Details
-
Bug
-
Status: Confirmed (View Workflow)
-
Major
-
Resolution: Unresolved
-
10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9
Description
We got the following crash:
|
10.6 8840583a92243f6ac543689148ca79c85fa0a09d |
==2978529==ERROR: AddressSanitizer: heap-use-after-free on address 0x616001730228 at pc 0x56180d3d30b0 bp 0x7ff01aac03b0 sp 0x7ff01aac03a0
|
READ of size 18 at 0x616001730228 thread T4
|
2022-03-18 5:54:49 131 [Warning] Aborted connection 131 to db: 'test' user: 'root' host: 'localhost' (This connection closed normally)
|
#0 0x56180d3d30af in dict_index_t::freed() const /data/Server/bb-10.6-MDEV-27909/storage/innobase/include/dict0mem.h:1323
|
#1 0x56180d741a34 in buf_pool_t::clear_hash_index() /data/Server/bb-10.6-MDEV-27909/storage/innobase/btr/btr0sea.cc:946
|
#2 0x56180d732933 in btr_search_disable() /data/Server/bb-10.6-MDEV-27909/storage/innobase/btr/btr0sea.cc:262
|
#3 0x56180d771c87 in buf_pool_t::resize() /data/Server/bb-10.6-MDEV-27909/storage/innobase/buf/buf0buf.cc:1663
|
#4 0x56180d756bff in buf_resize_callback /data/Server/bb-10.6-MDEV-27909/storage/innobase/buf/buf0buf.cc:1998
|
Yes, the memory was freed even though we have block->index pointing to it:
|
10.6 8840583a92243f6ac543689148ca79c85fa0a09d |
#2 0x00007ff02b5eb799 in free () from /usr/lib/x86_64-linux-gnu/libasan.so.5
|
#3 0x000056180d3c6832 in mem_heap_block_free (heap=0x61100018d700, block=0x616001730180) at /data/Server/bb-10.6-MDEV-27909/storage/innobase/mem/mem0mem.cc:416
|
#4 0x000056180d81a264 in mem_heap_free (heap=0x61100018d700) at /data/Server/bb-10.6-MDEV-27909/storage/innobase/include/mem0mem.inl:419
|
#5 0x000056180d822b97 in dict_mem_index_free (index=0x616001730208) at /data/Server/bb-10.6-MDEV-27909/storage/innobase/dict/dict0mem.cc:1096
|
#6 0x000056180d7e5b81 in dict_index_remove_from_cache_low (table=0x618000012908, index=0x616001730208, lru_evict=0) at /data/Server/bb-10.6-MDEV-27909/storage/innobase/dict/dict0dict.cc:2132
|
#7 0x000056180d7e2f64 in dict_sys_t::remove (this=0x56180f82a840 <dict_sys>, table=0x618000012908, lru=false, keep=false) at /data/Server/bb-10.6-MDEV-27909/storage/innobase/dict/dict0dict.cc:1850
|
#8 0x000056180d259c68 in innobase_reload_table (thd=0x62b000230218, table=0x618000012908, table_name=..., ctx=...) at /data/Server/bb-10.6-MDEV-27909/storage/innobase/handler/handler0alter.cc:10189
|
#9 0x000056180d25f51b in ha_innobase::commit_inplace_alter_table (this=0x61d000d3aeb8, altered_table=0x7ff0053d62d0, ha_alter_info=0x7ff0053d5bd0, commit=true)
|
at /data/Server/bb-10.6-MDEV-27909/storage/innobase/handler/handler0alter.cc:11254
|
The actual cause of this error is the following assignment that was done earlier by the thread that would end up dereferencing a block->index that points to the freed object:
|
10.6 8840583a92243f6ac543689148ca79c85fa0a09d |
Thread 3 hit Hardware watchpoint 4: -location index.search_info.ref_count
|
 |
Old value = 6
|
New value = 0
|
btr_search_disable_ref_count (table=0x618000012908) at /data/Server/bb-10.6-MDEV-27909/storage/innobase/btr/btr0sea.cc:199
|
199 index= dict_table_get_next_index(index))
|
(rr) backtrace
|
#0 btr_search_disable_ref_count (table=0x618000012908) at /data/Server/bb-10.6-MDEV-27909/storage/innobase/btr/btr0sea.cc:199
|
#1 0x000056180d7328de in btr_search_disable () at /data/Server/bb-10.6-MDEV-27909/storage/innobase/btr/btr0sea.cc:256
|
#2 0x000056180d771c88 in buf_pool_t::resize (this=0x56180f7e6b80 <buf_pool>) at /data/Server/bb-10.6-MDEV-27909/storage/innobase/buf/buf0buf.cc:1663
|
#3 0x000056180d756c00 in buf_resize_callback () at /data/Server/bb-10.6-MDEV-27909/storage/innobase/buf/buf0buf.cc:1998
|
I think that the logic of btr_search_disable() must be revised. We should first clear all buf_block_t::index pointers and only after that reset the reference counts.