Window functions: heap-use-after-free
В ходе изучения излишнего расхода резидентной памяти с @funbringer, мы поймали следующую ошибку на сборке пикодаты с асаном. Для воспроизведения нужно:
- поставить llvm-symbolizer
- наложить патч на тарантул модуль для obuf (у него другая структура под асаном) - obuf.patch
- сделать шаги, описанные Георгием тут: picodata#1611 (comment 133870) (единственное, у таблицы cd_customer_account стоит уменьшить количество кортежей в 100 раз, а не грузить через timeout; остальные таблицы должны быть загружены полностью)
При этом точно установлено, что heap-use-after-free не возникает без оконок.
==901560==ERROR: AddressSanitizer: heap-use-after-free on address 0x50b00043f2b0 at pc 0x000002da115a bp 0x6ffcc97fd250 sp 0x6ffcc97fd248
READ of size 1 at 0x50b00043f2b0 thread T0
#0 0x000002da1159 in sql_expr_coll /home/picoadm/leak/picodata/tarantool-sys/src/box/sql/expr.c:287:15
#1 0x000002db7f22 in sql_binary_compare_coll_seq /home/picoadm/leak/picodata/tarantool-sys/src/box/sql/expr.c:527:6
#2 0x000002db7f22 in codeCompare /home/picoadm/leak/picodata/tarantool-sys/src/box/sql/expr.c:555:6
#3 0x000002dbbdd9 in sqlExprIfFalse /home/picoadm/leak/picodata/tarantool-sys/src/box/sql/expr.c:4860:4
#4 0x000002dbc4b7 in sqlExprIfFalse /home/picoadm/leak/picodata/tarantool-sys/src/box/sql/expr.c:4824:4
#5 0x000002db02db in sqlExprCodeTarget /home/picoadm/leak/picodata/tarantool-sys/src/box/sql/expr.c:4310:5
#6 0x000002db8756 in sqlExprCodeExprList /home/picoadm/leak/picodata/tarantool-sys/src/box/sql/expr.c:4548:8
#7 0x000002e2613c in selectInnerLoop /home/picoadm/leak/picodata/tarantool-sys/src/box/sql/select.c:1266:7
#8 0x000002e1e36a in sqlSelect /home/picoadm/leak/picodata/tarantool-sys/src/box/sql/select.c:6107:4
#9 0x000002d8185b in yy_reduce /home/picoadm/leak/picodata/tarantool-sys/src/box/sql/parse.y:419:3
#10 0x000002d77d93 in sqlParser /home/picoadm/leak/picodata/target/x86_64-unknown-linux-gnu/asan-dev/build/tarantool-sys/static/tarantool-prefix/src/tarantool-build/src/box/sql/parse.c:4695:7
#11 0x000002e37464 in sqlRunParser /home/picoadm/leak/picodata/tarantool-sys/src/box/sql/tokenize.c:655:3
#12 0x000002e02323 in sql_stmt_compile /home/picoadm/leak/picodata/tarantool-sys/src/box/sql/prepare.c:79:4
#13 0x000002d612dd in sql_stmt_find_or_create /home/picoadm/leak/picodata/tarantool-sys/src/box/execute.c:132:7
#14 0x000002d615a5 in sql_prepare_ext /home/picoadm/leak/picodata/tarantool-sys/src/box/execute.c:180:6
#15 0x00000515e303 in tarantool::ffi::sql::sql_prepare_ext::h3651b2e4671d683a /home/picoadm/leak/picodata/tarantool/tarantool/src/ffi/helper.rs:136:24
#16 0x00000515e303 in tarantool::sql::prepare::h7270373f5badef0d /home/picoadm/leak/picodata/tarantool/tarantool/src/sql.rs:64:9
#17 0x000004e6ccad in sbroad::executor::engine::helpers::proxy::proxy_start::_$u7b$$u7b$closure$u7d$$u7d$::h72e8925bb2d1b9a8 /home/picoadm/leak/picodata/sbroad/sbroad-core/src/executor/engine/helpers/proxy.r$:52:57
#18 0x0000048d87d2 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h90a0891b6e4dc9c6 /rustc/4d91de4e48198da2e33413efdcd9cd2cc0c46688/library/alloc/sr$/boxed.rs:1993:9
#19 0x000004e316b0 in tarantool::fiber::Fyber$LT$F$C$T$GT$::trampoline_for_ffi::hd9b8cb5407a356ea /home/picoadm/leak/picodata/tarantool/tarantool/src/fiber.rs:828:17
#20 0x000002a99918 in fiber_cxx_invoke(int (*)(__va_list_tag*), __va_list_tag*) /home/picoadm/leak/picodata/tarantool-sys/src/lib/core/fiber.h:1300:10
#21 0x0000028f8e53 in fiber_loop /home/picoadm/leak/picodata/tarantool-sys/src/lib/core/fiber.c:1160:18
#22 0x0000029e7a68 in coro_init /home/picoadm/leak/picodata/tarantool-sys/third_party/coro/coro.c:108:3
0x50b00043f2b0 is located 0 bytes inside of 104-byte region [0x50b00043f2b0,0x50b00043f318)
freed by thread T0 here:
#0 0x0000004ab536 in free /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
#1 0x000002e301e8 in substExpr /home/picoadm/leak/picodata/tarantool-sys/src/box/sql/select.c:3771:5
previously allocated by thread T0 here:
#0 0x0000004ab7cf in malloc /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:68:3
#1 0x000002dd9049 in sql_xmalloc /home/picoadm/leak/picodata/tarantool-sys/src/box/sql/malloc.c:83:9
SUMMARY: AddressSanitizer: heap-use-after-free /home/picoadm/leak/picodata/tarantool-sys/src/box/sql/expr.c:287:15 in sql_expr_coll
Shadow bytes around the buggy address:
0x50b00043f000: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x50b00043f080: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x50b00043f100: fd fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
0x50b00043f180: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
0x50b00043f200: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
=>0x50b00043f280: fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd fd fd
0x50b00043f300: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
0x50b00043f380: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
0x50b00043f400: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x50b00043f480: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x50b00043f500: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==901560==ABORTING
AbortedRef picodata#1611 (изначальная отправная точка, из которой пришло репро)
Activity
added bug label
mentioned in issue picodata#1611
changed milestone to %25.2 - LTS
marked this issue as related to picodata#1611
Я подключился отладчиком - нужно использовать lldb (gdb теряется и не показывает ничего путного, кроме имен функций). Так же не забыть выставить длину выводимых строк побольше (
set set target.max-string-summary-length 10000).* thread #1, name = 'picodata', stop reason = signal SIGABRT * frame #0: 0x0000749b7f64eacf libc.so.6`raise + 271 frame #1: 0x0000749b7f621ea5 libc.so.6`abort + 295 frame #2: 0x00000000004c7eac picodata`::Abort() at sanitizer_posix_libcdep.cpp:163:3 frame #3: 0x00000000004c692e picodata`__sanitizer::Die() at sanitizer_termination.cpp:58:5 frame #4: 0x00000000004af079 picodata`::~ScopedInErrorReport() at asan_report.cpp:193:7 frame #5: 0x00000000004b1d37 picodata`::ReportGenericError() at asan_report.cpp:498:1 frame #6: 0x00000000004b2396 picodata`__asan_report_load1 at asan_rtl.cpp:128:1 frame #7: 0x0000000002da115a picodata`sql_expr_coll(parse=<unavailable>, p=0x000050b001767470, is_explicit_coll=0x0000749b647fd35f, coll_id=<unavailable>, coll=<unavailable>) at expr.c:287:15 frame #8: 0x0000000002db7f23 picodata`codeCompare [inlined] sql_binary_compare_coll_seq(parser=0x0000749aa564b020, left=0x000050b00176a6a0, right=0x000050b00176a5f0, id=0x0000749b647fd37c) at expr.c:527:6 frame #9: 0x0000000002db7efc picodata`codeCompare(pParse=0x0000749aa564b020, pLeft=0x000050b00176a6a0, pRight=<unavailable>, opcode=<unavailable>, in1=<unavailable>, in2=<unavailable>, dest=<unavailable>, jumpIfNull=<unavailable>) at expr.c:555:6 frame #10: 0x0000000002dbbdda picodata`sqlExprIfFalse(pParse=0x0000749aa564b020, pExpr=<unavailable>, dest=<unavailable>, jumpIfNull=<unavailable>) at expr.c:4860:4 frame #11: 0x0000000002dbc4b8 picodata`sqlExprIfFalse(pParse=0x0000749aa564b020, pExpr=<unavailable>, dest=<unavailable>, jumpIfNull=<unavailable>) at expr.c:4824:4 frame #12: 0x0000000002db02dc picodata`sqlExprCodeTarget(pParse=0x0000749aa564b020, pExpr=<unavailable>, target=<unavailable>) at expr.c:4310:5 frame #13: 0x0000000002db8757 picodata`sqlExprCodeExprList(pParse=0x0000749aa564b020, pList=<unavailable>, target=<unavailable>, srcReg=<unavailable>, flags=<unavailable>) at expr.c:4548:8 frame #14: 0x0000000002e2613d picodata`selectInnerLoop(pParse=0x0000749aa564b020, p=<unavailable>, pEList=<unavailable>, srcTab=<unavailable>, pSort=0x0000000000000000, pDistinct=<unavailable>, pDest=<unavailable>, iContinue=<unavailable>, iBreak=<unavailable>) at select.c:1266:7 frame #15: 0x0000000002e1e36b picodata`sqlSelect(pParse=0x0000749aa564b020, p=<unavailable>, pDest=<unavailable>) at select.c:6107:4 frame #16: 0x0000000002d8185c picodata`yy_reduce(yypParser=0x000051f00006ac80, yyruleno=<unavailable>) at parse.y:419:3 frame #17: 0x0000000002d77d94 picodata`sqlParser(yyp=0x000051f00006ac80, yymajor=<unavailable>, yyminor=(z = "", n = 0, isReserved = false), pParse=0x0000749aa564b020) at parse.c:4695:7 frame #18: 0x0000000002e37465 picodata`sqlRunParser(pParse=0x0000749aa564b020, zSql=<unavailable>) at tokenize.c:655:3 frame #19: 0x0000000002e02324 picodata`sql_stmt_compile(zSql=<unavailable>, nBytes=<unavailable>, pReprepare=<unavailable>, ppStmt=<unavailable>, pzTail=<unavailable>) at prepare.c:79:4 frame #20: 0x0000000002d612de picodata`sql_stmt_find_or_create(sql=<unavailable>, len=1111, stmt_id=<unavailable>, stmt=<unavailable>) at execute.c:132:7 frame #21: 0x0000000002d615a6 picodata`sql_prepare_ext(sql=<unavailable>, len=<unavailable>, stmt_id=<unavailable>, session_id=0x0000749aa564aed0) at execute.c:180:6 frame #22: 0x000000000515e304 picodata`tarantool::sql::prepare::h7270373f5badef0d [inlined] tarantool::ffi::sql::sql_prepare_ext::h3651b2e4671d683a(sql="SELECT \"COL_28\" as \"client_mdm_id_first\", \"COL_23\" as \"key_join\", \"COL_24\" as \"flag\", \"COL_25\" as \"begindate\", \"COL_26\" as \"enddate\", \"COL_1\" as \"customer_account_no\", \"COL_0\" as \"customer_account_sk\", \"COL_3\" as \"open_date\", \"COL_4\" as \"close_date\", \"COL_5\" as \"currency_code_num\", \"COL_6\" as \"currency_code_alpha\", \"COL_9\" as \"account_desc\", \"COL_2\" as \"client_mdm_id\", \"COL_8\" as \"status\", \"COL_11\" as \"abs_system\", \"COL_12\" as \"abs_system_name\", \"COL_14\" as \"sub_office_sk\", \"COL_18\" as \"effective_from_dttm\", \"COL_19\" as \"effective_to_dttm\", \"COL_16\" as \"deleted_flg\", CASE WHEN (\"COL_11\") = (?) and (\"COL_15\") <> (?) THEN \"COL_15\" ELSE CAST (? as double) END as \"flag_sk\", row_number () OVER (PARTITION BY \"COL_23\", \"COL_1\" ORDER BY \"COL_11\" DESC, \"COL_18\" DESC, \"COL_15\", \"COL_0\" DESC, \"COL_20\" DESC) as \"flag_a\" FROM (SELECT \"COL_0\",\"COL_1\",\"COL_2\",\"COL_3\",\"COL_4\",\"COL_5\",\"COL_6\",\"COL_7\",\"COL_8\",\"COL_9\",\"COL_10\",\"COL_11\",\"COL_12\",\"COL_13\",\"COL_14\",\"COL_15\",\"COL_16\",\"COL_17\",\"COL_18\",\"COL_19\",\"COL_20\",\"COL_21\",\"COL_22\",\"COL_23\",\"COL_24\",\"COL_25\",\"COL_26\",\"COL_27\",\"COL_28\" FROM \"TMP_3781021201_1136\")", len=1111, stmt_id=0x0000749aa564aef0, session_id=0x0000749aa564aed0) at helper.rs:136:24 frame #23: 0x000000000515e2c7 picodata`tarantool::sql::prepare::h7270373f5badef0d(query=String @ 0x0000749aa5705870) at sql.rs:64:9 frame #24: 0x0000000004e6ccae picodata`sbroad::executor::engine::helpers::proxy::proxy_start::_$u7b$$u7b$closure$u7d$$u7d$::h72e8925bb2d1b9a8 at proxy.rs:52:57 frame #25: 0x00000000048d87d3 picodata`_$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h90a0891b6e4dc9c6(self=0x000050200003bb10, args=<unavailable>) at boxed.rs:1993:9 frame #26: 0x0000000004e316b1 picodata`tarantool::fiber::Fyber$LT$F$C$T$GT$::trampoline_for_ffi::hd9b8cb5407a356ea(args=VaList @ 0x0000749aa5485040) at fiber.rs:828:17 frame #27: 0x0000000002a99919 picodata`fiber_cxx_invoke(f=<unavailable>, ap=<unavailable>) at fiber.h:1300:10 frame #28: 0x00000000028f8e54 picodata`fiber_loop(data=<unavailable>) at fiber.c:1160:18 frame #29: 0x00000000029e7a69 picodata`coro_init at coro.c:108:3 (lldb) f 7 frame #7: 0x0000000002da115a picodata`sql_expr_coll(parse=<unavailable>, p=0x000050b001767470, is_explicit_coll=0x0000749b647fd35f, coll_id=<unavailable>, coll=<unavailable>) at expr.c:287:15 284 *coll_id = COLL_NONE; 285 *coll = NULL; 286 while (p != NULL) { -> 287 int op = p->op; 288 if (op == TK_CAST || op == TK_UPLUS) { 289 p = p->pLeft; 290 continue;Запрос
SELECT "COL_28" as "client_mdm_id_first", "COL_23" as "key_join", "COL_24" as "flag", "COL_25" as "begindate", "COL_26" as "enddate", "COL_1" as "customer_account_no", "COL_0" as "customer_account_sk", "COL_3" as "open_date", "COL_4" as "close_date", "COL_5" as "currency_code_num", "COL_6" as "currency_code_alpha", "COL_9" as "account_desc", "COL_2" as "client_mdm_id", "COL_8" as "status", "COL_11" as "abs_system", "COL_12" as "abs_system_name", "COL_14" as "sub_office_sk", "COL_18" as "effective_from_dttm", "COL_19" as "effective_to_dttm", "COL_16" as "deleted_flg", CASE WHEN ("COL_11") = (?) and ("COL_15") <> (?) THEN "COL_15" ELSE CAST (? as double) END as "flag_sk", row_number () OVER ( PARTITION BY "COL_23", "COL_1" ORDER BY "COL_11" DESC, "COL_18" DESC, "COL_15", "COL_0" DESC, "COL_20" DESC ) as "flag_a" FROM ( SELECT "COL_0", "COL_1", "COL_2", "COL_3", "COL_4", "COL_5", "COL_6", "COL_7", "COL_8", "COL_9", "COL_10", "COL_11", "COL_12", "COL_13", "COL_14", "COL_15", "COL_16", "COL_17", "COL_18", "COL_19", "COL_20", "COL_21", "COL_22", "COL_23", "COL_24", "COL_25", "COL_26", "COL_27", "COL_28" FROM "TMP_3781021201_1136" )Edited by Denis Smirnov-
Репро:
create table "TMP_3781021201_1136"( "COL_0" int, "COL_1" int, "COL_2" int, "COL_3" int, "COL_4" int, "COL_5" int, "COL_6" int, "COL_7" int, "COL_8" int, "COL_9" int, "COL_10" int, "COL_11" int, "COL_12" int, "COL_13" int, "COL_14" int, "COL_15" int, "COL_16" int, "COL_17" int, "COL_18" int, "COL_19" int, "COL_20" int, "COL_21" int, "COL_22" int, "COL_23" int, "COL_24" int, "COL_25" int, "COL_26" int, "COL_27" int, "COL_28" int, "COL_29" int primary key ); SELECT "COL_28" as "client_mdm_id_first", "COL_23" as "key_join", "COL_24" as "flag", "COL_25" as "begindate", "COL_26" as "enddate", "COL_1" as "customer_account_no", "COL_0" as "customer_account_sk", CASE WHEN ("COL_11") = (?) and ("COL_15") <> (?) THEN "COL_15" ELSE CAST (? as double) END as "flag_sk", row_number () OVER ( PARTITION BY "COL_23", "COL_1" ORDER BY "COL_11" DESC, "COL_18" DESC, "COL_15", "COL_0" DESC, "COL_20" DESC ) as "flag_a" FROM ( SELECT "COL_0", "COL_1", "COL_2", "COL_3", "COL_4", "COL_5", "COL_6", "COL_7", "COL_8", "COL_9", "COL_10", "COL_11", "COL_12", "COL_13", "COL_14", "COL_15", "COL_16", "COL_17", "COL_18", "COL_19", "COL_20", "COL_21", "COL_22", "COL_23", "COL_24", "COL_25", "COL_26", "COL_27", "COL_28" FROM "TMP_3781021201_1136" ) -
Этот коммит чинит проблему - 46115fc2
mentioned in merge request !234 (merged)
added domain/sql label
closed with merge request !234 (merged)
Please register or sign in to reply