[MDEV-14758] [Draft] AddressSanitizer: heap-use-after-free in Field_timestampf::cmp - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Duplicate
Affects Version/s: N/A
Fix Version/s: N/A
Component/s: Partitioning, Versioned Tables
Labels:
None

Description

Draft test case is below. The test case is seemingly deterministic, however the failure is sporadic.It's likely to be another representation of already filed versioning bugs, need to wait till they are fixed to re-verify.

bb-10.3-temporal ASAN ea49441c416347
==17559==ERROR: AddressSanitizer: heap-use-after-free on address 0x629000494030 at pc 0x55dfbd589d25 bp 0x7f2a53a3ca60 sp 0x7f2a53a3ca58
READ of size 7 at 0x629000494030 thread T33
#0 0x55dfbd589d24 in Field_timestampf::cmp(unsigned char const, unsigned char const) /data/src/bb-10.3-temporal/sql/field.h:2650
#1 0x55dfbd1dac10 in partition_info_compare_column_values /data/src/bb-10.3-temporal/sql/partition_info.cc:1693
#2 0x55dfbd1dac88 in partition_info::compare_column_values(void const, void const) /data/src/bb-10.3-temporal/sql/partition_info.cc:1704
#3 0x55dfbd1da09f in partition_info::check_range_constants(THD*, bool) /data/src/bb-10.3-temporal/sql/partition_info.cc:1554
#4 0x55dfbd1de1c1 in partition_info::check_partition_info(THD, handlerton, handler, HA_CREATE_INFO*, bool) /data/src/bb-10.3-temporal/sql/partition_info.cc:2181
#5 0x55dfbda16d2a in prep_alter_part_table(THD, TABLE, Alter_info, HA_CREATE_INFO, Alter_table_ctx, bool, bool*) /data/src/bb-10.3-temporal/sql/sql_partition.cc:5437
#6 0x55dfbd0e97ce in mysql_alter_table(THD, char const, char const, HA_CREATE_INFO, TABLE_LIST, Alter_info, unsigned int, st_order*, bool) /data/src/bb-10.3-temporal/sql/sql_table.cc:9321
#7 0x55dfbd23ac24 in Sql_cmd_alter_table::execute(THD*) /data/src/bb-10.3-temporal/sql/sql_alter.cc:331
#8 0x55dfbced2c06 in mysql_execute_command(THD*) /data/src/bb-10.3-temporal/sql/sql_parse.cc:6261
#9 0x55dfbcedd143 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/bb-10.3-temporal/sql/sql_parse.cc:7991
#10 0x55dfbceb7866 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/bb-10.3-temporal/sql/sql_parse.cc:1825
#11 0x55dfbceb48c7 in do_command(THD*) /data/src/bb-10.3-temporal/sql/sql_parse.cc:1370
#12 0x55dfbd22c664 in do_handle_one_connection(CONNECT*) /data/src/bb-10.3-temporal/sql/sql_connect.cc:1420
#13 0x55dfbd22c079 in handle_one_connection /data/src/bb-10.3-temporal/sql/sql_connect.cc:1326
#14 0x7f2a8909e493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
#15 0x7f2a8748493e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)

0x629000494030 is located 7728 bytes inside of 16460-byte region [0x629000492200,0x62900049624c)
freed by thread T33 here:
#0 0x7f2a89308527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
#1 0x55dfbe764957 in free_memory /data/src/bb-10.3-temporal/mysys/safemalloc.c:279
#2 0x55dfbe763fb8 in sf_free /data/src/bb-10.3-temporal/mysys/safemalloc.c:197
#3 0x55dfbe732baf in my_free /data/src/bb-10.3-temporal/mysys/my_malloc.c:217
#4 0x55dfbe712fad in free_root /data/src/bb-10.3-temporal/mysys/my_alloc.c:405
#5 0x55dfbcebaacc in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/bb-10.3-temporal/sql/sql_parse.cc:2414
#6 0x55dfbceb48c7 in do_command(THD*) /data/src/bb-10.3-temporal/sql/sql_parse.cc:1370
#7 0x55dfbd22c664 in do_handle_one_connection(CONNECT*) /data/src/bb-10.3-temporal/sql/sql_connect.cc:1420
#8 0x55dfbd22c079 in handle_one_connection /data/src/bb-10.3-temporal/sql/sql_connect.cc:1326
#9 0x7f2a8909e493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)

previously allocated by thread T33 here:
#0 0x7f2a8930873f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
#1 0x55dfbe76375a in sf_malloc /data/src/bb-10.3-temporal/mysys/safemalloc.c:118
#2 0x55dfbe73229d in my_malloc /data/src/bb-10.3-temporal/mysys/my_malloc.c:101
#3 0x55dfbe712117 in alloc_root /data/src/bb-10.3-temporal/mysys/my_alloc.c:243
#4 0x55dfbe7127ba in multi_alloc_root /data/src/bb-10.3-temporal/mysys/my_alloc.c:311
#5 0x55dfbcf78c34 in make_join_statistics /data/src/bb-10.3-temporal/sql/sql_select.cc:4368
#6 0x55dfbcf6225f in JOIN::optimize_inner() /data/src/bb-10.3-temporal/sql/sql_select.cc:1971
#7 0x55dfbcf5e50c in JOIN::optimize() /data/src/bb-10.3-temporal/sql/sql_select.cc:1556
#8 0x55dfbce82cb5 in st_select_lex::optimize_unflattened_subqueries(bool) /data/src/bb-10.3-temporal/sql/sql_lex.cc:3976
#9 0x55dfbd2f97a8 in JOIN::optimize_constant_subqueries() /data/src/bb-10.3-temporal/sql/opt_subselect.cc:5211
#10 0x55dfbcf5f4b3 in JOIN::optimize_inner() /data/src/bb-10.3-temporal/sql/sql_select.cc:1681
#11 0x55dfbcf5e50c in JOIN::optimize() /data/src/bb-10.3-temporal/sql/sql_select.cc:1556
#12 0x55dfbcf77f55 in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/src/bb-10.3-temporal/sql/sql_select.cc:4244
#13 0x55dfbcf52f6c in handle_select(THD, LEX, select_result*, unsigned long) /data/src/bb-10.3-temporal/sql/sql_select.cc:382
#14 0x55dfbced4d9e in execute_sqlcom_select /data/src/bb-10.3-temporal/sql/sql_parse.cc:6535
#15 0x55dfbcec2ec5 in mysql_execute_command(THD*) /data/src/bb-10.3-temporal/sql/sql_parse.cc:3749
#16 0x55dfbcedd143 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/bb-10.3-temporal/sql/sql_parse.cc:7991
#17 0x55dfbceb7866 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/bb-10.3-temporal/sql/sql_parse.cc:1825
#18 0x55dfbceb48c7 in do_command(THD*) /data/src/bb-10.3-temporal/sql/sql_parse.cc:1370
#19 0x55dfbd22c664 in do_handle_one_connection(CONNECT*) /data/src/bb-10.3-temporal/sql/sql_connect.cc:1420
#20 0x55dfbd22c079 in handle_one_connection /data/src/bb-10.3-temporal/sql/sql_connect.cc:1326
#21 0x7f2a8909e493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)

Thread T33 created by T0 here:
#0 0x7f2a892d7bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
#1 0x55dfbe78ece6 in spawn_thread_noop /data/src/bb-10.3-temporal/mysys/psi_noop.c:187
#2 0x55dfbcc7ef0f in inline_mysql_thread_create /data/src/bb-10.3-temporal/include/mysql/psi/mysql_thread.h:1239
#3 0x55dfbcc94cef in create_thread_to_handle_connection(CONNECT*) /data/src/bb-10.3-temporal/sql/mysqld.cc:6574
#4 0x55dfbcc953f4 in create_new_thread /data/src/bb-10.3-temporal/sql/mysqld.cc:6644
#5 0x55dfbcc96405 in handle_connections_sockets() /data/src/bb-10.3-temporal/sql/mysqld.cc:6919
#7 0x55dfbcc7d43f in main /data/src/bb-10.3-temporal/sql/main.cc:25
#8 0x7f2a873bc2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-use-after-free /data/src/bb-10.3-temporal/sql/field.h:2650 Field_timestampf::cmp(unsigned char const, unsigned char const)
Shadow bytes around the buggy address:
0x0c528008a7b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c528008a7c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c528008a7d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c528008a7e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c528008a7f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c528008a800: fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd
0x0c528008a810: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c528008a820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c528008a830: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c528008a840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c528008a850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==17559==ABORTING

# Run with --mysqld=--sql-mode='' --default-server-options --mysqld=--max-statement-time=30   --mysqld=--lock-wait-timeout=5 --mysqld=--innodb-lock-wait-timeout=3

GRANT ALL ON *.* TO rqg@localhost;

CREATE TABLE `table0_innodb_int_autoinc` (

`col_char_12_key` char(12),

`col_char_12` char(12),

`col_int_key` int,

`col_int` int,

pk integer auto_increment,

primary key (pk)) ENGINE=innodb;

CREATE TABLE `table0_innodb_key_pk_parts_2_int_autoinc` (

`col_int` int,

`col_char_12_key` char(12),

pk integer auto_increment,

`col_int_key` int,

primary key (pk),

key (`col_int_key` )) ENGINE=innodb;

CREATE TABLE `table1_innodb_int_autoinc` (

`col_char_12` char(12),

`col_char_12_key` char(12),

`col_int_key` int,

pk integer auto_increment,

`col_int` int,

primary key (pk)) ENGINE=innodb;

CREATE TABLE `table1_innodb_key_pk_parts_2_int_autoinc` (

`col_int_key` int,

`col_char_12_key` char(12),

`col_int` int,

pk integer auto_increment,

primary key (pk)) ENGINE=innodb;

CREATE TABLE `table100_innodb_key_pk_parts_2_int_autoinc` (

pk integer auto_increment,

`col_char_12_key` char(12),

`col_int_key` int,

primary key (pk),

key (`col_int_key` )) ENGINE=innodb PARTITION BY key (pk) partitions 2;

--connect (con15_0,localhost,rqg,,test)

SET STATEMENT system_versioning_alter_history=KEEP FOR ALTER TABLE `table0_innodb_key_pk_parts_2_int_autoinc` ADD SYSTEM VERSIONING, ADD COLUMN IF NOT EXISTS `col_char_12` TEXT NOT NULL DEFAULT '';

--connect (con14_0,localhost,rqg,,test)

INSERT INTO `table1_innodb_int_autoinc` (`pk`) VALUES (NULL);

REPLACE INTO `table0_innodb_key_pk_parts_2_int_autoinc` ( `col_int_key`, `col_int` ) VALUES ( 'l', 6 ), ( 50, 1456406528 );

UPDATE `table0_innodb_key_pk_parts_2_int_autoinc` AS X SET `col_int` = 4162584576 ORDER BY `col_char_12`,`col_char_12_key`,`col_int`,`col_int_key`,`pk` LIMIT 7;

SET AUTOCOMMIT=OFF;

INSERT IGNORE INTO `table0_innodb_int_autoinc` ( `col_int_key` ) SELECT `pk` FROM `table1_innodb_int_autoinc` AS X ORDER BY `col_char_12`,`col_char_12_key`,`col_int`,`col_int_key`,`pk` LIMIT 8;

SELECT ( SELECT `col_int_key` FROM `table1_innodb_key_pk_parts_2_int_autoinc` WHERE `pk` = 2701590528 ) FROM `table0_innodb_key_pk_parts_2_int_autoinc` AS X LEFT JOIN `table1_innodb_int_autoinc` AS Y USING ( `pk` ) WHERE X.`col_char_12_key` BETWEEN 24 AND 752156672 LIMIT 6;

--connection con15_0

--error ER_LOCK_WAIT_TIMEOUT

SET STATEMENT system_versioning_alter_history=KEEP FOR ALTER TABLE `table1_innodb_key_pk_parts_2_int_autoinc` ADD PERIOD FOR SYSTEM_TIME(`sys_trx_start`, `sys_trx_start`), CHANGE COLUMN IF EXISTS `vers_start` `vers_start` TIMESTAMP(6) GENERATED ALWAYS AS ROW START, MODIFY COLUMN IF EXISTS tcol10 TIME NULL, ALTER COLUMN `col_int` SET DEFAULT NULL;

--error ER_LOCK_WAIT_TIMEOUT

UPDATE IGNORE `table0_innodb_int_autoinc` AS X SET `col_char_12` = 5 WHERE X.`col_char_12_key` < 1401028608 ORDER BY `col_char_12`,`col_char_12_key`,`col_int`,`col_int_key`,`pk` LIMIT 6;

--connection con14_0

SET STATEMENT system_versioning_alter_history=KEEP FOR ALTER TABLE `table0_innodb_key_pk_parts_2_int_autoinc` PARTITION BY system_time INTERVAL 9 SECOND ( PARTITION ver_p1 HISTORY, PARTITION ver_p2 HISTORY, PARTITION ver_pn CURRENT );

DELETE FROM `table0_innodb_key_pk_parts_2_int_autoinc`;

SELECT * FROM `table1_innodb_key_pk_parts_2_int_autoinc` AS X LEFT JOIN `table0_innodb_key_pk_parts_2_int_autoinc` AS Y USING ( `col_int_key` ) WHERE X.`col_char_12_key` = ( SELECT `pk` FROM `table100_innodb_key_pk_parts_2_int_autoinc` WHERE `pk` = 'n' ) LIMIT 8;

SET STATEMENT system_versioning_alter_history=KEEP FOR ALTER TABLE `table0_innodb_key_pk_parts_2_int_autoinc` ADD PARTITION (PARTITION ver_p3 HISTORY);

Attachments

Activity

People

Assignee:: Elena Stepanova

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2017-12-24 19:07

Updated:: 2022-05-16 21:35

Resolved:: 2022-05-16 21:35

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.