MariaDB Server: MDEV-17071

Server crashes in TABLE_LIST::get_tablenr or ASAN use-after-poison in write_record upon INSERT into view


Details

    Description

      CREATE TABLE t1 (a INT, b INT NOT NULL, UNIQUE(b));
      INSERT INTO t1 VALUES (10, 0);
      CREATE TABLE t2 (c INT);
      CREATE ALGORITHM=MERGE VIEW v AS SELECT * FROM t1 JOIN t2;
      ALTER TABLE t1 ADD d VARCHAR(16);
      INSERT INTO v (b) VALUES (0) ON DUPLICATE KEY UPDATE a = NULL;

      # Cleanup
      DROP VIEW v;
      DROP TABLE t1, t2;

      10.4 631c5ab4

      #3  <signal handler called>
      #4  0x00005598efe91c86 in TABLE_LIST::get_tablenr (this=0xffffffffffffffff) at /data/src/10.4/sql/table.h:2178
      #5  0x00005598efe7e259 in st_select_lex::save_leaf_tables (this=0x7facd4013a30, thd=0x7facd4000b00) at /data/src/10.4/sql/sql_lex.cc:4914
      #6  0x00005598efe63953 in mysql_insert (thd=0x7facd4000b00, table_list=0x7facd4013250, fields=..., values_list=..., update_fields=..., update_values=..., duplic=DUP_UPDATE, ignore=false) at /data/src/10.4/sql/sql_insert.cc:1264
      #7  0x00005598efeb1a13 in mysql_execute_command (thd=0x7facd4000b00) at /data/src/10.4/sql/sql_parse.cc:4524
      #8  0x00005598efebe331 in mysql_parse (thd=0x7facd4000b00, rawbuf=0x7facd4013128 "INSERT INTO v (b) VALUES (0) ON DUPLICATE KEY UPDATE a = NULL", length=61, parser_state=0x7face5d77170, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:7912
      #9  0x00005598efea9284 in dispatch_command (command=COM_QUERY, thd=0x7facd4000b00, packet=0x7facd4008331 "INSERT INTO v (b) VALUES (0) ON DUPLICATE KEY UPDATE a = NULL", packet_length=61, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1841
      #10 0x00005598efea78e8 in do_command (thd=0x7facd4000b00) at /data/src/10.4/sql/sql_parse.cc:1359
      #11 0x00005598f00318b9 in do_handle_one_connection (connect=0x5598f402b060) at /data/src/10.4/sql/sql_connect.cc:1412
      #12 0x00005598f0031608 in handle_one_connection (arg=0x5598f402b060) at /data/src/10.4/sql/sql_connect.cc:1316
      #13 0x00005598f0a6935f in pfs_spawn_thread (arg=0x5598f4060450) at /data/src/10.4/storage/perfschema/pfs.cc:1862
      #14 0x00007faced71a4a4 in start_thread (arg=0x7face5d78700) at pthread_create.c:456
      #15 0x00007facebc62d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
      

      Reproducible on all 10.x, with at least MyISAM, InnoDB, Aria.

      10.4 ASAN 631c5ab4

      ==16627==ERROR: AddressSanitizer: use-after-poison on address 0x62b000068280 at pc 0x7f7069e16d7b bp 0x7f705f396690 sp 0x7f705f395e40
      WRITE of size 26 at 0x62b000068280 thread T5
          #0 0x7f7069e16d7a  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cd7a)
          #1 0x55e2a87b1fee in write_record(THD*, TABLE*, st_copy_info*) /data/src/10.4/sql/sql_insert.cc:1814
          #2 0x55e2a87acc9f in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.4/sql/sql_insert.cc:1076
          #3 0x55e2a885e76a in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4524
          #4 0x55e2a887669a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7912
          #5 0x55e2a884ddf1 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1841
          #6 0x55e2a884ab40 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1359
          #7 0x55e2a8be6745 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412
          #8 0x55e2a8be60f9 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
          #9 0x55e2aa1cd4db in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
          #10 0x7f7069ba44a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
          #11 0x7f70680ecd0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
       
      0x62b00006828c is located 0 bytes to the right of 24716-byte region [0x62b000062200,0x62b00006828c)
      allocated by thread T5 here:
          #0 0x7f7069e7bd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
          #1 0x55e2aa30f68c in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
          #2 0x55e2aa2e0330 in my_malloc /data/src/10.4/mysys/my_malloc.c:101
          #3 0x55e2aa2beae9 in reset_root_defaults /data/src/10.4/mysys/my_alloc.c:151
          #4 0x55e2a874578b in THD::init_for_queries() /data/src/10.4/sql/sql_class.cc:1387
          #5 0x55e2a8be5ab6 in prepare_new_connection_state(THD*) /data/src/10.4/sql/sql_connect.cc:1247
          #6 0x55e2a8be613f in thd_prepare_connection(THD*) /data/src/10.4/sql/sql_connect.cc:1331
          #7 0x55e2a8be66fb in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1402
          #8 0x55e2a8be60f9 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
          #9 0x55e2aa1cd4db in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
          #10 0x7f7069ba44a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
       
      Thread T5 created by T0 here:
          #0 0x7f7069deaf59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
          #1 0x55e2aa1cd8c8 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
          #2 0x55e2a858da38 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
          #3 0x55e2a85a289f in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6240
          #4 0x55e2a85a2f82 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6310
          #5 0x55e2a85a330d in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6408
          #6 0x55e2a85a3f5f in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6566
          #7 0x55e2a85a2120 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5898
          #8 0x55e2a858b91f in main /data/src/10.4/sql/main.cc:25
          #9 0x7f70680242e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
       
      SUMMARY: AddressSanitizer: use-after-poison (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cd7a) 
      Shadow bytes around the buggy address:
        0x0c5680005000: 00 00 00 00 00 00 00 00 00 00 f7 00 00 f7 00 00
        0x0c5680005010: 00 00 00 00 00 00 00 00 f7 00 00 00 f7 00 00 00
        0x0c5680005020: 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 00 00
        0x0c5680005030: 00 00 00 00 f7 02 f7 02 f7 02 f7 00 00 f7 00 00
        0x0c5680005040: f7 00 00 f7 00 00 f7 00 00 f7 00 00 f7 00 00 00
      =>0x0c5680005050:[f7]04 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c5680005060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c5680005070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c5680005080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c5680005090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c56800050a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==16627==ABORTING
      

      ASAN variation is reproducible on 10.x and 5.5.
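Triage helper for the ASAN report above. This is an added example, not part of the ticket and not MariaDB code. It embeds an excerpt of the report (the frames the parser needs) so it runs offline, and derives what the report states only indirectly: the write starts 12 bytes before the end of the 24716-byte MEM_ROOT block allocated via reset_root_defaults and runs 14 bytes past it, and the first source-level frames of the access and allocation stacks are write_record (sql_insert.cc:1814) and sf_malloc (safemalloc.c:118). One caveat for reading the numbers: the error kind is use-after-poison, which means the shadow bytes were set by the application (the f7 "Poisoned by user" entry in the legend), so the malloc-region bounds are only a rough guide; the exact poisoned range the write hit is visible only in the shadow-byte dump ([f7]04), which this helper does not decode.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Excerpt of the ASAN report from this ticket (frames not needed for the
# triage are omitted), embedded here so the script runs offline.
SAMPLE_REPORT = """\
==16627==ERROR: AddressSanitizer: use-after-poison on address 0x62b000068280 at pc 0x7f7069e16d7b bp 0x7f705f396690 sp 0x7f705f395e40
WRITE of size 26 at 0x62b000068280 thread T5
    #0 0x7f7069e16d7a  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cd7a)
    #1 0x55e2a87b1fee in write_record(THD*, TABLE*, st_copy_info*) /data/src/10.4/sql/sql_insert.cc:1814
    #2 0x55e2a87acc9f in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.4/sql/sql_insert.cc:1076

0x62b00006828c is located 0 bytes to the right of 24716-byte region [0x62b000062200,0x62b00006828c)
allocated by thread T5 here:
    #0 0x7f7069e7bd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x55e2aa30f68c in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
    #2 0x55e2aa2e0330 in my_malloc /data/src/10.4/mysys/my_malloc.c:101
    #3 0x55e2aa2beae9 in reset_root_defaults /data/src/10.4/mysys/my_alloc.c:151

SUMMARY: AddressSanitizer: use-after-poison (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cd7a)
"""

# Line shapes of an ASAN report that matter for triage.
ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+) thread (?P<thread>T\d+)")
# Frame with a source location ("in func /path/file.cc:NNN"); func may contain spaces.
SRC_FRAME_RE = re.compile(r"^#(?P<n>\d+)\s+0x[0-9a-f]+\s+in\s+(?P<func>.+?)\s+(?P<loc>\S+:\d+)$")
# Frame resolved only to a module ("(libfoo.so+0xNNN)"), with or without a symbol.
LIB_FRAME_RE = re.compile(r"^#(?P<n>\d+)\s+0x[0-9a-f]+\s+(?:in\s+(?P<func>\S+)\s+)?\((?P<loc>\S+)\)$")
REGION_RE = re.compile(
    r"^(?P<bad>0x[0-9a-f]+) is located (?P<dist>\d+) bytes to the (?P<side>left|right) of "
    r"(?P<size>\d+)-byte region \[(?P<start>0x[0-9a-f]+),(?P<end>0x[0-9a-f]+)\)"
)


@dataclass
class Frame:
    n: int
    func: Optional[str]
    loc: str
    has_source: bool


@dataclass
class AsanTriage:
    kind: str = ""
    op: str = ""
    size: int = 0
    access_start: int = 0
    thread: str = ""
    region_start: int = 0
    region_end: int = 0
    region_size: int = 0
    access_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)

    @property
    def access_end(self) -> int:
        return self.access_start + self.size

    @property
    def bytes_in_bounds(self) -> int:
        # Part of the access that lies inside the reported malloc region.
        return max(0, min(self.access_end, self.region_end) - max(self.access_start, self.region_start))

    @property
    def bytes_past_end(self) -> int:
        # Part of the access that runs beyond the region end (the overrun length).
        return max(0, self.access_end - self.region_end)

    @property
    def region_consistent(self) -> bool:
        # Sanity check: the bracketed bounds must agree with the stated region size.
        return self.region_end - self.region_start == self.region_size

    @staticmethod
    def first_source_frame(stack: List[Frame]) -> Optional[Frame]:
        return next((f for f in stack if f.has_source), None)


def parse_asan_report(text: str) -> AsanTriage:
    """Extract error kind, access, region bounds and both stacks from one ASAN report."""
    t = AsanTriage()
    current: Optional[List[Frame]] = None  # stack the frames being read belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None
            continue
        if m := ERROR_RE.search(line):
            t.kind = m["kind"]
        elif m := ACCESS_RE.match(line):
            t.op, t.size, t.thread = m["op"], int(m["size"]), m["thread"]
            t.access_start = int(m["addr"], 16)
            current = t.access_stack
        elif m := REGION_RE.match(line):
            t.region_start, t.region_end = int(m["start"], 16), int(m["end"], 16)
            t.region_size = int(m["size"])
        elif line.startswith("allocated by"):
            current = t.alloc_stack
        elif current is not None:
            if m := SRC_FRAME_RE.match(line):
                current.append(Frame(int(m["n"]), m["func"], m["loc"], True))
            elif m := LIB_FRAME_RE.match(line):
                current.append(Frame(int(m["n"]), m["func"], m["loc"], False))
            else:
                current = None  # first non-frame line ends the stack
    return t


def triage_summary(t: AsanTriage) -> dict:
    fault = t.first_source_frame(t.access_stack)
    alloc = t.first_source_frame(t.alloc_stack)
    return {
        "kind": t.kind,
        "access": f"{t.op} {t.size}B by {t.thread}",
        "in_bounds_bytes": t.bytes_in_bounds,
        "overrun_bytes": t.bytes_past_end,
        "region_bounds_match_size": t.region_consistent,
        "faulting_frame": f"{fault.func} at {fault.loc}" if fault else None,
        "alloc_frame": f"{alloc.func} at {alloc.loc}" if alloc else None,
        "alloc_chain": [f.func for f in t.alloc_stack if f.has_source],
    }


if __name__ == "__main__":
    for key, value in triage_summary(parse_asan_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

The same parser runs unchanged over the full report text from the ticket; only the frame regexes need extending for ASAN builds that print frames in a different shape (for example with inlined-frame or column information).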

            People

              sanja Oleksandr Byelkin
              elenst Elena Stepanova