Details
-
Bug
-
Status: Open (View Workflow)
-
Critical
-
Resolution: Unresolved
-
10.5, 10.6, 10.1(EOL), 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.7(EOL), 10.8(EOL), 10.9(EOL)
-
None
Description
Update: see the new test case in the comment.
The test case is highly non-deterministic, run with --repeat=N. Depending on the build type, it fails for me within 10-50 attempts, but it can vary a lot on different machines and builds.
--source include/have_innodb.inc
|
|
CREATE TABLE t1 (a INT, KEY(a)) ENGINE=InnoDB; |
CREATE TABLE t2 (b INT) ENGINE=InnoDB; |
CREATE VIEW v2 AS SELECT * FROM t2; |
|
--connect (con1,localhost,root,,test)
|
ALTER TABLE t2 ADD FOREIGN KEY(b) REFERENCES t1 (a) ON UPDATE CASCADE; |
--send
|
UPDATE t1, v2 SET t1.a = 1; |
|
--connection default
|
DROP TABLE IF EXISTS x; |
FLUSH TABLES;
|
|
--connection con1
|
--reap
|
--disconnect con1
|
--connection default
|
DROP VIEW v2; |
DROP TABLE t2, t1; |
10.3 192aa295 |
#3 <signal handler called>
|
#4 0x0000563be5379131 in unsafe_key_update (leaves=..., tables_for_update=1) at /data/src/10.3/sql/sql_update.cc:1371
|
#5 0x0000563be5379a43 in Multiupdate_prelocking_strategy::handle_end (this=0x7f91ed4cdc90, thd=0x7f9198000b00) at /data/src/10.3/sql/sql_update.cc:1586
|
#6 0x0000563be51f0174 in open_tables (thd=0x7f9198000b00, options=..., start=0x7f91ed4cdc68, counter=0x7f91ed4cdc64, flags=0, prelocking_strategy=0x7f91ed4cdc90) at /data/src/10.3/sql/sql_base.cc:4272
|
#7 0x0000563be5374f74 in open_tables (thd=0x7f9198000b00, tables=0x7f91ed4cdc68, counter=0x7f91ed4cdc64, flags=0, prelocking_strategy=0x7f91ed4cdc90) at /data/src/10.3/sql/sql_base.h:251
|
#8 0x0000563be5379fb4 in mysql_multi_update_prepare (thd=0x7f9198000b00) at /data/src/10.3/sql/sql_update.cc:1709
|
#9 0x0000563be527dadc in mysql_execute_command (thd=0x7f9198000b00) at /data/src/10.3/sql/sql_parse.cc:4327
|
#10 0x0000563be5289012 in mysql_parse (thd=0x7f9198000b00, rawbuf=0x7f9198011448 "UPDATE t1, v2 SET t1.a = 1", length=26, parser_state=0x7f91ed4ce5f0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:7829
|
#11 0x0000563be5276c10 in dispatch_command (command=COM_QUERY, thd=0x7f9198000b00, packet=0x7f9198008c61 "UPDATE t1, v2 SET t1.a = 1", packet_length=26, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1856
|
#12 0x0000563be5275633 in do_command (thd=0x7f9198000b00) at /data/src/10.3/sql/sql_parse.cc:1401
|
#13 0x0000563be53deb55 in do_handle_one_connection (connect=0x563be88a02b0) at /data/src/10.3/sql/sql_connect.cc:1402
|
#14 0x0000563be53de8cc in handle_one_connection (arg=0x563be88a02b0) at /data/src/10.3/sql/sql_connect.cc:1308
|
#15 0x0000563be5cb7b02 in pfs_spawn_thread (arg=0x563be87e8d50) at /data/src/10.3/storage/perfschema/pfs.cc:1862
|
#16 0x00007f91f5cf04a4 in start_thread (arg=0x7f91ed4cf700) at pthread_create.c:456
|
#17 0x00007f91f4238d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
|
10.3 192aa295 ASAN |
==4418==ERROR: AddressSanitizer: heap-use-after-free on address 0x6190003c5b70 at pc 0x556d0deb973b bp 0x7f1d185bbf90 sp 0x7f1d185bbf88
|
READ of size 8 at 0x6190003c5b70 thread T28
|
#0 0x556d0deb973a in Item_field::used_tables() const /data/src/10.3/sql/item.cc:3548
|
#1 0x556d0d65b226 in setup_fields(THD*, Bounds_checked_array<Item*>, List<Item>&, enum_column_usage, List<Item>*, List<Item>*, bool) /data/src/10.3/sql/sql_base.cc:7489
|
#2 0x556d0da0399b in setup_fields_with_no_wrap(THD*, Bounds_checked_array<Item*>, List<Item>&, enum_column_usage, List<Item>*, bool) /data/src/10.3/sql/sql_base.h:377
|
#3 0x556d0d9f6b28 in Multiupdate_prelocking_strategy::handle_end(THD*) /data/src/10.3/sql/sql_update.cc:1572
|
#4 0x556d0d649415 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:4272
|
#5 0x556d0d9eca66 in open_tables /data/src/10.3/sql/sql_base.h:251
|
#6 0x556d0d9f7814 in mysql_multi_update_prepare(THD*) /data/src/10.3/sql/sql_update.cc:1709
|
#7 0x556d0d7932dd in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4327
|
#8 0x556d0d7a96c9 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7829
|
#9 0x556d0d78571f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1856
|
#10 0x556d0d7826d9 in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1401
|
#11 0x556d0dae6e4f in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
|
#12 0x556d0dae682b in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
|
#13 0x556d0ee70f15 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
|
#14 0x7f1d2ff3b4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
|
#15 0x7f1d2e483d0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
|
|
0x6190003c5b70 is located 240 bytes inside of 1100-byte region [0x6190003c5a80,0x6190003c5ecc)
|
freed by thread T28 here:
|
#0 0x7f1d30212a10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
|
#1 0x556d0ef99e56 in free_memory /data/src/10.3/mysys/safemalloc.c:279
|
#2 0x556d0ef994f8 in sf_free /data/src/10.3/mysys/safemalloc.c:197
|
#3 0x556d0ef6bb2a in my_free /data/src/10.3/mysys/my_malloc.c:223
|
#4 0x556d0ef4ce12 in free_root /data/src/10.3/mysys/my_alloc.c:429
|
#5 0x556d0da3178d in closefrm(TABLE*) /data/src/10.3/sql/table.cc:3629
|
#6 0x556d0dc8f3d1 in intern_close_table /data/src/10.3/sql/table_cache.cc:222
|
#7 0x556d0dc8f638 in tc_remove_table /data/src/10.3/sql/table_cache.cc:260
|
#8 0x556d0dc908fd in tc_release_table(TABLE*) /data/src/10.3/sql/table_cache.cc:474
|
#9 0x556d0d63a8d4 in close_thread_table(THD*, TABLE**) /data/src/10.3/sql/sql_base.cc:920
|
#10 0x556d0d63a035 in close_thread_tables(THD*) /data/src/10.3/sql/sql_base.cc:862
|
#11 0x556d0d650011 in close_tables_for_reopen(THD*, TABLE_LIST**, MDL_savepoint const&) /data/src/10.3/sql/sql_base.cc:5493
|
#12 0x556d0d648eaf in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:4184
|
#13 0x556d0d9eca66 in open_tables /data/src/10.3/sql/sql_base.h:251
|
#14 0x556d0d9f7814 in mysql_multi_update_prepare(THD*) /data/src/10.3/sql/sql_update.cc:1709
|
#15 0x556d0d7932dd in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4327
|
#16 0x556d0d7a96c9 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7829
|
#17 0x556d0d78571f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1856
|
#18 0x556d0d7826d9 in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1401
|
#19 0x556d0dae6e4f in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
|
#20 0x556d0dae682b in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
|
#21 0x556d0ee70f15 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
|
#22 0x7f1d2ff3b4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
|
|
previously allocated by thread T28 here:
|
#0 0x7f1d30212d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
|
#1 0x556d0ef98ef8 in sf_malloc /data/src/10.3/mysys/safemalloc.c:118
|
#2 0x556d0ef6b271 in my_malloc /data/src/10.3/mysys/my_malloc.c:101
|
#3 0x556d0ef4be62 in alloc_root /data/src/10.3/mysys/my_alloc.c:250
|
#4 0x556d0ef4d451 in strmake_root /data/src/10.3/mysys/my_alloc.c:480
|
#5 0x556d0da2db80 in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /data/src/10.3/sql/table.cc:3186
|
#6 0x556d0d63eda5 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.3/sql/sql_base.cc:1979
|
#7 0x556d0d646688 in open_and_process_table /data/src/10.3/sql/sql_base.cc:3666
|
#8 0x556d0d648e56 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:4161
|
#9 0x556d0d9eca66 in open_tables /data/src/10.3/sql/sql_base.h:251
|
#10 0x556d0d9f7814 in mysql_multi_update_prepare(THD*) /data/src/10.3/sql/sql_update.cc:1709
|
#11 0x556d0d7932dd in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4327
|
#12 0x556d0d7a96c9 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7829
|
#13 0x556d0d78571f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1856
|
#14 0x556d0d7826d9 in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1401
|
#15 0x556d0dae6e4f in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
|
#16 0x556d0dae682b in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
|
#17 0x556d0ee70f15 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
|
#18 0x7f1d2ff3b4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
|
|
Thread T28 created by T0 here:
|
#0 0x7f1d30181f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
|
#1 0x556d0ee71351 in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1912
|
#2 0x556d0d4fe730 in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1268
|
#3 0x556d0d513581 in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6605
|
#4 0x556d0d513c64 in create_new_thread /data/src/10.3/sql/mysqld.cc:6675
|
#5 0x556d0d514c7c in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6950
|
#6 0x556d0d512a51 in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6227
|
#7 0x556d0d4fce4f in main /data/src/10.3/sql/main.cc:25
|
#8 0x7f1d2e3bb2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
|
|
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.3/sql/item.cc:3548 in Item_field::used_tables() const
|
Shadow bytes around the buggy address:
|
0x0c3280070b10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c3280070b20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c3280070b30: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
|
0x0c3280070b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c3280070b50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
=>0x0c3280070b60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
|
0x0c3280070b70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c3280070b80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c3280070b90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c3280070ba0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c3280070bb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Heap right redzone: fb
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack partial redzone: f4
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
==4418==ABORTING
|
All of debug, non-debug and ASAN builds fail, but it takes longer on non-debug.
Couldn't reproduce with the provided test case on 10.4, maybe it's just the matter of luck or different dynamics, or maybe the problem really doesn't exist there.
Attachments
Issue Links
- relates to
-
MDEV-30841 SIGSEGV in Item_field::used_tables and UBSAN: runtime error: member access within null pointer of type 'struct Field' on SELECT
- Open
-
MDEV-34768 ASAN errors in Multiupdate_prelocking_strategy::handle_end upon concurrent online ALTER and DML prepare
- Open
-
MDEV-9674 Server crash on large transaction combined with multi-update inside stored procedure
- Closed
-
MDEV-21630 Server crashes in mysql_derived_prepare on 2nd execution of SP with views, ASAN: heap-use-after-free in mysql_derived_prepare
- Confirmed