14 ]

git bisect is pointing to

https://github.com/mongodb/mongo/commit/2d157304846c8f211a43e37a1290f50132901a8c

as the first bad commit resulting in the shell crash using the attached JS script server14909.js

Comment by Benety Goh [ 20/Aug/14 ]

These are the bounds the shell is trying to render:

2014-08-20T16:04:52.991-0400 D QUERY    [conn1] [QLOG] Planner: adding solution:
KEEP_MUTATIONS
---filter:
        a type: 12
---fetched = 1
---sortedByDiskLoc = 0
---getSort = []
---Child:
------FETCH
---------filter:
                a type: 12  || Selected Index #0 pos 0
---------fetched = 1
---------sortedByDiskLoc = 0
---------getSort = [{ a: 1 }, ]
---------Child:
------------IXSCAN
---------------keyPattern = { a: 1.0 }
---------------direction = 1
---------------bounds = field #0['a']: [DBRef('',000000000000000000000000), ]
---------------fetched = 0
---------------sortedByDiskLoc = 0
---------------getSort = [{ a: 1 }, ]

Generated at Thu Feb 08 03:36:20 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.