[MDEV-32449] Server crashes in Alter_info::add_stat_drop_index upon CREATE TABLE Created: 2023-10-11  Updated: 2023-10-18  Resolved: 2023-10-16

Status: Closed
Project: MariaDB Server
Component/s: Data Definition - Alter Table
Affects Version/s: 10.6
Fix Version/s: 10.6.16, 10.10.7, 10.11.6, 11.0.4, 11.1.3

Type: Bug
Priority: Blocker
Reporter: Elena Stepanova
Assignee: Michael Widenius
Resolution: Fixed
Votes: 0
Labels: regression, rr-profile


Description

I have set it tentatively to blocker and regression, as very similar issues were observed and fixed during testing of MDEV-31957 – so similar in fact that I think one of the fixes made in bb-10.6-monty may have gotten lost while force-pushing or merging into main.

10.6 8bf17c579b9a2d8d2f3c611f4b22fa5edb8e117c

0x000055f5938ab1f1 in Alter_info::add_stat_drop_index (this=0x7f5c95976f90, thd=0x30c044000aa8, key_name=0x30c044014250) at /data/for_monty/10.6/sql/sql_alter.cc:343
343	      if (key_info->name.length &&
(rr) bt
#0  0x000055f5938ab1f1 in Alter_info::add_stat_drop_index (this=0x7f5c95976f90, thd=0x30c044000aa8, key_name=0x30c044014250) at /data/for_monty/10.6/sql/sql_alter.cc:343
#1  0x000055f5937ea3c3 in mysql_prepare_create_table (thd=0x30c044000aa8, create_info=0x7f5c95977100, alter_info=0x7f5c95976f90, db_options=0x7f5c9597628c, file=0x30c044014360, 
    key_info_buffer=0x7f5c95976bd0, key_count=0x7f5c95976bc4, create_table_mode=0) at /data/for_monty/10.6/sql/sql_table.cc:2904
#2  0x000055f5937ee059 in mysql_create_frm_image (thd=0x30c044000aa8, create_info=0x7f5c95977100, alter_info=0x7f5c95976f90, create_table_mode=0, key_info=0x7f5c95976bd0, key_count=0x7f5c95976bc4, 
    frm=0x7f5c95976c00) at /data/for_monty/10.6/sql/sql_table.cc:4094
#3  0x000055f5937eed3a in create_table_impl (thd=0x30c044000aa8, ddl_log_state_create=0x7f5c95976e90, ddl_log_state_rm=0x7f5c95976eb0, orig_db=..., orig_table_name=..., db=..., table_name=..., path=..., 
    options=..., create_info=0x7f5c95977100, alter_info=0x7f5c95976f90, create_table_mode=0, is_trans=0x7f5c95976e63, key_info=0x7f5c95976bd0, key_count=0x7f5c95976bc4, frm=0x7f5c95976c00)
    at /data/for_monty/10.6/sql/sql_table.cc:4408
#4  0x000055f5937ef2d0 in mysql_create_table_no_lock (thd=0x30c044000aa8, ddl_log_state_create=0x7f5c95976e90, ddl_log_state_rm=0x7f5c95976eb0, create_info=0x7f5c95977100, alter_info=0x7f5c95976f90, 
    is_trans=0x7f5c95976e63, create_table_mode=0, table_list=0x30c044013030) at /data/for_monty/10.6/sql/sql_table.cc:4533
#5  0x000055f5937f1251 in mysql_create_like_table (thd=0x30c044000aa8, table=0x30c044013030, src_table=0x30c0440137d0, create_info=0x7f5c959789e0) at /data/for_monty/10.6/sql/sql_table.cc:5210
#6  0x000055f59380532e in Sql_cmd_create_table_like::execute (this=0x30c044012fd0, thd=0x30c044000aa8) at /data/for_monty/10.6/sql/sql_table.cc:11995
#7  0x000055f593703856 in mysql_execute_command (thd=0x30c044000aa8, is_called_from_prepared_stmt=false) at /data/for_monty/10.6/sql/sql_parse.cc:6026
#8  0x000055f5937093f0 in mysql_parse (thd=0x30c044000aa8, rawbuf=0x30c044012ed0 "/* WRK-1 QNO 2007 */  CREATE TABLE IF NOT EXISTS r LIKE `alt_table_db`.`alt_t1`", length=79, parser_state=0x7f5c95979390)
    at /data/for_monty/10.6/sql/sql_parse.cc:8050
#9  0x000055f5936f5f74 in dispatch_command (command=COM_QUERY, thd=0x30c044000aa8, packet=0x30c04400ab29 "/* WRK-1 QNO 2007 */  CREATE TABLE IF NOT EXISTS r LIKE `alt_table_db`.`alt_t1`", 
    packet_length=79, blocking=true) at /data/for_monty/10.6/sql/sql_parse.cc:1896
#10 0x000055f5936f4995 in do_command (thd=0x30c044000aa8, blocking=true) at /data/for_monty/10.6/sql/sql_parse.cc:1410
#11 0x000055f5938a17de in do_handle_one_connection (connect=0x55f59782efd8, put_in_cache=true) at /data/for_monty/10.6/sql/sql_connect.cc:1416
#12 0x000055f5938a153f in handle_one_connection (arg=0x55f59782efd8) at /data/for_monty/10.6/sql/sql_connect.cc:1318
#13 0x000055f593dcb642 in pfs_spawn_thread (arg=0x55f5976794f8) at /data/for_monty/10.6/storage/perfschema/pfs.cc:2201
#14 0x000055f595b216ba in start_thread (arg=0x7f5c9597a700) at pthread_create.c:333
#15 0x00001d205aa7251d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109



Comments
Comment by Elena Stepanova [ 2023-10-15 ]

After the fix in 10.6 I am getting another failure (before the fix the test case was failing as in the description):

# Aria table with two POINT columns and a key on the first one
CREATE TABLE t (a POINT, b POINT, KEY(a)) ENGINE=Aria;
# Foreign key declaration on the Aria table, referencing its own second column
ALTER TABLE t ADD FOREIGN KEY (a) REFERENCES t (b);
# Copying the definition into a temporary table triggers the ASan report below
CREATE TEMPORARY TABLE tmp LIKE t;
 
# Cleanup
DROP TABLE t;

10.6 1c554459b382479cca3045b4cc6b5d1e3a858664

==3616486==ERROR: AddressSanitizer: use-after-poison on address 0x62b000086f48 at pc 0x56006e3e4c88 bp 0x7f1ebe081da0 sp 0x7f1ebe081d98
WRITE of size 8 at 0x62b000086f48 thread T5
    #0 0x56006e3e4c87 in mysql_prepare_create_table /data/src/10.6-bug/sql/sql_table.cc:2939
    #1 0x56006e3eee3b in mysql_create_frm_image(THD*, HA_CREATE_INFO*, Alter_info*, int, st_key**, unsigned int*, st_mysql_const_unsigned_lex_string*) /data/src/10.6-bug/sql/sql_table.cc:4094
    #2 0x56006e3f0c95 in create_table_impl /data/src/10.6-bug/sql/sql_table.cc:4407
    #3 0x56006e3f190a in mysql_create_table_no_lock(THD*, st_ddl_log_state*, st_ddl_log_state*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /data/src/10.6-bug/sql/sql_table.cc:4529
    #4 0x56006e3f6770 in mysql_create_like_table(THD*, TABLE_LIST*, TABLE_LIST*, Table_specification_st*) /data/src/10.6-bug/sql/sql_table.cc:5206
    #5 0x56006e429c2a in Sql_cmd_create_table_like::execute(THD*) /data/src/10.6-bug/sql/sql_table.cc:11995
    #6 0x56006e172f81 in mysql_execute_command(THD*, bool) /data/src/10.6-bug/sql/sql_parse.cc:6026
    #7 0x56006e1803a8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.6-bug/sql/sql_parse.cc:8050
    #8 0x56006e156047 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/10.6-bug/sql/sql_parse.cc:1896
    #9 0x56006e152d7b in do_command(THD*, bool) /data/src/10.6-bug/sql/sql_parse.cc:1409
    #10 0x56006e5c2cb1 in do_handle_one_connection(CONNECT*, bool) /data/src/10.6-bug/sql/sql_connect.cc:1416
    #11 0x56006e5c2672 in handle_one_connection /data/src/10.6-bug/sql/sql_connect.cc:1318
    #12 0x56006f2246eb in pfs_spawn_thread /data/src/10.6-bug/storage/perfschema/pfs.cc:2201
    #13 0x7f1ec58a7fd3 in start_thread nptl/pthread_create.c:442
    #14 0x7f1ec59285bb in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
 
0x62b000086f48 is located 7496 bytes inside of 24624-byte region [0x62b000085200,0x62b00008b230)
allocated by thread T5 here:
    #0 0x7f1ec64b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x56006fe2a0db in my_malloc /data/src/10.6-bug/mysys/my_malloc.c:91
    #2 0x56006fe06073 in reset_root_defaults /data/src/10.6-bug/mysys/my_alloc.c:156
    #3 0x56006e02a58c in THD::init_for_queries() /data/src/10.6-bug/sql/sql_class.cc:1413
    #4 0x56006e5c1f56 in prepare_new_connection_state(THD*) /data/src/10.6-bug/sql/sql_connect.cc:1245
    #5 0x56006e5c26f3 in thd_prepare_connection(THD*) /data/src/10.6-bug/sql/sql_connect.cc:1339
    #6 0x56006e5c2c0b in do_handle_one_connection(CONNECT*, bool) /data/src/10.6-bug/sql/sql_connect.cc:1406
    #7 0x56006e5c2672 in handle_one_connection /data/src/10.6-bug/sql/sql_connect.cc:1318
    #8 0x56006f2246eb in pfs_spawn_thread /data/src/10.6-bug/storage/perfschema/pfs.cc:2201
    #9 0x7f1ec58a7fd3 in start_thread nptl/pthread_create.c:442
 
Thread T5 created by T0 here:
    #0 0x7f1ec6449726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
    #1 0x56006f220426 in my_thread_create /data/src/10.6-bug/storage/perfschema/my_thread.h:52
    #2 0x56006f224ada in pfs_spawn_thread_v1 /data/src/10.6-bug/storage/perfschema/pfs.cc:2252
    #3 0x56006de4189b in inline_mysql_thread_create /data/src/10.6-bug/include/mysql/psi/mysql_thread.h:1139
    #4 0x56006de58b0a in create_thread_to_handle_connection(CONNECT*) /data/src/10.6-bug/sql/mysqld.cc:5995
    #5 0x56006de5911b in create_new_thread(CONNECT*) /data/src/10.6-bug/sql/mysqld.cc:6054
    #6 0x56006de59406 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.6-bug/sql/mysqld.cc:6116
    #7 0x56006de59d96 in handle_connections_sockets() /data/src/10.6-bug/sql/mysqld.cc:6240
    #8 0x56006de58387 in mysqld_main(int, char**) /data/src/10.6-bug/sql/mysqld.cc:5890
    #9 0x56006de409a8 in main /data/src/10.6-bug/sql/main.cc:34
    #10 0x7f1ec5846189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
 
SUMMARY: AddressSanitizer: use-after-poison /data/src/10.6-bug/sql/sql_table.cc:2939 in mysql_prepare_create_table
Shadow bytes around the buggy address:
  0x0c5680008d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5680008da0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5680008db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5680008dc0: 00 00 00 00 00 00 00 00 f7 00 00 00 00 00 00 00
  0x0c5680008dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5680008de0: 00 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7
  0x0c5680008df0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5680008e00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5680008e10: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5680008e20: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5680008e30: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3616486==ABORTING

Comment by Michael Widenius [ 2023-10-16 ]

Fixed

Comment by Elena Stepanova [ 2023-10-16 ]

monty,
Please note the comment above; it doesn't look like this one was fixed, as there are no additional commits in 10.6 as of now.

Comment by Michael Widenius [ 2023-10-16 ]

Pushed trivial fix

Generated at Thu Feb 08 10:31:26 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.