Posted to commits@doris.apache.org by GitBox <gi...@apache.org> on 2022/12/19 02:52:06 UTC

[GitHub] [doris] jacktengg opened a new issue, #15159: [Bug] AddressSanitizer: heap-use-after-free in DataStreamRecvr::SenderQueue::add_block

jacktengg opened a new issue, #15159:
URL: https://github.com/apache/doris/issues/15159

   ### Search before asking
   
   - [X] I had searched in the [issues](https://github.com/apache/doris/issues?q=is%3Aissue) and found no similar issues.
   
   
   ### Version
   
   master 0b6054a4ce9dd5e2ecbf83e300f4e31a3bf502a1
   
   ### What's Wrong?
   
   regression test failed, be.out:
   ```
   ==2611039==ERROR: AddressSanitizer: heap-use-after-free on address 0x603089623a50 at pc 0x5614a415dab0 bp 0x7fafac8e8670 sp 0x7fafac8e8660
   READ of size 8 at 0x603089623a50 thread T56002 (FragmentMgrThre)
       #0 0x5614a415daaf in doris::vectorized::VDataStreamRecvr::SenderQueue::add_block(doris::vectorized::Block*, bool) /home/zcp/repo_center/doris_master/doris/be/src/vec/runtime/vdata_stream_recvr.cpp:192
       #1 0x5614a4162666 in doris::vectorized::VDataStreamRecvr::add_block(doris::vectorized::Block*, int, bool) /home/zcp/repo_center/doris_master/doris/be/src/vec/runtime/vdata_stream_recvr.cpp:366
       #2 0x5614a407237c in doris::vectorized::Channel::send_local_block(doris::vectorized::Block*) /home/zcp/repo_center/doris_master/doris/be/src/vec/sink/vdata_stream_sender.cpp:132
       #3 0x5614a407bc34 in doris::vectorized::VDataStreamSender::send(doris::RuntimeState*, doris::vectorized::Block*, bool) /home/zcp/repo_center/doris_master/doris/be/src/vec/sink/vdata_stream_sender.cpp:479
       #4 0x5614984e26f1 in doris::PlanFragmentExecutor::open_vectorized_internal() /home/zcp/repo_center/doris_master/doris/be/src/runtime/plan_fragment_executor.cpp:310
       #5 0x5614984e123a in doris::PlanFragmentExecutor::open() /home/zcp/repo_center/doris_master/doris/be/src/runtime/plan_fragment_executor.cpp:250
       #6 0x561498468471 in doris::FragmentExecState::execute() /home/zcp/repo_center/doris_master/doris/be/src/runtime/fragment_mgr.cpp:251
       #7 0x561498470a73 in doris::FragmentMgr::_exec_actual(std::shared_ptr<doris::FragmentExecState>, std::function<void (doris::RuntimeState*, doris::Status*)>) /home/zcp/repo_center/doris_master/doris/be/src/runtime/fragment_mgr.cpp:495
       #8 0x561498472e00 in operator() /home/zcp/repo_center/doris_master/doris/be/src/runtime/fragment_mgr.cpp:732
       #9 0x561498481be5 in __invoke_impl<void, doris::FragmentMgr::exec_plan_fragment(const doris::TExecPlanFragmentParams&, doris::FragmentMgr::FinishCallback)::<lambda()>&> /var/local/ldb_toolchain/include/c++/11/bits/invoke.h:61
       #10 0x5614984816c1 in __invoke_r<void, doris::FragmentMgr::exec_plan_fragment(const doris::TExecPlanFragmentParams&, doris::FragmentMgr::FinishCallback)::<lambda()>&> /var/local/ldb_toolchain/include/c++/11/bits/invoke.h:111
       #11 0x561498480e0f in _M_invoke /var/local/ldb_toolchain/include/c++/11/bits/std_function.h:291
       #12 0x561498303a4d in std::function<void ()>::operator()() const /var/local/ldb_toolchain/include/c++/11/bits/std_function.h:560
       #13 0x561498e4c8fd in doris::FunctionRunnable::run() /home/zcp/repo_center/doris_master/doris/be/src/util/threadpool.cpp:46
       #14 0x561498e479ef in doris::ThreadPool::dispatch_thread() /home/zcp/repo_center/doris_master/doris/be/src/util/threadpool.cpp:535
       #15 0x561498e699d5 in void std::_invoke_impl<void, void (doris::ThreadPool::&)(), doris::ThreadPool&>(std::_invoke_memfun_deref, void (doris::ThreadPool::&)(), doris::ThreadPool&) /var/local/ldb_toolchain/include/c++/11/bits/invoke.h:74
       #16 0x561498e69274 in std::_invoke_result<void (doris::ThreadPool::&)(), doris::ThreadPool&>::type std::_invoke<void (doris::ThreadPool::&)(), doris::ThreadPool&>(void (doris::ThreadPool::&)(), doris::ThreadPool&) /var/local/ldb_toolchain/include/c++/11/bits/invoke.h:96
       #17 0x561498e68613 in void std::Bind<void (doris::ThreadPool::(doris::ThreadPool))()>::_call<void, , 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) /var/local/ldb_toolchain/include/c++/11/functional:420
       #18 0x561498e67124 in void std::_Bind<void (doris::ThreadPool::(doris::ThreadPool))()>::operator()<, void>() /var/local/ldb_toolchain/include/c++/11/functional:503
       #19 0x561498e63d15 in void std::_invoke_impl<void, std::_Bind<void (doris::ThreadPool::(doris::ThreadPool))()>&>(std::_invoke_other, std::_Bind<void (doris::ThreadPool::(doris::ThreadPool))()>&) /var/local/ldb_toolchain/include/c++/11/bits/invoke.h:61
       #20 0x561498e611cd in std::enable_if<is_invocable_r_v<void, std::Bind<void (doris::ThreadPool::(doris::ThreadPool))()>&>, void>::type std::_invoke_r<void, std::_Bind<void (doris::ThreadPool::(doris::ThreadPool))()>&>(std::_Bind<void (doris::ThreadPool::(doris::ThreadPool))()>&) /var/local/ldb_toolchain/include/c++/11/bits/invoke.h:111
       #21 0x561498e5c4cc in std::_Function_handler<void (), std::_Bind<void (doris::ThreadPool::(doris::ThreadPool))()> >::_M_invoke(std::_Any_data const&) /var/local/ldb_toolchain/include/c++/11/bits/std_function.h:291
       #22 0x561498303a4d in std::function<void ()>::operator()() const /var/local/ldb_toolchain/include/c++/11/bits/std_function.h:560
       #23 0x561498e277d9 in doris::Thread::supervise_thread(void*) /home/zcp/repo_center/doris_master/doris/be/src/util/thread.cpp:454
       #24 0x7fb7d9093608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
       #25 0x7fb7d91cd162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)
   
   0x603089623a50 is located 0 bytes inside of 32-byte region [0x603089623a50,0x603089623a70)
   freed by thread T56026 (FragmentMgrThre) here:
       #0 0x561495f06767 in operator delete(void*, unsigned long) (/mnt/ssd01/doris-master/VEC_ASAN/be/lib/doris_be+0x10e21767)
       #1 0x561495f91568 in doris::RuntimeProfile::HighWaterMarkCounter::~HighWaterMarkCounter() /home/zcp/repo_center/doris_master/doris/be/src/util/runtime_profile.h:118
       #2 0x561498caa530 in doris::ObjectPool::add<doris::RuntimeProfile::HighWaterMarkCounter>(doris::RuntimeProfile::HighWaterMarkCounter*)::{lambda(void*)#1}::operator()(void*) const /home/zcp/repo_center/doris_master/doris/be/src/common/object_pool.h:40
       #3 0x561498caa550 in doris::ObjectPool::add<doris::RuntimeProfile::HighWaterMarkCounter>(doris::RuntimeProfile::HighWaterMarkCounter*)::{lambda(void*)#1}::_FUN(void*) /home/zcp/repo_center/doris_master/doris/be/src/common/object_pool.h:40
       #4 0x56149611cb10 in doris::ObjectPool::clear() /home/zcp/repo_center/doris_master/doris/be/src/common/object_pool.h:53
       #5 0x56149611c947 in doris::ObjectPool::~ObjectPool() /home/zcp/repo_center/doris_master/doris/be/src/common/object_pool.h:34
       #6 0x5614968e0407 in std::default_delete<doris::ObjectPool>::operator()(doris::ObjectPool*) const /var/local/ldb_toolchain/include/c++/11/bits/unique_ptr.h:85
       #7 0x5614968d2c90 in std::unique_ptr<doris::ObjectPool, std::default_delete<doris::ObjectPool> >::~unique_ptr() /var/local/ldb_toolchain/include/c++/11/bits/unique_ptr.h:361
       #8 0x561498c95fb9 in doris::RuntimeProfile::~RuntimeProfile() /home/zcp/repo_center/doris_master/doris/be/src/util/runtime_profile.cpp:57
       #9 0x5614985243d9 in doris::ObjectPool::add<doris::RuntimeProfile>(doris::RuntimeProfile*)::{lambda(void*)#1}::operator()(void*) const /home/zcp/repo_center/doris_master/doris/be/src/common/object_pool.h:40
       #10 0x56149852440a in doris::ObjectPool::add<doris::RuntimeProfile>(doris::RuntimeProfile*)::{lambda(void*)#1}::_FUN(void*) /home/zcp/repo_center/doris_master/doris/be/src/common/object_pool.h:40
       #11 0x56149611cb10 in doris::ObjectPool::clear() /home/zcp/repo_center/doris_master/doris/be/src/common/object_pool.h:53
       #12 0x56149611c947 in doris::ObjectPool::~ObjectPool() /home/zcp/repo_center/doris_master/doris/be/src/common/object_pool.h:34
       #13 0x5614968e0407 in std::default_delete<doris::ObjectPool>::operator()(doris::ObjectPool*) const /var/local/ldb_toolchain/include/c++/11/bits/unique_ptr.h:85
       #14 0x5614968d2c90 in std::unique_ptr<doris::ObjectPool, std::default_delete<doris::ObjectPool> >::~unique_ptr() /var/local/ldb_toolchain/include/c++/11/bits/unique_ptr.h:361
       #15 0x561498c95fb9 in doris::RuntimeProfile::~RuntimeProfile() /home/zcp/repo_center/doris_master/doris/be/src/util/runtime_profile.cpp:57
       #16 0x5614978838e1 in std::default_delete<doris::RuntimeProfile>::operator()(doris::RuntimeProfile*) const /var/local/ldb_toolchain/include/c++/11/bits/unique_ptr.h:85
       #17 0x561497878eac in std::unique_ptr<doris::RuntimeProfile, std::default_delete<doris::RuntimeProfile> >::~unique_ptr() /var/local/ldb_toolchain/include/c++/11/bits/unique_ptr.h:361
       #18 0x5614978622ce in doris::ExecNode::~ExecNode() /home/zcp/repo_center/doris_master/doris/be/src/exec/exec_node.cpp:153
       #19 0x56149b4e4078 in doris::vectorized::VExchangeNode::~VExchangeNode() /home/zcp/repo_center/doris_master/doris/be/src/vec/exec/vexchange_node.h:36
       #20 0x56149b4e4093 in doris::vectorized::VExchangeNode::~VExchangeNode() /home/zcp/repo_center/doris_master/doris/be/src/vec/exec/vexchange_node.h:36
       #21 0x56149787eb70 in doris::ObjectPool::add<doris::vectorized::VExchangeNode>(doris::vectorized::VExchangeNode*)::{lambda(void*)#1}::operator()(void*) const /home/zcp/repo_center/doris_master/doris/be/src/common/object_pool.h:40
       #22 0x56149787ebdb in doris::ObjectPool::add<doris::vectorized::VExchangeNode>(doris::vectorized::VExchangeNode*)::{lambda(void*)#1}::_FUN(void*) /home/zcp/repo_center/doris_master/doris/be/src/common/object_pool.h:40
       #23 0x56149611cb10 in doris::ObjectPool::clear() /home/zcp/repo_center/doris_master/doris/be/src/common/object_pool.h:53
       #24 0x5614983bcfa4 in doris::RuntimeState::~RuntimeState() /home/zcp/repo_center/doris_master/doris/be/src/runtime/runtime_state.cpp:163
       #25 0x561497816bb7 in std::default_delete<doris::RuntimeState>::operator()(doris::RuntimeState*) const /var/local/ldb_toolchain/include/c++/11/bits/unique_ptr.h:85
       #26 0x561497812566 in std::unique_ptr<doris::RuntimeState, std::default_delete<doris::RuntimeState> >::~unique_ptr() /var/local/ldb_toolchain/include/c++/11/bits/unique_ptr.h:361
       #27 0x5614984dc162 in doris::PlanFragmentExecutor::~PlanFragmentExecutor() /home/zcp/repo_center/doris_master/doris/be/src/runtime/plan_fragment_executor.cpp:75
       #28 0x5614984b537b in doris::FragmentExecState::~FragmentExecState() /home/zcp/repo_center/doris_master/doris/be/src/runtime/fragment_mgr.cpp:80
       #29 0x5614984c4c84 in std::Sp_counted_ptr<doris::FragmentExecState*, (_gnu_cxx::_Lock_policy)2>::_M_dispose() /var/local/ldb_toolchain/include/c++/11/bits/shared_ptr_base.h:348
   
   previously allocated by thread T1124 here:
       #0 0x561495f05707 in operator new(unsigned long) (/mnt/ssd01/doris-master/VEC_ASAN/be/lib/doris_be+0x10e20707)
   
   Thread T56002 (FragmentMgrThre) created by T1124 here:
       #0 0x561495ea8061 in pthread_create (/mnt/ssd01/doris-master/VEC_ASAN/be/lib/doris_be+0x10dc3061)
   
   Thread T1124 created by T0 here:
       #0 0x561495ea8061 in pthread_create (/mnt/ssd01/doris-master/VEC_ASAN/be/lib/doris_be+0x10dc3061)
       #1 0x5614a5793c2b in bthread::TaskControl::add_workers(int) (/mnt/ssd01/doris-master/VEC_ASAN/be/lib/doris_be+0x206aec2b)
       #2 0x5614a579070c in bthread_setconcurrency (/mnt/ssd01/doris-master/VEC_ASAN/be/lib/doris_be+0x206ab70c)
       #3 0x5614a5901529 in brpc::Server::StartInternal(butil::EndPoint const&, brpc::PortRange const&, brpc::ServerOptions const*) (/mnt/ssd01/doris-master/VEC_ASAN/be/lib/doris_be+0x2081c529)
       #4 0x5614a5903419 in brpc::Server::Start(butil::EndPoint const&, brpc::ServerOptions const*) (/mnt/ssd01/doris-master/VEC_ASAN/be/lib/doris_be+0x2081e419)
       #5 0x5614a59035b1 in brpc::Server::Start(int, brpc::ServerOptions const*) (/mnt/ssd01/doris-master/VEC_ASAN/be/lib/doris_be+0x2081e5b1)
       #6 0x561498a9187b in doris::BRpcService::start(int, int) /home/zcp/repo_center/doris_master/doris/be/src/service/brpc_service.cpp:52
       #7 0x561495f55769 in main /home/zcp/repo_center/doris_master/doris/be/src/service/doris_main.cpp:435
       #8 0x7fb7d90d20b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
   
   Thread T56026 (FragmentMgrThre) created by T1101 here:
       #0 0x561495ea8061 in pthread_create (/mnt/ssd01/doris-master/VEC_ASAN/be/lib/doris_be+0x10dc3061)
   
   Thread T1101 created by T0 here:
       #0 0x561495ea8061 in pthread_create (/mnt/ssd01/doris-master/VEC_ASAN/be/lib/doris_be+0x10dc3061)
       #1 0x5614a57935ec in bthread::TaskControl::init(int) (/mnt/ssd01/doris-master/VEC_ASAN/be/lib/doris_be+0x206ae5ec)
       #2 0x5614a5790d5c in bthread::get_or_new_task_control() (/mnt/ssd01/doris-master/VEC_ASAN/be/lib/doris_be+0x206abd5c)
       #3 0x5614a579026c in bthread_start_background (/mnt/ssd01/doris-master/VEC_ASAN/be/lib/doris_be+0x206ab26c)
       #4 0x5614a580caae  (/mnt/ssd01/doris-master/VEC_ASAN/be/lib/doris_be+0x20727aae)
       #5 0x7fb7d909c47e in __pthread_once_slow /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_once.c:116
   
   SUMMARY: AddressSanitizer: heap-use-after-free /home/zcp/repo_center/doris_master/doris/be/src/vec/runtime/vdata_stream_recvr.cpp:192 in doris::vectorized::VDataStreamRecvr::SenderQueue::add_block(doris::vectorized::Block*, bool)
   Shadow bytes around the buggy address:
     0x0c06912bc6f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
     0x0c06912bc700: fa fa 00 00 00 fa fa fa fa fa fa fa fa fa fa fa
     0x0c06912bc710: fa fa fa fa fa fa fa fa fa fa fd fd fd fd fa fa
     0x0c06912bc720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
     0x0c06912bc730: fa fa fd fd fd fd fa fa fa fa fa fa fa fa 00 00
   =>0x0c06912bc740: 00 fa fa fa fa fa fa fa fa fa[fd]fd fd fd fa fa
     0x0c06912bc750: 00 00 00 fa fa fa 00 00 00 fa fa fa fa fa fa fa
     0x0c06912bc760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 00
     0x0c06912bc770: 00 fa fa fa fa fa fa fa fa fa 00 00 00 fa fa fa
     0x0c06912bc780: 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa
     0x0c06912bc790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   Shadow byte legend (one shadow byte represents 8 application bytes):
     Addressable:           00
     Partially addressable: 01 02 03 04 05 06 07
     Heap left redzone:       fa
     Freed heap region:       fd
     Stack left redzone:      f1
     Stack mid redzone:       f2
     Stack right redzone:     f3
     Stack after return:      f5
     Stack use after scope:   f8
     Global redzone:          f9
     Global init order:       f6
     Poisoned by user:        f7
     Container overflow:      fc
     Array cookie:            ac
     Intra object redzone:    bb
     ASan internal:           fe
     Left alloca redzone:     ca
     Right alloca redzone:    cb
     Shadow gap:              cc
   ==2611039==ABORTING
   ```
   
   ### What You Expected?
   
   No coredump
   
   ### How to Reproduce?
   
   _No response_
   
   ### Anything Else?
   
   _No response_
   
   ### Are you willing to submit PR?
   
   - [X] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [X] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@doris.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@doris.apache.org
For additional commands, e-mail: commits-help@doris.apache.org


[GitHub] [doris] yiguolei closed issue #15159: [Bug] AddressSanitizer: heap-use-after-free in DataStreamRecvr::SenderQueue::add_block

Posted by GitBox <gi...@apache.org>.
yiguolei closed issue #15159: [Bug] AddressSanitizer: heap-use-after-free in DataStreamRecvr::SenderQueue::add_block
URL: https://github.com/apache/doris/issues/15159

