  1. MariaDB Server
  2. MDEV-36475

ASAN errors in ha_innobase::can_be_renamed_to_backup

Details

    Description

      The test case is non-deterministic; run it with --repeat=N. It usually fails within a few attempts for me, but this can vary across machines and builds. In case it doesn't fail for you, an rr profile will also be provided.

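      The --send in the test case is important: the failure happens upon shutdown, which MTR triggers after the test ends. However, I couldn't convert it into an explicit restart_mysqld for some reason. In the ASAN report below, the faulting access is an 8-byte write to an address marked "Poisoned by user" (f7) inside the 4194304-byte block that trx_pool_init() allocated for the trx_t pool.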

      # Reproducer for the ASAN use-after-poison reported in
      # ha_innobase::can_be_renamed_to_backup(). Non-deterministic: run it under
      # MTR with --repeat=N.
      --source include/have_sequence.inc
      --source include/have_innodb.inc
       
      # Existing InnoDB table that the later CREATE OR REPLACE targets.
      CREATE TABLE t ENGINE=InnoDB AS SELECT 1 AS a;
      --connect (con1,localhost,root,,)
      # --send issues the next statement without waiting for its result, so the
      # test can end while the statement is still in flight. Per the report, the
      # failure is seen during the shutdown that MTR triggers after the test ends.
      --send
        CREATE OR REPLACE TABLE t ENGINE=InnoDB AS SELECT * FROM seq_1_to_10000;
      

      bb-main-monty efaa497684bcaf6d389447ce64f0c3cf1979b788

      ==3835053==ERROR: AddressSanitizer: use-after-poison on address 0x65724ad8fcb8 at pc 0x55e554722d4b bp 0x776540e48760 sp 0x776540e48750
      WRITE of size 8 at 0x65724ad8fcb8 thread T11
      2025-04-03 21:25:25 0 [Note] /data/for_monty/bb-main-monty/sql/mariadbd (initiated by: unknown): Normal shutdown
          #0 0x55e554722d4a in ha_innobase::can_be_renamed_to_backup() const /data/for_monty/bb-main-monty/storage/innobase/handler/ha_innodb.cc:15879
          #1 0x55e553bbf5b2 in ha_can_be_renamed_to_backup /data/for_monty/bb-main-monty/sql/handler.cc:6922
          #2 0x55e553bbf9b2 in ha_check_if_table_can_be_renamed_to_backup(THD*, handlerton*, TABLE_LIST*) /data/for_monty/bb-main-monty/sql/handler.cc:6953
          #3 0x55e5534b685d in create_table_impl /data/for_monty/bb-main-monty/sql/sql_table.cc:5045
          #4 0x55e5534b9197 in mysql_create_table_no_lock(THD*, st_ddl_log_state*, st_ddl_log_state*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /data/for_monty/bb-main-monty/sql/sql_table.cc:5383
          #5 0x55e5530ef886 in select_create::create_table_from_items(THD*, List<Item>*, st_mysql_lock**) /data/for_monty/bb-main-monty/sql/sql_insert.cc:4830
          #6 0x55e5530f0ee1 in select_create::prepare(List<Item>&, st_select_lex_unit*) /data/for_monty/bb-main-monty/sql/sql_insert.cc:5013
          #7 0x55e5532a9dda in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/for_monty/bb-main-monty/sql/sql_select.cc:1858
          #8 0x55e5532ceca6 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/for_monty/bb-main-monty/sql/sql_select.cc:5351
          #9 0x55e55329cae0 in handle_select(THD*, LEX*, select_result*, unsigned long long) /data/for_monty/bb-main-monty/sql/sql_select.cc:634
          #10 0x55e5534faa4b in Sql_cmd_create_table_like::execute(THD*) /data/for_monty/bb-main-monty/sql/sql_table.cc:13879
          #11 0x55e5531b39ea in mysql_execute_command(THD*, bool) /data/for_monty/bb-main-monty/sql/sql_parse.cc:5887
          #12 0x55e5531c111b in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/for_monty/bb-main-monty/sql/sql_parse.cc:7917
          #13 0x55e553197949 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/for_monty/bb-main-monty/sql/sql_parse.cc:1903
          #14 0x55e5531945fc in do_command(THD*, bool) /data/for_monty/bb-main-monty/sql/sql_parse.cc:1416
          #15 0x55e5536b44dd in do_handle_one_connection(CONNECT*, bool) /data/for_monty/bb-main-monty/sql/sql_connect.cc:1415
          #16 0x55e5536b4030 in handle_one_connection /data/for_monty/bb-main-monty/sql/sql_connect.cc:1327
          #17 0x55e55449d773 in pfs_spawn_thread /data/for_monty/bb-main-monty/storage/perfschema/pfs.cc:2198
          #18 0x561e3e3edac2 in start_thread nptl/pthread_create.c:442
          #19 0x561e3e47ea03 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x125a03)
       
      0x65724ad8fcb8 is located 5304 bytes inside of 4194304-byte region [0x65724ad8e800,0x65724b18e800)
      allocated by thread T0 here:
          #0 0x7f203db500d7 in __interceptor_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:178
          #1 0x55e5539b77f5 in aligned_malloc(unsigned long, unsigned long) /data/for_monty/bb-main-monty/include/aligned.h:26
          #2 0x55e554d2d69a in Pool<trx_t, TrxFactory, TrxPoolLock>::Pool(unsigned long) /data/for_monty/bb-main-monty/storage/innobase/include/ut0pool.h:68
          #3 0x55e554d2a9ec in PoolManager<Pool<trx_t, TrxFactory, TrxPoolLock>, TrxPoolManagerLock>::add_pool(unsigned long) /data/for_monty/bb-main-monty/storage/innobase/include/ut0pool.h:313
          #4 0x55e554d2a16c in PoolManager<Pool<trx_t, TrxFactory, TrxPoolLock>, TrxPoolManagerLock>::create() /data/for_monty/bb-main-monty/storage/innobase/include/ut0pool.h:338
          #5 0x55e554d27c3a in PoolManager<Pool<trx_t, TrxFactory, TrxPoolLock>, TrxPoolManagerLock>::PoolManager(unsigned long) /data/for_monty/bb-main-monty/storage/innobase/include/ut0pool.h:224
          #6 0x55e554d11191 in trx_pool_init() /data/for_monty/bb-main-monty/storage/innobase/trx/trx0trx.cc:313
          #7 0x55e554c78e9f in srv_boot() /data/for_monty/bb-main-monty/storage/innobase/srv/srv0srv.cc:611
          #8 0x55e554c8cac8 in srv_start(bool) /data/for_monty/bb-main-monty/storage/innobase/srv/srv0start.cc:1294
          #9 0x55e5546d6816 in innodb_init /data/for_monty/bb-main-monty/storage/innobase/handler/ha_innodb.cc:4327
          #10 0x55e553b8b551 in ha_initialize_handlerton(void*) /data/for_monty/bb-main-monty/sql/handler.cc:737
          #11 0x55e553222185 in plugin_do_initialize /data/for_monty/bb-main-monty/sql/sql_plugin.cc:1455
          #12 0x55e553222b4a in plugin_initialize /data/for_monty/bb-main-monty/sql/sql_plugin.cc:1509
          #13 0x55e5532245b5 in plugin_init(int*, char**, int) /data/for_monty/bb-main-monty/sql/sql_plugin.cc:1751
          #14 0x55e552d9a2e8 in init_server_components /data/for_monty/bb-main-monty/sql/mysqld.cc:5313
          #15 0x55e552d9c8f1 in mysqld_main(int, char**) /data/for_monty/bb-main-monty/sql/mysqld.cc:6009
          #16 0x55e552d8338c in main /data/for_monty/bb-main-monty/sql/main.cc:34
          #17 0x561e3e382d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
       
      Thread T11 created by T0 here:
          #0 0x7f203daf3685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
          #1 0x55e554499267 in my_thread_create /data/for_monty/bb-main-monty/storage/perfschema/my_thread.h:38
          #2 0x55e55449db66 in pfs_spawn_thread_v1 /data/for_monty/bb-main-monty/storage/perfschema/pfs.cc:2249
          #3 0x55e552d84106 in inline_mysql_thread_create /data/for_monty/bb-main-monty/include/mysql/psi/mysql_thread.h:1139
          #4 0x55e552d9dae1 in create_thread_to_handle_connection(CONNECT*) /data/for_monty/bb-main-monty/sql/mysqld.cc:6266
          #5 0x55e552d9e18a in create_new_thread(CONNECT*) /data/for_monty/bb-main-monty/sql/mysqld.cc:6328
          #6 0x55e552d9e4fc in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/for_monty/bb-main-monty/sql/mysqld.cc:6390
          #7 0x55e552d9f1d6 in handle_connections_sockets() /data/for_monty/bb-main-monty/sql/mysqld.cc:6502
          #8 0x55e552d9bbd3 in run_main_loop /data/for_monty/bb-main-monty/sql/mysqld.cc:5744
          #9 0x55e552d9d31b in mysqld_main(int, char**) /data/for_monty/bb-main-monty/sql/mysqld.cc:6167
          #10 0x55e552d8338c in main /data/for_monty/bb-main-monty/sql/main.cc:34
          #11 0x561e3e382d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
       
      SUMMARY: AddressSanitizer: use-after-poison /data/for_monty/bb-main-monty/storage/innobase/handler/ha_innodb.cc:15879 in ha_innobase::can_be_renamed_to_backup() const
      Shadow bytes around the buggy address:
        0x0caec95a9f40: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0caec95a9f50: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0caec95a9f60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0caec95a9f70: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0caec95a9f80: f7 f7 f7 f7 f7 f7 f7 f7 00 00 00 00 00 00 00 00
      =>0x0caec95a9f90: 00 00 00 00 00 f7 00[f7]00 f7 00 f7 f7 f7 f7 f7
        0x0caec95a9fa0: f7 04 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 00 f7 f7
        0x0caec95a9fb0: f7 f7 f7 f7 f7 f7 00 f7 f7 04 f7 f7 f7 f7 f7 f7
        0x0caec95a9fc0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0caec95a9fd0: f7 f7 f7 f7 f7 f7 f7 f7 00 00 f7 00 00 00 00 00
        0x0caec95a9fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==3835053==ABORTING
      


          Activity

            Roel Roel Van de Paar added a comment - - edited

            Also ran into this. Deterministic testcase:

            # Deterministic variant from the comment: a DELAYED insert followed by
            # CREATE OR REPLACE of the same InnoDB table produces the ASAN
            # use-after-poison report at ha_innodb.cc:15879 (observed on
            # preview-12.0-preview, Debug + UBASAN build).
            --source include/have_innodb.inc
            CREATE TABLE t (c INT) ENGINE=InnoDB;
            INSERT DELAYED INTO t VALUES (1);  
            CREATE OR REPLACE TABLE t (c INT) ENGINE=InnoDB;
            

            Leads to:

            preview-12.0-preview CS 12.0.0 61c96785d1910976fd740aa0724105b16952786d (Debug, UBASAN) Build 29/03/2025

            Core was generated by `/test/P12_UBASAN_MD290325-mariadb-12.0.0-linux-x86_64-dbg/bin/mariadbd --defaul'.
            Program terminated with signal SIGABRT, Aborted.
            #0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44
             
            [Current thread is 1 (LWP 6096)]
            (gdb) bt
            #0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44
            #1  __pthread_kill_internal (signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:78
            #2  __GI___pthread_kill (threadid=<optimized out>, signo=6)at ./nptl/pthread_kill.c:89
            #3  0x000060e5938946e5 in handle_fatal_signal (sig=<optimized out>)at /test/preview-12.0-preview_dbg_san/sql/signal_handler.cc:298
            #4  <signal handler called>
            #5  __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44
            #6  __pthread_kill_internal (signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:78
            #7  __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6)at ./nptl/pthread_kill.c:89
            #8  0x00007cb3f464526e in __GI_raise (sig=sig@entry=6)at ../sysdeps/posix/raise.c:26
            #9  0x00007cb3f46288ff in __GI_abort () at ./stdlib/abort.c:79
            #10 0x000060e5923e2c4b in __sanitizer::Abort() ()
            #11 0x000060e5923e0dd5 in __sanitizer::Die() ()
            #12 0x000060e5923c14ff in __asan::ScopedInErrorReport::~ScopedInErrorReport()()
            #13 0x000060e5923c4585 in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) ()
            #14 0x000060e5923c56af in __asan_report_store8 ()
            #15 0x000060e59477307f in ha_innobase::can_be_renamed_to_backup (this=0x52500020f948)at /test/preview-12.0-preview_dbg_san/storage/innobase/handler/ha_innodb.cc:15879
            #16 0x000060e5938efcc3 in ha_can_be_renamed_to_backup (thd=thd@entry=0x52c0001b0218, table=0x51900005fa98)at /test/preview-12.0-preview_dbg_san/sql/handler.cc:6922
            #17 0x000060e5938ef92a in ha_check_if_table_can_be_renamed_to_backup (thd=0x52c0001b0218, hton=<optimized out>, create_table=<optimized out>)at /test/preview-12.0-preview_dbg_san/sql/handler.cc:6953
            #18 0x000060e592e0f1d0 in create_table_impl (thd=<optimized out>, ddl_log_state_create=0x7cb33374c440, ddl_log_state_rm=0x7cb33374c480, orig_db=<optimized out>, orig_table_name=<optimized out>, db=<optimized out>, table_name=<optimized out>, path=<optimized out>, options=<optimized out>, create_info=<optimized out>, alter_info=<optimized out>, create_table_mode=<optimized out>, is_trans=<optimized out>, key_info=<optimized out>, key_count=<optimized out>, frm=<optimized out>)at /test/preview-12.0-preview_dbg_san/sql/sql_table.cc:5035
            #19 0x000060e592e0dc50 in mysql_create_table_no_lock (thd=<optimized out>, ddl_log_state_create=<optimized out>, ddl_log_state_rm=<optimized out>, create_info=<optimized out>, alter_info=<optimized out>, is_trans=<optimized out>, create_table_mode=<optimized out>, table_list=<optimized out>)at /test/preview-12.0-preview_dbg_san/sql/sql_table.cc:5373
            #20 0x000060e592e6d197 in mysql_create_table (thd=<optimized out>, create_table=<optimized out>, create_info=0x7cb333986090, alter_info=<optimized out>)at /test/preview-12.0-preview_dbg_san/sql/sql_table.cc:5598
            #21 0x000060e592e672cf in Sql_cmd_create_table_like::execute (this=<optimized out>, thd=0x52c0001b0218)at /test/preview-12.0-preview_dbg_san/sql/sql_table.cc:13932
            #22 0x000060e592a0a4e7 in mysql_execute_command (thd=0x52c0001b0218, is_called_from_prepared_stmt=<optimized out>)at /test/preview-12.0-preview_dbg_san/sql/sql_parse.cc:5859
            #23 0x000060e5929ea2d9 in mysql_parse (thd=thd@entry=0x52c0001b0218, rawbuf=rawbuf@entry=0x52d0003c0438 "CREATE OR REPLACE TABLE t (c INT) ENGINE=InnoDB", length=<optimized out>, parser_state=parser_state@entry=0x7cb333bef8d0)at /test/preview-12.0-preview_dbg_san/sql/sql_parse.cc:7889
            #24 0x000060e5929de242 in dispatch_command (command=<optimized out>, thd=0x52c0001b0218, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>)at /test/preview-12.0-preview_dbg_san/sql/sql_parse.cc:1875
            #25 0x000060e5929eccfe in do_command (thd=thd@entry=0x52c0001b0218, blocking=true) at /test/preview-12.0-preview_dbg_san/sql/sql_parse.cc:1416
            #26 0x000060e5930be17d in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5080000050b8, put_in_cache=true)at /test/preview-12.0-preview_dbg_san/sql/sql_connect.cc:1415
            #27 0x000060e5930bda38 in handle_one_connection (arg=0x5080000050b8)at /test/preview-12.0-preview_dbg_san/sql/sql_connect.cc:1327
            #28 0x000060e5923ba19d in asan_thread_start(void*) ()
            #29 0x00007cb3f469ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
            #30 0x00007cb3f4729c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
            

            preview-12.0-preview CS 12.0.0 61c96785d1910976fd740aa0724105b16952786d (Debug, UBASAN) Build 29/03/2025

            ==6076==ERROR: AddressSanitizer: use-after-poison on address 0x7cb3ebc036d0 at pc 0x60e59477307f bp 0x7cb334affff0 sp 0x7cb334afffe8
            WRITE of size 8 at 0x7cb3ebc036d0 thread T11
                #0 0x60e59477307e in ha_innobase::can_be_renamed_to_backup() const /test/preview-12.0-preview_dbg_san/storage/innobase/handler/ha_innodb.cc:15879:28
                #1 0x60e5938efcc2 in ha_can_be_renamed_to_backup(THD*, TABLE*) /test/preview-12.0-preview_dbg_san/sql/handler.cc:6922:26
                #2 0x60e5938ef929 in ha_check_if_table_can_be_renamed_to_backup(THD*, handlerton*, TABLE_LIST*) /test/preview-12.0-preview_dbg_san/sql/handler.cc:6953:8
                #3 0x60e592e0f1cf in create_table_impl(THD*, st_ddl_log_state*, st_ddl_log_state*, Lex_ident_db const&, Lex_ident_table const&, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, DDL_options_st, HA_CREATE_INFO*, Alter_info*, int, bool*, st_key**, unsigned int*, st_mysql_const_unsigned_lex_string*) /test/preview-12.0-preview_dbg_san/sql/sql_table.cc:5035:19
                #4 0x60e592e0dc4f in mysql_create_table_no_lock(THD*, st_ddl_log_state*, st_ddl_log_state*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /test/preview-12.0-preview_dbg_san/sql/sql_table.cc:5373:8
                #5 0x60e592e6d196 in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /test/preview-12.0-preview_dbg_san/sql/sql_table.cc:5598:11
                #6 0x60e592e672ce in Sql_cmd_create_table_like::execute(THD*) /test/preview-12.0-preview_dbg_san/sql/sql_table.cc:13932:12
                #7 0x60e592a0a4e6 in mysql_execute_command(THD*, bool) /test/preview-12.0-preview_dbg_san/sql/sql_parse.cc:5859:26
                #8 0x60e5929ea2d8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/preview-12.0-preview_dbg_san/sql/sql_parse.cc:7889:18
                #9 0x60e5929de241 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/preview-12.0-preview_dbg_san/sql/sql_parse.cc:1875:7
                #10 0x60e5929eccfd in do_command(THD*, bool) /test/preview-12.0-preview_dbg_san/sql/sql_parse.cc:1416:17
                #11 0x60e5930be17c in do_handle_one_connection(CONNECT*, bool) /test/preview-12.0-preview_dbg_san/sql/sql_connect.cc:1415:11
                #12 0x60e5930bda37 in handle_one_connection /test/preview-12.0-preview_dbg_san/sql/sql_connect.cc:1327:5
                #13 0x60e5923ba19c in asan_thread_start(void*) asan_interceptors.cpp.o
                #14 0x7cb3f469ca93 in start_thread nptl/pthread_create.c:447:8
                #15 0x7cb3f4729c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
             
            0x7cb3ebc036d0 is located 7888 bytes inside of 4194304-byte region [0x7cb3ebc01800,0x7cb3ec001800)
            allocated by thread T0 here:
                #0 0x60e5923bce26 in memalign (/test/P12_UBASAN_MD290325-mariadb-12.0.0-linux-x86_64-dbg/bin/mariadbd+0x255fe26) (BuildId: 7ae30b6ddff792dc2645d2b7fb7ba6e37bd8385b)
                #1 0x60e594c8c881 in aligned_malloc(unsigned long, unsigned long) /test/preview-12.0-preview_dbg_san/include/aligned.h:26:10
                #2 0x60e594c8c881 in Pool<trx_t, TrxFactory, TrxPoolLock>::Pool(unsigned long) /test/preview-12.0-preview_dbg_san/storage/innobase/include/ut0pool.h:68:4
                #3 0x60e594c8c23c in PoolManager<Pool<trx_t, TrxFactory, TrxPoolLock>, TrxPoolManagerLock>::add_pool(unsigned long) /test/preview-12.0-preview_dbg_san/storage/innobase/include/ut0pool.h:313:11
                #4 0x60e594c874dc in PoolManager<Pool<trx_t, TrxFactory, TrxPoolLock>, TrxPoolManagerLock>::create() /test/preview-12.0-preview_dbg_san/storage/innobase/include/ut0pool.h:338:3
                #5 0x60e594c874dc in PoolManager<Pool<trx_t, TrxFactory, TrxPoolLock>, TrxPoolManagerLock>::PoolManager(unsigned long) /test/preview-12.0-preview_dbg_san/storage/innobase/include/ut0pool.h:224:3
                #6 0x60e594c77844 in trx_pool_init() /test/preview-12.0-preview_dbg_san/storage/innobase/trx/trx0trx.cc:313:14
                #7 0x60e594c0a2ea in srv_boot() /test/preview-12.0-preview_dbg_san/storage/innobase/srv/srv0srv.cc:611:3
                #8 0x60e594c14f55 in srv_start(bool) /test/preview-12.0-preview_dbg_san/storage/innobase/srv/srv0start.cc:1294:2
                #9 0x60e5947830e9 in innodb_init(void*) /test/preview-12.0-preview_dbg_san/storage/innobase/handler/ha_innodb.cc:4327:8
                #10 0x60e59389a87e in ha_initialize_handlerton(void*) /test/preview-12.0-preview_dbg_san/sql/handler.cc:737:37
                #11 0x60e592aa6a1b in plugin_do_initialize(st_plugin_int*, unsigned int&) /test/preview-12.0-preview_dbg_san/sql/sql_plugin.cc:1455:18
                #12 0x60e592aa5f8b in plugin_initialize(st_mem_root*, st_plugin_int*, int*, char**, bool) /test/preview-12.0-preview_dbg_san/sql/sql_plugin.cc:1509:10
                #13 0x60e592aa50b6 in plugin_init(int*, char**, int) /test/preview-12.0-preview_dbg_san/sql/sql_plugin.cc:1751:18
                #14 0x60e59240a80e in init_server_components() /test/preview-12.0-preview_dbg_san/sql/mysqld.cc:5312:7
                #15 0x60e59240381d in mysqld_main(int, char**) /test/preview-12.0-preview_dbg_san/sql/mysqld.cc:6012:7
                #16 0x7cb3f462a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
                #17 0x7cb3f462a28a in __libc_start_main csu/../csu/libc-start.c:360:3
                #18 0x60e592321864 in _start (/test/P12_UBASAN_MD290325-mariadb-12.0.0-linux-x86_64-dbg/bin/mariadbd+0x24c4864) (BuildId: 7ae30b6ddff792dc2645d2b7fb7ba6e37bd8385b)
             
            Thread T11 created by T0 here:
                #0 0x60e5923a2025 in pthread_create (/test/P12_UBASAN_MD290325-mariadb-12.0.0-linux-x86_64-dbg/bin/mariadbd+0x2545025) (BuildId: 7ae30b6ddff792dc2645d2b7fb7ba6e37bd8385b)
                #1 0x60e59240e59a in create_thread_to_handle_connection(CONNECT*) /test/preview-12.0-preview_dbg_san/sql/mysqld.cc:6269:19
                #2 0x60e59240f565 in handle_connections_sockets() /test/preview-12.0-preview_dbg_san/sql/mysqld.cc:6505:9
                #3 0x60e59240d7fa in run_main_loop() /test/preview-12.0-preview_dbg_san/sql/mysqld.cc:5747:3
                #4 0x60e59240431b in mysqld_main(int, char**) /test/preview-12.0-preview_dbg_san/sql/mysqld.cc:6170:3
                #5 0x7cb3f462a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
                #6 0x7cb3f462a28a in __libc_start_main csu/../csu/libc-start.c:360:3
                #7 0x60e592321864 in _start (/test/P12_UBASAN_MD290325-mariadb-12.0.0-linux-x86_64-dbg/bin/mariadbd+0x24c4864) (BuildId: 7ae30b6ddff792dc2645d2b7fb7ba6e37bd8385b)
             
            SUMMARY: AddressSanitizer: use-after-poison /test/preview-12.0-preview_dbg_san/storage/innobase/handler/ha_innodb.cc:15879:28 in ha_innobase::can_be_renamed_to_backup() const
            Shadow bytes around the buggy address:
              0x7cb3ebc03400: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x7cb3ebc03480: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x7cb3ebc03500: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x7cb3ebc03580: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x7cb3ebc03600: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
            =>0x7cb3ebc03680: 00 00 00 00 00 00 00 00 f7 00[f7]00 f7 00 f7 f7
              0x7cb3ebc03700: f7 f7 f7 f7 04 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x7cb3ebc03780: 00 f7 f7 f7 f7 f7 f7 f7 f7 00 f7 f7 04 f7 f7 f7
              0x7cb3ebc03800: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x7cb3ebc03880: f7 f7 f7 f7 f7 f7 f7 f7 00 00 f7 00 00 00 00 00
              0x7cb3ebc03900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable:           00
              Partially addressable: 01 02 03 04 05 06 07 
              Heap left redzone:       fa
              Freed heap region:       fd
              Stack left redzone:      f1
              Stack mid redzone:       f2
              Stack right redzone:     f3
              Stack after return:      f5
              Stack use after scope:   f8
              Global redzone:          f9
              Global init order:       f6
              Poisoned by user:        f7
              Container overflow:      fc
              Array cookie:            ac
              Intra object redzone:    bb
              ASan internal:           fe
              Left alloca redzone:     ca
              Right alloca redzone:    cb
            ==6076==ABORTING
            

            Present only in preview-12.0-preview. Using Clang 18.1

f7 0x7cb3ebc03780: 00 f7 f7 f7 f7 f7 f7 f7 f7 00 f7 f7 04 f7 f7 f7 0x7cb3ebc03800: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x7cb3ebc03880: f7 f7 f7 f7 f7 f7 f7 f7 00 00 f7 00 00 00 00 00 0x7cb3ebc03900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==6076==ABORTING Present only in preview-12.0-preview. Using Clang 18.1. Note: the shadow byte at the faulting address is f7 (poisoned by user) and the region was allocated by the trx_t pool, so this looks like a write into a pooled trx_t object that had been marked unused rather than into freed heap memory.

            People

              monty Michael Widenius
              elenst Elena Stepanova