Description
Bug description
heap-use-after-free
- OS: Linux
- OS Version: Ubuntu 24.04
- Architecture: amd64
Tarantool 3.3.0-entrypoint-161-gbf09135880
Target: Linux-x86_64-Debug
Build options: cmake . -DCMAKE_INSTALL_PREFIX=/usr/local -DENABLE_BACKTRACE=TRUE
Compiler: Clang-18.1.3
C_FLAGS: -fexceptions -funwind-tables -fasynchronous-unwind-tables -fno-common -msse2 -fsanitize=address -Wformat -Wformat-security -Werror=format-security -fstack-protector-strong -fPIC -fmacro-prefix-map=/home/ubuntu/tarantool=. -std=c11 -Wall -Wextra -Wno-gnu-alignof-expression -Wno-cast-function-type -Werror -g -ggdb -O0
CXX_FLAGS: -fexceptions -funwind-tables -fasynchronous-unwind-tables -fno-common -msse2 -fsanitize=address -Wformat -Wformat-security -Werror=format-security -fstack-protector-strong -fPIC -fmacro-prefix-map=/home/ubuntu/tarantool=. -std=c++11 -Wall -Wextra -Wno-invalid-offsetof -Wno-gnu-alignof-expression -Wno-cast-function-type -Werror -g -ggdb -O0
Steps to reproduce
./build/src/tarantool ./test/fuzz/lua/test_engine.lua --workers 800 --test_duration $((60*60*10)) --engine vinyl --verbose --seed 5582
Actual behavior
==574672==ERROR: AddressSanitizer: heap-use-after-free on address 0x5140002f77ec at pc 0x62b92f82fb5b bp 0x73673f27d7c0 sp 0x73673f27d7b8
READ of size 1 at 0x5140002f77ec thread T0
#0 0x62b92f82fb5a in space_is_sync /home/ubuntu/tarantool/src/box/space.h:424:22
#1 0x62b92f834f6e in txn_journal_entry_new /home/ubuntu/tarantool/src/box/txn.c:1008:12
#2 0x62b92f82c655 in txn_commit_impl /home/ubuntu/tarantool/src/box/txn.c:1179:8
#3 0x62b92f82e691 in box_txn_commit_ex /home/ubuntu/tarantool/src/box/txn.c:1405:9
#4 0x62b92fb133b0 in lbox_commit /home/ubuntu/tarantool/src/box/lua/init.c:518:6
#5 0x62b92fd31586 in lj_BC_FUNCC /home/ubuntu/tarantool/build/third_party/luajit/src/lj_vm.S:811
#6 0x62b92fd5c11a in lua_pcall /home/ubuntu/tarantool/third_party/luajit/src/lj_api.c:1173:12
#7 0x62b92fbcb202 in luaT_call /home/ubuntu/tarantool/src/lua/utils.c:695:6
#8 0x62b92fbb5cce in lua_fiber_run_f /home/ubuntu/tarantool/src/lua/fiber.c:435:11
#9 0x62b92f504049 in fiber_cxx_invoke(int (*)(__va_list_tag*), __va_list_tag*) /home/ubuntu/tarantool/src/lib/core/fiber.h:1324:10
#10 0x62b92fc2f3f9 in fiber_loop /home/ubuntu/tarantool/src/lib/core/fiber.c:1162:18
#11 0x62b93067f559 in coro_init /home/ubuntu/tarantool/third_party/coro/coro.c:108:3
0x5140002f77ec is located 428 bytes inside of 436-byte region [0x5140002f7640,0x5140002f77f4)
freed by thread T0 here:
#0 0x62b92f4bf3ba in free (/home/ubuntu/tarantool/build/src/tarantool+0x2cd3ba) (BuildId: ad3fa14f33098c75c1c9c78c695a98f1be89dd8e)
#1 0x62b9306104da in small_asan_free /home/ubuntu/tarantool/src/lib/small/small/util.c:137:2
#2 0x62b93060c40e in mempool_free /home/ubuntu/tarantool/src/lib/small/small/mempool_asan.c:83:2
#3 0x62b92f93710b in tx_complete_batch /home/ubuntu/tarantool/src/box/wal.c:378:2
#4 0x62b92fc4a3bd in cmsg_deliver /home/ubuntu/tarantool/src/lib/core/cbus.c:350:2
#5 0x62b92fc4c2ba in cbus_process /home/ubuntu/tarantool/src/lib/core/cbus.c:601:3
#6 0x62b92f884473 in tx_prio_cb(ev_loop*, ev_watcher*, int) /home/ubuntu/tarantool/src/box/box.cc:5642:2
#7 0x62b93064fae5 in ev_invoke_pending /home/ubuntu/tarantool/third_party/libev/ev.c:3797:11
#8 0x62b93065104d in ev_run /home/ubuntu/tarantool/third_party/libev/ev.c:4221:7
#9 0x62b92fbaafdb in tarantool_lua_run_script /home/ubuntu/tarantool/src/lua/init.c:1218:2
#10 0x62b92f50319a in main /home/ubuntu/tarantool/src/main.cc:1060:7
#11 0x73678022a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#12 0x73678022a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#13 0x62b92f424804 in _start (/home/ubuntu/tarantool/build/src/tarantool+0x232804) (BuildId: ad3fa14f33098c75c1c9c78c695a98f1be89dd8e)
previously allocated by thread T0 here:
#0 0x62b92f4bf653 in malloc (/home/ubuntu/tarantool/build/src/tarantool+0x2cd653) (BuildId: ad3fa14f33098c75c1c9c78c695a98f1be89dd8e)
#1 0x62b93061001c in small_asan_alloc /home/ubuntu/tarantool/src/lib/small/small/util.c:94:24
#2 0x62b93060c305 in mempool_alloc /home/ubuntu/tarantool/src/lib/small/small/mempool_asan.c:67:4
#3 0x62b92f933a8d in wal_write_async /home/ubuntu/tarantool/src/box/wal.c:1353:29
#4 0x62b92f835c5c in journal_write_submit /home/ubuntu/tarantool/src/box/journal.h:277:9
#5 0x62b92f82cea9 in txn_commit_impl /home/ubuntu/tarantool/src/box/txn.c:1221:6
#6 0x62b92f82d756 in txn_commit /home/ubuntu/tarantool/src/box/txn.c:1291:9
#7 0x62b92f852bc3 in box_process_rw /home/ubuntu/tarantool/src/box/box.cc:516:23
#8 0x62b92f866855 in box_process1 /home/ubuntu/tarantool/src/box/box.cc:3785:9
#9 0x62b92f869182 in box_delete /home/ubuntu/tarantool/src/box/box.cc:3996:9
#10 0x62b92fb3d290 in lbox_index_delete /home/ubuntu/tarantool/src/box/lua/index.c:168:11
#11 0x62b92fd31586 in lj_BC_FUNCC /home/ubuntu/tarantool/build/third_party/luajit/src/lj_vm.S:811
SUMMARY: AddressSanitizer: heap-use-after-free /home/ubuntu/tarantool/src/box/space.h:424:22 in space_is_sync
Shadow bytes around the buggy address:
==574672==ABORTING
Log and tarantool binary: https://drive.google.com/file/d/1ZRlGXpOoliSt6J_2th3N2tGnJAWAdjJ2/view?usp=drive_link
Expected behavior
no heap-use-after-free