Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-20582

Asan failure in table_def::calc_field_size

    Details

      Description

      Following test fails with ASAN build

      --source include/have_binlog_format_row.inc
       
      --let $MYSQLD_DATADIR= `select @@datadir`
      --let $binlog_file= $MYSQLD_DATADIR/master-bin.000001
      --let $output_file= $MYSQLTEST_VARDIR/tmp/mysqlbinlog.output
       
      CREATE TABLE t1(c_char_utf8 CHAR(1) ,
        c_varchar_utf8 VARCHAR(1) ,
        c_text_utf8 TEXT );
       
      INSERT INTO t1 VALUES("1", "2", "3");
       
      --exec $MYSQL_BINLOG -F $binlog_file > $output_file
      

      binlog.xyz 'row'                         [ fail ]
              Test ended at 2019-09-13 13:54:54
       
      CURRENT_TEST: binlog.xyz
      =================================================================
      ==9067==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000049e0 at pc 0x55850271a846 bp 0x7ffcaa1efd80 sp 0x7ffcaa1efd70
      READ of size 2 at 0x6020000049e0 thread T0
          #0 0x55850271a845 in table_def::calc_field_size(unsigned int, unsigned char*) const /home/sachin/10.3/server/sql/rpl_utility.cc:330
          #1 0x5585026f3c33 in Rows_log_event::calc_row_event_length(table_def*, st_print_event_info*, st_bitmap*, unsigned char const*) /home/sachin/10.3/server/sql/log_event.cc:3472
          #2 0x5585026f3f04 in Rows_log_event::count_row_events(st_print_event_info*) /home/sachin/10.3/server/sql/log_event.cc:3529
          #3 0x5585026f56c0 in Log_event::print_base64(st_io_cache*, st_print_event_info*, bool) /home/sachin/10.3/server/sql/log_event.cc:3905
          #4 0x558502712620 in Rows_log_event::print_helper(_IO_FILE*, st_print_event_info*, char const*) /home/sachin/10.3/server/sql/log_event.cc:12156
          #5 0x5585027159fc in Write_rows_log_event::print(_IO_FILE*, st_print_event_info*) /home/sachin/10.3/server/sql/log_event.cc:13691
          #6 0x5585026bb676 in print_base64 /home/sachin/10.3/server/client/mysqlbinlog.cc:899
          #7 0x5585026bb986 in print_row_event /home/sachin/10.3/server/client/mysqlbinlog.cc:983
          #8 0x5585026bd2d5 in process_event(st_print_event_info*, Log_event*, unsigned long long, char const*) /home/sachin/10.3/server/client/mysqlbinlog.cc:1474
          #9 0x5585026c3839 in dump_local_log_entries /home/sachin/10.3/server/client/mysqlbinlog.cc:2990
          #10 0x5585026bf931 in dump_log_entries /home/sachin/10.3/server/client/mysqlbinlog.cc:2217
          #11 0x5585026c40b0 in main /home/sachin/10.3/server/client/mysqlbinlog.cc:3150
          #12 0x7f38147ccb6a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26b6a)
          #13 0x5585026b8059 in _start (/home/sachin/10.3/build/client/mysqlbinlog+0xb3059)
       
      0x6020000049e0 is located 0 bytes to the right of 16-byte region [0x6020000049d0,0x6020000049e0)
      allocated by thread T0 here:
          #0 0x7f3814fcf448 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10c448)
          #1 0x5585028067fd in my_malloc /home/sachin/10.3/server/mysys/my_malloc.c:101
          #2 0x558502710a05 in Rows_log_event::Rows_log_event(char const*, unsigned int, Format_description_log_event const*) /home/sachin/10.3/server/sql/log_event.cc:10991
          #3 0x55850271588b in Write_rows_log_event::Write_rows_log_event(char const*, unsigned int, Format_description_log_event const*) /home/sachin/10.3/server/sql/log_event.cc:13145
          #4 0x5585026f5421 in Log_event::print_base64(st_io_cache*, st_print_event_info*, bool) /home/sachin/10.3/server/sql/log_event.cc:3817
          #5 0x558502712620 in Rows_log_event::print_helper(_IO_FILE*, st_print_event_info*, char const*) /home/sachin/10.3/server/sql/log_event.cc:12156
          #6 0x5585027159fc in Write_rows_log_event::print(_IO_FILE*, st_print_event_info*) /home/sachin/10.3/server/sql/log_event.cc:13691
          #7 0x5585026bb676 in print_base64 /home/sachin/10.3/server/client/mysqlbinlog.cc:899
          #8 0x5585026bb986 in print_row_event /home/sachin/10.3/server/client/mysqlbinlog.cc:983
          #9 0x5585026bd2d5 in process_event(st_print_event_info*, Log_event*, unsigned long long, char const*) /home/sachin/10.3/server/client/mysqlbinlog.cc:1474
          #10 0x5585026c3839 in dump_local_log_entries /home/sachin/10.3/server/client/mysqlbinlog.cc:2990
          #11 0x5585026bf931 in dump_log_entries /home/sachin/10.3/server/client/mysqlbinlog.cc:2217
          #12 0x5585026c40b0 in main /home/sachin/10.3/server/client/mysqlbinlog.cc:3150
          #13 0x7f38147ccb6a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26b6a)
       
      SUMMARY: AddressSanitizer: heap-buffer-overflow /home/sachin/10.3/server/sql/rpl_utility.cc:330 in table_def::calc_field_size(unsigned int, unsigned char*) const
      Shadow bytes around the buggy address:
        0x0c047fff88e0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
        0x0c047fff88f0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
        0x0c047fff8900: fa fa 00 00 fa fa 00 00 fa fa fd fd fa fa fd fd
        0x0c047fff8910: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
        0x0c047fff8920: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
      =>0x0c047fff8930: fa fa 00 00 fa fa 00 07 fa fa 00 00[fa]fa fa fa
        0x0c047fff8940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c047fff8950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c047fff8960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c047fff8970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c047fff8980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==9067==ABORTING
      mysqltest: At line 13: exec of '/home/sachin/10.3/build/client/mysqlbinlog --defaults-file=/home/sachin/10.3/build/mysql-test/var/my.cnf --local-load=/home/sachin/10.3/build/mysql-test/var/tmp -F /home/sachin/10.3/build/mysql-test/var/mysqld.1/data//master-bin.000001 > /home/sachin/10.3/build/mysql-test/var/tmp/mysqlbinlog.output' failed, error: 256, status: 1, errno: 11
      Output from before failure:
      INSERT INTO t1 VALUES("1", "2", "3");
       
       - saving '/home/sachin/10.3/build/mysql-test/var/log/binlog.xyz-row/' to '/home/sachin/10.3/build/mysql-test/var/log/binlog.xyz-row/'
      --------------------------------------------------------------------------
      The servers were restarted 0 times
      Spent 0.000 of 4 seconds executing testcases
       
      Failure: Failed 1/1 tests, 0.00% were successful.
       
      Failing test(s): binlog.xyz
       
      The log files in var/log may give you some hint of what went wrong.
       
      If you want to report this error, please read first the documentation
      at http://dev.mysql.com/doc/mysql/en/mysql-test-suite.html
       
      
      

      Please uncomment the part on test case in binlog_table_map_optional_metadata.test which was commented because of this bug

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                sachin.setiya.007 Sachin Setiya
                Reporter:
                sachin.setiya.007 Sachin Setiya
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: