[MDEV-19194] Server crash or ASAN use-after-poison in fk_prepare_copy_alter_table upon dropping FK - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.0(EOL), 10.1(EOL), 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5(EOL), 10.6, 10.11, 11.4, 11.7(EOL)
Fix Version/s: 10.6.26, 10.11.17, 11.4.11, 11.8.7, 12.3.2
Component/s: Data Definition - Alter Table
Labels:
None

Bug Category:
Can result in unexpected behaviour
Release Note Summary:
Fixes the issue occurred when ALTER TABLE contained duplicate DROP FOREIGN KEY operations (e.g., "DROP FOREIGN KEY f1, DROP FOREIGN KEY f1").

Description

--source include/have_innodb.inc

CREATE TABLE tx (pk INT PRIMARY KEY) ENGINE=InnoDB;

CREATE TABLE t1 (a INT, CONSTRAINT fk FOREIGN KEY (a) REFERENCES tx(pk)) ENGINE=InnoDB;

ALTER IGNORE TABLE t1 DROP FOREIGN KEY fk, DROP FOREIGN KEY fk, ALGORITHM=COPY;

# Cleanup

DROP TABLE t1, tx;

10.3 d5a2bc6a ASAN
==21826==ERROR: AddressSanitizer: use-after-poison on address 0x557aba8bd568 at pc 0x557ab775e79f bp 0x7f5597b04240 sp 0x7f5597b04238
READ of size 8 at 0x557aba8bd568 thread T27
#0 0x557ab775e79e in base_list_iterator::next_fast() /data/src/10.3/sql/sql_list.h:433
#1 0x557ab7c140d6 in List_iterator_fast<Alter_drop>::operator++(int) /data/src/10.3/sql/sql_list.h:554
#2 0x557ab7c02708 in fk_prepare_copy_alter_table /data/src/10.3/sql/sql_table.cc:8770
#3 0x557ab7c077b7 in mysql_alter_table(THD, st_mysql_const_lex_string const, st_mysql_const_lex_string const, HA_CREATE_INFO, TABLE_LIST, Alter_info, unsigned int, st_order*, bool) /data/src/10.3/sql/sql_table.cc:9771
#4 0x557ab7d52ecd in Sql_cmd_alter_table::execute(THD*) /data/src/10.3/sql/sql_alter.cc:494
#5 0x557ab79ee21a in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:6285
#6 0x557ab79f90a9 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8091
#7 0x557ab79d31d1 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1857
#8 0x557ab79d0227 in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1403
#9 0x557ab7d43f7f in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
#10 0x557ab7d4398b in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
#11 0x557ab887a131 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
#12 0x7f55a3660493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
#13 0x7f55a182e93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)

0x557aba8bd568 is located 8 bytes inside of global variable 'end_of_list' from '/data/src/10.3/sql/sql_list.cc' (0x557aba8bd560) of size 16
SUMMARY: AddressSanitizer: use-after-poison /data/src/10.3/sql/sql_list.h:433 base_list_iterator::next_fast()
Shadow bytes around the buggy address:
0x0aafd750fa50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0aafd750fa60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0aafd750fa70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0aafd750fa80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0aafd750fa90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0aafd750faa0: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f7[f7]f9 f9
0x0aafd750fab0: f9 f9 f9 f9 00 00 00 00 01 f9 f9 f9 f9 f9 f9 f9
0x0aafd750fac0: 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
0x0aafd750fad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0aafd750fae0: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0aafd750faf0: 00 00 00 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
Thread T27 created by T0 here:
#0 0x7f55a3899bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
#1 0x557ab887a6f9 in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1912
#2 0x557ab773bb88 in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1268
#3 0x557ab775151e in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6589
#4 0x557ab7751c23 in create_new_thread /data/src/10.3/sql/mysqld.cc:6659
#5 0x557ab7752c3a in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6934
#6 0x557ab77509db in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6211
#7 0x557ab7739c0f in main /data/src/10.3/sql/main.cc:25
#8 0x7f55a17662b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

==21826==ABORTING

10.3 d5a2bc6a debug
#3 <signal handler called>
#4 0x0000559ff23c3e06 in fk_prepare_copy_alter_table (thd=0x7f9a70000b00, table=0x7f9a700a8690, alter_info=0x7f9abeb50be0, alter_ctx=0x7f9abeb500b0) at /data/src/10.3/sql/sql_table.cc:8773
#5 0x0000559ff23c6783 in mysql_alter_table (thd=0x7f9a70000b00, new_db=0x7f9a700051d0, new_name=0x7f9a70005590, create_info=0x7f9abeb50ca0, table_list=0x7f9a70014e30, alter_info=0x7f9abeb50be0, order_num=0, order=0x0, ignore=true) at /data/src/10.3/sql/sql_table.cc:9771
#6 0x0000559ff244e902 in Sql_cmd_alter_table::execute (this=0x7f9a700154d8, thd=0x7f9a70000b00) at /data/src/10.3/sql/sql_alter.cc:494
#7 0x0000559ff22ef4ca in mysql_execute_command (thd=0x7f9a70000b00) at /data/src/10.3/sql/sql_parse.cc:6285
#8 0x0000559ff22f456f in mysql_parse (thd=0x7f9a70000b00, rawbuf=0x7f9a70014ce8 "ALTER IGNORE TABLE t1 DROP FOREIGN KEY fk, DROP FOREIGN KEY fk, ALGORITHM=COPY", length=78, parser_state=0x7f9abeb525f0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:8091
#9 0x0000559ff22e183e in dispatch_command (command=COM_QUERY, thd=0x7f9a70000b00, packet=0x7f9a70162261 "ALTER IGNORE TABLE t1 DROP FOREIGN KEY fk, DROP FOREIGN KEY fk, ALGORITHM=COPY", packet_length=78, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1857
#10 0x0000559ff22e0228 in do_command (thd=0x7f9a70000b00) at /data/src/10.3/sql/sql_parse.cc:1403
#11 0x0000559ff2448ec1 in do_handle_one_connection (connect=0x559ff4b9add0) at /data/src/10.3/sql/sql_connect.cc:1402
#12 0x0000559ff2448c45 in handle_one_connection (arg=0x559ff4b9add0) at /data/src/10.3/sql/sql_connect.cc:1308
#13 0x0000559ff28e5519 in pfs_spawn_thread (arg=0x559ff4ae0190) at /data/src/10.3/storage/perfschema/pfs.cc:1862
#14 0x00007f9acb6ff494 in start_thread (arg=0x7f9abeb53700) at pthread_create.c:333
#15 0x00007f9ac98cd93f in clone () from /lib/x86_64-linux-gnu/libc.so.6

Non-debug build doesn't crash on my machine, but since it's SIGSEGV, it might be the matter of luck.

Attachments

Issue Links

relates to

MDEV-20493 Server fails to produce a crash report with a stack trace in the error log

Open

MDEV-23686 ASAN heap-use-after-free or server crash in id_name_t::operator / get_foreign_key_info / ha_innobase::get_parent_foreign_key_list

Confirmed

MDEV-23679 Server crashes in base_list_iterator::next_fast upon 2nd execution of SP after adding system versioning between calls

Confirmed

Activity

People

Assignee:: Thirunarayanan Balathandayuthapani

Reporter:: Elena Stepanova

Assigned for Implementation:: Thirunarayanan Balathandayuthapani

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2019-04-05 19:38

Updated:: 2026-03-23 08:10

Resolved:: 2026-03-11 06:39

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.