Quantile seems to overflow, with undefined behavior #235

Closed
@filonenko-mikhail

Description

@filonenko-mikhail
quantile = require('metrics.quantile') -- reproducer: one shared quantile stream fed from the main fiber and from 200 background fibers (comments stay on existing lines so line numbers are unchanged)
fiber = require('fiber')

q = quantile.NewTargeted({[0.5]=0.01, [0.9]=0.01, [0.99]=0.01}) -- keys look like target quantiles, values presumably the tolerated error -- TODO confirm against metrics.quantile
print(q)

for i=1,1e6 do quantile.Insert(q, math.random(1)) end -- math.random(1) always yields 1, so this is 1e6 identical samples

for i=1,200 do -- 200 fibers, every one of them inserting into the same object q
    fiber.new(function() -- NOTE(review): fiber.new presumably only schedules the fiber, so the body runs once the main fiber yields -- confirm
        for i=1,1e2 do quantile.Insert(q, math.random(1000)) end -- 100 samples in 1..1000 per fiber; this is line 11 if the listing is the whole script
    end)
end

for i=1,1e6 do quantile.Insert(q, math.random(1000)) end -- a further 1e6 samples in 1..1000 from the main fiber

require('console').start() -- quantile, fiber and q are globals (no `local`), not locals of this chunk
LuajitError: ../test2.lua:11: attempt to call field 'Insert' (a nil value)
Segmentation fault
  code: 128
  addr: (nil)
  context: 0x7f64519ff780
  siginfo: 0x7f64519ff8b0
  rax      0x40173800         1075263488
  rbx      0x4165c010         1097187344
  rcx      0x4                4
  rdx      0x1800             6144
  rsi      0x4063a00000000000 4639727962982187008
  rdi      0x0                0
  rsp      0x7f64519ffd30     140068842896688
  rbp      0x0                0
  r8       0x4063a00000000000 4639727962982187008
  r9       0x633aa0           6503072
  r10      0x414ebf30         1095679792
  r11      0x414fe470         1095754864
  r12      0xffffffff         4294967295
  r13      0x22               34
  r14      0x4165c3b8         1097188280
  r15      0x417b91f0         1098617328
  rip      0x633266           6500966
  eflags   0x10206            66054
  cs       0x33               51
  gs       0x0                0
  fs       0x0                0
  cr2      0x0                0
  err      0x0                0
  oldmask  0x0                0
  trapno   0xd                13
Current time: 1620824508
Please file a bug at http://github.com/tarantool/tarantool/issues
Attempting backtrace... Note: since the server has already crashed, 
this may fail as well
#0  0x5e9f19 in print_backtrace+9
#1  0x455ff7 in _ZL12sig_fatal_cbiP9siginfo_tPv+c7
#2  0x7f645a6e8630 in _L_unlock_13+34
#3  0x633266 in lj_alloc_free+326
#4  0x641700 in lj_cdata_free+80
#5  0x613c90 in gc_sweep+a0
#6  0x6146d4 in gc_onestep+44
#7  0x614e64 in lj_gc_step+54
#8  0x627ae8 in lj_cf_ffi_meta___index+b8
#9  0x64989b in lj_BC_FUNCC+34
#10 0x60fdc8 in lua_pcall+78
#11 0x5cbce3 in luaT_call+13
#12 0x5c4a29 in lua_main+59
#13 0x5c4ea3 in run_script_f+463
#14 0x4554cc in _ZL16fiber_cxx_invokePFiP13__va_list_tagES0_+c
#15 0x5e6440 in fiber_loop+30
#16 0x80d8af in coro_init+3f
Aborted

It seems the array is being written out of bounds in:

--- Insert appends v to the stream's pending-sample buffer.
-- The sample is stored at index `b_len` of `stream_obj.b`, the counters are
-- advanced, and the stream is flushed and compressed once either counter
-- reaches `__max_samples`.
-- NOTE(review): `b` is passed to ffi.sizeof, so it is presumably an FFI array.
-- LuaJIT does not bounds-check FFI array stores, so without the guard below an
-- index past the end corrupts the heap instead of raising an error.
-- NOTE(review): the flush trigger uses `==`; if a counter ever steps past
-- `__max_samples` (for instance if flush/compress can yield to another fiber
-- that keeps inserting -- not visible here, confirm), it would not fire again.
-- @param stream_obj stream object carrying b, b_len, compress_cnt, sorted and __max_samples
-- @param v sample value to record
function quantile.Insert(stream_obj, v)
    -- Buffer capacity in elements; 16 is taken as the element size in bytes
    -- (TODO confirm against the ctype of `b`).
    local capacity = ffi.sizeof(stream_obj.b) / 16
    local used = stream_obj.b_len

    -- Refuse the write rather than store past the end of the buffer.
    if not (used < capacity) then
        error('b_len ' .. tostring(used) .. ' out of array bound ' .. capacity, 0)
    end

    stream_obj.b[used] = v

    local filled = used + 1
    local since_compress = stream_obj.compress_cnt + 1
    stream_obj.b_len = filled
    stream_obj.compress_cnt = since_compress
    stream_obj.sorted = false

    local limit = stream_obj.__max_samples
    if filled ~= limit and since_compress ~= limit then
        return
    end

    stream_obj:flush()
    stream_obj:compress()
end
