MariaDB Server: MDEV-18452

ASAN unknown-crash in Field::set_default upon SET bit_column = DEFAULT

Details

    Description

      CREATE TABLE t1 (b BIT(20)) ENGINE=MyISAM;
      INSERT INTO t1 VALUES (0);
      UPDATE t1 SET b = DEFAULT;
       
      # Cleanup
      DROP TABLE t1;
      

      10.1 6e2af7d0 ASAN

      ==19734==ERROR: AddressSanitizer: unknown-crash on address 0x619000082129 at pc 0x560d51ff7b71 bp 0x7f3249ae0fd0 sp 0x7f3249ae0fc8
      READ of size 3 at 0x619000082129 thread T6
          #0 0x560d51ff7b70 in Field::set_default() /data/src/10.1/sql/field.h:857
          #1 0x560d51ff7b70 in Field_bit::set_default() /data/src/10.1/sql/field.cc:9687
          #2 0x560d52092a8d in Item_default_value::save_in_field(Field*, bool) /data/src/10.1/sql/item.cc:8206
          #3 0x560d51a5f7f4 in fill_record(THD*, TABLE*, List<Item>&, List<Item>&, bool) /data/src/10.1/sql/sql_base.cc:8901
          #4 0x560d51a5fefe in fill_record_n_invoke_before_triggers(THD*, TABLE*, List<Item>&, List<Item>&, bool, trg_event_type) /data/src/10.1/sql/sql_base.cc:9010
          #5 0x560d51d42157 in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, enum_duplicates, bool, unsigned long long*, unsigned long long*) /data/src/10.1/sql/sql_update.cc:770
          #6 0x560d51b40f72 in mysql_execute_command(THD*) /data/src/10.1/sql/sql_parse.cc:3790
          #7 0x560d51b508f0 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.1/sql/sql_parse.cc:7468
          #8 0x560d51b576d4 in dispatch_command(enum_server_command, THD*, char*, unsigned int) /data/src/10.1/sql/sql_parse.cc:1496
          #9 0x560d51b5de60 in do_command(THD*) /data/src/10.1/sql/sql_parse.cc:1124
          #10 0x560d51e0656f in do_handle_one_connection(THD*) /data/src/10.1/sql/sql_connect.cc:1330
          #11 0x560d51e06a80 in handle_one_connection /data/src/10.1/sql/sql_connect.cc:1242
          #12 0x560d526d570a in pfs_spawn_thread /data/src/10.1/storage/perfschema/pfs.cc:1861
          #13 0x7f3256238493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
          #14 0x7f32545f193e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
       
      0x619000082129 is located 169 bytes inside of 1100-byte region [0x619000082080,0x6190000824cc)
      allocated by thread T6 here:
          #0 0x7f32564a273f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
          #1 0x560d52ea1505 in sf_malloc /data/src/10.1/mysys/safemalloc.c:115
          #2 0x560d52f99f5a (/data/bld/10.1-asan/bin/mysqld+0x1d9df5a)
       
      Thread T6 created by T0 here:
          #0 0x7f3256471bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x560d526e0f61 in spawn_thread_v1 /data/src/10.1/storage/perfschema/pfs.cc:1911
       
      SUMMARY: AddressSanitizer: unknown-crash /data/src/10.1/sql/field.h:857 Field::set_default()
      Shadow bytes around the buggy address:
        0x0c32800083d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c32800083e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c32800083f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c3280008400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c3280008410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0c3280008420: 00 00 00 01 02[03]01 00 00 00 00 00 00 04 00 00
        0x0c3280008430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c3280008440: 00 00 00 00 00 00 00 00 00 04 f7 f7 f7 f7 f7 f7
        0x0c3280008450: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c3280008460: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c3280008470: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Contiguous container OOB:fc
        ASan internal:           fe
      ==19734==ABORTING
      

      10.4 923415ff

      ==19880==ERROR: AddressSanitizer: unknown-crash on address 0x6190000aba29 at pc 0x557236d64b3b bp 0x7f55e883a1e0 sp 0x7f55e883a1d8
      READ of size 3 at 0x6190000aba29 thread T5
          #0 0x557236d64b3a in Field::set_default() /data/src/10.4/sql/field.cc:2415
          #1 0x557236dc7e8c in Field_bit::set_default() /data/src/10.4/sql/field.cc:10058
          #2 0x557236dd03e2 in Field::save_in_field_default_value(bool) /data/src/10.4/sql/field.cc:11058
          #3 0x557236e8d752 in Item_default_value::save_in_field(Field*, bool) /data/src/10.4/sql/item.cc:9266
          #4 0x557236552bff in fill_record(THD*, TABLE*, List<Item>&, List<Item>&, bool, bool) /data/src/10.4/sql/sql_base.cc:8402
          #5 0x557236553db0 in fill_record_n_invoke_before_triggers(THD*, TABLE*, List<Item>&, List<Item>&, bool, trg_event_type) /data/src/10.4/sql/sql_base.cc:8571
          #6 0x55723690c391 in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, enum_duplicates, bool, unsigned long long*, unsigned long long*) /data/src/10.4/sql/sql_update.cc:883
          #7 0x55723669e7c5 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4607
          #8 0x5572366b627e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8117
          #9 0x55723668e642 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1803
          #10 0x55723668b6e5 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1356
          #11 0x557236a07662 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1398
          #12 0x557236a0705b in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1301
          #13 0x5572375b53d0 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
          #14 0x7f55f3bb7493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
          #15 0x7f55f1f9d93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
       
      0x6190000aba29 is located 169 bytes inside of 1100-byte region [0x6190000ab980,0x6190000abdcc)
      allocated by thread T5 here:
          #0 0x7f55f3e2173f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
          #1 0x557237f5fa6e in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
          #2 0x557237f303eb in my_malloc /data/src/10.4/mysys/my_malloc.c:101
          #3 0x557237f0fef7 in alloc_root /data/src/10.4/mysys/my_alloc.c:250
          #4 0x557237f11a69 in memdup_root /data/src/10.4/mysys/my_alloc.c:491
          #5 0x557236939ae4 in TABLE_SHARE::init_from_binary_frm_image(THD*, bool, unsigned char const*, unsigned long) /data/src/10.4/sql/table.cc:1356
          #6 0x5572369349b9 in open_table_def(THD*, TABLE_SHARE*, unsigned int) /data/src/10.4/sql/table.cc:681
          #7 0x557236c0321f in tdc_acquire_share(THD*, TABLE_LIST*, unsigned int, TABLE**) /data/src/10.4/sql/table_cache.cc:840
          #8 0x55723652fcbc in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.4/sql/sql_base.cc:1893
          #9 0x557236538387 in open_and_process_table /data/src/10.4/sql/sql_base.cc:3728
          #10 0x55723653b18f in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.4/sql/sql_base.cc:4261
          #11 0x55723653fad3 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.4/sql/sql_base.cc:5143
          #12 0x5572364ac7ca in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.4/sql/sql_base.h:509
          #13 0x5572365f56c9 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.4/sql/sql_insert.cc:764
          #14 0x55723669f47f in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4751
          #15 0x5572366b627e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8117
          #16 0x55723668e642 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1803
          #17 0x55723668b6e5 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1356
          #18 0x557236a07662 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1398
          #19 0x557236a0705b in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1301
          #20 0x5572375b53d0 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
          #21 0x7f55f3bb7493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
       
      Thread T5 created by T0 here:
          #0 0x7f55f3df0bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x5572375b5998 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
          #2 0x5572363e4c66 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
          #3 0x5572363fa4a1 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6195
          #4 0x5572363faba6 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6265
          #5 0x5572363faf36 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6363
          #6 0x5572363fbb82 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6521
          #7 0x5572363f9cdc in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5853
          #8 0x5572363e2aef in main /data/src/10.4/sql/main.cc:25
          #9 0x7f55f1ed52b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
       
      SUMMARY: AddressSanitizer: unknown-crash /data/src/10.4/sql/field.cc:2415 Field::set_default()
      Shadow bytes around the buggy address:
        0x0c328000d6f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c328000d700: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c328000d710: f7 f7 f7 f7 f7 f7 f7 f7 f7 04 fa fa fa fa fa fa
        0x0c328000d720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c328000d730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0c328000d740: 00 00 00 01 02[03]01 00 00 00 00 00 00 00 00 00
        0x0c328000d750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c328000d760: 00 00 00 00 00 00 00 00 00 00 00 00 04 f7 f7 f7
        0x0c328000d770: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c328000d780: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c328000d790: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      ==19880==ABORTING
      

      Reproducible with at least MyISAM and Aria. Couldn't reproduce with InnoDB.
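To make the shadow dump in the 10.1 report readable, the following C snippet (an added example, not MariaDB code) re-implements AddressSanitizer's per-byte addressability check for x86-64 Linux (shadow address = (addr >> 3) + 0x7fff8000) and applies it to the reported access, READ of size 3 at 0x619000082129, whose shadow byte is the bracketed [03] in the row for 0x0c3280008420. The row contents and addresses are copied from the report; the shadow mapping constants are the standard ASAN ones for 64-bit Linux, assumed here rather than taken from the page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SHADOW_SCALE  3              /* one shadow byte per 8 app bytes */
#define SHADOW_OFFSET 0x7fff8000ULL  /* x86-64 Linux ASAN shadow base */
/* The "=>" shadow row copied from the 10.1 report above. */
static const uint64_t kRowShadowAddr = 0x0c3280008420ULL;
static const uint8_t  kRow[16] = {
    0x00, 0x00, 0x00, 0x01, 0x02, 0x03, 0x01, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00 };

/* Application address -> shadow address (ASAN's MemToShadow). */
uint64_t mem_to_shadow(uint64_t app_addr) {
    return (app_addr >> SHADOW_SCALE) + SHADOW_OFFSET;
}

/* Shadow byte for app_addr, or -1 if it falls outside the quoted row. */
int shadow_byte(uint64_t app_addr) {
    uint64_t s = mem_to_shadow(app_addr);
    if (s < kRowShadowAddr || s >= kRowShadowAddr + sizeof kRow) return -1;
    return kRow[s - kRowShadowAddr];
}

/* ASAN's rule for one byte: shadow 0 -> whole 8-byte granule usable;
 * 1..7 -> only the first k bytes usable; 0x80 and above (fa, f7, ...)
 * -> nothing usable. Returns 1 (ok), 0 (poisoned), -1 (unknown). */
int byte_addressable(uint64_t app_addr) {
    int k = shadow_byte(app_addr);
    if (k < 0) return -1;
    if (k == 0) return 1;
    if (k < 8) return (int)(app_addr & 7) < k;
    return 0;
}

/* Offset of the first bad byte in [addr, addr+size), or -1 if the whole
 * access is legal; this is the check the READ of size 3 failed. */
int first_bad_byte(uint64_t addr, size_t size) {
    for (size_t i = 0; i < size; i++)
        if (byte_addressable(addr + i) != 1) return (int)i;
    return -1;
}

int main(void) {
    uint64_t addr = 0x619000082129ULL;            /* from the report */
    printf("shadow 0x%02x, first bad byte at offset %d\n",
           shadow_byte(addr), first_bad_byte(addr, 3));
    return 0;
}
```

The access fails at its third byte: shadow 03 means only bytes 0..2 of that 8-byte granule are addressable, while the read covers granule offsets 1..3. ASAN names the bug after the shadow byte that follows a partial granule, and here that neighbour is another partial byte (01) rather than a redzone marker such as fa or f7, which is why the report says "unknown-crash" instead of a named bug class.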

            People

              bar Alexander Barkov
              elenst Elena Stepanova