[MDEV-15880] Server crash or ASAN heap-use-after-free in lock_check_dict_lock Created: 2018-04-16  Updated: 2020-07-29  Resolved: 2020-07-21

Status: Closed
Project: MariaDB Server
Component/s: Locking, Storage Engine - InnoDB
Affects Version/s: 10.3, 10.4, 10.5
Fix Version/s: 10.3.24, 10.4.14, 10.5.5

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Marko Mäkelä
Resolution: Fixed Votes: 0
Labels: None

Attachments: HTML File threads    
Issue Links:
Relates
relates to MDEV-23239 InnoDB: Failing assertion: ((list).in... Closed
relates to MDEV-23240 Assertion `!table->is_temporary()' fa... Closed
relates to MDEV-23241 Assertion `lock->trx->dict_operation ... Closed

 Description   

Originally the crash was observed in regular concurrent tests on a debug build, but couldn't be reproduced. The stack trace from the original crash is at the end of the description.
The test case from MDEV-23239 produces a similar-looking ASAN failure on the current 10.3 ASAN builds:

# Reproduction for the heap-use-after-free in lock_check_dict_lock
# (MDEV-15880); the test case is the one from MDEV-23239.  It relies on the
# debug-only option innodb_evict_tables_on_commit_debug, so it needs an
# InnoDB debug build.
--source include/have_innodb.inc
--source include/have_log_bin.inc
 
# Remember the global debug setting so the cleanup below can restore it.
SET @innodb_var.save= @@innodb_evict_tables_on_commit_debug;
 
# con1 creates the table.  In the ASAN reports, the dict_table_t of this
# table is the 808-/1080-byte heap region that is later freed and then read.
--connect (con1,localhost,root,,test)
CREATE TABLE t_error_prone (f INT) ENGINE=InnoDB;
 
--connection default
INSERT INTO t_error_prone (f) VALUES (1);
 
# con1 leaves an explicit transaction open with an uncommitted UPDATE, so it
# holds locks on t_error_prone (the lock wait timeout in the default
# connection below shows the conflict).
--connection con1
START TRANSACTION;
UPDATE t_error_prone SET f = 2;
 
# The default connection attempts a conflicting UPDATE with a zero lock wait
# timeout, so it fails immediately instead of blocking.  Its transaction
# stays open until the implicit commit performed by DROP TABLE further down.
--connection default
SET innodb_lock_wait_timeout= 0;
START TRANSACTION;
--error ER_LOCK_WAIT_TIMEOUT
UPDATE t_error_prone SET f = NULL;
 
# From a third connection, flush the table cache and enable the debug option
# that makes InnoDB evict modified tables from the dictionary cache at
# commit.  Both statements are global, so they affect con1 and default too.
--connect (con2,localhost,root,,test)
FLUSH TABLES;
SET GLOBAL innodb_evict_tables_on_commit_debug= 1;
 
# ALTER TABLE on a table that does not exist fails with ER_NO_SUCH_TABLE,
# but as a DDL statement it still implicitly commits con1's open
# transaction.  In the ASAN "freed by" trace this commit
# (trans_commit_implicit -> trx_update_mod_tables_timestamp) evicts
# t_error_prone and frees its dict_table_t, while the default connection's
# transaction presumably still references that table through a lock.
--connection con1
--error ER_NO_SUCH_TABLE
ALTER TABLE x FORCE;
 
# DROP TABLE implicitly commits the default connection's transaction; in the
# ASAN "READ" trace, lock_release / lock_check_dict_lock then dereferences
# the already-freed table (heap-use-after-free).
--connection default
DROP TABLE t_error_prone;
 
# Cleanup
--disconnect con1
--disconnect con2
SET GLOBAL innodb_evict_tables_on_commit_debug= @innodb_var.save;

10.3 ASAN af83ed9f

==27684==ERROR: AddressSanitizer: heap-use-after-free on address 0x61800005fd08 at pc 0x55dd7c3c089f bp 0x7f922b08cfe0 sp 0x7f922b08cfd8
READ of size 8 at 0x61800005fd08 thread T27
    #0 0x55dd7c3c089e in lock_check_dict_lock /data/src/10.3/storage/innobase/lock/lock0lock.cc:4266
    #1 0x55dd7c3c0b98 in lock_release(trx_t*) /data/src/10.3/storage/innobase/lock/lock0lock.cc:4290
    #2 0x55dd7c7065c4 in trx_t::release_locks() /data/src/10.3/storage/innobase/trx/trx0trx.cc:505
    #3 0x55dd7c6fdcac in trx_commit_in_memory /data/src/10.3/storage/innobase/trx/trx0trx.cc:1384
    #4 0x55dd7c7003a1 in trx_commit_low(trx_t*, mtr_t*) /data/src/10.3/storage/innobase/trx/trx0trx.cc:1591
    #5 0x55dd7c7004ca in trx_commit(trx_t*) /data/src/10.3/storage/innobase/trx/trx0trx.cc:1615
    #6 0x55dd7c700f6a in trx_commit_for_mysql(trx_t*) /data/src/10.3/storage/innobase/trx/trx0trx.cc:1751
    #7 0x55dd7c26fa39 in innobase_commit_low(trx_t*) /data/src/10.3/storage/innobase/handler/ha_innodb.cc:4355
    #8 0x55dd7c2701e4 in innobase_commit_ordered_2 /data/src/10.3/storage/innobase/handler/ha_innodb.cc:4476
    #9 0x55dd7c270bc1 in innobase_commit /data/src/10.3/storage/innobase/handler/ha_innodb.cc:4592
    #10 0x55dd7bd47a0e in commit_one_phase_2 /data/src/10.3/sql/handler.cc:1642
    #11 0x55dd7bd47767 in ha_commit_one_phase(THD*, bool) /data/src/10.3/sql/handler.cc:1622
    #12 0x55dd7bd466be in ha_commit_trans(THD*, bool) /data/src/10.3/sql/handler.cc:1484
    #13 0x55dd7b9e1979 in trans_commit_implicit(THD*) /data/src/10.3/sql/transaction.cc:361
    #14 0x55dd7b645f75 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3660
    #15 0x55dd7b6609bc in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7810
    #16 0x55dd7b63b37e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1848
    #17 0x55dd7b63822a in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1393
    #18 0x55dd7b9b3141 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
    #19 0x55dd7b9b2b08 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
    #20 0x55dd7ce2cd2f in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
    #21 0x7f9242bea4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
    #22 0x7f9240d1ed0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
 
0x61800005fd08 is located 136 bytes inside of 808-byte region [0x61800005fc80,0x61800005ffa8)
freed by thread T28 here:
    #0 0x7f9242ec1a10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
    #1 0x55dd7c41cf82 in mem_heap_block_free(mem_block_info_t*, mem_block_info_t*) /data/src/10.3/storage/innobase/mem/mem0mem.cc:416
    #2 0x55dd7c8d82bf in mem_heap_free /data/src/10.3/storage/innobase/include/mem0mem.ic:417
    #3 0x55dd7c8db631 in dict_mem_table_free(dict_table_t*) /data/src/10.3/storage/innobase/dict/dict0mem.cc:249
    #4 0x55dd7c898c09 in dict_table_remove_from_cache_low(dict_table_t*, unsigned long) /data/src/10.3/storage/innobase/dict/dict0dict.cc:2097
    #5 0x55dd7c6fd227 in trx_update_mod_tables_timestamp /data/src/10.3/storage/innobase/trx/trx0trx.cc:1311
    #6 0x55dd7c6fe032 in trx_commit_in_memory /data/src/10.3/storage/innobase/trx/trx0trx.cc:1396
    #7 0x55dd7c7003a1 in trx_commit_low(trx_t*, mtr_t*) /data/src/10.3/storage/innobase/trx/trx0trx.cc:1591
    #8 0x55dd7c7004ca in trx_commit(trx_t*) /data/src/10.3/storage/innobase/trx/trx0trx.cc:1615
    #9 0x55dd7c700f6a in trx_commit_for_mysql(trx_t*) /data/src/10.3/storage/innobase/trx/trx0trx.cc:1751
    #10 0x55dd7c26fa39 in innobase_commit_low(trx_t*) /data/src/10.3/storage/innobase/handler/ha_innodb.cc:4355
    #11 0x55dd7c2701e4 in innobase_commit_ordered_2 /data/src/10.3/storage/innobase/handler/ha_innodb.cc:4476
    #12 0x55dd7c270bc1 in innobase_commit /data/src/10.3/storage/innobase/handler/ha_innodb.cc:4592
    #13 0x55dd7bd47a0e in commit_one_phase_2 /data/src/10.3/sql/handler.cc:1642
    #14 0x55dd7bd47767 in ha_commit_one_phase(THD*, bool) /data/src/10.3/sql/handler.cc:1622
    #15 0x55dd7bd466be in ha_commit_trans(THD*, bool) /data/src/10.3/sql/handler.cc:1484
    #16 0x55dd7b9e1979 in trans_commit_implicit(THD*) /data/src/10.3/sql/transaction.cc:361
    #17 0x55dd7b645f75 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3660
    #18 0x55dd7b6609bc in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7810
    #19 0x55dd7b63b37e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1848
    #20 0x55dd7b63822a in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1393
    #21 0x55dd7b9b3141 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
    #22 0x55dd7b9b2b08 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
    #23 0x55dd7ce2cd2f in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
    #24 0x7f9242bea4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
 
previously allocated by thread T28 here:
    #0 0x7f9242ec1d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x55dd7c41c484 in mem_heap_create_block_func(mem_block_info_t*, unsigned long, char const*, unsigned int, unsigned long) /data/src/10.3/storage/innobase/mem/mem0mem.cc:277
    #2 0x55dd7c41cc1b in mem_heap_add_block(mem_block_info_t*, unsigned long) /data/src/10.3/storage/innobase/mem/mem0mem.cc:378
    #3 0x55dd7c8d7d78 in mem_heap_alloc /data/src/10.3/storage/innobase/include/mem0mem.ic:191
    #4 0x55dd7c8d7ac2 in mem_heap_zalloc /data/src/10.3/storage/innobase/include/mem0mem.ic:160
    #5 0x55dd7c8da723 in dict_mem_table_create(char const*, fil_space_t*, unsigned long, unsigned long, unsigned long, unsigned long) /data/src/10.3/storage/innobase/dict/dict0mem.cc:146
    #6 0x55dd7c2c94c6 in create_table_info_t::create_table_def() (/data/bld/10.3-asan-nightly/bin/mysqld+0x1cd24c6)
    #7 0x55dd7c298ea1 in create_table_info_t::create_table(bool) /data/src/10.3/storage/innobase/handler/ha_innodb.cc:12318
    #8 0x55dd7c2cdc5a in ha_innobase::create(char const*, TABLE*, HA_CREATE_INFO*, bool, trx_t*) (/data/bld/10.3-asan-nightly/bin/mysqld+0x1cd6c5a)
    #9 0x55dd7c29b32d in ha_innobase::create(char const*, TABLE*, HA_CREATE_INFO*) /data/src/10.3/storage/innobase/handler/ha_innodb.cc:12920
    #10 0x55dd7bd5f6ff in handler::ha_create(char const*, TABLE*, HA_CREATE_INFO*) /data/src/10.3/sql/handler.cc:4734
    #11 0x55dd7bd638ae in ha_create_table(THD*, char const*, char const*, char const*, HA_CREATE_INFO*, st_mysql_const_unsigned_lex_string*) /data/src/10.3/sql/handler.cc:5197
    #12 0x55dd7b9410c5 in rea_create_table(THD*, st_mysql_const_unsigned_lex_string*, char const*, char const*, char const*, HA_CREATE_INFO*, handler*, bool) /data/src/10.3/sql/unireg.cc:515
    #13 0x55dd7b856c09 in create_table_impl /data/src/10.3/sql/sql_table.cc:5022
    #14 0x55dd7b8576df in mysql_create_table_no_lock(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /data/src/10.3/sql/sql_table.cc:5144
    #15 0x55dd7b858160 in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /data/src/10.3/sql/sql_table.cc:5233
    #16 0x55dd7b87e2b7 in Sql_cmd_create_table_like::execute(THD*) /data/src/10.3/sql/sql_table.cc:11275
    #17 0x55dd7b655635 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:6022
    #18 0x55dd7b6609bc in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7810
    #19 0x55dd7b63b37e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1848
    #20 0x55dd7b63822a in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1393
    #21 0x55dd7b9b3141 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
    #22 0x55dd7b9b2b08 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
    #23 0x55dd7ce2cd2f in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
    #24 0x7f9242bea4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
 
Thread T27 created by T0 here:
    #0 0x7f9242e30f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
    #1 0x55dd7ce2d16b in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1919
    #2 0x55dd7b3a3840 in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1275
    #3 0x55dd7b3b8d9d in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6609
    #4 0x55dd7b3b9480 in create_new_thread /data/src/10.3/sql/mysqld.cc:6679
    #5 0x55dd7b3ba498 in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6954
    #6 0x55dd7b3b826d in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6231
    #7 0x55dd7b3a1f5f in main /data/src/10.3/sql/main.cc:25
    #8 0x7f9240c562e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
 
Thread T28 created by T0 here:
    #0 0x7f9242e30f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
    #1 0x55dd7ce2d16b in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1919
    #2 0x55dd7b3a3840 in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1275
    #3 0x55dd7b3b8d9d in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6609
    #4 0x55dd7b3b9480 in create_new_thread /data/src/10.3/sql/mysqld.cc:6679
    #5 0x55dd7b3ba498 in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6954
    #6 0x55dd7b3b826d in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6231
    #7 0x55dd7b3a1f5f in main /data/src/10.3/sql/main.cc:25
    #8 0x7f9240c562e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
 
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.3/storage/innobase/lock/lock0lock.cc:4266 in lock_check_dict_lock
Shadow bytes around the buggy address:
  0x0c3080003f50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3080003f60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3080003f70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3080003f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3080003f90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c3080003fa0: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3080003fb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3080003fc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3080003fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3080003fe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3080003ff0: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27684==ABORTING

and slightly different ASAN failures on 10.4–10.5 ASAN builds:

10.4 ASAN c4d5b6b1

==31679==ERROR: AddressSanitizer: heap-use-after-free on address 0x61900011a448 at pc 0x5601dfecc32a bp 0x7f18f58ec040 sp 0x7f18f58ec038
READ of size 16 at 0x61900011a448 thread T27
    #0 0x5601dfecc329 in dict_table_t::is_temporary() const /data/src/10.4/storage/innobase/include/dict0mem.h:1776
    #1 0x5601dffd8890 in lock_check_dict_lock /data/src/10.4/storage/innobase/lock/lock0lock.cc:4257
    #2 0x5601dffd8c16 in lock_release(trx_t*) /data/src/10.4/storage/innobase/lock/lock0lock.cc:4286
    #3 0x5601e02d0908 in trx_t::release_locks() /data/src/10.4/storage/innobase/trx/trx0trx.cc:512
    #4 0x5601e02d15e5 in trx_t::commit_in_memory(mtr_t const*) /data/src/10.4/storage/innobase/trx/trx0trx.cc:1390
    #5 0x5601e02c9c66 in trx_t::commit_low(mtr_t*) /data/src/10.4/storage/innobase/trx/trx0trx.cc:1579
    #6 0x5601e02c9d65 in trx_t::commit() /data/src/10.4/storage/innobase/trx/trx0trx.cc:1593
    #7 0x5601e02ca743 in trx_commit_for_mysql(trx_t*) /data/src/10.4/storage/innobase/trx/trx0trx.cc:1725
    #8 0x5601dfe7914c in innobase_commit_low(trx_t*) /data/src/10.4/storage/innobase/handler/ha_innodb.cc:4348
    #9 0x5601dfe7992b in innobase_commit_ordered_2 /data/src/10.4/storage/innobase/handler/ha_innodb.cc:4477
    #10 0x5601dfe7a30d in innobase_commit /data/src/10.4/storage/innobase/handler/ha_innodb.cc:4593
    #11 0x5601df946716 in commit_one_phase_2 /data/src/10.4/sql/handler.cc:1776
    #12 0x5601df94649a in ha_commit_one_phase(THD*, bool) /data/src/10.4/sql/handler.cc:1756
    #13 0x5601df944ebd in ha_commit_trans(THD*, bool) /data/src/10.4/sql/handler.cc:1564
    #14 0x5601df58b9d0 in trans_commit_implicit(THD*) /data/src/10.4/sql/transaction.cc:301
    #15 0x5601df1db6be in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3700
    #16 0x5601df1f5762 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7899
    #17 0x5601df1d06f6 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1834
    #18 0x5601df1cd6d4 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1352
    #19 0x5601df5574bf in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412
    #20 0x5601df556e73 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
    #21 0x5601e09b96b3 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
    #22 0x7f190d4ec4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
    #23 0x7f190b620d0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
 
0x61900011a448 is located 200 bytes inside of 1080-byte region [0x61900011a380,0x61900011a7b8)
freed by thread T28 here:
    #0 0x7f190d7c3a10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
    #1 0x5601e0032741 in mem_heap_block_free(mem_block_info_t*, mem_block_info_t*) /data/src/10.4/storage/innobase/mem/mem0mem.cc:416
    #2 0x5601e0480b07 in mem_heap_free /data/src/10.4/storage/innobase/include/mem0mem.ic:417
    #3 0x5601e048353d in dict_mem_table_free(dict_table_t*) /data/src/10.4/storage/innobase/dict/dict0mem.cc:250
    #4 0x5601e04455ed in dict_sys_t::remove(dict_table_t*, bool, bool) /data/src/10.4/storage/innobase/dict/dict0dict.cc:1794
    #5 0x5601e02c8aaf in trx_update_mod_tables_timestamp /data/src/10.4/storage/innobase/trx/trx0trx.cc:1301
    #6 0x5601e02d1995 in trx_t::commit_in_memory(mtr_t const*) /data/src/10.4/storage/innobase/trx/trx0trx.cc:1407
    #7 0x5601e02c9c66 in trx_t::commit_low(mtr_t*) /data/src/10.4/storage/innobase/trx/trx0trx.cc:1579
    #8 0x5601e02c9d65 in trx_t::commit() /data/src/10.4/storage/innobase/trx/trx0trx.cc:1593
    #9 0x5601e02ca743 in trx_commit_for_mysql(trx_t*) /data/src/10.4/storage/innobase/trx/trx0trx.cc:1725
    #10 0x5601dfe7914c in innobase_commit_low(trx_t*) /data/src/10.4/storage/innobase/handler/ha_innodb.cc:4348
    #11 0x5601dfe7992b in innobase_commit_ordered_2 /data/src/10.4/storage/innobase/handler/ha_innodb.cc:4477
    #12 0x5601dfe7a30d in innobase_commit /data/src/10.4/storage/innobase/handler/ha_innodb.cc:4593
    #13 0x5601df946716 in commit_one_phase_2 /data/src/10.4/sql/handler.cc:1776
    #14 0x5601df94649a in ha_commit_one_phase(THD*, bool) /data/src/10.4/sql/handler.cc:1756
    #15 0x5601df944ebd in ha_commit_trans(THD*, bool) /data/src/10.4/sql/handler.cc:1564
    #16 0x5601df58b9d0 in trans_commit_implicit(THD*) /data/src/10.4/sql/transaction.cc:301
    #17 0x5601df1db6be in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3700
    #18 0x5601df1f5762 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7899
    #19 0x5601df1d06f6 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1834
    #20 0x5601df1cd6d4 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1352
    #21 0x5601df5574bf in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412
    #22 0x5601df556e73 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
    #23 0x5601e09b96b3 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
    #24 0x7f190d4ec4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
 
previously allocated by thread T28 here:
    #0 0x7f190d7c3d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x5601e0031d3b in mem_heap_create_block_func(mem_block_info_t*, unsigned long, char const*, unsigned int, unsigned long) /data/src/10.4/storage/innobase/mem/mem0mem.cc:277
    #2 0x5601e0032431 in mem_heap_add_block(mem_block_info_t*, unsigned long) /data/src/10.4/storage/innobase/mem/mem0mem.cc:379
    #3 0x5601e0480794 in mem_heap_alloc /data/src/10.4/storage/innobase/include/mem0mem.ic:191
    #4 0x5601e04805a5 in mem_heap_zalloc /data/src/10.4/storage/innobase/include/mem0mem.ic:160
    #5 0x5601e04826cd in dict_mem_table_create(char const*, fil_space_t*, unsigned long, unsigned long, unsigned long, unsigned long) /data/src/10.4/storage/innobase/dict/dict0mem.cc:155
    #6 0x5601dfecf4d2 in create_table_info_t::create_table_def() (/data/bld/10.4-asan-nightly/bin/mysqld+0x1fae4d2)
    #7 0x5601dfea16e7 in create_table_info_t::create_table(bool) /data/src/10.4/storage/innobase/handler/ha_innodb.cc:12330
    #8 0x5601dfed3a44 in ha_innobase::create(char const*, TABLE*, HA_CREATE_INFO*, bool, trx_t*) (/data/bld/10.4-asan-nightly/bin/mysqld+0x1fb2a44)
    #9 0x5601dfea3d99 in ha_innobase::create(char const*, TABLE*, HA_CREATE_INFO*) /data/src/10.4/storage/innobase/handler/ha_innodb.cc:12935
    #10 0x5601df95d395 in handler::ha_create(char const*, TABLE*, HA_CREATE_INFO*) /data/src/10.4/sql/handler.cc:4755
    #11 0x5601df9614d3 in ha_create_table(THD*, char const*, char const*, char const*, HA_CREATE_INFO*, st_mysql_const_unsigned_lex_string*) /data/src/10.4/sql/handler.cc:5219
    #12 0x5601df3f548a in create_table_impl /data/src/10.4/sql/sql_table.cc:5092
    #13 0x5601df3f5ca0 in mysql_create_table_no_lock(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /data/src/10.4/sql/sql_table.cc:5179
    #14 0x5601df3f6704 in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /data/src/10.4/sql/sql_table.cc:5268
    #15 0x5601df41d190 in Sql_cmd_create_table_like::execute(THD*) /data/src/10.4/sql/sql_table.cc:11492
    #16 0x5601df1eb007 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6099
    #17 0x5601df1f5762 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7899
    #18 0x5601df1d06f6 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1834
    #19 0x5601df1cd6d4 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1352
    #20 0x5601df5574bf in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412
    #21 0x5601df556e73 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
    #22 0x5601e09b96b3 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
    #23 0x7f190d4ec4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
 
Thread T27 created by T0 here:
    #0 0x7f190d732f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
    #1 0x5601e09b9aa0 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919
    #2 0x5601def264c8 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275
    #3 0x5601def3a9cf in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6262
    #4 0x5601def3b0b2 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6332
    #5 0x5601def3b43d in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6430
    #6 0x5601def3c08f in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6588
    #7 0x5601def3a231 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5920
    #8 0x5601def243af in main /data/src/10.4/sql/main.cc:25
    #9 0x7f190b5582e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
 
Thread T28 created by T0 here:
    #0 0x7f190d732f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
    #1 0x5601e09b9aa0 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919
    #2 0x5601def264c8 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275
    #3 0x5601def3a9cf in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6262
    #4 0x5601def3b0b2 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6332
    #5 0x5601def3b43d in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6430
    #6 0x5601def3c08f in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6588
    #7 0x5601def3a231 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5920
    #8 0x5601def243af in main /data/src/10.4/sql/main.cc:25
    #9 0x7f190b5582e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
 
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/storage/innobase/include/dict0mem.h:1776 in dict_table_t::is_temporary() const
Shadow bytes around the buggy address:
  0x0c328001b430: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c328001b440: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c328001b450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c328001b460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c328001b470: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c328001b480: fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd
  0x0c328001b490: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c328001b4a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c328001b4b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c328001b4c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c328001b4d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==31679==ABORTING


The original crash from 2018:

https://api.travis-ci.org/v3/job/338563258/log.txt

10.3 f0e4f94c230326a2f2e608e4119530d775c37b21

#3  <signal handler called>
#4  0x000055d58a733fd0 in lock_check_dict_lock (lock=0x55d58c792fd8) at /home/travis/src/storage/innobase/lock/lock0lock.cc:4262
#5  0x000055d58a734255 in lock_release (trx=0x7f51668df828) at /home/travis/src/storage/innobase/lock/lock0lock.cc:4308
#6  0x000055d58a73a4c0 in lock_trx_release_locks (trx=0x7f51668df828) at /home/travis/src/storage/innobase/lock/lock0lock.cc:6354
#7  0x000055d58a8c9edb in trx_commit_in_memory (trx=0x7f51668df828, mtr=0x7f51647fd560) at /home/travis/src/storage/innobase/trx/trx0trx.cc:1337
#8  0x000055d58a8cae19 in trx_commit_low (trx=0x7f51668df828, mtr=0x7f51647fd560) at /home/travis/src/storage/innobase/trx/trx0trx.cc:1542
#9  0x000055d58a8caeda in trx_commit (trx=0x7f51668df828) at /home/travis/src/storage/innobase/trx/trx0trx.cc:1566
#10 0x000055d58a8b9e0e in trx_rollback_finish (trx=0x7f51668df828) at /home/travis/src/storage/innobase/trx/trx0roll.cc:70
#11 0x000055d58a8ba43e in trx_rollback_to_savepoint_low (trx=0x7f51668df828, savept=0x0) at /home/travis/src/storage/innobase/trx/trx0roll.cc:153
#12 0x000055d58a8ba886 in trx_rollback_for_mysql_low (trx=0x7f51668df828) at /home/travis/src/storage/innobase/trx/trx0roll.cc:214
#13 0x000055d58a8babc5 in trx_rollback_for_mysql (trx=0x7f51668df828) at /home/travis/src/storage/innobase/trx/trx0roll.cc:240
#14 0x000055d58a6a5fe2 in innobase_rollback (hton=0x55d58c3ba380, thd=0x7f5128000c70, rollback_trx=true) at /home/travis/src/storage/innobase/handler/ha_innodb.cc:4628
#15 0x000055d58a49c2e1 in ha_rollback_trans (thd=0x7f5128000c70, all=true) at /home/travis/src/sql/handler.cc:1721
#16 0x000055d58a32249d in xa_trans_force_rollback (thd=0x7f5128000c70) at /home/travis/src/sql/transaction.cc:140
#17 0x000055d58a3245b4 in trans_xa_commit (thd=0x7f5128000c70) at /home/travis/src/sql/transaction.cc:941
#18 0x000055d58a1ba78a in mysql_execute_command (thd=0x7f5128000c70) at /home/travis/src/sql/sql_parse.cc:6145
#19 0x000055d58a1bfa0e in mysql_parse (thd=0x7f5128000c70, rawbuf=0x7f5128015d58 "XA COMMIT 'xid93' ONE PHASE  /* QNO 453 CON_ID 16 */", length=52, parser_state=0x7f51647ff5e0, is_com_multi=false, is_next_command=false) at /home/travis/src/sql/sql_parse.cc:8001
#20 0x000055d58a1ad232 in dispatch_command (command=COM_QUERY, thd=0x7f5128000c70, packet=0x7f512801c661 "XA COMMIT 'xid93' ONE PHASE  /* QNO 453 CON_ID 16 */ ", packet_length=53, is_com_multi=false, is_next_command=false) at /home/travis/src/sql/sql_parse.cc:1846
#21 0x000055d58a1abc7e in do_command (thd=0x7f5128000c70) at /home/travis/src/sql/sql_parse.cc:1391
#22 0x000055d58a30f4f9 in do_handle_one_connection (connect=0x55d58d1e94e0) at /home/travis/src/sql/sql_connect.cc:1402
#23 0x000055d58a30f286 in handle_one_connection (arg=0x55d58d1e94e0) at /home/travis/src/sql/sql_connect.cc:1308
#24 0x00007f5177354184 in start_thread (arg=0x7f5164800700) at pthread_create.c:312
#25 0x00007f517686103d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111



 Comments   
Comment by Elena Stepanova [ 2020-07-21 ]

It is likely to be a duplicate of MDEV-23239 / MDEV-23240 / MDEV-23241, but given that these problems seem to be build- or environment-dependent, I am keeping them all open for now.

Comment by Marko Mäkelä [ 2020-07-21 ]

The debug variable innodb_evict_tables_on_commit_debug was broken from its introduction, because the eviction code failed to take transactional locks into account. Tables are not allowed to be evicted while locks exist on them.

Comment by Elena Stepanova [ 2020-07-29 ]

Another variation of the failure, apparently fixed by the same patch:

10.4 fc48c8ff4c

2020-07-29 22:05:45 0x7f3d61674700  InnoDB: Assertion failure in file /data/src/10.4-bug2/storage/innobase/dict/dict0dict.cc line 1712
InnoDB: Failing assertion: table->n_rec_locks == 0
 
#6  0x0000560159fcd7cc in ut_dbg_assertion_failed (expr=0x56015a7bdc54 "table->n_rec_locks == 0", file=0x56015a7bd400 "/data/src/10.4-bug2/storage/innobase/dict/dict0dict.cc", line=1712) at /data/src/10.4-bug2/storage/innobase/ut/ut0dbg.cc:60
#7  0x000056015a0a7164 in dict_sys_t::remove (this=0x56015af8a380 <dict_sys>, table=0x7f3d1816b420, lru=true, keep=false) at /data/src/10.4-bug2/storage/innobase/dict/dict0dict.cc:1712
#8  0x0000560159fbbbc1 in trx_update_mod_tables_timestamp (trx=0x7f3d621a4390) at /data/src/10.4-bug2/storage/innobase/trx/trx0trx.cc:1301
#9  0x0000560159fc0a9a in trx_t::commit_in_memory (this=0x7f3d621a4390, mtr=0x7f3d61671ad0) at /data/src/10.4-bug2/storage/innobase/trx/trx0trx.cc:1407
#10 0x0000560159fbc61a in trx_t::commit_low (this=0x7f3d621a4390, mtr=0x7f3d61671ad0) at /data/src/10.4-bug2/storage/innobase/trx/trx0trx.cc:1579
#11 0x0000560159fbc6a7 in trx_t::commit (this=0x7f3d621a4390) at /data/src/10.4-bug2/storage/innobase/trx/trx0trx.cc:1593
#12 0x0000560159fbcb59 in trx_commit_for_mysql (trx=0x7f3d621a4390) at /data/src/10.4-bug2/storage/innobase/trx/trx0trx.cc:1725
#13 0x0000560159d3ce88 in innobase_commit_low (trx=0x7f3d621a4390) at /data/src/10.4-bug2/storage/innobase/handler/ha_innodb.cc:4348
#14 0x0000560159d3d299 in innobase_commit_ordered_2 (trx=0x7f3d621a4390, thd=0x7f3d10000af0) at /data/src/10.4-bug2/storage/innobase/handler/ha_innodb.cc:4477
#15 0x0000560159d3d8cd in innobase_commit (hton=0x56015bd6b160, thd=0x7f3d10000af0, commit_trx=true) at /data/src/10.4-bug2/storage/innobase/handler/ha_innodb.cc:4593
#16 0x0000560159af9d3a in commit_one_phase_2 (thd=0x7f3d10000af0, all=true, trans=0x7f3d10004088, is_real_trans=true, rw_trans=true) at /data/src/10.4-bug2/sql/handler.cc:1788
#17 0x0000560159af9a75 in ha_commit_one_phase (thd=0x7f3d10000af0, all=true, rw_trans=true) at /data/src/10.4-bug2/sql/handler.cc:1738
#18 0x0000560159af8cfe in ha_commit_trans (thd=0x7f3d10000af0, all=true) at /data/src/10.4-bug2/sql/handler.cc:1555
#19 0x0000560159938fcd in trans_commit_implicit (thd=0x7f3d10000af0) at /data/src/10.4-bug2/sql/transaction.cc:301
#20 0x000056015979e7c2 in mysql_execute_command (thd=0x7f3d10000af0) at /data/src/10.4-bug2/sql/sql_parse.cc:3698
#21 0x00005601597ac853 in mysql_parse (thd=0x7f3d10000af0, rawbuf=0x7f3d10011d38 "ALTER /* QNO 785 CON_ID 15 */ TABLE view_oltp5 /*!100301 */ DROP IF EXISTS k, ADD COLUMN IF NOT EXISTS k BIGINT NOT NULL DEFAULT 6 /*!100303 INVISIBLE */", length=153, parser_state=0x7f3d61673570, is_com_multi=false, is_next_command=false) at /data/src/10.4-bug2/sql/sql_parse.cc:7895
#22 0x0000560159798d88 in dispatch_command (command=COM_QUERY, thd=0x7f3d10000af0, packet=0x7f3d100083a1 "ALTER /* QNO 785 CON_ID 15 */ TABLE view_oltp5 /*!100301 */ DROP IF EXISTS k, ADD COLUMN IF NOT EXISTS k BIGINT NOT NULL DEFAULT 6 /*!100303 INVISIBLE */", packet_length=153, is_com_multi=false, is_next_command=false) at /data/src/10.4-bug2/sql/sql_parse.cc:1834
#23 0x000056015979752a in do_command (thd=0x7f3d10000af0) at /data/src/10.4-bug2/sql/sql_parse.cc:1352
#24 0x00005601599205e8 in do_handle_one_connection (connect=0x56015c125130) at /data/src/10.4-bug2/sql/sql_connect.cc:1412
#25 0x0000560159920337 in handle_one_connection (arg=0x56015c125130) at /data/src/10.4-bug2/sql/sql_connect.cc:1316
#26 0x000056015a32034b in pfs_spawn_thread (arg=0x56015c0b19e0) at /data/src/10.4-bug2/storage/perfschema/pfs.cc:1869
#27 0x00007f3d6a2e94a4 in start_thread (arg=0x7f3d61674700) at pthread_create.c:456
#28 0x00007f3d6841dd0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
