Segmentation fault in space_fill_index_map()

[ligurio]

Bug description

• OS: Linux
• OS Version: Ubuntu 22.04
• Architecture: amd64

Tarantool 3.2.0-entrypoint-124-g5208ea473b
Target: Linux-x86_64-Debug
Build options: cmake . -DCMAKE_INSTALL_PREFIX=/usr/local -DENABLE_BACKTRACE=TRUE
Compiler: GNU-11.4.0
C_FLAGS: -fexceptions -funwind-tables -fasynchronous-unwind-tables -fno-common -msse2 -Wformat -Wformat-security -Werror=format-security -fstack-protector-strong -fPIC -fmacro-prefix-map=/home/sergeyb/sources/MRG/tarantool=. -std=c11 -Wall -Wextra -Wno-gnu-alignof-expression -fno-gnu89-inline -Wno-cast-function-type -Werror -g -ggdb -O0
CXX_FLAGS: -fexceptions -funwind-tables -fasynchronous-unwind-tables -fno-common -msse2 -Wformat -Wformat-security -Werror=format-security -fstack-protector-strong -fPIC -fmacro-prefix-map=/home/sergeyb/sources/MRG/tarantool=. -std=c++11 -Wall -Wextra -Wno-invalid-offsetof -Wno-gnu-alignof-expression -Wno-cast-function-type -Werror -g -ggdb -O0

Steps to reproduce

no exact steps

$ ./build/src/tarantool test/fuzz/lua/test_engine.lua --test_duration 10 --engine memtx --workers 10

<snipped>

2024-07-11 22:25:58.370 [3847356] main/119/WRK #6/test.fuzz.lua.test_engine I> INDEX_COMPACT_OP [{"unique":true,"parts":[{"fieldno":1,"sort_order":
"asc","type":"double","exclude_null":false,"is_nullable":false},{"fieldno":2,"sort_order":"asc","type":"unsigned","exclude_null":false,"is_nullable
":false},{"fieldno":3,"sort_order":"asc","type":"uuid","exclude_null":false,"is_nullable":false}],"hint":true,"id":0,"space_id":512,"type":"TREE","
name":"idx_1"}]                                                                                                                                    
2024-07-11 22:25:58.370 [3847356] main/119/WRK #6/test.fuzz.lua.test_engine I> INDEX_CREATE_OP []                                                  
2024-07-11 22:25:58.371 [3847356] main/119/WRK #6/test.fuzz.lua.test_engine I> ERROR: opname "INDEX_CREATE_OP", err "Can't modify space 'test_1': t
he space is already being modified", args []                                                                                                       
2024-07-11 22:25:58.371 [3847356] main/119/WRK #6/test.fuzz.lua.test_engine I> UPSERT_OP [[797459199733.71,289144787834,"fa6efb3d-a117-4d07-a8d0-4e
355d5df3b9",914235073122,"moskustcgr",996772513566,true,"754766418081","2024-07-11T19:25:58Z",[1,2,3,4,5,6,7,8],{"4":4,"8":8,"1":1,"5":5,"2":2,"6":
6,"7":7,"3":3}],[["!",5,"ioddenfovw"],["=",7,true],["+",2,269059006321],["+",6,187174578375],["=",9,"2024-07-11T19:25:58Z"],["=",3,"799cab86-abfe-4
df4-aefc-d54745b8395b"],["-",8,"94213713247"]]]                                                                                                    
2024-07-11 22:25:58.371 [3847356] main/119/WRK #6/test.fuzz.lua.test_engine I> UPDATE_OP [[558449124319.29,519928218834,"3a6eff55-c2e1-424e-ba75-9e
6d7f6fea45"],[["-",1,749471971943.5]]]                                                                                                             
2024-07-11 22:25:58.371 [3847356] main/119/WRK #6/test.fuzz.lua.test_engine I> PUT_OP [[585049813831.57,975991261946,"fa562442-95ab-43b4-95ac-f694e
6a5cf7b",661327255273,"ctztzizfvu",554160479502,false,"74652702613","2024-07-11T19:25:58Z",[1,2,3,4,5,6,7,8],{"4":4,"8":8,"1":1,"5":5,"2":2,"6":6,"
7":7,"3":3}]]                                                                                                                                      
2024-07-11 22:25:58.372 [3847356] main/119/WRK #6/test.fuzz.lua.test_engine I> BSIZE_OP []                                                         
2024-07-11 22:25:58.372 [3847356] main/119/WRK #6/test.fuzz.lua.test_engine I> TX_ROLLBACK []                                                      
2024-07-11 22:25:58.372 [3847356] main/119/WRK #6/test.fuzz.lua.test_engine I> DELETE_OP [[100662351574.09,424079033855,"aee344c2-df9c-4628-8454-10
5703753e48"]]                                                                                                                                      
2024-07-11 22:25:58.372 [3847356] main/106/checkpoint_daemon I> scheduled next checkpoint for Thu Jul 11 22:27:02 2024                             
Segmentation fault 

Actual behavior

#1  0x555efff80492 in crash_collect+256
#2  0x555efff80ece in crash_signal_cb+100
#3  0x7fc1ab442520 in __sigaction+80
#4  0x555effda9b70 in space_fill_index_map+56
#5  0x555effdc63b4 in alter_space_do(txn_stmt*, alter_space*)+1106
#6  0x555effdcae55 in on_replace_dd_index(trigger*, void*)+3527
#7  0x555efffb69e2 in trigger_run_list(rlist*, void*)+62
#8  0x555efffb6b04 in trigger_run+185
#9  0x555effdac890 in space_on_replace+130
#10 0x555effde7c8a in txn_commit_stmt+439
#11 0x555effdfb700 in box_process_rw+427
#12 0x555effe0858d in box_process1+462
#13 0x555effe091d3 in box_replace+181
#14 0x555efff136f6 in lbox_replace+466
#15 0x555efffeb247 in lj_BC_FUNCC+70
#16 0x555effff8dbf in lua_pcall+968
#17 0x555efff5c5cc in luaT_call+45
#18 0x555efff51399 in lua_fiber_run_f+189
#19 0x555effcb5187 in fiber_cxx_invoke(int (*)(__va_list_tag*), __va_list_tag*)+34
#20 0x555efff8d1bc in fiber_loop+219
#21 0x555f00381576 in coro_init+120
Aborted (core dumped)

#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140469798804160) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140469798804160) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140469798804160, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007fc1ab442476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007fc1ab4287f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x0000555efff80f77 in crash_signal_cb (signo=11, siginfo=0x555f014de8f0, context=0x555f014de7c0)
    at /home/sergeyb/sources/MRG/tarantool/src/lib/core/crash.c:203
#6  <signal handler called>
#7  space_fill_index_map (space=0x555f01a10ca0) at /home/sergeyb/sources/MRG/tarantool/src/box/space.c:119
#8  0x0000555effdc63b4 in alter_space_do (stmt=0x7fc1a8c6b290, alter=0x7fc1a8c6b420) at /home/sergeyb/sources/MRG/tarantool/src/box/alter.cc:1047
#9  0x0000555effdcae55 in on_replace_dd_index (event=0x7fc1a8c6b038) at /home/sergeyb/sources/MRG/tarantool/src/box/alter.cc:2654
#10 0x0000555efffb69e2 in trigger_run_list (list=0x7fc168780ab0, event=0x7fc1a8c6b038)
    at /home/sergeyb/sources/MRG/tarantool/src/lib/core/trigger.cc:100
#11 0x0000555efffb6b04 in trigger_run (list=0x555f01514460, event=0x7fc1a8c6b038)
    at /home/sergeyb/sources/MRG/tarantool/src/lib/core/trigger.cc:133
#12 0x0000555effdac890 in space_on_replace (space=0x555f015143c0, txn=0x7fc1a8c6b038) at /home/sergeyb/sources/MRG/tarantool/src/box/space.c:997
#13 0x0000555effde7c8a in txn_commit_stmt (txn=0x7fc1a8c6b038, request=0x7fc168780c30) at /home/sergeyb/sources/MRG/tarantool/src/box/txn.c:678
#14 0x0000555effdfb700 in box_process_rw (request=0x7fc168780c30, space=0x555f015143c0, result=0x7fc168780d38)
    at /home/sergeyb/sources/MRG/tarantool/src/box/box.cc:508
#15 0x0000555effe0858d in box_process1 (request=0x7fc168780c30, result=0x7fc168780d38) at /home/sergeyb/sources/MRG/tarantool/src/box/box.cc:3731
#16 0x0000555effe091d3 in box_replace (space_id=288, tuple=0x7fc1a8c61240 "\226\315\002", tuple_end=0x7fc1a8c612a1 'P' <repeats 200 times>..., 
    result=0x7fc168780d38) at /home/sergeyb/sources/MRG/tarantool/src/box/box.cc:3931
#17 0x0000555efff136f6 in lbox_replace (L=0x412e2e68) at /home/sergeyb/sources/MRG/tarantool/src/box/lua/index.c:84
#18 0x0000555efffeb247 in lj_BC_FUNCC () at buildvm_x86.dasc:811
#19 0x0000555effff8dbf in lua_pcall (L=0x412e2e68, nargs=4, nresults=-1, errfunc=0)
    at /home/sergeyb/sources/MRG/tarantool/third_party/luajit/src/lj_api.c:1173
#20 0x0000555efff5c5cc in luaT_call (L=0x412e2e68, nargs=4, nreturns=-1) at /home/sergeyb/sources/MRG/tarantool/src/lua/utils.c:689
#21 0x0000555efff51399 in lua_fiber_run_f (ap=0x7fc1a8c11ca0) at /home/sergeyb/sources/MRG/tarantool/src/lua/fiber.c:435
#22 0x0000555effcb5187 in fiber_cxx_invoke(fiber_func, typedef __va_list_tag __va_list_tag *) (f=0x555efff512dc <lua_fiber_run_f>, 
    ap=0x7fc1a8c11ca0) at /home/sergeyb/sources/MRG/tarantool/src/lib/core/fiber.h:1311
#23 0x0000555efff8d1bc in fiber_loop (data=0x0) at /home/sergeyb/sources/MRG/tarantool/src/lib/core/fiber.c:1162
#24 0x0000555f00381576 in coro_init () at /home/sergeyb/sources/MRG/tarantool/third_party/coro/coro.c:108

tarantool binary and coredump
gh-10235.zip

Expected behavior

please, don't crash

[ligurio]

tarabrt archive https://drive.google.com/file/d/1S7Vl2YN39vTcdoWI_iJJnDrCmZsNQrcc/view?usp=sharing

[nshy]

Crashed caused by use after free of previous space version (alter->old_space of alter_space_do) in yielding index alter. There was another transaction that put this space in space cache but later was rolled back and deleted the space.

We have a restrictions that ruled out such situation most of time. After DDL in transaction yields are disabled (with exception of heavy DDL operations like building index, but at this time we protected with AlterSpaceLock). Yet there is still a chance. On writing to WAL transaction yields and DDL in another transaction become possible. If WAL write is failed - boom!

Repro:

local fiber = require('fiber')

box.cfg{log_level = 'error'}
local space = box.schema.space.create('test')
local ch = fiber.channel(1)
box.error.injection.set('ERRINJ_WAL_WRITE', true)
box.error.injection.set('ERRINJ_BUILD_INDEX_TIMEOUT', 0.01)
local index
fiber.create(function()
    box.begin()
    index = space:create_index('pk')
    for i=1,100 do
        space:replace({i, 2})
    end
    ch:put(true)
    box.commit()
end)
ch:get()
index:alter({parts = {{1, 'unsigned'}, {2, 'unsigned'}}})
os.exit()