search

MaterializeInc / materialize

The Cloud Operational Data Store: use SQL to transform, deliver, and act on fast-changing data.
https://materialize.com
Other
5.72k stars 466 forks source link

stack-use-after-return in mz_sql::plan::lowering::_$LT$impl$u20$mz_sql..plan..expr..HirRelationExpr$GT$::applied_to::_$u7b$$u7b$closure$u7d$$u7d$::h6b09e70233dbf228 #17804

Open def- opened 1 year ago

def- commented 1 year ago

What version of Materialize are you using?

5aabd6e8c4cdf81f945d3920a8aced814710d48c

How did you install Materialize?

Built from source

What is the issue?

Using https://github.com/MaterializeInc/materialize/pull/17670

$ git checkout e72790dbc24bfc530e27f2d4027dcc6393272ee1
$ export RUSTFLAGS="-Zsanitizer=address -C debug-assertions=false"
$ RUST_BACKTRACE=1 bin/sqllogictest -- test/sqllogictest/cast.slt

I'm mostly interested if this kind of report is valuable, contains enough information and is worth pursuing further. I'm lacking experience with how Rust interacts with ASan.

Relevant log output

=================================================================
==756769==ERROR: AddressSanitizer: stack-use-after-return on address 0x7fab4e48c6f0 at pc 0x56395900c78a bp 0x7fab4e486c50 sp 0x7fab4e486420
WRITE of size 616 at 0x7fab4e48c6f0 thread T52
    #0 0x56395900c789 in __asan_memcpy /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
    #1 0x56396218798b in mz_compute_client::plan::Plan$LT$T$GT$::from_mir_stack_safe::h09858caf776e75ba /home/deen/git/materialize/src/compute-client/src/plan/mod.rs:1443:21
    #2 0x56396217b432 in mz_compute_client::plan::Plan$LT$T$GT$::from_mir_inner::_$u7b$$u7b$closure$u7d$$u7d$::hd37a035c9114b36e /home/deen/git/materialize/src/compute-client/src/plan/mod.rs:952:38
    #3 0x56396217b11d in stacker::maybe_grow::hb2cba546551e299b /home/deen/.cargo/registry/src/github.com-1ecc6299db9ec823/stacker-0.1.15/src/lib.rs:55:9
    #4 0x56396217b11d in mz_ore::stack::maybe_grow::hdadc962b0b66607a /home/deen/git/materialize/src/ore/src/stack.rs:100:5
    #5 0x56396217b11d in mz_compute_client::plan::Plan$LT$T$GT$::from_mir_inner::h9973d5a140019d69 /home/deen/git/materialize/src/compute-client/src/plan/mod.rs:952:9
    #6 0x56396218ebef in mz_compute_client::plan::Plan$LT$T$GT$::from_mir_stack_safe::h09858caf776e75ba /home/deen/git/materialize/src/compute-client/src/plan/mod.rs:1170:40
    #7 0x56396217b432 in mz_compute_client::plan::Plan$LT$T$GT$::from_mir_inner::_$u7b$$u7b$closure$u7d$$u7d$::hd37a035c9114b36e /home/deen/git/materialize/src/compute-client/src/plan/mod.rs:952:38
    #8 0x56396217b11d in stacker::maybe_grow::hb2cba546551e299b /home/deen/.cargo/registry/src/github.com-1ecc6299db9ec823/stacker-0.1.15/src/lib.rs:55:9
    #9 0x56396217b11d in mz_ore::stack::maybe_grow::hdadc962b0b66607a /home/deen/git/materialize/src/ore/src/stack.rs:100:5
    #10 0x56396217b11d in mz_compute_client::plan::Plan$LT$T$GT$::from_mir_inner::h9973d5a140019d69 /home/deen/git/materialize/src/compute-client/src/plan/mod.rs:952:9
    #11 0x56396218717c in mz_compute_client::plan::Plan$LT$T$GT$::from_mir_stack_safe::h09858caf776e75ba /home/deen/git/materialize/src/compute-client/src/plan/mod.rs:1059:39
    #12 0x56396217b432 in mz_compute_client::plan::Plan$LT$T$GT$::from_mir_inner::_$u7b$$u7b$closure$u7d$$u7d$::hd37a035c9114b36e /home/deen/git/materialize/src/compute-client/src/plan/mod.rs:952:38
    #13 0x56396217b11d in stacker::maybe_grow::hb2cba546551e299b /home/deen/.cargo/registry/src/github.com-1ecc6299db9ec823/stacker-0.1.15/src/lib.rs:55:9
    #14 0x56396217b11d in mz_ore::stack::maybe_grow::hdadc962b0b66607a /home/deen/git/materialize/src/ore/src/stack.rs:100:5
    #15 0x56396217b11d in mz_compute_client::plan::Plan$LT$T$GT$::from_mir_inner::h9973d5a140019d69 /home/deen/git/materialize/src/compute-client/src/plan/mod.rs:952:9
    #16 0x5639621a1197 in mz_compute_client::plan::Plan$LT$T$GT$::from_mir::hbead809c19562895 /home/deen/git/materialize/src/compute-client/src/plan/mod.rs:935:9
    #17 0x56396217ebbf in mz_compute_client::plan::Plan$LT$T$GT$::finalize_dataflow::h3b672f40f7e0b75c /home/deen/git/materialize/src/compute-client/src/plan/mod.rs:1607:32
    #18 0x563961b5671f in mz_adapter::coord::dataflows::_$LT$impl$u20$mz_adapter..coord..Coordinator$GT$::finalize_dataflow::h3f138c11f80b1677 /home/deen/git/materialize/src/adapter/src/coord/dataflows.rs:265:9
    #19 0x56396230f45a in mz_adapter::coord::peek::_$LT$impl$u20$mz_adapter..coord..Coordinator$GT$::create_peek_plan::_$u7b$$u7b$closure$u7d$$u7d$::h33d8bfec6c014cb4 /home/deen/git/materialize/src/adapter/src/coord/peek.rs:271:32
    #20 0x5639619892e3 in core::option::Option$LT$T$GT$::map_or_else::h7513665e97e3967e /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/option.rs:1066:21
    #21 0x563961b3b0b7 in mz_adapter::coord::peek::_$LT$impl$u20$mz_adapter..coord..Coordinator$GT$::create_peek_plan::h36a7e9df04dfa792 /home/deen/git/materialize/src/adapter/src/coord/peek.rs:268:25
    #22 0x563961b8f507 in mz_adapter::coord::sequencer::_$LT$impl$u20$mz_adapter..coord..Coordinator$GT$::plan_peek::hdcbe99d2235bd9f8 /home/deen/git/materialize/src/adapter/src/coord/sequencer.rs:2547:25
    #23 0x56395b2d937b in mz_adapter::coord::sequencer::_$LT$impl$u20$mz_adapter..coord..Coordinator$GT$::sequence_peek_finish::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::hde3b845c36dee82f /home/deen/git/materialize/src/adapter/src/coord/sequencer.rs:2339:29
    #24 0x56395b2d6f07 in mz_adapter::coord::sequencer::_$LT$impl$u20$mz_adapter..coord..Coordinator$GT$::sequence_peek_finish::_$u7b$$u7b$closure$u7d$$u7d$::h8c1fe8a70a380d4c /home/deen/git/materialize/src/adapter/src/coord/sequencer.rs:2321:5
    #25 0x56395b2b39cb in mz_adapter::coord::sequencer::_$LT$impl$u20$mz_adapter..coord..Coordinator$GT$::sequence_peek_begin::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h2770980ac2b0b72a /home/deen/git/materialize/src/adapter/src/coord/sequencer.rs:2225:21
    #26 0x56395b2ae04e in mz_adapter::coord::sequencer::_$LT$impl$u20$mz_adapter..coord..Coordinator$GT$::sequence_peek_begin::_$u7b$$u7b$closure$u7d$$u7d$::h075f4cb47baa182d /home/deen/git/materialize/src/adapter/src/coord/sequencer.rs:2148:5
    #27 0x56395b2649ff in mz_adapter::coord::sequencer::_$LT$impl$u20$mz_adapter..coord..Coordinator$GT$::sequence_plan::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::hee4d31e2d047251d /home/deen/git/materialize/src/adapter/src/coord/sequencer.rs:289:60
    #28 0x56395b23d8dd in mz_adapter::coord::sequencer::_$LT$impl$u20$mz_adapter..coord..Coordinator$GT$::sequence_plan::_$u7b$$u7b$closure$u7d$$u7d$::h7ee6b92daf2bd27c /home/deen/git/materialize/src/adapter/src/coord/sequencer.rs:116:5
    #29 0x56395a8120a4 in mz_adapter::coord::command_handler::_$LT$impl$u20$mz_adapter..coord..Coordinator$GT$::handle_execute_inner::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::hbe40de797ef959d1 /home/deen/git/materialize/src/adapter/src/coord/command_handler.rs:469:78
    #30 0x56395a80ce00 in mz_adapter::coord::command_handler::_$LT$impl$u20$mz_adapter..coord..Coordinator$GT$::handle_execute_inner::_$u7b$$u7b$closure$u7d$$u7d$::h3fb5df0758dc8beb /home/deen/git/materialize/src/adapter/src/coord/command_handler.rs:273:5
    #31 0x56395a7ff8f8 in mz_adapter::coord::command_handler::_$LT$impl$u20$mz_adapter..coord..Coordinator$GT$::handle_execute::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h3ab56b2789c59bb1 /home/deen/git/materialize/src/adapter/src/coord/command_handler.rs:270:61
    #32 0x56395a7fbbb2 in mz_adapter::coord::command_handler::_$LT$impl$u20$mz_adapter..coord..Coordinator$GT$::handle_execute::_$u7b$$u7b$closure$u7d$$u7d$::h5e06772eef54e7e0 /home/deen/git/materialize/src/adapter/src/coord/command_handler.rs:229:5
    #33 0x56395c3d717a in _$LT$tracing..instrument..Instrumented$LT$T$GT$$u20$as$u20$core..future..future..Future$GT$::poll::h2ca4018f4b728f3a /home/deen/.cargo/registry/src/github.com-1ecc6299db9ec823/tracing-0.1.37/src/instrument.rs:272:9
    #34 0x56395a7f6cc1 in mz_adapter::coord::command_handler::_$LT$impl$u20$mz_adapter..coord..Coordinator$GT$::handle_command::_$u7b$$u7b$closure$u7d$$u7d$::he9dcd20264179c0e /home/deen/git/materialize/src/adapter/src/coord/command_handler.rs:65:21
    #35 0x563959e7285a in mz_adapter::coord::message_handler::_$LT$impl$u20$mz_adapter..coord..Coordinator$GT$::message_command::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h09f2613e6b3ab8c4 /home/deen/git/materialize/src/adapter/src/coord/message_handler.rs:249:33
    #36 0x563959e6d8ef in mz_adapter::coord::message_handler::_$LT$impl$u20$mz_adapter..coord..Coordinator$GT$::message_command::_$u7b$$u7b$closure$u7d$$u7d$::h8b4390bfb09a20ef /home/deen/git/materialize/src/adapter/src/coord/message_handler.rs:246:5
    #37 0x563959e6a83e in mz_adapter::coord::message_handler::_$LT$impl$u20$mz_adapter..coord..Coordinator$GT$::handle_message::_$u7b$$u7b$closure$u7d$$u7d$::hbd220dfd64217bd6 /home/deen/git/materialize/src/adapter/src/coord/message_handler.rs:44:63
    #38 0x56395ee822e3 in mz_adapter::coord::Coordinator::serve::_$u7b$$u7b$closure$u7d$$u7d$::hc4ffe403db694db0 /home/deen/git/materialize/src/adapter/src/coord.rs:1229:37
    #39 0x56395e215669 in tokio::runtime::park::CachedParkThread::block_on::_$u7b$$u7b$closure$u7d$$u7d$::h9d7cbc1e82ad6b7e /home/deen/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.24.2/src/runtime/park.rs:283:63
    #40 0x56395e2125a8 in tokio::runtime::coop::with_budget::h0e61751bbaa44f71 /home/deen/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.24.2/src/runtime/coop.rs:102:5
    #41 0x56395e2125a8 in tokio::runtime::coop::budget::heeada4dddf649e3b /home/deen/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.24.2/src/runtime/coop.rs:68:5
    #42 0x56395e2125a8 in tokio::runtime::park::CachedParkThread::block_on::hac17441cf3974fa1 /home/deen/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.24.2/src/runtime/park.rs:283:31
    #43 0x56395e2198e7 in tokio::runtime::context::BlockingRegionGuard::block_on::h6d45c207c0a64d47 /home/deen/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.24.2/src/runtime/context.rs:315:13
    #44 0x56395a0c2d1a in tokio::runtime::handle::Handle::block_on::hcde58050e63d6f29 /home/deen/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.24.2/src/runtime/handle.rs:264:9
    #45 0x56395ef158fe in mz_adapter::coord::serve::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h7d6725736fbafdc6 /home/deen/git/materialize/src/adapter/src/coord.rs:1408:17
    #46 0x563959fd01a0 in std::sys_common::backtrace::__rust_begin_short_backtrace::hca32b9a1881b962d /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/sys_common/backtrace.rs:121:18
    #47 0x56395ddfc3d5 in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h6b07ae862d2bb3bf /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/thread/mod.rs:560:17
    #48 0x56395bd89478 in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h6ff01870c1038e15 /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/panic/unwind_safe.rs:271:9
    #49 0x56395df9ec9b in std::panicking::try::do_call::hb542aeddd07f191e /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:487:40
    #50 0x56395e26dd7a in __rust_try sqllogictest.db829536-cgu.6
    #51 0x56395de43ae9 in std::panicking::try::h31cdfb11dbc92c95 /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:451:19
    #52 0x56395b540915 in std::panic::catch_unwind::h6c60c82ffd09c2db /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panic.rs:140:14
    #53 0x56395ddfbc00 in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::hbaa32158f576bdee /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/thread/mod.rs:559:30
    #54 0x56395accaa6d in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::hb728956156ca73fb /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:250:5
    #55 0x5639779a2e88 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h6a1b820114d58a54 /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/boxed.rs:1988:9
    #56 0x5639779a3186 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::hf276040d16eaceff /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/boxed.rs:1988:9
    #57 0x5639779e2be8 in std::sys::unix::thread::Thread::new::thread_start::h1dfa6f90b22d7d0e /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/sys/unix/thread.rs:108:17
    #58 0x7fab7d090401  (/lib/x86_64-linux-gnu/libc.so.6+0x90401) (BuildId: d1704d25fbbb72fa95d517b883131828c0883fe9)
    #59 0x7fab7d11f58f  (/lib/x86_64-linux-gnu/libc.so.6+0x11f58f) (BuildId: d1704d25fbbb72fa95d517b883131828c0883fe9)

Address 0x7fab4e48c6f0 is located in stack of thread T52 at offset 22256 in frame
    #0 0x56396625e01f in mz_sql::plan::lowering::_$LT$impl$u20$mz_sql..plan..expr..HirRelationExpr$GT$::applied_to::_$u7b$$u7b$closure$u7d$$u7d$::h6b09e70233dbf228 /home/deen/git/materialize/src/sql/src/plan/lowering.rs:182

  This frame has 338 object(s):
    [32, 48) ''
    [64, 80) ''
    [96, 112) 'expected_group_size.dbg.spill'
    [128, 144) 'limit.dbg.spill'
    [160, 176) '' (line 182)
    [192, 320) 'val75'
    [352, 480) 'residual74'
    [512, 640) '_602' (line 732)
    [672, 824) '_601' (line 731)
    [896, 1032) '_600' (line 731)
    [1104, 1240) '_599' (line 731)
    [1312, 1440) 'val73'
    [1472, 1600) 'residual72'
    [1632, 1760) '_594' (line 726)
    [1792, 1944) '_593' (line 725)
    [2016, 2152) '_592' (line 725)
    [2224, 2360) '_591' (line 725)
    [2432, 2456) '_589' (line 721)
    [2496, 2520) '_588' (line 721)
    [2560, 2688) '_587' (line 721)
    [2720, 2744) '_580' (line 713)
    [2784, 2808) 'applied_order_key' (line 713)
    [2848, 2872) '_572' (line 711)
    [2912, 2928) '_569' (line 710)
    [2944, 2992) '_568' (line 710)
    [3024, 3048) 'applied_group_key71' (line 710)
    [3088, 3216) 'val70' (line 709)
    [3248, 3376) 'residual69'
    [3408, 3536) '_562' (line 709)
    [3568, 3720) '_561' (line 709)
    [3792, 3928) '_560' (line 709)
    [4000, 4136) '_559' (line 709)
    [4208, 4336) 'input68' (line 709)
    [4368, 4392) 'order_key' (line 704)
    [4432, 4456) 'group_key67' (line 703)
    [4496, 4624) 'val66'
    [4656, 4784) 'residual65'
    [4816, 4944) '_549' (line 698)
    [4976, 5128) '_548' (line 697)
    [5200, 5336) '_547' (line 697)
    [5408, 5544) '_546' (line 697)
    [5616, 5640) '_544' (line 691)
    [5680, 5808) '_543' (line 691)
    [5840, 5968) '_542' (line 691)
    [6000, 6128) '_541' (line 691)
    [6160, 6184) '_538' (line 687)
    [6224, 6248) '_537' (line 687)
    [6288, 6416) '_536' (line 687)
    [6448, 6576) 'reduced' (line 686)
    [6608, 6632) '_528' (line 676)
    [6672, 6696) 'default' (line 676)
    [6736, 6784) 'input_type' (line 675)
    [6816, 6840) 'val64' (line 671)
    [6880, 7008) 'residual63'
    [7040, 7072) '_520' (line 673)
    [7104, 7128) '_519' (line 671)
    [7168, 7200) '_518' (line 671)
    [7232, 7296) '_517' (line 671)
    [7328, 7456) '_516' (line 671)
    [7488, 7616) '_515' (line 671)
    [7648, 7672) 'applied_aggregates' (line 671)
    [7712, 7736) '_507' (line 669)
    [7776, 7792) '_504' (line 668)
    [7808, 7856) '_503' (line 668)
    [7888, 7912) 'applied_group_key' (line 668)
    [7952, 8080) 'val62' (line 667)
    [8112, 8240) 'residual61'
    [8272, 8400) '_497' (line 667)
    [8432, 8584) '_496' (line 667)
    [8656, 8792) '_495' (line 667)
    [8864, 9000) '_494' (line 667)
    [9072, 9200) 'input60' (line 666)
    [9232, 9256) 'aggregates' (line 660)
    [9296, 9320) 'group_key' (line 659)
    [9360, 9384) 'val59'
    [9424, 9552) 'residual58'
    [9584, 9616) '_484' (line 651)
    [9648, 9672) '_483' (line 649)
    [9712, 9744) '_482' (line 649)
    [9776, 9840) '_481' (line 649)
    [9872, 10000) '_480' (line 649)
    [10032, 10160) '_479' (line 649)
    [10192, 10320) 'val57'
    [10352, 10480) 'residual56'
    [10512, 10640) '_474' (line 645)
    [10672, 10824) '_473' (line 643)
    [10896, 11032) '_472' (line 643)
    [11104, 11240) '_471' (line 643)
    [11312, 11320) '_470' (line 643)
    [11344, 11368) 'inputs' (line 640)
    [11408, 11536) 'val55' (line 550)
    [11568, 11696) 'residual54'
    [11728, 11936) '_460' (line 550)
    [12000, 12128) '_459' (line 550)
    [12160, 12296) '_458' (line 550)
    [12368, 12504) '_457' (line 550)
    [12576, 12584) 'la' (line 549)
    [12608, 12656) '_452' (line 548)
    [12688, 12712) '_451' (line 548)
    [12752, 12784) '_450' (line 548)
    [12816, 12856) '_449' (line 548)
    [12896, 12920) 'lt' (line 548)
    [12960, 13088) 'val53' (line 547)
    [13120, 13248) 'residual52'
    [13280, 13408) '_443' (line 547)
    [13440, 13592) '_442' (line 547)
    [13664, 13800) '_441' (line 547)
    [13872, 14008) '_440' (line 547)
    [14080, 14208) 'left51' (line 547)
    [14240, 14248) 'oa50' (line 546)
    [14272, 14273) 'kind49' (line 535)
    [14288, 14416) 'on48' (line 534)
    [14448, 14456) 'right47' (line 533)
    [14480, 14608) 'val45' (line 490)
    [14640, 14768) 'residual44'
    [14800, 14960) '_428' (line 490)
    [15024, 15152) '_427' (line 490)
    [15184, 15320) '_426' (line 490)
    [15392, 15528) '_425' (line 490)
    [15600, 15728) 'val43' (line 489)
    [15760, 15888) 'residual42'
    [15920, 16048) '_421' (line 489)
    [16080, 16232) '_420' (line 489)
    [16304, 16440) '_419' (line 489)
    [16512, 16648) '_418' (line 489)
    [16720, 16848) 'left41' (line 489)
    [16880, 16881) 'kind' (line 476)
    [16896, 17024) 'on' (line 475)
    [17056, 17064) 'right' (line 474)
    [17088, 17104) '_401' (line 467)
    [17120, 17144) '_400' (line 467)
    [17184, 17312) '_399' (line 467)
    [17344, 17472) '_398' (line 467)
    [17504, 17632) '_394' (line 464)
    [17664, 17688) '_388' (line 464)
    [17728, 17856) '_387' (line 464)
    [17888, 18016) '_386' (line 464)
    [18048, 18176) 'val40' (line 462)
    [18208, 18336) 'residual39'
    [18368, 18496) '_379' (line 462)
    [18528, 18664) '_378' (line 462)
    [18736, 18872) '_377' (line 462)
    [18944, 19072) 'predicate38' (line 461)
    [19104, 19232) 'predicate' (line 459)
    [19264, 19392) '_370' (line 459)
    [19424, 19456) 'iter37' (line 459)
    [19488, 19512) '_368' (line 459)
    [19552, 19584) '_367' (line 459)
    [19616, 19744) 'val36' (line 458)
    [19776, 19904) 'residual35'
    [19936, 20064) '_363' (line 458)
    [20096, 20248) '_362' (line 458)
    [20320, 20456) '_361' (line 458)
    [20528, 20664) '_360' (line 458)
    [20736, 20864) 'input34' (line 458)
    [20896, 20920) 'predicates' (line 454)
    [20960, 20976) '_352' (line 448)
    [20992, 21008) '_350' (line 447)
    [21024, 21072) '_349' (line 447)
    [21104, 21128) '_348' (line 447)
    [21168, 21296) '_347' (line 446)
    [21328, 21456) '_346' (line 446)
    [21488, 21512) '_342' (line 443)
    [21552, 21600) '_341' (line 443)
    [21632, 21760) '_340' (line 443)
    [21792, 21920) '_339' (line 443)
    [21952, 21976) 'val33' (line 436)
    [22016, 22144) 'residual32'
    [22176, 22208) '_330' (line 438)
    [22240, 22264) '_329' (line 436) <== Memory access at offset 22256 partially overflows this variable
    [22304, 22336) '_328' (line 436) <== Memory access at offset 22256 partially underflows this variable
    [22368, 22432) '_327' (line 436) <== Memory access at offset 22256 partially underflows this variable
    [22464, 22592) '_326' (line 436) <== Memory access at offset 22256 partially underflows this variable
    [22624, 22752) '_325' (line 436) <== Memory access at offset 22256 partially underflows this variable
    [22784, 22808) 'exprs31' (line 436) <== Memory access at offset 22256 partially underflows this variable
    [22848, 22976) 'input30' (line 433) <== Memory access at offset 22256 partially underflows this variable
    [23008, 23032) 'exprs' (line 427)
    [23072, 23120) 'func' (line 427)
    [23152, 23176) '_318' (line 422)
    [23216, 23232) '_316' (line 422)
    [23248, 23304) '_315' (line 422)
    [23344, 23368) '_314' (line 422)
    [23408, 23536) '_313' (line 422)
    [23568, 23696) '_312' (line 422)
    [23728, 23856) '_306' (line 417)
    [23888, 24016) '_305' (line 417)
    [24048, 24176) '_304' (line 417)
    [24208, 24336) 'val29' (line 410)
    [24368, 24496) 'residual28'
    [24528, 24536) '_299' (line 415)
    [24560, 24696) '_296' (line 410)
    [24768, 24904) '_295' (line 410)
    [24976, 25104) 'scalar27' (line 410)
    [25136, 25264) 'scalar'
    [25296, 25424) '_290' (line 409)
    [25456, 25488) 'iter26' (line 409)
    [25520, 25544) '_288' (line 409)
    [25584, 25616) '_287' (line 409)
    [25648, 25672) 'scalar_columns' (line 408)
    [25712, 25840) '_285' (line 398)
    [25872, 26024) 'val25'
    [26096, 26224) 'residual24'
    [26256, 26384) '_281' (line 396)
    [26416, 26576) '_277' (line 395)
    [26640, 26800) '_276' (line 395)
    [26864, 26888) 'subquery_map' (line 395)
    [26928, 27056) 'with_subqueries' (line 395)
    [27088, 27104) '_270' (line 392)
    [27120, 27160) '_268' (line 392)
    [27200, 27224) 'scalars23' (line 392)
    [27264, 27280) '_257' (line 377)
    [27296, 27424) 'val22' (line 369)
    [27456, 27584) 'residual21'
    [27616, 27744) '_247' (line 369)
    [27776, 27928) '_246' (line 369)
    [28000, 28136) '_245' (line 369)
    [28208, 28344) '_244' (line 369)
    [28416, 28544) 'input20' (line 369)
    [28576, 28584) 'lowered_arity' (line 367)
    [28608, 28632) 'scalars' (line 362)
    [28672, 28696) '_238' (line 360)
    [28736, 28864) '_237' (line 360)
    [28896, 28920) '_234' (line 358)
    [28960, 28992) '_233' (line 358)
    [29024, 29064) '_232' (line 358)
    [29104, 29120) '_229' (line 357)
    [29136, 29200) '_228' (line 357)
    [29232, 29256) 'outputs18' (line 357)
    [29296, 29424) 'val17' (line 356)
    [29456, 29584) 'residual16'
    [29616, 29744) '_222' (line 356)
    [29776, 29928) '_221' (line 356)
    [30000, 30136) '_220' (line 356)
    [30208, 30344) '_219' (line 356)
    [30416, 30544) 'input' (line 356)
    [30576, 30600) 'outputs' (line 353)
    [30640, 30768) '_215' (line 350)
    [30800, 30824) '_213' (line 349)
    [30864, 30888) '_212' (line 348)
    [30928, 31112) '_210' (line 343)
    [31184, 31368) '_209' (line 341)
    [31440, 31624) 'shadowed15'
    [31696, 31880) 'shadowed14' (line 339)
    [31952, 31960) 'id13'
    [31984, 32176) '_202' (line 339)
    [32240, 32272) 'iter12' (line 339)
    [32304, 32328) '_200' (line 339)
    [32368, 32400) '_199' (line 339)
    [32432, 32560) 'val11' (line 336)
    [32592, 32720) 'residual10'
    [32752, 32880) '_195' (line 336)
    [32912, 33064) '_194' (line 336)
    [33136, 33272) '_193' (line 336)
    [33344, 33480) '_192' (line 336)
    [33552, 33680) 'mir_body' (line 336)
    [33712, 33840) 'val9'
    [33872, 34000) 'residual8'
    [34032, 34160) '_186' (line 330)
    [34192, 34344) '_185' (line 328)
    [34416, 34552) '_184' (line 328)
    [34624, 34760) '_183' (line 328)
    [34832, 34880) '_typ' (line 327)
    [34912, 35064) 'value7' (line 327)
    [35136, 35160) '_name' (line 327)
    [35200, 35432) '_174' (line 327)
    [35504, 35536) 'iter6' (line 327)
    [35568, 35592) '_172' (line 327)
    [35632, 35664) '_171' (line 327)
    [35696, 35728) '_170' (line 327)
    [35760, 35784) 'mir_values' (line 326)
    [35824, 36008) '_166' (line 323)
    [36080, 36272) '_164' (line 323)
    [36336, 36464) '_160' (line 320)
    [36496, 36528) '_149' (line 314)
    [36560, 36584) '_148' (line 314)
    [36624, 36672) '_147' (line 313)
    [36704, 36888) '_145' (line 311)
    [36960, 37144) 'shadowed' (line 309)
    [37216, 37232) 'iter' (line 306)
    [37248, 37272) 'mir_ids' (line 305)
    [37312, 37336) 'shadowed_bindings' (line 304)
    [37376, 37424) '_117' (line 301)
    [37456, 37480) 'outer_column_types' (line 301)
    [37520, 37544) 'bindings' (line 299)
    [37584, 37712) 'val4' (line 266)
    [37744, 37872) 'residual3'
    [37904, 38064) '_109' (line 266)
    [38128, 38256) '_108' (line 266)
    [38288, 38424) '_107' (line 266)
    [38496, 38632) '_106' (line 266)
    [38704, 38832) 'val' (line 265)
    [38864, 38992) 'residual'
    [39024, 39152) '_101' (line 265)
    [39184, 39336) '_100' (line 265)
    [39408, 39544) '_99' (line 265)
    [39616, 39752) '_98' (line 265)
    [39824, 39952) 'value' (line 265)
    [39984, 39992) 'body' (line 263)
    [40016, 40024) 'id2' (line 261)
    [40048, 40096) '_93' (line 256)
    [40128, 40256) '_92' (line 256)
    [40288, 40416) '_91' (line 256)
    [40448, 40472) '_90' (line 251)
    [40512, 40536) '_89' (line 250)
    [40576, 40704) '_88' (line 250)
    [40736, 40864) '_87' (line 250)
    [40896, 40920) '_81' (line 250)
    [40960, 41088) '_80' (line 250)
    [41120, 41136) '_72' (line 248)
    [41152, 41168) '_70' (line 247)
    [41184, 41232) '_69' (line 247)
    [41264, 41288) 'projection' (line 247)
    [41328, 41344) '_65' (line 236)
    [41360, 41384) '_64' (line 236)
    [41424, 41448) 'equivalences' (line 236)
    [41488, 41496) 'oa' (line 234)
    [41520, 41568) '_51' (line 206)
    [41600, 41616) '_48' (line 205)
    [41632, 41760) 'get_cte' (line 204)
    [41792, 41800) 'local_id' (line 202)
    [41824, 41872) 'typ1' (line 201)
    [41904, 41920) 'id'
    [41936, 41984) '_38' (line 198)
    [42016, 42048) '_36' (line 197)
    [42080, 42112) '_35' (line 197)
    [42144, 42168) '_34' (line 197)
    [42208, 42288) '_33' (line 197)
    [42320, 42448) '_32' (line 196)
    [42480, 42608) '_31' (line 196)
    [42640, 42688) 'typ' (line 194)
    [42720, 42744) 'rows'
    [42784, 42912) '_27' (line 193)
    [42944, 42992) '_26' (line 192)
    [43024, 43032) '_16' (line 192)
    [43056, 43064) '_14' (line 192)
    [43088, 43104) '_12' (line 192)
    [43120, 43136) '_9' (line 187)
    [43152, 43200) '_5' (line 187)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
Thread T52 created by T34 here:
    #0 0x563958ff62bc in __interceptor_pthread_create /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
    #1 0x5639779e21ed in std::sys::unix::thread::Thread::new::hcda1b832aa6e1118 /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/sys/unix/thread.rs:87:19
    #2 0x56395ddf7471 in std::thread::Builder::spawn_unchecked_::h8650a1d944ad6d30 /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/thread/mod.rs:594:17
    #3 0x56395ddf5a7b in std::thread::Builder::spawn_unchecked::h02c5d75db52f5123 /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/thread/mod.rs:488:32
    #4 0x56395ddfc59c in std::thread::Builder::spawn::h23e13f2d559c7c60 /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/thread/mod.rs:420:18
    #5 0x56395bdf3ef1 in mz_environmentd::serve::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h1e8aa245795b827e /home/deen/git/materialize/src/environmentd/src/lib.rs:413:5
    #6 0x56395bdd947e in mz_environmentd::serve::_$u7b$$u7b$closure$u7d$$u7d$::h97a2e3a7ab061130 /home/deen/git/materialize/src/environmentd/src/lib.rs:242:1
    #7 0x56395e215c21 in tokio::runtime::park::CachedParkThread::block_on::_$u7b$$u7b$closure$u7d$$u7d$::hb70f6ff9f9c8e33b /home/deen/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.24.2/src/runtime/park.rs:283:63
    #8 0x56395e20e8d9 in tokio::runtime::coop::with_budget::h73153c21d1f1bd1f /home/deen/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.24.2/src/runtime/coop.rs:102:5
    #9 0x56395e20e8d9 in tokio::runtime::coop::budget::hbcc819e3abe55254 /home/deen/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.24.2/src/runtime/coop.rs:68:5
    #10 0x56395e20e8d9 in tokio::runtime::park::CachedParkThread::block_on::h65f3e79b0438aa65 /home/deen/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.24.2/src/runtime/park.rs:283:31
    #11 0x56395e21a647 in tokio::runtime::context::BlockingRegionGuard::block_on::hce3c030ea46310c6 /home/deen/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.24.2/src/runtime/context.rs:315:13
    #12 0x56395c2baaba in tokio::runtime::scheduler::multi_thread::MultiThread::block_on::ha67df98282c3022f /home/deen/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.24.2/src/runtime/scheduler/multi_thread/mod.rs:66:9
    #13 0x56395b5b9f8d in tokio::runtime::runtime::Runtime::block_on::h3b07aa218ecb135d /home/deen/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.24.2/src/runtime/runtime.rs:284:45
    #14 0x56395f0a85b2 in mz_sqllogictest::runner::RunnerInner::start::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h788c3c2351ebf5ca /home/deen/git/materialize/src/sqllogictest/src/runner.rs:890:32
    #15 0x563959fd0650 in std::sys_common::backtrace::__rust_begin_short_backtrace::hfb41fb71756e2178 /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/sys_common/backtrace.rs:121:18
    #16 0x56395ddfc53c in std::thread::Builder::spawn_unchecked_::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::hf433089233ceec65 /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/thread/mod.rs:560:17
    #17 0x56395bd97e1f in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::haab007d9323896f6 /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/panic/unwind_safe.rs:271:9
    #18 0x56395df6215b in std::panicking::try::do_call::h087d092a770e2dc9 /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:487:40
    #19 0x56395e26dd7a in __rust_try sqllogictest.db829536-cgu.6
    #20 0x56395b530595 in std::panic::catch_unwind::h1f4920c85966da9a /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panic.rs:140:14
    #21 0x56395acca5dd in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h754fed0ffd92b6ca /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:250:5
    #22 0x5639779a3186 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::hf276040d16eaceff /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/boxed.rs:1988:9
    #23 0x5639779e2be8 in std::sys::unix::thread::Thread::new::thread_start::h1dfa6f90b22d7d0e /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/sys/unix/thread.rs:108:17
    #24 0x7fab7d090401  (/lib/x86_64-linux-gnu/libc.so.6+0x90401) (BuildId: d1704d25fbbb72fa95d517b883131828c0883fe9)

Thread T34 created by T0 here:
    #0 0x563958ff62bc in __interceptor_pthread_create /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
    #1 0x5639779e21ed in std::sys::unix::thread::Thread::new::hcda1b832aa6e1118 /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/sys/unix/thread.rs:87:19
    #2 0x56395ddf91a1 in std::thread::Builder::spawn_unchecked_::hbcc3e081dd0ae7f3 /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/thread/mod.rs:594:17
    #3 0x56395ddf5d5b in std::thread::Builder::spawn_unchecked::h5213da5aad956797 /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/thread/mod.rs:488:32
    #4 0x56395ddfc5bc in std::thread::Builder::spawn::h5214c0c291fcc7d3 /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/thread/mod.rs:420:18
    #5 0x56395f0a182a in mz_sqllogictest::runner::RunnerInner::start::_$u7b$$u7b$closure$u7d$$u7d$::h48af301d86868829 /home/deen/git/materialize/src/sqllogictest/src/runner.rs:880:29
    #6 0x56395f0d0941 in mz_sqllogictest::runner::Runner::reset::_$u7b$$u7b$closure$u7d$$u7d$::h0ff082fb24b4067a /home/deen/git/materialize/src/sqllogictest/src/runner.rs:649:58
    #7 0x56395f0d1c2a in mz_sqllogictest::runner::Runner::start::_$u7b$$u7b$closure$u7d$$u7d$::hbffe24ce5a8745e7 /home/deen/git/materialize/src/sqllogictest/src/runner.rs:641:23
    #8 0x56395dca04ee in sqllogictest::main::_$u7b$$u7b$closure$u7d$$u7d$::hd29f115a7c454281 /home/deen/git/materialize/src/sqllogictest/src/bin/sqllogictest.rs:167:44
    #9 0x56395e2150b9 in tokio::runtime::park::CachedParkThread::block_on::_$u7b$$u7b$closure$u7d$$u7d$::h70b5f9f0c02ed2f1 /home/deen/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.24.2/src/runtime/park.rs:283:63
    #10 0x56395e20ac37 in tokio::runtime::coop::with_budget::ha8accfb6672a2266 /home/deen/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.24.2/src/runtime/coop.rs:102:5
    #11 0x56395e20ac37 in tokio::runtime::coop::budget::h959f6c6ae098aab9 /home/deen/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.24.2/src/runtime/coop.rs:68:5
    #12 0x56395e20ac37 in tokio::runtime::park::CachedParkThread::block_on::h04d52ae1a77aa3a7 /home/deen/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.24.2/src/runtime/park.rs:283:31
    #13 0x56395e219f4f in tokio::runtime::context::BlockingRegionGuard::block_on::hb6ca63e22d62879b /home/deen/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.24.2/src/runtime/context.rs:315:13
    #14 0x56395c2bb005 in tokio::runtime::scheduler::multi_thread::MultiThread::block_on::hd4096611a06f2066 /home/deen/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.24.2/src/runtime/scheduler/multi_thread/mod.rs:66:9
    #15 0x56395b5bab9c in tokio::runtime::runtime::Runtime::block_on::hb3a829f69bb6e55d /home/deen/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.24.2/src/runtime/runtime.rs:284:45
    #16 0x56395dc9c1e3 in sqllogictest::main::hd0837e714466ff49 /home/deen/git/materialize/src/sqllogictest/src/bin/sqllogictest.rs:242:5
    #17 0x56395acea02a in core::ops::function::FnOnce::call_once::h373785fec4a2f5bd /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:250:5
    #18 0x56395ea9f5d3 in std::rt::lang_start::_$u7b$$u7b$closure$u7d$$u7d$::hdfa263a3e04240d8 /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:166:18
    #19 0x563977c0aeae in std::panicking::try::do_call::hd9763cceb168e3c1 /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:487:40
    #20 0x563977c1dbca in __rust_try std.0965fa2d-cgu.4
    #21 0x5639779a3a79 in std::panic::catch_unwind::h927b2159f5aab5d8 /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panic.rs:140:14
    #22 0x563977aeefe0 in std::rt::lang_start_internal::_$u7b$$u7b$closure$u7d$$u7d$::h67a52ff58ce21841 /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:148:48
    #23 0x563977c0ac36 in std::panicking::try::do_call::h4c990b6c7ed54ef5 /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:487:40
    #24 0x563977c1dbca in __rust_try std.0965fa2d-cgu.4
    #25 0x5639779a3bf9 in std::panic::catch_unwind::hc6f62d5f0fffefcf /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panic.rs:140:14
    #26 0x563977aeea15 in std::rt::lang_start_internal::hca72830b3d8c0f79 /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:148:20
    #27 0x56395ea9f52f in std::rt::lang_start::hcbb134011439f73b /home/deen/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:165:17
    #28 0x56395dca76cd in main (/home/deen/git/materialize/target/x86_64-unknown-linux-gnu/debug/sqllogictest+0x69116cd) (BuildId: 78ac01fe6c3477a7b055802d272a0607f87d70e2)

SUMMARY: AddressSanitizer: stack-use-after-return /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 in __asan_memcpy
Shadow bytes around the buggy address:
  0x0ff5e9c89880: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x0ff5e9c89890: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x0ff5e9c898a0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x0ff5e9c898b0: f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x0ff5e9c898c0: f2 f2 f2 f2 f2 f2 f8 f8 f8 f2 f2 f2 f2 f2 f8 f8
=>0x0ff5e9c898d0: f8 f2 f2 f2 f2 f2 f8 f8 f8 f2 f2 f2 f2 f2[f5]f5
  0x0ff5e9c898e0: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x0ff5e9c898f0: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x0ff5e9c89900: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x0ff5e9c89910: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x0ff5e9c89920: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f2 f2 f2 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==756769==ABORTING
def- commented 1 year ago

Since I see mz_ore::stack in the backtrace, I guess we are rolling our own stack?

teskje commented 1 year ago

Something like that! We are using stacker to dynamically grow the stack when working with deeply recursive structures, like query plans. That crate definitely uses unsafe code, but I can't say whether there is actually a use-after-free here or asan just gets confused by the non-standard approach.

teskje commented 1 year ago

PSA for everyone trying to reproduce this: If the ASan stack trace doesn't have symbols, make sure that you have llvm-symbolizer on your path!

teskje commented 1 year ago

One thing I noticed is that the repro disables debug assertions. Compiling in debug mode with disabled debug assertions can be expected to cause problems because of https://github.com/MaterializeInc/materialize/blob/575af42b535819c4ef958eb6fe7254bfba2a3781/src/ore/src/stack.rs#L22-L61

The gist is that in debug mode (or rather: at a low opt-level) stack frames are much larger than in release mode, so we want to increase the size of the red zone within which we decide to grow the stack. In Rust code you cannot directly check which opt-level the build is using, so we instead use debug assertions as a proxy. So when you disable debug assertions, you make MZ use the smaller red zone size, while still having the huge stack frames.

The thing this can lead to are stack overflows, if a stack frame is larger than the red zone. In the asan output above we have a stack frame of 43 kB, which is larger than the non-debug assertions red zone size of 32 kB, so that checks out. The only things that's not clear to me is whether a stack overflow causes a use-after-return error under asan. Normally, we would expect a stack overflow to segfault when the program tries to access the guard page. But if the guard page is too small, the program might just "hop over" without accessing it. Or, even if the guard page is large enough, maybe asan's instrumentation affects the handling of stack overflows somehow?

teskje commented 1 year ago

Case in point for that this actually is a stack overflow in disguise: Try running the same command but without asan (on main).

$ env RUSTFLAGS="-C debug-assertions=off" bin/sqllogictest -- test/sqllogictest/cast.slt
[...]

thread 'coordinator' has overflowed its stack
fatal runtime error: stack overflow
def- commented 1 year ago

Thanks for looking into this @teskje . The reason I disabled debug-assertions was https://github.com/MaterializeInc/materialize/issues/17802 Let me see if we can enable debug-assertions again when that is fixed.