Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
-
10.3.4
-
None
Description
|
with Aria |
--source include/have_partition.inc
|
|
|
CREATE TABLE t1 (i INT) ENGINE=Aria WITH SYSTEM VERSIONING PARTITION BY system_time INTERVAL 1 MONTH (PARTITION p1 HISTORY, PARTITION pn CURRENT); |
CREATE TABLE t2 ENGINE=Aria SELECT * FROM INFORMATION_SCHEMA.TABLES; |
INSERT INTO t2 SELECT * FROM INFORMATION_SCHEMA.TABLES; |
|
|
# Cleanup
|
DROP TABLE t1, t2; |
|
bb-10.3-temporal ac95aa888380 ASAN |
==25032==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000026680 at pc 0x564d2dcb670c bp 0x7f40e8e7d9f0 sp 0x7f40e8e7d9e8
|
READ of size 8 at 0x611000026680 thread T5
|
#0 0x564d2dcb670b in maria_status /data/src/bb-10.3-temporal/storage/maria/ma_info.c:59
|
#1 0x564d2dcf3ebc in ha_maria::info(unsigned int) /data/src/bb-10.3-temporal/storage/maria/ha_maria.cc:2507
|
#2 0x564d2e8a53f0 in ha_partition::info(unsigned int) /data/src/bb-10.3-temporal/sql/ha_partition.cc:8172
|
#3 0x564d2e87558c in ha_partition::update_create_info(HA_CREATE_INFO*) /data/src/bb-10.3-temporal/sql/ha_partition.cc:2121
|
#4 0x564d2d24fb4b in get_schema_tables_record /data/src/bb-10.3-temporal/sql/sql_show.cc:5574
|
#5 0x564d2d247c65 in fill_schema_table_by_open /data/src/bb-10.3-temporal/sql/sql_show.cc:4623
|
#6 0x564d2d24bd9e in get_all_tables(THD*, TABLE_LIST*, Item*) /data/src/bb-10.3-temporal/sql/sql_show.cc:5299
|
#7 0x564d2d27c1a0 in get_schema_tables_result(JOIN*, enum_schema_table_state) /data/src/bb-10.3-temporal/sql/sql_show.cc:8684
|
#8 0x564d2d16ffe7 in JOIN::exec_inner() /data/src/bb-10.3-temporal/sql/sql_select.cc:4008
|
#9 0x564d2d16e249 in JOIN::exec() /data/src/bb-10.3-temporal/sql/sql_select.cc:3839
|
#10 0x564d2d1718b1 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/bb-10.3-temporal/sql/sql_select.cc:4255
|
#11 0x564d2d14c446 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/bb-10.3-temporal/sql/sql_select.cc:379
|
#12 0x564d2d0c1e4e in mysql_execute_command(THD*) /data/src/bb-10.3-temporal/sql/sql_parse.cc:4815
|
#13 0x564d2d0d64cb in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/bb-10.3-temporal/sql/sql_parse.cc:7993
|
#14 0x564d2d0b0be2 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/bb-10.3-temporal/sql/sql_parse.cc:1826
|
#15 0x564d2d0adc43 in do_command(THD*) /data/src/bb-10.3-temporal/sql/sql_parse.cc:1370
|
#16 0x564d2d423aed in do_handle_one_connection(CONNECT*) /data/src/bb-10.3-temporal/sql/sql_connect.cc:1401
|
#17 0x564d2d423502 in handle_one_connection /data/src/bb-10.3-temporal/sql/sql_connect.cc:1307
|
#18 0x564d2df61e30 in pfs_spawn_thread /data/src/bb-10.3-temporal/storage/perfschema/pfs.cc:1863
|
#19 0x7f40f538f493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
|
#20 0x7f40f377593e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
|
|
|
0x611000026680 is located 128 bytes inside of 244-byte region [0x611000026600,0x6110000266f4)
|
freed by thread T5 here:
|
#0 0x7f40f55f9527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
|
#1 0x564d2e964a31 in free_memory /data/src/bb-10.3-temporal/mysys/safemalloc.c:279
|
#2 0x564d2e964092 in sf_free /data/src/bb-10.3-temporal/mysys/safemalloc.c:197
|
#3 0x564d2e932e42 in my_free /data/src/bb-10.3-temporal/mysys/my_malloc.c:215
|
#4 0x564d2dcbe214 in _ma_trnman_end_trans_hook /data/src/bb-10.3-temporal/storage/maria/ma_state.c:546
|
#5 0x564d2dd00beb in trnman_end_trn /data/src/bb-10.3-temporal/storage/maria/trnman.c:473
|
#6 0x564d2dd7932e in ma_commit /data/src/bb-10.3-temporal/storage/maria/ma_commit.c:38
|
#7 0x564d2dcf5f47 in ha_maria::external_lock(THD*, int) /data/src/bb-10.3-temporal/storage/maria/ha_maria.cc:2778
|
#8 0x564d2d7d5bf5 in handler::ha_external_lock(THD*, int) /data/src/bb-10.3-temporal/sql/handler.cc:6106
|
#9 0x564d2da75fcc in unlock_external /data/src/bb-10.3-temporal/sql/lock.cc:729
|
#10 0x564d2da733e1 in mysql_unlock_tables(THD*, st_mysql_lock*, bool) /data/src/bb-10.3-temporal/sql/lock.cc:434
|
#11 0x564d2da7322d in mysql_unlock_tables(THD*, st_mysql_lock*) /data/src/bb-10.3-temporal/sql/lock.cc:420
|
#12 0x564d2d05adb9 in select_create::send_eof() /data/src/bb-10.3-temporal/sql/sql_insert.cc:4630
|
#13 0x564d2d1d2ff7 in do_select /data/src/bb-10.3-temporal/sql/sql_select.cc:18831
|
#14 0x564d2d170755 in JOIN::exec_inner() /data/src/bb-10.3-temporal/sql/sql_select.cc:4056
|
#15 0x564d2d16e249 in JOIN::exec() /data/src/bb-10.3-temporal/sql/sql_select.cc:3839
|
#16 0x564d2d1718b1 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/bb-10.3-temporal/sql/sql_select.cc:4255
|
#17 0x564d2d14c446 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/bb-10.3-temporal/sql/sql_select.cc:379
|
#18 0x564d2d0be28f in mysql_execute_command(THD*) /data/src/bb-10.3-temporal/sql/sql_parse.cc:4221
|
#19 0x564d2d0d64cb in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/bb-10.3-temporal/sql/sql_parse.cc:7993
|
#20 0x564d2d0b0be2 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/bb-10.3-temporal/sql/sql_parse.cc:1826
|
#21 0x564d2d0adc43 in do_command(THD*) /data/src/bb-10.3-temporal/sql/sql_parse.cc:1370
|
#22 0x564d2d423aed in do_handle_one_connection(CONNECT*) /data/src/bb-10.3-temporal/sql/sql_connect.cc:1401
|
#23 0x564d2d423502 in handle_one_connection /data/src/bb-10.3-temporal/sql/sql_connect.cc:1307
|
#24 0x564d2df61e30 in pfs_spawn_thread /data/src/bb-10.3-temporal/storage/perfschema/pfs.cc:1863
|
#25 0x7f40f538f493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
|
|
|
previously allocated by thread T5 here:
|
#0 0x7f40f55f973f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
|
#1 0x564d2e963834 in sf_malloc /data/src/bb-10.3-temporal/mysys/safemalloc.c:118
|
#2 0x564d2e932535 in my_malloc /data/src/bb-10.3-temporal/mysys/my_malloc.c:101
|
#3 0x564d2dcbb2ab in _ma_setup_live_state /data/src/bb-10.3-temporal/storage/maria/ma_state.c:80
|
#4 0x564d2dcf6cc1 in ha_maria::implicit_commit(THD*, bool) /data/src/bb-10.3-temporal/storage/maria/ha_maria.cc:2965
|
#5 0x564d2d7b3c53 in ha_commit_trans(THD*, bool) /data/src/bb-10.3-temporal/sql/handler.cc:1358
|
#6 0x564d2d3e45a4 in Table_locker::~Table_locker() (/data/bld/bb-10.3-temporal-asan/bin/mysqld+0x11095a4)
|
#7 0x564d2d3e53c1 in partition_info::vers_scan_min_max(THD*, partition_element*) (/data/bld/bb-10.3-temporal-asan/bin/mysqld+0x110a3c1)
|
#8 0x564d2d3cfaca in partition_info::vers_setup_stats(THD*, bool) /data/src/bb-10.3-temporal/sql/partition_info.cc:1291
|
#9 0x564d2d362db2 in open_table_from_share(THD*, TABLE_SHARE*, char const*, unsigned int, unsigned int, unsigned int, TABLE*, bool) /data/src/bb-10.3-temporal/sql/table.cc:3521
|
#10 0x564d2cf7cdbb in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/bb-10.3-temporal/sql/sql_base.cc:1907
|
#11 0x564d2cf83edb in open_and_process_table /data/src/bb-10.3-temporal/sql/sql_base.cc:3467
|
#12 0x564d2cf86837 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/bb-10.3-temporal/sql/sql_base.cc:3987
|
#13 0x564d2cf747da in open_tables /data/src/bb-10.3-temporal/sql/sql_base.h:238
|
#14 0x564d2cf8b827 in open_normal_and_derived_tables(THD*, TABLE_LIST*, unsigned int, unsigned int) /data/src/bb-10.3-temporal/sql/sql_base.cc:4930
|
#15 0x564d2cf8bca9 in open_tables_only_view_structure(THD*, TABLE_LIST*, bool) /data/src/bb-10.3-temporal/sql/sql_base.cc:4987
|
#16 0x564d2d247ac9 in fill_schema_table_by_open /data/src/bb-10.3-temporal/sql/sql_show.cc:4585
|
#17 0x564d2d24bd9e in get_all_tables(THD*, TABLE_LIST*, Item*) /data/src/bb-10.3-temporal/sql/sql_show.cc:5299
|
#18 0x564d2d27c1a0 in get_schema_tables_result(JOIN*, enum_schema_table_state) /data/src/bb-10.3-temporal/sql/sql_show.cc:8684
|
#19 0x564d2d16ffe7 in JOIN::exec_inner() /data/src/bb-10.3-temporal/sql/sql_select.cc:4008
|
#20 0x564d2d16e249 in JOIN::exec() /data/src/bb-10.3-temporal/sql/sql_select.cc:3839
|
#21 0x564d2d1718b1 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/bb-10.3-temporal/sql/sql_select.cc:4255
|
#22 0x564d2d14c446 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/bb-10.3-temporal/sql/sql_select.cc:379
|
#23 0x564d2d0be28f in mysql_execute_command(THD*) /data/src/bb-10.3-temporal/sql/sql_parse.cc:4221
|
#24 0x564d2d0d64cb in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/bb-10.3-temporal/sql/sql_parse.cc:7993
|
#25 0x564d2d0b0be2 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/bb-10.3-temporal/sql/sql_parse.cc:1826
|
#26 0x564d2d0adc43 in do_command(THD*) /data/src/bb-10.3-temporal/sql/sql_parse.cc:1370
|
#27 0x564d2d423aed in do_handle_one_connection(CONNECT*) /data/src/bb-10.3-temporal/sql/sql_connect.cc:1401
|
#28 0x564d2d423502 in handle_one_connection /data/src/bb-10.3-temporal/sql/sql_connect.cc:1307
|
#29 0x564d2df61e30 in pfs_spawn_thread /data/src/bb-10.3-temporal/storage/perfschema/pfs.cc:1863
|
|
|
Thread T5 created by T0 here:
|
#0 0x7f40f55c8bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
|
#1 0x564d2df623f8 in spawn_thread_v1 /data/src/bb-10.3-temporal/storage/perfschema/pfs.cc:1913
|
#2 0x564d2ce788ff in inline_mysql_thread_create /data/src/bb-10.3-temporal/include/mysql/psi/mysql_thread.h:1268
|
#3 0x564d2ce8e64e in create_thread_to_handle_connection(CONNECT*) /data/src/bb-10.3-temporal/sql/mysqld.cc:6549
|
#4 0x564d2ce8ed53 in create_new_thread /data/src/bb-10.3-temporal/sql/mysqld.cc:6619
|
#6 0x564d2ce8dadf in mysqld_main(int, char**) /data/src/bb-10.3-temporal/sql/mysqld.cc:6169
|
#7 0x564d2ce76e2f in main /data/src/bb-10.3-temporal/sql/main.cc:25
|
#8 0x7f40f36ad2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
|
|
|
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/bb-10.3-temporal/storage/maria/ma_info.c:59 maria_status
|
Shadow bytes around the buggy address:
|
0x0c227fffcc80: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
|
0x0c227fffcc90: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
|
0x0c227fffcca0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c227fffccb0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
|
0x0c227fffccc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
=>0x0c227fffccd0:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
|
0x0c227fffcce0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
|
0x0c227fffccf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c227fffcd00: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
|
0x0c227fffcd10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c227fffcd20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Heap right redzone: fb
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack partial redzone: f4
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Contiguous container OOB:fc
|
ASan internal: fe
|
==25032==ABORTING
|
|
with InnoDB |
--source include/have_innodb.inc
|
--source include/have_partition.inc
|
|
|
CREATE OR REPLACE TABLE t1 (i INT) ENGINE=InnoDB WITH SYSTEM VERSIONING PARTITION BY system_time INTERVAL 1 MONTH (PARTITION p1 HISTORY, PARTITION pn CURRENT); |
CREATE OR REPLACE TABLE t2 ENGINE=InnoDB SELECT * FROM INFORMATION_SCHEMA.TABLES; |
INSERT INTO t2 SELECT * FROM INFORMATION_SCHEMA.TABLES; |
|
|
# Cleanup
|
DROP TABLE t1, t2; |
2018-01-12 3:59:42 9 [ERROR] Transaction not registered for MariaDB 2PC, but transaction is active
|
Attachments
Issue Links
- is caused by
-
-
- Closed
-