Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-22600

Various ASAN use-after-poison errors or Assertion `prebuilt->mysql_prefix_len <= prebuilt->mysql_row_len' failed in row_sel_dequeue_cached_row_for_mysql upon SIMULTANEOUS_ASSIGNMENT and geometry

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Open (View Workflow)
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 10.3, 10.4, 10.5
    • Fix Version/s: 10.3, 10.4, 10.5
    • Component/s: GIS, Variables
    • Labels:
      None

      Description

      --source include/have_innodb.inc
       
      CREATE TABLE t1 (pk INT AUTO_INCREMENT PRIMARY KEY, g GEOMETRY, i INT) ENGINE=InnoDB;
      INSERT INTO t1 () VALUES (),(),(),(),(),(),(),();
      SET SQL_MODE= 'SIMULTANEOUS_ASSIGNMENT';
      --error ER_CANT_CREATE_GEOMETRY_OBJECT
      UPDATE t1 SET i = NULL, g = 'foo';
      SELECT * FROM t1 ORDER BY i;
       
      # Cleanup
      DROP TABLE t1;
      

      10.3 38d62189

      mysqld: /data/src/10.3/storage/innobase/row/row0sel.cc:3723: void row_sel_dequeue_cached_row_for_mysql(byte*, row_prebuilt_t*): Assertion `prebuilt->mysql_prefix_len <= prebuilt->mysql_row_len' failed.
      200517  2:00:24 [ERROR] mysqld got signal 6 ;
       
      #7  0x00007f220650df12 in __GI___assert_fail (assertion=0x55a690ffe638 "prebuilt->mysql_prefix_len <= prebuilt->mysql_row_len", file=0x55a690ffd618 "/data/src/10.3/storage/innobase/row/row0sel.cc", line=3723, function=0x55a691001f40 <row_sel_dequeue_cached_row_for_mysql(unsigned char*, row_prebuilt_t*)::__PRETTY_FUNCTION__> "void row_sel_dequeue_cached_row_for_mysql(byte*, row_prebuilt_t*)") at assert.c:101
      #8  0x000055a690854062 in row_sel_dequeue_cached_row_for_mysql (buf=0x7f21ac1654b0 "\377\005", prebuilt=0x7f21ac0a18e0) at /data/src/10.3/storage/innobase/row/row0sel.cc:3723
      #9  0x000055a690855dc8 in row_search_mvcc (buf=0x7f21ac1654b0 "\377\005", mode=PAGE_CUR_UNSUPP, prebuilt=0x7f21ac0a18e0, match_mode=0, direction=1) at /data/src/10.3/storage/innobase/row/row0sel.cc:4315
      #10 0x000055a690677a1e in ha_innobase::general_fetch (this=0x7f21ac0a1138, buf=0x7f21ac1654b0 "\377\005", direction=1, match_mode=0) at /data/src/10.3/storage/innobase/handler/ha_innodb.cc:9529
      #11 0x000055a690677fa2 in ha_innobase::rnd_next (this=0x7f21ac0a1138, buf=0x7f21ac1654b0 "\377\005") at /data/src/10.3/storage/innobase/handler/ha_innodb.cc:9738
      #12 0x000055a6904488f4 in handler::ha_rnd_next (this=0x7f21ac0a1138, buf=0x7f21ac1654b0 "\377\005") at /data/src/10.3/sql/handler.cc:2847
      #13 0x000055a69043bd58 in find_all_keys (thd=0x7f21ac000af0, param=0x7f220010a0b0, select=0x7f21ac0151b0, fs_info=0x7f21ac166ee0, buffpek_pointers=0x7f220010a2b0, tempfile=0x7f220010a140, pq=0x0, found_rows=0x7f21ac1670c0) at /data/src/10.3/sql/filesort.cc:774
      #14 0x000055a69043a27b in filesort (thd=0x7f21ac000af0, table=0x7f21ac1858e0, filesort=0x7f21ac015380, tracker=0x7f21ac015a20, join=0x7f21ac0132e8, first_table_bit=1) at /data/src/10.3/sql/filesort.cc:268
      #15 0x000055a6901ab1b5 in create_sort_index (thd=0x7f21ac000af0, join=0x7f21ac0132e8, tab=0x7f21ac0148a0, fsort=0x7f21ac015380) at /data/src/10.3/sql/sql_select.cc:22890
      #16 0x000055a6901a545c in st_join_table::sort_table (this=0x7f21ac0148a0) at /data/src/10.3/sql/sql_select.cc:20656
      #17 0x000055a6901a5037 in join_init_read_record (tab=0x7f21ac0148a0) at /data/src/10.3/sql/sql_select.cc:20597
      #18 0x000055a6901a2dd2 in sub_select (join=0x7f21ac0132e8, join_tab=0x7f21ac0148a0, end_of_records=false) at /data/src/10.3/sql/sql_select.cc:19678
      #19 0x000055a6901a22be in do_select (join=0x7f21ac0132e8, procedure=0x0) at /data/src/10.3/sql/sql_select.cc:19221
      #20 0x000055a690179213 in JOIN::exec_inner (this=0x7f21ac0132e8) at /data/src/10.3/sql/sql_select.cc:4102
      #21 0x000055a6901785e6 in JOIN::exec (this=0x7f21ac0132e8) at /data/src/10.3/sql/sql_select.cc:3896
      #22 0x000055a6901798f7 in mysql_select (thd=0x7f21ac000af0, tables=0x7f21ac012a20, wild_num=1, fields=..., conds=0x0, og_num=1, order=0x7f21ac0131a8, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f21ac0132c0, unit=0x7f21ac0049b8, select_lex=0x7f21ac005140) at /data/src/10.3/sql/sql_select.cc:4301
      #23 0x000055a69016af44 in handle_select (thd=0x7f21ac000af0, lex=0x7f21ac0048f8, result=0x7f21ac0132c0, setup_tables_done_option=0) at /data/src/10.3/sql/sql_select.cc:370
      #24 0x000055a6901328d6 in execute_sqlcom_select (thd=0x7f21ac000af0, all_tables=0x7f21ac012a20) at /data/src/10.3/sql/sql_parse.cc:6293
      #25 0x000055a69012904f in mysql_execute_command (thd=0x7f21ac000af0) at /data/src/10.3/sql/sql_parse.cc:3820
      #26 0x000055a690136be1 in mysql_parse (thd=0x7f21ac000af0, rawbuf=0x7f21ac012818 "SELECT * FROM t1 ORDER BY i", length=27, parser_state=0x7f220010b5e0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:7817
      #27 0x000055a69012344f in dispatch_command (command=COM_QUERY, thd=0x7f21ac000af0, packet=0x7f21ac008c71 "", packet_length=27, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1856
      #28 0x000055a690121d67 in do_command (thd=0x7f21ac000af0) at /data/src/10.3/sql/sql_parse.cc:1401
      #29 0x000055a69029a017 in do_handle_one_connection (connect=0x55a693fc0250) at /data/src/10.3/sql/sql_connect.cc:1403
      #30 0x000055a690299d79 in handle_one_connection (arg=0x55a693fc0250) at /data/src/10.3/sql/sql_connect.cc:1308
      #31 0x000055a690c4e70c in pfs_spawn_thread (arg=0x55a693fdb200) at /data/src/10.3/storage/perfschema/pfs.cc:1869
      #32 0x00007f22084964a4 in start_thread (arg=0x7f220010c700) at pthread_create.c:456
      #33 0x00007f22065cad0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
      

      Reproducible on 10.3-10.5.
      The test case is not applicable to 10.2 due to SIMULTANEOUS_ASSIGNMENT.

      Normal release build doesn't show any problem, but RelWithDebInfo build with ASAN does:

      10.5 0186b0a0 RelWithDebInfo + ASAN

      ==7783==ERROR: AddressSanitizer: use-after-poison on address 0x619000114111 at pc 0x7f067f703f7f bp 0x7f066e2065a0 sp 0x7f066e205d50
      READ of size 4 at 0x619000114111 thread T15
          #0 0x7f067f703f7e  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cf7e)
          #1 0x5580e3a6fde8 in row_sel_store_mysql_field /data/src/10.5/storage/innobase/row/row0sel.cc:2966
          #2 0x5580e3a70343 in row_sel_store_mysql_rec /data/src/10.5/storage/innobase/row/row0sel.cc:3146
          #3 0x5580e4ccc3a3 in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /data/src/10.5/storage/innobase/row/row0sel.cc:5451
          #4 0x5580e4a8e57d in ha_innobase::index_read(unsigned char*, unsigned char const*, unsigned int, ha_rkey_function) /data/src/10.5/storage/innobase/handler/ha_innodb.cc:8973
          #5 0x5580e4a8ed96 in ha_innobase::index_first(unsigned char*) /data/src/10.5/storage/innobase/handler/ha_innodb.cc:9346
          #6 0x5580e4a8ed96 in ha_innobase::rnd_next(unsigned char*) /data/src/10.5/storage/innobase/handler/ha_innodb.cc:9439
          #7 0x5580e4281a55 in handler::ha_rnd_next(unsigned char*) /data/src/10.5/sql/handler.cc:2991
          #8 0x5580e426e821 in find_all_keys /data/src/10.5/sql/filesort.cc:892
          #9 0x5580e426e821 in filesort(THD*, TABLE*, Filesort*, Filesort_tracker*, JOIN*, unsigned long long) /data/src/10.5/sql/filesort.cc:361
          #10 0x5580e3dfd5d8 in create_sort_index(THD*, JOIN*, st_join_table*, Filesort*) /data/src/10.5/sql/sql_select.cc:23870
          #11 0x5580e3dfde38 in st_join_table::sort_table() /data/src/10.5/sql/sql_select.cc:21599
          #12 0x5580e3dfdffb in join_init_read_record(st_join_table*) /data/src/10.5/sql/sql_select.cc:21538
          #13 0x5580e3dd1464 in sub_select(JOIN*, st_join_table*, bool) /data/src/10.5/sql/sql_select.cc:20612
          #14 0x5580e3e4084e in do_select /data/src/10.5/sql/sql_select.cc:20149
          #15 0x5580e3e4084e in JOIN::exec_inner() /data/src/10.5/sql/sql_select.cc:4464
          #16 0x5580e3e414bd in JOIN::exec() /data/src/10.5/sql/sql_select.cc:4245
          #17 0x5580e3e3ac56 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.5/sql/sql_select.cc:4669
          #18 0x5580e3e3d1bb in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.5/sql/sql_select.cc:429
          #19 0x5580e3a42ece in execute_sqlcom_select /data/src/10.5/sql/sql_parse.cc:6172
          #20 0x5580e3d336a7 in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:3901
          #21 0x5580e3d46014 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.5/sql/sql_parse.cc:7957
          #22 0x5580e3d2a706 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5/sql/sql_parse.cc:1840
          #23 0x5580e3d26176 in do_command(THD*) /data/src/10.5/sql/sql_parse.cc:1359
          #24 0x5580e3fd3867 in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1411
          #25 0x5580e3fd4576 in handle_one_connection /data/src/10.5/sql/sql_connect.cc:1313
          #26 0x5580e48d6e33 in pfs_spawn_thread /data/src/10.5/storage/perfschema/pfs.cc:2201
          #27 0x7f067f4914a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
          #28 0x7f067d5c5d0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
       
      0x619000114111 is located 401 bytes inside of 1008-byte region [0x619000113f80,0x619000114370)
      allocated by thread T15 here:
          #0 0x7f067f768d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
          #1 0x5580e51df153 in my_malloc /data/src/10.5/mysys/my_malloc.c:88
       
      Thread T15 created by T0 here:
          #0 0x7f067f6d7f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
          #1 0x5580e48d70aa in my_thread_create /data/src/10.5/storage/perfschema/my_thread.h:34
          #2 0x5580e48d70aa in pfs_spawn_thread_v1 /data/src/10.5/storage/perfschema/pfs.cc:2252
       
      SUMMARY: AddressSanitizer: use-after-poison (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cf7e) 
      Shadow bytes around the buggy address:
        0x0c328001a7d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c328001a7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c328001a7f0: 00 00 00 00 00 00 f7 00 00 f7 01 f7 00 00 00 00
        0x0c328001a800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c328001a810: 00 00 00 00 00 00 00 00 00 02 f7 00 f7 00 00 05
      =>0x0c328001a820: f7 01[f7]00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c328001a830: f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c328001a840: 00 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 00
        0x0c328001a850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c328001a860: 00 00 00 00 00 00 00 00 f7 00 00 f7 f7 f7 fa fa
        0x0c328001a870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==7783==ABORTING
      200517  2:03:38 [ERROR] mysqld got signal 6 ;
      This could be because you hit a bug. It is also possible that this binary
      or one of the libraries it was linked against is corrupt, improperly built,
      or misconfigured. This error can also be caused by malfunctioning hardware.
       
      To report this bug, see https://mariadb.com/kb/en/reporting-bugs
       
      We will try our best to scrape up some info that will hopefully help
      diagnose the problem, but since we have already crashed, 
      something is definitely wrong and this may fail.
       
      Server version: 10.5.4-MariaDB-log
      key_buffer_size=1048576
      read_buffer_size=131072
      max_used_connections=1
      max_threads=153
      thread_count=2
      It is possible that mysqld could use up to 
      key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 63597 K  bytes of memory
      Hope that's ok; if not, decrease some variables in the equation.
       
      Thread pointer: 0x62b00007e218
      Attempting backtrace. You can use the following information to find out
      where mysqld died. If you see no messages after this, something went
      terribly wrong...
      stack_bottom = 0x7f066e20a8e0 thread_stack 0x5fc00
      ??:0(backtrace)[0x7f067f6f4681]
      mysys/stacktrace.c:307(my_print_stacktrace)[0x5580e51e7ac6]
      sql/signal_handler.cc:210(handle_fatal_signal)[0x5580e4272df6]
      ??:0(__restore_rt)[0x7f067f49b0e0]
      linux/raise.c:51(__GI_raise)[0x7f067d50ffff]
      stdlib/abort.c:91(__GI_abort)[0x7f067d51142a]
      ??:0(__sanitizer_cov_trace_switch)[0x7f067f782329]
      ??:0(__asan_print_accumulated_stats)[0x7f067f7779ab]
      ??:0(__asan_unpoison_intra_object_redzone)[0x7f067f771b57]
      ??:0(__interceptor_if_indextoname)[0x7f067f703f9e]
      /data/bld/10.5-rel-asan/bin/mariadbd(+0x8c5de9)[0x5580e3a6fde9]
      row/row0sel.cc:2967(row_sel_store_mysql_field(unsigned char*, row_prebuilt_t*, unsigned char const*, dict_index_t const*, unsigned short const*, unsigned long, mysql_row_templ_t const*))[0x5580e3a70344]
      row/row0sel.cc:3146(row_sel_store_mysql_rec(unsigned char*, row_prebuilt_t*, unsigned char const*, dtuple_t const*, bool, dict_index_t const*, unsigned short const*))[0x5580e4ccc3a4]
      row/row0sel.cc:5451(row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long))[0x5580e4a8e57e]
      handler/ha_innodb.cc:8975(ha_innobase::index_read(unsigned char*, unsigned char const*, unsigned int, ha_rkey_function))[0x5580e4a8ed97]
      handler/ha_innodb.cc:9351(ha_innobase::index_first(unsigned char*))[0x5580e4281a56]
      sql/handler.cc:2991(handler::ha_rnd_next(unsigned char*))[0x5580e426e822]
      sql/filesort.cc:892(find_all_keys)[0x5580e3dfd5d9]
      sql/sql_select.cc:23872(create_sort_index(THD*, JOIN*, st_join_table*, Filesort*))[0x5580e3dfde39]
      sql/sql_select.cc:21601(st_join_table::sort_table())[0x5580e3dfdffc]
      sql/sql_select.cc:21538(join_init_read_record(st_join_table*))[0x5580e3dd1465]
      sql/sql_select.cc:20613(sub_select(JOIN*, st_join_table*, bool))[0x5580e3e4084f]
      sql/sql_select.cc:20150(do_select)[0x5580e3e414be]
      sql/sql_select.cc:4246(JOIN::exec())[0x5580e3e3ac57]
      sql/sql_select.cc:4671(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x5580e3e3d1bc]
      sql/sql_select.cc:429(handle_select(THD*, LEX*, select_result*, unsigned long))[0x5580e3a42ecf]
      sql/sql_parse.cc:6172(execute_sqlcom_select(THD*, TABLE_LIST*))[0x5580e3d336a8]
      sql/sql_parse.cc:3901(mysql_execute_command(THD*))[0x5580e3d46015]
      sql/sql_parse.cc:7974(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x5580e3d2a707]
      sql/sql_parse.cc:1842(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x5580e3d26177]
      sql/sql_parse.cc:1359(do_command(THD*))[0x5580e3fd3868]
      sql/sql_connect.cc:1411(do_handle_one_connection(CONNECT*, bool))[0x5580e3fd4577]
      sql/sql_connect.cc:1317(handle_one_connection)[0x5580e48d6e34]
      nptl/pthread_create.c:456(start_thread)[0x7f067f4914a4]
      x86_64/clone.S:99(clone)[0x7f067d5c5d0f]
       
      Trying to get some variables.
      Some pointers may be invalid and cause the dump to abort.
      Query (0x62b000077238): SELECT * FROM t1 ORDER BY i
      Connection ID (thread ID): 4
      Status: NOT_KILLED
       
      Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off
       
      The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains
      information that should help you find out what is causing the crash.
      Writing a core file...
      Working directory at /dev/shm/var_auto_gAa7/mysqld.1/d...
      Resource Limits:
      Limit                     Soft Limit           Hard Limit           Units     
      Max cpu time              unlimited            unlimited            seconds   
      Max file size             unlimited            unlimited            bytes     
      Max data size             unlimited            unlimited            bytes     
      Max stack size            8388608              unlimited            bytes     
      Max core file size        0                    0                    bytes     
      Max resident set          unlimited            unlimited            bytes     
      Max processes             128123               128123               processes 
      Max open files            1024                 1024                 files     
      Max locked memory         65536                65536                bytes     
      Max address space         unlimited            unlimited            bytes     
      Max file locks            unlimited            unlimited            locks     
      Max pending signals       128123               128123               signals   
      Max msgqueue size         819200               819200               bytes     
      Max nice priority         0                    0                    
      Max realtime priority     0                    0                    
      Max realtime timeout      unlimited            unlimited            us        
      Core pattern: co...
      

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              holyfoot Alexey Botchkov
              Reporter:
              elenst Elena Stepanova
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:

                  Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.