[SERVER-26343] Inserting DBPointer.prototype into collection segmentation faults mongo shell Created: 26/Sep/16  Updated: 10/Apr/17  Resolved: 05/Oct/16

Status: Closed
Project: Core Server
Component/s: Shell
Affects Version/s: 3.1.7
Fix Version/s: 3.2.13, 3.4.0-rc1

Type: Bug Priority: Major - P3
Reporter: Eddie Louie Assignee: Mira Carey
Resolution: Done Votes: 0
Labels: bkp
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v3.2
Sprint: Platforms 2016-10-10
Participants:
Linked BF Score: 0

Description

Issue reproduced on 3.2.x; it does not reproduce on 3.0.x. It appears to affect the releases that use the SpiderMonkey JavaScript engine.
Backtrace captured on Ubuntu 16.04 using mongo 3.3.12:

src/mongo/util/stacktrace_posix.cpp:172:0: mongo::printStackTrace(std::ostream&)
src/mongo/util/signal_handlers_synchronous.cpp:178:0: mongo::(anonymous namespace)::printSignalAndBacktrace(int)
src/mongo/util/signal_handlers_synchronous.cpp:274:0: mongo::(anonymous namespace)::abruptQuitWithAddrSignal(int, siginfo_t*, void*)
src/third_party/mozjs-45/extract/js/src/asmjs/AsmJSSignalHandlers.cpp:1159:0: AsmJSFaultHandler(int, siginfo_t*, void*)
??:0:0: ??
src/third_party/mozjs-45/extract/js/src/jsapi.cpp:1742:0: ??
src/mongo/scripting/mozjs/oid.cpp:111:0: mongo::mozjs::OIDInfo::getOID(JSContext*, JS::Handle<JSObject*>)
src/mongo/scripting/mozjs/oid.cpp:107:0: mongo::mozjs::OIDInfo::getOID(JSContext*, JS::Handle<JS::Value>)
src/mongo/scripting/mozjs/valuewriter.cpp:346:0: mongo::mozjs::ValueWriter::_writeObject(mongo::BSONObjBuilder*, mongo::StringData, mongo::mozjs::LifetimeStack<mongo::mozjs::ObjectWrapper::WriteFieldRecursionFrame, 150ul>*)
src/mongo/scripting/mozjs/valuewriter.cpp:267:0: mongo::mozjs::ValueWriter::writeThis(mongo::BSONObjBuilder*, mongo::StringData, mongo::mozjs::LifetimeStack<mongo::mozjs::ObjectWrapper::WriteFieldRecursionFrame, 150ul>*)
src/mongo/scripting/mozjs/objectwrapper.cpp:601:0: mongo::mozjs::ObjectWrapper::_writeField(mongo::BSONObjBuilder*, mongo::mozjs::ObjectWrapper::Key, mongo::mozjs::LifetimeStack<mongo::mozjs::ObjectWrapper::WriteFieldRecursionFrame, 150ul>*, mongo::BSONObj*)
src/mongo/scripting/mozjs/objectwrapper.cpp:528:0: mongo::mozjs::ObjectWrapper::toBSON()
src/mongo/scripting/mozjs/valuewriter.cpp:153:0: mongo::mozjs::ValueWriter::toBSON()
src/mongo/scripting/mozjs/object.cpp:59:0: mongo::mozjs::ObjectInfo::Functions::bsonsize::call(JSContext*, JS::CallArgs)
src/mongo/scripting/mozjs/wraptype.h:94:0: bool mongo::mozjs::smUtils::wrapFunction<mongo::mozjs::ObjectInfo::Functions::bsonsize>(JSContext*, unsigned int, JS::Value*)
src/third_party/mozjs-45/extract/js/src/jscntxtinlines.h:235:0: js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)
src/third_party/mozjs-45/extract/js/src/vm/Interpreter.cpp:444:0: js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct)
src/third_party/mozjs-45/extract/js/src/vm/Interpreter.cpp:2766:0: Interpret(JSContext*, js::RunState&)
src/third_party/mozjs-45/extract/js/src/vm/Interpreter.cpp:391:0: js::RunScript(JSContext*, js::RunState&)
src/third_party/mozjs-45/extract/js/src/vm/Interpreter.cpp:650:0: js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*)
src/third_party/mozjs-45/extract/js/src/vm/Interpreter.cpp:685:0: js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*)
src/third_party/mozjs-45/extract/js/src/jsapi.cpp:4410:0: ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*)
src/third_party/mozjs-45/extract/js/src/jsapi.cpp:4436:0: JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>)
src/mongo/scripting/mozjs/implscope.cpp:707:0: mongo::mozjs::MozJSImplScope::exec(mongo::StringData, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool, bool, bool, int)
src/mongo/scripting/mozjs/proxyscope.cpp:224:0: operator()
/usr/include/c++/5/functional:1871:0: std::_Function_handler<void (), mongo::mozjs::MozJSProxyScope::exec(mongo::StringData, std::__cxx11::basic_string<char,



Comments
Comment by Githook User [ 10/Apr/17 ]

Author: Jason Carey (hanumantmk, jcarey@argv.me)

Message: SERVER-26343 DBPointer.prototype -> bson crashes

DBPointer's prototype isn't serializable and triggers a bad code path in
oid. Let's guard against that route.

(cherry picked from commit cd96e35ef6e004d89a1618740beec5f405cbfe69)
Branch: v3.2
https://github.com/mongodb/mongo/commit/f9e931888991b78ac7d8ff6367f0a168e0bbaa15

Comment by Githook User [ 05/Oct/16 ]

Author: Jason Carey (hanumantmk, jcarey@argv.me)

Message: SERVER-26343 DBPointer.prototype -> bson crashes

DBPointer's prototype isn't serializable and triggers a bad code path in
oid. Let's guard against that route.
Branch: master
https://github.com/mongodb/mongo/commit/cd96e35ef6e004d89a1618740beec5f405cbfe69
