StarRocks / starrocks

The world's fastest open query engine for sub-second analytics both on and off the data lakehouse. With the flexibility to support nearly any scenario, StarRocks provides best-in-class performance for multi-dimensional analytics, real-time analytics, and ad-hoc queries. A Linux Foundation project.
https://starrocks.io
Apache License 2.0

[sqlancer] heap-use-after-free #15184

Closed andyziye closed 1 year ago

andyziye commented 1 year ago

Steps to reproduce the behavior (Required)

  1. CREATE TABLE '...'
  2. INSERT INTO '....'
  3. SELECT '....'

Expected behavior (Required)

Real behavior (Required)

=================================================================
==27851==ERROR: AddressSanitizer: heap-use-after-free on address 0x60700101ed78 at pc 0x00000977b8db bp 0x7f8fa4500960 sp 0x7f8fa4500958
READ of size 8 at 0x60700101ed78 thread T531
    #0 0x977b8da in __gnu_cxx::__normal_iterator<starrocks::SlotDescriptor* const*, std::vector<starrocks::SlotDescriptor*, std::allocator<starrocks::SlotDescriptor*> > >::__normal_iterator(starrocks::SlotDescriptor* const* const&) /usr/include/c++/10.3.0/bits/stl_iterator.h:976
    #1 0x9775df6 in std::vector<starrocks::SlotDescriptor*, std::allocator<starrocks::SlotDescriptor*> >::begin() const /usr/include/c++/10.3.0/bits/stl_vector.h:821
    #2 0xee8052e in starrocks::DataStreamRecvr::SenderQueue::_build_chunk_meta(starrocks::ChunkPB const&) /root/starrocks/be/src/runtime/sender_queue.cpp:50
    #3 0xee8a8fd in starrocks::DataStreamRecvr::PipelineSenderQueue::try_to_build_chunk_meta(starrocks::PTransmitChunkParams const&) /root/starrocks/be/src/runtime/sender_queue.cpp:555
    #4 0xee937f6 in starrocks::Status starrocks::DataStreamRecvr::PipelineSenderQueue::add_chunks<false>(starrocks::PTransmitChunkParams const&, google::protobuf::Closure**) (/home/disk1/sr/sqlancer_branch_asan_01/be/lib/starrocks_be+0xee937f6)
    #5 0xee89120 in starrocks::DataStreamRecvr::PipelineSenderQueue::add_chunks(starrocks::PTransmitChunkParams const&, google::protobuf::Closure**) /root/starrocks/be/src/runtime/sender_queue.cpp:481
    #6 0xecc9f6b in starrocks::DataStreamRecvr::add_chunks(starrocks::PTransmitChunkParams const&, google::protobuf::Closure**) /root/starrocks/be/src/runtime/data_stream_recvr.cpp:212
    #7 0xeb9a7e8 in starrocks::DataStreamMgr::transmit_chunk(starrocks::PTransmitChunkParams const&, google::protobuf::Closure**) /root/starrocks/be/src/runtime/data_stream_mgr.cpp:160
    #8 0x1097ab11 in starrocks::PInternalServiceImplBase<doris::PBackendService>::transmit_chunk(google::protobuf::RpcController*, starrocks::PTransmitChunkParams const*, starrocks::PTransmitChunkResult*, google::protobuf::Closure*) /root/starrocks/be/src/service/internal_service.cpp:117
    #9 0xfa42d43 in doris::PBackendService::CallMethod(google::protobuf::MethodDescriptor const*, google::protobuf::RpcController*, google::protobuf::Message const*, google::protobuf::Message*, google::protobuf::Closure*) /root/starrocks/gensrc/build/gen_cpp/doris_internal_service.pb.cc:324
    #10 0x1154323c in brpc::policy::ProcessRpcRequest(brpc::InputMessageBase*) src/brpc/policy/baidu_rpc_protocol.cpp:512
    #11 0x11485286 in brpc::ProcessInputMessage(void*) src/brpc/input_messenger.cpp:147
    #12 0x1148615a in brpc::RunLastMessage::operator()(brpc::InputMessageBase*) src/brpc/input_messenger.cpp:153
    #13 0x1148615a in std::unique_ptr<brpc::InputMessageBase, brpc::RunLastMessage>::~unique_ptr() /usr/include/c++/10.3.0/bits/unique_ptr.h:361
    #14 0x1148615a in brpc::InputMessenger::OnNewMessages(brpc::Socket*) /usr/include/c++/10.3.0/bits/unique_ptr.h:355
    #15 0x1147696d in brpc::Socket::ProcessEvent(void*) src/brpc/socket.cpp:1050
    #16 0x114496be in bthread::TaskGroup::task_runner(long) src/bthread/task_group.cpp:295
    #17 0x115907c0 in bthread_make_fcontext (/home/disk1/sr/sqlancer_branch_asan_01/be/lib/starrocks_be+0x115907c0)

0x60700101ed78 is located 24 bytes inside of 72-byte region [0x60700101ed60,0x60700101eda8)
freed by thread T274 (pip_wg_executor) here:
    #0 0x8d26277 in operator delete(void*, unsigned long) ../../.././libsanitizer/asan/asan_new_delete.cpp:172
    #1 0xebd1d4e in starrocks::ObjectPool::add<starrocks::TupleDescriptor>(starrocks::TupleDescriptor*)::{lambda(void*)#1}::operator()(void*) const /root/starrocks/be/src/common/object_pool.h:45
    #2 0xebd1da1 in starrocks::ObjectPool::add<starrocks::TupleDescriptor>(starrocks::TupleDescriptor*)::{lambda(void*)#1}::_FUN(void*) /root/starrocks/be/src/common/object_pool.h:45
    #3 0x917f065 in starrocks::ObjectPool::clear() /root/starrocks/be/src/common/object_pool.h:52
    #4 0x917ee77 in starrocks::ObjectPool::~ObjectPool() /root/starrocks/be/src/common/object_pool.h:34
    #5 0x917481f in starrocks::pipeline::QueryContext::~QueryContext() /root/starrocks/be/src/exec/pipeline/query_context.cpp:32
    #6 0x919b0c5 in void __gnu_cxx::new_allocator<starrocks::pipeline::QueryContext>::destroy<starrocks::pipeline::QueryContext>(starrocks::pipeline::QueryContext*) /usr/include/c++/10.3.0/ext/new_allocator.h:156
    #7 0x919af34 in void std::allocator_traits<std::allocator<starrocks::pipeline::QueryContext> >::destroy<starrocks::pipeline::QueryContext>(std::allocator<starrocks::pipeline::QueryContext>&, starrocks::pipeline::QueryContext*) /usr/include/c++/10.3.0/bits/alloc_traits.h:531
    #8 0x919a156 in std::_Sp_counted_ptr_inplace<starrocks::pipeline::QueryContext, std::allocator<starrocks::pipeline::QueryContext>, (__gnu_cxx::_Lock_policy)2>::_M_dispose() /usr/include/c++/10.3.0/bits/shared_ptr_base.h:560
    #9 0x8d6fcbc in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/10.3.0/bits/shared_ptr_base.h:158
    #10 0x8d6d9d1 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/include/c++/10.3.0/bits/shared_ptr_base.h:733
    #11 0x9180f17 in std::__shared_ptr<starrocks::pipeline::QueryContext, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /usr/include/c++/10.3.0/bits/shared_ptr_base.h:1183
    #12 0x9180f33 in std::shared_ptr<starrocks::pipeline::QueryContext>::~shared_ptr() /usr/include/c++/10.3.0/bits/shared_ptr.h:121
    #13 0x9198185 in std::pair<starrocks::TUniqueId const, std::shared_ptr<starrocks::pipeline::QueryContext> >::~pair() (/home/disk1/sr/sqlancer_branch_asan_01/be/lib/starrocks_be+0x9198185)
    #14 0x91981b1 in void __gnu_cxx::new_allocator<std::__detail::_Hash_node<std::pair<starrocks::TUniqueId const, std::shared_ptr<starrocks::pipeline::QueryContext> >, true> >::destroy<std::pair<starrocks::TUniqueId const, std::shared_ptr<starrocks::pipeline::QueryContext> > >(std::pair<starrocks::TUniqueId const, std::shared_ptr<starrocks::pipeline::QueryContext> >*) (/home/disk1/sr/sqlancer_branch_asan_01/be/lib/starrocks_be+0x91981b1)
    #15 0x9196b94 in void std::allocator_traits<std::allocator<std::__detail::_Hash_node<std::pair<starrocks::TUniqueId const, std::shared_ptr<starrocks::pipeline::QueryContext> >, true> > >::destroy<std::pair<starrocks::TUniqueId const, std::shared_ptr<starrocks::pipeline::QueryContext> > >(std::allocator<std::__detail::_Hash_node<std::pair<starrocks::TUniqueId const, std::shared_ptr<starrocks::pipeline::QueryContext> >, true> >&, std::pair<starrocks::TUniqueId const, std::shared_ptr<starrocks::pipeline::QueryContext> >*) (/home/disk1/sr/sqlancer_branch_asan_01/be/lib/starrocks_be+0x9196b94)
    #16 0x9193eda in std::__detail::_Hashtable_alloc<std::allocator<std::__detail::_Hash_node<std::pair<starrocks::TUniqueId const, std::shared_ptr<starrocks::pipeline::QueryContext> >, true> > >::_M_deallocate_node(std::__detail::_Hash_node<std::pair<starrocks::TUniqueId const, std::shared_ptr<starrocks::pipeline::QueryContext> >, true>*) (/home/disk1/sr/sqlancer_branch_asan_01/be/lib/starrocks_be+0x9193eda)
    #17 0x9191654 in std::_Hashtable<starrocks::TUniqueId, std::pair<starrocks::TUniqueId const, std::shared_ptr<starrocks::pipeline::QueryContext> >, std::allocator<std::pair<starrocks::TUniqueId const, std::shared_ptr<starrocks::pipeline::QueryContext> > >, std::__detail::_Select1st, std::equal_to<starrocks::TUniqueId>, std::hash<starrocks::TUniqueId>, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<true, false, true> >::_M_erase(unsigned long, std::__detail::_Hash_node_base*, std::__detail::_Hash_node<std::pair<starrocks::TUniqueId const, std::shared_ptr<starrocks::pipeline::QueryContext> >, true>*) (/home/disk1/sr/sqlancer_branch_asan_01/be/lib/starrocks_be+0x9191654)
    #18 0x918d62d in std::_Hashtable<starrocks::TUniqueId, std::pair<starrocks::TUniqueId const, std::shared_ptr<starrocks::pipeline::QueryContext> >, std::allocator<std::pair<starrocks::TUniqueId const, std::shared_ptr<starrocks::pipeline::QueryContext> > >, std::__detail::_Select1st, std::equal_to<starrocks::TUniqueId>, std::hash<starrocks::TUniqueId>, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<true, false, true> >::erase(std::__detail::_Node_const_iterator<std::pair<starrocks::TUniqueId const, std::shared_ptr<starrocks::pipeline::QueryContext> >, false, true>) (/home/disk1/sr/sqlancer_branch_asan_01/be/lib/starrocks_be+0x918d62d)
    #19 0x918925c in std::_Hashtable<starrocks::TUniqueId, std::pair<starrocks::TUniqueId const, std::shared_ptr<starrocks::pipeline::QueryContext> >, std::allocator<std::pair<starrocks::TUniqueId const, std::shared_ptr<starrocks::pipeline::QueryContext> > >, std::__detail::_Select1st, std::equal_to<starrocks::TUniqueId>, std::hash<starrocks::TUniqueId>, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<true, false, true> >::erase(std::__detail::_Node_iterator<std::pair<starrocks::TUniqueId const, std::shared_ptr<starrocks::pipeline::QueryContext> >, false, true>) (/home/disk1/sr/sqlancer_branch_asan_01/be/lib/starrocks_be+0x918925c)
    #20 0x9184144 in std::unordered_map<starrocks::TUniqueId, std::shared_ptr<starrocks::pipeline::QueryContext>, std::hash<starrocks::TUniqueId>, std::equal_to<starrocks::TUniqueId>, std::allocator<std::pair<starrocks::TUniqueId const, std::shared_ptr<starrocks::pipeline::QueryContext> > > >::erase(std::__detail::_Node_iterator<std::pair<starrocks::TUniqueId const, std::shared_ptr<starrocks::pipeline::QueryContext> >, false, true>) (/home/disk1/sr/sqlancer_branch_asan_01/be/lib/starrocks_be+0x9184144)
    #21 0x9178649 in starrocks::pipeline::QueryContextManager::remove(starrocks::TUniqueId const&) /root/starrocks/be/src/exec/pipeline/query_context.cpp:303
    #22 0x91f4509 in starrocks::pipeline::PipelineDriver::finalize(starrocks::RuntimeState*, starrocks::pipeline::DriverState) /root/starrocks/be/src/exec/pipeline/pipeline_driver.cpp:420
    #23 0x10185c0f in starrocks::pipeline::GlobalDriverExecutor::_finalize_driver(starrocks::pipeline::PipelineDriver*, starrocks::RuntimeState*, starrocks::pipeline::DriverState) /root/starrocks/be/src/exec/pipeline/pipeline_driver_executor.cpp:72
    #24 0x10186683 in starrocks::pipeline::GlobalDriverExecutor::_worker_thread() /root/starrocks/be/src/exec/pipeline/pipeline_driver_executor.cpp:119
    #25 0x101850fb in operator() /root/starrocks/be/src/exec/pipeline/pipeline_driver_executor.cpp:56
    #26 0x1018c6a9 in __invoke_impl<void, starrocks::pipeline::GlobalDriverExecutor::initialize(int)::<lambda()>&> /usr/include/c++/10.3.0/bits/invoke.h:60
    #27 0x1018bda8 in __invoke_r<void, starrocks::pipeline::GlobalDriverExecutor::initialize(int)::<lambda()>&> /usr/include/c++/10.3.0/bits/invoke.h:110
    #28 0x1018b1cc in _M_invoke /usr/include/c++/10.3.0/bits/std_function.h:291
    #29 0x8ea80f3 in std::function<void ()>::operator()() const /usr/include/c++/10.3.0/bits/std_function.h:622

previously allocated by thread T482 here:
    #0 0x8d25457 in operator new(unsigned long) ../../.././libsanitizer/asan/asan_new_delete.cpp:99

Thread T531 created by T0 here:
    #0 0x8ccf152 in __interceptor_pthread_create ../../.././libsanitizer/asan/asan_interceptors.cpp:214
    #1 0x1158e56b in bthread::TaskControl::add_workers(int) src/bthread/task_control.cpp:199
    #2 0x1145085c in bthread_setconcurrency src/bthread/bthread.cpp:310
    #3 0x11497951 in brpc::Server::StartInternal(butil::EndPoint const&, brpc::PortRange const&, brpc::ServerOptions const*) src/brpc/server.cpp:924
    #4 0x1149965c in brpc::Server::Start(butil::EndPoint const&, brpc::ServerOptions const*) src/brpc/server.cpp:1087
    #5 0x114997b2 in brpc::Server::Start(int, brpc::ServerOptions const*) src/brpc/server.cpp:1106
    #6 0xef1ce67 in start_be() /root/starrocks/be/src/service/service_be/starrocks_be.cpp:65
    #7 0x8d667f2 in main /root/starrocks/be/src/service/starrocks_main.cpp:306
    #8 0x7f9051846554 in __libc_start_main (/lib64/libc.so.6+0x22554)

Thread T274 (pip_wg_executor) created by T0 here:
    #0 0x8ccf152 in __interceptor_pthread_create ../../.././libsanitizer/asan/asan_interceptors.cpp:214
    #1 0xf19695c in starrocks::Thread::start_thread(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::function<void ()> const&, unsigned long, scoped_refptr<starrocks::Thread>*) /root/starrocks/be/src/util/thread.cpp:281
    #2 0xf1b3680 in starrocks::Status starrocks::Thread::create<void (starrocks::ThreadPool::*)(), starrocks::ThreadPool*>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, void (starrocks::ThreadPool::* const&)(), starrocks::ThreadPool* const&, scoped_refptr<starrocks::Thread>*) /root/starrocks/be/src/util/thread.h:55
    #3 0xf1ae11f in starrocks::ThreadPool::create_thread() /root/starrocks/be/src/util/threadpool.cpp:566
    #4 0xf1aac6f in starrocks::ThreadPool::do_submit(std::shared_ptr<starrocks::Runnable>, starrocks::ThreadPoolToken*, starrocks::ThreadPool::Priority) /root/starrocks/be/src/util/threadpool.cpp:415
    #5 0xf1a992b in starrocks::ThreadPool::submit(std::shared_ptr<starrocks::Runnable>, starrocks::ThreadPool::Priority) /root/starrocks/be/src/util/threadpool.cpp:332
    #6 0xf1a9acc in starrocks::ThreadPool::submit_func(std::function<void ()>, starrocks::ThreadPool::Priority) /root/starrocks/be/src/util/threadpool.cpp:336
    #7 0x10185544 in starrocks::pipeline::GlobalDriverExecutor::initialize(int) /root/starrocks/be/src/exec/pipeline/pipeline_driver_executor.cpp:56
    #8 0xebdf577 in starrocks::ExecEnv::_init(std::vector<starrocks::StorePath, std::allocator<starrocks::StorePath> > const&) /root/starrocks/be/src/runtime/exec_env.cpp:194
    #9 0xebdd35f in starrocks::ExecEnv::init(starrocks::ExecEnv*, std::vector<starrocks::StorePath, std::allocator<starrocks::StorePath> > const&) /root/starrocks/be/src/runtime/exec_env.cpp:126
    #10 0x8d65f90 in main /root/starrocks/be/src/service/starrocks_main.cpp:278
    #11 0x7f9051846554 in __libc_start_main (/lib64/libc.so.6+0x22554)

Thread T482 created by T0 here:
    #0 0x8ccf152 in __interceptor_pthread_create ../../.././libsanitizer/asan/asan_interceptors.cpp:214
    #1 0x1158df5c in bthread::TaskControl::init(int) src/bthread/task_control.cpp:165
    #2 0x11450ddc in bthread::get_or_new_task_control() src/bthread/bthread.cpp:91
    #3 0x114503dc in bthread::start_from_non_worker(unsigned long*, bthread_attr_t const*, void* (*)(void*), void*) src/bthread/bthread.cpp:128
    #4 0x114503dc in bthread_start_background src/bthread/bthread.cpp:193
    #5 0xece1cd6 in starrocks::LoadChannelMgr::_start_bg_worker() /root/starrocks/be/src/runtime/load_channel_mgr.cpp:178
    #6 0xecdfab5 in starrocks::LoadChannelMgr::init(starrocks::MemTracker*) /root/starrocks/be/src/runtime/load_channel_mgr.cpp:71
    #7 0xebe19be in starrocks::ExecEnv::_init(std::vector<starrocks::StorePath, std::allocator<starrocks::StorePath> > const&) /root/starrocks/be/src/runtime/exec_env.cpp:301
    #8 0xebdd35f in starrocks::ExecEnv::init(starrocks::ExecEnv*, std::vector<starrocks::StorePath, std::allocator<starrocks::StorePath> > const&) /root/starrocks/be/src/runtime/exec_env.cpp:126
    #9 0x8d65f90 in main /root/starrocks/be/src/service/starrocks_main.cpp:278
    #10 0x7f9051846554 in __libc_start_main (/lib64/libc.so.6+0x22554)

SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/c++/10.3.0/bits/stl_iterator.h:976 in __gnu_cxx::__normal_iterator<starrocks::SlotDescriptor* const*, std::vector<starrocks::SlotDescriptor*, std::allocator<starrocks::SlotDescriptor*> > >::__normal_iterator(starrocks::SlotDescriptor* const* const&)
Shadow bytes around the buggy address:
  0x0c0e801fbd50: 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e801fbd60: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fa
  0x0c0e801fbd70: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c0e801fbd80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e801fbd90: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
=>0x0c0e801fbda0: fa fa fa fa fa fa fa fa fa fa fa fa fd fd fd[fd]
  0x0c0e801fbdb0: fd fd fd fd fd fa fa fa fa fa 00 00 00 00 00 00
  0x0c0e801fbdc0: 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e801fbdd0: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 fa
  0x0c0e801fbde0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e801fbdf0: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==27851==ABORTING

StarRocks version (Required)

github-actions[bot] commented 1 year ago

We have marked this issue as stale because it has been inactive for 6 months. If this issue is still relevant, removing the stale label or adding a comment will keep it active. Otherwise, we'll close it in 10 days to keep the issue queue tidy. Thank you for your contribution to StarRocks!