Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Duplicate
-
10.4(EOL)
-
None
Description
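Note: Before MDEV-371 (unique indexes for blobs), the ALTER TABLE in this test case wasn't possible. In the ASAN report below, the DELETE path reads, in innobase_get_computed_value, memory that was freed earlier on the same thread (T28), when mysql_alter_table dropped its temporary table and TABLE_SHARE::destroy() released the share's memory root.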
# Reproducer in mysqltest format (InnoDB required).
--source include/have_innodb.inc

# A single row with a NULL BLOB value in an InnoDB table.
CREATE TABLE t1 (b BLOB, i INT) ENGINE=InnoDB;
REPLACE INTO t1 VALUES (NULL,0);

# Second connection: add a UNIQUE index on the BLOB column, then issue a
# DELETE with --send, so the script does not wait for its result.
# The ASAN report shows the free (ALTER TABLE path) and the later read
# (DELETE path) on the same thread, which suggests the DELETE sent on this
# connection is the one that touches the freed memory.
--connect (con1,localhost,root,,test)
ALTER TABLE t1 ADD UNIQUE (b);
--send
DELETE FROM t1;

# Default connection: a second DELETE on the same table, issued while the
# one sent on con1 may still be running.
--connection default
DELETE FROM t1;

# Cleanup
# NOTE(review): con1 is disconnected without a --reap for the sent DELETE.
--disconnect con1
--connection default
DROP TABLE t1;
10.4 a796f1f ASAN |
==6095==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000107939 at pc 0x5627280c4eab bp 0x7fb2a9dd6840 sp 0x7fb2a9dd6838
|
READ of size 10 at 0x619000107939 thread T28
|
#0 0x5627280c4eaa in innobase_get_computed_value(dtuple_t const*, dict_v_col_t const*, dict_index_t const*, mem_block_info_t**, mem_block_info_t*, dict_field_t const*, THD*, TABLE*, unsigned char*, dict_table_t const*, upd_t*, dict_foreign_t*) /data/src/10.4/storage/innobase/handler/ha_innodb.cc:20786
|
#1 0x5627283d7227 in row_upd_store_v_row /data/src/10.4/storage/innobase/row/row0upd.cc:2182
|
#2 0x5627283d7879 in row_upd_store_row(upd_node_t*, THD*, TABLE*) /data/src/10.4/storage/innobase/row/row0upd.cc:2246
|
#3 0x5627283dbd6f in row_upd_del_mark_clust_rec /data/src/10.4/storage/innobase/row/row0upd.cc:2981
|
#4 0x5627283dcd8d in row_upd_clust_step /data/src/10.4/storage/innobase/row/row0upd.cc:3171
|
#5 0x5627283dd907 in row_upd /data/src/10.4/storage/innobase/row/row0upd.cc:3293
|
#6 0x5627283de622 in row_upd_step(que_thr_t*) /data/src/10.4/storage/innobase/row/row0upd.cc:3437
|
#7 0x562728344f15 in row_update_for_mysql(row_prebuilt_t*) /data/src/10.4/storage/innobase/row/row0mysql.cc:1890
|
#8 0x562728095baf in ha_innobase::delete_row(unsigned char const*) /data/src/10.4/storage/innobase/handler/ha_innodb.cc:9025
|
#9 0x5627278c1839 in handler::ha_delete_row(unsigned char const*) /data/src/10.4/sql/handler.cc:6810
|
#10 0x562727cbb601 in TABLE::delete_row() /data/src/10.4/sql/sql_delete.cc:297
|
#11 0x562727cb3e7c in mysql_delete(THD*, TABLE_LIST*, Item*, SQL_I_List<st_order>*, unsigned long long, unsigned long long, select_result*) /data/src/10.4/sql/sql_delete.cc:843
|
#12 0x562727100f3a in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:5032
|
#13 0x562727115f8a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8204
|
#14 0x5627270edf07 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
|
#15 0x5627270ead58 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
|
#16 0x56272747e921 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
|
#17 0x56272747e31a in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
|
#18 0x562728045888 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
|
#19 0x7fb2c631a493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
|
#20 0x7fb2c470093e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
|
|
0x619000107939 is located 441 bytes inside of 1100-byte region [0x619000107780,0x619000107bcc)
|
freed by thread T28 here:
|
#0 0x7fb2c6584527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
|
#1 0x5627289f6a69 in free_memory /data/src/10.4/mysys/safemalloc.c:279
|
#2 0x5627289f606f in sf_free /data/src/10.4/mysys/safemalloc.c:197
|
#3 0x5627289c6ab8 in my_free /data/src/10.4/mysys/my_malloc.c:222
|
#4 0x5627289a6a0a in free_root /data/src/10.4/mysys/my_alloc.c:428
|
#5 0x5627273a4499 in TABLE_SHARE::destroy() /data/src/10.4/sql/table.cc:498
|
#6 0x5627273a46a5 in free_table_share(TABLE_SHARE*) /data/src/10.4/sql/table.cc:514
|
#7 0x56272769dc7e in THD::free_tmp_table_share(TMP_TABLE_SHARE*, bool) /data/src/10.4/sql/temporary_tables.cc:1447
|
#8 0x5627276992da in THD::drop_temporary_table(TABLE*, bool*, bool) /data/src/10.4/sql/temporary_tables.cc:646
|
#9 0x56272733950a in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.4/sql/sql_table.cc:10135
|
#10 0x5627274942ee in Sql_cmd_alter_table::execute(THD*) /data/src/10.4/sql/sql_alter.cc:499
|
#11 0x56272710b5d9 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6393
|
#12 0x562727115f8a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8204
|
#13 0x5627270edf07 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
|
#14 0x5627270ead58 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
|
#15 0x56272747e921 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
|
#16 0x56272747e31a in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
|
#17 0x562728045888 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
|
#18 0x7fb2c631a493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
|
|
previously allocated by thread T28 here:
|
#0 0x7fb2c658473f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
|
#1 0x5627289f57df in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
|
#2 0x5627289c60da in my_malloc /data/src/10.4/mysys/my_malloc.c:101
|
#3 0x5627289a57d2 in alloc_root /data/src/10.4/mysys/my_alloc.c:250
|
#4 0x5627289a7344 in memdup_root /data/src/10.4/mysys/my_alloc.c:491
|
#5 0x5627273ac2cb in TABLE_SHARE::init_from_binary_frm_image(THD*, bool, unsigned char const*, unsigned long) /data/src/10.4/sql/table.cc:1611
|
#6 0x56272769ae5f in THD::create_temporary_table(handlerton*, st_mysql_const_unsigned_lex_string*, char const*, char const*, char const*) /data/src/10.4/sql/temporary_tables.cc:965
|
#7 0x5627276964bc in THD::create_and_open_tmp_table(handlerton*, st_mysql_const_unsigned_lex_string*, char const*, char const*, char const*, bool, bool) /data/src/10.4/sql/temporary_tables.cc:76
|
#8 0x562727338464 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.4/sql/sql_table.cc:9990
|
#9 0x5627274942ee in Sql_cmd_alter_table::execute(THD*) /data/src/10.4/sql/sql_alter.cc:499
|
#10 0x56272710b5d9 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6393
|
#11 0x562727115f8a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8204
|
#12 0x5627270edf07 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
|
#13 0x5627270ead58 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
|
#14 0x56272747e921 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
|
#15 0x56272747e31a in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
|
#16 0x562728045888 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
|
#17 0x7fb2c631a493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
|
|
Thread T28 created by T0 here:
|
#0 0x7fb2c6553bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
|
#1 0x562728045e50 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
|
#2 0x562726e36476 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
|
#3 0x562726e4b6ed in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6141
|
#4 0x562726e4bdf2 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6211
|
#5 0x562726e4c182 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6309
|
#6 0x562726e4cdce in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6467
|
#7 0x562726e4af28 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5799
|
#8 0x562726e342ff in main /data/src/10.4/sql/main.cc:25
|
#9 0x7fb2c46382b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
|
|
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/storage/innobase/handler/ha_innodb.cc:20786 innobase_get_computed_value(dtuple_t const*, dict_v_col_t const*, dict_index_t const*, mem_block_info_t**, mem_block_info_t*, dict_field_t const*, THD*, TABLE*, unsigned char*, dict_table_t const*, upd_t*, dict_foreign_t*)
|
Shadow bytes around the buggy address:
|
0x0c3280018ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c3280018ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c3280018ef0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c3280018f00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c3280018f10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
=>0x0c3280018f20: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
|
0x0c3280018f30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c3280018f40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c3280018f50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c3280018f60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c3280018f70: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Heap right redzone: fb
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack partial redzone: f4
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Contiguous container OOB:fc
|
ASan internal: fe
|
==6095==ABORTING
|
Issue Links
- is caused by
-
MDEV-371 Unique indexes for blobs
- Closed
- is duplicated by
-
MDEV-18799 Long unique does not work after failed alter table
- Closed
- relates to
-
MDEV-17005 ASAN heap-use-after-free in innobase_get_computed_value
- Closed