
ASAN errors or assertion failure in mhnsw_read_first upon vector search with join


Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Fixed
    • N/A
    • 11.7.1
    • Vector search
    • None

    Description

      # MTR reproduction script. The SEQUENCE engine supplies the seq_1_to_N
      # tables that the INSERT below reads from.
      --source include/have_sequence.inc
       
      # Pin RAND() so the generated vectors (and so the repro) are identical on every run.
      SET rand_seed1=244605797, rand_seed2=366306094;
      # Part of the trigger conditions; presumably disables join buffering so the
      # vector-index read happens on the plain nested-loop path -- confirm.
      SET join_cache_level=0;
       
      # 12-dimensional vector column with a VECTOR (mhnsw) index on it.
      CREATE TABLE t (v VECTOR(12) NOT NULL, VECTOR(v));
      # 40000 rows (one group per s2.seq); each row's vector is the text
      # '[r1,...,r12]' built from 12 RAND() values rounded to 3 decimals.
      INSERT INTO t SELECT VEC_FromText(concat('[', GROUP_CONCAT(ROUND(RAND(),3)), ']')) FROM seq_1_to_12 s1, seq_1_to_40000 s2 GROUP BY s2.seq;
       
      # The crashing statement: vector-index ORDER BY ... LIMIT on t1 while t1 is
      # outer-joined to itself on an always-false condition (ON (0)). The traces
      # below show the queue insert in search_layer() writing past its buffer
      # under mhnsw_read_first; the debug backtrace shows mhnsw_read_first being
      # reached with limit=20000 rather than the query's LIMIT 5.
      SELECT VEC_ToText(t1.v) FROM t t1 LEFT JOIN t t2 ON (0)
        ORDER BY VEC_DISTANCE_EUCLIDEAN(t1.v, VEC_FROMTEXT('[14.669,24.801,46.343,42.260,39.291,34.258,16.603,54.897,11.140,15.772,11.845,59.976]')) LIMIT 5;
       
      # Cleanup
      DROP TABLE t;
      

      6038e1babcdfd2c7762dc83a3256afefc0985b84 non-debug ASAN

      ==2492631==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63200f6ec0a0 at pc 0x55d07bc2f844 bp 0x7fbf6944d3a0 sp 0x7fbf6944d398
      WRITE of size 8 at 0x63200f6ec0a0 thread T5
          #0 0x55d07bc2f843 in insert_at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/mysys/queues.c:201
          #1 0x55d07ae630ee in Queue<Visited, void>::push(Visited const*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_queue.h:46
          #2 0x55d07ae630ee in search_layer /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/vector_mhnsw.cc:1088
          #3 0x55d07ae68aef in mhnsw_read_first(TABLE*, st_key*, Item*, unsigned long long) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/vector_mhnsw.cc:1296
          #4 0x55d07a12734a in join_read_first /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_select.cc:25154
          #5 0x55d07a0e2052 in sub_select(JOIN*, st_join_table*, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_select.cc:24041
          #6 0x55d07a1aef5a in do_select /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_select.cc:23555
          #7 0x55d07a1aef5a in JOIN::exec_inner() /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_select.cc:5035
          #8 0x55d07a1b06b9 in JOIN::exec() /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_select.cc:4818
          #9 0x55d07a1a85db in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_select.cc:5351
          #10 0x55d07a1aa0e8 in handle_select(THD*, LEX*, select_result*, unsigned long long) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_select.cc:633
          #11 0x55d079f8eae0 in execute_sqlcom_select /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_parse.cc:6164
          #12 0x55d079fc7eed in mysql_execute_command(THD*, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_parse.cc:3953
          #13 0x55d079fcd341 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_parse.cc:7886
          #14 0x55d079fd4724 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_parse.cc:1892
          #15 0x55d079fdc41e in do_command(THD*, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_parse.cc:1405
          #16 0x55d07a4526e5 in do_handle_one_connection(CONNECT*, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_connect.cc:1448
          #17 0x55d07a452fe4 in handle_one_connection /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_connect.cc:1350
          #18 0x55d07b1e9227 in pfs_spawn_thread /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/storage/perfschema/pfs.cc:2198
          #19 0x7fbf744a8043 in start_thread nptl/pthread_create.c:442
          #20 0x7fbf7452861b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
       
      0x63200f6ec0a0 is located 0 bytes to the right of 80032-byte region [0x63200f6d8800,0x63200f6ec0a0)
      allocated by thread T5 here:
          #0 0x7fbf74ab89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
          #1 0x55d07bc28103 in my_malloc /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/mysys/my_malloc.c:93
          #2 0x55d07bc2f8bf in init_queue /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/mysys/queues.c:78
          #3 0x55d07ae627f9 in Queue<Visited, void>::init(unsigned int, bool, int (*)(void*, Visited const*, Visited const*), void*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_queue.h:36
          #4 0x55d07ae627f9 in search_layer /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/vector_mhnsw.cc:1043
          #5 0x55d07ae68aef in mhnsw_read_first(TABLE*, st_key*, Item*, unsigned long long) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/vector_mhnsw.cc:1296
          #6 0x55d07a12734a in join_read_first /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_select.cc:25154
          #7 0x55d07a0e2052 in sub_select(JOIN*, st_join_table*, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_select.cc:24041
          #8 0x55d07a1aef5a in do_select /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_select.cc:23555
          #9 0x55d07a1aef5a in JOIN::exec_inner() /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_select.cc:5035
          #10 0x55d07a1b06b9 in JOIN::exec() /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_select.cc:4818
          #11 0x55d07a1a85db in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_select.cc:5351
          #12 0x55d07a1aa0e8 in handle_select(THD*, LEX*, select_result*, unsigned long long) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_select.cc:633
          #13 0x55d079f8eae0 in execute_sqlcom_select /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_parse.cc:6164
          #14 0x55d079fc7eed in mysql_execute_command(THD*, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_parse.cc:3953
          #15 0x55d079fcd341 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_parse.cc:7886
          #16 0x55d079fd4724 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_parse.cc:1892
          #17 0x55d079fdc41e in do_command(THD*, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_parse.cc:1405
          #18 0x55d07a4526e5 in do_handle_one_connection(CONNECT*, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_connect.cc:1448
          #19 0x55d07a452fe4 in handle_one_connection /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_connect.cc:1350
          #20 0x55d07b1e9227 in pfs_spawn_thread /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/storage/perfschema/pfs.cc:2198
          #21 0x7fbf744a8043 in start_thread nptl/pthread_create.c:442
       
      Thread T5 created by T0 here:
          #0 0x7fbf74a49726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
          #1 0x55d07b1f58e6 in my_thread_create /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/storage/perfschema/my_thread.h:38
          #2 0x55d07b1f58e6 in pfs_spawn_thread_v1 /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/storage/perfschema/pfs.cc:2249
          #3 0x55d079bd9581 in inline_mysql_thread_create /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/include/mysql/psi/mysql_thread.h:1139
          #4 0x55d079bd9581 in create_thread_to_handle_connection(CONNECT*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/mysqld.cc:6271
          #5 0x55d079be6895 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/mysqld.cc:6395
          #6 0x55d079be74e7 in handle_connections_sockets() /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/mysqld.cc:6508
          #7 0x55d079be8fac in mysqld_main(int, char**) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/mysqld.cc:6166
          #8 0x7fbf744461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
       
      SUMMARY: AddressSanitizer: heap-buffer-overflow /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/mysys/queues.c:201 in insert_at
      Shadow bytes around the buggy address:
        0x0c6481ed57c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c6481ed57d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c6481ed57e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c6481ed57f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c6481ed5800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0c6481ed5810: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa
        0x0c6481ed5820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c6481ed5830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c6481ed5840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c6481ed5850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c6481ed5860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==2492631==ABORTING
      

      non-ASAN debug

      mariadbd: /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/mysys/queues.c:218: queue_insert: Assertion `queue->elements < queue->max_elements' failed.
      241031 15:06:56 [ERROR] mysqld got signal 6 ;
       
      #9  0x00007fb9f6a53e32 in __GI___assert_fail (assertion=0x5563b7eabd08 "queue->elements < queue->max_elements", file=0x5563b7eabc90 "/data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/mysys/queues.c", line=218, function=0x5563b7eabd50 <__PRETTY_FUNCTION__.1> "queue_insert") at ./assert/assert.c:101
      #10 0x00005563b77f2221 in queue_insert (queue=0x7fb9f018eb40, element=0x7fb9e12b70c0 "\200\343\355\340\271\177") at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/mysys/queues.c:218
      #11 0x00005563b701e505 in Queue<Visited, void>::push (this=0x7fb9f018eb40, element=0x7fb9e12b70c0) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/sql_queue.h:46
      #12 0x00005563b7018534 in search_layer (ctx=0x7fb9e0089d20, graph=0x7fb9e006ec50, target=0x7fb9e0073238, threshold=-1, result_size=20000, layer=0, inout=0x7fb9f018edb0, construction=false) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/vector_mhnsw.cc:1088
      #13 0x00005563b7019c0e in mhnsw_read_first (table=0x7fb9e0041d28, keyinfo=0x7fb9e01060f0, dist=0x7fb9e001ad88, limit=20000) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/vector_mhnsw.cc:1296
      #14 0x00005563b695a37f in TABLE::hlindex_read_first (this=0x7fb9e0041d28, nr=0, item=0x7fb9e001ad88, limit=18446744073709551615) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/sql_base.cc:10000
      #15 0x00005563b6ab906e in join_read_first (tab=0x7fb9e0071468) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/sql_select.cc:25154
      #16 0x00005563b6ab6155 in sub_select (join=0x7fb9e001aff8, join_tab=0x7fb9e0071468, end_of_records=false) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/sql_select.cc:24041
      #17 0x00005563b6ab5282 in do_select (join=0x7fb9e001aff8, procedure=0x0) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/sql_select.cc:23555
      #18 0x00005563b6a7fee5 in JOIN::exec_inner (this=0x7fb9e001aff8) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/sql_select.cc:5035
      #19 0x00005563b6a7eec5 in JOIN::exec (this=0x7fb9e001aff8) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/sql_select.cc:4818
      #20 0x00005563b6a80980 in mysql_select (thd=0x7fb9e0000dc8, tables=0x7fb9e0018750, fields=..., conds=0x0, og_num=1, order=0x7fb9e001ae50, group=0x0, having=0x0, proc_param=0x0, select_options=2164525824, result=0x7fb9e001afd0, unit=0x7fb9e00052d8, select_lex=0x7fb9e0017fb8) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/sql_select.cc:5351
      #21 0x00005563b6a6e940 in handle_select (thd=0x7fb9e0000dc8, lex=0x7fb9e00051f8, result=0x7fb9e001afd0, setup_tables_done_option=0) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/sql_select.cc:633
      #22 0x00005563b6a10e39 in execute_sqlcom_select (thd=0x7fb9e0000dc8, all_tables=0x7fb9e0018750) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/sql_parse.cc:6164
      #23 0x00005563b6a089ff in mysql_execute_command (thd=0x7fb9e0000dc8, is_called_from_prepared_stmt=false) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/sql_parse.cc:3953
      #24 0x00005563b6a15dfa in mysql_parse (thd=0x7fb9e0000dc8, rawbuf=0x7fb9e0017dc0 "SELECT VEC_ToText(t1.v) FROM t t1 LEFT JOIN t t2 ON (0)\nORDER BY VEC_DISTANCE_EUCLIDEAN(t1.v, VEC_FROMTEXT('[14.669,24.801,46.343,42.260,39.291,34.258,16.603,54.897,11.140,15.772,11.845,59.976]')) LIM"..., length=204, parser_state=0x7fb9f01902e0) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/sql_parse.cc:7886
      #25 0x00005563b6a021c4 in dispatch_command (command=COM_QUERY, thd=0x7fb9e0000dc8, packet=0x7fb9e000be79 "", packet_length=204, blocking=true) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/sql_parse.cc:1892
      #26 0x00005563b6a00b1d in do_command (thd=0x7fb9e0000dc8, blocking=true) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/sql_parse.cc:1405
      #27 0x00005563b6c0c53a in do_handle_one_connection (connect=0x5563baadbed8, put_in_cache=true) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/sql_connect.cc:1448
      #28 0x00005563b6c0c2aa in handle_one_connection (arg=0x5563baabf038) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/sql_connect.cc:1350
      #29 0x00005563b718c8d6 in pfs_spawn_thread (arg=0x5563baab9108) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/storage/perfschema/pfs.cc:2198
      #30 0x00007fb9f6aa8044 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
      #31 0x00007fb9f6b2861c in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
      

      Since I happen to have another test case, I'll add it here too:

      # Second MTR reproduction. The SEQUENCE engine supplies the seq_1_to_N
      # tables that the INSERT below reads from.
      --source include/have_sequence.inc
       
      # Pin RAND() so the generated vectors (and so the repro) are identical on every run.
      SET rand_seed1=700004729, rand_seed2=103353865;
       
      # Integer primary key plus a 10-dimensional vector column with a VECTOR index on it.
      CREATE TABLE t (pk INT PRIMARY KEY, v VECTOR(10) NOT NULL, VECTOR(v));
      # 30000 rows keyed by s2.seq; each row's vector is the text '[r1,...,r10]'
      # built from 10 RAND() values rounded to 3 decimals.
      INSERT INTO t SELECT s2.seq, VEC_FromText(CONCAT('[', GROUP_CONCAT(ROUND(RAND(),3)), ']')) FROM seq_1_to_10 s1, seq_1_to_30000 s2 GROUP BY s2.seq;
       
      # The crashing statement: vector-index ORDER BY ... LIMIT on t1 while t1 is
      # NATURAL JOINed to itself (i.e. on every shared column name, both pk and v).
      # The search target is given as a 40-byte binary literal, i.e. 10 four-byte
      # components matching VECTOR(10). The join shape is part of the trigger and
      # is kept as written.
      SELECT t1.pk FROM t t1 NATURAL JOIN t t2 ORDER BY VEC_DISTANCE_EUCLIDEAN(0x53F164F74379DD2CF1781C5BBD542F9790EAD97AE86145F5AD9727B220D09CB277EA5670E32C821E, t1.v) LIMIT 20;
       
      # Cleanup
      DROP TABLE t;
      

      Same effect.

      The failures were initially observed on data from vector benchmarks, i.e. on "realistic" data.

            People

              serg Sergei Golubchik
              elenst Elena Stepanova