Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-30341

heap-use-after-free error occurs during commit operation of tables containing fulltext index

Details

    Description

      InnoDB internal fulltext transaction uses bulk insert and fails with heap use after free error.
      Problem is that InnoDB fails to reset the check_foreigns and check_unique_secondary while
      freeing the transaction or after commiting the transaction. This transaction object
      is being used by the internal fulltext transaction, lead to un-necessary
      bulk insert operation.

      origin/10.7 8356fb68c366b7f515f9060d964ee598653756a6 2023-01-04T14:52:25+02:00
      		 
      Some RQG test where 33 sessions run a DDL/DML mix.
      		 
       
      		 
      ==1862238==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160114a5a20 at pc 0x563149ea3643 bp 0x31ff375c5cf0 sp 0x31ff375c5ce0
      		 
      READ of size 8 at 0x6160114a5a20 thread T45
      		 
      #0 0x563149ea3642 in row_merge_bulk_t::~row_merge_bulk_t() /data/Server/10.7A/storage/innobase/row/row0merge.cc:5125
      		 
      #1 0x56314a093016 in trx_t::commit_cleanup() /data/Server/10.7A/storage/innobase/trx/trx0trx.cc:1398
      		 
      #2 0x56314a09ed3a in trx_t::commit() /data/Server/10.7A/storage/innobase/trx/trx0trx.cc:1496
      		 
      #3 0x56314a09f273 in trx_commit_for_mysql(trx_t*) /data/Server/10.7A/storage/innobase/trx/trx0trx.cc:1610
      		 
      #4 0x56314a3f5a53 in fts_commit_table /data/Server/10.7A/storage/innobase/fts/fts0fts.cc:2966
      		 
      #5 0x56314a3f5bad in fts_commit(trx_t*) /data/Server/10.7A/storage/innobase/fts/fts0fts.cc:2999
      		 
      #6 0x56314a09a99a in trx_t::commit_low(mtr_t*) /data/Server/10.7A/storage/innobase/trx/trx0trx.cc:1431
      		 
      #7 0x56314a09e39f in trx_t::commit_persist() /data/Server/10.7A/storage/innobase/trx/trx0trx.cc:1481
      		 
      #8 0x56314a09e9c6 in trx_t::commit() /data/Server/10.7A/storage/innobase/trx/trx0trx.cc:1490
      		 
      #9 0x56314a09f273 in trx_commit_for_mysql(trx_t*) /data/Server/10.7A/storage/innobase/trx/trx0trx.cc:1610
      		 
      #10 0x563149ac8b32 in innobase_commit_low(trx_t*) /data/Server/10.7A/storage/innobase/handler/ha_innodb.cc:4375
      		 
      #11 0x563149ac8c42 in innobase_commit_ordered_2 /data/Server/10.7A/storage/innobase/handler/ha_innodb.cc:4481
      		 
      #12 0x563149ac942d in innobase_commit_ordered /data/Server/10.7A/storage/innobase/handler/ha_innodb.cc:4530
      		 
      #13 0x56314962e9fc in TC_LOG::run_commit_ordered(THD*, bool) /data/Server/10.7A/sql/log.cc:9328
      		 
      #14 0x563149644112 in MYSQL_BIN_LOG::trx_group_commit_leader(MYSQL_BIN_LOG::group_commit_entry*) /data/Server/10.7A/sql/log.cc:8557
      		 
      #15 0x56314964572f in MYSQL_BIN_LOG::write_transaction_to_binlog_events(MYSQL_BIN_LOG::group_commit_entry*) /data/Server/10.7A/sql/log.cc:8134
      		 
      #16 0x5631496464e2 in MYSQL_BIN_LOG::write_transaction_to_binlog(THD*, binlog_cache_mngr*, Log_event*, bool, bool, bool, bool) /data/Server/10.7A/sql/log.cc:7731
      		 
      #17 0x56314964684d in binlog_flush_cache /data/Server/10.7A/sql/log.cc:1774
      		 
      #18 0x56314964e13f in binlog_commit_flush_xid_caches /data/Server/10.7A/sql/log.cc:1924
      		 
      #19 0x56314964e13f in MYSQL_BIN_LOG::log_and_order(THD*, unsigned long long, bool, bool, bool) /data/Server/10.7A/sql/log.cc:10268
      		 
      # 2023-01-04T14:45:23 [1856282] | [rr 1862238 734941]    #20 0x5631491b25b3 in ha_commit_trans(THD*, bool) /data/Server/10.7A/sql/handler.cc:1892
      		 
      ...
      		 
      0x6160114a5a20 is located 160 bytes inside of 592-byte region [0x6160114a5980,0x6160114a5bd0)
      		 
      freed by thread T45 here:
      		 
      #0 0x563146fb37cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
      		 
      #1 0x563149d33b86 in mem_heap_block_free(mem_block_info_t*, mem_block_info_t*) /data/Server/10.7A/storage/innobase/mem/mem0mem.cc:416
      		 
      ...
      		 
       
      		 
      # git clone https://github.com/mleich1/rqg --branch <pick the right branch> RQG
      		 
      #
      		 
      # GIT_SHOW: HEAD -> master, origin/master, origin/HEAD 3e746fb256826b1ce9344039ca9f5986068f86f5 2023-01-03T13:44:43+01:00
      		 
      # rqg.pl  : Version 4.2.1 (2022-12)
      		 
      #
      		 
      # $RQG_HOME/rqg.pl \
      		 
      # --grammar=conf/mariadb/table_stress_innodb.yy \
      		 
      # --gendata=conf/mariadb/table_stress.zz \
      		 
      # --gendata_sql=conf/mariadb/table_stress.sql \
      		 
      # --mysqld=--transaction-isolation=SERIALIZABLE \
      		 
      # --validator=SelectStability \
      		 
      # --mysqld=--loose-innodb_lock_schedule_algorithm=fcfs \
      		 
      # --mysqld=--loose-idle_write_transaction_timeout=0 \
      		 
      # --mysqld=--loose-idle_transaction_timeout=0 \
      		 
      # --mysqld=--loose-idle_readonly_transaction_timeout=0 \
      		 
      # --mysqld=--connect_timeout=60 \
      		 
      # --mysqld=--interactive_timeout=28800 \
      		 
      # --mysqld=--slave_net_timeout=60 \
      		 
      # --mysqld=--net_read_timeout=30 \
      		 
      # --mysqld=--net_write_timeout=60 \
      		 
      # --mysqld=--loose-table_lock_wait_timeout=50 \
      		 
      # --mysqld=--wait_timeout=28800 \
      		 
      # --mysqld=--lock-wait-timeout=86400 \
      		 
      # --mysqld=--innodb-lock-wait-timeout=50 \
      		 
      # --no-mask \
      		 
      # --queries=10000000 \
      		 
      # --seed=random \
      		 
      # --reporters=Backtrace \
      		 
      # --reporters=ErrorLog \
      		 
      # --reporters=Deadlock \
      		 
      # --validators=None \
      		 
      # --mysqld=--log_output=none \
      		 
      # --mysqld=--log_bin_trust_function_creators=1 \
      		 
      # --mysqld=--loose-debug_assert_on_not_freed_memory=0 \
      		 
      # --engine=InnoDB \
      		 
      # --restart_timeout=240 \
      		 
      # --mysqld=--plugin-load-add=file_key_management.so \
      		 
      # --mysqld=--loose-file-key-management-filename=$RQG_HOME/conf/mariadb/encryption_keys.txt \
      		 
      # --mysqld=--plugin-load-add=provider_lzo.so \
      		 
      # --mysqld=--plugin-load-add=provider_bzip2.so \
      		 
      # --mysqld=--plugin-load-add=provider_lzma.so \
      		 
      # --mysqld=--plugin-load-add=provider_snappy.so \
      		 
      # --mysqld=--plugin-load-add=provider_lz4.so \
      		 
      # --duration=300 \
      		 
      # --mysqld=--loose-innodb_fatal_semaphore_wait_threshold=300 \
      		 
      # --mysqld=--innodb_file_per_table=1 \
      		 
      # --mysqld=--loose-innodb_read_only_compressed=OFF \
      		 
      # --mysqld=--innodb_stats_persistent=off \
      		 
      # --mysqld=--innodb_adaptive_hash_index=off \
      		 
      # --redefine=conf/mariadb/redefine_checks_off.yy \
      		 
      # --mysqld=--log-bin \
      		 
      # --mysqld=--sync-binlog=1 \
      		 
      # --mysqld=--loose-innodb_evict_tables_on_commit_debug=on \
      		 
      # --mysqld=--loose-max-statement-time=30 \
      		 
      # --threads=33 \
      		 
      # --mysqld=--innodb-use-native-aio=0 \
      		 
      # --mysqld=--loose-gdb \
      		 
      # --mysqld=--loose-debug-gdb \
      		 
      # --rr=Extended \
      		 
      # --rr_options=--chaos --wait \
      		 
      # --mysqld=--loose_innodb_change_buffering=all \
      		 
      # --mysqld=--innodb_rollback_on_timeout=OFF \
      		 
      # --mysqld=--innodb_page_size=64K \
      		 
      # --mysqld=--innodb-buffer-pool-size=24M \
      		 
      #  <local settings>
      		 
       
      		 
      pluto:/data/results/1672841958/TBR-1710$ _RR_TRACE_DIR=./1/rr/ rr replay --mark-stdio
      		 
       
      		 
      pluto:/data/results/1672841958/TBR-1710/rqg.log ~ line 9329 ASAN output

      Attachments

        Activity

          mleich Matthias Leich added a comment - 

          RQG testing results:
          		 
          The tree
          		 
          origin/bb-10.8-thiru a7303d23a318e2493b03d734c2db0880cfaf0232 2023-02-21T17:07:49+05:30
          		 
          which contains the fix for MDEV-30341 behaves roughly as good (*) as
          		 
          origin/10.8 b62123e0d517a63fb7a1192093fd3cafcfe9d480 2023-02-23T23
          		 
          except that I hit a bad effect characterized by the error pattern
          		 
          [ 'TBR-1259', 'mysqld: .{1,250}rem0cmp.cc.{1,10}: int cmp_dtuple_rec_with_match_bytes.{1,250}: Assertion \`\!index->is_ibuf\(\)\' failed.+RESULT: The RQG run ended with status STATUS_SERVER_CRASHED' ],
          		 
          serious more frequent.
          		 
           
          		 
          (*) Most bad effects hit happen on both trees with quite similar frequency.
          		 
                Some bad effects hit were caught on one tree only and extreme rare like once or twice.
          		 
                It very likely that running one or two big test campaigns on the other tree will replay the problem too.

          mleich Matthias Leich added a comment - RQG testing results: The tree origin/bb-10.8-thiru a7303d23a318e2493b03d734c2db0880cfaf0232 2023-02-21T17:07:49+05:30 which contains the fix for MDEV-30341 behaves roughly as good (*) as origin/10.8 b62123e0d517a63fb7a1192093fd3cafcfe9d480 2023-02-23T23 except that I hit a bad effect characterized by the error pattern [ 'TBR-1259', 'mysqld: .{1,250}rem0cmp.cc.{1,10}: int cmp_dtuple_rec_with_match_bytes.{1,250}: Assertion \`\!index->is_ibuf\(\)\' failed.+RESULT: The RQG run ended with status STATUS_SERVER_CRASHED' ], serious more frequent.   (*) Most bad effects hit happen on both trees with quite similar frequency. Some bad effects hit were caught on one tree only and extreme rare like once or twice. It very likely that running one or two big test campaigns on the other tree will replay the problem too.

          People

            thiru Thirunarayanan Balathandayuthapani
            mleich Matthias Leich
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.