[MDEV-33972] Memory corruption in innodb.insert_into_empty - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Blocker
Resolution: Fixed
Affects Version/s: N/A
Fix Version/s: 10.11.8, 11.0.6, 11.1.5, 11.2.4, 11.4.2
Component/s: Storage Engine - InnoDB
Labels:
- regression

Description

The fix of ~~MDEV-33868~~ causes a deterministic crash on our IA-32 based Debian Sid builders. The root cause turned out to be that the most significant bit of a pointer trx->rw_trx_hash_element was being inadvertently cleared due to accessing an invalid iterator:

diff --git a/storage/innobase/row/row0merge.cc b/storage/innobase/row/row0merge.cc

index bcb93970ffc..c513d77e52f 100644

--- a/storage/innobase/row/row0merge.cc

+++ b/storage/innobase/row/row0merge.cc

@@ -5374,13 +5374,15 @@ dberr_t trx_t::bulk_insert_apply_for_table(dict_table_t *table)

   if (UNIV_UNLIKELY(!bulk_insert))

     return DB_SUCCESS;

   auto it= mod_tables.find(table);

-  if (it != mod_tables.end() && it->second.bulk_store)

+  if (it != mod_tables.end()

+  {

     if (dberr_t err= it->second.write_bulk(table, this))

       bulk_rollback_low();

       return err;

-  it->second.end_bulk_insert();

+    it->second.end_bulk_insert();

+  }

   return DB_SUCCESS;

Thanks to thiru for proposing the above fix.

This bug would be caught much more conveniently by defining -D_GLIBCXX_DEBUG of GNU libstdc++:

/usr/include/c++/13/debug/safe_iterator.h:312:

In function:

    gnu_debug::_Safe_iterator<_Iterator, _Sequence, _Category>::pointer

    gnu_debug::_Safe_iterator<_Iterator, _Sequence, _Category>::operator->()

    const [with _Iterator = std::_Rb_tree_iterator<std::pair<dict_table_t*

    const, trx_mod_table_time_t> >; _Sequence = std::

    debug::map<dict_table_t*, trx_mod_table_time_t,

    std::less<dict_table_t*>, ut_allocator<std::pair<dict_table_t* const,

    trx_mod_table_time_t> > >; _Category = std::forward_iterator_tag;

    pointer = std::pair<dict_table_t* const, trx_mod_table_time_t>*]

Error: attempt to dereference a past-the-end iterator.

Objects involved in the operation:

    iterator "this" @ 0x7f4563ffd7c0 {

      type = std::_Rb_tree_iterator<std::pair<dict_table_t* const, trx_mod_table_time_t> > (mutable iterator);

      state = past-the-end;

      references sequence with type 'std::debug::map<dict_table_t*, trx_mod_table_time_t, std::less<dict_table_t*>, ut_allocator<std::pair<dict_table_t* const, trx_mod_table_time_t>, true> >' @ 0x7f45626016b0

I suppose that this could also be caught by -D_LIBCPP_DEBUG with clang libc++, or -D_ITERATOR_DEBUG_LEVEL=1 on MSVC.

Attachments

Issue Links

is caused by

MDEV-33868 Assertion `trx->bulk_insert' failed in innodb_prepare_commit_versioned

Closed

relates to

MDEV-33974 Enable GNU libstdc++ debugging

Closed

Activity

People

Assignee:: Marko Mäkelä

Reporter:: Marko Mäkelä

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2024-04-23 08:59

Updated:: 2024-04-23 11:33

Resolved:: 2024-04-23 11:18

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.