MariaDB Server / MDEV-16078

Server crashes in Item::delete_self or in String::free or ASAN fails with use-after-poison in String::alloced_length upon executing PS with out-of-range error


      Description

      Note: I couldn't get rid of system versioning in the test case by replacing it with invisible columns, or virtual columns, or virtual invisible columns. It is very important to understand why versioning plays a role here, we have external bug reports (without versioning) for similar crashes which have not been reproduced so far.

      Note: EXECUTE IMMEDIATE allows a simpler test case, but otherwise it's not important in itself.

      EXECUTE IMMEDIATE

      CREATE OR REPLACE TABLE t1 (a INT) WITH SYSTEM VERSIONING;
      EXECUTE IMMEDIATE "SELECT * FROM t1 WHERE CAST( 7649082492112076800*2 AS INT )";
       
      # Cleanup
      DROP TABLE t1;
      

      10.3 asan 73a10cbcc

      ==1095==ERROR: AddressSanitizer: use-after-poison on address 0x62b00002ca40 at pc 0x563d4efd2538 bp 0x7fb4606f6de0 sp 0x7fb4606f6dd8
      READ of size 8 at 0x62b00002ca40 thread T5
          #0 0x563d4efd2537 in Query_arena::free_items() /data/src/10.3/sql/sql_class.cc:3815
          #1 0x563d4f10d677 in Prepared_statement::~Prepared_statement() /data/src/10.3/sql/sql_prepare.cc:3803
          #2 0x563d4f10daf7 in Prepared_statement::~Prepared_statement() /data/src/10.3/sql/sql_prepare.cc:3812
          #3 0x563d4f1085cf in mysql_sql_stmt_execute_immediate(THD*) /data/src/10.3/sql/sql_prepare.cc:2884
          #4 0x563d4f0b139f in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3774
          #5 0x563d4f0cb49a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8001
          #6 0x563d4f0a5d40 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1846
          #7 0x563d4f0a2dd7 in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1391
          #8 0x563d4f40bb4a in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
          #9 0x563d4f40b55f in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
          #10 0x563d4ff1019f in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
          #11 0x7fb46ccbd493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
          #12 0x7fb46b0a393e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
       
      0x62b00002ca40 is located 10304 bytes inside of 24716-byte region [0x62b00002a200,0x62b00003028c)
      allocated by thread T5 here:
          #0 0x7fb46cf2773f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
          #1 0x563d508c67b8 in sf_malloc /data/src/10.3/mysys/safemalloc.c:118
          #2 0x563d508954c0 in my_malloc /data/src/10.3/mysys/my_malloc.c:101
          #3 0x563d50873cb1 in init_alloc_root /data/src/10.3/mysys/my_alloc.c:81
          #4 0x563d4f382497 in init_sql_alloc(st_mem_root*, char const*, unsigned int, unsigned int, unsigned long) /data/src/10.3/sql/thr_malloc.cc:65
          #5 0x563d4f10ce6f in Prepared_statement::Prepared_statement(THD*) /data/src/10.3/sql/sql_prepare.cc:3732
          #6 0x563d4f1083d1 in mysql_sql_stmt_execute_immediate(THD*) /data/src/10.3/sql/sql_prepare.cc:2852
          #7 0x563d4f0b139f in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3774
          #8 0x563d4f0cb49a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8001
          #9 0x563d4f0a5d40 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1846
          #10 0x563d4f0a2dd7 in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1391
          #11 0x563d4f40bb4a in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
          #12 0x563d4f40b55f in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
          #13 0x563d4ff1019f in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
          #14 0x7fb46ccbd493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
       
      Thread T5 created by T0 here:
          #0 0x7fb46cef6bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x563d4ff10767 in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1912
          #2 0x563d4ee149be in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1268
          #3 0x563d4ee2a6e3 in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6554
          #4 0x563d4ee2ade8 in create_new_thread /data/src/10.3/sql/mysqld.cc:6624
          #5 0x563d4ee2bdf9 in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6899
          #6 0x563d4ee29ba0 in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6176
          #7 0x563d4ee12d5f in main /data/src/10.3/sql/main.cc:25
          #8 0x7fb46afdb2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
       
      SUMMARY: AddressSanitizer: use-after-poison /data/src/10.3/sql/sql_class.cc:3815 Query_arena::free_items()
      Shadow bytes around the buggy address:
        0x0c567fffd8f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fffd900: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fffd910: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fffd920: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fffd930: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      =>0x0c567fffd940: f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7
        0x0c567fffd950: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 00 00 00
        0x0c567fffd960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c567fffd970: 00 00 00 00 00 00 00 00 00 00 00 f7 f7 f7 f7 f7
        0x0c567fffd980: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fffd990: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 00 00 00
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Contiguous container OOB:fc
        ASan internal:           fe
      ==1095==ABORTING
      

      10.3 73a10cbcc

      #3  <signal handler called>
      #4  0x0000561996dcf83b in Item::delete_self (this=0x7f0d54127618) at /data/src/10.3/sql/item.h:1873
      #5  0x0000561996dc5a57 in Query_arena::free_items (this=0x7f0d54006a98) at /data/src/10.3/sql/sql_class.cc:3818
      #6  0x0000561996e4bafb in Prepared_statement::~Prepared_statement (this=0x7f0d54006a80, __in_chrg=<optimized out>) at /data/src/10.3/sql/sql_prepare.cc:3803
      #7  0x0000561996e4bc8a in Prepared_statement::~Prepared_statement (this=0x7f0d54006a80, __in_chrg=<optimized out>) at /data/src/10.3/sql/sql_prepare.cc:3812
      #8  0x0000561996e4973b in mysql_sql_stmt_execute_immediate (thd=0x7f0d54000b00) at /data/src/10.3/sql/sql_prepare.cc:2884
      #9  0x0000561996e2382b in mysql_execute_command (thd=0x7f0d54000b00) at /data/src/10.3/sql/sql_parse.cc:3774
      #10 0x0000561996e30abe in mysql_parse (thd=0x7f0d54000b00, rawbuf=0x7f0d54014d68 "EXECUTE IMMEDIATE \"SELECT * FROM t1 WHERE CAST( 7649082492112076800*2 AS INT )\"", length=79, parser_state=0x7f0d645105d0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:8001
      #11 0x0000561996e1e2a1 in dispatch_command (command=COM_QUERY, thd=0x7f0d54000b00, packet=0x7f0d5408ffc1 "EXECUTE IMMEDIATE \"SELECT * FROM t1 WHERE CAST( 7649082492112076800*2 AS INT )\"", packet_length=79, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1846
      #12 0x0000561996e1cce0 in do_command (thd=0x7f0d54000b00) at /data/src/10.3/sql/sql_parse.cc:1391
      #13 0x0000561996f7fb95 in do_handle_one_connection (connect=0x56199ad18290) at /data/src/10.3/sql/sql_connect.cc:1402
      #14 0x0000561996f7f922 in handle_one_connection (arg=0x56199ad18290) at /data/src/10.3/sql/sql_connect.cc:1308
      #15 0x0000561997403a1f in pfs_spawn_thread (arg=0x56199adda700) at /data/src/10.3/storage/perfschema/pfs.cc:1862
      #16 0x00007f0d6c040494 in start_thread (arg=0x7f0d64511700) at pthread_create.c:333
      #17 0x00007f0d6a42693f in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

      PREPARE with parameter

      CREATE TABLE t1 (a INT) WITH SYSTEM VERSIONING;
      PREPARE stmt FROM "SELECT * FROM t1 WHERE CAST( ? * 2 AS INT )";
      EXECUTE stmt USING 7649082492112076800;
       
      # Cleanup
      DROP TABLE t1;
      

      10.3 asan 73a10cbcc

      ==1310==ERROR: AddressSanitizer: use-after-poison on address 0x62b00002c3d4 at pc 0x55a5005ea81b bp 0x7feb55454f00 sp 0x7feb55454ef8
      READ of size 4 at 0x62b00002c3d4 thread T5
          #0 0x55a5005ea81a in String::alloced_length() const /data/src/10.3/sql/sql_string.h:208
          #1 0x55a500f7eec7 in Item_param::reset() /data/src/10.3/sql/item.cc:4361
          #2 0x55a500897814 in reset_stmt_params /data/src/10.3/sql/sql_prepare.cc:3048
          #3 0x55a50089e625 in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.3/sql/sql_prepare.cc:4231
          #4 0x55a500898947 in mysql_sql_stmt_execute(THD*) /data/src/10.3/sql/sql_prepare.cc:3298
          #5 0x55a50083f3c7 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3784
          #6 0x55a50085949a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8001
          #7 0x55a500833d40 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1846
          #8 0x55a500830dd7 in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1391
          #9 0x55a500b99b4a in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
          #10 0x55a500b9955f in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
          #11 0x55a50169e19f in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
          #12 0x7feb61a1b493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
          #13 0x7feb5fe0193e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
       
      0x62b00002c3d4 is located 8660 bytes inside of 24716-byte region [0x62b00002a200,0x62b00003028c)
      allocated by thread T5 here:
          #0 0x7feb61c8573f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
          #1 0x55a5020547b8 in sf_malloc /data/src/10.3/mysys/safemalloc.c:118
          #2 0x55a5020234c0 in my_malloc /data/src/10.3/mysys/my_malloc.c:101
          #3 0x55a502001cb1 in init_alloc_root /data/src/10.3/mysys/my_alloc.c:81
          #4 0x55a500b10497 in init_sql_alloc(st_mem_root*, char const*, unsigned int, unsigned int, unsigned long) /data/src/10.3/sql/thr_malloc.cc:65
          #5 0x55a50089ae6f in Prepared_statement::Prepared_statement(THD*) /data/src/10.3/sql/sql_prepare.cc:3732
          #6 0x55a500895e72 in mysql_sql_stmt_prepare(THD*) /data/src/10.3/sql/sql_prepare.cc:2777
          #7 0x55a50083f3b3 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3779
          #8 0x55a50085949a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8001
          #9 0x55a500833d40 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1846
          #10 0x55a500830dd7 in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1391
          #11 0x55a500b99b4a in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
          #12 0x55a500b9955f in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
          #13 0x55a50169e19f in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
          #14 0x7feb61a1b493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
       
      Thread T5 created by T0 here:
          #0 0x7feb61c54bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x55a50169e767 in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1912
          #2 0x55a5005a29be in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1268
          #3 0x55a5005b86e3 in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6554
          #4 0x55a5005b8de8 in create_new_thread /data/src/10.3/sql/mysqld.cc:6624
          #5 0x55a5005b9df9 in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6899
          #6 0x55a5005b7ba0 in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6176
          #7 0x55a5005a0d5f in main /data/src/10.3/sql/main.cc:25
          #8 0x7feb5fd392b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
       
      SUMMARY: AddressSanitizer: use-after-poison /data/src/10.3/sql/sql_string.h:208 String::alloced_length() const
      Shadow bytes around the buggy address:
        0x0c567fffd820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c567fffd830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c567fffd840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c567fffd850: 00 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fffd860: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      =>0x0c567fffd870: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7
        0x0c567fffd880: f7 f7 f7 f7 00 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fffd890: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fffd8a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fffd8b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fffd8c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 00 00 00 00 00
      ==1310==ABORTING
      

      10.3 73a10cbcc

      #3  <signal handler called>
      #4  0x000055cb587c8f3f in sf_malloc_usable_size (ptr=0x8f8f8f8f8f8f8f8f, is_thread_specific=0x7fd7aa409297 "") at /data/src/10.3/mysys/safemalloc.c:215
      #5  0x000055cb587b6403 in my_free (ptr=0x8f8f8f8f8f8f8f8f) at /data/src/10.3/mysys/my_malloc.c:213
      #6  0x000055cb57c1b78d in String::free (this=0x7fd798127008) at /data/src/10.3/sql/sql_string.h:358
      #7  0x000055cb58033e68 in Item_param::reset (this=0x7fd798126ed8) at /data/src/10.3/sql/item.cc:4362
      #8  0x000055cb57d55dc1 in reset_stmt_params (stmt=0x7fd798006a80) at /data/src/10.3/sql/sql_prepare.cc:3048
      #9  0x000055cb57d58cf0 in Prepared_statement::execute_loop (this=0x7fd798006a80, expanded_query=0x7fd7aa4093f0, open_cursor=false, packet=0x0, packet_end=0x0) at /data/src/10.3/sql/sql_prepare.cc:4231
      #10 0x000055cb57d5666d in mysql_sql_stmt_execute (thd=0x7fd798000b00) at /data/src/10.3/sql/sql_prepare.cc:3298
      #11 0x000055cb57d2f853 in mysql_execute_command (thd=0x7fd798000b00) at /data/src/10.3/sql/sql_parse.cc:3784
      #12 0x000055cb57d3cabe in mysql_parse (thd=0x7fd798000b00, rawbuf=0x7fd798014d68 "EXECUTE stmt USING 7649082492112076800", length=38, parser_state=0x7fd7aa40a5d0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:8001
      #13 0x000055cb57d2a2a1 in dispatch_command (command=COM_QUERY, thd=0x7fd798000b00, packet=0x7fd79808ffc1 "EXECUTE stmt USING 7649082492112076800", packet_length=38, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1846
      #14 0x000055cb57d28ce0 in do_command (thd=0x7fd798000b00) at /data/src/10.3/sql/sql_parse.cc:1391
      #15 0x000055cb57e8bb95 in do_handle_one_connection (connect=0x55cb5b550290) at /data/src/10.3/sql/sql_connect.cc:1402
      #16 0x000055cb57e8b922 in handle_one_connection (arg=0x55cb5b550290) at /data/src/10.3/sql/sql_connect.cc:1308
      #17 0x000055cb5830fa1f in pfs_spawn_thread (arg=0x55cb5b612700) at /data/src/10.3/storage/perfschema/pfs.cc:1862
      #18 0x00007fd7b1f3a494 in start_thread (arg=0x7fd7aa40b700) at pthread_create.c:333
      #19 0x00007fd7b032093f in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

      Disconnect after failed execute

      CREATE TABLE t1 (a INT) WITH SYSTEM VERSIONING ENGINE=MyISAM;
       
      --connect (con1,localhost,root,,)
      PREPARE stmt FROM "SELECT * FROM t1 WHERE CAST( 7649082492112076800 * 2 AS INT )";
      --error ER_DATA_OUT_OF_RANGE
      EXECUTE stmt;
      --disconnect con1
       
      # Cleanup
      --connection default
      DROP TABLE t1;
      

      10.3 73a10cbcc

      #3  <signal handler called>
      #4  0x000055b6e3e7f83b in Item::delete_self (this=0x7f86dc0222c0) at /data/src/10.3/sql/item.h:1873
      #5  0x000055b6e3e75a57 in Query_arena::free_items (this=0x7f86dc00e5d8) at /data/src/10.3/sql/sql_class.cc:3818
      #6  0x000055b6e3efbafb in Prepared_statement::~Prepared_statement (this=0x7f86dc00e5c0, __in_chrg=<optimized out>) at /data/src/10.3/sql/sql_prepare.cc:3803
      #7  0x000055b6e3efbc8a in Prepared_statement::~Prepared_statement (this=0x7f86dc00e5c0, __in_chrg=<optimized out>) at /data/src/10.3/sql/sql_prepare.cc:3812
      #8  0x000055b6e3e761ad in delete_statement_as_hash_key (key=0x7f86dc00e5c0) at /data/src/10.3/sql/sql_class.cc:3959
      #9  0x000055b6e493558b in my_hash_free_elements (hash=0x7f86dc002788) at /data/src/10.3/mysys/hash.c:129
      #10 0x000055b6e49356a5 in my_hash_reset (hash=0x7f86dc002788) at /data/src/10.3/mysys/hash.c:171
      #11 0x000055b6e3e76628 in Statement_map::reset (this=0x7f86dc002788) at /data/src/10.3/sql/sql_class.cc:4091
      #12 0x000055b6e3e6e78a in THD::free_connection (this=0x7f86dc000b00) at /data/src/10.3/sql/sql_class.cc:1656
      #13 0x000055b6e3db18dc in unlink_thd (thd=0x7f86dc000b00) at /data/src/10.3/sql/mysqld.cc:2945
      #14 0x000055b6e3db1da5 in one_thread_per_connection_end (thd=0x7f86dc000b00, put_in_cache=true) at /data/src/10.3/sql/mysqld.cc:3086
      #15 0x000055b6e402fc7e in do_handle_one_connection (connect=0x55b6e78b4170) at /data/src/10.3/sql/sql_connect.cc:1421
      #16 0x000055b6e402f922 in handle_one_connection (arg=0x55b6e78b4170) at /data/src/10.3/sql/sql_connect.cc:1308
      #17 0x00007f87449a9494 in start_thread (arg=0x7f874004d700) at pthread_create.c:333
      #18 0x00007f8742d8f93f in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

      10.3 asan 73a10cbcc

      ==3526==ERROR: AddressSanitizer: use-after-poison on address 0x62b000025a48 at pc 0x55d4ce367538 bp 0x7f4c8177d980 sp 0x7f4c8177d978
      READ of size 8 at 0x62b000025a48 thread T6
          #0 0x55d4ce367537 in Query_arena::free_items() /data/src/10.3/sql/sql_class.cc:3815
          #1 0x55d4ce4a2677 in Prepared_statement::~Prepared_statement() /data/src/10.3/sql/sql_prepare.cc:3803
          #2 0x55d4ce4a2af7 in Prepared_statement::~Prepared_statement() /data/src/10.3/sql/sql_prepare.cc:3812
          #3 0x55d4ce368be0 in delete_statement_as_hash_key /data/src/10.3/sql/sql_class.cc:3959
          #4 0x55d4cfbc9b75 in my_hash_free_elements /data/src/10.3/mysys/hash.c:129
          #5 0x55d4cfbc9e4f in my_hash_reset /data/src/10.3/mysys/hash.c:171
          #6 0x55d4ce3694e1 in Statement_map::reset() /data/src/10.3/sql/sql_class.cc:4091
          #7 0x55d4ce354fa2 in THD::free_connection() /data/src/10.3/sql/sql_class.cc:1656
          #8 0x55d4ce1b3d66 in unlink_thd(THD*) /data/src/10.3/sql/mysqld.cc:2945
          #9 0x55d4ce1b46bc in one_thread_per_connection_end(THD*, bool) /data/src/10.3/sql/mysqld.cc:3086
          #10 0x55d4ce7a0d6c in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1421
          #11 0x55d4ce7a055f in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
          #12 0x55d4cf2a519f in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
          #13 0x7f4c8e21f493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
          #14 0x7f4c8c60593e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
       
      0x62b000025a48 is located 10312 bytes inside of 24716-byte region [0x62b000023200,0x62b00002928c)
      allocated by thread T6 here:
          #0 0x7f4c8e48973f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
          #1 0x55d4cfc5b7b8 in sf_malloc /data/src/10.3/mysys/safemalloc.c:118
          #2 0x55d4cfc2a4c0 in my_malloc /data/src/10.3/mysys/my_malloc.c:101
          #3 0x55d4cfc08cb1 in init_alloc_root /data/src/10.3/mysys/my_alloc.c:81
          #4 0x55d4ce717497 in init_sql_alloc(st_mem_root*, char const*, unsigned int, unsigned int, unsigned long) /data/src/10.3/sql/thr_malloc.cc:65
          #5 0x55d4ce4a1e6f in Prepared_statement::Prepared_statement(THD*) /data/src/10.3/sql/sql_prepare.cc:3732
          #6 0x55d4ce49ce72 in mysql_sql_stmt_prepare(THD*) /data/src/10.3/sql/sql_prepare.cc:2777
          #7 0x55d4ce4463b3 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3779
          #8 0x55d4ce46049a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8001
          #9 0x55d4ce43ad40 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1846
          #10 0x55d4ce437dd7 in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1391
          #11 0x55d4ce7a0b4a in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
          #12 0x55d4ce7a055f in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
          #13 0x55d4cf2a519f in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
          #14 0x7f4c8e21f493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
       
      Thread T6 created by T0 here:
          #0 0x7f4c8e458bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x55d4cf2a5767 in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1912
          #2 0x55d4ce1a99be in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1268
          #3 0x55d4ce1bf6e3 in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6554
          #4 0x55d4ce1bfde8 in create_new_thread /data/src/10.3/sql/mysqld.cc:6624
          #5 0x55d4ce1c0df9 in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6899
          #6 0x55d4ce1beba0 in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6176
          #7 0x55d4ce1a7d5f in main /data/src/10.3/sql/main.cc:25
          #8 0x7f4c8c53d2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
       
      SUMMARY: AddressSanitizer: use-after-poison /data/src/10.3/sql/sql_class.cc:3815 Query_arena::free_items()
      Shadow bytes around the buggy address:
        0x0c567fffcaf0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fffcb00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fffcb10: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fffcb20: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fffcb30: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      =>0x0c567fffcb40: f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7
        0x0c567fffcb50: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fffcb60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fffcb70: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fffcb80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fffcb90: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      ==3526==ABORTING
      

      People

        Assignee: Aleksey Midenkov (midenok)
        Reporter: Elena Stepanova (elenst)