Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-16376

ASAN: heap-use-after-free in gcol.innodb_virtual_debug

    XMLWordPrintable

Details

    Description

      This test in the test file:

      CREATE TABLE t (a INT, b INT, c INT GENERATED ALWAYS AS(a+b), h VARCHAR(10));
      INSERT INTO t VALUES (11, 3, DEFAULT, 'mm');
      INSERT INTO t VALUES (18, 1, DEFAULT, 'mm');
      INSERT INTO t VALUES (28, 1, DEFAULT, 'mm');
      INSERT INTO t VALUES (null, null, DEFAULT, 'mm');
      CREATE INDEX idx_1 on t(c);
      SET SESSION debug_dbug="+d,create_index_fail";
      --error ER_DUP_ENTRY
      ALTER TABLE t ADD COLUMN x INT GENERATED ALWAYS AS(a+b), ADD INDEX idx (x);
      SET SESSION debug_dbug="";
      SHOW CREATE TABLE t;
      SELECT c FROM t;
      DROP TABLE t;
      

      The index (dict_index_t) is added to the table and not removed when the ALTER TABLE fails. When the table is dropped, dict_index_remove_from_cache_low is invoked. It contains the following:

      	/* Remove the index from affected virtual column index list */
      	if (dict_index_has_virtual(index)) {
      		const dict_col_t*	col;
      		const dict_v_col_t*	vcol;
       
      		for (ulint i = 0; i < dict_index_get_n_fields(index); i++) {
      			col =  dict_index_get_nth_col(index, i);
      			if (dict_col_is_virtual(col)) {
      			...
      

      except when the ALTER TABLE failed, the not-really-added virtual column (that this not-really-added index refers to) was allocated in the ha_innobase_inplace_ctx and freed at the end of the ALTER TABLE. So, dereferencing col in DROP TABLE accessed freed memory and ASAN complains.

      Attachments

        Issue Links

          Activity

            People

              marko Marko Mäkelä
              serg Sergei Golubchik
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.