[SERVER-4512] segmentation fault on map-reduce javascript syntax error
Created: 16/Dec/11  Updated: 29/May/12  Resolved: 21/Dec/11

Status: Closed
Project: Core Server
Component/s: JavaScript, MapReduce
Affects Version/s: 2.0.1
Fix Version/s: None

Type: Bug
Priority: Critical - P2
Reporter: Api
Assignee: Antoine Girbal
Resolution: Duplicate
Votes: 0
Labels: javascript, map_reduce, mapreduce
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Ubuntu 10.04.3 LTS Linux 2.6.32-32-generic #62-Ubuntu SMP x86_64 GNU/Linux
sysInfo: Linux bs-linux64.10gen.cc 2.6.21.7-2.ec2.v1.2.fc8xen #1 SMP Fri Nov 20 17:48:28 EST 2009 x86_64 BOOST_LIB_VERSION=1_41
versionArray: Array
bits: 64
debug
maxBsonObjectSize: 16777216


Attachments: File mongodb.crash.log    
Operating System: Linux
Participants:

 Description   

Putting the following javascript function into the scope of a map reduce call makes the mongod process seg fault.

Javascript function in the map reduce scope:

function(values) {
copy_val = {};
for (var k in values): // <-- SYNTAX ERROR
copy_val[k] = values[k];
return copy_val;
};

Clearly the function has a syntax error (the colon after the for loop).

The mongod log is as follows (also attached).

Fri Dec 16 17:18:52 [conn103] JS Error: SyntaxError: syntax error nofile_b:2
Fri Dec 16 17:18:52 [conn103] compile failed for: function(values) {
copy_val = {};
for (var k in values):
copy_val[k] = values[k];

return copy_val;
};
Fri Dec 16 17:18:52 Invalid access at address: 0

Fri Dec 16 17:18:52 Got signal: 11 (Segmentation fault).

Fri Dec 16 17:18:52 Backtrace:
0xa89b19 0xa8a0f0 0x7f734bca38f0 0x6b9190 0x6b66a0 0x6b8177 0x9a24b3 0x9bbe94 0x9766df 0x9783b5 0x961745 0x964ad1 0x882407 0x888c2c 0xa9c576 0x638937 0x7f734bc9a9ca 0x7f734b24970d
/opt/mongodb/current/bin/mongod(_ZN5mongo10abruptQuitEi+0x399) [0xa89b19]
/opt/mongodb/current/bin/mongod(_ZN5mongo24abruptQuitWithAddrSignalEiP7siginfoPv+0x220) [0xa8a0f0]
/lib/libpthread.so.0(+0xf8f0) [0x7f734bca38f0]
/opt/mongodb/current/bin/mongod(JS_GetFunctionObject+0) [0x6b9190]
/opt/mongodb/current/bin/mongod(_ZN5mongo9Convertor5tovalERKNS_11BSONElementE+0xa20) [0x6b66a0]
/opt/mongodb/current/bin/mongod(_ZN5mongo7SMScope4initEPKNS_7BSONObjE+0xc7) [0x6b8177]
/opt/mongodb/current/bin/mongod(_ZN5mongo2mr5State4initEv+0x1f3) [0x9a24b3]
/opt/mongodb/current/bin/mongod(_ZN5mongo2mr16MapReduceCommand3runERKSsRNS_7BSONObjEiRSsRNS_14BSONObjBuilderEb+0x1a4) [0x9bbe94]
/opt/mongodb/current/bin/mongod(_ZN5mongo11execCommandEPNS_7CommandERNS_6ClientEiPKcRNS_7BSONObjERNS_14BSONObjBuilderEb+0x62f) [0x9766df]
/opt/mongodb/current/bin/mongod(_ZN5mongo12_runCommandsEPKcRNS_7BSONObjERNS_11_BufBuilderINS_16TrivialAllocatorEEERNS_14BSONObjBuilderEbi+0x705) [0x9783b5]
/opt/mongodb/current/bin/mongod(_ZN5mongo11runCommandsEPKcRNS_7BSONObjERNS_5CurOpERNS_11_BufBuilderINS_16TrivialAllocatorEEERNS_14BSONObjBuilderEbi+0x35) [0x961745]
/opt/mongodb/current/bin/mongod(ZN5mongo8runQueryERNS_7MessageERNS_12QueryMessageERNS_5CurOpES1+0x11e1) [0x964ad1]
/opt/mongodb/current/bin/mongod() [0x882407]
/opt/mongodb/current/bin/mongod(_ZN5mongo16assembleResponseERNS_7MessageERNS_10DbResponseERKNS_11HostAndPortE+0x55c) [0x888c2c]
/opt/mongodb/current/bin/mongod(_ZN5mongo16MyMessageHandler7processERNS_7MessageEPNS_21AbstractMessagingPortEPNS_9LastErrorE+0x76) [0xa9c576]
/opt/mongodb/current/bin/mongod(_ZN5mongo3pms9threadRunEPNS_13MessagingPortE+0x287) [0x638937]
/lib/libpthread.so.0(+0x69ca) [0x7f734bc9a9ca]
/lib/libc.so.6(clone+0x6d) [0x7f734b24970d]

Logstream::get called in uninitialized state
Fri Dec 16 17:18:52 ERROR: Client::shutdown not called: conn

The same javascript syntax error does not trigger the seg fault if executed in the mongo shell.

> db.eval("function testone() { values = {}; copy_val = {}; for (var k in values): copy_val[k] = values[k]; return copy_val; };")
Fri Dec 16 17:58:41 uncaught exception: {
"errmsg" : "compile failed: JS Error: SyntaxError: syntax error nofile_b:0",
"ok" : 0
}
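
A log-triage sketch for the crash signature shown in this ticket, added here as an example and not part of the original report or of MongoDB's code: it flags a fatal signal logged within a few seconds of a "compile failed for:" line and lists the readable frame names from the backtrace. The function names, the 5-second window and the abridged sample log are assumptions made for illustration.

```python
import re

# Constructed sample: abridged from the mongod log lines quoted in this ticket.
SAMPLE_LOG = """\
Fri Dec 16 17:18:52 [conn103] JS Error: SyntaxError: syntax error nofile_b:2
Fri Dec 16 17:18:52 [conn103] compile failed for: function(values) {
for (var k in values):
Fri Dec 16 17:18:52 Invalid access at address: 0
Fri Dec 16 17:18:52 Got signal: 11 (Segmentation fault).
Fri Dec 16 17:18:52 Backtrace:
/opt/mongodb/current/bin/mongod(JS_GetFunctionObject+0) [0x6b9190]
/opt/mongodb/current/bin/mongod(_ZN5mongo7SMScope4initEPKNS_7BSONObjE+0xc7) [0x6b8177]
/opt/mongodb/current/bin/mongod(_ZN5mongo2mr5State4initEv+0x1f3) [0x9a24b3]
"""

TS = r"(?P<day>\w{3} \w{3} +\d+) (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) "
COMPILE_FAIL = re.compile(TS + r"\[(?P<conn>conn\d+)\] compile failed for:")
SIGNAL = re.compile(TS + r"Got signal: (?P<sig>\d+) ")
FRAME = re.compile(r"\S+\((?P<sym>[^()+]+)\+(?:0x)?[0-9a-f]+\) \[0x[0-9a-f]+\]$")

def _stamp(m):
    # This log format has no year: compare the day text and seconds-of-day only.
    return m["day"], int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])

def plain_name(sym):
    """Readable name for a simple _ZN...E nested symbol; anything else unchanged."""
    if not sym.startswith("_ZN"):
        return sym
    parts, rest = [], sym[3:]
    while (m := re.match(r"\d+", rest)):
        n = int(m.group())
        parts.append(rest[m.end():m.end() + n])
        rest = rest[m.end() + n:]
    return "::".join(parts) if parts else sym

def find_js_compile_crashes(log_text, window=5):
    """Fatal signals logged within `window` seconds after a JS compile failure."""
    findings, pending, current = [], None, None
    for line in log_text.splitlines():
        if (m := COMPILE_FAIL.match(line)):
            pending, current = (m["conn"], *_stamp(m)), None
        elif (m := SIGNAL.match(line)):
            (day, sec), current = _stamp(m), None
            if pending and pending[1] == day and 0 <= sec - pending[2] <= window:
                findings.append(current := {"conn": pending[0], "signal": int(m["sig"]), "frames": []})
            pending = None
        elif current is not None and (m := FRAME.match(line)):
            current["frames"].append(plain_name(m["sym"]))
    return findings
```

A finding whose top frames are in the JS scope setup path, as here, points at server-side handling of client-supplied code rather than at the data being processed.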



 Comments   
Comment by Antoine Girbal [ 21/Dec/11 ]

Thanks for the report.
This will be fixed in 2.1.0 and later.

Comment by Api [ 20/Dec/11 ]

The crash is triggered by requesting a Map Reduce via a Python program using the Python driver (PyMongo).
Instead, when requesting the same Map Reduce (with the JS syntax error in the scope) in the mongo shell, no crash is triggered, but the syntax error is reported correctly by mongo (see above).

I think the two bugs are related (sorry, I didn't find the duplicate since I searched for critical bugs: a server crash is regarded to be critical).

Thanks.

Comment by Antoine Girbal [ 17/Dec/11 ]

How exactly do you trigger the crash, using what client / driver?
You are saying that you cannot trigger the error from shell?

Most likely this is related to
SERVER-3425: Server crash when passed invalid JS in CodeWScope object
