[MDEV-32510] ASAN use-after-poison in online alter with rocksdb under SERIALIZABLE isolation level Created: 2023-10-18  Updated: 2023-11-20

Status: Open
Project: MariaDB Server
Component/s: Data Definition - Alter Table, Storage Engine - RocksDB
Affects Version/s: 11.2.1
Fix Version/s: 11.2

Type: Bug Priority: Major
Reporter: Nikita Malyavin Assignee: Nikita Malyavin
Resolution: Unresolved Votes: 0
Labels: None

Issue Links:
Problem/Incident
is caused by MDEV-16329 Engine-independent online ALTER TABLE Closed

 Description   

The failure happens with the RocksDB engine, so the server must be built with -DPLUGIN_ROCKSDB=YES.

# Reproduction as an mtr test case. Two connections are used: `default` runs the
# online ALTER, `con2` issues concurrent DML while the ALTER is paused.
install soname 'ha_rocksdb.so';
set default_storage_engine= rocksdb;
 
# Secondary key on b: the replayed DELETE is located by an index read
# (Rows_log_event::find_row -> ha_index_read_map in the ASAN trace), presumably
# through this key, as it is the only one on the table.
create table t1 (a int, b int, key(b));
 
--connection con2
insert into t1 values (1,1),(null,null),(3,3),(4,null),(null,5);
 
--connection default
 
# The isolation level is part of the trigger condition (see the issue title).
eval set session transaction isolation level SERIALIZABLE;
# Pause the online ALTER at the point where it has downgraded its lock: it
# signals 'downgraded' and then blocks until con2 signals 'goalters'.
set debug_sync= "alter_table_online_downgraded signal downgraded wait_for goalters";
 
# Sent asynchronously so that con2 can run while the ALTER is blocked;
# the result is collected with --reap below.
send alter table t1 force, algorithm=copy;
 
--connection con2
# Concurrent DML issued while the ALTER is paused. The online ALTER later
# replays it from its binlog cache (online_alter_read_from_binlog ->
# Delete_rows_log_event::do_exec_row in the trace); the poisoned read is hit
# while packing the index tuple for that replayed DELETE.
set debug_sync= "now wait_for downgraded";
delete from t1 where b is null;
set debug_sync= "now signal goalters";
 
--connection default
--reap
drop table t1;
 
set debug_sync= reset;

ASAN output (the faulting read in Rdb_field_packing::get_field_in_table lands 1024 bytes into a 1040-byte MEM_ROOT region allocated by alloc_root in open_table_from_share for the ALTER's temporary table; the shadow byte f7 means "poisoned by user", i.e. memory the MEM_ROOT has marked unusable rather than memory freed by the allocator):

==361875==ERROR: AddressSanitizer: use-after-poison on address 0x61900038fd80 at pc 0x7faf65e853b2 bp 0x7faf68478600 sp 0x7faf684785f8
READ of size 8 at 0x61900038fd80 thread T33
    #0 0x7faf65e853b1 in myrocks::Rdb_field_packing::get_field_in_table(TABLE const*) const /home/nik/mariadb/storage/rocksdb/rdb_datadic.cc:3500:33
    #1 0x7faf65e93008 in myrocks::Rdb_key_def::pack_record(TABLE const*, unsigned char*, unsigned char const*, unsigned char*, myrocks::Rdb_string_writer*, bool, long long, unsigned int, unsigned int*, char const*) const /home/nik/mariadb/storage/rocksdb/rdb_datadic.cc:1378:41
    #2 0x7faf65e92327 in myrocks::Rdb_key_def::pack_index_tuple(TABLE*, unsigned char*, unsigned char*, unsigned char*, unsigned char const*, unsigned long const&) const /home/nik/mariadb/storage/rocksdb/rdb_datadic.cc:1024:10
    #3 0x7faf65c6c714 in myrocks::ha_rocksdb::index_read_map_impl(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function, st_key_range const*) /home/nik/mariadb/storage/rocksdb/ha_rocksdb.cc:8579:22
    #4 0x7faf65c6deab in myrocks::ha_rocksdb::index_read_map(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /home/nik/mariadb/storage/rocksdb/ha_rocksdb.cc:8491:3
    #5 0x560a8fd46b4e in handler::ha_index_read_map(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /home/nik/mariadb/sql/handler.cc:3676:3
    #6 0x560a902ef111 in Rows_log_event::find_row(rpl_group_info*) /home/nik/mariadb/sql/log_event_server.cc:7558:25
    #7 0x560a902f1966 in Delete_rows_log_event::do_exec_row(rpl_group_info*) /home/nik/mariadb/sql/log_event_server.cc:7786:7
    #8 0x560a902d3c09 in Rows_log_event::do_apply_event(rpl_group_info*) /home/nik/mariadb/sql/log_event_server.cc:5139:14
    #9 0x560a90279fba in Log_event::apply_event(rpl_group_info*) /home/nik/mariadb/sql/log_event.cc:3875:8
    #10 0x560a90c3258d in online_alter_read_from_binlog(THD*, rpl_group_info*, Cache_flip_event_log*, unsigned long long*) /home/nik/mariadb/sql/sql_table.cc:11742:16
    #11 0x560a90c1d49f in copy_data_between_tables(THD*, TABLE*, TABLE*, List<Create_field>&, bool, unsigned int, st_order*, unsigned long long*, unsigned long long*, Alter_info::enum_enable_or_disable, Alter_table_ctx*, bool, unsigned long long) /home/nik/mariadb/sql/sql_table.cc:12171:12
    #12 0x560a90bfc9c4 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, TABLE_LIST*, Recreate_info*, Alter_info*, unsigned int, st_order*, bool, bool) /home/nik/mariadb/sql/sql_table.cc:11201:9
    #13 0x560a90ea9985 in Sql_cmd_alter_table::execute(THD*) /home/nik/mariadb/sql/sql_alter.cc:615:11
    #14 0x560a90852c89 in mysql_execute_command(THD*, bool) /home/nik/mariadb/sql/sql_parse.cc:5775:26
    #15 0x560a90831a9a in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/nik/mariadb/sql/sql_parse.cc:7810:18
    #16 0x560a9082b4ed in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/nik/mariadb/sql/sql_parse.cc:1893:7
    #17 0x560a908338c9 in do_command(THD*, bool) /home/nik/mariadb/sql/sql_parse.cc:1406:17
    #18 0x560a90e80995 in do_handle_one_connection(CONNECT*, bool) /home/nik/mariadb/sql/sql_connect.cc:1445:11
    #19 0x560a90e8013e in handle_one_connection /home/nik/mariadb/sql/sql_connect.cc:1347:5
    #20 0x560a91767e68 in pfs_spawn_thread /home/nik/mariadb/storage/perfschema/pfs.cc:2201:3
    #21 0x7faf96c679ea  (/usr/lib/libc.so.6+0x8c9ea) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658)
    #22 0x7faf96ceb7cb  (/usr/lib/libc.so.6+0x1107cb) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658)
 
0x61900038fd80 is located 1024 bytes inside of 1040-byte region [0x61900038f980,0x61900038fd90)
allocated by thread T33 here:
    #0 0x560a8fa80639 in malloc (/home/nik/mariadb/bld/sql/mariadbd+0x1ef8639) (BuildId: 61f2f0aa5846429700a393caa97e17ef66f1d08e)
    #1 0x560a9268a406 in my_malloc /home/nik/mariadb/mysys/my_malloc.c:89:29
    #2 0x560a92658545 in root_alloc /home/nik/mariadb/mysys/my_alloc.c:71:10
    #3 0x560a92659b29 in alloc_root /home/nik/mariadb/mysys/my_alloc.c:339:29
    #4 0x560a9265c634 in strmake_root /home/nik/mariadb/mysys/my_alloc.c:598:12
    #5 0x560a90d1ff49 in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /home/nik/mariadb/sql/table.cc:4270:20
    #6 0x560a9125d8b2 in THD::open_temporary_table(TMP_TABLE_SHARE*, char const*) /home/nik/mariadb/sql/temporary_tables.cc:1135:7
    #7 0x560a9125c19c in THD::create_and_open_tmp_table(st_mysql_const_unsigned_lex_string*, char const*, char const*, char const*, bool) /home/nik/mariadb/sql/temporary_tables.cc:74:12
    #8 0x560a90bfb94e in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, TABLE_LIST*, Recreate_info*, Alter_info*, unsigned int, st_order*, bool, bool) /home/nik/mariadb/sql/sql_table.cc:11115:19
    #9 0x560a90ea9985 in Sql_cmd_alter_table::execute(THD*) /home/nik/mariadb/sql/sql_alter.cc:615:11
    #10 0x560a90852c89 in mysql_execute_command(THD*, bool) /home/nik/mariadb/sql/sql_parse.cc:5775:26
    #11 0x560a90831a9a in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/nik/mariadb/sql/sql_parse.cc:7810:18
    #12 0x560a9082b4ed in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/nik/mariadb/sql/sql_parse.cc:1893:7
    #13 0x560a908338c9 in do_command(THD*, bool) /home/nik/mariadb/sql/sql_parse.cc:1406:17
    #14 0x560a90e80995 in do_handle_one_connection(CONNECT*, bool) /home/nik/mariadb/sql/sql_connect.cc:1445:11
    #15 0x560a90e8013e in handle_one_connection /home/nik/mariadb/sql/sql_connect.cc:1347:5
    #16 0x560a91767e68 in pfs_spawn_thread /home/nik/mariadb/storage/perfschema/pfs.cc:2201:3
    #17 0x7faf96c679ea  (/usr/lib/libc.so.6+0x8c9ea) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658)
 
Thread T33 created by T0 here:
    #0 0x560a8f9b92f8 in pthread_create (/home/nik/mariadb/bld/sql/mariadbd+0x1e312f8) (BuildId: 61f2f0aa5846429700a393caa97e17ef66f1d08e)
    #1 0x560a9176843c in my_thread_create(unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /home/nik/mariadb/storage/perfschema/my_thread.h:52:10
    #2 0x560a917683cb in pfs_spawn_thread_v1 /home/nik/mariadb/storage/perfschema/pfs.cc:2252:15
    #3 0x560a903180e2 in inline_mysql_thread_create(unsigned int, unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /home/nik/mariadb/include/mysql/psi/mysql_thread.h:1139:11
    #4 0x560a90327b99 in create_thread_to_handle_connection(CONNECT*) /home/nik/mariadb/sql/mysqld.cc:6169:19
    #5 0x560a9032848b in create_new_thread(CONNECT*) /home/nik/mariadb/sql/mysqld.cc:6231:3
    #6 0x560a90328b4d in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/nik/mariadb/sql/mysqld.cc:6293:5
    #7 0x560a9032661b in handle_connections_sockets() /home/nik/mariadb/sql/mysqld.cc:6417:9
    #8 0x560a9031ba31 in mysqld_main(int, char**) /home/nik/mariadb/sql/mysqld.cc:6064:3
    #9 0x560a8facb161 in main /home/nik/mariadb/sql/main.cc:34:10
    #10 0x7faf96c02ccf  (/usr/lib/libc.so.6+0x27ccf) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658)
 
SUMMARY: AddressSanitizer: use-after-poison /home/nik/mariadb/storage/rocksdb/rdb_datadic.cc:3500:33 in myrocks::Rdb_field_packing::get_field_in_table(TABLE const*) const
Shadow bytes around the buggy address:
  0x61900038fb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x61900038fb80: f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x61900038fc00: 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 00
  0x61900038fc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x61900038fd00: 00 00 00 f7 00 00 00 00 f7 f7 00 00 00 04 f7 f7
=>0x61900038fd80:[f7]f7 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x61900038fe00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x61900038fe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x61900038ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x61900038ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x619000390000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

