[MDEV-35055] ASAN errors in TABLE_SHARE::lock_share upon committing transaction after FLUSH on table with vector key - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: N/A
Fix Version/s: 11.7.1
Component/s: Storage Engine - InnoDB, Vector search
Labels:
None

Description

--source include/have_innodb.inc

CREATE TABLE t (pk INT PRIMARY KEY, v BLOB NOT NULL, VECTOR INDEX(v)) ENGINE=InnoDB;

--connect (con1,localhost,root,,)

START TRANSACTION;

INSERT INTO t VALUES (1,x'00000000');

--connection default

FLUSH TABLES;

--connection con1

COMMIT;

# Cleanup

DROP TABLE t;

--disconnect con1

bb-11.6-MDEV-32887-vector 0ddb67a1
==2235903==ERROR: AddressSanitizer: heap-use-after-free on address 0x61c0000305b0 at pc 0x55bb8752bd87 bp 0x7f9451f407c0 sp 0x7f9451f407b8
READ of size 4 at 0x61c0000305b0 thread T11
#0 0x55bb8752bd86 in TABLE_SHARE::lock_share() /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/table.h:731
#1 0x55bb884872bc in MHNSW_Share::get_from_share(TABLE_SHARE, TABLE) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/vector_mhnsw.cc:621
#2 0x55bb88486a69 in MHNSW_Trx::do_commit(THD*, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/vector_mhnsw.cc:569
#3 0x55bb8804959e in commit_one_phase_2 /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/handler.cc:2217
#4 0x55bb8804913e in ha_commit_one_phase(THD*, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/handler.cc:2159
#5 0x55bb880473a7 in ha_commit_trans(THD*, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/handler.cc:1953
#6 0x55bb87be3644 in trans_commit(THD*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/transaction.cc:265
#7 0x55bb876ca23f in mysql_execute_command(THD*, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/sql_parse.cc:5475
#8 0x55bb876d9bf9 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/sql_parse.cc:7873
#9 0x55bb876b0c1b in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/sql_parse.cc:1892
#10 0x55bb876ad92f in do_command(THD*, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/sql_parse.cc:1405
#11 0x55bb87b9d188 in do_handle_one_connection(CONNECT*, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/sql_connect.cc:1448
#12 0x55bb87b9cb49 in handle_one_connection /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/sql_connect.cc:1350
#13 0x55bb88840101 in pfs_spawn_thread /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/storage/perfschema/pfs.cc:2198
#14 0x7f9462ca8043 in start_thread nptl/pthread_create.c:442
#15 0x7f9462d2861b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x61c0000305b0 is located 1328 bytes inside of 1776-byte region [0x61c000030080,0x61c000030770)
freed by thread T10 here:
#0 0x7f94638b76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
#1 0x55bb895bbfe8 in my_free /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/mysys/my_malloc.c:221
#2 0x55bb8958d769 in root_free /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/mysys/my_alloc.c:77
#3 0x55bb89590206 in free_root /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/mysys/my_alloc.c:502
#4 0x55bb87a8fff8 in TABLE_SHARE::destroy() /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/table.cc:553
#5 0x55bb87a90234 in free_table_share(TABLE_SHARE*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/table.cc:569
#6 0x55bb87e7a780 in tdc_delete_share_from_hash /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/table_cache.cc:536
#7 0x55bb87e7bac0 in tdc_purge(bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/table_cache.cc:718
#8 0x55bb874f027d in purge_tables() /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/sql_base.cc:336
#9 0x55bb874f04bf in close_cached_tables(THD, TABLE_LIST, bool, unsigned long) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/sql_base.cc:363
#10 0x55bb87c414bf in reload_acl_and_cache(THD, unsigned long long, TABLE_LIST, int*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/sql_reload.cc:358
#11 0x55bb876c8b6f in mysql_execute_command(THD*, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/sql_parse.cc:5314
#12 0x55bb876d9bf9 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/sql_parse.cc:7873
#13 0x55bb876b0c1b in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/sql_parse.cc:1892
#14 0x55bb876ad92f in do_command(THD*, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/sql_parse.cc:1405
#15 0x55bb87b9d188 in do_handle_one_connection(CONNECT*, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/sql_connect.cc:1448
#16 0x55bb87b9cb49 in handle_one_connection /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/sql_connect.cc:1350
#17 0x55bb88840101 in pfs_spawn_thread /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/storage/perfschema/pfs.cc:2198
#18 0x7f9462ca8043 in start_thread nptl/pthread_create.c:442

previously allocated by thread T11 here:
#0 0x7f94638b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x55bb895bb119 in my_malloc /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/mysys/my_malloc.c:93
#2 0x55bb8958d6e5 in root_alloc /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/mysys/my_alloc.c:66
#3 0x55bb8958f0d5 in alloc_root /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/mysys/my_alloc.c:333
#4 0x55bb8958f941 in multi_alloc_root /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/mysys/my_alloc.c:406
#5 0x55bb87a8e667 in alloc_table_share(char const, char const, char const*, unsigned int) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/table.cc:367
#6 0x55bb87e7c8b9 in tdc_acquire_share(THD, TABLE_LIST, unsigned int, TABLE**) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/table_cache.cc:850
#7 0x55bb874f9730 in open_table(THD, TABLE_LIST, Open_table_context*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/sql_base.cc:2091
#8 0x55bb87505a1a in open_and_process_table /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/sql_base.cc:4179
#9 0x55bb8750856a in open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/sql_base.cc:4665
#10 0x55bb8750d429 in open_and_lock_tables(THD, DDL_options_st const&, TABLE_LIST, bool, unsigned int, Prelocking_strategy*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/sql_base.cc:5634
#11 0x55bb8753360c in open_and_lock_tables(THD, TABLE_LIST, bool, unsigned int) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/sql_base.h:532
#12 0x55bb875ef3d5 in mysql_insert(THD, TABLE_LIST, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/sql_insert.cc:782
#13 0x55bb876c2037 in mysql_execute_command(THD*, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/sql_parse.cc:4458
#14 0x55bb876d9bf9 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/sql_parse.cc:7873
#15 0x55bb876b0c1b in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/sql_parse.cc:1892
#16 0x55bb876ad92f in do_command(THD*, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/sql_parse.cc:1405
#17 0x55bb87b9d188 in do_handle_one_connection(CONNECT*, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/sql_connect.cc:1448
#18 0x55bb87b9cb49 in handle_one_connection /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/sql_connect.cc:1350
#19 0x55bb88840101 in pfs_spawn_thread /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/storage/perfschema/pfs.cc:2198
#20 0x7f9462ca8043 in start_thread nptl/pthread_create.c:442

Thread T11 created by T0 here:
#0 0x7f9463849726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
#1 0x55bb8883bea3 in my_thread_create /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/storage/perfschema/my_thread.h:38
#2 0x55bb888404f0 in pfs_spawn_thread_v1 /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/storage/perfschema/pfs.cc:2249
#3 0x55bb872c9c33 in inline_mysql_thread_create /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/include/mysql/psi/mysql_thread.h:1139
#4 0x55bb872e23fa in create_thread_to_handle_connection(CONNECT*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/mysqld.cc:6267
#5 0x55bb872e2a1f in create_new_thread(CONNECT*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/mysqld.cc:6329
#6 0x55bb872e2d0a in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/mysqld.cc:6391
#7 0x55bb872e3992 in handle_connections_sockets() /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/mysqld.cc:6504
#8 0x55bb872e1c77 in mysqld_main(int, char**) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/mysqld.cc:6162
#9 0x55bb872c8d58 in main /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/main.cc:34
#10 0x7f9462c461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

Thread T10 created by T0 here:
#0 0x7f9463849726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
#1 0x55bb8883bea3 in my_thread_create /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/storage/perfschema/my_thread.h:38
#2 0x55bb888404f0 in pfs_spawn_thread_v1 /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/storage/perfschema/pfs.cc:2249
#3 0x55bb872c9c33 in inline_mysql_thread_create /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/include/mysql/psi/mysql_thread.h:1139
#4 0x55bb872e23fa in create_thread_to_handle_connection(CONNECT*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/mysqld.cc:6267
#5 0x55bb872e2a1f in create_new_thread(CONNECT*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/mysqld.cc:6329
#6 0x55bb872e2d0a in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/mysqld.cc:6391
#7 0x55bb872e3992 in handle_connections_sockets() /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/mysqld.cc:6504
#8 0x55bb872e1c77 in mysqld_main(int, char**) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/mysqld.cc:6162
#9 0x55bb872c8d58 in main /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/main.cc:34
#10 0x7f9462c461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-use-after-free /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-tmp/sql/table.h:731 in TABLE_SHARE::lock_share()
Shadow bytes around the buggy address:
0x0c387fffe060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c387fffe070: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c387fffe080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c387fffe090: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c387fffe0a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c387fffe0b0: fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd
0x0c387fffe0c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c387fffe0d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c387fffe0e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
0x0c387fffe0f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c387fffe100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2235903==ABORTING

Attachments

Issue Links

is caused by

MDEV-34939 vector search in 11.7

Closed

Activity

People

Assignee:: Sergei Golubchik

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2024-10-01 10:46

Updated:: 2024-11-06 13:53

Resolved:: 2024-11-06 13:53

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.