To reproduce, build MariaDB server with ASAN enabled -DWITH_ASAN:BOOL=ON, enable Galera/wsrep and run sysbench load against one node:
sysbench --mysql-user=root --mysql-socket=/tmp/mysqld.1.sock --mysql-db=test --threads=32 --time=3600 --report-interval=1 oltp_read_write run
|
From different terminal, run "show processlist" against the same node repeatedly:
while mysql --user=root -S/tmp/mysqld.1.sock -e "show processlist"; do sleep 1; done
|
The server process will eventually crash with error:
==22561==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7f370f7b6700 at pc 0x7f37328ec66e bp 0x7f370ff88050 sp 0x7f370ff877f8
|
READ of size 49 at 0x7f370f7b6700 thread T41
|
#0 0x7f37328ec66d (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5166d)
|
#1 0x564d516a750e in Protocol::store(char const*, charset_info_st const*) /home/teemu/work/git/mariadb-server/sql/protocol.cc:1029
|
#2 0x564d51a793dc in mysqld_list_processes(THD*, char const*, bool) /home/teemu/work/git/mariadb-server/sql/sql_show.cc:2736
|
#3 0x564d518e060a in mysql_execute_command(THD*) /home/teemu/work/git/mariadb-server/sql/sql_parse.cc:4512
|
#4 0x564d518f7ae2 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/teemu/work/git/mariadb-server/sql/sql_parse.cc:7733
|
#5 0x564d518f6597 in wsrep_mysql_parse /home/teemu/work/git/mariadb-server/sql/sql_parse.cc:7525
|
#6 0x564d518ce72f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/teemu/work/git/mariadb-server/sql/sql_parse.cc:1820
|
#7 0x564d518cb1b4 in do_command(THD*) /home/teemu/work/git/mariadb-server/sql/sql_parse.cc:1377
|
#8 0x564d51c7410b in do_handle_one_connection(CONNECT*) /home/teemu/work/git/mariadb-server/sql/sql_connect.cc:1336
|
#9 0x564d51c739c8 in handle_one_connection /home/teemu/work/git/mariadb-server/sql/sql_connect.cc:1241
|
#10 0x564d530fdecf in pfs_spawn_thread /home/teemu/work/git/mariadb-server/storage/perfschema/pfs.cc:1869
|
#11 0x7f37309916da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
|
#12 0x7f372fd7ba3e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x121a3e)
|
|
Address 0x7f370f7b6700 is located in stack of thread T60 at offset 32 in frame
|
#0 0x564d5247f2b0 in innobase_commit_low(trx_t*) /home/teemu/work/git/mariadb-server/storage/innobase/handler/ha_innodb.cc:4439
|
|
This frame has 1 object(s):
|
[32, 96) 'info' <== Memory access at offset 32 is inside this variable
|
The crash appears to be caused by assigning the THD proc info from the stack buffer `info`, which goes out of scope immediately after the assignment, in innobase_commit_low(). Since thd_proc_info() evidently keeps the pointer rather than copying the string, a concurrent SHOW PROCESSLIST on another thread (T41 in the trace above) reads the dangling pointer into T60's stack frame:
#ifdef WITH_WSREP
|
const char* tmp = 0;
|
const bool is_wsrep = trx->is_wsrep();
|
THD* thd = trx->mysql_thd;
|
if (is_wsrep) {
|
#ifdef WSREP_PROC_INFO
|
char info[64];
|
info[sizeof(info) - 1] = '\0';
|
snprintf(info, sizeof(info) - 1,
|
"innobase_commit_low():trx_commit_for_mysql(%lld)",
|
(long long) wsrep_thd_trx_seqno(thd));
|
tmp = thd_proc_info(thd, info);
|
#else
|
tmp = thd_proc_info(thd, "innobase_commit_low()");
|
#endif /* WSREP_PROC_INFO */
|
}
|
#endif /* WITH_WSREP */
|