Panic in pairs_ffi() due to FFI sandwich with enabled MVCC. #10775
Description
Take a look into #4427 to get acquainted with FFI sandwiches. This particular comment is the most helpful.
The FFI sandwidch is possible when:
- We successfully recorded a trace with
space:pairs(), - Generate replace on another space with a functional index to be processed by the memtx GC later,
- Run the trace (Lua) with the first space entering
space:pairs()(FFI), which triggers the memtx GC step, which calls replace on the space with functional index, which calls a Lua function. (Lua -> FFI -> Lua)
Thanks a lot, @drewdzzz and @locker, for the insights for the reproducer!
-- Clear all snaps and xlogs.
os.execute('rm 000*')
local fiber = require('fiber')
local log = require('log')
box.cfg{memtx_use_mvcc_engine = true}
box.schema.func.create('test', {
is_deterministic = true,
body = [[function(tuple)
return {tuple[1]}
end]]
})
-- Simple space for which trace is recorded.
local simple = box.schema.space.create('simple')
simple:create_index('primary', {type = 'hash'})
simple:replace{1}
simple:replace{2}
local s = box.schema.space.create('test', {format = {{'key', 'unsigned'},}})
s:create_index('primary')
local function pairs_loop(space)
-- Big table with content of pairs, preallocated to avoid
-- aborting of the trace.
local tab = table.new(1024, 0)
for i = 1, 100 do
for _, i in space:pairs(nil, {fullscan = true}) do
table.insert(tab, i)
end
end
return tab
end
-- Setup VM state.
collectgarbage()
collectgarbage()
jit.flush()
jit.opt.start('hotloop=1')
-- require"jit.dump".start("isx")
-- Stop LuaJIT GC to record trace properly.
collectgarbage('stop')
local t1 = pairs_loop(simple)
-- No need for future recording.
jit.off()
-- Restart LuaJIT GC to avoid OOM.
collectgarbage('restart')
s:create_index('value', {
func = 'test',
parts = {{1, 'unsigned'}},
})
-- Trigger memtx GC.
s:replace{1}
s:replace{2}
local reader = fiber.create(function()
box.begin()
-- Select from the space with findex.
s:select(nil, {fullscan = true})
fiber.sleep(1)
box.commit()
end)
reader:set_joinable(true)
box.begin()
s:delete(1)
box.commit()
reader:join()
box.begin()
-- If I comment out the `s:insert{101}` below it leads to the following assertion failure:
-- LuaJIT ASSERT third_party/luajit/src/lj_api.c:43: index2adr: bad stack slot -1
-- I suppose that this is related to the #10770 or #10771, but I'm not sure.
s:insert{101}
log.info('Gonna do a pairs loop')
-- Do select for the simple space again.
pairs_loop(simple)
log.info('Select is pairs loop')
os.exit(0)As a result, we see the following PANIC inside the LuaJIT trace:
2024-11-01 14:21:26.844 [8766] main/104/ffi_sandwich_functional_index.lua/tmp.ffi_sandwich_functional_index I> Gonna do a pairs loop
#1 0x561588b5c8a2 in tarantool_panic_handler+1098
#2 0x561588fa7aa0 in lua_pcall+3280
#3 0x561588bad5db in luaT_call+115
#4 0x561588bb0f86 in luaT_newthread+350
#5 0x5615889f2e03 in box_process_lua+155
#6 0x561588a03c17 in func_persistent_lua_call+2767
#7 0x561588060dfe in func_call_no_access_check+2870
#8 0x5615880aea5c in key_list_iterator_create+2884
#9 0x56158798d058 in memtx_tree_func_index_replace(index*, tuple*, tuple*, dup_replace_mode, tuple**, tuple**)+16272
#10 0x561587af4747 in index_replace+831
#11 0x561587aeaf83 in memtx_tx_story_full_unlink_story_gc_step+2747
#12 0x561587ae9b42 in memtx_tx_story_gc_step+7898
#13 0x561587aeebb4 in memtx_tx_story_gc+220
#14 0x56158797b6aa in hash_iterator_ge(iterator*, tuple**)+1538
#15 0x561587b85498 in memtx_iterator_next+464
#16 0x5615879394f2 in iterator_next+1034
#17 0x561587938e94 in box_iterator_next+508
#18 0x5615c743ecd1 in ??+0
2024-11-01 14:21:26.877 [8766] main/104/ffi_sandwich_functional_index.lua C> Lua VM re-entrancy is detected while executing the trace
2024-11-01 14:21:26.877 [8766] main/104/ffi_sandwich_functional_index.lua C> #2 (null) (), /tmp/ffi_sandwich_functional_index.lua:86
Also, if I comment out the following line:
s:insert{101}I get the following assertion failure:
LuaJIT ASSERT third_party/luajit/src/lj_api.c:43: index2adr: bad stack slot -1
It may be another symptom of this issue or be related to the #10770, #10771, I am not sure about that.