[MDEV-18256] InnoDB: Failing assertion: heap->magic_n == MEM_BLOCK_MAGIC_N upon DROP FOREIGN KEY Created: 2019-01-15  Updated: 2019-01-29  Resolved: 2019-01-29

Status: Closed
Project: MariaDB Server
Component/s: Data Definition - Alter Table, Storage Engine - InnoDB
Affects Version/s: 5.5, 10.0, 10.1, 10.2, 10.3, 10.4
Fix Version/s: 10.4.3, 10.1.38, 10.0.38, 10.2.22, 10.3.13

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Marko Mäkelä
Resolution: Fixed Votes: 0
Labels: ASAN, upstream, valgrind

Issue Links:
Relates
relates to MDEV-18222 InnoDB: Failing assertion: heap->magi... Closed

 Description   

Note: See also MDEV-18222.

--source include/have_innodb.inc
 
 
 
CREATE TABLE t1 (a INT PRIMARY KEY) ENGINE=InnoDB;
 
CREATE TABLE t2 (b INT PRIMARY KEY, FOREIGN KEY fk1 (b) REFERENCES t1 (a)) ENGINE=InnoDB;
 
ALTER TABLE t2 DROP FOREIGN KEY fk1, DROP FOREIGN KEY fk1;
 
 
 
# Cleanup
 
DROP TABLE t2, t1;

10.0 d0d0f88f2

 
2019-01-15 20:14:51 7ff2f41fa700  InnoDB: Assertion failure in thread 140681454528256 in file mem0dbg.cc line 680
 
InnoDB: Failing assertion: heap->magic_n == MEM_BLOCK_MAGIC_N
 
 
 
#5  0x00007ff2f213d3fa in abort () from /lib/x86_64-linux-gnu/libc.so.6
 
#6  0x00007ff2eabb442b in mem_heap_check (heap=0x7ff2de368800) at /data/src/10.0/storage/innobase/mem/mem0dbg.cc:680
 
#7  0x00007ff2eaabbf3d in mem_heap_free_func (heap=0x7ff2de368800, file_name=0x7ff2eace01c0 "/data/src/10.0/storage/innobase/include/dict0mem.h", line=872) at /data/src/10.0/storage/innobase/include/mem0mem.ic:482
 
#8  0x00007ff2eaace2d4 in dict_foreign_free (foreign=0x7ff2de368878) at /data/src/10.0/storage/innobase/include/dict0mem.h:872
 
#9  0x00007ff2eaac5ac5 in dict_foreign_remove_from_cache (foreign=0x7ff2de368878) at /data/src/10.0/storage/innobase/dict/dict0dict.cc:3284
 
#10 0x00007ff2eab67d98 in innobase_update_foreign_cache (ctx=0x7ff2de0f9468, user_thd=0x7ff2e6769070) at /data/src/10.0/storage/innobase/handler/handler0alter.cc:4991
 
#11 0x00007ff2eab694a3 in ha_innodb::commit_inplace_alter_table (this=0x7ff2de07e888, altered_table=0x7ff2de1bc070, ha_alter_info=0x7ff2f41f7220, commit=true) at /data/src/10.0/storage/innobase/handler/handler0alter.cc:6017
 
#12 0x000000000084512d in handler::ha_commit_inplace_alter_table (this=0x7ff2de07e888, altered_table=0x7ff2de1bc070, ha_alter_info=0x7ff2f41f7220, commit=true) at /data/src/10.0/sql/handler.cc:4228
 
#13 0x00000000007029c6 in mysql_inplace_alter_table (thd=0x7ff2e6769070, table_list=0x7ff2de0f81a8, table=0x7ff2de09e470, altered_table=0x7ff2de1bc070, ha_alter_info=0x7ff2f41f7220, inplace_supported=HA_ALTER_INPLACE_NO_LOCK_AFTER_PREPARE, target_mdl_request=0x7ff2f41f6c70, alter_ctx=0x7ff2f41f7800) at /data/src/10.0/sql/sql_table.cc:7176
 
#14 0x0000000000706ffc in mysql_alter_table (thd=0x7ff2e6769070, new_db=0x7ff2de0f8788 "test", new_name=0x0, create_info=0x7ff2f41f84e0, table_list=0x7ff2de0f81a8, alter_info=0x7ff2f41f8450, order_num=0, order=0x0, ignore=false) at /data/src/10.0/sql/sql_table.cc:8982
 
#15 0x0000000000770361 in Sql_cmd_alter_table::execute (this=0x7ff2de0f87e0, thd=0x7ff2e6769070) at /data/src/10.0/sql/sql_alter.cc:312
 
#16 0x0000000000654d27 in mysql_execute_command (thd=0x7ff2e6769070) at /data/src/10.0/sql/sql_parse.cc:5125
 
#17 0x000000000065837e in mysql_parse (thd=0x7ff2e6769070, rawbuf=0x7ff2de0f8088 "ALTER TABLE t2 DROP FOREIGN KEY fk1, DROP FOREIGN KEY fk1", length=57, parser_state=0x7ff2f41f9640) at /data/src/10.0/sql/sql_parse.cc:6644
 
#18 0x000000000064ac38 in dispatch_command (command=COM_QUERY, thd=0x7ff2e6769070, packet=0x7ff2ec230071 "ALTER TABLE t2 DROP FOREIGN KEY fk1, DROP FOREIGN KEY fk1", packet_length=57) at /data/src/10.0/sql/sql_parse.cc:1301
 
#19 0x0000000000649f2c in do_command (thd=0x7ff2e6769070) at /data/src/10.0/sql/sql_parse.cc:1003
 
#20 0x000000000076bab4 in do_handle_one_connection (thd_arg=0x7ff2e6769070) at /data/src/10.0/sql/sql_connect.cc:1377
 
#21 0x000000000076b826 in handle_one_connection (arg=0x7ff2e6769070) at /data/src/10.0/sql/sql_connect.cc:1292
 
#22 0x0000000000acd6ea in pfs_spawn_thread (arg=0x7ff2e6719670) at /data/src/10.0/storage/perfschema/pfs.cc:1861
 
#23 0x00007ff2f3e38494 in start_thread (arg=0x7ff2f41fa700) at pthread_create.c:333
 
#24 0x00007ff2f21f193f in clone () from /lib/x86_64-linux-gnu/libc.so.6

Non-debug builds don't show any obvious symptoms, but non-debug ASAN build does:

10.4 a8eb0c76bf RelWithDebInfo ASAN

 
==14835==ERROR: AddressSanitizer: heap-use-after-free on address 0x616000073038 at pc 0x5645b6ca6932 bp 0x7f34f2f34fb0 sp 0x7f34f2f34fa8
 
READ of size 8 at 0x616000073038 thread T27
 
    #0 0x5645b6ca6931 in dict_foreign_remove_from_cache(dict_foreign_t*) /data/src/10.4/storage/innobase/dict/dict0dict.cc:3198
 
    #1 0x5645b68656ce in innobase_update_foreign_cache /data/src/10.4/storage/innobase/handler/handler0alter.cc:9389
 
    #2 0x5645b686e2a9 in ha_innobase::commit_inplace_alter_table(TABLE*, Alter_inplace_info*, bool) /data/src/10.4/storage/innobase/handler/handler0alter.cc:10907
 
    #3 0x5645b5867f8a in mysql_inplace_alter_table /data/src/10.4/sql/sql_table.cc:7590
 
    #4 0x5645b5d28568 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.4/sql/sql_table.cc:9690
 
    #5 0x5645b5e1cbee in Sql_cmd_alter_table::execute(THD*) /data/src/10.4/sql/sql_alter.cc:497
 
    #6 0x5645b5b441ed in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6302
 
    #7 0x5645b5b5bbdd in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8104
 
    #8 0x5645b5b64ced in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1851
 
    #9 0x5645b5b67695 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1396
 
    #10 0x5645b5e137b7 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1402
 
    #11 0x5645b5e13cba in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1308
 
    #12 0x5645b67d5296 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
 
    #13 0x7f34fe517493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
 
    #14 0x7f34fcb1893e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
 
 
 
0x616000073038 is located 184 bytes inside of 544-byte region [0x616000072f80,0x6160000731a0)
 
freed by thread T27 here:
 
    #0 0x7f34fe781527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
 
    #1 0x5645b6938aed in mem_heap_block_free(mem_block_info_t*, mem_block_info_t*) /data/src/10.4/storage/innobase/mem/mem0mem.cc:415
 
 
 
previously allocated by thread T27 here:
 
    #0 0x7f34fe78173f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
 
    #1 0x5645b6937cad in mem_heap_create_block_func(mem_block_info_t*, unsigned long, unsigned long) /data/src/10.4/storage/innobase/mem/mem0mem.cc:269
 
 
 
Thread T27 created by T0 here:
 
    #0 0x7f34fe750bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
 
    #1 0x5645b67dd9b6 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
 
 
 
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/storage/innobase/dict/dict0dict.cc:3198 dict_foreign_remove_from_cache(dict_foreign_t*)
 
Shadow bytes around the buggy address:
 
  0x0c2c800065b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
 
  0x0c2c800065c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
 
  0x0c2c800065d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
 
  0x0c2c800065e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 
  0x0c2c800065f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
 
=>0x0c2c80006600: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
 
  0x0c2c80006610: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
 
  0x0c2c80006620: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
 
  0x0c2c80006630: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
 
  0x0c2c80006640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 
  0x0c2c80006650: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
 
Shadow byte legend (one shadow byte represents 8 application bytes):
 
  Addressable:           00
 
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
 
  Heap right redzone:      fb
 
  Freed heap region:       fd
 
  Stack left redzone:      f1
 
  Stack mid redzone:       f2
 
  Stack right redzone:     f3
 
  Stack partial redzone:   f4
 
  Stack after return:      f5
 
  Stack use after scope:   f8
 
  Global redzone:          f9
 
  Global init order:       f6
 
  Poisoned by user:        f7
 
  Contiguous container OOB:fc
 
  ASan internal:           fe
 
==14835==ABORTING

5.5 doesn't crash (maybe it doesn't have the assertion failure), but it also fails:

mysqltest: At line 5: query 'ALTER TABLE t2 DROP FOREIGN KEY fk1, DROP FOREIGN KEY fk1' failed: 1025: Error on rename of './test/t2' to './test/#sql2-35c7-2' (errno: 152)



 Comments   
Comment by Marko Mäkelä [ 2019-01-29 ]

In 10.0+, we can simply filter out duplicate foreign key definitions in ha_innobase::prepare_inplace_alter_table().
In 5.5, the code is completely different, and I would not fix this unless there is a strong demand.

Comment by Marko Mäkelä [ 2019-01-29 ]

This double-free was introduced by a merge of the following change from MySQL 5.6.23 into 10.0.17,10.1.4,10.2.0,10.3.0 (InnoDB 5.6.23) and 10.0.18,10.1.5 (XtraDB 5.6.23-72.1):
Bug #20031243 CREATE TABLE FAILS TO CHECK IF FOREIGN KEY COLUMN NULL/NOT NULL MISMATCH

The variable fk_evict should have been declared as std::set instead of std::list, in order to avoid duplicates.

Generated at Thu Feb 08 08:42:43 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.