MariaDB Server: MDEV-22480

Galera AddressSanitizer: heap-buffer-overflow on galera_sr.GCF-1043B test


    Details

    • Type: Task
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Fix Version/s: 10.4, 10.5
    • Component/s: Galera
    • Labels: None

      Description

      ==94117==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000093b8 at pc 0x55d86ff42938 bp 0x7fb3c97f15e0 sp 0x7fb3c97f15d0
      READ of size 8 at 0x6020000093b8 thread T22
          #0 0x55d86ff42937 in Wsrep_schema::remove_fragments(THD*, wsrep::id const&, wsrep::transaction_id, std::vector<wsrep::seqno, std::allocator<wsrep::seqno> > const&) /home/jan/mysql/10.5/sql/wsrep_schema.cc:1086
          #1 0x55d86fee1174 in Wsrep_client_service::remove_fragments() /home/jan/mysql/10.5/sql/wsrep_client_service.cc:202
          #2 0x55d870bf69db in wsrep::transaction::before_prepare(wsrep::unique_lock<wsrep::mutex>&) /home/jan/mysql/10.5/wsrep-lib/src/transaction.cpp:307
          #3 0x55d870bf7468 in wsrep::transaction::before_commit() /home/jan/mysql/10.5/wsrep-lib/src/transaction.cpp:438
          #4 0x55d86f4e6fbb in wsrep::client_state::before_commit() /home/jan/mysql/10.5/wsrep-lib/include/wsrep/client_state.hpp:472
          #5 0x55d86f49f49b in wsrep_before_commit /home/jan/mysql/10.5/sql/wsrep_trans_observer.h:274
          #6 0x55d86f4a8120 in ha_commit_trans(THD*, bool) /home/jan/mysql/10.5/sql/handler.cc:1646
          #7 0x55d86f122b35 in trans_commit_stmt(THD*) /home/jan/mysql/10.5/sql/transaction.cc:462
          #8 0x55d86ecd5490 in mysql_execute_command(THD*) /home/jan/mysql/10.5/sql/sql_parse.cc:5967
          #9 0x55d86ece28dd in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/jan/mysql/10.5/sql/sql_parse.cc:7953
          #10 0x55d86ece167a in wsrep_mysql_parse /home/jan/mysql/10.5/sql/sql_parse.cc:7756
          #11 0x55d86ecb7ff1 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/jan/mysql/10.5/sql/sql_parse.cc:1825
          #12 0x55d86ecb4bbc in do_command(THD*) /home/jan/mysql/10.5/sql/sql_parse.cc:1358
          #13 0x55d86f0e44eb in do_handle_one_connection(CONNECT*, bool) /home/jan/mysql/10.5/sql/sql_connect.cc:1422
          #14 0x55d86f0e3d97 in handle_one_connection /home/jan/mysql/10.5/sql/sql_connect.cc:1319
          #15 0x55d86fdbf206 in pfs_spawn_thread /home/jan/mysql/10.5/storage/perfschema/pfs.cc:2201
          #16 0x7fb3e5a28608 in start_thread /build/glibc-YYA7BZ/glibc-2.31/nptl/pthread_create.c:477
          #17 0x7fb3e55fc102 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122102)
       
      0x6020000093b8 is located 0 bytes to the right of 8-byte region [0x6020000093b0,0x6020000093b8)
      allocated by thread T22 here:
          #0 0x7fb3e5ffe947 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0x10f947)
          #1 0x55d870c0fe3a in __gnu_cxx::new_allocator<wsrep::seqno>::allocate(unsigned long, void const*) /usr/include/c++/9/ext/new_allocator.h:114
          #2 0x55d870c0da75 in std::allocator_traits<std::allocator<wsrep::seqno> >::allocate(std::allocator<wsrep::seqno>&, unsigned long) /usr/include/c++/9/bits/alloc_traits.h:444
          #3 0x55d870c0aba1 in std::_Vector_base<wsrep::seqno, std::allocator<wsrep::seqno> >::_M_allocate(unsigned long) /usr/include/c++/9/bits/stl_vector.h:343
          #4 0x55d870c07522 in void std::vector<wsrep::seqno, std::allocator<wsrep::seqno> >::_M_realloc_insert<wsrep::seqno const&>(__gnu_cxx::__normal_iterator<wsrep::seqno*, std::vector<wsrep::seqno, std::allocator<wsrep::seqno> > >, wsrep::seqno const&) /usr/include/c++/9/bits/vector.tcc:440
          #5 0x55d870c055f6 in std::vector<wsrep::seqno, std::allocator<wsrep::seqno> >::push_back(wsrep::seqno const&) /usr/include/c++/9/bits/stl_vector.h:1195
          #6 0x55d870c03d00 in wsrep::streaming_context::stored(wsrep::seqno) /home/jan/mysql/10.5/wsrep-lib/include/wsrep/streaming_context.hpp:117
          #7 0x55d870bfeb89 in wsrep::transaction::certify_fragment(wsrep::unique_lock<wsrep::mutex>&) /home/jan/mysql/10.5/wsrep-lib/src/transaction.cpp:1356
          #8 0x55d870bfd6cb in wsrep::transaction::streaming_step(wsrep::unique_lock<wsrep::mutex>&, bool) /home/jan/mysql/10.5/wsrep-lib/src/transaction.cpp:1229
          #9 0x55d870bf654a in wsrep::transaction::after_row() /home/jan/mysql/10.5/wsrep-lib/src/transaction.cpp:265
          #10 0x55d86f4e69ec in wsrep::client_state::after_row() /home/jan/mysql/10.5/wsrep-lib/include/wsrep/client_state.hpp:369
          #11 0x55d86f49e68f in wsrep_after_row /home/jan/mysql/10.5/sql/wsrep_trans_observer.h:172
          #12 0x55d86f4d3b2b in wsrep_after_row /home/jan/mysql/10.5/sql/handler.cc:6559
          #13 0x55d86f4d9cf2 in handler::ha_update_row(unsigned char const*, unsigned char const*) /home/jan/mysql/10.5/sql/handler.cc:7014
          #14 0x55d86efb9fa0 in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*) /home/jan/mysql/10.5/sql/sql_update.cc:1056
          #15 0x55d86ecc89a4 in mysql_execute_command(THD*) /home/jan/mysql/10.5/sql/sql_parse.cc:4363
          #16 0x55d86ece28dd in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/jan/mysql/10.5/sql/sql_parse.cc:7953
          #17 0x55d86ece167a in wsrep_mysql_parse /home/jan/mysql/10.5/sql/sql_parse.cc:7756
          #18 0x55d86ecb7ff1 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/jan/mysql/10.5/sql/sql_parse.cc:1825
          #19 0x55d86ecb4bbc in do_command(THD*) /home/jan/mysql/10.5/sql/sql_parse.cc:1358
          #20 0x55d86f0e44eb in do_handle_one_connection(CONNECT*, bool) /home/jan/mysql/10.5/sql/sql_connect.cc:1422
          #21 0x55d86f0e3d97 in handle_one_connection /home/jan/mysql/10.5/sql/sql_connect.cc:1319
          #22 0x55d86fdbf206 in pfs_spawn_thread /home/jan/mysql/10.5/storage/perfschema/pfs.cc:2201
          #23 0x7fb3e5a28608 in start_thread /build/glibc-YYA7BZ/glibc-2.31/nptl/pthread_create.c:477
       
      Thread T22 created by T0 here:
          #0 0x7fb3e5f29805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
          #1 0x55d86fdba1fa in my_thread_create /home/jan/mysql/10.5/storage/perfschema/my_thread.h:34
          #2 0x55d86fdbf5f9 in pfs_spawn_thread_v1 /home/jan/mysql/10.5/storage/perfschema/pfs.cc:2252
          #3 0x55d86e9b2644 in inline_mysql_thread_create /home/jan/mysql/10.5/include/mysql/psi/mysql_thread.h:1321
          #4 0x55d86e9c8e50 in create_thread_to_handle_connection(CONNECT*) /home/jan/mysql/10.5/sql/mysqld.cc:6054
          #5 0x55d86e9c94c5 in create_new_thread(CONNECT*) /home/jan/mysql/10.5/sql/mysqld.cc:6113
          #6 0x55d86e9c981b in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/jan/mysql/10.5/sql/mysqld.cc:6178
          #7 0x55d86e9ca43c in handle_connections_sockets() /home/jan/mysql/10.5/sql/mysqld.cc:6305
          #8 0x55d86e9c85ad in mysqld_main(int, char**) /home/jan/mysql/10.5/sql/mysqld.cc:5713
          #9 0x55d86e9b0f1c in main /home/jan/mysql/10.5/sql/main.cc:25
          #10 0x7fb3e55010b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
       
      SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jan/mysql/10.5/sql/wsrep_schema.cc:1086 in Wsrep_schema::remove_fragments(THD*, wsrep::id const&, wsrep::transaction_id, std::vector<wsrep::seqno, std::allocator<wsrep::seqno> > const&)
      Shadow bytes around the buggy address:
        0x0c047fff9220: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
        0x0c047fff9230: fa fa fd fd fa fa fd fa fa fa fd fa fa fa 00 fa
        0x0c047fff9240: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
        0x0c047fff9250: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
        0x0c047fff9260: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
      =>0x0c047fff9270: fa fa fd fd fa fa 00[fa]fa fa fd fd fa fa fd fd
        0x0c047fff9280: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
        0x0c047fff9290: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
        0x0c047fff92a0: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
        0x0c047fff92b0: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
        0x0c047fff92c0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==94117==ABORTING
      200506 14:12:37 [ERROR] mysqld got signal 6 ;
      This could be because you hit a bug. It is also possible that this binary
      or one of the libraries it was linked against is corrupt, improperly built,
      or misconfigured. This error can also be caused by malfunctioning hardware.
       
      To report this bug, see https://mariadb.com/kb/en/reporting-bugs
       
      We will try our best to scrape up some info that will hopefully help
      diagnose the problem, but since we have already crashed, 
      something is definitely wrong and this may fail.
       
      Server version: 10.5.3-MariaDB-debug-log
      key_buffer_size=1048576
      read_buffer_size=131072
      max_used_connections=1
      max_threads=153
      thread_count=6
      It is possible that mysqld could use up to 
      key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 63700 K  bytes of memory
      Hope that's ok; if not, decrease some variables in the equation.
       
      Thread pointer: 0x62b000046288
      Attempting backtrace. You can use the following information to find out
      where mysqld died. If you see no messages after this, something went
      terribly wrong...
      stack_bottom = 0x7fb3c97f48d0 thread_stack 0x5fc00
      ??:0(__interceptor_tcgetattr)[0x7fb3e5f5bd30]
      /home/jan/mysql/10.5/sql/mariadbd(my_print_stacktrace+0xec)[0x55d870a52a82]
      /home/jan/mysql/10.5/sql/mariadbd(handle_fatal_signal+0x9ef)[0x55d86f49af44]
      sigaction.c:0(__restore_rt)[0x7fb3e5a343c0]
      ??:0(gsignal)[0x7fb3e552018b]
      ??:0(abort)[0x7fb3e54ff859]
      ??:0(__sanitizer_set_report_fd)[0x7fb3e601a6a2]
      ??:0(__sanitizer_get_module_and_offset_for_pc)[0x7fb3e602524c]
      ??:0(__sanitizer_ptr_cmp)[0x7fb3e60068ec]
      ??:0(__asan_on_error)[0x7fb3e6006363]
      ??:0(__asan_report_load8)[0x7fb3e60071ab]
      /home/jan/mysql/10.5/sql/mariadbd(_ZN12Wsrep_schema16remove_fragmentsEP3THDRKN5wsrep2idENS2_14transaction_idERKSt6vectorINS2_5seqnoESaIS8_EE+0x40e)[0x55d86ff42938]
      /home/jan/mysql/10.5/sql/mariadbd(_ZN20Wsrep_client_service16remove_fragmentsEv+0x1e5)[0x55d86fee1175]
      /home/jan/mysql/10.5/sql/mariadbd(_ZN5wsrep11transaction14before_prepareERNS_11unique_lockINS_5mutexEEE+0x3ea)[0x55d870bf69dc]
      /home/jan/mysql/10.5/sql/mariadbd(_ZN5wsrep11transaction13before_commitEv+0x3e7)[0x55d870bf7469]
      sql/wsrep_schema.cc:1086(Wsrep_schema::remove_fragments(THD*, wsrep::id const&, wsrep::transaction_id, std::vector<wsrep::seqno, std::allocator<wsrep::seqno> > const&))[0x55d86f4e6fbc]
      sql/wsrep_client_service.cc:205(Wsrep_client_service::remove_fragments())[0x55d86f49f49c]
      /home/jan/mysql/10.5/sql/mariadbd(_Z15ha_commit_transP3THDb+0x117b)[0x55d86f4a8121]
      src/transaction.cpp:307(wsrep::transaction::before_prepare(wsrep::unique_lock<wsrep::mutex>&))[0x55d86f122b36]
      src/transaction.cpp:438(wsrep::transaction::before_commit())[0x55d86ecd5491]
      wsrep/client_state.hpp:473(wsrep::client_state::before_commit())[0x55d86ece28de]
      sql/wsrep_trans_observer.h:274(wsrep_before_commit(THD*, bool))[0x55d86ece167b]
      sql/handler.cc:1646(ha_commit_trans(THD*, bool))[0x55d86ecb7ff2]
      sql/transaction.cc:462(trans_commit_stmt(THD*))[0x55d86ecb4bbd]
      sql/sql_parse.cc:5968(mysql_execute_command(THD*))[0x55d86f0e44ec]
      sql/sql_parse.cc:7953(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55d86f0e3d98]
      sql/sql_parse.cc:7767(wsrep_mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55d86fdbf207]
      nptl/pthread_create.c:478(start_thread)[0x7fb3e5a28609]
      ??:0(clone)[0x7fb3e55fc103]
       
      Trying to get some variables.
      Some pointers may be invalid and cause the dump to abort.
      Query (0x62b0000312a8): UPDATE t1 SET f2 = 'y' WHERE f1 = 1 OR f1 = 2
      Connection ID (thread ID): 10
      Status: KILL_QUERY
      

      People

      Assignee: teemu.ollakka Teemu Ollakka
      Reporter: jplindst Jan Lindström