[MDEV-32449] Server crashes in Alter_info::add_stat_drop_index upon CREATE TABLE - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Blocker
Resolution: Fixed
Affects Version/s: 10.6
Fix Version/s: 10.6.16, 10.10.7, 10.11.6, 11.0.4, 11.1.3
Component/s: Data Definition - Alter Table
Labels:
- regression
- rr-profile

Description

I have set it tentatively to blocker and regression, as very similar issues were observed and fixed during testing of ~~MDEV-31957~~ – so similar in fact that I think one of the fixes made in bb-10.6-monty may have gotten lost while force-pushing or merging into main.

10.6 8bf17c579b9a2d8d2f3c611f4b22fa5edb8e117c
0x000055f5938ab1f1 in Alter_info::add_stat_drop_index (this=0x7f5c95976f90, thd=0x30c044000aa8, key_name=0x30c044014250) at /data/for_monty/10.6/sql/sql_alter.cc:343
343 if (key_info->name.length &&
(rr) bt
#0 0x000055f5938ab1f1 in Alter_info::add_stat_drop_index (this=0x7f5c95976f90, thd=0x30c044000aa8, key_name=0x30c044014250) at /data/for_monty/10.6/sql/sql_alter.cc:343
#1 0x000055f5937ea3c3 in mysql_prepare_create_table (thd=0x30c044000aa8, create_info=0x7f5c95977100, alter_info=0x7f5c95976f90, db_options=0x7f5c9597628c, file=0x30c044014360,
key_info_buffer=0x7f5c95976bd0, key_count=0x7f5c95976bc4, create_table_mode=0) at /data/for_monty/10.6/sql/sql_table.cc:2904
#2 0x000055f5937ee059 in mysql_create_frm_image (thd=0x30c044000aa8, create_info=0x7f5c95977100, alter_info=0x7f5c95976f90, create_table_mode=0, key_info=0x7f5c95976bd0, key_count=0x7f5c95976bc4,
frm=0x7f5c95976c00) at /data/for_monty/10.6/sql/sql_table.cc:4094
#3 0x000055f5937eed3a in create_table_impl (thd=0x30c044000aa8, ddl_log_state_create=0x7f5c95976e90, ddl_log_state_rm=0x7f5c95976eb0, orig_db=..., orig_table_name=..., db=..., table_name=..., path=...,
options=..., create_info=0x7f5c95977100, alter_info=0x7f5c95976f90, create_table_mode=0, is_trans=0x7f5c95976e63, key_info=0x7f5c95976bd0, key_count=0x7f5c95976bc4, frm=0x7f5c95976c00)
at /data/for_monty/10.6/sql/sql_table.cc:4408
#4 0x000055f5937ef2d0 in mysql_create_table_no_lock (thd=0x30c044000aa8, ddl_log_state_create=0x7f5c95976e90, ddl_log_state_rm=0x7f5c95976eb0, create_info=0x7f5c95977100, alter_info=0x7f5c95976f90,
is_trans=0x7f5c95976e63, create_table_mode=0, table_list=0x30c044013030) at /data/for_monty/10.6/sql/sql_table.cc:4533
#5 0x000055f5937f1251 in mysql_create_like_table (thd=0x30c044000aa8, table=0x30c044013030, src_table=0x30c0440137d0, create_info=0x7f5c959789e0) at /data/for_monty/10.6/sql/sql_table.cc:5210
#6 0x000055f59380532e in Sql_cmd_create_table_like::execute (this=0x30c044012fd0, thd=0x30c044000aa8) at /data/for_monty/10.6/sql/sql_table.cc:11995
#7 0x000055f593703856 in mysql_execute_command (thd=0x30c044000aa8, is_called_from_prepared_stmt=false) at /data/for_monty/10.6/sql/sql_parse.cc:6026
#8 0x000055f5937093f0 in mysql_parse (thd=0x30c044000aa8, rawbuf=0x30c044012ed0 "/* WRK-1 QNO 2007 */ CREATE TABLE IF NOT EXISTS r LIKE `alt_table_db`.`alt_t1`", length=79, parser_state=0x7f5c95979390)
at /data/for_monty/10.6/sql/sql_parse.cc:8050
#9 0x000055f5936f5f74 in dispatch_command (command=COM_QUERY, thd=0x30c044000aa8, packet=0x30c04400ab29 "/* WRK-1 QNO 2007 */ CREATE TABLE IF NOT EXISTS r LIKE `alt_table_db`.`alt_t1`",
packet_length=79, blocking=true) at /data/for_monty/10.6/sql/sql_parse.cc:1896
#10 0x000055f5936f4995 in do_command (thd=0x30c044000aa8, blocking=true) at /data/for_monty/10.6/sql/sql_parse.cc:1410
#11 0x000055f5938a17de in do_handle_one_connection (connect=0x55f59782efd8, put_in_cache=true) at /data/for_monty/10.6/sql/sql_connect.cc:1416
#12 0x000055f5938a153f in handle_one_connection (arg=0x55f59782efd8) at /data/for_monty/10.6/sql/sql_connect.cc:1318
#13 0x000055f593dcb642 in pfs_spawn_thread (arg=0x55f5976794f8) at /data/for_monty/10.6/storage/perfschema/pfs.cc:2201
#14 0x000055f595b216ba in start_thread (arg=0x7f5c9597a700) at pthread_create.c:333
#15 0x00001d205aa7251d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

Attachments

Activity

Ascending order - Click to sort in descending order

Elena Stepanova added a comment - 2023-10-15 21:26

After the fix in 10.6 I am getting another failure (before the fix the test case was failing as in the description):

CREATE TABLE t (a POINT, b POINT, KEY(a)) ENGINE=Aria;

ALTER TABLE t ADD FOREIGN KEY (a) REFERENCES t (b);

CREATE TEMPORARY TABLE tmp LIKE t;

# Cleanup

DROP TABLE t;

10.6 1c554459b382479cca3045b4cc6b5d1e3a858664
==3616486==ERROR: AddressSanitizer: use-after-poison on address 0x62b000086f48 at pc 0x56006e3e4c88 bp 0x7f1ebe081da0 sp 0x7f1ebe081d98
WRITE of size 8 at 0x62b000086f48 thread T5
#0 0x56006e3e4c87 in mysql_prepare_create_table /data/src/10.6-bug/sql/sql_table.cc:2939
#1 0x56006e3eee3b in mysql_create_frm_image(THD, HA_CREATE_INFO, Alter_info, int, st_key, unsigned int, st_mysql_const_unsigned_lex_string*) /data/src/10.6-bug/sql/sql_table.cc:4094
#2 0x56006e3f0c95 in create_table_impl /data/src/10.6-bug/sql/sql_table.cc:4407
#3 0x56006e3f190a in mysql_create_table_no_lock(THD, st_ddl_log_state, st_ddl_log_state, Table_specification_st, Alter_info, bool, int, TABLE_LIST*) /data/src/10.6-bug/sql/sql_table.cc:4529
#4 0x56006e3f6770 in mysql_create_like_table(THD, TABLE_LIST, TABLE_LIST, Table_specification_st) /data/src/10.6-bug/sql/sql_table.cc:5206
#5 0x56006e429c2a in Sql_cmd_create_table_like::execute(THD*) /data/src/10.6-bug/sql/sql_table.cc:11995
#6 0x56006e172f81 in mysql_execute_command(THD*, bool) /data/src/10.6-bug/sql/sql_parse.cc:6026
#7 0x56006e1803a8 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/src/10.6-bug/sql/sql_parse.cc:8050
#8 0x56006e156047 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/src/10.6-bug/sql/sql_parse.cc:1896
#9 0x56006e152d7b in do_command(THD*, bool) /data/src/10.6-bug/sql/sql_parse.cc:1409
#10 0x56006e5c2cb1 in do_handle_one_connection(CONNECT*, bool) /data/src/10.6-bug/sql/sql_connect.cc:1416
#11 0x56006e5c2672 in handle_one_connection /data/src/10.6-bug/sql/sql_connect.cc:1318
#12 0x56006f2246eb in pfs_spawn_thread /data/src/10.6-bug/storage/perfschema/pfs.cc:2201
#13 0x7f1ec58a7fd3 in start_thread nptl/pthread_create.c:442
#14 0x7f1ec59285bb in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x62b000086f48 is located 7496 bytes inside of 24624-byte region [0x62b000085200,0x62b00008b230)
allocated by thread T5 here:
#0 0x7f1ec64b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x56006fe2a0db in my_malloc /data/src/10.6-bug/mysys/my_malloc.c:91
#2 0x56006fe06073 in reset_root_defaults /data/src/10.6-bug/mysys/my_alloc.c:156
#3 0x56006e02a58c in THD::init_for_queries() /data/src/10.6-bug/sql/sql_class.cc:1413
#4 0x56006e5c1f56 in prepare_new_connection_state(THD*) /data/src/10.6-bug/sql/sql_connect.cc:1245
#5 0x56006e5c26f3 in thd_prepare_connection(THD*) /data/src/10.6-bug/sql/sql_connect.cc:1339
#6 0x56006e5c2c0b in do_handle_one_connection(CONNECT*, bool) /data/src/10.6-bug/sql/sql_connect.cc:1406
#7 0x56006e5c2672 in handle_one_connection /data/src/10.6-bug/sql/sql_connect.cc:1318
#8 0x56006f2246eb in pfs_spawn_thread /data/src/10.6-bug/storage/perfschema/pfs.cc:2201
#9 0x7f1ec58a7fd3 in start_thread nptl/pthread_create.c:442

Thread T5 created by T0 here:
#0 0x7f1ec6449726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
#1 0x56006f220426 in my_thread_create /data/src/10.6-bug/storage/perfschema/my_thread.h:52
#2 0x56006f224ada in pfs_spawn_thread_v1 /data/src/10.6-bug/storage/perfschema/pfs.cc:2252
#3 0x56006de4189b in inline_mysql_thread_create /data/src/10.6-bug/include/mysql/psi/mysql_thread.h:1139
#4 0x56006de58b0a in create_thread_to_handle_connection(CONNECT*) /data/src/10.6-bug/sql/mysqld.cc:5995
#5 0x56006de5911b in create_new_thread(CONNECT*) /data/src/10.6-bug/sql/mysqld.cc:6054
#6 0x56006de59406 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.6-bug/sql/mysqld.cc:6116
#7 0x56006de59d96 in handle_connections_sockets() /data/src/10.6-bug/sql/mysqld.cc:6240
#8 0x56006de58387 in mysqld_main(int, char**) /data/src/10.6-bug/sql/mysqld.cc:5890
#9 0x56006de409a8 in main /data/src/10.6-bug/sql/main.cc:34
#10 0x7f1ec5846189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: use-after-poison /data/src/10.6-bug/sql/sql_table.cc:2939 in mysql_prepare_create_table
Shadow bytes around the buggy address:
0x0c5680008d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5680008da0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5680008db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5680008dc0: 00 00 00 00 00 00 00 00 f7 00 00 00 00 00 00 00
0x0c5680008dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5680008de0: 00 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7
0x0c5680008df0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c5680008e00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c5680008e10: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c5680008e20: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c5680008e30: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3616486==ABORTING

Elena Stepanova added a comment - 2023-10-15 21:26 After the fix in 10.6 I am getting another failure (before the fix the test case was failing as in the description): CREATE TABLE t (a POINT, b POINT, KEY (a)) ENGINE=Aria; ALTER TABLE t ADD FOREIGN KEY (a) REFERENCES t (b); CREATE TEMPORARY TABLE tmp LIKE t; # Cleanup DROP TABLE t; 10.6 1c554459b382479cca3045b4cc6b5d1e3a858664 ==3616486==ERROR: AddressSanitizer: use-after-poison on address 0x62b000086f48 at pc 0x56006e3e4c88 bp 0x7f1ebe081da0 sp 0x7f1ebe081d98 WRITE of size 8 at 0x62b000086f48 thread T5 #0 0x56006e3e4c87 in mysql_prepare_create_table /data/src/10.6-bug/sql/sql_table.cc:2939 #1 0x56006e3eee3b in mysql_create_frm_image(THD*, HA_CREATE_INFO*, Alter_info*, int, st_key**, unsigned int*, st_mysql_const_unsigned_lex_string*) /data/src/10.6-bug/sql/sql_table.cc:4094 #2 0x56006e3f0c95 in create_table_impl /data/src/10.6-bug/sql/sql_table.cc:4407 #3 0x56006e3f190a in mysql_create_table_no_lock(THD*, st_ddl_log_state*, st_ddl_log_state*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /data/src/10.6-bug/sql/sql_table.cc:4529 #4 0x56006e3f6770 in mysql_create_like_table(THD*, TABLE_LIST*, TABLE_LIST*, Table_specification_st*) /data/src/10.6-bug/sql/sql_table.cc:5206 #5 0x56006e429c2a in Sql_cmd_create_table_like::execute(THD*) /data/src/10.6-bug/sql/sql_table.cc:11995 #6 0x56006e172f81 in mysql_execute_command(THD*, bool) /data/src/10.6-bug/sql/sql_parse.cc:6026 #7 0x56006e1803a8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.6-bug/sql/sql_parse.cc:8050 #8 0x56006e156047 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/10.6-bug/sql/sql_parse.cc:1896 #9 0x56006e152d7b in do_command(THD*, bool) /data/src/10.6-bug/sql/sql_parse.cc:1409 #10 0x56006e5c2cb1 in do_handle_one_connection(CONNECT*, bool) /data/src/10.6-bug/sql/sql_connect.cc:1416 #11 0x56006e5c2672 in handle_one_connection /data/src/10.6-bug/sql/sql_connect.cc:1318 #12 0x56006f2246eb in pfs_spawn_thread /data/src/10.6-bug/storage/perfschema/pfs.cc:2201 #13 0x7f1ec58a7fd3 in start_thread nptl/pthread_create.c:442 #14 0x7f1ec59285bb in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81 0x62b000086f48 is located 7496 bytes inside of 24624-byte region [0x62b000085200,0x62b00008b230) allocated by thread T5 here: #0 0x7f1ec64b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69 #1 0x56006fe2a0db in my_malloc /data/src/10.6-bug/mysys/my_malloc.c:91 #2 0x56006fe06073 in reset_root_defaults /data/src/10.6-bug/mysys/my_alloc.c:156 #3 0x56006e02a58c in THD::init_for_queries() /data/src/10.6-bug/sql/sql_class.cc:1413 #4 0x56006e5c1f56 in prepare_new_connection_state(THD*) /data/src/10.6-bug/sql/sql_connect.cc:1245 #5 0x56006e5c26f3 in thd_prepare_connection(THD*) /data/src/10.6-bug/sql/sql_connect.cc:1339 #6 0x56006e5c2c0b in do_handle_one_connection(CONNECT*, bool) /data/src/10.6-bug/sql/sql_connect.cc:1406 #7 0x56006e5c2672 in handle_one_connection /data/src/10.6-bug/sql/sql_connect.cc:1318 #8 0x56006f2246eb in pfs_spawn_thread /data/src/10.6-bug/storage/perfschema/pfs.cc:2201 #9 0x7f1ec58a7fd3 in start_thread nptl/pthread_create.c:442 Thread T5 created by T0 here: #0 0x7f1ec6449726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207 #1 0x56006f220426 in my_thread_create /data/src/10.6-bug/storage/perfschema/my_thread.h:52 #2 0x56006f224ada in pfs_spawn_thread_v1 /data/src/10.6-bug/storage/perfschema/pfs.cc:2252 #3 0x56006de4189b in inline_mysql_thread_create /data/src/10.6-bug/include/mysql/psi/mysql_thread.h:1139 #4 0x56006de58b0a in create_thread_to_handle_connection(CONNECT*) /data/src/10.6-bug/sql/mysqld.cc:5995 #5 0x56006de5911b in create_new_thread(CONNECT*) /data/src/10.6-bug/sql/mysqld.cc:6054 #6 0x56006de59406 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.6-bug/sql/mysqld.cc:6116 #7 0x56006de59d96 in handle_connections_sockets() /data/src/10.6-bug/sql/mysqld.cc:6240 #8 0x56006de58387 in mysqld_main(int, char**) /data/src/10.6-bug/sql/mysqld.cc:5890 #9 0x56006de409a8 in main /data/src/10.6-bug/sql/main.cc:34 #10 0x7f1ec5846189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 SUMMARY: AddressSanitizer: use-after-poison /data/src/10.6-bug/sql/sql_table.cc:2939 in mysql_prepare_create_table Shadow bytes around the buggy address: 0x0c5680008d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c5680008da0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c5680008db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c5680008dc0: 00 00 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 0x0c5680008dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c5680008de0: 00 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 0x0c5680008df0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x0c5680008e00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x0c5680008e10: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x0c5680008e20: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x0c5680008e30: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==3616486==ABORTING

Michael Widenius added a comment - 2023-10-16 08:15

Fixed

Michael Widenius added a comment - 2023-10-16 08:15 Fixed

Elena Stepanova added a comment - 2023-10-16 08:46

monty,
Please note the comment above, it doesn't look like this one was fixed, there are no additional commits in 10.6 as of now.

Elena Stepanova added a comment - 2023-10-16 08:46 monty , Please note the comment above , it doesn't look like this one was fixed, there are no additional commits in 10.6 as of now.

Michael Widenius added a comment - 2023-10-16 12:32

Pushed trivial fix

Michael Widenius added a comment - 2023-10-16 12:32 Pushed trivial fix

MariaDB Server

Server crashes in Alter_info::add_stat_drop_index upon CREATE TABLE

Details

Description

Attachments

Activity

People

Dates

Git Integration