Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
-
10.2.28, 5.5.66, 10.1.42, 10.3.19, 10.4.9
Description
Notes:
The test case is highly non-deterministic, sometimes it fails almost right away many times in a row, and sometimes it takes dozens of attempts. also many times in a row. Run with big --repeat=N value before deciding it's fixed or not reproducible. Please try to create a deterministic one for regression suite.
Sequence engine is not important for the scenario, it is just used to populate the table.
Use of DAYOFWEEK('utf8') in the WHERE clause seems to be important. Probably it can be replaced by something more sensible, but I couldn't find quickly enough what it might be.
--source include/have_sequence.inc
|
|
|
CREATE TABLE t1 (a INT) ENGINE=HEAP; |
INSERT INTO t1 SELECT seq FROM seq_1_to_10000; |
SELECT * FROM t1; |
|
|
--connect (con1,localhost,root,,test)
|
--send
|
SELECT * FROM t1 WHERE DAYOFWEEK('utf8'); |
|
|
--connection default
|
SELECT * FROM t1; |
FLUSH TABLES;
|
|
|
# Cleanup
|
--connection con1
|
--reap
|
--disconnect con1
|
|
|
--connection default
|
DROP TABLE IF EXISTS t1; |
|
10.4 ASAN 0339cbe2 |
==17429==ERROR: AddressSanitizer: heap-use-after-free on address 0x6180000247b8 at pc 0x5654f0a73816 bp 0x7ff7398b8480 sp 0x7ff7398b8478
|
WRITE of size 8 at 0x6180000247b8 thread T27
|
#0 0x5654f0a73815 in list_delete /data/src/10.4/mysys/list.c:52
|
#1 0x5654efe74b6b in hp_close /data/src/10.4/storage/heap/hp_close.c:40
|
#2 0x5654efe74954 in heap_close /data/src/10.4/storage/heap/hp_close.c:28
|
#3 0x5654efe581b4 in ha_heap::close() /data/src/10.4/storage/heap/ha_heap.cc:140
|
#4 0x5654ef966100 in handler::ha_close() /data/src/10.4/sql/handler.cc:2812
|
#5 0x5654ef4b2d7c in closefrm(TABLE*) /data/src/10.4/sql/table.cc:4053
|
#6 0x5654ef775394 in intern_close_table /data/src/10.4/sql/table_cache.cc:222
|
#7 0x5654ef775a4e in tc_purge(bool) /data/src/10.4/sql/table_cache.cc:335
|
#8 0x5654ef0800de in purge_tables(bool) /data/src/10.4/sql/sql_base.cc:335
|
#9 0x5654ef080315 in close_cached_tables(THD*, TABLE_LIST*, bool, unsigned long) /data/src/10.4/sql/sql_base.cc:364
|
#10 0x5654ef5dd168 in reload_acl_and_cache(THD*, unsigned long long, TABLE_LIST*, int*) /data/src/10.4/sql/sql_reload.cc:332
|
#11 0x5654ef2017e2 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:5458
|
#12 0x5654ef210c8d in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7898
|
#13 0x5654ef1e9f4a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1842
|
#14 0x5654ef1e6e3e in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1360
|
#15 0x5654ef56bca6 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412
|
#16 0x5654ef56b65a in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
|
#17 0x7ff75cf124a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
|
#18 0x7ff75b459d0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
|
|
|
0x6180000247b8 is located 824 bytes inside of 852-byte region [0x618000024480,0x6180000247d4)
|
freed by thread T27 here:
|
#0 0x7ff75d1e9a10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
|
#1 0x5654f0afc7b5 in free_memory /data/src/10.4/mysys/safemalloc.c:279
|
#2 0x5654f0afbe9e in sf_free /data/src/10.4/mysys/safemalloc.c:197
|
#3 0x5654f0acdfdb in my_free /data/src/10.4/mysys/my_malloc.c:222
|
#4 0x5654efe74c68 in hp_close /data/src/10.4/storage/heap/hp_close.c:43
|
#5 0x5654efe74954 in heap_close /data/src/10.4/storage/heap/hp_close.c:28
|
#6 0x5654efe581b4 in ha_heap::close() /data/src/10.4/storage/heap/ha_heap.cc:140
|
#7 0x5654ef966100 in handler::ha_close() /data/src/10.4/sql/handler.cc:2812
|
#8 0x5654ef4b2d7c in closefrm(TABLE*) /data/src/10.4/sql/table.cc:4053
|
#9 0x5654ef775394 in intern_close_table /data/src/10.4/sql/table_cache.cc:222
|
#10 0x5654ef775a4e in tc_purge(bool) /data/src/10.4/sql/table_cache.cc:335
|
#11 0x5654ef0800de in purge_tables(bool) /data/src/10.4/sql/sql_base.cc:335
|
#12 0x5654ef080315 in close_cached_tables(THD*, TABLE_LIST*, bool, unsigned long) /data/src/10.4/sql/sql_base.cc:364
|
#13 0x5654ef5dd168 in reload_acl_and_cache(THD*, unsigned long long, TABLE_LIST*, int*) /data/src/10.4/sql/sql_reload.cc:332
|
#14 0x5654ef2017e2 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:5458
|
#15 0x5654ef210c8d in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7898
|
#16 0x5654ef1e9f4a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1842
|
#17 0x5654ef1e6e3e in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1360
|
#18 0x5654ef56bca6 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412
|
#19 0x5654ef56b65a in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
|
#20 0x7ff75cf124a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
|
|
|
previously allocated by thread T27 here:
|
#0 0x7ff75d1e9d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
|
#1 0x5654f0afb8b6 in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
|
#2 0x5654f0acd6ea in my_malloc /data/src/10.4/mysys/my_malloc.c:101
|
#3 0x5654efe68755 in heap_open_from_share /data/src/10.4/storage/heap/hp_open.c:33
|
#4 0x5654efe69062 in heap_open /data/src/10.4/storage/heap/hp_open.c:121
|
#5 0x5654efe57aa2 in ha_heap::open(char const*, int, unsigned int) /data/src/10.4/storage/heap/ha_heap.cc:94
|
#6 0x5654ef965166 in handler::ha_open(TABLE*, char const*, int, unsigned int, st_mem_root*, List<String>*) /data/src/10.4/sql/handler.cc:2746
|
#7 0x5654ef4b1dfe in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /data/src/10.4/sql/table.cc:3951
|
#8 0x5654ef0883d3 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.4/sql/sql_base.cc:2086
|
#9 0x5654ef090894 in open_and_process_table /data/src/10.4/sql/sql_base.cc:3850
|
#10 0x5654ef092ec0 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.4/sql/sql_base.cc:4324
|
#11 0x5654ef097be4 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.4/sql/sql_base.cc:5217
|
#12 0x5654ef004531 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.4/sql/sql_base.h:505
|
#13 0x5654ef1fa9cc in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4608
|
#14 0x5654ef210c8d in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7898
|
#15 0x5654ef1e9f4a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1842
|
#16 0x5654ef1e6e3e in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1360
|
#17 0x5654ef56bca6 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412
|
#18 0x5654ef56b65a in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
|
#19 0x7ff75cf124a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
|
|
|
Thread T27 created by T0 here:
|
#0 0x7ff75d158f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
|
#1 0x5654f0b27bb0 in spawn_thread_noop /data/src/10.4/mysys/psi_noop.c:187
|
#2 0x5654eef41cb8 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
|
#3 0x5654eef5625c in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6234
|
#4 0x5654eef5693f in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6304
|
#5 0x5654eef56cca in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6402
|
#6 0x5654eef5791c in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6560
|
#7 0x5654eef55add in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5892
|
#8 0x5654eef3fb9f in main /data/src/10.4/sql/main.cc:25
|
#9 0x7ff75b3912e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
|
|
|
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/mysys/list.c:52 in list_delete
|
Shadow bytes around the buggy address:
|
0x0c307fffc8a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c307fffc8b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c307fffc8c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c307fffc8d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c307fffc8e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
=>0x0c307fffc8f0: fd fd fd fd fd fd fd[fd]fd fd fd fa fa fa fa fa
|
0x0c307fffc900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c307fffc910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c307fffc920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c307fffc930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c307fffc940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Heap right redzone: fb
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack partial redzone: f4
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
==17429==ABORTING
|
Reproducible on 10.1-10.4, I didn't try 5.5. The failure however appeared after 5.5 merge, apparently with this commit:
commit afb4878703e71307af0fe8723f8ab10e8d4e0288
|
Author: Sergey Vojtovich
|
Date: Tue Jun 25 15:52:05 2019 +0400
|
|
|
MDEV-18783 - Server crash in hp_rb_make_key
|
Attachments
Issue Links
- is caused by
-
-
- Closed
-