[MDEV-21485] ASAN use-after-poison in dfield_get_len or Assertion `pos < index->n_def' failed - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.4, 10.5
Fix Version/s: 10.4.12, 10.5.1
Component/s: Data Definition - Alter Table, Storage Engine - InnoDB
Labels:
None

Description

--source include/have_innodb.inc

CREATE TABLE t1 (a INT, b INT, PRIMARY KEY(a,b)) ENGINE=InnoDB;

ALTER TABLE t1 MODIFY b INT FIRST;

# Cleanup

DROP TABLE t1;

10.4 ASAN 2d4b6571
==16349==ERROR: AddressSanitizer: use-after-poison on address 0x61e00002addc at pc 0x55dea553a60e bp 0x7f40e4d57410 sp 0x7f40e4d57408
READ of size 4 at 0x61e00002addc thread T27
#0 0x55dea553a60d in dfield_get_len(dfield_t const*) /data/src/10.4/storage/innobase/include/data0data.h:593
#1 0x55dea574fa5d in rec_get_converted_size_comp_prefix_low<true> /data/src/10.4/storage/innobase/rem/rem0rec.cc:1161
#2 0x55dea5742603 in rec_get_converted_size_comp(dict_index_t const, dtuple_t const, unsigned long*) /data/src/10.4/storage/innobase/rem/rem0rec.cc:1297
#3 0x55dea5a89169 in rec_get_converted_size /data/src/10.4/storage/innobase/include/rem0rec.ic:1388
#4 0x55dea5a8bdee in dtuple_convert_big_rec(dict_index_t, upd_t, dtuple_t, unsigned long) /data/src/10.4/storage/innobase/data/data0data.cc:621
#5 0x55dea59bcfb8 in btr_cur_optimistic_insert(unsigned long, btr_cur_t, unsigned short, mem_block_info_t, dtuple_t, unsigned char, big_rec_t, unsigned long, que_thr_t, mtr_t) /data/src/10.4/storage/innobase/btr/btr0cur.cc:3438
#6 0x55dea57972d3 in row_ins_clust_index_entry_low(unsigned long, unsigned long, dict_index_t, unsigned long, dtuple_t, unsigned long, que_thr_t*) /data/src/10.4/storage/innobase/row/row0ins.cc:2777
#7 0x55dea557ab50 in innobase_instant_try /data/src/10.4/storage/innobase/handler/handler0alter.cc:5917
#8 0x55dea55c2692 in commit_try_norebuild(Alter_inplace_info, ha_innobase_inplace_ctx, TABLE, TABLE const, trx_t, char const) (/data/bld/10.4-asan/bin/mysqld+0x201d692)
#9 0x55dea559dd14 in ha_innobase::commit_inplace_alter_table(TABLE, Alter_inplace_info, bool) /data/src/10.4/storage/innobase/handler/handler0alter.cc:10900
#10 0x55dea4fcfe72 in handler::ha_commit_inplace_alter_table(TABLE, Alter_inplace_info, bool) /data/src/10.4/sql/handler.cc:4568
#11 0x55dea4a7565e in mysql_inplace_alter_table /data/src/10.4/sql/sql_table.cc:7776
#12 0x55dea4a83b08 in mysql_alter_table(THD, st_mysql_const_lex_string const, st_mysql_const_lex_string const, HA_CREATE_INFO, TABLE_LIST, Alter_info, unsigned int, st_order*, bool) /data/src/10.4/sql/sql_table.cc:10119
#13 0x55dea4bdba6b in Sql_cmd_alter_table::execute(THD*) /data/src/10.4/sql/sql_alter.cc:508
#14 0x55dea485eea3 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6102
#15 0x55dea486986d in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7901
#16 0x55dea4842b20 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1842
#17 0x55dea483fa20 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1360
#18 0x55dea4bc6730 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412
#19 0x55dea4bc60e4 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
#20 0x55dea602c919 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
#21 0x7f40fc9bb4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
#22 0x7f40faaefd0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)

0x61e00002addc is located 348 bytes inside of 2456-byte region [0x61e00002ac80,0x61e00002b618)
allocated by thread T27 here:
#0 0x7f40fcc92d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
#1 0x55dea569e899 in mem_heap_create_block_func(mem_block_info_t, unsigned long, char const, unsigned int, unsigned long) /data/src/10.4/storage/innobase/mem/mem0mem.cc:280
#2 0x55dea569effe in mem_heap_add_block(mem_block_info_t*, unsigned long) /data/src/10.4/storage/innobase/mem/mem0mem.cc:386
#3 0x55dea5556390 in mem_heap_alloc /data/src/10.4/storage/innobase/include/mem0mem.ic:203
#4 0x55dea5556e15 in dtuple_create_with_vcol /data/src/10.4/storage/innobase/include/data0data.ic:405
#5 0x55dea5556d5d in dtuple_create /data/src/10.4/storage/innobase/include/data0data.ic:383
#6 0x55dea55bd96b in dict_index_t::instant_metadata(dtuple_t const&, mem_block_info_t*) const (/data/bld/10.4-asan/bin/mysqld+0x201896b)
#7 0x55dea557932d in innobase_instant_try /data/src/10.4/storage/innobase/handler/handler0alter.cc:5782
#8 0x55dea55c2692 in commit_try_norebuild(Alter_inplace_info, ha_innobase_inplace_ctx, TABLE, TABLE const, trx_t, char const) (/data/bld/10.4-asan/bin/mysqld+0x201d692)
#9 0x55dea559dd14 in ha_innobase::commit_inplace_alter_table(TABLE, Alter_inplace_info, bool) /data/src/10.4/storage/innobase/handler/handler0alter.cc:10900
#10 0x55dea4fcfe72 in handler::ha_commit_inplace_alter_table(TABLE, Alter_inplace_info, bool) /data/src/10.4/sql/handler.cc:4568
#11 0x55dea4a7565e in mysql_inplace_alter_table /data/src/10.4/sql/sql_table.cc:7776
#12 0x55dea4a83b08 in mysql_alter_table(THD, st_mysql_const_lex_string const, st_mysql_const_lex_string const, HA_CREATE_INFO, TABLE_LIST, Alter_info, unsigned int, st_order*, bool) /data/src/10.4/sql/sql_table.cc:10119
#13 0x55dea4bdba6b in Sql_cmd_alter_table::execute(THD*) /data/src/10.4/sql/sql_alter.cc:508
#14 0x55dea485eea3 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6102
#15 0x55dea486986d in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7901
#16 0x55dea4842b20 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1842
#17 0x55dea483fa20 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1360
#18 0x55dea4bc6730 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412
#19 0x55dea4bc60e4 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
#20 0x55dea602c919 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
#21 0x7f40fc9bb4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)

Thread T27 created by T0 here:
#0 0x7f40fcc01f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
#1 0x55dea602cd06 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
#2 0x55dea4598b78 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
#3 0x55dea45ad11c in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6234
#4 0x55dea45ad7ff in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6304
#5 0x55dea45adb8a in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6402
#6 0x55dea45ae7dc in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6560
#7 0x55dea45ac99d in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5892
#8 0x55dea4596a5f in main /data/src/10.4/sql/main.cc:25
#9 0x7f40faa272e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: use-after-poison /data/src/10.4/storage/innobase/include/data0data.h:593 in dfield_get_len(dfield_t const*)
Shadow bytes around the buggy address:
0x0c3c7fffd560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fffd570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fffd580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fffd590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fffd5a0: 00 f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3c7fffd5b0: 00 00 00 00 00 00 00 00 00 00 f7[04]f7 00 00 00
0x0c3c7fffd5c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fffd5d0: 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00 00
0x0c3c7fffd5e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 f7
0x0c3c7fffd5f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c3c7fffd600: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==16349==ABORTING

10.4 debug 2d4b6571
mysqld: /data/src/10.4/storage/innobase/include/dict0dict.ic:839: dict_field_t* dict_index_get_nth_field(const dict_index_t*, ulint): Assertion `pos < index->n_def' failed.
200115 15:13:09 [ERROR] mysqld got signal 6 ;

#7 0x00007f31b0d6bf12 in __GI___assert_fail (assertion=0x55a9507f2441 "pos < index->n_def", file=0x55a9507f2380 "/data/src/10.4/storage/innobase/include/dict0dict.ic", line=839, function=0x55a9507f48c0 <_ZZL24dict_index_get_nth_fieldPK12dict_index_tmE19__PRETTY_FUNCTION__> "dict_field_t* dict_index_get_nth_field(const dict_index_t*, ulint)") at assert.c:101
#8 0x000055a94ff72a8f in dict_index_get_nth_field (index=0x7f31581a0768, pos=4) at /data/src/10.4/storage/innobase/include/dict0dict.ic:839
#9 0x000055a94ff7f56f in rec_get_converted_size_comp_prefix_low<true> (index=0x7f31581a0768, dfield=0x7f31581505e8, n_fields=5, extra=0x0, status=REC_STATUS_INSTANT, temp=false) at /data/src/10.4/storage/innobase/rem/rem0rec.cc:1163
#10 0x000055a94ff77e2a in rec_get_converted_size_comp (index=0x7f31581a0768, tuple=0x7f3158150528, extra=0x0) at /data/src/10.4/storage/innobase/rem/rem0rec.cc:1297
#11 0x000055a95017139a in rec_get_converted_size (index=0x7f31581a0768, dtuple=0x7f3158150528, n_ext=0) at /data/src/10.4/storage/innobase/include/rem0rec.ic:1388
#12 0x000055a950172fea in dtuple_convert_big_rec (index=0x7f31581a0768, upd=0x0, entry=0x7f3158150528, n_ext=0x7f31ac0c41f8) at /data/src/10.4/storage/innobase/data/data0data.cc:621
#13 0x000055a9500f296a in btr_cur_optimistic_insert (flags=2, cursor=0x7f31ac0c42d0, offsets=0x7f31ac0c4268, heap=0x7f31ac0c4260, entry=0x7f3158150528, rec=0x7f31ac0c4270, big_rec=0x7f31ac0c4258, n_ext=0, thr=0x7f31581506b0, mtr=0x7f31ac0c4630) at /data/src/10.4/storage/innobase/btr/btr0cur.cc:3438
#14 0x000055a94ffa8961 in row_ins_clust_index_entry_low (flags=2, mode=33, index=0x7f31581a0768, n_uniq=2, entry=0x7f3158150528, n_ext=0, thr=0x7f31581506b0) at /data/src/10.4/storage/innobase/row/row0ins.cc:2777
#15 0x000055a94fe6bb95 in innobase_instant_try (ha_alter_info=0x7f31ac0c6770, ctx=0x7f3158014a00, altered_table=0x7f31ac0c6800, table=0x7f315819edb0, trx=0x7f31a6a74268) at /data/src/10.4/storage/innobase/handler/handler0alter.cc:5917
#16 0x000055a94fe8e9d7 in commit_try_norebuild (ha_alter_info=0x7f31ac0c6770, ctx=0x7f3158014a00, altered_table=0x7f31ac0c6800, old_table=0x7f315819edb0, trx=0x7f31a6a74268, table_name=0x7f315800ab3d "t1") at /data/src/10.4/storage/innobase/handler/handler0alter.cc:10149
#17 0x000055a94fe7c9f3 in ha_innobase::commit_inplace_alter_table (this=0x7f315819fc18, altered_table=0x7f31ac0c6800, ha_alter_info=0x7f31ac0c6770, commit=true) at /data/src/10.4/storage/innobase/handler/handler0alter.cc:10900
#18 0x000055a94fbe9be7 in handler::ha_commit_inplace_alter_table (this=0x7f315819fc18, altered_table=0x7f31ac0c6800, ha_alter_info=0x7f31ac0c6770, commit=true) at /data/src/10.4/sql/handler.cc:4568
#19 0x000055a94f96b5de in mysql_inplace_alter_table (thd=0x7f3158000af0, table_list=0x7f3158013288, table=0x7f315819edb0, altered_table=0x7f31ac0c6800, ha_alter_info=0x7f31ac0c6770, inplace_supported=HA_ALTER_INPLACE_INSTANT, target_mdl_request=0x7f31ac0c75d0, alter_ctx=0x7f31ac0c8100) at /data/src/10.4/sql/sql_table.cc:7776
#20 0x000055a94f972231 in mysql_alter_table (thd=0x7f3158000af0, new_db=0x7f31580052b0, new_name=0x7f31580056b8, create_info=0x7f31ac0c8cf0, table_list=0x7f3158013288, alter_info=0x7f31ac0c8c30, order_num=0, order=0x0, ignore=false) at /data/src/10.4/sql/sql_table.cc:10119
#21 0x000055a94fa0a341 in Sql_cmd_alter_table::execute (this=0x7f3158013a70, thd=0x7f3158000af0) at /data/src/10.4/sql/sql_alter.cc:508
#22 0x000055a94f888d95 in mysql_execute_command (thd=0x7f3158000af0) at /data/src/10.4/sql/sql_parse.cc:6102
#23 0x000055a94f88e457 in mysql_parse (thd=0x7f3158000af0, rawbuf=0x7f3158013198 "ALTER TABLE t1 MODIFY b INT FIRST", length=33, parser_state=0x7f31ac0ca160, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:7901
#24 0x000055a94f8795fc in dispatch_command (command=COM_QUERY, thd=0x7f3158000af0, packet=0x7f3158137511 "ALTER TABLE t1 MODIFY b INT FIRST", packet_length=33, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1842
#25 0x000055a94f877c89 in do_command (thd=0x7f3158000af0) at /data/src/10.4/sql/sql_parse.cc:1360
#26 0x000055a94fa00c51 in do_handle_one_connection (connect=0x55a9535fd880) at /data/src/10.4/sql/sql_connect.cc:1412
#27 0x000055a94fa009a0 in handle_one_connection (arg=0x55a9535fd880) at /data/src/10.4/sql/sql_connect.cc:1316
#28 0x000055a950406b0d in pfs_spawn_thread (arg=0x55a953569f50) at /data/src/10.4/storage/perfschema/pfs.cc:1862
#29 0x00007f31b2cf44a4 in start_thread (arg=0x7f31ac0cb700) at pthread_create.c:456
#30 0x00007f31b0e28d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

No obvious effect on a non-debug build.
Not reproducible on 10.3.
Not reproducible on 10.5, probably because the failure is fairly new (I didn't bisect for the exact revision, though).

Attachments

Issue Links

is caused by

MDEV-15562 Instant DROP COLUMN or changing the order of columns

Closed

Activity

People

Assignee:: Marko Mäkelä

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2020-01-15 13:16

Updated:: 2020-01-15 16:56

Resolved:: 2020-01-15 16:56

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.