
ASAN use-after-poison in hp_hashnr upon HANDLER READ on a versioned HEAP table


Details

    Description

      # Reproducer: a system-versioned MEMORY (HEAP) table with a one-column PRIMARY KEY.
      # NOTE(review): versioned tables carry implicit row_start/row_end columns; presumably
      # the PRIMARY KEY hash of such a table covers more bytes than the visible pk column --
      # verify in storage/heap/hp_hash.c (hp_hashnr) when fixing.
      CREATE TABLE t1 (pk INT PRIMARY KEY) ENGINE=MEMORY WITH SYSTEM VERSIONING;
      INSERT INTO t1 VALUES (1);
      HANDLER t1 OPEN AS h;
      # The crash is on this statement (see "Query" in the crash log below):
      # mysql_ha_read -> ha_heap::index_read_map -> heap_rkey -> hp_search -> hp_hashnr
      # reads one byte that ASAN reports as "poisoned by user" (shadow f7) inside the
      # connection's mem_root allocation (THD::init_for_queries), which suggests the hash
      # is computed over bytes beyond the single key value supplied here -- confirm.
      # Only an ordinary connection that can create a table and use HANDLER on it is
      # needed, so this looks reachable by any such user as a server crash (DoS);
      # what a non-ASAN release build does on the same read is not shown here.
      HANDLER h READ `PRIMARY` < (5);
       
      # Cleanup
      DROP TABLE t1;
      

      Reproduced on 10.3, ASAN build, commit d8da97b09abec8:

      ==17848==ERROR: AddressSanitizer: use-after-poison on address 0x62b000000b50 at pc 0x55cbf7e10d07 bp 0x7f95844f87c0 sp 0x7f95844f87b8
      READ of size 1 at 0x62b000000b50 thread T5
          #0 0x55cbf7e10d06 in hp_hashnr /data/src/10.3/storage/heap/hp_hash.c:271
          #1 0x55cbf7e0f8b8 in hp_search /data/src/10.3/storage/heap/hp_hash.c:112
          #2 0x55cbf7e1acb4 in heap_rkey /data/src/10.3/storage/heap/hp_rkey.c:63
          #3 0x55cbf7e08721 in ha_heap::index_read_map(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /data/src/10.3/storage/heap/ha_heap.cc:292
          #4 0x55cbf6e09747 in handler::ha_index_read_map(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /data/src/10.3/sql/handler.cc:2812
          #5 0x55cbf6671199 in mysql_ha_read(THD*, TABLE_LIST*, enum_ha_read_modes, char const*, List<Item>*, ha_rkey_function, Item*, unsigned long long, unsigned long long) /data/src/10.3/sql/sql_handler.cc:933
          #6 0x55cbf6715649 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:5756
          #7 0x55cbf6723367 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8013
          #8 0x55cbf66fda13 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1842
          #9 0x55cbf66faaaa in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1387
          #10 0x55cbf6a66ef0 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
          #11 0x55cbf6a66905 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
          #12 0x55cbf7573e9b in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
          #13 0x7f9590acf493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
          #14 0x7f958eeb593e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
       
      0x62b000000b50 is located 2384 bytes inside of 24716-byte region [0x62b000000200,0x62b00000628c)
      allocated by thread T5 here:
          #0 0x7f9590d3973f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
          #1 0x55cbf7f32d04 in sf_malloc /data/src/10.3/mysys/safemalloc.c:118
          #2 0x55cbf7f01a64 in my_malloc /data/src/10.3/mysys/my_malloc.c:101
          #3 0x55cbf7ee0b6d in reset_root_defaults /data/src/10.3/mysys/my_alloc.c:151
          #4 0x55cbf661aca9 in THD::init_for_queries() /data/src/10.3/sql/sql_class.cc:1446
          #5 0x55cbf6a662c2 in prepare_new_connection_state(THD*) /data/src/10.3/sql/sql_connect.cc:1239
          #6 0x55cbf6a6694b in thd_prepare_connection(THD*) /data/src/10.3/sql/sql_connect.cc:1323
          #7 0x55cbf6a66ec6 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1393
          #8 0x55cbf6a66905 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
          #9 0x55cbf7573e9b in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
          #10 0x7f9590acf493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
       
      Thread T5 created by T0 here:
          #0 0x7f9590d08bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x55cbf7574463 in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1912
          #2 0x55cbf64719be in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1268
          #3 0x55cbf64875c8 in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6534
          #4 0x55cbf6487ccd in create_new_thread /data/src/10.3/sql/mysqld.cc:6604
          #5 0x55cbf6488cde in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6879
          #6 0x55cbf6486a85 in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6156
          #7 0x55cbf646fd5f in main /data/src/10.3/sql/main.cc:25
          #8 0x7f958eded2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
       
      SUMMARY: AddressSanitizer: use-after-poison /data/src/10.3/storage/heap/hp_hash.c:271 hp_hashnr
      Shadow bytes around the buggy address:
        0x0c567fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c567fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c567fff8130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c567fff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c567fff8150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0c567fff8160: 00 00 00 00 00 00 00 00 00 00[f7]f7 f7 f7 f7 f7
        0x0c567fff8170: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fff8180: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fff8190: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fff81a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fff81b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Contiguous container OOB:fc
        ASan internal:           fe
      ==17848==ABORTING
      180408 21:02:38 [ERROR] mysqld got signal 6 ;
      This could be because you hit a bug. It is also possible that this binary
      or one of the libraries it was linked against is corrupt, improperly built,
      or misconfigured. This error can also be caused by malfunctioning hardware.
       
      To report this bug, see https://mariadb.com/kb/en/reporting-bugs
       
      We will try our best to scrape up some info that will hopefully help
      diagnose the problem, but since we have already crashed, 
      something is definitely wrong and this may fail.
       
      Server version: 10.3.6-MariaDB-debug-log
      key_buffer_size=1048576
      read_buffer_size=131072
      max_used_connections=1
      max_threads=153
      thread_count=2
      It is possible that mysqld could use up to 
      key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 63269 K  bytes of memory
      Hope that's ok; if not, decrease some variables in the equation.
       
      Thread pointer: 0x62a000048270
      Attempting backtrace. You can use the following information to find out
      where mysqld died. If you see no messages after this, something went
      terribly wrong...
      stack_bottom = 0x7f95844fbdf0 thread_stack 0x49000
      /usr/lib/x86_64-linux-gnu/libasan.so.1(backtrace+0x3a)[0x7f9590d1048a]
      mysys/stacktrace.c:269(my_print_stacktrace)[0x55cbf7f124a9]
      sql/signal_handler.cc:168(handle_fatal_signal)[0x55cbf6df5b77]
      /lib/x86_64-linux-gnu/libpthread.so.0(+0x110c0)[0x7f9590ad90c0]
      linux/raise.c:51(__GI_raise)[0x7f958edfffcf]
      stdlib/abort.c:91(__GI_abort)[0x7f958ee013fa]
      /usr/lib/x86_64-linux-gnu/libasan.so.1(+0x61f29)[0x7f9590d46f29]
      /usr/lib/x86_64-linux-gnu/libasan.so.1(+0x59ca5)[0x7f9590d3eca5]
      /usr/lib/x86_64-linux-gnu/libasan.so.1(+0x5daa2)[0x7f9590d42aa2]
      /usr/lib/x86_64-linux-gnu/libasan.so.1(__asan_report_error+0x3d9)[0x7f9590d3e139]
      /usr/lib/x86_64-linux-gnu/libasan.so.1(__asan_report_load1+0x24)[0x7f9590d3ef84]
      heap/hp_hash.c:271(hp_hashnr)[0x55cbf7e10d07]
      heap/hp_hash.c:111(hp_search)[0x55cbf7e0f8b9]
      heap/hp_rkey.c:63(heap_rkey)[0x55cbf7e1acb5]
      heap/ha_heap.cc:292(ha_heap::index_read_map(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function))[0x55cbf7e08722]
      sql/handler.cc:2812(handler::ha_index_read_map(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function))[0x55cbf6e09748]
      sql/sql_handler.cc:933(mysql_ha_read(THD*, TABLE_LIST*, enum_ha_read_modes, char const*, List<Item>*, ha_rkey_function, Item*, unsigned long long, unsigned long long))[0x55cbf667119a]
      sql/sql_parse.cc:5756(mysql_execute_command(THD*))[0x55cbf671564a]
      sql/sql_parse.cc:8013(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55cbf6723368]
      sql/sql_parse.cc:1844(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55cbf66fda14]
      sql/sql_parse.cc:1387(do_command(THD*))[0x55cbf66faaab]
      sql/sql_connect.cc:1402(do_handle_one_connection(CONNECT*))[0x55cbf6a66ef1]
      sql/sql_connect.cc:1309(handle_one_connection)[0x55cbf6a66906]
      perfschema/pfs.cc:1864(pfs_spawn_thread)[0x55cbf7573e9c]
      nptl/pthread_create.c:333(start_thread)[0x7f9590acf494]
      x86_64/clone.S:99(clone)[0x7f958eeb593f]
       
      Trying to get some variables.
      Some pointers may be invalid and cause the dump to abort.
      Query (0x62b000000288): HANDLER h READ `PRIMARY` < (5)
      Connection ID (thread ID): 4
      Status: NOT_KILLED
      

          People

            holyfoot Alexey Botchkov
            elenst Elena Stepanova