Segmentation fault in rtree_branch_copy()

[ligurio]

Bug description

• OS: Linux
• OS Version: Ubuntu 24.04 LTS
• Architecture: amd64

Tarantool 3.2.0-entrypoint-105-g6d8563472
Target: Linux-x86_64-RelWithDebInfo
Build options: cmake . -DCMAKE_INSTALL_PREFIX=/usr/local -DENABLE_BACKTRACE=TRUE
Compiler: GNU-13.2.0
C_FLAGS: -fexceptions -funwind-tables -fasynchronous-unwind-tables -fno-common -msse2 -Wformat -Wformat-security -Werror=format-security -fstack-protector-strong -fPIC -fmacro-prefix-map=/home/ubuntu/tarantool=. -std=c11 -Wall -Wextra -Wno-gnu-alignof-expression -fno-gnu89-inline -Wno-cast-function-type -O2 -g -DNDEBUG -ggdb -O2
CXX_FLAGS: -fexceptions -funwind-tables -fasynchronous-unwind-tables -fno-common -msse2 -Wformat -Wformat-security -Werror=format-security -fstack-protector-strong -fPIC -fmacro-prefix-map=/home/ubuntu/tarantool=. -std=c++11 -Wall -Wextra -Wno-invalid-offsetof -Wno-gnu-alignof-expression -Wno-cast-function-type -O2 -g -DNDEBUG -ggdb -O2

Steps to reproduce

random operations on a space with memtx engine:
taskset 0xef ./build/src/tarantool vinyl_1.lua --engine memtx --test_duration=$((24*60*60)) --workers=1000

Actual behavior

there is an archive with coredump, tarantool binary and full log, but size of archive is exceeded Github's limit. Ask me and I'll share archive.

Current time: 1718959118
Please file a bug at https://github.com/tarantool/tarantool/issues
Attempting backtrace... Note: since the server has already crashed, 
this may fail as well
#1  0x63110556ff62 in crash_signal_cb+162
#2  0x7e4afd645320 in __sigaction+80
#3  0x6311056a3796 in rtree_split_page+2966
#4  0x6311056a3d5d in rtree_page_insert+733
#5  0x6311056a3c47 in rtree_page_insert+455
#6  0x6311056a3c47 in rtree_page_insert+455
#7  0x6311056a3c47 in rtree_page_insert+455
#8  0x6311056a5d54 in rtree_insert+68
#9  0x6311053de211 in memtx_rtree_index_replace(index*, tuple*, tuple*, dup_replace_mode, tuple**, tuple**)+289
#10 0x6311053f2c5a in memtx_space_build_index+458
#11 0x6311054547d5 in RebuildIndex::prepare(alter_space*)+165
#12 0x6311054615cd in alter_space_do(txn_stmt*, alter_space*)+461
#13 0x631105464fd8 in on_replace_dd_index(trigger*, void*)+952
#14 0x631105591256 in trigger_run_list(rlist*, void*)+134
#15 0x63110559135a in trigger_run+170
#16 0x6311054470ed in space_on_replace+77
#17 0x631105470449 in txn_commit_stmt+217
#18 0x63110547da9d in box_process_rw+253
#19 0x631105483b09 in box_replace+89
#20 0x631105520fc8 in lbox_replace+440

#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007e4afd64526e in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007e4afd6288ff in __GI_abort () at ./stdlib/abort.c:79
#5  0x000063110557000a in crash_signal_cb (signo=<optimized out>, siginfo=<optimized out>, context=<optimized out>)
    at /home/ubuntu/tarantool/src/lib/core/crash.c:203
#6  <signal handler called>
#7  0x00006311056a3796 in rtree_branch_copy (dimension=<optimized out>, from=0x7e4ae0f80100, to=0x8)
    at /home/ubuntu/tarantool/src/lib/salad/rtree.c:377
#8  rtree_split_page (tree=tree@entry=0x63110c72a240, page=page@entry=0x7e4af0f87000, br=br@entry=0x7e4ae0f80100)
    at /home/ubuntu/tarantool/src/lib/salad/rtree.c:562
#9  0x00006311056a3a1c in rtree_page_add_branch (tree=tree@entry=0x63110c72a240, page=page@entry=0x7e4af0f87000, br=br@entry=0x7e4ae0f80100)
    at /home/ubuntu/tarantool/src/lib/salad/rtree.c:595
#10 0x00006311056a3d5d in rtree_page_insert (tree=tree@entry=0x63110c72a240, page=page@entry=0x7e4af0f87000, rect=rect@entry=0x7e4ae0f80850, 
    obj=<optimized out>, level=0, level@entry=1) at /home/ubuntu/tarantool/src/lib/salad/rtree.c:661
#11 0x00006311056a3c47 in rtree_page_insert (tree=tree@entry=0x63110c72a240, page=page@entry=0x7e4af0fb5000, rect=rect@entry=0x7e4ae0f80850, 
    obj=<optimized out>, level=1, level@entry=2) at /home/ubuntu/tarantool/src/lib/salad/rtree.c:645
#12 0x00006311056a3c47 in rtree_page_insert (tree=tree@entry=0x63110c72a240, page=page@entry=0x7e4af0eb0000, rect=rect@entry=0x7e4ae0f80850, 
    obj=<optimized out>, level=2, level@entry=3) at /home/ubuntu/tarantool/src/lib/salad/rtree.c:645
#13 0x00006311056a3c47 in rtree_page_insert (tree=tree@entry=0x63110c72a240, page=0x7e4af0eb1000, rect=rect@entry=0x7e4ae0f80850, 
    obj=obj@entry=0x631108fa3f8c, level=3) at /home/ubuntu/tarantool/src/lib/salad/rtree.c:645
#14 0x00006311056a5d54 in rtree_insert (tree=0x63110c72a240, rect=0x7e4ae0f80850, obj=0x631108fa3f8c)
    at /home/ubuntu/tarantool/src/lib/salad/rtree.c:994
#15 0x00006311053de211 in memtx_rtree_index_replace (base=0x63110c72a200, old_tuple=0x0, new_tuple=0x631108fa3f8c, mode=<optimized out>, 
    result=0x7e4ae0f80a20, successor=<optimized out>) at /home/ubuntu/tarantool/src/box/memtx_rtree.cc:271
#16 0x00006311053f2c5a in index_replace (successor=0x7e4ae0f80a28, result=0x7e4ae0f80a20, mode=DUP_INSERT, new_tuple=<optimized out>, 
#17 memtx_space_build_index (src_space=<optimized out>, new_index=0x63110c72a200, new_format=0x631106b9ef60, 
    check_unique_constraint=<optimized out>) at /home/ubuntu/tarantool/src/box/memtx_space.c:1351
#18 0x00006311054547d5 in space_build_index (new_space=<optimized out>, new_index=0x63110c72a200, src_space=0x631106b58830)
    at /home/ubuntu/tarantool/src/box/space.h:632
#19 space_build_index_xc (new_space=0x631106cf2910, new_index=0x63110c72a200, src_space=0x631106b58830)
    at /home/ubuntu/tarantool/src/box/space.h:819
#20 space_build_index_with_yield (new_index=0x63110c72a200, new_space=0x631106cf2910, old_space=0x631106b58830)
    at /home/ubuntu/tarantool/src/box/alter.cc:1393
#21 RebuildIndex::prepare (this=<optimized out>, alter=<optimized out>) at /home/ubuntu/tarantool/src/box/alter.cc:1497
#22 0x00006311054615cd in alter_space_do (stmt=stmt@entry=0x7e4afb0202e8, alter=alter@entry=0x7e4afb020458)
    at /home/ubuntu/tarantool/src/box/alter.cc:1035
#23 0x0000631105464fd8 in on_replace_dd_index (event=<optimized out>) at /home/ubuntu/tarantool/src/box/alter.cc:2654
#24 0x0000631105591256 in trigger_run_list (list=list@entry=0x7e4ae0f80c60, event=event@entry=0x7e4afb020038)
    at /home/ubuntu/tarantool/src/lib/core/trigger.cc:100
#25 0x000063110559135a in trigger_run (list=<optimized out>, event=event@entry=0x7e4afb020038)
    at /home/ubuntu/tarantool/src/lib/core/trigger.cc:133
#26 0x00006311054470ed in space_on_replace (space=<optimized out>, txn=txn@entry=0x7e4afb020038) at /home/ubuntu/tarantool/src/box/space.c:997
#27 0x0000631105470449 in txn_commit_stmt (txn=0x7e4afb020038, request=0x7e4ae0f80da0) at /home/ubuntu/tarantool/src/box/txn.c:678
#28 0x000063110547da9d in box_process_rw (request=request@entry=0x7e4ae0f80da0, space=<optimized out>, result=result@entry=0x7e4ae0f80e90)
    at /home/ubuntu/tarantool/src/box/box.cc:508
#29 0x0000631105482af1 in box_process1 (request=request@entry=0x7e4ae0f80da0, result=result@entry=0x7e4ae0f80e90)
    at /home/ubuntu/tarantool/src/box/box.cc:3731
#30 0x0000631105483b09 in box_replace (space_id=space_id@entry=288, tuple=<optimized out>, tuple_end=<optimized out>, 
    result=result@entry=0x7e4ae0f80e90) at /home/ubuntu/tarantool/src/box/box.cc:3931
#31 0x0000631105520fc8 in lbox_replace (L=0x413b3ec8) at /home/ubuntu/tarantool/src/box/lua/index.c:84
#32 0x00006311055b2373 in lj_BC_FUNCC () at buildvm_x86.dasc:811
#33 0x00006311055b90c7 in lua_pcall (L=L@entry=0x413b3ec8, nargs=<optimized out>, nresults=<optimized out>, errfunc=errfunc@entry=0)
    at /home/ubuntu/tarantool/third_party/luajit/src/lj_api.c:1173
#34 0x000063110555455f in luaT_call (L=0x413b3ec8, nargs=<optimized out>, nreturns=<optimized out>) at /home/ubuntu/tarantool/src/lua/utils.c:689
#35 0x000063110554ac9a in lua_fiber_run_f (ap=<error reading variable: value has been optimized out>)
    at /home/ubuntu/tarantool/src/lua/fiber.c:430
#36 0x00006311053b0ca0 in fiber_cxx_invoke(fiber_func, typedef __va_list_tag __va_list_tag *) (f=<optimized out>, ap=<optimized out>)
    at /home/ubuntu/tarantool/src/lib/core/fiber.h:1308
#37 0x0000631105579e96 in fiber_loop (data=<optimized out>) at /home/ubuntu/tarantool/src/lib/core/fiber.c:1153
#38 0x00006311057e95dc in coro_init () at /home/ubuntu/tarantool/third_party/coro/coro.c:108

Expected behavior

no crash

[ligurio]

reproduced on tarantool 7db4de7
coredump https://bronevichok.ru/static/gh-10153.gz

[nshy]

Unfortunately coredump is lost. But it looks like memtx memory OOM issue in this code:

tarantool/src/lib/salad/rtree.c

Lines 550 to 563 in 1129c75

	struct rtree_page *new_page = rtree_page_alloc(tree);
	tree->n_pages++;
	char taken[RTREE_MAXIMUM_BRANCHES_IN_PAGE];
	memset(taken, 0, sizeof(taken));
	for (unsigned i = 0; i < k1; i++) {
	struct rtree_page_branch *new_b =
	rtree_branch_get(tree, new_page, i);
	const struct rtree_page_branch *from_b = br;
	if (ids[i]) {
	from_b = rtree_branch_get(tree, page, ids[i] - 1);
	taken[ids[i] - 1] = 1;
	}
	rtree_branch_copy(new_b, from_b, d);
	}

new_page is NULL and thus new_b is 0x8 as seen in backtrace. Yet another memtx memory OOM issue. See also https://github.com/tarantool/tarantool-ee/issues/842, #10245, #10237.