Skip to content

tuple: don't use offset_slot_cache in vinyl threads#10124

Merged
locker merged 1 commit intotarantool:masterfrom
locker:vy-tuple-field-lookup-fix
Jun 13, 2024
Merged

tuple: don't use offset_slot_cache in vinyl threads#10124
locker merged 1 commit intotarantool:masterfrom
locker:vy-tuple-field-lookup-fix

Conversation

@locker
Copy link
Member

@locker locker commented Jun 10, 2024

key_part::offset_slot_cache and key_part::format_epoch are used for speeding up tuple field lookup in tuple_field_raw_by_part(). These structure members are accessed and updated without any locks, assuming this code is executed exclusively in the tx thread. However, this isn't necessarily true because we also perform tuple field lookups in vinyl read threads. Apparently, this can result in unexpected races and bugs, for example:

  #1  0x590be9f7eb6d in crash_collect+256
  #2  0x590be9f7f5a9 in crash_signal_cb+100
  #3  0x72b111642520 in __sigaction+80
  #4  0x590bea385e3c in load_u32+35
  #5  0x590bea231eba in field_map_get_offset+46
  #6  0x590bea23242a in tuple_field_raw_by_path+417
  #7  0x590bea23282b in tuple_field_raw_by_part+203
  #8  0x590bea23288c in tuple_field_by_part+91
  #9  0x590bea24cd2d in unsigned long tuple_hint<(field_type)5, false, false>(tuple*, key_def*)+103
  #10 0x590be9d4fba3 in tuple_hint+40
  #11 0x590be9d50acf in vy_stmt_hint+178
  #12 0x590be9d53531 in vy_page_stmt+168
  #13 0x590be9d535ea in vy_page_find_key+142
  #14 0x590be9d545e6 in vy_page_read_cb+210
  #15 0x590be9f94ef0 in cbus_call_perform+44
  #16 0x590be9f94eae in cmsg_deliver+52
  #17 0x590be9f9583e in cbus_process+100
  #18 0x590be9f958a5 in cbus_loop+28
  #19 0x590be9d512da in vy_run_reader_f+381
  #20 0x590be9cb4147 in fiber_cxx_invoke(int (*)(__va_list_tag*), __va_list_tag*)+34
  #21 0x590be9f8b697 in fiber_loop+219
  #22 0x590bea374bb6 in coro_init+120

Fix this by skipping this optimization for threads other than tx.

No test is added because reproducing this race is tricky. Ideally, bugs like this one should be caught by fuzzing tests or thread sanitizers.

Closes #10123

@locker locker requested a review from a team as a code owner June 10, 2024 15:33
@locker locker requested a review from nshy June 10, 2024 15:37
@coveralls
Copy link

coveralls commented Jun 10, 2024

Coverage Status

coverage: 87.098% (+0.02%) from 87.08%
when pulling 02f2ed5 on locker:vy-tuple-field-lookup-fix
into 530aa82
on tarantool:master.

@locker locker assigned locker and unassigned nshy Jun 11, 2024
lenkis
lenkis approved these changes Jun 11, 2024
View reviewed changes
@locker
tuple: don't use offset_slot_cache in vinyl threads
2563690 
`key_part::offset_slot_cache` and `key_part::format_epoch` are used for
speeding up tuple field lookup in `tuple_field_raw_by_part()`. These
structure members are accessed and updated without any locks, assuming
this code is executed exclusively in the tx thread. However, this isn't
necessarily true because we also perform tuple field lookups in vinyl
read threads. Apparently, this can result in unexpected races and bugs,
for example:

```
  tarantool#1  0x590be9f7eb6d in crash_collect+256
  tarantool#2  0x590be9f7f5a9 in crash_signal_cb+100
  tarantool#3  0x72b111642520 in __sigaction+80
  tarantool#4  0x590bea385e3c in load_u32+35
  tarantool#5  0x590bea231eba in field_map_get_offset+46
  tarantool#6  0x590bea23242a in tuple_field_raw_by_path+417
  tarantool#7  0x590bea23282b in tuple_field_raw_by_part+203
  tarantool#8  0x590bea23288c in tuple_field_by_part+91
  tarantool#9  0x590bea24cd2d in unsigned long tuple_hint<(field_type)5, false, false>(tuple*, key_def*)+103
  tarantool#10 0x590be9d4fba3 in tuple_hint+40
  tarantool#11 0x590be9d50acf in vy_stmt_hint+178
  tarantool#12 0x590be9d53531 in vy_page_stmt+168
  tarantool#13 0x590be9d535ea in vy_page_find_key+142
  tarantool#14 0x590be9d545e6 in vy_page_read_cb+210
  tarantool#15 0x590be9f94ef0 in cbus_call_perform+44
  tarantool#16 0x590be9f94eae in cmsg_deliver+52
  tarantool#17 0x590be9f9583e in cbus_process+100
  tarantool#18 0x590be9f958a5 in cbus_loop+28
  tarantool#19 0x590be9d512da in vy_run_reader_f+381
  tarantool#20 0x590be9cb4147 in fiber_cxx_invoke(int (*)(__va_list_tag*), __va_list_tag*)+34
  tarantool#21 0x590be9f8b697 in fiber_loop+219
  tarantool#22 0x590bea374bb6 in coro_init+120
```

Fix this by skipping this optimization for threads other than tx.

No test is added because reproducing this race is tricky. Ideally, bugs
like this one should be caught by fuzzing tests or thread sanitizers.

Closes tarantool#10123

NO_DOC=bug fix
NO_TEST=tested manually with fuzzer
@locker locker force-pushed the vy-tuple-field-lookup-fix branch from 02f2ed5 to 2563690 Compare June 11, 2024 18:13
@locker locker added the full-ci Enables all tests for a pull request label Jun 11, 2024
@coveralls
Copy link

coveralls commented Jun 11, 2024

Coverage Status

coverage: 87.116% (+0.006%) from 87.11%
when pulling 2563690 on locker:vy-tuple-field-lookup-fix
into 9b63ced
on tarantool:master.

@locker locker merged commit 19d1f1c into tarantool:master Jun 13, 2024
@locker locker deleted the vy-tuple-field-lookup-fix branch June 13, 2024 07:26
@locker
Copy link
Member Author

locker commented Jun 13, 2024

Cherry-picked to 2.11 and 3.1.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nshy nshy nshy approved these changes

@lenkis lenkis lenkis approved these changes

Assignees

@locker locker

Labels

full-ci Enables all tests for a pull request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Segmentation fault in field_map_get_offset

4 participants

@locker @coveralls @nshy @lenkis