[MDEV-32523] ASAN errors or assertion failure in row_merge_buf_add Created: 2023-10-19  Updated: 2023-11-28

Status: Stalled
Project: MariaDB Server
Component/s: Storage Engine - InnoDB
Affects Version/s: 10.4, 10.5, 10.6, 10.10, 10.11, 11.0, 11.1, 11.2
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0, 11.1

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Thirunarayanan Balathandayuthapani
Resolution: Unresolved Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-32547 ALTER IGNORE TABLE only sometimes con... Open

Description

The two test cases below differ only in the length of the VARCHAR in the final ALTER: with VARCHAR(12289) the ALTER produces the AddressSanitizer error, with VARCHAR(256) it fails the assertion in row_merge_buf_add.

--source include/have_innodb.inc
 
CREATE TABLE t (a INT, b VARCHAR(16)) ENGINE=InnoDB;
INSERT INTO t (a) VALUES (1),(2);
ALTER TABLE t ALTER b SET DEFAULT '0';
ALTER IGNORE TABLE t MODIFY b VARCHAR(12289) NOT NULL;
 
# Cleanup
DROP TABLE t;

10.4 b1c8ea83

==1725987==ERROR: AddressSanitizer: unknown-crash on address 0x6190000dc0ce at pc 0x7f865ce4814b bp 0x7f8647b0c8e0 sp 0x7f8647b0c090
READ of size 12289 at 0x6190000dc0ce thread T27
    #0 0x7f865ce4814a in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
    #1 0x563a1941094b in mem_heap_dup(mem_block_info_t*, void const*, unsigned long) /data/src/10.4/storage/innobase/include/mem0mem.h:242
    #2 0x563a196fd846 in dfield_dup /data/src/10.4/storage/innobase/include/data0data.inl:173
    #3 0x563a1970a227 in row_merge_buf_add /data/src/10.4/storage/innobase/row/row0merge.cc:816
    #4 0x563a19715f0e in row_merge_read_clustered_index /data/src/10.4/storage/innobase/row/row0merge.cc:2323
    #5 0x563a19725973 in row_merge_build_indexes(trx_t*, dict_table_t*, dict_table_t*, bool, dict_index_t**, unsigned long const*, unsigned long, TABLE*, dtuple_t const*, unsigned long const*, unsigned long, ib_sequence_t&, bool, ut_stage_alter_t*, dict_add_v_col_t const*, TABLE*, bool) /data/src/10.4/storage/innobase/row/row0merge.cc:4697
    #6 0x563a1947c5c8 in ha_innobase::inplace_alter_table(TABLE*, Alter_inplace_info*) /data/src/10.4/storage/innobase/handler/handler0alter.cc:8746
    #7 0x563a184f2051 in handler::ha_inplace_alter_table(TABLE*, Alter_inplace_info*) /data/src/10.4/sql/handler.h:4355
    #8 0x563a184d3537 in mysql_inplace_alter_table /data/src/10.4/sql/sql_table.cc:7943
    #9 0x563a184e5cf0 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Recreate_info*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.4/sql/sql_table.cc:10471
    #10 0x563a1866ca47 in Sql_cmd_alter_table::execute(THD*) /data/src/10.4/sql/sql_alter.cc:531
    #11 0x563a18275d0e in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6218
    #12 0x563a18281588 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8012
    #13 0x563a18257817 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
    #14 0x563a18254386 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378
    #15 0x563a18653dd3 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1420
    #16 0x563a186536ea in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324
    #17 0x563a192c52f7 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
    #18 0x7f865c7c8fd3 in start_thread nptl/pthread_create.c:442
    #19 0x7f865c8495bb in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
 
0x6190000dc460 is located 0 bytes to the right of 992-byte region [0x6190000dc080,0x6190000dc460)
allocated by thread T27 here:
    #0 0x7f865ceb89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x563a19e0eece in my_malloc /data/src/10.4/mysys/my_malloc.c:101
    #2 0x563a19deb8f4 in alloc_root /data/src/10.4/mysys/my_alloc.c:258
    #3 0x563a19ded02c in strmake_root /data/src/10.4/mysys/my_alloc.c:488
    #4 0x563a18580dc3 in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /data/src/10.4/sql/table.cc:3800
    #5 0x563a180d24ed in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.4/sql/sql_base.cc:2114
    #6 0x563a184d3ca6 in mysql_inplace_alter_table /data/src/10.4/sql/sql_table.cc:8028
    #7 0x563a184e5cf0 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Recreate_info*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.4/sql/sql_table.cc:10471
    #8 0x563a1866ca47 in Sql_cmd_alter_table::execute(THD*) /data/src/10.4/sql/sql_alter.cc:531
    #9 0x563a18275d0e in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6218
    #10 0x563a18281588 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8012
    #11 0x563a18257817 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
    #12 0x563a18254386 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378
    #13 0x563a18653dd3 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1420
    #14 0x563a186536ea in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324
    #15 0x563a192c52f7 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
    #16 0x7f865c7c8fd3 in start_thread nptl/pthread_create.c:442
 
Thread T27 created by T0 here:
    #0 0x7f865ce49726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
    #1 0x563a192c56e4 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919
    #2 0x563a17f5ef89 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275
    #3 0x563a17f766b6 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6289
    #4 0x563a17f76e01 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6359
    #5 0x563a17f772cf in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6457
    #6 0x563a17f7817b in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6615
    #7 0x563a17f75e19 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5947
    #8 0x563a17f5d0b8 in main /data/src/10.4/sql/main.cc:25
    #9 0x7f865c767189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
 
SUMMARY: AddressSanitizer: unknown-crash ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
Shadow bytes around the buggy address:
  0x0c32800137c0: 00 00 00 00 00 00 00 00 00 f7 00 00 00 00 f7 04
  0x0c32800137d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c32800137e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 fa fa fa fa
  0x0c32800137f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280013800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c3280013810: 00 00 00 00 f7 02 f7 00 00[06]00 00 06 f7 00 00
  0x0c3280013820: 00 f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280013830: 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 00 00
  0x0c3280013840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280013850: 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 04
  0x0c3280013860: f7 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1725987==ABORTING

--source include/have_innodb.inc
 
CREATE TABLE t (a INT, b VARCHAR(16)) ENGINE=InnoDB;
INSERT INTO t (a) VALUES (1),(2);
ALTER TABLE t ALTER b SET DEFAULT '0';
ALTER IGNORE TABLE t MODIFY b VARCHAR(256) NOT NULL;
 
# Cleanup
DROP TABLE t;

mysqld: /data/src/10.4/storage/innobase/row/row0merge.cc:729: ulint row_merge_buf_add(row_merge_buf_t*, dict_index_t*, const dict_table_t*, const dict_table_t*, fts_psort_t*, dtuple_t*, const row_ext_t*, bool, doc_id_t*, mem_heap_t*, dberr_t*, mem_heap_t**, TABLE*, trx_t*): Assertion `len <= col->len || ((col->mtype) == 5 || (col->mtype) == 14)' failed.
231020  0:24:55 [ERROR] mysqld got signal 6 ;
 
#8  0x00007f31ad645395 in __assert_fail_base (fmt=0x7f31ad7b9a70 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x561ea19b8000 "len <= col->len || ((col->mtype) == 5 || (col->mtype) == 14)", file=file@entry=0x561ea19b7420 "/data/src/10.4/storage/innobase/row/row0merge.cc", line=line@entry=729, function=function@entry=0x561ea19b7e20 "ulint row_merge_buf_add(row_merge_buf_t*, dict_index_t*, const dict_table_t*, const dict_table_t*, fts_psort_t*, dtuple_t*, const row_ext_t*, bool, doc_id_t*, mem_heap_t*, dberr_t*, mem_heap_t**, TABL"...) at ./assert/assert.c:92
#9  0x00007f31ad653df2 in __GI___assert_fail (assertion=0x561ea19b8000 "len <= col->len || ((col->mtype) == 5 || (col->mtype) == 14)", file=0x561ea19b7420 "/data/src/10.4/storage/innobase/row/row0merge.cc", line=729, function=0x561ea19b7e20 "ulint row_merge_buf_add(row_merge_buf_t*, dict_index_t*, const dict_table_t*, const dict_table_t*, fts_psort_t*, dtuple_t*, const row_ext_t*, bool, doc_id_t*, mem_heap_t*, dberr_t*, mem_heap_t**, TABL"...) at ./assert/assert.c:101
#10 0x0000561ea06cb664 in row_merge_buf_add (buf=0x615000041d88, fts_index=0x0, old_table=0x618000033508, new_table=0x618000034508, psort_info=0x0, row=0x6310000b48b0, ext=0x0, history_fts=false, doc_id=0x7f319895b090, conv_heap=0x0, err=0x7f319895b030, v_heap=0x7f319895b070, my_table=0x7f319895f150, trx=0x7f31a555c908) at /data/src/10.4/storage/innobase/row/row0merge.cc:729
#11 0x0000561ea06d7f0f in row_merge_read_clustered_index (trx=0x7f31a555c908, table=0x7f319895f150, old_table=0x618000033508, new_table=0x618000034508, online=true, index=0x6190000dd710, fts_sort_idx=0x0, psort_info=0x0, files=0x603000037930, key_numbers=0x6190000dd720, n_index=1, defaults=0x6190000dd7a8, add_v=0x0, col_map=0x6190000dd860, add_autoinc=18446744073709551615, sequence=..., block=0x7f319841a000 "", skip_pk_sort=true, tmpfd=0x7f319895be80, stage=0x60700001c250, pct_cost=50, crypt_block=0x0, eval_table=0x7f319895f150, allow_not_null=true) at /data/src/10.4/storage/innobase/row/row0merge.cc:2323
#12 0x0000561ea06e7974 in row_merge_build_indexes (trx=0x7f31a555c908, old_table=0x618000033508, new_table=0x618000034508, online=true, indexes=0x6190000dd710, key_numbers=0x6190000dd720, n_indexes=1, table=0x7f319895f150, defaults=0x6190000dd7a8, col_map=0x6190000dd860, add_autoinc=18446744073709551615, sequence=..., skip_pk_sort=true, stage=0x60700001c250, add_v=0x0, eval_table=0x7f319895f150, allow_not_null=true) at /data/src/10.4/storage/innobase/row/row0merge.cc:4697
#13 0x0000561ea043e5c9 in ha_innobase::inplace_alter_table (this=0x61d000265ca8, altered_table=0x7f319895f150, ha_alter_info=0x7f319895d3e0) at /data/src/10.4/storage/innobase/handler/handler0alter.cc:8746
#14 0x0000561e9f4b4052 in handler::ha_inplace_alter_table (this=0x61d000265ca8, altered_table=0x7f319895f150, ha_alter_info=0x7f319895d3e0) at /data/src/10.4/sql/handler.h:4355
#15 0x0000561e9f495538 in mysql_inplace_alter_table (thd=0x62b00009a208, table_list=0x62b0000a1368, table=0x620000041088, altered_table=0x7f319895f150, ha_alter_info=0x7f319895d3e0, target_mdl_request=0x7f319895d600, alter_ctx=0x7f319895e660) at /data/src/10.4/sql/sql_table.cc:7943
#16 0x0000561e9f4a7cf1 in mysql_alter_table (thd=0x62b00009a208, new_db=0x62b00009ea10, new_name=0x62b00009ee78, create_info=0x7f3198960250, table_list=0x62b0000a1368, recreate_info=0x7f31989600b0, alter_info=0x7f3198960150, order_num=0, order=0x0, ignore=true) at /data/src/10.4/sql/sql_table.cc:10471
#17 0x0000561e9f62ea48 in Sql_cmd_alter_table::execute (this=0x62b0000a1bb8, thd=0x62b00009a208) at /data/src/10.4/sql/sql_alter.cc:531
#18 0x0000561e9f237d0f in mysql_execute_command (thd=0x62b00009a208) at /data/src/10.4/sql/sql_parse.cc:6218
#19 0x0000561e9f243589 in mysql_parse (thd=0x62b00009a208, rawbuf=0x62b0000a1228 "ALTER IGNORE TABLE t MODIFY b VARCHAR(256) NOT NULL", length=51, parser_state=0x7f3198962860, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:8012
#20 0x0000561e9f219818 in dispatch_command (command=COM_QUERY, thd=0x62b00009a208, packet=0x62900029e209 "ALTER IGNORE TABLE t MODIFY b VARCHAR(256) NOT NULL", packet_length=51, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1857
#21 0x0000561e9f216387 in do_command (thd=0x62b00009a208) at /data/src/10.4/sql/sql_parse.cc:1378
#22 0x0000561e9f615dd4 in do_handle_one_connection (connect=0x608000000ba8) at /data/src/10.4/sql/sql_connect.cc:1420
#23 0x0000561e9f6156eb in handle_one_connection (arg=0x608000000ba8) at /data/src/10.4/sql/sql_connect.cc:1324
#24 0x0000561ea02872f8 in pfs_spawn_thread (arg=0x615000006208) at /data/src/10.4/storage/perfschema/pfs.cc:1869
#25 0x00007f31ad6a7fd4 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#26 0x00007f31ad7285bc in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
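Both failures above come from the same mismatch: the copy in row_merge_buf_add uses the length of the new column (12289 or 256 bytes) while the default value it copies was allocated for the old column, and the assertion `len <= col->len || mtype == 5 || mtype == 14` catches the mismatch only for column types that are not exempted. The following C program is an added illustration of that invariant, written for this page and not taken from InnoDB or from this report: it models a column default whose buffer was sized for the old column, then performs the copy through a stand-in for dfield_dup that checks the length against both the declared column length and the real allocation. The struct, the function names and the `exempt` flag (which stands in for the two mtype values exempted in the assertion text) are the model's own assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of a column default carried from the old table definition to the
 * new one during an in-place ALTER (illustrative model, not InnoDB code).
 * The bytes were allocated for the OLD column, but the length that the
 * later copy uses is taken from the NEW column definition. */
struct col_default {
    unsigned char buf[32];   /* storage for a short default such as '0' */
    size_t        buf_size;  /* bytes actually allocated: old column length */
    size_t        len;       /* length the copy will use: new column length */
    size_t        col_len;   /* declared length of the column being written */
    int           exempt;    /* stands in for the mtype==5 || mtype==14 case */
};

enum dup_result {
    DUP_OK = 0,
    DUP_LEN_EXCEEDS_COLUMN = 1, /* the row_merge_buf_add assertion would fire */
    DUP_LEN_EXCEEDS_BUFFER = 2  /* the copy would read past the allocation (ASan) */
};

/* Bounds-checked stand-in for a dfield_dup-style copy. The first check is
 * the assertion's invariant; the second is the one that the assertion does
 * not provide and that the sanitizer report shows being violated. */
static enum dup_result checked_dup(const struct col_default *d,
                                   unsigned char *out, size_t out_size)
{
    if (!d->exempt && d->len > d->col_len)
        return DUP_LEN_EXCEEDS_COLUMN;
    if (d->len > d->buf_size || d->len > out_size)
        return DUP_LEN_EXCEEDS_BUFFER;
    memcpy(out, d->buf, d->len);
    return DUP_OK;
}

/* Simulate ALTER IGNORE TABLE t MODIFY b VARCHAR(new_len) on a column that
 * was VARCHAR(old_len) with the given default value (constructed inputs).
 * old_len must fit the model's fixed buffer. */
enum dup_result simulate_alter(size_t old_len, size_t new_len,
                               const char *value, int exempt)
{
    struct col_default d;
    unsigned char out[32];

    memset(&d, 0, sizeof d);
    if (old_len > sizeof d.buf || strlen(value) > old_len)
        return DUP_LEN_EXCEEDS_BUFFER;      /* outside what the model supports */
    memcpy(d.buf, value, strlen(value));    /* the default, e.g. '0' */
    d.buf_size = old_len;                   /* sized from the old column */
    d.len      = new_len;                   /* taken from the new column */
    d.col_len  = old_len;                   /* column the value is checked against */
    d.exempt   = exempt;
    return checked_dup(&d, out, sizeof out);
}

int main(void)
{
    /* Same default, same old column; only the new length differs. */
    printf("VARCHAR(16)   -> %d (0 = ok)\n",      simulate_alter(16, 16,    "0", 0));
    printf("VARCHAR(256)  -> %d (1 = assertion)\n", simulate_alter(16, 256,   "0", 0));
    printf("VARCHAR(12289)-> %d (2 = over-read)\n", simulate_alter(16, 12289, "0", 1));
    return 0;
}
```

The point of the second check in `checked_dup` is that a length assertion alone only protects the non-exempt column types; the copy also has to be bounded by the size of the source allocation, which is what the 992-byte region in the sanitizer report and the 12289-byte read reveal.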
Comments
Comment by Thirunarayanan Balathandayuthapani [ 2023-10-22 ]

Patch is in bb-10.6-MDEV-32523

Comment by Thirunarayanan Balathandayuthapani [ 2023-10-22 ]

Patch is in bb-10.4-MDEV-32523

Comment by Marko Mäkelä [ 2023-10-23 ]

While reviewing this, I was wondering if we should simplify this further:

diff --git a/storage/innobase/handler/handler0alter.cc b/storage/innobase/handler/handler0alter.cc
index 3e49ef5d29e..1add097f174 100644
--- a/storage/innobase/handler/handler0alter.cc
+++ b/storage/innobase/handler/handler0alter.cc
@@ -4558,7 +4558,8 @@ static void innobase_build_col_map_add(
 		return;
 	}
 
-	const Field& from = old_field ? *old_field : *field;
+	const Field& from = *field;
+
 	ulint	size	= from.pack_length();
 
 	byte*	buf	= static_cast<byte*>(mem_heap_alloc(heap, size));
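Review bot: replacing `const Field& from = old_field ? *old_field : *field;` with `const Field& from = *field;` changes which definition sizes the buffer whenever old_field is non-null: `ulint size = from.pack_length();` and the `mem_heap_alloc(heap, size)` that follows now use the new table's field instead of the old one, so for a column whose length was changed the buffer no longer matches the field the default was taken from, which is consistent with the result differences reported for innodb.alter_not_null and innodb.alter_not_null_debug. If dropping the old_field case is intended, the commit message should explain why the new field's pack_length is the right size here; the added blank `+` line after the assignment is also unneeded.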

When I tested this alternative fix, I got some result differences for the tests innodb.alter_not_null and innodb.alter_not_null_debug. This prompted me to file MDEV-32547.

I think that the submitted patch is good as is. We will probably have to revise this further, once the questions in MDEV-32547 have been answered.

Generated at Thu Feb 08 10:32:00 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.