[SERVER-21760] C runtime crash in the mongo shell due to uninitialized variable 'machine' Created: 03/Dec/15  Updated: 08/Jan/24  Resolved: 06/May/16

Status: Closed
Project: Core Server
Component/s: Shell
Affects Version/s: 3.2.0-rc6
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Kaloian Manassiev Assignee: Mira Carey
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Operating System: Windows
Steps To Reproduce:

E:\workspace\mongo>mongo.exe --nodb
MongoDB shell version: 3.2.0-rc6-7-gb1f0d16
> var r = Repli<TAB><TAB><TAB><TAB>...<TAB>

Sprint: Platforms E (01/08/16), Platforms 10 (02/19/16)
Participants:

Description

Pressing tab for completion in the shell multiple times in a row in quick succession causes the crash below on Windows (I haven't tried on Linux). The shell was started with the --nodb flag.

E:\workspace\mongo>mongo.exe --nodb
MongoDB shell version: 3.2.0-rc6-7-gb1f0d16
> var r = Repli<TAB><TAB><TAB><TAB>...<TAB>
2015-12-03T15:57:27.347-0500 I CONTROL  [thread1] *** C runtime error: e:\workspace\mongo\src\third_party\mozjs-38\extract\js\src\jit\jitframes.cpp(361) : Run-Time Check Failure #3 - The variable 'machine' is being used without being initialized., terminating
2015-12-03T15:57:27.380-0500 I -        [thread1] Fatal Assertion 17006

Stack:

 	mongo.exe!mongo::fassertFailed(int msgid=17006) Line 171	C++
 	mongo.exe!mongo::crtDebugCallback(int __formal=1, char * originalMessage=0x0000001b2d4f06a0, int * __formal=0x0000001b2d4f0648) Line 282	C++
 	msvcr120d.dll!_VCrtDbgReportW(int nRptType=1, void * returnAddress=0x00007ff6fc0c4759, const wchar_t * szFile=0x0000001b2d4f89d0, int nLine=361, const wchar_t * szModule=0x0000001b2d4f87c0, const wchar_t * szFormat=0x00007ff6fcbd2c80, char * arglist=0x0000001b2d4f8798) Line 609	C
 	msvcr120d.dll!_CrtDbgReportWV(int nRptType=1, void * returnAddress=0x00007ff6fc0c4759, const wchar_t * szFile=0x0000001b2d4f89d0, int nLine=361, const wchar_t * szModule=0x0000001b2d4f87c0, const wchar_t * szFormat=0x00007ff6fcbd2c80, char * arglist=0x0000001b2d4f8798) Line 263	C++
 	msvcr120d.dll!_CrtDbgReportW(int nRptType=1, const wchar_t * szFile=0x0000001b2d4f89d0, int nLine=361, const wchar_t * szModule=0x0000001b2d4f87c0, const wchar_t * szFormat=0x00007ff6fcbd2c80, ...) Line 279	C++
 	mongo.exe!failwithmessage(void * retaddr=0x00007ff6fb908e61, int crttype=1, int errnum, const char * msg=0x0000001b2d4f9680) Line 203	C++
 	mongo.exe!_RTC_UninitUse(const char * varname=0x00007ff6fc99e580) Line 475	C++
>	mongo.exe!js::jit::JitFrameIterator::machineState() Line 361	C++
 	mongo.exe!js::jit::SnapshotIterator::SnapshotIterator(const js::jit::JitFrameIterator & iter={...}) Line 1740	C++
 	mongo.exe!js::jit::InlineFrameIterator::resetOn(const js::jit::JitFrameIterator * iter=0x0000001b2d4fa078) Line 2353	C++
 	mongo.exe!js::jit::InlineFrameIterator::InlineFrameIterator(JSContext * cx=0x000001f64e0e2b50, const js::jit::JitFrameIterator * iter=0x0000001b2d4fa078) Line 2316	C++
 	mongo.exe!js::jit::GetPcScript(JSContext * cx=0x000001f64e0e2b50, JSScript * * scriptRes=0x0000001b2d4fa508, unsigned char * * pcRes=0x0000001b2d4fa628) Line 1606	C++
 	mongo.exe!JSContext::currentScript(unsigned char * * ppc=0x0000001b2d4fa628, JSContext::MaybeAllowCrossCompartment allowCrossCompartment=DONT_ALLOW_CROSS_COMPARTMENT) Line 463	C++
 	mongo.exe!js::jit::InvokeFunction(JSContext * cx=0x000001f64e0e2b50, JS::Handle<JSObject *> obj={...}, unsigned int argc=0, JS::Value * argv=0x0000001b2d4fa7a0, JS::Value * rval=0x0000001b2d4fa760) Line 81	C++
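The failure logged above is MSVC's run-time check for reads of a stack variable that no code path has written (Run-Time Check Failure #3, emitted when a build is compiled with /RTCu). The C++ below is an added illustration of that defect class and of the fix that removes it; it is not code from MongoDB or SpiderMonkey, and `MachineState`, `FrameKind` and the two `machineState...` functions are hypothetical stand-ins for the frame iterator that crashed here. The release build behaviour Kaloian describes (a crash without the CRT message) is consistent with the same read happening unchecked and yielding whatever bytes were left on the stack.

```cpp
#include <cstddef>
#include <cstdint>

// Hypothetical stand-in for the "machine state" a JIT frame iterator hands
// back: a few saved registers plus a flag saying whether they are meaningful.
struct MachineState {
    uintptr_t regs[4];
    bool valid;
};

// Hypothetical frame kinds; only some of them carry register state.
enum class FrameKind { Baseline, Ion, Bailout, Unknown };

// Defective shape, as /RTCu would report it: `state` has no initializer and
// only some switch arms write to it, so for FrameKind::Unknown the `return`
// copies indeterminate stack bytes. In a debug build the CRT check fires;
// in a release build the caller silently consumes garbage. Kept here for
// contrast only and never called, since reading it is undefined behaviour.
MachineState machineStateUninitialized(FrameKind kind) {
    MachineState state;                    // BUG: no initializer
    switch (kind) {
        case FrameKind::Baseline:
            state.regs[0] = 0x1000; state.regs[1] = 0; state.regs[2] = 0; state.regs[3] = 0;
            state.valid = true;
            break;
        case FrameKind::Ion:
            state.regs[0] = 0x1000; state.regs[1] = 0x2000; state.regs[2] = 0; state.regs[3] = 0;
            state.valid = true;
            break;
        default:
            break;                         // Bailout / Unknown: state never written
    }
    return state;
}

// Fixed shape: value-initialization zeroes every register and sets
// valid == false, so every path returns a well-defined object and callers
// can test `valid` instead of trusting whatever was on the stack.
MachineState machineStateInitialized(FrameKind kind) {
    MachineState state{};                  // all members zero-initialized
    switch (kind) {
        case FrameKind::Baseline:
            state.regs[0] = 0x1000;
            state.valid = true;
            break;
        case FrameKind::Ion:
            state.regs[0] = 0x1000;
            state.regs[1] = 0x2000;
            state.valid = true;
            break;
        default:
            break;                         // state stays zeroed, valid == false
    }
    return state;
}

// Caller that honours the flag: returns the requested register, or 0 when the
// frame carried no usable state or the index is out of range.
uintptr_t registerOrZero(const MachineState& state, std::size_t index) {
    if (!state.valid || index >= sizeof(state.regs) / sizeof(state.regs[0])) {
        return 0;
    }
    return state.regs[index];
}

int main() {
    // Constructed inputs: one frame kind with state, one without.
    MachineState ion = machineStateInitialized(FrameKind::Ion);
    MachineState unknown = machineStateInitialized(FrameKind::Unknown);
    return (registerOrZero(ion, 1) == 0x2000 && registerOrZero(unknown, 1) == 0) ? 0 : 1;
}
```

The `{}` initializer is the whole fix; the `valid` flag is the defensive half that turns a "where did this garbage come from" investigation into an ordinary checked return. Under a sanitizer or /RTCu the first version fails loudly, which is the point of running debug builds like the one in this report.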



Comments
Comment by Mira Carey [ 06/May/16 ]

No longer seems reproducible under mozjs-45. Closing as gone away.

Comment by Mira Carey [ 03/May/16 ]

kaloian.manassiev,

Can you still repro this using mozjs-45? I.e. latest master?

Comment by Mira Carey [ 09/Feb/16 ]

Ah, that's interesting. I thought it was debug only. What does a retail crash look like (does it still show up out of the crt, or does it segfault or something like that?)

Comment by Kaloian Manassiev [ 09/Feb/16 ]

Just for the record, it also happened on a retail build previously, so it is not related to debug. Probably, because I was doing it through a remote session from home this time, I was not able to press the tab completion key fast enough.

Comment by Mira Carey [ 09/Feb/16 ]

In the short term, you can use --disableJavaScriptJIT to avoid that behavior on debug builds.

In the long term, I'm going to have to work with Mark to trace the call stack back through jitted frames to find out where we went wrong, and there's always the chance that the debug build is just broken (it's definitely broken on non-x86).

Comment by Kelsey Schubert [ 03/Dec/15 ]

I haven't been able to reproduce this on Linux or OS X.

Generated at Thu Feb 08 03:58:20 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.