Friday, June 12, 2015

V8 in MongoDB

Those who follow node.js releases closely may have noticed that version 0.10 has taken a very long time to release, as contributions stagnated. Unable to follow Chrome's short release cycles, it stayed with V8 version 3.14, which quickly became outdated. Fortunately, io.js was able to pick up the pace and now closely follows V8's releases.

A less well-known issue is MongoDB. Two years ago, MongoDB switched to V8 for its JavaScript VM (previously SpiderMonkey). However, that's where they stayed. Two years later, MongoDB is still using V8 3.12. There have been efforts to update to version 3.25, but they seem to have been abandoned.

The issue seems to be that MongoDB expects V8 to handle out-of-memory situations more gracefully, but instead, as a result of architectural changes and bug fixes, V8 does not attempt to recover and intentionally crashes.

Given that V8 3.12 is now three years old, I wish something could be done here. Of course the JavaScript code run on MongoDB is usually server-side, but given three years of security issues being fixed, I wouldn't be surprised if there are some exploits.

There is a bright counter-example: plv8 is very up-to-date as we speak, using V8 4.3, which is currently the most recent stable branch.