Posted to commits@doris.apache.org by GitBox <gi...@apache.org> on 2022/05/16 08:09:06 UTC

[GitHub] [incubator-doris] dataroaring opened a new issue, #9591: [Bug] use after free on page cache

dataroaring opened a new issue, #9591:
URL: https://github.com/apache/incubator-doris/issues/9591

   ### Search before asking
   
   - [X] I have searched the [issues](https://github.com/apache/incubator-doris/issues?q=is%3Aissue) and found no similar issues.
   
   
   ### Version
   
   dev-1.0.1
   
   ### What's Wrong?
   
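   The BE (backend) process core dumps. AddressSanitizer reports a heap-use-after-free on a buffer released by the page cache (full report under "Anything Else?").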
   
   ### What You Expected?
   
   The BE works without crashing.
   
   ### How to Reproduce?
   
   _No response_
   
   ### Anything Else?
   
   =================================================================
   ==955204==ERROR: AddressSanitizer: heap-use-after-free on address 0x63116d56db84 at pc 0x5653015af8fb bp 0x7f05e1e1aff0 sp 0x7f05e1e1afe0
   READ of size 4 at 0x63116d56db84 thread T276
       #0 0x5653015af8fa in doris::HashUtil::murmur_hash3_32(void const*, int, unsigned int) /home/zcp/selectdb/be/src/util/hash_util.hpp:147
       #1 0x565301f918e8 in doris::BlockBloomFilter::find(doris::Slice const&) const /home/zcp/selectdb/be/src/exprs/block_bloom_filter.hpp:67
       #2 0x565301faf510 in bool doris::detail::BlockBloomFilterAdaptor::test<doris::Slice>(doris::Slice) const /home/zcp/selectdb/be/src/exprs/bloomfilter_predicate.h:66
       #3 0x565301f9980a in doris::StringFindOp<doris::detail::BlockBloomFilterAdaptor>::find(doris::detail::BlockBloomFilterAdaptor const&, void const*) const /home/zcp/selectdb/be/src/exprs/bloomfilter_predicate.h:201
       #4 0x565301f9980a in doris::StringFindOp<doris::detail::BlockBloomFilterAdaptor>::find_olap_engine(doris::detail::BlockBloomFilterAdaptor const&, void const*) const /home/zcp/selectdb/be/src/exprs/bloomfilter_predicate.h:205
       #5 0x565301f9980a in doris::BloomFilterFunc<(doris::PrimitiveType)23, doris::detail::BlockBloomFilterAdaptor>::find_olap_engine(void const*) const /home/zcp/selectdb/be/src/exprs/bloomfilter_predicate.h:324
       #6 0x565301fa2406 in doris::BloomFilterColumnPredicate<(doris::PrimitiveType)23>::evaluate(doris::vectorized::IColumn&, unsigned short*, unsigned short*) const /home/zcp/selectdb/be/src/olap/bloom_filter_predicate.h:156
       #7 0x565303c521ef in doris::segment_v2::SegmentIterator::_evaluate_short_circuit_predicate(unsigned short*, unsigned short*) /home/zcp/selectdb/be/src/olap/rowset/segment_v2/segment_iterator.cpp:871
       #8 0x565303c53e20 in doris::segment_v2::SegmentIterator::next_batch(doris::vectorized::Block*) /home/zcp/selectdb/be/src/olap/rowset/segment_v2/segment_iterator.cpp:964
       #9 0x56530359f8db in doris::vectorized::VUnionIterator::next_batch(doris::vectorized::Block*) /home/zcp/selectdb/be/src/vec/olap/vgeneric_iterators.cpp:397
       #10 0x565302189597 in doris::BetaRowsetReader::next_block(doris::vectorized::Block*) /home/zcp/selectdb/be/src/olap/rowset/beta_rowset_reader.cpp:193
       #11 0x565306a7e26a in doris::vectorized::VCollectIterator::Level0Iterator::next(doris::vectorized::Block*) /home/zcp/selectdb/be/src/vec/olap/vcollect_iterator.cpp:215
       #12 0x565306a826f0 in doris::vectorized::VCollectIterator::Level1Iterator::_normal_next(doris::vectorized::Block*) /home/zcp/selectdb/be/src/vec/olap/vcollect_iterator.cpp:366
       #13 0x565306a7e8b4 in doris::vectorized::VCollectIterator::Level1Iterator::next(doris::vectorized::Block*) /home/zcp/selectdb/be/src/vec/olap/vcollect_iterator.cpp:264
       #14 0x565306a7d6b5 in doris::vectorized::VCollectIterator::next(doris::vectorized::Block*) /home/zcp/selectdb/be/src/vec/olap/vcollect_iterator.cpp:165
       #15 0x565306a8bc6d in doris::vectorized::BlockReader::_direct_next_block(doris::vectorized::Block*, doris::MemPool*, doris::ObjectPool*, bool*) /home/zcp/selectdb/be/src/vec/olap/block_reader.cpp:175
       #16 0x565306a9743d in doris::vectorized::BlockReader::next_block_with_aggregation(doris::vectorized::Block*, doris::MemPool*, doris::ObjectPool*, bool*) /home/zcp/selectdb/be/src/vec/olap/block_reader.h:49
       #17 0x56530406f19e in doris::vectorized::VOlapScanner::get_block(doris::RuntimeState*, doris::vectorized::Block*, bool*) /home/zcp/selectdb/be/src/vec/exec/volap_scanner.cpp:55
       #18 0x56530403e328 in doris::vectorized::VOlapScanNode::scanner_thread(doris::vectorized::VOlapScanner*) /home/zcp/selectdb/be/src/vec/exec/volap_scan_node.cpp:210
       #19 0x56530405b83a in void std::__invoke_impl<void, void (doris::vectorized::VOlapScanNode::*&)(doris::vectorized::VOlapScanner*), doris::vectorized::VOlapScanNode*&, doris::vectorized::VOlapScanner*&>(std::__invoke_memfun_deref, void (doris::vectorized::VOlapScanNode::*&)(doris::vectorized::VOlapScanner*), doris::vectorized::VOlapScanNode*&, doris::vectorized::VOlapScanner*&) /var/local/ldb_toolchain/include/c++/11/bits/invoke.h:74
       #20 0x56530405b3f2 in std::__invoke_result<void (doris::vectorized::VOlapScanNode::*&)(doris::vectorized::VOlapScanner*), doris::vectorized::VOlapScanNode*&, doris::vectorized::VOlapScanner*&>::type std::__invoke<void (doris::vectorized::VOlapScanNode::*&)(doris::vectorized::VOlapScanner*), doris::vectorized::VOlapScanNode*&, doris::vectorized::VOlapScanner*&>(void (doris::vectorized::VOlapScanNode::*&)(doris::vectorized::VOlapScanner*), doris::vectorized::VOlapScanNode*&, doris::vectorized::VOlapScanner*&) /var/local/ldb_toolchain/include/c++/11/bits/invoke.h:96
       #21 0x56530405ad24 in void std::_Bind<void (doris::vectorized::VOlapScanNode::*(doris::vectorized::VOlapScanNode*, doris::vectorized::VOlapScanner*))(doris::vectorized::VOlapScanner*)>::__call<void, , 0ul, 1ul>(std::tuple<>&&, std::_Index_tuple<0ul, 1ul>) /var/local/ldb_toolchain/include/c++/11/functional:420
       #22 0x56530405a6ea in void std::_Bind<void (doris::vectorized::VOlapScanNode::*(doris::vectorized::VOlapScanNode*, doris::vectorized::VOlapScanner*))(doris::vectorized::VOlapScanner*)>::operator()<, void>() /var/local/ldb_toolchain/include/c++/11/functional:503
       #23 0x5653040599c3 in void std::__invoke_impl<void, std::_Bind<void (doris::vectorized::VOlapScanNode::*(doris::vectorized::VOlapScanNode*, doris::vectorized::VOlapScanner*))(doris::vectorized::VOlapScanner*)>&>(std::__invoke_other, std::_Bind<void (doris::vectorized::VOlapScanNode::*(doris::vectorized::VOlapScanNode*, doris::vectorized::VOlapScanner*))(doris::vectorized::VOlapScanner*)>&) /var/local/ldb_toolchain/include/c++/11/bits/invoke.h:61
       #24 0x5653040588a1 in std::enable_if<is_invocable_r_v<void, std::_Bind<void (doris::vectorized::VOlapScanNode::*(doris::vectorized::VOlapScanNode*, doris::vectorized::VOlapScanner*))(doris::vectorized::VOlapScanner*)>&>, void>::type std::__invoke_r<void, std::_Bind<void (doris::vectorized::VOlapScanNode::*(doris::vectorized::VOlapScanNode*, doris::vectorized::VOlapScanner*))(doris::vectorized::VOlapScanner*)>&>(std::_Bind<void (doris::vectorized::VOlapScanNode::*(doris::vectorized::VOlapScanNode*, doris::vectorized::VOlapScanner*))(doris::vectorized::VOlapScanner*)>&) /var/local/ldb_toolchain/include/c++/11/bits/invoke.h:111
       #25 0x56530405768f in std::_Function_handler<void (), std::_Bind<void (doris::vectorized::VOlapScanNode::*(doris::vectorized::VOlapScanNode*, doris::vectorized::VOlapScanner*))(doris::vectorized::VOlapScanner*)> >::_M_invoke(std::_Any_data const&) /var/local/ldb_toolchain/include/c++/11/bits/std_function.h:291
       #26 0x565302308eb9 in std::function<void ()>::operator()() const /var/local/ldb_toolchain/include/c++/11/bits/std_function.h:560
       #27 0x565302305d41 in doris::PriorityWorkStealingThreadPool::work_thread(int) (/mnt/hdd01/VEC_ASAN/be/lib/palo_be+0x5c94d41)
       #28 0x56530232ae21 in void std::__invoke_impl<void, void (doris::PriorityWorkStealingThreadPool::* const&)(int), doris::PriorityWorkStealingThreadPool*&, int&>(std::__invoke_memfun_deref, void (doris::PriorityWorkStealingThreadPool::* const&)(int), doris::PriorityWorkStealingThreadPool*&, int&) (/mnt/hdd01/VEC_ASAN/be/lib/palo_be+0x5cb9e21)
       #29 0x56530232abfa in std::__invoke_result<void (doris::PriorityWorkStealingThreadPool::* const&)(int), doris::PriorityWorkStealingThreadPool*&, int&>::type std::__invoke<void (doris::PriorityWorkStealingThreadPool::* const&)(int), doris::PriorityWorkStealingThreadPool*&, int&>(void (doris::PriorityWorkStealingThreadPool::* const&)(int), doris::PriorityWorkStealingThreadPool*&, int&) (/mnt/hdd01/VEC_ASAN/be/lib/palo_be+0x5cb9bfa)
       #30 0x56530232ab2c in decltype (__invoke((*this)._M_pmf, (forward<doris::PriorityWorkStealingThreadPool*&>)({parm#1}), (forward<int&>)({parm#1}))) std::_Mem_fn_base<void (doris::PriorityWorkStealingThreadPool::*)(int), true>::operator()<doris::PriorityWorkStealingThreadPool*&, int&>(doris::PriorityWorkStealingThreadPool*&, int&) const (/mnt/hdd01/VEC_ASAN/be/lib/palo_be+0x5cb9b2c)
       #31 0x56530232aa15 in void std::__invoke_impl<void, std::_Mem_fn<void (doris::PriorityWorkStealingThreadPool::*)(int)>&, doris::PriorityWorkStealingThreadPool*&, int&>(std::__invoke_other, std::_Mem_fn<void (doris::PriorityWorkStealingThreadPool::*)(int)>&, doris::PriorityWorkStealingThreadPool*&, int&) (/mnt/hdd01/VEC_ASAN/be/lib/palo_be+0x5cb9a15)
       #32 0x56530232a8ae in std::enable_if<is_invocable_r_v<void, std::_Mem_fn<void (doris::PriorityWorkStealingThreadPool::*)(int)>&, doris::PriorityWorkStealingThreadPool*&, int&>, void>::type std::__invoke_r<void, std::_Mem_fn<void (doris::PriorityWorkStealingThreadPool::*)(int)>&, doris::PriorityWorkStealingThreadPool*&, int&>(std::_Mem_fn<void (doris::PriorityWorkStealingThreadPool::*)(int)>&, doris::PriorityWorkStealingThreadPool*&, int&) (/mnt/hdd01/VEC_ASAN/be/lib/palo_be+0x5cb98ae)
       #33 0x56530232a5be in void std::_Bind_result<void, std::_Mem_fn<void (doris::PriorityWorkStealingThreadPool::*)(int)> (doris::PriorityWorkStealingThreadPool*, int)>::__call<void, , 0ul, 1ul>(std::tuple<>&&, std::_Index_tuple<0ul, 1ul>) (/mnt/hdd01/VEC_ASAN/be/lib/palo_be+0x5cb95be)
       #34 0x56530232a320 in void std::_Bind_result<void, std::_Mem_fn<void (doris::PriorityWorkStealingThreadPool::*)(int)> (doris::PriorityWorkStealingThreadPool*, int)>::operator()<>() (/mnt/hdd01/VEC_ASAN/be/lib/palo_be+0x5cb9320)
       #35 0x56530232a204 in void std::__invoke_impl<void, std::_Bind_result<void, std::_Mem_fn<void (doris::PriorityWorkStealingThreadPool::*)(int)> (doris::PriorityWorkStealingThreadPool*, int)>>(std::__invoke_other, std::_Bind_result<void, std::_Mem_fn<void (doris::PriorityWorkStealingThreadPool::*)(int)> (doris::PriorityWorkStealingThreadPool*, int)>&&) (/mnt/hdd01/VEC_ASAN/be/lib/palo_be+0x5cb9204)
       #36 0x56530232a158 in std::__invoke_result<std::_Bind_result<void, std::_Mem_fn<void (doris::PriorityWorkStealingThreadPool::*)(int)> (doris::PriorityWorkStealingThreadPool*, int)>>::type std::__invoke<std::_Bind_result<void, std::_Mem_fn<void (doris::PriorityWorkStealingThreadPool::*)(int)> (doris::PriorityWorkStealingThreadPool*, int)>>(std::_Bind_result<void, std::_Mem_fn<void (doris::PriorityWorkStealingThreadPool::*)(int)> (doris::PriorityWorkSte:
   
   
   
   0x63116d56db84 is located 37764 bytes inside of 65577-byte region [0x63116d564800,0x63116d574829)
   freed by thread T276 here:
       #0 0x56530147ea67 in operator delete[](void*) (/mnt/hdd01/VEC_ASAN/be/lib/palo_be+0x4e0da67)
       #1 0x56530201b194 in operator() /home/zcp/selectdb/be/src/olap/page_cache.cpp:57
       #2 0x56530201b1bc in _FUN /home/zcp/selectdb/be/src/olap/page_cache.cpp:57
       #3 0x565301c40997 in doris::LRUHandle::free() /home/zcp/selectdb/be/src/olap/lru_cache.h:257
       #4 0x565301c384ab in doris::LRUCache::release(doris::Cache::Handle*) /home/zcp/selectdb/be/src/olap/lru_cache.cpp:260
       #5 0x565301c3b990 in doris::ShardedLRUCache::release(doris::Cache::Handle*) /home/zcp/selectdb/be/src/olap/lru_cache.cpp:487
       #6 0x565301fecfbc in doris::PageCacheHandle::~PageCacheHandle() /home/zcp/selectdb/be/src/olap/page_cache.h:124
       #7 0x565301fed0ef in doris::segment_v2::PageHandle::~PageHandle() /home/zcp/selectdb/be/src/olap/rowset/segment_v2/page_handle.h:65
       #8 0x565301fed3da in doris::segment_v2::ParsedPage::~ParsedPage() /home/zcp/selectdb/be/src/olap/rowset/segment_v2/parsed_page.h:73
       #9 0x565301ff8399 in doris::segment_v2::ParsedPage::create(doris::segment_v2::PageHandle, doris::Slice const&, doris::segment_v2::DataPageFooterPB const&, doris::segment_v2::EncodingInfo const*, doris::segment_v2::PagePointer const&, unsigned int, doris::segment_v2::ParsedPage*) /home/zcp/selectdb/be/src/olap/rowset/segment_v2/parsed_page.h:41
       #10 0x565303d9c0a0 in doris::segment_v2::FileColumnIterator::_read_data_page(doris::segment_v2::OrdinalPageIndexIterator const&) /home/zcp/selectdb/be/src/olap/rowset/segment_v2/column_reader.cpp:651
       #11 0x565303d9ba51 in doris::segment_v2::FileColumnIterator::_load_next_page(bool*) /home/zcp/selectdb/be/src/olap/rowset/segment_v2/column_reader.cpp:638
       #12 0x565303d9a86b in doris::segment_v2::FileColumnIterator::next_batch(unsigned long*, COW<doris::vectorized::IColumn>::mutable_ptr<doris::vectorized::IColumn>&, bool*) /home/zcp/selectdb/be/src/olap/rowset/segment_v2/column_reader.cpp:587
       #13 0x565303c5c14d in doris::segment_v2::ColumnIterator::next_batch(unsigned long*, COW<doris::vectorized::IColumn>::mutable_ptr<doris::vectorized::IColumn>&) /home/zcp/selectdb/be/src/olap/rowset/segment_v2/column_reader.h:222
       #14 0x565303c50112 in doris::segment_v2::SegmentIterator::_read_columns(std::vector<unsigned int, std::allocator<unsigned int> > const&, std::vector<COW<doris::vectorized::IColumn>::mutable_ptr<doris::vectorized::IColumn>, std::allocator<COW<doris::vectorized::IColumn>::mutable_ptr<doris::vectorized::IColumn> > >&, unsigned long) /home/zcp/selectdb/be/src/olap/rowset/segment_v2/segment_iterator.cpp:750
       #15 0x565303c5130d in doris::segment_v2::SegmentIterator::_read_columns_by_index(unsigned int, unsigned int&, bool) /home/zcp/selectdb/be/src/olap/rowset/segment_v2/segment_iterator.cpp:801
       #16 0x565303c5361f in doris::segment_v2::SegmentIterator::next_batch(doris::vectorized::Block*) /home/zcp/selectdb/be/src/olap/rowset/segment_v2/segment_iterator.cpp:927
       #17 0x56530359f8db in doris::vectorized::VUnionIterator::next_batch(doris::vectorized::Block*) /home/zcp/selectdb/be/src/vec/olap/vgeneric_iterators.cpp:397
   
   
   previously allocated by thread T267 here:
       #0 0x56530147df67 in operator new[](unsigned long) (/mnt/hdd01/VEC_ASAN/be/lib/palo_be+0x4e0cf67)
       #1 0x565301ffc0fa in doris::segment_v2::PageIO::read_and_decompress_page(doris::segment_v2::PageReadOptions const&, doris::segment_v2::PageHandle*, doris::Slice*, doris::segment_v2::PageFooterPB*) /home/zcp/selectdb/be/src/olap/rowset/segment_v2/page_io.cpp:142
       #2 0x565303d91996 in doris::segment_v2::ColumnReader::read_page(doris::segment_v2::ColumnIteratorOptions const&, doris::segment_v2::PagePointer const&, doris::segment_v2::PageHandle*, doris::Slice*, doris::segment_v2::PageFooterPB*) /home/zcp/selectdb/be/src/olap/rowset/segment_v2/column_reader.cpp:156
       #3 0x565303d9bf02 in doris::segment_v2::FileColumnIterator::_read_data_page(doris::segment_v2::OrdinalPageIndexIterator const&) /home/zcp/selectdb/be/src/olap/rowset/segment_v2/column_reader.cpp:649
       #4 0x565303d9ba51 in doris::segment_v2::FileColumnIterator::_load_next_page(bool*) /home/zcp/selectdb/be/src/olap/rowset/segment_v2/column_reader.cpp:638
       #5 0x565303d9a86b in doris::segment_v2::FileColumnIterator::next_batch(unsigned long*, COW<doris::vectorized::IColumn>::mutable_ptr<doris::vectorized::IColumn>&, bool*) /home/zcp/selectdb/be/src/olap/rowset/segment_v2/column_reader.cpp:587
       #6 0x565303c5c14d in doris::segment_v2::ColumnIterator::next_batch(unsigned long*, COW<doris::vectorized::IColumn>::mutable_ptr<doris::vectorized::IColumn>&) /home/zcp/selectdb/be/src/olap/rowset/segment_v2/column_reader.h:222
       #7 0x565303c50112 in doris::segment_v2::SegmentIterator::_read_columns(std::vector<unsigned int, std::allocator<unsigned int> > const&, std::vector<COW<doris::vectorized::IColumn>::mutable_ptr<doris::vectorized::IColumn>, std::allocator<COW<doris::vectorized::IColumn>::mutable_ptr<doris::vectorized::IColumn> > >&, unsigned long) /home/zcp/selectdb/be/src/olap/rowset/segment_v2/segment_iterator.cpp:750
       #8 0x565303c5130d in doris::segment_v2::SegmentIterator::_read_columns_by_index(unsigned int, unsigned int&, bool) /home/zcp/selectdb/be/src/olap/rowset/segment_v2/segment_iterator.cpp:801
       #9 0x565303c5361f in doris::segment_v2::SegmentIterator::next_batch(doris::vectorized::Block*) /home/zcp/selectdb/be/src/olap/rowset/segment_v2/segment_iterator.cpp:927
       #10 0x56530359f8db in doris::vectorized::VUnionIterator::next_batch(doris::vectorized::Block*) /home/zcp/selectdb/be/src/vec/olap/vgeneric_iterators.cpp:397
   
   
   ### Are you willing to submit PR?
   
   - [ ] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [X] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct)
   

