  2. MDEV-18256

InnoDB: Failing assertion: heap->magic_n == MEM_BLOCK_MAGIC_N upon DROP FOREIGN KEY

Details

    Description

      Note: See also MDEV-18222.

      --source include/have_innodb.inc
       
      CREATE TABLE t1 (a INT PRIMARY KEY) ENGINE=InnoDB;
      CREATE TABLE t2 (b INT PRIMARY KEY, FOREIGN KEY fk1 (b) REFERENCES t1 (a)) ENGINE=InnoDB;
      # Reproducer: the same constraint name is dropped twice within one ALTER statement.
      # Debug builds fail the heap->magic_n assertion in mem_heap_free (the dict_foreign_t heap
      # is freed twice); a non-debug ASAN build reports heap-use-after-free in
      # dict_foreign_remove_from_cache. 5.5 does not crash but returns error 1025 instead.
      ALTER TABLE t2 DROP FOREIGN KEY fk1, DROP FOREIGN KEY fk1;
       
      # Cleanup
      DROP TABLE t2, t1;
      

      10.0 d0d0f88f2

      2019-01-15 20:14:51 7ff2f41fa700  InnoDB: Assertion failure in thread 140681454528256 in file mem0dbg.cc line 680
      InnoDB: Failing assertion: heap->magic_n == MEM_BLOCK_MAGIC_N
       
      #5  0x00007ff2f213d3fa in abort () from /lib/x86_64-linux-gnu/libc.so.6
      #6  0x00007ff2eabb442b in mem_heap_check (heap=0x7ff2de368800) at /data/src/10.0/storage/innobase/mem/mem0dbg.cc:680
      #7  0x00007ff2eaabbf3d in mem_heap_free_func (heap=0x7ff2de368800, file_name=0x7ff2eace01c0 "/data/src/10.0/storage/innobase/include/dict0mem.h", line=872) at /data/src/10.0/storage/innobase/include/mem0mem.ic:482
      #8  0x00007ff2eaace2d4 in dict_foreign_free (foreign=0x7ff2de368878) at /data/src/10.0/storage/innobase/include/dict0mem.h:872
      #9  0x00007ff2eaac5ac5 in dict_foreign_remove_from_cache (foreign=0x7ff2de368878) at /data/src/10.0/storage/innobase/dict/dict0dict.cc:3284
      #10 0x00007ff2eab67d98 in innobase_update_foreign_cache (ctx=0x7ff2de0f9468, user_thd=0x7ff2e6769070) at /data/src/10.0/storage/innobase/handler/handler0alter.cc:4991
      #11 0x00007ff2eab694a3 in ha_innodb::commit_inplace_alter_table (this=0x7ff2de07e888, altered_table=0x7ff2de1bc070, ha_alter_info=0x7ff2f41f7220, commit=true) at /data/src/10.0/storage/innobase/handler/handler0alter.cc:6017
      #12 0x000000000084512d in handler::ha_commit_inplace_alter_table (this=0x7ff2de07e888, altered_table=0x7ff2de1bc070, ha_alter_info=0x7ff2f41f7220, commit=true) at /data/src/10.0/sql/handler.cc:4228
      #13 0x00000000007029c6 in mysql_inplace_alter_table (thd=0x7ff2e6769070, table_list=0x7ff2de0f81a8, table=0x7ff2de09e470, altered_table=0x7ff2de1bc070, ha_alter_info=0x7ff2f41f7220, inplace_supported=HA_ALTER_INPLACE_NO_LOCK_AFTER_PREPARE, target_mdl_request=0x7ff2f41f6c70, alter_ctx=0x7ff2f41f7800) at /data/src/10.0/sql/sql_table.cc:7176
      #14 0x0000000000706ffc in mysql_alter_table (thd=0x7ff2e6769070, new_db=0x7ff2de0f8788 "test", new_name=0x0, create_info=0x7ff2f41f84e0, table_list=0x7ff2de0f81a8, alter_info=0x7ff2f41f8450, order_num=0, order=0x0, ignore=false) at /data/src/10.0/sql/sql_table.cc:8982
      #15 0x0000000000770361 in Sql_cmd_alter_table::execute (this=0x7ff2de0f87e0, thd=0x7ff2e6769070) at /data/src/10.0/sql/sql_alter.cc:312
      #16 0x0000000000654d27 in mysql_execute_command (thd=0x7ff2e6769070) at /data/src/10.0/sql/sql_parse.cc:5125
      #17 0x000000000065837e in mysql_parse (thd=0x7ff2e6769070, rawbuf=0x7ff2de0f8088 "ALTER TABLE t2 DROP FOREIGN KEY fk1, DROP FOREIGN KEY fk1", length=57, parser_state=0x7ff2f41f9640) at /data/src/10.0/sql/sql_parse.cc:6644
      #18 0x000000000064ac38 in dispatch_command (command=COM_QUERY, thd=0x7ff2e6769070, packet=0x7ff2ec230071 "ALTER TABLE t2 DROP FOREIGN KEY fk1, DROP FOREIGN KEY fk1", packet_length=57) at /data/src/10.0/sql/sql_parse.cc:1301
      #19 0x0000000000649f2c in do_command (thd=0x7ff2e6769070) at /data/src/10.0/sql/sql_parse.cc:1003
      #20 0x000000000076bab4 in do_handle_one_connection (thd_arg=0x7ff2e6769070) at /data/src/10.0/sql/sql_connect.cc:1377
      #21 0x000000000076b826 in handle_one_connection (arg=0x7ff2e6769070) at /data/src/10.0/sql/sql_connect.cc:1292
      #22 0x0000000000acd6ea in pfs_spawn_thread (arg=0x7ff2e6719670) at /data/src/10.0/storage/perfschema/pfs.cc:1861
      #23 0x00007ff2f3e38494 in start_thread (arg=0x7ff2f41fa700) at pthread_create.c:333
      #24 0x00007ff2f21f193f in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

      Non-debug builds don't show any obvious symptoms, but a non-debug ASAN build does (the underlying use-after-free is still present there; without instrumentation it simply goes undetected):

      10.4 a8eb0c76bf RelWithDebInfo ASAN

      ==14835==ERROR: AddressSanitizer: heap-use-after-free on address 0x616000073038 at pc 0x5645b6ca6932 bp 0x7f34f2f34fb0 sp 0x7f34f2f34fa8
      READ of size 8 at 0x616000073038 thread T27
          #0 0x5645b6ca6931 in dict_foreign_remove_from_cache(dict_foreign_t*) /data/src/10.4/storage/innobase/dict/dict0dict.cc:3198
          #1 0x5645b68656ce in innobase_update_foreign_cache /data/src/10.4/storage/innobase/handler/handler0alter.cc:9389
          #2 0x5645b686e2a9 in ha_innobase::commit_inplace_alter_table(TABLE*, Alter_inplace_info*, bool) /data/src/10.4/storage/innobase/handler/handler0alter.cc:10907
          #3 0x5645b5867f8a in mysql_inplace_alter_table /data/src/10.4/sql/sql_table.cc:7590
          #4 0x5645b5d28568 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.4/sql/sql_table.cc:9690
          #5 0x5645b5e1cbee in Sql_cmd_alter_table::execute(THD*) /data/src/10.4/sql/sql_alter.cc:497
          #6 0x5645b5b441ed in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6302
          #7 0x5645b5b5bbdd in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8104
          #8 0x5645b5b64ced in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1851
          #9 0x5645b5b67695 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1396
          #10 0x5645b5e137b7 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1402
          #11 0x5645b5e13cba in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1308
          #12 0x5645b67d5296 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
          #13 0x7f34fe517493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
          #14 0x7f34fcb1893e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
       
      0x616000073038 is located 184 bytes inside of 544-byte region [0x616000072f80,0x6160000731a0)
      freed by thread T27 here:
          #0 0x7f34fe781527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
          #1 0x5645b6938aed in mem_heap_block_free(mem_block_info_t*, mem_block_info_t*) /data/src/10.4/storage/innobase/mem/mem0mem.cc:415
       
      previously allocated by thread T27 here:
          #0 0x7f34fe78173f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
          #1 0x5645b6937cad in mem_heap_create_block_func(mem_block_info_t*, unsigned long, unsigned long) /data/src/10.4/storage/innobase/mem/mem0mem.cc:269
       
      Thread T27 created by T0 here:
          #0 0x7f34fe750bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x5645b67dd9b6 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
       
      SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/storage/innobase/dict/dict0dict.cc:3198 dict_foreign_remove_from_cache(dict_foreign_t*)
      Shadow bytes around the buggy address:
        0x0c2c800065b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c2c800065c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c2c800065d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
        0x0c2c800065e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c2c800065f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      =>0x0c2c80006600: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
        0x0c2c80006610: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c2c80006620: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c2c80006630: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c2c80006640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c2c80006650: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Contiguous container OOB:fc
        ASan internal:           fe
      ==14835==ABORTING
      

      5.5 doesn't crash (it may simply lack this assertion), but the statement still fails:

      mysqltest: At line 5: query 'ALTER TABLE t2 DROP FOREIGN KEY fk1, DROP FOREIGN KEY fk1' failed: 1025: Error on rename of './test/t2' to './test/#sql2-35c7-2' (errno: 152)
      


          Activity

            elenst Elena Stepanova created issue -
            elenst Elena Stepanova made changes -
            elenst Elena Stepanova made changes -
            Description {code:sql}
            --source include/have_innodb.inc

            CREATE TABLE t1 (a INT PRIMARY KEY) ENGINE=InnoDB;
            CREATE TABLE t2 (b INT PRIMARY KEY, FOREIGN KEY fk1 (b) REFERENCES t1 (a)) ENGINE=InnoDB;
            ALTER TABLE t2 DROP FOREIGN KEY fk1, DROP FOREIGN KEY fk1;

            # Cleanup
            DROP TABLE t2, t1;
            {code}

            {noformat:title=10.0 d0d0f88f2}
            2019-01-15 20:14:51 7ff2f41fa700 InnoDB: Assertion failure in thread 140681454528256 in file mem0dbg.cc line 680
            InnoDB: Failing assertion: heap->magic_n == MEM_BLOCK_MAGIC_N

            #5 0x00007ff2f213d3fa in abort () from /lib/x86_64-linux-gnu/libc.so.6
            #6 0x00007ff2eabb442b in mem_heap_check (heap=0x7ff2de368800) at /data/src/10.0/storage/innobase/mem/mem0dbg.cc:680
            #7 0x00007ff2eaabbf3d in mem_heap_free_func (heap=0x7ff2de368800, file_name=0x7ff2eace01c0 "/data/src/10.0/storage/innobase/include/dict0mem.h", line=872) at /data/src/10.0/storage/innobase/include/mem0mem.ic:482
            #8 0x00007ff2eaace2d4 in dict_foreign_free (foreign=0x7ff2de368878) at /data/src/10.0/storage/innobase/include/dict0mem.h:872
            #9 0x00007ff2eaac5ac5 in dict_foreign_remove_from_cache (foreign=0x7ff2de368878) at /data/src/10.0/storage/innobase/dict/dict0dict.cc:3284
            #10 0x00007ff2eab67d98 in innobase_update_foreign_cache (ctx=0x7ff2de0f9468, user_thd=0x7ff2e6769070) at /data/src/10.0/storage/innobase/handler/handler0alter.cc:4991
            #11 0x00007ff2eab694a3 in ha_innodb::commit_inplace_alter_table (this=0x7ff2de07e888, altered_table=0x7ff2de1bc070, ha_alter_info=0x7ff2f41f7220, commit=true) at /data/src/10.0/storage/innobase/handler/handler0alter.cc:6017
            #12 0x000000000084512d in handler::ha_commit_inplace_alter_table (this=0x7ff2de07e888, altered_table=0x7ff2de1bc070, ha_alter_info=0x7ff2f41f7220, commit=true) at /data/src/10.0/sql/handler.cc:4228
            #13 0x00000000007029c6 in mysql_inplace_alter_table (thd=0x7ff2e6769070, table_list=0x7ff2de0f81a8, table=0x7ff2de09e470, altered_table=0x7ff2de1bc070, ha_alter_info=0x7ff2f41f7220, inplace_supported=HA_ALTER_INPLACE_NO_LOCK_AFTER_PREPARE, target_mdl_request=0x7ff2f41f6c70, alter_ctx=0x7ff2f41f7800) at /data/src/10.0/sql/sql_table.cc:7176
            #14 0x0000000000706ffc in mysql_alter_table (thd=0x7ff2e6769070, new_db=0x7ff2de0f8788 "test", new_name=0x0, create_info=0x7ff2f41f84e0, table_list=0x7ff2de0f81a8, alter_info=0x7ff2f41f8450, order_num=0, order=0x0, ignore=false) at /data/src/10.0/sql/sql_table.cc:8982
            #15 0x0000000000770361 in Sql_cmd_alter_table::execute (this=0x7ff2de0f87e0, thd=0x7ff2e6769070) at /data/src/10.0/sql/sql_alter.cc:312
            #16 0x0000000000654d27 in mysql_execute_command (thd=0x7ff2e6769070) at /data/src/10.0/sql/sql_parse.cc:5125
            #17 0x000000000065837e in mysql_parse (thd=0x7ff2e6769070, rawbuf=0x7ff2de0f8088 "ALTER TABLE t2 DROP FOREIGN KEY fk1, DROP FOREIGN KEY fk1", length=57, parser_state=0x7ff2f41f9640) at /data/src/10.0/sql/sql_parse.cc:6644
            #18 0x000000000064ac38 in dispatch_command (command=COM_QUERY, thd=0x7ff2e6769070, packet=0x7ff2ec230071 "ALTER TABLE t2 DROP FOREIGN KEY fk1, DROP FOREIGN KEY fk1", packet_length=57) at /data/src/10.0/sql/sql_parse.cc:1301
            #19 0x0000000000649f2c in do_command (thd=0x7ff2e6769070) at /data/src/10.0/sql/sql_parse.cc:1003
            #20 0x000000000076bab4 in do_handle_one_connection (thd_arg=0x7ff2e6769070) at /data/src/10.0/sql/sql_connect.cc:1377
            #21 0x000000000076b826 in handle_one_connection (arg=0x7ff2e6769070) at /data/src/10.0/sql/sql_connect.cc:1292
            #22 0x0000000000acd6ea in pfs_spawn_thread (arg=0x7ff2e6719670) at /data/src/10.0/storage/perfschema/pfs.cc:1861
            #23 0x00007ff2f3e38494 in start_thread (arg=0x7ff2f41fa700) at pthread_create.c:333
            #24 0x00007ff2f21f193f in clone () from /lib/x86_64-linux-gnu/libc.so.6
            {noformat}

            Non-debug builds don't show any obvious symptoms, but non-debug ASAN build does:
            {noformat:title=10.4 a8eb0c76bf RelWithDebInfo ASAN}
            ==14835==ERROR: AddressSanitizer: heap-use-after-free on address 0x616000073038 at pc 0x5645b6ca6932 bp 0x7f34f2f34fb0 sp 0x7f34f2f34fa8
            READ of size 8 at 0x616000073038 thread T27
                #0 0x5645b6ca6931 in dict_foreign_remove_from_cache(dict_foreign_t*) /data/src/10.4/storage/innobase/dict/dict0dict.cc:3198
                #1 0x5645b68656ce in innobase_update_foreign_cache /data/src/10.4/storage/innobase/handler/handler0alter.cc:9389
                #2 0x5645b686e2a9 in ha_innobase::commit_inplace_alter_table(TABLE*, Alter_inplace_info*, bool) /data/src/10.4/storage/innobase/handler/handler0alter.cc:10907
                #3 0x5645b5867f8a in mysql_inplace_alter_table /data/src/10.4/sql/sql_table.cc:7590
                #4 0x5645b5d28568 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.4/sql/sql_table.cc:9690
                #5 0x5645b5e1cbee in Sql_cmd_alter_table::execute(THD*) /data/src/10.4/sql/sql_alter.cc:497
                #6 0x5645b5b441ed in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6302
                #7 0x5645b5b5bbdd in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8104
                #8 0x5645b5b64ced in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1851
                #9 0x5645b5b67695 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1396
                #10 0x5645b5e137b7 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1402
                #11 0x5645b5e13cba in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1308
                #12 0x5645b67d5296 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
                #13 0x7f34fe517493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
                #14 0x7f34fcb1893e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)

            0x616000073038 is located 184 bytes inside of 544-byte region [0x616000072f80,0x6160000731a0)
            freed by thread T27 here:
                #0 0x7f34fe781527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
                #1 0x5645b6938aed in mem_heap_block_free(mem_block_info_t*, mem_block_info_t*) /data/src/10.4/storage/innobase/mem/mem0mem.cc:415

            previously allocated by thread T27 here:
                #0 0x7f34fe78173f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
                #1 0x5645b6937cad in mem_heap_create_block_func(mem_block_info_t*, unsigned long, unsigned long) /data/src/10.4/storage/innobase/mem/mem0mem.cc:269

            Thread T27 created by T0 here:
                #0 0x7f34fe750bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
                #1 0x5645b67dd9b6 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912

            SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/storage/innobase/dict/dict0dict.cc:3198 dict_foreign_remove_from_cache(dict_foreign_t*)
            Shadow bytes around the buggy address:
              0x0c2c800065b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c2c800065c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c2c800065d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
              0x0c2c800065e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c2c800065f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
            =>0x0c2c80006600: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
              0x0c2c80006610: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c2c80006620: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c2c80006630: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c2c80006640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c2c80006650: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable: 00
              Partially addressable: 01 02 03 04 05 06 07
              Heap left redzone: fa
              Heap right redzone: fb
              Freed heap region: fd
              Stack left redzone: f1
              Stack mid redzone: f2
              Stack right redzone: f3
              Stack partial redzone: f4
              Stack after return: f5
              Stack use after scope: f8
              Global redzone: f9
              Global init order: f6
              Poisoned by user: f7
              Contiguous container OOB:fc
              ASan internal: fe
            ==14835==ABORTING
            {noformat}

            5.5 doesn't crash (maybe it doesn't have the assertion failure), but it also fails:
            {noformat}
            mysqltest: At line 5: query 'ALTER TABLE t2 DROP FOREIGN KEY fk1, DROP FOREIGN KEY fk1' failed: 1025: Error on rename of './test/t2' to './test/#sql2-35c7-2' (errno: 152)
            {noformat}
            _Note: See also MDEV-18222._

            {code:sql}
            --source include/have_innodb.inc

            CREATE TABLE t1 (a INT PRIMARY KEY) ENGINE=InnoDB;
            CREATE TABLE t2 (b INT PRIMARY KEY, FOREIGN KEY fk1 (b) REFERENCES t1 (a)) ENGINE=InnoDB;
            ALTER TABLE t2 DROP FOREIGN KEY fk1, DROP FOREIGN KEY fk1;

            # Cleanup
            DROP TABLE t2, t1;
            {code}

            {noformat:title=10.0 d0d0f88f2}
            2019-01-15 20:14:51 7ff2f41fa700 InnoDB: Assertion failure in thread 140681454528256 in file mem0dbg.cc line 680
            InnoDB: Failing assertion: heap->magic_n == MEM_BLOCK_MAGIC_N

            #5 0x00007ff2f213d3fa in abort () from /lib/x86_64-linux-gnu/libc.so.6
            #6 0x00007ff2eabb442b in mem_heap_check (heap=0x7ff2de368800) at /data/src/10.0/storage/innobase/mem/mem0dbg.cc:680
            #7 0x00007ff2eaabbf3d in mem_heap_free_func (heap=0x7ff2de368800, file_name=0x7ff2eace01c0 "/data/src/10.0/storage/innobase/include/dict0mem.h", line=872) at /data/src/10.0/storage/innobase/include/mem0mem.ic:482
            #8 0x00007ff2eaace2d4 in dict_foreign_free (foreign=0x7ff2de368878) at /data/src/10.0/storage/innobase/include/dict0mem.h:872
            #9 0x00007ff2eaac5ac5 in dict_foreign_remove_from_cache (foreign=0x7ff2de368878) at /data/src/10.0/storage/innobase/dict/dict0dict.cc:3284
            #10 0x00007ff2eab67d98 in innobase_update_foreign_cache (ctx=0x7ff2de0f9468, user_thd=0x7ff2e6769070) at /data/src/10.0/storage/innobase/handler/handler0alter.cc:4991
            #11 0x00007ff2eab694a3 in ha_innodb::commit_inplace_alter_table (this=0x7ff2de07e888, altered_table=0x7ff2de1bc070, ha_alter_info=0x7ff2f41f7220, commit=true) at /data/src/10.0/storage/innobase/handler/handler0alter.cc:6017
            #12 0x000000000084512d in handler::ha_commit_inplace_alter_table (this=0x7ff2de07e888, altered_table=0x7ff2de1bc070, ha_alter_info=0x7ff2f41f7220, commit=true) at /data/src/10.0/sql/handler.cc:4228
            #13 0x00000000007029c6 in mysql_inplace_alter_table (thd=0x7ff2e6769070, table_list=0x7ff2de0f81a8, table=0x7ff2de09e470, altered_table=0x7ff2de1bc070, ha_alter_info=0x7ff2f41f7220, inplace_supported=HA_ALTER_INPLACE_NO_LOCK_AFTER_PREPARE, target_mdl_request=0x7ff2f41f6c70, alter_ctx=0x7ff2f41f7800) at /data/src/10.0/sql/sql_table.cc:7176
            #14 0x0000000000706ffc in mysql_alter_table (thd=0x7ff2e6769070, new_db=0x7ff2de0f8788 "test", new_name=0x0, create_info=0x7ff2f41f84e0, table_list=0x7ff2de0f81a8, alter_info=0x7ff2f41f8450, order_num=0, order=0x0, ignore=false) at /data/src/10.0/sql/sql_table.cc:8982
            #15 0x0000000000770361 in Sql_cmd_alter_table::execute (this=0x7ff2de0f87e0, thd=0x7ff2e6769070) at /data/src/10.0/sql/sql_alter.cc:312
            #16 0x0000000000654d27 in mysql_execute_command (thd=0x7ff2e6769070) at /data/src/10.0/sql/sql_parse.cc:5125
            #17 0x000000000065837e in mysql_parse (thd=0x7ff2e6769070, rawbuf=0x7ff2de0f8088 "ALTER TABLE t2 DROP FOREIGN KEY fk1, DROP FOREIGN KEY fk1", length=57, parser_state=0x7ff2f41f9640) at /data/src/10.0/sql/sql_parse.cc:6644
            #18 0x000000000064ac38 in dispatch_command (command=COM_QUERY, thd=0x7ff2e6769070, packet=0x7ff2ec230071 "ALTER TABLE t2 DROP FOREIGN KEY fk1, DROP FOREIGN KEY fk1", packet_length=57) at /data/src/10.0/sql/sql_parse.cc:1301
            #19 0x0000000000649f2c in do_command (thd=0x7ff2e6769070) at /data/src/10.0/sql/sql_parse.cc:1003
            #20 0x000000000076bab4 in do_handle_one_connection (thd_arg=0x7ff2e6769070) at /data/src/10.0/sql/sql_connect.cc:1377
            #21 0x000000000076b826 in handle_one_connection (arg=0x7ff2e6769070) at /data/src/10.0/sql/sql_connect.cc:1292
            #22 0x0000000000acd6ea in pfs_spawn_thread (arg=0x7ff2e6719670) at /data/src/10.0/storage/perfschema/pfs.cc:1861
            #23 0x00007ff2f3e38494 in start_thread (arg=0x7ff2f41fa700) at pthread_create.c:333
            #24 0x00007ff2f21f193f in clone () from /lib/x86_64-linux-gnu/libc.so.6
            {noformat}

            Non-debug builds don't show any obvious symptoms, but non-debug ASAN build does:
            {noformat:title=10.4 a8eb0c76bf RelWithDebInfo ASAN}
            ==14835==ERROR: AddressSanitizer: heap-use-after-free on address 0x616000073038 at pc 0x5645b6ca6932 bp 0x7f34f2f34fb0 sp 0x7f34f2f34fa8
            READ of size 8 at 0x616000073038 thread T27
                #0 0x5645b6ca6931 in dict_foreign_remove_from_cache(dict_foreign_t*) /data/src/10.4/storage/innobase/dict/dict0dict.cc:3198
                #1 0x5645b68656ce in innobase_update_foreign_cache /data/src/10.4/storage/innobase/handler/handler0alter.cc:9389
                #2 0x5645b686e2a9 in ha_innobase::commit_inplace_alter_table(TABLE*, Alter_inplace_info*, bool) /data/src/10.4/storage/innobase/handler/handler0alter.cc:10907
                #3 0x5645b5867f8a in mysql_inplace_alter_table /data/src/10.4/sql/sql_table.cc:7590
                #4 0x5645b5d28568 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.4/sql/sql_table.cc:9690
                #5 0x5645b5e1cbee in Sql_cmd_alter_table::execute(THD*) /data/src/10.4/sql/sql_alter.cc:497
                #6 0x5645b5b441ed in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6302
                #7 0x5645b5b5bbdd in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8104
                #8 0x5645b5b64ced in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1851
                #9 0x5645b5b67695 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1396
                #10 0x5645b5e137b7 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1402
                #11 0x5645b5e13cba in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1308
                #12 0x5645b67d5296 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
                #13 0x7f34fe517493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
                #14 0x7f34fcb1893e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)

            0x616000073038 is located 184 bytes inside of 544-byte region [0x616000072f80,0x6160000731a0)
            freed by thread T27 here:
                #0 0x7f34fe781527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
                #1 0x5645b6938aed in mem_heap_block_free(mem_block_info_t*, mem_block_info_t*) /data/src/10.4/storage/innobase/mem/mem0mem.cc:415

            previously allocated by thread T27 here:
                #0 0x7f34fe78173f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
                #1 0x5645b6937cad in mem_heap_create_block_func(mem_block_info_t*, unsigned long, unsigned long) /data/src/10.4/storage/innobase/mem/mem0mem.cc:269

            Thread T27 created by T0 here:
                #0 0x7f34fe750bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
                #1 0x5645b67dd9b6 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912

            SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/storage/innobase/dict/dict0dict.cc:3198 dict_foreign_remove_from_cache(dict_foreign_t*)
            Shadow bytes around the buggy address:
              0x0c2c800065b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c2c800065c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c2c800065d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
              0x0c2c800065e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c2c800065f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
            =>0x0c2c80006600: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
              0x0c2c80006610: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c2c80006620: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c2c80006630: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c2c80006640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c2c80006650: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable: 00
              Partially addressable: 01 02 03 04 05 06 07
              Heap left redzone: fa
              Heap right redzone: fb
              Freed heap region: fd
              Stack left redzone: f1
              Stack mid redzone: f2
              Stack right redzone: f3
              Stack partial redzone: f4
              Stack after return: f5
              Stack use after scope: f8
              Global redzone: f9
              Global init order: f6
              Poisoned by user: f7
              Contiguous container OOB:fc
              ASan internal: fe
            ==14835==ABORTING
            {noformat}

            5.5 doesn't crash (maybe it doesn't have the assertion failure), but it also fails:
            {noformat}
            mysqltest: At line 5: query 'ALTER TABLE t2 DROP FOREIGN KEY fk1, DROP FOREIGN KEY fk1' failed: 1025: Error on rename of './test/t2' to './test/#sql2-35c7-2' (errno: 152)
            {noformat}
            marko Marko Mäkelä made changes -
            Status Open [ 1 ] In Progress [ 3 ]

            In 10.0+, we can simply filter out duplicate foreign key definitions in ha_innobase::prepare_inplace_alter_table().
            In 5.5, the code is completely different, and I would not fix this unless there is a strong demand.

            marko Marko Mäkelä added a comment - In 10.0+, we can simply filter out duplicate foreign key definitions in ha_innobase::prepare_inplace_alter_table() . In 5.5, the code is completely different, and I would not fix this unless there is a strong demand.

            This double-free was introduced by a merge of the following change from MySQL 5.6.23 into 10.0.17, 10.1.4, 10.2.0, 10.3.0 (InnoDB 5.6.23) and 10.0.18, 10.1.5 (XtraDB 5.6.23-72.1):
            Bug #20031243 CREATE TABLE FAILS TO CHECK IF FOREIGN KEY COLUMN NULL/NOT NULL MISMATCH

            The variable fk_evict should have been declared as std::set instead of std::list, in order to avoid duplicates.

            marko Marko Mäkelä added a comment - This double-free was introduced by a merge of the following change from MySQL 5.6.23 into 10.0.17,10.1.4,10.2.0,10.3.0 (InnoDB 5.6.23) and 10.0.18,10.1.5 (XtraDB 5.6.23-72.1) : Bug #20031243 CREATE TABLE FAILS TO CHECK IF FOREIGN KEY COLUMN NULL/NOT NULL MISMATCH The variable fk_evict should have been declared as std::set instead of std::list , in order to avoid duplicates.
            marko Marko Mäkelä made changes -
            Labels ASAN upstream valgrind
            marko Marko Mäkelä made changes -
            issue.field.resolutiondate 2019-01-29 13:27:32.0 2019-01-29 13:27:32.978
            marko Marko Mäkelä made changes -
            Fix Version/s 10.4.3 [ 23230 ]
            Fix Version/s 10.1.38 [ 23209 ]
            Fix Version/s 10.0.38 [ 23211 ]
            Fix Version/s 10.3.13 [ 23215 ]
            Fix Version/s 10.2.22 [ 23250 ]
            Fix Version/s 10.2 [ 14601 ]
            Fix Version/s 10.0 [ 16000 ]
            Fix Version/s 10.1 [ 16100 ]
            Fix Version/s 10.3 [ 22126 ]
            Fix Version/s 10.4 [ 22408 ]
            Resolution Fixed [ 1 ]
            Status In Progress [ 3 ] Closed [ 6 ]
            serg Sergei Golubchik made changes -
            Workflow MariaDB v3 [ 91731 ] MariaDB v4 [ 155527 ]

            People

              marko Marko Mäkelä
              elenst Elena Stepanova