[SERVER-7266] Using db.eval within $where causes the server to crash Created: 04/Oct/12  Updated: 11/Jul/16  Resolved: 01/Apr/13

Status: Closed
Project: Core Server
Component/s: Stability
Affects Version/s: 2.2.0
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Sridhar Nanjundeswaran Assignee: Unassigned
Resolution: Done Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Operating System: ALL
Participants:

 Description   

> db.venues.insert({foo:1})
> db.venues.find({$where:"db.eval('anything')"})
will cause the server to crash with

Thu Oct  4 16:45:13 [conn1] can't lock_W, threadState=114
Thu Oct  4 16:45:13 [conn1]  test.venues Fatal Assertion 16114
0x10037637b 0x1000aeeb5 0x1005f29cc 0x10031ce47 0x1003a51d6 0x1003a5e96 0x1003a7a01 0x10008126b 0x100085399 0x1006464c9 0x1006494d6 0x10064aec9 0x100175487 0x1001ac2df 0x10063efbf 0x10043c73e 0x1005349cc 0x100536651 0x1005351c4 0x1005456b4 
 0   mongod                              0x000000010037637b _ZN5mongo15printStackTraceERSo + 43
 1   mongod                              0x00000001000aeeb5 _ZN5mongo13fassertFailedEi + 165
 2   mongod                              0x00000001005f29cc _ZN5mongo4Lock11GlobalWriteC2Ebi + 588
 3   mongod                              0x000000010031ce47 _ZN5mongo7CmdEval3runERKSsRNS_7BSONObjEiRSsRNS_14BSONObjBuilderEb + 647
 4   mongod                              0x00000001003a51d6 _ZN5mongo12_execCommandEPNS_7CommandERKSsRNS_7BSONObjEiRNS_14BSONObjBuilderEb + 86
 5   mongod                              0x00000001003a5e96 _ZN5mongo11execCommandEPNS_7CommandERNS_6ClientEiPKcRNS_7BSONObjERNS_14BSONObjBuilderEb + 2054
 6   mongod                              0x00000001003a7a01 _ZN5mongo12_runCommandsEPKcRNS_7BSONObjERNS_11_BufBuilderINS_16TrivialAllocatorEEERNS_14BSONObjBuilderEbi + 1697
 7   mongod                              0x000000010008126b _ZN5mongo11runCommandsEPKcRNS_7BSONObjERNS_5CurOpERNS_11_BufBuilderINS_16TrivialAllocatorEEERNS_14BSONObjBuilderEbi + 59
 8   mongod                              0x0000000100085399 _ZN5mongo8runQueryERNS_7MessageERNS_12QueryMessageERNS_5CurOpES1_ + 4345
 9   mongod                              0x00000001006464c9 _ZN5mongoL13receivedQueryERNS_6ClientERNS_10DbResponseERNS_7MessageE + 393
 10  mongod                              0x00000001006494d6 _ZN5mongo16assembleResponseERNS_7MessageERNS_10DbResponseERKNS_11HostAndPortE + 950
 11  mongod                              0x000000010064aec9 _ZN5mongo14DBDirectClient4callERNS_7MessageES2_bPSs + 121
 12  mongod                              0x0000000100175487 _ZN5mongo14DBClientCursor4initEv + 167
 13  mongod                              0x00000001001ac2df _ZN5mongo12DBClientBase5queryERKSsNS_5QueryEiiPKNS_7BSONObjEii + 191
 14  mongod                              0x000000010063efbf _ZN5mongo14DBDirectClient5queryERKSsNS_5QueryEiiPKNS_7BSONObjEii + 79
 15  mongod                              0x000000010043c73e _ZN5mongo10mongo_findEP9JSContextP8JSObjectjPlS4_ + 814
 16  mongod                              0x00000001005349cc js_Invoke + 1260
 17  mongod                              0x0000000100536651 js_Interpret + 3921
 18  mongod                              0x00000001005351c4 js_Invoke + 3300
 19  mongod                              0x00000001005456b4 js_InternalInvoke + 212
Thu Oct  4 16:45:13 [conn1] 
 
***aborting after fassert() failure
 
 
Thu Oct  4 16:45:13 Got signal: 6 (Abort trap: 6).
 
Thu Oct  4 16:45:13 Backtrace:
0x10037637b 0x100001a6b 0x7fff928f58ea 0x104c0b790 0x7fff9294cdce 0x1000aeef0 0x1005f29cc 0x10031ce47 0x1003a51d6 0x1003a5e96 0x1003a7a01 0x10008126b 0x100085399 0x1006464c9 0x1006494d6 0x10064aec9 0x100175487 0x1001ac2df 0x10063efbf 0x10043c73e 
 0   mongod                              0x000000010037637b _ZN5mongo15printStackTraceERSo + 43
 1   mongod                              0x0000000100001a6b _ZN5mongo10abruptQuitEi + 987
 2   libsystem_c.dylib                   0x00007fff928f58ea _sigtramp + 26
 3   ???                                 0x0000000104c0b790 0x0 + 4374706064
 4   libsystem_c.dylib                   0x00007fff9294cdce abort + 143
 5   mongod                              0x00000001000aeef0 _ZN5mongo13fassertFailedEi + 224
 6   mongod                              0x00000001005f29cc _ZN5mongo4Lock11GlobalWriteC2Ebi + 588
 7   mongod                              0x000000010031ce47 _ZN5mongo7CmdEval3runERKSsRNS_7BSONObjEiRSsRNS_14BSONObjBuilderEb + 647
 8   mongod                              0x00000001003a51d6 _ZN5mongo12_execCommandEPNS_7CommandERKSsRNS_7BSONObjEiRNS_14BSONObjBuilderEb + 86
 9   mongod                              0x00000001003a5e96 _ZN5mongo11execCommandEPNS_7CommandERNS_6ClientEiPKcRNS_7BSONObjERNS_14BSONObjBuilderEb + 2054
 10  mongod                              0x00000001003a7a01 _ZN5mongo12_runCommandsEPKcRNS_7BSONObjERNS_11_BufBuilderINS_16TrivialAllocatorEEERNS_14BSONObjBuilderEbi + 1697
 11  mongod                              0x000000010008126b _ZN5mongo11runCommandsEPKcRNS_7BSONObjERNS_5CurOpERNS_11_BufBuilderINS_16TrivialAllocatorEEERNS_14BSONObjBuilderEbi + 59
 12  mongod                              0x0000000100085399 _ZN5mongo8runQueryERNS_7MessageERNS_12QueryMessageERNS_5CurOpES1_ + 4345
 13  mongod                              0x00000001006464c9 _ZN5mongoL13receivedQueryERNS_6ClientERNS_10DbResponseERNS_7MessageE + 393
 14  mongod                              0x00000001006494d6 _ZN5mongo16assembleResponseERNS_7MessageERNS_10DbResponseERKNS_11HostAndPortE + 950
 15  mongod                              0x000000010064aec9 _ZN5mongo14DBDirectClient4callERNS_7MessageES2_bPSs + 121
 16  mongod                              0x0000000100175487 _ZN5mongo14DBClientCursor4initEv + 167
 17  mongod                              0x00000001001ac2df _ZN5mongo12DBClientBase5queryERKSsNS_5QueryEiiPKNS_7BSONObjEii + 191
 18  mongod                              0x000000010063efbf _ZN5mongo14DBDirectClient5queryERKSsNS_5QueryEiiPKNS_7BSONObjEii + 79
 19  mongod                              0x000000010043c73e _ZN5mongo10mongo_findEP9JSContextP8JSObjectjPlS4_ + 814



 Comments   
Comment by Sridhar Nanjundeswaran [ 29/Mar/13 ]

No longer crashes with 2.4.0 on OS X

Comment by Tad Marshall [ 05/Oct/12 ]

Reproduced on Windows:

Fri Oct 05 17:32:04 [initandlisten] MongoDB starting : pid=2472 port=27017 dbpath=\data\db\ 64-bit host=MissLucy
Fri Oct 05 17:32:04 [initandlisten]
Fri Oct 05 17:32:04 [initandlisten] ** NOTE: This is a development version (2.3.0-pre-) of MongoDB.
Fri Oct 05 17:32:04 [initandlisten] **       Not recommended for production.
Fri Oct 05 17:32:04 [initandlisten]
Fri Oct 05 17:32:04 [initandlisten] db version v2.3.0-pre-, pdfile version 4.5
Fri Oct 05 17:32:04 [initandlisten] git version: 0cb718d3cf435264e2d41f811ac5760d5a27027a
Fri Oct 05 17:32:04 [initandlisten] build info: windows sys.getwindowsversion(major=6, minor=1, build=7601, platform=2, service_pack='Service Pack 1') BOOST_LIB_VERSION=1_49
Fri Oct 05 17:32:04 [initandlisten] options: {}
Fri Oct 05 17:32:04 [initandlisten] journal dir=/data/db/journal
Fri Oct 05 17:32:04 [initandlisten] recover : no journal files present, no recovery needed
Fri Oct 05 17:32:05 [initandlisten] waiting for connections on port 27017
Fri Oct 05 17:32:05 [websvr] admin web console waiting for connections on port 28017
Fri Oct 05 17:32:27 [initandlisten] connection accepted from 127.0.0.1:59374 #1 (1 connection now open)
Fri Oct 05 17:32:30 [conn1] build index test.venues { _id: 1 }
Fri Oct 05 17:32:30 [conn1] build index done.  scanned 0 total records. 0 secs
Fri Oct 05 17:32:30 [conn1] insert test.venues keyUpdates:0 locks(micros) w:192328 157ms
Fri Oct 05 17:32:40 [conn1] warning: PageFaultException::touch happening with a lock
Fri Oct 05 17:32:40 [conn1] can't lock_W, threadState=114
Fri Oct 05 17:32:40 [conn1]  test.venues Fatal Assertion 16114
Fri Oct 05 17:32:40 [conn1] mongod.exe  ...\src\mongo\util\stacktrace.cpp(161)       mongo::printStackTrace+0x3e
Fri Oct 05 17:32:40 [conn1] mongod.exe  ...\src\mongo\util\assert_util.cpp(126)      mongo::fassertFailed+0x43
Fri Oct 05 17:32:40 [conn1] mongod.exe  ...\src\mongo\db\d_concurrency.cpp(133)      mongo::WrapperForQLock::lock_W+0x93
Fri Oct 05 17:32:40 [conn1] mongod.exe  ...\src\mongo\db\d_concurrency.cpp(435)      mongo::Lock::GlobalWrite::GlobalWrite+0xe9
Fri Oct 05 17:32:40 [conn1] mongod.exe  ...\src\mongo\db\dbeval.cpp(132)             mongo::CmdEval::run+0x1cc
Fri Oct 05 17:32:40 [conn1] mongod.exe  ...\src\mongo\db\dbcommands.cpp(1879)        mongo::_execCommand+0x69
Fri Oct 05 17:32:40 [conn1] mongod.exe  ...\src\mongo\db\dbcommands.cpp(2006)        mongo::execCommand+0x98d
Fri Oct 05 17:32:40 [conn1] mongod.exe  ...\src\mongo\db\dbcommands.cpp(2099)        mongo::_runCommands+0x3d7
Fri Oct 05 17:32:40 [conn1] mongod.exe  ...\src\mongo\db\ops\query.cpp(43)           mongo::runCommands+0x46
Fri Oct 05 17:32:40 [conn1] mongod.exe  ...\src\mongo\db\ops\query.cpp(933)          mongo::runQuery+0x414
Fri Oct 05 17:32:40 [conn1] mongod.exe  ...\src\mongo\db\instance.cpp(244)           mongo::receivedQuery+0x16d
Fri Oct 05 17:32:40 [conn1] mongod.exe  ...\src\mongo\db\instance.cpp(390)           mongo::assembleResponse+0x2ed
Fri Oct 05 17:32:40 [conn1] mongod.exe  ...\src\mongo\db\instance.cpp(881)           mongo::DBDirectClient::call+0x104
Fri Oct 05 17:32:40 [conn1] mongod.exe  ...\src\mongo\client\dbclientcursor.cpp(66)  mongo::DBClientCursor::init+0xd1
Fri Oct 05 17:32:40 [conn1] mongod.exe  ...\src\mongo\client\dbclient.cpp(803)       mongo::DBClientBase::query+0xd8
Fri Oct 05 17:32:40 [conn1] mongod.exe  ...\src\mongo\db\instance.cpp(900)           mongo::DBDirectClient::query+0x97
Fri Oct 05 17:32:40 [conn1] mongod.exe  ...\src\mongo\scripting\sm_db.cpp(409)       mongo::mongo_find+0x23b
Fri Oct 05 17:32:40 [conn1] mongod.exe  ...\src\third_party\js-1.7\jsinterp.c(1375)  js_Invoke+0xbf2
Fri Oct 05 17:32:40 [conn1] mongod.exe  ...\src\third_party\js-1.7\jsinterp.c(3944)  js_Interpret+0xdf3a
Fri Oct 05 17:32:40 [conn1] mongod.exe  ...\src\third_party\js-1.7\jsinterp.c(1394)  js_Invoke+0xc71
Fri Oct 05 17:32:40 [conn1]
 
***aborting after fassert() failure

>Debug.ListCallStack
 Index  Function
--------------------------------------------------------------------------------
 1      mongod.exe!__crt_debugger_hook(int _Reserved=85896248) 
 2      mongod.exe!_call_reportfault(int nDbgHookCode=16114, unsigned long dwExceptionCode=73364688, unsigned long dwExceptionFlags=85899944) 
 3      mongod.exe!abort() 
 4      mongod.exe!mongo::WrapperForQLock::lock_W() 
 5      mongod.exe!mongo::Lock::GlobalWrite::GlobalWrite(bool sg=true, int timeoutms=85899408) 
*6      mongod.exe!mongo::CmdEval::run(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & dbname=<Bad Ptr>, mongo::BSONObj & cmdObj={...}, int __formal=421530, std::basic_string<char,std::char_traits<char>,std::allocator<char> > & errmsg="", mongo::BSONObjBuilder & result={...}, bool fromRepl=false) 
 7      mongod.exe!mongo::_execCommand(mongo::Command * c=0x02f1f194202d5c9a, const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & dbname={...}, mongo::BSONObj & cmdObj={...}, int queryOptions=85898944, mongo::BSONObjBuilder & result={...}, bool fromRepl=false) 
 8      mongod.exe!mongo::execCommand(mongo::Command * c=0x00000000051ebb60, mongo::Client & client={...}, int queryOptions=85901296, const char * cmdns=0x00000000778c0000, mongo::BSONObj & cmdObj={...}, mongo::BSONObjBuilder & result={...}, bool fromRepl=false) 
 9      mongod.exe!mongo::_runCommands(const char * ns=0x0000000000000204, mongo::BSONObj & _cmdobj={...}, mongo::_BufBuilder<mongo::TrivialAllocator> & b={...}, mongo::BSONObjBuilder & anObjBuilder={...}, bool fromRepl=false, int queryOptions=0) 
 10     mongod.exe!mongo::runCommands(const char * ns=0x0000000000000000, mongo::BSONObj & jsobj={...}, mongo::CurOp & curop={...}, mongo::_BufBuilder<mongo::TrivialAllocator> & b={...}, mongo::BSONObjBuilder & anObjBuilder={...}, bool fromRepl=true, int queryOptions=0) 
 11     mongod.exe!mongo::runQuery(mongo::Message & m={...}, mongo::QueryMessage & q={...}, mongo::CurOp & curop={...}, mongo::Message & result={...}) 
 12     mongod.exe!mongo::receivedQuery(mongo::Client & c={...}, mongo::DbResponse & dbresponse={...}, mongo::Message & m={...}) 
 13     mongod.exe!mongo::assembleResponse(mongo::Message & m={...}, mongo::DbResponse & dbresponse={...}, const mongo::HostAndPort & remote={...}) 
 14     mongod.exe!mongo::DBDirectClient::call(mongo::Message & toSend={...}, mongo::Message & response={...}, bool assertOk=true, std::basic_string<char,std::char_traits<char>,std::allocator<char> > * actualServer=0x00000000046becd8 "DBDirectClient") 
 15     mongod.exe!mongo::DBClientCursor::init() 
 16     mongod.exe!mongo::DBClientBase::query(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & ns="#", mongo::Query * query=0x00000000051ecb60, int nToReturn=-1, int nToSkip=0, const mongo::BSONObj * fieldsToReturn=0x0000000000000000, int queryOptions=0, int batchSize=0) 
 17     mongod.exe!mongo::DBDirectClient::query(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & ns="#", mongo::Query * query=0x00000000051ecc48, int nToReturn=-1, int nToSkip=0, const mongo::BSONObj * fieldsToReturn=0x0000000000000000, int queryOptions=0, int batchSize=0) 
 18     mongod.exe!mongo::mongo_find(JSContext * cx=0x000000000068ef80, JSObject * obj=0x000000000464af10, unsigned int argc=74346048, __int64 * argv=0x000000000464af10, __int64 * rval=0x00000000051eced0) 
 19     mongod.exe!js_Invoke(JSContext * cx=0x000000000068ef80, unsigned int argc=7, unsigned int flags=0) 
 20     mongod.exe!js_Interpret(JSContext * cx=0x000000000068ef80, unsigned char * pc=0x00000000046d4d3e, __int64 * result=0x00000000051edae8) 
 21     mongod.exe!js_Invoke(JSContext * cx=0x000000000068ef80, unsigned int argc=0, unsigned int flags=2) 
 22     mongod.exe!js_InternalInvoke(JSContext * cx=0x000000000068ef80, JSObject * obj=0x000000000464afd0, __int64 fval=73707408, unsigned int flags=0, unsigned int argc=0, __int64 * argv=0x00000000046e5f80, __int64 * rval=0x00000000051ede78) 
 23     mongod.exe!JS_CallFunction(JSContext * cx=0x000000000068ef80, JSObject * obj=0x000000000464afd0, JSFunction * fun=0x00000000046c4c40, unsigned int argc=0, __int64 * argv=0x00000000046e5f80, __int64 * rval=0x00000000051ede78) 
 24     mongod.exe!mongo::SMScope::invoke(JSFunction * func=0x00000000051edfb8, const mongo::BSONObj * args=0x00000000046bb8d0, const mongo::BSONObj * recv=0x0000000000000001, int timeoutMs=60000, bool ignoreReturn=false, bool readOnlyArgs=true, bool readOnlyRecv=true) 
 25     mongod.exe!mongo::SMScope::invoke(unsigned __int64 funcAddr=85909432, const mongo::BSONObj * args=0xfffffffffffffffe, const mongo::BSONObj * recv=0x000000000064d270, int timeoutMs=60000, bool ignoreReturn=false, bool readOnlyArgs=false, bool readOnlyRecv=false) 
 26     mongod.exe!mongo::PooledScope::invoke(unsigned __int64 func=85910064, const mongo::BSONObj * args=0x00000000051ee2f8, const mongo::BSONObj * recv=0x000000000000000e, int timeoutMs=60000, bool ignoreReturn=false, bool readOnlyArgs=false, bool readOnlyRecv=false) 
 27     mongod.exe!mongo::Where::exec(const mongo::BSONObj & obj={...}) 
 28     mongod.exe!mongo::Matcher::matches(const mongo::BSONObj & jsobj={...}, mongo::MatchDetails * details=0x0000000000000000) 
 29     mongod.exe!mongo::CoveredIndexMatcher::matches(const mongo::BSONObj & key={...}, const mongo::DiskLoc & recLoc={...}, mongo::MatchDetails * details=0x000000013fd439e1, bool keyUsable=false) 
 30     mongod.exe!mongo::CoveredIndexMatcher::matchesCurrent(mongo::Cursor * cursor=0x0000000000000001, mongo::MatchDetails * details=0x00000000051ee670) 
 31     mongod.exe!mongo::Cursor::currentMatches(mongo::MatchDetails * details=0x0000000000000001) 
 32     mongod.exe!mongo::QueryResponseBuilder::addMatch() 
 33     mongod.exe!mongo::queryWithQueryOptimizer(int queryOptions=-1, const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & ns="0Âd", const mongo::BSONObj & jsobj={...}, mongo::CurOp & curop={...}, const mongo::BSONObj & query={...}, const mongo::BSONObj & order={...}, const boost::shared_ptr<mongo::ParsedQuery> & pq_shared={...}, const mongo::BSONObj & oldPlan={...}, const mongo::ShardChunkVersion & shardingVersionAtStart={...}, boost::scoped_ptr<mongo::PageFaultRetryableSection> & parentPageFaultSection={...}, boost::scoped_ptr<mongo::NoPageFaultsAllowed> & noPageFault={...}, mongo::Message & result={...}) 
 34     mongod.exe!mongo::runQuery(mongo::Message & m={...}, mongo::QueryMessage & q={...}, mongo::CurOp & curop={...}, mongo::Message & result={...}) 
 35     mongod.exe!mongo::receivedQuery(mongo::Client & c={...}, mongo::DbResponse & dbresponse={...}, mongo::Message & m={...}) 
 36     mongod.exe!mongo::assembleResponse(mongo::Message & m={...}, mongo::DbResponse & dbresponse={...}, const mongo::HostAndPort & remote={...}) 
 37     mongod.exe!mongo::MyMessageHandler::process(mongo::Message & m={...}, mongo::AbstractMessagingPort * port=0x000000000000005c, mongo::LastError * le=0x000000000066ea60) 
 38     mongod.exe!mongo::pms::threadRun(mongo::MessagingPort * inPort=0x0000000000000000) 
 39     mongod.exe!boost::`anonymous namespace'::thread_start_function(void * param=0x0000000000000000) 
 40     mongod.exe!_callthreadstartex() 
 41     mongod.exe!_threadstartex(void * ptd=0x0000000000000000) 
 42     kernel32.dll!BaseThreadInitThunk() 
 43     ntdll.dll!RtlUserThreadStart() 
>
