[SERVER-20080] NULL pointer dereference when invoking constructor on natively injected functions Created: 21/Aug/15  Updated: 07/Oct/15  Resolved: 18/Sep/15

Status: Closed
Project: Core Server
Component/s: JavaScript
Affects Version/s: 3.1.7
Fix Version/s: 3.1.9

Type: Bug Priority: Major - P3
Reporter: J Delaney Assignee: Mira Carey
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

// Repro: applying `new` to a natively injected shell function succeeds, but the
// object it returns is not backed by a native; invoking that object then
// dereferences a null pointer (backtrace: NativeFunctionInfo::call,
// nativefunction.cpp:90, fault address 0x0).
db.foo.drop();
db.foo.insert({});
// The map function runs inside mongod's embedded JS engine, so this takes
// down the server process, not just the client.
db.foo.mapReduce(function() {
	(new hex_md5())();
}, function(){
 
}, {
	out: {
		inline: 1
	}
});
 
// Can also be done with db.eval (also executed server-side in mongod)
db.eval('(new hex_md5())()');
db.eval('(new sleep())()');
 
// Run directly in the mongo shell these crash the shell process itself (same
// engine, same fault); per the description every injected native behaves this way.
(new _isWindows())();
(new _rand())();

Sprint: Platform 9 (09/18/15)
Participants:

 Description   

Occurs for every natively injected function (hex_md5, sleep, _isWindows, _rand, ... — not only the ones in the repro): the `new` expression succeeds, but the object it returns has no backing native, so calling it dereferences a null pointer in NativeFunctionInfo::call. Affects the SpiderMonkey engine only. Security impact: the same code path runs inside mongod via mapReduce and db.eval (and presumably any other server-side JavaScript entry point), so any client permitted to execute server-side JavaScript can crash the server process — a remotely triggerable denial of service. Until a fixed build is deployed, the practical mitigation is to restrict or disable server-side JavaScript execution.

Backtrace (mongod, captured from the mapReduce repro). Note that frame #0 faults at nativefunction.cpp:90 with address=0x0, and frame #3 enters with construct=NO_CONSTRUCT: the crash is in the ordinary call of the object produced by `new`, not in the `new` expression itself, which is consistent with that object lacking the native function pointer the call path expects:

* thread #2: tid = 0x6a5a41, 0x00000001012e2d0b mongod`mongo::mozjs::NativeFunctionInfo::call(cx=0x0000000104a166b0, args=CallArgs at 0x000000010a876998) + 379 at nativefunction.cpp:90, stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001012e2d0b mongod`mongo::mozjs::NativeFunctionInfo::call(cx=0x0000000104a166b0, args=CallArgs at 0x000000010a876998) + 379 at nativefunction.cpp:90
    frame #1: 0x00000001012bd1f1 mongod`bool mongo::mozjs::smUtils::call<mongo::mozjs::NativeFunctionInfo>(cx=0x0000000104a166b0, argc=0, vp=0x000000010504a290) + 129 at wraptype.h:97
    frame #2: 0x000000010178d063 mongod`js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) [inlined] js::CallJSNative(cx=0x0000000104a166b0, native=0x00000001012bd170, args=0x000000010a876c90)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 208 at jscntxtinlines.h:226
    frame #3: 0x000000010178cf93 mongod`js::Invoke(cx=0x0000000104a166b0, args=CallArgs at 0x000000010a876c90, construct=NO_CONSTRUCT) + 931 at Interpreter.cpp:491
    frame #4: 0x00000001017b3089 mongod`Interpret(cx=0x0000000104a166b0, state=0x000000010a87fc70) + 90921 at Interpreter.cpp:2602
    frame #5: 0x000000010179cc60 mongod`js::RunScript(cx=0x0000000104a166b0, state=0x000000010a87fc70) + 816 at Interpreter.cpp:448
    frame #6: 0x000000010178d523 mongod`js::Invoke(cx=0x0000000104a166b0, args=CallArgs at 0x000000010a87fd10, construct=NO_CONSTRUCT) + 2355 at Interpreter.cpp:517
    frame #7: 0x0000000101773434 mongod`js::Invoke(cx=0x0000000104a166b0, thisv=0x000000010a880488, fval=0x000000010a8807c8, argc=0, argv=0x000000010a880858, rval=JS::MutableHandleValue at 0x000000010a880340) + 1460 at Interpreter.cpp:554
    frame #8: 0x0000000101d6ae74 mongod`JS_CallFunctionValue(cx=0x0000000104a166b0, obj=JS::HandleObject at 0x000000010a8804b8, fval=JS::HandleValue at 0x000000010a8804b0, args=0x000000010a880690, rval=JS::MutableHandleValue at 0x000000010a8804a8) + 260 at jsapi.cpp:4216
    frame #9: 0x00000001012b8acd mongod`JS::Call(cx=0x0000000104a166b0, thisObj=JS::HandleObject at 0x000000010a880508, fun=JS::HandleValue at 0x000000010a880500, args=0x000000010a880690, rval=JS::MutableHandleValue at 0x000000010a8804f8) + 77 at jsapi.h:3754
    frame #10: 0x00000001012b9da6 mongod`mongo::mozjs::MozJSImplScope::invoke(this=0x000000010605f800, func=1, argsObject=0x0000000104d0a180, recv=0x0000000109fc1a40, timeoutMs=0, ignoreReturn=true, readOnlyArgs=false, readOnlyRecv=false) + 1494 at implscope.cpp:523
    frame #11: 0x00000001012f4a88 mongod`mongo::mozjs::MozJSProxyScope::invoke(this=0x0000000104a36cd8)::$_23::operator()() const + 120 at proxyscope.cpp:197
    frame #12: 0x00000001012f496c mongod`std::__1::__function::__func<mongo::mozjs::MozJSProxyScope::invoke(unsigned long long, mongo::BSONObj const*, mongo::BSONObj const*, int, bool, bool, bool)::$_23, std::__1::allocator<mongo::mozjs::MozJSProxyScope::invoke(unsigned long long, mongo::BSONObj const*, mongo::BSONObj const*, int, bool, bool, bool)::$_23>, void ()>::operator()() [inlined] decltype(__f=0x0000000104a36cd8)::$_23&>(fp)(std::__1::forward<>(fp0))) std::__1::__invoke<mongo::mozjs::MozJSProxyScope::invoke(unsigned long long, mongo::BSONObj const*, mongo::BSONObj const*, int, bool, bool, bool)::$_23&>(mongo::mozjs::MozJSProxyScope::invoke(unsigned long long, mongo::BSONObj const*, mongo::BSONObj const*, int, bool, bool, bool)::$_23&&&) + 60 at __functional_base:413
    frame #13: 0x00000001012f495b mongod`std::__1::__function::__func<mongo::mozjs::MozJSProxyScope::invoke(unsigned long long, mongo::BSONObj const*, mongo::BSONObj const*, int, bool, bool, bool)::$_23, std::__1::allocator<mongo::mozjs::MozJSProxyScope::invoke(unsigned long long, mongo::BSONObj const*, mongo::BSONObj const*, int, bool, bool, bool)::$_23>, void ()>::operator(this=0x0000000104a36cd0)() + 43 at functional:1370
    frame #14: 0x0000000100aa1881 mongod`std::__1::function<void ()>::operator(this=0x0000000104f02ea0)() const + 129 at functional:1756
    frame #15: 0x00000001012ebb69 mongod`mongo::mozjs::MozJSProxyScope::implThread(this=0x0000000104f02df0) + 1017 at proxyscope.cpp:323
    frame #16: 0x000000010130f08d mongod`void* std::__1::__thread_proxy<std::__1::tuple<void (mongo::mozjs::MozJSProxyScope::*)(), mongo::mozjs::MozJSProxyScope*> >(void*) [inlined] decltype(__f=0x0000000104f023f0, __a0=0x0000000104f02400)).*fp(std::__1::forward<>(fp1))) std::__1::__invoke<void (mongo::mozjs::MozJSProxyScope::*)(), mongo::mozjs::MozJSProxyScope*, void>(void (mongo::mozjs::MozJSProxyScope::*&&)(), mongo::mozjs::MozJSProxyScope*&&) + 136 at __functional_base:380
    frame #17: 0x000000010130f005 mongod`void* std::__1::__thread_proxy<std::__1::tuple<void (mongo::mozjs::MozJSProxyScope::*)(), mongo::mozjs::MozJSProxyScope*> >(void*) [inlined] void std::__1::__thread_execute<void (mongo::mozjs::MozJSProxyScope::*)(), mongo::mozjs::MozJSProxyScope*, 1ul>(__t=0x0000000104f023f0, (null)=__tuple_indices<1> at 0x000000010a880ea0)(), mongo::mozjs::MozJSProxyScope*>&, std::__1::__tuple_indices<1ul>) + 40 at thread:332
    frame #18: 0x000000010130efdd mongod`void* std::__1::__thread_proxy<std::__1::tuple<void (mongo::mozjs::MozJSProxyScope::*)(), mongo::mozjs::MozJSProxyScope*> >(__vp=0x0000000104f023f0) + 365 at thread:342
    frame #19: 0x00007fff8602c05a libsystem_pthread.dylib`_pthread_body + 131
    frame #20: 0x00007fff8602bfd7 libsystem_pthread.dylib`_pthread_start + 176
    frame #21: 0x00007fff860293ed libsystem_pthread.dylib`thread_start + 13



 Comments   
Comment by Githook User [ 18/Sep/15 ]

Author:

{u'username': u'hanumantmk', u'name': u'Jason Carey', u'email': u'jcarey@argv.me'}

Message: SERVER-20080 Constrain ctor calls for JS types

Several types shouldn't be called as a ctor:

  • NativeFunction
  • Cursor
  • CursorHandle
  • NativeFunction

This prevents them from being called as such.
Branch: master
https://github.com/mongodb/mongo/commit/8291bbb3a6ec192d177076b1fb0cd28995e48440
