Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
-
5.5(EOL), 10.0(EOL), 10.1(EOL), 10.2(EOL), 10.3(EOL), 10.4(EOL)
Description
Note: See also MDEV-18222.
--source include/have_innodb.inc
|
|
|
CREATE TABLE t1 (a INT PRIMARY KEY) ENGINE=InnoDB; |
CREATE TABLE t2 (b INT PRIMARY KEY, FOREIGN KEY fk1 (b) REFERENCES t1 (a)) ENGINE=InnoDB; |
ALTER TABLE t2 DROP FOREIGN KEY fk1, DROP FOREIGN KEY fk1; |
|
|
# Cleanup
|
DROP TABLE t2, t1; |
|
10.0 d0d0f88f2 |
2019-01-15 20:14:51 7ff2f41fa700 InnoDB: Assertion failure in thread 140681454528256 in file mem0dbg.cc line 680
|
InnoDB: Failing assertion: heap->magic_n == MEM_BLOCK_MAGIC_N
|
|
|
#5 0x00007ff2f213d3fa in abort () from /lib/x86_64-linux-gnu/libc.so.6
|
#6 0x00007ff2eabb442b in mem_heap_check (heap=0x7ff2de368800) at /data/src/10.0/storage/innobase/mem/mem0dbg.cc:680
|
#7 0x00007ff2eaabbf3d in mem_heap_free_func (heap=0x7ff2de368800, file_name=0x7ff2eace01c0 "/data/src/10.0/storage/innobase/include/dict0mem.h", line=872) at /data/src/10.0/storage/innobase/include/mem0mem.ic:482
|
#8 0x00007ff2eaace2d4 in dict_foreign_free (foreign=0x7ff2de368878) at /data/src/10.0/storage/innobase/include/dict0mem.h:872
|
#9 0x00007ff2eaac5ac5 in dict_foreign_remove_from_cache (foreign=0x7ff2de368878) at /data/src/10.0/storage/innobase/dict/dict0dict.cc:3284
|
#10 0x00007ff2eab67d98 in innobase_update_foreign_cache (ctx=0x7ff2de0f9468, user_thd=0x7ff2e6769070) at /data/src/10.0/storage/innobase/handler/handler0alter.cc:4991
|
#11 0x00007ff2eab694a3 in ha_innodb::commit_inplace_alter_table (this=0x7ff2de07e888, altered_table=0x7ff2de1bc070, ha_alter_info=0x7ff2f41f7220, commit=true) at /data/src/10.0/storage/innobase/handler/handler0alter.cc:6017
|
#12 0x000000000084512d in handler::ha_commit_inplace_alter_table (this=0x7ff2de07e888, altered_table=0x7ff2de1bc070, ha_alter_info=0x7ff2f41f7220, commit=true) at /data/src/10.0/sql/handler.cc:4228
|
#13 0x00000000007029c6 in mysql_inplace_alter_table (thd=0x7ff2e6769070, table_list=0x7ff2de0f81a8, table=0x7ff2de09e470, altered_table=0x7ff2de1bc070, ha_alter_info=0x7ff2f41f7220, inplace_supported=HA_ALTER_INPLACE_NO_LOCK_AFTER_PREPARE, target_mdl_request=0x7ff2f41f6c70, alter_ctx=0x7ff2f41f7800) at /data/src/10.0/sql/sql_table.cc:7176
|
#14 0x0000000000706ffc in mysql_alter_table (thd=0x7ff2e6769070, new_db=0x7ff2de0f8788 "test", new_name=0x0, create_info=0x7ff2f41f84e0, table_list=0x7ff2de0f81a8, alter_info=0x7ff2f41f8450, order_num=0, order=0x0, ignore=false) at /data/src/10.0/sql/sql_table.cc:8982
|
#15 0x0000000000770361 in Sql_cmd_alter_table::execute (this=0x7ff2de0f87e0, thd=0x7ff2e6769070) at /data/src/10.0/sql/sql_alter.cc:312
|
#16 0x0000000000654d27 in mysql_execute_command (thd=0x7ff2e6769070) at /data/src/10.0/sql/sql_parse.cc:5125
|
#17 0x000000000065837e in mysql_parse (thd=0x7ff2e6769070, rawbuf=0x7ff2de0f8088 "ALTER TABLE t2 DROP FOREIGN KEY fk1, DROP FOREIGN KEY fk1", length=57, parser_state=0x7ff2f41f9640) at /data/src/10.0/sql/sql_parse.cc:6644
|
#18 0x000000000064ac38 in dispatch_command (command=COM_QUERY, thd=0x7ff2e6769070, packet=0x7ff2ec230071 "ALTER TABLE t2 DROP FOREIGN KEY fk1, DROP FOREIGN KEY fk1", packet_length=57) at /data/src/10.0/sql/sql_parse.cc:1301
|
#19 0x0000000000649f2c in do_command (thd=0x7ff2e6769070) at /data/src/10.0/sql/sql_parse.cc:1003
|
#20 0x000000000076bab4 in do_handle_one_connection (thd_arg=0x7ff2e6769070) at /data/src/10.0/sql/sql_connect.cc:1377
|
#21 0x000000000076b826 in handle_one_connection (arg=0x7ff2e6769070) at /data/src/10.0/sql/sql_connect.cc:1292
|
#22 0x0000000000acd6ea in pfs_spawn_thread (arg=0x7ff2e6719670) at /data/src/10.0/storage/perfschema/pfs.cc:1861
|
#23 0x00007ff2f3e38494 in start_thread (arg=0x7ff2f41fa700) at pthread_create.c:333
|
#24 0x00007ff2f21f193f in clone () from /lib/x86_64-linux-gnu/libc.so.6
|
Non-debug builds don't show any obvious symptoms, but non-debug ASAN build does:
|
10.4 a8eb0c76bf RelWithDebInfo ASAN |
==14835==ERROR: AddressSanitizer: heap-use-after-free on address 0x616000073038 at pc 0x5645b6ca6932 bp 0x7f34f2f34fb0 sp 0x7f34f2f34fa8
|
READ of size 8 at 0x616000073038 thread T27
|
#0 0x5645b6ca6931 in dict_foreign_remove_from_cache(dict_foreign_t*) /data/src/10.4/storage/innobase/dict/dict0dict.cc:3198
|
#1 0x5645b68656ce in innobase_update_foreign_cache /data/src/10.4/storage/innobase/handler/handler0alter.cc:9389
|
#2 0x5645b686e2a9 in ha_innobase::commit_inplace_alter_table(TABLE*, Alter_inplace_info*, bool) /data/src/10.4/storage/innobase/handler/handler0alter.cc:10907
|
#3 0x5645b5867f8a in mysql_inplace_alter_table /data/src/10.4/sql/sql_table.cc:7590
|
#4 0x5645b5d28568 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.4/sql/sql_table.cc:9690
|
#5 0x5645b5e1cbee in Sql_cmd_alter_table::execute(THD*) /data/src/10.4/sql/sql_alter.cc:497
|
#6 0x5645b5b441ed in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6302
|
#7 0x5645b5b5bbdd in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8104
|
#8 0x5645b5b64ced in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1851
|
#9 0x5645b5b67695 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1396
|
#10 0x5645b5e137b7 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1402
|
#11 0x5645b5e13cba in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1308
|
#12 0x5645b67d5296 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
|
#13 0x7f34fe517493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
|
#14 0x7f34fcb1893e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
|
|
|
0x616000073038 is located 184 bytes inside of 544-byte region [0x616000072f80,0x6160000731a0)
|
freed by thread T27 here:
|
#0 0x7f34fe781527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
|
#1 0x5645b6938aed in mem_heap_block_free(mem_block_info_t*, mem_block_info_t*) /data/src/10.4/storage/innobase/mem/mem0mem.cc:415
|
|
|
previously allocated by thread T27 here:
|
#0 0x7f34fe78173f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
|
#1 0x5645b6937cad in mem_heap_create_block_func(mem_block_info_t*, unsigned long, unsigned long) /data/src/10.4/storage/innobase/mem/mem0mem.cc:269
|
|
|
Thread T27 created by T0 here:
|
#0 0x7f34fe750bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
|
#1 0x5645b67dd9b6 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
|
|
|
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/storage/innobase/dict/dict0dict.cc:3198 dict_foreign_remove_from_cache(dict_foreign_t*)
|
Shadow bytes around the buggy address:
|
0x0c2c800065b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c2c800065c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c2c800065d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
|
0x0c2c800065e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c2c800065f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
=>0x0c2c80006600: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
|
0x0c2c80006610: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c2c80006620: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c2c80006630: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c2c80006640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c2c80006650: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Heap right redzone: fb
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack partial redzone: f4
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Contiguous container OOB:fc
|
ASan internal: fe
|
==14835==ABORTING
|
5.5 doesn't crash (maybe it doesn't have the assertion failure), but it also fails:
mysqltest: At line 5: query 'ALTER TABLE t2 DROP FOREIGN KEY fk1, DROP FOREIGN KEY fk1' failed: 1025: Error on rename of './test/t2' to './test/#sql2-35c7-2' (errno: 152)
|
Attachments
Issue Links
- relates to
-
-
- Closed
-
Activity
This double-free was introduced by a merge of the following change from MySQL 5.6.23 into 10.0.17,10.1.4,10.2.0,10.3.0 (InnoDB 5.6.23) and 10.0.18,10.1.5 (XtraDB 5.6.23-72.1):
Bug #20031243 CREATE TABLE FAILS TO CHECK IF FOREIGN KEY COLUMN NULL/NOT NULL MISMATCH
The variable fk_evict should have been declared as std::set instead of std::list, in order to avoid duplicates.
In 10.0+, we can simply filter out duplicate foreign key definitions in ha_innobase::prepare_inplace_alter_table().
In 5.5, the code is completely different, and I would not fix this unless there is a strong demand.