[MDEV-19066] AddressSanitizer: use-after-poison in innobase_build_col_map after upgrade from 10.1 Created: 2019-03-27  Updated: 2020-03-26  Resolved: 2020-03-26

Status: Closed
Project: MariaDB Server
Component/s: Partitioning, Storage Engine - InnoDB
Affects Version/s: 10.2, 10.3, 10.4
Fix Version/s: 10.2.24, 10.3.15, 10.4.4

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Thirunarayanan Balathandayuthapani
Resolution: Duplicate Votes: 0
Labels: affects-tests

Issue Links:
Blocks
blocks MDEV-14046 Allow ALGORITHM=INPLACE for 10.1 tabl... Closed
Relates
relates to MDEV-19027 create_table_def fails when virtual c... Closed
relates to MDEV-19085 Assertion failures in dtuple_get_nth_... Closed

Description

Note: Affected servers already have a patch for MDEV-18090.

10.2 c676f58c

==23343==ERROR: AddressSanitizer: use-after-poison on address 0x61e00001e208 at pc 0x558b85a975fd bp 0x7fe8792027e0 sp 0x7fe8792027d8
WRITE of size 8 at 0x61e00001e208 thread T31
    #0 0x558b85a975fc in innobase_build_col_map /data/src/10.2/storage/innobase/handler/handler0alter.cc:3075
    #1 0x558b85aa1858 in prepare_inplace_alter_table_dict /data/src/10.2/storage/innobase/handler/handler0alter.cc:4774
    #2 0x558b85aaa980 in ha_innobase::prepare_inplace_alter_table(TABLE*, Alter_inplace_info*) /data/src/10.2/storage/innobase/handler/handler0alter.cc:6262
    #3 0x558b8529c821 in handler::ha_prepare_inplace_alter_table(TABLE*, Alter_inplace_info*) /data/src/10.2/sql/handler.cc:4293
    #4 0x558b86264fe7 in ha_partition::prepare_inplace_alter_table(TABLE*, Alter_inplace_info*) /data/src/10.2/sql/ha_partition.cc:8346
    #5 0x558b8529c821 in handler::ha_prepare_inplace_alter_table(TABLE*, Alter_inplace_info*) /data/src/10.2/sql/handler.cc:4293
    #6 0x558b84e9d1aa in mysql_inplace_alter_table /data/src/10.2/sql/sql_table.cc:7329
    #7 0x558b84eaa6cc in mysql_alter_table(THD*, char*, char*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.2/sql/sql_table.cc:9452
    #8 0x558b84eb0068 in mysql_recreate_table(THD*, TABLE_LIST*, bool) /data/src/10.2/sql/sql_table.cc:10277
    #9 0x558b84fedfb3 in admin_recreate_table /data/src/10.2/sql/sql_admin.cc:58
    #10 0x558b84ff4f9f in mysql_admin_table /data/src/10.2/sql/sql_admin.cc:1022
    #11 0x558b84ff7af7 in Sql_cmd_optimize_table::execute(THD*) /data/src/10.2/sql/sql_admin.cc:1366
    #12 0x558b84c9f59a in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:6226
    #13 0x558b84caa103 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:8013
    #14 0x558b84c84cab in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1832
    #15 0x558b84c81d1a in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1386
    #16 0x558b84fc8764 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
    #17 0x558b84fc8179 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #18 0x7fe8a3a30493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
    #19 0x7fe8a1bfe93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
 
0x61e00001e208 is located 392 bytes inside of 2456-byte region [0x61e00001e080,0x61e00001ea18)
allocated by thread T31 here:
    #0 0x7fe8a3c9a73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x558b85b7ba83 in mem_heap_create_block_func(mem_block_info_t*, unsigned long, char const*, unsigned int, unsigned long) /data/src/10.2/storage/innobase/mem/mem0mem.cc:294
    #2 0x558b85b7c1cb in mem_heap_add_block(mem_block_info_t*, unsigned long) /data/src/10.2/storage/innobase/mem/mem0mem.cc:400
    #3 0x558b85f69661 in mem_heap_alloc /data/src/10.2/storage/innobase/include/mem0mem.ic:201
    #4 0x558b85f6b7f3 in dict_add_col_name /data/src/10.2/storage/innobase/dict/dict0mem.cc:260
    #5 0x558b85f6bd84 in dict_mem_table_add_col(dict_table_t*, mem_block_info_t*, char const*, unsigned long, unsigned long, unsigned long) /data/src/10.2/storage/innobase/dict/dict0mem.cc:309
    #6 0x558b85aa0c32 in prepare_inplace_alter_table_dict /data/src/10.2/storage/innobase/handler/handler0alter.cc:4684
    #7 0x558b85aaa980 in ha_innobase::prepare_inplace_alter_table(TABLE*, Alter_inplace_info*) /data/src/10.2/storage/innobase/handler/handler0alter.cc:6262
    #8 0x558b8529c821 in handler::ha_prepare_inplace_alter_table(TABLE*, Alter_inplace_info*) /data/src/10.2/sql/handler.cc:4293
    #9 0x558b86264fe7 in ha_partition::prepare_inplace_alter_table(TABLE*, Alter_inplace_info*) /data/src/10.2/sql/ha_partition.cc:8346
    #10 0x558b8529c821 in handler::ha_prepare_inplace_alter_table(TABLE*, Alter_inplace_info*) /data/src/10.2/sql/handler.cc:4293
    #11 0x558b84e9d1aa in mysql_inplace_alter_table /data/src/10.2/sql/sql_table.cc:7329
    #12 0x558b84eaa6cc in mysql_alter_table(THD*, char*, char*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.2/sql/sql_table.cc:9452
    #13 0x558b84eb0068 in mysql_recreate_table(THD*, TABLE_LIST*, bool) /data/src/10.2/sql/sql_table.cc:10277
    #14 0x558b84fedfb3 in admin_recreate_table /data/src/10.2/sql/sql_admin.cc:58
    #15 0x558b84ff4f9f in mysql_admin_table /data/src/10.2/sql/sql_admin.cc:1022
    #16 0x558b84ff7af7 in Sql_cmd_optimize_table::execute(THD*) /data/src/10.2/sql/sql_admin.cc:1366
    #17 0x558b84c9f59a in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:6226
    #18 0x558b84caa103 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:8013
    #19 0x558b84c84cab in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1832
    #20 0x558b84c81d1a in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1386
    #21 0x558b84fc8764 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
    #22 0x558b84fc8179 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #23 0x7fe8a3a30493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
 
Thread T31 created by T0 here:
    #0 0x7fe8a3c69bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
    #1 0x558b86333bc7 in spawn_thread_noop /data/src/10.2/mysys/psi_noop.c:187
    #2 0x558b84a7e10e in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1239
    #3 0x558b84a93176 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6482
    #4 0x558b84a9387b in create_new_thread /data/src/10.2/sql/mysqld.cc:6552
    #5 0x558b84a94892 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6827
    #6 0x558b84a926cb in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6101
    #7 0x558b84a7c4af in main /data/src/10.2/sql/main.cc:25
    #8 0x7fe8a1b362b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
 
SUMMARY: AddressSanitizer: use-after-poison /data/src/10.2/storage/innobase/handler/handler0alter.cc:3075 innobase_build_col_map
Shadow bytes around the buggy address:
  0x0c3c7fffbbf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fffbc00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fffbc10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fffbc20: 00 00 00 00 00 07 00 00 00 00 00 03 00 00 00 00
  0x0c3c7fffbc30: 00 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3c7fffbc40: 00[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c3c7fffbc50: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c3c7fffbc60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c3c7fffbc70: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c3c7fffbc80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c3c7fffbc90: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==23343==ABORTING
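To read a report like the one above, it helps to relate the faulting address to the shadow dump and the legend. The following is an added example, not part of the MariaDB issue; it assumes the default Linux x86_64 AddressSanitizer shadow mapping (shadow byte address = (addr >> 3) + 0x7fff8000) and takes the faulting address, region bounds and shadow rows from the report above.

```python
# Added example (not from the MariaDB issue): decode the ASan report above.
# Assumes the default Linux x86_64 shadow mapping, shadow = (addr >> 3) + 0x7fff8000.
ASAN_SHADOW_OFFSET = 0x7FFF8000
SHADOW_GRANULARITY = 8  # one shadow byte describes 8 application bytes

# Shadow rows copied from the report above, with the "=>" and "[..]" markers removed.
SHADOW_DUMP = """
0x0c3c7fffbc20: 00 00 00 00 00 07 00 00 00 00 00 03 00 00 00 00
0x0c3c7fffbc30: 00 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fffbc40: 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c3c7fffbc50: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
"""

# Subset of the shadow byte legend printed by ASan.
LEGEND = {0x00: "Addressable", 0xfa: "Heap left redzone", 0xfb: "Heap right redzone",
          0xfd: "Freed heap region", 0xf7: "Poisoned by user", 0xf8: "Stack use after scope"}

def shadow_address(addr: int) -> int:
    """Map an application address to the address of the shadow byte covering it."""
    return (addr >> 3) + ASAN_SHADOW_OFFSET

def parse_shadow_dump(dump: str) -> dict:
    """Return {shadow_byte_address: value} from the 'Shadow bytes' rows of a report."""
    table = {}
    for line in dump.strip().splitlines():
        base_txt, _, bytes_txt = line.partition(":")
        base = int(base_txt.strip().lstrip("=>"), 16)
        for i, tok in enumerate(bytes_txt.split()):
            table[base + i] = int(tok.strip("[]"), 16)
    return table

def describe(shadow_value: int) -> str:
    """Translate one shadow byte into the legend wording."""
    if 1 <= shadow_value <= 7:
        return f"Partially addressable ({shadow_value} of {SHADOW_GRANULARITY} bytes)"
    return LEGEND.get(shadow_value, f"unknown (0x{shadow_value:02x})")

def classify_access(addr: int, dump: str) -> tuple:
    """Return (shadow_addr, shadow_value, description) for a faulting address."""
    s = shadow_address(addr)
    v = parse_shadow_dump(dump)[s]
    return s, v, describe(v)

def offset_in_region(addr: int, start: int, end: int) -> tuple:
    """Return (offset of addr from the region start, region size) in bytes."""
    return addr - start, end - start
```

For the address in the report, the computed shadow byte is the `f7` ("Poisoned by user") at 0x0c3c7fffbc41, which is what one expects when InnoDB's `mem_heap` poisons not-yet-handed-out space and a caller writes into it anyway.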

To reproduce:

Reproducible on 10.2+.
Not reproducible on 10.1.
The datadir was created with 10.1.38 release build.

Comments
Comment by Marko Mäkelä [ 2019-04-01 ]

I was unable to repeat this with 10.2 f055da9b84bc9481917003a1ed0a702072c0f452 (the MDEV-19085 fix) or its parent commit. Maybe something was recently fixed in the partitioning engine?

Comment by Elena Stepanova [ 2019-04-01 ]

Sorry about this. Just yesterday in a desperate attempt to work around the problems, I symlinked test data sets to ones without generated columns (possibly other data is somehow different as well). The right link is
ftp://perro.askmonty.org/public/innodb_upgrade_data/10.1.38/format-Antelope/innodb-builtin/4K/compression-none/encryption-off/normal.tar.gz
(I'm also changing it in the description).

I'll try to create separate links for bug reports in future, rather than paste those used by tests.

Comment by Thirunarayanan Balathandayuthapani [ 2020-03-26 ]

The issue is already fixed by the following:

commit f055da9b84bc9481917003a1ed0a702072c0f452 (HEAD)
Author: Marko Mäkelä <marko.makela@mariadb.com>
Date:   Mon Apr 1 14:24:15 2019 +0300
 
    MDEV-19085 Assertion failures due to virtual columns after upgrading from 10.1

Generated at Thu Feb 08 08:48:48 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.