[SERVER-9051] v8 heap allocation failure can lead to segfault

Created: 21/Mar/13 Updated: 14/Apr/16 Resolved: 24/Sep/15

| Status: | Closed |
| Project: | Core Server |
| Component/s: | JavaScript |
| Affects Version/s: | 2.4.0 |
| Fix Version/s: | None |
| Type: | Bug |
| Priority: | Critical - P2 |
| Reporter: | Ben Becker |
| Assignee: | Unassigned |
| Resolution: | Done |
| Votes: | 1 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Participants: | |

Description

The following functions may attempt to dereference an empty handle when v8 heap space is nearly depleted:
This is because mongoToV8Element() does not check for allocation success or OOM when creating a new JS object.
Comments

Comment by Mira Carey [ 24/Sep/15 ]

No longer relevant as we've ported forward to SpiderMonkey, which doesn't have the underlying issue (all allocations crash in our allocator, or fail sensibly if initiated by SM).
Comment by Francois Rigault [ 09/Aug/13 ]

I got a similar problem in MongoDB v2.4.5 or v2.5.2-pre- (git version: bac3b67d20128e03487680b8d713195a18315d6e): the mongod server process cores with a segfault. On the server side:
On the client side (I'm connecting using PyMongo, as the mongo shell seems fine):
mongod segfault in mongo::V8Scope::v8ToMongoObject. EDIT: still reproducible today with 2.5.4.
Comment by Ben Becker [ 29/Mar/13 ]

The linked tickets resolve an issue with excessive memory consumption, which is what provoked this ticket. They have already been backported to the v2.4 branch, and should land in v2.4.2. I'm leaving this ticket open as we still need to find a way to handle OOM conditions more gracefully.
Comment by Andy Schwerin [ 25/Mar/13 ]

We lack a facility for it now, but what you'd like in this scenario is to terminate the current operation, block further JS execution, and do a clean server shutdown. More broadly, you'd like to stop running JS inside the server process, so that the JS engine wouldn't have to share fate with the rest of the process, but that's a much larger redesign. fassertFailed() might be the only real choice for us, in the very short term. That might be the right fix for the proximate bug, but the larger issue of why V8 is reporting out-of-memory in the field needs to be addressed, too.
Comment by Ben Becker [ 25/Mar/13 ]

In debug mode, the stack trace may look like this:
Note that we're setting IgnoreOutOfMemoryException(), but it isn't checked when ForceSetProperty()'s CALL_HEAP_FUNCTION/CALL_AND_RETRY macro checks for an OOM condition. Not sure how useful this would be, but v8::SetFatalErrorHandler() allows us to set a callback when a fatal error has been encountered. v8 will not be usable at this point, and I'm not aware of any way to cleanly free all resources at this point.
Comment by Ben Becker [ 25/Mar/13 ]

It's the v8-specific heap allocator; not a malloc failure.
Comment by Andy Schwerin [ 25/Mar/13 ]

Specifically, what allocator is returning NULL? Is it a V8-specific allocator, or is malloc failing?