Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[bugfix](memtable) arena is freed early and will cause use after free #46997

Merged
merged 2 commits into from
Jan 15, 2025
Merged

[bugfix](memtable) arena is freed early and will cause use after free #46997

merged 2 commits into from
Jan 15, 2025

Conversation

yiguolei
Copy link
Contributor

@yiguolei yiguolei commented Jan 14, 2025
edited
Loading

What problem does this PR solve?

Related PR: #40912

Problem Summary:

Do not reset _arena in MemTable::to_block(), because it is still used in ~MemTable() when releasing agg places

Fix the following use-after-free

Use:

==3628099==ERROR: AddressSanitizer: heap-use-after-free on address 0x52100381be60 at pc 0x5648f30893f8 bp 0x7f8842433310 sp 0x7f8842433308
READ of size 8 at 0x52100381be60 thread T4767 (wg_flush_broker)
#0 0x5648f30893f7 in phmap::priv::raw_hash_set<phmap::priv::FlatHashSetPolicy, phmap::Hash, phmap::EqualTo, std::allocator>::destroy_slots() doris/thirdparty/installed/include/parallel_hashmap/phmap.h:1992:14
#1 0x5648f30936f6 in phmap::priv::raw_hash_set<phmap::priv::FlatHashSetPolicy, phmap::Hash, phmap::EqualTo, std::allocator>::~raw_hash_set() doris/thirdparty/installed/include/parallel_hashmap/phmap.h:1236:23
#2 0x5648f3089276 in phmap::flat_hash_set<unsigned long, phmap::Hash, phmap::EqualTo, std::allocator>::~flat_hash_set() doris/thirdparty/installed/include/parallel_hashmap/phmap.h:4577:7
#3 0x5648f308922a in doris::BitmapValue::~BitmapValue() doris/be/src/util/bitmap_value.h:824:7
#4 0x56490d319fa6 in doris::vectorized::AggregateFunctionBitmapDatadoris::vectorized::AggregateFunctionBitmapUnionOp::~AggregateFunctionBitmapData() doris/be/src/vec/aggregate_functions/aggregate_function_bitmap.h:127:8
#5 0x56490d49636a in doris::vectorized::IAggregateFunctionDataHelper<doris::vectorized::AggregateFunctionBitmapDatadoris::vectorized::AggregateFunctionBitmapUnionOp, doris::vectorized::AggregateFunctionBitmapOpdoris::vectorized::AggregateFunctionBitmapUnionOp>::destroy(char*) const doris/be/src/vec/aggregate_functions/aggregate_function.h:563:92
#6 0x5648f68376e9 in doris::MemTable::~MemTable() doris/be/src/olap/memtable.cpp:159:27
Free:

0x52100381be60 is located 352 bytes inside of 4096-byte region [0x52100381bd00,0x52100381cd00)
freed by thread T4767 (wg_flush_broker) here:
#0 0x5648f2f3ee46 in free (doris/output/be/lib/doris_be+0x57418e46) (BuildId: 298b9c91a1ec8fe0)
#1 0x5648f3080dfc in DefaultMemoryAllocator::free(void*) doris/be/src/vec/common/allocator.h:108:41
#2 0x5648f3080b3f in Allocator<false, false, false, DefaultMemoryAllocator>::free(void*, unsigned long) doris/be/src/vec/common/allocator.h:323:13
#3 0x5648f30b6dee in doris::vectorized::Arena::Chunk::~Chunk() doris/be/src/vec/common/arena.h:77:31
#4 0x5648f30b6d1f in doris::vectorized::Arena::~Arena() doris/be/src/vec/common/arena.h:151:16
#5 0x5648f30b695a in std::default_deletedoris::vectorized::Arena::operator()(doris::vectorized::Arena*) const env/ldb_toolchain/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/unique_ptr.h:99:2
#6 0x5648f30b67c8 in std::__uniq_ptr_impl<doris::vectorized::Arena, std::default_deletedoris::vectorized::Arena>::reset(doris::vectorized::Arena*) env/ldb_toolchain/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/unique_ptr.h:211:4
#7 0x5648f30b5d8c in std::unique_ptr<doris::vectorized::Arena, std::default_deletedoris::vectorized::Arena>::reset(doris::vectorized::Arena*) env/ldb_toolchain/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/unique_ptr.h:509:7
#8 0x5648f684253b in doris::MemTable::_to_block(std::unique_ptr<doris::vectorized::Block, std::default_deletedoris::vectorized::Block>) doris/be/src/olap/memtable.cpp:522:12
#9 0x5648f6842ac5 in doris::MemTable::to_block(std::unique_ptr<doris::vectorized::Block, std::default_deletedoris::vectorized::Block>) doris/be/src/olap/memtable.cpp:528:5
#10 0x5648f6907a72 in doris::FlushToken::_do_flush_memtable(doris::MemTable*, int, long*) doris/be/src/olap/memtable_flush_executor.cpp:144:9
#11 0x5648f690932c in doris::FlushToken::_flush_memtable(std::shared_ptrdoris::MemTable, int, long) doris/be/src/olap/memtable_flush_executor.cpp:183:16
#12 0x5648f6915d18 in doris::MemtableFlushTask::run() doris/be/src/olap/memtable_flush_executor.cpp:60:20
Release note

Release note

None

Check List (For Author)

  • Test

    • Regression test
    • Unit Test
    • Manual test (add detailed scripts or steps below)
    • No need to test or manual test. Explain why:
      • This is a refactor/code format and no logic has been changed.
      • Previous test can cover this change.
      • No code files have been changed.
      • Other reason

  • Behavior changed:

    • No.
    • Yes.

  • Does this need documentation?

    • No.
    • Yes.

Check List (For Reviewer who merge this PR)

  • Confirm the release note
  • Confirm test cases
  • Confirm document
  • Add branch pick label

@Thearas
Copy link
Contributor

Thearas commented Jan 14, 2025

Thank you for your contribution to Apache Doris.
Don't know what should be done next? See How to process your PR.

Please clearly describe your PR:

  1. What problem was fixed (it's best to include specific error reporting information). How it was fixed.
  2. Which behaviors were modified. What was the previous behavior, what is it now, why was it modified, and what possible impacts might there be.
  3. What features were added. Why was this function added?
  4. Which code was refactored and why was this part of the code refactored?
  5. Which functions were optimized and what is the difference before and after the optimization?

@yiguolei yiguolei changed the title [bugfix](memtable) arena is freed quickly and will cause use after free [bugfix](memtable) arena is freed early and will cause use after free Jan 14, 2025
@yiguolei
Copy link
Contributor Author

run buildall

@doris-robot
Copy link

TPC-H: Total hot run time: 32807 ms 
machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpch-tools
Tpch sf100 test result on commit aed177167ec69e06f1f5637cc87c618ddd59fc53, data reload: false

------ Round 1 ----------------------------------
q1	17600	6163	6018	6018
q2	2048	323	168	168
q3	10401	1270	736	736
q4	10216	852	434	434
q5	7865	2217	1995	1995
q6	217	187	149	149
q7	917	777	613	613
q8	9235	1305	1205	1205
q9	5300	4918	4963	4918
q10	6756	2306	1863	1863
q11	484	273	264	264
q12	350	354	228	228
q13	17797	3756	3109	3109
q14	229	230	214	214
q15	576	534	528	528
q16	639	630	609	609
q17	573	845	328	328
q18	6982	6386	6338	6338
q19	1545	955	552	552
q20	317	328	200	200
q21	2975	2219	2020	2020
q22	363	344	318	318
Total cold run time: 103385 ms
Total hot run time: 32807 ms

----- Round 2, with runtime_filter_mode=off -----
q1	6310	6297	6305	6297
q2	243	334	236	236
q3	2359	2870	2492	2492
q4	1461	1889	1487	1487
q5	4504	4891	5014	4891
q6	192	184	151	151
q7	2110	2031	1886	1886
q8	2735	2973	2763	2763
q9	7490	7343	7210	7210
q10	3006	3363	2882	2882
q11	603	528	502	502
q12	635	744	575	575
q13	3468	3939	3234	3234
q14	281	298	288	288
q15	589	534	531	531
q16	660	685	650	650
q17	1231	1717	1254	1254
q18	7713	7484	7253	7253
q19	816	1064	1149	1064
q20	1976	2050	1897	1897
q21	5795	5272	4863	4863
q22	626	627	601	601
Total cold run time: 54803 ms
Total hot run time: 53007 ms

@doris-robot
Copy link

TeamCity be ut coverage result:
Function Coverage: 40.57% (10573/26062)
Line Coverage: 31.25% (89520/286440)
Region Coverage: 30.37% (45780/150765)
Branch Coverage: 26.66% (23286/87344)
Coverage Report: http://coverage.selectdb-in.cc/coverage/aed177167ec69e06f1f5637cc87c618ddd59fc53_aed177167ec69e06f1f5637cc87c618ddd59fc53/report/index.html

@doris-robot
Copy link

TPC-DS: Total hot run time: 195253 ms 
machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpcds-tools
TPC-DS sf100 test result on commit aed177167ec69e06f1f5637cc87c618ddd59fc53, data reload: false

query1	1305	957	948	948
query2	6266	2150	1979	1979
query3	10994	4237	4492	4237
query4	61752	29272	23272	23272
query5	5458	595	435	435
query6	415	211	199	199
query7	5555	524	294	294
query8	318	244	223	223
query9	8573	2800	2765	2765
query10	455	321	271	271
query11	17499	15156	15589	15156
query12	164	117	112	112
query13	1436	524	428	428
query14	11399	6947	7120	6947
query15	213	202	190	190
query16	7309	650	496	496
query17	1182	751	586	586
query18	1877	421	315	315
query19	200	193	167	167
query20	131	116	113	113
query21	209	134	105	105
query22	4718	4581	4626	4581
query23	34452	33761	33310	33310
query24	5580	2281	2289	2281
query25	463	455	405	405
query26	636	275	153	153
query27	1856	482	343	343
query28	4192	2535	2488	2488
query29	530	565	432	432
query30	208	191	154	154
query31	924	891	832	832
query32	71	61	63	61
query33	417	371	298	298
query34	743	879	514	514
query35	809	843	762	762
query36	996	1041	965	965
query37	116	96	77	77
query38	4294	4340	4193	4193
query39	1543	1449	1493	1449
query40	223	117	101	101
query41	51	50	47	47
query42	120	100	104	100
query43	512	536	504	504
query44	1375	837	835	835
query45	176	175	167	167
query46	903	1065	672	672
query47	1951	1980	1905	1905
query48	398	416	317	317
query49	755	502	395	395
query50	659	685	399	399
query51	7045	7049	6921	6921
query52	104	106	102	102
query53	240	254	185	185
query54	499	499	414	414
query55	86	83	83	83
query56	273	279	259	259
query57	1230	1196	1169	1169
query58	241	233	232	232
query59	3225	3259	3122	3122
query60	269	260	253	253
query61	146	126	128	126
query62	798	767	712	712
query63	225	185	179	179
query64	1308	1028	649	649
query65	3281	3166	3176	3166
query66	729	396	310	310
query67	16039	15677	15545	15545
query68	4844	828	527	527
query69	498	299	259	259
query70	1187	1127	1123	1123
query71	410	295	259	259
query72	6077	3841	3871	3841
query73	794	766	362	362
query74	10134	9350	9092	9092
query75	3206	3166	2674	2674
query76	3612	1185	779	779
query77	496	359	281	281
query78	10060	10172	9396	9396
query79	3039	826	597	597
query80	739	532	431	431
query81	504	280	242	242
query82	619	152	119	119
query83	175	171	246	171
query84	287	102	76	76
query85	779	368	312	312
query86	414	332	302	302
query87	4597	4427	4408	4408
query88	4775	2233	2202	2202
query89	407	327	289	289
query90	1590	193	193	193
query91	141	141	108	108
query92	64	59	53	53
query93	2786	864	528	528
query94	772	410	306	306
query95	332	258	256	256
query96	496	614	293	293
query97	2835	2875	2765	2765
query98	224	209	199	199
query99	1408	1478	1405	1405
Total cold run time: 316420 ms
Total hot run time: 195253 ms

@doris-robot
Copy link

ClickBench: Total hot run time: 31.87 s 
machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/clickbench-tools
ClickBench test result on commit aed177167ec69e06f1f5637cc87c618ddd59fc53, data reload: false

query1	0.04	0.04	0.04
query2	0.07	0.03	0.03
query3	0.24	0.07	0.06
query4	1.62	0.11	0.11
query5	0.42	0.44	0.43
query6	1.17	0.69	0.68
query7	0.02	0.02	0.02
query8	0.04	0.03	0.03
query9	0.59	0.51	0.50
query10	0.56	0.57	0.56
query11	0.15	0.10	0.10
query12	0.14	0.11	0.11
query13	0.63	0.61	0.61
query14	2.72	2.83	2.75
query15	0.93	0.86	0.85
query16	0.39	0.38	0.36
query17	1.09	1.03	1.07
query18	0.22	0.20	0.21
query19	1.97	1.89	2.04
query20	0.02	0.01	0.01
query21	15.37	0.90	0.57
query22	0.76	0.84	0.76
query23	15.11	1.46	0.62
query24	2.92	0.97	1.35
query25	0.22	0.08	0.16
query26	0.31	0.15	0.13
query27	0.06	0.05	0.05
query28	13.63	1.62	1.07
query29	12.57	4.05	3.32
query30	0.26	0.09	0.06
query31	2.81	0.63	0.40
query32	3.23	0.58	0.48
query33	3.02	3.05	3.09
query34	16.74	5.43	4.58
query35	4.58	4.56	4.58
query36	0.65	0.51	0.49
query37	0.09	0.06	0.06
query38	0.04	0.03	0.04
query39	0.03	0.02	0.02
query40	0.17	0.14	0.12
query41	0.08	0.03	0.03
query42	0.04	0.02	0.02
query43	0.04	0.03	0.03
Total cold run time: 105.76 s
Total hot run time: 31.87 s

@yiguolei
Copy link
Contributor Author

run buildall

@doris-robot
Copy link

TPC-H: Total hot run time: 33934 ms 
machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpch-tools
Tpch sf100 test result on commit 566bc6f16bad297c8343b699aa24d38fb1fad70c, data reload: false

------ Round 1 ----------------------------------
q1	18250	6453	6346	6346
q2	2044	328	178	178
q3	10584	1395	757	757
q4	10668	919	444	444
q5	7544	2365	2150	2150
q6	231	199	147	147
q7	997	796	607	607
q8	9765	1553	1274	1274
q9	5951	5326	5253	5253
q10	6995	2399	1964	1964
q11	525	287	270	270
q12	365	425	224	224
q13	18682	3806	3163	3163
q14	246	225	209	209
q15	621	545	536	536
q16	651	626	590	590
q17	679	905	325	325
q18	6968	6387	6438	6387
q19	3877	1116	600	600
q20	311	326	185	185
q21	3133	2288	2011	2011
q22	371	338	314	314
Total cold run time: 109458 ms
Total hot run time: 33934 ms

----- Round 2, with runtime_filter_mode=off -----
q1	6990	6655	6675	6655
q2	254	351	237	237
q3	2339	2786	2337	2337
q4	1487	1908	1408	1408
q5	4680	5020	5028	5020
q6	211	199	141	141
q7	2175	1941	1777	1777
q8	2864	2997	2904	2904
q9	7487	7403	7092	7092
q10	3131	3387	2859	2859
q11	654	518	511	511
q12	684	798	616	616
q13	3586	3946	3242	3242
q14	318	325	305	305
q15	635	541	515	515
q16	668	666	654	654
q17	1295	1877	1293	1293
q18	7675	7655	7294	7294
q19	825	1098	1359	1098
q20	2060	2023	1833	1833
q21	5777	5325	5237	5237
q22	614	637	561	561
Total cold run time: 56409 ms
Total hot run time: 53589 ms

@doris-robot
Copy link

TeamCity be ut coverage result:
Function Coverage: 40.57% (10573/26062)
Line Coverage: 31.24% (89485/286443)
Region Coverage: 30.36% (45773/150765)
Branch Coverage: 26.65% (23277/87344)
Coverage Report: http://coverage.selectdb-in.cc/coverage/566bc6f16bad297c8343b699aa24d38fb1fad70c_566bc6f16bad297c8343b699aa24d38fb1fad70c/report/index.html

@doris-robot
Copy link

TPC-DS: Total hot run time: 194656 ms 
machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpcds-tools
TPC-DS sf100 test result on commit 566bc6f16bad297c8343b699aa24d38fb1fad70c, data reload: false

query1	1296	980	920	920
query2	6236	2161	1996	1996
query3	10992	4521	4369	4369
query4	61426	29904	23203	23203
query5	5484	657	466	466
query6	443	185	181	181
query7	5520	504	292	292
query8	327	233	238	233
query9	8219	2758	2766	2758
query10	449	301	253	253
query11	17332	15180	15691	15180
query12	165	113	117	113
query13	1452	546	438	438
query14	11097	7060	6507	6507
query15	224	203	182	182
query16	7224	643	486	486
query17	1106	760	587	587
query18	1803	425	326	326
query19	205	188	166	166
query20	121	114	122	114
query21	227	128	109	109
query22	4489	4560	4575	4560
query23	34123	33851	33703	33703
query24	5508	2373	2325	2325
query25	479	455	408	408
query26	645	282	157	157
query27	1598	497	332	332
query28	4305	2519	2497	2497
query29	546	566	420	420
query30	210	193	172	172
query31	921	932	827	827
query32	67	58	56	56
query33	429	389	299	299
query34	747	856	538	538
query35	820	850	729	729
query36	1048	1030	977	977
query37	124	99	81	81
query38	4256	4365	4157	4157
query39	1526	1472	1435	1435
query40	206	111	103	103
query41	51	50	50	50
query42	121	100	106	100
query43	526	548	514	514
query44	1362	867	850	850
query45	190	178	185	178
query46	893	1080	675	675
query47	1893	1902	1820	1820
query48	381	441	333	333
query49	712	494	431	431
query50	687	671	413	413
query51	7032	6975	7026	6975
query52	105	108	94	94
query53	231	254	186	186
query54	495	527	408	408
query55	92	85	83	83
query56	273	264	270	264
query57	1251	1192	1142	1142
query58	265	246	234	234
query59	3131	3212	2983	2983
query60	264	282	258	258
query61	115	116	120	116
query62	787	780	709	709
query63	220	199	189	189
query64	1239	1026	655	655
query65	3322	3163	3197	3163
query66	717	408	307	307
query67	15922	15697	15371	15371
query68	5636	818	539	539
query69	474	287	256	256
query70	1237	1148	1139	1139
query71	416	286	260	260
query72	6117	3824	3781	3781
query73	780	771	368	368
query74	10220	9174	9112	9112
query75	3216	3166	2665	2665
query76	3776	1183	757	757
query77	471	386	298	298
query78	10038	9866	9274	9274
query79	3157	805	602	602
query80	690	543	452	452
query81	496	329	241	241
query82	508	150	118	118
query83	167	169	152	152
query84	288	86	71	71
query85	814	381	309	309
query86	389	318	312	312
query87	4463	4466	4373	4373
query88	4801	2229	2171	2171
query89	395	337	287	287
query90	1645	188	186	186
query91	133	145	109	109
query92	68	55	55	55
query93	3080	853	532	532
query94	717	402	292	292
query95	324	258	274	258
query96	489	621	285	285
query97	2860	2899	2678	2678
query98	215	207	195	195
query99	1432	1509	1373	1373
Total cold run time: 315184 ms
Total hot run time: 194656 ms

@doris-robot
Copy link

ClickBench: Total hot run time: 30.98 s 
machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/clickbench-tools
ClickBench test result on commit 566bc6f16bad297c8343b699aa24d38fb1fad70c, data reload: false

query1	0.03	0.05	0.04
query2	0.07	0.03	0.04
query3	0.24	0.07	0.07
query4	1.62	0.11	0.11
query5	0.41	0.43	0.41
query6	1.15	0.64	0.65
query7	0.02	0.02	0.01
query8	0.03	0.03	0.03
query9	0.59	0.51	0.50
query10	0.55	0.57	0.56
query11	0.14	0.10	0.10
query12	0.15	0.11	0.10
query13	0.61	0.59	0.60
query14	2.76	2.86	2.76
query15	0.88	0.82	0.82
query16	0.37	0.38	0.38
query17	0.98	0.98	1.05
query18	0.24	0.20	0.21
query19	1.98	1.77	1.98
query20	0.02	0.01	0.02
query21	15.36	0.92	0.56
query22	0.77	0.83	0.71
query23	15.23	1.42	0.59
query24	2.52	0.72	1.73
query25	0.12	0.16	0.11
query26	0.43	0.15	0.14
query27	0.08	0.05	0.05
query28	14.13	1.53	1.04
query29	12.58	3.94	3.29
query30	0.25	0.09	0.06
query31	2.83	0.60	0.39
query32	3.23	0.57	0.46
query33	2.97	2.96	3.14
query34	16.61	5.15	4.46
query35	4.53	4.54	4.50
query36	0.66	0.52	0.52
query37	0.09	0.06	0.06
query38	0.05	0.04	0.03
query39	0.03	0.03	0.02
query40	0.18	0.14	0.13
query41	0.08	0.02	0.03
query42	0.03	0.02	0.02
query43	0.03	0.03	0.03
Total cold run time: 105.63 s
Total hot run time: 30.98 s

kaijchen
kaijchen approved these changes Jan 15, 2025
View reviewed changes
Copy link
Contributor

@kaijchen kaijchen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@github-actions GitHub Actions
Copy link
Contributor

PR approved by anyone and no changes requested.

This was referenced Jan 15, 2025
Closed
Closed
xinyiZzz
xinyiZzz approved these changes Jan 15, 2025
View reviewed changes
Copy link
Contributor

@xinyiZzz xinyiZzz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@github-actions GitHub Actions
Copy link
Contributor

PR approved by at least one committer and no changes requested.

@github-actions github-actions bot added the approved Indicates a PR has been approved by one committer. label Jan 15, 2025
liaoxin01
liaoxin01 approved these changes Jan 15, 2025
View reviewed changes
Copy link
Contributor

@liaoxin01 liaoxin01 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@yiguolei yiguolei merged commit 81534dd into apache:master Jan 15, 2025
29 of 31 checks passed
github-actions bot pushed a commit that referenced this pull request Jan 15, 2025
@yiguolei
[bugfix](memtable) arena is freed early and will cause use after free (
8aa5d66 
…#46997)

### What problem does this PR solve?

Related PR: #40912

Problem Summary:

Do not reset _arena in MemTable::to_block(), because it is still used in
~MemTable() when releasing agg places

Fix the following use-after-free

Use:

==3628099==ERROR: AddressSanitizer: heap-use-after-free on address
0x52100381be60 at pc 0x5648f30893f8 bp 0x7f8842433310 sp 0x7f8842433308
READ of size 8 at 0x52100381be60 thread T4767 (wg_flush_broker)
#0 0x5648f30893f7 in
phmap::priv::raw_hash_set<phmap::priv::FlatHashSetPolicy<unsigned long>,
phmap::Hash<unsigned long>, phmap::EqualTo<unsigned long>,
std::allocator<unsigned long>>::destroy_slots()
doris/thirdparty/installed/include/parallel_hashmap/phmap.h:1992:14
#1 0x5648f30936f6 in
phmap::priv::raw_hash_set<phmap::priv::FlatHashSetPolicy<unsigned long>,
phmap::Hash<unsigned long>, phmap::EqualTo<unsigned long>,
std::allocator<unsigned long>>::~raw_hash_set()
doris/thirdparty/installed/include/parallel_hashmap/phmap.h:1236:23
#2 0x5648f3089276 in phmap::flat_hash_set<unsigned long,
phmap::Hash<unsigned long>, phmap::EqualTo<unsigned long>,
std::allocator<unsigned long>>::~flat_hash_set()
doris/thirdparty/installed/include/parallel_hashmap/phmap.h:4577:7
#3 0x5648f308922a in doris::BitmapValue::~BitmapValue()
doris/be/src/util/bitmap_value.h:824:7
#4 0x56490d319fa6 in
doris::vectorized::AggregateFunctionBitmapData<doris::vectorized::AggregateFunctionBitmapUnionOp>::~AggregateFunctionBitmapData()
doris/be/src/vec/aggregate_functions/aggregate_function_bitmap.h:127:8
#5 0x56490d49636a in
doris::vectorized::IAggregateFunctionDataHelper<doris::vectorized::AggregateFunctionBitmapData<doris::vectorized::AggregateFunctionBitmapUnionOp>,
doris::vectorized::AggregateFunctionBitmapOp<doris::vectorized::AggregateFunctionBitmapUnionOp>>::destroy(char*)
const doris/be/src/vec/aggregate_functions/aggregate_function.h:563:92
#6 0x5648f68376e9 in doris::MemTable::~MemTable()
doris/be/src/olap/memtable.cpp:159:27
Free:

0x52100381be60 is located 352 bytes inside of 4096-byte region
[0x52100381bd00,0x52100381cd00)
freed by thread T4767 (wg_flush_broker) here:
#0 0x5648f2f3ee46 in free (doris/output/be/lib/doris_be+0x57418e46)
(BuildId: 298b9c91a1ec8fe0)
#1 0x5648f3080dfc in DefaultMemoryAllocator::free(void*)
doris/be/src/vec/common/allocator.h:108:41
#2 0x5648f3080b3f in Allocator<false, false, false,
DefaultMemoryAllocator>::free(void*, unsigned long)
doris/be/src/vec/common/allocator.h:323:13
#3 0x5648f30b6dee in doris::vectorized::Arena::Chunk::~Chunk()
doris/be/src/vec/common/arena.h:77:31
#4 0x5648f30b6d1f in doris::vectorized::Arena::~Arena()
doris/be/src/vec/common/arena.h:151:16
#5 0x5648f30b695a in
std::default_delete<doris::vectorized::Arena>::operator()(doris::vectorized::Arena*)
const
env/ldb_toolchain/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/unique_ptr.h:99:2
#6 0x5648f30b67c8 in std::__uniq_ptr_impl<doris::vectorized::Arena,
std::default_delete<doris::vectorized::Arena>>::reset(doris::vectorized::Arena*)
env/ldb_toolchain/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/unique_ptr.h:211:4
#7 0x5648f30b5d8c in std::unique_ptr<doris::vectorized::Arena,
std::default_delete<doris::vectorized::Arena>>::reset(doris::vectorized::Arena*)
env/ldb_toolchain/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/unique_ptr.h:509:7
#8 0x5648f684253b in
doris::MemTable::_to_block(std::unique_ptr<doris::vectorized::Block,
std::default_delete<doris::vectorized::Block>>*)
doris/be/src/olap/memtable.cpp:522:12
#9 0x5648f6842ac5 in
doris::MemTable::to_block(std::unique_ptr<doris::vectorized::Block,
std::default_delete<doris::vectorized::Block>>*)
doris/be/src/olap/memtable.cpp:528:5
#10 0x5648f6907a72 in
doris::FlushToken::_do_flush_memtable(doris::MemTable*, int, long*)
doris/be/src/olap/memtable_flush_executor.cpp:144:9
#11 0x5648f690932c in
doris::FlushToken::_flush_memtable(std::shared_ptr<doris::MemTable>,
int, long) doris/be/src/olap/memtable_flush_executor.cpp:183:16
#12 0x5648f6915d18 in doris::MemtableFlushTask::run()
doris/be/src/olap/memtable_flush_executor.cpp:60:20
@github-actions github-actions bot mentioned this pull request Jan 15, 2025
Merged
yiguolei added a commit that referenced this pull request Jan 15, 2025
@github-actions @yiguolei
branch-3.0: [bugfix](memtable) arena is freed early and will cause us…
e7f095e 
…e after free #46997 (#47006)

Cherry-picked from #46997

Co-authored-by: yiguolei <guolei@selectdb.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@liaoxin01 liaoxin01 liaoxin01 approved these changes

@xinyiZzz xinyiZzz xinyiZzz approved these changes

@kaijchen kaijchen kaijchen approved these changes

Assignees
No one assigned
Labels
approved Indicates a PR has been approved by one committer. dev/3.0.4-merged not-merge/2.1 reviewed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@yiguolei @Thearas @doris-robot @kaijchen @xinyiZzz @liaoxin01