Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-16788

2nd execution of SP: ASAN heap-use-after-free in my_strcasecmp_utf8 or Assertion `ls->length < 0xFFFFFFFFL && ((ls->length == 0 && !ls->str) || ls->length == strlen(ls->str))' or unexpected ER_TOO_LONG_IDENT

    XMLWordPrintable

Details

    Description

      Note: There are 3 types of failures in this report, all happen on similar test cases. Please fix the ASAN failure, which is reliably reproducible, and then I'll re-check the rest. Other failures are quoted there for the reference.

      CREATE TABLE t1 (k INT);
      		 
       
      		 
      CREATE PROCEDURE pr() ALTER TABLE t1 ADD CONSTRAINT CHECK (k != 5);
      		 
      CALL pr;
      		 
      CALL pr;
      		 
       
      		 
      # Cleanup
      		 
      DROP PROCEDURE pr;
      		 
      DROP TABLE t1;

      This failure is reliably reproducible on ASAN builds of 10.2 and 10.3:

      10.2 9827c5e10 ASAN

      		 
      ==13396==ERROR: AddressSanitizer: heap-use-after-free on address 0x6250000dcba0 at pc 0x5627f434d21f bp 0x7f4f3376eda0 sp 0x7f4f3376ed98
      		 
      READ of size 1 at 0x6250000dcba0 thread T6
      		 
          #0 0x5627f434d21e in my_strcasecmp_utf8 /data/src/10.2/strings/ctype-utf8.c:5302
      		 
          #1 0x5627f2e5707e in handle_if_exists_options /data/src/10.2/sql/sql_table.cc:6211
      		 
          #2 0x5627f2e690d2 in mysql_alter_table(THD*, char*, char*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.2/sql/sql_table.cc:8978
      		 
          #3 0x5627f2f94bb5 in Sql_cmd_alter_table::execute(THD*) /data/src/10.2/sql/sql_alter.cc:324
      		 
          #4 0x5627f2c62326 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:6222
      		 
          #5 0x5627f35e3701 in sp_instr_stmt::exec_core(THD*, unsigned int*) /data/src/10.2/sql/sp_head.cc:3246
      		 
          #6 0x5627f35e234d in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) /data/src/10.2/sql/sp_head.cc:3009
      		 
          #7 0x5627f35e2fcb in sp_instr_stmt::execute(THD*, unsigned int*) /data/src/10.2/sql/sp_head.cc:3162
      		 
          #8 0x5627f35d88cc in sp_head::execute(THD*, bool) /data/src/10.2/sql/sp_head.cc:1327
      		 
          #9 0x5627f35dc6b9 in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.2/sql/sp_head.cc:2116
      		 
          #10 0x5627f2c4d4d4 in do_execute_sp /data/src/10.2/sql/sql_parse.cc:2909
      		 
          #11 0x5627f2c5f7d0 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:5822
      		 
          #12 0x5627f2c6cd0a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7995
      		 
          #13 0x5627f2c47996 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1821
      		 
          #14 0x5627f2c44a3a in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1375
      		 
          #15 0x5627f2f86851 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
      		 
          #16 0x5627f2f86266 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
      		 
          #17 0x5627f39960bf in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
      		 
          #18 0x7f4f3ff48493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
      		 
          #19 0x7f4f3e32e93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
      		 
       
      		 
      0x6250000dcba0 is located 2720 bytes inside of 8268-byte region [0x6250000dc100,0x6250000de14c)
      		 
      freed by thread T6 here:
      		 
          #0 0x7f4f401b2527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
      		 
          #1 0x5627f42b7b5b in free_memory /data/src/10.2/mysys/safemalloc.c:279
      		 
          #2 0x5627f42b7161 in sf_free /data/src/10.2/mysys/safemalloc.c:197
      		 
          #3 0x5627f4286402 in my_free /data/src/10.2/mysys/my_malloc.c:217
      		 
          #4 0x5627f4267a78 in free_root /data/src/10.2/mysys/my_alloc.c:398
      		 
          #5 0x5627f35d8a6a in sp_head::execute(THD*, bool) /data/src/10.2/sql/sp_head.cc:1346
      		 
          #6 0x5627f35dc6b9 in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.2/sql/sp_head.cc:2116
      		 
          #7 0x5627f2c4d4d4 in do_execute_sp /data/src/10.2/sql/sql_parse.cc:2909
      		 
          #8 0x5627f2c5f7d0 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:5822
      		 
          #9 0x5627f2c6cd0a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7995
      		 
          #10 0x5627f2c47996 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1821
      		 
          #11 0x5627f2c44a3a in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1375
      		 
          #12 0x5627f2f86851 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
      		 
          #13 0x5627f2f86266 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
      		 
          #14 0x5627f39960bf in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
      		 
          #15 0x7f4f3ff48493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
      		 
       
      		 
      previously allocated by thread T6 here:
      		 
          #0 0x7f4f401b273f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
      		 
          #1 0x5627f42b68d1 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
      		 
          #2 0x5627f4285b3a in my_malloc /data/src/10.2/mysys/my_malloc.c:101
      		 
          #3 0x5627f42669dd in alloc_root /data/src/10.2/mysys/my_alloc.c:241
      		 
          #4 0x5627f2c7c213 in Query_arena::memdup_w_gap(void const*, unsigned long, unsigned int) /data/src/10.2/sql/sql_class.h:986
      		 
          #5 0x5627f2c4be5c in alloc_query(THD*, char const*, unsigned int) /data/src/10.2/sql/sql_parse.cc:2644
      		 
          #6 0x5627f35e2eb7 in sp_instr_stmt::execute(THD*, unsigned int*) /data/src/10.2/sql/sp_head.cc:3150
      		 
          #7 0x5627f35d88cc in sp_head::execute(THD*, bool) /data/src/10.2/sql/sp_head.cc:1327
      		 
          #8 0x5627f35dc6b9 in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.2/sql/sp_head.cc:2116
      		 
          #9 0x5627f2c4d4d4 in do_execute_sp /data/src/10.2/sql/sql_parse.cc:2909
      		 
          #10 0x5627f2c5f7d0 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:5822
      		 
          #11 0x5627f2c6cd0a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7995
      		 
          #12 0x5627f2c47996 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1821
      		 
          #13 0x5627f2c44a3a in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1375
      		 
          #14 0x5627f2f86851 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
      		 
          #15 0x5627f2f86266 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
      		 
          #16 0x5627f39960bf in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
      		 
          #17 0x7f4f3ff48493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
      		 
       
      		 
      Thread T6 created by T0 here:
      		 
          #0 0x7f4f40181bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
      		 
          #1 0x5627f3996687 in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1912
      		 
          #2 0x5627f2a41c6e in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1239
      		 
          #3 0x5627f2a56b59 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6451
      		 
          #4 0x5627f2a5725e in create_new_thread /data/src/10.2/sql/mysqld.cc:6521
      		 
          #5 0x5627f2a5826f in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6796
      		 
          #6 0x5627f2a560ae in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6070
      		 
          #7 0x5627f2a4000f in main /data/src/10.2/sql/main.cc:25
      		 
          #8 0x7f4f3e2662b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
      		 
       
      		 
      SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.2/strings/ctype-utf8.c:5302 my_strcasecmp_utf8
      		 
      Shadow bytes around the buggy address:
      		 
        0x0c4a80013920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x0c4a80013930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x0c4a80013940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x0c4a80013950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x0c4a80013960: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      		 
      =>0x0c4a80013970: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x0c4a80013980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x0c4a80013990: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x0c4a800139a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x0c4a800139b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x0c4a800139c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      		 
      Shadow byte legend (one shadow byte represents 8 application bytes):
      		 
        Addressable:           00
      		 
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
      		 
        Heap right redzone:      fb
      		 
        Freed heap region:       fd
      		 
        Stack left redzone:      f1
      		 
        Stack mid redzone:       f2
      		 
        Stack right redzone:     f3
      		 
        Stack partial redzone:   f4
      		 
        Stack after return:      f5
      		 
        Stack use after scope:   f8
      		 
        Global redzone:          f9
      		 
        Global init order:       f6
      		 
        Poisoned by user:        f7
      		 
        Contiguous container OOB:fc
      		 
        ASan internal:           fe
      		 
      ==13396==ABORTING

      This failure is very sporadically reproducible with similar test cases (but dirtier ones) on 10.3 debug non-ASAN builds, once in dozens attempts. Couldn't make it happen on 10.2:

      10.3 141a5b24843

      		 
      mysqld: /data/src/10.3/sql/sql_string.h:589: void String::q_append(const LEX_CSTRING*): Assertion `ls->length < 0xFFFFFFFFL && ((ls->length == 0 && !ls->str) || ls->length == strlen(ls->str))' failed.
      		 
      180720 15:07:07 [ERROR] mysqld got signal 6 ;
      		 
       
      		 
      #7  0x00007ff4ea8adee2 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
      		 
      #8  0x00005601ae4219f9 in String::q_append (this=0x7ff4e4a4da50, ls=0x7ff4d40de128) at /data/src/10.3/sql/sql_string.h:587
      		 
      #9  0x00005601ae41fb9a in pack_expression (buf=0x7ff4e4a4da50, vcol=0x7ff4d40de110, field_nr=4294967295, type=VCOL_CHECK_TABLE) at /data/src/10.3/sql/unireg.cc:637
      		 
      #10 0x00005601ae41fdb4 in pack_vcols (buf=0x7ff4e4a4da50, create_fields=..., check_constraint_list=0x7ff4e4a50d30) at /data/src/10.3/sql/unireg.cc:676
      		 
      #11 0x00005601ae41e020 in build_frm_image (thd=0x7ff4d4000b00, table=0x7ff4e4a501c0, create_info=0x7ff4e4a50d90, create_fields=..., keys=0, key_info=0x7ff4d40bb188, db_file=0x7ff4d40baa90) at /data/src/10.3/sql/unireg.cc:194
      		 
      #12 0x00005601ae3c164b in mysql_create_frm_image (thd=0x7ff4d4000b00, db=0x7ff4e4a501b0, table_name=0x7ff4e4a501c0, create_info=0x7ff4e4a50d90, alter_info=0x7ff4e4a50cd0, create_table_mode=-2, key_info=0x7ff4e4a4f498, key_count=0x7ff4e4a4f46c, frm=0x7ff4e4a4f500) at /data/src/10.3/sql/sql_table.cc:4724
      		 
      #13 0x00005601ae3c2029 in create_table_impl (thd=0x7ff4d4000b00, orig_db=0x7ff4e4a501b0, orig_table_name=0x7ff4e4a501c0, db=0x7ff4e4a501e0, table_name=0x7ff4e4a50210, path=0x7ff4e4a50a0d "./test/#sql-5a25_58", options=..., create_info=0x7ff4e4a50d90, alter_info=0x7ff4e4a50cd0, create_table_mode=-2, is_trans=0x0, key_info=0x7ff4e4a4f498, key_count=0x7ff4e4a4f46c, frm=0x7ff4e4a4f500) at /data/src/10.3/sql/sql_table.cc:4963
      		 
      #14 0x00005601ae3ce93e in mysql_alter_table (thd=0x7ff4d4000b00, new_db=0x7ff4d405f5d8, new_name=0x7ff4d405f990, create_info=0x7ff4e4a50d90, table_list=0x7ff4d40dd7a8, alter_info=0x7ff4e4a50cd0, order_num=0, order=0x0, ignore=false) at /data/src/10.3/sql/sql_table.cc:9595
      		 
      #15 0x00005601ae455dc5 in Sql_cmd_alter_table::execute (this=0x7ff4d40de150, thd=0x7ff4d4000b00) at /data/src/10.3/sql/sql_alter.cc:495
      		 
      #16 0x00005601ae2f92f1 in mysql_execute_command (thd=0x7ff4d4000b00) at /data/src/10.3/sql/sql_parse.cc:6280
      		 
      #17 0x00005601ae21cf2a in sp_instr_stmt::exec_core (this=0x7ff4d40de158, thd=0x7ff4d4000b00, nextp=0x7ff4e4a52754) at /data/src/10.3/sql/sp_head.cc:3594
      		 
      #18 0x00005601ae21c387 in sp_lex_keeper::reset_lex_and_exec_core (this=0x7ff4d40de1a0, thd=0x7ff4d4000b00, nextp=0x7ff4e4a52754, open_tables=false, instr=0x7ff4d40de158) at /data/src/10.3/sql/sp_head.cc:3322
      		 
      #19 0x00005601ae21cb0c in sp_instr_stmt::execute (this=0x7ff4d40de158, thd=0x7ff4d4000b00, nextp=0x7ff4e4a52754) at /data/src/10.3/sql/sp_head.cc:3500
      		 
      #20 0x00005601ae216887 in sp_head::execute (this=0x7ff4d40dc858, thd=0x7ff4d4000b00, merge_da_on_success=true) at /data/src/10.3/sql/sp_head.cc:1354
      		 
      #21 0x00005601ae21924e in sp_head::execute_procedure (this=0x7ff4d40dc858, thd=0x7ff4d4000b00, args=0x7ff4d4005740) at /data/src/10.3/sql/sp_head.cc:2294
      		 
      #22 0x00005601ae2ee560 in do_execute_sp (thd=0x7ff4d4000b00, sp=0x7ff4d40dc858) at /data/src/10.3/sql/sql_parse.cc:2945
      		 
      #23 0x00005601ae2ef0de in Sql_cmd_call::execute (this=0x7ff4d4014df0, thd=0x7ff4d4000b00) at /data/src/10.3/sql/sql_parse.cc:3187
      		 
      #24 0x00005601ae2f92f1 in mysql_execute_command (thd=0x7ff4d4000b00) at /data/src/10.3/sql/sql_parse.cc:6280
      		 
      #25 0x00005601ae2fe2eb in mysql_parse (thd=0x7ff4d4000b00, rawbuf=0x7ff4d4014d08 "CALL stored_proc_6469", length=21, parser_state=0x7ff4e4a545f0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:8073
      		 
      #26 0x00005601ae2eb64a in dispatch_command (command=COM_QUERY, thd=0x7ff4d4000b00, packet=0x7ff4d400b211 "CALL stored_proc_6469", packet_length=21, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1847
      		 
      #27 0x00005601ae2ea06e in do_command (thd=0x7ff4d4000b00) at /data/src/10.3/sql/sql_parse.cc:1392
      		 
      #28 0x00005601ae4503a5 in do_handle_one_connection (connect=0x5601b0bcfc10) at /data/src/10.3/sql/sql_connect.cc:1402
      		 
      #29 0x00005601ae450129 in handle_one_connection (arg=0x5601b0bcfc10) at /data/src/10.3/sql/sql_connect.cc:1308
      		 
      #30 0x00005601ae8e1b27 in pfs_spawn_thread (arg=0x5601b0be34b0) at /data/src/10.3/storage/perfschema/pfs.cc:1862
      		 
      #31 0x00007ff4ec584494 in start_thread (arg=0x7ff4e4a55700) at pthread_create.c:333
      		 
      #32 0x00007ff4ea96a93f in clone () from /lib/x86_64-linux-gnu/libc.so.6

      Finally, this failure is also very sporadically reproducible on non-debug 10.3 builds:

      mysqltest: At line 14: query 'CALL pkg_6469.stored_proc_6469 /* TRANSFORM_OUTCOME_UNORDERED_MATCH */ /* QNO 5905 CON_ID 17 */' failed: 1059: Identifier name 'H?' is too long

      This happens on even dirtier test cases and with the stored routine within a package, so it can't be checked on 10.2.

      Attachments

        Issue Links

          duplicates

          Bug - A problem which impairs or prevents the functions of the product. MDEV-16933 ASAN heap-use-after-free in my_charlen_utf8 / handle_if_exists_options on 2nd execution of SP with ALTER adding CHECK constraint

          • Major - Major loss of function.
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-16932 ASAN heap-use-after-free in my_charlen_utf8 / my_well_formed_char_length_utf8 on 2nd execution of SP with ALTER trying to add bad CHECK

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-18285 [Draft] Assertion `! is_set()' failed in Diagnostics_area::disable_status upon DROP COLUMN

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-21848 Server crashes in handle_if_exists_options upon adding check constraint to temporary table

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-24524 Assertion `ls->length < 0xFFFFFFFFL && ((ls->length == 0 && !ls->str) || ls->length == strlen(ls->str))' failed in String::append on SELECT from I_S

          • Major - Major loss of function.
          • Closed

          Activity

            People

              serg Sergei Golubchik
              elenst Elena Stepanova
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.