Description
Bug description
- OS: Linux
- OS Version: 22.04
- Architecture: amd64
Tarantool 3.5.0-entrypoint-201-ge454545e53
Target: Linux-x86_64-Debug
Build options: cmake . -DCMAKE_INSTALL_PREFIX=/usr/local -DENABLE_BACKTRACE=TRUE
Compiler: GNU-13.3.0
C_FLAGS: -fexceptions -funwind-tables -fasynchronous-unwind-tables -fno-common -msse2 -Wformat -Wformat-security -Werror=format-security -fstack-protector-strong -fPIC -fmacro-prefix-map=/home/astronomax/dev/tarantool=. -std=c11 -Wall -Wextra -Wno-gnu-alignof-expression -fno-gnu89-inline -Wno-cast-function-type -Werror -g -ggdb -O0
CXX_FLAGS: -fexceptions -funwind-tables -fasynchronous-unwind-tables -fno-common -msse2 -Wformat -Wformat-security -Werror=format-security -fstack-protector-strong -fPIC -fmacro-prefix-map=/home/astronomax/dev/tarantool=. -std=c++17 -Wall -Wextra -Wno-invalid-offsetof -Wno-gnu-alignof-expression -Wno-cast-function-type -Werror -g -ggdb -O0
Steps to reproduce
Apply the following patch to the fuzzer test/fuzz/lua/test_engine.lua:
--- a/test/fuzz/lua/test_engine.lua
+++ b/test/fuzz/lua/test_engine.lua
@@ -1774,10 +1774,15 @@ local function run_test(num_workers, test_duration, test_dir,
table.insert(fibers, f)
end
- if fault_injection then
- f = start_error_injections(space, deadline)
- table.insert(fibers, f)
- end
+ --if fault_injection then
+ -- f = start_error_injections(space, deadline)
+ -- table.insert(fibers, f)
+ --end
+
+ box.error.injection.set("ERRINJ_INDEX_ALLOC", true)
+ box.error.injection.set("ERRINJ_TESTING", true)
+ box.error.injection.set("ERRINJ_VY_READ_PAGE", true)
+ box.error.injection.set("ERRINJ_WAL_ROTATE", true)
local error_messages = {}
for _, fb in ipairs(fibers) do
And run:
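Review bot: The four `box.error.injection.set(...)` calls are enabled together and outside the `if fault_injection then` guard, so this reproducer does not show which injection the crash actually depends on. The run uses `--engine memtx` and the faulting frames in the backtrace are all in the memtx tree insert path (`bps_tree_memtx_tree_garbage_pop` under `memtx_tree_insert`), so `ERRINJ_VY_READ_PAGE` is presumably irrelevant and `ERRINJ_INDEX_ALLOC` alone is the first thing to try; a minimal reproducer would keep only `box.error.injection.set("ERRINJ_INDEX_ALLOC", true)`. The commented-out block can be deleted rather than left as `--` lines, or the new calls placed inside the existing guard so that the flag still controls fault injection. `run_test` starts and ends outside the hunk, so whether the injections are reset afterwards cannot be seen here.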
$ tarantool test/fuzz/lua/test_engine.lua --test_duration $((10*60)) --engine memtx --workers 1000 --seed 1756234733
Actual behavior
Segmentation fault
code: SEGV_MAPERR
addr: 0x4
context: 0x629b4be12600
siginfo: 0x629b4be12730
rax 0x0 0
rbx 0x737758880860 126956423612512
rcx 0x0 0
rdx 0x0 0
rsi 0x629b4c33d638 108419137918520
rdi 0x629b4c33d638 108419137918520
rsp 0x7377588801a0 126956423610784
rbp 0x7377588801c0 126956423610816
r8 0x73 115
r9 0x0 0
r10 0xffffffff 4294967295
r11 0x0 0
r12 0x0 0
r13 0x0 0
r14 0x400ba0a0 1074503840
r15 0x629b19d2d766 108418292701030
rip 0x629b19aedff4 108418290343924
eflags 0x10246 66118
cs 0x33 51
gs 0x0 0
fs 0x0 0
cr2 0x4 4
err 0x4 4
oldmask 0x0 0
trapno 0xe 14
Current time: 1756234734
Please file a bug at https://github.com/tarantool/tarantool/issues
Attempting backtrace... Note: since the server has already crashed,
this may fail as well
#1 0x629b19d9d424 in crash_collect+256
#2 0x629b19d9de60 in crash_signal_cb+100
#3 0x73776fe45330 in __sigaction+80
#4 0x629b19aedff4 in NS_USE_HINT::bps_tree_memtx_tree_garbage_pop(NS_USE_HINT::bps_tree_memtx_tree_common*, unsigned int*)+70
#5 0x629b19aee03f in NS_USE_HINT::bps_tree_memtx_tree_create_leaf(NS_USE_HINT::bps_tree_memtx_tree_common*, unsigned int*)+35
#6 0x629b19aee2f4 in NS_USE_HINT::bps_tree_memtx_tree_insert_first_elem(NS_USE_HINT::bps_tree_memtx_tree_common*, memtx_tree_data<true>)+226
#7 0x629b19af564b in NS_USE_HINT::memtx_tree_insert(NS_USE_HINT::memtx_tree*, memtx_tree_data<true>, memtx_tree_data<true>*, memtx_tree_data<true>*)+246
#8 0x629b19af892b in int memtx_tree_index_insert_impl<true>(memtx_tree_index<true>*, memtx_tree_data<true>, memtx_tree_data<true>*, memtx_tree_data<true>*)+93
#9 0x629b19af9d94 in int memtx_tree_index_replace<true>(index*, tuple*, tuple*, dup_replace_mode, tuple**, tuple**)+256
#10 0x629b19b0a9a2 in index_replace+80
#11 0x629b19b1360e in memtx_tx_his
Coredump and logs can be found here - use corporate email.
Expected behavior
no crash