[PR] [fix](coalesce) fix 'heap-use-after-free' of function coalesce [doris]

via GitHub Mon, 28 Oct 2024 19:18:29 -0700


jacktengg opened a new pull request, #42666:
URL: https://github.com/apache/doris/pull/42666


   ## Proposed changes
   
   Should not modify state of vexpr when executing the expr, since it may be 
executed in parallel.
   
   Issue introduced by  #42136
   
   ```
    ==75397==ERROR: AddressSanitizer: heap-use-after-free on address 
0x60700294b060 at pc 0x56507fb8a370 bp 0x7fc861cd7050 sp 0x7fc861cd7048
   19:58:49   READ of size 8 at 0x60700294b060 thread T1463 (Pipe_normal [wo)
   19:58:49       #0 0x56507fb8a36f in 
doris::vectorized::FunctionCoalesce::execute_impl(doris::FunctionContext*, 
doris::vectorized::Block&, std::vector<unsigned long, std::allocator<unsigned 
long> > const&, unsigned long, unsigned long) const 
/root/doris/be/src/vec/functions/function_coalesce.cpp:163:13
   19:58:49       #1 0x56507958edfe in 
doris::vectorized::DefaultExecutable::execute_impl(doris::FunctionContext*, 
doris::vectorized::Block&, std::vector<unsigned long, std::allocator<unsigned 
long> > const&, unsigned long, unsigned long) const 
/root/doris/be/src/vec/functions/function.h:463:26
   19:58:49       #2 0x56507dbcbf5c in 
doris::vectorized::PreparedFunctionImpl::_execute_skipped_constant_deal(doris::FunctionContext*,
 doris::vectorized::Block&, std::vector<unsigned long, std::allocator<unsigned 
long> > const&, unsigned long, unsigned long, bool) const 
/root/doris/be/src/vec/functions/function.cpp
   19:58:49       #3 0x56507dbc65e3 in 
doris::vectorized::PreparedFunctionImpl::execute_without_low_cardinality_columns(doris::FunctionContext*,
 doris::vectorized::Block&, std::vector<unsigned long, std::allocator<unsigned 
long> > const&, unsigned long, unsigned long, bool) const 
/root/doris/be/src/vec/functions/function.cpp:245:12
   19:58:49       #4 0x56507dbc683b in 
doris::vectorized::PreparedFunctionImpl::execute(doris::FunctionContext*, 
doris::vectorized::Block&, std::vector<unsigned long, std::allocator<unsigned 
long> > const&, unsigned long, unsigned long, bool) const 
/root/doris/be/src/vec/functions/function.cpp:251:12
   19:58:49       #5 0x56507958c81c in 
doris::vectorized::IFunctionBase::execute(doris::FunctionContext*, 
doris::vectorized::Block&, std::vector<unsigned long, std::allocator<unsigned 
long> > const&, unsigned long, unsigned long, bool) const 
/root/doris/be/src/vec/functions/function.h:194:19
   19:58:49       #6 0x565079578bee in 
doris::vectorized::VectorizedFnCall::_do_execute(doris::vectorized::VExprContext*,
 doris::vectorized::Block*, int*, std::vector<unsigned long, 
std::allocator<unsigned long> >&) 
/root/doris/be/src/vec/exprs/vectorized_fn_call.cpp:188:5
   19:58:49       #7 0x56507957a3e4 in 
doris::vectorized::VectorizedFnCall::execute(doris::vectorized::VExprContext*, 
doris::vectorized::Block*, int*) 
/root/doris/be/src/vec/exprs/vectorized_fn_call.cpp:203:12
   19:58:49       #8 0x56507964994a in 
doris::vectorized::VExprContext::execute(doris::vectorized::Block*, int*) 
/root/doris/be/src/vec/exprs/vexpr_context.cpp:55:5
   19:58:49       #9 0x56508f8d7496 in 
doris::pipeline::OperatorXBase::do_projections(doris::RuntimeState*, 
doris::vectorized::Block*, doris::vectorized::Block*) const 
/root/doris/be/src/pipeline/exec/operator.cpp:294:13
   19:58:49       #10 0x56508f8d96ba in 
doris::pipeline::OperatorXBase::get_block_after_projects(doris::RuntimeState*, 
doris::vectorized::Block*, bool*) 
/root/doris/be/src/pipeline/exec/operator.cpp:335:18
   19:58:49       #11 0x565093c2560b in 
doris::pipeline::PipelineTask::execute(bool*) 
/root/doris/be/src/pipeline/pipeline_task.cpp:374:13
   19:58:49       #12 0x565093c6a164 in 
doris::pipeline::TaskScheduler::_do_work(int) 
/root/doris/be/src/pipeline/task_scheduler.cpp:138:9
   19:58:49       #13 0x565062529d1d in doris::ThreadPool::dispatch_thread() 
/root/doris/be/src/util/threadpool.cpp:543:24
   19:58:49       #14 0x5650625021ce in std::function<void ()>::operator()() 
const 
/var/local/ldb-toolchain/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/std_function.h:560:9
   19:58:49       #15 0x5650625021ce in doris::Thread::supervise_thread(void*) 
/root/doris/be/src/util/thread.cpp:498:5
   19:58:49       #16 0x7fca1844a608 in start_thread 
/build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
   19:58:49       #17 0x7fca186f7132 in __clone 
/build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
   19:58:49   
   19:58:49   0x60700294b060 is located 16 bytes inside of 80-byte region 
[0x60700294b050,0x60700294b0a0)
   19:58:49   freed by thread T1462 (Pipe_normal [wo) here:
   19:58:49       #0 0x56505dd2f80d in operator delete(void*) 
(/mnt/ssd01/pipline/OpenSourceDoris/clusterEnv/P0/Cluster0/be/lib/doris_be+0x2f79e80d)
 (BuildId: 60cc2a41212f4e75)
   19:58:49       #1 0x565079596a6f in 
std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() 
/var/local/ldb-toolchain/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/shared_ptr_base.h:702:11
   19:58:49       #2 0x565079596a6f in 
std::__shared_ptr<doris::vectorized::IFunctionBase, 
(__gnu_cxx::_Lock_policy)2>::~__shared_ptr() 
/var/local/ldb-toolchain/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/shared_ptr_base.h:1149:31
   19:58:49       #3 0x565079596a6f in 
std::__shared_ptr<doris::vectorized::IFunctionBase, 
(__gnu_cxx::_Lock_policy)2>::operator=(std::__shared_ptr<doris::vectorized::IFunctionBase,
 (__gnu_cxx::_Lock_policy)2>&&) 
/var/local/ldb-toolchain/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/shared_ptr_base.h:1245:2
   19:58:49       #4 0x56507fb89acd in 
std::shared_ptr<doris::vectorized::IFunctionBase>::operator=(std::shared_ptr<doris::vectorized::IFunctionBase>&&)
 
/var/local/ldb-toolchain/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/shared_ptr.h:385:27
   19:58:49       #5 0x56507fb89acd in 
doris::vectorized::FunctionCoalesce::execute_impl(doris::FunctionContext*, 
doris::vectorized::Block&, std::vector<unsigned long, std::allocator<unsigned 
long> > const&, unsigned long, unsigned long) const 
/root/doris/be/src/vec/functions/function_coalesce.cpp:89:30
   19:58:49       #6 0x56507958edfe in 
doris::vectorized::DefaultExecutable::execute_impl(doris::FunctionContext*, 
doris::vectorized::Block&, std::vector<unsigned long, std::allocator<unsigned 
long> > const&, unsigned long, unsigned long) const 
/root/doris/be/src/vec/functions/function.h:463:26
   19:58:49       #7 0x56507dbcbf5c in 
doris::vectorized::PreparedFunctionImpl::_execute_skipped_constant_deal(doris::FunctionContext*,
 doris::vectorized::Block&, std::vector<unsigned long, std::allocator<unsigned 
long> > const&, unsigned long, unsigned long, bool) const 
/root/doris/be/src/vec/functions/function.cpp
   19:58:49       #8 0x56507dbc65e3 in 
doris::vectorized::PreparedFunctionImpl::execute_without_low_cardinality_columns(doris::FunctionContext*,
 doris::vectorized::Block&, std::vector<unsigned long, std::allocator<unsigned 
long> > const&, unsigned long, unsigned long, bool) const 
/root/doris/be/src/vec/functions/function.cpp:245:12
   19:58:49       #9 0x56507dbc683b in 
doris::vectorized::PreparedFunctionImpl::execute(doris::FunctionContext*, 
doris::vectorized::Block&, std::vector<unsigned long, std::allocator<unsigned 
long> > const&, unsigned long, unsigned long, bool) const 
/root/doris/be/src/vec/functions/function.cpp:251:12
   19:58:49       #10 0x56507958c81c in 
doris::vectorized::IFunctionBase::execute(doris::FunctionContext*, 
doris::vectorized::Block&, std::vector<unsigned long, std::allocator<unsigned 
long> > const&, unsigned long, unsigned long, bool) const 
/root/doris/be/src/vec/functions/function.h:194:19
   19:58:49       #11 0x565079578bee in 
doris::vectorized::VectorizedFnCall::_do_execute(doris::vectorized::VExprContext*,
 doris::vectorized::Block*, int*, std::vector<unsigned long, 
std::allocator<unsigned long> >&) 
/root/doris/be/src/vec/exprs/vectorized_fn_call.cpp:188:5
   19:58:49       #12 0x56507957a3e4 in 
doris::vectorized::VectorizedFnCall::execute(doris::vectorized::VExprContext*, 
doris::vectorized::Block*, int*) 
/root/doris/be/src/vec/exprs/vectorized_fn_call.cpp:203:12
   19:58:49       #13 0x56507964994a in 
doris::vectorized::VExprContext::execute(doris::vectorized::Block*, int*) 
/root/doris/be/src/vec/exprs/vexpr_context.cpp:55:5
   19:58:49       #14 0x56508f8d7496 in 
doris::pipeline::OperatorXBase::do_projections(doris::RuntimeState*, 
doris::vectorized::Block*, doris::vectorized::Block*) const 
/root/doris/be/src/pipeline/exec/operator.cpp:294:13
   19:58:49       #15 0x56508f8d96ba in 
doris::pipeline::OperatorXBase::get_block_after_projects(doris::RuntimeState*, 
doris::vectorized::Block*, bool*) 
/root/doris/be/src/pipeline/exec/operator.cpp:335:18
   19:58:49       #16 0x565093c2560b in 
doris::pipeline::PipelineTask::execute(bool*) 
/root/doris/be/src/pipeline/pipeline_task.cpp:374:13
   ```
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@doris.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@doris.apache.org
For additional commands, e-mail: commits-h...@doris.apache.org

[PR] [fix](coalesce) fix 'heap-use-after-free' of function coalesce [doris]

Reply via email to