MDEV-17838

AddressSanitizer: heap-use-after-free in my_strcasecmp_utf8 / Item_field::rename_fields_processor



    Description

      10.4, commit 27f3329ff6cb755b600d5363

      ==24262==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400033f530 at pc 0x5651683ed6ba bp 0x7f825cabf350 sp 0x7f825cabf340
      READ of size 1 at 0x60400033f530 thread T32
          #0 0x5651683ed6b9 in my_strcasecmp_utf8 /git/10.4/strings/ctype-utf8.c:5109
          #1 0x565167139e51 in Item_field::rename_fields_processor(void*) /git/10.4/sql/item.cc:721
          #2 0x56516679bf61 in Item::walk(bool (Item::*)(void*), bool, void*) /git/10.4/sql/item.h:1722
          #3 0x565166bfd8f2 in mysql_prepare_alter_table(THD*, TABLE*, HA_CREATE_INFO*, Alter_info*, Alter_table_ctx*) /git/10.4/sql/sql_table.cc:7953
          #4 0x565166c06693 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /git/10.4/sql/sql_table.cc:9388
          #5 0x565166d4f509 in Sql_cmd_alter_table::execute(THD*) /git/10.4/sql/sql_alter.cc:497
          #6 0x5651669fbb1f in mysql_execute_command(THD*) /git/10.4/sql/sql_parse.cc:6289
          #7 0x565166a0632e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /git/10.4/sql/sql_parse.cc:8091
          #8 0x5651669e10ab in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /git/10.4/sql/sql_parse.cc:1851
          #9 0x5651669de243 in do_command(THD*) /git/10.4/sql/sql_parse.cc:1396
          #10 0x565166d3f7d8 in do_handle_one_connection(CONNECT*) /git/10.4/sql/sql_connect.cc:1402
          #11 0x565166d3f1b5 in handle_one_connection /git/10.4/sql/sql_connect.cc:1308
          #12 0x7f828ba9f6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
          #13 0x7f828af3441c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
       
      0x60400033f530 is located 32 bytes inside of 40-byte region [0x60400033f510,0x60400033f538)
      freed by thread T32 here:
          #0 0x7f828c5a32ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
          #1 0x565168243a33 in my_free /git/10.4/mysys/my_malloc.c:221
          #2 0x56516821f793 in free_root /git/10.4/mysys/my_alloc.c:419
          #3 0x5651669e42b0 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /git/10.4/sql/sql_parse.cc:2441
          #4 0x5651669de243 in do_command(THD*) /git/10.4/sql/sql_parse.cc:1396
          #5 0x565166d3f7d8 in do_handle_one_connection(CONNECT*) /git/10.4/sql/sql_connect.cc:1402
          #6 0x565166d3f1b5 in handle_one_connection /git/10.4/sql/sql_connect.cc:1308
          #7 0x7f828ba9f6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
       
      previously allocated by thread T32 here:
          #0 0x7f828c5a3602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
          #1 0x565168242f6a in my_malloc /git/10.4/mysys/my_malloc.c:101
          #2 0x56516821eea0 in alloc_root /git/10.4/mysys/my_alloc.c:194
          #3 0x56516822006d in strmake_root /git/10.4/mysys/my_alloc.c:479
          #4 0x56516681017b in THD::make_lex_string(st_mysql_const_lex_string*, char const*, unsigned long) /git/10.4/sql/sql_class.h:3634
          #5 0x5651669ae90e in Lex_ident_sys_st::copy_keyword(THD*, Lex_ident_cli_st const*) /git/10.4/sql/sql_lex.cc:8625
          #6 0x5651669ae959 in Lex_ident_sys_st::copy_or_convert(THD*, Lex_ident_cli_st const*, charset_info_st const*) /git/10.4/sql/sql_lex.cc:8634
          #7 0x5651668f5cfc in THD::to_ident_sys_alloc(Lex_ident_sys_st*, Lex_ident_cli_st const*) /git/10.4/sql/sql_class.cc:2422
          #8 0x565166f80a1c in MYSQLparse(THD*) /git/10.4/sql/sql_yacc.yy:15382
          #9 0x565166a123d2 in parse_sql(THD*, Parser_state*, Object_creation_ctx*, bool) /git/10.4/sql/sql_parse.cc:10108
          #10 0x565166a05ec4 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /git/10.4/sql/sql_parse.cc:8044
          #11 0x5651669e10ab in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /git/10.4/sql/sql_parse.cc:1851
          #12 0x5651669de243 in do_command(THD*) /git/10.4/sql/sql_parse.cc:1396
          #13 0x565166d3f7d8 in do_handle_one_connection(CONNECT*) /git/10.4/sql/sql_connect.cc:1402
          #14 0x565166d3f1b5 in handle_one_connection /git/10.4/sql/sql_connect.cc:1308
          #15 0x7f828ba9f6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
       
      Thread T32 created by T0 here:
          #0 0x7f828c541253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
          #1 0x5651682a55c3 in spawn_thread_noop /git/10.4/mysys/psi_noop.c:187
          #2 0x56516674cfb4 in inline_mysql_thread_create /git/10.4/include/mysql/psi/mysql_thread.h:1268
          #3 0x5651667627c4 in create_thread_to_handle_connection(CONNECT*) /git/10.4/sql/mysqld.cc:6330
          #4 0x565166762ec4 in create_new_thread(CONNECT*) /git/10.4/sql/mysqld.cc:6400
          #5 0x56516676324f in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /git/10.4/sql/mysqld.cc:6517
          #6 0x565166763ecc in handle_connections_sockets() /git/10.4/sql/mysqld.cc:6682
          #7 0x565166761c89 in mysqld_main(int, char**) /git/10.4/sql/mysqld.cc:5952
          #8 0x56516674b29f in main /git/10.4/sql/main.cc:25
          #9 0x7f828ae4d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
      

      Reading the report: the 40-byte region is a string the parser allocated through strmake_root (via THD::to_ident_sys_alloc) and that free_root, called from dispatch_command (sql_parse.cc:2441), released — apparently at the end of an earlier statement on the same thread — before Item_field::rename_fields_processor in mysql_prepare_alter_table read it again. Reproduced with RQG:

      perl ./runall-new.pl --no-mask --seed=1543230130 --duration=400 --queries=100M --reporters=Backtrace,ErrorLog,Deadlock --validators=TransformerNoComparator --transformers=ConvertSubqueriesToViews,ConvertTablesToDerived,Count,DisableIndexes,DisableOptimizations,Distinct,EnableOptimizations,ExecuteAsCTE,ExecuteAsDeleteReturning,ExecuteAsDerived,ExecuteAsExcept,ExecuteAsExecuteImmediate,ExecuteAsInsertSelect,ExecuteAsIntersect,ExecuteAsSelectItem,ExecuteAsUnion,ExecuteAsUpdateDelete,ExecuteAsView,ExecuteAsWhereSubquery,Having,InlineSubqueries,InlineVirtualColumns,LimitRowsExamined,OrderBy,StraightJoin,ExecuteAsPreparedTwice,ExecuteAsTrigger,ExecuteAsSPTwice,ExecuteAsFunctionTwice --mysqld=--log_output=FILE --querytimeout=30 --vcols --threads=1 --grammar=conf/mariadb/instant_add.yy --gendata=conf/optimizer/blobs.zz --engine=MyIsam --mtr-build-thread=304 --basedir1=/git/10.4 --vardir1=/1
      

      Attachments

        1. dt.7z
          2.90 MB
          Alice Sherepa
