[MDEV-33167] ASAN errors in dict_sys_t::load_table / get_foreign_key_info after failing to load a table - Jira

XML

Word

Printable

Details

Type: Bug
Status: Open (View Workflow)
Priority: Critical
Resolution: Unresolved
Affects Version/s: 10.6, 10.11, 11.0, 11.1, 11.2, 11.3
Fix Version/s: 10.6, 10.11, 11.1, 11.2
Component/s: Storage Engine - InnoDB
Labels:
- regression

Description

--source include/have_innodb.inc

CREATE DATABASE db1;

CREATE DATABASE db2;

SET FOREIGN_KEY_CHECKS = OFF;

CREATE TABLE db1.t1 (a VARCHAR(8), FOREIGN KEY(a) REFERENCES test.t(f)) ENGINE=InnoDB DEFAULT CHARSET=utf8mb3;

CREATE TABLE db2.t2 (b VARCHAR(8), FOREIGN KEY(b) REFERENCES test.t(f)) ENGINE=InnoDB DEFAULT CHARSET=utf8mb3;

CREATE TABLE test.t (f VARCHAR(8) PRIMARY KEY) ENGINE=InnoDB DEFAULT CHARSET=latin1;

--source include/restart_mysqld.inc

ALTER TABLE db2.t2 FORCE;

# Cleanup

DROP DATABASE db1;

DROP DATABASE db2;

DROP TABLE t;

10.6 686865e112fa4840376745194349845f8d00a2a7
2024-01-03 16:06:33 3 [Warning] InnoDB: Load table `test`.`t` failed, the table has missing foreign key indexes. Turn off 'foreign_key_checks' and try again.
=================================================================
==3171533==ERROR: AddressSanitizer: heap-use-after-free on address 0x61c000021240 at pc 0x7fc17e64a731 bp 0x7fc16f6f5210 sp 0x7fc16f6f49c0
READ of size 7 at 0x61c000021240 thread T11
#0 0x7fc17e64a730 in __interceptor_strlen ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:389
#1 0x5649fe5bde23 in dict_sys_t::load_table(st_::span<char const> const&, dict_err_ignore_t) /data/bld/10.6-asan/storage/innobase/dict/dict0load.cc:2574
#2 0x5649fe584894 in dict_table_open_on_name(char const*, bool, dict_err_ignore_t) /data/bld/10.6-asan/storage/innobase/dict/dict0dict.cc:1062
#3 0x5649fdf29bc9 in get_foreign_key_info /data/bld/10.6-asan/storage/innobase/handler/ha_innodb.cc:15540
#4 0x5649fdf2a1f7 in ha_innobase::get_foreign_key_list(THD, List<st_foreign_key_info>) /data/bld/10.6-asan/storage/innobase/handler/ha_innodb.cc:15603
#5 0x5649fceeb8a2 in mysql_prepare_alter_table(THD, TABLE, HA_CREATE_INFO, Alter_info, Alter_table_ctx*) /data/bld/10.6-asan/sql/sql_table.cc:7874
#6 0x5649fcefe1ae in mysql_alter_table(THD, st_mysql_const_lex_string const, st_mysql_const_lex_string const, HA_CREATE_INFO, TABLE_LIST, Recreate_info, Alter_info, unsigned int, st_order, bool, bool) /data/bld/10.6-asan/sql/sql_table.cc:10135
#7 0x5649fd0c518d in Sql_cmd_alter_table::execute(THD*) /data/bld/10.6-asan/sql/sql_alter.cc:675
#8 0x5649fcc51410 in mysql_execute_command(THD*, bool) /data/bld/10.6-asan/sql/sql_parse.cc:6074
#9 0x5649fcc5e914 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/bld/10.6-asan/sql/sql_parse.cc:8100
#10 0x5649fcc34349 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/bld/10.6-asan/sql/sql_parse.cc:1896
#11 0x5649fcc3107d in do_command(THD*, bool) /data/bld/10.6-asan/sql/sql_parse.cc:1409
#12 0x5649fd0a6660 in do_handle_one_connection(CONNECT*, bool) /data/bld/10.6-asan/sql/sql_connect.cc:1415
#13 0x5649fd0a6021 in handle_one_connection /data/bld/10.6-asan/sql/sql_connect.cc:1317
#14 0x5649fdcfca05 in pfs_spawn_thread /data/bld/10.6-asan/storage/perfschema/pfs.cc:2201
#15 0x7fc17dca8043 in start_thread nptl/pthread_create.c:442
#16 0x7fc17dd2861b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x61c000021240 is located 448 bytes inside of 1752-byte region [0x61c000021080,0x61c000021758)
freed by thread T11 here:
#0 0x7fc17e6b76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
#1 0x5649fdf56753 in ut_allocator<unsigned char, true>::deallocate(unsigned char*, unsigned long) /data/bld/10.6-asan/storage/innobase/include/ut0new.h:424
#2 0x5649fe148106 in mem_heap_block_free(mem_block_info_t, mem_block_info_t) /data/bld/10.6-asan/storage/innobase/mem/mem0mem.cc:416
#3 0x5649fe5c57e4 in mem_heap_free /data/bld/10.6-asan/storage/innobase/include/mem0mem.inl:419
#4 0x5649fe5c8a39 in dict_mem_table_free(dict_table_t*) /data/bld/10.6-asan/storage/innobase/dict/dict0mem.cc:234
#5 0x5649fe58abfe in dict_sys_t::remove(dict_table_t*, bool, bool) /data/bld/10.6-asan/storage/innobase/dict/dict0dict.cc:1910
#6 0x5649fe5bc894 in dict_load_table_one /data/bld/10.6-asan/storage/innobase/dict/dict0load.cc:2457
#7 0x5649fe5bddbc in dict_sys_t::load_table(st_::span<char const> const&, dict_err_ignore_t) /data/bld/10.6-asan/storage/innobase/dict/dict0load.cc:2570
#8 0x5649fe584894 in dict_table_open_on_name(char const*, bool, dict_err_ignore_t) /data/bld/10.6-asan/storage/innobase/dict/dict0dict.cc:1062
#9 0x5649fdf29bc9 in get_foreign_key_info /data/bld/10.6-asan/storage/innobase/handler/ha_innodb.cc:15540
#10 0x5649fdf2a1f7 in ha_innobase::get_foreign_key_list(THD, List<st_foreign_key_info>) /data/bld/10.6-asan/storage/innobase/handler/ha_innodb.cc:15603
#11 0x5649fceeb8a2 in mysql_prepare_alter_table(THD, TABLE, HA_CREATE_INFO, Alter_info, Alter_table_ctx*) /data/bld/10.6-asan/sql/sql_table.cc:7874
#12 0x5649fcefe1ae in mysql_alter_table(THD, st_mysql_const_lex_string const, st_mysql_const_lex_string const, HA_CREATE_INFO, TABLE_LIST, Recreate_info, Alter_info, unsigned int, st_order, bool, bool) /data/bld/10.6-asan/sql/sql_table.cc:10135
#13 0x5649fd0c518d in Sql_cmd_alter_table::execute(THD*) /data/bld/10.6-asan/sql/sql_alter.cc:675
#14 0x5649fcc51410 in mysql_execute_command(THD*, bool) /data/bld/10.6-asan/sql/sql_parse.cc:6074
#15 0x5649fcc5e914 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/bld/10.6-asan/sql/sql_parse.cc:8100
#16 0x5649fcc34349 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/bld/10.6-asan/sql/sql_parse.cc:1896
#17 0x5649fcc3107d in do_command(THD*, bool) /data/bld/10.6-asan/sql/sql_parse.cc:1409
#18 0x5649fd0a6660 in do_handle_one_connection(CONNECT*, bool) /data/bld/10.6-asan/sql/sql_connect.cc:1415
#19 0x5649fd0a6021 in handle_one_connection /data/bld/10.6-asan/sql/sql_connect.cc:1317
#20 0x5649fdcfca05 in pfs_spawn_thread /data/bld/10.6-asan/storage/perfschema/pfs.cc:2201
#21 0x7fc17dca8043 in start_thread nptl/pthread_create.c:442

previously allocated by thread T11 here:
#0 0x7fc17e6b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x5649fdf5628b in ut_allocator<unsigned char, true>::allocate(unsigned long, unsigned char const*, unsigned int, bool, bool) /data/bld/10.6-asan/storage/innobase/include/ut0new.h:375
#2 0x5649fe1473f7 in mem_heap_create_block_func(mem_block_info_t, unsigned long, char const, unsigned int, unsigned long) /data/bld/10.6-asan/storage/innobase/mem/mem0mem.cc:277
#3 0x5649fe147d07 in mem_heap_add_block(mem_block_info_t*, unsigned long) /data/bld/10.6-asan/storage/innobase/mem/mem0mem.cc:378
#4 0x5649fe5c5468 in mem_heap_alloc /data/bld/10.6-asan/storage/innobase/include/mem0mem.inl:193
#5 0x5649fe5c7eda in dict_table_t::create(st_::span<char const> const&, fil_space_t*, unsigned long, unsigned long, unsigned long, unsigned long) /data/bld/10.6-asan/storage/innobase/dict/dict0mem.cc:173
#6 0x5649fe5b9d29 in dict_load_table_low(mtr_t, bool, unsigned char const, dict_table_t**) /data/bld/10.6-asan/storage/innobase/dict/dict0load.cc:2213
#7 0x5649fe5bbe4d in dict_load_table_one /data/bld/10.6-asan/storage/innobase/dict/dict0load.cc:2388
#8 0x5649fe5bddbc in dict_sys_t::load_table(st_::span<char const> const&, dict_err_ignore_t) /data/bld/10.6-asan/storage/innobase/dict/dict0load.cc:2570
#9 0x5649fe584894 in dict_table_open_on_name(char const*, bool, dict_err_ignore_t) /data/bld/10.6-asan/storage/innobase/dict/dict0dict.cc:1062
#10 0x5649fdf29bc9 in get_foreign_key_info /data/bld/10.6-asan/storage/innobase/handler/ha_innodb.cc:15540
#11 0x5649fdf2a1f7 in ha_innobase::get_foreign_key_list(THD, List<st_foreign_key_info>) /data/bld/10.6-asan/storage/innobase/handler/ha_innodb.cc:15603
#12 0x5649fceeb8a2 in mysql_prepare_alter_table(THD, TABLE, HA_CREATE_INFO, Alter_info, Alter_table_ctx*) /data/bld/10.6-asan/sql/sql_table.cc:7874
#13 0x5649fcefe1ae in mysql_alter_table(THD, st_mysql_const_lex_string const, st_mysql_const_lex_string const, HA_CREATE_INFO, TABLE_LIST, Recreate_info, Alter_info, unsigned int, st_order, bool, bool) /data/bld/10.6-asan/sql/sql_table.cc:10135
#14 0x5649fd0c518d in Sql_cmd_alter_table::execute(THD*) /data/bld/10.6-asan/sql/sql_alter.cc:675
#15 0x5649fcc51410 in mysql_execute_command(THD*, bool) /data/bld/10.6-asan/sql/sql_parse.cc:6074
#16 0x5649fcc5e914 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/bld/10.6-asan/sql/sql_parse.cc:8100
#17 0x5649fcc34349 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/bld/10.6-asan/sql/sql_parse.cc:1896
#18 0x5649fcc3107d in do_command(THD*, bool) /data/bld/10.6-asan/sql/sql_parse.cc:1409
#19 0x5649fd0a6660 in do_handle_one_connection(CONNECT*, bool) /data/bld/10.6-asan/sql/sql_connect.cc:1415
#20 0x5649fd0a6021 in handle_one_connection /data/bld/10.6-asan/sql/sql_connect.cc:1317
#21 0x5649fdcfca05 in pfs_spawn_thread /data/bld/10.6-asan/storage/perfschema/pfs.cc:2201
#22 0x7fc17dca8043 in start_thread nptl/pthread_create.c:442

Thread T11 created by T0 here:
#0 0x7fc17e649726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
#1 0x5649fdcf8740 in my_thread_create /data/bld/10.6-asan/storage/perfschema/my_thread.h:52
#2 0x5649fdcfcdf4 in pfs_spawn_thread_v1 /data/bld/10.6-asan/storage/perfschema/pfs.cc:2252
#3 0x5649fc91b8ab in inline_mysql_thread_create /data/bld/10.6-asan/include/mysql/psi/mysql_thread.h:1139
#4 0x5649fc932b3b in create_thread_to_handle_connection(CONNECT*) /data/bld/10.6-asan/sql/mysqld.cc:6003
#5 0x5649fc93314c in create_new_thread(CONNECT*) /data/bld/10.6-asan/sql/mysqld.cc:6062
#6 0x5649fc933437 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/10.6-asan/sql/mysqld.cc:6124
#7 0x5649fc933dc7 in handle_connections_sockets() /data/bld/10.6-asan/sql/mysqld.cc:6248
#8 0x5649fc9323b8 in mysqld_main(int, char**) /data/bld/10.6-asan/sql/mysqld.cc:5898
#9 0x5649fc91a9b8 in main /data/bld/10.6-asan/sql/main.cc:34
#10 0x7fc17dc461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:389 in __interceptor_strlen
Shadow bytes around the buggy address:
0x0c387fffc1f0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x0c387fffc200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c387fffc210: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c387fffc220: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c387fffc230: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c387fffc240: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
0x0c387fffc250: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c387fffc260: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c387fffc270: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c387fffc280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c387fffc290: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3171533==ABORTING

No obvious immediate effect on a non-debug build on my machine (but it may be a matter of luck).

The failure started happening after this merge in 10.6.15:

commit 5ea5291d97209ed90b6721d228cd5d24a1feeb58

Merge: 691e964d235 61acb43689d

Author: Oleksandr Byelkin

Date:   Wed Aug 2 20:20:50 2023 +0200

    Merge branch '10.5' into 10.6

I couldn't reproduce it on 10.5, but apparently the culprit was this:

commit da09ae05a9a744f184715e1eb35f2755681bd6b5

Author: Sergei Golubchik

Date:   Thu Jul 13 10:59:39 2023 +0200

    MDEV-18114 Foreign Key Constraint actions don't affect Virtual Column

Attachments

Activity

People

Assignee:: Sergei Golubchik

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2024-01-03 15:13

Updated:: 2024-05-03 14:32

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.