Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-21066

AddressSanitizer: heap-use-after-free in ha_maria::implicit_commit upon ALTER under lock

    XMLWordPrintable

    Details

      Description

      Note: I'm filing it for the record, as it seems to affect 10.1 only, it was most likely fixed in higher versions by one of numerous related patches, e.g. MDEV-10748, MDEV-18451, etc. I didn't bisect to find out which exactly patch made it go away on 10.2+.

      Note: The failure is reproducible on 10.1 ASAN non-debug build. On a debug build, with and without ASAN, the test case causes assertion failure MDEV-18418 instead.

      CREATE TABLE t1 (pk INT PRIMARY KEY, a INT) ENGINE=Aria;
      CREATE VIEW v1 AS SELECT * FROM t1;
      CREATE TABLE t2 (f INT) ENGINE=Aria;
       
      LOCK TABLES t1 READ, t2 WRITE, v1 WRITE;
      ALTER TABLE t1 CHANGE COLUMN a b INT AFTER pk;
       
      # Cleanup
      UNLOCK TABLES;
      DROP VIEW v1;
      DROP TABLE t1, t2;
      

      10.1 non-debug ASAN build

      ==22096==ERROR: AddressSanitizer: heap-use-after-free on address 0x6290000c8218 at pc 0x56373cec287d bp 0x7f74d99ec7f0 sp 0x7f74d99ec7e8
      READ of size 8 at 0x6290000c8218 thread T6
          #0 0x56373cec287c in ha_maria::implicit_commit(THD*, bool) /data/src/10.1/storage/maria/ha_maria.cc:2922
          #1 0x56373caa3659 in ha_commit_trans(THD*, bool) /data/src/10.1/sql/handler.cc:1391
          #2 0x56373c8e4f8c in trans_commit_implicit(THD*) /data/src/10.1/sql/transaction.cc:294
          #3 0x56373c65bdf4 in mysql_execute_command(THD*) /data/src/10.1/sql/sql_parse.cc:5555
          #4 0x56373c65d93e in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.1/sql/sql_parse.cc:7209
          #5 0x56373c6640b5 in dispatch_command(enum_server_command, THD*, char*, unsigned int) /data/src/10.1/sql/sql_parse.cc:1499
          #6 0x56373c66a696 in do_command(THD*) /data/src/10.1/sql/sql_parse.cc:1131
          #7 0x56373c8be023 in do_handle_one_connection(THD*) /data/src/10.1/sql/sql_connect.cc:1331
          #8 0x56373c8be5a9 in handle_one_connection /data/src/10.1/sql/sql_connect.cc:1242
          #9 0x56373d101bad in pfs_spawn_thread /data/src/10.1/storage/perfschema/pfs.cc:1861
          #10 0x7f74e500c4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
          #11 0x7f74e3a22d0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
       
      0x6290000c8218 is located 24 bytes inside of 18224-byte region [0x6290000c8200,0x6290000cc930)
      freed by thread T6 here:
          #0 0x7f74e52e3a10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
          #1 0x56373d6668ea in my_free /data/src/10.1/mysys/my_malloc.c:218
       
      previously allocated by thread T6 here:
          #0 0x7f74e52e3d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
          #1 0x56373d666708 in my_malloc /data/src/10.1/mysys/my_malloc.c:101
       
      Thread T6 created by T0 here:
          #0 0x7f74e5252f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
          #1 0x56373d10c0bc in spawn_thread_v1 /data/src/10.1/storage/perfschema/pfs.cc:1911
       
      SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.1/storage/maria/ha_maria.cc:2922 in ha_maria::implicit_commit(THD*, bool)
      Shadow bytes around the buggy address:
        0x0c5280010ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c5280011000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c5280011010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c5280011020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c5280011030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      =>0x0c5280011040: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c5280011050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c5280011060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c5280011070: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c5280011080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c5280011090: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==22096==ABORTING
      

        Attachments

          Activity

            People

            Assignee:
            Unassigned
            Reporter:
            elenst Elena Stepanova
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Dates

              Created:
              Updated: