[MDEV-19192] Draft: XA: SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/c++/7/bits/list.tcc:69 Created: 2019-04-05  Updated: 2019-04-05

Status: Open
Project: MariaDB Server
Component/s: None
Affects Version/s: 10.4.4
Fix Version/s: 10.4

Type: Bug Priority: Major
Reporter: Matthias Leich Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None

Attachments: File MDEV-7974-1.out.tgz     File MDEV-7974-1.tgz     HTML File prt    

 Description   

Problem found during RQG testing.
Thread1:
   CREATE TABLE IF NOT EXISTS t1 ( col1 INT, col2 INT, col_int INTEGER, col_int_g INTEGER GENERATED ALWAYS AS (col_int) VIRTUAL ) ENGINE = InnoDB ROW_FORMAT = Dynamic ;
   ...
   XA BEGIN 'xid1';
followed by looping with
   UPDATE t1 SET col1_copy = col1 ;
   ALTER TABLE t1 CHANGE COLUMN IF EXISTS col1_copy col1 INT, LOCK = DEFAULT ;

Thread2:
   Looping with
   ALTER TABLE t1 ADD COLUMN col1_copy INT , LOCK = DEFAULT ;
   ALTER TABLE t1 DROP COLUMN IF EXISTS col1, LOCK = DEFAULT ;

The statements executed within the loops fail quite often, which is IMHO to be expected.
But after a rather short time comes a
==15203==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300003aae0 at pc 0x564ff4abd6df bp 0x7f70c7aceed0 sp 0x7f70c7aceec0
READ of size 8 at 0x60300003aae0 thread T29
    #0 0x564ff4abd6de in std::__cxx11::_List_base<dict_v_idx_t, ut_allocator<dict_v_idx_t, true> >::_M_clear() /usr/include/c++/7/bits/list.tcc:69
    #1 0x564ff4abbcb3 in std::__cxx11::_List_base<dict_v_idx_t, ut_allocator<dict_v_idx_t, true> >::~_List_base() /usr/include/c++/7/bits/stl_list.h:442
    #2 0x564ff4aaafcd in std::__cxx11::list<dict_v_idx_t, ut_allocator<dict_v_idx_t, true> >::~list() /usr/include/c++/7/bits/stl_list.h:733
    #3 0x564ff4aae3f1 in ha_innobase_inplace_ctx::~ha_innobase_inplace_ctx() (/home/mleich/Server/10.4/bld_asan/sql/mysqld+0x20203f1)
    #4 0x564ff4aae499 in ha_innobase_inplace_ctx::~ha_innobase_inplace_ctx() (/home/mleich/Server/10.4/bld_asan/sql/mysqld+0x2020499)
    #5 0x564ff3f0a1fa in Alter_inplace_info::~Alter_inplace_info() /home/mleich/Server/10.4/sql/handler.h:2461
    #6 0x564ff3effa72 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /home/mleich/Server/10.4/sql/sql_table.cc:9868
    #7 0x564ff406f315 in Sql_cmd_alter_table::execute(THD*) /home/mleich/Server/10.4/sql/sql_alter.cc:490
    #8 0x564ff3cb8594 in mysql_execute_command(THD*) /home/mleich/Server/10.4/sql/sql_parse.cc:6344
    #9 0x564ff3cc4194 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/mleich/Server/10.4/sql/sql_parse.cc:8154
    #10 0x564ff3c98746 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/mleich/Server/10.4/sql/sql_parse.cc:1831
    #11 0x564ff3c94f61 in do_command(THD*) /home/mleich/Server/10.4/sql/sql_parse.cc:1364
    #12 0x564ff4057596 in do_handle_one_connection(CONNECT*) /home/mleich/Server/10.4/sql/sql_connect.cc:1398
    #13 0x564ff4056e51 in handle_one_connection /home/mleich/Server/10.4/sql/sql_connect.cc:1301
    #14 0x564ff55c1a94 in pfs_spawn_thread /home/mleich/Server/10.4/storage/perfschema/pfs.cc:1862
    #15 0x7f70de8f77fb in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x77fb)
    #16 0x7f70ddb2db5e in clone (/lib/x86_64-linux-gnu/libc.so.6+0x114b5e)
....
 
Observations:
1. If I remove the XA BEGIN 'xid1'; from the actions of Thread1,
   then nothing bad happens.
2. If I rewrite the DDLs to
     ALTER .... ALGORITHM = COPY
   then nothing bad happens.


Generated at Thu Feb 08 08:49:44 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.