Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 10.2(EOL), 10.3(EOL), 10.4(EOL)
None
Description
perl ./mtr mroonga/storage.column_generated_stored_add_column

10.2 ASAN 40b4f9c9
==14058==ERROR: AddressSanitizer: unknown-crash on address 0x619000098e23 at pc 0x55b85fd9a261 bp 0x7f022da36330 sp 0x7f022da36328
WRITE of size 7 at 0x619000098e23 thread T5
    #0 0x55b85fd9a260 in my_copy_fix_mb /data/src/10.2/strings/ctype-mb.c:410
    #1 0x55b85e8a3005 in String_copier::well_formed_copy(charset_info_st const*, char*, unsigned int, charset_info_st const*, char const*, unsigned int, unsigned int) /data/src/10.2/sql/sql_string.cc:1062
    #2 0x55b85ec71c4e in Field_varstring::store(char const*, unsigned int, charset_info_st const*) /data/src/10.2/sql/field.cc:7525
    #3 0x55b85ed194ab in Item::save_in_field(Field*, bool) /data/src/10.2/sql/item.cc:6365
    #4 0x55b85e972fdb in TABLE::update_virtual_field(Field*) /data/src/10.2/sql/table.cc:7675
    #5 0x7f0238583883 in ha_mroonga::storage_inplace_alter_table_add_column(TABLE*, Alter_inplace_info*) /data/src/10.2/storage/mroonga/ha_mroonga.cpp:15212
    #6 0x7f0238585f66 in ha_mroonga::storage_inplace_alter_table(TABLE*, Alter_inplace_info*) /data/src/10.2/storage/mroonga/ha_mroonga.cpp:15406
    #7 0x7f0238586777 in ha_mroonga::inplace_alter_table(TABLE*, Alter_inplace_info*) /data/src/10.2/storage/mroonga/ha_mroonga.cpp:15445
    #8 0x55b85e8ea209 in handler::ha_inplace_alter_table(TABLE*, Alter_inplace_info*) /data/src/10.2/sql/handler.h:3795
    #9 0x55b85e8d434b in mysql_inplace_alter_table /data/src/10.2/sql/sql_table.cc:7362
    #10 0x55b85e8e1534 in mysql_alter_table(THD*, char*, char*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.2/sql/sql_table.cc:9452
    #11 0x55b85ea0db10 in Sql_cmd_alter_table::execute(THD*) /data/src/10.2/sql/sql_alter.cc:329
    #12 0x55b85e6d5a35 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:6231
    #13 0x55b85e6e056b in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:8018
    #14 0x55b85e6baf58 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1829
    #15 0x55b85e6b7f77 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1379
    #16 0x55b85e9ff687 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
    #17 0x55b85e9ff09c in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1242
    #18 0x55b85f41cc95 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
    #19 0x7f024261d493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
    #20 0x7f0240a0393e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)

0x619000098e23 is located 163 bytes inside of 1100-byte region [0x619000098d80,0x6190000991cc)
allocated by thread T5 here:
    #0 0x7f024288773f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x55b85fd3ddcd in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
    #2 0x55b85fd0cf53 in my_malloc /data/src/10.2/mysys/my_malloc.c:101
    #3 0x55b85fcede00 in alloc_root /data/src/10.2/mysys/my_alloc.c:242
    #4 0x55b85fcef65b in strmake_root /data/src/10.2/mysys/my_alloc.c:449
    #5 0x55b85e951fbb in open_table_from_share(THD*, TABLE_SHARE*, char const*, unsigned int, unsigned int, unsigned int, TABLE*, bool) /data/src/10.2/sql/table.cc:3048
    #6 0x55b85e5afc16 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.2/sql/sql_base.cc:1923
    #7 0x55b85e5b65cf in open_and_process_table /data/src/10.2/sql/sql_base.cc:3488
    #8 0x55b85e5b8dc0 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:4011
    #9 0x55b85e5bcacc in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:4767
    #10 0x55b85e59ded4 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.2/sql/sql_base.h:506
    #11 0x55b85e664d1e in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.2/sql/sql_insert.cc:758
    #12 0x55b85e6c912a in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4441
    #13 0x55b85e6e056b in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:8018
    #14 0x55b85e6baf58 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1829
    #15 0x55b85e6b7f77 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1379
    #16 0x55b85e9ff687 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
    #17 0x55b85e9ff09c in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1242
    #18 0x55b85f41cc95 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
    #19 0x7f024261d493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)

Thread T5 created by T0 here:
    #0 0x7f0242856bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
    #1 0x55b85f41d25d in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1912
    #2 0x55b85e4b469e in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1239
    #3 0x55b85e4c963b in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6466
    #4 0x55b85e4c9d40 in create_new_thread /data/src/10.2/sql/mysqld.cc:6536
    #5 0x55b85e4cad57 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6811
    #6 0x55b85e4c8b90 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6085
    #7 0x55b85e4b2a3f in main /data/src/10.2/sql/main.cc:25
    #8 0x7f024093b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: unknown-crash /data/src/10.2/strings/ctype-mb.c:410 my_copy_fix_mb
Shadow bytes around the buggy address:
  0x0c328000b170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c328000b180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c328000b190: 00 00 00 00 00 00 f7 f7 f7 04 fa fa fa fa fa fa
  0x0c328000b1a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c328000b1b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c328000b1c0: 00 05 00 00[01]00 00 01 00 00 00 00 00 00 00 00
  0x0c328000b1d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c328000b1e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c328000b1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c328000b200: 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 f7
  0x0c328000b210: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==14058==ABORTING
Issue Links
causes: MDEV-18840 re-enable ALTER inplace adding of stored generated columns in Mroonga (Open)
This is what's happening. Mroonga implements logic to add GENERATED STORED columns in place. This is how it's done:

  // shift every field of altered_table so that it points into table->record[0]
  my_ptrdiff_t diff =
    PTR_BYTE_DIFF(table->record[0], altered_table->record[0]);
  mrn::TableFieldsOffsetMover mover(altered_table, diff);
  ...
  ...
  // evaluate the generated column's expression against the (old) row now under the pointers
  MRN_GENERATED_COLUMNS_UPDATE_VIRTUAL_FIELD(altered_table, altered_field);
  ...
  // write the computed value into the new column
  error = generic_store_bulk(altered_field, &new_value);

That is, it moves all fields of the altered table to point into record[0] of the old table, then it reads the old table row by row, computes the values of the generated field in the altered table and writes them down.

This only works if all fields of the altered table have the same offsets and the same lengths as in the old table; otherwise they won't find their values. And only if the record length in the altered table is not longer than in the old table. But in practice this is not guaranteed at all.

In this bug report a VARCHAR(255) utf8mb4 column is added, so altered_table->s->rec_buff_length is 1020 bytes longer than table->s->rec_buff_length, and memmove writes way beyond the memory allocated for table->record[0].

I've disabled this optimization for now.
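The following is an added example, not Mroonga or MariaDB code, that models the pointer-relocation trick described in the comment above and the layout precondition it relies on. A "table" is reduced to a record buffer length plus a list of (offset, length) fields; the in-place path shifts the altered table's field pointers onto the old record buffer, so a store into the new generated column lands at the new column's offset inside the old buffer. The check `inplace_layout_compatible` refuses the in-place path when any field would be read from a different offset or written past the end of the old record, and `overrun_bytes` reports by how much a given store would overrun. All struct and function names, and the sample layouts (shaped after the report: a small old row plus an appended VARCHAR(255) utf8mb4 of 2 + 1020 bytes), are this example's own assumptions.

```c
/*
 * Added example (not Mroonga/MariaDB code): a minimal model of
 * relocating altered_table's field pointers onto table->record[0],
 * and the layout check that makes that relocation safe.
 * All type and function names here are the example's own.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct field {
    const char *name;
    size_t offset;   /* byte offset of the field inside record[0] */
    size_t length;   /* packed length of the field in the record */
};

struct table {
    size_t reclength;            /* bytes allocated for record[0] */
    size_t nfields;
    const struct field *fields;
};

/* Look up a field by name; NULL if the table does not have it. */
static const struct field *find_field(const struct table *t, const char *name)
{
    for (size_t i = 0; i < t->nfields; i++)
        if (strcmp(t->fields[i].name, name) == 0)
            return &t->fields[i];
    return NULL;
}

/*
 * Precondition for pointing altered's fields into old->record[0]:
 *   1. the altered record is not longer than the old one,
 *   2. every altered field (including the added one, which is written
 *      through the relocated pointer) ends inside the old record, and
 *   3. every pre-existing field keeps its offset and length, so the
 *      generated expression reads the right bytes of the old row.
 * Returns true when the in-place path is safe, false when the caller
 * must fall back to a copying ALTER.
 */
bool inplace_layout_compatible(const struct table *old, const struct table *altered)
{
    if (altered->reclength > old->reclength)
        return false;                       /* memmove would overrun record[0] */
    for (size_t i = 0; i < altered->nfields; i++) {
        const struct field *nf = &altered->fields[i];
        if (nf->offset + nf->length > old->reclength)
            return false;                   /* store lands past record[0] */
        const struct field *of = find_field(old, nf->name);
        if (of && (of->offset != nf->offset || of->length != nf->length))
            return false;                   /* relocated pointer reads garbage */
    }
    return true;
}

/*
 * Bytes a store into `name` through the relocated pointer would write
 * past the end of old->record[0]; 0 means the store fits.
 */
size_t overrun_bytes(const struct table *old, const struct table *altered, const char *name)
{
    const struct field *f = find_field(altered, name);
    if (!f)
        return 0;
    size_t end = f->offset + f->length;
    return end > old->reclength ? end - old->reclength : 0;
}

/* Constructed sample layouts: one null-bitmap byte, an INT, a VARCHAR(10);
 * the altered row appends a stored generated VARCHAR(255) utf8mb4
 * (2-byte length prefix + 255*4 data bytes = 1022 bytes). */
static const struct field old_fields[] = {
    { "id", 1,  4 },
    { "v",  5, 12 },
};
static const struct field altered_fields[] = {
    { "id",  1,    4 },
    { "v",   5,   12 },
    { "g",  17, 1022 },   /* the added generated column */
};
const struct table old_table     = { 17,   2, old_fields };
const struct table altered_table = { 1039, 3, altered_fields };

int main(void)
{
    printf("in-place safe: %s\n",
           inplace_layout_compatible(&old_table, &altered_table) ? "yes" : "no");
    printf("overrun when storing g: %zu bytes\n",
           overrun_bytes(&old_table, &altered_table, "g"));
    return 0;
}
```

Run as written, the check rejects the in-place path for the sample layouts and reports that storing the new column would write 1022 bytes past the old record buffer; a layout with no added or moved fields (for instance the old table against itself) passes.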