[SERVER-850] $where clause can crash server Created: 30/Mar/10  Updated: 26/Apr/10  Resolved: 30/Mar/10

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: 1.4.0
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Matt Mastracci Assignee: Eliot Horowitz (Inactive)
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

OSX: 10.3.0 Darwin Kernel Version 10.3.0: Fri Feb 26 11:58:09 PST 2010; root:xnu-1504.3.12~1/RELEASE_I386 i386
mongodb-osx-x86_64-1.4.0


Participants:

 Description   

Run a $where clause and attempt to dereference a null value. The server will fail with "TypeError: this.x has no properties nofile_a:0" and assert. The server will no longer respond to queries:

> db.foo.save(

{a:1}

)
> db.foo.find({$where:"this.x.x"})
error: {
"$err" : "error on invocation of $where function:
JS Error: TypeError: this.x has no properties nofile_a:0"

From the server:

Tue Mar 30 10:16:52 JS Error: TypeError: this.x has no properties nofile_a:0
Tue Mar 30 10:16:52 User Exception 10071:error on invocation of $where function:
JS Error: TypeError: this.x has no properties nofile_a:0
Tue Mar 30 10:16:52 Assertion: 10362:error on invocation of $where function:
JS Error: TypeError: this.x has no properties nofile_a:0
0x100067c57 0x1000c74de 0x100162c84 0x100165a4d 0x10022330b 0x10022c6f4 0x7fff8346a8b6 0x7fff8346a769
0 mongod 0x0000000100067c57 _ZN5mongo11msgassertedEiPKc + 487
1 mongod 0x00000001000c74de _ZN5mongo8runQueryERNS_7MessageERNS_12QueryMessageERNS_5CurOpE + 7534
2 mongod 0x0000000100162c84 _ZN5mongo13receivedQueryERNS_6ClientERNS_10DbResponseERNS_7MessageE + 644
3 mongod 0x0000000100165a4d _ZN5mongo16assembleResponseERNS_7MessageERNS_10DbResponseERK11sockaddr_in + 3629
4 mongod 0x000000010022330b _ZN5mongo10connThreadEv + 619
5 mongod 0x000000010022c6f4 thread_proxy + 132
6 libSystem.B.dylib 0x00007fff8346a8b6 _pthread_start + 331
7 libSystem.B.dylib 0x00007fff8346a769 thread_start + 13
Tue Mar 30 10:16:52 Caught Assertion in runQuery ns:dotspots.foo massert:error on invocation of $where function:
JS Error: TypeError: this.x has no properties nofile_a:0
Tue Mar 30 10:16:52 ntoskip:0 ntoreturn:0
Tue Mar 30 10:16:52 query:

{ $where: "this.x.x" }

 Comments   
Comment by Eliot Horowitz (Inactive) [ 30/Mar/10 ]

i see.
yes - can you open a separate issue for that

Comment by Matt Mastracci [ 30/Mar/10 ]

The issue seems to be that the client will re-print the previous server error on a client JS error. It's not a mongod error, but rather a dbshell issue.

Should I open up another issue for that?

Comment by Eliot Horowitz (Inactive) [ 30/Mar/10 ]

If i'm reading your comment correctly, then all the mongo code is fine.
If I read it wrong - please add a new comment.

Comment by Matt Mastracci [ 30/Mar/10 ]

I'm trying it again now and it's not always fatal to the server. I did manage to get the server into a spot where it wouldn't respond to queries at all (and I couldn't reconnect).

I've tried this over and over and it's not getting into the wedged state that it did for me the first couple of times.

[update] I've retraced my steps and tried this over and over and can't reproduce it at all. When I look through the logs, I think that it was a different bug causing the confusion:

      • First, a $where that fails on the server:

> db.dot.find({$where:"this.contents.body.segments.length > 10"})
error: {
"$err" : "error on invocation of $where function:
JS Error: TypeError: this.contents.body.segments has no properties nofile_a:0"
}

      • Next, a client JS error. Note that it repeats the last server error back at me. I think this is where the confusion came from:

> db.dot.find({"rebuild_dot":{"version"}})
Tue Mar 30 10:14:19 JS Error: SyntaxError: missing : after property id (shell):0
error on invocation of $where function:
JS Error: TypeError: this.contents.body.segments has no properties nofile_a:0

Generated at Thu Feb 08 02:55:21 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.