[SERVER-3395] Searching for certain IDs on documents with indexed fields using the Mongoose driver can seg fault the mongodb server Created: 08/Jul/11  Updated: 12/Jul/16  Resolved: 15/Jul/11

Status: Closed
Project: Core Server
Component/s: Querying
Affects Version/s: 1.8.1
Fix Version/s: 1.9.0

Type: Bug Priority: Major - P3
Reporter: Brett Kiefer Assignee: Spencer Brody (Inactive)
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: 64-bit FreeBSD
Operating System: FreeBSD
Participants:

Description

Running this gist against MongoDB 1.8.1 on FreeBSD will crash the server
https://gist.github.com/1071926

Message is:
Fri Jul 8 09:58:29 Invalid access at address: 0x801fffffa
Fri Jul 8 09:58:29 Got signal: 11 (Segmentation fault: 11).
Fri Jul 8 09:58:29 Backtrace:
Fri Jul 8 09:58:29 Invalid access at address: 0x801b1c813
Fri Jul 8 09:58:29 Got signal: 10 (Bus error: 10).
Fri Jul 8 09:58:29 Backtrace:

Repro:
Install node.js
Install npm
npm install mongoose
node crashMongo.js

Expected:
Bad query (because of the blank id)

Observed:
Server crashes

My other test environment is MongoDB 1.6.5 on Linux, and it does not crash.

The driver is probably doing something incorrect, but I would expect the server to be robust against ill-formed queries.



Comments
Comment by Spencer Brody (Inactive) [ 15/Jul/11 ]

Was able to successfully reproduce with 1.8.1 and 1.8.2 on FreeBSD, but it seems to be fixed already on 1.9.0.

Comment by Daniel Pasette (Inactive) [ 14/Jul/11 ]

I think the seg fault is OS dependent. However, this particular problem was traced back to a bug in the node-native-mongo driver, according to the maintainer. Apparently there was a bad serialization of arrays to bson. This bug had been fixed in 0.9.6.5 already for a while but mongoose was using 0.9.6.4. Mongoose can upgrade their driver now.
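The reporter's expectation that the server should survive an ill-formed query, and the note above that the driver mis-serialized arrays to BSON, both come down to the same defensive check: validate every BSON length prefix and terminator against the bytes actually present before trusting them. The following is an added example and not code from this issue, from MongoDB, Mongoose, or the node driver. It is a bounds-checking BSON walker in JavaScript that returns an error for a document whose embedded array declares more bytes than exist, whose array keys are not sequential indices, or which is truncated, instead of reading past the buffer. The sample query bytes, the ObjectId value, and the corruption applied to the array length are constructed here; the actual bytes the driver produced are not on the page.

```javascript
'use strict';

// --- Tiny BSON encoder, only to build constructed sample documents ----------
function cstring(s) {
  return Buffer.concat([Buffer.from(s, 'utf8'), Buffer.from([0])]);
}
function int32(n) {
  const b = Buffer.alloc(4);
  b.writeInt32LE(n, 0);
  return b;
}
// BSON string: int32 byte length (including the NUL), bytes, NUL
function bsonString(s) {
  const bytes = Buffer.from(s, 'utf8');
  return Buffer.concat([int32(bytes.length + 1), bytes, Buffer.from([0])]);
}
// elements: array of [typeByte, key, valueBuffer]; arrays are documents with keys "0","1",...
function bsonDocument(elements) {
  const body = Buffer.concat(
    elements.map(([type, key, value]) => Buffer.concat([Buffer.from([type]), cstring(key), value]))
  );
  return Buffer.concat([int32(4 + body.length + 1), body, Buffer.from([0])]);
}

// --- Defensive walker: every read is checked against the enclosing bounds ---
const MAX_DEPTH = 32;
// Fixed-size element types: double, ObjectId, bool, UTC datetime, null, int32, int64
const FIXED = new Map([[0x01, 8], [0x07, 12], [0x08, 1], [0x09, 8], [0x0a, 0], [0x10, 4], [0x12, 8]]);

// Returns the number of bytes the document occupies; throws on any malformation.
function walkDocument(buf, start, limit, depth, isArray) {
  if (depth > MAX_DEPTH) throw new Error(`nesting deeper than ${MAX_DEPTH} at ${start}`);
  if (limit - start < 5) throw new Error(`document at ${start} needs 5 bytes, ${limit - start} left`);
  const declared = buf.readInt32LE(start);
  if (declared < 5 || start + declared > limit) {
    throw new Error(`document at ${start} declares ${declared} bytes, only ${limit - start} available`);
  }
  const end = start + declared;
  let pos = start + 4;
  let index = 0;
  for (;;) {
    if (pos >= end) throw new Error(`document at ${start} has no terminating NUL`);
    const type = buf[pos++];
    if (type === 0x00) {
      if (pos !== end) throw new Error(`${end - pos} trailing bytes inside document at ${start}`);
      return declared;
    }
    const keyEnd = buf.indexOf(0, pos);           // key is a NUL-terminated cstring
    if (keyEnd === -1 || keyEnd >= end) throw new Error(`unterminated key at ${pos}`);
    const key = buf.toString('utf8', pos, keyEnd);
    if (isArray && key !== String(index)) throw new Error(`array key "${key}" at ${pos}, expected "${index}"`);
    index += 1;
    pos = keyEnd + 1;
    pos += walkValue(buf, type, pos, end, depth);
  }
}

function walkValue(buf, type, pos, end, depth) {
  const need = (n) => {
    if (pos + n > end) throw new Error(`type 0x${type.toString(16)} at ${pos} needs ${n} bytes, ${end - pos} left`);
    return n;
  };
  if (FIXED.has(type)) return need(FIXED.get(type));
  switch (type) {
    case 0x02: { // string
      need(4);
      const len = buf.readInt32LE(pos);
      if (len < 1) throw new Error(`string at ${pos} has length ${len}`);
      need(4 + len);
      if (buf[pos + 4 + len - 1] !== 0) throw new Error(`string at ${pos} not NUL-terminated`);
      return 4 + len;
    }
    case 0x03: return walkDocument(buf, pos, end, depth + 1, false); // embedded document
    case 0x04: return walkDocument(buf, pos, end, depth + 1, true);  // array
    default: throw new Error(`unknown element type 0x${type.toString(16)} at ${pos - 1}`);
  }
}

// Public entry point: never throws, never reads outside buf.
function validateBson(buf) {
  try {
    const consumed = walkDocument(buf, 0, buf.length, 0, false);
    if (consumed !== buf.length) throw new Error(`${buf.length - consumed} bytes after top-level document`);
    return { ok: true };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Constructed sample query, roughly { _id: ObjectId(...), tags: ["a", "b"] }.
const SAMPLE_OID = Buffer.from('4e16e3d8f3d0c1a0b2c3d4e5', 'hex'); // 12 bytes, made up
const goodQuery = bsonDocument([
  [0x07, '_id', SAMPLE_OID],
  [0x04, 'tags', bsonDocument([[0x02, '0', bsonString('a')], [0x02, '1', bsonString('b')]])],
]);

// Stand-in for a bad array serialization: overwrite the embedded array's length
// prefix so it claims far more bytes than the buffer holds.
function corruptArrayLength(doc) {
  const bad = Buffer.from(doc);
  const valueOffset = doc.indexOf(cstring('tags')) + cstring('tags').length;
  bad.writeInt32LE(0x7fffffff, valueOffset);
  return bad;
}

console.log(validateBson(goodQuery));                                   // { ok: true }
console.log(validateBson(corruptArrayLength(goodQuery)));               // { ok: false, error: 'document at 27 declares ...' }
console.log(validateBson(goodQuery.subarray(0, goodQuery.length - 3))); // { ok: false, error: ... }
```

A server-side parser written this way fails the request with an error rather than dereferencing an address derived from an attacker- or bug-controlled length, which is the robustness the reporter asks for; the same walker is useful on the driver side as a self-check before a query leaves the client.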

Comment by Brett Kiefer [ 14/Jul/11 ]

I wonder if the seg fault might be OS-dependent? We're on FreeBSD 8.2: (8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17 02:41:51 UTC 2011 root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64), with MongoDB 1.8.1 built from ports with no modifications. In what ways does your test environment differ?

Comment by Spencer Brody (Inactive) [ 14/Jul/11 ]

While I was successfully able to reproduce the bug on the mongoose side using version 1.6.0 of mongoose, I could not reproduce the server segfault on mongo 1.8.1, 1.8.2, or HEAD.

Thanks for reporting, we'll keep our eyes open for more reports of this problem.

Comment by Brett Kiefer [ 08/Jul/11 ]

The gist will crash just fine against a blank DB – no data needs to be populated. The Mongoose version is 1.6.0.

Comment by Scott Hernandez (Inactive) [ 08/Jul/11 ]

Can you put together a test case to reproduce it? It seems like there is some data expected in your gist, or can we just run that without anything else?

Also, what version of the driver are you using?

Comment by Brett Kiefer [ 08/Jul/11 ]

No, I can only repro through Mongoose, and only with a schema that it thinks has an 'indexed:true' member. Unfortunately, the backtrace in the mongo logs is blank, as in the description above. I reported it to Mongoose as well: https://github.com/LearnBoost/mongoose/issues/407, but the server crash seems like it's for y'all.

Comment by Scott Hernandez (Inactive) [ 08/Jul/11 ]

Can you reproduce this without mongoose, and with just the mongo javascript shell? Also, is there a chance there is corruption in the db (did you have any unclean shutdowns)? Please include the full stacktrace as well.
