Query crashes in DataBlock_ItemIsDeleted #3063

Open
DominicWuest opened this issue Apr 24, 2023 · 0 comments

When running the following query:

CREATE (x) CREATE ()-[:A{n1:size([n2 IN [n3 IN [0] | x.n4] | 0])}]->()-[y:B]->() DELETE y

The RedisGraph instance crashes due to a null-pointer dereference.

I encountered this issue when testing queries against RedisGraph v2.12.0 compiled with address sanitization in a Docker container running alpine v.3.

Redis Bug Report
=== REDIS BUG REPORT START: Cut & paste starting from here ===
10:M 24 Apr 2023 18:54:43.433 # Redis 7.0.11 crashed by signal: 11, si_code: 128
10:M 24 Apr 2023 18:54:43.433 # Accessing address: (nil)
10:M 24 Apr 2023 18:54:43.433 # Crashed running the instruction at: 0x7f283d48aef5

------ STACK TRACE ------
EIP:
/app/bin/linux-x64-debug-asan/src/redisgraph.so(DataBlock_ItemIsDeleted+0x25)[0x7f283d48aef5]

Backtrace:
redis-server *:6379(sigsegvHandler+0x8a)[0x56216429294a]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x13140)[0x7f28452a2140]
/app/bin/linux-x64-debug-asan/src/redisgraph.so(DataBlock_ItemIsDeleted+0x25)[0x7f283d48aef5]
/app/bin/linux-x64-debug-asan/src/redisgraph.so(Graph_EntityIsDeleted+0x40)[0x7f283d3a9000]
/app/bin/linux-x64-debug-asan/src/redisgraph.so(+0x6a02ee)[0x7f283d3212ee]
/app/bin/linux-x64-debug-asan/src/redisgraph.so(+0x69f5d0)[0x7f283d3205d0]
/app/bin/linux-x64-debug-asan/src/redisgraph.so(OpBase_Free+0x7d)[0x7f283d307f5d]
/app/bin/linux-x64-debug-asan/src/redisgraph.so(+0x671bd7)[0x7f283d2f2bd7]
/app/bin/linux-x64-debug-asan/src/redisgraph.so(ExecutionPlan_Free+0x4d)[0x7f283d2f2a2d]
/app/bin/linux-x64-debug-asan/src/redisgraph.so(+0x6407d4)[0x7f283d2c17d4]
/app/bin/linux-x64-debug-asan/src/redisgraph.so(+0x831d8a)[0x7f283d4b2d8a]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x7ea7)[0x7f2845296ea7]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x3f)[0x7f28451b4a2f]

------ REGISTERS ------
10:M 24 Apr 2023 18:54:43.436 #
RAX:ffffffffffffffff RBX:00007f28371a44c0
RCX:1fffffffffffffff RDX:0000000000000000
RDI:0000000000000000 RSI:00007f28371a3520
RBP:00007f28371a3e40 RSP:00007f28371a3e20
R8 :0000000000000001 R9 :000000000000000a
R10:000000000000001e R11:00007f28369a7000
R12:00007ffc3cf1c2ce R13:00007ffc3cf1c2cf
R14:00007f28371a46c0 R15:0000000000802000
RIP:00007f283d48aef5 EFL:0000000000010a07
CSGSFS:002b000000000033
10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e2f) -> 00007f2831828178
10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e2e) -> 00007f2831828180
10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e2d) -> 00007f2831828180
10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e2c) -> 00007f2831828180
10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e2b) -> 00007f2831828180
10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e2a) -> 00007f2831828180
10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e29) -> 00007f283d3212ee
10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e28) -> 00007f28371a3fd0
10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e27) -> 00007f2831834a0c
10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e26) -> 00007f2831834a0c
10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e25) -> 00007f283d3a9000
10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e24) -> 00007f28371a3e60
10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e23) -> 0000000000000000
10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e22) -> ffffffffffffffff
10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e21) -> 834cfcd8e8894900
10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e20) -> 00007f28371a3d70

------ CLIENT LIST OUTPUT ------
id=6 addr=172.17.0.1:49156 laddr=172.17.0.2:6379 fd=8 name= age=0 idle=0 flags=b db=0 sub=0 psub=0 ssub=0 multi=-1 qbuf=0 qbuf-free=20474 argv-mem=140 multi-mem=0 rbs=16384 rbp=16384 obl=0 oll=0 omem=0 tot-mem=37804 events=r cmd=graph.QUERY user=default redir=-1 resp=2

------ MODULES INFO OUTPUT ------
# graph_executing commands

graph_command:GRAPH.QUERY CYPHER TIMEOUT_DEFAULT="30000" CREATE (x) CREATE ()-[:A{n1:size([n2 IN [n3 IN [0] | x.n4] | 0])}]->()-[y:B]->() DELETE y


------ CONFIG DEBUG OUTPUT ------
io-threads-do-reads no
repl-diskless-sync yes
lazyfree-lazy-expire no
lazyfree-lazy-user-del no
client-query-buffer-limit 1gb
activedefrag no
proto-max-bulk-len 512mb
lazyfree-lazy-eviction no
io-threads 1
sanitize-dump-payload no
lazyfree-lazy-server-del no
repl-diskless-load disabled
replica-read-only yes
slave-read-only yes
list-compress-depth 0
lazyfree-lazy-user-flush no

------ FAST MEMORY TEST ------
10:M 24 Apr 2023 18:54:43.437 # main thread terminated
10:M 24 Apr 2023 18:54:43.437 # Bio thread for job type #0 terminated
10:M 24 Apr 2023 18:54:43.437 # Bio thread for job type #1 terminated
10:M 24 Apr 2023 18:54:43.437 # Bio thread for job type #2 terminated

Fast memory test PASSED, however your memory can still be broken. Please run a memory test for several hours if possible.

------ DUMPING CODE AROUND EIP ------
Symbol: DataBlock_ItemIsDeleted (base: 0x7f283d48aed0)
Module: /app/bin/linux-x64-debug-asan/src/redisgraph.so (base 0x7f283cc81000)
$ xxd -r -p /tmp/dump.hex /tmp/dump.bin
$ objdump --adjust-vma=0x7f283d48aed0 -D -b binary -m i386:x86-64 /tmp/dump.bin
------
10:M 24 Apr 2023 18:54:43.437 # dump of function (hexdump of 165 bytes):
554889e54883ec2048897df8488b45f84805ffffffff488945f0488b45f04889c148c1e9038a910080ff7f80fa00488945e88855e70f8423000000488b45e84825070000008a4de738c80f8c09000000488b7de8e87794d5ffe900000000488b45e88a0880e1010fb6d183e20183fa000f95c180e1010fb6d189d04883c4205dc3662e0f1f8400000000000f1f440000554889e54883ec3048897df8488975f0488b7df848

=== REDIS BUG REPORT END. Make sure to include from START to END. ===

Steps to reproduce

Run the following query and observe the database crashes:

CREATE (x) CREATE ()-[:A{n1:size([n2 IN [n3 IN [0] | x.n4] | 0])}]->()-[y:B]->() DELETE y

Expected behavior

The query should run successfully.

Actual behavior

The database crashes due to a segfault.
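
A minimal C model of the fault, added here as an illustration and not RedisGraph's code: the register dump shows RDI 0 and RAX ffffffffffffffff at the crash, and the function dump begins by adding -1 to its argument before reading one byte, which is what a one-byte header stored in front of each item gives for a NULL item. The names `HEADER_SIZE`, `DELETED_FLAG`, `item_is_deleted_unchecked` and `item_state_checked` are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define HEADER_SIZE 1      /* assumption: one flag byte sits just before each item */
#define DELETED_FLAG 0x01  /* assumption: the low bit marks a deleted item */

typedef enum { ITEM_LIVE, ITEM_DELETED, ITEM_UNSET } item_state;

/* Address the deleted-check reads from: the byte in front of the item. */
static uintptr_t header_addr(const void *item) {
    return (uintptr_t)item - HEADER_SIZE;
}

/* Unguarded check: for a NULL item it would read from header_addr(NULL). */
static bool item_is_deleted_unchecked(const void *item) {
    const uint8_t *header = (const uint8_t *)item - HEADER_SIZE;
    return (*header & DELETED_FLAG) != 0;
}

/* Guarded check: a NULL item is reported to the caller, never dereferenced. */
static item_state item_state_checked(const void *item) {
    if (item == NULL) return ITEM_UNSET;
    return item_is_deleted_unchecked(item) ? ITEM_DELETED : ITEM_LIVE;
}

/* Allocate an item with a cleared header; returns the address past the header. */
static void *item_alloc(size_t size) {
    uint8_t *raw = calloc(1, HEADER_SIZE + size);
    return raw ? raw + HEADER_SIZE : NULL;
}

static void item_mark_deleted(void *item) { *((uint8_t *)item - HEADER_SIZE) |= DELETED_FLAG; }
static void item_free(void *item) { if (item) free((uint8_t *)item - HEADER_SIZE); }

int main(void) {
    void *edge = item_alloc(16);
    if (!edge) return 1;
    printf("live item    -> %d\n", item_state_checked(edge));
    item_mark_deleted(edge);
    printf("deleted item -> %d\n", item_state_checked(edge));
    printf("NULL item    -> %d, unguarded read would target %#llx\n",
           item_state_checked(NULL), (unsigned long long)header_addr(NULL));
    item_free(edge);
    return 0;
}
```

On a 64-bit build the last line prints the same value as RAX in the report, a non-canonical address, which fits the `si_code: 128` fault.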
