[SERVER-7751] V8 crash in shell with "DB._v8_function" or autocomplete on "DB._" Created: 24/Nov/12  Updated: 11/Jul/16  Resolved: 03/Jan/13

Status: Closed
Project: Core Server
Component/s: JavaScript, Shell
Affects Version/s: None
Fix Version/s: 2.3.2

Type: Bug Priority: Major - P3
Reporter: Tad Marshall Assignee: Ben Becker
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: Crashes in debug and release builds on Linux, Windows & Mac
Operating System: ALL
Participants:

Description

Our V8 engine interface code creates a property named "_v8_function" pointing at C++ code, and this makes V8 crash if you try to display or examine this property. You can get the crash by typing "DB._v8_function<enter>" or "DB._<tab>" in the shell. The debug builds note that we have reached "unreachable code" at src\third_party\v8\src\code-stubs.cc, line 426 in the autocomplete case.

DB._<tab>

#
# Fatal error in src\third_party\v8\src\code-stubs.cc, line 426
# unreachable code
#
 
 
==== Stack trace ============================================
 
Security context: 0000000088006361 <JS Object>#0#
    1: /* anonymous */ [src/mongo/shell/utils.js:1398] (this=0000000088006479 <JS Global Object>#1#,prefix=00000000E0FEC979 <String[4]: DB._>)
    2: shellAutocomplete [src/mongo/shell/utils.js:1414] (this=0000000088006479 <JS Global Object>#1#,prefix=00000000E0FEC979 <String[4]: DB._>)
    3: _funcs1(aka callShellAutocomplete) [_funcs1:1] (this=0000000088006479 <JS Global Object>#1#,x=00000000E0FEC979 <String[4]: DB._>)
 
==== Details ================================================
 
[1]: /* anonymous */ [src/mongo/shell/utils.js:1398] (this=0000000088006479 <JS Global Object>#1#,prefix=00000000E0FEC979 <String[4]: DB._>) {
  // stack-allocated locals
  var p = 00000000FDD1A929 <String[12]: _v8_function>
  var possibilities = 00000000E0FECDB9 <JS Array[16]>#2#
  var parts = 00000000E0FECA61 <JS Array[2]>#3#
  var curObj = 000000008802CCB9 <JS Function>#4#
  var global = 0000000088006479 <JS Global Object>#1#
  var completion = 00000000E0FED1C1 <String[15]: DB._v8_function>
  var lastPrefix = 00000000FDD1E2C9 <String[1]: _>
  var ret = 0000000088004121 <undefined>
  var lastPrefixLowercase = 00000000FDD1E2C9 <String[1]: _>
  var i = 7
  var beginning = 00000000E0FECB49 <String[3]: DB.>
  var noDuplicates = 00000000E0FECE69 <an Object>#5#
  // expression stack (top to bottom)
  [14] : 24
  [13] : 0
  [12] : 00000000E0F33379 <Foreign>#6#
--------- s o u r c e   c o d e ---------
function ( prefix ) {
    var global = ( function() { return this; } ).call(); // trick to get global object

    var curObj = global;
    var parts = prefix.split( '.' );
    for ( var p = 0; p < parts.length - 1; p++ ) { // doesn't include last part
        curObj = curObj[parts[p]];
        if ( curObj == null )
            return [];
    }

    var lastPr...
 
-----------------------------------------
}
 
[2]: shellAutocomplete [src/mongo/shell/utils.js:1414] (this=0000000088006479 <JS Global Object>#1#,prefix=00000000E0FEC979 <String[4]: DB._>) {
  // expression stack (top to bottom)
  [07] : 00000000E0FEC979 <String[4]: DB._>
  [06] : 0000000088006479 <JS Global Object>#1#
  [05] : 00000000E0F57941 <JS Function>#7#
--------- s o u r c e   c o d e ---------
function ( prefix ) {
    try {
        __autocomplete__ = worker( prefix ).sort();
    } catch ( e ) {
        print( "exception during autocomplete: " + tojson( e.message ) );
        __autocomplete__ = [];
    }
}
-----------------------------------------
}
 
[3]: _funcs1(aka callShellAutocomplete) [_funcs1:1] (this=0000000088006479 <JS Global Object>#1#,x=00000000E0FEC979 <String[4]: DB._>) {
  // expression stack (top to bottom)
  [02] : 00000000E0FEC979 <String[4]: DB._>
  [01] : 0000000088006479 <JS Global Object>#1#
  [00] : 00000000E0FE95C1 <JS Function callShellAutocomplete>#8#
--------- s o u r c e   c o d e ---------
function callShellAutocomplete(x) {shellAutocomplete(x)}
-----------------------------------------
}
 
==== Key         ============================================
 
 #0# 0000000088006361: 0000000088006361 <JS Object>
 #1# 0000000088006479: 0000000088006479 <JS Global Object>
 #2# 00000000E0FECDB9: 00000000E0FECDB9 <JS Array[16]>
                 0: 00000000FDD04451 <String[11]: constructor>
                 1: 00000000FDD04751 <String[9]: prototype>
                 2: 00000000FDD047F9 <String[8]: toString>
                 3: 00000000FDD04839 <String[7]: valueOf>
                 4: 00000000FDD0D331 <String[14]: toLocaleString>
                 5: 00000000FDD0D359 <String[14]: hasOwnProperty>
                 6: 00000000FDD0D3A9 <String[20]: propertyIsEnumerable>
                 7: 00000000FDD1A929 <String[12]: _v8_function>
                 8: 00000000FDD1FDC9 <String[11]: tsToSeconds>
                 9: 00000000FDD1E311 <String[12]: autocomplete>
                  ...
 #3# 00000000E0FECA61: 00000000E0FECA61 <JS Array[2]>
                 0: 00000000FDD1A989 <String[2]: DB>
                 1: 00000000FDD1E2C9 <String[1]: _>
 #4# 000000008802CCB9: 000000008802CCB9 <JS Function>
      _v8_function: 00000000E0F33379 <Foreign>#6#
 #5# 00000000E0FECE69: 00000000E0FECE69 <an Object>
 #6# 00000000E0F33379: 00000000E0F33379 <Foreign>
 #7# 00000000E0F57941: 00000000E0F57941 <JS Function>
 #8# 00000000E0FE95C1: 00000000E0FE95C1 <JS Function callShellAutocomplete>
=====================

DB._v8_function<enter>

#
# Fatal error in c:\users\tad\documents\visual studio 2010\projects\mongodev\src\third_party\v8\src\objects-inl.h, line 2244
# CHECK(object->IsJSReceiver()) failed
#
 
 
==== Stack trace ============================================
 
Security context: 000000008EE06361 <JS Object>#0#
    1: DefaultString [native runtime.js:646] (this=000000008EE07401 <JS Object>#1#,a=00000000D8F33379 <Foreign>#2#)
    2: ToString [native runtime.js:555] (this=000000008EE07401 <JS Object>#1#,a=00000000D8F33379 <Foreign>#2#)
    6: shellPrintHelper [src/mongo/shell/utils.js:1302] (this=000000008EE06479 <JS Global Object>#3#,x=00000000D8F33379 <Foreign>#2#)
    7: /* anonymous */ [(shell2):1] (this=000000008EE06479 <JS Global Object>#3#)
 
==== Details ================================================
 
[1]: DefaultString [native runtime.js:646] (this=000000008EE07401 <JS Object>#1#,a=00000000D8F33379 <Foreign>#2#) {
  // stack-allocated locals
  var e = 000000008EE04121 <undefined>
  var d = 000000008EE04121 <undefined>
  var b = 000000008EE04121 <undefined>
  var c = 000000008EE04121 <undefined>
  // expression stack (top to bottom)
  [05] : 00000000D0B047F9 <String[8]: toString>
  [04] : 00000000D8F33379 <Foreign>#2#
--------- s o u r c e   c o d e ---------
function DefaultString(a){
    var b=a.toString;
    if((%_ClassOf(b)==='Function')){
        var c=%_CallFunction(a,b);
        if(%IsPrimitive(c))return c;
    }

    var d=a.valueOf;
    if((%_ClassOf(d)==='Function')){
        var e=%_CallFunction(a,d);
        if(%IsPrimitive(e))return e;
    }

    throw %MakeTypeError('cannot_convert_to_primitive',[]);
}
-----------------------------------------
}
 
[2]: ToString [native runtime.js:555] (this=000000008EE07401 <JS Object>#1#,a=00000000D8F33379 <Foreign>#2#) {
  // expression stack (top to bottom)
  [02] : 00000000D8F33379 <Foreign>#2#
  [01] : 000000008EE07401 <JS Object>#1#
  [00] : 000000008EE07401 <JS Object>#1#
--------- s o u r c e   c o d e ---------
function ToString(a){
    if((typeof(a)==='string'))return a;
    if((typeof(a)==='number'))return %_NumberToString(a);
    if((typeof(a)==='boolean'))return a?'true':'false';
    if((typeof(a)==='undefined'))return'undefined';
    return((a===null))?'null':%ToString(%DefaultString(a));
}
-----------------------------------------
}
 
[6]: shellPrintHelper [src/mongo/shell/utils.js:1302] (this=000000008EE06479 <JS Global Object>#3#,x=00000000D8F33379 <Foreign>#2#) {
  // stack-allocated locals
  var err = 000000008EE04121 <undefined>
  var p = 000000008EE04121 <undefined>
  // expression stack (top to bottom)
  [04] : 000000008EE2C461 <JS Function>#4#
  [03] : 00000000D8F33379 <Foreign>#2#
  [02] : 000000008EE06479 <JS Global Object>#3#
--------- s o u r c e   c o d e ---------
function (x) {
    if (typeof (x) == "undefined") {
        // Make sure that we have a db var before we use it
        // TODO: This implicit calling of GLE can cause subtle, hard to track issues - remove

        if (__callLastError && typeof( db ) != "undefined" && db.getMongo ) {
            __callLastError = false;
            // explicit w:1 so that rep...
 
-----------------------------------------
}
 
[7]: /* anonymous */ [(shell2):1] (this=000000008EE06479 <JS Global Object>#3#) {
  // stack-allocated locals
  var .result = 000000008EE04121 <undefined>
  // expression stack (top to bottom)
  [02] : 00000000D8F33379 <Foreign>#2#
  [01] : 000000008EE06479 <JS Global Object>#3#
--------- s o u r c e   c o d e ---------
shellPrintHelper( __lastres__ );
-----------------------------------------
}
 
==== Key         ============================================
 
 #0# 000000008EE06361: 000000008EE06361 <JS Object>
 #1# 000000008EE07401: 000000008EE07401 <JS Object>
 #2# 00000000D8F33379: 00000000D8F33379 <Foreign>
 #3# 000000008EE06479: 000000008EE06479 <JS Global Object>
 #4# 000000008EE2C461: 000000008EE2C461 <JS Function>
      _v8_function: 00000000D8F32179 <Foreign>#5#
 #5# 00000000D8F32179: 00000000D8F32179 <Foreign>
=====================


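The two traces above reach the same root cause by two shell code paths: the autocomplete worker touches the value of every matching property while enumerating `DB`, and `shellPrintHelper` hands the value to V8's `ToString` -> `DefaultString`, which expects a JS receiver. Both paths fail because a raw engine-internal handle was made visible as an ordinary, readable property. The following is an added example, not code from the MongoDB shell or from the SERVER-7751 fix; V8's `<Foreign>` object cannot be created from JavaScript, so it stands in two containable failures for it (a property whose getter throws, and a value whose `toString`/`valueOf` both throw, which is the `DefaultString` path in the second trace). `buildSampleGlobal`, `naiveWorker`, `hardenedWorker`, `safeGet` and `safeToString` are names chosen here, and the sample object graph is constructed for the example. It shows why the single try/catch in `shellAutocomplete` is a weak guard (one bad property discards every candidate) and what a worker looks like that never invokes getters or string conversion while completing. The caveat a practitioner should keep in mind: a thrown `TypeError` can be contained in script, but a V8 `CHECK` failure aborts the process and no JavaScript guard helps, so the durable fix is on the embedding side, where internal handles must not be exposed as script-readable properties.

```javascript
"use strict";
// Added example, not MongoDB shell code. V8's internal <Foreign> object cannot
// be created from JavaScript, so two stand-ins are used (assumption):
//  - an accessor whose getter throws (a property that cannot be read from script)
//  - an object whose toString/valueOf both throw, the path DefaultString() takes
//    in the second trace on the page (ToString -> DefaultString -> TypeError).

// Constructed sample object graph standing in for the shell's global scope.
function buildSampleGlobal() {
  const DB = function DB() {};
  DB.tsToSeconds = function (ts) { return ts.t; };
  DB.autocomplete = function () { return []; };
  Object.defineProperty(DB, "_v8_function", {       // stand-in for the native handle
    enumerable: true,
    get() { throw new Error("native handle: not a JS receiver"); },
  });
  DB._opaque = {                                     // stand-in for an unconvertible value
    toString() { throw new TypeError("no"); },
    valueOf() { throw new TypeError("no"); },
  };
  return { DB };
}

// Same shape as the page's worker: walk the dotted prefix, enumerate keys of the
// last object, and touch each value to decide whether to append "(". One
// unreadable property aborts the whole completion.
function naiveWorker(global, prefix) {
  const parts = prefix.split(".");
  let curObj = global;
  for (let p = 0; p < parts.length - 1; p++) {
    curObj = curObj[parts[p]];
    if (curObj == null) return [];
  }
  const lastPrefix = parts[parts.length - 1];
  const beginning = prefix.slice(0, prefix.length - lastPrefix.length);
  const out = [];
  for (const key in curObj) {
    if (!key.startsWith(lastPrefix)) continue;
    const value = curObj[key];                       // throws on the _v8_function stand-in
    out.push(beginning + key + (typeof value === "function" ? "(" : ""));
  }
  return out.sort();
}

// Reads a property without letting a throwing getter escape.
function safeGet(obj, key) {
  try { return { ok: true, value: obj[key] }; }
  catch (e) { return { ok: false, error: e }; }
}

// Hardened variant: path segments are read via safeGet, candidates come from
// property descriptors (getters are never invoked), values are never stringified,
// and keys are deduplicated across the prototype chain.
function hardenedWorker(global, prefix) {
  const parts = prefix.split(".");
  let curObj = global;
  for (let p = 0; p < parts.length - 1; p++) {
    const r = safeGet(curObj, parts[p]);
    if (!r.ok || r.value == null) return [];
    curObj = r.value;
  }
  const lastPrefix = parts[parts.length - 1];
  const beginning = prefix.slice(0, prefix.length - lastPrefix.length);
  const seen = new Set();
  const out = [];
  for (let o = curObj; o != null; o = Object.getPrototypeOf(o)) {
    for (const key of Object.getOwnPropertyNames(o)) {
      if (seen.has(key) || !key.startsWith(lastPrefix)) continue;
      seen.add(key);
      const d = Object.getOwnPropertyDescriptor(o, key);
      const isFn = "value" in d && typeof d.value === "function";   // accessors get no "("
      out.push(beginning + key + (isFn ? "(" : ""));
    }
  }
  return out.sort();
}

// The shape of shellAutocomplete on the page: one try/catch around the worker.
// With the naive worker it silently returns nothing when any property is bad.
function shellAutocomplete(worker, global, prefix) {
  try { return worker(global, prefix); }
  catch (e) { return []; }
}

// For the "DB._v8_function<enter>" path: print without trusting toString().
// A thrown TypeError is containable here; an engine CHECK failure is not.
function safeToString(value) {
  try { return String(value); }
  catch (e) {
    return Object.prototype.toString.call(value) + " (not printable: " + e.message + ")";
  }
}

const demoGlobal = buildSampleGlobal();
console.log(shellAutocomplete(naiveWorker, demoGlobal, "DB._"));     // []  (completion aborted)
console.log(shellAutocomplete(hardenedWorker, demoGlobal, "DB._"));  // lists DB._opaque and DB._v8_function
console.log(safeToString(demoGlobal.DB._opaque));                    // "[object Object] (not printable: no)"
```

The design choice worth copying is that completion reads descriptors, not values: an autocomplete must not have side effects, and a getter (or, in the embedding, a raw native handle) is exactly the kind of value that should never be dereferenced just to suggest a name.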

Comments
Comment by auto [ 03/Jan/13 ]

Author: Ben Becker <ben.becker@10gen.com>, 2013-01-03T00:42:09Z

Message: Bulk v8 cleanup:

  • conventions and consistency
  • added some comments
  • removed some dead code
  • always use v8:: prefix and don't use namespace v8
  • removed redundant arg handles in v8/mongo conversion functions
  • removed redundant erase logic in loadStored()
  • s/exec error:/JavaScript error:/
  • in v8-specific files, changed jsassert to use uassert instead of verify
  • replaced verify() w/ uassert and massert

Includes fix for SERVER-7751.
Branch: master
https://github.com/mongodb/mongo/commit/ae5a98ca54b4c9287cf7634d8086a44930f7c0b5

Generated at Thu Feb 08 03:15:30 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.