[MDEV-24030] SUMMARY: AddressSanitizer: heap-use-after-free failure in hash_get_lock - Jira

XML

Word

Printable

buffer pool page hash is being accessed after freeing it.

Thread 61:

#0  0x000055f89f2cf52b in hash_get_lock (table=0x607000021a40,

    fold=24117287)

    at /home/mleich/Server/bb-10.3-MDEV-23693/storage/innobase/include/hash0hash.ic:213

#1  0x000055f89f30031c in buf_page_hash_lock_get (page_id=...,

    buf_pool=0x61b000001580)

    at /home/mleich/Server/bb-10.3-MDEV-23693/storage/innobase/include/buf0types.h:167

#2  buf_page_get_low (page_id=..., page_size=...,

    rw_latch=rw_latch@entry=1, guess=guess@entry=0x0,

    mode=mode@entry=10,

    file=file@entry=0x55f8a023baa0 "/home/mleich/Server/bb-10.3-MDEV-23693/storage/innobase/btr/btr0cur.cc", line=<optimized out>,

    mtr=<optimized out>, err=<optimized out>)

    at /home/mleich/Server/bb-10.3-MDEV-23693/storage/innobase/buf/buf0buf.cc:4298

#3  0x000055f89f30450a in buf_page_get_gen (page_id=...,

    page_size=..., rw_latch=rw_latch@entry=1, guess=guess@entry=0x0,

    mode=mode@entry=10,

    file=file@entry=0x55f8a023baa0 "/home/mleich/Server/bb-10.3-MDEV-23693/storage/innobase/btr/btr0cur.cc", line=7980, mtr=0x14b2c39fa750,

    err=0x0)

    at /home/mleich/Server/bb-10.3-MDEV-23693/storage/innobase/buf/buf0buf.cc:4927

#4  0x000055f89f25b7be in btr_copy_blob_prefix (

    buf=buf@entry=0x625000791c88 '\276' <repeats 200 times>...,

    len=len@entry=3329, space_id=space_id@entry=23,

    page_no=page_no@entry=16, offset=offset@entry=38)

    at /home/mleich/Server/bb-10.3-MDEV-23693/storage/innobase/include/buf0types.h:139

#5  0x000055f89f260b03 in btr_copy_externally_stored_field_prefix_low (

    buf=buf@entry=0x625000791c88 '\276' <repeats 200 times>...,

    len=len@entry=3329, page_size=..., space_id=space_id@entry=23,

    page_no=page_no@entry=16, offset=offset@entry=38)

    at /home/mleich/Server/bb-10.3-MDEV-23693/storage/innobase/btr/btr0cur.cc:8190

(rr) when

Current event: 849992

Another thread does buffer pool resizing and it replaces buf_pool->page_hash also.

Thread 28 hit Breakpoint 3, buf_pool_resize_hash (

    buf_pool=0x61b000001580)

    at /home/mleich/Server/bb-10.3-MDEV-23693/storage/innobase/buf/buf0buf.cc:2630

2630		buf_pool->page_hash_old = buf_pool->page_hash;

(rr) where

#0  buf_pool_resize_hash (buf_pool=0x61b000001580)

    at /home/mleich/Server/bb-10.3-MDEV-23693/storage/innobase/buf/buf0buf.cc:2630

#1  0x000055f89f311ee5 in buf_pool_resize ()

    at /home/mleich/Server/bb-10.3-MDEV-23693/storage/innobase/buf/buf0buf.cc:3076

#2  0x000055f89f3139ad in buf_resize_thread ()

    at /home/mleich/Server/bb-10.3-MDEV-23693/storage/innobase/buf/buf0buf.cc:3189

#3  0x000014b2cf0f2609 in start_thread (arg=<optimized out>)

    at pthread_create.c:477

#4  0x0000143d39509103 in clone ()

    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

(rr) when

Current event: 850000

buf_pool_resize():

It frees the page_hash_old table too.

if (buf_pool->page_hash_old != NULL) {

                        hash_table_free(buf_pool->page_hash_old);

                        buf_pool->page_hash_old = NULL;

So t61 ended up accessing the freed page_hash of buf_pool.

is duplicated by

MDEV-26033 Race condition between buf_pool.page_hash and buffer pool resizing

relates to

MDEV-23693 Failing assertion: my_atomic_load32_explicit(&lock->lock_word, MY_MEMORY_ORDER_RELAXED) == X_LOCK_DECR

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.