complex way to segfault #928

funny-falcon · 2015-07-14T06:02:16Z

I've found SIGSEGV with relatively complex reproduction (perhaps could be simpler, i've not found yet)
Tarantool 1.6.5-249-g06d4d66
https://gist.github.com/funny-falcon/47d4133cadaf4319bc7e
sh test.sh
occasionally it doesn't fails, but most of times it does.

The text was updated successfully, but these errors were encountered:

kostja · 2015-07-14T07:52:50Z

Could you please paste the backtrace here?

funny-falcon · 2015-07-14T08:19:05Z

shell script from a gist starts gdb and make SIGSEGV happen right to your hands.

$ sh test.sh
GNU gdb (Ubuntu 7.9-1ubuntu1) 7.9
...
Reading symbols from tarantool...done
...
Program received signal SIGSEGV, Segmentation fault.
0x000000000044c01c in alter_space_commit (trigger=0x7ffff5821355)
    at /home/yura/Projects/tarantool/tarantool/src/box/alter.cc:301
301                                     old_index->key_def) == 0) {
(gdb) bt
#0  0x000000000044c01c in alter_space_commit (trigger=0x7ffff5821355)
    at /home/yura/Projects/tarantool/tarantool/src/box/alter.cc:301
#1  0x000000000045585d in trigger_run (list=0x7ffff5821180, event=0x7ffff5821138)
    at /home/yura/Projects/tarantool/tarantool/src/trigger.h:60
#2  0x0000000000456322 in txn_commit (txn=0x7ffff5821138)
    at /home/yura/Projects/tarantool/tarantool/src/box/txn.cc:168
#3  0x00000000004541c9 in txn_commit_stmt (txn=0x7ffff5821138)
    at /home/yura/Projects/tarantool/tarantool/src/box/txn.h:123
#4  0x00000000004549f9 in execute_delete (request=0x7ffff589fe00, port=0x7ffff589fe50)
    at /home/yura/Projects/tarantool/tarantool/src/box/request.cc:137
#5  0x0000000000454ee1 in process_rw (request=0x7ffff589fe00, port=0x7ffff589fe50)
    at /home/yura/Projects/tarantool/tarantool/src/box/request.cc:211
#6  0x00000000004581a7 in lbox_delete (L=0x400c7370)
    at /home/yura/Projects/tarantool/tarantool/src/box/lua/call.cc:350
#7  0x00000000004f7d5a in lj_BC_FUNCC ()
#8  0x00000000004e2590 in lua_call ()
#9  0x0000000000487c73 in lbox_call (L=0x400c7370, nargs=3, nreturns=-1)
    at /home/yura/Projects/tarantool/tarantool/src/lua/utils.h:447
#10 0x0000000000488640 in box_lua_fiber_run(typedef __va_list_tag __va_list_tag *) (ap=0x7ffff5800540)
    at /home/yura/Projects/tarantool/tarantool/src/lua/fiber.cc:286
#11 0x0000000000496b1b in fiber_loop (data=0x0) at /home/yura/Projects/tarantool/tarantool/src/fiber.cc:402
#12 0x0000000000580598 in coro_init () at /home/yura/Projects/tarantool/tarantool/third_party/coro/coro.c:96

kostja · 2015-07-14T09:02:18Z

Thank you for your time, confirmed.

funny-falcon · 2015-07-19T09:16:52Z

Simplified test case a little. Things that matters:

two secondary indices
call to truncate from two concurrent console connections

mejedi · 2016-09-12T12:29:10Z

Crashes virtually identical in 1.6 and 1.7.

==58151==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000000a9c at pc 0x0001000b8785 bp 0x00000385f470 sp 0x00000385f468
READ of size 4 at 0x611000000a9c thread T0
    #0 0x1000b8784 in space_index(space*, unsigned int) space.h:171
    #1 0x1000c5e9d in alter_space_commit(trigger*, void*) alter.cc:615
    #2 0x1000e0e5b in trigger_run(rlist*, void*) trigger.h:67
    #3 0x1000e1136 in txn_commit(txn*) txn.cc:243
    #4 0x1000e077f in txn_commit_stmt(txn*, request*) txn.cc:175
    #5 0x1000e40ff in process_rw(request*, tuple**) box.cc:183
    #6 0x1000e68a6 in box_process1(request*, tuple**) box.cc:583
    #7 0x1000e7606 in box_delete box.cc:650
    #8 0x1001310f9 in lbox_index_delete index.c:133
    #9 0x1003095ca in lj_BC_FUNCC (tarantool+0x1003095ca)

0x611000000a9c is located 92 bytes inside of 248-byte region [0x611000000a40,0x611000000b38)
freed by thread T0 here:
    #0 0x5bf39 in wrap_free sanitizer_malloc_mac.inc:107
    #1 0x1000b2e9f in space_delete(space*) space.cc:148
    #2 0x1000c6349 in alter_space_commit(trigger*, void*) alter.cc:652
    #3 0x1000e0e5b in trigger_run(rlist*, void*) trigger.h:67
    #4 0x1000e1136 in txn_commit(txn*) txn.cc:243
    #5 0x1000e077f in txn_commit_stmt(txn*, request*) txn.cc:175
    #6 0x1000e40ff in process_rw(request*, tuple**) box.cc:183
    #7 0x1000e68a6 in box_process1(request*, tuple**) box.cc:583
    #8 0x1000e7606 in box_delete box.cc:650
    #9 0x1001310f9 in lbox_index_delete index.c:133
    #10 0x1003095ca in lj_BC_FUNCC (tarantool+0x1003095ca)

previously allocated by thread T0 here:
    #0 0x5c2f6 in wrap_calloc sanitizer_malloc_mac.inc:118
    #1 0x1000b1d9b in space_new(space_def*, rlist*) space.cc:103
    #2 0x1000c52c1 in alter_space_do(txn*, alter_space*, space*) alter.cc:755
    #3 0x1000bf96b in on_replace_dd_index(trigger*, void*) alter.cc:1421
    #4 0x1000e0e5b in trigger_run(rlist*, void*) trigger.h:67
    #5 0x1000e06a0 in txn_commit_stmt(txn*, request*) txn.cc:171
    #6 0x1000e40ff in process_rw(request*, tuple**) box.cc:183
    #7 0x1000e68a6 in box_process1(request*, tuple**) box.cc:583
    #8 0x1000e7109 in box_insert box.cc:623
    #9 0x1001308d7 in lbox_insert index.c:55
    #10 0x1003095ca in lj_BC_FUNCC (tarantool+0x1003095ca)

SUMMARY: AddressSanitizer: heap-use-after-free space.h:171 in space_index(space*, unsigned int)

Tarantool should not crash if one space was truncated simultaneosly from two fibers. See #928

GeorgyKirichenko · 2017-06-14T08:18:32Z

Fixed by 5a200cb
Test added by 1fca0ee

Tarantool should not crash if one space was truncated simultaneosly from two fibers. Closes #928

Extracted tests: - box/ddl-[1-3].test.lua - box/gh-928-ddl.test.lua

Extracted tests: - box/ddl-[1-7].test.lua - box/gh-928-ddl.test.lua - box/gh-2336-ddl.test.lua - box/gh-2783-ddl.test.lua - box/gh-2839-ddl.test.lua - box/gh-2937-ddl.test.lua - box/gh-3290-ddl.test.lua

Divided into tests: - box/ddl_alter.test.lua - box/ddl_collation.test.lua - box/ddl_collation_types.test.lua - box/ddl_collation_wrong_id.test.lua - box/ddl_no_collation.test.lua - box/ddl_parallel.test.lua - box/ddl_tuple.test.lua - box/gh-2336-ddl_call_twice.test.lua - box/gh-2783-ddl_lock.test.lua - box/gh-2839-ddl_custom_fields.test.lua - box/gh-2937-ddl_collation_field_def.test.lua - box/gh-3290-ddl_collation_deleted.test.lua - box/gh-928-ddl_truncate.test.lua t

Divided into tests: - box/ddl_alter.test.lua - box/ddl_collation.test.lua - box/ddl_collation_types.test.lua - box/ddl_collation_wrong_id.test.lua - box/ddl_no_collation.test.lua - box/ddl_parallel.test.lua - box/ddl_tuple.test.lua - box/gh-2336-ddl_call_twice.test.lua - box/gh-2783-ddl_lock.test.lua - box/gh-2839-ddl_custom_fields.test.lua - box/gh-2937-ddl_collation_field_def.test.lua - box/gh-3290-ddl_collation_deleted.test.lua - box/gh-928-ddl_truncate.test.lua

kostja added the bug Something isn't working label Jul 14, 2015

kostja self-assigned this Jul 14, 2015

kostja added this to the 1.6.6 milestone Jul 14, 2015

kostja modified the milestones: 1.6.7, 1.6.6 Aug 26, 2015

kostja added the crash label Aug 28, 2015

kostja modified the milestones: 1.6.7, 1.7 Aug 31, 2015

kostja assigned feldsherov and unassigned kostja Apr 1, 2016

kostja modified the milestones: 1.6.9, 1.8 Apr 1, 2016

kostja modified the milestones: 1.6.9, 1.7.3 Sep 23, 2016

kostja added the prio3 label Sep 27, 2016

rtsisyk modified the milestones: 1.7.4, 1.7.3 Dec 23, 2016

kostja modified the milestones: 1.7.5, 1.7.4 Jan 24, 2017

rtsisyk added ddl and removed prio3 labels Apr 4, 2017

rtsisyk assigned GeorgyKirichenko and unassigned feldsherov Apr 4, 2017

kostja added the prio1 label Apr 17, 2017

GeorgyKirichenko added a commit that referenced this issue Jun 14, 2017

Test case for simulataneosly truncates

1fca0ee

Tarantool should not crash if one space was truncated simultaneosly from two fibers. See #928

GeorgyKirichenko closed this as completed Jun 14, 2017

rtsisyk pushed a commit that referenced this issue Jun 19, 2017

alter: add a test case for simultaneous truncates

bd2a23f

Tarantool should not crash if one space was truncated simultaneosly from two fibers. Closes #928

This was referenced Aug 22, 2017

1.7.5 changelog rtsisyk/tarantool-archive#2

Open

Tarantool 1.7.5 (stable) changelog tarantool/doc#289

Closed

avtikhon added a commit that referenced this issue Mar 16, 2020

Extract tests for box/gh-2336-ddl

f7dbfe9

Extracted tests: - box/ddl-[1-3].test.lua - box/gh-928-ddl.test.lua

avtikhon added a commit that referenced this issue Mar 16, 2020

Extract tests from box/gh-2336-ddl.test.lua

21b38de

Extracted tests: - box/ddl-[1-3].test.lua - box/gh-928-ddl.test.lua

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

complex way to segfault #928

complex way to segfault #928

funny-falcon commented Jul 14, 2015

kostja commented Jul 14, 2015

funny-falcon commented Jul 14, 2015

kostja commented Jul 14, 2015

funny-falcon commented Jul 19, 2015

mejedi commented Sep 12, 2016 •

edited

GeorgyKirichenko commented Jun 14, 2017

complex way to segfault #928

complex way to segfault #928

Comments

funny-falcon commented Jul 14, 2015

kostja commented Jul 14, 2015

funny-falcon commented Jul 14, 2015

kostja commented Jul 14, 2015

funny-falcon commented Jul 19, 2015

mejedi commented Sep 12, 2016 • edited

GeorgyKirichenko commented Jun 14, 2017

mejedi commented Sep 12, 2016 •

edited