Details
-
Bug
-
Status: Open (View Workflow)
-
Major
-
Resolution: Unresolved
-
10.1, 10.2, 10.3, 10.4, 10.5, 10.6
-
None
Description
SET @segments.save= @@key_cache_segments, @buffer.save= @@key_buffer_size; |
|
|
SET GLOBAL key_buffer_size= 128*1024*1024; |
CREATE TABLE t1 (a INT); |
|
|
--connect (con1,localhost,root,,test)
|
--send
|
CREATE OR REPLACE TABLE t1 (b INT); |
|
|
--connection default
|
SET GLOBAL key_cache_segments= 4; |
|
|
--connection con1
|
--reap
|
|
|
# Cleanup
|
--disconnect con1
|
--connection default
|
DROP TABLE t1; |
SET GLOBAL key_cache_segments= @segments.save, key_buffer_size= @buffer.save; |
|
10.3 2cae58f8 |
==18453==ERROR: AddressSanitizer: heap-use-after-free on address 0x61300000aa80 at pc 0x55cc33e3be09 bp 0x7f3791126350 sp 0x7f3791126348
|
READ of size 8 at 0x61300000aa80 thread T6
|
#0 0x55cc33e3be08 in my_hash_first /data/src/10.3/mysys/hash.c:260
|
#1 0x55cc33e3bc5e in my_hash_search /data/src/10.3/mysys/hash.c:235
|
#2 0x55cc33eb4a50 in safe_mutex_lock /data/src/10.3/mysys/thr_mutex.c:358
|
#3 0x55cc33e51e38 in inline_mysql_mutex_lock /data/src/10.3/include/mysql/psi/mysql_thread.h:702
|
#4 0x55cc33e67663 in flush_simple_key_cache_blocks /data/src/10.3/mysys/mf_keycache.c:4378
|
#5 0x55cc33e6cd8b in flush_key_blocks /data/src/10.3/mysys/mf_keycache.c:6399
|
#6 0x55cc33c62844 in mi_lock_database /data/src/10.3/storage/myisam/mi_locking.c:74
|
#7 0x55cc33c068f9 in ha_myisam::external_lock(THD*, int) /data/src/10.3/storage/myisam/ha_myisam.cc:2107
|
#8 0x55cc32cd78b3 in handler::ha_external_lock(THD*, int) /data/src/10.3/sql/handler.cc:6391
|
#9 0x55cc32f97697 in unlock_external /data/src/10.3/sql/lock.cc:708
|
#10 0x55cc32f951b2 in mysql_unlock_tables(THD*, st_mysql_lock*, bool) /data/src/10.3/sql/lock.cc:429
|
#11 0x55cc32f95003 in mysql_unlock_tables(THD*, st_mysql_lock*) /data/src/10.3/sql/lock.cc:415
|
#12 0x55cc324533f4 in close_thread_tables(THD*) /data/src/10.3/sql/sql_base.cc:854
|
#13 0x55cc3247ed5b in close_system_tables(THD*, Open_tables_backup*) /data/src/10.3/sql/sql_base.cc:8933
|
#14 0x55cc3278b7e5 in delete_statistics_for_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*) /data/src/10.3/sql/sql_statistics.cc:3254
|
#15 0x55cc327c286d in create_table_impl /data/src/10.3/sql/sql_table.cc:4914
|
#16 0x55cc327c3d11 in mysql_create_table_no_lock(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /data/src/10.3/sql/sql_table.cc:5144
|
#17 0x55cc327c4792 in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /data/src/10.3/sql/sql_table.cc:5233
|
#18 0x55cc327ea8e9 in Sql_cmd_create_table_like::execute(THD*) /data/src/10.3/sql/sql_table.cc:11275
|
#19 0x55cc325c1c67 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:6022
|
#20 0x55cc325ccfee in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7810
|
#21 0x55cc325a79b0 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1848
|
#22 0x55cc325a485c in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1393
|
#23 0x55cc3291f7cf in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
|
#24 0x55cc3291f196 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
|
#25 0x55cc33d97745 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
|
#26 0x7f37a51974a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
|
#27 0x7f37a32cbd0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
|
|
|
0x61300000aa80 is located 128 bytes inside of 324-byte region [0x61300000aa00,0x61300000ab44)
|
freed by thread T5 here:
|
#0 0x7f37a546ea10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
|
#1 0x55cc33ec8dbb in free_memory /data/src/10.3/mysys/safemalloc.c:279
|
#2 0x55cc33ec84a5 in sf_free /data/src/10.3/mysys/safemalloc.c:197
|
#3 0x55cc33e9a396 in my_free /data/src/10.3/mysys/my_malloc.c:223
|
#4 0x55cc33eb6ad2 in safe_mutex_free_deadlock_data /data/src/10.3/mysys/thr_mutex.c:667
|
#5 0x55cc33eb67f2 in safe_mutex_destroy /data/src/10.3/mysys/thr_mutex.c:604
|
#6 0x55cc33e51ca1 in inline_mysql_mutex_destroy /data/src/10.3/include/mysql/psi/mysql_thread.h:676
|
#7 0x55cc33e54d2e in end_simple_key_cache /data/src/10.3/mysys/mf_keycache.c:995
|
#8 0x55cc33e6c7e1 in end_key_cache_internal /data/src/10.3/mysys/mf_keycache.c:6148
|
#9 0x55cc33e6d0de in repartition_key_cache_internal /data/src/10.3/mysys/mf_keycache.c:6517
|
#10 0x55cc33e6d166 in repartition_key_cache /data/src/10.3/mysys/mf_keycache.c:6568
|
#11 0x55cc32cd0e0a in ha_repartition_key_cache(st_key_cache*) /data/src/10.3/sql/handler.cc:5322
|
#12 0x55cc32953e59 in update_keycache /data/src/10.3/sql/sys_vars.ic:1085
|
#13 0x55cc32953f71 in repartition_keycache /data/src/10.3/sql/sys_vars.ic:1110
|
#14 0x55cc32973e5f in Sys_var_keycache::global_update(THD*, set_var*) /data/src/10.3/sql/sys_vars.ic:1011
|
#15 0x55cc3236dc46 in sys_var::update(THD*, set_var*) /data/src/10.3/sql/set_var.cc:208
|
#16 0x55cc32371fa5 in set_var::update(THD*) /data/src/10.3/sql/set_var.cc:837
|
#17 0x55cc32371742 in sql_set_variables(THD*, List<set_var_base>*, bool) /data/src/10.3/sql/set_var.cc:740
|
#18 0x55cc325ba064 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4875
|
#19 0x55cc325ccfee in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7810
|
#20 0x55cc325a79b0 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1848
|
#21 0x55cc325a485c in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1393
|
#22 0x55cc3291f7cf in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
|
#23 0x55cc3291f196 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
|
#24 0x55cc33d97745 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
|
#25 0x7f37a51974a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
|
|
|
previously allocated by thread T0 here:
|
#0 0x7f37a546ed28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
|
#1 0x55cc33ec7ebe in sf_malloc /data/src/10.3/mysys/safemalloc.c:118
|
#2 0x55cc33e99aa6 in my_malloc /data/src/10.3/mysys/my_malloc.c:101
|
#3 0x55cc33e77ef4 in my_multi_malloc /data/src/10.3/mysys/mulalloc.c:51
|
#4 0x55cc33eb3b8a in safe_mutex_lazy_init_deadlock_detection /data/src/10.3/mysys/thr_mutex.c:159
|
#5 0x55cc33eb47a3 in safe_mutex_lock /data/src/10.3/mysys/thr_mutex.c:319
|
#6 0x55cc33e51e38 in inline_mysql_mutex_lock /data/src/10.3/include/mysql/psi/mysql_thread.h:702
|
#7 0x55cc33e67663 in flush_simple_key_cache_blocks /data/src/10.3/mysys/mf_keycache.c:4378
|
#8 0x55cc33e6cd8b in flush_key_blocks /data/src/10.3/mysys/mf_keycache.c:6399
|
#9 0x55cc33c349d4 in mi_close /data/src/10.3/storage/myisam/mi_close.c:70
|
#10 0x55cc33bfb8cb in ha_myisam::close() /data/src/10.3/storage/myisam/ha_myisam.cc:911
|
#11 0x55cc32cbc9d4 in handler::ha_close() /data/src/10.3/sql/handler.cc:2833
|
#12 0x55cc32864f2c in closefrm(TABLE*) /data/src/10.3/sql/table.cc:3657
|
#13 0x55cc32ad31a1 in intern_close_table /data/src/10.3/sql/table_cache.cc:222
|
#14 0x55cc32ad3408 in tc_remove_table /data/src/10.3/sql/table_cache.cc:260
|
#15 0x55cc32ad488b in tc_release_table(TABLE*) /data/src/10.3/sql/table_cache.cc:474
|
#16 0x55cc32453dad in close_thread_table(THD*, TABLE**) /data/src/10.3/sql/sql_base.cc:920
|
#17 0x55cc32453481 in close_thread_tables(THD*) /data/src/10.3/sql/sql_base.cc:862
|
#18 0x55cc3247edd8 in close_mysql_tables(THD*) /data/src/10.3/sql/sql_base.cc:8960
|
#19 0x55cc325e982a in plugin_load /data/src/10.3/sql/sql_plugin.cc:1863
|
#20 0x55cc325e87a7 in plugin_init(int*, char**, int) /data/src/10.3/sql/sql_plugin.cc:1691
|
#21 0x55cc32322084 in init_server_components /data/src/10.3/sql/mysqld.cc:5421
|
#22 0x55cc32323f7e in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6030
|
#23 0x55cc3230e68f in main /data/src/10.3/sql/main.cc:25
|
#24 0x7f37a32032e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
|
|
|
Thread T6 created by T0 here:
|
#0 0x7f37a53ddf59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
|
#1 0x55cc33d97b81 in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1919
|
#2 0x55cc3230ff70 in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1275
|
#3 0x55cc3232545f in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6607
|
#4 0x55cc32325b42 in create_new_thread /data/src/10.3/sql/mysqld.cc:6677
|
#5 0x55cc32326b5a in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6952
|
#6 0x55cc3232492f in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6229
|
#7 0x55cc3230e68f in main /data/src/10.3/sql/main.cc:25
|
#8 0x7f37a32032e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
|
|
|
Thread T5 created by T0 here:
|
#0 0x7f37a53ddf59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
|
#1 0x55cc33d97b81 in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1919
|
#2 0x55cc3230ff70 in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1275
|
#3 0x55cc3232545f in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6607
|
#4 0x55cc32325b42 in create_new_thread /data/src/10.3/sql/mysqld.cc:6677
|
#5 0x55cc32326b5a in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6952
|
#6 0x55cc3232492f in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6229
|
#7 0x55cc3230e68f in main /data/src/10.3/sql/main.cc:25
|
#8 0x7f37a32032e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
|
|
|
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.3/mysys/hash.c:260 in my_hash_first
|
Shadow bytes around the buggy address:
|
0x0c267fff9500: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
|
0x0c267fff9510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c267fff9520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c267fff9530: 04 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c267fff9540: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
=>0x0c267fff9550:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c267fff9560: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
|
0x0c267fff9570: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
|
0x0c267fff9580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c267fff9590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c267fff95a0: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Heap right redzone: fb
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack partial redzone: f4
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
==18453==ABORTING
|
or
#3 <signal handler called>
|
#4 0x000055bd18a16124 in my_hash_first (hash=0x55bd1b2a62b0, key=0x7f5ec801a770 "\311", length=0, current_record=0x7f5ee0cb174c) at /data/src/10.3/mysys/hash.c:262
|
#5 0x000055bd18a16049 in my_hash_search (hash=0x55bd1b2a62b0, key=0x7f5ec801a770 "\311", length=0) at /data/src/10.3/mysys/hash.c:235
|
#6 0x000055bd18a486ca in safe_mutex_lock (mp=0x55bd1b270d58, my_flags=0, file=0x55bd18e95370 "/data/src/10.3/mysys/mf_keycache.c", line=4378) at /data/src/10.3/mysys/thr_mutex.c:358
|
#7 0x000055bd18a1ee2f in inline_mysql_mutex_lock (that=0x55bd1b270d58, src_file=0x55bd18e95370 "/data/src/10.3/mysys/mf_keycache.c", src_line=4378) at /data/src/10.3/include/mysql/psi/mysql_thread.h:702
|
#8 0x000055bd18a28116 in flush_simple_key_cache_blocks (keycache=0x55bd1b270ca0, file=57, file_extra=0x7f5ec801a490, type=FLUSH_KEEP) at /data/src/10.3/mysys/mf_keycache.c:4378
|
#9 0x000055bd18a2a104 in flush_key_blocks (keycache=0x55bd1b22da40, file=57, file_extra=0x7f5ec801a490, type=FLUSH_KEEP) at /data/src/10.3/mysys/mf_keycache.c:6399
|
#10 0x000055bd1895722b in mi_lock_database (info=0x7f5ec801abf0, lock_type=2) at /data/src/10.3/storage/myisam/mi_locking.c:74
|
#11 0x000055bd18931370 in ha_myisam::external_lock (this=0x7f5ec8019628, thd=0x7f5ec8000af0, lock_type=2) at /data/src/10.3/storage/myisam/ha_myisam.cc:2107
|
#12 0x000055bd181d58e7 in handler::ha_external_lock (this=0x7f5ec8019628, thd=0x7f5ec8000af0, lock_type=2) at /data/src/10.3/sql/handler.cc:6391
|
#13 0x000055bd182fe032 in unlock_external (thd=0x7f5ec8000af0, table=0x7f5ec8012030, count=3) at /data/src/10.3/sql/lock.cc:708
|
#14 0x000055bd182fd42f in mysql_unlock_tables (thd=0x7f5ec8000af0, sql_lock=0x7f5ec8011fe0, free_lock=false) at /data/src/10.3/sql/lock.cc:429
|
#15 0x000055bd182fd386 in mysql_unlock_tables (thd=0x7f5ec8000af0, sql_lock=0x7f5ec8011fe0) at /data/src/10.3/sql/lock.cc:415
|
#16 0x000055bd17e0f473 in close_thread_tables (thd=0x7f5ec8000af0) at /data/src/10.3/sql/sql_base.cc:854
|
#17 0x000055bd17e22bb0 in close_system_tables (thd=0x7f5ec8000af0, backup=0x7f5ee0cb1c40) at /data/src/10.3/sql/sql_base.cc:8933
|
#18 0x000055bd17f6c3b8 in delete_statistics_for_table (thd=0x7f5ec8000af0, db=0x7f5ec8011580, tab=0x7f5ec8011590) at /data/src/10.3/sql/sql_statistics.cc:3254
|
#19 0x000055bd17f848c0 in create_table_impl (thd=0x7f5ec8000af0, orig_db=0x7f5ec8011580, orig_table_name=0x7f5ec8011590, db=0x7f5ec8011580, table_name=0x7f5ec8011590, path=0x7f5ee0cb46f0 "./test/t1", options=..., create_info=0x7f5ee0cb4b30, alter_info=0x7f5ee0cb4a70, create_table_mode=0, is_trans=0x7f5ee0cb494e, key_info=0x7f5ee0cb46d0, key_count=0x7f5ee0cb46c4, frm=0x7f5ee0cb46e0) at /data/src/10.3/sql/sql_table.cc:4914
|
#20 0x000055bd17f854b0 in mysql_create_table_no_lock (thd=0x7f5ec8000af0, db=0x7f5ec8011580, table_name=0x7f5ec8011590, create_info=0x7f5ee0cb4b30, alter_info=0x7f5ee0cb4a70, is_trans=0x7f5ee0cb494e, create_table_mode=0, table_list=0x7f5ec8011568) at /data/src/10.3/sql/sql_table.cc:5144
|
#21 0x000055bd17f858b4 in mysql_create_table (thd=0x7f5ec8000af0, create_table=0x7f5ec8011568, create_info=0x7f5ee0cb4b30, alter_info=0x7f5ee0cb4a70) at /data/src/10.3/sql/sql_table.cc:5233
|
#22 0x000055bd17f9737c in Sql_cmd_create_table_like::execute (this=0x7f5ec8011548, thd=0x7f5ec8000af0) at /data/src/10.3/sql/sql_table.cc:11275
|
#23 0x000055bd17eb1708 in mysql_execute_command (thd=0x7f5ec8000af0) at /data/src/10.3/sql/sql_parse.cc:6022
|
#24 0x000055bd17eb6ebd in mysql_parse (thd=0x7f5ec8000af0, rawbuf=0x7f5ec8011458 "CREATE OR REPLACE TABLE t1 (b INT)", length=34, parser_state=0x7f5ee0cb55e0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:7810
|
#25 0x000055bd17ea3704 in dispatch_command (command=COM_QUERY, thd=0x7f5ec8000af0, packet=0x7f5ec8008c71 "CREATE OR REPLACE TABLE t1 (b INT)", packet_length=34, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1848
|
#26 0x000055bd17ea201c in do_command (thd=0x7f5ec8000af0) at /data/src/10.3/sql/sql_parse.cc:1393
|
#27 0x000055bd1801b5f1 in do_handle_one_connection (connect=0x55bd1b3afef0) at /data/src/10.3/sql/sql_connect.cc:1403
|
#28 0x000055bd1801b353 in handle_one_connection (arg=0x55bd1b3afef0) at /data/src/10.3/sql/sql_connect.cc:1308
|
#29 0x000055bd189d27cc in pfs_spawn_thread (arg=0x55bd1b39a6b0) at /data/src/10.3/storage/perfschema/pfs.cc:1869
|
#30 0x00007f5ee763f4a4 in start_thread (arg=0x7f5ee0cb6700) at pthread_create.c:456
|
#31 0x00007f5ee5773d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
|
or
safe_mutex: Trying to destroy a mutex keycache->cache_lock that was locked at /data/src/10.3/mysys/mf_keycache.c, line 4378 at /data/src/10.3/mysys/mf_keycache.c, line 995
|
200719 1:28:55 [ERROR] mysqld got signal 6 ;
|
This could be because you hit a bug. It is also possible that this binary
|
or one of the libraries it was linked against is corrupt, improperly built,
|
or misconfigured. This error can also be caused by malfunctioning hardware.
|
|
|
To report this bug, see https://mariadb.com/kb/en/reporting-bugs
|
|
|
We will try our best to scrape up some info that will hopefully help
|
diagnose the problem, but since we have already crashed,
|
something is definitely wrong and this may fail.
|
|
|
Server version: 10.3.24-MariaDB-debug-log
|
key_buffer_size=134217728
|
read_buffer_size=131072
|
max_used_connections=2
|
max_threads=153
|
thread_count=3
|
It is possible that mysqld could use up to
|
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 193334 K bytes of memory
|
Hope that's ok; if not, decrease some variables in the equation.
|
|
|
Thread pointer: 0x62a000048270
|
Attempting backtrace. You can use the following information to find out
|
where mysqld died. If you see no messages after this, something went
|
terribly wrong...
|
stack_bottom = 0x7fd70a395980 thread_stack 0x5fc00
|
/usr/lib/x86_64-linux-gnu/libasan.so.3(backtrace+0x41)[0x7fd71644c681]
|
/data/bld/10.3-asan-nightly/bin/mysqld(my_print_stacktrace+0xb5)[0x555afd220139]
|
/data/bld/10.3-asan-nightly/bin/mysqld(handle_fatal_signal+0x8a7)[0x555afc02150d]
|
/lib/x86_64-linux-gnu/libpthread.so.0(+0x110e0)[0x7fd7161f30e0]
|
linux/raise.c:51(__GI_raise)[0x7fd714267fff]
|
stdlib/abort.c:91(__GI_abort)[0x7fd71426942a]
|
mysys/thr_mutex.c:604(safe_mutex_destroy)[0x555afd22e7e4]
|
psi/mysql_thread.h:680(inline_mysql_mutex_destroy)[0x555afd1c9ca2]
|
mysys/mf_keycache.c:996(end_simple_key_cache)[0x555afd1ccd2f]
|
mysys/mf_keycache.c:6149(end_key_cache_internal)[0x555afd1e47e2]
|
mysys/mf_keycache.c:6518(repartition_key_cache_internal)[0x555afd1e50df]
|
mysys/mf_keycache.c:6568(repartition_key_cache)[0x555afd1e5167]
|
sql/handler.cc:5322(ha_repartition_key_cache(st_key_cache*))[0x555afc048e0b]
|
sql/sys_vars.ic:1085(update_keycache(THD*, st_key_cache*, long, unsigned long long, int (*)(st_key_cache*)))[0x555afbccbe5a]
|
sql/sys_vars.ic:1111(repartition_keycache(THD*, st_key_cache*, long, unsigned long long))[0x555afbccbf72]
|
sql/sys_vars.ic:1012(Sys_var_keycache::global_update(THD*, set_var*))[0x555afbcebe60]
|
sql/set_var.cc:208(sys_var::update(THD*, set_var*))[0x555afb6e5c47]
|
sql/set_var.cc:837(set_var::update(THD*))[0x555afb6e9fa6]
|
sql/set_var.cc:740(sql_set_variables(THD*, List<set_var_base>*, bool))[0x555afb6e9743]
|
sql/sql_parse.cc:4875(mysql_execute_command(THD*))[0x555afb932065]
|
sql/sql_parse.cc:7810(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x555afb944fef]
|
sql/sql_parse.cc:1850(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x555afb91f9b1]
|
sql/sql_parse.cc:1393(do_command(THD*))[0x555afb91c85d]
|
sql/sql_connect.cc:1403(do_handle_one_connection(CONNECT*))[0x555afbc977d0]
|
sql/sql_connect.cc:1309(handle_one_connection)[0x555afbc97197]
|
perfschema/pfs.cc:1871(pfs_spawn_thread)[0x555afd10f746]
|
nptl/pthread_create.c:456(start_thread)[0x7fd7161e94a4]
|
x86_64/clone.S:99(clone)[0x7fd71431dd0f]
|
|
|
Trying to get some variables.
|
Some pointers may be invalid and cause the dump to abort.
|
Query (0x62b000000290): SET GLOBAL key_cache_segments= 4
|
Connection ID (thread ID): 4
|
Status: NOT_KILLED
|
or
==24276==ERROR: AddressSanitizer: heap-use-after-free on address 0x61300000d988 at pc 0x557f9c5d84d1 bp 0x7fb72c5b2910 sp 0x7fb72c5b2908
|
READ of size 4 at 0x61300000d988 thread T6
|
#0 0x557f9c5d84d0 in flush_simple_key_cache_blocks /data/src/10.3/mysys/mf_keycache.c:4380
|
#1 0x557f9c459734 in mi_lock_database /data/src/10.3/storage/myisam/mi_locking.c:74
|
#2 0x557f9b87880f in handler::ha_external_lock(THD*, int) /data/src/10.3/sql/handler.cc:6391
|
#3 0x557f9baf8394 in unlock_external /data/src/10.3/sql/lock.cc:708
|
#4 0x557f9baf88ee in mysql_unlock_tables(THD*, st_mysql_lock*, bool) /data/src/10.3/sql/lock.cc:429
|
#5 0x557f9b22f7d9 in close_thread_tables(THD*) /data/src/10.3/sql/sql_base.cc:854
|
#6 0x557f9b24bf30 in close_system_tables(THD*, Open_tables_backup*) /data/src/10.3/sql/sql_base.cc:8933
|
#7 0x557f9b49f122 in delete_statistics_for_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*) /data/src/10.3/sql/sql_statistics.cc:3254
|
#8 0x557f9b4d6c85 in create_table_impl /data/src/10.3/sql/sql_table.cc:4914
|
#9 0x557f9b4d7ac0 in mysql_create_table_no_lock(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /data/src/10.3/sql/sql_table.cc:5144
|
#10 0x557f9b4d811e in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /data/src/10.3/sql/sql_table.cc:5233
|
#11 0x557f9b4da886 in Sql_cmd_create_table_like::execute(THD*) /data/src/10.3/sql/sql_table.cc:11275
|
#12 0x557f9b34a3b7 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:6022
|
#13 0x557f9b35c3a8 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7810
|
#14 0x557f9b3605aa in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1848
|
#15 0x557f9b36444c in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1393
|
#16 0x557f9b5be60f in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
|
#17 0x557f9b5bea3a in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
|
#18 0x557f9c5404f3 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
|
#19 0x7fb7404af4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
|
#20 0x7fb73e5e3d0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
|
|
|
0x61300000d988 is located 72 bytes inside of 344-byte region [0x61300000d940,0x61300000da98)
|
freed by thread T5 here:
|
#0 0x7fb740786a10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
|
#1 0x557f9c5d0a47 in end_key_cache_internal /data/src/10.3/mysys/mf_keycache.c:6153
|
#2 0x557f9c5d0a47 in repartition_key_cache_internal /data/src/10.3/mysys/mf_keycache.c:6517
|
|
|
previously allocated by thread T0 here:
|
#0 0x7fb740786d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
|
#1 0x557f9c5f6a7c in my_malloc /data/src/10.3/mysys/my_malloc.c:101
|
|
|
Thread T6 created by T0 here:
|
#0 0x7fb7406f5f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
|
#1 0x557f9c548772 in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1919
|
|
|
Thread T5 created by T0 here:
|
#0 0x7fb7406f5f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
|
#1 0x557f9c548772 in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1919
|
|
|
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.3/mysys/mf_keycache.c:4380 in flush_simple_key_cache_blocks
|
Shadow bytes around the buggy address:
|
0x0c267fff9ae0: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c267fff9af0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c267fff9b00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c267fff9b10: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
|
0x0c267fff9b20: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
|
=>0x0c267fff9b30: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c267fff9b40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c267fff9b50: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c267fff9b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c267fff9b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c267fff9b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Heap right redzone: fb
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack partial redzone: f4
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
==24276==ABORTING
|
or server hangs in
Thread 7 (Thread 0x7f37e57d9700 (LWP 9210)):
|
#0 __lll_lock_wait () at ../sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:135
|
#1 0x00007f37ec164ce6 in __GI___pthread_mutex_lock (mutex=0x56527d611d80) at ../nptl/pthread_mutex_lock.c:135
|
#2 0x000056527a32c456 in safe_mutex_lock (mp=0x56527d611d58, my_flags=0, file=0x56527a779370 "/data/src/10.3/mysys/mf_keycache.c", line=4378) at /data/src/10.3/mysys/thr_mutex.c:293
|
#3 0x000056527a302e2f in inline_mysql_mutex_lock (that=0x56527d611d58, src_file=0x56527a779370 "/data/src/10.3/mysys/mf_keycache.c", src_line=4378) at /data/src/10.3/include/mysql/psi/mysql_thread.h:702
|
#4 0x000056527a30c116 in flush_simple_key_cache_blocks (keycache=0x56527d611ca0, file=57, file_extra=0x7f37c001a490, type=FLUSH_KEEP) at /data/src/10.3/mysys/mf_keycache.c:4378
|
#5 0x000056527a30e104 in flush_key_blocks (keycache=0x56527d5cea40, file=57, file_extra=0x7f37c001a490, type=FLUSH_KEEP) at /data/src/10.3/mysys/mf_keycache.c:6399
|
#6 0x000056527a23b22b in mi_lock_database (info=0x7f37c001ac90, lock_type=2) at /data/src/10.3/storage/myisam/mi_locking.c:74
|
#7 0x000056527a215370 in ha_myisam::external_lock (this=0x7f37c0019628, thd=0x7f37c0000af0, lock_type=2) at /data/src/10.3/storage/myisam/ha_myisam.cc:2107
|
#8 0x0000565279ab98e7 in handler::ha_external_lock (this=0x7f37c0019628, thd=0x7f37c0000af0, lock_type=2) at /data/src/10.3/sql/handler.cc:6391
|
#9 0x0000565279be2032 in unlock_external (thd=0x7f37c0000af0, table=0x7f37c0012050, count=3) at /data/src/10.3/sql/lock.cc:708
|
#10 0x0000565279be142f in mysql_unlock_tables (thd=0x7f37c0000af0, sql_lock=0x7f37c0012000, free_lock=false) at /data/src/10.3/sql/lock.cc:429
|
#11 0x0000565279be1386 in mysql_unlock_tables (thd=0x7f37c0000af0, sql_lock=0x7f37c0012000) at /data/src/10.3/sql/lock.cc:415
|
#12 0x00005652796f3473 in close_thread_tables (thd=0x7f37c0000af0) at /data/src/10.3/sql/sql_base.cc:854
|
#13 0x0000565279706bb0 in close_system_tables (thd=0x7f37c0000af0, backup=0x7f37e57d4c40) at /data/src/10.3/sql/sql_base.cc:8933
|
#14 0x00005652798503b8 in delete_statistics_for_table (thd=0x7f37c0000af0, db=0x7f37c0011598, tab=0x7f37c00115a8) at /data/src/10.3/sql/sql_statistics.cc:3254
|
#15 0x00005652798688c0 in create_table_impl (thd=0x7f37c0000af0, orig_db=0x7f37c0011598, orig_table_name=0x7f37c00115a8, db=0x7f37c0011598, table_name=0x7f37c00115a8, path=0x7f37e57d76f0 "./test/t1", options=..., create_info=0x7f37e57d7b30, alter_info=0x7f37e57d7a70, create_table_mode=0, is_trans=0x7f37e57d794e, key_info=0x7f37e57d76d0, key_count=0x7f37e57d76c4, frm=0x7f37e57d76e0) at /data/src/10.3/sql/sql_table.cc:4914
|
#16 0x00005652798694b0 in mysql_create_table_no_lock (thd=0x7f37c0000af0, db=0x7f37c0011598, table_name=0x7f37c00115a8, create_info=0x7f37e57d7b30, alter_info=0x7f37e57d7a70, is_trans=0x7f37e57d794e, create_table_mode=0, table_list=0x7f37c0011580) at /data/src/10.3/sql/sql_table.cc:5144
|
#17 0x00005652798698b4 in mysql_create_table (thd=0x7f37c0000af0, create_table=0x7f37c0011580, create_info=0x7f37e57d7b30, alter_info=0x7f37e57d7a70) at /data/src/10.3/sql/sql_table.cc:5233
|
#18 0x000056527987b37c in Sql_cmd_create_table_like::execute (this=0x7f37c0011560, thd=0x7f37c0000af0) at /data/src/10.3/sql/sql_table.cc:11275
|
#19 0x0000565279795708 in mysql_execute_command (thd=0x7f37c0000af0) at /data/src/10.3/sql/sql_parse.cc:6022
|
#20 0x000056527979aebd in mysql_parse (thd=0x7f37c0000af0, rawbuf=0x7f37c0011458 "CREATE OR REPLACE TABLE t1 (b INT) ENGINE=MyISAM", length=48, parser_state=0x7f37e57d85e0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:7810
|
#21 0x0000565279787704 in dispatch_command (command=COM_QUERY, thd=0x7f37c0000af0, packet=0x7f37c0008c71 "CREATE OR REPLACE TABLE t1 (b INT) ENGINE=MyISAM", packet_length=48, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1848
|
#22 0x000056527978601c in do_command (thd=0x7f37c0000af0) at /data/src/10.3/sql/sql_parse.cc:1393
|
#23 0x00005652798ff5f1 in do_handle_one_connection (connect=0x56527d750ef0) at /data/src/10.3/sql/sql_connect.cc:1403
|
#24 0x00005652798ff353 in handle_one_connection (arg=0x56527d750ef0) at /data/src/10.3/sql/sql_connect.cc:1308
|
#25 0x000056527a2b67cc in pfs_spawn_thread (arg=0x56527d73b6b0) at /data/src/10.3/storage/perfschema/pfs.cc:1869
|
#26 0x00007f37ec1624a4 in start_thread (arg=0x7f37e57d9700) at pthread_create.c:456
|
#27 0x00007f37ea296d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
|
All variations above are reproducible on different builds of 10.3 (ASAN-debug, ASAN-non-debug, debug-non-ASAN) by rerunning the same test.
The crash and ASAN failure were also observed on 10.2.
10.1 tends to hang.
Couldn't reproduce with the test cases above on 10.4 or 10.5, but see comments for more test cases.
Attachments
Issue Links
- relates to
-
-
- Open
-