[SERVER-8433] Aggregating deeply-nested documents can cause stack overflow Created: 01/Feb/13 Updated: 24/Jan/24 Resolved: 21/Mar/17 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Aggregation Framework, Security, Stability |
| Affects Version/s: | 2.3.2 |
| Fix Version/s: | 3.4.4, 3.5.5 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | J Rassi | Assignee: | Kyle Suarez |
| Resolution: | Done | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Backport Completed: | |
| Backport Requested: | v3.4 |
| Sprint: | Query 2017-01-23, Query 2017-02-13, Query 2017-03-27 |
| Participants: | |
| Description |
|
Recursive calls made to mongo::Document::toBson, in mongo/db/pipeline/document.cpp. To reproduce (on my OS X 10.8 machine, triggers if levels >= 811):
(snippet above borrowed from |
| Comments |
| Comment by Githook User [ 28/Mar/17 ] |
|
Author: Kyle Suarez (ksuarz) <kyle.suarez@mongodb.com>
Message: (cherry picked from commit b25e825ede4acd47bfdae25edef44c497ee2233e) Conflicts: |
| Comment by Githook User [ 28/Mar/17 ] |
|
Author: Kyle Suarez (ksuarz) <kyle.suarez@mongodb.com>
Message: (cherry picked from commit ba8c4a2cb599861bcd92446926b72bb17eb5df6b) Conflicts: |
| Comment by Githook User [ 21/Mar/17 ] |
|
Author: Kyle Suarez (ksuarz) <kyle.suarez@mongodb.com>
Message: |
| Comment by Githook User [ 21/Mar/17 ] |
|
Author: Kyle Suarez (ksuarz) <kyle.suarez@mongodb.com>
Message: |
| Comment by Tad Marshall [ 25/Jul/13 ] |
|
If you hit the C++ stack overflow on the Mac but not in Linux at some specific depth, this is very likely to be V8 has its own JavaScript stack which can also overflow. I suspect that in the first example ("db.foo.insert(makeNestObj(15000));") we never get to the point of passing the deep object to the Mongo code since the JS stack overflows before that can happen. Every stack is going to have some limit, so to prevent overflows completely we'd need to use a non-recursive method to walk through a deeply nested structure. |
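An added example, not part of the ticket and not MongoDB's code: the non-recursive walk suggested in the comment above, sketched in C++ with a depth cap so that over-deep input is rejected instead of exhausting a stack. The `Node`/`Arena` types, `makeNested`, `measureDepth`, `withinDepthLimit` and the limit of 1000 are assumptions made for illustration; the depths 811 and 15000 are the ones quoted in the ticket.

```cpp
#include <cstddef>
#include <cstdio>
#include <stdexcept>
#include <utility>
#include <vector>

// Hypothetical stand-in for a parsed document: nodes sit in one flat arena and
// name their sub-documents by index, so building or freeing a deep chain never
// recurses. Indices are assumed in range and acyclic (a tree rooted at node 0).
struct Node { std::vector<std::size_t> children; };
using Arena = std::vector<Node>;

// Constructed sample input: {a: {a: {a: ...}}} nested `levels` documents deep.
Arena makeNested(std::size_t levels) {
    Arena arena(levels);
    for (std::size_t i = 0; i + 1 < levels; ++i)
        arena[i].children.push_back(i + 1);
    return arena;
}

// Walks the tree with an explicit heap-allocated work list instead of the call
// stack. Returns the deepest nesting level (root = 1, empty = 0) and throws as
// soon as a node deeper than maxDepth is reached.
std::size_t measureDepth(const Arena& arena, std::size_t maxDepth) {
    std::size_t deepest = 0;
    std::vector<std::pair<std::size_t, std::size_t>> work;  // (node, depth)
    if (!arena.empty()) work.emplace_back(0, 1);
    while (!work.empty()) {
        const std::pair<std::size_t, std::size_t> cur = work.back();
        work.pop_back();
        if (cur.second > maxDepth)
            throw std::length_error("document exceeds maximum nesting depth");
        if (cur.second > deepest) deepest = cur.second;
        for (std::size_t child : arena[cur.first].children)
            work.emplace_back(child, cur.second + 1);
    }
    return deepest;
}

// True when the document fits within the limit; deeper input is rejected.
bool withinDepthLimit(const Arena& arena, std::size_t maxDepth) {
    try { measureDepth(arena, maxDepth); return true; }
    catch (const std::length_error&) { return false; }
}

int main() {
    std::printf("depth=%zu ok=%d\n", measureDepth(makeNested(811), 1000),
                withinDepthLimit(makeNested(15000), 1000));
}
```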
| Comment by Duraid Madina [ 25/Jul/13 ] |
|
@Tad: no, we don't. levels=1000 works for me on Linux (ulimit -s = 8MB). Interestingly, a deep JS stack gets caught:
but we can certainly overflow our stack:
I ran into this with a similar aggregation (ending in thousands of ]}]}}]}]} ), the overflow occurred in the parser:
|
| Comment by Tad Marshall [ 01/Feb/13 ] |
|
Do we hit the stack overflow at the same point in Linux? If we hit it sooner in Mac OS X, this could be related to |