[SERVER-8220] db.eval('return print') crashes client
Created: 17/Jan/13  Updated: 11/Jul/16  Resolved: 12/Feb/13

Status: Closed
Project: Core Server
Component/s: JavaScript, Shell
Affects Version/s: 2.3.2
Fix Version/s: 2.4.0-rc1

Type: Bug
Priority: Major - P3
Reporter: Ben Becker
Assignee: Ben Becker
Resolution: Done
Votes: 0
Labels: javascript, shell
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
is duplicated by SERVER-8366 mongoToV8Object crashes when converti... Closed
Operating System: ALL
Steps To Reproduce:

> db.eval('print')


 Description   

Thu Jan 17 14:34:04.848 terminate() called in shell, printing stack:
0x1000e7c0b 0x100001caf 0x7fff9094e001 0x7fff9094e05c 0x7fff9094f152 0x1000c5f8d 0x1000c5fed 0x1000b2823 0x1000b59c9 0x1000b1374 0x1002d9677 0x1002dbb53 0x10025ff37 0x100258686 0x2d7b58606362 0x2d7b5864d460 
 0   mongo                               0x00000001000e7c0b _ZN5mongo15printStackTraceERSo + 43
 1   mongo                               0x0000000100001caf _Z11myterminatev + 79
 2   libc++abi.dylib                     0x00007fff9094e001 _Z19safe_handler_callerPFvvE + 11
 3   libc++abi.dylib                     0x00007fff9094e05c __cxa_bad_typeid + 0
 4   libc++abi.dylib                     0x00007fff9094f152 _Z23__gxx_exception_cleanup19_Unwind_Reason_CodeP17_Unwind_Exception + 0
 5   mongo                               0x00000001000c5f8d _ZN5mongo9uassertedEiPKc + 269
 6   mongo                               0x00000001000c5fed _ZN5mongo9uassertedEiRKSs + 29
 7   mongo                               0x00000001000b2823 _ZN5mongo7V8Scope11newFunctionEPKc + 493
 8   mongo                               0x00000001000b59c9 _ZN5mongo7V8Scope16mongoToV8ElementERKNS_11BSONElementEb + 157
 9   mongo                               0x00000001000b1374 _ZN5mongoL8namedGetEN2v85LocalINS0_6StringEEERKNS0_12AccessorInfoE + 500
 10  mongo                               0x00000001002d9677 _ZN2v88internal8JSObject26GetPropertyWithInterceptorEPNS0_10JSReceiverEPNS0_6StringEP18PropertyAttributes + 523
 11  mongo                               0x00000001002dbb53 _ZN2v88internal6Object11GetPropertyENS0_6HandleIS1_EES3_PNS0_12LookupResultENS2_INS0_6StringEEEP18PropertyAttributes + 125
 12  mongo                               0x000000010025ff37 _ZN2v88internal6LoadIC4LoadENS0_16InlineCacheStateENS0_6HandleINS0_6ObjectEEENS3_INS0_6StringEEE + 1221
 13  mongo                               0x0000000100258686 _ZN2v88internal11LoadIC_MissENS0_9ArgumentsEPNS0_7IsolateE + 454
 14  ???                                 0x00002d7b58606362 0x0 + 50007786939234
 15  ???                                 0x00002d7b5864d460 0x0 + 50007787230304



 Comments   
Comment by auto [ 12/Feb/13 ]

Author: Ben Becker <ben.becker@10gen.com>, 2013-02-12T19:16:08Z

Message: SERVER-8220: test for eval() returning a native function
Branch: master
https://github.com/mongodb/mongo/commit/fe6e8f69d0d0453622b3ea6e99c113580f79ca5b

Comment by auto [ 12/Feb/13 ]

Author: Ben Becker <ben.becker@10gen.com>, 2013-02-12T18:09:19Z

Message: SERVER-8220: fix native function conversion
Branch: master
https://github.com/mongodb/mongo/commit/65ed5f4d576e380ae9e59ca7ae9d6b06b9d9766c

Comment by Ben Becker [ 12/Feb/13 ]

Two issues here:

1) We have no protection for converting native code to/from BSON types. Same issue has always existed with SM (though SM throws a parse error). Proposed solution is to prevent v8ToMongo()* from converting native functions to BSON.

2) The named property accessors do not catch C++ exceptions. Should be trivial, assuming property accessors can throw JS exceptions.
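
The two fixes proposed in the comment above, modelled in plain JavaScript as an added example (not MongoDB's code and not written by the commenter). `toWire`, `fromWire` and the `{$code: ...}` shape are hypothetical stand-ins for the V8/BSON converters; the block shows why a native function's source text cannot be recompiled, and where each guard sits.

```javascript
// Added model of the two fixes; not MongoDB source. toWire/fromWire and the
// {$code: ...} shape are hypothetical stand-ins for the V8 <-> BSON converters.
const NATIVE_BODY = /\{\s*\[native code\]\s*\}\s*$/;

// A native (or bound) function stringifies to a placeholder body, not source.
function isNativeFunction(fn) {
  return typeof fn === 'function' &&
    NATIVE_BODY.test(Function.prototype.toString.call(fn));
}

// Fix 1: refuse to serialize a function whose "source" is only a placeholder.
function toWire(value) {
  if (typeof value === 'function') {
    if (isNativeFunction(value)) {
      throw new TypeError('cannot convert native function to a code value');
    }
    return { $code: Function.prototype.toString.call(value) };
  }
  return value;
}

// Unguarded reader: compiles whatever source it is handed, so a placeholder
// body surfaces as an exception inside the caller.
function fromWireUnguarded(wire) {
  if (wire && typeof wire === 'object' && '$code' in wire) {
    return new Function('return (' + wire.$code + ')')();
  }
  return wire;
}

// Fix 2: catch at the boundary and report, instead of letting the exception
// propagate through frames that cannot handle it.
function fromWire(wire) {
  try {
    return { ok: true, value: fromWireUnguarded(wire) };
  } catch (err) {
    return { ok: false, error: err.name + ': ' + err.message };
  }
}
```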

Comment by Ben Becker [ 17/Jan/13 ]

Same for db.eval('print').
