Segmentation fault on destroy_consumer_msg

[omikee]

Segmentation fault
code: SEGV_MAPERR
addr: 0x108
context: 0x7f6cc99ff540
siginfo: 0x7f6cc99ff670
rax 0x0 0
rbx 0x7f6cb0004110 140104786002192
rcx 0x2 2
rdx 0x41356000 1094017024
rsi 0x41356000 1094017024
rdi 0x110 272
rsp 0x7f6cc99ffae8 140105215900392
rbp 0x40bcd378 1086116728
r8 0x40bcd3b8 1086116792
r9 0x40bcd378 1086116728
r10 0x41356000 1094017024
r11 0x41e9b010 1105834000
r12 0x40bcd378 1086116728
r13 0x0 0
r14 0x40bce000 1086119936
r15 0x7f6cfd53a530 140106083312944
rip 0x7f6d01972aec 140106154846956
eflags 0x10202 66050
cs 0x33 51
gs 0x0 0
fs 0x0 0
cr2 0x108 264
err 0x4 4
oldmask 0x0 0
trapno 0xe 14
Current time: 1611043480
Please file a bug at http://github.com/tarantool/tarantool/issues
Attempting backtrace... Note: since the server has already crashed,
this may fail as well
#0 0x6a6259 in print_backtrace+9
#1 0x56cc4d in _ZL12sig_fatal_cbiP9siginfo_tPv+bd
#2 0x7f6d01fcc630 in _L_unlock_13+34
#3 0x7f6d01972aec in cfree+1c
#4 0x7f6cfd53a507 in destroy_consumer_msg+17
#5 0x7f6cfd53a55a in lua_consumer_msg_gc+2a
#6 0x6f83b7 in lj_BC_FUNCC+34
#7 0x6cc62e in gc_call_finalizer+6e
#8 0x6cc718 in gc_finalize+a8
#9 0x6cd169 in gc_onestep+99
#10 0x6cd84c in lj_gc_step+5c
#11 0x6da76c in lua_newthread+5c
#12 0x6840c9 in luaT_newthread_wrapper+9
#13 0x6f83b7 in lj_BC_FUNCC+34
#14 0x6db446 in lua_pcall+76
#15 0x686323 in luaT_call+13
#16 0x6868cb in luaT_newthread+2b
#17 0x5ad0a7 in box_lua_call+27
#18 0x5aa2d9 in box_process_call+259
#19 0x5c4bc3 in _ZL15tx_process_callP4cmsg+e3
#20 0x6a7ce4 in cmsg_deliver+14
#21 0x6a8898 in fiber_pool_f+c8
#22 0x56c63c in ZL16fiber_cxx_invokePFiP13__va_list_tagES0+c
#23 0x6a24d0 in fiber_loop+30
#24 0xcb425f in coro_init+3f
/bin/sh: line 1: 7 Aborted (core dumped) ./tarantool init.lua --bootstrap true 2>&1

Coredump:

#0 0x00007f6d01923387 in raise () from /lib64/libc.so.6
#1 0x00007f6d01924a78 in abort () from /lib64/libc.so.6
#2 0x000000000056cc89 in sig_fatal_cb (signo=, siginfo=, context=) at /__w/sdk/sdk/tarantool-2.4/src/main.cc:301
#3
#4 0x00007f6d01972aec in free () from /lib64/libc.so.6
#5 0x00007f6cfd53a507 in destroy_consumer_msg (msg=0x7f6cb0004110) at /tmp/luarocks_kafka-1.3.0-1-PGeZjs/kafka/kafka/consumer_msg.c:152
#6 0x00007f6cfd53a55a in lua_consumer_msg_gc (L=) at /tmp/luarocks_kafka-1.3.0-1-PGeZjs/kafka/kafka/consumer_msg.c:111
#7 0x00000000006f83b7 in lj_BC_FUNCC ()
#8 0x00000000006cc62e in gc_call_finalizer ()
#9 0x00000000006cc718 in gc_finalize ()
#10 0x00000000006cd169 in gc_onestep ()
#11 0x00000000006cd84c in lj_gc_step ()
#12 0x00000000006da76c in lua_newthread ()
#13 0x00000000006840c9 in luaT_newthread_wrapper (L=) at /__w/sdk/sdk/tarantool-2.4/src/lua/utils.c:1286
#14 0x00000000006f83b7 in lj_BC_FUNCC ()
#15 0x00000000006db446 in lua_pcall ()
#16 0x0000000000686323 in luaT_call (L=0x40bcd378, nargs=, nreturns=) at /__w/sdk/sdk/tarantool-2.4/src/lua/utils.c:1062
#17 0x00000000006868cb in luaT_newthread (L=0x40bcd378) at /__w/sdk/sdk/tarantool-2.4/src/lua/utils.c:1296
#18 0x00000000005ad0a7 in box_process_lua (ret=0x7f6cc99ffea0, ctx=0x7f6cc99ffd60, handler=HANDLER_CALL) at /__w/sdk/sdk/tarantool-2.4/src/box/lua/call.c:551
#19 box_lua_call (
name=name@entry=0x7f6ccca00c40 "__netbox_call_with_fiber_storage!\223\201\257request_context\202\242id\331$8d4a7b3a-d457-4cc2-b274-7c1deab03fc7\247account\201\254is_anonymous\303\263vshard_proxy.delete\224\252PickupTask\221\223\243$id\242==\331$467485ee-d85d-4f68-9ee7-a5137f0f9ed9\202\260per"..., name_len=name_len@entry=32, args=args@entry=0x7f6cc99ffdc0, ret=ret@entry=0x7f6cc99ffea0) at /__w/sdk/sdk/tarantool-2.4/src/box/lua/call.c:603
#20 0x00000000005aa2d9 in box_process_call (request=, port=0x7f6cc99ffea0) at /__w/sdk/sdk/tarantool-2.4/src/box/call.c:163
#21 0x00000000005c4bc3 in tx_process_call (m=0x7f6ccbc10140) at /__w/sdk/sdk/tarantool-2.4/src/box/iproto.cc:1629
#22 0x00000000006a7ce4 in cmsg_deliver (msg=msg@entry=0x7f6ccbc10140) at /__w/sdk/sdk/tarantool-2.4/src/lib/core/cbus.c:375
#23 0x00000000006a8898 in fiber_pool_f (ap=) at /__w/sdk/sdk/tarantool-2.4/src/lib/core/fiber_pool.c:64
#24 0x000000000056c63c in fiber_cxx_invoke(fiber_func, typedef __va_list_tag __va_list_tag *) (f=, ap=) at /__w/sdk/sdk/tarantool-2.4/src/lib/core/fiber.h:870
#25 0x00000000006a24d0 in fiber_loop (data=) at /__w/sdk/sdk/tarantool-2.4/src/lib/core/fiber.c:879
#26 0x0000000000cb425f in coro_init () at /__w/sdk/sdk/tarantool-2.4/third_party/coro/coro.c:110

(gdb) p (msg_t) 0x7f6cb0004110
$1 = {topic = 0x7f6cb8020520, partition = 0,
value = 0x7f6cb0006040 "{"@Class": "ru.x5.omni.shipment.api.v1.messaging.JourneyCargoLegAnalyticsEvent", "payload": {"journeyCargoLeg": {"id": "2492311c-aa85-4c02-bef3-5ef6ffc6508d", "source": "TEST_SOURCE_001", "journeyId":"..., value_len = 435, key = 0x110 <Address 0x110 out of bounds>, key_len = 0, offset = 1}

destroy_consumer_msg (msg=0x7f6cb0004110) at /tmp/luarocks_kafka-1.3.0-1-PGeZjs/kafka/kafka/consumer_msg.c:152

if (msg->key != NULL) {
    free(msg->key);   // msg->key = 0x110 <Address 0x110 out of bounds>
}