MariaDB Server, issue MDEV-19633

ASAN use-after-poison in tree_insert() in main.func_gconcat

      Description

      Found here http://buildbot.askmonty.org/buildbot/builders/kvm-asan/builds/1368/steps/mtr_nm/logs/stdio

      main.func_gconcat                        w1 [ fail ]
              Test ended at 2019-05-28 15:06:24
       
      CURRENT_TEST: main.func_gconcat
      mysqltest: At line 880: query 'SELECT GROUP_CONCAT(concat(seq/1.1), concat(seq/1.1), concat(seq/1.1), concat(seq/1.1), concat(seq/1.1), concat(seq/1.1), concat(seq/1.1), concat(seq/1.1) ORDER BY 2,1,3,4,6,5,8,7) AS c
      FROM seq_1_to_200000' failed: 2013: Lost connection to MySQL server during query
       
      The result from queries just before the failure was:
      < snip >
      Warning	1260	Row 3 was cut by GROUP_CONCAT()
      INSERT INTO t1 VALUES (REPEAT('a', 499999), 3), (REPEAT('b', 500000), 4);
      SELECT LENGTH(GROUP_CONCAT(f1 ORDER BY f2)) FROM t1 GROUP BY f2;
      LENGTH(GROUP_CONCAT(f1 ORDER BY f2))
      499999
      499999
      499999
      499999
      499999
      Warnings:
      Warning	1260	Row 1 was cut by GROUP_CONCAT()
      Warning	1260	Row 2 was cut by GROUP_CONCAT()
      Warning	1260	Row 3 was cut by GROUP_CONCAT()
      Warning	1260	Row 5 was cut by GROUP_CONCAT()
      DROP TABLE t1;
      SET group_concat_max_len= DEFAULT;
      set session group_concat_max_len=1024;
      set max_session_mem_used=16*1024*1024;
      SELECT GROUP_CONCAT(concat(seq/1.1), concat(seq/1.1), concat(seq/1.1), concat(seq/1.1), concat(seq/1.1), concat(seq/1.1), concat(seq/1.1), concat(seq/1.1) ORDER BY 2,1,3,4,6,5,8,7) AS c
      FROM seq_1_to_200000;
       
      More results from queries before failure can be found in /dev/shm/var/1/log/func_gconcat.log
       
       
      Server [mysqld.1 - pid: 2633, winpid: 2633, exit: 256] failed during test run
      Server log from this test:
      ----------SERVER LOG START-----------
      =================================================================
      ==2634==ERROR: AddressSanitizer: use-after-poison on address 0x629000b59330 at pc 0x7f3637155935 bp 0x7f362a27d260 sp 0x7f362a27ca08
      READ of size 240 at 0x629000b59330 thread T5
          #0 0x7f3637155934 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c934)
          #1 0x5606f503f3ad in tree_insert /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/tree.c:255
          #2 0x5606f4245d54 in copy_to_tree /home/buildbot/buildbot/build/mariadb-10.2.25/sql/item_sum.cc:3475
          #3 0x5606f5041277 in tree_walk_left_root_right /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/tree.c:551
          #4 0x5606f5041197 in tree_walk_left_root_right /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/tree.c:550
          #5 0x5606f5041197 in tree_walk_left_root_right /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/tree.c:550
          #6 0x5606f5041197 in tree_walk_left_root_right /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/tree.c:550
          #7 0x5606f5041197 in tree_walk_left_root_right /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/tree.c:550
          #8 0x5606f5041197 in tree_walk_left_root_right /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/tree.c:550
          #9 0x5606f5041197 in tree_walk_left_root_right /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/tree.c:550
          #10 0x5606f5041197 in tree_walk_left_root_right /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/tree.c:550
          #11 0x5606f5041197 in tree_walk_left_root_right /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/tree.c:550
          #12 0x5606f5041197 in tree_walk_left_root_right /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/tree.c:550
          #13 0x5606f5041197 in tree_walk_left_root_right /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/tree.c:550
          #14 0x5606f5041197 in tree_walk_left_root_right /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/tree.c:550
          #15 0x5606f5041197 in tree_walk_left_root_right /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/tree.c:550
          #16 0x5606f50410ec in tree_walk /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/tree.c:538
          #17 0x5606f424608b in Item_func_group_concat::repack_tree(THD*) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/item_sum.cc:3493
          #18 0x5606f4246d7d in Item_func_group_concat::add() /home/buildbot/buildbot/build/mariadb-10.2.25/sql/item_sum.cc:3561
          #19 0x5606f424b173 in Aggregator_simple::add() /home/buildbot/buildbot/build/mariadb-10.2.25/sql/item_sum.h:708
          #20 0x5606f3ba8dcf in Item_sum::aggregator_add() (/home/buildbot/buildbot/build/mariadb-10.2.25/sql/mysqld+0xeffdcf)
          #21 0x5606f3b8c949 in update_sum_func /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:23756
          #22 0x5606f3b749a3 in end_send_group(JOIN*, st_join_table*, bool) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:20175
          #23 0x5606f3b6bb9f in evaluate_join_record /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:19010
          #24 0x5606f3b6adfc in sub_select(JOIN*, st_join_table*, bool) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:18829
          #25 0x5606f3b68c3f in do_select /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:18334
          #26 0x5606f3b0a6d9 in JOIN::exec_inner() /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:3625
          #27 0x5606f3b083df in JOIN::exec() /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:3420
          #28 0x5606f3b0b72c in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:3820
          #29 0x5606f3aeae20 in handle_select(THD*, LEX*, select_result*, unsigned long) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:376
          #30 0x5606f3a728bc in execute_sqlcom_select /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_parse.cc:6493
          #31 0x5606f3a5fcb1 in mysql_execute_command(THD*) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_parse.cc:3534
          #32 0x5606f3a7b020 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_parse.cc:8027
          #33 0x5606f3a566aa in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_parse.cc:1833
          #34 0x5606f3a53827 in do_command(THD*) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_parse.cc:1387
          #35 0x5606f3d7dd0f in do_handle_one_connection(CONNECT*) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_connect.cc:1335
          #36 0x5606f3d7d717 in handle_one_connection /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_connect.cc:1241
          #37 0x5606f45339bd in pfs_spawn_thread /home/buildbot/buildbot/build/mariadb-10.2.25/storage/perfschema/pfs.cc:1862
          #38 0x7f36359836b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
          #39 0x7f3634e1882c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10682c)
       
      0x629000b59330 is located 304 bytes inside of 16352-byte region [0x629000b59200,0x629000b5d1e0)
      allocated by thread T5 here:
          #0 0x7f3637161602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
          #1 0x5606f501bc52 in my_malloc /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/my_malloc.c:101
          #2 0x5606f4ffd4f1 in alloc_root /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/my_alloc.c:242
          #3 0x5606f503f1ed in tree_insert /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/tree.c:243
          #4 0x5606f4246ee7 in Item_func_group_concat::add() /home/buildbot/buildbot/build/mariadb-10.2.25/sql/item_sum.cc:3564
          #5 0x5606f424b173 in Aggregator_simple::add() /home/buildbot/buildbot/build/mariadb-10.2.25/sql/item_sum.h:708
          #6 0x5606f3ba8dcf in Item_sum::aggregator_add() (/home/buildbot/buildbot/build/mariadb-10.2.25/sql/mysqld+0xeffdcf)
          #7 0x5606f3ba8a63 in Item_sum::reset_and_add() /home/buildbot/buildbot/build/mariadb-10.2.25/sql/item_sum.h:440
          #8 0x5606f3b8c892 in init_sum_functions /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:23738
          #9 0x5606f3b74847 in end_send_group(JOIN*, st_join_table*, bool) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:20167
          #10 0x5606f3b6bb9f in evaluate_join_record /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:19010
          #11 0x5606f3b6a76e in sub_select(JOIN*, st_join_table*, bool) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:18790
          #12 0x5606f3b68c3f in do_select /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:18334
          #13 0x5606f3b0a6d9 in JOIN::exec_inner() /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:3625
          #14 0x5606f3b083df in JOIN::exec() /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:3420
          #15 0x5606f3b0b72c in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:3820
          #16 0x5606f3aeae20 in handle_select(THD*, LEX*, select_result*, unsigned long) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:376
          #17 0x5606f3a728bc in execute_sqlcom_select /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_parse.cc:6493
          #18 0x5606f3a5fcb1 in mysql_execute_command(THD*) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_parse.cc:3534
          #19 0x5606f3a7b020 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_parse.cc:8027
          #20 0x5606f3a566aa in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_parse.cc:1833
          #21 0x5606f3a53827 in do_command(THD*) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_parse.cc:1387
          #22 0x5606f3d7dd0f in do_handle_one_connection(CONNECT*) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_connect.cc:1335
          #23 0x5606f3d7d717 in handle_one_connection /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_connect.cc:1241
          #24 0x5606f45339bd in pfs_spawn_thread /home/buildbot/buildbot/build/mariadb-10.2.25/storage/perfschema/pfs.cc:1862
          #25 0x7f36359836b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
       
      Thread T5 created by T0 here:
          #0 0x7f36370ff253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
          #1 0x5606f4533daa in spawn_thread_v1 /home/buildbot/buildbot/build/mariadb-10.2.25/storage/perfschema/pfs.cc:1912
          #2 0x5606f386150e in inline_mysql_thread_create /home/buildbot/buildbot/build/mariadb-10.2.25/include/mysql/psi/mysql_thread.h:1239
          #3 0x5606f3875a46 in create_thread_to_handle_connection(CONNECT*) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/mysqld.cc:6506
          #4 0x5606f3876146 in create_new_thread /home/buildbot/buildbot/build/mariadb-10.2.25/sql/mysqld.cc:6576
          #5 0x5606f3877189 in handle_connections_sockets() /home/buildbot/buildbot/build/mariadb-10.2.25/sql/mysqld.cc:6851
          #6 0x5606f3874f91 in mysqld_main(int, char**) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/mysqld.cc:6125
          #7 0x5606f385f91f in main /home/buildbot/buildbot/build/mariadb-10.2.25/sql/main.cc:25
          #8 0x7f3634d3282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
       
      SUMMARY: AddressSanitizer: use-after-poison ??:0 __asan_memcpy
      Shadow bytes around the buggy address:
        0x0c5280163210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c5280163220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c5280163230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c5280163240: 00 00 00 00 f7 00 00 00 00 00 00 00 00 00 00 00
        0x0c5280163250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0c5280163260: 00 00 00 00 00 00[f7]00 00 00 00 00 00 00 00 00
        0x0c5280163270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c5280163280: 00 00 00 00 00 00 00 00 f7 00 00 00 00 00 00 00
        0x0c5280163290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c52801632a0: 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 00 00
        0x0c52801632b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
      ==2634==ABORTING
      

            People

            Assignee: Sergei Golubchik (serg)
            Reporter: Eugene Kosov (kevg)