jacktengg opened a new issue, #14360: URL: https://github.com/apache/doris/issues/14360
### Search before asking - [X] I had searched in the [issues](https://github.com/apache/doris/issues?q=is%3Aissue) and found no similar issues. ### Version master a4d4fc8c02fc1c513ad10031eb35180d4f107407 ### What's Wrong? be core dump when runniing P1 regression: ``` start time: Tue Nov 15 22:54:55 CST 2022 ================================================================= ==2845958==ERROR: AddressSanitizer: heap-use-after-free on address 0x61c00154e504 at pc 0x55da5e006f32 bp 0x7e8f2fa74c70 sp 0x7e8f2fa74c60 READ of size 1 at 0x61c00154e504 thread T830 #0 0x55da5e006f31 in doris::RuntimeState::enable_vectorized_exec() const /mnt/disk1/tengjianping/doris-test/be/src/runtime/runtime_state.h:321 #1 0x55da5e446874 in doris::RuntimePredicateWrapper::RuntimePredicateWrapper(doris::RuntimeState*, doris::ObjectPool*, doris::PrimitiveType, doris::RuntimeFilterType, doris::UniqueId, unsigned int) /mnt/disk1/tengjianping/doris-test/be/src/exprs/runtime_filter.cpp:425 #2 0x55da5e459e4b in doris::Status doris::IRuntimeFilter::_create_wrapper<doris::MergeRuntimeFilterParams>(doris::RuntimeState*, doris::MergeRuntimeFilterParams const*, doris::ObjectPool*, std::unique_ptr<doris::RuntimePredicateWrapper, std::default_delete<doris::RuntimePredicateWrapper> >*) /mnt/disk1/tengjianping/doris-test/be/src/exprs/runtime_filter.cpp:1349 #3 0x55da5e42fc19 in doris::IRuntimeFilter::create_wrapper(doris::RuntimeState*, doris::MergeRuntimeFilterParams const*, doris::ObjectPool*, std::unique_ptr<doris::RuntimePredicateWrapper, std::default_delete<doris::RuntimePredicateWrapper> >*) /mnt/disk1/tengjianping/doris-test/be/src/exprs/runtime_filter.cpp:1324 #4 0x55da5ebcb817 in doris::RuntimeFilterMergeControllerEntity::merge(doris::PMergeFilterRequest const*, butil::IOBufAsZeroCopyInputStream*) /mnt/disk1/tengjianping/doris-test/be/src/runtime/runtime_filter_mgr.cpp:202 #5 0x55da5ec88694 in doris::FragmentMgr::merge_filter(doris::PMergeFilterRequest const*, butil::IOBufAsZeroCopyInputStream*) /mnt/disk1/tengjianping/doris-test/be/src/runtime/fragment_mgr.cpp:1030 #6 0x55da5f2c8baa in doris::PInternalServiceImpl::merge_filter(google::protobuf::RpcController*, doris::PMergeFilterRequest const*, doris::PMergeFilterResponse*, google::protobuf::Closure*) /mnt/disk1/tengjianping/doris-test/be/src/service/internal_service.cpp:587 #7 0x55da5fed6215 in doris::PBackendService::CallMethod(google::protobuf::MethodDescriptor const*, google::protobuf::RpcController*, google::protobuf::Message const*, google::protobuf::Message*, google::protobuf::Closure*) /mnt/disk1/tengjianping/doris-test/gensrc/build/gen_cpp/internal_service.pb.cc:24477 #8 0x55da694667d4 in brpc::policy::ProcessRpcRequest(brpc::InputMessageBase*) (/mnt/disk1/tengjianping/doris/output/be/lib/doris_be+0x19b617d4) #9 0x55da6945b8a6 in brpc::ProcessInputMessage(void*) (/mnt/disk1/tengjianping/doris/output/be/lib/doris_be+0x19b568a6) #10 0x55da6945c7c0 in brpc::InputMessenger::OnNewMessages(brpc::Socket*) (/mnt/disk1/tengjianping/doris/output/be/lib/doris_be+0x19b577c0) #11 0x55da6957effd in brpc::Socket::ProcessEvent(void*) (/mnt/disk1/tengjianping/doris/output/be/lib/doris_be+0x19c79ffd) #12 0x55da693ef03e in bthread::TaskGroup::task_runner(long) (/mnt/disk1/tengjianping/doris/output/be/lib/doris_be+0x19aea03e) #13 0x55da693ec4b0 in bthread_make_fcontext (/mnt/disk1/tengjianping/doris/output/be/lib/doris_be+0x19ae74b0) 0x61c00154e504 is located 1156 bytes inside of 1784-byte region [0x61c00154e080,0x61c00154e778) freed by thread T77040 (FragmentMgrThre) here: #0 0x55da5c6da767 in operator delete(void*, unsigned long) (/mnt/disk1/tengjianping/doris/output/be/lib/doris_be+0xcdd5767) #1 0x55da5dff5ece in std::default_delete<doris::RuntimeState>::operator()(doris::RuntimeState*) const /mnt/disk1/tengjianping/local/ldb_toolchain_clang13/include/c++/11/bits/unique_ptr.h:85 #2 0x55da5dff1e9e in std::unique_ptr<doris::RuntimeState, std::default_delete<doris::RuntimeState> >::~unique_ptr() /mnt/disk1/tengjianping/local/ldb_toolchain_clang13/include/c++/11/bits/unique_ptr.h:361 #3 0x55da5ecdd8fb in doris::PlanFragmentExecutor::~PlanFragmentExecutor() /mnt/disk1/tengjianping/doris-test/be/src/runtime/plan_fragment_executor.cpp:74 #4 0x55da5ecba9c9 in doris::FragmentExecState::~FragmentExecState() /mnt/disk1/tengjianping/doris-test/be/src/runtime/fragment_mgr.cpp:80 #5 0x55da5ecc650c in std::_Sp_counted_ptr<doris::FragmentExecState*, (__gnu_cxx::_Lock_policy)2>::_M_dispose() /mnt/disk1/tengjianping/local/ldb_toolchain_clang13/include/c++/11/bits/shared_ptr_base.h:348 #6 0x55da5c74d41a in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /mnt/disk1/tengjianping/local/ldb_toolchain_clang13/include/c++/11/bits/shared_ptr_base.h:168 #7 0x55da5c745f6b in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /mnt/disk1/tengjianping/local/ldb_toolchain_clang13/include/c++/11/bits/shared_ptr_base.h:702 #8 0x55da5ec9d5a9 in std::__shared_ptr<doris::FragmentExecState, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /mnt/disk1/tengjianping/local/ldb_toolchain_clang13/include/c++/11/bits/shared_ptr_base.h:1149 #9 0x55da5ec9d62d in std::shared_ptr<doris::FragmentExecState>::~shared_ptr() /mnt/disk1/tengjianping/local/ldb_toolchain_clang13/include/c++/11/bits/shared_ptr.h:122 #10 0x55da5ec7d119 in ~<lambda> /mnt/disk1/tengjianping/doris-test/be/src/runtime/fragment_mgr.cpp:728 #11 0x55da5ec8a9e6 in _M_destroy /mnt/disk1/tengjianping/local/ldb_toolchain_clang13/include/c++/11/bits/std_function.h:174 #12 0x55da5ec8a3e7 in _M_manager /mnt/disk1/tengjianping/local/ldb_toolchain_clang13/include/c++/11/bits/std_function.h:200 #13 0x55da5ec89ae8 in _M_manager /mnt/disk1/tengjianping/local/ldb_toolchain_clang13/include/c++/11/bits/std_function.h:283 #14 0x55da5c7906c9 in std::_Function_base::~_Function_base() /mnt/disk1/tengjianping/local/ldb_toolchain_clang13/include/c++/11/bits/std_function.h:245 #15 0x55da5c790c81 in std::function<void ()>::~function() /mnt/disk1/tengjianping/local/ldb_toolchain_clang13/include/c++/11/bits/std_function.h:328 #16 0x55da5f66d8cc in doris::FunctionRunnable::~FunctionRunnable() /mnt/disk1/tengjianping/doris-test/be/src/util/threadpool.cpp:41 #17 0x55da5f66dc57 in void __gnu_cxx::new_allocator<doris::FunctionRunnable>::destroy<doris::FunctionRunnable>(doris::FunctionRunnable*) /mnt/disk1/tengjianping/local/ldb_toolchain_clang13/include/c++/11/ext/new_allocator.h:162 #18 0x55da5f66dbde in void std::allocator_traits<std::allocator<doris::FunctionRunnable> >::destroy<doris::FunctionRunnable>(std::allocator<doris::FunctionRunnable>&, doris::FunctionRunnable*) /mnt/disk1/tengjianping/local/ldb_toolchain_clang13/include/c++/11/bits/alloc_traits.h:531 #19 0x55da5f66d9c4 in std::_Sp_counted_ptr_inplace<doris::FunctionRunnable, std::allocator<doris::FunctionRunnable>, (__gnu_cxx::_Lock_policy)2>::_M_dispose() /mnt/disk1/tengjianping/local/ldb_toolchain_clang13/include/c++/11/bits/shared_ptr_base.h:528 #20 0x55da5c74d41a in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /mnt/disk1/tengjianping/local/ldb_toolchain_clang13/include/c++/11/bits/shared_ptr_base.h:168 #21 0x55da5c745f6b in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /mnt/disk1/tengjianping/local/ldb_toolchain_clang13/include/c++/11/bits/shared_ptr_base.h:702 #22 0x55da5d6d02e9 in std::__shared_ptr<doris::Runnable, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /mnt/disk1/tengjianping/local/ldb_toolchain_clang13/include/c++/11/bits/shared_ptr_base.h:1149 #23 0x55da5f6552d7 in std::__shared_ptr<doris::Runnable, (__gnu_cxx::_Lock_policy)2>::reset() /mnt/disk1/tengjianping/local/ldb_toolchain_clang13/include/c++/11/bits/shared_ptr_base.h:1267 #24 0x55da5f64bafa in doris::ThreadPool::dispatch_thread() /mnt/disk1/tengjianping/doris-test/be/src/util/threadpool.cpp:542 #25 0x55da5f66d46d in void std::__invoke_impl<void, void (doris::ThreadPool::*&)(), doris::ThreadPool*&>(std::__invoke_memfun_deref, void (doris::ThreadPool::*&)(), doris::ThreadPool*&) /mnt/disk1/tengjianping/local/ldb_toolchain_clang13/include/c++/11/bits/invoke.h:74 #26 0x55da5f66cd0c in std::__invoke_result<void (doris::ThreadPool::*&)(), doris::ThreadPool*&>::type std::__invoke<void (doris::ThreadPool::*&)(), doris::ThreadPool*&>(void (doris::ThreadPool::*&)(), doris::ThreadPool*&) /mnt/disk1/tengjianping/local/ldb_toolchain_clang13/include/c++/11/bits/invoke.h:96 #27 0x55da5f66c0ab in void std::_Bind<void (doris::ThreadPool::*(doris::ThreadPool*))()>::__call<void, , 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) /mnt/disk1/tengjianping/local/ldb_toolchain_clang13/include/c++/11/functional:420 #28 0x55da5f66abbc in void std::_Bind<void (doris::ThreadPool::*(doris::ThreadPool*))()>::operator()<, void>() /mnt/disk1/tengjianping/local/ldb_toolchain_clang13/include/c++/11/functional:503 #29 0x55da5f6677ad in void std::__invoke_impl<void, std::_Bind<void (doris::ThreadPool::*(doris::ThreadPool*))()>&>(std::__invoke_other, std::_Bind<void (doris::ThreadPool::*(doris::ThreadPool*))()>&) /mnt/disk1/tengjianping/local/ldb_toolchain_clang13/include/c++/11/bits/invoke.h:61 previously allocated by thread T853 here: #0 0x55da5c6d9707 in operator new(unsigned long) (/mnt/disk1/tengjianping/doris/output/be/lib/doris_be+0xcdd4707) Thread T830 created by T0 here: #0 0x55da5c67c061 in pthread_create (/mnt/disk1/tengjianping/doris/output/be/lib/doris_be+0xcd77061) #1 0x55da693da4fb in bthread::TaskControl::add_workers(int) (/mnt/disk1/tengjianping/doris/output/be/lib/doris_be+0x19ad54fb) #2 0x55da693d6fdc in bthread_setconcurrency (/mnt/disk1/tengjianping/doris/output/be/lib/doris_be+0x19ad1fdc) #3 0x55da695492b9 in brpc::Server::StartInternal(butil::EndPoint const&, brpc::PortRange const&, brpc::ServerOptions const*) (/mnt/disk1/tengjianping/doris/output/be/lib/doris_be+0x19c442b9) #4 0x55da6954b1a9 in brpc::Server::Start(butil::EndPoint const&, brpc::ServerOptions const*) (/mnt/disk1/tengjianping/doris/output/be/lib/doris_be+0x19c461a9) #5 0x55da6954b341 in brpc::Server::Start(int, brpc::ServerOptions const*) (/mnt/disk1/tengjianping/doris/output/be/lib/doris_be+0x19c46341) #6 0x55da5f2952cf in doris::BRpcService::start(int, int) /mnt/disk1/tengjianping/doris-test/be/src/service/brpc_service.cpp:52 #7 0x55da5c729866 in main /mnt/disk1/tengjianping/doris-test/be/src/service/doris_main.cpp:435 #8 0x7f438e956492 in __libc_start_main (/lib64/libc.so.6+0x23492) Thread T77040 (FragmentMgrThre) created by T819 here: #0 0x55da5c67c061 in pthread_create (/mnt/disk1/tengjianping/doris/output/be/lib/doris_be+0xcd77061) Thread T819 created by T0 here: #0 0x55da5c67c061 in pthread_create (/mnt/disk1/tengjianping/doris/output/be/lib/doris_be+0xcd77061) #1 0x55da693da4fb in bthread::TaskControl::add_workers(int) (/mnt/disk1/tengjianping/doris/output/be/lib/doris_be+0x19ad54fb) #2 0x55da693d6fdc in bthread_setconcurrency (/mnt/disk1/tengjianping/doris/output/be/lib/doris_be+0x19ad1fdc) #3 0x55da695492b9 in brpc::Server::StartInternal(butil::EndPoint const&, brpc::PortRange const&, brpc::ServerOptions const*) (/mnt/disk1/tengjianping/doris/output/be/lib/doris_be+0x19c442b9) #4 0x55da6954b1a9 in brpc::Server::Start(butil::EndPoint const&, brpc::ServerOptions const*) (/mnt/disk1/tengjianping/doris/output/be/lib/doris_be+0x19c461a9) #5 0x55da6954b341 in brpc::Server::Start(int, brpc::ServerOptions const*) (/mnt/disk1/tengjianping/doris/output/be/lib/doris_be+0x19c46341) #6 0x55da5f2952cf in doris::BRpcService::start(int, int) /mnt/disk1/tengjianping/doris-test/be/src/service/brpc_service.cpp:52 #7 0x55da5c729866 in main /mnt/disk1/tengjianping/doris-test/be/src/service/doris_main.cpp:435 #8 0x7f438e956492 in __libc_start_main (/lib64/libc.so.6+0x23492) Thread T853 created by T0 here: #0 0x55da5c67c061 in pthread_create (/mnt/disk1/tengjianping/doris/output/be/lib/doris_be+0xcd77061) #1 0x55da693da4fb in bthread::TaskControl::add_workers(int) (/mnt/disk1/tengjianping/doris/output/be/lib/doris_be+0x19ad54fb) #2 0x55da693d6fdc in bthread_setconcurrency (/mnt/disk1/tengjianping/doris/output/be/lib/doris_be+0x19ad1fdc) #3 0x55da695492b9 in brpc::Server::StartInternal(butil::EndPoint const&, brpc::PortRange const&, brpc::ServerOptions const*) (/mnt/disk1/tengjianping/doris/output/be/lib/doris_be+0x19c442b9) #4 0x55da6954b1a9 in brpc::Server::Start(butil::EndPoint const&, brpc::ServerOptions const*) (/mnt/disk1/tengjianping/doris/output/be/lib/doris_be+0x19c461a9) #5 0x55da6954b341 in brpc::Server::Start(int, brpc::ServerOptions const*) (/mnt/disk1/tengjianping/doris/output/be/lib/doris_be+0x19c46341) #6 0x55da5f2952cf in doris::BRpcService::start(int, int) /mnt/disk1/tengjianping/doris-test/be/src/service/brpc_service.cpp:52 #7 0x55da5c729866 in main /mnt/disk1/tengjianping/doris-test/be/src/service/doris_main.cpp:435 #8 0x7f438e956492 in __libc_start_main (/lib64/libc.so.6+0x23492) SUMMARY: AddressSanitizer: heap-use-after-free /mnt/disk1/tengjianping/doris-test/be/src/runtime/runtime_state.h:321 in doris::RuntimeState::enable_vectorized_exec() const Shadow bytes around the buggy address: 0x0c38802a1c50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c38802a1c60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c38802a1c70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c38802a1c80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c38802a1c90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd =>0x0c38802a1ca0:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c38802a1cb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c38802a1cc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c38802a1cd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c38802a1ce0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa 0x0c38802a1cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==2845958==ABORTING ``` ### What You Expected? Run p1 OK ### How to Reproduce? _No response_ ### Anything Else? _No response_ ### Are you willing to submit PR? - [X] Yes I am willing to submit a PR! ### Code of Conduct - [X] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
