Redis [CRASH]Redis 4.0.14 crashed by signal: 11

Crash report

Paste the complete crash log between the quotes below. Please include a few lines from the log preceding the crash report to provide some context.

=== REDIS BUG REPORT START: Cut & paste starting from here ===
23260:M 16 Apr 22:34:01.753 # Redis 4.0.14 crashed by signal: 11
23260:M 16 Apr 22:34:01.753 # Crashed running the instruction at: 0x46aee5
23260:M 16 Apr 22:34:01.753 # Accessing address: 0x2b19ee400000
23260:M 16 Apr 22:34:01.753 # Failed assertion: <no assertion failed> (<no file>:0)

------ STACK TRACE ------
EIP:
/apps/svr/redis-4.0.14/bin/redis-server 0.0.0.0:6383 [cluster](intsetGet+0x15)[0x46aee5]

Backtrace:
/apps/svr/redis-4.0.14/bin/redis-server 0.0.0.0:6383 [cluster](logStackTrace+0x29)[0x468ad9]
/apps/svr/redis-4.0.14/bin/redis-server 0.0.0.0:6383 [cluster](sigsegvHandler+0xac)[0x46917c]
/lib64/libpthread.so.0(+0xf370)[0x2b19e7085370]
/apps/svr/redis-4.0.14/bin/redis-server 0.0.0.0:6383 [cluster](intsetGet+0x15)[0x46aee5]
/apps/svr/redis-4.0.14/bin/redis-server 0.0.0.0:6383 [cluster](setTypeNext+0x2e)[0x44f91e]
/apps/svr/redis-4.0.14/bin/redis-server 0.0.0.0:6383 [cluster](sinterGenericCommand+0x1b2)[0x4505a2]
/apps/svr/redis-4.0.14/bin/redis-server 0.0.0.0:6383 [cluster](call+0x9e)[0x42c11e]
/apps/svr/redis-4.0.14/bin/redis-server 0.0.0.0:6383 [cluster](processCommand+0x3c7)[0x42c827]
/apps/svr/redis-4.0.14/bin/redis-server 0.0.0.0:6383 [cluster](processInputBuffer+0x105)[0x43b965]
/apps/svr/redis-4.0.14/bin/redis-server 0.0.0.0:6383 [cluster](aeProcessEvents+0x2a0)[0x426840]
/apps/svr/redis-4.0.14/bin/redis-server 0.0.0.0:6383 [cluster](aeMain+0x2b)[0x426b0b]
/apps/svr/redis-4.0.14/bin/redis-server 0.0.0.0:6383 [cluster](main+0x49f)[0x42390f]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x2b19e72b3b35]
/apps/svr/redis-4.0.14/bin/redis-server 0.0.0.0:6383 [cluster][0x423c02]

------ CURRENT CLIENT INFO ------
id=1199664 addr=127.0.0.1:8698 fd=98 name= age=433755 idle=0 flags=N db=0 sub=0 psub=0 multi=-1 qbuf=0 qbuf-free=32768 obl=0 oll=1112 omem=18219511 events=r cmd=smembers
argv[0]: 'SMEMBERS'
argv[1]: 'ug:1:1:443209786'
23260:M 16 Apr 22:34:01.755 # key 'ug:1:1:443209786' found in DB containing the following object:
23260:M 16 Apr 22:34:01.755 # Object type: 2
23260:M 16 Apr 22:34:01.755 # Object encoding: 6
23260:M 16 Apr 22:34:01.755 # Object refcount: 1
23260:M 16 Apr 22:34:01.755 # Set size: 976304690

------ REGISTERS ------
23260:M 16 Apr 22:34:01.755 # 
RAX:00000000000000d0 RBX:00002b1a7eaefc10
RCX:00002b1aa03b9370 RDX:00007ffcb7f0d098
RDI:00002b19ee01b0a0 RSI:00000000001f27ac
RBP:00007ffcb7f0d090 RSP:00007ffcb7f0d038
R8 :0000000000000001 R9 :0000000000000000
R10:0000000000000000 R11:00002b19e7414150
R12:00002b1a7eaefc10 R13:0000000000000006
R14:0000000000000001 R15:00002b1a319ed900
RIP:000000000046aee5 EFL:0000000000010296
CSGSFS:0000000000000033
23260:M 16 Apr 22:34:01.755 # (00007ffcb7f0d047) -> 0000000000000000
23260:M 16 Apr 22:34:01.755 # (00007ffcb7f0d046) -> 00002b1b24df1680
23260:M 16 Apr 22:34:01.755 # (00007ffcb7f0d045) -> 00002b1b24df1680
23260:M 16 Apr 22:34:01.755 # (00007ffcb7f0d044) -> 0000000000000001
23260:M 16 Apr 22:34:01.755 # (00007ffcb7f0d043) -> 0000000000000000
23260:M 16 Apr 22:34:01.755 # (00007ffcb7f0d042) -> 00000000001f27ac
23260:M 16 Apr 22:34:01.755 # (00007ffcb7f0d041) -> 00002b1b88595690
23260:M 16 Apr 22:34:01.755 # (00007ffcb7f0d040) -> 0000000000000000
23260:M 16 Apr 22:34:01.755 # (00007ffcb7f0d03f) -> 0000000000000000
23260:M 16 Apr 22:34:01.755 # (00007ffcb7f0d03e) -> 00000000004505a2
23260:M 16 Apr 22:34:01.755 # (00007ffcb7f0d03d) -> 0000000000000001
23260:M 16 Apr 22:34:01.755 # (00007ffcb7f0d03c) -> 00002b1b24df1680
23260:M 16 Apr 22:34:01.755 # (00007ffcb7f0d03b) -> 0000000000000001
23260:M 16 Apr 22:34:01.755 # (00007ffcb7f0d03a) -> 000000000044f853
23260:M 16 Apr 22:34:01.755 # (00007ffcb7f0d039) -> 00002b1aa03b9370
23260:M 16 Apr 22:34:01.755 # (00007ffcb7f0d038) -> 000000000044f91e

------ FAST MEMORY TEST ------
23260:M 16 Apr 22:34:01.756 # Bio thread for job type #0 terminated
23260:M 16 Apr 22:34:01.756 # Bio thread for job type #1 terminated
23260:M 16 Apr 22:34:01.756 # Bio thread for job type #2 terminated
*** Preparing to test memory region 745000 (98304 bytes)
*** Preparing to test memory region 21ed000 (135168 bytes)
*** Preparing to test memory region 2b19e696e000 (4096 bytes)
*** Preparing to test memory region 2b19e696f000 (4096 bytes)
*** Preparing to test memory region 2b19e6979000 (16384 bytes)
*** Preparing to test memory region 2b19e6b6f000 (4096 bytes)
*** Preparing to test memory region 2b19e728e000 (16384 bytes)
*** Preparing to test memory region 2b19e764e000 (20480 bytes)
*** Preparing to test memory region 2b19e7800000 (2097152 bytes)
*** Preparing to test memory region 2b19ee000000 (2097152 bytes)
*** Preparing to test memory region 2b19ee200000 (2097152 bytes)
*** Preparing to test memory region 2b19ee401000 (4194304 bytes)
*** Preparing to test memory region 2b19ee802000 (4194304 bytes)
*** Preparing to test memory region 2b19eec03000 (4194304 bytes)
*** Preparing to test memory region 2b19ef200000 (6933184512 bytes)
.O.O.O.O.O.O.O.O.O.O.O.O.O.O.O
Fast memory test PASSED, however your memory can still be broken. Please run a memory test for several hours if possible.

------ DUMPING CODE AROUND EIP ------
Symbol: intsetGet (base: 0x46aed0)
Module: /apps/svr/redis-4.0.14/bin/redis-server 0.0.0.0:6383 [cluster] (base 0x400000)
$ xxd -r -p /tmp/dump.hex /tmp/dump.bin
$ objdump --adjust-vma=0x46aed0 -D -b binary -m i386:x86-64 /tmp/dump.bin
------
23260:M 16 Apr 22:34:34.875 # dump of function (hexdump of 149 bytes):
31c0397704761c0fb6074863f63c0874173c04741b480fbf447708488902b801000000f3c30f1f00488b44f708ebec90486344b708ebe4660f1f8400000000008b4704c36690662e0f1f8400000000008b070faf47044883c008c30f1f440000415741bf0a000000415641554189fd41544989cc4d89e6554889f5534889d34883ec2848895424
18e8a3f2fbff4889442408eb340f

=== REDIS BUG REPORT END. Make sure to include from START to END. ===

       Please report the crash by opening an issue on github:

           http://github.com/antirez/redis/issues

  Suspect RAM error? Use redis-server --test-memory to verify it.

Additional information

1. OS distribution and version CentOS Linux release 7.3.1611 (Core) redis-server 4.0.14

question 1: after failover,I get this key and find that is only 33 BYTES(3 values) argv[0]: 'SMEMBERS' argv[1]: 'ug:1:1:443209786' 23260:M 16 Apr 22:34:01.755 # key 'ug:1:1:443209786' found in DB containing the following object: 23260:M 16 Apr 22:34:01.755 # Object type: 2 23260:M 16 Apr 22:34:01.755 # Object encoding: 6 23260:M 16 Apr 22:34:01.755 # Object refcount: 1 23260:M 16 Apr 22:34:01.755 # Set size: 976304690

question 2: I didn't find any memory error from my machine

Comment From: oranagra

@825644691 any chance this is reproducible? if it is, i'd like you try a newer version of redis.

after failover,I get this key and find that is only 33 BYTES(3 values)

i assume 3 values is closer to what you would expect (rather than 976304690), right? i imagine somehow this memory got corrupted, which is also why SMEMBERS crashed. sadly, the only way to move forward with this is if we learn how to reproduce it.