  1. MariaDB Server
  2. MDEV-18891

ASAN heap-use-after-free in innobase_get_computed_value on concurrent DELETE from table with long index


Details

    Description

      Note: Before MDEV-371 the ALTER wasn't possible.

      # Reproducer (mysql-test script) for the ASAN heap-use-after-free reported in
      # innobase_get_computed_value. In the ASAN report that follows, the
      # allocation and the free both sit under mysql_alter_table (a temporary
      # table share), and the faulting read sits under mysql_delete; all three
      # are attributed to thread T28, i.e. the connection that ran the ALTER.
      # NOTE(review): presumably the DELETE keeps a pointer into the share the
      # ALTER already dropped — confirm against the fix.
      --source include/have_innodb.inc
       
      # One row in a table with a BLOB column; the UNIQUE index added on `b`
      # below is the "long index" named in the issue title.
      CREATE TABLE t1 (b BLOB, i INT) ENGINE=InnoDB;
      REPLACE INTO t1 VALUES (NULL,0);
       
      # --connect makes con1 the current connection, so the ALTER and the
      # DELETE after it are both issued on con1.
      --connect (con1,localhost,root,,test)
      ALTER TABLE t1 ADD UNIQUE (b);
      # --send dispatches the next statement without waiting for its result,
      # so this DELETE is still in flight when the default connection runs its own.
      --send
      DELETE FROM t1;
       
      # Second DELETE on the same table, issued from the default connection
      # while the one sent on con1 may still be running.
      --connection default
      DELETE FROM t1;
       
      # Cleanup
      # NOTE(review): the DELETE sent on con1 is never collected with --reap
      # before the disconnect; presumably acceptable for a crash reproducer, but
      # a regression test derived from this should reap it first.
      --disconnect con1
      --connection default
      DROP TABLE t1;
      

      Observed on 10.4 a796f1f, ASAN build:

      ==6095==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000107939 at pc 0x5627280c4eab bp 0x7fb2a9dd6840 sp 0x7fb2a9dd6838
      READ of size 10 at 0x619000107939 thread T28
          #0 0x5627280c4eaa in innobase_get_computed_value(dtuple_t const*, dict_v_col_t const*, dict_index_t const*, mem_block_info_t**, mem_block_info_t*, dict_field_t const*, THD*, TABLE*, unsigned char*, dict_table_t const*, upd_t*, dict_foreign_t*) /data/src/10.4/storage/innobase/handler/ha_innodb.cc:20786
          #1 0x5627283d7227 in row_upd_store_v_row /data/src/10.4/storage/innobase/row/row0upd.cc:2182
          #2 0x5627283d7879 in row_upd_store_row(upd_node_t*, THD*, TABLE*) /data/src/10.4/storage/innobase/row/row0upd.cc:2246
          #3 0x5627283dbd6f in row_upd_del_mark_clust_rec /data/src/10.4/storage/innobase/row/row0upd.cc:2981
          #4 0x5627283dcd8d in row_upd_clust_step /data/src/10.4/storage/innobase/row/row0upd.cc:3171
          #5 0x5627283dd907 in row_upd /data/src/10.4/storage/innobase/row/row0upd.cc:3293
          #6 0x5627283de622 in row_upd_step(que_thr_t*) /data/src/10.4/storage/innobase/row/row0upd.cc:3437
          #7 0x562728344f15 in row_update_for_mysql(row_prebuilt_t*) /data/src/10.4/storage/innobase/row/row0mysql.cc:1890
          #8 0x562728095baf in ha_innobase::delete_row(unsigned char const*) /data/src/10.4/storage/innobase/handler/ha_innodb.cc:9025
          #9 0x5627278c1839 in handler::ha_delete_row(unsigned char const*) /data/src/10.4/sql/handler.cc:6810
          #10 0x562727cbb601 in TABLE::delete_row() /data/src/10.4/sql/sql_delete.cc:297
          #11 0x562727cb3e7c in mysql_delete(THD*, TABLE_LIST*, Item*, SQL_I_List<st_order>*, unsigned long long, unsigned long long, select_result*) /data/src/10.4/sql/sql_delete.cc:843
          #12 0x562727100f3a in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:5032
          #13 0x562727115f8a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8204
          #14 0x5627270edf07 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
          #15 0x5627270ead58 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
          #16 0x56272747e921 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
          #17 0x56272747e31a in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
          #18 0x562728045888 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
          #19 0x7fb2c631a493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
          #20 0x7fb2c470093e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
       
      0x619000107939 is located 441 bytes inside of 1100-byte region [0x619000107780,0x619000107bcc)
      freed by thread T28 here:
          #0 0x7fb2c6584527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
          #1 0x5627289f6a69 in free_memory /data/src/10.4/mysys/safemalloc.c:279
          #2 0x5627289f606f in sf_free /data/src/10.4/mysys/safemalloc.c:197
          #3 0x5627289c6ab8 in my_free /data/src/10.4/mysys/my_malloc.c:222
          #4 0x5627289a6a0a in free_root /data/src/10.4/mysys/my_alloc.c:428
          #5 0x5627273a4499 in TABLE_SHARE::destroy() /data/src/10.4/sql/table.cc:498
          #6 0x5627273a46a5 in free_table_share(TABLE_SHARE*) /data/src/10.4/sql/table.cc:514
          #7 0x56272769dc7e in THD::free_tmp_table_share(TMP_TABLE_SHARE*, bool) /data/src/10.4/sql/temporary_tables.cc:1447
          #8 0x5627276992da in THD::drop_temporary_table(TABLE*, bool*, bool) /data/src/10.4/sql/temporary_tables.cc:646
          #9 0x56272733950a in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.4/sql/sql_table.cc:10135
          #10 0x5627274942ee in Sql_cmd_alter_table::execute(THD*) /data/src/10.4/sql/sql_alter.cc:499
          #11 0x56272710b5d9 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6393
          #12 0x562727115f8a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8204
          #13 0x5627270edf07 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
          #14 0x5627270ead58 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
          #15 0x56272747e921 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
          #16 0x56272747e31a in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
          #17 0x562728045888 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
          #18 0x7fb2c631a493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
       
      previously allocated by thread T28 here:
          #0 0x7fb2c658473f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
          #1 0x5627289f57df in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
          #2 0x5627289c60da in my_malloc /data/src/10.4/mysys/my_malloc.c:101
          #3 0x5627289a57d2 in alloc_root /data/src/10.4/mysys/my_alloc.c:250
          #4 0x5627289a7344 in memdup_root /data/src/10.4/mysys/my_alloc.c:491
          #5 0x5627273ac2cb in TABLE_SHARE::init_from_binary_frm_image(THD*, bool, unsigned char const*, unsigned long) /data/src/10.4/sql/table.cc:1611
          #6 0x56272769ae5f in THD::create_temporary_table(handlerton*, st_mysql_const_unsigned_lex_string*, char const*, char const*, char const*) /data/src/10.4/sql/temporary_tables.cc:965
          #7 0x5627276964bc in THD::create_and_open_tmp_table(handlerton*, st_mysql_const_unsigned_lex_string*, char const*, char const*, char const*, bool, bool) /data/src/10.4/sql/temporary_tables.cc:76
          #8 0x562727338464 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.4/sql/sql_table.cc:9990
          #9 0x5627274942ee in Sql_cmd_alter_table::execute(THD*) /data/src/10.4/sql/sql_alter.cc:499
          #10 0x56272710b5d9 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6393
          #11 0x562727115f8a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8204
          #12 0x5627270edf07 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
          #13 0x5627270ead58 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
          #14 0x56272747e921 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
          #15 0x56272747e31a in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
          #16 0x562728045888 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
          #17 0x7fb2c631a493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
       
      Thread T28 created by T0 here:
          #0 0x7fb2c6553bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x562728045e50 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
          #2 0x562726e36476 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
          #3 0x562726e4b6ed in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6141
          #4 0x562726e4bdf2 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6211
          #5 0x562726e4c182 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6309
          #6 0x562726e4cdce in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6467
          #7 0x562726e4af28 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5799
          #8 0x562726e342ff in main /data/src/10.4/sql/main.cc:25
          #9 0x7fb2c46382b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
       
      SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/storage/innobase/handler/ha_innodb.cc:20786 innobase_get_computed_value(dtuple_t const*, dict_v_col_t const*, dict_index_t const*, mem_block_info_t**, mem_block_info_t*, dict_field_t const*, THD*, TABLE*, unsigned char*, dict_table_t const*, upd_t*, dict_foreign_t*)
      Shadow bytes around the buggy address:
        0x0c3280018ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c3280018ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c3280018ef0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c3280018f00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c3280018f10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      =>0x0c3280018f20: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
        0x0c3280018f30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c3280018f40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c3280018f50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c3280018f60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c3280018f70: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Contiguous container OOB:fc
        ASan internal:           fe
      ==6095==ABORTING
      


            People

              serg Sergei Golubchik
              elenst Elena Stepanova