Query that crashes redis server

[yunsongmeng]

The following query crashes redis searcher：
FT.SEARCH index "(@Attribute:stringA @id:524) | @Attribute:stringB @id:524"

The following is bug report from the redis sever:

=== REDIS BUG REPORT START: Cut & paste starting from here ===
5479:M 16 Aug 14:55:52.800 # Redis 4.0.1 crashed by signal: 11
5479:M 16 Aug 14:55:52.800 # Crashed running the instuction at: 0x10967e912
5479:M 16 Aug 14:55:52.800 # Accessing address: 0x0
5479:M 16 Aug 14:55:52.800 # Failed assertion: (:0)

------ STACK TRACE ------
EIP:
0 redisearch.so 0x000000010967e912 II_SkipTo + 322

Backtrace:
0 redis-server 0x00000001094be3ad logStackTrace + 109
1 redis-server 0x00000001094be75c sigsegvHandler + 236
2 libsystem_platform.dylib 0x00007fffa798fbba _sigtramp + 26
3 ??? 0x00000001095aae00 0x0 + 4451905024
4 redisearch.so 0x000000010967e27d UI_SkipTo + 173
5 redisearch.so 0x000000010967e70a II_Read + 170
6 redisearch.so 0x000000010968877f Query_Execute + 383
7 redisearch.so 0x000000010968acb0 runQueryGeneric + 224
8 redisearch.so 0x000000010968ade8 threadProcessQuery + 120
9 redisearch.so 0x0000000109694daa thread_do + 554
10 libsystem_pthread.dylib 0x00007fffa7999aab _pthread_body + 180
11 libsystem_pthread.dylib 0x00007fffa79999f7 _pthread_body + 0
12 libsystem_pthread.dylib 0x00007fffa79991fd thread_start + 13

------ INFO OUTPUT ------

Server

redis_version:4.0.1
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:cca5ab0a70c59c9e
redis_mode:standalone
os:Darwin 16.3.0 x86_64
arch_bits:64
multiplexing_api:kqueue
atomicvar_api:atomic-builtin
gcc_version:4.2.1
process_id:5479
run_id:2917ef3000c7cd44422ed43fd430afdc1fb586d4
tcp_port:26379
uptime_in_seconds:175472
uptime_in_days:2
hz:10
lru_clock:9748328
executable:/RediSearch/src/redis-server
config_file:

Clients

connected_clients:1
client_longest_output_list:0
client_biggest_input_buf:0
blocked_clients:1

Memory

used_memory:118191088
used_memory_human:112.72M
used_memory_rss:128962560
used_memory_rss_human:122.99M
used_memory_peak:131958528
used_memory_peak_human:125.85M
used_memory_peak_perc:89.57%
used_memory_overhead:11021494
used_memory_startup:963312
used_memory_dataset:107169594
used_memory_dataset_perc:91.42%
total_system_memory:17179869184
total_system_memory_human:16.00G
used_memory_lua:37888
used_memory_lua_human:37.00K
maxmemory:0
maxmemory_human:0B
maxmemory_policy:noeviction
mem_fragmentation_ratio:1.09
mem_allocator:libc
active_defrag_running:0
lazyfree_pending_objects:0

Persistence

loading:0
rdb_changes_since_last_save:188931
rdb_bgsave_in_progress:0
rdb_last_save_time:1502745080
rdb_last_bgsave_status:ok
rdb_last_bgsave_time_sec:-1
rdb_current_bgsave_time_sec:-1
rdb_last_cow_size:0
aof_enabled:0
aof_rewrite_in_progress:0
aof_rewrite_scheduled:0
aof_last_rewrite_time_sec:-1
aof_current_rewrite_time_sec:-1
aof_last_bgrewrite_status:ok
aof_last_write_status:ok
aof_last_cow_size:0

Stats

total_connections_received:43
total_commands_processed:1530445
instantaneous_ops_per_sec:0
total_net_input_bytes:624761932
total_net_output_bytes:6739529
instantaneous_input_kbps:0.00
instantaneous_output_kbps:0.00
rejected_connections:0
sync_full:0
sync_partial_ok:0
sync_partial_err:0
expired_keys:0
evicted_keys:0
keyspace_hits:1328434
keyspace_misses:12
pubsub_channels:0
pubsub_patterns:0
latest_fork_usec:0
migrate_cached_sockets:0
slave_expires_tracked_keys:0
active_defrag_hits:0
active_defrag_misses:0
active_defrag_key_hits:0
active_defrag_key_misses:0

Replication

role:master
connected_slaves:0
master_replid:1556cb8c4d5bd597cf83bdd8434cc60385749739
master_replid2:0000000000000000000000000000000000000000
master_repl_offset:0
second_repl_offset:-1
repl_backlog_active:0
repl_backlog_size:1048576
repl_backlog_first_byte_offset:0
repl_backlog_histlen:0

CPU

used_cpu_sys:52.05
used_cpu_user:129.18
used_cpu_sys_children:0.00
used_cpu_user_children:0.00

Commandstats

cmdstat_del:calls=188931,usec=483600,usec_per_call=2.56
cmdstat_hgetall:calls=201,usec=3978,usec_per_call=19.79
cmdstat_scan:calls=13066,usec=1097152,usec_per_call=83.97
cmdstat_command:calls=1,usec=545,usec_per_call=545.00

Cluster

cluster_enabled:0

Keyspace

db0:keys=197785,expires=0,avg_ttl=0

------ CLIENT LIST OUTPUT ------
id=3 addr=127.0.0.1:51327 fd=8 name= age=175256 idle=0 flags=b db=0 sub=0 psub=0 multi=-1 qbuf=0 qbuf-free=32768 obl=0 oll=0 omem=0 events=r cmd=FT.SEARCH

------ REGISTERS ------
5479:M 16 Aug 14:55:52.813 #
RAX:0000000000000002 RBX:00007fc94ac9b970
RCX:0000000000000000 RDX:00000000000052f1
RDI:00007fc94ac9c300 RSI:00007fc94ac9c500
RBP:000070000908cc40 RSP:000070000908cc00
R8 :00000000000000dc R9 :00007fc9448bf4e2
R10:0000000000001000 R11:00007fc9448bf4dc
R12:00000000000052f0 R13:0000000000000000
R14:00007fc94ac9c3b0 R15:0000000000000000
RIP:000000010967e912 EFL:0000000000010206
CS :000000000000002b FS:0000000000000000 GS:0000000000000000
5479:M 16 Aug 14:55:52.813 # (000070000908cc0f) -> 00007fc94ac9bc50
5479:M 16 Aug 14:55:52.813 # (000070000908cc0e) -> 00000000000052f0
5479:M 16 Aug 14:55:52.813 # (000070000908cc0d) -> 000070000908ccd0
5479:M 16 Aug 14:55:52.813 # (000070000908cc0c) -> 0000000000000000
5479:M 16 Aug 14:55:52.813 # (000070000908cc0b) -> 0000000000000002
5479:M 16 Aug 14:55:52.813 # (000070000908cc0a) -> 0000000000000002
5479:M 16 Aug 14:55:52.813 # (000070000908cc09) -> 000000010967e27d
5479:M 16 Aug 14:55:52.813 # (000070000908cc08) -> 000070000908ccb0
5479:M 16 Aug 14:55:52.813 # (000070000908cc07) -> 000070000908ccd0
5479:M 16 Aug 14:55:52.813 # (000070000908cc06) -> 00007fc94ac9b9f0
5479:M 16 Aug 14:55:52.813 # (000070000908cc05) -> 00000000ffffffff
5479:M 16 Aug 14:55:52.813 # (000070000908cc04) -> 0000000000000000
5479:M 16 Aug 14:55:52.813 # (000070000908cc03) -> 0000000000000000
5479:M 16 Aug 14:55:52.813 # (000070000908cc02) -> 000070000908cc60
5479:M 16 Aug 14:55:52.813 # (000070000908cc01) -> 00007fc94ac9c2d0
5479:M 16 Aug 14:55:52.813 # (000070000908cc00) -> 000070000908ccc0

------ DUMPING CODE AROUND EIP ------
Symbol: II_SkipTo (base: 0x10967e7d0)
Module: /RediSearch/src/redisearch.so (base 0x109679000)
$ xxd -r -p /tmp/dump.hex /tmp/dump.bin
$ objdump --adjust-vma=0x10967e7d0 -D -b binary -m i386:x86-64 /tmp/dump.bin

5479:M 16 Aug 14:55:52.813 # dump of function (hexdump of 450 bytes):
554889e54157415641554154534883ec184189f44889fb4585e40f84c7000000488955d0488b7b18e8930b00008b43204531ed85c00f8eda0000004531ff4531ed6666666666662e0f1f840000000000488b034e8b34f84d85f60f84a0000000498b3e41ff562885c00f8491000000498b3e41ff5608488945c8488b53088b4b3842390cba750485c97527498b3e4489e6488d55c841ff561889c185c97465488b45c88b10488b7308428914be83f901751e488b7b184889c6e8620800004489633841ffc5eb0e660f1f8400000000003b5338773a49ffc7486343204939c70f8c6bffffffeb2e4889df4889d64883c4185b415c415d415e415f5de990fdffff31c0eb44c7434c0100000031c0eb398953388b43204139c57517b801000000488b4dd04885c97420488b5318488911eb17b802000000488b4dd04885c97409488b09c701000000004883c4185b415c415d415e415f5dc3660f1f840000000000554889e5488b47185dc3660f1f440000554889e58b474c5dc30f1f8000000000554889e5488b47285dc3660f1f440000554889e531f65de9f4fcffff0f1f4000554889e5488b07488b385dff60406690554889e54156534889fb4c8b33498b3e4885
Function at 0x10967f390 is AggregateResult_Reset
Function at 0x10967f0f0 is AggregateResult_AddChild

=== REDIS BUG REPORT END. Make sure to include from START to END. ===

   Please report the crash by opening an issue on github:

       http://github.com/antirez/redis/issues

Suspect RAM error? Use redis-server --test-memory to verify it.

Segmentation fault: 11

[mnunberg]

Can you file this bug on https://github.com/RedisLabsModules/RediSearch ? this is obviously not a redisearch-py issue in itself.

[mnunberg]

Oh, and when do you do post it, can you please show your schema? (the output from FT.INFO index

[yunsongmeng]

Thanks for reply Mark. Will post it there.

[dvirsky]

This was fixed in redisearch itself.