  2. MDEV-12350

Heap corruption, overrun buffer, ASAN errors, server crash in my_fill_8bit / filesort


    Details

    • Sprint:
      10.1.30

      Description

      Examples of outcomes from the test case below (recommended for debugging) and also from the unsimplified attached test case. In all cases the problems were observed when the tests were run via MTR.

      MTR test case

      # MTR reproducer for the filesort heap overrun reported in this issue.
      # The traces below locate the out-of-bounds write while filesort builds the
      # sort keys for the GROUP BY (make_sortkey -> Item_func_space::val_str ->
      # my_fill_8bit in the 10.1 ASAN report). The non-ASAN builds only notice the
      # damage later: when the sort buffer is freed (5.5 heap check, 10.0
      # "Freeing overrun buffer"), or - in the 10.2 trace - on a later malloc()
      # during an unrelated LOAD DATA, which is presumably a delayed symptom of
      # the same corruption.
      #
      # This setting is in fact among MTR's settings which override defaults
      # (256 KiB). The 10.0 trace shows the overrun buffer is the filesort buffer
      # (allocated at filesort_utils.cc:102 via filesort.cc:271), so the sort
      # buffer size is part of the trigger; whether other sizes also reproduce it
      # is not shown here.
      SET sort_buffer_size=256*1024;
       
      # Non-NULL values range from 1900 to 2034, so SPACE(c) below yields strings
      # of up to 2034 bytes; the 2030-byte WRITE in the ASAN report presumably is
      # SPACE(2030) being written past the end of the sort buffer.
      CREATE TABLE t1 (c INT) ENGINE=MyISAM;
      INSERT INTO t1 VALUES 
        (2011),(1977),(1982),(2027),(2023),(NULL),(NULL),(2004),(1974),(2032),
        (1993),(NULL),(1995),(2034),(NULL),(2009),(1900),(NULL),(2025),(1900),
        (2033),(1900),(2012),(NULL),(2009),(1992),(1974),(1974),(2012),(2028),
        (2007),(2012),(1900),(1983),(1900),(2010),(1987),(1994),(1981),(2032),
        (2010),(1989),(2014),(1900),(1900),(1976),(1978),(2007),(2030),(NULL),
        (2002),(1997),(1900),(NULL),(2000),(2027),(1975),(2026),(1975),(2026),
        (2029),(1977),(1900),(1900),(2031),(1993),(1986),(2012),(1979),(2013),
        (1994),(2014),(2025),(2006),(1971),(1974),(2021),(2011),(NULL),(1991),
        (2001),(1977),(2023),(2012),(1900),(1978),(1998),(NULL),(1988),(1999),
        (2017),(2008),(1976),(1900),(2005),(2030),(2023),(1900),(1978),(1990),
        (1978),(1987),(2030),(1900),(2034),(2006),(2015),(2001),(2019),(2024),
        (2030),(1989),(1997),(2007),(2023),(1994),(1971),(2011),(2011),(2015),
        (1984),(1978),(1979),(1989),(2008),(2030);
        
      # GROUP BY on function results WITH ROLLUP is executed through
      # create_sort_index -> filesort -> find_all_keys -> make_sortkey (see the
      # traces); that is where the sort key for SPACE(c) overruns the buffer.
      # ExtractValue(...) is part of the minimal reproducer as reported; its role
      # is not visible in the traces - TODO confirm whether it is required.
      SELECT ExtractValue('<a></a>','/a') AS f1, SPACE(c) AS f2 FROM t1 GROUP BY f1, f2 WITH ROLLUP;
       
      # Cleanup
      DROP TABLE t1;
      

      5.5 577915def8d

      	HEAP CORRUPTION DETECTED: after Normal block (#3950104) at 0x0000008BDF205700.
      CRT detected that the application wrote to memory after end of heap buffer.
       
       	ntdll.dll!RtlReportCriticalFailure()	Unknown
       	ntdll.dll!RtlpHeapHandleError()	Unknown
       	ntdll.dll!RtlpLogHeapFailure()	Unknown
       	ntdll.dll!RtlpFreeHeap()	Unknown
       	ntdll.dll!RtlFreeHeap()	Unknown
       	AcLayers.dll!00007ffb290a8185()	Unknown
       	mysqld.exe!_free_base(void * block) Line 107	C++
       	mysqld.exe!free_dbg_nolock(void * const block, const int block_use) Line 987	C++
       	mysqld.exe!_free_dbg(void * block, int block_use) Line 1011	C++
       	mysqld.exe!free(void * block) Line 20	C++
      >	mysqld.exe!my_free(void * ptr) Line 120	C
       	mysqld.exe!filesort(THD * thd, TABLE * table, st_sort_field * sortorder, unsigned int s_length, SQL_SELECT * select, unsigned __int64 max_rows, bool sort_positions, unsigned __int64 * examined_rows) Line 320	C++
       	mysqld.exe!create_sort_index(THD * thd, JOIN * join, st_order * order, unsigned __int64 filesort_limit, unsigned __int64 select_limit, bool is_order_by) Line 19937	C++
       	mysqld.exe!JOIN::init_execution() Line 1893	C++
       	mysqld.exe!JOIN::exec() Line 2407	C++
       	mysqld.exe!mysql_select(THD * thd, Item * * * rref_pointer_array, TABLE_LIST * tables, unsigned int wild_num, List<Item> & fields, Item * conds, unsigned int og_num, st_order * order, st_order * group, Item * having, st_order * proc_param, unsigned __int64 select_options, select_result * result, st_select_lex_unit * unit, st_select_lex * select_lex) Line 3101	C++
       	mysqld.exe!handle_select(THD * thd, LEX * lex, select_result * result, unsigned long setup_tables_done_option) Line 307	C++
       	mysqld.exe!execute_sqlcom_select(THD * thd, TABLE_LIST * all_tables) Line 4686	C++
       	mysqld.exe!mysql_execute_command(THD * thd) Line 2234	C++
       	mysqld.exe!mysql_parse(THD * thd, char * rawbuf, unsigned int length, Parser_state * parser_state) Line 5931	C++
       	mysqld.exe!dispatch_command(enum_server_command command, THD * thd, char * packet, unsigned int packet_length) Line 1081	C++
       	mysqld.exe!do_command(THD * thd) Line 793	C++
       	mysqld.exe!threadpool_process_request(THD * thd) Line 233	C++
       	mysqld.exe!io_completion_callback(_TP_CALLBACK_INSTANCE * instance, void * context, void * overlapped, unsigned long io_result, unsigned __int64 nbytes, _TP_IO * io) Line 568	C++
       	[External Code]	
      

      10.1 644ffdeb9290a5 ASAN build

      ==17588==ERROR: AddressSanitizer: unknown-crash on address 0x7f625dc69cc7 at pc 0x55c0a2e247de bp 0x7f625df68f40 sp 0x7f625df68f38
      WRITE of size 2030 at 0x7f625dc69cc7 thread T6
          #0 0x55c0a2e247dd in my_fill_8bit /data/src/10.1-asan/strings/ctype-simple.c:1081
          #1 0x55c0a2138a9f in Item_func_space::val_str(String*) /data/src/10.1-asan/sql/item_strfunc.cc:3059
          #2 0x55c0a18fe53c in Item::str_result(String*) /data/src/10.1-asan/sql/item.h:1034
          #3 0x55c0a1f9ccb5 in make_sortkey /data/src/10.1-asan/sql/filesort.cc:1002
          #4 0x55c0a1fa1b53 in find_all_keys /data/src/10.1-asan/sql/filesort.cc:840
          #5 0x55c0a1fa1b53 in filesort(THD*, TABLE*, st_sort_field*, unsigned int, SQL_SELECT*, unsigned long long, bool, unsigned long long*, unsigned long long*, Filesort_tracker*) /data/src/10.1-asan/sql/filesort.cc:301
          #6 0x55c0a1b90e05 in create_sort_index /data/src/10.1-asan/sql/sql_select.cc:21588
          #7 0x55c0a1bb6fd6 in JOIN::exec_inner() /data/src/10.1-asan/sql/sql_select.cc:3195
          #8 0x55c0a1bb872c in JOIN::exec() /data/src/10.1-asan/sql/sql_select.cc:2512
          #9 0x55c0a1bacf85 in mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.1-asan/sql/sql_select.cc:3449
          #10 0x55c0a1bad773 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.1-asan/sql/sql_select.cc:384
          #11 0x55c0a1a7f978 in execute_sqlcom_select /data/src/10.1-asan/sql/sql_parse.cc:5905
          #12 0x55c0a1a9926e in mysql_execute_command(THD*) /data/src/10.1-asan/sql/sql_parse.cc:2975
          #13 0x55c0a1ab0b46 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.1-asan/sql/sql_parse.cc:7326
          #14 0x55c0a1ab7347 in dispatch_command(enum_server_command, THD*, char*, unsigned int) /data/src/10.1-asan/sql/sql_parse.cc:1477
          #15 0x55c0a1abd8fa in do_command(THD*) /data/src/10.1-asan/sql/sql_parse.cc:1106
          #16 0x55c0a1d6007c in do_handle_one_connection(THD*) /data/src/10.1-asan/sql/sql_connect.cc:1349
          #17 0x55c0a1d6058d in handle_one_connection /data/src/10.1-asan/sql/sql_connect.cc:1261
          #18 0x55c0a2621ab0 in pfs_spawn_thread /data/src/10.1-asan/storage/perfschema/pfs.cc:1861
          #19 0x7f626a6cc493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
          #20 0x7f6268a8593e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
       
      0x7f625dc6a0d4 is located 0 bytes to the right of 260308-byte region [0x7f625dc2a800,0x7f625dc6a0d4)
      allocated by thread T6 here:
          #0 0x7f626a93673f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
          #1 0x55c0a2de8abe in sf_malloc /data/src/10.1-asan/mysys/safemalloc.c:115
          #2 0x55c0a2ee161a (/data/src/10.1-asan/sql/mysqld+0x1d7f61a)
       
      Thread T6 created by T0 here:
          #0 0x7f626a905bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x55c0a262d307 in spawn_thread_v1 /data/src/10.1-asan/storage/perfschema/pfs.cc:1911
       
      SUMMARY: AddressSanitizer: unknown-crash /data/src/10.1-asan/strings/ctype-simple.c:1081 my_fill_8bit
      Shadow bytes around the buggy address:
        0x0feccbb85340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0feccbb85350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0feccbb85360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0feccbb85370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0feccbb85380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0feccbb85390: 00 00 00 00 00 00 00 00[00]00 00 00 00 00 00 00
        0x0feccbb853a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0feccbb853b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0feccbb853c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0feccbb853d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0feccbb853e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Contiguous container OOB:fc
        ASan internal:           fe
      ==17588==ABORTING
      

      10.0 c3592ca7b886 debug

      Error: Freeing overrun buffer  mysys/safemalloc.c:191, mysys/my_malloc.c:218, sql/filesort_utils.cc:120, sql/table.h:361, sql/filesort.cc:370, sql/sql_select.cc:20957, sql/sql_select.cc:3058, sql/sql_select.cc:2381
      Allocated at sql/filesort_utils.cc:102, sql/table.h:352, sql/filesort.cc:271, sql/sql_select.cc:20957, sql/sql_select.cc:3058, sql/sql_select.cc:2381, sql/sql_select.cc:3320, sql/sql_select.cc:373
      

      10.2 58e0dcb93dc2b2bf4

      #3  <signal handler called>
      #4  0x00007f57268bf411 in _int_malloc () from /lib/x86_64-linux-gnu/libc.so.6
      #5  0x00007f57268c0d84 in malloc () from /lib/x86_64-linux-gnu/libc.so.6
      #6  0x000055ff6081b794 in sf_malloc (size=131072, my_flags=0) at /data/src/10.2-bug/mysys/safemalloc.c:118
      #7  0x000055ff60808d61 in my_malloc (size=131072, my_flags=0) at /data/src/10.2-bug/mysys/my_malloc.c:101
      #8  0x000055ff607e98d7 in init_io_cache (info=0x7f571004a858, file=56, cachesize=131072, type=WRITE_CACHE, seek_offset=0, use_async_io=1 '\001', cache_myflags=0) at /data/src/10.2-bug/mysys/mf_iocache.c:243
      #9  0x000055ff6077d3ae in mi_extra (info=0x7f571004a640, function=HA_EXTRA_WRITE_CACHE, extra_arg=0x7f5720b4be50) at /data/src/10.2-bug/storage/myisam/mi_extra.c:138
      #10 0x000055ff6075a3ab in ha_myisam::start_bulk_insert (this=0x7f5710110c78, rows=0, flags=0) at /data/src/10.2-bug/storage/myisam/ha_myisam.cc:1662
      #11 0x000055ff5fe20a2d in handler::ha_start_bulk_insert (this=0x7f5710110c78, rows=0, flags=0) at /data/src/10.2-bug/sql/handler.h:2891
      #12 0x000055ff6024f9d3 in mysql_load (thd=0x7f5710000b00, ex=0x7f57100126d8, table_list=0x7f5710012770, fields_vars=..., set_fields=..., set_values=..., handle_duplicates=DUP_ERROR, ignore=false, read_file_from_client=false) at /data/src/10.2-bug/sql/sql_load.cc:590
      #13 0x000055ff5fe3f398 in mysql_execute_command (thd=0x7f5710000b00) at /data/src/10.2-bug/sql/sql_parse.cc:4805
      #14 0x000055ff5fe48ae4 in mysql_parse (thd=0x7f5710000b00, rawbuf=0x7f5710012448 "load data infile '/data/src/10.2-bug/mysql-test/var/log/mysqld.1.err.warnings' into table error_log\nfields terminated by 'xykls37' escaped by ''\n  ignore 1 lines\n(line)\nset file_name='/data/src/10.2-b"..., length=235, parser_state=0x7f5720b4d200, is_com_multi=false, is_next_command=false) at /data/src/10.2-bug/sql/sql_parse.cc:7861
      #15 0x000055ff5fe36aa0 in dispatch_command (command=COM_QUERY, thd=0x7f5710000b00, packet=0x7f5710170581 "load data infile '/data/src/10.2-bug/mysql-test/var/log/mysqld.1.err.warnings' into table error_log\nfields terminated by 'xykls37' escaped by ''\n  ignore 1 lines\n(line)\nset file_name='/data/src/10.2-b"..., packet_length=235, is_com_multi=false, is_next_command=false) at /data/src/10.2-bug/sql/sql_parse.cc:1805
      #16 0x000055ff5fe353fe in do_command (thd=0x7f5710000b00) at /data/src/10.2-bug/sql/sql_parse.cc:1360
      #17 0x000055ff5ff82845 in do_handle_one_connection (connect=0x55ff61fde320) at /data/src/10.2-bug/sql/sql_connect.cc:1354
      #18 0x000055ff5ff825d2 in handle_one_connection (arg=0x55ff61fde320) at /data/src/10.2-bug/sql/sql_connect.cc:1260
      #19 0x000055ff6039fae8 in pfs_spawn_thread (arg=0x55ff61fc0f60) at /data/src/10.2-bug/storage/perfschema/pfs.cc:1863
      #20 0x00007f5728548494 in start_thread (arg=0x7f5720b4e700) at pthread_create.c:333
      #21 0x00007f572692e93f in clone () from /lib/x86_64-linux-gnu/libc.so.6
      


            People

            Assignee:
            varun Varun Gupta
            Reporter:
            elenst Elena Stepanova
