Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
-
10.2(EOL), 10.3(EOL)
-
None
Description
CREATE TABLE t1 (b BLOB DEFAULT ''); |
PREPARE stmt FROM "ALTER TABLE t1 FORCE"; |
EXECUTE stmt; |
|
|
# Cleanup
|
DROP TABLE t1; |
|
10.2 ASAN 55f4e4800b |
==31069==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000080590 at pc 0x55c8d0ce4a15 bp 0x7feecd0a8110 sp 0x7feecd0a8108
|
WRITE of size 8 at 0x619000080590 thread T5
|
#0 0x55c8d0ce4a14 in Item_change_list::rollback_item_tree_changes() /data/src/10.2/sql/sql_class.cc:2691
|
#1 0x55c8d0def5bb in Prepared_statement::cleanup_stmt() /data/src/10.2/sql/sql_prepare.cc:3837
|
#2 0x55c8d0df5f00 in Prepared_statement::execute(String*, bool) /data/src/10.2/sql/sql_prepare.cc:4802
|
#3 0x55c8d0df159f in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.2/sql/sql_prepare.cc:4203
|
#4 0x55c8d0dec1cf in mysql_sql_stmt_execute(THD*) /data/src/10.2/sql/sql_prepare.cc:3311
|
#5 0x55c8d0d9177f in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3495
|
#6 0x55c8d0daceda in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7914
|
#7 0x55c8d0d880eb in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1815
|
#8 0x55c8d0d8518f in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1369
|
#9 0x55c8d10c08cf in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
|
#10 0x55c8d10c02e4 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
|
#11 0x55c8d1acbfc3 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
|
#12 0x7feed952d493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
|
#13 0x7feed791393e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
|
|
|
0x619000080590 is located 784 bytes inside of 1100-byte region [0x619000080280,0x6190000806cc)
|
freed by thread T5 here:
|
#0 0x7feed9797527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
|
#1 0x55c8d23ecd9d in free_memory /data/src/10.2/mysys/safemalloc.c:279
|
#2 0x55c8d23ec3a3 in sf_free /data/src/10.2/mysys/safemalloc.c:197
|
#3 0x55c8d23bb68a in my_free /data/src/10.2/mysys/my_malloc.c:217
|
#4 0x55c8d239cd00 in free_root /data/src/10.2/mysys/my_alloc.c:398
|
#5 0x55c8d1019c03 in closefrm(TABLE*) /data/src/10.2/sql/table.cc:3442
|
#6 0x55c8d1220494 in intern_close_table /data/src/10.2/sql/table_cache.cc:222
|
#7 0x55c8d12206fa in tc_remove_table /data/src/10.2/sql/table_cache.cc:260
|
#8 0x55c8d122152b in tc_release_table(TABLE*) /data/src/10.2/sql/table_cache.cc:460
|
#9 0x55c8d0c795bf in close_thread_table(THD*, TABLE**) /data/src/10.2/sql/sql_base.cc:900
|
#10 0x55c8d0c7830b in close_all_tables_for_name(THD*, TABLE_SHARE*, ha_extra_function, TABLE*) /data/src/10.2/sql/sql_base.cc:674
|
#11 0x55c8d0fa7fa7 in mysql_alter_table(THD*, char*, char*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.2/sql/sql_table.cc:9571
|
#12 0x55c8d10cec2e in Sql_cmd_alter_table::execute(THD*) /data/src/10.2/sql/sql_alter.cc:324
|
#13 0x55c8d0da2b0b in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:6220
|
#14 0x55c8d0df5c24 in Prepared_statement::execute(String*, bool) /data/src/10.2/sql/sql_prepare.cc:4774
|
#15 0x55c8d0df159f in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.2/sql/sql_prepare.cc:4203
|
#16 0x55c8d0dec1cf in mysql_sql_stmt_execute(THD*) /data/src/10.2/sql/sql_prepare.cc:3311
|
#17 0x55c8d0d9177f in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3495
|
#18 0x55c8d0daceda in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7914
|
#19 0x55c8d0d880eb in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1815
|
#20 0x55c8d0d8518f in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1369
|
#21 0x55c8d10c08cf in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
|
#22 0x55c8d10c02e4 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
|
#23 0x55c8d1acbfc3 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
|
#24 0x7feed952d493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
|
|
|
previously allocated by thread T5 here:
|
#0 0x7feed979773f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
|
#1 0x55c8d23ebb13 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
|
#2 0x55c8d23badc2 in my_malloc /data/src/10.2/mysys/my_malloc.c:101
|
#3 0x55c8d239bc65 in alloc_root /data/src/10.2/mysys/my_alloc.c:241
|
#4 0x55c8d1016642 in open_table_from_share(THD*, TABLE_SHARE*, char const*, unsigned int, unsigned int, unsigned int, TABLE*, bool) /data/src/10.2/sql/table.cc:3060
|
#5 0x55c8d0c7d3c6 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.2/sql/sql_base.cc:1877
|
#6 0x55c8d0c83958 in open_and_process_table /data/src/10.2/sql/sql_base.cc:3409
|
#7 0x55c8d0c86080 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:3928
|
#8 0x55c8d0f6cd71 in open_tables /data/src/10.2/sql/sql_base.h:237
|
#9 0x55c8d0fa40ad in mysql_alter_table(THD*, char*, char*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.2/sql/sql_table.cc:8750
|
#10 0x55c8d10cec2e in Sql_cmd_alter_table::execute(THD*) /data/src/10.2/sql/sql_alter.cc:324
|
#11 0x55c8d0da2b0b in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:6220
|
#12 0x55c8d0df5c24 in Prepared_statement::execute(String*, bool) /data/src/10.2/sql/sql_prepare.cc:4774
|
#13 0x55c8d0df159f in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.2/sql/sql_prepare.cc:4203
|
#14 0x55c8d0dec1cf in mysql_sql_stmt_execute(THD*) /data/src/10.2/sql/sql_prepare.cc:3311
|
#15 0x55c8d0d9177f in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3495
|
#16 0x55c8d0daceda in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7914
|
#17 0x55c8d0d880eb in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1815
|
#18 0x55c8d0d8518f in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1369
|
#19 0x55c8d10c08cf in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
|
#20 0x55c8d10c02e4 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
|
#21 0x55c8d1acbfc3 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
|
#22 0x7feed952d493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
|
|
|
Thread T5 created by T0 here:
|
#0 0x7feed9766bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
|
#1 0x55c8d1acc58b in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1912
|
#2 0x55c8d0b82cde in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1239
|
#3 0x55c8d0b97b15 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6436
|
#4 0x55c8d0b9821a in create_new_thread /data/src/10.2/sql/mysqld.cc:6506
|
#5 0x55c8d0b9922b in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6781
|
#6 0x55c8d0b9706a in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6055
|
#7 0x55c8d0b8107f in main /data/src/10.2/sql/main.cc:25
|
#8 0x7feed784b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
|
|
|
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.2/sql/sql_class.cc:2691 Item_change_list::rollback_item_tree_changes()
|
Shadow bytes around the buggy address:
|
0x0c3280008060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c3280008070: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c3280008080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c3280008090: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c32800080a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
=>0x0c32800080b0: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c32800080c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c32800080d0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
|
0x0c32800080e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c32800080f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c3280008100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Heap right redzone: fb
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack partial redzone: f4
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Contiguous container OOB:fc
|
ASan internal: fe
|
==31069==ABORTING
|
180402 1:49:38 [ERROR] mysqld got signal 6 ;
|
This could be because you hit a bug. It is also possible that this binary
|
or one of the libraries it was linked against is corrupt, improperly built,
|
or misconfigured. This error can also be caused by malfunctioning hardware.
|
|
|
To report this bug, see https://mariadb.com/kb/en/reporting-bugs
|
|
|
We will try our best to scrape up some info that will hopefully help
|
diagnose the problem, but since we have already crashed,
|
something is definitely wrong and this may fail.
|
|
|
Server version: 10.2.15-MariaDB-debug-log
|
key_buffer_size=1048576
|
read_buffer_size=131072
|
stdlib/abort.c:91(__GI_abort)[0x7feed785f3fa]
|
/usr/lib/x86_64-linux-gnu/libasan.so.1(+0x61f29)[0x7feed97a4f29]
|
/usr/lib/x86_64-linux-gnu/libasan.so.1(+0x59ca5)[0x7feed979cca5]
|
/usr/lib/x86_64-linux-gnu/libasan.so.1(+0x5daa2)[0x7feed97a0aa2]
|
/usr/lib/x86_64-linux-gnu/libasan.so.1(__asan_report_error+0x3d9)[0x7feed979c139]
|
/usr/lib/x86_64-linux-gnu/libasan.so.1(__asan_report_store8+0x27)[0x7feed979d107]
|
sql/sql_class.cc:2691(Item_change_list::rollback_item_tree_changes())[0x55c8d0ce4a15]
|
sql/sql_prepare.cc:3838(Prepared_statement::cleanup_stmt())[0x55c8d0def5bc]
|
sql/sql_prepare.cc:4809(Prepared_statement::execute(String*, bool))[0x55c8d0df5f01]
|
sql/sql_prepare.cc:4203(Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*))[0x55c8d0df15a0]
|
sql/sql_prepare.cc:3312(mysql_sql_stmt_execute(THD*))[0x55c8d0dec1d0]
|
sql/sql_parse.cc:3496(mysql_execute_command(THD*))[0x55c8d0d91780]
|
sql/sql_parse.cc:7914(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55c8d0dacedb]
|
sql/sql_parse.cc:1817(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55c8d0d880ec]
|
sql/sql_parse.cc:1369(do_command(THD*))[0x55c8d0d85190]
|
sql/sql_connect.cc:1335(do_handle_one_connection(CONNECT*))[0x55c8d10c08d0]
|
sql/sql_connect.cc:1242(handle_one_connection)[0x55c8d10c02e5]
|
perfschema/pfs.cc:1864(pfs_spawn_thread)[0x55c8d1acbfc4]
|
nptl/pthread_create.c:333(start_thread)[0x7feed952d494]
|
x86_64/clone.S:99(clone)[0x7feed791393f]
|
|
|
Trying to get some variables.
|
Some pointers may be invalid and cause the dump to abort.
|
Query (0x62b000000320): ALTER TABLE t1 FORCE
|
Connection ID (thread ID): 4
|
Status: NOT_KILLED
|
Attachments
Issue Links
- relates to
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-