mleich reproduced what looks like the bug MDEV-31386, in a branch where the fix is present:

ssh pluto

rr replay /data/results/1690818484/MDEV-31386-Rebirth/1/rr/latest-trace

2023-07-31 17:25:55 0x70d307fff700  InnoDB: Assertion failure in file /data/Server/bb-11.2-MDEV-14795_1D/storage/innobase/handler/i_s.cc line 3842

InnoDB: Failing assertion: page_type == i_s_page_type[page_type].type_value

The block descriptor state had been last modified by buf_LRU_free_page(), which had discarded the uncompressed page frame of a ROW_FORMAT=COMPRESSED page. The block descriptor state at that point was buf_page_t::FREED, but it got lost due to an assignment that had better be an increment of the buffer-fix count:

diff --git a/storage/innobase/buf/buf0lru.cc b/storage/innobase/buf/buf0lru.cc

index 6cc4f1c3987..3ba31da2ffc 100644

--- a/storage/innobase/buf/buf0lru.cc

+++ b/storage/innobase/buf/buf0lru.cc

@@ -851,7 +851,12 @@ bool buf_LRU_free_page(buf_page_t *bpage, bool zip)

 		mysql_mutex_lock(&buf_pool.flush_list_mutex);

 		new (b) buf_page_t(*bpage);

 		b->frame = nullptr;

-		b->set_state(buf_page_t::UNFIXED + 1);

+		{

+			ut_d(uint32_t s=) b->fix();

+			ut_ad(s == buf_page_t::FREED

+			      || s == buf_page_t::UNFIXED

+			      || s == buf_page_t::REINIT);

+		}

 		break;

 	default:

 		if (zip || !bpage->zip.data || !bpage->frame) {

For testing, I added a statement that would output of the value s (the state of the block descriptor before incrementing the buffer-fix count). All three values (FREED, UNFIXED, REINIT) were observed while executing the test innodb_zip.wl5522_zip.

As far as I can tell, the main impact of this bug is that a crash like MDEV-31386 is possible when accessing the views INFORMATION_SCHEMA.INNODB_BUFFER_PAGE or INFORMATION_SCHEMA.INNODB_BUFFER_PAGE_LRU at an unfortunate moment. A minor performance impact is that there may be unnecessary writes (MDEV-15528) or doublewrites (MDEV-19738) of affected ROW_FORMAT=COMPRESSED pages.