[MDEV-18546] ASAN heap-use-after-free in innobase_get_computed_value / row_purge - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.3(EOL), 10.4(EOL)
Fix Version/s: 10.2.28, 10.3.19, 10.4.9
Component/s: Storage Engine - InnoDB, Virtual Columns
Labels:
- affects-tests

Description

10.4 3c305d3f1951f1667f84e48
#0 0x7f96f940c934 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c934)
#1 0x55ed26e2b9dc in innobase_get_computed_value(dtuple_t const, dict_v_col_t const, dict_index_t const, mem_block_info_t, mem_block_info_t, dict_field_t const, THD, TABLE, unsigned char, dict_table_t const, upd_t, dict_foreign_t*) /10.4/storage/innobase/handler/ha_innodb.cc:20699
#2 0x55ed27149034 in row_vers_build_clust_v_col /10.4/storage/innobase/row/row0vers.cc:484
#3 0x55ed2714af9a in row_vers_old_has_index_entry(bool, unsigned char const, mtr_t, dict_index_t, dtuple_t const, unsigned long, unsigned long, purge_vcol_info_t*) /10.4/storage/innobase/row/row0vers.cc:958
#4 0x55ed270dfc66 in row_purge_poss_sec(purge_node_t, dict_index_t, dtuple_t const, btr_pcur_t, mtr_t*, bool) /10.4/storage/innobase/row/row0purge.cc:345
#5 0x55ed270e0de6 in row_purge_remove_sec_if_poss_leaf /10.4/storage/innobase/row/row0purge.cc:607
#6 0x55ed270e1406 in row_purge_remove_sec_if_poss /10.4/storage/innobase/row/row0purge.cc:720
#7 0x55ed270e1872 in row_purge_del_mark /10.4/storage/innobase/row/row0purge.cc:794
#8 0x55ed270e44fd in row_purge_record_func /10.4/storage/innobase/row/row0purge.cc:1194
#9 0x55ed270e4c1b in row_purge /10.4/storage/innobase/row/row0purge.cc:1261
#10 0x55ed270e53e2 in row_purge_step(que_thr_t*) /10.4/storage/innobase/row/row0purge.cc:1347
#11 0x55ed26ff925c in que_thr_step /10.4/storage/innobase/que/que0que.cc:1042
#12 0x55ed26ff965b in que_run_threads_low /10.4/storage/innobase/que/que0que.cc:1104
#13 0x55ed26ff99a2 in que_run_threads(que_thr_t*) /10.4/storage/innobase/que/que0que.cc:1144
#14 0x55ed27159743 in srv_task_execute /10.4/storage/innobase/srv/srv0srv.cc:2437
#15 0x55ed2715997d in srv_worker_thread /10.4/storage/innobase/srv/srv0srv.cc:2485
#16 0x7f96f81a26b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#17 0x7f96f743341c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

Attachments

Issue Links

relates to

MDEV-15855 Assertion `mysql_table' failed in innobase_get_computed_value upon DDL/DML on a table with virtual columns

Closed

MDEV-16222 Assertion `0' failed in row_purge_remove_sec_if_poss_leaf on table with virtual columns and indexes

Closed

MDEV-17005 ASAN heap-use-after-free in innobase_get_computed_value

Closed

Activity

Ascending order - Click to sort in descending order

Alice Sherepa created issue - 2019-02-11 17:02

Alice Sherepa made changes - 2019-02-11 17:02

Field	Original Value	New Value
Link		This issue relates to ~~MDEV-15855~~ [ ~~MDEV-15855~~ ]

Elena Stepanova made changes - 2019-02-25 20:11

Component/s		Storage Engine - InnoDB [ 10129 ]
Component/s		Virtual Columns [ 10803 ]
Fix Version/s		10.3 [ 22126 ]
Affects Version/s		10.3 [ 22126 ]
Description	{noformat:title=10.4 3c305d3f1951f1667f84e48 } #0 0x7f96f940c934 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c934) #1 0x55ed26e2b9dc in innobase_get_computed_value(dtuple_t const, dict_v_col_t const, dict_index_t const, mem_block_info_t, mem_block_info_t, dict_field_t const, THD, TABLE, unsigned char, dict_table_t const, upd_t, dict_foreign_t) /10.4/storage/innobase/handler/ha_innodb.cc:20699 #2 0x55ed27149034 in row_vers_build_clust_v_col /10.4/storage/innobase/row/row0vers.cc:484 #3 0x55ed2714af9a in row_vers_old_has_index_entry(bool, unsigned char const, mtr_t, dict_index_t, dtuple_t const, unsigned long, unsigned long, purge_vcol_info_t) /10.4/storage/innobase/row/row0vers.cc:958 #4 0x55ed270dfc66 in row_purge_poss_sec(purge_node_t, dict_index_t, dtuple_t const, btr_pcur_t, mtr_t, bool) /10.4/storage/innobase/row/row0purge.cc:345 #5 0x55ed270e0de6 in row_purge_remove_sec_if_poss_leaf /10.4/storage/innobase/row/row0purge.cc:607 #6 0x55ed270e1406 in row_purge_remove_sec_if_poss /10.4/storage/innobase/row/row0purge.cc:720 #7 0x55ed270e1872 in row_purge_del_mark /10.4/storage/innobase/row/row0purge.cc:794 #8 0x55ed270e44fd in row_purge_record_func /10.4/storage/innobase/row/row0purge.cc:1194 #9 0x55ed270e4c1b in row_purge /10.4/storage/innobase/row/row0purge.cc:1261 #10 0x55ed270e53e2 in row_purge_step(que_thr_t) /10.4/storage/innobase/row/row0purge.cc:1347 #11 0x55ed26ff925c in que_thr_step /10.4/storage/innobase/que/que0que.cc:1042 #12 0x55ed26ff965b in que_run_threads_low /10.4/storage/innobase/que/que0que.cc:1104 #13 0x55ed26ff99a2 in que_run_threads(que_thr_t*) /10.4/storage/innobase/que/que0que.cc:1144 #14 0x55ed27159743 in srv_task_execute /10.4/storage/innobase/srv/srv0srv.cc:2437 #15 0x55ed2715997d in srv_worker_thread /10.4/storage/innobase/srv/srv0srv.cc:2485 #16 0x7f96f81a26b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9) #17 0x7f96f743341c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c) {noformat} {noformat} perl ./runall-new.pl --no-mask --seed=random --duration=400 --queries=100M --short_column_names --reporter=Backtrace,ErrorLog,Deadlock --validator=TransformerNoComparator --transformer=ConvertSubqueriesToViews,ConvertTablesToDerived,Count,DisableIndexes,DisableOptimizations,Distinct,EnableOptimizations,ExecuteAsCTE,ExecuteAsDeleteReturning,ExecuteAsDerived,ExecuteAsExecuteImmediate,ExecuteAsInsertSelect,ExecuteAsIntersect,ExecuteAsSelectItem,ExecuteAsUnion,ExecuteAsUpdateDelete,ExecuteAsView,ExecuteAsWhereSubquery,Having,InlineSubqueries,InlineVirtualColumns,OrderBy,ExecuteAsPreparedTwice,ExecuteAsTrigger,ExecuteAsSPTwice,ExecuteAsFunctionTwice --querytimeout=20 --redefine=conf/mariadb/alter_table.yy --redefine=conf/mariadb/sp.yy --redefine=conf/mariadb/bulk_insert.yy --views --vcols --notnull --threads=3 --grammar=conf/mariadb/functions-pre-10.3.yy --engine=InnoDB --gendata-advanced --basedir=/10.4 --vardir=/1 {noformat}	{noformat:title=10.4 3c305d3f1951f1667f84e48 } #0 0x7f96f940c934 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c934) #1 0x55ed26e2b9dc in innobase_get_computed_value(dtuple_t const, dict_v_col_t const, dict_index_t const, mem_block_info_t, mem_block_info_t, dict_field_t const, THD, TABLE, unsigned char, dict_table_t const, upd_t, dict_foreign_t) /10.4/storage/innobase/handler/ha_innodb.cc:20699 #2 0x55ed27149034 in row_vers_build_clust_v_col /10.4/storage/innobase/row/row0vers.cc:484 #3 0x55ed2714af9a in row_vers_old_has_index_entry(bool, unsigned char const, mtr_t, dict_index_t, dtuple_t const, unsigned long, unsigned long, purge_vcol_info_t) /10.4/storage/innobase/row/row0vers.cc:958 #4 0x55ed270dfc66 in row_purge_poss_sec(purge_node_t, dict_index_t, dtuple_t const, btr_pcur_t, mtr_t, bool) /10.4/storage/innobase/row/row0purge.cc:345 #5 0x55ed270e0de6 in row_purge_remove_sec_if_poss_leaf /10.4/storage/innobase/row/row0purge.cc:607 #6 0x55ed270e1406 in row_purge_remove_sec_if_poss /10.4/storage/innobase/row/row0purge.cc:720 #7 0x55ed270e1872 in row_purge_del_mark /10.4/storage/innobase/row/row0purge.cc:794 #8 0x55ed270e44fd in row_purge_record_func /10.4/storage/innobase/row/row0purge.cc:1194 #9 0x55ed270e4c1b in row_purge /10.4/storage/innobase/row/row0purge.cc:1261 #10 0x55ed270e53e2 in row_purge_step(que_thr_t) /10.4/storage/innobase/row/row0purge.cc:1347 #11 0x55ed26ff925c in que_thr_step /10.4/storage/innobase/que/que0que.cc:1042 #12 0x55ed26ff965b in que_run_threads_low /10.4/storage/innobase/que/que0que.cc:1104 #13 0x55ed26ff99a2 in que_run_threads(que_thr_t*) /10.4/storage/innobase/que/que0que.cc:1144 #14 0x55ed27159743 in srv_task_execute /10.4/storage/innobase/srv/srv0srv.cc:2437 #15 0x55ed2715997d in srv_worker_thread /10.4/storage/innobase/srv/srv0srv.cc:2485 #16 0x7f96f81a26b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9) #17 0x7f96f743341c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c) {noformat}
Summary	[draft] ASAN heap-use-after-free in innobase_get_computed_value	ASAN heap-use-after-free in innobase_get_computed_value / row_purge

Elena Stepanova made changes - 2019-02-25 20:11

Status

Open [ 1 ]

Confirmed [ 10101 ]

Elena Stepanova made changes - 2019-02-25 20:12

Assignee

Alice Sherepa [ alice ]

Marko Mäkelä [ marko ]

Elena Stepanova made changes - 2019-02-25 20:12

Link

This issue relates to ~~MDEV-17005~~ [ ~~MDEV-17005~~ ]

Elena Stepanova made changes - 2019-02-25 20:12

Link

This issue relates to ~~MDEV-16222~~ [ ~~MDEV-16222~~ ]

Marko Mäkelä made changes - 2019-02-26 22:40

Assignee

Marko Mäkelä [ marko ]

Sergei Golubchik [ serg ]

Elena Stepanova made changes - 2019-03-05 21:00

Labels

affects-tests

Elena Stepanova made changes - 2019-03-21 15:25

Assignee

Sergei Golubchik [ serg ]

Nikita Malyavin [ nikitamalyavin ]

Nikita Malyavin made changes - 2019-07-22 11:23

Status

Confirmed [ 10101 ]

In Progress [ 3 ]

Nikita Malyavin made changes - 2019-08-01 11:40

Status

In Progress [ 3 ]

Stalled [ 10000 ]

Nikita Malyavin made changes - 2019-09-09 17:32

Status

Stalled [ 10000 ]

In Progress [ 3 ]

Nikita Malyavin made changes - 2019-09-27 08:34

Assignee	Nikita Malyavin [ nikitamalyavin ]	Marko Mäkelä [ marko ]
Status	In Progress [ 3 ]	In Review [ 10002 ]

Marko Mäkelä made changes - 2019-10-08 09:32

Assignee	Marko Mäkelä [ marko ]	Nikita Malyavin [ nikitamalyavin ]
Status	In Review [ 10002 ]	Stalled [ 10000 ]

Nikita Malyavin made changes - 2019-10-11 04:31

Status

Stalled [ 10000 ]

In Progress [ 3 ]

Nikita Malyavin made changes - 2019-10-11 07:06

Fix Version/s		10.2.28 [ 23910 ]
Fix Version/s		10.3.19 [ 23908 ]
Fix Version/s		10.4.9 [ 23906 ]
Fix Version/s	10.3 [ 22126 ]
Fix Version/s	10.4 [ 22408 ]
Resolution		Fixed [ 1 ]
Status	In Progress [ 3 ]	Closed [ 6 ]

Sergei Golubchik made changes - 2021-12-06 21:49

Workflow

MariaDB v3 [ 92438 ]

MariaDB v4 [ 155682 ]

People

Assignee:: Nikita Malyavin

Reporter:: Alice Sherepa

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2019-02-11 17:02

Updated:: 2021-04-27 08:51

Resolved:: 2019-10-11 07:06

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration