AddressSanitizer: stack-use-after-scope in ExecutorTopNTestRunner.TopN and ExecutorTopNTestRunner.TopNFunction #5298

Closed
hehechen opened this issue Jul 6, 2022 · 1 comment
Labels
type/enhancement The issue or PR belongs to an enhancement.


hehechen commented Jul 6, 2022

Enhancement

cmake $WORKSPACE/tiflash -DENABLE_TESTS=ON -DCMAKE_BUILD_TYPE=ASan
make gtests_dbms
./dbms/gtests_dbms --gtest_filter=ExecutorTopNTestRunner.TopNFunction
=================================================================
==4239==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7fff7adc0c80 at pc 0x000003b8e5df bp 0x7fff7adbfb70 sp 0x7fff7adbfb68
READ of size 8 at 0x7fff7adc0c80 thread T0
    #0 0x3b8e5de in std::__1::shared_ptr<DB::IAST>::shared_ptr(std::__1::shared_ptr<DB::IAST> const&) /data1/chentongli/tiflash-env/sysroot/bin/../include/c++/v1/__memory/shared_ptr.h:846:18
    #1 0x3b8e5de in void std::__1::allocator<std::__1::shared_ptr<DB::IAST> >::construct<std::__1::shared_ptr<DB::IAST>, std::__1::shared_ptr<DB::IAST> const&>(std::__1::shared_ptr<DB::IAST>*, std::__1::shared_ptr<DB::IAST> const&) /data1/chentongli/tiflash-env/sysroot/bin/../include/c++/v1/__memory/allocator.h:154:28
    #2 0x3b8e5de in void std::__1::allocator_traits<std::__1::allocator<std::__1::shared_ptr<DB::IAST> > >::construct<std::__1::shared_ptr<DB::IAST>, std::__1::shared_ptr<DB::IAST> const&, void>(std::__1::allocator<std::__1::shared_ptr<DB::IAST> >&, std::__1::shared_ptr<DB::IAST>*, std::__1::shared_ptr<DB::IAST> const&) /data1/chentongli/tiflash-env/sysroot/bin/../include/c++/v1/__memory/allocator_traits.h:290:13
    #3 0x3b8e5de in void std::__1::vector<std::__1::shared_ptr<DB::IAST>, std::__1::allocator<std::__1::shared_ptr<DB::IAST> > >::__push_back_slow_path<std::__1::shared_ptr<DB::IAST> const&>(std::__1::shared_ptr<DB::IAST> const&) /data1/chentongli/tiflash-env/sysroot/bin/../include/c++/v1/vector:1648:5
    #4 0x7e6e79b in std::__1::vector<std::__1::shared_ptr<DB::IAST>, std::__1::allocator<std::__1::shared_ptr<DB::IAST> > >::push_back(std::__1::shared_ptr<DB::IAST> const&) /data1/chentongli/tiflash-env/sysroot/bin/../include/c++/v1/vector:1663:9
    #5 0x7e6e79b in DB::tests::DAGRequestBuilder::project(std::initializer_list<std::__1::shared_ptr<DB::IAST> >) /data1/chentongli/tics_new/tics/dbms/src/TestUtils/mockExecutor.cpp:215:28
    #6 0x3c25f07 in DB::tests::ExecutorTopNTestRunner::buildDAGRequest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::initializer_list<std::__1::pair<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool> >, int, std::initializer_list<std::__1::shared_ptr<DB::IAST> >, std::initializer_list<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >) /data1/chentongli/tics_new/tics/dbms/src/Flash/tests/gtest_topn_executor.cpp:60:54
    #7 0x3c15cd9 in DB::tests::ExecutorTopNTestRunner_TopNFunction_Test::TestBody() /data1/chentongli/tics_new/tics/dbms/src/Flash/tests/gtest_topn_executor.cpp:175:23
    #8 0x14167230 in void testing::internal::HandleSehExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) /data1/chentongli/tics_new/tics/contrib/googletest/googletest/src/gtest.cc:2401:10
    #9 0x14167230 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) /data1/chentongli/tics_new/tics/contrib/googletest/googletest/src/gtest.cc:2437:14
    #10 0x14117418 in testing::Test::Run() /data1/chentongli/tics_new/tics/contrib/googletest/googletest/src/gtest.cc:2473:5
    #11 0x1411a527 in testing::TestInfo::Run() /data1/chentongli/tics_new/tics/contrib/googletest/googletest/src/gtest.cc:2655:11
    #12 0x1411ba8f in testing::TestCase::Run() /data1/chentongli/tics_new/tics/contrib/googletest/googletest/src/gtest.cc:2773:28
    #13 0x14136c88 in testing::internal::UnitTestImpl::RunAllTests() /data1/chentongli/tics_new/tics/contrib/googletest/googletest/src/gtest.cc:4673:43
    #14 0x14169260 in bool testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /data1/chentongli/tics_new/tics/contrib/googletest/googletest/src/gtest.cc:2401:10
    #15 0x14169260 in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /data1/chentongli/tics_new/tics/contrib/googletest/googletest/src/gtest.cc:2437:14
    #16 0x141358aa in testing::UnitTest::Run() /data1/chentongli/tics_new/tics/contrib/googletest/googletest/src/gtest.cc:4281:10
    #17 0x7c8a3c5 in RUN_ALL_TESTS() /data1/chentongli/tics_new/tics/contrib/googletest/googletest/include/gtest/gtest.h:2237:46
    #18 0x7c8a3c5 in main /data1/chentongli/tics_new/tics/dbms/src/TestUtils/gtests_dbms_main.cpp:36:16
    #19 0x7f24fbffad99 in __libc_start_main /root/yuzhao/glibc-2.17/csu/libc-start.c:258
    #20 0x3600b28 in _start /root/yuzhao/glibc-2.17/csu/../sysdeps/x86_64/start.S:123

Address 0x7fff7adc0c80 is located in stack of thread T0 at offset 2784 in frame
    #0 0x3c127ff in DB::tests::ExecutorTopNTestRunner_TopNFunction_Test::TestBody() /data1/chentongli/tics_new/tics/dbms/src/Flash/tests/gtest_topn_executor.cpp:149

  This frame has 86 object(s):
    [32, 48) 'ref.tmp.i1164'
    [64, 96) 'ref.tmp.i1151'
    [128, 144) 'ref.tmp.i'
    [160, 176) 'request' (line 151)
    [192, 216) 'expect_cols' (line 152)
    [256, 352) 'ref.tmp' (line 153)
    [384, 400) 'col0_ast' (line 156)
    [416, 432) 'col1_ast' (line 157)
    [448, 464) 'col2_ast' (line 158)
    [480, 496) 'col3_ast' (line 159)
    [512, 536) 'ref.tmp30' (line 164)
    [576, 1152) 'ref.tmp34' (line 164)
    [1280, 1304) 'agg.tmp37'
    [1344, 1368) 'ref.tmp42' (line 164)
    [1408, 1504) 'ref.tmp44' (line 164)
    [1536, 1560) 'agg.tmp54'
    [1600, 1624) 'ref.tmp58' (line 164)
    [1664, 1856) 'ref.tmp60' (line 164)
    [1920, 1944) 'agg.tmp89'
    [1984, 2008) 'ref.tmp93' (line 164)
    [2048, 2240) 'ref.tmp95' (line 164)
    [2304, 2328) 'agg.tmp124'
    [2368, 2392) 'ref.tmp128' (line 164)
    [2432, 2528) 'ref.tmp130' (line 164)
    [2560, 2592) 'ref.tmp236' (line 171)
    [2624, 2640) 'ref.tmp265' (line 172)
    [2656, 2680) 'ref.tmp266' (line 172)
    [2720, 2736) 'ref.tmp269' (line 172)
    [2752, 2768) 'ref.tmp274' (line 172)
    [2784, 2864) 'ref.tmp290' (line 173) <== Memory access at offset 2784 is inside this variable
    [2896, 2912) 'ref.tmp306' (line 175)
    [2928, 2944) 'agg.tmp308'
    [2960, 2976) 'agg.tmp309'
    [2992, 3016) 'ref.tmp318' (line 182)
    [3056, 3632) 'ref.tmp322' (line 182)
    [3760, 3784) 'agg.tmp325'
    [3824, 3848) 'ref.tmp330' (line 182)
    [3888, 3984) 'ref.tmp332' (line 182)
    [4016, 4040) 'agg.tmp342'
    [4080, 4104) 'ref.tmp346' (line 182)
    [4144, 4336) 'ref.tmp348' (line 182)
    [4400, 4424) 'agg.tmp378'
    [4464, 4488) 'ref.tmp382' (line 182)
    [4528, 4720) 'ref.tmp384' (line 182)
    [4784, 4808) 'agg.tmp414'
    [4848, 4872) 'ref.tmp418' (line 182)
    [4912, 5008) 'ref.tmp420' (line 182)
    [5040, 5072) 'ref.tmp533' (line 189)
    [5104, 5120) 'ref.tmp562' (line 190)
    [5136, 5160) 'ref.tmp563' (line 190)
    [5200, 5216) 'ref.tmp566' (line 190)
    [5232, 5248) 'ref.tmp571' (line 190)
    [5264, 5344) 'ref.tmp587' (line 191)
    [5376, 5392) 'ref.tmp603' (line 193)
    [5408, 5424) 'agg.tmp606'
    [5440, 5456) 'agg.tmp607'
    [5472, 5496) 'ref.tmp615' (line 200)
    [5536, 6112) 'ref.tmp619' (line 200)
    [6240, 6264) 'agg.tmp622'
    [6304, 6328) 'ref.tmp627' (line 200)
    [6368, 6464) 'ref.tmp629' (line 200)
    [6496, 6520) 'agg.tmp639'
    [6560, 6584) 'ref.tmp643' (line 200)
    [6624, 6816) 'ref.tmp645' (line 200)
    [6880, 6904) 'agg.tmp675'
    [6944, 6968) 'ref.tmp679' (line 200)
    [7008, 7200) 'ref.tmp681' (line 200)
    [7264, 7288) 'agg.tmp711'
    [7328, 7352) 'ref.tmp715' (line 200)
    [7392, 7488) 'ref.tmp717' (line 200)
    [7520, 7552) 'ref.tmp830' (line 207)
    [7584, 7600) 'ref.tmp859' (line 208)
    [7616, 7640) 'ref.tmp860' (line 208)
    [7680, 7696) 'ref.tmp863' (line 208)
    [7712, 7728) 'ref.tmp868' (line 208)
    [7744, 7824) 'ref.tmp884' (line 209)
    [7856, 7872) 'ref.tmp900' (line 211)
    [7888, 7904) 'agg.tmp903'
    [7920, 7936) 'agg.tmp904'
    [7952, 7976) 'text' (line 218)
    [8016, 8040) 'ref.tmp958' (line 218)
    [8080, 8104) 'text977' (line 218)
    [8144, 8168) 'ref.tmp986' (line 218)
    [8208, 8232) 'ref.tmp990' (line 218)
    [8272, 8280) 'ref.tmp1005' (line 218)
    [8304, 8312) 'ref.tmp1011' (line 218)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope /data1/chentongli/tiflash-env/sysroot/bin/../include/c++/v1/__memory/shared_ptr.h:846:18 in std::__1::shared_ptr<DB::IAST>::shared_ptr(std::__1::shared_ptr<DB::IAST> const&)
Shadow bytes around the buggy address:
  0x10006f5b0140: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2
  0x10006f5b0150: f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 f8 f8 f8 f2
  0x10006f5b0160: f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x10006f5b0170: f2 f2 f2 f2 f8 f8 f8 f8 f2 f2 f2 f2 f8 f8 f2 f2
  0x10006f5b0180: f8 f8 f8 f2 f2 f2 f2 f2 f8 f8 f2 f2 f8 f8 f2 f2
=>0x10006f5b0190:[f8]f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 00 00
  0x10006f5b01a0: f2 f2 00 00 f2 f2 00 00 f2 f2 f8 f8 f8 f2 f2 f2
  0x10006f5b01b0: f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x10006f5b01c0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x10006f5b01d0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x10006f5b01e0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4239==ABORTING
@hehechen hehechen added the type/enhancement The issue or PR belongs to an enhancement. label Jul 6, 2022
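What the report above pins down: frames #0 to #5 are `DAGRequestBuilder::project(std::initializer_list<ASTPtr>)` copying a `shared_ptr<IAST>` out of its argument into a `std::vector`, and the source of that copy is 'ref.tmp290', a temporary created at line 173 of the test whose scope has already ended by the call at line 175. A `std::initializer_list` is a non-owning view of a temporary backing array, so any code path that keeps the view beyond the full-expression that built it reads a dead stack slot exactly like this. The page does not show how the test ended up holding the view, so the following is an added, self-contained reproduction of that bug class and of the fix shape (copy the elements at the call boundary); it is example code written for this page, not TiFlash code, and the names `Ast`, `AstPtr`, `LazyBuilder`, `RequestBuilder`, `buildSafe` and `buildDangling` are assumptions:

```cpp
// Added example, not TiFlash code. Mirrors the report above: a
// std::initializer_list<shared_ptr<...>> whose backing array has gone out of
// scope before its elements are copied into a std::vector. All names here are
// assumptions, not TiFlash identifiers.
//
// Reproduce the report shape with clang (use-after-scope detection is on by
// default with ASan in recent clang):
//   clang++ -std=c++17 -g -fsanitize=address -DDEMO_DANGLE example.cpp && ./a.out
#include <initializer_list>
#include <memory>
#include <string>
#include <vector>

struct Ast { std::string name; };
using AstPtr = std::shared_ptr<Ast>;

// BUGGY: std::initializer_list is a view of a temporary array. Keeping it in
// a member means the array is gone once the full-expression that created it
// ends; build() then reads a dead stack slot (ASan: stack-use-after-scope).
class LazyBuilder {
public:
    LazyBuilder & project(std::initializer_list<AstPtr> exprs) {
        pending_ = exprs;   // stores a view that dangles after the caller's ';'
        return *this;
    }
    std::vector<AstPtr> build() const {
        return std::vector<AstPtr>(pending_.begin(), pending_.end());
    }
private:
    std::initializer_list<AstPtr> pending_;
};

// FIXED: copy the elements while the backing array is still alive, i.e. inside
// the call that received the initializer_list. The vector then owns a
// shared_ptr copy of each AST, independent of the caller's temporaries.
class RequestBuilder {
public:
    RequestBuilder & project(std::initializer_list<AstPtr> exprs) {
        projections_.insert(projections_.end(), exprs.begin(), exprs.end());
        return *this;
    }
    std::vector<AstPtr> build() const { return projections_; }
private:
    std::vector<AstPtr> projections_;
};

// Names of the projected columns, in order.
static std::vector<std::string> projectedNames(const std::vector<AstPtr> & exprs) {
    std::vector<std::string> out;
    for (const auto & e : exprs) out.push_back(e->name);
    return out;
}

// Same call pattern as the test's use of project(): the braced list is a
// temporary at the call site and dies at the end of that statement.
static std::vector<std::string> buildSafe() {
    auto col0 = std::make_shared<Ast>(Ast{"col0"});
    auto col1 = std::make_shared<Ast>(Ast{"col1"});
    RequestBuilder builder;
    builder.project({col0, col1});              // backing array dies here ...
    std::vector<AstPtr> exprs = builder.build();// ... but the copy already happened
    return projectedNames(exprs);
}

// Identical call pattern against the buggy builder. Only compiled in under
// DEMO_DANGLE because it is undefined behaviour; under ASan it aborts with
// stack-use-after-scope in build()'s copy, as in the report above.
#ifdef DEMO_DANGLE
static std::vector<std::string> buildDangling() {
    auto col0 = std::make_shared<Ast>(Ast{"col0"});
    auto col1 = std::make_shared<Ast>(Ast{"col1"});
    LazyBuilder builder;
    builder.project({col0, col1});              // view stored; array dies at ';'
    return projectedNames(builder.build());     // reads the dead array
}
#endif

int main() {
    std::vector<std::string> names = buildSafe();
#ifdef DEMO_DANGLE
    names = buildDangling();
#endif
    return names.size() == 2 ? 0 : 1;
}
```

The check worth carrying back to any builder-style API: a parameter of type `std::initializer_list<T>` may be read during the call and nothing else; store a `std::vector<T>` (or copy into one) if the elements are needed after the call returns. Building the test binary with `-DCMAKE_BUILD_TYPE=ASan` as in the issue is the cheapest way to catch the remaining cases, since the dangling read is silent in a normal build.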
hehechen commented Jul 6, 2022

Same with #5295

@hehechen hehechen closed this as completed Jul 6, 2022