[MDEV-19445] ASAN heap-use-after-free in ut_fold_string / dict_table_check_if_in_cache_low - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.0(EOL), 10.1(EOL), 10.2(EOL), 10.3(EOL), 10.4(EOL)
Fix Version/s: 10.2.25, 10.1.41, 10.3.16, 10.4.5
Component/s: Full-text Search, Storage Engine - InnoDB, Storage Engine - XtraDB
Labels:
None

Description

10.3 ASAN 0c405b06
==29345==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0008d08f0 at pc 0x55fa2ed01f6d bp 0x7ff8f8f15140 sp 0x7ff8f8f15138
READ of size 1 at 0x60c0008d08f0 thread T33
#0 0x55fa2ed01f6c in ut_fold_string /data/src/10.3/storage/innobase/include/ut0rnd.ic:144
#1 0x55fa2ed0b1be in dict_table_check_if_in_cache_low /data/src/10.3/storage/innobase/include/dict0priv.ic:120
#2 0x55fa2ed10d95 in dict_table_open_on_name(char const*, unsigned long, unsigned long, dict_err_ignore_t) /data/src/10.3/storage/innobase/dict/dict0dict.cc:1159
#3 0x55fa2e840f91 in i_s_fts_config_fill /data/src/10.3/storage/innobase/handler/i_s.cc:3905
#4 0x55fa2dd493f2 in get_schema_tables_result(JOIN*, enum_schema_table_state) /data/src/10.3/sql/sql_show.cc:8848
#5 0x55fa2dc3e304 in JOIN::exec_inner() /data/src/10.3/sql/sql_select.cc:4004
#6 0x55fa2dc3c67d in JOIN::exec() /data/src/10.3/sql/sql_select.cc:3835
#7 0x55fa2dc3faec in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/src/10.3/sql/sql_select.cc:4240
#8 0x55fa2dc1a97f in handle_select(THD, LEX, select_result*, unsigned long) /data/src/10.3/sql/sql_select.cc:373
#9 0x55fa2db9fd56 in execute_sqlcom_select /data/src/10.3/sql/sql_parse.cc:6548
#10 0x55fa2db8e8bd in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3821
#11 0x55fa2dba8915 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8091
#12 0x55fa2db830e6 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1858
#13 0x55fa2db8009f in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1403
#14 0x55fa2dee3732 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
#15 0x55fa2dee310e in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
#16 0x7ff92c85f4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
#17 0x7ff92ada7d0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)

ASAN:DEADLYSIGNAL

RQG grammar mdev19445.yy
query:
CREATE TABLE t1 (c1 INT, c2 TINYTEXT, PRIMARY KEY (c1), FULLTEXT KEY (c2)) ENGINE=InnoDB \|
SET GLOBAL innodb_ft_aux_table='test/t1' \|
SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_CONFIG;

Command line
perl ./runall-new.pl --duration=300 --threads=2 --grammar=./mdev19445.yy --skip-gendata --vardir=/dev/shm/vardir --basedir=<your ASAN basedir>

Remember to set the basedir on the command line above.

Any reasonably fresh fork/branch of RQG should be fine for it, but if it's not, try

git clone https://github.com/MariaDB/randgen --branch mdev19445 rqg-mdev19445

cd rqg-mdev19445

. ./cmd --basedir=/data/bld/10.3-asan

(with your basedir, naturally)

The grammar is already in the branch, and cmd contains the same command line as above.

Attachments

Issue Links

relates to

MDEV-22393 Corruption for some SET GLOBAL innodb_… string variables

Closed

Activity

Ascending order - Click to sort in descending order

Elena Stepanova created issue - 2019-05-12 19:00

Elena Stepanova made changes - 2019-05-12 19:10

Field	Original Value	New Value
Description	{noformat:title=10.3 ASAN 0c405b06} ==29345==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0008d08f0 at pc 0x55fa2ed01f6d bp 0x7ff8f8f15140 sp 0x7ff8f8f15138 READ of size 1 at 0x60c0008d08f0 thread T33 #0 0x55fa2ed01f6c in ut_fold_string /data/src/10.3/storage/innobase/include/ut0rnd.ic:144 #1 0x55fa2ed0b1be in dict_table_check_if_in_cache_low /data/src/10.3/storage/innobase/include/dict0priv.ic:120 #2 0x55fa2ed10d95 in dict_table_open_on_name(char const, unsigned long, unsigned long, dict_err_ignore_t) /data/src/10.3/storage/innobase/dict/dict0dict.cc:1159 #3 0x55fa2e840f91 in i_s_fts_config_fill /data/src/10.3/storage/innobase/handler/i_s.cc:3905 #4 0x55fa2dd493f2 in get_schema_tables_result(JOIN, enum_schema_table_state) /data/src/10.3/sql/sql_show.cc:8848 #5 0x55fa2dc3e304 in JOIN::exec_inner() /data/src/10.3/sql/sql_select.cc:4004 #6 0x55fa2dc3c67d in JOIN::exec() /data/src/10.3/sql/sql_select.cc:3835 #7 0x55fa2dc3faec in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/src/10.3/sql/sql_select.cc:4240 #8 0x55fa2dc1a97f in handle_select(THD, LEX, select_result, unsigned long) /data/src/10.3/sql/sql_select.cc:373 #9 0x55fa2db9fd56 in execute_sqlcom_select /data/src/10.3/sql/sql_parse.cc:6548 #10 0x55fa2db8e8bd in mysql_execute_command(THD) /data/src/10.3/sql/sql_parse.cc:3821 #11 0x55fa2dba8915 in mysql_parse(THD, char, unsigned int, Parser_state, bool, bool) /data/src/10.3/sql/sql_parse.cc:8091 #12 0x55fa2db830e6 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1858 #13 0x55fa2db8009f in do_command(THD) /data/src/10.3/sql/sql_parse.cc:1403 #14 0x55fa2dee3732 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402 #15 0x55fa2dee310e in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308 #16 0x7ff92c85f4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3) #17 0x7ff92ada7d0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e) ASAN:DEADLYSIGNAL {noformat}	{noformat:title=10.3 ASAN 0c405b06} ==29345==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0008d08f0 at pc 0x55fa2ed01f6d bp 0x7ff8f8f15140 sp 0x7ff8f8f15138 READ of size 1 at 0x60c0008d08f0 thread T33 #0 0x55fa2ed01f6c in ut_fold_string /data/src/10.3/storage/innobase/include/ut0rnd.ic:144 #1 0x55fa2ed0b1be in dict_table_check_if_in_cache_low /data/src/10.3/storage/innobase/include/dict0priv.ic:120 #2 0x55fa2ed10d95 in dict_table_open_on_name(char const, unsigned long, unsigned long, dict_err_ignore_t) /data/src/10.3/storage/innobase/dict/dict0dict.cc:1159 #3 0x55fa2e840f91 in i_s_fts_config_fill /data/src/10.3/storage/innobase/handler/i_s.cc:3905 #4 0x55fa2dd493f2 in get_schema_tables_result(JOIN, enum_schema_table_state) /data/src/10.3/sql/sql_show.cc:8848 #5 0x55fa2dc3e304 in JOIN::exec_inner() /data/src/10.3/sql/sql_select.cc:4004 #6 0x55fa2dc3c67d in JOIN::exec() /data/src/10.3/sql/sql_select.cc:3835 #7 0x55fa2dc3faec in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/src/10.3/sql/sql_select.cc:4240 #8 0x55fa2dc1a97f in handle_select(THD, LEX, select_result, unsigned long) /data/src/10.3/sql/sql_select.cc:373 #9 0x55fa2db9fd56 in execute_sqlcom_select /data/src/10.3/sql/sql_parse.cc:6548 #10 0x55fa2db8e8bd in mysql_execute_command(THD) /data/src/10.3/sql/sql_parse.cc:3821 #11 0x55fa2dba8915 in mysql_parse(THD, char, unsigned int, Parser_state, bool, bool) /data/src/10.3/sql/sql_parse.cc:8091 #12 0x55fa2db830e6 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1858 #13 0x55fa2db8009f in do_command(THD) /data/src/10.3/sql/sql_parse.cc:1403 #14 0x55fa2dee3732 in do_handle_one_connection(CONNECT) /data/src/10.3/sql/sql_connect.cc:1402 #15 0x55fa2dee310e in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308 #16 0x7ff92c85f4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3) #17 0x7ff92ada7d0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e) ASAN:DEADLYSIGNAL {noformat} {noformat:title=RQG grammar mdev19445.yy} query: CREATE TABLE t1 (c1 INT, c2 TINYTEXT, PRIMARY KEY (c1), FULLTEXT KEY (c2)) ENGINE=InnoDB \| SET GLOBAL innodb_ft_aux_table='test/t1' \| SELECT FROM INFORMATION_SCHEMA.INNODB_FT_CONFIG; {noformat} {noformat:title=Command line} perl ./runall-new.pl --duration=300 --threads=2 --grammar=./mdev19445.yy --skip-gendata --vardir=/dev/shm/vardir --basedir=<your ASAN basedir> {noformat} Remember to set the basedir on the command line above. Any reasonably fresh fork/branch of RQG should be fine for it, but if it's not, try {noformat} git clone https://github.com/MariaDB/randgen --branch mdev19445 rqg-mdev19445 cd rqg-mdev19445 . ./cmd --basedir=/data/bld/10.3-asan {noformat} (with your basedir, naturally) The grammar is already in the branch, and cmd contains the same command line as above.

Elena Stepanova made changes - 2019-05-12 19:10

Assignee

Elena Stepanova [ elenst ]

Marko Mäkelä [ marko ]

Marko Mäkelä made changes - 2019-05-13 17:10

issue.field.resolutiondate

2019-05-13 17:10:49.0

2019-05-13 17:10:49.347

Marko Mäkelä made changes - 2019-05-13 17:10

Component/s		Storage Engine - XtraDB [ 10135 ]
Fix Version/s		10.1.41 [ 23406 ]
Fix Version/s		10.2.25 [ 23408 ]
Fix Version/s		10.3.16 [ 23410 ]
Fix Version/s		10.4.5 [ 23311 ]
Fix Version/s	10.2 [ 14601 ]
Fix Version/s	10.1 [ 16100 ]
Fix Version/s	10.3 [ 22126 ]
Fix Version/s	10.4 [ 22408 ]
Resolution		Fixed [ 1 ]
Status	Open [ 1 ]	Closed [ 6 ]

Marko Mäkelä made changes - 2020-04-28 07:53

Link

This issue relates to ~~MDEV-22393~~ [ ~~MDEV-22393~~ ]

Sergei Golubchik made changes - 2021-12-06 21:49

Workflow

MariaDB v3 [ 96679 ]

MariaDB v4 [ 156174 ]

People

Assignee:: Marko Mäkelä

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2019-05-12 19:00

Updated:: 2025-01-27 11:41

Resolved:: 2019-05-13 17:10

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server