[MDEV-22903] heap-use-after-free while accessing fts cache deleted doc ids - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.1(EOL), 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5
Fix Version/s: 10.1.46, 10.2.33, 10.3.24, 10.4.14, 10.5.5
Component/s: Storage Engine - InnoDB
Labels:
- rr-profile-analyzed

Description

ASAN failure hit during RQG testing

==60090==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a000120730 at pc 0x561a4926e8ef bp 0x683e3e275840 sp 0x683e3e275830

READ of size 8 at 0x61a000120730 thread T69

    #0 0x561a4926e8ee in ib_vector_size storage/innobase/include/ut0vec.ic:118

    #1 0x561a4928f11e in fts_cache_append_deleted_doc_ids(fts_cache_t const*, ib_vector_t*) storage/innobase/fts/fts0fts.cc:5188

    #2 0x561a492c7b94 in fts_query(trx_t*, dict_index_t*, unsigned int, unsigned char const*, unsigned long, fts_result_t**) storage/innobase/fts/fts0que.cc:4007

    #3 0x561a48ab1579 in ha_innobase::ft_init_ext(unsigned int, unsigned int, String*) storage/innobase/handler/ha_innodb.cc:9597

    #4 0x561a4812b2b8 in Item_func_match::init_search(THD*, bool) sql/item_func.cc:6068

    #5 0x561a4766d157 in init_ftfuncs(THD*, st_select_lex*, bool) sql/sql_base.cc:8909

    #6 0x561a47897823 in JOIN::optimize_stage2() sql/sql_select.cc:2778

    #7 0x561a47891e14 in JOIN::optimize_inner() sql/sql_select.cc:2262

    #8 0x561a4788b046 in JOIN::optimize() sql/sql_select.cc:1612

    #9 0x561a478ab46c in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) sql/sql_select.cc:4635

    #10 0x561a4787d812 in handle_select(THD*, LEX*, select_result*, unsigned long) sql/sql_select.cc:417

    #11 0x561a477edfe4 in execute_sqlcom_select sql/sql_parse.cc:6208

    #12 0x561a477dd313 in mysql_execute_command(THD*) sql/sql_parse.cc:3939

    #13 0x561a477f9138 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) sql/sql_parse.cc:7992

    #14 0x561a477cfc8c in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) sql/sql_parse.cc:1874

    #15 0x561a477cc50a in do_command(THD*) sql/sql_parse.cc:1355

    #16 0x561a47bf9a47 in do_handle_one_connection(CONNECT*, bool) sql/sql_connect.cc:1411

    #17 0x561a47bf93a5 in handle_one_connection sql/sql_connect.cc:1313

    #18 0x561a488b3096 in pfs_spawn_thread storage/perfschema/pfs.cc:2201

    #19 0x3d597f56b6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)

    #20 0x7f49706bd88e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)

...

Query (0x62b0000f5238): SELECT `c12`,MATCH (`c3`) AGAINST ('one-third' IN NATURAL LANGUAGE MODE ) AS SCORE FROM `table400_innodb_int_autoinc` WHERE MATCH (`c2`) AGAINST ('personality' IN NATURAL LANGUAGE MODE ) != 1

origin/10.5 574ef3800567a24a57812d46118579fb08aaf243 2020-06-13T11:59:34+03:00

RQG

git clone https://github.com/mleich1/rqg --branch experimental RQG

origin/experimental 611a31e38a3bc157392c0748c95991b6a248bb3b 2020-06-09T15:31:46+02:00

perl rqg.pl \

--gendata=conf/engines/innodb/full_text_search.zz \

--short_column_names \

--grammar=conf/engines/innodb/full_text_search.yy \

--redefine=conf/mariadb/alter_table.yy \

--redefine=conf/mariadb/instant_add.yy \

--redefine=conf/mariadb/modules/alter_table_columns.yy \

--redefine=conf/mariadb/sp.yy \

--redefine=conf/mariadb/bulk_insert.yy \

--redefine=conf/mariadb/modules/foreign_keys.yy \

--redefine=conf/mariadb/modules/locks.yy \

--redefine=conf/mariadb/modules/sql_mode.yy \

--redefine=conf/mariadb/redefine_temporary_tables.yy \

--redefine=conf/mariadb/versioning.yy \

--redefine=conf/mariadb/sequences.yy \

--mysqld=--innodb_use_native_aio=1 \

--mysqld=--innodb_stats_persistent=off \

--mysqld=--innodb_lock_schedule_algorithm=fcfs \

--mysqld=--loose-idle_write_transaction_timeout=0 \

--mysqld=--loose-idle_transaction_timeout=0 \

--mysqld=--loose-idle_readonly_transaction_timeout=0 \

--mysqld=--connect_timeout=60 \

--mysqld=--interactive_timeout=28800 \

--mysqld=--slave_net_timeout=60 \

--mysqld=--net_read_timeout=30 \

--mysqld=--net_write_timeout=60 \

--mysqld=--loose-table_lock_wait_timeout=50 \

--mysqld=--wait_timeout=28800 \

--mysqld=--lock-wait-timeout=86400 \

--mysqld=--innodb-lock-wait-timeout=50 \

--no-mask \

--queries=10000000 \

--seed=random \

--reporters=Backtrace \

--reporters=ErrorLog \

--reporters=Deadlock1 \

--validators=None \

--mysqld=--log_output=none \

--mysqld=--log-bin \

--mysqld=--log_bin_trust_function_creators=1 \

--mysqld=--loose-max-statement-time=30 \

--mysqld=--loose-debug_assert_on_not_freed_memory=0 \

--engine=InnoDB \

--restart_timeout=120 \

--duration=300 \

--mysqld=--loose-innodb_fatal_semaphore_wait_threshold=300 \

--mysqld=--loose-innodb-sync-debug \

--threads=33 \

--mysqld=--innodb_page_size=64K \

--mysqld=--innodb-buffer-pool-size=256M \

--duration=300 \

--no_mask \

... certain local settings ...

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

001987.log
220 kB
2020-06-15 20:01

Activity

People

Assignee:: Thirunarayanan Balathandayuthapani

Reporter:: Matthias Leich

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2020-06-15 19:58

Updated:: 2020-07-23 11:05

Resolved:: 2020-07-23 11:05

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.