heap-use-after-free error occurs during commit operation of tables containing fulltext index

origin/10.7 8356fb68c366b7f515f9060d964ee598653756a6 2023-01-04T14:52:25+02:00

Some RQG test where 33 sessions run a DDL/DML mix.

==1862238==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160114a5a20 at pc 0x563149ea3643 bp 0x31ff375c5cf0 sp 0x31ff375c5ce0

READ of size 8 at 0x6160114a5a20 thread T45

#0 0x563149ea3642 in row_merge_bulk_t::~row_merge_bulk_t() /data/Server/10.7A/storage/innobase/row/row0merge.cc:5125

#1 0x56314a093016 in trx_t::commit_cleanup() /data/Server/10.7A/storage/innobase/trx/trx0trx.cc:1398

#2 0x56314a09ed3a in trx_t::commit() /data/Server/10.7A/storage/innobase/trx/trx0trx.cc:1496

#3 0x56314a09f273 in trx_commit_for_mysql(trx_t*) /data/Server/10.7A/storage/innobase/trx/trx0trx.cc:1610

#4 0x56314a3f5a53 in fts_commit_table /data/Server/10.7A/storage/innobase/fts/fts0fts.cc:2966

#5 0x56314a3f5bad in fts_commit(trx_t*) /data/Server/10.7A/storage/innobase/fts/fts0fts.cc:2999

#6 0x56314a09a99a in trx_t::commit_low(mtr_t*) /data/Server/10.7A/storage/innobase/trx/trx0trx.cc:1431

#7 0x56314a09e39f in trx_t::commit_persist() /data/Server/10.7A/storage/innobase/trx/trx0trx.cc:1481

#8 0x56314a09e9c6 in trx_t::commit() /data/Server/10.7A/storage/innobase/trx/trx0trx.cc:1490

#9 0x56314a09f273 in trx_commit_for_mysql(trx_t*) /data/Server/10.7A/storage/innobase/trx/trx0trx.cc:1610

#10 0x563149ac8b32 in innobase_commit_low(trx_t*) /data/Server/10.7A/storage/innobase/handler/ha_innodb.cc:4375

#11 0x563149ac8c42 in innobase_commit_ordered_2 /data/Server/10.7A/storage/innobase/handler/ha_innodb.cc:4481

#12 0x563149ac942d in innobase_commit_ordered /data/Server/10.7A/storage/innobase/handler/ha_innodb.cc:4530

#13 0x56314962e9fc in TC_LOG::run_commit_ordered(THD*, bool) /data/Server/10.7A/sql/log.cc:9328

#14 0x563149644112 in MYSQL_BIN_LOG::trx_group_commit_leader(MYSQL_BIN_LOG::group_commit_entry*) /data/Server/10.7A/sql/log.cc:8557

#15 0x56314964572f in MYSQL_BIN_LOG::write_transaction_to_binlog_events(MYSQL_BIN_LOG::group_commit_entry*) /data/Server/10.7A/sql/log.cc:8134

#16 0x5631496464e2 in MYSQL_BIN_LOG::write_transaction_to_binlog(THD*, binlog_cache_mngr*, Log_event*, bool, bool, bool, bool) /data/Server/10.7A/sql/log.cc:7731

#17 0x56314964684d in binlog_flush_cache /data/Server/10.7A/sql/log.cc:1774

#18 0x56314964e13f in binlog_commit_flush_xid_caches /data/Server/10.7A/sql/log.cc:1924

#19 0x56314964e13f in MYSQL_BIN_LOG::log_and_order(THD*, unsigned long long, bool, bool, bool) /data/Server/10.7A/sql/log.cc:10268

# 2023-01-04T14:45:23 [1856282] | [rr 1862238 734941]    #20 0x5631491b25b3 in ha_commit_trans(THD*, bool) /data/Server/10.7A/sql/handler.cc:1892

...

0x6160114a5a20 is located 160 bytes inside of 592-byte region [0x6160114a5980,0x6160114a5bd0)

freed by thread T45 here:

#0 0x563146fb37cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)

#1 0x563149d33b86 in mem_heap_block_free(mem_block_info_t*, mem_block_info_t*) /data/Server/10.7A/storage/innobase/mem/mem0mem.cc:416

...

# git clone https://github.com/mleich1/rqg --branch <pick the right branch> RQG

#

# GIT_SHOW: HEAD -> master, origin/master, origin/HEAD 3e746fb256826b1ce9344039ca9f5986068f86f5 2023-01-03T13:44:43+01:00

# rqg.pl  : Version 4.2.1 (2022-12)

#

# $RQG_HOME/rqg.pl \

# --grammar=conf/mariadb/table_stress_innodb.yy \

# --gendata=conf/mariadb/table_stress.zz \

# --gendata_sql=conf/mariadb/table_stress.sql \

# --mysqld=--transaction-isolation=SERIALIZABLE \

# --validator=SelectStability \

# --mysqld=--loose-innodb_lock_schedule_algorithm=fcfs \

# --mysqld=--loose-idle_write_transaction_timeout=0 \

# --mysqld=--loose-idle_transaction_timeout=0 \

# --mysqld=--loose-idle_readonly_transaction_timeout=0 \

# --mysqld=--connect_timeout=60 \

# --mysqld=--interactive_timeout=28800 \

# --mysqld=--slave_net_timeout=60 \

# --mysqld=--net_read_timeout=30 \

# --mysqld=--net_write_timeout=60 \

# --mysqld=--loose-table_lock_wait_timeout=50 \

# --mysqld=--wait_timeout=28800 \

# --mysqld=--lock-wait-timeout=86400 \

# --mysqld=--innodb-lock-wait-timeout=50 \

# --no-mask \

# --queries=10000000 \

# --seed=random \

# --reporters=Backtrace \

# --reporters=ErrorLog \

# --reporters=Deadlock \

# --validators=None \

# --mysqld=--log_output=none \

# --mysqld=--log_bin_trust_function_creators=1 \

# --mysqld=--loose-debug_assert_on_not_freed_memory=0 \

# --engine=InnoDB \

# --restart_timeout=240 \

# --mysqld=--plugin-load-add=file_key_management.so \

# --mysqld=--loose-file-key-management-filename=$RQG_HOME/conf/mariadb/encryption_keys.txt \

# --mysqld=--plugin-load-add=provider_lzo.so \

# --mysqld=--plugin-load-add=provider_bzip2.so \

# --mysqld=--plugin-load-add=provider_lzma.so \

# --mysqld=--plugin-load-add=provider_snappy.so \

# --mysqld=--plugin-load-add=provider_lz4.so \

# --duration=300 \

# --mysqld=--loose-innodb_fatal_semaphore_wait_threshold=300 \

# --mysqld=--innodb_file_per_table=1 \

# --mysqld=--loose-innodb_read_only_compressed=OFF \

# --mysqld=--innodb_stats_persistent=off \

# --mysqld=--innodb_adaptive_hash_index=off \

# --redefine=conf/mariadb/redefine_checks_off.yy \

# --mysqld=--log-bin \

# --mysqld=--sync-binlog=1 \

# --mysqld=--loose-innodb_evict_tables_on_commit_debug=on \

# --mysqld=--loose-max-statement-time=30 \

# --threads=33 \

# --mysqld=--innodb-use-native-aio=0 \

# --mysqld=--loose-gdb \

# --mysqld=--loose-debug-gdb \

# --rr=Extended \

# --rr_options=--chaos --wait \

# --mysqld=--loose_innodb_change_buffering=all \

# --mysqld=--innodb_rollback_on_timeout=OFF \

# --mysqld=--innodb_page_size=64K \

# --mysqld=--innodb-buffer-pool-size=24M \

#  <local settings>

pluto:/data/results/1672841958/TBR-1710$ _RR_TRACE_DIR=./1/rr/ rr replay --mark-stdio

pluto:/data/results/1672841958/TBR-1710/rqg.log ~ line 9329 ASAN output