[MDEV-19536] Server crash or ASAN heap-use-after-free in is_temporary_table / read_statistics_for_tables_if_needed - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.1(EOL), 10.2(EOL), 10.3(EOL), 10.4(EOL)
Fix Version/s: 10.2.28, 10.1.42, 10.3.19, 10.4.9
Component/s: Optimizer
Labels:
- affects-tests

Description

Please note that it's a non-deterministic concurrent test.

SET use_stat_tables= PREFERABLY;

CREATE TABLE t1 (a INT);

CREATE OR REPLACE VIEW v1 AS SELECT * FROM t1;

--connect (con1,localhost,root,,)

--let $conid= `SELECT CONNECTION_ID()`

--delimiter $

--send

    LOOP

        CREATE OR REPLACE TABLE t1 (b INT);

    END LOOP $

--delimiter ;

--connection default

--let $run= 10000

while ($run)

    --error ER_VIEW_INVALID

    SHOW INDEX FROM v1;

    --dec $run

# Cleanup

--eval KILL $conid

DROP VIEW v1;

DROP TABLE IF EXISTS t1;

10.1 91efcc63
#3 <signal handler called>
#4 0x00005555964598fc in is_temporary_table (tl=0x7f153a9a8658) at /data/src/10.1/sql/sql_base.h:675
#5 0x0000555596573414 in read_statistics_for_tables_if_needed (thd=0x7f153c7cd070, tables=0x7f153a84a868) at /data/src/10.1/sql/sql_statistics.cc:3275
#6 0x000055559655ca05 in fill_schema_table_by_open (thd=0x7f153c7cd070, is_show_fields_or_keys=true, table=0x7f153a8ff088, schema_table=0x555597627920 <schema_tables+1792>, orig_db_name=0x7f1544f38790, orig_table_name=0x7f1544f387e0, open_tables_state_backup=0x7f1544f38800, can_deadlock=false) at /data/src/10.1/sql/sql_show.cc:4290
#7 0x000055559655da5b in get_all_tables (thd=0x7f153c7cd070, tables=0x7f153a846960, cond=0x0) at /data/src/10.1/sql/sql_show.cc:4814
#8 0x000055559656ceeb in get_schema_tables_result (join=0x7f153a8483a8, executed_place=PROCESSED_BY_JOIN_EXEC) at /data/src/10.1/sql/sql_show.cc:8280
#9 0x000055559650c5f0 in JOIN::exec_inner (this=0x7f153a8483a8) at /data/src/10.1/sql/sql_select.cc:2714
#10 0x000055559650bc9b in JOIN::exec (this=0x7f153a8483a8) at /data/src/10.1/sql/sql_select.cc:2562
#11 0x000055559650f229 in mysql_select (thd=0x7f153c7cd070, rref_pointer_array=0x7f153c7d1560, tables=0x7f153a846960, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2684619520, result=0x7f153a848388, unit=0x7f153c7d0bb8, select_lex=0x7f153c7d12b8) at /data/src/10.1/sql/sql_select.cc:3499
#12 0x0000555596504913 in handle_select (thd=0x7f153c7cd070, lex=0x7f153c7d0af0, result=0x7f153a848388, setup_tables_done_option=0) at /data/src/10.1/sql/sql_select.cc:376
#13 0x00005555964d40e2 in execute_sqlcom_select (thd=0x7f153c7cd070, all_tables=0x7f153a846960) at /data/src/10.1/sql/sql_parse.cc:5951
#14 0x00005555964ca443 in mysql_execute_command (thd=0x7f153c7cd070) at /data/src/10.1/sql/sql_parse.cc:3038
#15 0x00005555964d7d5b in mysql_parse (thd=0x7f153c7cd070, rawbuf=0x7f153a845088 "SHOW INDEX FROM v1", length=18, parser_state=0x7f1544f3a1e0) at /data/src/10.1/sql/sql_parse.cc:7469
#16 0x00005555964c6455 in dispatch_command (command=COM_QUERY, thd=0x7f153c7cd070, packet=0x7f153e7f0071 "SHOW INDEX FROM v1", packet_length=18) at /data/src/10.1/sql/sql_parse.cc:1499
#17 0x00005555964c5213 in do_command (thd=0x7f153c7cd070) at /data/src/10.1/sql/sql_parse.cc:1131
#18 0x00005555966006c3 in do_handle_one_connection (thd_arg=0x7f153c7cd070) at /data/src/10.1/sql/sql_connect.cc:1330
#19 0x0000555596600409 in handle_one_connection (arg=0x7f153c7cd070) at /data/src/10.1/sql/sql_connect.cc:1242
#20 0x0000555596a33a3e in pfs_spawn_thread (arg=0x7f1542c39c70) at /data/src/10.1/storage/perfschema/pfs.cc:1861
#21 0x00007f1544bb84a4 in start_thread (arg=0x7f1544f3b700) at pthread_create.c:456
#22 0x00007f15435ced0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

Reproducible on 10.1-10.4.

Attachments

Activity

Ascending order - Click to sort in descending order

Alice Sherepa added a comment - 2019-07-05 11:25

SET use_stat_tables= PREFERABLY;

CREATE TABLE t1 (a INT);

CREATE OR REPLACE VIEW v1 AS SELECT * FROM t1;

--connect (con1,localhost,root,,)

--let $conid= `SELECT CONNECTION_ID()`

--delimiter $

--send

    LOOP

        CREATE OR REPLACE TABLE t1 (b INT);

    END LOOP $

--delimiter ;

--connection default

--let $run= 10000

while ($run)

    SELECT * FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = 'v1';

    --dec $run

# Cleanup

--eval KILL $conid

DROP VIEW v1;

DROP TABLE IF EXISTS t1;

Alice Sherepa added a comment - 2019-07-05 11:25 SET use_stat_tables= PREFERABLY; CREATE TABLE t1 (a INT ); CREATE OR REPLACE VIEW v1 AS SELECT * FROM t1; --connect (con1,localhost,root,,) --let $conid= `SELECT CONNECTION_ID()` --delimiter $ --send LOOP CREATE OR REPLACE TABLE t1 (b INT ); END LOOP $ --delimiter ; --connection default --let $run= 10000 while ($run) { SELECT * FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = 'v1' ; --dec $run } # Cleanup --eval KILL $conid DROP VIEW v1; DROP TABLE IF EXISTS t1;

Sergey Vojtovich added a comment - 2019-10-02 12:21

Test provided by Alice covers another problem, likely ~~MDEV-19061~~. Although it didn't fail for me.

Sergey Vojtovich added a comment - 2019-10-02 12:21 Test provided by Alice covers another problem, likely MDEV-19061 . Although it didn't fail for me.

Sergey Vojtovich added a comment - 2019-10-02 12:26 - edited

igor, please review three patches in bb-10.1-svoj-~~MDEV-19536~~:
https://github.com/MariaDB/server/commit/e43791d4dc8feb2c02a08ce73c0bb0e2c320018c
https://github.com/MariaDB/server/commit/1b1b9013a5045983bbb3be68a2e8bc8f81186aea
https://github.com/MariaDB/server/commit/9374fe3d33b267bf12556a26119d6496625f659c

Sergey Vojtovich added a comment - 2019-10-02 12:26 - edited igor , please review three patches in bb-10.1-svoj- MDEV-19536 : https://github.com/MariaDB/server/commit/e43791d4dc8feb2c02a08ce73c0bb0e2c320018c https://github.com/MariaDB/server/commit/1b1b9013a5045983bbb3be68a2e8bc8f81186aea https://github.com/MariaDB/server/commit/9374fe3d33b267bf12556a26119d6496625f659c

Alice Sherepa added a comment - 2019-10-02 12:55

svoj, Just checked the test, fails for me, but it is sporadic, please try with --repeat=N

10.4 97d82c34293375aa0ddf4
Version: '10.4.9-MariaDB-debug-log' socket: '/10.4/mysql-test/var/tmp/mysqld.1.sock' port: 16000 Source distribution
=================================================================
==29349==ERROR: AddressSanitizer: heap-use-after-free on address 0x6200000770f0 at pc 0x0000008287a2 bp 0x7f26ab2290a0 sp 0x7f26ab229090
READ of size 8 at 0x6200000770f0 thread T27
#0 0x8287a1 in is_temporary_table(TABLE_LIST*) /10.4/sql/sql_base.h:622
#1 0xb9d08e in statistics_for_tables_is_needed /10.4/sql/sql_statistics.cc:3215
#2 0xb9dca4 in read_statistics_for_tables_if_needed(THD, TABLE_LIST) /10.4/sql/sql_statistics.cc:3344
#3 0xb553b4 in fill_schema_table_by_open /10.4/sql/sql_show.cc:4653
#4 0xb58b07 in get_all_tables(THD, TABLE_LIST, Item*) /10.4/sql/sql_show.cc:5292
#5 0xb88fcb in get_schema_tables_result(JOIN*, enum_schema_table_state) /10.4/sql/sql_show.cc:8899
#6 0xa73c21 in JOIN::exec_inner() /10.4/sql/sql_select.cc:4343
#7 0xa71cd3 in JOIN::exec() /10.4/sql/sql_select.cc:4168
#8 0xa7593a in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /10.4/sql/sql_select.cc:4600
#9 0xa4b899 in handle_select(THD, LEX, select_result*, unsigned long) /10.4/sql/sql_select.cc:420
#10 0x9cb79f in execute_sqlcom_select /10.4/sql/sql_parse.cc:6352
#11 0x9b960e in mysql_execute_command(THD*) /10.4/sql/sql_parse.cc:3894
#12 0x9d3f66 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /10.4/sql/sql_parse.cc:7912
#13 0x9acefa in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /10.4/sql/sql_parse.cc:1841
#14 0x9a9d1e in do_command(THD*) /10.4/sql/sql_parse.cc:1359
#15 0xd3caf0 in do_handle_one_connection(CONNECT*) /10.4/sql/sql_connect.cc:1412
#16 0xd3c496 in handle_one_connection /10.4/sql/sql_connect.cc:1316
#17 0x21eb0e2 in pfs_spawn_thread /10.4/storage/perfschema/pfs.cc:1862
#18 0x7f26c2fe46b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#19 0x7f26c1bc741c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

Alice Sherepa added a comment - 2019-10-02 12:55 svoj , Just checked the test, fails for me, but it is sporadic, please try with --repeat=N 10.4 97d82c34293375aa0ddf4 Version: '10.4.9-MariaDB-debug-log' socket: '/10.4/mysql-test/var/tmp/mysqld.1.sock' port: 16000 Source distribution ================================================================= ==29349==ERROR: AddressSanitizer: heap-use-after-free on address 0x6200000770f0 at pc 0x0000008287a2 bp 0x7f26ab2290a0 sp 0x7f26ab229090 READ of size 8 at 0x6200000770f0 thread T27 #0 0x8287a1 in is_temporary_table(TABLE_LIST*) /10.4/sql/sql_base.h:622 #1 0xb9d08e in statistics_for_tables_is_needed /10.4/sql/sql_statistics.cc:3215 #2 0xb9dca4 in read_statistics_for_tables_if_needed(THD*, TABLE_LIST*) /10.4/sql/sql_statistics.cc:3344 #3 0xb553b4 in fill_schema_table_by_open /10.4/sql/sql_show.cc:4653 #4 0xb58b07 in get_all_tables(THD*, TABLE_LIST*, Item*) /10.4/sql/sql_show.cc:5292 #5 0xb88fcb in get_schema_tables_result(JOIN*, enum_schema_table_state) /10.4/sql/sql_show.cc:8899 #6 0xa73c21 in JOIN::exec_inner() /10.4/sql/sql_select.cc:4343 #7 0xa71cd3 in JOIN::exec() /10.4/sql/sql_select.cc:4168 #8 0xa7593a in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.4/sql/sql_select.cc:4600 #9 0xa4b899 in handle_select(THD*, LEX*, select_result*, unsigned long) /10.4/sql/sql_select.cc:420 #10 0x9cb79f in execute_sqlcom_select /10.4/sql/sql_parse.cc:6352 #11 0x9b960e in mysql_execute_command(THD*) /10.4/sql/sql_parse.cc:3894 #12 0x9d3f66 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/sql/sql_parse.cc:7912 #13 0x9acefa in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/sql/sql_parse.cc:1841 #14 0x9a9d1e in do_command(THD*) /10.4/sql/sql_parse.cc:1359 #15 0xd3caf0 in do_handle_one_connection(CONNECT*) /10.4/sql/sql_connect.cc:1412 #16 0xd3c496 in handle_one_connection /10.4/sql/sql_connect.cc:1316 #17 0x21eb0e2 in pfs_spawn_thread /10.4/storage/perfschema/pfs.cc:1862 #18 0x7f26c2fe46b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9) #19 0x7f26c1bc741c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

Sergey Vojtovich added a comment - 2019-10-02 13:10

alice, thanks! Looks like I was wrong and your test case covering exactly this issue.

Sergey Vojtovich added a comment - 2019-10-02 13:10 alice , thanks! Looks like I was wrong and your test case covering exactly this issue.

Igor Babaev (Inactive) added a comment - 2019-10-07 05:29

It's ok to push all 3 patches to 10.1

Igor Babaev (Inactive) added a comment - 2019-10-07 05:29 It's ok to push all 3 patches to 10.1

People

Assignee:: Sergey Vojtovich

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: 2019-05-21 10:32

Updated:: 2019-10-07 09:36

Resolved:: 2019-10-07 09:36

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server