
Server crashes in Apc_target::disable, ASAN heap-use-after-free in Explain_query::~Explain_query upon/after EXECUTE IMMEDIATE


Details

    Description

      -- Reproducer for the heap-use-after-free reported below (10.3 ASAN build 15419a5583).
      -- The table is created WITH SYSTEM VERSIONING as in the original report; the report does
      -- not say whether a non-versioned table is also affected.
      CREATE OR REPLACE TABLE t1 (a INT) WITH SYSTEM VERSIONING;
      -- Per the ASAN trace: the Prepared_statement created for EXECUTE IMMEDIATE is destroyed
      -- (its mem_root freed via free_root) inside mysql_sql_stmt_execute_immediate(); afterwards
      -- delete_explain_query(LEX*), called from log_slow_statement(), runs ~Explain_query on
      -- memory inside that freed region. Impact is a server-thread crash, i.e. denial of service.
      EXECUTE IMMEDIATE "SELECT * FROM t1 WHERE EXISTS (SELECT 1)";
      DROP TABLE t1;
      

      10.3 ASAN 15419a5583

      ==30831==ERROR: AddressSanitizer: heap-use-after-free on address 0x62b00002da70 at pc 0x5648473629bb bp 0x7f1d9095d970 sp 0x7f1d9095d968
      READ of size 1 at 0x62b00002da70 thread T5
          #0 0x5648473629ba in Explain_query::~Explain_query() /data/src/10.3/sql/sql_explain.cc:62
          #1 0x564847370cbc in delete_explain_query(LEX*) /data/src/10.3/sql/sql_explain.cc:2407
          #2 0x564846f949b4 in log_slow_statement(THD*) /data/src/10.3/sql/sql_parse.cc:2515
          #3 0x564846f93e81 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:2419
          #4 0x564846f8de9c in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1391
          #5 0x5648472fa2d3 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
          #6 0x5648472f9cdf in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
          #7 0x564847e0e967 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
          #8 0x7f1d9cf22493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
          #9 0x7f1d9b30893e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
       
      0x62b00002da70 is located 14448 bytes inside of 24716-byte region [0x62b00002a200,0x62b00003028c)
      freed by thread T5 here:
          #0 0x7f1d9d18c527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
          #1 0x5648487c6a82 in free_memory /data/src/10.3/mysys/safemalloc.c:279
          #2 0x5648487c6088 in sf_free /data/src/10.3/mysys/safemalloc.c:197
          #3 0x56484879675d in my_free /data/src/10.3/mysys/my_malloc.c:222
          #4 0x564848776a75 in free_root /data/src/10.3/mysys/my_alloc.c:427
          #5 0x564846ff937e in Prepared_statement::~Prepared_statement() /data/src/10.3/sql/sql_prepare.cc:3812
          #6 0x564846ff9491 in Prepared_statement::~Prepared_statement() /data/src/10.3/sql/sql_prepare.cc:3814
          #7 0x564846ff3f63 in mysql_sql_stmt_execute_immediate(THD*) /data/src/10.3/sql/sql_prepare.cc:2886
          #8 0x564846f9c477 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3774
          #9 0x564846fb6a70 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8019
          #10 0x564846f90e14 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1846
          #11 0x564846f8de9c in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1391
          #12 0x5648472fa2d3 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
          #13 0x5648472f9cdf in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
          #14 0x564847e0e967 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
          #15 0x7f1d9cf22493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
       
      previously allocated by thread T5 here:
          #0 0x7f1d9d18c73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
          #1 0x5648487c57f8 in sf_malloc /data/src/10.3/mysys/safemalloc.c:118
          #2 0x564848795e50 in my_malloc /data/src/10.3/mysys/my_malloc.c:101
          #3 0x56484877461d in init_alloc_root /data/src/10.3/mysys/my_alloc.c:81
          #4 0x5648472703f2 in init_sql_alloc(st_mem_root*, char const*, unsigned int, unsigned int, unsigned long) /data/src/10.3/sql/thr_malloc.cc:65
          #5 0x564846ff8809 in Prepared_statement::Prepared_statement(THD*) /data/src/10.3/sql/sql_prepare.cc:3734
          #6 0x564846ff3d65 in mysql_sql_stmt_execute_immediate(THD*) /data/src/10.3/sql/sql_prepare.cc:2854
          #7 0x564846f9c477 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3774
          #8 0x564846fb6a70 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8019
          #9 0x564846f90e14 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1846
          #10 0x564846f8de9c in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1391
          #11 0x5648472fa2d3 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
          #12 0x5648472f9cdf in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
          #13 0x564847e0e967 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
          #14 0x7f1d9cf22493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
       
      Thread T5 created by T0 here:
          #0 0x7f1d9d15bbba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x564847e0ef2f in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1912
          #2 0x564846cfc6fa in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1268
          #3 0x564846d127bf in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6556
          #4 0x564846d12ec4 in create_new_thread /data/src/10.3/sql/mysqld.cc:6626
          #5 0x564846d13ed5 in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6901
          #6 0x564846d11c7c in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6178
          #7 0x564846cfa79f in main /data/src/10.3/sql/main.cc:25
          #8 0x7f1d9b2402b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
       
      SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.3/sql/sql_explain.cc:62 Explain_query::~Explain_query()
      Shadow bytes around the buggy address:
        0x0c567fffdaf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c567fffdb00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c567fffdb10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c567fffdb20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c567fffdb30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      =>0x0c567fffdb40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
        0x0c567fffdb50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c567fffdb60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c567fffdb70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c567fffdb80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c567fffdb90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Contiguous container OOB:fc
        ASan internal:           fe
      ==30831==ABORTING
      

      10.3 15419a5583

      #3  <signal handler called>
      #4  0x0000557b30c6de54 in Apc_target::disable (this=0x8f8f8f8f8f8fccf7) at /data/src/10.3/sql/my_apc.h:68
      #5  0x0000557b30c653cb in Explain_query::~Explain_query (this=0x7f3564117bd0, __in_chrg=<optimized out>) at /data/src/10.3/sql/sql_explain.cc:63
      #6  0x0000557b30c6d429 in delete_explain_query (lex=0x7f35640048b8) at /data/src/10.3/sql/sql_explain.cc:2407
      #7  0x0000557b30acbf74 in log_slow_statement (thd=0x7f3564000b00) at /data/src/10.3/sql/sql_parse.cc:2515
      #8  0x0000557b30acbafc in dispatch_command (command=COM_QUERY, thd=0x7f3564000b00, packet=0x7f3564145801 "", packet_length=60, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:2419
      #9  0x0000557b30ac886b in do_command (thd=0x7f3564000b00) at /data/src/10.3/sql/sql_parse.cc:1391
      #10 0x0000557b30c2d891 in do_handle_one_connection (connect=0x557b34a46eb0) at /data/src/10.3/sql/sql_connect.cc:1402
      #11 0x0000557b30c2d615 in handle_one_connection (arg=0x557b34a46eb0) at /data/src/10.3/sql/sql_connect.cc:1308
      #12 0x0000557b310bcab1 in pfs_spawn_thread (arg=0x557b34ae87c0) at /data/src/10.3/storage/perfschema/pfs.cc:1862
      #13 0x00007f357dfc2494 in start_thread (arg=0x7f3576493700) at pthread_create.c:333
      #14 0x00007f357c3a893f in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

      It appears to be a very recent regression (from the past few days); I did not search for the exact commit that caused it.


          People

            serg Sergei Golubchik
            elenst Elena Stepanova

