[MDEV-35302] ASAN errors or assertion failure in mhnsw_read_first upon vector search with join - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: N/A
Fix Version/s: 11.7.1
Component/s: Vector search
Labels:
None

Description

--source include/have_sequence.inc

SET rand_seed1=244605797, rand_seed2=366306094;

SET join_cache_level=0;

CREATE TABLE t (v VECTOR(12) NOT NULL, VECTOR(v));

INSERT INTO t SELECT VEC_FromText(concat('[', GROUP_CONCAT(ROUND(RAND(),3)), ']')) FROM seq_1_to_12 s1, seq_1_to_40000 s2 GROUP BY s2.seq;

SELECT VEC_ToText(t1.v) FROM t t1 LEFT JOIN t t2 ON (0)

  ORDER BY VEC_DISTANCE_EUCLIDEAN(t1.v, VEC_FROMTEXT('[14.669,24.801,46.343,42.260,39.291,34.258,16.603,54.897,11.140,15.772,11.845,59.976]')) LIMIT 5;

# Cleanup

DROP TABLE t;

6038e1babcdfd2c7762dc83a3256afefc0985b84 non-debug ASAN
==2492631==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63200f6ec0a0 at pc 0x55d07bc2f844 bp 0x7fbf6944d3a0 sp 0x7fbf6944d398
WRITE of size 8 at 0x63200f6ec0a0 thread T5
#0 0x55d07bc2f843 in insert_at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/mysys/queues.c:201
#1 0x55d07ae630ee in Queue<Visited, void>::push(Visited const*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_queue.h:46
#2 0x55d07ae630ee in search_layer /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/vector_mhnsw.cc:1088
#3 0x55d07ae68aef in mhnsw_read_first(TABLE, st_key, Item*, unsigned long long) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/vector_mhnsw.cc:1296
#4 0x55d07a12734a in join_read_first /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_select.cc:25154
#5 0x55d07a0e2052 in sub_select(JOIN, st_join_table, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_select.cc:24041
#6 0x55d07a1aef5a in do_select /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_select.cc:23555
#7 0x55d07a1aef5a in JOIN::exec_inner() /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_select.cc:5035
#8 0x55d07a1b06b9 in JOIN::exec() /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_select.cc:4818
#9 0x55d07a1a85db in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_select.cc:5351
#10 0x55d07a1aa0e8 in handle_select(THD, LEX, select_result*, unsigned long long) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_select.cc:633
#11 0x55d079f8eae0 in execute_sqlcom_select /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_parse.cc:6164
#12 0x55d079fc7eed in mysql_execute_command(THD*, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_parse.cc:3953
#13 0x55d079fcd341 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_parse.cc:7886
#14 0x55d079fd4724 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_parse.cc:1892
#15 0x55d079fdc41e in do_command(THD*, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_parse.cc:1405
#16 0x55d07a4526e5 in do_handle_one_connection(CONNECT*, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_connect.cc:1448
#17 0x55d07a452fe4 in handle_one_connection /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_connect.cc:1350
#18 0x55d07b1e9227 in pfs_spawn_thread /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/storage/perfschema/pfs.cc:2198
#19 0x7fbf744a8043 in start_thread nptl/pthread_create.c:442
#20 0x7fbf7452861b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x63200f6ec0a0 is located 0 bytes to the right of 80032-byte region [0x63200f6d8800,0x63200f6ec0a0)
allocated by thread T5 here:
#0 0x7fbf74ab89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x55d07bc28103 in my_malloc /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/mysys/my_malloc.c:93
#2 0x55d07bc2f8bf in init_queue /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/mysys/queues.c:78
#3 0x55d07ae627f9 in Queue<Visited, void>::init(unsigned int, bool, int ()(void, Visited const, Visited const), void*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_queue.h:36
#4 0x55d07ae627f9 in search_layer /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/vector_mhnsw.cc:1043
#5 0x55d07ae68aef in mhnsw_read_first(TABLE, st_key, Item*, unsigned long long) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/vector_mhnsw.cc:1296
#6 0x55d07a12734a in join_read_first /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_select.cc:25154
#7 0x55d07a0e2052 in sub_select(JOIN, st_join_table, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_select.cc:24041
#8 0x55d07a1aef5a in do_select /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_select.cc:23555
#9 0x55d07a1aef5a in JOIN::exec_inner() /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_select.cc:5035
#10 0x55d07a1b06b9 in JOIN::exec() /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_select.cc:4818
#11 0x55d07a1a85db in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_select.cc:5351
#12 0x55d07a1aa0e8 in handle_select(THD, LEX, select_result*, unsigned long long) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_select.cc:633
#13 0x55d079f8eae0 in execute_sqlcom_select /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_parse.cc:6164
#14 0x55d079fc7eed in mysql_execute_command(THD*, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_parse.cc:3953
#15 0x55d079fcd341 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_parse.cc:7886
#16 0x55d079fd4724 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_parse.cc:1892
#17 0x55d079fdc41e in do_command(THD*, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_parse.cc:1405
#18 0x55d07a4526e5 in do_handle_one_connection(CONNECT*, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_connect.cc:1448
#19 0x55d07a452fe4 in handle_one_connection /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/sql_connect.cc:1350
#20 0x55d07b1e9227 in pfs_spawn_thread /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/storage/perfschema/pfs.cc:2198
#21 0x7fbf744a8043 in start_thread nptl/pthread_create.c:442

Thread T5 created by T0 here:
#0 0x7fbf74a49726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
#1 0x55d07b1f58e6 in my_thread_create /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/storage/perfschema/my_thread.h:38
#2 0x55d07b1f58e6 in pfs_spawn_thread_v1 /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/storage/perfschema/pfs.cc:2249
#3 0x55d079bd9581 in inline_mysql_thread_create /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/include/mysql/psi/mysql_thread.h:1139
#4 0x55d079bd9581 in create_thread_to_handle_connection(CONNECT*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/mysqld.cc:6271
#5 0x55d079be6895 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/mysqld.cc:6395
#6 0x55d079be74e7 in handle_connections_sockets() /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/mysqld.cc:6508
#7 0x55d079be8fac in mysqld_main(int, char**) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/sql/mysqld.cc:6166
#8 0x7fbf744461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-buffer-overflow /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-rel-asan/mysys/queues.c:201 in insert_at
Shadow bytes around the buggy address:
0x0c6481ed57c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c6481ed57d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c6481ed57e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c6481ed57f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c6481ed5800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c6481ed5810: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa
0x0c6481ed5820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c6481ed5830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c6481ed5840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c6481ed5850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c6481ed5860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2492631==ABORTING

non-ASAN debug
mariadbd: /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/mysys/queues.c:218: queue_insert: Assertion `queue->elements < queue->max_elements' failed.
241031 15:06:56 [ERROR] mysqld got signal 6 ;

#9 0x00007fb9f6a53e32 in __GI___assert_fail (assertion=0x5563b7eabd08 "queue->elements < queue->max_elements", file=0x5563b7eabc90 "/data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/mysys/queues.c", line=218, function=0x5563b7eabd50 <__PRETTY_FUNCTION__.1> "queue_insert") at ./assert/assert.c:101
#10 0x00005563b77f2221 in queue_insert (queue=0x7fb9f018eb40, element=0x7fb9e12b70c0 "\200\343\355\340\271\177") at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/mysys/queues.c:218
#11 0x00005563b701e505 in Queue<Visited, void>::push (this=0x7fb9f018eb40, element=0x7fb9e12b70c0) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/sql_queue.h:46
#12 0x00005563b7018534 in search_layer (ctx=0x7fb9e0089d20, graph=0x7fb9e006ec50, target=0x7fb9e0073238, threshold=-1, result_size=20000, layer=0, inout=0x7fb9f018edb0, construction=false) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/vector_mhnsw.cc:1088
#13 0x00005563b7019c0e in mhnsw_read_first (table=0x7fb9e0041d28, keyinfo=0x7fb9e01060f0, dist=0x7fb9e001ad88, limit=20000) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/vector_mhnsw.cc:1296
#14 0x00005563b695a37f in TABLE::hlindex_read_first (this=0x7fb9e0041d28, nr=0, item=0x7fb9e001ad88, limit=18446744073709551615) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/sql_base.cc:10000
#15 0x00005563b6ab906e in join_read_first (tab=0x7fb9e0071468) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/sql_select.cc:25154
#16 0x00005563b6ab6155 in sub_select (join=0x7fb9e001aff8, join_tab=0x7fb9e0071468, end_of_records=false) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/sql_select.cc:24041
#17 0x00005563b6ab5282 in do_select (join=0x7fb9e001aff8, procedure=0x0) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/sql_select.cc:23555
#18 0x00005563b6a7fee5 in JOIN::exec_inner (this=0x7fb9e001aff8) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/sql_select.cc:5035
#19 0x00005563b6a7eec5 in JOIN::exec (this=0x7fb9e001aff8) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/sql_select.cc:4818
#20 0x00005563b6a80980 in mysql_select (thd=0x7fb9e0000dc8, tables=0x7fb9e0018750, fields=..., conds=0x0, og_num=1, order=0x7fb9e001ae50, group=0x0, having=0x0, proc_param=0x0, select_options=2164525824, result=0x7fb9e001afd0, unit=0x7fb9e00052d8, select_lex=0x7fb9e0017fb8) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/sql_select.cc:5351
#21 0x00005563b6a6e940 in handle_select (thd=0x7fb9e0000dc8, lex=0x7fb9e00051f8, result=0x7fb9e001afd0, setup_tables_done_option=0) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/sql_select.cc:633
#22 0x00005563b6a10e39 in execute_sqlcom_select (thd=0x7fb9e0000dc8, all_tables=0x7fb9e0018750) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/sql_parse.cc:6164
#23 0x00005563b6a089ff in mysql_execute_command (thd=0x7fb9e0000dc8, is_called_from_prepared_stmt=false) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/sql_parse.cc:3953
#24 0x00005563b6a15dfa in mysql_parse (thd=0x7fb9e0000dc8, rawbuf=0x7fb9e0017dc0 "SELECT VEC_ToText(t1.v) FROM t t1 LEFT JOIN t t2 ON (0)\nORDER BY VEC_DISTANCE_EUCLIDEAN(t1.v, VEC_FROMTEXT('[14.669,24.801,46.343,42.260,39.291,34.258,16.603,54.897,11.140,15.772,11.845,59.976]')) LIM"..., length=204, parser_state=0x7fb9f01902e0) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/sql_parse.cc:7886
#25 0x00005563b6a021c4 in dispatch_command (command=COM_QUERY, thd=0x7fb9e0000dc8, packet=0x7fb9e000be79 "", packet_length=204, blocking=true) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/sql_parse.cc:1892
#26 0x00005563b6a00b1d in do_command (thd=0x7fb9e0000dc8, blocking=true) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/sql_parse.cc:1405
#27 0x00005563b6c0c53a in do_handle_one_connection (connect=0x5563baadbed8, put_in_cache=true) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/sql_connect.cc:1448
#28 0x00005563b6c0c2aa in handle_one_connection (arg=0x5563baabf038) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/sql/sql_connect.cc:1350
#29 0x00005563b718c8d6 in pfs_spawn_thread (arg=0x5563baab9108) at /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-debug/storage/perfschema/pfs.cc:2198
#30 0x00007fb9f6aa8044 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#31 0x00007fb9f6b2861c in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Since I happen to have another test case, I'll add it here too:

--source include/have_sequence.inc

SET rand_seed1=700004729, rand_seed2=103353865;

CREATE TABLE t (pk INT PRIMARY KEY, v VECTOR(10) NOT NULL, VECTOR(v));

INSERT INTO t SELECT s2.seq, VEC_FromText(CONCAT('[', GROUP_CONCAT(ROUND(RAND(),3)), ']')) FROM seq_1_to_10 s1, seq_1_to_30000 s2 GROUP BY s2.seq;

SELECT t1.pk FROM t t1 NATURAL JOIN t t2 ORDER BY VEC_DISTANCE_EUCLIDEAN(0x53F164F74379DD2CF1781C5BBD542F9790EAD97AE86145F5AD9727B220D09CB277EA5670E32C821E, t1.v) LIMIT 20;

# Cleanup

DROP TABLE t;

Same effect.

The failures were initially observed on data from vector benchmarks, i.e. "realistic".

Attachments

Issue Links

is caused by

MDEV-34939 vector search in 11.7

Closed

Activity

There are no comments yet on this issue.

People

Assignee:: Sergei Golubchik

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2024-10-31 13:15

Updated:: 2024-11-06 13:53

Resolved:: 2024-11-06 13:53

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server