Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-24982

heap-use-after-free in rec_get_offsets_func

    XMLWordPrintable

Details

    Description

      10.6 7953bae22a8f1054acce9a74e089401f7e93e579 2021-02-24T09:30:17+02:00
      RQG test where several concurrent sessions run a DDL/DML mix including
      frequent buffer pool resizing.
      [rr 2412117 469420]==2412117==ERROR: AddressSanitizer: heap-use-after-free on address 0x616002c84e38 at pc 0x55ed4b5da536 bp 0x7fa9a9f745d0 sp 0x7fa9a9f745c0
      [rr 2412117 469425]READ of size 8 at 0x616002c84e38 thread T20
      [rr 2412117 477021]    #0 0x55ed4b5da535 in rec_get_offsets_func(unsigned char const*, dict_index_t const*, unsigned short*, bool, unsigned long, char const*, unsigned int, mem_block_info_t**) /Server/10.6D/storage/innobase/rem/rem0rec.cc:830
      [rr 2412117 477042]    #1 0x55ed4b8bed24 in btr_search_drop_page_hash_index(buf_block_t*) /Server/10.6D/storage/innobase/btr/btr0sea.cc:1319
      [rr 2412117 477071]    #2 0x55ed4b5215b3 in mtr_defer_drop_ahi /Server/10.6D/storage/innobase/mtr/mtr0mtr.cc:986
      [rr 2412117 477089]    #3 0x55ed4b521d6c in mtr_t::page_lock(buf_block_t*, unsigned long) /Server/10.6D/storage/innobase/mtr/mtr0mtr.cc:1082
      [rr 2412117 477135]    #4 0x55ed4b8e3df2 in buf_page_get_low(page_id_t, unsigned long, unsigned long, buf_block_t*, unsigned long, mtr_t*, dberr_t*, bool) /Server/10.6D/storage/innobase/buf/buf0buf.cc:3278
      [rr 2412117 477137]    #5 0x55ed4b8e4396 in buf_page_get_gen(page_id_t, unsigned long, unsigned long, buf_block_t*, unsigned long, mtr_t*, dberr_t*, bool) /Server/10.6D/storage/innobase/buf/buf0buf.cc:3341
      [rr 2412117 477158]    #6 0x55ed4b9c8dd1 in dict_stats_analyze_index_below_cur /Server/10.6D/storage/innobase/dict/dict0stats.cc:1517
      [rr 2412117 477168]    #7 0x55ed4b9c9c73 in dict_stats_analyze_index_for_n_prefix /Server/10.6D/storage/innobase/dict/dict0stats.cc:1790
      [rr 2412117 477170]    #8 0x55ed4b9cbe87 in dict_stats_analyze_index /Server/10.6D/storage/innobase/dict/dict0stats.cc:2192
      [rr 2412117 477172]    #9 0x55ed4b9cc3b5 in dict_stats_update_persistent /Server/10.6D/storage/innobase/dict/dict0stats.cc:2250
      [rr 2412117 477174]    #10 0x55ed4b9d1ce5 in dict_stats_update(dict_table_t*, dict_stats_upd_option_t) /Server/10.6D/storage/innobase/dict/dict0stats.cc:3223
      [rr 2412117 477176]    #11 0x55ed4b9d243c in dict_stats_update(dict_table_t*, dict_stats_upd_option_t) /Server/10.6D/storage/innobase/dict/dict0stats.cc:3344
      [rr 2412117 477261]    #12 0x55ed4b2f71f2 in dict_stats_init /Server/10.6D/storage/innobase/include/dict0stats.ic:165
      [rr 2412117 477263]    #13 0x55ed4b35e9c8 in ha_innobase::reload_statistics() (/data/Server_bin/10.6D_asan/bin/mariadbd+0x2c279c8)
      [rr 2412117 477265]    #14 0x55ed4b2f8f04 in innodb_notify_tabledef_changed /Server/10.6D/storage/innobase/handler/ha_innodb.cc:1394
      [rr 2412117 477299]    #15 0x55ed4a3868b2 in mysql_inplace_alter_table /Server/10.6D/sql/sql_table.cc:8161
      [rr 2412117 477313]    #16 0x55ed4a397b32 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool, bool) /Server/10.6D/sql/sql_table.cc:10677
      [rr 2412117 477330]    #17 0x55ed4a512793 in Sql_cmd_alter_table::execute(THD*) /Server/10.6D/sql/sql_alter.cc:539
      [rr 2412117 477380]    #18 0x55ed4a129693 in mysql_execute_command(THD*) /Server/10.6D/sql/sql_parse.cc:5946
      [rr 2412117 477412]2021-02-25  4:14:20 25 [Note] InnoDB: Online DDL : Start reading clustered index of the table and create temporary files
      [rr 2412117 477422]    #19 0x55ed4a135fd6 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /Server/10.6D/sql/sql_parse.cc:7972
      [rr 2412117 477424]    #20 0x55ed4a10e62d in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /Server/10.6D/sql/sql_parse.cc:1886
      [rr 2412117 477426]    #21 0x55ed4a10b8ff in do_command(THD*, bool) /Server/10.6D/sql/sql_parse.cc:1397
      [rr 2412117 477472]    #22 0x55ed4a4f9a71 in do_handle_one_connection(CONNECT*, bool) /Server/10.6D/sql/sql_connect.cc:1410
      [rr 2412117 477474]    #23 0x55ed4a4f93d5 in handle_one_connection /Server/10.6D/sql/sql_connect.cc:1312
      [rr 2412117 477532]    #24 0x55ed4b125aec in pfs_spawn_thread /Server/10.6D/storage/perfschema/pfs.cc:2201
      [rr 2412117 477538]    #25 0x7fa9d9ad5608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
      [rr 2412117 477562]    #26 0x7fa9d96a9292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
       
      (rr) bt
      #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
      #1  0x00007fa9d95ac859 in __GI_abort () at abort.c:79
      #2  0x00007fa9d9f216a2 in ?? () from /lib/x86_64-linux-gnu/libasan.so.5
      #3  0x00007fa9d9f2c24c in ?? () from /lib/x86_64-linux-gnu/libasan.so.5
      #4  0x00007fa9d9f0d8ec in ?? () from /lib/x86_64-linux-gnu/libasan.so.5
      #5  0x00007fa9d9f0d363 in ?? () from /lib/x86_64-linux-gnu/libasan.so.5
      #6  0x00007fa9d9f0e1ab in __asan_report_load8 () from /lib/x86_64-linux-gnu/libasan.so.5
      #7  0x000055ed4b5da536 in rec_get_offsets_func (rec=0x7fa9bfb396cb "\200", index=0x616002c84e20, offsets=0x61500001fca0, leaf=true, n_fields=1, file=0x55ed4ce432e0 "/Server/10.6D/storage/innobase/btr/btr0sea.cc", line=1319, heap=0x7fa9a9f747f0)
          at /Server/10.6D/storage/innobase/rem/rem0rec.cc:830
      #8  0x000055ed4b8bed25 in btr_search_drop_page_hash_index (block=0x7fa9bc64d0c0) at /Server/10.6D/storage/innobase/btr/btr0sea.cc:1319
      #9  0x000055ed4b5215b4 in mtr_defer_drop_ahi (block=0x7fa9bc64d0c0, fix_type=MTR_MEMO_PAGE_S_FIX) at /Server/10.6D/storage/innobase/mtr/mtr0mtr.cc:986
      #10 0x000055ed4b521d6d in mtr_t::page_lock (this=0x7fa9a9f74de0, block=0x7fa9bc64d0c0, rw_latch=1) at /Server/10.6D/storage/innobase/mtr/mtr0mtr.cc:1082
      #11 0x000055ed4b8e3df3 in buf_page_get_low (page_id=..., zip_size=0, rw_latch=1, guess=0x0, mode=10, mtr=0x7fa9a9f74de0, err=0x7fa9a9f74d70, allow_ibuf_merge=false) at /Server/10.6D/storage/innobase/buf/buf0buf.cc:3278
      #12 0x000055ed4b8e4397 in buf_page_get_gen (page_id=..., zip_size=0, rw_latch=1, guess=0x0, mode=10, mtr=0x7fa9a9f74de0, err=0x7fa9a9f74d70, allow_ibuf_merge=false) at /Server/10.6D/storage/innobase/buf/buf0buf.cc:3341
      #13 0x000055ed4b9c8dd2 in dict_stats_analyze_index_below_cur (cur=0x7fa9a9f75470, n_prefix=1, n_diff=0x7fa9a9f75430, n_external_pages=0x7fa9a9f75450) at /Server/10.6D/storage/innobase/dict/dict0stats.cc:1517
      #14 0x000055ed4b9c9c74 in dict_stats_analyze_index_for_n_prefix (index=0x616003cf6a20, n_prefix=1, boundaries=0x6060000697b8, n_diff_data=0x6070000e3288, mtr=0x7fa9a9f75750) at /Server/10.6D/storage/innobase/dict/dict0stats.cc:1790
      #15 0x000055ed4b9cbe88 in dict_stats_analyze_index (index=0x616003cf6a20) at /Server/10.6D/storage/innobase/dict/dict0stats.cc:2192
      #16 0x000055ed4b9cc3b6 in dict_stats_update_persistent (table=0x618000071520) at /Server/10.6D/storage/innobase/dict/dict0stats.cc:2250
      #17 0x000055ed4b9d1ce6 in dict_stats_update (table=0x618000071520, stats_upd_option=DICT_STATS_RECALC_PERSISTENT) at /Server/10.6D/storage/innobase/dict/dict0stats.cc:3223
      #18 0x000055ed4b9d243d in dict_stats_update (table=0x618000071520, stats_upd_option=DICT_STATS_FETCH_ONLY_IF_NOT_IN_MEMORY) at /Server/10.6D/storage/innobase/dict/dict0stats.cc:3344
      #19 0x000055ed4b2f71f3 in dict_stats_init (table=0x618000071520) at /Server/10.6D/storage/innobase/include/dict0stats.ic:165
      #20 0x000055ed4b35e9c9 in ha_innobase::reload_statistics (this=0x61d0014992b8) at /Server/10.6D/storage/innobase/handler/ha_innodb.cc:1380
      #21 0x000055ed4b2f8f05 in innodb_notify_tabledef_changed (handler=0x61d0014992b8) at /Server/10.6D/storage/innobase/handler/ha_innodb.cc:1394
      #22 0x000055ed4a3868b3 in mysql_inplace_alter_table (thd=0x62b00011f218, table_list=0x62b0001263e8, table=0x61900049c098, altered_table=0x7fa9a9f78430, ha_alter_info=0x7fa9a9f77f50, target_mdl_request=0x7fa9a9f78030, alter_ctx=0x7fa9a9f78e90)
          at /Server/10.6D/sql/sql_table.cc:8161
      #23 0x000055ed4a397b33 in mysql_alter_table (thd=0x62b00011f218, new_db=0x62b000123c90, new_name=0x62b000124090, create_info=0x7fa9a9f7a210, table_list=0x62b0001263e8, alter_info=0x7fa9a9f7a100, order_num=0, order=0x0, ignore=false, 
          if_exists=false) at /Server/10.6D/sql/sql_table.cc:10677
      #24 0x000055ed4a512794 in Sql_cmd_alter_table::execute (this=0x62b000126b50, thd=0x62b00011f218) at /Server/10.6D/sql/sql_alter.cc:539
      #25 0x000055ed4a129694 in mysql_execute_command (thd=0x62b00011f218) at /Server/10.6D/sql/sql_parse.cc:5946
      #26 0x000055ed4a135fd7 in mysql_parse (thd=0x62b00011f218, rawbuf=0x62b000126238 "ALTER TABLE t4 DROP INDEX `idx1`, LOCK = EXCLUSIVE, ALGORITHM = NOCOPY /* E_R Thread8 QNO 2375 CON_ID 24 */", length=107, parser_state=0x7fa9a9f7b870)
          at /Server/10.6D/sql/sql_parse.cc:7972
      #27 0x000055ed4a10e62e in dispatch_command (command=COM_QUERY, thd=0x62b00011f218, packet=0x62900073f219 "ALTER TABLE t4 DROP INDEX `idx1`, LOCK = EXCLUSIVE, ALGORITHM = NOCOPY /* E_R Thread8 QNO 2375 CON_ID 24 */ ", packet_length=108, 
          blocking=true) at /Server/10.6D/sql/sql_parse.cc:1886
      #28 0x000055ed4a10b900 in do_command (thd=0x62b00011f218, blocking=true) at /Server/10.6D/sql/sql_parse.cc:1397
      #29 0x000055ed4a4f9a72 in do_handle_one_connection (connect=0x6080000037b8, put_in_cache=true) at /Server/10.6D/sql/sql_connect.cc:1410
      #30 0x000055ed4a4f93d6 in handle_one_connection (arg=0x6080000037b8) at /Server/10.6D/sql/sql_connect.cc:1312
      #31 0x000055ed4b125aed in pfs_spawn_thread (arg=0x61500000be98) at /Server/10.6D/storage/perfschema/pfs.cc:2201
      #32 0x00007fa9d9ad5609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #33 0x00007fa9d96a9293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      (rr)
       
      Query: ALTER TABLE t4 DROP INDEX `idx1`, LOCK = EXCLUSIVE, ALGORITHM = NOCOPY
      Status: KILL_TIMEOUT
       
      sdp:/home/mleich/RQG_O/storage/1614254107/TBR-905/dev/shm/vardir/1614254107/107/1/rr
      _RR_TRACE_DIR="." rr replay --mark-stdio
       
      RQG
      ====
      git clone https://github.com/mleich1/rqg --branch experimental RQG
       
      perl rqg.pl \               
      --duration=300 \
      --queries=10000000 \
      --no_mask \
      --seed=random \
      --gendata_sql=conf/mariadb/table_stress.sql \
      --gendata=conf/mariadb/table_stress.zz \
      --engine=InnoDB \
      --rpl_mode=none \
      --mysqld=--loose-max-statement-time=30 \
      --mysqld=--innodb_adaptive_hash_index=on \
      --mysqld=--loose-debug_assert_on_not_freed_memory=0 \
      --mysqld=--innodb_stats_persistent=on \
      --mysqld=--innodb_page_size=64K \
      --mysqld=--net_read_timeout=30 \
      --mysqld=--log-bin \
      --mysqld=--loose-idle_transaction_timeout=0 \
      --mysqld=--innodb-lock-wait-timeout=50 \
      --mysqld=--loose-table_lock_wait_timeout=50 \
      --mysqld=--file-key-management-filename=$RQG_HOME/conf/mariadb/encryption_keys.txt \
      --mysqld=--lock-wait-timeout=86400 \
      --mysqld=--log_bin_trust_function_creators=1 \
      --mysqld=--loose-idle_write_transaction_timeout=0 \
      --mysqld=--log-output=none \
      --mysqld=--wait_timeout=28800 \
      --mysqld=--innodb-buffer-pool-size=256M \
      --mysqld=--interactive_timeout=28800 \
      --mysqld=--loose-idle_readonly_transaction_timeout=0 \
      --mysqld=--loose_innodb_lock_schedule_algorithm=fcfs \
      --mysqld=--plugin-load-add=file_key_management.so \
      --mysqld=--net_write_timeout=60 \
      --mysqld=--slave_net_timeout=60 \
      --mysqld=--connect_timeout=60 \
      --reporters=Deadlock1,ErrorLog,ServerDead \
      --validators=None \
      --grammar=TBR-905.yy \
      --threads=10 \
      --workdir=<local settings> \
      --vardir=<local settings> \
      --mtr-build-thread=<local settings> \
      --basedir1=<local settings> \
      --script_debug=_nix_ \
      --rr=Server
       
      
      

      Attachments

        1. TBR-905.yy
          5 kB
          Matthias Leich
        2. TBR-90n.cfg
          43 kB
          Matthias Leich

        Issue Links

          Activity

            People

              marko Marko Mäkelä
              mleich Matthias Leich
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.