You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@doris.apache.org by "jacktengg (via GitHub)" <gi...@apache.org> on 2023/01/30 15:58:53 UTC
[GitHub] [doris] jacktengg opened a new issue, #16266: [Bug] Topn sorter heap-use-after-free
jacktengg opened a new issue, #16266:
URL: https://github.com/apache/doris/issues/16266
### Search before asking
- [X] I had searched in the [issues](https://github.com/apache/doris/issues?q=is%3Aissue) and found no similar issues.
### Version
master 4b6a4b3cf76de146bcdec34f3e6e7d65cfe72fdb
### What's Wrong?
asan heap-use-after-free error for test:
regressiont test database: regression_test_datatype_p0_scalar_types
sql:
SELECT * FROM tbl_scalar_types_unique1 ORDER BY c_double DESC, c_bigint DESC LIMIT 20
```
start time: Mon Jan 30 17:22:05 CST 2023
=================================================================
==2713519==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400eb875d0 at pc 0x563e953b324a bp 0x7e9a22ed0b70 sp 0x7e9a22ed0b60
READ of size 8 at 0x60400eb875d0 thread T6081 (FragmentMgrThre)
#0 0x563e953b3249 in doris::vectorized::MergeSortBlockCursor::less_at(doris::vectorized::MergeSortBlockCursor const&, int) const /mnt/disk1/tengjianping/doris-test/be/src/vec/core/sort_cursor.h:331
#1 0x563e953b34fe in doris::vectorized::MergeSortBlockCursor::operator<(doris::vectorized::MergeSortBlockCursor const&) const /mnt/disk1/tengjianping/doris-test/be/src/vec/core/sort_cursor.h:356
#2 0x563e953ba444 in std::less<doris::vectorized::MergeSortBlockCursor>::operator()(doris::vectorized::MergeSortBlockCursor const&, doris::vectorized::MergeSortBlockCursor const&) const /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/stl_function.h:386
#3 0x563e953b9d24 in bool __gnu_cxx::__ops::_Iter_comp_val<std::less<doris::vectorized::MergeSortBlockCursor> >::operator()<__gnu_cxx::__normal_iterator<doris::vectorized::MergeSortBlockCursor*, std::vector<doris::vectorized::MergeSortBlockCursor, std::allocator<doris::vectorized::MergeSortBlockCursor> > >, doris::vectorized::MergeSortBlockCursor>(__gnu_cxx::__normal_iterator<doris::vectorized::MergeSortBlockCursor*, std::vector<doris::vectorized::MergeSortBlockCursor, std::allocator<doris::vectorized::MergeSortBlockCursor> > >, doris::vectorized::MergeSortBlockCursor&) /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/predefined_ops.h:196
#4 0x563e953b8bf5 in void std::__push_heap<__gnu_cxx::__normal_iterator<doris::vectorized::MergeSortBlockCursor*, std::vector<doris::vectorized::MergeSortBlockCursor, std::allocator<doris::vectorized::MergeSortBlockCursor> > >, long, doris::vectorized::MergeSortBlockCursor, __gnu_cxx::__ops::_Iter_comp_val<std::less<doris::vectorized::MergeSortBlockCursor> > >(__gnu_cxx::__normal_iterator<doris::vectorized::MergeSortBlockCursor*, std::vector<doris::vectorized::MergeSortBlockCursor, std::allocator<doris::vectorized::MergeSortBlockCursor> > >, long, long, doris::vectorized::MergeSortBlockCursor, __gnu_cxx::__ops::_Iter_comp_val<std::less<doris::vectorized::MergeSortBlockCursor> >&) /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/stl_heap.h:139
#5 0x563e953b74c1 in void std::push_heap<__gnu_cxx::__normal_iterator<doris::vectorized::MergeSortBlockCursor*, std::vector<doris::vectorized::MergeSortBlockCursor, std::allocator<doris::vectorized::MergeSortBlockCursor> > >, std::less<doris::vectorized::MergeSortBlockCursor> >(__gnu_cxx::__normal_iterator<doris::vectorized::MergeSortBlockCursor*, std::vector<doris::vectorized::MergeSortBlockCursor, std::allocator<doris::vectorized::MergeSortBlockCursor> > >, __gnu_cxx::__normal_iterator<doris::vectorized::MergeSortBlockCursor*, std::vector<doris::vectorized::MergeSortBlockCursor, std::allocator<doris::vectorized::MergeSortBlockCursor> > >, std::less<doris::vectorized::MergeSortBlockCursor>) /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/stl_heap.h:215
#6 0x563e953b5d0d in void std::priority_queue<doris::vectorized::MergeSortBlockCursor, std::vector<doris::vectorized::MergeSortBlockCursor, std::allocator<doris::vectorized::MergeSortBlockCursor> >, std::less<doris::vectorized::MergeSortBlockCursor> >::emplace<doris::vectorized::MergeSortCursorImpl*>(doris::vectorized::MergeSortCursorImpl*&&) /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/stl_queue.h:659
#7 0x563e953ae08f in doris::vectorized::TopNSorter::_do_sort(doris::vectorized::Block*) /mnt/disk1/tengjianping/doris-test/be/src/vec/common/sort/topn_sorter.cpp:56
#8 0x563e953ad9d1 in doris::vectorized::TopNSorter::append_block(doris::vectorized::Block*) /mnt/disk1/tengjianping/doris-test/be/src/vec/common/sort/topn_sorter.cpp:33
#9 0x563e95358778 in doris::vectorized::VSortNode::sink(doris::RuntimeState*, doris::vectorized::Block*, bool) /mnt/disk1/tengjianping/doris-test/be/src/vec/exec/vsort_node.cpp:112
#10 0x563e9535a086 in doris::vectorized::VSortNode::open(doris::RuntimeState*) /mnt/disk1/tengjianping/doris-test/be/src/vec/exec/vsort_node.cpp:160
#11 0x563e9237f45f in doris::PlanFragmentExecutor::open_vectorized_internal() /mnt/disk1/tengjianping/doris-test/be/src/runtime/plan_fragment_executor.cpp:266
#12 0x563e9237eac1 in doris::PlanFragmentExecutor::open() /mnt/disk1/tengjianping/doris-test/be/src/runtime/plan_fragment_executor.cpp:241
#13 0x563e922f833d in doris::FragmentExecState::execute() /mnt/disk1/tengjianping/doris-test/be/src/runtime/fragment_mgr.cpp:250
#14 0x563e923006ad in doris::FragmentMgr::_exec_actual(std::shared_ptr<doris::FragmentExecState>, std::function<void (doris::RuntimeState*, doris::Status*)>) /mnt/disk1/tengjianping/doris-test/be/src/runtime/fragment_mgr.cpp:490
#15 0x563e92302ed4 in operator() /mnt/disk1/tengjianping/doris-test/be/src/runtime/fragment_mgr.cpp:746
#16 0x563e92313e8b in __invoke_impl<void, doris::FragmentMgr::exec_plan_fragment(const doris::TExecPlanFragmentParams&, doris::FragmentMgr::FinishCallback)::<lambda()>&> /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/invoke.h:61
#17 0x563e92313967 in __invoke_r<void, doris::FragmentMgr::exec_plan_fragment(const doris::TExecPlanFragmentParams&, doris::FragmentMgr::FinishCallback)::<lambda()>&> /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/invoke.h:111
#18 0x563e92312d8b in _M_invoke /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/std_function.h:291
#19 0x563e9257d6e7 in std::function<void ()>::operator()() const /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/std_function.h:560
#20 0x563e92af5085 in doris::FunctionRunnable::run() /mnt/disk1/tengjianping/doris-test/be/src/util/threadpool.cpp:46
#21 0x563e92af0177 in doris::ThreadPool::dispatch_thread() /mnt/disk1/tengjianping/doris-test/be/src/util/threadpool.cpp:535
#22 0x563e92b1215d in void std::__invoke_impl<void, void (doris::ThreadPool::*&)(), doris::ThreadPool*&>(std::__invoke_memfun_deref, void (doris::ThreadPool::*&)(), doris::ThreadPool*&) /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/invoke.h:74
#23 0x563e92b119fc in std::__invoke_result<void (doris::ThreadPool::*&)(), doris::ThreadPool*&>::type std::__invoke<void (doris::ThreadPool::*&)(), doris::ThreadPool*&>(void (doris::ThreadPool::*&)(), doris::ThreadPool*&) /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/invoke.h:96
#24 0x563e92b10d9b in void std::_Bind<void (doris::ThreadPool::*(doris::ThreadPool*))()>::__call<void, , 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/functional:420
#25 0x563e92b0f8ac in void std::_Bind<void (doris::ThreadPool::*(doris::ThreadPool*))()>::operator()<, void>() /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/functional:503
#26 0x563e92b0c49d in void std::__invoke_impl<void, std::_Bind<void (doris::ThreadPool::*(doris::ThreadPool*))()>&>(std::__invoke_other, std::_Bind<void (doris::ThreadPool::*(doris::ThreadPool*))()>&) /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/invoke.h:61
#27 0x563e92b09955 in std::enable_if<is_invocable_r_v<void, std::_Bind<void (doris::ThreadPool::*(doris::ThreadPool*))()>&>, void>::type std::__invoke_r<void, std::_Bind<void (doris::ThreadPool::*(doris::ThreadPool*))()>&>(std::_Bind<void (doris::ThreadPool::*(doris::ThreadPool*))()>&) /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/invoke.h:111
#28 0x563e92b04c54 in std::_Function_handler<void (), std::_Bind<void (doris::ThreadPool::*(doris::ThreadPool*))()> >::_M_invoke(std::_Any_data const&) /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/std_function.h:291
#29 0x563e9257d6e7 in std::function<void ()>::operator()() const /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/std_function.h:560
#30 0x563e92acfc43 in doris::Thread::supervise_thread(void*) /mnt/disk1/tengjianping/doris-test/be/src/util/thread.cpp:453
#31 0x7f77860d4179 in start_thread (/lib64/libpthread.so.0+0x8179)
#32 0x7f7785a81df2 in __GI___clone (/lib64/libc.so.6+0xfcdf2)
0x60400eb875d0 is located 0 bytes inside of 40-byte region [0x60400eb875d0,0x60400eb875f8)
freed by thread T6081 (FragmentMgrThre) here:
#0 0x563e90a64767 in operator delete(void*, unsigned long) (/mnt/disk1/tengjianping/doris-test/output/be/lib/doris_be+0x1181e767)
#1 0x563e94cc6e20 in doris::vectorized::ColumnNullable::~ColumnNullable() /mnt/disk1/tengjianping/doris-test/be/src/vec/columns/column_nullable.h:47
#2 0x563e90e95b0e in COW<doris::vectorized::IColumn>::release_ref() /mnt/disk1/tengjianping/doris-test/be/src/vec/common/cow.h:99
#3 0x563e90e8f5c9 in COW<doris::vectorized::IColumn>::intrusive_ptr<doris::vectorized::IColumn const>::~intrusive_ptr() /mnt/disk1/tengjianping/doris-test/be/src/vec/common/cow.h:133
#4 0x563e90e8c8cb in COW<doris::vectorized::IColumn>::immutable_ptr<doris::vectorized::IColumn>::~immutable_ptr() /mnt/disk1/tengjianping/doris-test/be/src/vec/common/cow.h:255
#5 0x563e90ea0f75 in doris::vectorized::ColumnWithTypeAndName::~ColumnWithTypeAndName() /mnt/disk1/tengjianping/doris-test/be/src/vec/core/column_with_type_and_name.h:35
#6 0x563e90ea0f90 in void std::_Destroy<doris::vectorized::ColumnWithTypeAndName>(doris::vectorized::ColumnWithTypeAndName*) /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/stl_construct.h:140
#7 0x563e90e9fd74 in void std::_Destroy_aux<false>::__destroy<doris::vectorized::ColumnWithTypeAndName*>(doris::vectorized::ColumnWithTypeAndName*, doris::vectorized::ColumnWithTypeAndName*) /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/stl_construct.h:152
#8 0x563e90e9d31f in void std::_Destroy<doris::vectorized::ColumnWithTypeAndName*>(doris::vectorized::ColumnWithTypeAndName*, doris::vectorized::ColumnWithTypeAndName*) /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/stl_construct.h:185
#9 0x563e90e993d2 in void std::_Destroy<doris::vectorized::ColumnWithTypeAndName*, doris::vectorized::ColumnWithTypeAndName>(doris::vectorized::ColumnWithTypeAndName*, doris::vectorized::ColumnWithTypeAndName*, std::allocator<doris::vectorized::ColumnWithTypeAndName>&) /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/alloc_traits.h:746
#10 0x563e90e92b81 in std::vector<doris::vectorized::ColumnWithTypeAndName, std::allocator<doris::vectorized::ColumnWithTypeAndName> >::~vector() /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/stl_vector.h:680
#11 0x563e90e8ed81 in doris::vectorized::Block::~Block() /mnt/disk1/tengjianping/doris-test/be/src/vec/core/block.h:56
#12 0x563e953ae3c0 in doris::vectorized::TopNSorter::_do_sort(doris::vectorized::Block*) /mnt/disk1/tengjianping/doris-test/be/src/vec/common/sort/topn_sorter.cpp:71
#13 0x563e953ad9d1 in doris::vectorized::TopNSorter::append_block(doris::vectorized::Block*) /mnt/disk1/tengjianping/doris-test/be/src/vec/common/sort/topn_sorter.cpp:33
#14 0x563e95358778 in doris::vectorized::VSortNode::sink(doris::RuntimeState*, doris::vectorized::Block*, bool) /mnt/disk1/tengjianping/doris-test/be/src/vec/exec/vsort_node.cpp:112
#15 0x563e9535a086 in doris::vectorized::VSortNode::open(doris::RuntimeState*) /mnt/disk1/tengjianping/doris-test/be/src/vec/exec/vsort_node.cpp:160
#16 0x563e9237f45f in doris::PlanFragmentExecutor::open_vectorized_internal() /mnt/disk1/tengjianping/doris-test/be/src/runtime/plan_fragment_executor.cpp:266
#17 0x563e9237eac1 in doris::PlanFragmentExecutor::open() /mnt/disk1/tengjianping/doris-test/be/src/runtime/plan_fragment_executor.cpp:241
#18 0x563e922f833d in doris::FragmentExecState::execute() /mnt/disk1/tengjianping/doris-test/be/src/runtime/fragment_mgr.cpp:250
#19 0x563e923006ad in doris::FragmentMgr::_exec_actual(std::shared_ptr<doris::FragmentExecState>, std::function<void (doris::RuntimeState*, doris::Status*)>) /mnt/disk1/tengjianping/doris-test/be/src/runtime/fragment_mgr.cpp:490
#20 0x563e92302ed4 in operator() /mnt/disk1/tengjianping/doris-test/be/src/runtime/fragment_mgr.cpp:746
#21 0x563e92313e8b in __invoke_impl<void, doris::FragmentMgr::exec_plan_fragment(const doris::TExecPlanFragmentParams&, doris::FragmentMgr::FinishCallback)::<lambda()>&> /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/invoke.h:61
#22 0x563e92313967 in __invoke_r<void, doris::FragmentMgr::exec_plan_fragment(const doris::TExecPlanFragmentParams&, doris::FragmentMgr::FinishCallback)::<lambda()>&> /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/invoke.h:111
#23 0x563e92312d8b in _M_invoke /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/std_function.h:291
#24 0x563e9257d6e7 in std::function<void ()>::operator()() const /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/std_function.h:560
#25 0x563e92af5085 in doris::FunctionRunnable::run() /mnt/disk1/tengjianping/doris-test/be/src/util/threadpool.cpp:46
#26 0x563e92af0177 in doris::ThreadPool::dispatch_thread() /mnt/disk1/tengjianping/doris-test/be/src/util/threadpool.cpp:535
#27 0x563e92b1215d in void std::__invoke_impl<void, void (doris::ThreadPool::*&)(), doris::ThreadPool*&>(std::__invoke_memfun_deref, void (doris::ThreadPool::*&)(), doris::ThreadPool*&) /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/invoke.h:74
#28 0x563e92b119fc in std::__invoke_result<void (doris::ThreadPool::*&)(), doris::ThreadPool*&>::type std::__invoke<void (doris::ThreadPool::*&)(), doris::ThreadPool*&>(void (doris::ThreadPool::*&)(), doris::ThreadPool*&) /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/invoke.h:96
#29 0x563e92b10d9b in void std::_Bind<void (doris::ThreadPool::*(doris::ThreadPool*))()>::__call<void, , 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/functional:420
previously allocated by thread T6081 (FragmentMgrThre) here:
#0 0x563e90a63707 in operator new(unsigned long) (/mnt/disk1/tengjianping/doris-test/output/be/lib/doris_be+0x1181d707)
#1 0x563e94bf92ad in COW<doris::vectorized::IColumn>::mutable_ptr<doris::vectorized::ColumnNullable> COWHelper<doris::vectorized::IColumn, doris::vectorized::ColumnNullable>::create<COW<doris::vectorized::IColumn>::mutable_ptr<doris::vectorized::IColumn>, COW<doris::vectorized::IColumn>::mutable_ptr<doris::vectorized::IColumn> >(COW<doris::vectorized::IColumn>::mutable_ptr<doris::vectorized::IColumn>&&, COW<doris::vectorized::IColumn>::mutable_ptr<doris::vectorized::IColumn>&&) /mnt/disk1/tengjianping/doris-test/be/src/vec/common/cow.h:412
#2 0x563e94bee6f8 in COW<doris::vectorized::IColumn>::mutable_ptr<doris::vectorized::ColumnNullable> doris::vectorized::ColumnNullable::create<COW<doris::vectorized::IColumn>::mutable_ptr<doris::vectorized::IColumn>, COW<doris::vectorized::IColumn>::mutable_ptr<doris::vectorized::IColumn>, void>(COW<doris::vectorized::IColumn>::mutable_ptr<doris::vectorized::IColumn>&&, COW<doris::vectorized::IColumn>::mutable_ptr<doris::vectorized::IColumn>&&) /mnt/disk1/tengjianping/doris-test/be/src/vec/columns/column_nullable.h:67
#3 0x563e94becc19 in doris::vectorized::ColumnNullable::create(COW<doris::vectorized::IColumn>::immutable_ptr<doris::vectorized::IColumn> const&, COW<doris::vectorized::IColumn>::immutable_ptr<doris::vectorized::IColumn> const&) /mnt/disk1/tengjianping/doris-test/be/src/vec/columns/column_nullable.h:60
#4 0x563e94cb52e0 in doris::vectorized::ColumnNullable::permute(doris::vectorized::PODArray<unsigned long, 4096ul, Allocator<false, false>, 15ul, 16ul> const&, unsigned long) const /mnt/disk1/tengjianping/doris-test/be/src/vec/columns/column_nullable.cpp:326
#5 0x563e953e309c in doris::vectorized::sort_block(doris::vectorized::Block&, doris::vectorized::Block&, std::vector<doris::vectorized::SortColumnDescription, std::allocator<doris::vectorized::SortColumnDescription> > const&, unsigned long) /mnt/disk1/tengjianping/doris-test/be/src/vec/core/sort_block.cpp:116
#6 0x563e953c7676 in doris::vectorized::Sorter::partial_sort(doris::vectorized::Block&, doris::vectorized::Block&) /mnt/disk1/tengjianping/doris-test/be/src/vec/common/sort/sorter.cpp:279
#7 0x563e953ade83 in doris::vectorized::TopNSorter::_do_sort(doris::vectorized::Block*) /mnt/disk1/tengjianping/doris-test/be/src/vec/common/sort/topn_sorter.cpp:47
#8 0x563e953ad9d1 in doris::vectorized::TopNSorter::append_block(doris::vectorized::Block*) /mnt/disk1/tengjianping/doris-test/be/src/vec/common/sort/topn_sorter.cpp:33
#9 0x563e95358778 in doris::vectorized::VSortNode::sink(doris::RuntimeState*, doris::vectorized::Block*, bool) /mnt/disk1/tengjianping/doris-test/be/src/vec/exec/vsort_node.cpp:112
#10 0x563e9535a086 in doris::vectorized::VSortNode::open(doris::RuntimeState*) /mnt/disk1/tengjianping/doris-test/be/src/vec/exec/vsort_node.cpp:160
#11 0x563e9237f45f in doris::PlanFragmentExecutor::open_vectorized_internal() /mnt/disk1/tengjianping/doris-test/be/src/runtime/plan_fragment_executor.cpp:266
#12 0x563e9237eac1 in doris::PlanFragmentExecutor::open() /mnt/disk1/tengjianping/doris-test/be/src/runtime/plan_fragment_executor.cpp:241
#13 0x563e922f833d in doris::FragmentExecState::execute() /mnt/disk1/tengjianping/doris-test/be/src/runtime/fragment_mgr.cpp:250
#14 0x563e923006ad in doris::FragmentMgr::_exec_actual(std::shared_ptr<doris::FragmentExecState>, std::function<void (doris::RuntimeState*, doris::Status*)>) /mnt/disk1/tengjianping/doris-test/be/src/runtime/fragment_mgr.cpp:490
#15 0x563e92302ed4 in operator() /mnt/disk1/tengjianping/doris-test/be/src/runtime/fragment_mgr.cpp:746
#16 0x563e92313e8b in __invoke_impl<void, doris::FragmentMgr::exec_plan_fragment(const doris::TExecPlanFragmentParams&, doris::FragmentMgr::FinishCallback)::<lambda()>&> /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/invoke.h:61
#17 0x563e92313967 in __invoke_r<void, doris::FragmentMgr::exec_plan_fragment(const doris::TExecPlanFragmentParams&, doris::FragmentMgr::FinishCallback)::<lambda()>&> /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/invoke.h:111
#18 0x563e92312d8b in _M_invoke /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/std_function.h:291
#19 0x563e9257d6e7 in std::function<void ()>::operator()() const /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/std_function.h:560
#20 0x563e92af5085 in doris::FunctionRunnable::run() /mnt/disk1/tengjianping/doris-test/be/src/util/threadpool.cpp:46
#21 0x563e92af0177 in doris::ThreadPool::dispatch_thread() /mnt/disk1/tengjianping/doris-test/be/src/util/threadpool.cpp:535
#22 0x563e92b1215d in void std::__invoke_impl<void, void (doris::ThreadPool::*&)(), doris::ThreadPool*&>(std::__invoke_memfun_deref, void (doris::ThreadPool::*&)(), doris::ThreadPool*&) /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/invoke.h:74
#23 0x563e92b119fc in std::__invoke_result<void (doris::ThreadPool::*&)(), doris::ThreadPool*&>::type std::__invoke<void (doris::ThreadPool::*&)(), doris::ThreadPool*&>(void (doris::ThreadPool::*&)(), doris::ThreadPool*&) /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/invoke.h:96
#24 0x563e92b10d9b in void std::_Bind<void (doris::ThreadPool::*(doris::ThreadPool*))()>::__call<void, , 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/functional:420
#25 0x563e92b0f8ac in void std::_Bind<void (doris::ThreadPool::*(doris::ThreadPool*))()>::operator()<, void>() /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/functional:503
#26 0x563e92b0c49d in void std::__invoke_impl<void, std::_Bind<void (doris::ThreadPool::*(doris::ThreadPool*))()>&>(std::__invoke_other, std::_Bind<void (doris::ThreadPool::*(doris::ThreadPool*))()>&) /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/invoke.h:61
#27 0x563e92b09955 in std::enable_if<is_invocable_r_v<void, std::_Bind<void (doris::ThreadPool::*(doris::ThreadPool*))()>&>, void>::type std::__invoke_r<void, std::_Bind<void (doris::ThreadPool::*(doris::ThreadPool*))()>&>(std::_Bind<void (doris::ThreadPool::*(doris::ThreadPool*))()>&) /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/invoke.h:111
#28 0x563e92b04c54 in std::_Function_handler<void (), std::_Bind<void (doris::ThreadPool::*(doris::ThreadPool*))()> >::_M_invoke(std::_Any_data const&) /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/std_function.h:291
#29 0x563e9257d6e7 in std::function<void ()>::operator()() const /mnt/disk1/tengjianping/local/ldb_toolchain_clang15/include/c++/11/bits/std_function.h:560
Thread T6081 (FragmentMgrThre) created by T814 here:
#0 0x563e90a06061 in __interceptor_pthread_create (/mnt/disk1/tengjianping/doris-test/output/be/lib/doris_be+0x117c0061)
Thread T814 created by T0 here:
#0 0x563e90a06061 in __interceptor_pthread_create (/mnt/disk1/tengjianping/doris-test/output/be/lib/doris_be+0x117c0061)
#1 0x563ea29b365b in bthread::TaskControl::add_workers(int) (/mnt/disk1/tengjianping/doris-test/output/be/lib/doris_be+0x2376d65b)
#2 0x563ea29a195c in bthread_setconcurrency (/mnt/disk1/tengjianping/doris-test/output/be/lib/doris_be+0x2375b95c)
#3 0x563ea2b13b19 in brpc::Server::StartInternal(butil::EndPoint const&, brpc::PortRange const&, brpc::ServerOptions const*) (/mnt/disk1/tengjianping/doris-test/output/be/lib/doris_be+0x238cdb19)
#4 0x563ea2b15a09 in brpc::Server::Start(butil::EndPoint const&, brpc::ServerOptions const*) (/mnt/disk1/tengjianping/doris-test/output/be/lib/doris_be+0x238cfa09)
#5 0x563ea2b15ba1 in brpc::Server::Start(int, brpc::ServerOptions const*) (/mnt/disk1/tengjianping/doris-test/output/be/lib/doris_be+0x238cfba1)
#6 0x563e926e4baf in doris::BRpcService::start(int, int) /mnt/disk1/tengjianping/doris-test/be/src/service/brpc_service.cpp:52
#7 0x563e90ab4d88 in main /mnt/disk1/tengjianping/doris-test/be/src/service/doris_main.cpp:474
#8 0x7f77859a8492 in __libc_start_main (/lib64/libc.so.6+0x23492)
SUMMARY: AddressSanitizer: heap-use-after-free /mnt/disk1/tengjianping/doris-test/be/src/vec/core/sort_cursor.h:331 in doris::vectorized::MergeSortBlockCursor::less_at(doris::vectorized::MergeSortBlockCursor const&, int) const
Shadow bytes around the buggy address:
0x0c0881d68e60: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
0x0c0881d68e70: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa
0x0c0881d68e80: fa fa 00 00 00 00 00 fa fa fa fd fd fd fd fd fa
0x0c0881d68e90: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
0x0c0881d68ea0: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa
=>0x0c0881d68eb0: fa fa 00 00 00 00 00 fa fa fa[fd]fd fd fd fd fa
0x0c0881d68ec0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
0x0c0881d68ed0: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 fa
0x0c0881d68ee0: fa fa 00 00 00 00 00 fa fa fa fd fd fd fd fd fa
0x0c0881d68ef0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
0x0c0881d68f00: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2713519==ABORTING
```
### What You Expected?
sql execute OK
### How to Reproduce?
_No response_
### Anything Else?
_No response_
### Are you willing to submit PR?
- [X] Yes I am willing to submit a PR!
### Code of Conduct
- [X] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@doris.apache.org.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@doris.apache.org
For additional commands, e-mail: commits-help@doris.apache.org
[GitHub] [doris] yiguolei closed issue #16266: [Bug] Topn sorter heap-use-after-free
Posted by "yiguolei (via GitHub)" <gi...@apache.org>.
yiguolei closed issue #16266: [Bug] Topn sorter heap-use-after-free
URL: https://github.com/apache/doris/issues/16266
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@doris.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@doris.apache.org
For additional commands, e-mail: commits-help@doris.apache.org