[MDEV-33167] ASAN errors in dict_sys_t::load_table / get_foreign_key_info after failing to load a table Created: 2024-01-03  Updated: 2024-01-03

Status: Open
Project: MariaDB Server
Component/s: Storage Engine - InnoDB
Affects Version/s: 10.6, 10.11, 11.0, 11.1, 11.2, 11.3
Fix Version/s: 10.6, 10.11, 11.0, 11.1, 11.2, 11.3

Type: Bug Priority: Critical
Reporter: Elena Stepanova Assignee: Sergei Golubchik
Resolution: Unresolved Votes: 0
Labels: regression


Description

--source include/have_innodb.inc
 
CREATE DATABASE db1;
CREATE DATABASE db2;
 
SET FOREIGN_KEY_CHECKS = OFF;
 
CREATE TABLE db1.t1 (a VARCHAR(8), FOREIGN KEY(a) REFERENCES test.t(f)) ENGINE=InnoDB DEFAULT CHARSET=utf8mb3;
CREATE TABLE db2.t2 (b VARCHAR(8), FOREIGN KEY(b) REFERENCES test.t(f)) ENGINE=InnoDB DEFAULT CHARSET=utf8mb3;
 
CREATE TABLE test.t (f VARCHAR(8) PRIMARY KEY) ENGINE=InnoDB DEFAULT CHARSET=latin1;
 
--source include/restart_mysqld.inc
 
ALTER TABLE db2.t2 FORCE;
 
# Cleanup
DROP DATABASE db1;
DROP DATABASE db2;
DROP TABLE t;

10.6 686865e112fa4840376745194349845f8d00a2a7

2024-01-03 16:06:33 3 [Warning] InnoDB: Load table `test`.`t` failed, the table has missing foreign key indexes. Turn off 'foreign_key_checks' and try again.
=================================================================
==3171533==ERROR: AddressSanitizer: heap-use-after-free on address 0x61c000021240 at pc 0x7fc17e64a731 bp 0x7fc16f6f5210 sp 0x7fc16f6f49c0
READ of size 7 at 0x61c000021240 thread T11
    #0 0x7fc17e64a730 in __interceptor_strlen ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:389
    #1 0x5649fe5bde23 in dict_sys_t::load_table(st_::span<char const> const&, dict_err_ignore_t) /data/bld/10.6-asan/storage/innobase/dict/dict0load.cc:2574
    #2 0x5649fe584894 in dict_table_open_on_name(char const*, bool, dict_err_ignore_t) /data/bld/10.6-asan/storage/innobase/dict/dict0dict.cc:1062
    #3 0x5649fdf29bc9 in get_foreign_key_info /data/bld/10.6-asan/storage/innobase/handler/ha_innodb.cc:15540
    #4 0x5649fdf2a1f7 in ha_innobase::get_foreign_key_list(THD*, List<st_foreign_key_info>*) /data/bld/10.6-asan/storage/innobase/handler/ha_innodb.cc:15603
    #5 0x5649fceeb8a2 in mysql_prepare_alter_table(THD*, TABLE*, HA_CREATE_INFO*, Alter_info*, Alter_table_ctx*) /data/bld/10.6-asan/sql/sql_table.cc:7874
    #6 0x5649fcefe1ae in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Recreate_info*, Alter_info*, unsigned int, st_order*, bool, bool) /data/bld/10.6-asan/sql/sql_table.cc:10135
    #7 0x5649fd0c518d in Sql_cmd_alter_table::execute(THD*) /data/bld/10.6-asan/sql/sql_alter.cc:675
    #8 0x5649fcc51410 in mysql_execute_command(THD*, bool) /data/bld/10.6-asan/sql/sql_parse.cc:6074
    #9 0x5649fcc5e914 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/10.6-asan/sql/sql_parse.cc:8100
    #10 0x5649fcc34349 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/10.6-asan/sql/sql_parse.cc:1896
    #11 0x5649fcc3107d in do_command(THD*, bool) /data/bld/10.6-asan/sql/sql_parse.cc:1409
    #12 0x5649fd0a6660 in do_handle_one_connection(CONNECT*, bool) /data/bld/10.6-asan/sql/sql_connect.cc:1415
    #13 0x5649fd0a6021 in handle_one_connection /data/bld/10.6-asan/sql/sql_connect.cc:1317
    #14 0x5649fdcfca05 in pfs_spawn_thread /data/bld/10.6-asan/storage/perfschema/pfs.cc:2201
    #15 0x7fc17dca8043 in start_thread nptl/pthread_create.c:442
    #16 0x7fc17dd2861b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
 
0x61c000021240 is located 448 bytes inside of 1752-byte region [0x61c000021080,0x61c000021758)
freed by thread T11 here:
    #0 0x7fc17e6b76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x5649fdf56753 in ut_allocator<unsigned char, true>::deallocate(unsigned char*, unsigned long) /data/bld/10.6-asan/storage/innobase/include/ut0new.h:424
    #2 0x5649fe148106 in mem_heap_block_free(mem_block_info_t*, mem_block_info_t*) /data/bld/10.6-asan/storage/innobase/mem/mem0mem.cc:416
    #3 0x5649fe5c57e4 in mem_heap_free /data/bld/10.6-asan/storage/innobase/include/mem0mem.inl:419
    #4 0x5649fe5c8a39 in dict_mem_table_free(dict_table_t*) /data/bld/10.6-asan/storage/innobase/dict/dict0mem.cc:234
    #5 0x5649fe58abfe in dict_sys_t::remove(dict_table_t*, bool, bool) /data/bld/10.6-asan/storage/innobase/dict/dict0dict.cc:1910
    #6 0x5649fe5bc894 in dict_load_table_one /data/bld/10.6-asan/storage/innobase/dict/dict0load.cc:2457
    #7 0x5649fe5bddbc in dict_sys_t::load_table(st_::span<char const> const&, dict_err_ignore_t) /data/bld/10.6-asan/storage/innobase/dict/dict0load.cc:2570
    #8 0x5649fe584894 in dict_table_open_on_name(char const*, bool, dict_err_ignore_t) /data/bld/10.6-asan/storage/innobase/dict/dict0dict.cc:1062
    #9 0x5649fdf29bc9 in get_foreign_key_info /data/bld/10.6-asan/storage/innobase/handler/ha_innodb.cc:15540
    #10 0x5649fdf2a1f7 in ha_innobase::get_foreign_key_list(THD*, List<st_foreign_key_info>*) /data/bld/10.6-asan/storage/innobase/handler/ha_innodb.cc:15603
    #11 0x5649fceeb8a2 in mysql_prepare_alter_table(THD*, TABLE*, HA_CREATE_INFO*, Alter_info*, Alter_table_ctx*) /data/bld/10.6-asan/sql/sql_table.cc:7874
    #12 0x5649fcefe1ae in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Recreate_info*, Alter_info*, unsigned int, st_order*, bool, bool) /data/bld/10.6-asan/sql/sql_table.cc:10135
    #13 0x5649fd0c518d in Sql_cmd_alter_table::execute(THD*) /data/bld/10.6-asan/sql/sql_alter.cc:675
    #14 0x5649fcc51410 in mysql_execute_command(THD*, bool) /data/bld/10.6-asan/sql/sql_parse.cc:6074
    #15 0x5649fcc5e914 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/10.6-asan/sql/sql_parse.cc:8100
    #16 0x5649fcc34349 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/10.6-asan/sql/sql_parse.cc:1896
    #17 0x5649fcc3107d in do_command(THD*, bool) /data/bld/10.6-asan/sql/sql_parse.cc:1409
    #18 0x5649fd0a6660 in do_handle_one_connection(CONNECT*, bool) /data/bld/10.6-asan/sql/sql_connect.cc:1415
    #19 0x5649fd0a6021 in handle_one_connection /data/bld/10.6-asan/sql/sql_connect.cc:1317
    #20 0x5649fdcfca05 in pfs_spawn_thread /data/bld/10.6-asan/storage/perfschema/pfs.cc:2201
    #21 0x7fc17dca8043 in start_thread nptl/pthread_create.c:442
 
previously allocated by thread T11 here:
    #0 0x7fc17e6b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x5649fdf5628b in ut_allocator<unsigned char, true>::allocate(unsigned long, unsigned char const*, unsigned int, bool, bool) /data/bld/10.6-asan/storage/innobase/include/ut0new.h:375
    #2 0x5649fe1473f7 in mem_heap_create_block_func(mem_block_info_t*, unsigned long, char const*, unsigned int, unsigned long) /data/bld/10.6-asan/storage/innobase/mem/mem0mem.cc:277
    #3 0x5649fe147d07 in mem_heap_add_block(mem_block_info_t*, unsigned long) /data/bld/10.6-asan/storage/innobase/mem/mem0mem.cc:378
    #4 0x5649fe5c5468 in mem_heap_alloc /data/bld/10.6-asan/storage/innobase/include/mem0mem.inl:193
    #5 0x5649fe5c7eda in dict_table_t::create(st_::span<char const> const&, fil_space_t*, unsigned long, unsigned long, unsigned long, unsigned long) /data/bld/10.6-asan/storage/innobase/dict/dict0mem.cc:173
    #6 0x5649fe5b9d29 in dict_load_table_low(mtr_t*, bool, unsigned char const*, dict_table_t**) /data/bld/10.6-asan/storage/innobase/dict/dict0load.cc:2213
    #7 0x5649fe5bbe4d in dict_load_table_one /data/bld/10.6-asan/storage/innobase/dict/dict0load.cc:2388
    #8 0x5649fe5bddbc in dict_sys_t::load_table(st_::span<char const> const&, dict_err_ignore_t) /data/bld/10.6-asan/storage/innobase/dict/dict0load.cc:2570
    #9 0x5649fe584894 in dict_table_open_on_name(char const*, bool, dict_err_ignore_t) /data/bld/10.6-asan/storage/innobase/dict/dict0dict.cc:1062
    #10 0x5649fdf29bc9 in get_foreign_key_info /data/bld/10.6-asan/storage/innobase/handler/ha_innodb.cc:15540
    #11 0x5649fdf2a1f7 in ha_innobase::get_foreign_key_list(THD*, List<st_foreign_key_info>*) /data/bld/10.6-asan/storage/innobase/handler/ha_innodb.cc:15603
    #12 0x5649fceeb8a2 in mysql_prepare_alter_table(THD*, TABLE*, HA_CREATE_INFO*, Alter_info*, Alter_table_ctx*) /data/bld/10.6-asan/sql/sql_table.cc:7874
    #13 0x5649fcefe1ae in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Recreate_info*, Alter_info*, unsigned int, st_order*, bool, bool) /data/bld/10.6-asan/sql/sql_table.cc:10135
    #14 0x5649fd0c518d in Sql_cmd_alter_table::execute(THD*) /data/bld/10.6-asan/sql/sql_alter.cc:675
    #15 0x5649fcc51410 in mysql_execute_command(THD*, bool) /data/bld/10.6-asan/sql/sql_parse.cc:6074
    #16 0x5649fcc5e914 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/10.6-asan/sql/sql_parse.cc:8100
    #17 0x5649fcc34349 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/10.6-asan/sql/sql_parse.cc:1896
    #18 0x5649fcc3107d in do_command(THD*, bool) /data/bld/10.6-asan/sql/sql_parse.cc:1409
    #19 0x5649fd0a6660 in do_handle_one_connection(CONNECT*, bool) /data/bld/10.6-asan/sql/sql_connect.cc:1415
    #20 0x5649fd0a6021 in handle_one_connection /data/bld/10.6-asan/sql/sql_connect.cc:1317
    #21 0x5649fdcfca05 in pfs_spawn_thread /data/bld/10.6-asan/storage/perfschema/pfs.cc:2201
    #22 0x7fc17dca8043 in start_thread nptl/pthread_create.c:442
 
Thread T11 created by T0 here:
    #0 0x7fc17e649726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
    #1 0x5649fdcf8740 in my_thread_create /data/bld/10.6-asan/storage/perfschema/my_thread.h:52
    #2 0x5649fdcfcdf4 in pfs_spawn_thread_v1 /data/bld/10.6-asan/storage/perfschema/pfs.cc:2252
    #3 0x5649fc91b8ab in inline_mysql_thread_create /data/bld/10.6-asan/include/mysql/psi/mysql_thread.h:1139
    #4 0x5649fc932b3b in create_thread_to_handle_connection(CONNECT*) /data/bld/10.6-asan/sql/mysqld.cc:6003
    #5 0x5649fc93314c in create_new_thread(CONNECT*) /data/bld/10.6-asan/sql/mysqld.cc:6062
    #6 0x5649fc933437 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/10.6-asan/sql/mysqld.cc:6124
    #7 0x5649fc933dc7 in handle_connections_sockets() /data/bld/10.6-asan/sql/mysqld.cc:6248
    #8 0x5649fc9323b8 in mysqld_main(int, char**) /data/bld/10.6-asan/sql/mysqld.cc:5898
    #9 0x5649fc91a9b8 in main /data/bld/10.6-asan/sql/main.cc:34
    #10 0x7fc17dc461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
 
SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:389 in __interceptor_strlen
Shadow bytes around the buggy address:
  0x0c387fffc1f0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c387fffc200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c387fffc210: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c387fffc220: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c387fffc230: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c387fffc240: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
  0x0c387fffc250: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c387fffc260: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c387fffc270: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c387fffc280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c387fffc290: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3171533==ABORTING

No obvious immediate effect on a non-debug build on my machine (but it may be a matter of luck).

The failure started happening after this merge in 10.6.15:

commit 5ea5291d97209ed90b6721d228cd5d24a1feeb58
Merge: 691e964d235 61acb43689d
Author: Oleksandr Byelkin
Date:   Wed Aug 2 20:20:50 2023 +0200
 
    Merge branch '10.5' into 10.6

I couldn't reproduce it on 10.5, but apparently the culprit was this:

commit da09ae05a9a744f184715e1eb35f2755681bd6b5
Author: Sergei Golubchik
Date:   Thu Jul 13 10:59:39 2023 +0200
 
    MDEV-18114 Foreign Key Constraint actions don't affect Virtual Column
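
What the trace shows, as an added example and not MariaDB's code: the freed block is the table's mem heap, allocated in dict_table_t::create() and freed through dict_sys_t::remove() -> dict_mem_table_free() when dict_load_table_one() gives up on the "missing foreign key indexes" condition, and the read is a strlen() in dict_sys_t::load_table() after that call has returned. The C program below models that shape with a bump-allocated arena per table. It assumes (the page does not show the source) that the dangling strings are names of related tables collected during the load and handed to the caller as pointers into the arena; the 7-byte read in the report is consistent with a six-character name plus its terminator but does not prove it. All function and type names are stand-ins. The copy_names flag switches between the borrowing pattern that produces the use-after-free and an owning copy; discarding the collected list whenever the load fails would be the other obvious hardening, and the page does not say which fix the project chose.

```c
/* Added example, not MariaDB code: a reduced model of the heap-use-after-free
 * in the ASAN report above. A table owns an arena (InnoDB's mem_heap_t);
 * strings from it are handed to the caller by pointer, then a failed load
 * frees the arena. Which strings load_table() reads is an assumption. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define ARENA_SIZE 512
#define MAX_NAMES 8

typedef struct {
    unsigned char *arena;   /* one block, freed together with the table */
    size_t used;
    char *name;             /* allocated from arena */
} table_t;

typedef struct {            /* related-table names handed back during a load */
    const char *ptr[MAX_NAMES];   /* borrowed: may point INTO a table's arena */
    int n;
} name_list_t;

static void *arena_alloc(table_t *t, size_t n)   /* bump allocator, like mem_heap_alloc */
{
    if (t->used + n > ARENA_SIZE) return NULL;
    t->used += n;
    return t->arena + t->used - n;
}

static char *put_str(char *dst, const char *s)   /* copy s into dst if dst != NULL */
{
    if (dst) memcpy(dst, s, strlen(s) + 1);
    return dst;
}

static void table_remove(table_t *t)   /* dict_sys_t::remove(): arena dies with the table */
{
    free(t->arena);
    free(t);
}

static table_t *table_create(const char *name)   /* dict_table_t::create(): metadata in own heap */
{
    table_t *t = calloc(1, sizeof *t);
    if (!t) return NULL;
    t->arena = malloc(ARENA_SIZE);
    t->name = t->arena ? put_str(arena_alloc(t, strlen(name) + 1), name) : NULL;
    if (t->name) return t;
    table_remove(t);   /* free(NULL) is harmless */
    return NULL;
}

/* Models dict_load_table_one(). copy_names == 0 hands back pointers into the
 * arena (the buggy pattern), 1 hands back owned copies. fk_ok == 0 models
 * "missing foreign key indexes": unless ignored, the table is removed. */
static table_t *load_table_one(const char *name, const char *const *refs, int nrefs,
                               int fk_ok, int ignore_err, name_list_t *out, int copy_names)
{
    table_t *t = table_create(name);
    if (!t) return NULL;
    for (int i = 0; i < nrefs && out->n < MAX_NAMES; i++) {
        size_t len = strlen(refs[i]) + 1;
        char *s = put_str(arena_alloc(t, len), refs[i]);
        if (s && copy_names) s = put_str(malloc(len), s);
        if (!s) break;
        out->ptr[out->n++] = s;
    }
    if (!fk_ok && !ignore_err) {
        table_remove(t);   /* with copy_names == 0, every out->ptr[] now dangles */
        return NULL;
    }
    return t;
}

/* Models dict_sys_t::load_table(): walks the collected names with strlen(),
 * the read at dict0load.cc:2574 in the trace. Returns the summed name length,
 * negated if the load failed. copy_names == 0 on a failing load IS the bug. */
static long load_table(const char *name, const char *const *refs, int nrefs,
                       int fk_ok, int ignore_err, int copy_names)
{
    name_list_t list = { {0}, 0 };
    table_t *t = load_table_one(name, refs, nrefs, fk_ok, ignore_err, &list, copy_names);
    long total = 0;
    for (int i = 0; i < list.n; i++) {
        total += (long)strlen(list.ptr[i]);   /* freed memory if borrowed and t == NULL */
        if (copy_names) free((char *)list.ptr[i]);
    }
    if (!t) return -total;
    table_remove(t);
    return total;
}

static long demo(int fk_ok, int ignore_err, int copy_names)   /* constructed input */
{
    const char *refs[] = { "db1/t1", "db2/t2" };   /* both reference test.t, as in the test case */
    return load_table("test/t", refs, 2, fk_ok, ignore_err, copy_names);
}

int main(void)
{
    printf("failing load, owned names: %ld\n", demo(0, 0, 1));   /* -12 */
    printf("errors ignored, borrowed:  %ld\n", demo(0, 1, 0));   /* 12 */
    return 0;
}
```

Run it under ASAN with copy_names forced to 0 on the failing path (demo(0, 0, 0)) and the report has the same shape as the one above: a READ inside strlen on a region freed from table_remove(). The three calls in main and the test deliberately avoid that combination.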


Generated at Thu Feb 08 10:36:53 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.