Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-16376

ASAN: heap-use-after-free in gcol.innodb_virtual_debug

Details

    Description

      This test in the test file:

      CREATE TABLE t (a INT, b INT, c INT GENERATED ALWAYS AS(a+b), h VARCHAR(10));
      		 
      INSERT INTO t VALUES (11, 3, DEFAULT, 'mm');
      		 
      INSERT INTO t VALUES (18, 1, DEFAULT, 'mm');
      		 
      INSERT INTO t VALUES (28, 1, DEFAULT, 'mm');
      		 
      INSERT INTO t VALUES (null, null, DEFAULT, 'mm');
      		 
      CREATE INDEX idx_1 on t(c);
      		 
      SET SESSION debug_dbug="+d,create_index_fail";
      		 
      --error ER_DUP_ENTRY
      		 
      ALTER TABLE t ADD COLUMN x INT GENERATED ALWAYS AS(a+b), ADD INDEX idx (x);
      		 
      SET SESSION debug_dbug="";
      		 
      SHOW CREATE TABLE t;
      		 
      SELECT c FROM t;
      		 
      DROP TABLE t;

      The index (dict_index_t) is added to the table and not removed when the ALTER TABLE fails. When the table is dropped, dict_index_remove_from_cache_low is invoked. It contains the following:

      	/* Remove the index from affected virtual column index list */
      		 
      	if (dict_index_has_virtual(index)) {
      		 
      		const dict_col_t*	col;
      		 
      		const dict_v_col_t*	vcol;
      		 
       
      		 
      		for (ulint i = 0; i < dict_index_get_n_fields(index); i++) {
      		 
      			col =  dict_index_get_nth_col(index, i);
      		 
      			if (dict_col_is_virtual(col)) {
      		 
      			...

      except when the ALTER TABLE failed, the not-really-added virtual column (that this not-really-added index refers to) was allocated in the ha_innobase_inplace_ctx and freed at the end of the ALTER TABLE. So, dereferencing col in DROP TABLE accessed freed memory and ASAN complains.

      Attachments

        Issue Links

          causes

          Bug - A problem which impairs or prevents the functions of the product. MDEV-19114 gcol.innodb_virtual_debug failed in buildbot with Assertion `n_fields > 0' failure

          • Major - Major loss of function.
          • Closed
          is caused by

          Bug - A problem which impairs or prevents the functions of the product. MDEV-16119 InnoDB lock->index refers to a freed object after failed ADD INDEX

          • Major - Major loss of function.
          • Closed

          Activity

            There are no comments yet on this issue.

            People

              marko Marko Mäkelä
              serg Sergei Golubchik
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.