Segmentation fault due to illegal_instruction

[ligurio]

Bug description

• OS: Linux
• OS Version: Ubuntu 22.04
• Architecture: amd64

Tarantool 3.2.0-entrypoint-124-g5208ea473b
Target: Linux-x86_64-Debug
Build options: cmake . -DCMAKE_INSTALL_PREFIX=/usr/local -DENABLE_BACKTRACE=TRUE
Compiler: GNU-11.4.0
C_FLAGS: -fexceptions -funwind-tables -fasynchronous-unwind-tables -fno-common -msse2 -Wformat -Wformat-security -Werror=format-security -fstack-protector-strong -fPIC -fmacro-prefix-map=/home/sergeyb/sources/MRG/tarantool=. -std=c11 -Wall -Wextra -Wno-gnu-alignof-expression -fno-gnu89-inline -Wno-cast-function-type -Werror -g -ggdb -O0
CXX_FLAGS: -fexceptions -funwind-tables -fasynchronous-unwind-tables -fno-common -msse2 -Wformat -Wformat-security -Werror=format-security -fstack-protector-strong -fPIC -fmacro-prefix-map=/home/sergeyb/sources/MRG/tarantool=. -std=c++11 -Wall -Wextra -Wno-invalid-offsetof -Wno-gnu-alignof-expression -Wno-cast-function-type -Werror -g -ggdb -O0

Steps to reproduce

<snipped>

2024-07-11 22:47:49.564 [3857891] main/855/WRK #742/test.fuzz.lua.test_engine I> INSERT_OP [[955837212703.09,614107249897,"bbbe6731-4272-4b4c-9e81-
bbd82b1b735a",309785566062,"nxaaxgysai",329682773007,false,"800134939610","2024-07-11T19:47:49Z",[1,2],{"4":4,"8":8,"1":1,"5":5,"2":2,"6":6,"7":7,"
3":3}]]                                                                  
2024-07-11 22:47:49.564 [3857891] main/855/WRK #742/test.fuzz.lua.test_engine I> INDEX_COMPACT_OP [{"unique":true,"parts":[{"fieldno":5,"sort_order
":"asc","type":"string","exclude_null":false,"is_nullable":false},{"fieldno":8,"sort_order":"asc","type":"decimal","exclude_null":false,"is_nullabl
e":false},{"fieldno":7,"sort_order":"asc","type":"boolean","exclude_null":false,"is_nullable":false},{"fieldno":1,"sort_order":"asc","type":"double
","exclude_null":false,"is_nullable":false},{"fieldno":2,"sort_order":"asc","type":"unsigned","exclude_null":false,"is_nullable":false},{"fieldno":
9,"sort_order":"asc","type":"datetime","exclude_null":false,"is_nullable":false},{"fieldno":4,"sort_order":"asc","type":"integer","exclude_null":fa
lse,"is_nullable":false},{"fieldno":3,"sort_order":"asc","type":"uuid","exclude_null":false,"is_nullable":false},{"fieldno":6,"sort_order":"asc","t
ype":"number","exclude_null":false,"is_nullable":false}],"hint":true,"id":0,"type":"TREE","space_id":512,"name":"swottxqzpp"}]                     
2024-07-11 22:47:49.564 [3857891] main/855/WRK #742/test.fuzz.lua.test_engine I> INDEX_CREATE_OP []                                                
2024-07-11 22:47:49.564 [3857891] main/855/WRK #742/test.fuzz.lua.test_engine I> ERROR: opname "INDEX_CREATE_OP", err "Can not perform index build 
in a multi-statement transaction", args []                                                                                                         
2024-07-11 22:47:49.565 [3857891] main/855/WRK #742/test.fuzz.lua.test_engine I> UPSERT_OP [[539852487626.22,493701533969,"95fa1022-1865-4190-8350-
e634989274eb",16405910233,"xwsoinbkjg",207803704697,true,"238550431976","2024-07-11T19:47:49Z",[1,2],{"4":4,"1":1,"5":5,"2":2,"6":6,"7":7,"3":3}],[
["-",1,581439471202.39],["+",2,569352144117]]]                                                                                                     
2024-07-11 22:47:49.565 [3857891] main/855/WRK #742/test.fuzz.lua.test_engine I> UPDATE_OP [["faaeutfpuq","540216204531",false,633258179431.47,9949
30610047,"2024-07-11T19:47:49Z",31151757241,"31a2df0c-c232-42e2-ad4f-ab2b4105ad87",95783932642],[["=",3,"edfb941d-e286-48d7-b9d9-8fa19257cea3"]]]  
2024-07-11 22:47:49.565 [3857891] main/855/WRK #742/test.fuzz.lua.test_engine I> PUT_OP [[775757568035.7,942266044934,"a2daeff3-f8eb-47bc-9790-1d9e
130bd4ce",831552313452,"pwqfxpsmwc",62379394763,true,"773655652197","2024-07-11T19:47:49Z",[1,2],{"2":2,"4":4,"1":1,"3":3}]]                       
2024-07-11 22:47:49.566 [3857891] main/855/WRK #742/test.fuzz.lua.test_engine I> BSIZE_OP []
2024-07-11 22:47:49.566 [3857891] main/855/WRK #742/test.fuzz.lua.test_engine I> TX_ROLLBACK []
Illegal instruction

Actual behavior

#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140468859312832) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140468859312832) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140468859312832, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007fc173442476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007fc1734287f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x000055c8df719f77 in crash_signal_cb (signo=11, siginfo=0x55c8e13c08f0, context=0x55c8e13c07c0)
    at /home/sergeyb/sources/MRG/tarantool/src/lib/core/crash.c:203
#6  <signal handler called>
#7  0x00007fc1640301c4 in ?? ()
#8  0x000055c8df4b9d26 in index_replace (index=0x7fc0e8180730, old_tuple=0x7fc164054614, new_tuple=0x0, mode=DUP_REPLACE_OR_INSERT, 
    result=0x7ffe43b66110, successor=0x7ffe43b66118) at /home/sergeyb/sources/MRG/tarantool/src/box/index.h:917
#9  0x000055c8df4be673 in memtx_build_on_replace_rollback (trigger=0x7fc0d3daa430, event=0x7fc0d3daa290)
    at /home/sergeyb/sources/MRG/tarantool/src/box/memtx_space.c:1145
#10 0x000055c8df74f9e2 in trigger_run_list (list=0x7ffe43b661d0, event=0x7fc0d3daa290)
    at /home/sergeyb/sources/MRG/tarantool/src/lib/core/trigger.cc:100
#11 0x000055c8df74fb04 in trigger_run (list=0x7fc0d3daa308, event=0x7fc0d3daa290)
    at /home/sergeyb/sources/MRG/tarantool/src/lib/core/trigger.cc:133
#12 0x000055c8df57f71a in txn_rollback_one_stmt (txn=0x7fc0d3daa038, stmt=0x7fc0d3daa290) at /home/sergeyb/sources/MRG/tarantool/src/box/txn.c:362
#13 0x000055c8df580fe7 in txn_complete_fail (txn=0x7fc0d3daa038) at /home/sergeyb/sources/MRG/tarantool/src/box/txn.c:744
#14 0x000055c8df581728 in txn_on_journal_write (entry=0x7fc0d3daa478) at /home/sergeyb/sources/MRG/tarantool/src/box/txn.c:829
#15 0x000055c8df5e84c2 in journal_async_complete (entry=0x7fc0d3daa478) at /home/sergeyb/sources/MRG/tarantool/src/box/journal.h:257
#16 0x000055c8df5e8f51 in tx_schedule_queue (queue=0x55c8dfeead60 <wal_writer_singleton+32>)
    at /home/sergeyb/sources/MRG/tarantool/src/box/wal.c:284
#17 0x000055c8df5e9010 in tx_complete_rollback () at /home/sergeyb/sources/MRG/tarantool/src/box/wal.c:345
#18 0x000055c8df5e90af in tx_complete_batch (msg=0x7fc0d3f37680) at /home/sergeyb/sources/MRG/tarantool/src/box/wal.c:376
#19 0x000055c8df72f9e4 in cmsg_deliver (msg=0x7fc0d3f37680) at /home/sergeyb/sources/MRG/tarantool/src/lib/core/cbus.c:350
#20 0x000055c8df730374 in cbus_process (endpoint=0x55c8dfee5d40 <tx_prio_endpoint>) at /home/sergeyb/sources/MRG/tarantool/src/lib/core/cbus.c:601
#21 0x000055c8df5a8d25 in tx_prio_cb (loop=0x55c8dff303e0 <default_loop_struct>, watcher=0x55c8dfee5e90 <tx_prio_endpoint+336>, events=524288)
    at /home/sergeyb/sources/MRG/tarantool/src/box/box.cc:5473
#22 0x000055c8dfb0f81f in ev_invoke_pending (loop=0x55c8dff303e0 <default_loop_struct>)
    at /home/sergeyb/sources/MRG/tarantool/third_party/libev/ev.c:3797
#23 0x000055c8dfb107c5 in ev_run (loop=0x55c8dff303e0 <default_loop_struct>, flags=0)
    at /home/sergeyb/sources/MRG/tarantool/third_party/libev/ev.c:4221
#24 0x000055c8df6e7c69 in tarantool_lua_run_script (path=0x55c8e13b158e "test/fuzz/lua/test_engine.lua", 
    instance=0x55c8dfeb08f0 <main::instance>, opt_mask=0, optc=0, optv=0x0, argc=7, argv=0x55c8e13b1538)
    at /home/sergeyb/sources/MRG/tarantool/src/lua/init.c:1209
#25 0x000055c8df450d7f in main (argc=7, argv=0x55c8e13b1538) at /home/sergeyb/sources/MRG/tarantool/src/main.cc:1057

#1  0x5633d2d46492 in crash_collect+256                                                                                                            
#2  0x5633d2d46ece in crash_signal_cb+100                                                                                                          
#3  0x7ff0cb842520 in __sigaction+80                                                                                                               
#4  0x5633d2d4dd50 in illegal_instruction+4                                                                                                        
#5  0x5633d2d56e7a in cord_thread_func+1783                                                                                                        
#6  0x7ff0cb894ac3 in pthread_condattr_setpshared+1299                                                                                             
#7  0x7ff0cb926850 in __xmknodat+560 

tarantool binary and coredump
gh-10236.zip

Expected behavior

no crash

[Gumix]

#4 0x5633d2d4dd50 in illegal_instruction+4

This is a special function that is intended for triggering Illegal instruction exception.

Maybe the fuzzer accidentally enabled the corresponding error injection?

[ligurio]

@Gumix

This is a special function that is intended for triggering Illegal instruction exception.

May be, because currently fuzzing test uses all error injections returned by box.error.injection.info(). We agreed to @locker to review all error injections and use only part of them because not all error injections are useful.

[locker]

Here's the list of error injections that should be safe to set:

### Should be safe to set:

ERRINJ_BUILD_INDEX: set to index id (0, 1, 2, ...) to fail index (re)build on alter
ERRINJ_BUILD_INDEX_DELAY: set to true to inject delay during index (re)build on alter
ERRINJ_BUILD_INDEX_ON_ROLLBACK_ALLOC: set to true to fail index (re)build on alter
ERRINJ_BUILD_INDEX_TIMEOUT: set to timeout in seconds to inject after each tuple processed on index (re)build on alter
ERRINJ_CHECK_FORMAT_DELAY: set to true to inject delay during space format check on alter
ERRINJ_INDEX_ALLOC: set to true to inject OOM while allocating an index extend in memtx
ERRINJ_INDEX_ITERATOR_NEW: set to true to fail index iterator creation
ERRINJ_HASH_INDEX_REPLACE: set to true to fail insertion into memtx hash index
ERRINJ_MEMTX_DELAY_GC: set to true to delay freeing memory after dropped memtx index
ERRINJ_SNAP_COMMIT_DELAY: set to true to delay materialization of memtx snapshot
ERRINJ_SNAP_WRITE_DELAY: set to true to delay write of memtx snapshot
ERRINJ_SNAP_WRITE_TIMEOUT: set to timeout in seconds to inject after each tuple written to memtx snapshot
ERRINJ_TESTING: set to true to fail index select
ERRINJ_TUPLE_ALLOC: set to true to fail allocation of memtx tuple
ERRINJ_TUPLE_FORMAT_COUNT: set to max number of space formats (~spaces)
ERRINJ_TX_DELAY_PRIO_ENDPOINT: set to timeout to inject before processing each internal cbus message
ERRINJ_VYRUN_DATA_READ: set to true to fail reading vinyl page from disk
ERRINJ_VY_COMPACTION_DELAY: set to true to delay vinyl compaction
ERRINJ_VY_DELAY_PK_LOOKUP: set to true to delay lookup of tuple in primary index by secondary key
ERRINJ_VY_DUMP_DELAY: set to true to delay vinyl dump
ERRINJ_VY_GC: set to true to disable vinyl garbage colletion
ERRINJ_VY_INDEX_DUMP: set to true to fail vinyl index dump
ERRINJ_VY_INDEX_FILE_RENAME: set to true to fail materialization of vinyl index file
ERRINJ_VY_LOG_FILE_RENAME: set to true to fail materialization of vinyl log file
ERRINJ_VY_LOG_FLUSH: set to true to fail write to vinyl log file
ERRINJ_VY_QUOTA_DELAY: set to timeout to inject before consuming vinyl memory quota
ERRINJ_VY_READ_PAGE: set to true to fail reading vinyl page from disk
ERRINJ_VY_READ_PAGE_DELAY: set to true to delay reading vinyl page from disk
ERRINJ_VY_READ_PAGE_TIMEOUT: set to timeout to inject while reading vinyl page from disk
ERRINJ_VY_READ_VIEW_MERGE_FAIL: set to true to fail read view merge during vinyl dump/compaction due to oom
ERRINJ_VY_RUN_DISCARD: set to true to disable purging empty/failed run files from log after vinyl dump/compaction
ERRINJ_VY_RUN_FILE_RENAME: set to true to fail materialization of vinyl run file
ERRINJ_VY_RUN_WRITE: set to true to fail vinyl run file write
ERRINJ_VY_RUN_WRITE_DELAY: set to true to delay vinyl run file write
ERRINJ_VY_RUN_WRITE_STMT_TIMEOUT: set to timeout to inject after writing each tuple during vinyl dump/compaction
ERRINJ_VY_SCHED_TIMEOUT: set to timeout to throttle scheduler for after failed vinyl dump/compaction
ERRINJ_VY_SQUASH_TIMEOUT: set to timeout to inject before squashing vinyl upsert in background
ERRINJ_VY_STMT_ALLOC: set to true to fail allocation of vinyl tuple
ERRINJ_VY_TASK_COMPLETE: set to true to fail completion of vinyl dump/compaction
ERRINJ_VY_WRITE_ITERATOR_START_FAIL: set to true to fail creation of vinyl dump/compaction task due to oom
ERRINJ_WAL_DELAY: set to true to delay write to WAL
ERRINJ_WAL_FALLOCATE: set to true to fail WAL write due to error allocating disk space
ERRINJ_WAL_IO: set to true to fail WAL write
ERRINJ_WAL_ROTATE: set to true to fail creation of new WAL file
ERRINJ_WAL_SYNC: set to true to fail WAL sync
ERRINJ_WAL_SYNC_DELAY: set to true to inject delay after WAL sync
ERRINJ_WAL_WRITE: set to true to fail write to xlog file
ERRINJ_WAL_WRITE_DISK: set to true to fail write to xlog file
ERRINJ_WAL_WRITE_PARTIAL: set to true to fail write to xlog file
ERRINJ_XLOG_META: set to true to fail xlog meta read
ERRINJ_XLOG_READ: set to true to fail xlog data read
ERRINJ_XLOG_RENAME_DELAY: set to true to delay xlog file materialization

### Could be set, but needs to be fixed first

ERRINJ_TUPLE_FIELD_COUNT_LIMIT

### Do not set

ERRINJ_APPLIER_DESTROY_DELAY
ERRINJ_APPLIER_READ_TX_ROW_DELAY
ERRINJ_APPLIER_SLOW_ACK
ERRINJ_APPLIER_STOP_DELAY
ERRINJ_COIO_SENDFILE_CHUNK
ERRINJ_COIO_WRITE_CHUNK
ERRINJ_DYN_MODULE_COUNT
ERRINJ_ENGINE_JOIN_DELAY
ERRINJ_FIBER_MADVISE
ERRINJ_FIBER_MPROTECT
ERRINJ_FLIGHTREC_RECREATE_RENAME
ERRINJ_FLIGHTREC_LOG_DELAY
ERRINJ_HTTPC_EXECUTE
ERRINJ_HTTP_RESPONSE_ADD_WAIT
ERRINJ_INDEX_RESERVE
ERRINJ_IPROTO_CFG_LISTEN
ERRINJ_IPROTO_DISABLE_ID
ERRINJ_IPROTO_DISABLE_WATCH
ERRINJ_IPROTO_FLIP_FEATURE
ERRINJ_IPROTO_SET_VERSION
ERRINJ_IPROTO_TX_DELAY
ERRINJ_IPROTO_WRITE_ERROR_DELAY
ERRINJ_LOG_ROTATE
ERRINJ_NETBOX_DISABLE_ID
ERRINJ_NETBOX_FLIP_FEATURE
ERRINJ_NETBOX_IO_DELAY
ERRINJ_NETBOX_IO_ERROR
ERRINJ_RAFT_WAIT_TERM_PERSISTED_DELAY
ERRINJ_RELAY_BREAK_LSN
ERRINJ_RELAY_EXIT_DELAY
ERRINJ_RELAY_FASTER_THAN_TX
ERRINJ_RELAY_FINAL_JOIN
ERRINJ_RELAY_FINAL_SLEEP
ERRINJ_RELAY_FROM_TX_DELAY
ERRINJ_RELAY_REPORT_INTERVAL
ERRINJ_RELAY_SEND_DELAY
ERRINJ_RELAY_TIMEOUT
ERRINJ_RELAY_WAL_START_DELAY
ERRINJ_RELAY_READ_ACK_DELAY
ERRINJ_REPLICASET_VCLOCK
ERRINJ_REPLICA_JOIN_DELAY
ERRINJ_SIGILL_MAIN_THREAD
ERRINJ_SIGILL_NONMAIN_THREAD
ERRINJ_SIO_READ_MAX
ERRINJ_TUPLE_FIELD
ERRINJ_SNAP_COMMIT_FAIL
ERRINJ_SNAP_SKIP_ALL_ROWS
ERRINJ_SNAP_SKIP_DDL_ROWS
ERRINJ_SNAP_WRITE_CORRUPTED_INSERT_ROW
ERRINJ_SNAP_WRITE_INVALID_SYSTEM_ROW
ERRINJ_SNAP_WRITE_MISSING_SPACE_ROW
ERRINJ_SNAP_WRITE_UNKNOWN_ROW_TYPE
ERRINJ_SPACE_UPGRADE_DELAY
ERRINJ_SWIM_FD_ONLY
ERRINJ_TXN_COMMIT_ASYNC
ERRINJ_TXN_LIMBO_BEGIN_DELAY
ERRINJ_VY_POINT_ITER_WAIT
ERRINJ_VY_RUN_OPEN
ERRINJ_WAIT_QUORUM_COUNT
ERRINJ_WAL_BREAK_LSN
ERRINJ_WAL_DELAY_COUNTDOWN
ERRINJ_WAL_IO_COUNTDOWN
ERRINJ_WAL_WRITE_COUNT
ERRINJ_WAL_WRITE_EOF
ERRINJ_XLOG_GARBAGE
ERRINJ_XLOG_WRITE_CORRUPTED_BODY
ERRINJ_XLOG_WRITE_CORRUPTED_HEADER
ERRINJ_XLOG_WRITE_INVALID_BODY
ERRINJ_XLOG_WRITE_INVALID_HEADER
ERRINJ_XLOG_WRITE_INVALID_KEY
ERRINJ_XLOG_WRITE_INVALID_VALUE
ERRINJ_XLOG_WRITE_UNKNOWN_KEY
ERRINJ_XLOG_WRITE_UNKNOWN_TYPE

[ligurio]

Here's the list of error injections that should be safe to set:

test has been updated

I suspect this issue is invalid and should be closed, right?

[sergepetrenko]

test has been updated

I suspect this issue is invalid and should be closed, right?

Closing after a verbal discussion with @Gumix