  1. MariaDB Server
  2. MDEV-17678

AddressSanitizer: heap-use-after-free in field_unpack upon modifying column type

Details

    Description

      -- Reproducer for the AddressSanitizer heap-use-after-free reported in field_unpack.
      -- Clear sql_mode for this session (presumably so that the type change below is not
      -- rejected by a strict mode; confirm against the server defaults in use).
      set sql_mode='';
      -- MyISAM table: auto-increment int primary key, plus a secondary key over c1, c2
      -- and the generated column vc2 (datetime(6) computed from c2).
      create table t2 ( pk int(11) not null auto_increment, c2 datetime(2) , c1 int, vc2 datetime(6) generated always as (c2), primary key (pk), key c1 (c1,c2,vc2)) engine=myisam;
      -- Populate the table; pk is left to auto_increment, c1 and c2 hold many repeated values and NULLs.
      insert into `t2` (c1,c2) values (0,'1900-01-01 '),(0,'1988-03-26'),(0,'2027-12-03'),(1,'1971-12-28 '),(0,'2027-12-03'),(0,null),(0,'2027-12-03'),(0,'2027-12-03'),(1,'2013-06-07 '),(null,'2027-12-03'),(1,'1900-01-01 '),(1,'2027-12-03'),(0,'1900-01-01 '),(0,'1900-01-01 '),(1,null),(null,'2027-12-03'),(null,'2027-12-03'),(1,'2027-12-03'),(1,'2027-12-03'),(0,'2027-12-03'),(0,'2027-12-03'),(1,'2027-12-03'),(1,'2027-12-03'),(1,'2027-12-03'),(0,'2027-12-03'),(null,'2027-12-03'),(0,'2027-12-03'),(0,null),(0,'1900-01-01 '),(1,'2027-12-03'),(1,'1998-02-01 '),(0,'2027-12-03'),(0,'1900-01-01 '),(1,'1982-06-01 '),(1,null),(null,'2027-12-03'),(0,'2027-12-03'),(1,null),(1,'2027-12-03'),(0,'1989-07-13 '),(1,'2024-02-01 '),(1,'2027-12-03'),(1,'2027-12-03'),(null,'2027-12-03'),(0,'2029-09-07 '),(0,null),(1,'2027-12-03'),(0,'2027-12-03'),(0,'2027-12-03'),(1,'2013-02-14 '),(1,'2014-03-27 '),(1,null),(0,'2027-12-03'),(0,'2027-12-03'),(0,'2032-06-26 '),(1,'1998-05-18 '),(1,'2027-12-03'),(1,'1900-01-01 '),(0,'1900-01-01 '),(1,'2027-12-03'),(0,'2027-12-03'),(1,'2027-12-03'),(1,null),(0,'1900-01-01 '),(1,'2027-12-03'),(0,'1900-01-01 '),(1,'2027-12-03'),(0,'1997-04-15 '),(0,null),(0,'2020-12-07 '),(1,null),(0,'2027-12-03'),(null,'2027-12-03'),(1,'2027-12-03'),(0,'2027-12-03'),(1,'2027-12-03'),(1,'2027-12-03'),(0,'1993-02-13 '),(1,'2027-12-03'),(1,'2027-12-03'),(0,null),(0,'2027-12-03'),(0,'2027-12-03'),(1,'2027-12-03'),(0,'2027-12-03'),(1,'2027-12-03'),(0,'1900-01-01 '),(null,null),(1,'2027-12-03'),(1,'2027-12-03'),(1,'2027-12-03 '),(0,null),(null,null),(null,null),(1,'2027-12-03'),(null,null),(null,null),(0,null),(null,null),(null,null);
       
      -- Rename pk to tscol3 and change its type from int to datetime; the column is still
      -- the primary key. Presumably the small integer values do not convert to distinct
      -- valid datetimes, so the rebuilt key sees duplicates (confirm). In the ASAN trace on
      -- this page the faulting read is reached from ha_myisam::repair via print_keydup_error,
      -- i.e. while the server formats the duplicate-key error during the table copy.
      alter table  t2  change column pk tscol3 datetime;
      

      10.2 f3e9d9a6e6b2614b

         #0 0x5655322a1f64 in mi_uint5korr /git/10.2/include/byte_order_generic_x86_64.h:91
          #1 0x5655322a372d in my_datetime_packed_from_binary(unsigned char const*, unsigned int) /git/10.2/sql/compat56.cc:308
          #2 0x5655322e835e in Field_datetimef::get_TIME(st_mysql_time*, unsigned char const*, unsigned long long) const /git/10.2/sql/field.cc:6880
          #3 0x56553231040e in Field_datetimef::get_date(st_mysql_time*, unsigned long long) /git/10.2/sql/field.h:3008
          #4 0x5655322e7846 in Field_datetime_with_dec::val_str(String*, String*) /git/10.2/sql/field.cc:6821
          #5 0x565531bb7f89 in Field::val_str(String*) /git/10.2/sql/field.h:866
          #6 0x5655325811b6 in field_unpack(String*, Field*, unsigned char const*, unsigned int, bool) /git/10.2/sql/key.cc:369
          #7 0x565532581bf6 in key_unpack(String*, TABLE*, st_key*) /git/10.2/sql/key.cc:442
          #8 0x565532344873 in print_keydup_error(TABLE*, st_key*, char const*, unsigned long) /git/10.2/sql/handler.cc:3339
          #9 0x565532344ab0 in print_keydup_error(TABLE*, st_key*, unsigned long) /git/10.2/sql/handler.cc:3361
          #10 0x5655329fdb6f in ha_myisam::repair(THD*, st_handler_check_param&, bool) /git/10.2/storage/myisam/ha_myisam.cc:1275
          #11 0x565532a003a0 in ha_myisam::enable_indexes(unsigned int) /git/10.2/storage/myisam/ha_myisam.cc:1606
          #12 0x565532a0121b in ha_myisam::end_bulk_insert() /git/10.2/storage/myisam/ha_myisam.cc:1756
          #13 0x565531d33446 in handler::ha_end_bulk_insert() /git/10.2/sql/handler.h:2912
          #14 0x565531f7ef3a in copy_data_between_tables /git/10.2/sql/sql_table.cc:10164
          #15 0x565531f7b286 in mysql_alter_table(THD*, char*, char*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /git/10.2/sql/sql_table.cc:9572
          #16 0x56553209aad0 in Sql_cmd_alter_table::execute(THD*) /git/10.2/sql/sql_alter.cc:329
          #17 0x565531d82e55 in mysql_execute_command(THD*) /git/10.2/sql/sql_parse.cc:6228
          #18 0x565531d8d694 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /git/10.2/sql/sql_parse.cc:8015
          #19 0x565531d68b80 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /git/10.2/sql/sql_parse.cc:1826
          #20 0x565531d65d25 in do_command(THD*) /git/10.2/sql/sql_parse.cc:1379
          #21 0x56553208cead in do_handle_one_connection(CONNECT*) /git/10.2/sql/sql_connect.cc:1335
          #22 0x56553208c8b5 in handle_one_connection /git/10.2/sql/sql_connect.cc:1241
          #23 0x56553323671d in pfs_spawn_thread /git/10.2/storage/perfschema/pfs.cc:1862
          #24 0x7fcd07b626b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
          #25 0x7fcd06ff741c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
      
      


          Activity

            alice Alice Sherepa added a comment -

            similar cases with different data types:

                #0 0x5627f7c2e211 in Field::is_null(long long) const /10.4/sql/field.h:1166
                #1 0x5627f8803cb5 in field_unpack(String*, Field*, unsigned char const*, unsigned int, bool) /10.4/sql/key.cc:363
                #2 0x5627f880484e in key_unpack(String*, TABLE*, st_key*) /10.4/sql/key.cc:444
                #3 0x5627f859f104 in print_keydup_error(TABLE*, st_key*, char const*, unsigned long) /10.4/sql/handler.cc:3591
                #4 0x5627f859f350 in print_keydup_error(TABLE*, st_key*, unsigned long) /10.4/sql/handler.cc:3614
                #5 0x5627f8c818f0 in ha_myisam::repair(THD*, st_handler_check_param&, bool) /10.4/storage/myisam/ha_myisam.cc:1308
                #6 0x5627f8c8411c in ha_myisam::enable_indexes(unsigned int) /10.4/storage/myisam/ha_myisam.cc:1639
                #7 0x5627f8c84fe5 in ha_myisam::end_bulk_insert() /10.4/storage/myisam/ha_myisam.cc:1800
                #8 0x5627f7e07496 in handler::ha_end_bulk_insert() /10.4/sql/handler.h:3180
                #9 0x5627f80a1e0c in copy_data_between_tables /10.4/sql/sql_table.cc:10516
                #10 0x5627f809d9c1 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /10.4/sql/sql_table.cc:9871
                #11 0x5627f81dd59f in Sql_cmd_alter_table::execute(THD*) /10.4/sql/sql_alter.cc:497
                #12 0x5627f7e942fb in mysql_execute_command(THD*) /10.4/sql/sql_parse.cc:6314
                #13 0x5627f7e9eb4f in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/sql/sql_parse.cc:8116
                #14 0x5627f7e798ca in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/sql/sql_parse.cc:1852
                #15 0x5627f7e76a62 in do_command(THD*) /10.4/sql/sql_parse.cc:1397
                #16 0x5627f81ce6e4 in do_handle_one_connection(CONNECT*) /10.4/sql/sql_connect.cc:1402
                #17 0x5627f81ce0c1 in handle_one_connection /10.4/sql/sql_connect.cc:1308
                #18 0x7f89634346b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
                #19 0x7f89628c941c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
                

             
                #0 0x55ec65cb9a49 in read_lowendian /10.4/sql/field.cc:5425
                #1 0x55ec65ce938c in Field_enum::val_int() /10.4/sql/field.cc:9119
                #2 0x55ec65ceb161 in Field_set::val_str(String*, String*) /10.4/sql/field.cc:9288
                #3 0x55ec653d1185 in Field::val_str(String*) /10.4/sql/field.h:834
                #4 0x55ec65fa6d66 in field_unpack(String*, Field*, unsigned char const*, unsigned int, bool) /10.4/sql/key.cc:369
                #5 0x55ec65fa784e in key_unpack(String*, TABLE*, st_key*) /10.4/sql/key.cc:444
                #6 0x55ec65d42104 in print_keydup_error(TABLE*, st_key*, char const*, unsigned long) /10.4/sql/handler.cc:3591
                #7 0x55ec65d42350 in print_keydup_error(TABLE*, st_key*, unsigned long) /10.4/sql/handler.cc:3614
                #8 0x55ec664248f0 in ha_myisam::repair(THD*, st_handler_check_param&, bool) /10.4/storage/myisam/ha_myisam.cc:1308
                #9 0x55ec6642711c in ha_myisam::enable_indexes(unsigned int) /10.4/storage/myisam/ha_myisam.cc:1639
                #10 0x55ec66427fe5 in ha_myisam::end_bulk_insert() /10.4/storage/myisam/ha_myisam.cc:1800
                #11 0x55ec655aa496 in handler::ha_end_bulk_insert() /10.4/sql/handler.h:3180
                #12 0x55ec65844e0c in copy_data_between_tables /10.4/sql/sql_table.cc:10516
                #13 0x55ec658409c1 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /10.4/sql/sql_table.cc:9871
                #14 0x55ec6598059f in Sql_cmd_alter_table::execute(THD*) /10.4/sql/sql_alter.cc:497
                #15 0x55ec656372fb in mysql_execute_command(THD*) /10.4/sql/sql_parse.cc:6314
                #16 0x55ec65641b4f in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/sql/sql_parse.cc:8116
                #17 0x55ec6561c8ca in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/sql/sql_parse.cc:1852
                #18 0x55ec65619a62 in do_command(THD*) /10.4/sql/sql_parse.cc:1397
                #19 0x55ec659716e4 in do_handle_one_connection(CONNECT*) /10.4/sql/sql_connect.cc:1402
                #20 0x55ec659710c1 in handle_one_connection /10.4/sql/sql_connect.cc:1308
                #21 0x7f539c0c46b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
                #22 0x7f539b55941c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
             
                

                #0 0x563643b27056 in Field_tiny::val_str(String*, String*) /10.4/sql/field.cc:3704
                #1 0x563643258185 in Field::val_str(String*) /10.4/sql/field.h:834
                #2 0x563643e2dd66 in field_unpack(String*, Field*, unsigned char const*, unsigned int, bool) /10.4/sql/key.cc:369
                #3 0x563643e2e84e in key_unpack(String*, TABLE*, st_key*) /10.4/sql/key.cc:444
                #4 0x563643bc9104 in print_keydup_error(TABLE*, st_key*, char const*, unsigned long) /10.4/sql/handler.cc:3591
                #5 0x563643bc9350 in print_keydup_error(TABLE*, st_key*, unsigned long) /10.4/sql/handler.cc:3614
                #6 0x5636442ab8f0 in ha_myisam::repair(THD*, st_handler_check_param&, bool) /10.4/storage/myisam/ha_myisam.cc:1308
                #7 0x5636442ae11c in ha_myisam::enable_indexes(unsigned int) /10.4/storage/myisam/ha_myisam.cc:1639
                #8 0x5636442aefe5 in ha_myisam::end_bulk_insert() /10.4/storage/myisam/ha_myisam.cc:1800
                #9 0x563643431496 in handler::ha_end_bulk_insert() /10.4/sql/handler.h:3180
                #10 0x5636436cbe0c in copy_data_between_tables /10.4/sql/sql_table.cc:10516
                #11 0x5636436c79c1 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /10.4/sql/sql_table.cc:9871
                #12 0x56364380759f in Sql_cmd_alter_table::execute(THD*) /10.4/sql/sql_alter.cc:497
                #13 0x5636434be2fb in mysql_execute_command(THD*) /10.4/sql/sql_parse.cc:6314
                #14 0x5636434c8b4f in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/sql/sql_parse.cc:8116
                #15 0x5636434a38ca in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/sql/sql_parse.cc:1852
                #16 0x5636434a0a62 in do_command(THD*) /10.4/sql/sql_parse.cc:1397
                #17 0x5636437f86e4 in do_handle_one_connection(CONNECT*) /10.4/sql/sql_connect.cc:1402
                #18 0x5636437f80c1 in handle_one_connection /10.4/sql/sql_connect.cc:1308
                #19 0x7ff6909186b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
                #20 0x7ff68fdad41c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
                


            Yet another stack trace from a similar test case:

            10.3 0c405b06

            #3  <signal handler called>
            #4  0x00005559ce5c9724 in err_conv (buff=0x7f3341ac3e88 "-1886417009", to_length=511, from=0x8f8f8f8f8f8f8f8f <error: Cannot access memory at address 0x8f8f8f8f8f8f8f8f>, from_length=143, from_cs=0x5559cfb87380 <my_charset_bin>) at /data/src/10.3/sql/sql_error.cc:874
            #5  0x00005559ce517155 in ErrConvString::ptr (this=0x7f3341ac3e80) at /data/src/10.3/sql/sql_error.h:842
            #6  0x00005559cea0d268 in field_unpack (to=0x7f3341ac4190, field=0x7f32f003b5e0, rec=0x7f32f0038098 "\001", max_length=64, prefix_key=true) at /data/src/10.3/sql/key.cc:398
            #7  0x00005559cea0d497 in key_unpack (to=0x7f3341ac4190, table=0x7f32f0036cb0, key=0x7f32f003bae8) at /data/src/10.3/sql/key.cc:444
            #8  0x00005559ce910307 in print_keydup_error (table=0x7f32f0036cb0, key=0x7f32f003bae8, msg=0x5559d0e2f431 "Duplicate entry '%-.64s' for key '%-.192s'", errflag=0) at /data/src/10.3/sql/handler.cc:3650
            #9  0x00005559ce910449 in print_keydup_error (table=0x7f32f0036cb0, key=0x7f32f003bae8, errflag=0) at /data/src/10.3/sql/handler.cc:3673
            #10 0x00005559cefa70fb in ha_myisam::repair (this=0x7f32f00378f8, thd=0x7f32f0000b00, param=..., do_optimize=false) at /data/src/10.3/storage/myisam/ha_myisam.cc:1281
            #11 0x00005559cefa814b in ha_myisam::enable_indexes (this=0x7f32f00378f8, mode=2) at /data/src/10.3/storage/myisam/ha_myisam.cc:1612
            #12 0x00005559cefa864c in ha_myisam::end_bulk_insert (this=0x7f32f00378f8) at /data/src/10.3/storage/myisam/ha_myisam.cc:1773
            #13 0x00005559ce5dbecf in handler::ha_end_bulk_insert (this=0x7f32f00378f8) at /data/src/10.3/sql/handler.h:3163
            #14 0x00005559ce6f15da in copy_data_between_tables (thd=0x7f32f0000b00, from=0x7f32f0184320, to=0x7f32f0036cb0, create=..., ignore=false, order_num=0, order=0x0, copied=0x7f3341ac5e98, deleted=0x7f3341ac5ea0, keys_onoff=Alter_info::LEAVE_AS_IS, alter_ctx=0x7f3341ac68d0) at /data/src/10.3/sql/sql_table.cc:10541
            #15 0x00005559ce6ef20b in mysql_alter_table (thd=0x7f32f0000b00, new_db=0x7f32f00051d8, new_name=0x7f32f0005598, create_info=0x7f3341ac74c0, table_list=0x7f32f0012940, alter_info=0x7f3341ac7400, order_num=0, order=0x0, ignore=false) at /data/src/10.3/sql/sql_table.cc:9900
            #16 0x00005559ce77625d in Sql_cmd_alter_table::execute (this=0x7f32f00130c0, thd=0x7f32f0000b00) at /data/src/10.3/sql/sql_alter.cc:488
            #17 0x00005559ce617fee in mysql_execute_command (thd=0x7f32f0000b00) at /data/src/10.3/sql/sql_parse.cc:6285
            #18 0x00005559ce61d300 in mysql_parse (thd=0x7f32f0000b00, rawbuf=0x7f32f0012808 "ALTER TABLE `t4_MyISAM` MODIFY `col_dec` DATE", length=45, parser_state=0x7f3341ac85f0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:8091
            #19 0x00005559ce60a350 in dispatch_command (command=COM_QUERY, thd=0x7f32f0000b00, packet=0x7f32f015fe71 "", packet_length=45, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1858
            #20 0x00005559ce608d75 in do_command (thd=0x7f32f0000b00) at /data/src/10.3/sql/sql_parse.cc:1403
            #21 0x00005559ce770825 in do_handle_one_connection (connect=0x5559d1a38f30) at /data/src/10.3/sql/sql_connect.cc:1402
            #22 0x00005559ce77059c in handle_one_connection (arg=0x5559d1a38f30) at /data/src/10.3/sql/sql_connect.cc:1308
            #23 0x00005559cf0454be in pfs_spawn_thread (arg=0x5559d19816f0) at /data/src/10.3/storage/perfschema/pfs.cc:1862
            #24 0x00007f3349a3f4a4 in start_thread (arg=0x7f3341ac9700) at pthread_create.c:456
            #25 0x00007f3347f87d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
            

            Dirty test case is attached as 2391.test.

            elenst Elena Stepanova added a comment - Yet another stack trace from a similar test case: 10.3 0c405b06 #3 <signal handler called> #4 0x00005559ce5c9724 in err_conv (buff=0x7f3341ac3e88 "-1886417009", to_length=511, from=0x8f8f8f8f8f8f8f8f <error: Cannot access memory at address 0x8f8f8f8f8f8f8f8f>, from_length=143, from_cs=0x5559cfb87380 <my_charset_bin>) at /data/src/10.3/sql/sql_error.cc:874 #5 0x00005559ce517155 in ErrConvString::ptr (this=0x7f3341ac3e80) at /data/src/10.3/sql/sql_error.h:842 #6 0x00005559cea0d268 in field_unpack (to=0x7f3341ac4190, field=0x7f32f003b5e0, rec=0x7f32f0038098 "\001", max_length=64, prefix_key=true) at /data/src/10.3/sql/key.cc:398 #7 0x00005559cea0d497 in key_unpack (to=0x7f3341ac4190, table=0x7f32f0036cb0, key=0x7f32f003bae8) at /data/src/10.3/sql/key.cc:444 #8 0x00005559ce910307 in print_keydup_error (table=0x7f32f0036cb0, key=0x7f32f003bae8, msg=0x5559d0e2f431 "Duplicate entry '%-.64s' for key '%-.192s'", errflag=0) at /data/src/10.3/sql/handler.cc:3650 #9 0x00005559ce910449 in print_keydup_error (table=0x7f32f0036cb0, key=0x7f32f003bae8, errflag=0) at /data/src/10.3/sql/handler.cc:3673 #10 0x00005559cefa70fb in ha_myisam::repair (this=0x7f32f00378f8, thd=0x7f32f0000b00, param=..., do_optimize=false) at /data/src/10.3/storage/myisam/ha_myisam.cc:1281 #11 0x00005559cefa814b in ha_myisam::enable_indexes (this=0x7f32f00378f8, mode=2) at /data/src/10.3/storage/myisam/ha_myisam.cc:1612 #12 0x00005559cefa864c in ha_myisam::end_bulk_insert (this=0x7f32f00378f8) at /data/src/10.3/storage/myisam/ha_myisam.cc:1773 #13 0x00005559ce5dbecf in handler::ha_end_bulk_insert (this=0x7f32f00378f8) at /data/src/10.3/sql/handler.h:3163 #14 0x00005559ce6f15da in copy_data_between_tables (thd=0x7f32f0000b00, from=0x7f32f0184320, to=0x7f32f0036cb0, create=..., ignore=false, order_num=0, order=0x0, copied=0x7f3341ac5e98, deleted=0x7f3341ac5ea0, keys_onoff=Alter_info::LEAVE_AS_IS, alter_ctx=0x7f3341ac68d0) at 
/data/src/10.3/sql/sql_table.cc:10541 #15 0x00005559ce6ef20b in mysql_alter_table (thd=0x7f32f0000b00, new_db=0x7f32f00051d8, new_name=0x7f32f0005598, create_info=0x7f3341ac74c0, table_list=0x7f32f0012940, alter_info=0x7f3341ac7400, order_num=0, order=0x0, ignore=false) at /data/src/10.3/sql/sql_table.cc:9900 #16 0x00005559ce77625d in Sql_cmd_alter_table::execute (this=0x7f32f00130c0, thd=0x7f32f0000b00) at /data/src/10.3/sql/sql_alter.cc:488 #17 0x00005559ce617fee in mysql_execute_command (thd=0x7f32f0000b00) at /data/src/10.3/sql/sql_parse.cc:6285 #18 0x00005559ce61d300 in mysql_parse (thd=0x7f32f0000b00, rawbuf=0x7f32f0012808 "ALTER TABLE `t4_MyISAM` MODIFY `col_dec` DATE", length=45, parser_state=0x7f3341ac85f0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:8091 #19 0x00005559ce60a350 in dispatch_command (command=COM_QUERY, thd=0x7f32f0000b00, packet=0x7f32f015fe71 "", packet_length=45, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1858 #20 0x00005559ce608d75 in do_command (thd=0x7f32f0000b00) at /data/src/10.3/sql/sql_parse.cc:1403 #21 0x00005559ce770825 in do_handle_one_connection (connect=0x5559d1a38f30) at /data/src/10.3/sql/sql_connect.cc:1402 #22 0x00005559ce77059c in handle_one_connection (arg=0x5559d1a38f30) at /data/src/10.3/sql/sql_connect.cc:1308 #23 0x00005559cf0454be in pfs_spawn_thread (arg=0x5559d19816f0) at /data/src/10.3/storage/perfschema/pfs.cc:1862 #24 0x00007f3349a3f4a4 in start_thread (arg=0x7f3341ac9700) at pthread_create.c:456 #25 0x00007f3347f87d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97 Dirty test case is attached as 2391.test .

            Variation with unique blob (and corresponding conversion back to virtual columns):

            # mysql-test case: same crash path with a UNIQUE key on a BLOB column.
            # The sequence engine is required for seq_1_to_100 used below.
            --source include/have_sequence.inc
             
            CREATE TABLE t1 (a BINARY(3), b BLOB, UNIQUE (b)) ENGINE=MyISAM;
            # 100 rows, all with the same value in a and NULL in b.
            INSERT INTO t1 SELECT 1, NULL FROM seq_1_to_100;
            # Every row has the same a, so building the primary key must report a duplicate.
            # The ASAN report on this page shows that report path (print_keydup_error ->
            # key_unpack -> field_unpack) reading a record buffer that mi_repair_by_sort
            # had already freed.
            ALTER TABLE t1 ADD PRIMARY KEY (a);
             
            # Cleanup
            DROP TABLE t1;
            

            # mysql-test case: the same scenario with an explicit generated column in place
            # of the UNIQUE BLOB key. c is an INVISIBLE column computed as left(b,20) and
            # carries a non-unique key.
            # The sequence engine is required for seq_1_to_100 used below.
            --source include/have_sequence.inc
             
            CREATE TABLE t1 (a BINARY(3), b BLOB, c BLOB AS (left(b,20)) INVISIBLE, KEY(c)) ENGINE=MyISAM;
            # 100 rows, all with the same value in a and NULL in b.
            INSERT INTO t1 SELECT 1, NULL FROM seq_1_to_100;
            # Every row has the same a, so building the primary key must report a duplicate;
            # the duplicate-key message is what unpacks the key fields from the record buffer.
            ALTER TABLE t1 ADD PRIMARY KEY (a);
             
            # Cleanup
            DROP TABLE t1;
            

            10.4 d67e17bb

            ==3511405==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000035e0b at pc 0x559bc9d4bc51 bp 0x7f0cc68a6950 sp 0x7f0cc68a6940
            READ of size 1 at 0x611000035e0b thread T5
                #0 0x559bc9d4bc50 in field_unpack(String*, Field*, unsigned char const*, unsigned int, bool) /data/src/10.4/sql/key.cc:377
                #1 0x559bc9d4c637 in key_unpack(String*, TABLE*, st_key*) /data/src/10.4/sql/key.cc:443
                #2 0x559bc9a95843 in print_keydup_error(TABLE*, st_key*, char const*, unsigned long) /data/src/10.4/sql/handler.cc:3709
                #3 0x559bc9a95afe in print_keydup_error(TABLE*, st_key*, unsigned long) /data/src/10.4/sql/handler.cc:3732
                #4 0x559bcab56546 in ha_myisam::repair(THD*, st_handler_check_param&, bool) /data/src/10.4/storage/myisam/ha_myisam.cc:1320
                #5 0x559bcab58f59 in ha_myisam::enable_indexes(unsigned int) /data/src/10.4/storage/myisam/ha_myisam.cc:1652
                #6 0x559bcab5a5f5 in ha_myisam::end_bulk_insert() /data/src/10.4/storage/myisam/ha_myisam.cc:1847
                #7 0x559bc9a9a36e in handler::ha_end_bulk_insert() /data/src/10.4/sql/handler.cc:4424
                #8 0x559bc94faf07 in copy_data_between_tables /data/src/10.4/sql/sql_table.cc:10945
                #9 0x559bc94f57e5 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.4/sql/sql_table.cc:10295
                #10 0x559bc9676faa in Sql_cmd_alter_table::execute(THD*) /data/src/10.4/sql/sql_alter.cc:520
                #11 0x559bc928ce65 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6160
                #12 0x559bc9298c42 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7958
                #13 0x559bc926f833 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1855
                #14 0x559bc926c2e2 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1373
                #15 0x559bc965e4c1 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412
                #16 0x559bc965dd65 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
                #17 0x559bcad16cc2 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
                #18 0x7f0cd08e1608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
                #19 0x7f0cd014a292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
             
            0x611000035e0b is located 139 bytes inside of 252-byte region [0x611000035d80,0x611000035e7c)
            freed by thread T5 here:
                #0 0x7f0cd0ad77cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
                #1 0x559bcae6647c in free_memory /data/src/10.4/mysys/safemalloc.c:279
                #2 0x559bcae65a38 in sf_free /data/src/10.4/mysys/safemalloc.c:197
                #3 0x559bcae33d23 in my_free /data/src/10.4/mysys/my_malloc.c:222
                #4 0x559bcab7d771 in mi_repair_by_sort /data/src/10.4/storage/myisam/mi_check.c:2559
                #5 0x559bcab56353 in ha_myisam::repair(THD*, st_handler_check_param&, bool) /data/src/10.4/storage/myisam/ha_myisam.cc:1313
                #6 0x559bcab58f59 in ha_myisam::enable_indexes(unsigned int) /data/src/10.4/storage/myisam/ha_myisam.cc:1652
                #7 0x559bcab5a5f5 in ha_myisam::end_bulk_insert() /data/src/10.4/storage/myisam/ha_myisam.cc:1847
                #8 0x559bc9a9a36e in handler::ha_end_bulk_insert() /data/src/10.4/sql/handler.cc:4424
                #9 0x559bc94faf07 in copy_data_between_tables /data/src/10.4/sql/sql_table.cc:10945
                #10 0x559bc94f57e5 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.4/sql/sql_table.cc:10295
                #11 0x559bc9676faa in Sql_cmd_alter_table::execute(THD*) /data/src/10.4/sql/sql_alter.cc:520
                #12 0x559bc928ce65 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6160
                #13 0x559bc9298c42 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7958
                #14 0x559bc926f833 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1855
                #15 0x559bc926c2e2 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1373
                #16 0x559bc965e4c1 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412
                #17 0x559bc965dd65 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
                #18 0x559bcad16cc2 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
                #19 0x7f0cd08e1608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
             
            previously allocated by thread T5 here:
                #0 0x7f0cd0ad7bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
                #1 0x559bcae653ec in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
                #2 0x559bcae3322c in my_malloc /data/src/10.4/mysys/my_malloc.c:101
                #3 0x559bcae336f2 in my_realloc /data/src/10.4/mysys/my_malloc.c:155
                #4 0x559bcabdb6a7 in mi_alloc_rec_buff /data/src/10.4/storage/myisam/mi_open.c:762
                #5 0x559bcab79e8f in mi_repair_by_sort /data/src/10.4/storage/myisam/mi_check.c:2240
                #6 0x559bcab56353 in ha_myisam::repair(THD*, st_handler_check_param&, bool) /data/src/10.4/storage/myisam/ha_myisam.cc:1313
                #7 0x559bcab58f59 in ha_myisam::enable_indexes(unsigned int) /data/src/10.4/storage/myisam/ha_myisam.cc:1652
                #8 0x559bcab5a5f5 in ha_myisam::end_bulk_insert() /data/src/10.4/storage/myisam/ha_myisam.cc:1847
                #9 0x559bc9a9a36e in handler::ha_end_bulk_insert() /data/src/10.4/sql/handler.cc:4424
                #10 0x559bc94faf07 in copy_data_between_tables /data/src/10.4/sql/sql_table.cc:10945
                #11 0x559bc94f57e5 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.4/sql/sql_table.cc:10295
                #12 0x559bc9676faa in Sql_cmd_alter_table::execute(THD*) /data/src/10.4/sql/sql_alter.cc:520
                #13 0x559bc928ce65 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6160
                #14 0x559bc9298c42 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7958
                #15 0x559bc926f833 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1855
                #16 0x559bc926c2e2 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1373
                #17 0x559bc965e4c1 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412
                #18 0x559bc965dd65 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
                #19 0x559bcad16cc2 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
                #20 0x7f0cd08e1608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
             
            Thread T5 created by T0 here:
                #0 0x7f0cd0a04805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
                #1 0x559bcad170b3 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919
                #2 0x559bc8f75c78 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275
                #3 0x559bc8f8d84c in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6259
                #4 0x559bc8f8dfe7 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6329
                #5 0x559bc8f8e4cd in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6427
                #6 0x559bc8f8f366 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6585
                #7 0x559bc8f8cf51 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5917
                #8 0x559bc8f73bec in main /data/src/10.4/sql/main.cc:25
                #9 0x7f0cd004f0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
             
            SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/sql/key.cc:377 in field_unpack(String*, Field*, unsigned char const*, unsigned int, bool)
            Shadow bytes around the buggy address:
              0x0c227fffeb70: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
              0x0c227fffeb80: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
              0x0c227fffeb90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c227fffeba0: 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa fa
              0x0c227fffebb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
            =>0x0c227fffebc0: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c227fffebd0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
              0x0c227fffebe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c227fffebf0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
              0x0c227fffec00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c227fffec10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable:           00
              Partially addressable: 01 02 03 04 05 06 07 
              Heap left redzone:       fa
              Freed heap region:       fd
              Stack left redzone:      f1
              Stack mid redzone:       f2
              Stack right redzone:     f3
              Stack after return:      f5
              Stack use after scope:   f8
              Global redzone:          f9
              Global init order:       f6
              Poisoned by user:        f7
              Container overflow:      fc
              Array cookie:            ac
              Intra object redzone:    bb
              ASan internal:           fe
              Left alloca redzone:     ca
              Right alloca redzone:    cb
              Shadow gap:              cc
            ==3511405==ABORTING
            

            elenst Elena Stepanova added a comment - Variation with unique blob (and corresponding conversion back to virtual columns): --source include/have_sequence.inc   CREATE TABLE t1 (a BINARY (3), b BLOB, UNIQUE (b)) ENGINE=MyISAM; INSERT INTO t1 SELECT 1, NULL FROM seq_1_to_100; ALTER TABLE t1 ADD PRIMARY KEY (a);   # Cleanup DROP TABLE t1; --source include/have_sequence.inc   CREATE TABLE t1 (a BINARY (3), b BLOB, c BLOB AS ( left (b,20)) INVISIBLE, KEY (c)) ENGINE=MyISAM; INSERT INTO t1 SELECT 1, NULL FROM seq_1_to_100; ALTER TABLE t1 ADD PRIMARY KEY (a);   # Cleanup DROP TABLE t1; 10.4 d67e17bb ==3511405==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000035e0b at pc 0x559bc9d4bc51 bp 0x7f0cc68a6950 sp 0x7f0cc68a6940 READ of size 1 at 0x611000035e0b thread T5 #0 0x559bc9d4bc50 in field_unpack(String*, Field*, unsigned char const*, unsigned int, bool) /data/src/10.4/sql/key.cc:377 #1 0x559bc9d4c637 in key_unpack(String*, TABLE*, st_key*) /data/src/10.4/sql/key.cc:443 #2 0x559bc9a95843 in print_keydup_error(TABLE*, st_key*, char const*, unsigned long) /data/src/10.4/sql/handler.cc:3709 #3 0x559bc9a95afe in print_keydup_error(TABLE*, st_key*, unsigned long) /data/src/10.4/sql/handler.cc:3732 #4 0x559bcab56546 in ha_myisam::repair(THD*, st_handler_check_param&, bool) /data/src/10.4/storage/myisam/ha_myisam.cc:1320 #5 0x559bcab58f59 in ha_myisam::enable_indexes(unsigned int) /data/src/10.4/storage/myisam/ha_myisam.cc:1652 #6 0x559bcab5a5f5 in ha_myisam::end_bulk_insert() /data/src/10.4/storage/myisam/ha_myisam.cc:1847 #7 0x559bc9a9a36e in handler::ha_end_bulk_insert() /data/src/10.4/sql/handler.cc:4424 #8 0x559bc94faf07 in copy_data_between_tables /data/src/10.4/sql/sql_table.cc:10945 #9 0x559bc94f57e5 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.4/sql/sql_table.cc:10295 #10 0x559bc9676faa in 
Sql_cmd_alter_table::execute(THD*) /data/src/10.4/sql/sql_alter.cc:520 #11 0x559bc928ce65 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6160 #12 0x559bc9298c42 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7958 #13 0x559bc926f833 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1855 #14 0x559bc926c2e2 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1373 #15 0x559bc965e4c1 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412 #16 0x559bc965dd65 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316 #17 0x559bcad16cc2 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869 #18 0x7f0cd08e1608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477 #19 0x7f0cd014a292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)   0x611000035e0b is located 139 bytes inside of 252-byte region [0x611000035d80,0x611000035e7c) freed by thread T5 here: #0 0x7f0cd0ad77cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf) #1 0x559bcae6647c in free_memory /data/src/10.4/mysys/safemalloc.c:279 #2 0x559bcae65a38 in sf_free /data/src/10.4/mysys/safemalloc.c:197 #3 0x559bcae33d23 in my_free /data/src/10.4/mysys/my_malloc.c:222 #4 0x559bcab7d771 in mi_repair_by_sort /data/src/10.4/storage/myisam/mi_check.c:2559 #5 0x559bcab56353 in ha_myisam::repair(THD*, st_handler_check_param&, bool) /data/src/10.4/storage/myisam/ha_myisam.cc:1313 #6 0x559bcab58f59 in ha_myisam::enable_indexes(unsigned int) /data/src/10.4/storage/myisam/ha_myisam.cc:1652 #7 0x559bcab5a5f5 in ha_myisam::end_bulk_insert() /data/src/10.4/storage/myisam/ha_myisam.cc:1847 #8 0x559bc9a9a36e in handler::ha_end_bulk_insert() /data/src/10.4/sql/handler.cc:4424 #9 0x559bc94faf07 in copy_data_between_tables /data/src/10.4/sql/sql_table.cc:10945 #10 0x559bc94f57e5 in mysql_alter_table(THD*, st_mysql_const_lex_string 
const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.4/sql/sql_table.cc:10295 #11 0x559bc9676faa in Sql_cmd_alter_table::execute(THD*) /data/src/10.4/sql/sql_alter.cc:520 #12 0x559bc928ce65 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6160 #13 0x559bc9298c42 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7958 #14 0x559bc926f833 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1855 #15 0x559bc926c2e2 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1373 #16 0x559bc965e4c1 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412 #17 0x559bc965dd65 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316 #18 0x559bcad16cc2 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869 #19 0x7f0cd08e1608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477   previously allocated by thread T5 here: #0 0x7f0cd0ad7bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8) #1 0x559bcae653ec in sf_malloc /data/src/10.4/mysys/safemalloc.c:118 #2 0x559bcae3322c in my_malloc /data/src/10.4/mysys/my_malloc.c:101 #3 0x559bcae336f2 in my_realloc /data/src/10.4/mysys/my_malloc.c:155 #4 0x559bcabdb6a7 in mi_alloc_rec_buff /data/src/10.4/storage/myisam/mi_open.c:762 #5 0x559bcab79e8f in mi_repair_by_sort /data/src/10.4/storage/myisam/mi_check.c:2240 #6 0x559bcab56353 in ha_myisam::repair(THD*, st_handler_check_param&, bool) /data/src/10.4/storage/myisam/ha_myisam.cc:1313 #7 0x559bcab58f59 in ha_myisam::enable_indexes(unsigned int) /data/src/10.4/storage/myisam/ha_myisam.cc:1652 #8 0x559bcab5a5f5 in ha_myisam::end_bulk_insert() /data/src/10.4/storage/myisam/ha_myisam.cc:1847 #9 0x559bc9a9a36e in handler::ha_end_bulk_insert() /data/src/10.4/sql/handler.cc:4424 #10 0x559bc94faf07 in copy_data_between_tables 
/data/src/10.4/sql/sql_table.cc:10945 #11 0x559bc94f57e5 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.4/sql/sql_table.cc:10295 #12 0x559bc9676faa in Sql_cmd_alter_table::execute(THD*) /data/src/10.4/sql/sql_alter.cc:520 #13 0x559bc928ce65 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6160 #14 0x559bc9298c42 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7958 #15 0x559bc926f833 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1855 #16 0x559bc926c2e2 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1373 #17 0x559bc965e4c1 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412 #18 0x559bc965dd65 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316 #19 0x559bcad16cc2 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869 #20 0x7f0cd08e1608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477   Thread T5 created by T0 here: #0 0x7f0cd0a04805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805) #1 0x559bcad170b3 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919 #2 0x559bc8f75c78 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275 #3 0x559bc8f8d84c in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6259 #4 0x559bc8f8dfe7 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6329 #5 0x559bc8f8e4cd in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6427 #6 0x559bc8f8f366 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6585 #7 0x559bc8f8cf51 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5917 #8 0x559bc8f73bec in main /data/src/10.4/sql/main.cc:25 #9 0x7f0cd004f0b2 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x270b2)   SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/sql/key.cc:377 in field_unpack(String*, Field*, unsigned char const*, unsigned int, bool) Shadow bytes around the buggy address: 0x0c227fffeb70: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa 0x0c227fffeb80: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c227fffeb90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c227fffeba0: 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa fa 0x0c227fffebb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd =>0x0c227fffebc0: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c227fffebd0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c227fffebe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c227fffebf0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa 0x0c227fffec00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c227fffec10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==3511405==ABORTING
            alice Alice Sherepa added a comment -

            =================================================================
            ==79871==ERROR: AddressSanitizer: heap-use-after-free on address 0x61f00047972d at pc 0x7f9ac056331e bp 0x7f9a931e95e0 sp 0x7f9a931e8d90
            READ of size 4 at 0x61f00047972d thread T27
                #0 0x7f9ac056331d  (/lib/x86_64-linux-gnu/libasan.so.5+0x3f31d)
                #1 0x55eb8a7f0f5d in UUID::Segment::record_to_memory(char*, char const*) const /10.10/plugin/type_uuid/sql_type_uuid.h:61
                #2 0x55eb8a7f1190 in UUID::record_to_memory(char*, char const*) /10.10/plugin/type_uuid/sql_type_uuid.h:99
                #3 0x55eb8a80272a in FixedBinTypeBundle<UUID>::Fbt::record_to_memory(char const*) /10.10/sql/sql_type_fixedbin.h:117
                #4 0x55eb8a802164 in FixedBinTypeBundle<UUID>::Field_fbt::to_fbt() const /10.10/sql/sql_type_fixedbin.h:1205
                #5 0x55eb8a7ff57c in FixedBinTypeBundle<UUID>::Field_fbt::val_str(String*, String*) /10.10/sql/sql_type_fixedbin.h:1210
                #6 0x55eb88632891 in Field::val_str(String*) /10.10/sql/field.h:1038
                #7 0x55eb895223d4 in field_unpack(String*, Field*, unsigned char const*, unsigned int, bool) /10.10/sql/key.cc:367
                #8 0x55eb89522efa in key_unpack(String*, TABLE*, st_key*) /10.10/sql/key.cc:441
                #9 0x55eb89217a6c in print_keydup_error(TABLE*, st_key*, char const*, unsigned long) /10.10/sql/handler.cc:4268
                #10 0x55eb89217d02 in print_keydup_error(TABLE*, st_key*, unsigned long) /10.10/sql/handler.cc:4291
                #11 0x55eb8a4b3fad in ha_myisam::repair(THD*, st_handler_check_param&, bool) /10.10/storage/myisam/ha_myisam.cc:1322
                #12 0x55eb8a4b6865 in ha_myisam::enable_indexes(unsigned int) /10.10/storage/myisam/ha_myisam.cc:1654
                #13 0x55eb8a4b7e35 in ha_myisam::end_bulk_insert() /10.10/storage/myisam/ha_myisam.cc:1849
                #14 0x55eb8921c6bd in handler::ha_end_bulk_insert() /10.10/sql/handler.cc:5019
                #15 0x55eb88c33efb in copy_data_between_tables /10.10/sql/sql_table.cc:11707
                #16 0x55eb88c2ce61 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool, bool) /10.10/sql/sql_table.cc:10877
                #17 0x55eb8893e02a in mysql_execute_command(THD*, bool) /10.10/sql/sql_parse.cc:4208
                #18 0x55eb88958d8a in mysql_parse(THD*, char*, unsigned int, Parser_state*) /10.10/sql/sql_parse.cc:8036
                #19 0x55eb8892f436 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /10.10/sql/sql_parse.cc:1894
                #20 0x55eb8892c16c in do_command(THD*, bool) /10.10/sql/sql_parse.cc:1407
                #21 0x55eb88dcaa76 in do_handle_one_connection(CONNECT*, bool) /10.10/sql/sql_connect.cc:1418
                #22 0x55eb88dca2fb in handle_one_connection /10.10/sql/sql_connect.cc:1312
                #23 0x55eb89a68740 in pfs_spawn_thread /10.10/storage/perfschema/pfs.cc:2201
                #24 0x7f9ac00f9fa2 in start_thread /build/glibc-fWwxX8/glibc-2.28/nptl/pthread_create.c:486
                #25 0x7f9abfd02efe in clone (/lib/x86_64-linux-gnu/libc.so.6+0xf8efe)
             
            0x61f00047972d is located 173 bytes inside of 3012-byte region [0x61f000479680,0x61f00047a244)
            freed by thread T27 here:
                #0 0x7f9ac060cfb0 in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0xe8fb0)
                #1 0x55eb8a67a0bc in free_memory /10.10/mysys/safemalloc.c:297
                #2 0x55eb8a67956b in sf_free /10.10/mysys/safemalloc.c:203
                #3 0x55eb8a6486ff in my_free /10.10/mysys/my_malloc.c:211
                #4 0x55eb8a4d9ba6 in mi_repair_by_sort /10.10/storage/myisam/mi_check.c:2560
                #5 0x55eb8a4b3db3 in ha_myisam::repair(THD*, st_handler_check_param&, bool) /10.10/storage/myisam/ha_myisam.cc:1315
                #6 0x55eb8a4b6865 in ha_myisam::enable_indexes(unsigned int) /10.10/storage/myisam/ha_myisam.cc:1654
                #7 0x55eb8a4b7e35 in ha_myisam::end_bulk_insert() /10.10/storage/myisam/ha_myisam.cc:1849
                #8 0x55eb8921c6bd in handler::ha_end_bulk_insert() /10.10/sql/handler.cc:5019
                #9 0x55eb88c33efb in copy_data_between_tables /10.10/sql/sql_table.cc:11707
                #10 0x55eb88c2ce61 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool, bool) /10.10/sql/sql_table.cc:10877
                #11 0x55eb8893e02a in mysql_execute_command(THD*, bool) /10.10/sql/sql_parse.cc:4208
                #12 0x55eb88958d8a in mysql_parse(THD*, char*, unsigned int, Parser_state*) /10.10/sql/sql_parse.cc:8036
                #13 0x55eb8892f436 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /10.10/sql/sql_parse.cc:1894
                #14 0x55eb8892c16c in do_command(THD*, bool) /10.10/sql/sql_parse.cc:1407
                #15 0x55eb88dcaa76 in do_handle_one_connection(CONNECT*, bool) /10.10/sql/sql_connect.cc:1418
                #16 0x55eb88dca2fb in handle_one_connection /10.10/sql/sql_connect.cc:1312
                #17 0x55eb89a68740 in pfs_spawn_thread /10.10/storage/perfschema/pfs.cc:2201
                #18 0x7f9ac00f9fa2 in start_thread /build/glibc-fWwxX8/glibc-2.28/nptl/pthread_create.c:486
             
            previously allocated by thread T27 here:
                #0 0x7f9ac060d330 in __interceptor_malloc (/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
                #1 0x55eb8a678f51 in sf_malloc /10.10/mysys/safemalloc.c:126
                #2 0x55eb8a647951 in my_malloc /10.10/mysys/my_malloc.c:90
                #3 0x55eb8a647ed5 in my_realloc /10.10/mysys/my_malloc.c:141
                #4 0x55eb8a5339ab in mi_alloc_rec_buff /10.10/storage/myisam/mi_open.c:762
                #5 0x55eb8a4d6291 in mi_repair_by_sort /10.10/storage/myisam/mi_check.c:2241
                #6 0x55eb8a4b3db3 in ha_myisam::repair(THD*, st_handler_check_param&, bool) /10.10/storage/myisam/ha_myisam.cc:1315
                #7 0x55eb8a4b6865 in ha_myisam::enable_indexes(unsigned int) /10.10/storage/myisam/ha_myisam.cc:1654
                #8 0x55eb8a4b7e35 in ha_myisam::end_bulk_insert() /10.10/storage/myisam/ha_myisam.cc:1849
                #9 0x55eb8921c6bd in handler::ha_end_bulk_insert() /10.10/sql/handler.cc:5019
                #10 0x55eb88c33efb in copy_data_between_tables /10.10/sql/sql_table.cc:11707
                #11 0x55eb88c2ce61 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool, bool) /10.10/sql/sql_table.cc:10877
                #12 0x55eb8893e02a in mysql_execute_command(THD*, bool) /10.10/sql/sql_parse.cc:4208
                #13 0x55eb88958d8a in mysql_parse(THD*, char*, unsigned int, Parser_state*) /10.10/sql/sql_parse.cc:8036
                #14 0x55eb8892f436 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /10.10/sql/sql_parse.cc:1894
                #15 0x55eb8892c16c in do_command(THD*, bool) /10.10/sql/sql_parse.cc:1407
                #16 0x55eb88dcaa76 in do_handle_one_connection(CONNECT*, bool) /10.10/sql/sql_connect.cc:1418
                #17 0x55eb88dca2fb in handle_one_connection /10.10/sql/sql_connect.cc:1312
                #18 0x55eb89a68740 in pfs_spawn_thread /10.10/storage/perfschema/pfs.cc:2201
                #19 0x7f9ac00f9fa2 in start_thread /build/glibc-fWwxX8/glibc-2.28/nptl/pthread_create.c:486
             
            Thread T27 created by T0 here:
                #0 0x7f9ac0574db0 in __interceptor_pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
                #1 0x55eb89a64260 in my_thread_create /10.10/storage/perfschema/my_thread.h:52
                #2 0x55eb89a68b2f in pfs_spawn_thread_v1 /10.10/storage/perfschema/pfs.cc:2252
                #3 0x55eb88581586 in inline_mysql_thread_create /10.10/include/mysql/psi/mysql_thread.h:1139
                #4 0x55eb88598cc7 in create_thread_to_handle_connection(CONNECT*) /10.10/sql/mysqld.cc:6015
                #5 0x55eb88599332 in create_new_thread(CONNECT*) /10.10/sql/mysqld.cc:6074
                #6 0x55eb885996a4 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.10/sql/mysqld.cc:6136
                #7 0x55eb8859a0a3 in handle_connections_sockets() /10.10/sql/mysqld.cc:6260
                #8 0x55eb8859852e in mysqld_main(int, char**) /10.10/sql/mysqld.cc:5910
                #9 0x55eb885807d4 in main /10.10/sql/main.cc:34
                #10 0x7f9abfc2e09a in __libc_start_main ../csu/libc-start.c:308
             
            SUMMARY: AddressSanitizer: heap-use-after-free (/lib/x86_64-linux-gnu/libasan.so.5+0x3f31d) 
            Shadow bytes around the buggy address:
              0x0c3e80087290: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c3e800872a0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
              0x0c3e800872b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c3e800872c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c3e800872d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
            =>0x0c3e800872e0: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
              0x0c3e800872f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c3e80087300: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c3e80087310: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c3e80087320: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c3e80087330: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable:           00
              Partially addressable: 01 02 03 04 05 06 07 
              Heap left redzone:       fa
              Freed heap region:       fd
              Stack left redzone:      f1
              Stack mid redzone:       f2
              Stack right redzone:     f3
              Stack after return:      f5
              Stack use after scope:   f8
              Global redzone:          f9
              Global init order:       f6
              Poisoned by user:        f7
              Container overflow:      fc
              Array cookie:            ac
              Intra object redzone:    bb
              ASan internal:           fe
              Left alloca redzone:     ca
              Right alloca redzone:    cb
            ==79871==ABORTING
            SHUTDOWN_1655825062
            


            People

              nikitamalyavin Nikita Malyavin
              alice Alice Sherepa