MariaDB Server / MDEV-14864

Server crashes in mysql_prepare_create_table

Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 10.2(EOL), 10.3(EOL)
    • N/A
    • Partitioning
    • None

    Description

      --source include/have_partition.inc
       
      CREATE TABLE t1 (t TEXT DEFAULT '') CHARSET=latin1;
      ALTER TABLE t1 COLLATE utf8_bin;
      --error ER_BAD_FIELD_ERROR
      ALTER TABLE t1 PARTITION BY HASH(f);
      ALTER TABLE t1 ADD COLUMN i INT;
       
      # Cleanup
      DROP TABLE t1;
      

      10.2 aed2050e40cb3

      #3  <signal handler called>
      #4  0x000055834906c61a in mysql_prepare_create_table (thd=0x7ff70c000b00, create_info=0x7ff728527e50, alter_info=0x7ff728527da0, db_options=0x7ff728524f64, file=0x7ff70c013060, key_info_buffer=0x7ff728526588, key_count=0x7ff72852655c, create_table_mode=-2) at /data/src/10.2/sql/sql_table.cc:3379
      #5  0x00005583490703c3 in mysql_create_frm_image (thd=0x7ff70c000b00, db=0x7ff70c012be0 "test", table_name=0x7ff70c012598 "t1", create_info=0x7ff728527e50, alter_info=0x7ff728527da0, create_table_mode=-2, key_info=0x7ff728526588, key_count=0x7ff72852655c, frm=0x7ff7285265e0) at /data/src/10.2/sql/sql_table.cc:4653
      #6  0x0000558349070dde in create_table_impl (thd=0x7ff70c000b00, orig_db=0x7ff70c012be0 "test", orig_table_name=0x7ff70c012598 "t1", db=0x7ff70c012be0 "test", table_name=0x7ff728527280 "#sql-1966_4", path=0x7ff728527aec "./test/#sql-1966_4", options=..., create_info=0x7ff728527e50, alter_info=0x7ff728527da0, create_table_mode=-2, is_trans=0x0, key_info=0x7ff728526588, key_count=0x7ff72852655c, frm=0x7ff7285265e0) at /data/src/10.2/sql/sql_table.cc:4895
      #7  0x000055834907c01d in mysql_alter_table (thd=0x7ff70c000b00, new_db=0x7ff70c012be0 "test", new_name=0x0, create_info=0x7ff728527e50, table_list=0x7ff70c0125d0, alter_info=0x7ff728527da0, order_num=0, order=0x0, ignore=false) at /data/src/10.2/sql/sql_table.cc:9173
      #8  0x00005583490f5fa8 in Sql_cmd_alter_table::execute (this=0x7ff70c012cd0, thd=0x7ff70c000b00) at /data/src/10.2/sql/sql_alter.cc:324
      #9  0x0000558348fb1c3d in mysql_execute_command (thd=0x7ff70c000b00) at /data/src/10.2/sql/sql_parse.cc:6209
      #10 0x0000558348fb6568 in mysql_parse (thd=0x7ff70c000b00, rawbuf=0x7ff70c0124e8 "ALTER TABLE t1 ADD COLUMN i INT", length=31, parser_state=0x7ff728529200, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7900
      #11 0x0000558348fa4476 in dispatch_command (command=COM_QUERY, thd=0x7ff70c000b00, packet=0x7ff70c16b281 "ALTER TABLE t1 ADD COLUMN i INT", packet_length=31, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1805
      #12 0x0000558348fa2dd4 in do_command (thd=0x7ff70c000b00) at /data/src/10.2/sql/sql_parse.cc:1360
      #13 0x00005583490f0c99 in do_handle_one_connection (connect=0x55834c51d5c0) at /data/src/10.2/sql/sql_connect.cc:1335
      #14 0x00005583490f0a26 in handle_one_connection (arg=0x55834c51d5c0) at /data/src/10.2/sql/sql_connect.cc:1241
      #15 0x000055834950fde2 in pfs_spawn_thread (arg=0x55834c4f8090) at /data/src/10.2/storage/perfschema/pfs.cc:1863
      #16 0x00007ff72f723494 in start_thread (arg=0x7ff72852a700) at pthread_create.c:333
      #17 0x00007ff72db0993f in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

      On a release build I'm getting weird errors instead:

      with InnoDB

      query 'ALTER TABLE t1 ADD COLUMN i INT' failed: 1064: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'ibd'
      

      with MyISAM

      query 'ALTER TABLE t1 ADD COLUMN i INT' failed: 1064: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '?C'
      

      Reproducible with at least InnoDB and MyISAM.
      Reproducible with 10.2 and 10.3, not reproducible with 10.1.

      Some more stack traces, to make them searchable:

      10.3 c664c48726cdf

      #3  <signal handler called>
      #4  0x000055873cafa343 in Column_definition::prepare_stage1_string (this=0x7fa36c015630, thd=0x7fa36c000b00, mem_root=0x7fa36c005e00, file=0x7fa36c015748, table_flags=176665231781329) at /data/src/10.3/sql/sql_table.cc:3186
      #5  0x000055873cc07fb3 in Type_handler_string_result::Column_definition_prepare_stage1 (this=0x55873e1921d0 <type_handler_blob>, thd=0x7fa36c000b00, mem_root=0x7fa36c005e00, def=0x7fa36c015630, file=0x7fa36c015748, table_flags=176665231781329) at /data/src/10.3/sql/sql_type.cc:1678
      #6  0x000055873cafa47b in Column_definition::prepare_stage1 (this=0x7fa36c015630, thd=0x7fa36c000b00, mem_root=0x7fa36c005e00, file=0x7fa36c015748, table_flags=176665231781329) at /data/src/10.3/sql/sql_table.cc:3216
      #7  0x000055873cafb02f in mysql_prepare_create_table (thd=0x7fa36c000b00, create_info=0x7fa37d012d60, alter_info=0x7fa37d012cb0, db_options=0x7fa37d00fe54, file=0x7fa36c015748, key_info_buffer=0x7fa37d011498, key_count=0x7fa37d01146c, create_table_mode=-2) at /data/src/10.3/sql/sql_table.cc:3448
      #8  0x000055873cafe9dc in mysql_create_frm_image (thd=0x7fa36c000b00, db=0x7fa36c015250 "test", table_name=0x7fa36c014c08 "t1", create_info=0x7fa37d012d60, alter_info=0x7fa37d012cb0, create_table_mode=-2, key_info=0x7fa37d011498, key_count=0x7fa37d01146c, frm=0x7fa37d0114f0) at /data/src/10.3/sql/sql_table.cc:4643
      #9  0x000055873caff421 in create_table_impl (thd=0x7fa36c000b00, orig_db=0x7fa36c015250 "test", orig_table_name=0x7fa36c014c08 "t1", db=0x7fa36c015250 "test", table_name=0x7fa37d012190 "#sql-1ba6_4", path=0x7fa37d0129fc "./test/#sql-1ba6_4", options=..., create_info=0x7fa37d012d60, alter_info=0x7fa37d012cb0, create_table_mode=-2, is_trans=0x0, key_info=0x7fa37d011498, key_count=0x7fa37d01146c, frm=0x7fa37d0114f0) at /data/src/10.3/sql/sql_table.cc:4885
      #10 0x000055873cb0aa97 in mysql_alter_table (thd=0x7fa36c000b00, new_db=0x7fa36c015250 "test", new_name=0x0, create_info=0x7fa37d012d60, table_list=0x7fa36c014c40, alter_info=0x7fa37d012cb0, order_num=0, order=0x0, ignore=false) at /data/src/10.3/sql/sql_table.cc:9245
      #11 0x000055873cb8b61b in Sql_cmd_alter_table::execute (this=0x7fa36c015368, thd=0x7fa36c000b00) at /data/src/10.3/sql/sql_alter.cc:331
      #12 0x000055873ca3c688 in mysql_execute_command (thd=0x7fa36c000b00) at /data/src/10.3/sql/sql_parse.cc:6251
      #13 0x000055873ca41098 in mysql_parse (thd=0x7fa36c000b00, rawbuf=0x7fa36c014b58 "ALTER TABLE t1 ADD COLUMN i INT", length=31, parser_state=0x7fa37d014610, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:7966
      #14 0x000055873ca2ea0d in dispatch_command (command=COM_QUERY, thd=0x7fa36c000b00, packet=0x7fa36c11ec21 "ALTER TABLE t1 ADD COLUMN i INT", packet_length=31, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1824
      #15 0x000055873ca2d441 in do_command (thd=0x7fa36c000b00) at /data/src/10.3/sql/sql_parse.cc:1369
      #16 0x000055873cb86190 in do_handle_one_connection (connect=0x55873fc02680) at /data/src/10.3/sql/sql_connect.cc:1420
      #17 0x000055873cb85f1d in handle_one_connection (arg=0x55873fc02680) at /data/src/10.3/sql/sql_connect.cc:1326
      #18 0x000055873d01583e in pfs_spawn_thread (arg=0x55873fca3b00) at /data/src/10.3/storage/perfschema/pfs.cc:1863
      #19 0x00007fa384a7c494 in start_thread (arg=0x7fa37d015700) at pthread_create.c:333
      #20 0x00007fa382e6293f in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

      10.2.11 release

      #2  <signal handler called>
      #3  alloc_root (mem_root=0xa, length=208) at /home/buildbot/buildbot/build/mysys/my_alloc.c:216
      #4  0x000055eac7a6129b in operator new (mem_root=<optimized out>, size=<optimized out>) at /home/buildbot/buildbot/build/sql/field.h:706
      #5  Type_handler_int_result::make_num_distinct_aggregator_field (this=<optimized out>, mem_root=<optimized out>, item=0x0) at /home/buildbot/buildbot/build/sql/sql_type.cc:283
      #6  0x000055eac79ce70a in mysql_prepare_create_table (thd=thd@entry=0x7fce7c0009a8, create_info=create_info@entry=0x7fce8e747400, alter_info=alter_info@entry=0x7fce8e747350, db_options=db_options@entry=0x7fce8e744580, file=file@entry=0x7fce7c00fc28, key_info_buffer=key_info_buffer@entry=0x7fce8e745b58, key_count=key_count@entry=0x7fce8e745b1c, create_table_mode=create_table_mode@entry=-2) at /home/buildbot/buildbot/build/sql/sql_table.cc:3379
      #7  0x000055eac79d1014 in mysql_create_frm_image (thd=thd@entry=0x7fce7c0009a8, db=db@entry=0x7fce7c00f7a8 "test", table_name=table_name@entry=0x7fce7c00f160 "t1", create_info=create_info@entry=0x7fce8e747400, alter_info=alter_info@entry=0x7fce8e747350, create_table_mode=create_table_mode@entry=-2, key_info=key_info@entry=0x7fce8e745b58, key_count=key_count@entry=0x7fce8e745b1c, frm=frm@entry=0x7fce8e745b60) at /home/buildbot/buildbot/build/sql/sql_table.cc:4656
      #8  0x000055eac79d4deb in create_table_impl (thd=thd@entry=0x7fce7c0009a8, orig_db=0x7fce7c00f7a8 "test", orig_table_name=0x7fce7c00f160 "t1", db=0x7fce7c00f7a8 "test", table_name=table_name@entry=0x7fce8e746860 "#sql-1c10_4", path=path@entry=0x7fce8e7470cc "./test/#sql-1c10_4", options=..., create_info=create_info@entry=0x7fce8e747400, alter_info=alter_info@entry=0x7fce8e747350, create_table_mode=create_table_mode@entry=-2, is_trans=0x0, is_trans@entry=0x55eaca234638, key_info=key_info@entry=0x7fce8e745b58, key_count=key_count@entry=0x7fce8e745b1c, frm=frm@entry=0x7fce8e745b60) at /home/buildbot/buildbot/build/sql/sql_table.cc:4898
      #9  0x000055eac79d7c11 in mysql_alter_table (thd=thd@entry=0x7fce7c0009a8, new_db=<optimized out>, new_name=<optimized out>, create_info=create_info@entry=0x7fce8e747400, table_list=table_list@entry=0x7fce7c00f198, alter_info=alter_info@entry=0x7fce8e747350, order_num=0, order=0x0, ignore=false) at /home/buildbot/buildbot/build/sql/sql_table.cc:9176
      #10 0x000055eac7a1d38e in Sql_cmd_alter_table::execute (this=<optimized out>, thd=0x7fce7c0009a8) at /home/buildbot/buildbot/build/sql/sql_alter.cc:324
      #11 0x000055eac7952f49 in mysql_execute_command (thd=thd@entry=0x7fce7c0009a8) at /home/buildbot/buildbot/build/sql/sql_parse.cc:6197
      #12 0x000055eac795a48a in mysql_parse (thd=thd@entry=0x7fce7c0009a8, rawbuf=<optimized out>, length=31, parser_state=parser_state@entry=0x7fce8e749260, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /home/buildbot/buildbot/build/sql/sql_parse.cc:7887
      #13 0x000055eac795c7fe in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7fce7c0009a8, packet=<optimized out>, packet_length=2080436400, packet_length@entry=31, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /home/buildbot/buildbot/build/sql/sql_parse.cc:1805
      #14 0x000055eac795cdbe in do_command (thd=0x7fce7c0009a8) at /home/buildbot/buildbot/build/sql/sql_parse.cc:1360
      #15 0x000055eac7a1a40f in do_handle_one_connection (connect=connect@entry=0x55eaca35c3b8) at /home/buildbot/buildbot/build/sql/sql_connect.cc:1354
      #16 0x000055eac7a1a534 in handle_one_connection (arg=arg@entry=0x55eaca35c3b8) at /home/buildbot/buildbot/build/sql/sql_connect.cc:1260
      #17 0x000055eac7c548ed in pfs_spawn_thread (arg=0x55eaca2fa0a8) at /home/buildbot/buildbot/build/storage/perfschema/pfs.cc:1863
      #18 0x00007fce95085494 in start_thread (arg=0x7fce8e74a700) at pthread_create.c:333
      #19 0x00007fce9474293f in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

          Activity

            cmake -DWITH_ASAN=1 provides a little more information when running the test with ASAN_OPTIONS=abort_on_error=1,disable_coredump=0:

            SUMMARY: AddressSanitizer: heap-use-after-free /mariadb/10.2/sql/sql_table.cc:3379:41 in mysql_prepare_create_table(THD*, HA_CREATE_INFO*, Alter_info*, unsigned int*, handler*, st_key**, unsigned int*, int)
            Shadow bytes around the buggy address:
              0x0c1e7fffc300: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
              0x0c1e7fffc310: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c1e7fffc320: fd fd fd fd fd fa fa fa fa fa fa fa fa fa 00 00
              0x0c1e7fffc330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c1e7fffc340: 00 00 00 fa fa fa fa fa fa fa fa fa fd fd fd fd
            =>0x0c1e7fffc350:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c1e7fffc360: fd fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
              0x0c1e7fffc370: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
              0x0c1e7fffc380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c1e7fffc390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c1e7fffc3a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable:           00
              Partially addressable: 01 02 03 04 05 06 07 
              Heap left redzone:       fa
              Freed heap region:       fd
            …
            0x60f000021a80 is located 32 bytes inside of 168-byte region [0x60f000021a60,0x60f000021b08)
            freed by thread T5 here:
                #0 0x6cd758 in __interceptor_free.localalias.0 (/mariadb/10.2/build/sql/mysqld+0x6cd758)
                #1 0x2a16f83 in my_free /mariadb/10.2/mysys/my_malloc.c:217:5
                #2 0x29e9391 in free_root /mariadb/10.2/mysys/my_alloc.c:389:7
                #3 0x9e534e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /mariadb/10.2/sql/sql_parse.cc:2399:3
                #4 0x9e94ae in do_command(THD*) /mariadb/10.2/sql/sql_parse.cc:1359:17
                #5 0xe87b2a in do_handle_one_connection(CONNECT*) /mariadb/10.2/sql/sql_connect.cc:1335:11
                #6 0xe87251 in handle_one_connection /mariadb/10.2/sql/sql_connect.cc:1241:3
                #7 0x28e0214 in pfs_spawn_thread /mariadb/10.2/storage/perfschema/pfs.cc:1862:3
                #8 0x6db3c2 in __asan::AsanThread::ThreadStart(unsigned long, __sanitizer::atomic_uintptr_t*) (/mariadb/10.2/build/sql/mysqld+0x6db3c2)
             
            previously allocated by thread T5 here:
                #0 0x6cd910 in __interceptor_malloc (/mariadb/10.2/build/sql/mysqld+0x6cd910)
                #1 0x2a169d5 in my_malloc /mariadb/10.2/mysys/my_malloc.c:101:10
                #2 0x29e80df in alloc_root /mariadb/10.2/mysys/my_alloc.c:184:28
                #3 0x7725fc in Item::operator new(unsigned long, st_mem_root*) /mariadb/10.2/sql/item.h:663:12
                #4 0x126f2aa in Item::const_charset_converter(THD*, charset_info_st const*, bool, char const*) /mariadb/10.2/sql/item.cc:1264:23
                #5 0x779408 in Item::const_charset_converter(THD*, charset_info_st const*, bool) /mariadb/10.2/sql/item.h:1811:12
                #6 0x7782d4 in Item_string::safe_charset_converter(THD*, charset_info_st const*) /mariadb/10.2/sql/item.h:3344:12
                #7 0xca5784 in mysql_prepare_create_table(THD*, HA_CREATE_INFO*, Alter_info*, unsigned int*, handler*, st_key**, unsigned int*, int) /mariadb/10.2/sql/sql_table.cc:3392:13
                #8 0xcbe433 in mysql_create_frm_image(THD*, char const*, char const*, HA_CREATE_INFO*, Alter_info*, int, st_key**, unsigned int*, st_mysql_const_unsigned_lex_string*) /mariadb/10.2/sql/sql_table.cc:4651:7
                #9 0xcc0a3f in create_table_impl(THD*, char const*, char const*, char const*, char const*, char const*, DDL_options_st, HA_CREATE_INFO*, Alter_info*, int, bool*, st_key**, unsigned int*, st_mysql_const_unsigned_lex_string*) /mariadb/10.2/sql/sql_table.cc:4893:11
                #10 0xcd61e9 in mysql_alter_table(THD*, char*, char*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /mariadb/10.2/sql/sql_table.cc:9168:10
                #11 0xe9d04b in Sql_cmd_alter_table::execute(THD*) /mariadb/10.2/sql/sql_alter.cc:318:11
                #12 0xa14399 in mysql_execute_command(THD*) /mariadb/10.2/sql/sql_parse.cc:6208:26
                #13 0x9edee3 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /mariadb/10.2/sql/sql_parse.cc:7898:18
            …
            #9  0x00000000006d7138 in __asan_report_load8 ()
            #10 0x0000000000ca51fb in mysql_prepare_create_table (thd=0x62a000060208, create_info=0x7f8617b7c400, alter_info=0x7f8617b7c590, db_options=0x7f8617b76080, file=0x61c0000558a0, key_info_buffer=0x7f8617b7a5c0, key_count=0x7f8617b7a5e0, create_table_mode=-2) at /mariadb/10.2/sql/sql_table.cc:3379
            #11 0x0000000000cbe434 in mysql_create_frm_image (thd=0x62a000060208, db=0x60400003a1f0 "test", table_name=0x60400003a170 "t1", create_info=0x7f8617b7c400, alter_info=0x7f8617b7c590, create_table_mode=-2, key_info=0x7f8617b7a5c0, key_count=0x7f8617b7a5e0, frm=0x7f8617b7a5f0) at /mariadb/10.2/sql/sql_table.cc:4651
            #12 0x0000000000cc0a40 in create_table_impl (thd=0x62a000060208, orig_db=0x60400003a1f0 "test", orig_table_name=0x60400003a170 "t1", db=0x60400003a1f0 "test", table_name=0x7f8617b791f0 "#sql-5498_4", path=0x7f8617b79a5c "./test/#sql-5498_4", options=..., create_info=0x7f8617b7c400, alter_info=0x7f8617b7c590, create_table_mode=-2, is_trans=0x0, key_info=0x7f8617b7a5c0, key_count=0x7f8617b7a5e0, frm=0x7f8617b7a5f0) at /mariadb/10.2/sql/sql_table.cc:4893
            #13 0x0000000000cd61ea in mysql_alter_table (thd=0x62a000060208, new_db=0x60400003a1f0 "test", new_name=0x0, create_info=0x7f8617b7c400, table_list=0x61b000047ca0, alter_info=0x7f8617b7c590, order_num=0, order=0x0, ignore=false) at /mariadb/10.2/sql/sql_table.cc:9168
            #14 0x0000000000e9d04c in Sql_cmd_alter_table::execute (this=0x60400003a270, thd=0x62a000060208) at /mariadb/10.2/sql/sql_alter.cc:318
            #15 0x0000000000a1439a in mysql_execute_command (thd=0x62a000060208) at /mariadb/10.2/sql/sql_parse.cc:6208
            #16 0x00000000009edee4 in mysql_parse (thd=0x62a000060208, rawbuf=0x60e00000b120 "ALTER TABLE t1 ADD COLUMN i INT", length=31, parser_state=0x7f8617b85e20, is_com_multi=false, is_next_command=false) at /mariadb/10.2/sql/sql_parse.cc:7898
            

            marko Marko Mäkelä added a comment (text above).
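
A triage sketch for the AddressSanitizer report in the comment above, as an added example that is not part of the issue or of MariaDB's code. It parses an excerpt of that report and checks whether the object was allocated through `alloc_root` by the crashing function and released by `free_root` from a different call path, which points at a pointer kept past the lifetime of its memory root. The helper names (`parse_report`, `real_frames`, `triage`) and the `outlived_mem_root` heuristic are assumptions of this example.

```python
import re

# Added example: helper names are made up here; REPORT is an excerpt of the
# AddressSanitizer output quoted in the comment above, trimmed to the frames used.
REPORT = """\
SUMMARY: AddressSanitizer: heap-use-after-free /mariadb/10.2/sql/sql_table.cc:3379:41 in mysql_prepare_create_table(THD*, HA_CREATE_INFO*, Alter_info*, unsigned int*, handler*, st_key**, unsigned int*, int)
0x60f000021a80 is located 32 bytes inside of 168-byte region [0x60f000021a60,0x60f000021b08)
freed by thread T5 here:
    #0 0x6cd758 in __interceptor_free.localalias.0 (/mariadb/10.2/build/sql/mysqld+0x6cd758)
    #1 0x2a16f83 in my_free /mariadb/10.2/mysys/my_malloc.c:217:5
    #2 0x29e9391 in free_root /mariadb/10.2/mysys/my_alloc.c:389:7
    #3 0x9e534e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /mariadb/10.2/sql/sql_parse.cc:2399:3

previously allocated by thread T5 here:
    #0 0x6cd910 in __interceptor_malloc (/mariadb/10.2/build/sql/mysqld+0x6cd910)
    #1 0x2a169d5 in my_malloc /mariadb/10.2/mysys/my_malloc.c:101:10
    #2 0x29e80df in alloc_root /mariadb/10.2/mysys/my_alloc.c:184:28
    #3 0x7725fc in Item::operator new(unsigned long, st_mem_root*) /mariadb/10.2/sql/item.h:663:12
    #4 0x126f2aa in Item::const_charset_converter(THD*, charset_info_st const*, bool, char const*) /mariadb/10.2/sql/item.cc:1264:23
    #5 0x779408 in Item::const_charset_converter(THD*, charset_info_st const*, bool) /mariadb/10.2/sql/item.h:1811:12
    #6 0x7782d4 in Item_string::safe_charset_converter(THD*, charset_info_st const*) /mariadb/10.2/sql/item.h:3344:12
    #7 0xca5784 in mysql_prepare_create_table(THD*, HA_CREATE_INFO*, Alter_info*, unsigned int*, handler*, st_key**, unsigned int*, int) /mariadb/10.2/sql/sql_table.cc:3392:13
"""

FRAME = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+ in (.+) (\S+)$")
SUMMARY = re.compile(r"^SUMMARY: AddressSanitizer: (\S+) (\S+?):(\d+)(?::\d+)? in (.+)$")
REGION = re.compile(r"located (\d+) bytes inside of (\d+)-byte region")
LOC = re.compile(r"(.+?):(\d+)(?::\d+)?$")

def short(func):
    """Drop the C++ argument list: 'f(THD*, int)' -> 'f'."""
    return func.split("(", 1)[0].strip()

def parse_report(text):
    """Return (summary, stacks); each stack is a list of (function, file, line)."""
    summary, stacks, current = {}, {"free": [], "alloc": []}, None
    for line in text.splitlines():
        if (m := SUMMARY.match(line)):
            summary.update(kind=m[1], file=m[2], line=int(m[3]), func=short(m[4]))
        elif (m := REGION.search(line)):
            summary.update(offset=int(m[1]), size=int(m[2]))
        elif line.startswith("freed by thread"):
            current = "free"
        elif line.startswith("previously allocated by thread"):
            current = "alloc"
        elif current and (m := FRAME.match(line)):
            loc = LOC.match(m[3])
            stacks[current].append((short(m[2]), loc[1] if loc else None,
                                    int(loc[2]) if loc else None))
    return summary, stacks

def real_frames(stack):
    """Frames below the sanitizer interceptors and the my_malloc/my_free wrappers."""
    return [f for f in stack
            if not f[0].startswith("__interceptor_") and f[0] not in ("my_malloc", "my_free")]

def triage(text):
    """Summarise the report and flag the 'pointer outlived its mem_root' pattern."""
    summary, stacks = parse_report(text)
    free, alloc = real_frames(stacks["free"]), real_frames(stacks["alloc"])
    freed_via = free[0][0] if free else None
    allocated_via = alloc[0][0] if alloc else None
    # Line where the crashing function created the object on an earlier call, if any.
    alloc_line = next((ln for name, _, ln in alloc if name == summary.get("func")), None)
    on_free_stack = any(name == summary.get("func") for name, _, _ in free)
    return dict(summary, freed_via=freed_via, allocated_via=allocated_via,
                freed_from=free[1][0] if len(free) > 1 else None, alloc_line=alloc_line,
                # alloc_root + free_root with the reader absent from the free stack:
                # the pointer was kept past the teardown of the memory root it lives in.
                outlived_mem_root=(freed_via == "free_root" and allocated_via == "alloc_root"
                                   and alloc_line is not None and not on_free_stack))

if __name__ == "__main__":
    print(triage(REPORT))
```

For this report the result names `free_root` called from `dispatch_command` as the release site and `sql_table.cc:3392` as the allocation site inside the same function that later reads the freed object at line 3379.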

            elenst Elena Stepanova added a comment - It doesn't seem to be reproducible anymore (as of 10.3 141a5b2484, 10.2 9827c5e10 at least). There have been plenty of fixes in the area. I'll check when this got fixed.

            People

              elenst Elena Stepanova
              elenst Elena Stepanova