Segmentation fault in bps_tree_memtx_tree_delete_from_leaf #10237

@ligurio

Bug description

  • OS: Linux
  • OS Version: Ubuntu 22.04
  • Architecture: amd64

Tarantool 3.2.0-entrypoint-124-g5208ea473b
Target: Linux-x86_64-Debug
Build options: cmake . -DCMAKE_INSTALL_PREFIX=/usr/local -DENABLE_BACKTRACE=TRUE
Compiler: GNU-11.4.0
C_FLAGS: -fexceptions -funwind-tables -fasynchronous-unwind-tables -fno-common -msse2 -Wformat -Wformat-security -Werror=format-security -fstack-protector-strong -fPIC -fmacro-prefix-map=/home/sergeyb/sources/MRG/tarantool=. -std=c11 -Wall -Wextra -Wno-gnu-alignof-expression -fno-gnu89-inline -Wno-cast-function-type -Werror -g -ggdb -O0
CXX_FLAGS: -fexceptions -funwind-tables -fasynchronous-unwind-tables -fno-common -msse2 -Wformat -Wformat-security -Werror=format-security -fstack-protector-strong -fPIC -fmacro-prefix-map=/home/sergeyb/sources/MRG/tarantool=. -std=c++11 -Wall -Wextra -Wno-invalid-offsetof -Wno-gnu-alignof-expression -Wno-cast-function-type -Werror -g -ggdb -O0

Steps to reproduce

$ ./build/src/tarantool test/fuzz/lua/test_engine.lua --test_duration $((10*60)) --engine memtx --workers 1000

Actual behavior

#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=139946836085440) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=139946836085440) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=139946836085440, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007f47e8442476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007f47e84287f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x000055c7edb79f77 in crash_signal_cb (signo=11, siginfo=0x55c7ef3648f0, context=0x55c7ef3647c0)
    at /home/sergeyb/sources/MRG/tarantool/src/lib/core/crash.c:203
#6  <signal handler called>
#7  0x000055c7ed8e66d5 in NS_USE_HINT::bps_tree_memtx_tree_delete_from_leaf (tree=0x55c7ef89c2e8, leaf_path_elem=0x7f476d380510)
    at /home/sergeyb/sources/MRG/tarantool/src/lib/salad/bps_tree.h:3956
#8  0x000055c7ed8eb2f1 in NS_USE_HINT::bps_tree_memtx_tree_process_delete_leaf (tree=0x55c7ef89c2e8, leaf_path_elem=0x7f476d380510)
    at /home/sergeyb/sources/MRG/tarantool/src/lib/salad/bps_tree.h:5646
#9  0x000055c7ed8ec8cf in NS_USE_HINT::memtx_tree_delete (t=0x55c7ef89c2e8, elem=...)
    at /home/sergeyb/sources/MRG/tarantool/src/lib/salad/bps_tree.h:6158
#10 0x000055c7ed8eedbd in memtx_tree_index_replace<true> (base=0x55c7ef89c2b0, old_tuple=0x55c7f1ed7e4c, new_tuple=0x0, mode=DUP_INSERT, 
    result=0x7f476d3808f0, successor=0x7f476d3808f8) at /home/sergeyb/sources/MRG/tarantool/src/box/memtx_tree.cc:1255
#11 0x000055c7ed8fe33f in index_replace (index=0x55c7ef89c2b0, old_tuple=0x55c7f1ed7e4c, new_tuple=0x0, mode=DUP_INSERT, result=0x7f476d3808f0, 
    successor=0x7f476d3808f8) at /home/sergeyb/sources/MRG/tarantool/src/box/index.h:917
#12 0x000055c7ed90414a in memtx_tx_story_full_unlink_story_gc_step (story=0x7f4786186350)
    at /home/sergeyb/sources/MRG/tarantool/src/box/memtx_tx.c:1476
#13 0x000055c7ed9045a6 in memtx_tx_story_gc_step () at /home/sergeyb/sources/MRG/tarantool/src/box/memtx_tx.c:1598
#14 0x000055c7ed9045cf in memtx_tx_story_gc () at /home/sergeyb/sources/MRG/tarantool/src/box/memtx_tx.c:1606
#15 0x000055c7ed908f41 in memtx_tx_track_gap_slow (txn=0x7f4704b88038, space=0x55c7f00d4240, index=0x55c7ef89c2b0, successor=0x55c7efc3717c, 
    type=ITER_LE, key=0x0, part_count=0) at /home/sergeyb/sources/MRG/tarantool/src/box/memtx_tx.c:3244
#16 0x000055c7ed8da23a in memtx_tx_track_gap (txn=0x7f4704b88038, space=0x55c7f00d4240, index=0x55c7ef89c2b0, successor=0x55c7efc3717c, 
    type=ITER_LE, key=0x0, part_count=0) at /home/sergeyb/sources/MRG/tarantool/src/box/memtx_tx.h:317
#17 0x000055c7ed8f48eb in tree_iterator_prev_base<true> (iterator=0x7f47e4700180, ret=0x7f476d380c10)
    at /home/sergeyb/sources/MRG/tarantool/src/box/memtx_tree.cc:483
#18 0x000055c7ed8f3c1b in tree_iterator_prev<true> (iterator=0x7f47e4700180, ret=0x7f476d380c10)
    at /home/sergeyb/sources/MRG/tarantool/src/box/memtx_tree.cc:631
#19 0x000055c7ed917b11 in memtx_iterator_next (it=0x7f47e4700180, ret=0x7f476d380c10)
    at /home/sergeyb/sources/MRG/tarantool/src/box/memtx_engine.cc:2110
#20 0x000055c7ed8ceb22 in iterator_next (it=0x7f47e4700180, ret=0x7f476d380c10) at /home/sergeyb/sources/MRG/tarantool/src/box/index.cc:645
#21 0x000055c7eda01eaf in box_select (space_id=512, index_id=0, iterator=4, offset=0, limit=149, 
    key=0x7f47e4728031 "\313BJ\205\203\275\307sʪbssvbbvzf", <incomplete sequence \317>, 
    key_end=0x7f47e4728087 "100735915952,\"27865cb6-5395-4160-9cfd-ca173680cd63\",863183007544,false]]string\",\"exclude_null\":false,\"is_nullable\":false},{\"fieldno\":2,\"sort_order\":\"asc\",\"type\":\"unsigned\",\"exclude_null\":false,\"is_nul"..., packed_pos=0x408d23c8, 
    packed_pos_end=0x41258a98, update_pos=false, port=0x41339358) at /home/sergeyb/sources/MRG/tarantool/src/box/box.cc:3851
#22 0x000055c7eda0204d in box_select_ffi (space_id=512, index_id=0, 
    key=0x7f47e4728030 "\231\313BJ\205\203\275\307sʪbssvbbvzf", <incomplete sequence \317>, 
    key_end=0x7f47e4728087 "100735915952,\"27865cb6-5395-4160-9cfd-ca173680cd63\",863183007544,false]]string\",\"exclude_null\":false,\"is_nullable\":false},{\"fieldno\":2,\"sort_order\":\"asc\",\"type\":\"unsigned\",\"exclude_null\":false,\"is_nul"..., packed_pos=0x408d23c8, 
    packed_pos_end=0x41258a98, update_pos=false, port=0x41339358, iterator=4, offset=84, limit=149)
    at /home/sergeyb/sources/MRG/tarantool/src/box/box.cc:3901
#23 0x000055c7d2510477 in ?? ()
#24 0x0000000000000000 in ?? ()

tarantool binary and coredump
gh-10237.zip

Please file a bug at https://github.com/tarantool/tarantool/issues
Attempting backtrace... Note: since the server has already crashed, 
this may fail as well
#1  0x55c7edb79492 in crash_collect+256
#2  0x55c7edb79ece in crash_signal_cb+100
#3  0x7f47e8442520 in __sigaction+80
#4  0x55c7ed8e66d5 in NS_USE_HINT::bps_tree_memtx_tree_delete_from_leaf(NS_USE_HINT::bps_tree_memtx_tree_common*, NS_USE_HINT::bpsmemtx_tree_leaf_path_elem*)+129
#5  0x55c7ed8eb2f1 in NS_USE_HINT::bps_tree_memtx_tree_process_delete_leaf(NS_USE_HINT::bps_tree_memtx_tree_common*, NS_USE_HINT::bpsmemtx_tree_leaf_path_elem*)+66
#6  0x55c7ed8ec8cf in NS_USE_HINT::memtx_tree_delete(NS_USE_HINT::memtx_tree*, memtx_tree_data<true>)+196
#7  0x55c7ed8eedbd in int memtx_tree_index_replace<true>(index*, tuple*, tuple*, dup_replace_mode, tuple**, tuple**)+786
#8  0x55c7ed8fe33f in index_replace+80
#9  0x55c7ed90414a in memtx_tx_story_full_unlink_story_gc_step+290
#10 0x55c7ed9045a6 in memtx_tx_story_gc_step+734
#11 0x55c7ed9045cf in memtx_tx_story_gc+27
#12 0x55c7ed908f41 in memtx_tx_track_gap_slow+500
#13 0x55c7ed8da23a in memtx_tx_track_gap+122
#14 0x55c7ed8f48eb in int tree_iterator_prev_base<true>(itAborted (core dumped)

Expected behavior

No crash.
