Segmentation fault in small_mempool_get_group_index ()

[ligurio]

Bug description

A clear and concise description of what the bug is.

• OS: Linux
• OS Version: Ubuntu 22.04
• Architecture: amd64

Tarantool 3.2.0-entrypoint-84-g9d3859b246
Target: Linux-x86_64-RelWithDebInfo
Build options: cmake . -DCMAKE_INSTALL_PREFIX=/usr/local -DENABLE_BACKTRACE=TRUE
Compiler: GNU-11.4.0
C_FLAGS: -fexceptions -funwind-tables -fasynchronous-unwind-tables -fno-common -msse2 -Wformat -Wformat-security -Werror=format-security -fstack-protector-strong -fPIC -fmacro-prefix-map=/home/sergeyb/sources/MRG/tarantool=. -std=c11 -Wall -Wextra -Wno-gnu-alignof-expression -fno-gnu89-inline -Wno-cast-function-type -O2 -g -DNDEBUG -ggdb -O2
CXX_FLAGS: -fexceptions -funwind-tables -fasynchronous-unwind-tables -fno-common -msse2 -Wformat -Wformat-security -Werror=format-security -fstack-protector-strong -fPIC -fmacro-prefix-map=/home/sergeyb/sources/MRG/tarantool=. -std=c++11 -Wall -Wextra -Wno-invalid-offsetof -Wno-gnu-alignof-expression -Wno-cast-function-type -O2 -g -DNDEBUG -ggdb -O2

Steps to reproduce

Sorry, there are no exact steps.

Actual behavior

coredump and tarantool binary: https://drive.google.com/file/d/1Gg1AatEMhebae6SsnmwRLIo2w8XZpaJb/view?usp=sharing

2024-06-19 18:29:53.961 [1916305] main/325/WRK #212/..vinyl I> UPSERT_OP [[956973622292.22,715973209073,"f37a39a3-c7a9-4f51-a49f-7e21b5163fd3",9690
38369411,"buqraqnhqu",84135920952,true,"782525337970","2024-06-19T15:29:53Z",[1,2,3],{"1":1,"2":2}],[["^",2,21457022032]]]
Segmentation fault             
  code: SEGV_MAPERR            
  addr: (nil)                   
  context: 0x563ee22f3780
  siginfo: 0x563ee22f38b0                                                
  rax      0x0                0                                          
  rbx      0xd                13
  rcx      0x563ee1100878     94828063885432
  rdx      0x80               128                                        
  rsi      0x563ee11003b8     94828063884216
  rdi      0x1                1                                                                                                                    
  rsp      0x7f523c280b10     139991173303056        
  rbp      0x563ee10e8420     94828063786016
  r8       0x0                0                                          
  r9       0x7f523c280bb0     139991173303216
  r10      0x0                0                                          
  r11      0xfffffffc         4294967292
  r12      0x563ee1100878     94828063885432
  r13      0x28e              654 
  r14      0x563ee10e8be0     94828063788000
  r15      0x86bca1af286bca1b -8737931403336103397                                                                                                 
  rip      0x563ee0e2500d     94828060889101
  eflags   0x10287            66183
  cs       0x33               51
  gs       0x0                0    
  gs       0x0                0                                          
  fs       0x0                0
  cr2      0x0                0
  err      0x4                4
  oldmask  0x0                0
  trapno   0xe                14
Current time: 1718810993
Please file a bug at https://github.com/tarantool/tarantool/issues
Attempting backtrace... Note: since the server has already crashed, 
this may fail as well
#1  0x563ee0bb602d in crash_signal_cb+157
#2  0x7f529a642520 in __sigaction+80 
#3  0x563ee0e2500d in smalloc+429
#4  0x563ee0a3126b in tuple* memtx_tuple_new_raw_impl<SmallAlloc>(tuple_format*, char const*, char const*, bool)+459
#5  0x563ee0a35f23 in memtx_space_execute_upsert+1043
#6  0x563ee0a8bb84 in space_execute_dml+740
#7  0x563ee0ac292a in box_process_rw+346
#8  0x563ee0ac9316 in box_upsert+118 
#9  0x563ee0b67c5a in lbox_upsert+570
#10 0x563ee0bf8d73 in lj_BC_FUNCC+70 
#11 0x563ee0bffb25 in lua_pcall+117
#12 0x563ee0b99f6f in luaT_call+15
#13 0x563ee0b9046a in lua_fiber_run_f+106
#14 0x563ee09f3f41 in fiber_cxx_invoke(int (*)(__va_list_tag*), __va_list_tag*)+17
#15 0x563ee0bc0726 in fiber_loop+70
#16 0x563ee0e38bcc in coro_init+76
Aborted (core dumped)

#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=139992767224512) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=139992767224512) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=139992767224512, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007f529a642476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007f529a6287f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x0000563ee0bb60d5 in crash_signal_cb (signo=<optimized out>, siginfo=<optimized out>, context=<optimized out>)
    at /home/sergeyb/sources/MRG/tarantool/src/lib/core/crash.c:203
#6  <signal handler called>
#7  0x0000563ee0e2500d in small_mempool_get_group_index (small_mempool=0x563ee1100878 <SmallAlloc::small_alloc+99416>)
    at /home/sergeyb/sources/MRG/tarantool/src/lib/small/small/small.c:66
#8  small_mempool_can_be_deactivated (small_mempool=0x563ee1100878 <SmallAlloc::small_alloc+99416>)
    at /home/sergeyb/sources/MRG/tarantool/src/lib/small/small/small.c:105
#9  small_mempool_group_sweep_sparse (alloc=<optimized out>) at /home/sergeyb/sources/MRG/tarantool/src/lib/small/small/small.c:132
#10 smalloc (alloc=0x563ee10e8420 <SmallAlloc::small_alloc>, size=<optimized out>)
    at /home/sergeyb/sources/MRG/tarantool/src/lib/small/small/small.c:355
#11 0x0000563ee0a3126b in SmallAlloc::alloc (size=120) at /home/sergeyb/sources/MRG/tarantool/src/box/allocator.h:110
#12 MemtxAllocator<SmallAlloc>::alloc (size=120) at /home/sergeyb/sources/MRG/tarantool/src/box/memtx_allocator.h:365
#13 MemtxAllocator<SmallAlloc>::alloc_tuple (size=116) at /home/sergeyb/sources/MRG/tarantool/src/box/memtx_allocator.h:295
#14 memtx_tuple_new_raw_impl<SmallAlloc> (format=0x563ee24ffc00, data=0x7f5297c36038 "\233\313Bk\332\002T\202\207", <incomplete sequence \317>, 
    end=<optimized out>, validate=<optimized out>) at /home/sergeyb/sources/MRG/tarantool/src/box/memtx_engine.cc:1828
#15 0x0000563ee0a35f23 in memtx_space_execute_upsert (space=0x563ee24f12a0, txn=<optimized out>, request=0x7f523c280d90)
    at /home/sergeyb/sources/MRG/tarantool/src/box/memtx_space.c:610
#16 0x0000563ee0a8bb84 in space_execute_dml (space=0x563ee24f12a0, txn=0x7f5296b3c038, request=0x7f523c280d90, result=0x7f523c280d40)
    at /home/sergeyb/sources/MRG/tarantool/src/box/space.c:1392
#17 0x0000563ee0ac292a in box_process_rw (request=request@entry=0x7f523c280d90, space=0x563ee24f12a0, result=result@entry=0x7f523c280e90)
    at /home/sergeyb/sources/MRG/tarantool/src/box/box.cc:491
#18 0x0000563ee0ac7cc9 in box_process1 (request=request@entry=0x7f523c280d90, result=result@entry=0x7f523c280e90)
    at /home/sergeyb/sources/MRG/tarantool/src/box/box.cc:373
#19 0x0000563ee0ac9316 in box_upsert (space_id=space_id@entry=512, index_id=index_id@entry=0, 
    tuple=tuple@entry=0x7f5297c36038 "\233\313Bk\332\002T\202\207", <incomplete sequence \317>, tuple_end=<optimized out>, ops=<optimized out>, 
    ops_end=<optimized out>, index_base=1, result=0x7f523c280e90) at /home/sergeyb/sources/MRG/tarantool/src/box/box.cc:3987
#20 0x0000563ee0b67c5a in lbox_upsert (L=0x41a39210) at /home/sergeyb/sources/MRG/tarantool/src/box/lua/index.c:143
#21 0x0000563ee0bf8d73 in lj_BC_FUNCC () at buildvm_x86.dasc:811
#22 0x0000563ee0bffb25 in lua_pcall (L=L@entry=0x41a39210, nargs=<optimized out>, nresults=<optimized out>, errfunc=errfunc@entry=0)
    at /home/sergeyb/sources/MRG/tarantool/third_party/luajit/src/lj_api.c:1173
#23 0x0000563ee0b99f6f in luaT_call (L=0x41a39210, nargs=<optimized out>, nreturns=<optimized out>)
    at /home/sergeyb/sources/MRG/tarantool/src/lua/utils.c:689
#24 0x0000563ee0b9046a in lua_fiber_run_f (ap=<error reading variable: value has been optimized out>)
    at /home/sergeyb/sources/MRG/tarantool/src/lua/fiber.c:430
#25 0x0000563ee09f3f41 in fiber_cxx_invoke(fiber_func, typedef __va_list_tag __va_list_tag *) (f=<optimized out>, ap=<optimized out>)
    at /home/sergeyb/sources/MRG/tarantool/src/lib/core/fiber.h:1308
#26 0x0000563ee0bc0726 in fiber_loop (data=<optimized out>) at /home/sergeyb/sources/MRG/tarantool/src/lib/core/fiber.c:1153
#27 0x0000563ee0e38bcc in coro_init () at /home/sergeyb/sources/MRG/tarantool/third_party/coro/coro.c:108
(gdb) 

Expected behavior

no crash

[ligurio]

coredump and tarantool binary: https://drive.google.com/file/d/1Gg1AatEMhebae6SsnmwRLIo2w8XZpaJb/view?usp=sharing

[nshy]

The issue is group of small mempool is not initialized:

 (gdb) f 5
#5  0x0000563ee0e2500d in small_mempool_get_group_index (
    small_mempool=0x563ee1100878 <SmallAlloc::small_alloc+99416>)
    at /home/sergeyb/sources/MRG/tarantool/src/lib/small/small/small.c:66
66		return small_mempool - small_mempool->group->first;
 (gdb) p small_mempool->group
$2 = (struct small_mempool_group *) 0x0

due to unexpectedly small slab_alloc_factor = 1.00100005. small_mempool_create fails to initialize last group if SMALL_MEMPOOL_MAX is reached.

Repro:

box.cfg{
    slab_alloc_factor = 1.00100005,
    memtx_memory = 64 * 1024 * 1024,
}
local test = box.schema.create_space('test')
test:create_index('pri')
for i=1,1000000 do
    test:insert{i, string.rep('x', 1000)}
end