regression: use-after-free sanitizer error in dtest #1072

nyh · 2016-03-21T13:13:25Z

I'm running one of the repair dtests with smp==2 and built in debug mode, with the following command

pkill -9 scylla; sleep 10;  time CASSANDRA_DIR=$HOME/scylla/build/debug SCYLLA_EXT_OPTS="--smp 2" KEEP_TEST_DIR=true  DEBUG=true PRINT_DEBUG=true nosetests repair_test.py:TestRepair.dc_repair_test -v -s

This crashes in the setup phase (when the test is checking some data it wrote), before even repair starts, so the problem is probably not repair-specific. The errors I see in the log are different at different runs, but always at the same time (at the "checking data" phase, before starting any repair - I think during shutdown of a node):

Sometimes I get a lot of info:

==31765==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f000087c28 
at pc 0x000001d08bf9 bp 0x7fffb0336f50 sp 0x7fffb0336f40
READ of size 4 at 0x60f000087c28 thread T0
==31765==AddressSanitizer: while reporting a bug found another one. Ignoring.
    #0 0x1d08bf8 in sstables::sstable::read_indexes(unsigned long, io_priority_c
lass const&)::{lambda(sstables::index_consumer&)#1}::operator()(sstables::index_
consumer&) const (/home/nyh/.dtest/dtest-hYkYb_/test/node2/bin/scylla+0x1d08bf8)
    #1 0x1d09c62 in do_with<sstables::index_consumer, sstables::sstable::read_in
dexes(uint64_t, const io_priority_class&)::<lambda(sstables::index_consumer&)> >
 /home/nyh/scylla/seastar/core/do_with.hh:55
    #2 0x1d0a712 in sstables::sstable::read_indexes(unsigned long, io_priority_c
lass const&) sstables/sstables.cc:881
    #3 0x226b736 in sstables::sstable::data_end_position(unsigned long, io_prior
ity_class const&) sstables/partition.cc:451
    #4 0x226efde in sstables::sstable::lower_bound(lw_shared_ptr<schema const>, 
dht::ring_position const&, io_priority_class const&)::{lambda(std::vector<sstables::index_entry, std::allocator<sstables::index_entry> >)#1}::operator()(std::vector<sstables::index_entry, std::allocator<sstables::index_entry> >) const (/home/nyh/.dtest/dtest-hYkYb_/test/node2/bin/scylla+0x226efde)
    #5 0x22895c7 in apply /home/nyh/scylla/seastar/core/apply.hh:34
    #6 0x22896ea in apply<sstables::sstable::lower_bound(schema_ptr, const dht::ring_position&, const io_priority_class&)::<lambda(sstables::index_list)>, std::vector<sstables::index_entry, std::allocator<sstables::index_entry> > > /home/nyh/scylla/seastar/core/apply.hh:42
    #7 0x22897e7 in apply<sstables::sstable::lower_bound(schema_ptr, const dht::ring_position&, const io_priority_class&)::<lambda(sstables::index_list)>, std::vector<sstables::index_entry, std::allocator<sstables::index_entry> > > /home/nyh/scylla/seastar/core/future.hh:1197
    #8 0x229f5ef in _ZZN6futureIJSt6vectorIN8sstables11index_entryESaIS2_EEEE4thenIZNS1_7sstable11lower_boundE13lw_shared_ptrIK6schemaERKN3dht13ring_positionERK17io_priority_classEUlS4_E_S_IJmEEEET0_OT_ENUlSN_E_clI12future_stateIJS4_EEEEDaSN_ (/home/nyh/.dtest/dtest-hYkYb_/test/node2/bin/scylla+0x229f5ef)
    #9 0x229fa7c in run /home/nyh/scylla/seastar/core/future.hh:400
    #10 0x436726 in reactor::run_tasks(circular_buffer<std::unique_ptr<task, std::default_delete<task> >, std::allocator<std::unique_ptr<task, std::default_delete<task> > > >&) core/reactor.cc:1450
    #11 0x43ac51 in reactor::run() core/reactor.cc:1754
    #12 0x9606d2 in app_template::run_deprecated(int, char**, std::function<void ()>&&) core/app-template.cc:127

Sometimes almost no info:

==434==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f000076108 at pc 0x000001d08bf9 bp 0x7ffcf45f0740 sp 0x7ffcf45f0730
READ of size 4 at 0x60f000076108 thread T0
==434==AddressSanitizer: while reporting a bug found another one. Ignoring.

==2001==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f00003c4a8 at pc 0x000001d08bf9 bp 0x7f644c9f8b60 sp 0x7f644c9f8b50
READ of size 4 at 0x60f00003c4a8 thread T1

The text was updated successfully, but these errors were encountered:

slivne · 2016-03-21T14:28:15Z

Is thi on head or the side branch of Glauber's version

On Mon, Mar 21, 2016 at 3:13 PM, nyh notifications@github.com wrote:

I'm running one of the repair dtests with smp==2 and built in debug mode,
with the following command

pkill -9 scylla; sleep 10; time CASSANDRA_DIR=$HOME/scylla/build/debug SCYLLA_EXT_OPTS="--smp 2" KEEP_TEST_DIR=true DEBUG=true PRINT_DEBUG=true nosetests repair_test.py:TestRepair -v -s

This crashes in the setup phase (when the test is checking some data it
wrote), before even repair starts, so the problem is probably not
repair-specific. The errors I see in the log are different at different
runs, but always at the same time (at the "checking data" phase, before
starting any repair - I think during shutdown of a node):

Sometimes I get a lot of info:

==31765==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f000087c28
at pc 0x000001d08bf9 bp 0x7fffb0336f50 sp 0x7fffb0336f40
READ of size 4 at 0x60f000087c28 thread T0
==31765==AddressSanitizer: while reporting a bug found another one. Ignoring.
#0 0x1d08bf8 in sstables::sstable::read_indexes(unsigned long, io_priority_c
lass const&)::{lambda(sstables::index_consumer&)#1}::operator()(sstables::index_
consumer&) const (/home/nyh/.dtest/dtest-hYkYb_/test/node2/bin/scylla+0x1d08bf8)
#1 0x1d09c62 in do_with<sstables::index_consumer, sstables::sstable::read_in
dexes(uint64_t, const io_priority_class&)::<lambda(sstables::index_consumer&)> >
/home/nyh/scylla/seastar/core/do_with.hh:55
#2 0x1d0a712 in sstables::sstable::read_indexes(unsigned long, io_priority_c
lass const&) sstables/sstables.cc:881
#3 0x226b736 in sstables::sstable::data_end_position(unsigned long, io_prior
ity_class const&) sstables/partition.cc:451
#4 0x226efde in sstables::sstable::lower_bound(lw_shared_ptr,
dht::ring_position const&, io_priority_class const&)::{lambda(std::vector<sstables::index_entry, std::allocatorsstables::index_entry >)#1}::operator()(std::vector<sstables::index_entry, std::allocatorsstables::index_entry >) const (/home/nyh/.dtest/dtest-hYkYb_/test/node2/bin/scylla+0x226efde)
#5 0x22895c7 in apply /home/nyh/scylla/seastar/core/apply.hh:34
#6 0x22896ea in apply<sstables::sstable::lower_bound(schema_ptr, const dht::ring_position&, const io_priority_class&)::<lambda(sstables::index_list)>, std::vector<sstables::index_entry, std::allocatorsstables::index_entry > > /home/nyh/scylla/seastar/core/apply.hh:42
#7 0x22897e7 in apply<sstables::sstable::lower_bound(schema_ptr, const dht::ring_position&, const io_priority_class&)::<lambda(sstables::index_list)>, std::vector<sstables::index_entry, std::allocatorsstables::index_entry > > /home/nyh/scylla/seastar/core/future.hh:1197
#8 0x229f5ef in ZZN6futureIJSt6vectorIN8sstables11index_entryESaIS2_EEEE4thenIZNS1_7sstable11lower_boundE13lw_shared_ptrIK6schemaERKN3dht13ring_positionERK17io_priority_classEUlS4_E_S_IJmEEEET0_OT_ENUlSN_E_clI12future_stateIJS4_EEEEDaSN (/home/nyh/.dtest/dtest-hYkYb_/test/node2/bin/scylla+0x229f5ef)
#9 0x229fa7c in run /home/nyh/scylla/seastar/core/future.hh:400
#10 0x436726 in reactor::run_tasks(circular_buffer<std::unique_ptr<task, std::default_delete >, std::allocator<std::unique_ptr<task, std::default_delete > > >&) core/reactor.cc:1450
#11 0x43ac51 in reactor::run() core/reactor.cc:1754
#12 0x9606d2 in app_template::run_deprecated(int, char**, std::function<void ()>&&) core/app-template.cc:127

Sometimes almost no info:

==434==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f000076108 at pc 0x000001d08bf9 bp 0x7ffcf45f0740 sp 0x7ffcf45f0730
READ of size 4 at 0x60f000076108 thread T0
==434==AddressSanitizer: while reporting a bug found another one. Ignoring.

==2001==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f00003c4a8 at pc 0x000001d08bf9 bp 0x7f644c9f8b60 sp 0x7f644c9f8b50
READ of size 4 at 0x60f00003c4a8 thread T1

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub
#1072

nyh · 2016-03-21T14:34:19Z

On Mon, Mar 21, 2016 at 4:28 PM, slivne notifications@github.com wrote:

Is thi on head or the side branch of Glauber's version

Glauber's version.

nyh · 2016-03-21T14:42:18Z

I just checked, and I get the same sanitizer failure with "--smp 1". It's not specific to smp 2.

slivne · 2016-03-21T15:06:23Z

we found its a regression via jenkins

build http://jenkins.cloudius-systems.com:8080/job/urchin-dtest/label=monster,mode=debug,smp=1/795/ has this test pass

build http://jenkins.cloudius-systems.com:8080/job/urchin-dtest/label=monster,mode=debug,smp=1/796/ has this tests fail

its not related to glaubers branch

nyh · 2016-03-21T15:16:57Z

I'm bisecting this now. As usual, the compilation is excruciatingly slow (I only set up one compilation machine - I need to set up the second one to get a little more speed....)

nyh · 2016-03-21T15:57:37Z

@slivne @glommer the result of the bisection is:

6a3872b35598321006c60151609b8213ec01eee5 is the first bad commit
commit 6a3872b35598321006c60151609b8213ec01eee5
Author: Glauber Costa <glauber@scylladb.com>
Date:   Wed Mar 16 09:42:55 2016 -0400

    sstables: do not assume mutation_reader will be kept alive

So somehow, while this patch fixed one problem, it created another one - apparently starting a call for lower_bound() and not keeping the sstable alive before it completes. I'll investigate.

glommer · 2016-03-21T16:16:26Z

On Mon, Mar 21, 2016 at 11:57 AM, nyh notifications@github.com wrote:

@slivne https://github.com/slivne @glommer https://github.com/glommer
the result of the bisection is:

6a3872b is the first bad commit
commit 6a3872b
Author: Glauber Costa glauber@scylladb.com
Date: Wed Mar 16 09:42:55 2016 -0400
sstables: do not assume mutation_reader will be kept alive
So somehow, while this patch fixed one problem, it created another one -
apparently starting a call for lower_bound() and not keeping the sstable
alive before it completes. I'll investigate.

Thanks Nadav.

—
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
#1072 (comment)

nyh · 2016-03-21T20:38:35Z

In one of the runs with smp==1, I was lucky to get much more information about the use-after-free bug:

==10070==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f000015f88 at pc 0x000001d08bf9 bp 0x7ffe0df0f2a0 sp 0x7ffe0df0f290
READ of size 4 at 0x60f000015f88 thread T0
    #0 0x1d08bf8 in sstables::sstable::read_indexes(unsigned long, io_priority_class const&)::{lambda(sstables::index_consumer&)#1}::operator()(sstables::index_consumer&) const (/home/nyh/.dtest/dtest-vELCuk/test/node2/bin/scylla+0x1d08bf8)
    #1 0x1d09c62 in do_with<sstables::index_consumer, sstables::sstable::read_indexes(uint64_t, const io_priority_class&)::<lambda(sstables::index_consumer&)> > /home/nyh/scylla/seastar/core/do_with.hh:55
    #2 0x1d0a712 in sstables::sstable::read_indexes(unsigned long, io_priority_class const&) sstables/sstables.cc:881
    #3 0x226b736 in sstables::sstable::data_end_position(unsigned long, io_priority_class const&) sstables/partition.cc:451
    #4 0x226efde in sstables::sstable::lower_bound(lw_shared_ptr<schema const>, dht::ring_position const&, io_priority_class const&)::{lambda(std::vector<sstables::index_entry, std::allocator<sstables::index_entry> >)#1}::operator()(std::vector<sstables::index_entry, std::allocator<sstables::index_entry> >) const (/home/nyh/.dtest/dtest-vELCuk/test/node2/bin/scylla+0x226efde)
    #5 0x22895c7 in apply /home/nyh/scylla/seastar/core/apply.hh:34
    #6 0x22896ea in apply<sstables::sstable::lower_bound(schema_ptr, const dht::ring_position&, const io_priority_class&)::<lambda(sstables::index_list)>, std::vector<sstables::index_entry, std::allocator<sstables::index_entry> > > /home/nyh/scylla/seastar/core/apply.hh:42
    #7 0x22897e7 in apply<sstables::sstable::lower_bound(schema_ptr, const dht::ring_position&, const io_priority_class&)::<lambda(sstables::index_list)>, std::vector<sstables::index_entry, std::allocator<sstables::index_entry> > > /home/nyh/scylla/seastar/core/future.hh:1197
    #8 0x229f5ef in _ZZN6futureIJSt6vectorIN8sstables11index_entryESaIS2_EEEE4thenIZNS1_7sstable11lower_boundE13lw_shared_ptrIK6schemaERKN3dht13ring_positionERK17io_priority_classEUlS4_E_S_IJmEEEET0_OT_ENUlSN_E_clI12future_stateIJS4_EEEEDaSN_ (/home/nyh/.dtest/dtest-vELCuk/test/node2/bin/scylla+0x229f5ef)
    #9 0x229fa7c in run /home/nyh/scylla/seastar/core/future.hh:400
    #10 0x436726 in reactor::run_tasks(circular_buffer<std::unique_ptr<task, std::default_delete<task> >, std::allocator<std::unique_ptr<task, std::default_delete<task> > > >&) core/reactor.cc:1450
    #11 0x43ac51 in reactor::run() core/reactor.cc:1754
    #12 0x9606d2 in app_template::run_deprecated(int, char**, std::function<void ()>&&) core/app-template.cc:127
    #13 0xdfc977 in main /home/nyh/scylla/main.cc:548
    #14 0x7f27f9ed757f in __libc_start_main (/lib64/libc.so.6+0x2057f)
    #15 0x415bc8 in _start (/home/nyh/.dtest/dtest-vELCuk/test/node2/bin/scylla+0x415bc8)

0x60f000015f88 is located 168 bytes inside of 176-byte region [0x60f000015ee0,0x60f000015f90)
freed by thread T0 here:
    #0 0x7f27ff162472 in operator delete(void*, unsigned long) (/lib64/libasan.so.2+0x9a472)
    #1 0x229ae52 in _M_destroy /usr/include/c++/5.3.1/functional:1726
    #2 0x22913ae in _M_manager /usr/include/c++/5.3.1/functional:1750
    #3 0x6554f4 in std::_Function_base::~_Function_base() /usr/include/c++/5.3.1/functional:1830
    #4 0x22ab2fe in std::function<future<unsigned long> ()>::~function() /usr/include/c++/5.3.1/functional:1974
    #5 0x22ab366 in sstables::mutation_reader::impl::impl(sstables::sstable&, lw_shared_ptr<schema const>, std::function<future<unsigned long> ()>, std::function<future<unsigned long> ()>, io_priority_class const&)::{lambda()#1}::operator()() const::{lambda(unsigned long)#1}::~io_priority_class() (/home/nyh/.dtest/dtest-vELCuk/test/node2/bin/scylla+0x22ab366)
    #6 0x22b55e0 in _ZZN6futureIJmEE4thenIZZN8sstables15mutation_reader4implC4ERNS2_7sstableE13lw_shared_ptrIK6schemaESt8functionIFS0_vEESD_RK17io_priority_classENKUlvE_clEvEUlmE_S_IJNS2_20data_consume_contextEEEEET0_OT_ENUlSN_E_D2Ev (/home/nyh/.dtest/dtest-vELCuk/test/node2/bin/scylla+0x22b55e0)
    #7 0x22d0cbe in _ZN12continuationIZN6futureIJmEE4thenIZZN8sstables15mutation_reader4implC4ERNS3_7sstableE13lw_shared_ptrIK6schemaESt8functionIFS1_vEESE_RK17io_priority_classENKUlvE_clEvEUlmE_S0_IJNS3_20data_consume_contextEEEEET0_OT_EUlSO_E_JmEED2Ev /home/nyh/scylla/seastar/core/future.hh:396
    #8 0x22d0e73 in _ZN12continuationIZN6futureIJmEE4thenIZZN8sstables15mutation_reader4implC4ERNS3_7sstableE13lw_shared_ptrIK6schemaESt8functionIFS1_vEESE_RK17io_priority_classENKUlvE_clEvEUlmE_S0_IJNS3_20data_consume_contextEEEEET0_OT_EUlSO_E_JmEED0Ev /home/nyh/scylla/seastar/core/future.hh:396
    #9 0x6bc461 in std::default_delete<task>::operator()(task*) const /usr/include/c++/5.3.1/bits/unique_ptr.h:76
    #10 0x695abc in std::unique_ptr<task, std::default_delete<task> >::reset(task*) /usr/include/c++/5.3.1/bits/unique_ptr.h:344
    #11 0x436737 in reactor::run_tasks(circular_buffer<std::unique_ptr<task, std::default_delete<task> >, std::allocator<std::unique_ptr<task, std::default_delete<task> > > >&) core/reactor.cc:1451
    #12 0x43ac51 in reactor::run() core/reactor.cc:1754
    #13 0x9606d2 in app_template::run_deprecated(int, char**, std::function<void ()>&&) core/app-template.cc:127
    #14 0xdfc977 in main /home/nyh/scylla/main.cc:548
    #15 0x7f27f9ed757f in __libc_start_main (/lib64/libc.so.6+0x2057f)

previously allocated by thread T0 here:
    #0 0x7f27ff161872 in operator new(unsigned long) (/lib64/libasan.so.2+0x99872)
    #1 0x229accc in _M_clone /usr/include/c++/5.3.1/functional:1710
    #2 0x2291374 in _M_manager /usr/include/c++/5.3.1/functional:1746
    #3 0x22b51d1 in std::function<future<unsigned long> ()>::function(std::function<future<unsigned long> ()> const&) /usr/include/c++/5.3.1/functional:2242
    #4 0x22aa6db in sstables::mutation_reader::impl::impl(sstables::sstable&, lw_shared_ptr<schema const>, std::function<future<unsigned long> ()>, std::function<future<unsigned long> ()>, io_priority_class const&)::{lambda()#1}::operator()() const sstables/partition.cc:520
    #5 0x22c2374 in std::_Function_handler<future<sstables::data_consume_context> (), sstables::mutation_reader::impl::impl(sstables::sstable&, lw_shared_ptr<schema const>, std::function<future<unsigned long> ()>, std::function<future<unsigned long> ()>, io_priority_class const&)::{lambda()#1}>::_M_invoke(std::_Any_data const&) /usr/include/c++/5.3.1/functional:1857
    #6 0x22b7a25 in std::function<future<sstables::data_consume_context> ()>::operator()() const /usr/include/c++/5.3.1/functional:2271
    #7 0x22abd6a in sstables::mutation_reader::impl::read() sstables/partition.cc:536
    #8 0x226ec49 in sstables::mutation_reader::read() sstables/partition.cc:560
    #9 0x17c2be8 in sstable_range_wrapping_reader::operator()() (/home/nyh/.dtest/dtest-vELCuk/test/node2/bin/scylla+0x17c2be8)
    #10 0x17b144e in mutation_reader::operator()() mutation_reader.hh:63
    #11 0x19c2412 in filtering_reader<bool (&)(mutation const&)>::operator()()::{lambda()#1}::operator()() const (/home/nyh/.dtest/dtest-vELCuk/test/node2/bin/scylla+0x19c2412)
    #12 0x19d263e in future<stop_iteration> futurize<future<stop_iteration> >::apply<filtering_reader<bool (&)(mutation const&)>::operator()()::{lambda()#1}&>(filtering_reader<bool (&)(mutation const&)>::operator()()::{lambda()#1}&) /home/nyh/scylla/seastar/core/future.hh:1207
    #13 0x1793512 in repeat<filtering_reader<MutationFilter>::operator()() [with MutationFilter = bool (&)(const mutation&)]::<lambda()> > /home/nyh/scylla/seastar/core/future-util.hh:194
    #14 0x19c2d41 in filtering_reader<bool (&)(mutation const&)>::operator()() (/home/nyh/.dtest/dtest-vELCuk/test/node2/bin/scylla+0x19c2d41)
    #15 0x17b144e in mutation_reader::operator()() mutation_reader.hh:63
    #16 0x1c6568b in combined_reader::operator()()::{lambda(mutation_reader&)#1}::operator()(mutation_reader&) const (/home/nyh/.dtest/dtest-vELCuk/test/node2/bin/scylla+0x1c6568b)
    #17 0x1c7394b in future<> parallel_for_each<__gnu_cxx::__normal_iterator<mutation_reader*, std::vector<mutation_reader, std::allocator<mutation_reader> > >, combined_reader::operator()()::{lambda(mutation_reader&)#1}>(__gnu_cxx::__normal_iterator<mutation_reader*, std::vector<mutation_reader, std::allocator<mutation_reader> > >, future<>, combined_reader::operator()()::{lambda(mutation_reader&)#1}&&)::{lambda(parallel_for_each_state&)#1}::operator()(parallel_for_each_state) const (/home/nyh/.dtest/dtest-vELCuk/test/node2/bin/scylla+0x1c7394b)
    #18 0x1c74eb2 in auto do_with<parallel_for_each_state, future<> parallel_for_each<__gnu_cxx::__normal_iterator<mutation_reader*, std::vector<mutation_reader, std::allocator<mutation_reader> > >, combined_reader::operator()()::{lambda(mutation_reader&)#1}>(__gnu_cxx::__normal_iterator<mutation_reader*, std::vector<mutation_reader, std::allocator<mutation_reader> > >, future<>, combined_reader::operator()()::{lambda(mutation_reader&)#1}&&)::{lambda(parallel_for_each_state&)#1}>(future<>&&, future<> parallel_for_each<__gnu_cxx::__normal_iterator<mutation_reader*, std::vector<mutation_reader, std::allocator<mutation_reader> > >, combined_reader::operator()()::{lambda(mutation_reader&)#1}>(__gnu_cxx::__normal_iterator<mutation_reader*, std::vector<mutation_reader, std::allocator<mutation_reader> > >, future<>, combined_reader::operator()()::{lambda(mutation_reader&)#1}&&)::{lambda(parallel_for_each_state&)#1}) /home/nyh/scylla/seastar/core/do_with.hh:55
    #19 0x1c7553a in future<> parallel_for_each<__gnu_cxx::__normal_iterator<mutation_reader*, std::vector<mutation_reader, std::allocator<mutation_reader> > >, combined_reader::operator()()::{lambda(mutation_reader&)#1}>(__gnu_cxx::__normal_iterator<mutation_reader*, std::vector<mutation_reader, std::allocator<mutation_reader> > >, future<>, combined_reader::operator()()::{lambda(mutation_reader&)#1}&&) /home/nyh/scylla/seastar/core/future-util.hh:113
    #20 0x1c6c295 in future<> parallel_for_each<std::vector<mutation_reader, std::allocator<mutation_reader> >&, combined_reader::operator()()::{lambda(mutation_reader&)#1}>(std::vector<mutation_reader, std::allocator<mutation_reader> >&, combined_reader::operator()()::{lambda(mutation_reader&)#1}&&) /home/nyh/scylla/seastar/core/future-util.hh:135
    #21 0x1c66063 in combined_reader::operator()() /home/nyh/scylla/mutation_reader.cc:89
    #22 0x17b144e in mutation_reader::operator()() mutation_reader.hh:63
    #23 0x17cde22 in range_sstable_reader::operator()() (/home/nyh/.dtest/dtest-vELCuk/test/node2/bin/scylla+0x17cde22)
    #24 0x17b144e in mutation_reader::operator()() mutation_reader.hh:63
    #25 0x1ad1909 in scanning_and_populating_reader::next_secondary() /home/nyh/scylla/row_cache.cc:337
    #26 0x1acf2ff in scanning_and_populating_reader::operator()()::{lambda(std::experimental::fundamentals_v1::optional<dht::decorated_key>)#1}::operator()(std::experimental::fundamentals_v1::optional<dht::decorated_key>)::{lambda(mutation_opt&&)#1}::operator()(mutation_opt) const (/home/nyh/.dtest/dtest-vELCuk/test/node2/bin/scylla+0x1acf2ff)
    #27 0x1aec1d8 in apply_helper<scanning_and_populating_reader::operator()()::{lambda(std::experimental::fundamentals_v1::optional<dht::decorated_key>)#1}::operator()(std::experimental::fundamentals_v1::optional<dht::decorated_key>)::{lambda(mutation_opt&&)#1}, std::tuple<{lambda(std::experimental::fundamentals_v1::optional<dht::decorated_key>)#1}>&&, std::integer_sequence<unsigned long, 0ul> >::apply(mutation_opt&&, std::tuple) seastar/core/apply.hh:34
    #28 0x1aec2d3 in auto apply<scanning_and_populating_reader::operator()()::{lambda(std::experimental::fundamentals_v1::optional<dht::decorated_key>)#1}::operator()(std::experimental::fundamentals_v1::optional<dht::decorated_key>)::{lambda(mutation_opt&&)#1}, {lambda(std::experimental::fundamentals_v1::optional<dht::decorated_key>)#1}>(scanning_and_populating_reader::operator()()::{lambda(std::experimental::fundamentals_v1::optional<dht::decorated_key>)#1}::operator()(std::experimental::fundamentals_v1::optional<dht::decorated_key>)::{lambda(mutation_opt&&)#1}&&, std::tuple<{lambda(std::experimental::fundamentals_v1::optional<dht::decorated_key>)#1}>&&) seastar/core/apply.hh:42
    #29 0x1aec3d1 in future<mutation_opt> futurize<future<mutation_opt> >::apply<scanning_and_populating_reader::operator()()::{lambda(std::experimental::fundamentals_v1::optional<dht::decorated_key>)#1}::operator()(std::experimental::fundamentals_v1::optional<dht::decorated_key>)::{lambda(mutation_opt&&)#1}, mutation_opt>(scanning_and_populating_reader::operator()()::{lambda(std::experimental::fundamentals_v1::optional<dht::decorated_key>)#1}::operator()(std::experimental::fundamentals_v1::optional<dht::decorated_key>)::{lambda(mutation_opt&&)#1}&&, std::tuple<mutation_opt>&&) seastar/core/future.hh:1197

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 sstables::sstable::read_indexes(unsigned long, io_priority_class const&)::{lambda(sstables::index_consumer&)#1}::operator()(sstables::index_consumer&) const
Shadow bytes around the buggy address:
  0x0c1e7fffaba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fffabb0: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fd fd
  0x0c1e7fffabc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1e7fffabc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1e7fffabd0: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c1e7fffabe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c1e7fffabf0: fd[fd]fa fa fa fa fa fa fa fa fd fd fd fd fd fd
  0x0c1e7fffac00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c1e7fffac10: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c1e7fffac20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c1e7fffac30: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fffac40: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==10070==ABORTING

tgrabiec · 2016-03-21T21:00:38Z

Perhaps 'pc' should be captured by reference here (and similarly for end):

    auto start = [this, range, schema, pc] {
        return range.start() ? (range.start()->is_inclusive()
                 ? lower_bound(schema, range.start()->value(), pc)
                 : upper_bound(schema, range.start()->value(), pc))
        : make_ready_future<uint64_t>(0);
    };

nyh · 2016-03-21T21:08:34Z

Exactly :-) I found the same thing....

Commit 6a3872b fixed some use-after-free bugs but introduced a new one because of a typo: Instead of capturing a reference to the long-living io-class object, as all the code does, one place in the code accidentally captured a *copy* of this object. This copy had a very temporary life, and when a reference to that *copy* was passed to sstable reading code which assumed that it lives at least as long as the read call, a use-after-free resulted. Fixes #1072 Signed-off-by: Nadav Har'El <nyh@scylladb.com> Message-Id: <1458595629-9314-1-git-send-email-nyh@scylladb.com> (cherry picked from commit 2eb0627)

slivne added bug showstopper labels Mar 21, 2016

slivne assigned nyh Mar 21, 2016

slivne added this to the GA milestone Mar 21, 2016

nyh changed the title ~~sanitizer error on dtest with smp=2~~ regression: use-after-free sanitizer error in dtest Mar 21, 2016

tgrabiec closed this as completed in 2eb0627 Mar 21, 2016

nyh mentioned this issue Mar 21, 2016

More sstable code need a close() method to avoid use-after-free bugs #1076

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

regression: use-after-free sanitizer error in dtest #1072

regression: use-after-free sanitizer error in dtest #1072

nyh commented Mar 21, 2016

slivne commented Mar 21, 2016

nyh commented Mar 21, 2016

nyh commented Mar 21, 2016

slivne commented Mar 21, 2016

nyh commented Mar 21, 2016

nyh commented Mar 21, 2016

glommer commented Mar 21, 2016

nyh commented Mar 21, 2016

tgrabiec commented Mar 21, 2016

nyh commented Mar 21, 2016

regression: use-after-free sanitizer error in dtest #1072

regression: use-after-free sanitizer error in dtest #1072

Comments

nyh commented Mar 21, 2016

slivne commented Mar 21, 2016

nyh commented Mar 21, 2016

nyh commented Mar 21, 2016

slivne commented Mar 21, 2016

nyh commented Mar 21, 2016

nyh commented Mar 21, 2016

glommer commented Mar 21, 2016

nyh commented Mar 21, 2016

tgrabiec commented Mar 21, 2016

nyh commented Mar 21, 2016