Eugene, this needs a test case. Let's discuss how and where to add it.
** Changed in: tarantool
Assignee: (unassigned) => bigbes (bigbes)
** Changed in: tarantool
Milestone: None => 1.6.1
--
You received this bug notification because you are a member of Tarantool
Development Team, which is subscribed to tarantool.
https://bugs.launchpad.net/bugs/1094053
Title:
Random iterations over sptree (TreeIndex) cause a memory corruption
Status in Tarantool - an efficient in-memory data store:
Confirmed
Bug description:
--------------------------------------------------------------------------------------------------------
[4:24:03 PM] Dmitry E. Oboukhov: Program terminated with signal 6, Aborted.
#0 0x00002ad0ea8eb475 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) #0 0x00002ad0ea8eb475 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00002ad0ea8ee6f0 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00002ad0ea9252fb in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3 0x00002ad0ea92eb46 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#4 0x00000000004182e3 in sptree_index_iterator_free (i=0x267f400)
at /home/unera/tarantool/src/box/tree.h:39
#5 0x000000000041a0f4 in tree_iterator_free (iterator=0x2645b60)
at /home/unera/tarantool/src/box/tree.m:760
#6 0x00000000004245e8 in lbox_iterator_gc (L=0x4114f1c0)
at /home/unera/tarantool/src/box/box_lua.m:542
#7 0x00000000004913e7 in lj_BC_FUNCC ()
#8 0x0000000000470a87 in gc_call_finalizer (g=g@entry=0x400f63b8,
L=L@entry=0x4114f1c0, mo=<optimized out>, o=o@entry=0x4010cdd8)
at lj_gc.c:472
#9 0x0000000000470c91 in gc_finalize (L=0x4114f1c0) at lj_gc.c:517
#10 0x00000000004716c1 in gc_onestep (L=L@entry=0x4114f1c0) at lj_gc.c:649
#11 0x0000000000471816 in lj_gc_step (L=0x4114f1c0) at lj_gc.c:675
#12 0x0000000000492d38 in lj_fff_gcstep ()
#13 0x000000000047c084 in lua_call (L=<optimized out>, nargs=<optimized out>,
nresults=<optimized out>) at lj_api.c:1016
#14 0x0000000000425d8c in box_lua_execute (request=0x2aaaaace5078,
port=0x2aaaaace4f00) at /home/unera/tarantool/src/box/box_lua.m:1209
#15 0x00000000004213e5 in request_execute (request=0x2aaaaace5078,
txn=0x2aaaaace5038, port=0x2aaaaace4f00)
at /home/unera/tarantool/src/box/request.m:854
#16 0x0000000000421b3d in box_process_rw (port=0x2aaaaace4f00, op=22,
data=0x2aaaaace4ec0) at /home/unera/tarantool/src/box/box.m:97
#17 0x000000000046236b in iproto_reply (port=0x2aaaaace4f00,
callback=0x421ac4 <box_process_rw>, out=0x2ad0e97f56b8,
header=0x2aaaaacc5038) at /home/unera/tarantool/src/iproto.m:593
#18 0x0000000000462447 in iproto_handler (arg=0x2ad0e97f5a50)
at /home/unera/tarantool/src/iproto.m:621
#19 0x000000000044a363 in fiber_loop (data=0x0)
at /home/unera/tarantool/src/fiber.m:367
#20 0x000000000046df0c in coro_init ()
at /home/unera/tarantool/third_party/coro/coro.c:95
--------------------------------------------------------------------------------------------------------
TreeIndex iterator traverses sptrees in-order. Every iterator
allocates a stack buffer to store a list of visited nodes. The size of
the buffer is chosen based on tree depth, due to the fact that at most
depth(tree) nodes have to be saved in the stack history during
traversal.
For the situation above valgrind reports a buffer overflow in the
sptree_##name##_iterator->stack array. TreeIndex/sptree maintains a
t->max_depth variable that contains the actual depth of the tree. It seems that
t->max_depth initially had an incorrect value OR the tree depth was changed
between iterations.
----------
typedef struct sptree_##name##_iterator {   \
    sptree_##name *t;                        \
    int level;                               \
    int max_depth;                           \
    spnode_t stack[0];                       \
} sptree_##name##_iterator;                  \
----------
sptree_##name##_iterator_init_set: (max_depth + 1)
--------------------------------------------------------------------------------------------------------
static inline void                                                                 \
sptree_##name##_iterator_init_set(sptree_##name *t, sptree_##name##_iterator **i,  \
                                  void *k) {                                       \
    if ((*i) == NULL || t->max_depth > (*i)->max_depth)                            \
        *i = realloc(*i, sizeof(**i) + sizeof(spnode_t) * (t->max_depth + 1));     \
--------------------------------------------------------------------------------------------------------
replace: (max_depth + 2)
--------------------------------------------------------------------------------------------------------
sptree_##name##_replace(sptree_##name *t, void *v, void **p_old) {   \
    spnode_t node, depth = 0;                                         \
    spnode_t path[ t->max_depth + 2]; <!-- Why +2 ?                   \
--------------------------------------------------------------------------------------------------------
To manage notifications about this bug go to:
https://bugs.launchpad.net/tarantool/+bug/1094053/+subscriptions
_______________________________________________
Mailing list: https://launchpad.net/~tarantool-developers
Post to : [email protected]
Unsubscribe : https://launchpad.net/~tarantool-developers
More help : https://help.launchpad.net/ListHelp
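The failure mode the report describes, as an added example that is not Tarantool's sptree code: a small array-backed binary search tree whose iterator has the same shape as sptree_##name##_iterator (a stack sized for max_depth + 1 entries, regrown only when the tree got deeper) but with a bounds check on push, so that an iterator reused after the tree deepened reports the overflow instead of writing past stack[]. The tree layout, the 0 = "no node" sentinel, the function names (tree_insert, iterator_init, iterator_next, demo_stale_iterator, demo_reinit_iterator) and the keys are assumptions made for this illustration; the scenario exercises the second hypothesis from the report, a tree whose depth changes between iterations.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not Tarantool's sptree code: an array-backed BST whose iterator
 * has the report's shape (stack sized for max_depth + 1 entries) plus a bounds
 * check on push. Names, the 0 = "no node" sentinel and the keys are assumptions. */
typedef int spnode_t;
enum { MAX_NODES = 64 };
typedef struct { int key; spnode_t left, right; } node_t;
typedef struct {
    node_t nodes[MAX_NODES + 1];   /* slot 0 is the null sentinel */
    int nnodes, max_depth;         /* max_depth is recomputed on every insert */
    spnode_t root;
} tree_t;
typedef struct {
    tree_t *t;
    int level;                     /* entries currently on the stack */
    int max_depth;                 /* depth the stack was sized for */
    spnode_t stack[];              /* max_depth + 1 entries allocated */
} iterator_t;

static int depth_of(const tree_t *t, spnode_t n) {
    if (n == 0) return 0;
    int l = depth_of(t, t->nodes[n].left), r = depth_of(t, t->nodes[n].right);
    return 1 + (l > r ? l : r);
}

static int tree_insert(tree_t *t, int key) {
    if (t->nnodes >= MAX_NODES) return -1;
    spnode_t n = ++t->nnodes, *slot = &t->root;
    t->nodes[n] = (node_t){ key, 0, 0 };
    while (*slot != 0)             /* unbalanced on purpose: depth grows fast */
        slot = key < t->nodes[*slot].key ? &t->nodes[*slot].left : &t->nodes[*slot].right;
    *slot = n;
    t->max_depth = depth_of(t, t->root);
    return 0;
}

/* Bounds-checked push of the left spine below n: -1 instead of an overflow. */
static int push_left_spine(iterator_t *it, spnode_t n) {
    for (; n != 0; n = it->t->nodes[n].left) {
        if (it->level >= it->max_depth + 1) return -1;   /* would run past stack[] */
        it->stack[it->level++] = n;
    }
    return 0;
}

/* Mirrors the report's reallocation rule: regrow only when the tree got deeper. */
static iterator_t *iterator_init(tree_t *t, iterator_t *it) {
    if (it == NULL || t->max_depth > it->max_depth) {
        iterator_t *grown = realloc(it, sizeof(*it) + sizeof(spnode_t) * (t->max_depth + 1));
        if (grown == NULL) { free(it); return NULL; }
        it = grown;
        it->max_depth = t->max_depth;
    }
    it->t = t;
    it->level = 0;
    push_left_spine(it, t->root);  /* cannot fail: the tree fits the new stack */
    return it;
}

/* Next node in key order; 0 at the end, -1 if the stack would overflow. */
static spnode_t iterator_next(iterator_t *it) {
    if (it->level == 0) return 0;
    spnode_t n = it->stack[--it->level];
    return push_left_spine(it, it->t->nodes[n].right) == 0 ? n : -1;
}

/* Constructed scenario: iterator allocated on a depth-2 tree, which is then
 * deepened to 6 by hanging the left spine 90,80,70,60 under the right child 100. */
static void build_scenario(tree_t *t, iterator_t **it) {
    memset(t, 0, sizeof(*t));
    tree_insert(t, 10); tree_insert(t, 100);
    *it = iterator_init(t, NULL);  /* stack sized for 2 + 1 entries */
    tree_insert(t, 90); tree_insert(t, 80);
    tree_insert(t, 70); tree_insert(t, 60);   /* t->max_depth is now 6 */
}

/* The report's failure mode: the stale iterator keeps walking after the tree
 * deepened; pushing 100,90,80,70,60 needs 5 slots where only 3 exist. */
static int demo_stale_iterator(void) {
    tree_t t; iterator_t *it; int visited = 0;
    build_scenario(&t, &it);
    for (spnode_t n; (n = iterator_next(it)) != 0; visited++)
        if (n < 0) { visited = -1; break; }
    free(it);
    return visited;
}

/* Re-initialising first regrows the stack to 6 + 1 entries: all 6 keys visit. */
static int demo_reinit_iterator(void) {
    tree_t t; iterator_t *it; int visited = 0;
    build_scenario(&t, &it);
    if ((it = iterator_init(&t, it)) == NULL) return -2;
    for (spnode_t n; (n = iterator_next(it)) > 0; visited++) { }
    free(it);
    return visited;
}
```

Calling demo_stale_iterator() from a main returns -1: the reused iterator needs five stack slots for the left spine under 100 but was allocated with three, and the check in push_left_spine catches the write that, without it, would land past the end of the allocation, which is exactly the kind of corruption valgrind flags in the report. demo_reinit_iterator() returns 6 because running iterator_init again applies the realloc rule and regrows the stack. The same check would also catch the report's first hypothesis, a t->max_depth that understates the real depth, since the iterator's capacity comes from that value.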