  1. MariaDB Server
  2. MDEV-15907

ASAN heap-use-after-free in strnmov / .. / fill_effective_table_privileges on concurrent GRANT and CREATE VIEW

Details

    Description

      Note: The test is for reproducing only, don't put it into the regression suite as is!
      I suppose it's acceptable to put it into the regression suite if the time-based test is converted into a (small) number of loops, but it would be better to have a properly synchronized test.

      Note that the test starts by setting the duration in a variable; adjust it as needed. For me, it fails in the first seconds.

      Stored procedures are not important for the problem, they are there only to provide the necessary concurrency.

      --let $test_duration= 30
       
      CREATE USER foo@localhost;
       
      --delimiter $
       
      CREATE PROCEDURE pr1()
      BEGIN
        LOOP
          PREPARE stmt1 FROM "GRANT ALL PRIVILEGES ON *.* TO foo@localhost";
          EXECUTE stmt1;
        END LOOP;
      END $
       
      CREATE PROCEDURE pr2()
      BEGIN
        LOOP
          PREPARE stmt2 FROM "CREATE OR REPLACE VIEW v AS SELECT * FROM INFORMATION_SCHEMA.TABLES";
          EXECUTE stmt2;
        END LOOP;
      END $
       
      --delimiter ;
       
      --connect (con1,localhost,root,,)
      --let $con1= `SELECT CONNECTION_ID()`
      --send CALL pr1()
        
      --connect (con2,localhost,root,,)
      --let $con2= `SELECT CONNECTION_ID()`
      --send CALL pr2()
       
      --sleep $test_duration
       
      --connection default
       
      # Cleanup
      --eval KILL $con1
      --eval KILL $con2
      DROP VIEW v;
      DROP USER foo@localhost;
      DROP PROCEDURE pr1;
      DROP PROCEDURE pr2;
      

      10.0 ASAN 14f6b0cdfd

      ==23051==ERROR: AddressSanitizer: heap-use-after-free on address 0x62400006de38 at pc 0x19823bc bp 0x7efd7461cb40 sp 0x7efd7461cb38
      READ of size 1 at 0x62400006de38 thread T7
          #0 0x19823bb in strnmov /data/src/10.0/strings/strnmov.c:41
          #1 0x5bb1b9 in name_hash_search /data/src/10.0/sql/sql_acl.cc:4018
          #2 0x5bb529 in table_hash_search /data/src/10.0/sql/sql_acl.cc:4066
          #3 0x5c9ecf in fill_effective_table_privileges(THD*, st_grant_info*, char const*, char const*) /data/src/10.0/sql/sql_acl.cc:10725
          #4 0x8c91a6 in create_view_precheck(THD*, TABLE_LIST*, TABLE_LIST*, enum_view_create_mode) /data/src/10.0/sql/sql_view.cc:323
          #5 0x8c97bf in mysql_create_view(THD*, TABLE_LIST*, enum_view_create_mode) /data/src/10.0/sql/sql_view.cc:427
          #6 0x6e1021 in mysql_execute_command(THD*) /data/src/10.0/sql/sql_parse.cc:4950
          #7 0x714b2d in Prepared_statement::execute(String*, bool) /data/src/10.0/sql/sql_prepare.cc:3975
          #8 0x7155bc in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.0/sql/sql_prepare.cc:3629
          #9 0x7161fc in mysql_sql_stmt_execute(THD*) /data/src/10.0/sql/sql_prepare.cc:2779
          #10 0x6ce84a in mysql_execute_command(THD*) /data/src/10.0/sql/sql_parse.cc:2567
          #11 0xebb7a5 in sp_instr_stmt::exec_core(THD*, unsigned int*) /data/src/10.0/sql/sp_head.cc:3210
          #12 0xed097a in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) /data/src/10.0/sql/sp_head.cc:2977
          #13 0xed16c8 in sp_instr_stmt::execute(THD*, unsigned int*) /data/src/10.0/sql/sp_head.cc:3126
          #14 0xec48c4 in sp_head::execute(THD*, bool) /data/src/10.0/sql/sp_head.cc:1369
          #15 0xec867f in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.0/sql/sp_head.cc:2157
          #16 0x6dfc58 in mysql_execute_command(THD*) /data/src/10.0/sql/sql_parse.cc:4727
          #17 0x6e4888 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.0/sql/sql_parse.cc:6637
          #18 0x6e84a7 in dispatch_command(enum_server_command, THD*, char*, unsigned int) /data/src/10.0/sql/sql_parse.cc:1300
          #19 0x6ecda0 in do_command(THD*) /data/src/10.0/sql/sql_parse.cc:1003
          #20 0x97c9f1 in do_handle_one_connection(THD*) /data/src/10.0/sql/sql_connect.cc:1377
          #21 0x97cc58 in handle_one_connection /data/src/10.0/sql/sql_connect.cc:1292
          #22 0x11b65bc in pfs_spawn_thread /data/src/10.0/storage/perfschema/pfs.cc:1861
          #23 0x7efd7f1ce493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
          #24 0x7efd7d7a293e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
       
      0x62400006de38 is located 7480 bytes inside of 7572-byte region [0x62400006c100,0x62400006de94)
      freed by thread T7 here:
          #0 0x7efd7f438527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
          #1 0x18f686b in free_memory /data/src/10.0/mysys/safemalloc.c:276
       
      previously allocated by thread T7 here:
          #0 0x7efd7f43873f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
          #1 0x18f693c in sf_malloc /data/src/10.0/mysys/safemalloc.c:115
          #2 0x19f950a (/data/bld/10.0-asan/bin/mysqld+0x19f950a)
       
      Thread T7 created by T0 here:
          #0 0x7efd7f407bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x11c1e13 in spawn_thread_v1 /data/src/10.0/storage/perfschema/pfs.cc:1911
       
      SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.0/strings/strnmov.c:41 strnmov
      ==23051==ABORTING
      

      If the MTR test doesn't work for you for whatever reason, see the RQG variant in Matthias's comments.
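The 10.0, 10.2 and 10.3 traces quoted in this ticket differ in addresses and line numbers but describe the same call path into name_hash_search. As an added example (not part of the ticket and not MariaDB code), the Python helper below parses an ASan report into its access, free and alloc stacks, flags reports that ASan could not finish printing (the "while reporting a bug found another one" case seen in the 10.2 and 10.3 traces, whose "is located ..." line is garbage), and buckets crashes by their top in-tree frames; the embedded inputs are abbreviated excerpts of the traces above.

```python
"""ASan report triage helper. Added example for MDEV-15907, not MariaDB code: it
separates the access / free / alloc stacks, flags reports ASan could not finish
printing, and builds a crash-bucket signature from the top in-tree frames."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>\S+) on address")
FRAME_RE = re.compile(r"^#\d+\s+0x[0-9a-fA-F]+\s+(?P<rest>.*)$")
REGION_RE = re.compile(r"is located (?P<off>\d+) bytes inside of (?P<size>\d+)-byte region")

@dataclass
class Frame:
    func: str  # name without the C++ parameter list; "" if unsymbolized
    loc: str   # "path:line" for source frames, "(module+0xoff)" for library frames

    @property
    def in_tree(self) -> bool:
        return not self.loc.startswith("(") and ":" in self.loc

@dataclass
class AsanReport:
    kind: str = ""
    region_offset: Optional[int] = None
    region_size: Optional[int] = None
    nested_crash: bool = False  # ASan faulted while printing the report
    stacks: Dict[str, List[Frame]] = field(
        default_factory=lambda: {"access": [], "free": [], "alloc": []})

def parse_frame(line: str) -> Optional[Frame]:
    m = FRAME_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith("in "):
        sig, _, loc = rest[3:].rpartition(" ")  # location is the last token
    else:
        sig, loc = "", rest  # unsymbolized, e.g. "#2 0x19f950a (mysqld+0x19f950a)"
    return Frame(sig.split("(", 1)[0], loc)

def parse_report(text: str) -> AsanReport:
    rep, section = AsanReport(), "access"
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.search(line):
            rep.kind = m.group("kind")
        elif line.startswith("freed by thread"):
            section = "free"
        elif line.startswith("previously allocated by thread"):
            section = "alloc"
        elif line.startswith("Thread T"):
            section = "created"  # thread-creation stack, not retained
        elif "while reporting a bug found another one" in line:
            rep.nested_crash = True  # the "is located ..." line before it is garbage
        elif m := REGION_RE.search(line):
            rep.region_offset, rep.region_size = int(m.group("off")), int(m.group("size"))
        elif (fr := parse_frame(line)) and section in rep.stacks:
            rep.stacks[section].append(fr)
    return rep

def signature(rep: AsanReport, depth: int = 5) -> str:
    """Bucket key: error kind plus the top `depth` symbolized in-tree functions."""
    funcs = [f.func for f in rep.stacks["access"] if f.in_tree and f.func][:depth]
    return rep.kind + "|" + ">".join(funcs)

# Abbreviated excerpts of the three traces quoted in the ticket (frames below #4 dropped).
TRACE_10_0 = """\
==23051==ERROR: AddressSanitizer: heap-use-after-free on address 0x62400006de38 at pc 0x19823bc bp 0x7efd7461cb40 sp 0x7efd7461cb38
    #0 0x19823bb in strnmov /data/src/10.0/strings/strnmov.c:41
    #1 0x5bb1b9 in name_hash_search /data/src/10.0/sql/sql_acl.cc:4018
    #2 0x5bb529 in table_hash_search /data/src/10.0/sql/sql_acl.cc:4066
    #3 0x5c9ecf in fill_effective_table_privileges(THD*, st_grant_info*, char const*, char const*) /data/src/10.0/sql/sql_acl.cc:10725
    #4 0x8c91a6 in create_view_precheck(THD*, TABLE_LIST*, TABLE_LIST*, enum_view_create_mode) /data/src/10.0/sql/sql_view.cc:323
0x62400006de38 is located 7480 bytes inside of 7572-byte region [0x62400006c100,0x62400006de94)
freed by thread T7 here:
    #0 0x7efd7f438527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
    #1 0x18f686b in free_memory /data/src/10.0/mysys/safemalloc.c:276
"""
TRACE_10_3 = """\
==6928==ERROR: AddressSanitizer: heap-use-after-free on address 0x6230005eb490 at pc 0x557f4aa87d7e bp 0x7f86db4ff220 sp 0x7f86db4ff218
    #0 0x557f4aa87d7d in strnmov /data/src/10.3/strings/strnmov.c:41
    #1 0x557f48fff0e4 in name_hash_search /data/src/10.3/sql/sql_acl.cc:4858
    #2 0x557f48fff6bb in table_hash_search /data/src/10.3/sql/sql_acl.cc:4907
    #3 0x557f4902d128 in fill_effective_table_privileges(THD*, st_grant_info*, char const*, char const*) /data/src/10.3/sql/sql_acl.cc:11817
    #4 0x557f4941601b in create_view_precheck(THD*, TABLE_LIST*, TABLE_LIST*, enum_view_create_mode) /data/src/10.3/sql/sql_view.cc:322
0x6230005eb490 is located 107958304158800 bytes insideASAN:SIGSEGV
==6928==AddressSanitizer: while reporting a bug found another one.Ignoring.
"""
TRACE_10_2 = """\
==7223==ERROR: AddressSanitizer: heap-use-after-free on address 0x62300032bdb8 at pc 0x564c75271aa1 bp 0x7f2b6a91cf50 sp 0x7f2b6a91cf48
    #0 0x564c75271aa0 in strnmov /data/src/10.2/strings/strnmov.c:41
    #1 0x564c739e2f10 in name_hash_search /data/src/10.2/sql/sql_acl.cc:4962
    #2 0x564c739e3496 in table_hash_search /data/src/10.2/sql/sql_acl.cc:5010
    #3 0x564c73a0f8c8 in fill_effective_table_privileges(THD*, st_grant_info*, char const*, char const*) /data/src/10.2/sql/sql_acl.cc:11782
    #4 0x564c73ddfefb in TABLE_LIST::prepare_security(THD*) /data/src/10.2/sql/table.cc:5565
0x62300032bdb8 is located 13071941184130 bytes insideASAN:SIGSEGV
==7223==AddressSanitizer: while reporting a bug found another one.Ignoring.
"""
```

With the default depth of 5 the 10.0 and 10.3 reports land in the same bucket while 10.2 (reached through TABLE_LIST::prepare_security instead of create_view_precheck) lands in its own; at depth 4 all three collapse into one.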

      Attachments

        1. MDEV-15907.cc
          3 kB
        2. MDEV-15907.sh
          1 kB
        3. MDEV-15907.yy
          8 kB

          Activity

            elenst Elena Stepanova created issue -
            elenst Elena Stepanova made changes -
            Field Original Value New Value
            Fix Version/s 10.2 [ 14601 ]
            Fix Version/s 10.3 [ 22126 ]
            Affects Version/s 10.2 [ 14601 ]
            elenst Elena Stepanova made changes -
            Description {noformat:title=10.3 56074319860 ASAN}
            ==6928==ERROR: AddressSanitizer: heap-use-after-free on address 0x6230005eb490 at pc 0x557f4aa87d7e bp 0x7f86db4ff220 sp 0x7f86db4ff218
            READ of size 1 at 0x6230005eb490 thread T74
                #0 0x557f4aa87d7d in strnmov /data/src/10.3/strings/strnmov.c:41
                #1 0x557f48fff0e4 in name_hash_search /data/src/10.3/sql/sql_acl.cc:4858
                #2 0x557f48fff6bb in table_hash_search /data/src/10.3/sql/sql_acl.cc:4907
                #3 0x557f4902d128 in fill_effective_table_privileges(THD*, st_grant_info*, char const*, char const*) /data/src/10.3/sql/sql_acl.cc:11817
                #4 0x557f4941601b in create_view_precheck(THD*, TABLE_LIST*, TABLE_LIST*, enum_view_create_mode) /data/src/10.3/sql/sql_view.cc:322
                #5 0x557f494168ad in mysql_create_view(THD*, TABLE_LIST*, enum_view_create_mode) /data/src/10.3/sql/sql_view.cc:426
                #6 0x557f491acb95 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:6103
                #7 0x557f49200ea4 in Prepared_statement::execute(String*, bool) /data/src/10.3/sql/sql_prepare.cc:4740
                #8 0x557f491fc685 in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.3/sql/sql_prepare.cc:4170
                #9 0x557f491f68b1 in mysql_stmt_execute_common /data/src/10.3/sql/sql_prepare.cc:3170
                #10 0x557f491f6125 in mysqld_stmt_execute(THD*, char*, unsigned int) /data/src/10.3/sql/sql_prepare.cc:3068
                #11 0x557f491923e1 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1788
                #12 0x557f4918f979 in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1391
                #13 0x557f494f82f6 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
                #14 0x557f494f7d0b in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
                #15 0x557f49ffbe57 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
                #16 0x7f8721560493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
                #17 0x7f871f94693e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)

            0x6230005eb490 is located 107958304158800 bytes insideASAN:SIGSEGV
            ==6928==AddressSanitizer: while reporting a bug found another one.Ignoring.
            {noformat}

            {noformat:title=experimental 75de94b07db}
            perl ./runall-trials.pl --trials=3 --duration=500 --threads=6 --seed=1522319169 --reporters=Backtrace,ErrorLog,Deadlock --validators=TransformerNoComparator --views --redefine=conf/mariadb/versioning.yy --redefine=conf/mariadb/alter_table.yy --redefine=conf/mariadb/bulk_insert.yy --redefine=conf/mariadb/sequences.yy --redefine=conf/mariadb/xa.yy --basedir=/data/bld/10.3-asan --mysqld=--log_output=FILE --mysqld=--max-statement-time=30 --mysqld=--lock-wait-timeout=10 --mysqld=--loose-innodb-lock-wait-timeout=5 --mysqld=--loose-debug_assert_on_not_freed_memory=0 --mysqld=--default-storage-engine=RocksDB --mysqld=--plugin-load-add=ha_rocksdb --mysqld=--binlog-format=row --grammar=conf/runtime/performance_schema.yy --mysqld=--performance-schema --ps-protocol --transformers=ExecuteAsCTE,ExecuteAsDeleteReturning,ExecuteAsExcept,ExecuteAsInsertSelect,ExecuteAsIntersect,ExecuteAsUnion,ExecuteAsUpdateDelete,ExecuteAsView,ExecuteAsSPTwice --vardir=/data/logs/mdev15802_asan
            {noformat}

            Can't reproduce so far. Note ps-protocol.
            {noformat:title=10.2 ASAN e9b78a1055c}
            ==7223==ERROR: AddressSanitizer: heap-use-after-free on address 0x62300032bdb8 at pc 0x564c75271aa1 bp 0x7f2b6a91cf50 sp 0x7f2b6a91cf48
            READ of size 1 at 0x62300032bdb8 thread T33
                #0 0x564c75271aa0 in strnmov /data/src/10.2/strings/strnmov.c:41
                #1 0x564c739e2f10 in name_hash_search /data/src/10.2/sql/sql_acl.cc:4962
                #2 0x564c739e3496 in table_hash_search /data/src/10.2/sql/sql_acl.cc:5010
                #3 0x564c73a0f8c8 in fill_effective_table_privileges(THD*, st_grant_info*, char const*, char const*) /data/src/10.2/sql/sql_acl.cc:11782
                #4 0x564c73ddfefb in TABLE_LIST::prepare_security(THD*) /data/src/10.2/sql/table.cc:5565
                #5 0x564c73dacaa2 in mysql_make_view(THD*, TABLE_SHARE*, TABLE_LIST*, bool) /data/src/10.2/sql/sql_view.cc:1182
                #6 0x564c73a2f6f4 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.2/sql/sql_base.cc:1812
                #7 0x564c73a36482 in open_and_process_table /data/src/10.2/sql/sql_base.cc:3439
                #8 0x564c73a38baa in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:3958
                #9 0x564c73a3c8b0 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:4712
                #10 0x564c73a1e624 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.2/sql/sql_base.h:501
                #11 0x564c73b56ffe in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6395
                #12 0x564c73b44756 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3481
                #13 0x564c73ba96de in Prepared_statement::execute(String*, bool) /data/src/10.2/sql/sql_prepare.cc:4774
                #14 0x564c73ba5059 in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.2/sql/sql_prepare.cc:4203
                #15 0x564c73b9f57b in mysql_stmt_execute_common /data/src/10.2/sql/sql_prepare.cc:3205
                #16 0x564c73b9ee19 in mysqld_stmt_execute(THD*, char*, unsigned int) /data/src/10.2/sql/sql_prepare.cc:3103
                #17 0x564c73b3acdd in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1763
                #18 0x564c73b38240 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1375
                #19 0x564c73e7a057 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
                #20 0x564c73e79a6c in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
                #21 0x564c748898c5 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
                #22 0x7f2bae42f493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
                #23 0x7f2bac81593e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)

            0x62300032bdb8 is located 13071920072616 bytes inside of global variable '<89>E<FC><83>}<FC>' from '<89><85>L<FF><FF><FF>H<83><BD>P<FF><FF><FF>' (0x564c750bb610) of size 94886381197796
            0x62300032bdb8 is located 13071941184130 bytes insideASAN:SIGSEGV
            ==7223==AddressSanitizer: while reporting a bug found another one.Ignoring.
            {noformat}
            elenst Elena Stepanova made changes -

            Reproducible in seconds by running this on elenst/rqg/merge aa7bc7508b or mleich/rqg/experimental f97bcfcb83
            {noformat}
            perl ./runall-new.pl --basedir=/data/bld/10.2-asan --vardir=/dev/shm/vardir --skip-gendata --duration=350 --threads=2 --validators=TransformerNoComparator --transformers=ExecuteAsView --grammar=conf/runtime/performance_schema.yy --mysqld=--performance-schema --ps-protocol
            {noformat}
            elenst Elena Stepanova made changes -
            elenst Elena Stepanova made changes -
            Assignee Elena Stepanova [ elenst ] Matthias Leich [ mleich ]

            mleich Matthias Leich added a comment -
            Simplified RQG grammar
            --------------------------------
            query:
            SELECT * FROM INFORMATION_SCHEMA.`TABLES` AS table1;
            thread1:
            GRANT ALL PRIVILEGES ON A . * TO 'someuser'@'somehost';

            At the moment it looks as if I might be able to develop some MTR-based
            replay testcase.

            mleich Matthias Leich added a comment -
            I am giving up on attempts to make an MTR-based replay testcase.

            mleich Matthias Leich added a comment -
            Quite fast replay with RQG on

            • 10.2.17 compiled with ASAN
              10.2 commit 45ab00f097be0f77d7087182244218f036c3f113
            • 10.3.9 compiled with ASAN
              10.3 commit f74d2a9faa4b4233433dfcb0d2d14a6b269c48ba

            I will upload the files required for the replay.
            You will need my experimental RQG.
            git clone https://github.com/mleich1/rqg RQG_mleich1
            cd RQG_mleich1
            git checkout experimental
            In case that does not work, please show up.
            mleich Matthias Leich made changes -
            Attachment MDEV-15907.cc [ 45928 ]
            Attachment MDEV-15907.sh [ 45929 ]
            Attachment MDEV-15907.yy [ 45930 ]
            mleich Matthias Leich made changes -
            Summary [Draft] ASAN heap-use-after-free in strnmov / name_hash_search ASAN heap-use-after-free in strnmov / name_hash_search
            mleich Matthias Leich made changes -
            Status Open [ 1 ] Confirmed [ 10101 ]
            mleich Matthias Leich made changes -
            Assignee Matthias Leich [ mleich ] Elena Stepanova [ elenst ]
            elenst Elena Stepanova made changes -
            Component/s Authentication and Privilege System [ 13101 ]
            Component/s Views [ 10111 ]
            Component/s Server [ 13907 ]

            0x62400006de38 is located 7480 bytes inside of 7572-byte region [0x62400006c100,0x62400006de94)
            freed by thread T7 here:
                #0 0x7efd7f438527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
                #1 0x18f686b in free_memory /data/src/10.0/mysys/safemalloc.c:276

            previously allocated by thread T7 here:
                #0 0x7efd7f43873f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
                #1 0x18f693c in sf_malloc /data/src/10.0/mysys/safemalloc.c:115
                #2 0x19f950a (/data/bld/10.0-asan/bin/mysqld+0x19f950a)

            Thread T7 created by T0 here:
                #0 0x7efd7f407bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
                #1 0x11c1e13 in spawn_thread_v1 /data/src/10.0/storage/perfschema/pfs.cc:1911

            SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.0/strings/strnmov.c:41 strnmov
            Shadow bytes around the buggy address:
              0x0c4880005b70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c4880005b80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c4880005b90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c4880005ba0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c4880005bb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
            =>0x0c4880005bc0: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
              0x0c4880005bd0: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c4880005be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c4880005bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c4880005c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c4880005c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable: 00
              Partially addressable: 01 02 03 04 05 06 07
              Heap left redzone: fa
              Heap right redzone: fb
              Freed heap region: fd
              Stack left redzone: f1
              Stack mid redzone: f2
              Stack right redzone: f3
              Stack partial redzone: f4
              Stack after return: f5
              Stack use after scope: f8
              Global redzone: f9
              Global init order: f6
              Poisoned by user: f7
              Contiguous container OOB:fc
              ASan internal: fe
            ==23051==ABORTING
            {noformat}
            Summary: ASAN heap-use-after-free in strnmov / name_hash_search -> ASAN heap-use-after-free in strnmov / name_hash_search on concurrent GRANT and CREATE VIEW
            elenst Elena Stepanova made changes -
            Fix Version/s 10.0 [ 16000 ]
            Fix Version/s 10.1 [ 16100 ]
            Fix Version/s 10.4 [ 22408 ]
            Affects Version/s 5.5 [ 15800 ]
            Affects Version/s 10.0 [ 16000 ]
            Affects Version/s 10.1 [ 16100 ]
            Affects Version/s 10.4 [ 22408 ]
            elenst Elena Stepanova made changes -
            Summary: ASAN heap-use-after-free in strnmov / name_hash_search on concurrent GRANT and CREATE VIEW -> ASAN heap-use-after-free in strnmov / .. / fill_effective_table_privileges on concurrent GRANT and CREATE VIEW
            elenst Elena Stepanova made changes -
            Comment [ [~mleich], could you please do grammar simplification for this? ]
            elenst Elena Stepanova made changes -
            Comment [ For the record, in travis tests I initially got this non-ASAN crash:
            {noformat:title=bb-10.2-mdev16428 af1568668f6a910b5739fe1d7181c59f94a95196}
            #3 <signal handler called>
            #4 0x0000557f3f9aaee6 in base_list_iterator::next (this=0x7f0ad930c7c0) at /home/travis/src/sql/sql_list.h:453
            #5 0x0000557f3fad4f6f in List_iterator<partition_element>::operator++ (this=0x7f0ad930c7c0) at /home/travis/src/sql/sql_list.h:564
            #6 0x0000557f3faedf22 in mysql_create_frm_image (thd=0x7f0ac4004f70, db=0x7f0ac404b298 "performance_schema", table_name=0x7f0ac404b2ab "setup_instruments", create_info=0x7f0ad930da68, alter_info=0x7f0ad930de40, create_table_mode=0, key_info=0x7f0ad930c868, key_count=0x7f0ad930c864, frm=0x7f0ad930c8b0) at /home/travis/src/sql/sql_table.cc:4486
            #7 0x0000557f3fb2794d in TABLE_SHARE::init_from_sql_statement_string (this=0x7f0ac404ad98, thd=0x7f0ac4004f70, write=false, sql=0x557f40741790 "CREATE TABLE setup_instruments(NAME VARCHAR(128) not null,ENABLED ENUM ('YES', 'NO') not null,TIMED ENUM ('YES', 'NO') not null)", sql_length=128) at /home/travis/src/sql/table.cc:2673
            #8 0x0000557f4036a4c1 in pfs_discover_table (hton=0x557f425df0c0, thd=0x7f0ac4004f70, share=0x7f0ac404ad98) at /home/travis/src/storage/perfschema/ha_perfschema.cc:81
            #9 0x0000557f3fcaaf1d in discover_handlerton (thd=0x7f0ac4004f70, plugin=0x7f0ac4197de0, arg=0x7f0ac404ad98) at /home/travis/src/sql/handler.cc:4883
            #10 0x0000557f3fa42483 in plugin_foreach_with_mask (thd=0x7f0ac4004f70, func=0x557f3fcaaea4 <discover_handlerton(THD*, plugin_ref, void*)>, type=1, state_mask=8, arg=0x7f0ac404ad98) at /home/travis/src/sql/sql_plugin.cc:2399
            #11 0x0000557f3fcab111 in ha_discover_table (thd=0x7f0ac4004f70, share=0x7f0ac404ad98) at /home/travis/src/sql/handler.cc:4927
            #12 0x0000557f3fb20a3f in open_table_def (thd=0x7f0ac4004f70, share=0x7f0ac404ad98, flags=11) at /home/travis/src/sql/table.cc:604
            #13 0x0000557f3fc1a4a5 in tdc_acquire_share (thd=0x7f0ac4004f70, tl=0x7f0ac42312e8, flags=3, out_table=0x7f0ad930e708) at /home/travis/src/sql/table_cache.cc:825
            #14 0x0000557f3f9b328f in open_table (thd=0x7f0ac4004f70, table_list=0x7f0ac42312e8, ot_ctx=0x7f0ad930eb40) at /home/travis/src/sql/sql_base.cc:1753
            #15 0x0000557f3f9b62b2 in open_and_process_table (thd=0x7f0ac4004f70, lex=0x7f0ac422fa98, tables=0x7f0ac42312e8, counter=0x7f0ad930ec14, flags=512, prelocking_strategy=0x7f0ad930ebc0, has_prelocking_list=false, ot_ctx=0x7f0ad930eb40) at /home/travis/src/sql/sql_base.cc:3433
            #16 0x0000557f3f9b73f6 in open_tables (thd=0x7f0ac4004f70, options=..., start=0x7f0ad930ec00, counter=0x7f0ad930ec14, flags=512, prelocking_strategy=0x7f0ad930ebc0) at /home/travis/src/sql/sql_base.cc:3952
            #17 0x0000557f3f9fed49 in open_tables (thd=0x7f0ac4004f70, tables=0x7f0ad930ec00, counter=0x7f0ad930ec14, flags=512) at /home/travis/src/sql/sql_base.h:470
            #18 0x0000557f3fa49cc1 in mysql_test_update (stmt=0x7f0ac4298900, table_list=0x7f0ac42312e8) at /home/travis/src/sql/sql_prepare.cc:1411
            #19 0x0000557f3fa4be36 in check_prepared_statement (stmt=0x7f0ac4298900) at /home/travis/src/sql/sql_prepare.cc:2346
            #20 0x0000557f3fa4f970 in Prepared_statement::prepare (this=0x7f0ac4298900, packet=0x7f0ac400a771 "UPDATE performance_schema.setup_instruments SET ENABLED = 'NO' WHERE NAME LIKE '%sql%' /* QNO 13072 CON_ID 19 */ ", packet_len=113) at /home/travis/src/sql/sql_prepare.cc:3996
            #21 0x0000557f3fa4c4f7 in mysqld_stmt_prepare (thd=0x7f0ac4004f70, packet=0x7f0ac400a771 "UPDATE performance_schema.setup_instruments SET ENABLED = 'NO' WHERE NAME LIKE '%sql%' /* QNO 13072 CON_ID 19 */ ", packet_length=113) at /home/travis/src/sql/sql_prepare.cc:2633
            #22 0x0000557f3fa21bbe in dispatch_command (command=COM_STMT_PREPARE, thd=0x7f0ac4004f70, packet=0x7f0ac400a771 "UPDATE performance_schema.setup_instruments SET ENABLED = 'NO' WHERE NAME LIKE '%sql%' /* QNO 13072 CON_ID 19 */ ", packet_length=113, is_com_multi=false, is_next_command=false) at /home/travis/src/sql/sql_parse.cc:1777
            #23 0x0000557f3fa20835 in do_command (thd=0x7f0ac4004f70) at /home/travis/src/sql/sql_parse.cc:1374
            #24 0x0000557f3fb709d4 in do_handle_one_connection (connect=0x557f427455b0) at /home/travis/src/sql/sql_connect.cc:1335
            #25 0x0000557f3fb70761 in handle_one_connection (arg=0x557f427455b0) at /home/travis/src/sql/sql_connect.cc:1241
            #26 0x0000557f4039d14c in pfs_spawn_thread (arg=0x557f4277a890) at /home/travis/src/storage/perfschema/pfs.cc:1862
            #27 0x00007f0af08dd184 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
            #28 0x00007f0aefde9ffd in clone () from /lib/x86_64-linux-gnu/libc.so.6
            {noformat}

            But it's not reproducible itself so far, and when I tried to run with ASAN, I got the failure above instead. So, hopefully they have the same origin, but if not and if somebody wants to investigate this separately, coredump, datadir, logs etc. are available on demand. ]
            elenst Elena Stepanova made changes -
            Comment [ A comment with security level 'Developers' was removed. ]
            elenst Elena Stepanova made changes -
            Description (old and new values are the same as the description above except for the sentence appended at the end)
            If the MTR test doesn't work for you for whatever reason, see the RQG variant in Matthias's comments.
            elenst Elena Stepanova made changes -
            Assignee Elena Stepanova [ elenst ] Sergei Golubchik [ serg ]
            serg Sergei Golubchik made changes -
            Assignee Sergei Golubchik [ serg ] Sergey Vojtovich [ svoj ]
            svoj Sergey Vojtovich added a comment - - edited

            Single-threaded test:

            {code:sql}
            PREPARE stmt1 FROM "CREATE OR REPLACE VIEW v AS SELECT * FROM INFORMATION_SCHEMA.TABLES";
            FLUSH PRIVILEGES;
            EXECUTE stmt1;
            DROP VIEW v;
            {code}

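The single-threaded test above points at the pattern behind the ASAN report: a pointer into the privilege cache resolved at PREPARE time is reused at EXECUTE time after FLUSH PRIVILEGES (or GRANT) has freed and rebuilt that cache. The C model below is an added example, not MariaDB server code, with hypothetical names and constructed grant values; it shows the mitigation a reviewer would look for in such a fix, stamping the cached pointer with the cache version and re-resolving when the versions differ, plus an address-range check that reports a stale pointer without dereferencing it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef struct { char db[32]; char table[32]; unsigned privs; } grant_entry;

/* Stands in for the ACL memory pool: the whole block is replaced on every
   reload (GRANT / FLUSH PRIVILEGES), so any pointer into the old block dangles. */
typedef struct { grant_entry *entries; size_t count; unsigned long version; } grant_cache;

/* What a prepared CREATE VIEW keeps between PREPARE and EXECUTE (hypothetical). */
typedef struct {
    char db[32], table[32];
    const grant_entry *cached;      /* resolved at PREPARE time */
    unsigned long cached_version;   /* cache version the pointer belongs to */
    unsigned relookups;             /* times EXECUTE had to re-resolve */
} prepared_stmt;

/* Reload from src: the new block is allocated before the old one is freed,
   so old and new never share an address. */
static void cache_load(grant_cache *c, const grant_entry *src, size_t n)
{
    grant_entry *fresh = malloc(n * sizeof *fresh);
    if (!fresh) { perror("malloc"); exit(1); }
    memcpy(fresh, src, n * sizeof *fresh);
    free(c->entries);               /* pointers captured earlier now dangle */
    c->entries = fresh;
    c->count = n;
    c->version++;
}

static const grant_entry *cache_lookup(const grant_cache *c,
                                       const char *db, const char *table)
{
    for (size_t i = 0; i < c->count; i++)
        if (!strcmp(c->entries[i].db, db) && !strcmp(c->entries[i].table, table))
            return &c->entries[i];
    return NULL;
}

/* PREPARE: resolve once and remember which cache version the pointer came from. */
static void stmt_prepare(prepared_stmt *s, const grant_cache *c,
                         const char *db, const char *table)
{
    snprintf(s->db, sizeof s->db, "%s", db);
    snprintf(s->table, sizeof s->table, "%s", table);
    s->cached = cache_lookup(c, db, table);
    s->cached_version = c->version;
    s->relookups = 0;
}

/* Does the cached pointer still lie inside the live block? Compares addresses
   only and never dereferences the possibly freed pointer. */
static bool stmt_cached_entry_is_live(const prepared_stmt *s, const grant_cache *c)
{
    uintptr_t p = (uintptr_t)s->cached, lo = (uintptr_t)c->entries;
    return s->cached && p >= lo && p < lo + c->count * sizeof *c->entries;
}

/* EXECUTE, hardened: trust the cached pointer only while the cache version
   matches, otherwise look the grant up again. Using the pointer without this
   check after a reload is the use-after-free the ASAN report shows. */
static unsigned stmt_execute(prepared_stmt *s, const grant_cache *c)
{
    if (s->cached_version != c->version) {
        s->cached = cache_lookup(c, s->db, s->table);
        s->cached_version = c->version;
        s->relookups++;
    }
    return s->cached ? s->cached->privs : 0;   /* privilege mask, 0 = no grant */
}

int main(void)
{
    grant_cache cache = {0};
    grant_entry before[] = {{"test", "v", 0x1}};   /* constructed: SELECT only */
    grant_entry after[]  = {{"test", "v", 0x3}};   /* constructed: after GRANT */
    prepared_stmt stmt;
    cache_load(&cache, before, 1);
    stmt_prepare(&stmt, &cache, "test", "v");
    printf("before reload: privs=%#x\n", stmt_execute(&stmt, &cache));
    cache_load(&cache, after, 1);                  /* GRANT / FLUSH PRIVILEGES */
    printf("cached pointer live after reload: %s\n",
           stmt_cached_entry_is_live(&stmt, &cache) ? "yes" : "no");
    printf("after reload: privs=%#x relookups=%u\n",
           stmt_execute(&stmt, &cache), stmt.relookups);
    free(cache.entries);
    return 0;
}
```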

            svoj Sergey Vojtovich added a comment -

            serg, please review robertbindar's PR#1253.
            svoj Sergey Vojtovich made changes -
            Assignee Sergey Vojtovich [ svoj ] Sergei Golubchik [ serg ]
            Status Confirmed [ 10101 ] In Review [ 10002 ]
            serg Sergei Golubchik made changes -
            Status In Review [ 10002 ] Stalled [ 10000 ]
            serg Sergei Golubchik made changes -
            Fix Version/s 5.5.64 [ 23303 ]
            Fix Version/s 10.1.39 [ 23305 ]
            Fix Version/s 10.2.24 [ 23308 ]
            Fix Version/s 10.3.15 [ 23309 ]
            Fix Version/s 10.4.5 [ 23311 ]
            Fix Version/s 10.2 [ 14601 ]
            Fix Version/s 10.0 [ 16000 ]
            Fix Version/s 10.1 [ 16100 ]
            Fix Version/s 10.3 [ 22126 ]
            Fix Version/s 10.4 [ 22408 ]
            Resolution Fixed [ 1 ]
            Status Stalled [ 10000 ] Closed [ 6 ]
            serg Sergei Golubchik made changes -
            Assignee Sergei Golubchik [ serg ] Robert Bindar [ robertbindar ]
            alice Alice Sherepa made changes -
            serg Sergei Golubchik made changes -
            Workflow MariaDB v3 [ 86616 ] MariaDB v4 [ 154176 ]

            People

              robertbindar Robert Bindar
              elenst Elena Stepanova