MariaDB Server / MDEV-19066

AddressSanitizer: use-after-poison in innobase_build_col_map after upgrade from 10.1

Description

      Note: Affected servers already have a patch for MDEV-18090.

      10.2 c676f58c

      ==23343==ERROR: AddressSanitizer: use-after-poison on address 0x61e00001e208 at pc 0x558b85a975fd bp 0x7fe8792027e0 sp 0x7fe8792027d8
      WRITE of size 8 at 0x61e00001e208 thread T31
          #0 0x558b85a975fc in innobase_build_col_map /data/src/10.2/storage/innobase/handler/handler0alter.cc:3075
          #1 0x558b85aa1858 in prepare_inplace_alter_table_dict /data/src/10.2/storage/innobase/handler/handler0alter.cc:4774
          #2 0x558b85aaa980 in ha_innobase::prepare_inplace_alter_table(TABLE*, Alter_inplace_info*) /data/src/10.2/storage/innobase/handler/handler0alter.cc:6262
          #3 0x558b8529c821 in handler::ha_prepare_inplace_alter_table(TABLE*, Alter_inplace_info*) /data/src/10.2/sql/handler.cc:4293
          #4 0x558b86264fe7 in ha_partition::prepare_inplace_alter_table(TABLE*, Alter_inplace_info*) /data/src/10.2/sql/ha_partition.cc:8346
          #5 0x558b8529c821 in handler::ha_prepare_inplace_alter_table(TABLE*, Alter_inplace_info*) /data/src/10.2/sql/handler.cc:4293
          #6 0x558b84e9d1aa in mysql_inplace_alter_table /data/src/10.2/sql/sql_table.cc:7329
          #7 0x558b84eaa6cc in mysql_alter_table(THD*, char*, char*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.2/sql/sql_table.cc:9452
          #8 0x558b84eb0068 in mysql_recreate_table(THD*, TABLE_LIST*, bool) /data/src/10.2/sql/sql_table.cc:10277
          #9 0x558b84fedfb3 in admin_recreate_table /data/src/10.2/sql/sql_admin.cc:58
          #10 0x558b84ff4f9f in mysql_admin_table /data/src/10.2/sql/sql_admin.cc:1022
          #11 0x558b84ff7af7 in Sql_cmd_optimize_table::execute(THD*) /data/src/10.2/sql/sql_admin.cc:1366
          #12 0x558b84c9f59a in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:6226
          #13 0x558b84caa103 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:8013
          #14 0x558b84c84cab in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1832
          #15 0x558b84c81d1a in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1386
          #16 0x558b84fc8764 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
          #17 0x558b84fc8179 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
          #18 0x7fe8a3a30493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
          #19 0x7fe8a1bfe93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
       
      0x61e00001e208 is located 392 bytes inside of 2456-byte region [0x61e00001e080,0x61e00001ea18)
      allocated by thread T31 here:
          #0 0x7fe8a3c9a73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
          #1 0x558b85b7ba83 in mem_heap_create_block_func(mem_block_info_t*, unsigned long, char const*, unsigned int, unsigned long) /data/src/10.2/storage/innobase/mem/mem0mem.cc:294
          #2 0x558b85b7c1cb in mem_heap_add_block(mem_block_info_t*, unsigned long) /data/src/10.2/storage/innobase/mem/mem0mem.cc:400
          #3 0x558b85f69661 in mem_heap_alloc /data/src/10.2/storage/innobase/include/mem0mem.ic:201
          #4 0x558b85f6b7f3 in dict_add_col_name /data/src/10.2/storage/innobase/dict/dict0mem.cc:260
          #5 0x558b85f6bd84 in dict_mem_table_add_col(dict_table_t*, mem_block_info_t*, char const*, unsigned long, unsigned long, unsigned long) /data/src/10.2/storage/innobase/dict/dict0mem.cc:309
          #6 0x558b85aa0c32 in prepare_inplace_alter_table_dict /data/src/10.2/storage/innobase/handler/handler0alter.cc:4684
          #7 0x558b85aaa980 in ha_innobase::prepare_inplace_alter_table(TABLE*, Alter_inplace_info*) /data/src/10.2/storage/innobase/handler/handler0alter.cc:6262
          #8 0x558b8529c821 in handler::ha_prepare_inplace_alter_table(TABLE*, Alter_inplace_info*) /data/src/10.2/sql/handler.cc:4293
          #9 0x558b86264fe7 in ha_partition::prepare_inplace_alter_table(TABLE*, Alter_inplace_info*) /data/src/10.2/sql/ha_partition.cc:8346
          #10 0x558b8529c821 in handler::ha_prepare_inplace_alter_table(TABLE*, Alter_inplace_info*) /data/src/10.2/sql/handler.cc:4293
          #11 0x558b84e9d1aa in mysql_inplace_alter_table /data/src/10.2/sql/sql_table.cc:7329
          #12 0x558b84eaa6cc in mysql_alter_table(THD*, char*, char*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.2/sql/sql_table.cc:9452
          #13 0x558b84eb0068 in mysql_recreate_table(THD*, TABLE_LIST*, bool) /data/src/10.2/sql/sql_table.cc:10277
          #14 0x558b84fedfb3 in admin_recreate_table /data/src/10.2/sql/sql_admin.cc:58
          #15 0x558b84ff4f9f in mysql_admin_table /data/src/10.2/sql/sql_admin.cc:1022
          #16 0x558b84ff7af7 in Sql_cmd_optimize_table::execute(THD*) /data/src/10.2/sql/sql_admin.cc:1366
          #17 0x558b84c9f59a in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:6226
          #18 0x558b84caa103 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:8013
          #19 0x558b84c84cab in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1832
          #20 0x558b84c81d1a in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1386
          #21 0x558b84fc8764 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
          #22 0x558b84fc8179 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
          #23 0x7fe8a3a30493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
       
      Thread T31 created by T0 here:
          #0 0x7fe8a3c69bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x558b86333bc7 in spawn_thread_noop /data/src/10.2/mysys/psi_noop.c:187
          #2 0x558b84a7e10e in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1239
          #3 0x558b84a93176 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6482
          #4 0x558b84a9387b in create_new_thread /data/src/10.2/sql/mysqld.cc:6552
          #5 0x558b84a94892 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6827
          #6 0x558b84a926cb in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6101
          #7 0x558b84a7c4af in main /data/src/10.2/sql/main.cc:25
          #8 0x7fe8a1b362b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
       
      SUMMARY: AddressSanitizer: use-after-poison /data/src/10.2/storage/innobase/handler/handler0alter.cc:3075 innobase_build_col_map
      Shadow bytes around the buggy address:
        0x0c3c7fffbbf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c3c7fffbc00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c3c7fffbc10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c3c7fffbc20: 00 00 00 00 00 07 00 00 00 00 00 03 00 00 00 00
        0x0c3c7fffbc30: 00 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0c3c7fffbc40: 00[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c3c7fffbc50: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c3c7fffbc60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c3c7fffbc70: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c3c7fffbc80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c3c7fffbc90: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Contiguous container OOB:fc
        ASan internal:           fe
      ==23343==ABORTING
      

      To reproduce:

      Reproducible on 10.2+.
      Not reproducible on 10.1.
      The datadir was created with 10.1.38 release build.

Activity

Marko Mäkelä (marko) added a comment:

I was unable to repeat this with 10.2 f055da9b84bc9481917003a1ed0a702072c0f452 (the MDEV-19085 fix) or its parent commit. Maybe something was recently fixed in the partitioning engine?
Elena Stepanova (elenst) added a comment (edited):

            Sorry about this. Just yesterday in a desperate attempt to work around the problems, I symlinked test data sets to ones without generated columns (possibly other data is somehow different as well). The right link is
            ftp://perro.askmonty.org/public/innodb_upgrade_data/10.1.38/format-Antelope/innodb-builtin/4K/compression-none/encryption-off/normal.tar.gz
            (I'm also changing it in the description).

            I'll try to create separate links for bug reports in future, rather than paste those used by tests.


Thirunarayanan Balathandayuthapani (thiru) added a comment:

The issue is already fixed by the following:

commit f055da9b84bc9481917003a1ed0a702072c0f452 (HEAD)
Author: Marko Mäkelä <marko.makela@mariadb.com>
Date:   Mon Apr 1 14:24:15 2019 +0300

    MDEV-19085 Assertion failures due to virtual columns after upgrading from 10.1

People: Thirunarayanan Balathandayuthapani (thiru), Elena Stepanova (elenst)