[SERVER-9089] 'Cloning' a document in JavaScript can create an empty _bson field Created: 22/Mar/13  Updated: 11/Jul/16  Resolved: 18/Apr/13

Status: Closed
Project: Core Server
Component/s: JavaScript
Affects Version/s: 2.4.0
Fix Version/s: 2.4.3, 2.5.0

Type: Bug Priority: Critical - P2
Reporter: Ben Becker Assignee: Mathias Stearn
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: File clone_bson.js    
Issue Links:
Duplicate
is duplicated by SERVER-9405 Map/Reduce leads to Segmentation faul... Closed
Operating System: ALL
Participants:

 Description   

When a document is 'cloned' in JavaScript, or if a field named '_bson' is created on a JS object passed to an internal mongo function, unwrapHolder() may return a NULL pointer. This is unchecked at most call-sites.
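The mechanism described above (and triggered by the `db.foo.find({_bson: 1})` repro in the comments below) can be reduced to a small model. The following is an added example written for this page, not code from the MongoDB repository: `JsObject`, `looksLikeBsonWrapper`, `cloneVisibleProperties`, `sampleHolder` and the exception type are all assumed stand-ins for the real V8 wrapper machinery, and only the names `BSONHolder`, `unwrapHolder` and `v8ToMongo` echo the ticket. It shows why a plain object carrying a `_bson` property, or a shallow clone that copies visible properties but not the internal field, makes `unwrapHolder()` return NULL, and what the unchecked and checked callers do with that.

```cpp
#include <cstddef>
#include <map>
#include <stdexcept>
#include <string>
#include <vector>

// Model of the holder the V8 engine attaches to objects it materialises from
// BSON. Hypothetical stand-in, not the real BSONHolder.
struct BSONHolder {
    std::vector<std::string> fieldNames;   // stands in for the wrapped BSONObj
};

// Model of a V8 object: visible JS properties plus an internal slot that only
// BSON-backed wrappers populate. A plain JS object leaves it NULL.
struct JsObject {
    std::map<std::string, int> props;      // visible properties (values are irrelevant here)
    BSONHolder* holder = nullptr;          // internal field, set only for BSON-backed objects
};

// Assumed wrapper check: the converter treats an object as BSON-backed when it
// carries a `_bson` property. A user-written `{_bson: 1}` satisfies this too.
bool looksLikeBsonWrapper(const JsObject& o) {
    return o.props.count("_bson") > 0;
}

// Model of unwrapHolder(): returns the internal holder, which is NULL for a plain
// object with a user-defined `_bson` field or for a clone that copied the visible
// `_bson` property but not the internal field.
BSONHolder* unwrapHolder(const JsObject& o) {
    return o.holder;
}

// Hypothetical shallow clone in the style of `for (k in src) dst[k] = src[k]`:
// visible properties are copied, the internal holder slot is not.
JsObject cloneVisibleProperties(const JsObject& src) {
    JsObject dst;
    dst.props = src.props;
    return dst;
}

// Before the fix: the holder is dereferenced without a NULL check, which is the
// SIGSEGV inside V8Scope::v8ToMongo in the stack trace. Never call this with a
// non-BSON-backed object that has a `_bson` field.
std::size_t v8ToMongoUnchecked(const JsObject& o) {
    if (looksLikeBsonWrapper(o)) {
        BSONHolder* h = unwrapHolder(o);
        return h->fieldNames.size();       // NULL dereference when h == nullptr
    }
    return o.props.size();
}

// After the fix: the holder is checked first. The exception type and message are
// assumptions; the point is that a NULL holder is refused, not dereferenced.
std::size_t v8ToMongoChecked(const JsObject& o) {
    if (looksLikeBsonWrapper(o)) {
        BSONHolder* h = unwrapHolder(o);
        if (h == nullptr) {
            throw std::invalid_argument("object has a _bson field but no BSONHolder");
        }
        return h->fieldNames.size();
    }
    return o.props.size();
}

// Constructed sample holder standing in for a three-field document.
BSONHolder& sampleHolder() {
    static BSONHolder h{{"_id", "name", "score"}};
    return h;
}

// Constructed input: an object the engine built from BSON (marker + internal field).
JsObject makeBsonBacked(BSONHolder& h) {
    JsObject o;
    o.props["_bson"] = 1;
    o.holder = &h;
    return o;
}

// Constructed input: the repro case, a real JS object with a field named `_bson`.
JsObject makePlainWithBsonField() {
    JsObject o;
    o.props["_bson"] = 1;   // user wrote {_bson: 1}; no internal holder
    return o;
}

// True when the checked converter refuses the object instead of crashing on it.
bool rejectsNullHolder(const JsObject& o) {
    try {
        v8ToMongoChecked(o);
        return false;
    } catch (const std::invalid_argument&) {
        return true;
    }
}

int main() {
    bool ok = rejectsNullHolder(makePlainWithBsonField())
           && rejectsNullHolder(cloneVisibleProperties(makeBsonBacked(sampleHolder())))
           && v8ToMongoChecked(makeBsonBacked(sampleHolder())) == 3;
    return ok ? 0 : 1;
}
```

The model makes the root cause visible: the wrapper test keys off a property a caller can forge, while the data the converter actually needs lives in an internal field the caller cannot set, so the two can disagree and the only safe caller is the one that checks `unwrapHolder()`'s result before using it.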



 Comments   
Comment by auto [ 18/Apr/13 ]

Author:

{u'date': u'2013-04-18T18:41:28Z', u'name': u'Mathias Stearn', u'email': u'mathias@10gen.com'}

Message: SERVER-9089 Check for NULL BSONHolder
Branch: v2.4
https://github.com/mongodb/mongo/commit/716d31016dc572a87ffc7748d6d4f5348e1a28d6

Comment by auto [ 18/Apr/13 ]

Author:

{u'date': u'2013-04-18T18:41:28Z', u'name': u'Mathias Stearn', u'email': u'mathias@10gen.com'}

Message: SERVER-9089 Check for NULL BSONHolder
Branch: master
https://github.com/mongodb/mongo/commit/f63d4e568bfc00f27d573520f16e66e215890355

Comment by Mathias Stearn [ 18/Apr/13 ]

Easier repro: try converting any real v8 object (i.e. one that wasn't sourced from BSON) with a field named _bson to BSON

> db.foo.find({_bson: 1})
Thu Apr 18 11:40:56.280 mongo got signal 11 (Segmentation fault), stack trace:

Thu Apr 18 11:40:56.281 0x7027d3 0x60e054 0x7f70910bd340 0x6bbfbc 0x6cc95f 0x6b956b 0x1c6b51e4c21b 
 mongo(_ZN5mongo15printStackTraceERSo+0x23) [0x7027d3]
 mongo(_Z12quitAbruptlyi+0xe4) [0x60e054]
 /usr/lib/libc.so.6(+0x35340) [0x7f70910bd340]
 mongo(_ZN5mongo7V8Scope9v8ToMongoEN2v86HandleINS1_6ObjectEEEi+0xfc) [0x6bbfbc]
 mongo(_ZN5mongo9mongoFindEPNS_7V8ScopeERKN2v89ArgumentsE+0x14f) [0x6cc95f]
 mongo(_ZN5mongo7V8Scope10v8CallbackERKN2v89ArgumentsE+0xab) [0x6b956b]
 [0x1c6b51e4c21b]
