[SERVER-22686] ValueWriter::writeThis exhibits undefined behavior with large floating point values Created: 17/Feb/16  Updated: 17/Apr/17  Resolved: 10/Mar/16

Status: Closed
Project: Core Server
Component/s: JavaScript
Affects Version/s: None
Fix Version/s: 3.3.2

Type: Bug Priority: Major - P3
Reporter: Andrew Morrow (Inactive) Assignee: Samantha Ritter (Inactive)
Resolution: Done Votes: 0
Labels: undefined-sanitizer
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

Run jstests/core/bulk_insert.js under a ubsan instrumented mongod

Sprint: Platforms 11 (03/11/16)
Participants:

Description

If the double value cast here is not representable as an integer, the behavior is undefined:

https://github.com/mongodb/mongo/blob/1a74a81b6eb2ad4b3fdd30408b522826aa08610c/src/mongo/scripting/mozjs/valuewriter.cpp#L207

See https://www.securecoding.cert.org/confluence/display/c/FLP34-C.+Ensure+that+floating-point+conversions+are+within+range+of+the+new+type for additional details.

The relevant undefined behavior sanitizer stack trace is:

[js_test:bulk_insert] 2016-02-17T11:39:27.140-0500 (/home/andrew/Documents/10gen/dev/src/mongodb/mongo+0x99eb81): runtime error: value 1.45573e+12 is outside the range of representable values of type 'int'
[js_test:bulk_insert] 2016-02-17T11:39:27.142-0500     #0 0xbdaf6c in mongo::mozjs::ValueWriter::writeThis(mongo::BSONObjBuilder*, mongo::StringData, mongo::mozjs::LifetimeStack<mongo::mozjs::ObjectWrapper::WriteFieldRecursionFrame, 150ul>*) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/scripting/mozjs/valuewriter.cpp:207:39
[js_test:bulk_insert] 2016-02-17T11:39:27.143-0500     #1 0xbc87c9 in mongo::mozjs::ObjectWrapper::_writeField(mongo::BSONObjBuilder*, mongo::mozjs::ObjectWrapper::Key, mongo::mozjs::LifetimeStack<mongo::mozjs::ObjectWrapper::WriteFieldRecursionFrame, 150ul>*, mongo::BSONObj*) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/scripting/mozjs/objectwrapper.cpp:568:5
[js_test:bulk_insert] 2016-02-17T11:39:27.143-0500     #2 0xbc8216 in mongo::mozjs::ObjectWrapper::toBSON() /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/scripting/mozjs/objectwrapper.cpp:522:13
[js_test:bulk_insert] 2016-02-17T11:39:27.143-0500     #3 0xbc0192 in mongo::mozjs::NativeFunctionInfo::call(JSContext*, JS::CallArgs) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/scripting/mozjs/nativefunction.cpp:85:33
[js_test:bulk_insert] 2016-02-17T11:39:27.146-0500     #4 0xbaa550 in bool mongo::mozjs::smUtils::call<mongo::mozjs::NativeFunctionInfo>(JSContext*, unsigned int, JS::Value*) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/scripting/mozjs/wraptype.h:117:9
[js_test:bulk_insert] 2016-02-17T11:39:27.164-0500     #5 0xfcad7f in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /home/andrew/Documents/10gen/dev/src/mongodb/src/third_party/mozjs-38/extract/js/src/jscntxtinlines.h:226:15
[js_test:bulk_insert] 2016-02-17T11:39:27.164-0500     #6 0xf6b64a in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /home/andrew/Documents/10gen/dev/src/mongodb/src/third_party/mozjs-38/extract/js/src/vm/Interpreter.cpp:491:16
[js_test:bulk_insert] 2016-02-17T11:39:27.165-0500     #7 0xf852c2 in Interpret(JSContext*, js::RunState&) /home/andrew/Documents/10gen/dev/src/mongodb/src/third_party/mozjs-38/extract/js/src/vm/Interpreter.cpp:2602:18
[js_test:bulk_insert] 2016-02-17T11:39:27.166-0500     #8 0xf7a19c in js::RunScript(JSContext*, js::RunState&) /home/andrew/Documents/10gen/dev/src/mongodb/src/third_party/mozjs-38/extract/js/src/vm/Interpreter.cpp:448:12
[js_test:bulk_insert] 2016-02-17T11:39:27.167-0500     #9 0xf8efec in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) /home/andrew/Documents/10gen/dev/src/mongodb/src/third_party/mozjs-38/extract/js/src/vm/Interpreter.cpp:654:15
[js_test:bulk_insert] 2016-02-17T11:39:27.167-0500     #10 0xf8f343 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /home/andrew/Documents/10gen/dev/src/mongodb/src/third_party/mozjs-38/extract/js/src/vm/Interpreter.cpp:690:12
[js_test:bulk_insert] 2016-02-17T11:39:27.180-0500     #11 0x14452fc in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) /home/andrew/Documents/10gen/dev/src/mongodb/src/third_party/mozjs-38/extract/js/src/jsapi.cpp:3994:12
[js_test:bulk_insert] 2016-02-17T11:39:27.180-0500     #12 0xb9d1cf in mongo::mozjs::MozJSImplScope::exec(mongo::StringData, std::string const&, bool, bool, bool, int) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/scripting/mozjs/implscope.cpp:637:15
[js_test:bulk_insert] 2016-02-17T11:39:27.181-0500     #13 0xbd0eed in mongo::mozjs::MozJSProxyScope::exec(mongo::StringData, std::string const&, bool, bool, bool, int)::$_26::operator()() const /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/scripting/mozjs/proxyscope.cpp:223:15
[js_test:bulk_insert] 2016-02-17T11:39:27.181-0500     #14 0xbcaea2 in mongo::mozjs::MozJSProxyScope::implThread(void*) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/scripting/mozjs/proxyscope.cpp:348:13
[js_test:bulk_insert] 2016-02-17T11:39:27.182-0500     #15 0xb77e81 in nspr::Thread::ThreadRoutine(void*) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/scripting/mozjs/PosixNSPR.cpp:56:5
[js_test:bulk_insert] 2016-02-17T11:39:27.187-0500     #16 0x7f445017d02f  (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xb902f)
[js_test:bulk_insert] 2016-02-17T11:39:27.191-0500     #17 0x7f444fead6a9 in start_thread /build/buildd/glibc-2.21/nptl/pthread_create.c:333
[js_test:bulk_insert] 2016-02-17T11:39:27.221-0500     #18 0x7f444f9cbeec in clone /build/buildd/glibc-2.21/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109
[js_test:bulk_insert] 2016-02-17T11:39:27.221-0500



Comments
Comment by Githook User [ 17/Apr/17 ]

Author:

{u'username': u'samantharitter', u'name': u'samantharitter', u'email': u'samantha.ritter@10gen.com'}

Message: SERVER-22686 Add C++14 enable_if_t to stdx

(cherry picked from commit 25f28a35d6a02a11c39c0be454169fc93baf4bf9)
Branch: v3.2
https://github.com/mongodb/mongo/commit/39e2812ef1b0dc31ead23ca057f81c928538c547

Comment by Githook User [ 10/Mar/16 ]

Author:

{u'username': u'samantharitter', u'name': u'samantharitter', u'email': u'samantha.ritter@10gen.com'}

Message: SERVER-22686 Replace unsafe static_cast with call to representAs
Branch: master
https://github.com/mongodb/mongo/commit/41a738c7629cd52b357b0bce6650182219ae9088

Comment by Githook User [ 10/Mar/16 ]

Author:

{u'username': u'samantharitter', u'name': u'samantharitter', u'email': u'samantha.ritter@10gen.com'}

Message: SERVER-22686 Add a generic representAs library to /util
Branch: master
https://github.com/mongodb/mongo/commit/09f0ea9e86f981fad344df339bbadb6eb587f28e

Comment by Githook User [ 10/Mar/16 ]

Author:

{u'username': u'samantharitter', u'name': u'samantharitter', u'email': u'samantha.ritter@10gen.com'}

Message: SERVER-22686 Add C++14 enable_if_t to stdx
Branch: master
https://github.com/mongodb/mongo/commit/25f28a35d6a02a11c39c0be454169fc93baf4bf9

Comment by Andrew Morrow (Inactive) [ 17/Feb/16 ]

Note that it appears that -Inf can occur here too:

[js_test:index_bounds_number_edge_cases] 2016-02-17T12:37:30.436-0500 (/home/andrew/Documents/10gen/dev/src/mongodb/mongo+0x99eb81): runtime error: value -inf is outside the range of representable values of type 'int'
[js_test:index_bounds_number_edge_cases] 2016-02-17T12:37:30.437-0500     #0 0xbdaf6c in mongo::mozjs::ValueWriter::writeThis(mongo::BSONObjBuilder*, mongo::StringData, mongo::mozjs::LifetimeStack<mongo::mozjs::ObjectWrapper::WriteFieldRecursionFrame, 150ul>*) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/scripting/mozjs/valuewriter.cpp:207:39
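The following is an added example, not MongoDB's representAs library or the code in valuewriter.cpp: a range-checked double-to-signed-integer conversion in the spirit of the fix ("Replace unsafe static_cast with call to representAs"), which rejects the 1.45573e+12 and -inf inputs that ubsan flagged in the description and the comment above instead of invoking undefined behavior. The names `representAs` and `classifyNumber` and the int32-or-double decision are illustrative assumptions.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>
#include <string>
#include <type_traits>

// Illustrative range-checked conversion (not MongoDB's implementation).
// static_cast<T>(double) is undefined for values outside T's range (FLP34-C);
// this returns false for those inputs and only casts once the value is known
// to be representable.
template <typename T>
bool representAs(double value, T* out) {
    static_assert(std::is_integral<T>::value && std::is_signed<T>::value,
                  "signed integer target only");
    // NaN and +/-inf can never be represented; isfinite rejects all three.
    if (!std::isfinite(value)) return false;
    // Require an exactly integral value: 3.5 is not "representable as int".
    if (std::trunc(value) != value) return false;
    // Range check performed in double. min() == -2^(N-1) is a power of two and
    // converts to double exactly, while max() may round UP when converted
    // (e.g. INT64_MAX becomes 2^63), so "value <= max()" would wrongly accept
    // 2^63. Comparing strictly against -min (== 2^(N-1)) avoids that trap.
    const double lo = static_cast<double>(std::numeric_limits<T>::min());
    const double hiExclusive = -lo;
    if (value < lo || value >= hiExclusive) return false;
    *out = static_cast<T>(value);  // in range: the cast is now well-defined
    return true;
}

// Mirrors the kind of decision the ticket describes: a JS number that fits an
// int32 exactly is tagged as a 32-bit integer, anything else stays a double.
// The tags are illustrative, not BSON's real type encoding.
std::string classifyNumber(double value) {
    int32_t asInt = 0;
    if (representAs<int32_t>(value, &asInt)) return "int32";
    return "double";
}
```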

Generated at Thu Feb 08 04:01:10 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.