  1. MariaDB Server
  2. MDEV-16063

[Draft] ASAN use-after-poison in row_sel / row_sel_step / que_thr_step

      Description

      10.3 ASAN cb16bc95ff9a7b

      =================================================================
      ==5740==ERROR: AddressSanitizer: use-after-poison on address 0x7f151454e9c8 at pc 0x562f4e8d8194 bp 0x7f14f45c5fc0 sp 0x7f14f45c5fb8
      READ of size 8 at 0x7f151454e9c8 thread T34
          #0 0x562f4e8d8193 in row_sel /data/src/10.3/storage/innobase/row/row0sel.cc:1798
          #1 0x562f4e8da065 in row_sel_step(que_thr_t*) /data/src/10.3/storage/innobase/row/row0sel.cc:2328
          #2 0x562f4e7cf78f in que_thr_step /data/src/10.3/storage/innobase/que/que0que.cc:1022
          #3 0x562f4e7cfe2a in que_run_threads_low /data/src/10.3/storage/innobase/que/que0que.cc:1108
          #4 0x562f4e7d0181 in que_run_threads(que_thr_t*) /data/src/10.3/storage/innobase/que/que0que.cc:1148
          #5 0x562f4e7d074c in que_eval_sql(pars_info_t*, char const*, unsigned long, trx_t*) /data/src/10.3/storage/innobase/que/que0que.cc:1225
          #6 0x562f4eb91734 in dict_stats_exec_sql /data/src/10.3/storage/innobase/dict/dict0stats.cc:312
          #7 0x562f4eb9e67a in dict_stats_delete_from_table_stats /data/src/10.3/storage/innobase/dict/dict0stats.cc:3493
          #8 0x562f4eb9ead9 in dict_stats_drop_table(char const*, char*, unsigned long) /data/src/10.3/storage/innobase/dict/dict0stats.cc:3571
          #9 0x562f4e87cdae in row_drop_table_for_mysql(char const*, trx_t*, bool, unsigned long, bool) /data/src/10.3/storage/innobase/row/row0mysql.cc:3563
          #10 0x562f4e85b40d in row_merge_drop_table(trx_t*, dict_table_t*) /data/src/10.3/storage/innobase/row/row0merge.cc:4519
          #11 0x562f4eb38f71 in dict_table_close_and_drop(trx_t*, dict_table_t*) /data/src/10.3/storage/innobase/dict/dict0dict.cc:566
          #12 0x562f4e681f47 in rollback_inplace_alter_table(Alter_inplace_info*, TABLE const*, row_prebuilt_t*) (/data/bld/10.3-asan/bin/mysqld+0x1d8cf47)
          #13 0x562f4e67600c in ha_innobase::commit_inplace_alter_table(TABLE*, Alter_inplace_info*, bool) /data/src/10.3/storage/innobase/handler/handler0alter.cc:9107
          #14 0x562f4de3b5a5 in handler::ha_commit_inplace_alter_table(TABLE*, Alter_inplace_info*, bool) /data/src/10.3/sql/handler.cc:4406
          #15 0x562f4d9533fc in mysql_inplace_alter_table /data/src/10.3/sql/sql_table.cc:7626
          #16 0x562f4d95fe7f in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.3/sql/sql_table.cc:9670
          #17 0x562f4daa4e4f in Sql_cmd_alter_table::execute(THD*) /data/src/10.3/sql/sql_alter.cc:334
          #18 0x562f4d74b957 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:6282
          #19 0x562f4d755ec6 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8001
          #20 0x562f4d73076c in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1846
          #21 0x562f4d72d803 in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1391
          #22 0x562f4da96590 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
          #23 0x562f4da95fa5 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
          #24 0x7f152a766493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
          #25 0x7f1528b4c93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
       
      0x7f151454e9c8 is located 531042696 bytes to the rightASAN:SIGSEGV
      ==5740==AddressSanitizer: while reporting a bug found another one.Ignoring.
      

      Unfortunately this is the end of the report.

      Similar problem on one of the previous builds:

      ==26413==ERROR: AddressSanitizer: use-after-poison on address 0x7fbb7597bdd0 at pc 0x5559f417c27c bp 0x7fbb5588fc80 sp 0x7fbb5588fc78
      READ of size 4 at 0x7fbb7597bdd0 thread T37
          #0 0x5559f417c27b in que_thr_step /data/src/10.3/storage/innobase/que/que0que.cc:1070
          #1 0x5559f417c516 in que_run_threads_low /data/src/10.3/storage/innobase/que/que0que.cc:1108
          #2 0x5559f417c86d in que_run_threads(que_thr_t*) /data/src/10.3/storage/innobase/que/que0que.cc:1148
          #3 0x5559f417ce38 in que_eval_sql(pars_info_t*, char const*, unsigned long, trx_t*) /data/src/10.3/storage/innobase/que/que0que.cc:1225
          #4 0x5559f4541233 in dict_stats_exec_sql /data/src/10.3/storage/innobase/dict/dict0stats.cc:312
          #5 0x5559f454e20e in dict_stats_delete_from_table_stats /data/src/10.3/storage/innobase/dict/dict0stats.cc:3494
          #6 0x5559f454e66d in dict_stats_drop_table(char const*, char*, unsigned long) /data/src/10.3/storage/innobase/dict/dict0stats.cc:3572
          #7 0x5559f42299ed in row_drop_table_for_mysql(char const*, trx_t*, bool, unsigned long, bool) /data/src/10.3/storage/innobase/row/row0mysql.cc:3563
          #8 0x5559f3fa98d1 in ha_innobase::delete_table(char const*) /data/src/10.3/storage/innobase/handler/ha_innodb.cc:12952
          #9 0x5559f37e5c70 in handler::ha_delete_table(char const*) /data/src/10.3/sql/handler.cc:4510
          #10 0x5559f37d5d67 in ha_delete_table(THD*, handlerton*, char const*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, bool) /data/src/10.3/sql/handler.cc:2528
          #11 0x5559f32dbf3d in mysql_rm_table_no_locks(THD*, TABLE_LIST*, bool, bool, bool, bool, bool, bool) /data/src/10.3/sql/sql_table.cc:2513
          #12 0x5559f32da296 in mysql_rm_table(THD*, TABLE_LIST*, bool, bool, bool) /data/src/10.3/sql/sql_table.cc:2127
          #13 0x5559f30ebe32 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:5050
          #14 0x5559f30fe702 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8001
          #15 0x5559f30d8fa8 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1846
          #16 0x5559f30d603f in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1391
          #17 0x5559f343f10c in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
          #18 0x5559f343eb21 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
          #19 0x7fbb8bb93493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
          #20 0x7fbb89f7993e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
      

      Both tests were run as

      experimental 745dc5101b2c4e98

      ASAN_OPTIONS=abort_on_error=1 perl ./runall-trials.pl --trials=10 --duration=350 --threads=6 --seed=1524795148  --validators=TransformerNoComparator --transformers=ConvertSubqueriesToViews,ConvertTablesToDerived,Count,DisableOptimizations,Distinct,EnableOptimizations,ExecuteAsCTE,ExecuteAsDeleteReturning,ExecuteAsDerived,ExecuteAsExcept,ExecuteAsExecuteImmediate,ExecuteAsInsertSelect,ExecuteAsIntersect,ExecuteAsSelectItem,ExecuteAsUnion,ExecuteAsUpdateDelete,ExecuteAsView,ExecuteAsWhereSubquery,Having,InlineSubqueries,LimitRowsExamined,OrderBy,StraightJoin,ExecuteAsPreparedTwice,ExecuteAsTrigger,ExecuteAsSPTwice,ExecuteAsFunctionTwice  --mysqld=--log_output=FILE  --mysqld=--max-statement-time=2 --mysqld=--lock-wait-timeout=5 --mysqld=--innodb-lock-wait-timeout=3 --mysqld=--loose-debug_assert_on_not_freed_memory=0 --views  --basedir=/data/bld/10.3-asan --grammar=conf/runtime/alter_online.yy --gendata=conf/runtime/alter_online.zz --engine=InnoDB --vardir=/dev/shm/vardir2
      

      It takes multiple trials to reproduce.

              People

              Assignee:
              elenst Elena Stepanova
              Reporter:
              elenst Elena Stepanova