[MDEV-23272] Galera stack-use-after-scope error with ASAN build - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.1(EOL), 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5
Fix Version/s: 10.1.46, 10.2.33, 10.3.24, 10.4.14, 10.5.5
Component/s: Galera
Labels:
None

Description

To reproduce, build MariaDB server with ASAN enabled -DWITH_ASAN:BOOL=ON, enable Galera/wsrep and run sysbench load against one node:

sysbench --mysql-user=root --mysql-socket=/tmp/mysqld.1.sock --mysql-db=test --threads=32 --time=3600 --report-interval=1 oltp_read_write run

From different terminal, run "show processlist" against the same node repeatedly:

while mysql --user=root -S/tmp/mysqld.1.sock -e "show processlist"; do sleep 1; done

The server process will eventually crash with error:

==22561==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7f370f7b670

0 at pc 0x7f37328ec66e bp 0x7f370ff88050 sp 0x7f370ff877f8

READ of size 49 at 0x7f370f7b6700 thread T41

    #0 0x7f37328ec66d  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5166d)

    #1 0x564d516a750e in Protocol::store(char const*, charset_info_st const*) /h

ome/teemu/work/git/mariadb-server/sql/protocol.cc:1029

    #2 0x564d51a793dc in mysqld_list_processes(THD*, char const*, bool) /home/te

emu/work/git/mariadb-server/sql/sql_show.cc:2736

    #3 0x564d518e060a in mysql_execute_command(THD*) /home/teemu/work/git/mariad

b-server/sql/sql_parse.cc:4512

    #4 0x564d518f7ae2 in mysql_parse(THD*, char*, unsigned int, Parser_state*, b

ool, bool) /home/teemu/work/git/mariadb-server/sql/sql_parse.cc:7733

    #5 0x564d518f6597 in wsrep_mysql_parse /home/teemu/work/git/mariadb-server/s

ql/sql_parse.cc:7525

    #6 0x564d518ce72f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/teemu/work/git/mariadb-server/sql/sql_parse.cc:1820

    #7 0x564d518cb1b4 in do_command(THD*) /home/teemu/work/git/mariadb-server/sql/sql_parse.cc:1377

    #8 0x564d51c7410b in do_handle_one_connection(CONNECT*) /home/teemu/work/git/mariadb-server/sql/sql_connect.cc:1336

    #9 0x564d51c739c8 in handle_one_connection /home/teemu/work/git/mariadb-server/sql/sql_connect.cc:1241

    #10 0x564d530fdecf in pfs_spawn_thread /home/teemu/work/git/mariadb-server/storage/perfschema/pfs.cc:1869

    #11 0x7f37309916da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)

    #12 0x7f372fd7ba3e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x121a3e)

Address 0x7f370f7b6700 is located in stack of thread T60 at offset 32 in frame

    #0 0x564d5247f2b0 in innobase_commit_low(trx_t*) /home/teemu/work/git/mariadb-server/storage/innobase/handler/ha_innodb.cc:4439

  This frame has 1 object(s):

    [32, 96) 'info' <== Memory access at offset 32 is inside this variable

The reason for the crash seems to be assignment of THD proc info from info buffer which goes immediately out of scope after assignment, in innobase_commit_low():

#ifdef WITH_WSREP

	const char* tmp = 0;

	const bool is_wsrep = trx->is_wsrep();

	THD* thd = trx->mysql_thd;

	if (is_wsrep) {

#ifdef WSREP_PROC_INFO

		char info[64];

		info[sizeof(info) - 1] = '\0';

		snprintf(info, sizeof(info) - 1,

			 "innobase_commit_low():trx_commit_for_mysql(%lld)",

			 (long long) wsrep_thd_trx_seqno(thd));

		tmp = thd_proc_info(thd, info);

#else

		tmp = thd_proc_info(thd, "innobase_commit_low()");

#endif /* WSREP_PROC_INFO */

#endif /* WITH_WSREP */

Attachments

Activity

Transition	Time In Source Status	Execution Times

Jan Lindström (Inactive) made transition - 2020-07-24 06:01

Open

Closed

18h 50m

People

Assignee:: Jan Lindström (Inactive)

Reporter:: Teemu Ollakka

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2020-07-23 11:10

Updated:: 2020-07-24 06:01

Resolved:: 2020-07-24 06:01

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server