MariaDB Server: MDEV-24030

SUMMARY: AddressSanitizer: heap-use-after-free failure in hash_get_lock


    Details

      Description

      The buffer pool page hash is being accessed after it has been freed.

      Thread 61:
       
      #0  0x000055f89f2cf52b in hash_get_lock (table=0x607000021a40, 
          fold=24117287)
          at /home/mleich/Server/bb-10.3-MDEV-23693/storage/innobase/include/hash0hash.ic:213
      #1  0x000055f89f30031c in buf_page_hash_lock_get (page_id=..., 
          buf_pool=0x61b000001580)
          at /home/mleich/Server/bb-10.3-MDEV-23693/storage/innobase/include/buf0types.h:167
      #2  buf_page_get_low (page_id=..., page_size=..., 
          rw_latch=rw_latch@entry=1, guess=guess@entry=0x0, 
          mode=mode@entry=10, 
          file=file@entry=0x55f8a023baa0 "/home/mleich/Server/bb-10.3-MDEV-23693/storage/innobase/btr/btr0cur.cc", line=<optimized out>, 
          mtr=<optimized out>, err=<optimized out>)
          at /home/mleich/Server/bb-10.3-MDEV-23693/storage/innobase/buf/buf0buf.cc:4298
      #3  0x000055f89f30450a in buf_page_get_gen (page_id=..., 
          page_size=..., rw_latch=rw_latch@entry=1, guess=guess@entry=0x0, 
          mode=mode@entry=10, 
          file=file@entry=0x55f8a023baa0 "/home/mleich/Server/bb-10.3-MDEV-23693/storage/innobase/btr/btr0cur.cc", line=7980, mtr=0x14b2c39fa750, 
          err=0x0)
          at /home/mleich/Server/bb-10.3-MDEV-23693/storage/innobase/buf/buf0buf.cc:4927
      #4  0x000055f89f25b7be in btr_copy_blob_prefix (
          buf=buf@entry=0x625000791c88 '\276' <repeats 200 times>..., 
          len=len@entry=3329, space_id=space_id@entry=23, 
          page_no=page_no@entry=16, offset=offset@entry=38)
          at /home/mleich/Server/bb-10.3-MDEV-23693/storage/innobase/include/buf0types.h:139
      #5  0x000055f89f260b03 in btr_copy_externally_stored_field_prefix_low (
          buf=buf@entry=0x625000791c88 '\276' <repeats 200 times>..., 
          len=len@entry=3329, page_size=..., space_id=space_id@entry=23, 
          page_no=page_no@entry=16, offset=offset@entry=38)
          at /home/mleich/Server/bb-10.3-MDEV-23693/storage/innobase/btr/btr0cur.cc:8190
       
      (rr) when
      Current event: 849992
      

      Another thread is doing buffer pool resizing, and it also replaces buf_pool->page_hash.

      Thread 28 hit Breakpoint 3, buf_pool_resize_hash (
          buf_pool=0x61b000001580)
          at /home/mleich/Server/bb-10.3-MDEV-23693/storage/innobase/buf/buf0buf.cc:2630
      2630		buf_pool->page_hash_old = buf_pool->page_hash;
      (rr) where
      #0  buf_pool_resize_hash (buf_pool=0x61b000001580)
          at /home/mleich/Server/bb-10.3-MDEV-23693/storage/innobase/buf/buf0buf.cc:2630
      #1  0x000055f89f311ee5 in buf_pool_resize ()
          at /home/mleich/Server/bb-10.3-MDEV-23693/storage/innobase/buf/buf0buf.cc:3076
      #2  0x000055f89f3139ad in buf_resize_thread ()
          at /home/mleich/Server/bb-10.3-MDEV-23693/storage/innobase/buf/buf0buf.cc:3189
      #3  0x000014b2cf0f2609 in start_thread (arg=<optimized out>)
          at pthread_create.c:477
      #4  0x0000143d39509103 in clone ()
          at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
       
      (rr) when
      Current event: 850000
      

      buf_pool_resize() also frees the page_hash_old table:

      if (buf_pool->page_hash_old != NULL) {
              hash_table_free(buf_pool->page_hash_old);
              buf_pool->page_hash_old = NULL;
      }
      

      So thread 61 ended up accessing the freed page_hash of buf_pool.
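To make the interleaving in the report concrete, below is an added single-threaded replay; it is not MariaDB code, and PageHash, BufPool, resize_page_hash, snapshot_unlatched and PinnedLookup are hypothetical stand-ins for the InnoDB structures and functions named in the traces. It reproduces the reported order (reader takes the table at event 849992, the resizer retires and frees it at event 850000, then the reader uses it) and contrasts the unlatched reader with one that pins the table for the duration of the lookup. The pin is a model of the guarantee a fix must provide (a retired table must not be freed while a reader is inside it), not the project's actual fix.

```cpp
// Replay of the MDEV-24030 ordering. Added example, not MariaDB code: all
// names below are hypothetical stand-ins for the InnoDB buffer pool structures.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

// One table cell holds the page numbers whose fold lands in it.
struct PageHash {
    std::vector<std::vector<uint32_t>> cells;
    explicit PageHash(std::size_t n) : cells(n) {}
    std::size_t cell_of(uint32_t page_no) const { return page_no % cells.size(); }
    void insert(uint32_t page_no) { cells[cell_of(page_no)].push_back(page_no); }
    bool contains(uint32_t page_no) const {
        for (uint32_t p : cells[cell_of(page_no)]) if (p == page_no) return true;
        return false;
    }
};

// The pool owns the live table; page_hash_old is the retired table that the
// resize path frees once rehashing is done (hash_table_free in the report).
struct BufPool {
    std::shared_ptr<PageHash> page_hash;
    std::shared_ptr<PageHash> page_hash_old;
};

// Stand-in for buf_pool_resize_hash() + the free in buf_pool_resize():
// retire the live table, rehash into a bigger one, drop the retired table.
void resize_page_hash(BufPool& pool, std::size_t new_cells) {
    pool.page_hash_old = pool.page_hash;          // "page_hash_old = page_hash"
    auto fresh = std::make_shared<PageHash>(new_cells);
    for (const auto& cell : pool.page_hash_old->cells)
        for (uint32_t p : cell) fresh->insert(p);
    pool.page_hash = fresh;
    pool.page_hash_old.reset();                   // hash_table_free(page_hash_old)
}

// Reader as in the crashing thread: it remembers the table address but holds
// nothing that keeps the table alive. A weak_ptr stands in for the raw pointer
// so the replay can observe the dangling state without touching freed memory.
std::weak_ptr<PageHash> snapshot_unlatched(const BufPool& pool) {
    return pool.page_hash;
}

// Hardened reader: pins the table for the whole lookup, so a concurrent resize
// may retire the table but cannot free it underneath the reader.
struct PinnedLookup {
    std::shared_ptr<PageHash> table;
    explicit PinnedLookup(const BufPool& pool) : table(pool.page_hash) {}
    bool contains(uint32_t page_no) const { return table->contains(page_no); }
};

// Event 849992: reader snapshot. Event 850000: resize. Then the reader uses
// its snapshot. Returns true when the snapshot already points at freed memory.
bool unlatched_snapshot_dangles() {
    BufPool pool;
    pool.page_hash = std::make_shared<PageHash>(8);
    pool.page_hash->insert(16);                   // page_no=16 from the trace (constructed data)
    std::weak_ptr<PageHash> snap = snapshot_unlatched(pool);
    resize_page_hash(pool, 64);
    return snap.expired();
}

// Same interleaving with the pinned reader: the retired table outlives the
// resize until the reader lets go, and both old and new tables find the page.
bool pinned_lookup_survives_resize() {
    BufPool pool;
    pool.page_hash = std::make_shared<PageHash>(8);
    pool.page_hash->insert(16);
    PinnedLookup reader(pool);
    resize_page_hash(pool, 64);
    bool old_table_alive = reader.table.use_count() == 1 && pool.page_hash != reader.table;
    return old_table_alive && reader.contains(16) && pool.page_hash->contains(16);
}

int main() {
    std::printf("unlatched reader dangles after resize: %s\n",
                unlatched_snapshot_dangles() ? "yes" : "no");
    std::printf("pinned reader survives resize:         %s\n",
                pinned_lookup_survives_resize() ? "yes" : "no");
    return 0;
}
```

The point of the two functions is the ordering, not the mechanism: whatever latch or reference scheme the real code uses, a reader that has obtained the table pointer must be able to finish before hash_table_free() runs on that table, and the resizer must not assume that swapping buf_pool->page_hash is enough to make the old table unreachable.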

      People

      Assignee: Thirunarayanan Balathandayuthapani (thiru)
      Reporter: Thirunarayanan Balathandayuthapani (thiru)