
InnoDB: Failing assertion: heap->magic_n == MEM_BLOCK_MAGIC_N or ASAN heap-use-after-free in dict_foreign_remove_from_cache upon CHANGE COLUMN



      Note: It looks very similar to MDEV-18256 and is likely a duplicate. But the location of the failure and the test case are somewhat different, and since these particular assertion failures tend to linger and resurface indefinitely, I'm filing it separately to make sure that both are fixed.

      --source include/have_innodb.inc
       
      # Self-referencing foreign key: column a of t1 references t1(a) itself.
      CREATE TABLE t1 (a INT, UNIQUE(a), KEY(a)) ENGINE=InnoDB;
      ALTER TABLE t1 ADD FOREIGN KEY (a) REFERENCES t1 (a);
      # With FK checks off, the type of the constrained column can be changed.
      SET SESSION FOREIGN_KEY_CHECKS = OFF ;
      ALTER TABLE t1 CHANGE COLUMN a a TIME NOT NULL;
      ALTER TABLE t1 ADD pk INT NOT NULL AUTO_INCREMENT PRIMARY KEY;
      # This is the statement reported in the stack trace (frame #20, rawbuf):
      # it goes through commit_try_rebuild with new_clustered=true, and
      # innobase_rename_column_try then calls dict_foreign_remove_from_cache
      # on a dict_foreign_t that ASAN reports as already freed.
      ALTER TABLE t1 CHANGE COLUMN a b TIME;
       
      # Cleanup
      DROP TABLE t1;
      

      10.0 12f362c3338

      2019-01-17 21:52:24 7efe224f1700  InnoDB: Assertion failure in thread 139629962401536 in file mem0dbg.cc line 680
      InnoDB: Failing assertion: heap->magic_n == MEM_BLOCK_MAGIC_N
       
      #5  0x00007efe204343fa in abort () from /lib/x86_64-linux-gnu/libc.so.6
      #6  0x00007efe18fb4421 in mem_heap_check (heap=0x7efe0c368560) at /data/src/10.0/storage/innobase/mem/mem0dbg.cc:680
      #7  0x00007efe18ebbf3d in mem_heap_free_func (heap=0x7efe0c368560, file_name=0x7efe190e01c0 "/data/src/10.0/storage/innobase/include/dict0mem.h", line=872) at /data/src/10.0/storage/innobase/include/mem0mem.ic:482
      #8  0x00007efe18ece2d4 in dict_foreign_free (foreign=0x7efe0c3685d8) at /data/src/10.0/storage/innobase/include/dict0mem.h:872
      #9  0x00007efe18ec5ac5 in dict_foreign_remove_from_cache (foreign=0x7efe0c3685d8) at /data/src/10.0/storage/innobase/dict/dict0dict.cc:3284
      #10 0x00007efe18f6c67f in std::for_each<std::_List_iterator<dict_foreign_t*>, void (*)(dict_foreign_t*)> (__first=0x7efe0c3685d8, __last=0x7efe0c398cf8, __f=0x7efe18ec59fe <dict_foreign_remove_from_cache(dict_foreign_t*)>) at /usr/include/c++/4.9/bits/stl_algo.h:3755
      #11 0x00007efe18f672bd in innobase_rename_column_try (user_table=0x7efe0c398c78, trx=0x7efe0c151c78, table_name=0x7efe0c061175 "t1", nth_col=0, from=0x7efe0c02bee1 "a", to=0x7efe0c0f8770 "b", new_clustered=true) at /data/src/10.0/storage/innobase/handler/handler0alter.cc:4670
      #12 0x00007efe18f67471 in innobase_rename_columns_try (ha_alter_info=0x7efe224ee220, ctx=0x7efe0c0f9a28, table=0x7efe0c09e470, trx=0x7efe0c151c78, table_name=0x7efe0c061175 "t1") at /data/src/10.0/storage/innobase/handler/handler0alter.cc:4711
      #13 0x00007efe18f6b54a in commit_try_rebuild (ha_alter_info=0x7efe224ee220, ctx=0x7efe0c0f9a28, altered_table=0x7efe0c39f070, old_table=0x7efe0c09e470, trx=0x7efe0c151c78, table_name=0x7efe0c061175 "t1") at /data/src/10.0/storage/innobase/handler/handler0alter.cc:5137
      #14 0x00007efe18f68dac in ha_innodb::commit_inplace_alter_table (this=0x7efe0c081088, altered_table=0x7efe0c39f070, ha_alter_info=0x7efe224ee220, commit=true) at /data/src/10.0/storage/innobase/handler/handler0alter.cc:5840
      #15 0x000000000084512d in handler::ha_commit_inplace_alter_table (this=0x7efe0c081088, altered_table=0x7efe0c39f070, ha_alter_info=0x7efe224ee220, commit=true) at /data/src/10.0/sql/handler.cc:4228
      #16 0x00000000007029c6 in mysql_inplace_alter_table (thd=0x7efe14b69070, table_list=0x7efe0c0f8180, table=0x7efe0c09e470, altered_table=0x7efe0c39f070, ha_alter_info=0x7efe224ee220, inplace_supported=HA_ALTER_INPLACE_NO_LOCK_AFTER_PREPARE, target_mdl_request=0x7efe224edc70, alter_ctx=0x7efe224ee800) at /data/src/10.0/sql/sql_table.cc:7176
      #17 0x0000000000706ffc in mysql_alter_table (thd=0x7efe14b69070, new_db=0x7efe0c0f8760 "test", new_name=0x0, create_info=0x7efe224ef4e0, table_list=0x7efe0c0f8180, alter_info=0x7efe224ef450, order_num=0, order=0x0, ignore=false) at /data/src/10.0/sql/sql_table.cc:8982
      #18 0x0000000000770361 in Sql_cmd_alter_table::execute (this=0x7efe0c0f8850, thd=0x7efe14b69070) at /data/src/10.0/sql/sql_alter.cc:312
      #19 0x0000000000654d27 in mysql_execute_command (thd=0x7efe14b69070) at /data/src/10.0/sql/sql_parse.cc:5125
      #20 0x000000000065837e in mysql_parse (thd=0x7efe14b69070, rawbuf=0x7efe0c0f8088 "ALTER TABLE t1 CHANGE COLUMN a b TIME", length=37, parser_state=0x7efe224f0640) at /data/src/10.0/sql/sql_parse.cc:6644
      #21 0x000000000064ac38 in dispatch_command (command=COM_QUERY, thd=0x7efe14b69070, packet=0x7efe1a630071 "ALTER TABLE t1 CHANGE COLUMN a b TIME", packet_length=37) at /data/src/10.0/sql/sql_parse.cc:1301
      #22 0x0000000000649f2c in do_command (thd=0x7efe14b69070) at /data/src/10.0/sql/sql_parse.cc:1003
      #23 0x000000000076bab4 in do_handle_one_connection (thd_arg=0x7efe14b69070) at /data/src/10.0/sql/sql_connect.cc:1377
      #24 0x000000000076b826 in handle_one_connection (arg=0x7efe14b69070) at /data/src/10.0/sql/sql_connect.cc:1292
      #25 0x0000000000acd6ea in pfs_spawn_thread (arg=0x7efe14b19670) at /data/src/10.0/storage/perfschema/pfs.cc:1861
      #26 0x00007efe2212f494 in start_thread (arg=0x7efe224f1700) at pthread_create.c:333
      #27 0x00007efe204e893f in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

      10.0 ASAN 12f362c3338

      ==28298==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100003a580 at pc 0x7f6f560dc0b3 bp 0x7f6f490dd670 sp 0x7f6f490dd668
      READ of size 8 at 0x61100003a580 thread T21
          #0 0x7f6f560dc0b2 in dict_foreign_remove_from_cache(dict_foreign_t*) /data/src/10.0/storage/innobase/dict/dict0dict.cc:3276
          #1 0x7f6f56224477 in for_each<std::_List_iterator<dict_foreign_t*>, void (*)(dict_foreign_t*)> /usr/include/c++/4.9/bits/stl_algo.h:3755
          #2 0x7f6f56224477 in innobase_rename_column_try /data/src/10.0/storage/innobase/handler/handler0alter.cc:4670
          #3 0x7f6f56224477 in innobase_rename_columns_try /data/src/10.0/storage/innobase/handler/handler0alter.cc:4711
          #4 0x7f6f56227e0d in commit_try_rebuild /data/src/10.0/storage/innobase/handler/handler0alter.cc:5137
          #5 0x7f6f56227e0d in ha_innodb::commit_inplace_alter_table(TABLE*, Alter_inplace_info*, bool) /data/src/10.0/storage/innobase/handler/handler0alter.cc:5840
          #6 0xb7eb69 in handler::ha_commit_inplace_alter_table(TABLE*, Alter_inplace_info*, bool) /data/src/10.0/sql/handler.cc:4228
          #7 0x87aece in mysql_inplace_alter_table /data/src/10.0/sql/sql_table.cc:7176
          #8 0x889b47 in mysql_alter_table(THD*, char*, char*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.0/sql/sql_table.cc:8982
          #9 0x988101 in Sql_cmd_alter_table::execute(THD*) /data/src/10.0/sql/sql_alter.cc:312
          #10 0x6e2524 in mysql_execute_command(THD*) /data/src/10.0/sql/sql_parse.cc:5125
          #11 0x6e500e in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.0/sql/sql_parse.cc:6644
          #12 0x6e8c2d in dispatch_command(enum_server_command, THD*, char*, unsigned int) /data/src/10.0/sql/sql_parse.cc:1301
          #13 0x6ed526 in do_command(THD*) /data/src/10.0/sql/sql_parse.cc:1003
          #14 0x97dddb in do_handle_one_connection(THD*) /data/src/10.0/sql/sql_connect.cc:1377
          #15 0x97e042 in handle_one_connection /data/src/10.0/sql/sql_connect.cc:1292
          #16 0x11b830a in pfs_spawn_thread /data/src/10.0/storage/perfschema/pfs.cc:1861
          #17 0x7f6f60918493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
          #18 0x7f6f5ecd193e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
       
      0x61100003a580 is located 192 bytes inside of 224-byte region [0x61100003a4c0,0x61100003a5a0)
      freed by thread T21 here:
          #0 0x7f6f60b82527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
          #1 0x7f6f562bf801 in mem_area_free(void*, mem_pool_t*) /data/src/10.0/storage/innobase/mem/mem0pool.cc:519
          #2 0x7f6f565090e8 (/data/bld/10.0-asan/lib/plugin/ha_innodb.so+0x6640e8)
       
      previously allocated by thread T21 here:
          #0 0x7f6f60b8273f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
          #1 0x7f6f562bedba in mem_area_alloc(unsigned long*, mem_pool_t*) /data/src/10.0/storage/innobase/mem/mem0pool.cc:381
       
      Thread T21 created by T0 here:
          #0 0x7f6f60b51bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x11c3b61 in spawn_thread_v1 /data/src/10.0/storage/perfschema/pfs.cc:1911
       
      SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.0/storage/innobase/dict/dict0dict.cc:3276 dict_foreign_remove_from_cache(dict_foreign_t*)
      Shadow bytes around the buggy address:
        0x0c227ffff460: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c227ffff470: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c227ffff480: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
        0x0c227ffff490: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
        0x0c227ffff4a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      =>0x0c227ffff4b0:[fd]fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c227ffff4c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c227ffff4d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
        0x0c227ffff4e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
        0x0c227ffff4f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c227ffff500: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Contiguous container OOB:fc
        ASan internal:           fe
      ==28298==ABORTING
      


              • Assignee:
                marko Marko Mäkelä
                Reporter:
                elenst Elena Stepanova