[SERVER-7719] mongo shell segfaults when inserting array that contains non-objects
Created: 20/Nov/12  Updated: 11/Jul/16  Resolved: 24/Dec/12

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 2.3.2

Type: Bug
Priority: Minor - P4
Reporter: Shaun Verch
Assignee: Ben Becker
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Operating System: ALL
Participants:

 Description   

> db.test.insert([true])
Mon Nov 19 17:53:05.349 mongo got signal 11 (Segmentation fault: 11), stack trace: 
 
Mon Nov 19 17:53:05.350 0x1076a9b8b 0x1075b4d9f 0x7fff8f5cb8ea 0x9 0x10767fec1 0x10766fa21 0x1077559b0 0x369b7e006362 
 0   mongo                               0x00000001076a9b8b _ZN5mongo15printStackTraceERSo + 43
 1   mongo                               0x00000001075b4d9f _Z12quitAbruptlyi + 191
 2   libsystem_c.dylib                   0x00007fff8f5cb8ea _sigtramp + 26
 3   ???                                 0x0000000000000009 0x0 + 9
 4   mongo                               0x000000010767fec1 _ZN5mongo11mongoInsertEPNS_7V8ScopeERKN2v89ArgumentsE + 689
 5   mongo                               0x000000010766fa21 _ZN5mongo7V8Scope10v8CallbackERKN2v89ArgumentsE + 105
 6   mongo                               0x00000001077559b0 _ZN2v88internalL21Builtin_HandleApiCallENS0_12_GLOBAL__N_116BuiltinArgumentsILNS0_21BuiltinExtraArgumentsE1EEEPNS0_7IsolateE + 464
 7   ???                                 0x0000369b7e006362 0x0 + 60041461785442
 
Mon Nov 19 17:53:05.351 [conn1] end connection 127.0.0.1:56686 (0 connections now open)



 Comments   
Comment by auto [ 24/Dec/12 ]

Author: Ben Becker <ben.becker@10gen.com>
Date: 2012-12-24T00:45:50Z

Message: SERVER-7719: fix argument handling in js insert() method
Branch: master
https://github.com/mongodb/mongo/commit/538134e8bb0400e790beb6761f7306c5dd65b411

Comment by Ben Becker [ 09/Dec/12 ]

Some test cases that should be handled:

db.foo.insert('a');
db.foo.insert(1);
db.foo.insert(['a']);
db.foo.insert([{a:1}, 1]);
db.foo.insert([]);

Comment by Tad Marshall [ 20/Nov/12 ]

The bug here is triggered by inserting an array that does not consist of objects. Inserting into an array works if the array elements are objects.

db.test.insert( [ { a: 1 } ] )

The code is not defensive against array elements that are not objects.
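
The defensive check this comment and the test-case list above call for, as an added example that is not part of the ticket or of the MongoDB code base. The names `isDocument`, `describe`, `normalizeInsertArg` and `checkTicketCases` are hypothetical, and rejecting with a `TypeError` and treating `[]` as an empty batch are assumed policies, since the ticket only says these cases should be handled.

```javascript
// Added example: validate insert()-style arguments before they reach
// lower-level code that assumes every element is an object.
// All names here are hypothetical, not mongo shell APIs.

// A "document" here is any non-null, non-array object.
function isDocument(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Human-readable type name for error messages (typeof null is 'object').
function describe(v) {
  if (v === null) return 'null';
  return Array.isArray(v) ? 'array' : typeof v;
}

// Returns the list of documents to insert, or throws TypeError naming
// the first offending element. Nested arrays are rejected as well.
function normalizeInsertArg(arg) {
  if (Array.isArray(arg)) {
    arg.forEach((el, i) => {
      if (!isDocument(el)) {
        throw new TypeError(`insert: element ${i} is ${describe(el)}, expected object`);
      }
    });
    return arg.slice(); // empty array -> empty batch (assumed policy)
  }
  if (!isDocument(arg)) {
    throw new TypeError(`insert: argument is ${describe(arg)}, expected object or array of objects`);
  }
  return [arg];
}

// Runs the inputs quoted in this ticket and reports accept/reject for each.
function checkTicketCases() {
  const cases = [[true], 'a', 1, ['a'], [{ a: 1 }, 1], [], [{ a: 1 }]];
  return cases.map((c) => {
    try {
      return { input: JSON.stringify(c), ok: true, count: normalizeInsertArg(c).length };
    } catch (e) {
      return { input: JSON.stringify(c), ok: false, error: e.message };
    }
  });
}

console.log(checkTicketCases());
```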

Comment by Tad Marshall [ 20/Nov/12 ]

Cute. It looks like we are running in a callback from V8, but we didn't set up our V8 environment so handles don't work and we get zeros when we try to dereference them. Nice catch!
