Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-28462

AddressSanitizer: use-after-poison dict_index_t::get_n_nullable(unsigned long) const

    XMLWordPrintable

Details

    Description

      One thread is trying to add a new column into the table. In the meantime, other thread
      does hash table validation, it builds the offset and tries to access the column which was newly
      added by instant operation.

      (gdb) t 120
      [Switching to thread 120 (Thread 0x7fea7f813700 (LWP 556985))]
      #0  __lll_lock_wait (futex=futex@entry=0x56260051f1a8 <buf_pool+40>, private=0) at lowlevellock.c:52
      52	lowlevellock.c: No such file or directory.
      (gdb) where
      #0  __lll_lock_wait (futex=futex@entry=0x56260051f1a8 <buf_pool+40>, private=0) at lowlevellock.c:52
      #1  0x00007feaa4cbe235 in __GI___pthread_mutex_lock (mutex=0x56260051f1a8 <buf_pool+40>) at ../nptl/pthread_mutex_lock.c:135
      #2  0x00005625fe88cf1c in safe_mutex_lock (mp=0x56260051f180 <buf_pool>, my_flags=0, 
          file=0x5625ff635340 "/data/Server/bb-10.6-thiru/storage/innobase/buf/buf0lru.cc", line=767)
          at /data/Server/bb-10.6-thiru/mysys/thr_mutex.c:290
      #3  0x00005625fe4e99db in inline_mysql_mutex_lock (that=0x56260051f180 <buf_pool>, 
          src_file=0x5625ff635340 "/data/Server/bb-10.6-thiru/storage/innobase/buf/buf0lru.cc", src_line=767)
          at /data/Server/bb-10.6-thiru/include/mysql/psi/mysql_thread.h:750
      #4  0x00005625fe4ef60a in buf_page_make_young (bpage=0x7fea97d37ea0) at /data/Server/bb-10.6-thiru/storage/innobase/buf/buf0lru.cc:767
      #5  0x00005625fe48865c in buf_page_make_young_if_needed (bpage=0x7fea97d37ea0)
          at /data/Server/bb-10.6-thiru/storage/innobase/include/buf0buf.h:315
      #6  0x00005625fe4a46b7 in buf_page_get_low (page_id=..., zip_size=0, rw_latch=1, guess=0x7fea97d37ea0, mode=10, mtr=0x7fea7f80b1d0, 
          err=0x7fea7f809a90, allow_ibuf_merge=false) at /data/Server/bb-10.6-thiru/storage/innobase/buf/buf0buf.cc:2937
      #7  0x00005625fe4a5366 in buf_page_get_gen (page_id=..., zip_size=0, rw_latch=1, guess=0x7fea97d37ea0, mode=10, mtr=0x7fea7f80b1d0, 
          err=0x7fea7f809a90, allow_ibuf_merge=false) at /data/Server/bb-10.6-thiru/storage/innobase/buf/buf0buf.cc:3045
      #8  0x00005625fe43f9f4 in btr_cur_search_to_nth_level_func (index=0x616000038e08, level=0, tuple=0x616000cc5208, mode=PAGE_CUR_LE, latch_mode=2, 
          cursor=0x7fea7f80adc0, ahi_latch=0x0, mtr=0x7fea7f80b1d0, autoinc=0) at /data/Server/bb-10.6-thiru/storage/innobase/btr/btr0cur.cc:1602
      #9  0x00005625fe222405 in btr_pcur_open_low (index=0x616000038e08, level=0, tuple=0x616000cc5208, mode=PAGE_CUR_LE, latch_mode=2, 
          cursor=0x7fea7f80adc0, autoinc=0, mtr=0x7fea7f80b1d0) at /data/Server/bb-10.6-thiru/storage/innobase/include/btr0pcur.inl:369
      #10 0x00005625fe230e12 in row_ins_clust_index_entry_low (flags=0, mode=2, index=0x616000038e08, n_uniq=2, entry=0x616000cc5208, n_ext=0, 
          thr=0x6280006a0d48) at /data/Server/bb-10.6-thiru/storage/innobase/row/row0ins.cc:2584
      #11 0x00005625fe234306 in row_ins_clust_index_entry (index=0x616000038e08, entry=0x616000cc5208, thr=0x6280006a0d48, n_ext=0)
          at /data/Server/bb-10.6-thiru/storage/innobase/row/row0ins.cc:3137
      #12 0x00005625fe234c05 in row_ins_index_entry (index=0x616000038e08, entry=0x616000cc5208, thr=0x6280006a0d48)
          at /data/Server/bb-10.6-thiru/storage/innobase/row/row0ins.cc:3263
      #13 0x00005625fe235c75 in row_ins_index_entry_step (node=0x6280006a0a90, thr=0x6280006a0d48)
          at /data/Server/bb-10.6-thiru/storage/innobase/row/row0ins.cc:3431
      #14 0x00005625fe2366c9 in row_ins (node=0x6280006a0a90, thr=0x6280006a0d48) at /data/Server/bb-10.6-thiru/storage/innobase/row/row0ins.cc:3578
      #15 0x00005625fe2377f9 in row_ins_step (thr=0x6280006a0d48) at /data/Server/bb-10.6-thiru/storage/innobase/row/row0ins.cc:3724
      #16 0x00005625fe1ad62b in que_thr_step (thr=0x6280006a0d48) at /data/Server/bb-10.6-thiru/storage/innobase/que/que0que.cc:632
      #17 0x00005625fe1adb80 in que_run_threads_low (thr=0x6280006a0d48) at /data/Server/bb-10.6-thiru/storage/innobase/que/que0que.cc:709
      #18 0x00005625fe1add22 in que_run_threads (thr=0x6280006a0d48) at /data/Server/bb-10.6-thiru/storage/innobase/que/que0que.cc:729
      #19 0x00005625fe1ae048 in que_eval_sql (info=0x616007048608, 
          sql=0x5625ff3bdf20 "PROCEDURE ADD_COL () IS\nBEGIN\nINSERT INTO SYS_COLUMNS VALUES(:id,:pos,:name,:mtype,:prtype,:len,:base);\nEND;\n", 
          trx=0x7fea98e10c40) at /data/Server/bb-10.6-thiru/storage/innobase/que/que0que.cc:768
      #20 0x00005625fdf78dbe in innodb_insert_sys_columns (table_id=43, pos=9, field_name=0x6190013eb37c "col_text_copy", mtype=5, prtype=524540, 
          len=10, n_base=0, trx=0x7fea98e10c40, update=false) at /data/Server/bb-10.6-thiru/storage/innobase/handler/handler0alter.cc:5245
      --Type <RET> for more, q to quit, c to continue without paging--
      #21 0x00005625fdf7b609 in innobase_instant_try (ha_alter_info=0x7fea7f80db90, ctx=0x62b000199518, altered_table=0x7fea7f80e290, 
          table=0x619000974098, trx=0x7fea98e10c40) at /data/Server/bb-10.6-thiru/storage/innobase/handler/handler0alter.cc:5807
      #22 0x00005625fdfcd2be in commit_try_norebuild (ha_alter_info=0x7fea7f80db90, ctx=0x62b000199518, altered_table=0x7fea7f80e290, 
          old_table=0x619000974098, trx=0x7fea98e10c40, table_name=0x61b000214d55 "t3")
          at /data/Server/bb-10.6-thiru/storage/innobase/handler/handler0alter.cc:10436
      #23 0x00005625fdfa6d61 in ha_innobase::commit_inplace_alter_table (this=0x61d0015afeb8, altered_table=0x7fea7f80e290, 
          ha_alter_info=0x7fea7f80db90, commit=true) at /data/Server/bb-10.6-thiru/storage/innobase/handler/handler0alter.cc:11162
      #24 0x00005625fd60679a in handler::ha_commit_inplace_alter_table (this=0x61d0015afeb8, altered_table=0x7fea7f80e290, 
          ha_alter_info=0x7fea7f80db90, commit=true) at /data/Server/bb-10.6-thiru/sql/handler.cc:5218
      #25 0x00005625fd080092 in mysql_inplace_alter_table (thd=0x62b00018f218, table_list=0x62b000196418, table=0x619000974098, 
          altered_table=0x7fea7f80e290, ha_alter_info=0x7fea7f80db90, target_mdl_request=0x7fea7f80dc90, ddl_log_state=0x7fea7f80d9b0, 
          trigger_param=0x7fea7f80e700, alter_ctx=0x7fea7f80f1a0) at /data/Server/bb-10.6-thiru/sql/sql_table.cc:7471
      #26 0x00005625fd093a5b in mysql_alter_table (thd=0x62b00018f218, new_db=0x62b000193c18, new_name=0x62b000194030, create_info=0x7fea7f810650, 
          table_list=0x62b000196418, alter_info=0x7fea7f810520, order_num=0, order=0x0, ignore=false, if_exists=false)
          at /data/Server/bb-10.6-thiru/sql/sql_table.cc:10267
      #27 0x00005625fd222a62 in Sql_cmd_alter_table::execute (this=0x62b000196c68, thd=0x62b00018f218)
          at /data/Server/bb-10.6-thiru/sql/sql_alter.cc:542
      #28 0x00005625fce2448e in mysql_execute_command (thd=0x62b00018f218, is_called_from_prepared_stmt=false)
          at /data/Server/bb-10.6-thiru/sql/sql_parse.cc:6012
      #29 0x00005625fce30876 in mysql_parse (thd=0x62b00018f218, 
          rawbuf=0x62b000196238 "ALTER TABLE t3 ADD COLUMN IF NOT EXISTS col_text_copy TEXT, LOCK = EXCLUSIVE, ALGORITHM = NOCOPY  /* E_R Thread6 QNO 4576 CON_ID 968 */", length=135, parser_state=0x7fea7f811b20) at /data/Server/bb-10.6-thiru/sql/sql_parse.cc:8045
      #30 0x00005625fce08c6f in dispatch_command (command=COM_QUERY, thd=0x62b00018f218, 
          packet=0x629001f6d219 " ALTER TABLE t3 ADD COLUMN IF NOT EXISTS col_text_copy TEXT, LOCK = EXCLUSIVE, ALGORITHM = NOCOPY  /* E_R Thread6 QNO 4576 CON_ID 968 */ ", packet_length=137, blocking=true) at /data/Server/bb-10.6-thiru/sql/sql_parse.cc:1912
      #31 0x00005625fce05ea5 in do_command (thd=0x62b00018f218, blocking=true) at /data/Server/bb-10.6-thiru/sql/sql_parse.cc:1409
      #32 0x00005625fd208e98 in do_handle_one_connection (connect=0x6080000dc5b8, put_in_cache=true)
          at /data/Server/bb-10.6-thiru/sql/sql_connect.cc:1418
      #33 0x00005625fd208724 in handle_one_connection (arg=0x6080000036b8) at /data/Server/bb-10.6-thiru/sql/sql_connect.cc:1312
      #34 0x00007feaa4cbb609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #35 0x00007feaa488e293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
       
       
      t 1:
       
       
      (gdb) t 1
      [Switching to thread 1 (Thread 0x7fea7faac700 (LWP 556970))]
      #0  __pthread_kill (threadid=<optimized out>, signo=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      56	../sysdeps/unix/sysv/linux/pthread_kill.c: No such file or directory.
      (gdb) where
      #0  __pthread_kill (threadid=<optimized out>, signo=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      #1  0x00005625fe882e57 in my_write_core (sig=6) at /data/Server/bb-10.6-thiru/mysys/stacktrace.c:424
      #2  0x00005625fd5e4803 in handle_fatal_signal (sig=6) at /data/Server/bb-10.6-thiru/sql/signal_handler.cc:345
      #3  <signal handler called>
      #4  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
      #5  0x00007feaa4791859 in __GI_abort () at abort.c:79
      #6  0x00007feaa527e6a2 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.5
      #7  0x00007feaa528924c in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.5
      #8  0x00007feaa526a8ec in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.5
      #9  0x00007feaa526a363 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.5
      #10 0x00007feaa526b1ab in __asan_report_load8 () from /usr/lib/x86_64-linux-gnu/libasan.so.5
      #11 0x00005625fdfad0b8 in dict_index_t::get_n_nullable (this=0x616002113908, n_prefix=11)
          at /data/Server/bb-10.6-thiru/storage/innobase/include/dict0mem.h:1239
      #12 0x00005625fe1d65a5 in rec_init_offsets_comp_ordinary<>(const rec_t *, const dict_index_t *, rec_offs *, ulint, const dict_col_t::def_t *, rec_leaf_format) (rec=0x7fea97e21e72 "\200", index=0x616002113908, offsets=0x7fea7faa8740, n_core=8, def_val=0x0, format=REC_LEAF_INSTANT)
          at /data/Server/bb-10.6-thiru/storage/innobase/rem/rem0rec.cc:338
      #13 0x00005625fe1c8ec0 in rec_init_offsets (rec=0x7fea97e21e72 "\200", index=0x616002113908, n_core=8, offsets=0x7fea7faa8740)
          at /data/Server/bb-10.6-thiru/storage/innobase/rem/rem0rec.cc:650
      #14 0x00005625fe1cb5f1 in rec_get_offsets_func (rec=0x7fea97e21e72 "\200", index=0x616002113908, offsets=0x7fea7faa8740, n_core=8, n_fields=1, 
          file=0x5625ff5f5120 "/data/Server/bb-10.6-thiru/storage/innobase/btr/btr0sea.cc", line=2243, heap=0x7fea7faa84a0)
          at /data/Server/bb-10.6-thiru/storage/innobase/rem/rem0rec.cc:947
      #15 0x00005625fe487aa2 in btr_search_hash_table_validate (hash_table_id=3) at /data/Server/bb-10.6-thiru/storage/innobase/btr/btr0sea.cc:2243
      #16 0x00005625fe48848e in btr_search_validate () at /data/Server/bb-10.6-thiru/storage/innobase/btr/btr0sea.cc:2337
      #17 0x00005625fdf13be0 in ha_innobase::check (this=0x61d001c926b8, thd=0x62b00016c218, check_opt=0x62b000171618)
          at /data/Server/bb-10.6-thiru/storage/innobase/handler/ha_innodb.cc:15380
      #18 0x00005625fd604607 in handler::ha_check (this=0x61d001c926b8, thd=0x62b00016c218, check_opt=0x62b000171618)
          at /data/Server/bb-10.6-thiru/sql/handler.cc:4949
      #19 0x00005625fd23c7d2 in mysql_admin_table (thd=0x62b00016c218, tables=0x62b000173370, check_opt=0x62b000171618, 
          operator_name=0x5625ffbf0840 <msg_check>, lock_type=TL_READ_NO_INSERT, org_open_for_modify=false, repair_table_use_frm=false, 
          extra_open_options=32, prepare_func=0x0, operator_func=
          (int (handler::*)(class handler * const, class THD *, HA_CHECK_OPT *)) 0x5625fd60417e <handler::ha_check(THD*, st_ha_check_opt*)>, 
          view_operator_func=0x5625fd11a3aa <view_check(THD*, TABLE_LIST*, st_ha_check_opt*)>, is_cmd_replicated=false)
          at /data/Server/bb-10.6-thiru/sql/sql_admin.cc:875
      #20 0x00005625fd2412f9 in Sql_cmd_check_table::execute (this=0x62b000173a68, thd=0x62b00016c218)
          at /data/Server/bb-10.6-thiru/sql/sql_admin.cc:1486
      #21 0x00005625fce2448e in mysql_execute_command (thd=0x62b00016c218, is_called_from_prepared_stmt=false)
          at /data/Server/bb-10.6-thiru/sql/sql_parse.cc:6012
      --Type <RET> for more, q to quit, c to continue without paging--
      #22 0x00005625fce30876 in mysql_parse (thd=0x62b00016c218, 
          rawbuf=0x62b000173238 "CHECK TABLE t2 EXTENDED  /* E_R Thread10 QNO 4385 CON_ID 986 */", length=63, parser_state=0x7fea7faaab20)
          at /data/Server/bb-10.6-thiru/sql/sql_parse.cc:8045
      #23 0x00005625fce08c6f in dispatch_command (command=COM_QUERY, thd=0x62b00016c218, packet=0x629001d1f219 "", packet_length=65, blocking=true)
          at /data/Server/bb-10.6-thiru/sql/sql_parse.cc:1912
      #24 0x00005625fce05ea5 in do_command (thd=0x62b00016c218, blocking=true) at /data/Server/bb-10.6-thiru/sql/sql_parse.cc:1409
      #25 0x00005625fd208e98 in do_handle_one_connection (connect=0x6080000dceb8, put_in_cache=true)
          at /data/Server/bb-10.6-thiru/sql/sql_connect.cc:1418
      #26 0x00005625fd208724 in handle_one_connection (arg=0x6080000035b8) at /data/Server/bb-10.6-thiru/sql/sql_connect.cc:1312
      #27 0x00007feaa4cbb609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #28 0x00007feaa488e293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
       
      (gdb) f 15
      #15 0x00005625fe487aa2 in btr_search_hash_table_validate (hash_table_id=3) at /data/Server/bb-10.6-thiru/storage/innobase/btr/btr0sea.cc:2243
      2243				offsets = rec_get_offsets(
       
      (gdb) p block->index->table->name
      $3 = {m_name = 0x6020000299b0 "test/t3", static part_suffix = "#P#"}
       
       
       
      (gdb) f 11
      #11 0x00005625fdfad0b8 in dict_index_t::get_n_nullable (this=0x616002113908, n_prefix=11)
          at /data/Server/bb-10.6-thiru/storage/innobase/include/dict0mem.h:1239
      1239				const dict_col_t* col = fields[n_prefix].col;
      (gdb) p n_prefix
      $4 = 11
      (gdb) p fields[11]
      $5 = {col = 0x6200000f5228, name = {m_name = 0x61c000351e2b "col_text_copy"}, prefix_len = 0, fixed_len = 0}
      
      

      t 120 is adding the new column 'col_text_copy' into the table via instant alter algorithm.
      I think it is race condition between instant alter + hash table validation

      Attachments

        Issue Links

          Activity

            People

              thiru Thirunarayanan Balathandayuthapani
              thiru Thirunarayanan Balathandayuthapani
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.