Rebase 811 - spdb memtable use after free bug

[Yuval-Ariel]

during a stress test run, the following error happened:

[2023-05-09 19:59:11.609955] WARNING: db_stress (pid=155455) ended before kill: exitcode=1                                                 
                                                                                                                                                                                                                                                                                          
check_mode=0, kill option=88889, exitcode=1                                                                                                  
                                                                                                                                             
                                                                      
WARNING: prefix_size is non-zero but memtablerep != prefix_hash                                                                              
=================================================================
==155455==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110006dd9a0 at pc 0x7f4a9b6fca37 bp 0x7f4a59cd7df0 sp 0x7f4a59cd7de0
READ of size 1 at 0x6110006dd9a0 thread T235                                                                                                 
    #0 0x7f4a9b6fca36 in std::__atomic_base<bool>::load(std::memory_order) const /usr/include/c++/9/bits/atomic_base.h:419
    #1 0x7f4a9b6fca36 in std::atomic<bool>::operator bool() const /usr/include/c++/9/atomic:88               
    #2 0x7f4a9b6fca36 in Add plugin/speedb/memtable/hash_spd_rep.cc:201                           
    #3 0x7f4a9b6fca36 in InternalInsert plugin/speedb/memtable/hash_spd_rep.cc:280
    #4 0x7f4a9b702f21 in Insert plugin/speedb/memtable/hash_spd_rep.cc:288
    #5 0x7f4a9b702f21 in InsertKey plugin/speedb/memtable/hash_spd_rep.cc:564
    #6 0x7f4a9a5148b5 in rocksdb::MemTable::Add(unsigned long, rocksdb::ValueType, rocksdb::Slice const&, rocksdb::Slice const&, rocksdb::ProtectionInfoKVOS<unsigned long> const*, bool, rocksdb::MemTablePostProcessInfo*, void**) db/memtable.cc:774
    #7 0x7f4a9a8c95e2 in PutCFImpl db/write_batch.cc:2024
    #8 0x7f4a9a8ce991 in PutCF db/write_batch.cc:2143                                                                                        
    #9 0x7f4a9a8873b2 in rocksdb::WriteBatchInternal::Iterate(rocksdb::WriteBatch const*, rocksdb::WriteBatch::Handler*, unsigned long, unsigned long) db/write_batch.cc:535
    #10 0x7f4a9a8899ed in rocksdb::WriteBatch::Iterate(rocksdb::WriteBatch::Handler*) const db/write_batch.cc:475
    #11 0x7f4a9a894a71 in rocksdb::WriteBatchInternal::InsertInto(rocksdb::WriteThread::WriteGroup&, unsigned long, rocksdb::ColumnFamilyMemTables*, rocksdb::FlushScheduler*, rocksdb::TrimHistoryScheduler*, bool, unsigned long, rocksdb::DB*, bool, bool, bool) db/write_batch.cc:2898
    #12 0x7f4a9a3350d8 in rocksdb::DBImpl::PipelinedWriteImpl(rocksdb::WriteOptions const&, rocksdb::WriteBatch*, rocksdb::WriteCallback*, unsigned long*, unsigned long, bool, unsigned long*) db/db_impl/db_impl_write.cc:796
    #13 0x7f4a9a3429a5 in rocksdb::DBImpl::WriteImpl(rocksdb::WriteOptions const&, rocksdb::WriteBatch*, rocksdb::WriteCallback*, unsigned long*, unsigned long, bool, unsigned long*, unsigned long, rocksdb::PreReleaseCallback*, rocksdb::PostMemTableCallback*) db/db_impl/db_impl_wri
te.cc:309                                                
    #14 0x7f4a9a34ae60 in rocksdb::DBImpl::Write(rocksdb::WriteOptions const&, rocksdb::WriteBatch*) db/db_impl/db_impl_write.cc:146
    #15 0x7f4a9a34d071 in rocksdb::DB::Put(rocksdb::WriteOptions const&, rocksdb::ColumnFamilyHandle*, rocksdb::Slice const&, rocksdb::Slice const&, rocksdb::Slice const&) db/db_impl/db_impl_write.cc:2364
    #16 0x7f4a9a34d867 in rocksdb::DBImpl::Put(rocksdb::WriteOptions const&, rocksdb::ColumnFamilyHandle*, rocksdb::Slice const&, rocksdb::Slice const&, rocksdb::Slice const&) db/db_impl/db_impl_write.cc:37
    #17 0x564a38cfe739 in rocksdb::NonBatchedOpsStressTest::TestPut(rocksdb::ThreadState*, rocksdb::WriteOptions&, rocksdb::ReadOptions const&, std::vector<int, std::allocator<int> > const&, std::vector<long, std::allocator<long> > const&, char (&) [100]) db_stress_tool/no_batched_
ops_stress.cc:1025                                                                                                                                                                                                                                                                        
    #18 0x564a38e1d788 in rocksdb::StressTest::OperateDb(rocksdb::ThreadState*) db_stress_tool/db_stress_test_base.cc:1069
    #19 0x564a38da1398 in rocksdb::ThreadBody(void*) db_stress_tool/db_stress_driver.cc:33
    #20 0x7f4a9a9c11ce in StartThreadWrapper env/env_posix.cc:461
    #21 0x7f4a99610608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
    #22 0x7f4a990bf132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
                                                                      
0x6110006dd9a0 is located 32 bytes inside of 200-byte region [0x6110006dd980,0x6110006dda48)
freed by thread T251 here:                                       
    #0 0x7f4a9c037c65 in operator delete(void*, unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:177
    #1 0x7f4a9b700f10 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/9/bits/shared_ptr_base.h:155
    #2 0x7f4a9b700f10 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/9/bits/shared_ptr_base.h:148
    #3 0x7f4a9b700f10 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/include/c++/9/bits/shared_ptr_base.h:730
    #4 0x7f4a9b700f10 in ~__shared_ptr /usr/include/c++/9/bits/shared_ptr_base.h:1169
    #5 0x7f4a9b700f10 in ~shared_ptr /usr/include/c++/9/bits/shared_ptr.h:103
    #6 0x7f4a9b700f10 in ~SortHeapItem plugin/speedb/memtable/spdb_sorted_vector.h:99
    #7 0x7f4a9b700f10 in ~SpdbVectorIterator plugin/speedb/memtable/spdb_sorted_vector.h:288
    #8 0x7f4a9a529f35 in rocksdb::MemTableIterator::~MemTableIterator() db/memtable.cc:404
    #9 0x7f4a9aff533a in rocksdb::IteratorWrapperBase<rocksdb::Slice>::DeleteIter(bool) table/iterator_wrapper.h:53
    #10 0x7f4a9aff533a in rocksdb::MergingIterator::~MergingIterator() table/merging_iterator.cc:133
    #11 0x564a38d523a6 in rocksdb::IteratorWrapperBase<rocksdb::Slice>::DeleteIter(bool) table/iterator_wrapper.h:53
    #12 0x564a38d523a6 in rocksdb::DBIter::~DBIter() db/db_iter.h:136
    #13 0x7f4a99c8637e in rocksdb::ArenaWrappedDBIter::~ArenaWrappedDBIter() db/arena_wrapped_db_iter.h:40
    #14 0x7f4a99c8637e in rocksdb::ArenaWrappedDBIter::~ArenaWrappedDBIter() db/arena_wrapped_db_iter.h:44
    #15 0x564a38de4cd0 in std::unique_ptr<rocksdb::Iterator, std::default_delete<rocksdb::Iterator> >::~unique_ptr() /usr/include/c++/9/bits/unique_ptr.h:81
    #16 0x564a38de4cd0 in rocksdb::StressTest::TestIterate(rocksdb::ThreadState*, rocksdb::ReadOptions const&, std::vector<int, std::allocator<int> > const&, std::vector<long, std::allocator<long> > const&) db_stress_tool/db_stress_test_base.cc:1298
    #17 0x564a38e21c60 in rocksdb::StressTest::OperateDb(rocksdb::ThreadState*) db_stress_tool/db_stress_test_base.cc:1095
    #18 0x564a38da1398 in rocksdb::ThreadBody(void*) db_stress_tool/db_stress_driver.cc:33
    #19 0x7f4a9a9c11ce in StartThreadWrapper env/env_posix.cc:461
    #20 0x7f4a99610608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477

previously allocated by thread T241 here:
    #0 0x7f4a9c036587 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:104
    #1 0x7f4a9b707863 in InitIterator plugin/speedb/memtable/hash_spd_rep.cc:336
    #2 0x7f4a9b707863 in SpdbVectorIterator plugin/speedb/memtable/spdb_sorted_vector.h:271
    #3 0x7f4a9b707863 in GetIterator plugin/speedb/memtable/hash_spd_rep.cc:603
    #4 0x7f4a9a503830 in rocksdb::MemTableRep::GetDynamicPrefixIterator(rocksdb::Arena*) include/rocksdb/memtablerep.h:279
    #5 0x7f4a9a503830 in rocksdb::MemTableIterator::MemTableIterator(rocksdb::MemTable const&, rocksdb::ReadOptions const&, rocksdb::Arena*, bool) db/memtable.cc:384
    #6 0x7f4a9a503830 in rocksdb::MemTable::NewIterator(rocksdb::ReadOptions const&, rocksdb::Arena*) db/memtable.cc:552
    #7 0x7f4a9a02856f in rocksdb::DBImpl::NewInternalIterator(rocksdb::ReadOptions const&, rocksdb::ColumnFamilyData*, rocksdb::SuperVersion*, rocksdb::Arena*, unsigned long, bool, rocksdb::ArenaWrappedDBIter*) db/db_impl/db_impl.cc:1970
    #8 0x7f4a9a029443 in rocksdb::DBImpl::NewIteratorImpl(rocksdb::ReadOptions const&, rocksdb::ColumnFamilyData*, unsigned long, rocksdb::ReadCallback*, bool, bool) db/db_impl/db_impl.cc:3594
    #9 0x7f4a9a029e30 in rocksdb::DBImpl::NewIterator(rocksdb::ReadOptions const&, rocksdb::ColumnFamilyHandle*) db/db_impl/db_impl.cc:3511
    #10 0x564a38ce52fb in rocksdb::NonBatchedOpsStressTest::TestPrefixScan(rocksdb::ThreadState*, rocksdb::ReadOptions const&, std::vector<int, std::allocator<int> > const&, std::vector<long, std::allocator<long> > const&) db_stress_tool/no_batched_ops_stress.cc:879
    #11 0x564a38e1ca89 in rocksdb::StressTest::OperateDb(rocksdb::ThreadState*) db_stress_tool/db_stress_test_base.cc:1065
    #12 0x564a38da1398 in rocksdb::ThreadBody(void*) db_stress_tool/db_stress_driver.cc:33
    #13 0x7f4a9a9c11ce in StartThreadWrapper env/env_posix.cc:461
    #14 0x7f4a99610608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477

[ayulas]

its the same race with the set vector to immutable and insert new item. the iterator just hods the shared pointer to the vectors but if a merge vector procedure happened in the background shared pointer is being released and the moment the iterator is released and the race happened the vector is not valid and i try to access it

[erez-speedb]

Perf tests (small/large) shows less memory consumption with no degradation
about 100MB less in the large and 300MB in the small