Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-16376

ASAN: heap-use-after-free in gcol.innodb_virtual_debug

    Details

      Description

      This test in the test file:

      CREATE TABLE t (a INT, b INT, c INT GENERATED ALWAYS AS(a+b), h VARCHAR(10));
      INSERT INTO t VALUES (11, 3, DEFAULT, 'mm');
      INSERT INTO t VALUES (18, 1, DEFAULT, 'mm');
      INSERT INTO t VALUES (28, 1, DEFAULT, 'mm');
      INSERT INTO t VALUES (null, null, DEFAULT, 'mm');
      CREATE INDEX idx_1 on t(c);
      SET SESSION debug_dbug="+d,create_index_fail";
      --error ER_DUP_ENTRY
      ALTER TABLE t ADD COLUMN x INT GENERATED ALWAYS AS(a+b), ADD INDEX idx (x);
      SET SESSION debug_dbug="";
      SHOW CREATE TABLE t;
      SELECT c FROM t;
      DROP TABLE t;
      

      The index (dict_index_t) is added to the table and not removed when the ALTER TABLE fails. When the table is dropped, dict_index_remove_from_cache_low is invoked. It contains the following:

      	/* Remove the index from affected virtual column index list */
      	if (dict_index_has_virtual(index)) {
      		const dict_col_t*	col;
      		const dict_v_col_t*	vcol;
       
      		for (ulint i = 0; i < dict_index_get_n_fields(index); i++) {
      			col =  dict_index_get_nth_col(index, i);
      			if (dict_col_is_virtual(col)) {
      			...
      

      except when the ALTER TABLE failed, the not-really-added virtual column (that this not-really-added index refers to) was allocated in the ha_innobase_inplace_ctx and freed at the end of the ALTER TABLE. So, dereferencing col in DROP TABLE accessed freed memory and ASAN complains.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                marko Marko Mäkelä
                Reporter:
                serg Sergei Golubchik
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: