[MDEV-24861] Assertion `trx->rsegs.m_redo.rseg' failed in innodb_prepare_commit_versioned Created: 2021-02-13  Updated: 2021-02-15  Resolved: 2021-02-15

Status: Closed
Project: MariaDB Server
Component/s: Storage Engine - InnoDB, Versioned Tables
Affects Version/s: 10.6
Fix Version/s: 10.6.0

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Marko Mäkelä
Resolution: Fixed Votes: 0
Labels: regression

Issue Links:
Problem/Incident
is caused by MDEV-20612 Improve InnoDB lock_sys scalability Closed

 Description    

--source include/have_innodb.inc
 
 
 
CREATE TABLE t1 (id INT PRIMARY KEY, f TEXT UNIQUE, s BIGINT UNSIGNED AS ROW START, e BIGINT UNSIGNED AS ROW END, PERIOD FOR SYSTEM_TIME(s,e)) ENGINE=InnoDB WITH SYSTEM VERSIONING;
 
CREATE TABLE t2 (id INT PRIMARY KEY) ENGINE=InnoDB;
 
ALTER TABLE t1 FORCE;
 
TRUNCATE TABLE t2;
 
 
 
# Cleanup
 
DROP TABLE t1, t2;

10.6 a1542f8a

 
mariadbd: /data/src/10.6/storage/innobase/handler/ha_innodb.cc:3168: ulonglong innodb_prepare_commit_versioned(THD*, ulonglong*): Assertion `trx->rsegs.m_redo.rseg' failed.
 
210214  0:28:49 [ERROR] mysqld got signal 6 ;
 
 
 
#7  0x00007f1de8676f36 in __GI___assert_fail (assertion=0x555c8421bbc4 "trx->rsegs.m_redo.rseg", file=0x555c84219b98 "/data/src/10.6/storage/innobase/handler/ha_innodb.cc", line=3168, function=0x555c8421bb88 "ulonglong innodb_prepare_commit_versioned(THD*, ulonglong*)") at assert.c:101
 
#8  0x0000555c8395c33c in innodb_prepare_commit_versioned (thd=0x7f1db4000db8, trx_id=0x7f1ddda11400) at /data/src/10.6/storage/innobase/handler/ha_innodb.cc:3168
 
#9  0x0000555c834e88f7 in ha_commit_trans (thd=0x7f1db4000db8, all=false) at /data/src/10.6/sql/handler.cc:1674
 
#10 0x0000555c8333f172 in trans_commit_stmt (thd=0x7f1db4000db8) at /data/src/10.6/sql/transaction.cc:472
 
#11 0x0000555c83184cfe in mysql_execute_command (thd=0x7f1db4000db8) at /data/src/10.6/sql/sql_parse.cc:5940
 
#12 0x0000555c8318a9ee in mysql_parse (thd=0x7f1db4000db8, rawbuf=0x7f1db4013cd0 "TRUNCATE TABLE t2", length=17, parser_state=0x7f1ddda12510) at /data/src/10.6/sql/sql_parse.cc:7906
 
#13 0x0000555c83176f31 in dispatch_command (command=COM_QUERY, thd=0x7f1db4000db8, packet=0x7f1db4008e49 "TRUNCATE TABLE t2", packet_length=17) at /data/src/10.6/sql/sql_parse.cc:1833
 
#14 0x0000555c83175948 in do_command (thd=0x7f1db4000db8) at /data/src/10.6/sql/sql_parse.cc:1365
 
#15 0x0000555c83323117 in do_handle_one_connection (connect=0x555c85e43418, put_in_cache=true) at /data/src/10.6/sql/sql_connect.cc:1410
 
#16 0x0000555c83322e7a in handle_one_connection (arg=0x555c85e55b78) at /data/src/10.6/sql/sql_connect.cc:1312
 
#17 0x0000555c83880e97 in pfs_spawn_thread (arg=0x555c85ed1a58) at /data/src/10.6/storage/perfschema/pfs.cc:2201
 
#18 0x00007f1de8b8e609 in start_thread (arg=<optimized out>) at pthread_create.c:477
 
#19 0x00007f1de8762293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

The failure started happening on 10.6 after this commit:

commit b08448de64f2af9c849154647bdd61d1725f8928
 
Author: Marko Mäkelä
 
Date:   Fri Feb 12 17:35:42 2021 +0200
 
 
 
    MDEV-20612: Partition lock_sys.latch



 Comments   
Comment by Marko Mäkelä [ 2021-02-15 ]

The non-empty trx->mod_tables, which is causing trouble for the TRUNCATE TABLE, was left over from the execution of the preceding ALTER TABLE t1 FORCE statement. Before MDEV-20612, that was cleared in trx_update_mod_tables_timestamp(), invoked by trx_t::commit_in_memory().

With MDEV-20612, the query cache invalidation was moved from lock_release() to trx_t::commit_tables(), which replaced trx_update_mod_tables_timestamp(). As an optimization to that function, if trx->undo_no==0, we would skip the traversal so that we would not unnecessarily invalidate the query cache. But we should not have skipped the call mod_tables.clear().

Comment by Elena Stepanova [ 2021-02-15 ]

Differently-looking failure which was also fixed by the same commit:

10.6 4df0249b9a

 
==697817==ERROR: AddressSanitizer: heap-use-after-free on address 0x618000060130 at pc 0x55c44e43ec3d bp 0x7fd79291d4a0 sp 0x7fd79291d490
 
READ of size 8 at 0x618000060130 thread T14
 
    #0 0x55c44e43ec3c in ha_innobase::delete_table(char const*, enum_sql_command) (/data/src/10.6-bug/sql/mariadbd+0x2dccc3c)
 
    #1 0x55c44e408306 in ha_innobase::delete_table(char const*) /data/src/10.6-bug/storage/innobase/handler/ha_innodb.cc:13139
 
    #2 0x55c44d8b1ef6 in hton_drop_table /data/src/10.6-bug/sql/handler.cc:564
 
    #3 0x55c44d7085db in THD::rm_temporary_table(handlerton*, char const*) /data/src/10.6-bug/sql/temporary_tables.cc:703
 
    #4 0x55c44d70d681 in THD::free_tmp_table_share(TMP_TABLE_SHARE*, bool) /data/src/10.6-bug/sql/temporary_tables.cc:1460
 
    #5 0x55c44d707658 in THD::close_temporary_tables() /data/src/10.6-bug/sql/temporary_tables.cc:544
 
    #6 0x55c44cf7b094 in THD::cleanup(bool) /data/src/10.6-bug/sql/sql_class.cc:1566
 
    #7 0x55c44cd9b493 in unlink_thd(THD*) /data/src/10.6-bug/sql/mysqld.cc:2605
 
    #8 0x55c44d4e1c0d in do_handle_one_connection(CONNECT*, bool) /data/src/10.6-bug/sql/sql_connect.cc:1421
 
    #9 0x55c44d4e1423 in handle_one_connection /data/src/10.6-bug/sql/sql_connect.cc:1312
 
    #10 0x55c44e1e88d0 in pfs_spawn_thread /data/src/10.6-bug/storage/perfschema/pfs.cc:2201
 
    #11 0x7fd7a2acb608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
 
    #12 0x7fd7a26a1292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
 
 
 
0x618000060130 is located 176 bytes inside of 816-byte region [0x618000060080,0x6180000603b0)
 
freed by thread T13 here:
 
    #0 0x7fd7a2fb97cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
 
    #1 0x55c44e4415ab in ut_allocator<unsigned char, true>::deallocate(unsigned char*, unsigned long) /data/src/10.6-bug/storage/innobase/include/ut0new.h:426
 
    #2 0x55c44e60139b in mem_heap_block_free(mem_block_info_t*, mem_block_info_t*) /data/src/10.6-bug/storage/innobase/mem/mem0mem.cc:416
 
    #3 0x55c44ea97a98 in mem_heap_free /data/src/10.6-bug/storage/innobase/include/mem0mem.ic:419
 
    #4 0x55c44ea9acc4 in dict_mem_table_free(dict_table_t*) /data/src/10.6-bug/storage/innobase/dict/dict0mem.cc:246
 
    #5 0x55c44ea5d0f2 in dict_sys_t::remove(dict_table_t*, bool, bool) /data/src/10.6-bug/storage/innobase/dict/dict0dict.cc:2063
 
    #6 0x55c44e7820e5 in row_drop_table_from_cache /data/src/10.6-bug/storage/innobase/row/row0mysql.cc:3227
 
    #7 0x55c44e784d0b in row_drop_table_for_mysql(char const*, trx_t*, enum_sql_command, bool, bool) /data/src/10.6-bug/storage/innobase/row/row0mysql.cc:3653
 
    #8 0x55c44e75b538 in row_merge_drop_table(trx_t*, dict_table_t*) /data/src/10.6-bug/storage/innobase/row/row0merge.cc:4330
 
    #9 0x55c44e4a76dd in ha_innobase::commit_inplace_alter_table(TABLE*, Alter_inplace_info*, bool) /data/src/10.6-bug/storage/innobase/handler/handler0alter.cc:11356
 
    #10 0x55c44d8d4d6d in handler::ha_commit_inplace_alter_table(TABLE*, Alter_inplace_info*, bool) /data/src/10.6-bug/sql/handler.cc:4855
 
    #11 0x55c44d34bf46 in mysql_inplace_alter_table /data/src/10.6-bug/sql/sql_table.cc:8137
 
    #12 0x55c44d35edd1 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool, bool) /data/src/10.6-bug/sql/sql_table.cc:10684
 
    #13 0x55c44d4fe0a1 in Sql_cmd_alter_table::execute(THD*) /data/src/10.6-bug/sql/sql_alter.cc:539
 
    #14 0x55c44d0be8ea in mysql_execute_command(THD*) /data/src/10.6-bug/sql/sql_parse.cc:5945
 
    #15 0x55c44d0cc2ea in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.6-bug/sql/sql_parse.cc:7971
 
    #16 0x55c44d0a2e20 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/10.6-bug/sql/sql_parse.cc:1886
 
    #17 0x55c44d09fb4f in do_command(THD*, bool) /data/src/10.6-bug/sql/sql_parse.cc:1397
 
    #18 0x55c44d4e1ac4 in do_handle_one_connection(CONNECT*, bool) /data/src/10.6-bug/sql/sql_connect.cc:1410
 
    #19 0x55c44d4e1423 in handle_one_connection /data/src/10.6-bug/sql/sql_connect.cc:1312
 
    #20 0x55c44e1e88d0 in pfs_spawn_thread /data/src/10.6-bug/storage/perfschema/pfs.cc:2201
 
    #21 0x7fd7a2acb608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
 
 
 
previously allocated by thread T14 here:
 
    #0 0x7fd7a2fb9bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
 
    #1 0x55c44e44115a in ut_allocator<unsigned char, true>::allocate(unsigned long, unsigned char const*, unsigned int, bool, bool) /data/src/10.6-bug/storage/innobase/include/ut0new.h:377
 
    #2 0x55c44e60063f in mem_heap_create_block_func(mem_block_info_t*, unsigned long, char const*, unsigned int, unsigned long) /data/src/10.6-bug/storage/innobase/mem/mem0mem.cc:277
 
    #3 0x55c44e600f8f in mem_heap_add_block(mem_block_info_t*, unsigned long) /data/src/10.6-bug/storage/innobase/mem/mem0mem.cc:378
 
    #4 0x55c44ea97725 in mem_heap_alloc /data/src/10.6-bug/storage/innobase/include/mem0mem.ic:193
 
    #5 0x55c44ea97539 in mem_heap_zalloc /data/src/10.6-bug/storage/innobase/include/mem0mem.ic:162
 
    #6 0x55c44ea99ba5 in dict_mem_table_create(char const*, fil_space_t*, unsigned long, unsigned long, unsigned long, unsigned long) /data/src/10.6-bug/storage/innobase/dict/dict0mem.cc:152
 
    #7 0x55c44e43925b in create_table_info_t::create_table_def() (/data/src/10.6-bug/sql/mariadbd+0x2dc725b)
 
    #8 0x55c44e403d38 in create_table_info_t::create_table(bool) /data/src/10.6-bug/storage/innobase/handler/ha_innodb.cc:12189
 
    #9 0x55c44e43e504 in ha_innobase::create(char const*, TABLE*, HA_CREATE_INFO*, bool, trx_t*) (/data/src/10.6-bug/sql/mariadbd+0x2dcc504)
 
    #10 0x55c44e406755 in ha_innobase::create(char const*, TABLE*, HA_CREATE_INFO*) /data/src/10.6-bug/storage/innobase/handler/ha_innodb.cc:12785
 
    #11 0x55c44d8d6583 in handler::ha_create(char const*, TABLE*, HA_CREATE_INFO*) /data/src/10.6-bug/sql/handler.cc:5091
 
    #12 0x55c44d8dac56 in ha_create_table(THD*, char const*, char const*, char const*, HA_CREATE_INFO*, st_mysql_const_unsigned_lex_string*) /data/src/10.6-bug/sql/handler.cc:5555
 
    #13 0x55c44d35f479 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool, bool) /data/src/10.6-bug/sql/sql_table.cc:10744
 
    #14 0x55c44d4fe0a1 in Sql_cmd_alter_table::execute(THD*) /data/src/10.6-bug/sql/sql_alter.cc:539
 
    #15 0x55c44d0be8ea in mysql_execute_command(THD*) /data/src/10.6-bug/sql/sql_parse.cc:5945
 
    #16 0x55c44d0cc2ea in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.6-bug/sql/sql_parse.cc:7971
 
    #17 0x55c44d0a2e20 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/10.6-bug/sql/sql_parse.cc:1886
 
    #18 0x55c44d09fb4f in do_command(THD*, bool) /data/src/10.6-bug/sql/sql_parse.cc:1397
 
    #19 0x55c44d4e1ac4 in do_handle_one_connection(CONNECT*, bool) /data/src/10.6-bug/sql/sql_connect.cc:1410
 
    #20 0x55c44d4e1423 in handle_one_connection /data/src/10.6-bug/sql/sql_connect.cc:1312
 
    #21 0x55c44e1e88d0 in pfs_spawn_thread /data/src/10.6-bug/storage/perfschema/pfs.cc:2201
 
    #22 0x7fd7a2acb608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
 
 
 
Thread T14 created by T0 here:
 
    #0 0x7fd7a2ee6805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
 
    #1 0x55c44e1e3874 in my_thread_create /data/src/10.6-bug/storage/perfschema/my_thread.h:38
 
    #2 0x55c44e1e8cc3 in pfs_spawn_thread_v1 /data/src/10.6-bug/storage/perfschema/pfs.cc:2252
 
    #3 0x55c44cd904fe in inline_mysql_thread_create /data/src/10.6-bug/include/mysql/psi/mysql_thread.h:1323
 
    #4 0x55c44cda650f in create_thread_to_handle_connection(CONNECT*) /data/src/10.6-bug/sql/mysqld.cc:5811
 
    #5 0x55c44cda6b8e in create_new_thread(CONNECT*) /data/src/10.6-bug/sql/mysqld.cc:5870
 
    #6 0x55c44cda6eeb in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.6-bug/sql/mysqld.cc:5935
 
    #7 0x55c44cda7b0a in handle_connections_sockets() /data/src/10.6-bug/sql/mysqld.cc:6062
 
    #8 0x55c44cda5d1c in mysqld_main(int, char**) /data/src/10.6-bug/sql/mysqld.cc:5706
 
    #9 0x55c44cd8ed9c in main /data/src/10.6-bug/sql/main.cc:25
 
    #10 0x7fd7a25a60b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
 
 
 
Thread T13 created by T0 here:
 
    #0 0x7fd7a2ee6805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
 
    #1 0x55c44e1e3874 in my_thread_create /data/src/10.6-bug/storage/perfschema/my_thread.h:38
 
    #2 0x55c44e1e8cc3 in pfs_spawn_thread_v1 /data/src/10.6-bug/storage/perfschema/pfs.cc:2252
 
    #3 0x55c44cd904fe in inline_mysql_thread_create /data/src/10.6-bug/include/mysql/psi/mysql_thread.h:1323
 
    #4 0x55c44cda650f in create_thread_to_handle_connection(CONNECT*) /data/src/10.6-bug/sql/mysqld.cc:5811
 
    #5 0x55c44cda6b8e in create_new_thread(CONNECT*) /data/src/10.6-bug/sql/mysqld.cc:5870
 
    #6 0x55c44cda6eeb in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.6-bug/sql/mysqld.cc:5935
 
    #7 0x55c44cda7b0a in handle_connections_sockets() /data/src/10.6-bug/sql/mysqld.cc:6062
 
    #8 0x55c44cda5d1c in mysqld_main(int, char**) /data/src/10.6-bug/sql/mysqld.cc:5706
 
    #9 0x55c44cd8ed9c in main /data/src/10.6-bug/sql/main.cc:25
 
    #10 0x7fd7a25a60b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
 
 
 
SUMMARY: AddressSanitizer: heap-use-after-free (/data/src/10.6-bug/sql/mariadbd+0x2dccc3c) in ha_innobase::delete_table(char const*, enum_sql_command)
 
Shadow bytes around the buggy address:
 
  0x0c3080003fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
 
  0x0c3080003fe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
 
  0x0c3080003ff0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
 
  0x0c3080004000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 
  0x0c3080004010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
 
=>0x0c3080004020: fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd
 
  0x0c3080004030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
 
  0x0c3080004040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
 
  0x0c3080004050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
 
  0x0c3080004060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
 
  0x0c3080004070: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
 
Shadow byte legend (one shadow byte represents 8 application bytes):
 
  Addressable:           00
 
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
 
  Freed heap region:       fd
 
  Stack left redzone:      f1
 
  Stack mid redzone:       f2
 
  Stack right redzone:     f3
 
  Stack after return:      f5
 
  Stack use after scope:   f8
 
  Global redzone:          f9
 
  Global init order:       f6
 
  Poisoned by user:        f7
 
  Container overflow:      fc
 
  Array cookie:            ac
 
  Intra object redzone:    bb
 
  ASan internal:           fe
 
  Left alloca redzone:     ca
 
  Right alloca redzone:    cb
 
  Shadow gap:              cc
 
==697817==ABORTING

.
Not reproducible on 2e84846ec.

Comment by Elena Stepanova [ 2021-02-15 ]

Yet more differently-looking failures fixed by the same commit:

10.6 a1542f8a ASAN

 
==700236==ERROR: AddressSanitizer: heap-use-after-free on address 0x6180000701a0 at pc 0x564242a9475d bp 0x7f161518dd90 sp 0x7f161518dd80
 
READ of size 2 at 0x6180000701a0 thread T14
 
    #0 0x564242a9475c in dict_table_t::versioned() const /data/src/10.6/storage/innobase/include/dict0mem.h:1920
 
    #1 0x564242a94819 in dict_table_t::versioned_by_id() const (/data/bld/10.6-asan-nightly/bin/mariadbd+0x2db8819)
 
    #2 0x564242a31fe2 in innodb_prepare_commit_versioned /data/src/10.6/storage/innobase/handler/ha_innodb.cc:3167
 
    #3 0x564241f19756 in ha_commit_trans(THD*, bool) /data/src/10.6/sql/handler.cc:1674
 
    #4 0x564241b8801e in trans_commit_stmt(THD*) /data/src/10.6/sql/transaction.cc:472
 
    #5 0x564241722193 in mysql_execute_command(THD*) /data/src/10.6/sql/sql_parse.cc:5940
 
    #6 0x56424172f2e0 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.6/sql/sql_parse.cc:7906
 
    #7 0x564241705ece in dispatch_command(enum_server_command, THD*, char*, unsigned int) /data/src/10.6/sql/sql_parse.cc:1833
 
    #8 0x564241702d94 in do_command(THD*) /data/src/10.6/sql/sql_parse.cc:1365
 
    #9 0x564241b44ab5 in do_handle_one_connection(CONNECT*, bool) /data/src/10.6/sql/sql_connect.cc:1410
 
    #10 0x564241b44419 in handle_one_connection /data/src/10.6/sql/sql_connect.cc:1312
 
    #11 0x56424284b494 in pfs_spawn_thread /data/src/10.6/storage/perfschema/pfs.cc:2201
 
    #12 0x7f16249e0608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
 
    #13 0x7f16245b6292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
 
 
 
0x6180000701a0 is located 288 bytes inside of 816-byte region [0x618000070080,0x6180000703b0)
 
freed by thread T15 here:
 
    #0 0x7f1624ece7cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
 
    #1 0x564242aa4147 in ut_allocator<unsigned char, true>::deallocate(unsigned char*, unsigned long) /data/src/10.6/storage/innobase/include/ut0new.h:426
 
    #2 0x564242c5ebbf in mem_heap_block_free(mem_block_info_t*, mem_block_info_t*) /data/src/10.6/storage/innobase/mem/mem0mem.cc:416
 
    #3 0x5642430f509e in mem_heap_free /data/src/10.6/storage/innobase/include/mem0mem.ic:419
 
    #4 0x5642430f82ca in dict_mem_table_free(dict_table_t*) /data/src/10.6/storage/innobase/dict/dict0mem.cc:246
 
    #5 0x5642430ba6f8 in dict_sys_t::remove(dict_table_t*, bool, bool) /data/src/10.6/storage/innobase/dict/dict0dict.cc:2063
 
    #6 0x564242ddf8f7 in row_drop_table_from_cache /data/src/10.6/storage/innobase/row/row0mysql.cc:3227
 
    #7 0x564242de251d in row_drop_table_for_mysql(char const*, trx_t*, enum_sql_command, bool, bool) /data/src/10.6/storage/innobase/row/row0mysql.cc:3653
 
    #8 0x564242aa19f1 in ha_innobase::delete_table(char const*, enum_sql_command) (/data/bld/10.6-asan-nightly/bin/mariadbd+0x2dc59f1)
 
    #9 0x564242a6aea8 in ha_innobase::delete_table(char const*) /data/src/10.6/storage/innobase/handler/ha_innodb.cc:13139
 
    #10 0x564241f149e0 in hton_drop_table /data/src/10.6/sql/handler.cc:564
 
    #11 0x564241f21a94 in ha_delete_table(THD*, handlerton*, char const*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, bool) /data/src/10.6/sql/handler.cc:2770
 
    #12 0x564241986576 in mysql_rm_table_no_locks(THD*, TABLE_LIST*, bool, bool, bool, bool, bool, bool) /data/src/10.6/sql/sql_table.cc:2509
 
    #13 0x56424199b425 in create_table_impl /data/src/10.6/sql/sql_table.cc:5263
 
    #14 0x56424199ca6e in mysql_create_table_no_lock(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /data/src/10.6/sql/sql_table.cc:5463
 
    #15 0x56424199d68c in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /data/src/10.6/sql/sql_table.cc:5564
 
    #16 0x5642419cdac6 in Sql_cmd_create_table_like::execute(THD*) /data/src/10.6/sql/sql_table.cc:12152
 
    #17 0x5642417218e0 in mysql_execute_command(THD*) /data/src/10.6/sql/sql_parse.cc:5880
 
    #18 0x56424172f2e0 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.6/sql/sql_parse.cc:7906
 
    #19 0x564241705ece in dispatch_command(enum_server_command, THD*, char*, unsigned int) /data/src/10.6/sql/sql_parse.cc:1833
 
    #20 0x564241702d94 in do_command(THD*) /data/src/10.6/sql/sql_parse.cc:1365
 
    #21 0x564241b44ab5 in do_handle_one_connection(CONNECT*, bool) /data/src/10.6/sql/sql_connect.cc:1410
 
    #22 0x564241b44419 in handle_one_connection /data/src/10.6/sql/sql_connect.cc:1312
 
    #23 0x56424284b494 in pfs_spawn_thread /data/src/10.6/storage/perfschema/pfs.cc:2201
 
    #24 0x7f16249e0608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
 
 
 
previously allocated by thread T14 here:
 
    #0 0x7f1624ecebc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
 
    #1 0x564242aa3cf6 in ut_allocator<unsigned char, true>::allocate(unsigned long, unsigned char const*, unsigned int, bool, bool) /data/src/10.6/storage/innobase/include/ut0new.h:377
 
    #2 0x564242c5de63 in mem_heap_create_block_func(mem_block_info_t*, unsigned long, char const*, unsigned int, unsigned long) /data/src/10.6/storage/innobase/mem/mem0mem.cc:277
 
    #3 0x564242c5e7b3 in mem_heap_add_block(mem_block_info_t*, unsigned long) /data/src/10.6/storage/innobase/mem/mem0mem.cc:378
 
    #4 0x5642430f4d2b in mem_heap_alloc /data/src/10.6/storage/innobase/include/mem0mem.ic:193
 
    #5 0x5642430f4b3f in mem_heap_zalloc /data/src/10.6/storage/innobase/include/mem0mem.ic:162
 
    #6 0x5642430f71ab in dict_mem_table_create(char const*, fil_space_t*, unsigned long, unsigned long, unsigned long, unsigned long) /data/src/10.6/storage/innobase/dict/dict0mem.cc:152
 
    #7 0x564242a9bdf7 in create_table_info_t::create_table_def() (/data/bld/10.6-asan-nightly/bin/mariadbd+0x2dbfdf7)
 
    #8 0x564242a668da in create_table_info_t::create_table(bool) /data/src/10.6/storage/innobase/handler/ha_innodb.cc:12189
 
    #9 0x564242aa10a0 in ha_innobase::create(char const*, TABLE*, HA_CREATE_INFO*, bool, trx_t*) (/data/bld/10.6-asan-nightly/bin/mariadbd+0x2dc50a0)
 
    #10 0x564242a692f7 in ha_innobase::create(char const*, TABLE*, HA_CREATE_INFO*) /data/src/10.6/storage/innobase/handler/ha_innodb.cc:12785
 
    #11 0x564241f3906d in handler::ha_create(char const*, TABLE*, HA_CREATE_INFO*) /data/src/10.6/sql/handler.cc:5091
 
    #12 0x564241f3d740 in ha_create_table(THD*, char const*, char const*, char const*, HA_CREATE_INFO*, st_mysql_const_unsigned_lex_string*) /data/src/10.6/sql/handler.cc:5555
 
    #13 0x5642419c246f in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool, bool) /data/src/10.6/sql/sql_table.cc:10744
 
    #14 0x564241b6108d in Sql_cmd_alter_table::execute(THD*) /data/src/10.6/sql/sql_alter.cc:539
 
    #15 0x5642417218e0 in mysql_execute_command(THD*) /data/src/10.6/sql/sql_parse.cc:5880
 
    #16 0x56424172f2e0 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.6/sql/sql_parse.cc:7906
 
    #17 0x564241705ece in dispatch_command(enum_server_command, THD*, char*, unsigned int) /data/src/10.6/sql/sql_parse.cc:1833
 
    #18 0x564241702d94 in do_command(THD*) /data/src/10.6/sql/sql_parse.cc:1365
 
    #19 0x564241b44ab5 in do_handle_one_connection(CONNECT*, bool) /data/src/10.6/sql/sql_connect.cc:1410
 
    #20 0x564241b44419 in handle_one_connection /data/src/10.6/sql/sql_connect.cc:1312
 
    #21 0x56424284b494 in pfs_spawn_thread /data/src/10.6/storage/perfschema/pfs.cc:2201
 
    #22 0x7f16249e0608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
 
 
 
Thread T14 created by T0 here:
 
    #0 0x7f1624dfb805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
 
    #1 0x564242846438 in my_thread_create /data/src/10.6/storage/perfschema/my_thread.h:38
 
    #2 0x56424284b887 in pfs_spawn_thread_v1 /data/src/10.6/storage/perfschema/pfs.cc:2252
 
    #3 0x5642413f44fe in inline_mysql_thread_create /data/src/10.6/include/mysql/psi/mysql_thread.h:1323
 
    #4 0x56424140a50f in create_thread_to_handle_connection(CONNECT*) /data/src/10.6/sql/mysqld.cc:5811
 
    #5 0x56424140ab8e in create_new_thread(CONNECT*) /data/src/10.6/sql/mysqld.cc:5870
 
    #6 0x56424140aeeb in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.6/sql/mysqld.cc:5935
 
    #7 0x56424140bb0a in handle_connections_sockets() /data/src/10.6/sql/mysqld.cc:6062
 
    #8 0x564241409d1c in mysqld_main(int, char**) /data/src/10.6/sql/mysqld.cc:5706
 
    #9 0x5642413f2d9c in main /data/src/10.6/sql/main.cc:25
 
    #10 0x7f16244bb0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
 
 
 
Thread T15 created by T0 here:
 
    #0 0x7f1624dfb805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
 
    #1 0x564242846438 in my_thread_create /data/src/10.6/storage/perfschema/my_thread.h:38
 
    #2 0x56424284b887 in pfs_spawn_thread_v1 /data/src/10.6/storage/perfschema/pfs.cc:2252
 
    #3 0x5642413f44fe in inline_mysql_thread_create /data/src/10.6/include/mysql/psi/mysql_thread.h:1323
 
    #4 0x56424140a50f in create_thread_to_handle_connection(CONNECT*) /data/src/10.6/sql/mysqld.cc:5811
 
    #5 0x56424140ab8e in create_new_thread(CONNECT*) /data/src/10.6/sql/mysqld.cc:5870
 
    #6 0x56424140aeeb in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.6/sql/mysqld.cc:5935
 
    #7 0x56424140bb0a in handle_connections_sockets() /data/src/10.6/sql/mysqld.cc:6062
 
    #8 0x564241409d1c in mysqld_main(int, char**) /data/src/10.6/sql/mysqld.cc:5706
 
    #9 0x5642413f2d9c in main /data/src/10.6/sql/main.cc:25
 
    #10 0x7f16244bb0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
 
 
 
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.6/storage/innobase/include/dict0mem.h:1920 in dict_table_t::versioned() const
 
Shadow bytes around the buggy address:
 
  0x0c3080005fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 
  0x0c3080005ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 
  0x0c3080006000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 
  0x0c3080006010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
 
  0x0c3080006020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
 
=>0x0c3080006030: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
 
  0x0c3080006040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
 
  0x0c3080006050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
 
  0x0c3080006060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
 
  0x0c3080006070: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
 
  0x0c3080006080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 
Shadow byte legend (one shadow byte represents 8 application bytes):
 
  Addressable:           00
 
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
 
  Freed heap region:       fd
 
  Stack left redzone:      f1
 
  Stack mid redzone:       f2
 
  Stack right redzone:     f3
 
  Stack after return:      f5
 
  Stack use after scope:   f8
 
  Global redzone:          f9
 
  Global init order:       f6
 
  Poisoned by user:        f7
 
  Container overflow:      fc
 
  Array cookie:            ac
 
  Intra object redzone:    bb
 
  ASan internal:           fe
 
  Left alloca redzone:     ca
 
  Right alloca redzone:    cb
 
  Shadow gap:              cc

10.6 a1542f8a debug

 
mariadbd: /data/src/10.6/storage/innobase/handler/ha_innodb.cc:3167: ulonglong innodb_prepare_commit_versioned(THD*, ulonglong*): Assertion `t.first->versioned_by_id()' failed.
 
210215 15:31:50 [ERROR] mysqld got signal 6 ;
 
 
 
#7  0x00007fa82bf92f36 in __GI___assert_fail (assertion=0x557a187fab66 "t.first->versioned_by_id()", file=0x557a187f8b98 "/data/src/10.6/storage/innobase/handler/ha_innodb.cc", line=3167, function=0x557a187fab88 "ulonglong innodb_prepare_commit_versioned(THD*, ulonglong*)") at assert.c:101
 
#8  0x0000557a17f3b2c0 in innodb_prepare_commit_versioned (thd=0x7fa7f4000db8, trx_id=0x7fa8252ee400) at /data/src/10.6/storage/innobase/handler/ha_innodb.cc:3167
 
#9  0x0000557a17ac78f7 in ha_commit_trans (thd=0x7fa7f4000db8, all=false) at /data/src/10.6/sql/handler.cc:1674
 
#10 0x0000557a1791e172 in trans_commit_stmt (thd=0x7fa7f4000db8) at /data/src/10.6/sql/transaction.cc:472
 
#11 0x0000557a17763cfe in mysql_execute_command (thd=0x7fa7f4000db8) at /data/src/10.6/sql/sql_parse.cc:5940
 
#12 0x0000557a177699ee in mysql_parse (thd=0x7fa7f4000db8, rawbuf=0x7fa7f4012870 "UPDATE IGNORE app_periods_t13 SET s = '1985-03-16', e = '2032-05-20' ORDER BY s, e", length=82, parser_state=0x7fa8252ef510) at /data/src/10.6/sql/sql_parse.cc:7906
 
#13 0x0000557a17755f31 in dispatch_command (command=COM_QUERY, thd=0x7fa7f4000db8, packet=0x7fa7f4008e49 "UPDATE IGNORE app_periods_t13 SET s = '1985-03-16', e = '2032-05-20' ORDER BY s, e", packet_length=82) at /data/src/10.6/sql/sql_parse.cc:1833
 
#14 0x0000557a17754948 in do_command (thd=0x7fa7f4000db8) at /data/src/10.6/sql/sql_parse.cc:1365
 
#15 0x0000557a17902117 in do_handle_one_connection (connect=0x557a1b0452f8, put_in_cache=true) at /data/src/10.6/sql/sql_connect.cc:1410
 
#16 0x0000557a17901e7a in handle_one_connection (arg=0x557a1b0452f8) at /data/src/10.6/sql/sql_connect.cc:1312
 
#17 0x0000557a17e5fe97 in pfs_spawn_thread (arg=0x557a1b046bd8) at /data/src/10.6/storage/perfschema/pfs.cc:2201
 
#18 0x00007fa82c4aa609 in start_thread (arg=<optimized out>) at pthread_create.c:477
 
#19 0x00007fa82c07e293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Generated at Thu Feb 08 09:33:15 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.