[MDEV-35745] Assertion failure, ASAN errors, crash in mhnsw_read_first/mhnsw_read_next - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 11.7(EOL)
Fix Version/s: 11.7.2
Component/s: Vector search
Labels:
None

Description

The test consists of one CREATE TABLE, one INSERT, one UPDATE, and one SELECT, but the data set in INSERT is 20K vectors of length 96, so the test file is big.
The scenario in the provided test case is not realistic, as the UPDATE updates all 20K vectors to the same value. I am not sure however that the problem is limited to this artificial case, it's just the first one I got to be reasonably repeatable.
There is no concurrency or randomness in the scenario, but still, sometimes it doesn't end with a crash, so try to run it with --repeat=N if it doesn't fail right away. I'll also provide an rr profile in case it doesn't fail on your machine at all.

11.7 bc32705f46fa93d9700a20c8d439e48e5c352272 debug
mariadbd: /data/bld/11.7-asan/mysys/queues.c:218: queue_insert: Assertion `queue->elements < queue->max_elements' failed.
250106 13:08:19 [ERROR] mysqld got signal 6 ;

#9 0x00007f93d3a53e32 in __GI___assert_fail (assertion=0x55820227f040 "queue->elements < queue->max_elements", file=0x55820227ee80 "/data/bld/11.7-asan/mysys/queues.c", line=218, function=0x55820227f120 <__PRETTY_FUNCTION__.1> "queue_insert") at ./assert/assert.c:101
#10 0x0000558200de1212 in queue_insert (queue=0x7f93c84ed210, element=0x62f00007bef8 "\210\313\237\306\223\177") at /data/bld/11.7-asan/mysys/queues.c:218
#11 0x00005581ffc9f9f3 in Queue<Visited, void>::push (this=0x7f93c84ed210, element=0x62f00007bef8) at /data/bld/11.7-asan/sql/sql_queue.h:44
#12 0x00005581ffc90ea7 in search_layer (ctx=0x61d0002418b8, graph=0x61d00023dcb8, target=0x6290000ea0d8, threshold=-1, result_size=150, layer=0, inout=0x7f93c84ed5b0, construction=false) at /data/bld/11.7-asan/sql/vector_mhnsw.cc:1095
#13 0x00005581ffc941d0 in mhnsw_read_first (table=0x61900009d898, keyinfo=0x61900009e870, dist=0x6290000e8a00, limit=150) at /data/bld/11.7-asan/sql/vector_mhnsw.cc:1303
#14 0x00005581fed0a326 in TABLE::hlindex_read_first (this=0x61900009d898, nr=1, item=0x6290000e8a00, limit=150) at /data/bld/11.7-asan/sql/sql_base.cc:9998
#15 0x00005581ff04e603 in join_read_first (tab=0x6290003530d0) at /data/bld/11.7-asan/sql/sql_select.cc:25207
#16 0x00005581ff045e47 in sub_select (join=0x6290000e8ca0, join_tab=0x6290003530d0, end_of_records=false) at /data/bld/11.7-asan/sql/sql_select.cc:24093
#17 0x00005581ff04388d in do_select (join=0x6290000e8ca0, procedure=0x0) at /data/bld/11.7-asan/sql/sql_select.cc:23607
#18 0x00005581fefbf2fc in JOIN::exec_inner (this=0x6290000e8ca0) at /data/bld/11.7-asan/sql/sql_select.cc:5037
#19 0x00005581fefbc666 in JOIN::exec (this=0x6290000e8ca0) at /data/bld/11.7-asan/sql/sql_select.cc:4820
#20 0x00005581fefc0db5 in mysql_select (thd=0x62c0000c0218, tables=0x6290000e7278, fields=..., conds=0x0, og_num=1, order=0x6290000e8ad8, group=0x0, having=0x0, proc_param=0x0, select_options=2164525824, result=0x6290000e8c70, unit=0x62c0000c4740, select_lex=0x6290000e6948) at /data/bld/11.7-asan/sql/sql_select.cc:5353
#21 0x00005581fef8f119 in handle_select (thd=0x62c0000c0218, lex=0x62c0000c4660, result=0x6290000e8c70, setup_tables_done_option=0) at /data/bld/11.7-asan/sql/sql_select.cc:633
#22 0x00005581feeb1370 in execute_sqlcom_select (thd=0x62c0000c0218, all_tables=0x6290000e7278) at /data/bld/11.7-asan/sql/sql_parse.cc:6177
#23 0x00005581feea0f64 in mysql_execute_command (thd=0x62c0000c0218, is_called_from_prepared_stmt=false) at /data/bld/11.7-asan/sql/sql_parse.cc:3966
#24 0x00005581feebbe02 in mysql_parse (thd=0x62c0000c0218, rawbuf=0x6290000e6238 "SELECT pk, VEC_TOTEXT(v) FROM t ORDER BY VEC_DISTANCE_EUCLIDEAN(v, 0x28A0EB912B78153BA4F6C4C5FF1CD11EA165BB6BF5F15A998F5A2EEE8B830E29AB156A9E0D223A1C6423EEE9EB2A6EC126C1081C620AC6A6416F16A50001E008326"..., length=848, parser_state=0x7f93c84efa30) at /data/bld/11.7-asan/sql/sql_parse.cc:7901
#25 0x00005581fee92d7d in dispatch_command (command=COM_QUERY, thd=0x62c0000c0218, packet=0x7f93c7640819 "", packet_length=848, blocking=true) at /data/bld/11.7-asan/sql/sql_parse.cc:1903
#26 0x00005581fee8fa85 in do_command (thd=0x62c0000c0218, blocking=true) at /data/bld/11.7-asan/sql/sql_parse.cc:1416
#27 0x00005581ff3866cb in do_handle_one_connection (connect=0x608000003638, put_in_cache=true) at /data/bld/11.7-asan/sql/sql_connect.cc:1415
#28 0x00005581ff38622a in handle_one_connection (arg=0x6080000035b8) at /data/bld/11.7-asan/sql/sql_connect.cc:1327
#29 0x00005582000446bc in pfs_spawn_thread (arg=0x617000005b98) at /data/bld/11.7-asan/storage/perfschema/pfs.cc:2198
#30 0x00007f93d3aa8044 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#31 0x00007f93d3b2861c in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

11.7 bc32705f46fa93d9700a20c8d439e48e5c352272 non-debug ASAN
==1659722==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6320131e40a0 at pc 0x55ec9f4d61b4 bp 0x7fd652679360 sp 0x7fd652679358
WRITE of size 8 at 0x6320131e40a0 thread T5
#0 0x55ec9f4d61b3 in insert_at /data/bld/11.7-rel-asan/mysys/queues.c:201
#1 0x55ec9e7079ae in Queue<Visited, void>::push(Visited const*) /data/bld/11.7-rel-asan/sql/sql_queue.h:44
#2 0x55ec9e7079ae in search_layer /data/bld/11.7-rel-asan/sql/vector_mhnsw.cc:1095
#3 0x55ec9e70d38f in mhnsw_read_first(TABLE, st_key, Item*, unsigned long long) /data/bld/11.7-rel-asan/sql/vector_mhnsw.cc:1303
#4 0x55ec9d9c7a42 in join_read_first /data/bld/11.7-rel-asan/sql/sql_select.cc:25207
#5 0x55ec9d982932 in sub_select(JOIN, st_join_table, bool) /data/bld/11.7-rel-asan/sql/sql_select.cc:24093
#6 0x55ec9da4f3b9 in do_select /data/bld/11.7-rel-asan/sql/sql_select.cc:23607
#7 0x55ec9da4f3b9 in JOIN::exec_inner() /data/bld/11.7-rel-asan/sql/sql_select.cc:5037
#8 0x55ec9da50b19 in JOIN::exec() /data/bld/11.7-rel-asan/sql/sql_select.cc:4820
#9 0x55ec9da4896d in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/bld/11.7-rel-asan/sql/sql_select.cc:5353
#10 0x55ec9da4a548 in handle_select(THD, LEX, select_result*, unsigned long long) /data/bld/11.7-rel-asan/sql/sql_select.cc:633
#11 0x55ec9d82f580 in execute_sqlcom_select /data/bld/11.7-rel-asan/sql/sql_parse.cc:6177
#12 0x55ec9d868b7d in mysql_execute_command(THD*, bool) /data/bld/11.7-rel-asan/sql/sql_parse.cc:3966
#13 0x55ec9d86dfd1 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/bld/11.7-rel-asan/sql/sql_parse.cc:7901
#14 0x55ec9d875164 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/bld/11.7-rel-asan/sql/sql_parse.cc:1903
#15 0x55ec9d87ce5e in do_command(THD*, bool) /data/bld/11.7-rel-asan/sql/sql_parse.cc:1416
#16 0x55ec9dcf260c in do_handle_one_connection(CONNECT*, bool) /data/bld/11.7-rel-asan/sql/sql_connect.cc:1415
#17 0x55ec9dcf2e04 in handle_one_connection /data/bld/11.7-rel-asan/sql/sql_connect.cc:1327
#18 0x55ec9ea8b8e7 in pfs_spawn_thread /data/bld/11.7-rel-asan/storage/perfschema/pfs.cc:2198
#19 0x7fd65d6a8043 in start_thread nptl/pthread_create.c:442
#20 0x7fd65d72861b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x6320131e40a0 is located 0 bytes to the right of 80032-byte region [0x6320131d0800,0x6320131e40a0)
allocated by thread T5 here:
#0 0x7fd65dcb89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x55ec9f4cea73 in my_malloc /data/bld/11.7-rel-asan/mysys/my_malloc.c:93
#2 0x55ec9f4d622f in init_queue /data/bld/11.7-rel-asan/mysys/queues.c:78
#3 0x55ec9e7070b9 in Queue<Visited, void>::init(unsigned int, bool, int ()(void, void const, void const), void*) /data/bld/11.7-rel-asan/sql/sql_queue.h:34
#4 0x55ec9e7070b9 in search_layer /data/bld/11.7-rel-asan/sql/vector_mhnsw.cc:1050
#5 0x55ec9e70d38f in mhnsw_read_first(TABLE, st_key, Item*, unsigned long long) /data/bld/11.7-rel-asan/sql/vector_mhnsw.cc:1303
#6 0x55ec9d9c7a42 in join_read_first /data/bld/11.7-rel-asan/sql/sql_select.cc:25207
#7 0x55ec9d982932 in sub_select(JOIN, st_join_table, bool) /data/bld/11.7-rel-asan/sql/sql_select.cc:24093
#8 0x55ec9da4f3b9 in do_select /data/bld/11.7-rel-asan/sql/sql_select.cc:23607
#9 0x55ec9da4f3b9 in JOIN::exec_inner() /data/bld/11.7-rel-asan/sql/sql_select.cc:5037
#10 0x55ec9da50b19 in JOIN::exec() /data/bld/11.7-rel-asan/sql/sql_select.cc:4820
#11 0x55ec9da4896d in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/bld/11.7-rel-asan/sql/sql_select.cc:5353
#12 0x55ec9da4a548 in handle_select(THD, LEX, select_result*, unsigned long long) /data/bld/11.7-rel-asan/sql/sql_select.cc:633
#13 0x55ec9d82f580 in execute_sqlcom_select /data/bld/11.7-rel-asan/sql/sql_parse.cc:6177
#14 0x55ec9d868b7d in mysql_execute_command(THD*, bool) /data/bld/11.7-rel-asan/sql/sql_parse.cc:3966
#15 0x55ec9d86dfd1 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/bld/11.7-rel-asan/sql/sql_parse.cc:7901
#16 0x55ec9d875164 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/bld/11.7-rel-asan/sql/sql_parse.cc:1903
#17 0x55ec9d87ce5e in do_command(THD*, bool) /data/bld/11.7-rel-asan/sql/sql_parse.cc:1416
#18 0x55ec9dcf260c in do_handle_one_connection(CONNECT*, bool) /data/bld/11.7-rel-asan/sql/sql_connect.cc:1415
#19 0x55ec9dcf2e04 in handle_one_connection /data/bld/11.7-rel-asan/sql/sql_connect.cc:1327
#20 0x55ec9ea8b8e7 in pfs_spawn_thread /data/bld/11.7-rel-asan/storage/perfschema/pfs.cc:2198
#21 0x7fd65d6a8043 in start_thread nptl/pthread_create.c:442

Thread T5 created by T0 here:
#0 0x7fd65dc49726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
#1 0x55ec9ea97fa6 in my_thread_create /data/bld/11.7-rel-asan/storage/perfschema/my_thread.h:38
#2 0x55ec9ea97fa6 in pfs_spawn_thread_v1 /data/bld/11.7-rel-asan/storage/perfschema/pfs.cc:2249
#3 0x55ec9d47b251 in inline_mysql_thread_create /data/bld/11.7-rel-asan/include/mysql/psi/mysql_thread.h:1139
#4 0x55ec9d47b251 in create_thread_to_handle_connection(CONNECT*) /data/bld/11.7-rel-asan/sql/mysqld.cc:6266
#5 0x55ec9d4885b5 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/11.7-rel-asan/sql/mysqld.cc:6390
#6 0x55ec9d489207 in handle_connections_sockets() /data/bld/11.7-rel-asan/sql/mysqld.cc:6502
#7 0x55ec9d48ad05 in run_main_loop /data/bld/11.7-rel-asan/sql/mysqld.cc:5744
#8 0x55ec9d48ad05 in mysqld_main(int, char**) /data/bld/11.7-rel-asan/sql/mysqld.cc:6167
#9 0x7fd65d6461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-buffer-overflow /data/bld/11.7-rel-asan/mysys/queues.c:201 in insert_at
Shadow bytes around the buggy address:
0x0c64826347c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c64826347d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c64826347e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c64826347f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c6482634800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c6482634810: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa
0x0c6482634820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c6482634830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c6482634840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c6482634850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c6482634860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1659722==ABORTING

The test also sets mhnsw_max_cache_size to 4G. Without this setting (that is, with the default mhnsw_max_cache_size value) it doesn't crash right away, but after several repetitions it ends up with corruption errors, e.g.

11.7 bc32705f46fa93d9700a20c8d439e48e5c352272 non-debug
double free or corruption (!prev)
250106 13:01:32 [ERROR] mysqld got signal 6 ;

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

mdev35745.test.gz
8.00 MB
2025-01-06 11:43

Activity

There are no comments yet on this issue.

MariaDB Server

Assertion failure, ASAN errors, crash in mhnsw_read_first/mhnsw_read_next

Details

Description

Attachments

Attachments

Activity

People

Dates

Git Integration