SIGSEGV in vy_run_writer_append_stmt

[ligurio]

• OS: Linux
• OS Version: Ubuntu 22.04
• Architecture: amd64

tarantool commit fc3196d

Tarantool 3.2.0-entrypoint-154-gfc3196dca
Target: Linux-x86_64-RelWithDebInfo
Build options: cmake . -DCMAKE_INSTALL_PREFIX=/usr/local -DENABLE_BACKTRACE=TRUE
Compiler: GNU-13.2.0
C_FLAGS: -fexceptions -funwind-tables -fasynchronous-unwind-tables -fno-common -msse2 -Wformat -Wformat-security -Werror=format-security -fstack-protector-strong -fPIC -fmacro-prefix-map=/home/ubuntu/tarantool=. -std=c11 -Wall -Wextra -Wno-gnu-alignof-expression -fno-gnu89-inline -Wno-cast-function-type -O2 -g -DNDEBUG -ggdb -O2
CXX_FLAGS: -fexceptions -funwind-tables -fasynchronous-unwind-tables -fno-common -msse2 -Wformat -Wformat-security -Werror=format-security -fstack-protector-strong -fPIC -fmacro-prefix-map=/home/ubuntu/tarantool=. -std=c++11 -Wall -Wextra -Wno-invalid-offsetof -Wno-gnu-alignof-expression -Wno-cast-function-type -O2 -g -DNDEBUG -ggdb -O2

Steps to reproduce

Take a test script in #10264.

How to run:

Just type ./build/src/tarantool test_engine.lua --workers 100 --engine vinyl --test_duration 30 --seed 29079 --verbose .

Actual behavior

crash

tarantool binary and coredump: https://drive.google.com/file/d/1PycXkSsOCp7NDDH76hyLaJVQYs8-0gzk/view?usp=sharing

tarabort archive: https://drive.google.com/file/d/1jcxmpM6kSvguv_qck0NdzE25e52tbkUq/view?usp=sharing

Segmentation fault             
  code: SEGV_MAPERR            
  addr: (nil)                                                            
  context: 0x76cdf400e300       
  siginfo: 0x76cdf400e430
  rax      0x0                0                                          
  rbx      0x76ce02a7f5b0     130627179902384                       
  rcx      0x18               24
  rdx      0x2                2                                          
  rsi      0x76cdf4029ea0     130626934185632
  rdi      0x0                0                                          
  rsp      0x76ce02a7f4d0     130627179902160
  rbp      0x76cdf4030d20     130626934213920
  r8       0x76cdf4030d7b     130626934214011                                                                                                      
  r9       0x76ce02a7f484     130627179902084
  r10      0x76ce02a7f480     130627179902080
  r11      0x1                1                                                                                                                    
  r12      0x76ce035fd358     130627191952216
  r13      0x306d6d6178736c61 3489565551682088033
  r14      0x0                0
  r15      0x0                0
  rip      0x64bd45ab070c     110764080432908
  eflags   0x10246            66118
  cs       0x33               51
  gs       0x0                0
  fs       0x0                0
  cr2      0x0                0
  err      0x4                4
  oldmask  0xfffffffe7ffbfa37 -6442714569
  trapno   0xe                14
Current time: 1721385331
Please file a bug at https://github.com/tarantool/tarantool/issues
Attempting backtrace... Note: since the server has already crashed, 
this may fail as well
#1  0x64bd45c09e22 in crash_signal_cb+162
#2  0x76ce74e45320 in __sigaction+80
#3  0x64bd45ab070c in vy_run_writer_append_stmt+700
#4  0x64bd45ada32a in vy_task_write_run+234
#5  0x64bd45ad84fe in vy_task_f+46
#6  0x64bd45a4aba0 in fiber_cxx_invoke(int (*)(__va_list_tag*), __va_list_tag*)+16
#7  0x64bd45c13e66 in fiber_loop+70
#8  0x64bd45e83b9c in coro_init+76

(gdb) bt
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x000076ce74e4526e in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x000076ce74e288ff in __GI_abort () at ./stdlib/abort.c:79
#5  0x000064bd45c09eca in crash_signal_cb (signo=<optimized out>, siginfo=<optimized out>, context=<optimized out>)
    at /home/ubuntu/tarantool/src/lib/core/crash.c:203
#6  <signal handler called>
#7  0x000064bd45ab070c in tuple_delete (tuple=0x76cdf4029ea0) at /home/ubuntu/tarantool/src/box/tuple.h:815
#8  tuple_unref (tuple=0x76cdf4029ea0) at /home/ubuntu/tarantool/src/box/tuple.h:1488
#9  tuple_unref (tuple=0x76cdf4029ea0) at /home/ubuntu/tarantool/src/box/tuple.h:1481
#10 vy_stmt_unref_if_possible (stmt=0x76cdf4029ea0) at /home/ubuntu/tarantool/src/box/vy_stmt.h:383
#11 vy_run_writer_write_to_page (entry=..., writer=0x76ce02a7f5b0) at /home/ubuntu/tarantool/src/box/vy_run.c:2218
#12 vy_run_writer_append_stmt (writer=writer@entry=0x76ce02a7f5b0, entry=...) at /home/ubuntu/tarantool/src/box/vy_run.c:2289
#13 0x000064bd45ada32a in vy_task_write_run (task=<optimized out>, no_compression=<optimized out>)
    at /home/ubuntu/tarantool/src/box/vy_scheduler.c:1134
#14 0x000064bd45ad84fe in vy_task_f (va=<error reading variable: value has been optimized out>)
    at /home/ubuntu/tarantool/src/box/vy_scheduler.c:1797
#15 0x000064bd45a4aba0 in fiber_cxx_invoke(fiber_func, typedef __va_list_tag __va_list_tag *) (f=<optimized out>, ap=<optimized out>)
    at /home/ubuntu/tarantool/src/lib/core/fiber.h:1324
#16 0x000064bd45c13e66 in fiber_loop (data=<optimized out>) at /home/ubuntu/tarantool/src/lib/core/fiber.c:1162
#17 0x000064bd45e83b9c in coro_init () at /home/ubuntu/tarantool/third_party/coro/coro.c:108

Expected behavior

no crash

[locker]

Tarantool crashed while trying to access a tuple format by id from a vinyl writer thread. It got NULL but the format is actually set in the tuple_formats map:

(gdb) frame 5
#5  0x000064bd45ab070c in tuple_delete (tuple=0x76cdf4029ea0) at /home/ubuntu/tarantool/src/box/tuple.h:815
815             format->vtab.tuple_delete(format, tuple);
(gdb) l
810     {
811             assert(tuple->local_refs == 0);
812             assert(!tuple_has_flag(tuple, TUPLE_HAS_UPLOADED_REFS));
813             assert(!tuple_has_flag(tuple, TUPLE_IS_DIRTY));
814             struct tuple_format *format = tuple_format(tuple);
815             format->vtab.tuple_delete(format, tuple);
816     }
817
818     /**
819      * Check tuple data correspondence to space format.
(gdb) p format
$31 = (struct tuple_format *) 0x0
(gdb) p tuple_formats[tuple.format_id]
$32 = (struct tuple_format *) 0x64bd46ee7b90

Looks like this happened because when we grow the tuple_formats map we don't use memory barriers:

tarantool/src/box/tuple_format.c

Lines 659 to 698 in 33670ea

	static int
	tuple_format_register(struct tuple_format *format)
	{
	if (recycled_format_ids != FORMAT_ID_NIL) {
	format->id = (uint16_t) recycled_format_ids;
	recycled_format_ids = (intptr_t) tuple_formats[recycled_format_ids];
	} else {
	if (formats_size == formats_capacity) {
	uint32_t new_capacity = formats_capacity ?
	formats_capacity * 2 : 16;
	struct tuple_format **formats;
	formats = (struct tuple_format **)
	realloc(tuple_formats, new_capacity *
	sizeof(tuple_formats[0]));
	if (formats == NULL) {
	diag_set(OutOfMemory,
	sizeof(struct tuple_format), "malloc",
	"tuple_formats");
	return -1;
	}
	formats_capacity = new_capacity;
	tuple_formats = formats;
	}
	uint32_t formats_size_max = FORMAT_ID_MAX + 1;
	struct errinj *inj = errinj(ERRINJ_TUPLE_FORMAT_COUNT,
	ERRINJ_INT);
	if (inj != NULL && inj->iparam > 0)
	formats_size_max = inj->iparam;
	if (formats_size >= formats_size_max) {
	diag_set(ClientError, ER_TUPLE_FORMAT_LIMIT,
	(unsigned) formats_capacity);
	return -1;
	}
	format->id = formats_size++;
	}
	tuple_formats[format->id] = format;
	return 0;
	}