felixwluo opened a new pull request, #50665:
URL: https://github.com/apache/doris/pull/50665

   ### What problem does this PR solve?
   
   Problem Summary:
   1. core
   ```
   (gdb) bt
   #0  atomic_load_u (a=0x8, mo=atomic_memory_order_relaxed) at 
../include/jemalloc/internal/atomic.h:91
   #1  rtree_leaf_elm_read (elm=0x0, dependent=true, tsdn=<optimized out>, 
rtree=<optimized out>) at ../include/jemalloc/internal/rtree.h:247
   #2  rtree_metadata_read (rtree_ctx=<optimized out>, key=<optimized out>, 
tsdn=<optimized out>, rtree=<optimized out>) at 
../include/jemalloc/internal/rtree.h:446
   #3  emap_alloc_ctx_lookup (ptr=<optimized out>, tsdn=<optimized out>, 
emap=<optimized out>, alloc_ctx=<optimized out>) at 
../include/jemalloc/internal/emap.h:238
   #4  ifree (ptr=<optimized out>, tcache=<optimized out>, slow_path=false, 
tsd=<optimized out>) at ../src/jemalloc.c:2877
   #5  je_free_default (ptr=<optimized out>) at ../src/jemalloc.c:3014
   #6  0x000056022fc851df in brpc::URI::~URI() ()
   #7  0x000056022fb24f43 in brpc::HttpHeader::~HttpHeader() ()
   #8  0x000056022fb20c63 in brpc::Controller::ResetNonPods() ()
   #9  0x000056022fb208d8 in brpc::Controller::~Controller() ()
   #10 0x000056022dab452a in 
std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release 
(this=0x7fedfb69fd00)
       at 
/var/local/ldb-toolchain/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/shared_ptr_base.h:168
   #11 std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count 
(this=<optimized out>)
       at 
/var/local/ldb-toolchain/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/shared_ptr_base.h:702
   #12 std::__shared_ptr<brpc::Controller, 
(__gnu_cxx::_Lock_policy)2>::~__shared_ptr (this=<optimized out>)
       at 
/var/local/ldb-toolchain/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/shared_ptr_base.h:1149
   #13 doris::DummyBrpcCallback<doris::PTransmitDataResult>::~DummyBrpcCallback 
(this=<optimized out>) at /root/be/src/util/ref_count_closure.h:40
   #14 
doris::pipeline::ExchangeSendCallback<doris::PTransmitDataResult>::~ExchangeSendCallback
 (this=<optimized out>) at /root/be/src/pipeline/exec/exchange_sink_buffer.h:151
   #15 0x000056022daa76fe in 
std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release 
(this=0x7febd6f18e00)
       at 
/var/local/ldb-toolchain/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/shared_ptr_base.h:168
   #16 std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count 
(this=0x7fec08e115e0)
       at 
/var/local/ldb-toolchain/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/shared_ptr_base.h:702
   #17 
std::__shared_ptr<doris::pipeline::ExchangeSendCallback<doris::PTransmitDataResult>,
 (__gnu_cxx::_Lock_policy)2>::~__shared_ptr (this=0x7fec08e115d8)
       at 
/var/local/ldb-toolchain/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/shared_ptr_base.h:1149
   #18 
doris::vectorized::PipChannel<doris::pipeline::ExchangeSinkLocalState>::~PipChannel
 (this=0x7fec08e11380) at /root/be/src/vec/sink/vdata_stream_sender.h:482
   #19 0x000056022dbac1b7 in 
std::_Sp_counted_ptr<doris::vectorized::PipChannel<doris::pipeline::ExchangeSinkLocalState>*,
 (__gnu_cxx::_Lock_policy)2>::_M_dispose (this=<optimized out>)
       at 
/var/local/ldb-toolchain/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/shared_ptr_base.h:348
   #20 0x000056022dbaa219 in 
std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release 
(this=0x7fec093be4e0)
       at 
/var/local/ldb-toolchain/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/shared_ptr_base.h:168
   #21 std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count 
(this=0x7fec093bf088)
       at 
/var/local/ldb-toolchain/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/shared_ptr_base.h:702
   #22 
std::__shared_ptr<doris::vectorized::PipChannel<doris::pipeline::ExchangeSinkLocalState>,
 (__gnu_cxx::_Lock_policy)2>::~__shared_ptr (this=0x7fec093bf080)
       at 
/var/local/ldb-toolchain/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/shared_ptr_base.h:1149
   #23 
std::destroy_at<std::shared_ptr<doris::vectorized::PipChannel<doris::pipeline::ExchangeSinkLocalState>
 > > (__location=0x7fec093bf080)
       at 
/var/local/ldb-toolchain/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/stl_construct.h:88
   #24 
std::_Destroy<std::shared_ptr<doris::vectorized::PipChannel<doris::pipeline::ExchangeSinkLocalState>
 > > (__pointer=0x7fec093bf080)
       at 
/var/local/ldb-toolchain/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/stl_construct.h:138
   #25 
std::_Destroy_aux<false>::__destroy<std::shared_ptr<doris::vectorized::PipChannel<doris::pipeline::ExchangeSinkLocalState>
 >*> (__first=0x7fec093bf080, __last=0x7fec093bf0b0)
       at 
/var/local/ldb-toolchain/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/stl_construct.h:152
   #26 
std::_Destroy<std::shared_ptr<doris::vectorized::PipChannel<doris::pipeline::ExchangeSinkLocalState>
 >*> (__first=<optimized out>, __last=0x7fec093bf0b0)
       at 
/var/local/ldb-toolchain/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/stl_construct.h:184
   #27 
std::_Destroy<std::shared_ptr<doris::vectorized::PipChannel<doris::pipeline::ExchangeSinkLocalState>
 >*, 
std::shared_ptr<doris::vectorized::PipChannel<doris::pipeline::ExchangeSinkLocalState>
 > > (__first=<optimized out>, __last=0x7fec093bf0b0) at 
/var/local/ldb-toolchain/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/alloc_traits.h:746
   #28 
std::vector<std::shared_ptr<doris::vectorized::PipChannel<doris::pipeline::ExchangeSinkLocalState>
 >, 
std::allocator<std::shared_ptr<doris::vectorized::PipChannel<doris::pipeline::ExchangeSinkLocalState>
 > > >::~vector (this=0x7fec0921b4c0) at 
/var/local/ldb-toolchain/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/stl_vector.h:680
   #29 doris::pipeline::ExchangeSinkLocalState::~ExchangeSinkLocalState 
(this=0x7fec0921b400) at /root/be/src/pipeline/exec/exchange_sink_operator.h:68
   #30 0x000056022dbaa34e in 
doris::pipeline::ExchangeSinkLocalState::~ExchangeSinkLocalState 
(this=0x7feec3ff1d80) at /root/be/src/pipeline/exec/exchange_sink_operator.h:68
   #31 0x0000560224660b2a in 
std::default_delete<doris::pipeline::PipelineXSinkLocalStateBase>::operator() 
(this=<optimized out>, __ptr=0x7feec3ff1d80)
       at 
/var/local/ldb-toolchain/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/unique_ptr.h:85
   #32 std::unique_ptr<doris::pipeline::PipelineXSinkLocalStateBase, 
std::default_delete<doris::pipeline::PipelineXSinkLocalStateBase> 
>::~unique_ptr (this=0x7fec091c2af0)
       at 
/var/local/ldb-toolchain/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/unique_ptr.h:361
   #33 doris::RuntimeState::~RuntimeState (this=0x7fec091c2000) at 
/root/be/src/runtime/runtime_state.cpp:280
   #34 0x000056022e2d0b87 in 
std::default_delete<doris::RuntimeState>::operator() (this=0x7fcd7ca8e9b8, 
__ptr=0x7fec091c2000)
       at 
/var/local/ldb-toolchain/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/unique_ptr.h:85
   #35 std::__uniq_ptr_impl<doris::RuntimeState, 
std::default_delete<doris::RuntimeState> >::reset (this=0x7fcd7ca8e9b8, __p=0x0)
       at 
/var/local/ldb-toolchain/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/unique_ptr.h:182
   #36 std::unique_ptr<doris::RuntimeState, 
std::default_delete<doris::RuntimeState> >::reset (this=0x7fcd7ca8e9b8, __p=0x0)
       at 
/var/local/ldb-toolchain/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/unique_ptr.h:456
   #37 doris::pipeline::PipelineXFragmentContext::~PipelineXFragmentContext 
(this=0x7fcd75bc9410) at 
/root/be/src/pipeline/pipeline_x/pipeline_x_fragment_context.cpp:123
   #38 0x000056022e30c322 in 
std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release 
(this=0x7fcd75bc9400)
       at 
/var/local/ldb-toolchain/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/shared_ptr_base.h:168
   #39 std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count 
(this=0x7feec3ff0fa0)
       at 
/var/local/ldb-toolchain/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/shared_ptr_base.h:702
   #40 std::__shared_ptr<doris::TaskExecutionContext, 
(__gnu_cxx::_Lock_policy)2>::~__shared_ptr (this=0x7feec3ff0f98)
       at 
/var/local/ldb-toolchain/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/shared_ptr_base.h:1149
   #41 doris::pipeline::_close_task (task=task@entry=0x7fec0921d700, 
state=doris::pipeline::PipelineTaskState::FINISHED, exec_status=...) at 
/root/be/src/pipeline/task_scheduler.cpp:262
   #42 0x000056022e30ca7f in doris::pipeline::TaskScheduler::_do_work 
(this=0x7ff5d95a2000, index=49) at /root/be/src/pipeline/task_scheduler.cpp:288
   #43 0x0000560224829758 in doris::ThreadPool::dispatch_thread 
(this=0x7ff5d95a1600) at /root/be/src/util/threadpool.cpp:544
   #44 0x000056022481ea51 in std::function<void()>::operator() 
(this=0x7feec3ff1d80) at 
/var/local/ldb-toolchain/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/std_function.h:560
   #45 doris::Thread::supervise_thread (arg=0x7feecb1240e0) at 
/root/be/src/util/thread.cpp:498
   #46 0x00007ff5f7a3cea5 in start_thread () from /lib64/libpthread.so.0
   #47 0x00007ff5f846b9fd in clone () from /lib64/libc.so.6
   ```
   2. Possible causes of the problem

   During the data exchange process of Doris, when PipChannel is destructed, a memory access error (use-after-free) caused by a dangling pointer may occur. The specific problem occurs in the following scenarios:

   - 2-1. When the Channel object is destroyed, the `_send_callback` held inside it may still hold a raw pointer reference to the RpcInstance.
   - 2-2. In the destructor of ExchangeSendCallback, these raw pointers may be accessed, but the memory they point to is invalid.
   - 2-3. This caused jemalloc to core dump when trying to access an invalid address.
   
   ### Release note
   
   None
   
   ### Check List (For Author)
   
   - Test <!-- At least one of them must be included. -->
       - [ ] Regression test
       - [ ] Unit Test
       - [ ] Manual test (add detailed scripts or steps below)
       - [ ] No need to test or manual test. Explain why:
           - [ ] This is a refactor/code format and no logic has been changed.
           - [ ] Previous test can cover this change.
           - [ ] No code files have been changed.
           - [ ] Other reason <!-- Add your reason?  -->
   
   - Behavior changed:
       - [ ] No.
       - [ ] Yes. <!-- Explain the behavior change -->
   
   - Does this need documentation?
       - [ ] No.
       - [ ] Yes. <!-- Add document PR link here. eg: 
https://github.com/apache/doris-website/pull/1214 -->
   
   ### Check List (For Reviewer who merge this PR)
   
   - [ ] Confirm the release note
   - [ ] Confirm test cases
   - [ ] Confirm document
   - [ ] Add branch pick label <!-- Add branch pick label that this PR should 
merge into -->
   
   


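The lifetime problem described in 2-1 and 2-2 above, as an added example that is not code from the PR or from Doris. `Instance`, `RawCallback`, `WeakCallback` and the `skipped` counter are hypothetical stand-ins for the roles the description names, and the `weak_ptr` guard is one common mitigation, not necessarily the change this PR makes.

```cpp
#include <memory>

// Simplified stand-ins for the roles described in the PR; not Doris code.
struct Instance {            // plays the role of the RpcInstance
    int live_callbacks = 0;
};

// Shape described in 2-1/2-2: a raw pointer dereferenced in the destructor.
// Safe only if the Instance is guaranteed to outlive the callback.
struct RawCallback {
    explicit RawCallback(Instance* i) : inst(i) { ++inst->live_callbacks; }
    ~RawCallback() { --inst->live_callbacks; }   // use-after-free if *inst is gone
    Instance* inst;
};

// Hardened shape: a non-owning weak_ptr that is checked before each use.
struct WeakCallback {
    explicit WeakCallback(const std::shared_ptr<Instance>& i) : inst(i) {
        ++i->live_callbacks;
    }
    ~WeakCallback() {
        if (auto p = inst.lock()) --p->live_callbacks;  // touch only while alive
        else if (skipped) ++*skipped;                   // target already freed
    }
    std::weak_ptr<Instance> inst;
    int* skipped = nullptr;   // test hook: counts destructor runs that found no target
};

// Destroys the Instance before the callback (the order the PR describes).
// Returns how many destructor runs found the target gone and skipped the access.
int instance_dies_first() {
    int skipped = 0;
    auto inst = std::make_shared<Instance>();
    auto cb = std::make_unique<WeakCallback>(inst);
    cb->skipped = &skipped;
    inst.reset();   // Instance freed while the callback still exists
    cb.reset();     // destructor runs, lock() fails, no dangling access
    return skipped;
}

// Destroys the callback first; returns the Instance's counter afterwards.
int callback_dies_first() {
    auto inst = std::make_shared<Instance>();
    { WeakCallback cb(inst); }
    return inst->live_callbacks;
}
```

Building the `RawCallback` shape with AddressSanitizer (`-fsanitize=address`) and destroying the instance first reports the heap-use-after-free at the destructor line, which is usually a more direct signal than an allocator crash further down the stack.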