Details
Bug
Status: In Review (View Workflow)
Critical
Resolution: Unresolved
10.6, 10.11, 11.4, 11.8
None
Not for Release Notes
Description
Something changed in clang-21 -fsanitize=memory, flagging a lot of trouble already at InnoDB startup. To add insult to injury, a stack overflow would occur while trying to unwind a stack trace:
10.6 6892722577f3e37ea62506d4e38a7ff5ea8fe148 |
2025-12-23 9:09:56 0 [Note] InnoDB: Database physically writes the file full: wait...
MemorySanitizer:DEADLYSIGNAL
==136452==ERROR: MemorySanitizer: stack-overflow on address 0x7ffd91113c48 (pc 0x560c4278c5bb bp 0x7ffd91114490 sp 0x7ffd91113c50 T136452)
MemorySanitizer:DEADLYSIGNAL
MemorySanitizer: nested bug in the same thread, aborting.
The first obstacle would be fixed by the following cleanup (which I tested on 10.6 and 11.4):
diff --git a/storage/innobase/buf/buf0buf.cc b/storage/innobase/buf/buf0buf.cc
index c053970b090..67bac28ce3f 100644
--- a/storage/innobase/buf/buf0buf.cc
+++ b/storage/innobase/buf/buf0buf.cc
@@ -3474,7 +3474,7 @@ buf_block_t*
buf_page_create(fil_space_t *space, uint32_t offset,
ulint zip_size, mtr_t *mtr, buf_block_t *free_block) noexcept
{
- space->free_page(offset, false);
+ space->free_page<false>(offset);
return buf_page_create_low({space->id, offset}, zip_size, mtr, free_block);
}
|
diff --git a/storage/innobase/include/fil0fil.h b/storage/innobase/include/fil0fil.h
index e757231a64e..8c957e64cbb 100644
--- a/storage/innobase/include/fil0fil.h
+++ b/storage/innobase/include/fil0fil.h
@@ -995,19 +995,16 @@ struct fil_space_t final
@retval nullptr if the tablespace is missing or inaccessible */
static fil_space_t *get_for_write(ulint id) noexcept;
|
- /** Add/remove the free page in the freed ranges list.
- @param[in] offset page number to be added
- @param[in] free true if page to be freed */
- void free_page(uint32_t offset, bool add=true)
+ /** Add/remove a page in freed_ranges.
+ @tparam add true=add, false=remove
+ @param offset page number */
+ template<bool add=true> void free_page(uint32_t offset) noexcept
{
std::lock_guard<std::mutex> freed_lock(freed_range_mutex);
if (add)
- return freed_ranges.add_value(offset);
-
- if (freed_ranges.empty())
- return;
-
- return freed_ranges.remove_value(offset);
+ freed_ranges.add_value(offset);
+ else
+ freed_ranges.remove_value(offset);
}
|
/** Add the range of freed pages */
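Review bot: The remove path loses the `if (freed_ranges.empty()) return;` guard, so `free_page<false>` now reaches `freed_ranges.remove_value(offset)` on an empty set; whether that is safe depends on `remove_value` tolerating a range that is not present, which is not visible here, so the doc comment should state it, e.g. `@param offset page number (removing a page that is not in freed_ranges must be harmless)`. Because `add` is a template parameter the `if (add)` is resolved at compile time, so the old early-return shape is indeed unnecessary; if the tree is built as C++17, `if constexpr (add)` would make that explicit. The added `noexcept` also covers the `std::lock_guard` and the `add_value` call, which presumably allocates; if either can throw, the process now terminates instead of propagating, which may be the intended InnoDB policy but deserves a word in the comment. The enclosing `struct fil_space_t` continues beyond the hunk.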
diff --git a/storage/innobase/log/log0recv.cc b/storage/innobase/log/log0recv.cc
index 52a5a0a457c..effb3ced673 100644
--- a/storage/innobase/log/log0recv.cc
+++ b/storage/innobase/log/log0recv.cc
@@ -2358,8 +2358,10 @@ static void store_freed_or_init_rec(page_id_t page_id, bool freed)
space= fil_system.sys_space;
else
space= fil_space_get(space_id);
-
- space->free_page(page_no, freed);
+ if (freed)
+ space->free_page<true>(page_no);
+ else
+ space->free_page<false>(page_no);
return;
}
|
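Review bot: The new lines dereference `space` directly after `space= fil_space_get(space_id);` with no null check, the same shape as the call they replace; if this path is known to see only tablespaces that exist, a one-line comment such as `/* space cannot be null here: <reason> */` above the dispatch would spare the next reader the question, and if it is not known, a guard belongs before the `if (freed)`. The `if (freed)` fork itself is the unavoidable runtime-to-template dispatch and reads fine as written. The enclosing function `store_freed_or_init_rec` starts before the hunk.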
There is more to come:
10.6 6892722577f3e37ea62506d4e38a7ff5ea8fe148 patched as above |
#0 0x0000564bba9dcb28 in __msan_warning_with_origin_noreturn ()
#1 0x0000564bbca1d090 in flst_add_last (base=base@entry=0x7f06ab200000, boffset=boffset@entry=0x3e, add=0x7f06ab200000, aoffset=0xee, limit=0xc0, mtr=mtr@entry=0x7ffebeb603b0)
at /mariadb/10.6/storage/innobase/fut/fut0lst.cc:286
#2 0x0000564bba8c5f4c in fsp_fill_free_list (init_space=0x0, space=space@entry=0x712000001c98, header=header@entry=0x7f06ab200000, mtr=mtr@entry=0x7ffebeb603b0)
at /mariadb/10.6/storage/innobase/fsp/fsp0fsp.cc:907
#3 0x0000564bbc9e8809 in fsp_header_init (space=0x712000001c98, size=0x300, mtr=mtr@entry=0x7ffebeb603b0) at /mariadb/10.6/storage/innobase/fsp/fsp0fsp.cc:568
#4 0x0000564bbc6f6f65 in srv_start (create_new_db=0x1) at /mariadb/10.6/storage/innobase/srv/srv0start.cc:1460
#5 0x0000564bbc244674 in innodb_init (p=0x714000000e18) at /mariadb/10.6/storage/innobase/handler/ha_innodb.cc:4340
#6 0x0000564bbb62d1ce in ha_initialize_handlerton (plugin_=0x70c0000013b0) at /mariadb/10.6/sql/handler.cc:664
#7 0x0000564bbad9f3db in plugin_do_initialize (plugin=plugin@entry=0x70c0000013b0, state=@0x7ffebeb60a68: 0x4) at /mariadb/10.6/sql/sql_plugin.cc:1456
#8 0x0000564bbad9c70a in plugin_initialize (tmp_root=tmp_root@entry=0x7ffebeb60d50, plugin=plugin@entry=0x70c0000013b0, argc=argc@entry=0x564bc268abe0 <remaining_argc>, argv=argv@entry=0x715000000070,
options_only=0x0) at /mariadb/10.6/sql/sql_plugin.cc:1510
#9 0x0000564bbad9b15a in plugin_init (argc=argc@entry=0x564bc268abe0 <remaining_argc>, argv=0x715000000070, flags=0x1) at /mariadb/10.6/sql/sql_plugin.cc:1766
#10 0x0000564bbaa6176b in init_server_components () at /mariadb/10.6/sql/mysqld.cc:5119
#11 0x0000564bbaa56a3d in mysqld_main (argc=0x39, argv=0x715000000070) at /mariadb/10.6/sql/mysqld.cc:5762
#12 0x00007f06c7229f75 in __libc_start_call_main (main=main@entry=0x564bbaa4cee0 <main(int, char**)>, argc=argc@entry=0x38, argv=argv@entry=0x7ffebeb63038) at ../sysdeps/nptl/libc_start_call_main.h:58
#13 0x00007f06c722a027 in __libc_start_main_impl (main=0x564bbaa4cee0 <main(int, char**)>, argc=0x38, argv=0x7ffebeb63038, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
stack_end=0x7ffebeb63028) at ../csu/libc-start.c:360
The latter one is something that I discussed with danblack several months ago, but didn't have time to debug or fix at that time.
Note: This time I am using a clang-21 package of Debian Sid, instead of a preview that was downloaded from apt.llvm.org.
Issue Links
- relates to
MDEV-20377 Make WITH_MSAN more usable
- Closed