[MDEV-19445] ASAN heap-use-after-free in ut_fold_string / dict_table_check_if_in_cache_low - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.0(EOL), 10.1(EOL), 10.2(EOL), 10.3(EOL), 10.4(EOL)
Fix Version/s: 10.2.25, 10.1.41, 10.3.16, 10.4.5
Component/s: Full-text Search, Storage Engine - InnoDB, Storage Engine - XtraDB
Labels:
None

Description

10.3 ASAN 0c405b06
==29345==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0008d08f0 at pc 0x55fa2ed01f6d bp 0x7ff8f8f15140 sp 0x7ff8f8f15138
READ of size 1 at 0x60c0008d08f0 thread T33
#0 0x55fa2ed01f6c in ut_fold_string /data/src/10.3/storage/innobase/include/ut0rnd.ic:144
#1 0x55fa2ed0b1be in dict_table_check_if_in_cache_low /data/src/10.3/storage/innobase/include/dict0priv.ic:120
#2 0x55fa2ed10d95 in dict_table_open_on_name(char const*, unsigned long, unsigned long, dict_err_ignore_t) /data/src/10.3/storage/innobase/dict/dict0dict.cc:1159
#3 0x55fa2e840f91 in i_s_fts_config_fill /data/src/10.3/storage/innobase/handler/i_s.cc:3905
#4 0x55fa2dd493f2 in get_schema_tables_result(JOIN*, enum_schema_table_state) /data/src/10.3/sql/sql_show.cc:8848
#5 0x55fa2dc3e304 in JOIN::exec_inner() /data/src/10.3/sql/sql_select.cc:4004
#6 0x55fa2dc3c67d in JOIN::exec() /data/src/10.3/sql/sql_select.cc:3835
#7 0x55fa2dc3faec in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/src/10.3/sql/sql_select.cc:4240
#8 0x55fa2dc1a97f in handle_select(THD, LEX, select_result*, unsigned long) /data/src/10.3/sql/sql_select.cc:373
#9 0x55fa2db9fd56 in execute_sqlcom_select /data/src/10.3/sql/sql_parse.cc:6548
#10 0x55fa2db8e8bd in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3821
#11 0x55fa2dba8915 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8091
#12 0x55fa2db830e6 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1858
#13 0x55fa2db8009f in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1403
#14 0x55fa2dee3732 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
#15 0x55fa2dee310e in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
#16 0x7ff92c85f4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
#17 0x7ff92ada7d0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)

ASAN:DEADLYSIGNAL

RQG grammar mdev19445.yy
query:
CREATE TABLE t1 (c1 INT, c2 TINYTEXT, PRIMARY KEY (c1), FULLTEXT KEY (c2)) ENGINE=InnoDB \|
SET GLOBAL innodb_ft_aux_table='test/t1' \|
SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_CONFIG;

Command line
perl ./runall-new.pl --duration=300 --threads=2 --grammar=./mdev19445.yy --skip-gendata --vardir=/dev/shm/vardir --basedir=<your ASAN basedir>

Remember to set the basedir on the command line above.

Any reasonably fresh fork/branch of RQG should be fine for it, but if it's not, try

git clone https://github.com/MariaDB/randgen --branch mdev19445 rqg-mdev19445

cd rqg-mdev19445

. ./cmd --basedir=/data/bld/10.3-asan

(with your basedir, naturally)

The grammar is already in the branch, and cmd contains the same command line as above.

Attachments

Issue Links

relates to

MDEV-22393 Corruption for some SET GLOBAL innodb_… string variables

Closed

Activity

People

Assignee:: Marko Mäkelä

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2019-05-12 19:00

Updated:: 2021-07-29 13:41

Resolved:: 2019-05-13 17:10

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.