Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-16788

2nd execution of SP: ASAN heap-use-after-free in my_strcasecmp_utf8 or Assertion `ls->length < 0xFFFFFFFFL && ((ls->length == 0 && !ls->str) || ls->length == strlen(ls->str))' or unexpected ER_TOO_LONG_IDENT

    XMLWordPrintable

    Details

      Description

      Note: There are 3 types of failures in this report, all happen on similar test cases. Please fix the ASAN failure, which is reliably reproducible, and then I'll re-check the rest. Other failures are quoted there for the reference.

      CREATE TABLE t1 (k INT);
       
      CREATE PROCEDURE pr() ALTER TABLE t1 ADD CONSTRAINT CHECK (k != 5);
      CALL pr;
      CALL pr;
       
      # Cleanup
      DROP PROCEDURE pr;
      DROP TABLE t1;
      

      This failure is reliably reproducible on ASAN builds of 10.2 and 10.3:

      10.2 9827c5e10 ASAN

      ==13396==ERROR: AddressSanitizer: heap-use-after-free on address 0x6250000dcba0 at pc 0x5627f434d21f bp 0x7f4f3376eda0 sp 0x7f4f3376ed98
      READ of size 1 at 0x6250000dcba0 thread T6
          #0 0x5627f434d21e in my_strcasecmp_utf8 /data/src/10.2/strings/ctype-utf8.c:5302
          #1 0x5627f2e5707e in handle_if_exists_options /data/src/10.2/sql/sql_table.cc:6211
          #2 0x5627f2e690d2 in mysql_alter_table(THD*, char*, char*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.2/sql/sql_table.cc:8978
          #3 0x5627f2f94bb5 in Sql_cmd_alter_table::execute(THD*) /data/src/10.2/sql/sql_alter.cc:324
          #4 0x5627f2c62326 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:6222
          #5 0x5627f35e3701 in sp_instr_stmt::exec_core(THD*, unsigned int*) /data/src/10.2/sql/sp_head.cc:3246
          #6 0x5627f35e234d in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) /data/src/10.2/sql/sp_head.cc:3009
          #7 0x5627f35e2fcb in sp_instr_stmt::execute(THD*, unsigned int*) /data/src/10.2/sql/sp_head.cc:3162
          #8 0x5627f35d88cc in sp_head::execute(THD*, bool) /data/src/10.2/sql/sp_head.cc:1327
          #9 0x5627f35dc6b9 in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.2/sql/sp_head.cc:2116
          #10 0x5627f2c4d4d4 in do_execute_sp /data/src/10.2/sql/sql_parse.cc:2909
          #11 0x5627f2c5f7d0 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:5822
          #12 0x5627f2c6cd0a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7995
          #13 0x5627f2c47996 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1821
          #14 0x5627f2c44a3a in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1375
          #15 0x5627f2f86851 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
          #16 0x5627f2f86266 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
          #17 0x5627f39960bf in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
          #18 0x7f4f3ff48493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
          #19 0x7f4f3e32e93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
       
      0x6250000dcba0 is located 2720 bytes inside of 8268-byte region [0x6250000dc100,0x6250000de14c)
      freed by thread T6 here:
          #0 0x7f4f401b2527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
          #1 0x5627f42b7b5b in free_memory /data/src/10.2/mysys/safemalloc.c:279
          #2 0x5627f42b7161 in sf_free /data/src/10.2/mysys/safemalloc.c:197
          #3 0x5627f4286402 in my_free /data/src/10.2/mysys/my_malloc.c:217
          #4 0x5627f4267a78 in free_root /data/src/10.2/mysys/my_alloc.c:398
          #5 0x5627f35d8a6a in sp_head::execute(THD*, bool) /data/src/10.2/sql/sp_head.cc:1346
          #6 0x5627f35dc6b9 in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.2/sql/sp_head.cc:2116
          #7 0x5627f2c4d4d4 in do_execute_sp /data/src/10.2/sql/sql_parse.cc:2909
          #8 0x5627f2c5f7d0 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:5822
          #9 0x5627f2c6cd0a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7995
          #10 0x5627f2c47996 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1821
          #11 0x5627f2c44a3a in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1375
          #12 0x5627f2f86851 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
          #13 0x5627f2f86266 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
          #14 0x5627f39960bf in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
          #15 0x7f4f3ff48493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
       
      previously allocated by thread T6 here:
          #0 0x7f4f401b273f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
          #1 0x5627f42b68d1 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
          #2 0x5627f4285b3a in my_malloc /data/src/10.2/mysys/my_malloc.c:101
          #3 0x5627f42669dd in alloc_root /data/src/10.2/mysys/my_alloc.c:241
          #4 0x5627f2c7c213 in Query_arena::memdup_w_gap(void const*, unsigned long, unsigned int) /data/src/10.2/sql/sql_class.h:986
          #5 0x5627f2c4be5c in alloc_query(THD*, char const*, unsigned int) /data/src/10.2/sql/sql_parse.cc:2644
          #6 0x5627f35e2eb7 in sp_instr_stmt::execute(THD*, unsigned int*) /data/src/10.2/sql/sp_head.cc:3150
          #7 0x5627f35d88cc in sp_head::execute(THD*, bool) /data/src/10.2/sql/sp_head.cc:1327
          #8 0x5627f35dc6b9 in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.2/sql/sp_head.cc:2116
          #9 0x5627f2c4d4d4 in do_execute_sp /data/src/10.2/sql/sql_parse.cc:2909
          #10 0x5627f2c5f7d0 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:5822
          #11 0x5627f2c6cd0a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7995
          #12 0x5627f2c47996 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1821
          #13 0x5627f2c44a3a in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1375
          #14 0x5627f2f86851 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
          #15 0x5627f2f86266 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
          #16 0x5627f39960bf in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
          #17 0x7f4f3ff48493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
       
      Thread T6 created by T0 here:
          #0 0x7f4f40181bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x5627f3996687 in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1912
          #2 0x5627f2a41c6e in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1239
          #3 0x5627f2a56b59 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6451
          #4 0x5627f2a5725e in create_new_thread /data/src/10.2/sql/mysqld.cc:6521
          #5 0x5627f2a5826f in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6796
          #6 0x5627f2a560ae in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6070
          #7 0x5627f2a4000f in main /data/src/10.2/sql/main.cc:25
          #8 0x7f4f3e2662b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
       
      SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.2/strings/ctype-utf8.c:5302 my_strcasecmp_utf8
      Shadow bytes around the buggy address:
        0x0c4a80013920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c4a80013930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c4a80013940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c4a80013950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c4a80013960: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      =>0x0c4a80013970: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
        0x0c4a80013980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c4a80013990: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c4a800139a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c4a800139b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c4a800139c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Contiguous container OOB:fc
        ASan internal:           fe
      ==13396==ABORTING
      

      This failure is very sporadically reproducible with similar test cases (but dirtier ones) on 10.3 debug non-ASAN builds, once in dozens attempts. Couldn't make it happen on 10.2:

      10.3 141a5b24843

      mysqld: /data/src/10.3/sql/sql_string.h:589: void String::q_append(const LEX_CSTRING*): Assertion `ls->length < 0xFFFFFFFFL && ((ls->length == 0 && !ls->str) || ls->length == strlen(ls->str))' failed.
      180720 15:07:07 [ERROR] mysqld got signal 6 ;
       
      #7  0x00007ff4ea8adee2 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
      #8  0x00005601ae4219f9 in String::q_append (this=0x7ff4e4a4da50, ls=0x7ff4d40de128) at /data/src/10.3/sql/sql_string.h:587
      #9  0x00005601ae41fb9a in pack_expression (buf=0x7ff4e4a4da50, vcol=0x7ff4d40de110, field_nr=4294967295, type=VCOL_CHECK_TABLE) at /data/src/10.3/sql/unireg.cc:637
      #10 0x00005601ae41fdb4 in pack_vcols (buf=0x7ff4e4a4da50, create_fields=..., check_constraint_list=0x7ff4e4a50d30) at /data/src/10.3/sql/unireg.cc:676
      #11 0x00005601ae41e020 in build_frm_image (thd=0x7ff4d4000b00, table=0x7ff4e4a501c0, create_info=0x7ff4e4a50d90, create_fields=..., keys=0, key_info=0x7ff4d40bb188, db_file=0x7ff4d40baa90) at /data/src/10.3/sql/unireg.cc:194
      #12 0x00005601ae3c164b in mysql_create_frm_image (thd=0x7ff4d4000b00, db=0x7ff4e4a501b0, table_name=0x7ff4e4a501c0, create_info=0x7ff4e4a50d90, alter_info=0x7ff4e4a50cd0, create_table_mode=-2, key_info=0x7ff4e4a4f498, key_count=0x7ff4e4a4f46c, frm=0x7ff4e4a4f500) at /data/src/10.3/sql/sql_table.cc:4724
      #13 0x00005601ae3c2029 in create_table_impl (thd=0x7ff4d4000b00, orig_db=0x7ff4e4a501b0, orig_table_name=0x7ff4e4a501c0, db=0x7ff4e4a501e0, table_name=0x7ff4e4a50210, path=0x7ff4e4a50a0d "./test/#sql-5a25_58", options=..., create_info=0x7ff4e4a50d90, alter_info=0x7ff4e4a50cd0, create_table_mode=-2, is_trans=0x0, key_info=0x7ff4e4a4f498, key_count=0x7ff4e4a4f46c, frm=0x7ff4e4a4f500) at /data/src/10.3/sql/sql_table.cc:4963
      #14 0x00005601ae3ce93e in mysql_alter_table (thd=0x7ff4d4000b00, new_db=0x7ff4d405f5d8, new_name=0x7ff4d405f990, create_info=0x7ff4e4a50d90, table_list=0x7ff4d40dd7a8, alter_info=0x7ff4e4a50cd0, order_num=0, order=0x0, ignore=false) at /data/src/10.3/sql/sql_table.cc:9595
      #15 0x00005601ae455dc5 in Sql_cmd_alter_table::execute (this=0x7ff4d40de150, thd=0x7ff4d4000b00) at /data/src/10.3/sql/sql_alter.cc:495
      #16 0x00005601ae2f92f1 in mysql_execute_command (thd=0x7ff4d4000b00) at /data/src/10.3/sql/sql_parse.cc:6280
      #17 0x00005601ae21cf2a in sp_instr_stmt::exec_core (this=0x7ff4d40de158, thd=0x7ff4d4000b00, nextp=0x7ff4e4a52754) at /data/src/10.3/sql/sp_head.cc:3594
      #18 0x00005601ae21c387 in sp_lex_keeper::reset_lex_and_exec_core (this=0x7ff4d40de1a0, thd=0x7ff4d4000b00, nextp=0x7ff4e4a52754, open_tables=false, instr=0x7ff4d40de158) at /data/src/10.3/sql/sp_head.cc:3322
      #19 0x00005601ae21cb0c in sp_instr_stmt::execute (this=0x7ff4d40de158, thd=0x7ff4d4000b00, nextp=0x7ff4e4a52754) at /data/src/10.3/sql/sp_head.cc:3500
      #20 0x00005601ae216887 in sp_head::execute (this=0x7ff4d40dc858, thd=0x7ff4d4000b00, merge_da_on_success=true) at /data/src/10.3/sql/sp_head.cc:1354
      #21 0x00005601ae21924e in sp_head::execute_procedure (this=0x7ff4d40dc858, thd=0x7ff4d4000b00, args=0x7ff4d4005740) at /data/src/10.3/sql/sp_head.cc:2294
      #22 0x00005601ae2ee560 in do_execute_sp (thd=0x7ff4d4000b00, sp=0x7ff4d40dc858) at /data/src/10.3/sql/sql_parse.cc:2945
      #23 0x00005601ae2ef0de in Sql_cmd_call::execute (this=0x7ff4d4014df0, thd=0x7ff4d4000b00) at /data/src/10.3/sql/sql_parse.cc:3187
      #24 0x00005601ae2f92f1 in mysql_execute_command (thd=0x7ff4d4000b00) at /data/src/10.3/sql/sql_parse.cc:6280
      #25 0x00005601ae2fe2eb in mysql_parse (thd=0x7ff4d4000b00, rawbuf=0x7ff4d4014d08 "CALL stored_proc_6469", length=21, parser_state=0x7ff4e4a545f0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:8073
      #26 0x00005601ae2eb64a in dispatch_command (command=COM_QUERY, thd=0x7ff4d4000b00, packet=0x7ff4d400b211 "CALL stored_proc_6469", packet_length=21, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1847
      #27 0x00005601ae2ea06e in do_command (thd=0x7ff4d4000b00) at /data/src/10.3/sql/sql_parse.cc:1392
      #28 0x00005601ae4503a5 in do_handle_one_connection (connect=0x5601b0bcfc10) at /data/src/10.3/sql/sql_connect.cc:1402
      #29 0x00005601ae450129 in handle_one_connection (arg=0x5601b0bcfc10) at /data/src/10.3/sql/sql_connect.cc:1308
      #30 0x00005601ae8e1b27 in pfs_spawn_thread (arg=0x5601b0be34b0) at /data/src/10.3/storage/perfschema/pfs.cc:1862
      #31 0x00007ff4ec584494 in start_thread (arg=0x7ff4e4a55700) at pthread_create.c:333
      #32 0x00007ff4ea96a93f in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

      Finally, this failure is also very sporadically reproducible on non-debug 10.3 builds:

      mysqltest: At line 14: query 'CALL pkg_6469.stored_proc_6469 /* TRANSFORM_OUTCOME_UNORDERED_MATCH */ /* QNO 5905 CON_ID 17 */' failed: 1059: Identifier name 'H?' is too long
      

      This happens on even dirtier test cases and with the stored routine within a package, so it can't be checked on 10.2.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              serg Sergei Golubchik
              Reporter:
              elenst Elena Stepanova
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: