[DocDB] heap-use-after-free in Batcher::LookupTabletFor

[hari90]

Jira Link: DB-13849

Description

Log: https://jenkins.dev.yugabyte.com/job/yugabyte-db-phabricator/305807/artifact/build/tsan-clang17-dynamic-ninja/yb-test-logs/tests-master__flush_manager-test/FlushManagerTest_TestRpcFailureSingleTserverDown.log

WARNING: ThreadSanitizer: heap-use-after-free (pid=256066) Read of size 8 at 0x7b040004c5c8 by thread T202:
#0 std::unique_ptr<yb::client::YBClient::Data, std::default_deleteyb::client::YBClient::Data>::operator->abi:ue170006 const ${YB_THIRDPARTY_DIR}/installed/tsan/libcxx/include/c++/v1/__memory/unique_ptr.h:277:19 (libyb_client.so+0x30d2ff)
#1 yb::client::internal::Batcher::LookupTabletFor(yb::client::internal::InFlightOp*) ${YB_SRC_ROOT}/src/yb/client/batcher.cc:322:3 (libyb_client.so+0x30d2ff)
#2 yb::client::internal::Batcher::FlushAsync(boost::function<void (yb::Status const&)>, yb::StronglyTypedBoolyb::client::internal::IsWithinTransactionRetry_Tag) ${YB_SRC_ROOT}/src/yb/client/batcher.cc:273:7 (libyb_client.so+0x30c42b)
#3 yb::client::(anonymous namespace)::FlushBatcherAsync(std::shared_ptryb::client::internal::Batcher const&, boost::function<void (yb::client::FlushStatus*)>, yb::client::YBSession::BatcherConfig, yb::StronglyTypedBoolyb::client::internal::IsWithinTransactionRetry_Tag) ${YB_SRC_ROOT}/src/yb/client/session.cc:217:12 (libyb_client.so+0x4b1b5c)
#4 yb::client::YBSession::FlushAsync(boost::function<void (yb::client::FlushStatus*)>) ${YB_SRC_ROOT}/src/yb/client/session.cc:236:5 (libyb_client.so+0x4b178c)

Thread T202 'rpc_tp_CQLServe' (tid=256272, running) created by thread T194 at:
#0 pthread_create ${YB_LLVM_TOOLCHAIN_DIR}-build/src/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:1020:3 (flush_manager-test+0xa715b)
#1 yb::Thread::TryStartThread(yb::Thread*) ${YB_SRC_ROOT}/src/yb/util/thread.cc:771:3 (libyb_util.so+0x4323ac)
#2 yb::Thread::StartThread(string const&, string const&, std::function<void ()>, scoped_refptr<yb::Thread>*) ${YB_SRC_ROOT}/src/yb/util/thread.cc:799:38 (libyb_util.so+0x4342e7)
#3 yb::Status yb::Thread::Create<void (yb::rpc::(anonymous namespace)::Worker::*)(), yb::rpc::(anonymous namespace)::Worker*>(string const&, string const&, void (yb::rpc::(anonymous namespace)::Worker::* const&)(), yb::rpc::(anonymous namespace)::Worker* const&, scoped_refptr<yb::Thread>*) ${YB_SRC_ROOT}/src/yb/util/thread.h:165:12 (libyrpc.so+0x1be74e)
#4 yb::rpc::(anonymous namespace)::Worker::Start(unsigned long) ${YB_SRC_ROOT}/src/yb/rpc/thread_pool.cc:72:12 (libyrpc.so+0x1be74e)
#5 yb::rpc::ThreadPool::Impl::Enqueue(yb::rpc::ThreadPoolTask*) ${YB_SRC_ROOT}/src/yb/rpc/thread_pool.cc:208:35 (libyrpc.so+0x1be74e)
#6 yb::rpc::ThreadPool::Enqueue(yb::rpc::ThreadPoolTask*) ${YB_SRC_ROOT}/src/yb/rpc/thread_pool.cc:308:17 (libyrpc.so+0x1bb39a)
#7 yb::rpc::ServicePoolImpl::Enqueue(std::shared_ptr<yb::rpc::InboundCall> const&) ${YB_SRC_ROOT}/src/yb/rpc/service_pool.cc:198:18 (libyrpc.so+0x1a575f)
#8 yb::rpc::ServicePool::QueueInboundCall(std::shared_ptr<yb::rpc::InboundCall>) ${YB_SRC_ROOT}/src/yb/rpc/service_pool.cc:485:10 (libyrpc.so+0x1a46da)
#9 yb::rpc::Messenger::Handle(std::shared_ptr<yb::rpc::InboundCall>, yb::StronglyTypedBool<yb::rpc::Queue_Tag>) ${YB_SRC_ROOT}/src/yb/rpc/messenger.cc:522:21 (libyrpc.so+0x10be71)
#10 yb::cqlserver::CQLConnectionContext::HandleCall(std::shared_ptr<yb::rpc::Connection> const&, yb::rpc::CallData*) ${YB_SRC_ROOT}/src/yb/yql/cql/cqlserver/cql_rpc.cc:133:38 (libyb-cql.so+0x7444f)
#11 non-virtual thunk to yb::cqlserver::CQLConnectionContext::HandleCall(std::shared_ptr<yb::rpc::Connection> const&, yb::rpc::CallData*) ${YB_SRC_ROOT}/src/yb/yql/cql/cqlserver/cql_rpc.cc (libyb-cql.so+0x74ae4)
#12 yb::rpc::BinaryCallParser::Parse(std::shared_ptr<yb::rpc::Connection> const&, boost::container::small_vector<iovec, 4ul, void, void> const&, yb::StronglyTypedBool<yb::rpc::ReadBufferFull_Tag>, std::shared_ptr<yb::MemTracker> const*) ${YB_SRC_ROOT}/src/yb/rpc/binary_call_parser.cc:163:7 (libyrpc.so+0xcf7f0)
#13 yb::cqlserver::CQLConnectionContext::ProcessCalls(std::shared_ptr<yb::rpc::Connection> const&, boost::container::small_vector<iovec, 4ul, void, void> const&, yb::StronglyTypedBool<yb::rpc::ReadBufferFull_Tag>) ${YB_SRC_ROOT}/src/yb/yql/cql/cqlserver/cql_rpc.cc:103:18 (libyb-cql.so+0x73e73)
#14 yb::rpc::Connection::ProcessReceived(yb::StronglyTypedBool<yb::rpc::ReadBufferFull_Tag>) ${YB_SRC_ROOT}/src/yb/rpc/connection.cc:426:27 (libyrpc.so+0xe3ee7)
#15 yb::rpc::RefinedStream::ProcessReceived(yb::StronglyTypedBool<yb::rpc::ReadBufferFull_Tag>) ${YB_SRC_ROOT}/src/yb/rpc/refined_stream.cc:152:24 (libyrpc.so+0x15a65d)
#16 yb::rpc::RefinedStream::ProcessReceived(yb::StronglyTypedBool<yb::rpc::ReadBufferFull_Tag>) ${YB_SRC_ROOT}/src/yb/rpc/refined_stream.cc:148:14 (libyrpc.so+0x15a623)
#17 non-virtual thunk to yb::rpc::RefinedStream::ProcessReceived(yb::StronglyTypedBool<yb::rpc::ReadBufferFull_Tag>) ${YB_SRC_ROOT}/src/yb/rpc/refined_stream.cc (libyrpc.so+0x15b5ad)
#18 yb::rpc::TcpStream::TryProcessReceived() ${YB_SRC_ROOT}/src/yb/rpc/tcp_stream.cc:413:17 (libyrpc.so+0x1b7666)
#19 yb::rpc::TcpStream::ReadHandler() ${YB_SRC_ROOT}/src/yb/rpc/tcp_stream.cc:339:31 (libyrpc.so+0x1b5c45)
#20 yb::rpc::TcpStream::Handler(ev::io&, int) ${YB_SRC_ROOT}/src/yb/rpc/tcp_stream.cc:276:14 (libyrpc.so+0x1b5164)
#21 void ev::base<ev_io, ev::io>::method_thunk<yb::rpc::TcpStream, &yb::rpc::TcpStream::Handler(ev::io&, int)>(ev_loop*, ev_io*, int) ${YB_THIRDPARTY_DIR}/installed/common/include/ev++.h:479:7 (libyrpc.so+0x1b9cb8)
#22 ev_invoke_pending <null> (libev.so.4+0x871a)
#23 decltype(*std::declval<yb::rpc::Reactor*&>().*std::declval<void (yb::rpc::Reactor::*&)()>()()) std::__invoke[abi:ue170006]<void (yb::rpc::Reactor::*&)(), yb::rpc::Reactor*&, void>(void (yb::rpc::Reactor::*&)(), yb::rpc::Reactor*&) ${YB_THIRDPARTY_DIR}/installed/tsan/libcxx/include/c++/v1/__type_traits/invoke.h:308:25 (libyrpc.so+0x14f62b)
#24 std::__bind_return<void (yb::rpc::Reactor::*)(), std::tuple<yb::rpc::Reactor*>, std::tuple<>, __is_valid_bind_return<void (yb::rpc::Reactor::*)(), std::tuple<yb::rpc::Reactor*>, std::tuple<>>::value>::type std::__apply_functor[abi:ue170006]<void (yb::rpc::Reactor::*)(), std::tuple<yb::rpc::Reactor*>, 0ul, std::tuple<>>(void (yb::rpc::Reactor::*&)(), std::tuple<yb::rpc::Reactor*>&, std::__tuple_indices<0ul>, std::tuple<>&&) ${YB_THIRDPARTY_DIR}/installed/tsan/libcxx/include/c++/v1/__functional/bind.h:260:12 (libyrpc.so+0x14f62b)
#25 std::__bind_return<void (yb::rpc::Reactor::*)(), std::tuple<yb::rpc::Reactor*>, std::tuple<>, __is_valid_bind_return<void (yb::rpc::Reactor::*)(), std::tuple<yb::rpc::Reactor*>, std::tuple<>>::value>::type std::__bind<void (yb::rpc::Reactor::* const&)(), yb::rpc::Reactor* const&>::operator()[abi:ue170006]<>() ${YB_THIRDPARTY_DIR}/installed/tsan/libcxx/include/c++/v1/__functional/bind.h:292:20 (libyrpc.so+0x14f62b)
#26 decltype(std::declval<std::__bind<void (yb::rpc::Reactor::* const&)(), yb::rpc::Reactor* const&>&>()()) std::__invoke[abi:ue170006]<std::__bind<void (yb::rpc::Reactor::* const&)(), yb::rpc::Reactor* const&>&>(std::__bind<void (yb::rpc::Reactor::* const&)(), yb::rpc::Reactor* const&>&) ${YB_THIRDPARTY_DIR}/installed/tsan/libcxx/include/c++/v1/__type_traits/invoke.h:340:25 (libyrpc.so+0x14f62b)
#27 void std::__invoke_void_return_wrapper<void, true>::__call[abi:ue170006]<std::__bind<void (yb::rpc::Reactor::* const&)(), yb::rpc::Reactor* const&>&>(std::__bind<void (yb::rpc::Reactor::* const&)(), yb::rpc::Reactor* const&>&) ${YB_THIRDPARTY_DIR}/installed/tsan/libcxx/include/c++/v1/__type_traits/invoke.h:415:5 (libyrpc.so+0x14f62b)
#28 std::__function::__alloc_func<std::__bind<void (yb::rpc::Reactor::* const&)(), yb::rpc::Reactor* const&>, std::allocator<std::__bind<void (yb::rpc::Reactor::* const&)(), yb::rpc::Reactor* const&>>, void ()>::operator()[abi:ue170006]() ${YB_THIRDPARTY_DIR}/installed/tsan/libcxx/include/c++/v1/__functional/function.h:192:16 (libyrpc.so+0x14f62b)
#29 std::__function::__func<std::__bind<void (yb::rpc::Reactor::* const&)(), yb::rpc::Reactor* const&>, std::allocator<std::__bind<void (yb::rpc::Reactor::* const&)(), yb::rpc::Reactor* const&>>, void ()>::operator()() ${YB_THIRDPARTY_DIR}/installed/tsan/libcxx/include/c++/v1/__functional/function.h:363:12 (libyrpc.so+0x14f62b)
#30 std::__function::__value_func<void ()>::operator()[abi:ue170006]() const ${YB_THIRDPARTY_DIR}/installed/tsan/libcxx/include/c++/v1/__functional/function.h:517:16 (libyb_util.so+0x4333af)
#31 std::function<void ()>::operator()() const ${YB_THIRDPARTY_DIR}/installed/tsan/libcxx/include/c++/v1/__functional/function.h:1168:12 (libyb_util.so+0x4333af)
#32 yb::Thread::SuperviseThread(void*) ${YB_SRC_ROOT}/src/yb/util/thread.cc:884:3 (libyb_util.so+0x4333af)

Issue Type

kind/bug

Warning: Please confirm that this issue does not contain any sensitive information

• I confirm this issue does not contain any sensitive information.