[SERVER-17565] Bad MultiPolygon Crashes mongod Created: 12/Mar/15  Updated: 14/Apr/16  Resolved: 12/Mar/15

Status: Closed
Project: Core Server
Component/s: Geo
Affects Version/s: 3.0.0
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Ray Kulberda Assignee: Siyuan Zhou
Resolution: Duplicate Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates SERVER-17486 Crash when parsing invalid polygon co... Closed
Related
Operating System: Linux
Steps To Reproduce:

use geotest;
db.locations.createIndex({"geo" : "2dsphere"});
db.locations.insert(
{
  "geo" : {
    "type": "MultiPolygon",
    "coordinates": [
      [
        [
          [
            -66.17,
            17.94
          ],
          [
            -65.69,
            17.92
          ],
          [
            -66.53,
            17.71
          ],
          [
            -67.23,
            17.77
          ],
          [
            -67.39,
            17.96
          ],
          [
            -66.17,
            17.94
          ]
        ]
      ],
      [
        [
          [
            -66.17,
            17.94
          ],
          [
            -66.17,
            17.94
          ],
          [
            -66.17,
            17.94
          ],
          [
            -66.17,
            17.94
          ]
        ]
      ],
      [
        [
          [
            -66.97,
            17.94
          ],
          [
            -66.97,
            17.94
          ],
          [
            -66.97,
            17.94
          ],
          [
            -66.97,
            17.94
          ],
          [
            -66.97,
            17.94
          ]
        ]
      ],
      [
        [
          [
            -66.25,
            17.93
          ],
          [
            -66.25,
            17.93
          ],
          [
            -66.25,
            17.94
          ],
          [
            -66.25,
            17.94
          ],
          [
            -66.25,
            17.93
          ]
        ]
      ]
    ]
  }
});

Participants:

 Description   

A bad MultiPolygon causes mongod to crash parsing it:

2015-03-12T12:09:06.483-0400 I CONTROL  [conn1] 
 0xf42359 0xeec481 0xfe9e89 0x100c644 0x100c938 0x100ca87 0xa57d2a 0xa5916c 0xa5046d 0xa51d91 0xa8bc1d 0xa8d8b1 0xa7126c 0x90552e 0x905875 0x8f34f0 0x8f3c6c 0x996953 0x99755a 0x997624 0x997d35 0x99a96d 0x9bcad4 0x9bda13 0x9be60b 0xb8e5a5 0xaa0639 0x7e7590 0xf0040b 0x7f5082f1eee5 0x7f508201cb8d
----- BEGIN BACKTRACE -----
{"backtrace":[{"b":"400000","o":"B42359"},{"b":"400000","o":"AEC481"},{"b":"400000","o":"BE9E89"},{"b":"400000","o":"C0C644"},{"b":"400000","o":"C0C938"},{"b":"400000","o":"C0CA87"},{"b":"400000","o":"657D2A"},{"b":"400000","o":"65916C"},{"b":"400000","o":"65046D"},{"b":"400000","o":"651D91"},{"b":"400000","o":"68BC1D"},{"b":"400000","o":"68D8B1"},{"b":"400000","o":"67126C"},{"b":"400000","o":"50552E"},{"b":"400000","o":"505875"},{"b":"400000","o":"4F34F0"},{"b":"400000","o":"4F3C6C"},{"b":"400000","o":"596953"},{"b":"400000","o":"59755A"},{"b":"400000","o":"597624"},{"b":"400000","o":"597D35"},{"b":"400000","o":"59A96D"},{"b":"400000","o":"5BCAD4"},{"b":"400000","o":"5BDA13"},{"b":"400000","o":"5BE60B"},{"b":"400000","o":"78E5A5"},{"b":"400000","o":"6A0639"},{"b":"400000","o":"3E7590"},{"b":"400000","o":"B0040B"},{"b":"7F5082F17000","o":"7EE5"},{"b":"7F5081F28000","o":"F4B8D"}],"processInfo":{ "mongodbVersion" : "3.0.0", "gitVersion" : "a841fd6394365954886924a35076691b4d149168", "uname" : { "sysname" : "Linux", "release" : "3.14.6-200.fc20.x86_64", "version" : "#1 SMP Sun Jun 8 01:21:56 UTC 2014", "machine" : "x86_64" }, "somap" : [ { "elfType" : 2, "b" : "400000" }, { "b" : "7FFF5FC87000", "elfType" : 3 }, { "b" : "7F5082F17000", "path" : "/lib64/libpthread.so.0", "elfType" : 3 }, { "b" : "7F5082D0F000", "path" : "/lib64/librt.so.1", "elfType" : 3 }, { "b" : "7F5082B0B000", "path" : "/lib64/libdl.so.2", "elfType" : 3 }, { "b" : "7F5082803000", "path" : "/lib64/libstdc++.so.6", "elfType" : 3 }, { "b" : "7F50824FC000", "path" : "/lib64/libm.so.6", "elfType" : 3 }, { "b" : "7F50822E6000", "path" : "/lib64/libgcc_s.so.1", "elfType" : 3 }, { "b" : "7F5081F28000", "path" : "/lib64/libc.so.6", "elfType" : 3 }, { "b" : "7F5083134000", "path" : "/lib64/ld-linux-x86-64.so.2", "elfType" : 3 } ] }}
 mongod(_ZN5mongo15printStackTraceERSo+0x29) [0xf42359]
 mongod(_ZN5mongo10logContextEPKc+0xE1) [0xeec481]
 mongod(_ZN17LogMessageWarningD1Ev+0x19) [0xfe9e89]
 mongod(_ZN6S2Loop10InitOriginEv+0x1D4) [0x100c644]
 mongod(_ZN6S2Loop4InitERKSt6vectorI7Vector3IdESaIS2_EE+0x138) [0x100c938]
 mongod(_ZN6S2LoopC2ERKSt6vectorI7Vector3IdESaIS2_EE+0x117) [0x100ca87]
 mongod(+0x657D2A) [0xa57d2a]
 mongod(_ZN5mongo9GeoParser17parseMultiPolygonERKNS_7BSONObjEPNS_19MultiPolygonWithCRSE+0x34C) [0xa5916c]
 mongod(_ZN5mongo17GeometryContainer16parseFromGeoJSONERKNS_7BSONObjE+0xF5D) [0xa5046d]
 mongod(_ZN5mongo17GeometryContainer16parseFromStorageERKNS_11BSONElementE+0x181) [0xa51d91]
 mongod(+0x68BC1D) [0xa8bc1d]
 mongod(_ZN5mongo21ExpressionKeysPrivate9getS2KeysERKNS_7BSONObjES3_RKNS_16S2IndexingParamsEPSt3setIS1_NS_10BSONObjCmpESaIS1_EE+0x2A1) [0xa8d8b1]
 mongod(_ZN5mongo22BtreeBasedAccessMethod6insertEPNS_16OperationContextERKNS_7BSONObjERKNS_8RecordIdERKNS_19InsertDeleteOptionsEPl+0xAC) [0xa7126c]
 mongod(_ZN5mongo12IndexCatalog12_indexRecordEPNS_16OperationContextEPNS_17IndexCatalogEntryERKNS_7BSONObjERKNS_8RecordIdE+0x6E) [0x90552e]
 mongod(_ZN5mongo12IndexCatalog11indexRecordEPNS_16OperationContextERKNS_7BSONObjERKNS_8RecordIdE+0x85) [0x905875]
 mongod(_ZN5mongo10Collection15_insertDocumentEPNS_16OperationContextERKNS_7BSONObjEb+0xB0) [0x8f34f0]
 mongod(_ZN5mongo10Collection14insertDocumentEPNS_16OperationContextERKNS_7BSONObjEb+0x8C) [0x8f3c6c]
 mongod(_ZN5mongo18WriteBatchExecutor13execOneInsertEPNS0_16ExecInsertsStateEPPNS_16WriteErrorDetailE+0xA93) [0x996953]
 mongod(_ZN5mongo18WriteBatchExecutor11execInsertsERKNS_21BatchedCommandRequestEPSt6vectorIPNS_16WriteErrorDetailESaIS6_EE+0x27A) [0x99755a]
 mongod(_ZN5mongo18WriteBatchExecutor11bulkExecuteERKNS_21BatchedCommandRequestEPSt6vectorIPNS_19BatchedUpsertDetailESaIS6_EEPS4_IPNS_16WriteErrorDetailESaISB_EE+0x34) [0x997624]
 mongod(_ZN5mongo18WriteBatchExecutor12executeBatchERKNS_21BatchedCommandRequestEPNS_22BatchedCommandResponseE+0x3A5) [0x997d35]
 mongod(_ZN5mongo8WriteCmd3runEPNS_16OperationContextERKSsRNS_7BSONObjEiRSsRNS_14BSONObjBuilderEb+0x15D) [0x99a96d]
 mongod(_ZN5mongo12_execCommandEPNS_16OperationContextEPNS_7CommandERKSsRNS_7BSONObjEiRSsRNS_14BSONObjBuilderEb+0x34) [0x9bcad4]
 mongod(_ZN5mongo7Command11execCommandEPNS_16OperationContextEPS0_iPKcRNS_7BSONObjERNS_14BSONObjBuilderEb+0xC13) [0x9bda13]
 mongod(_ZN5mongo12_runCommandsEPNS_16OperationContextEPKcRNS_7BSONObjERNS_11_BufBuilderINS_16TrivialAllocatorEEERNS_14BSONObjBuilderEbi+0x28B) [0x9be60b]
 mongod(_ZN5mongo8runQueryEPNS_16OperationContextERNS_7MessageERNS_12QueryMessageERKNS_15NamespaceStringERNS_5CurOpES3_b+0x755) [0xb8e5a5]
 mongod(_ZN5mongo16assembleResponseEPNS_16OperationContextERNS_7MessageERNS_10DbResponseERKNS_11HostAndPortEb+0xB19) [0xaa0639]
 mongod(_ZN5mongo16MyMessageHandler7processERNS_7MessageEPNS_21AbstractMessagingPortEPNS_9LastErrorE+0xE0) [0x7e7590]
 mongod(_ZN5mongo17PortMessageServer17handleIncomingMsgEPv+0x32B) [0xf0040b]
 libpthread.so.0(+0x7EE5) [0x7f5082f1eee5]
 libc.so.6(clone+0x6D) [0x7f508201cb8d]
-----  END BACKTRACE  -----
2015-03-12T12:09:06.484-0400 W GEO      [conn1] src/third_party/s2/s2loop.h:117:  Check failed: (i) < ((2 * num_vertices_))
2015-03-12T12:09:06.484-0400 F -        [conn1] Invalid access at address: 0x18
2015-03-12T12:09:06.509-0400 F -        [conn1] Got signal: 11 (Segmentation fault).
 
 0xf42359 0xf419d2 0xf41d2e 0x7f5082f266d0 0x10046dc 0x1005ec1 0x100c4ba 0x100c938 0x100ca87 0xa57d2a 0xa5916c 0xa5046d 0xa51d91 0xa8bc1d 0xa8d8b1 0xa7126c 0x90552e 0x905875 0x8f34f0 0x8f3c6c 0x996953 0x99755a 0x997624 0x997d35 0x99a96d 0x9bcad4 0x9bda13 0x9be60b 0xb8e5a5 0xaa0639 0x7e7590 0xf0040b 0x7f5082f1eee5 0x7f508201cb8d
----- BEGIN BACKTRACE -----
{"backtrace":[{"b":"400000","o":"B42359"},{"b":"400000","o":"B419D2"},{"b":"400000","o":"B41D2E"},{"b":"7F5082F17000","o":"F6D0"},{"b":"400000","o":"C046DC"},{"b":"400000","o":"C05EC1"},{"b":"400000","o":"C0C4BA"},{"b":"400000","o":"C0C938"},{"b":"400000","o":"C0CA87"},{"b":"400000","o":"657D2A"},{"b":"400000","o":"65916C"},{"b":"400000","o":"65046D"},{"b":"400000","o":"651D91"},{"b":"400000","o":"68BC1D"},{"b":"400000","o":"68D8B1"},{"b":"400000","o":"67126C"},{"b":"400000","o":"50552E"},{"b":"400000","o":"505875"},{"b":"400000","o":"4F34F0"},{"b":"400000","o":"4F3C6C"},{"b":"400000","o":"596953"},{"b":"400000","o":"59755A"},{"b":"400000","o":"597624"},{"b":"400000","o":"597D35"},{"b":"400000","o":"59A96D"},{"b":"400000","o":"5BCAD4"},{"b":"400000","o":"5BDA13"},{"b":"400000","o":"5BE60B"},{"b":"400000","o":"78E5A5"},{"b":"400000","o":"6A0639"},{"b":"400000","o":"3E7590"},{"b":"400000","o":"B0040B"},{"b":"7F5082F17000","o":"7EE5"},{"b":"7F5081F28000","o":"F4B8D"}],"processInfo":{ "mongodbVersion" : "3.0.0", "gitVersion" : "a841fd6394365954886924a35076691b4d149168", "uname" : { "sysname" : "Linux", "release" : "3.14.6-200.fc20.x86_64", "version" : "#1 SMP Sun Jun 8 01:21:56 UTC 2014", "machine" : "x86_64" }, "somap" : [ { "elfType" : 2, "b" : "400000" }, { "b" : "7FFF5FC87000", "elfType" : 3 }, { "b" : "7F5082F17000", "path" : "/lib64/libpthread.so.0", "elfType" : 3 }, { "b" : "7F5082D0F000", "path" : "/lib64/librt.so.1", "elfType" : 3 }, { "b" : "7F5082B0B000", "path" : "/lib64/libdl.so.2", "elfType" : 3 }, { "b" : "7F5082803000", "path" : "/lib64/libstdc++.so.6", "elfType" : 3 }, { "b" : "7F50824FC000", "path" : "/lib64/libm.so.6", "elfType" : 3 }, { "b" : "7F50822E6000", "path" : "/lib64/libgcc_s.so.1", "elfType" : 3 }, { "b" : "7F5081F28000", "path" : "/lib64/libc.so.6", "elfType" : 3 }, { "b" : "7F5083134000", "path" : "/lib64/ld-linux-x86-64.so.2", "elfType" : 3 } ] }}
 mongod(_ZN5mongo15printStackTraceERSo+0x29) [0xf42359]
 mongod(+0xB419D2) [0xf419d2]
 mongod(+0xB41D2E) [0xf41d2e]
 libpthread.so.0(+0xF6D0) [0x7f5082f266d0]
 mongod(_ZN8S2LatLngC1ERK7Vector3IdE+0xC) [0x10046dc]
 mongod(_ZNK12S2LatLngRect8ContainsERK7Vector3IdE+0x11) [0x1005ec1]
 mongod(_ZN6S2Loop10InitOriginEv+0x4A) [0x100c4ba]
 mongod(_ZN6S2Loop4InitERKSt6vectorI7Vector3IdESaIS2_EE+0x138) [0x100c938]
 mongod(_ZN6S2LoopC2ERKSt6vectorI7Vector3IdESaIS2_EE+0x117) [0x100ca87]
 mongod(+0x657D2A) [0xa57d2a]
 mongod(_ZN5mongo9GeoParser17parseMultiPolygonERKNS_7BSONObjEPNS_19MultiPolygonWithCRSE+0x34C) [0xa5916c]
 mongod(_ZN5mongo17GeometryContainer16parseFromGeoJSONERKNS_7BSONObjE+0xF5D) [0xa5046d]
 mongod(_ZN5mongo17GeometryContainer16parseFromStorageERKNS_11BSONElementE+0x181) [0xa51d91]
 mongod(+0x68BC1D) [0xa8bc1d]
 mongod(_ZN5mongo21ExpressionKeysPrivate9getS2KeysERKNS_7BSONObjES3_RKNS_16S2IndexingParamsEPSt3setIS1_NS_10BSONObjCmpESaIS1_EE+0x2A1) [0xa8d8b1]
 mongod(_ZN5mongo22BtreeBasedAccessMethod6insertEPNS_16OperationContextERKNS_7BSONObjERKNS_8RecordIdERKNS_19InsertDeleteOptionsEPl+0xAC) [0xa7126c]
 mongod(_ZN5mongo12IndexCatalog12_indexRecordEPNS_16OperationContextEPNS_17IndexCatalogEntryERKNS_7BSONObjERKNS_8RecordIdE+0x6E) [0x90552e]
 mongod(_ZN5mongo12IndexCatalog11indexRecordEPNS_16OperationContextERKNS_7BSONObjERKNS_8RecordIdE+0x85) [0x905875]
 mongod(_ZN5mongo10Collection15_insertDocumentEPNS_16OperationContextERKNS_7BSONObjEb+0xB0) [0x8f34f0]
 mongod(_ZN5mongo10Collection14insertDocumentEPNS_16OperationContextERKNS_7BSONObjEb+0x8C) [0x8f3c6c]
 mongod(_ZN5mongo18WriteBatchExecutor13execOneInsertEPNS0_16ExecInsertsStateEPPNS_16WriteErrorDetailE+0xA93) [0x996953]
 mongod(_ZN5mongo18WriteBatchExecutor11execInsertsERKNS_21BatchedCommandRequestEPSt6vectorIPNS_16WriteErrorDetailESaIS6_EE+0x27A) [0x99755a]
 mongod(_ZN5mongo18WriteBatchExecutor11bulkExecuteERKNS_21BatchedCommandRequestEPSt6vectorIPNS_19BatchedUpsertDetailESaIS6_EEPS4_IPNS_16WriteErrorDetailESaISB_EE+0x34) [0x997624]
 mongod(_ZN5mongo18WriteBatchExecutor12executeBatchERKNS_21BatchedCommandRequestEPNS_22BatchedCommandResponseE+0x3A5) [0x997d35]
 mongod(_ZN5mongo8WriteCmd3runEPNS_16OperationContextERKSsRNS_7BSONObjEiRSsRNS_14BSONObjBuilderEb+0x15D) [0x99a96d]
 mongod(_ZN5mongo12_execCommandEPNS_16OperationContextEPNS_7CommandERKSsRNS_7BSONObjEiRSsRNS_14BSONObjBuilderEb+0x34) [0x9bcad4]
 mongod(_ZN5mongo7Command11execCommandEPNS_16OperationContextEPS0_iPKcRNS_7BSONObjERNS_14BSONObjBuilderEb+0xC13) [0x9bda13]
 mongod(_ZN5mongo12_runCommandsEPNS_16OperationContextEPKcRNS_7BSONObjERNS_11_BufBuilderINS_16TrivialAllocatorEEERNS_14BSONObjBuilderEbi+0x28B) [0x9be60b]
 mongod(_ZN5mongo8runQueryEPNS_16OperationContextERNS_7MessageERNS_12QueryMessageERKNS_15NamespaceStringERNS_5CurOpES3_b+0x755) [0xb8e5a5]
 mongod(_ZN5mongo16assembleResponseEPNS_16OperationContextERNS_7MessageERNS_10DbResponseERKNS_11HostAndPortEb+0xB19) [0xaa0639]
 mongod(_ZN5mongo16MyMessageHandler7processERNS_7MessageEPNS_21AbstractMessagingPortEPNS_9LastErrorE+0xE0) [0x7e7590]
 mongod(_ZN5mongo17PortMessageServer17handleIncomingMsgEPv+0x32B) [0xf0040b]
 libpthread.so.0(+0x7EE5) [0x7f5082f1eee5]
 libc.so.6(clone+0x6D) [0x7f508201cb8d]
-----  END BACKTRACE  -----



 Comments   
Comment by Siyuan Zhou [ 12/Mar/15 ]

kulberda, thanks for reporting this bug. We are aware of this bug and have fixed it in SERVER-17486. It will be included to next 3.0 release.

Comment by Ramon Fernandez Marina [ 12/Mar/15 ]

Thanks for your report kulberda and for the concise reproducer. We can observe the behavior you describe and are investigating.

Generated at Thu Feb 08 03:44:55 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.