  2. MDEV-23728

ASAN use-after-poison in st_key::actual_rec_per_key upon INSERT ... SELECT


Details

    Description

      # Target table of the INSERT ... SELECT below. It has the same pk and
      # f01..f31 columns as t2, plus one `extra` column that t2 does not have,
      # so NATURAL JOIN against t2 matches on everything except `extra`.
      CREATE TABLE t1 (
        pk int,
        f01 int,
        f02 int,
        f03 int,
        f04 int,
        f05 int,
        f06 int,
        f07 int,
        f08 int,
        f09 int,
        f10 int,
        f11 int,
        f12 int,
        f13 int,
        f14 int,
        f15 int,
        f16 int,
        f17 int,
        f18 int,
        f19 int,
        f20 int,
        f21 int,
        f22 int,
        f23 int,
        f24 int,
        f25 int,
        f26 int,
        f27 int,
        f28 int,
        f29 int,
        f30 int,
        f31 int,
        extra text,
        primary key (pk)
      );
       
      # Right-hand side of the NATURAL JOIN: same pk and f01..f31 as t1, no
      # `extra`. Nothing in this script inserts into t2, so it stays empty;
      # the reported failure is hit while the join plan is being chosen
      # (best_access_path inside JOIN::optimize()), not while reading rows.
      CREATE TABLE t2 (
        pk int,
        f01 int,
        f02 int,
        f03 int,
        f04 int,
        f05 int,
        f06 int,
        f07 int,
        f08 int,
        f09 int,
        f10 int,
        f11 int,
        f12 int,
        f13 int,
        f14 int,
        f15 int,
        f16 int,
        f17 int,
        f18 int,
        f19 int,
        f20 int,
        f21 int,
        f22 int,
        f23 int,
        f24 int,
        f25 int,
        f26 int,
        f27 int,
        f28 int,
        f29 int,
        f30 int,
        f31 int,
        primary key (pk)
      );
       
      # Seed rows: only pk is set, every f* column and `extra` is NULL.
      INSERT INTO t1 (pk) VALUES (1),(2);

      # Trigger. The derived table sq is materialized as a temporary table
      # (create_tmp_table via mysql_derived_prepare in the allocation trace),
      # then NATURAL JOIN pairs it with t2 on all 32 shared columns
      # (pk, f01..f31). While choosing the join order, the optimizer reads key
      # statistics through st_key::actual_rec_per_key and ASAN reports that
      # read as use-after-poison, still inside JOIN::optimize(). The poisoned
      # address lies inside a region allocated for a tmp-table Field copy
      # (Field::make_new_field), which suggests -- to be confirmed -- that the
      # key statistics pointer no longer refers to live key data.
      INSERT INTO t1 SELECT * FROM (SELECT * FROM t1) AS sq NATURAL JOIN t2;

      # Cleanup
      DROP TABLE t1, t2;
      

      10.2 bc2dbdb6 ASAN

      ==1240042==ERROR: AddressSanitizer: use-after-poison on address 0x61d0001a5c48 at pc 0x561386ebaf3f bp 0x7ff1114ae530 sp 0x7ff1114ae520
      READ of size 8 at 0x61d0001a5c48 thread T5
          #0 0x561386ebaf3e in st_key::actual_rec_per_key(unsigned int) /data/src/10.2/sql/table.cc:8424
          #1 0x561386cac175 in best_access_path(JOIN*, st_join_table*, unsigned long long, st_position const*, unsigned int, bool, double, st_position*, st_position*) /data/src/10.2/sql/sql_select.cc:6603
          #2 0x561386cb5826 in best_extension_by_limited_search /data/src/10.2/sql/sql_select.cc:8321
          #3 0x561386cb1926 in greedy_search /data/src/10.2/sql/sql_select.cc:7534
          #4 0x561386caf859 in choose_plan(JOIN*, unsigned long long) /data/src/10.2/sql/sql_select.cc:7110
          #5 0x561386c9ccde in make_join_statistics /data/src/10.2/sql/sql_select.cc:4583
          #6 0x561386c7ec4e in JOIN::optimize_inner() /data/src/10.2/sql/sql_select.cc:1584
          #7 0x561386c79f75 in JOIN::optimize() /data/src/10.2/sql/sql_select.cc:1114
          #8 0x561386c9558b in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3819
          #9 0x561386c7237b in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361
          #10 0x561386bdc1fa in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4275
          #11 0x561386bf3f77 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7733
          #12 0x561386bcd272 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1823
          #13 0x561386bca04e in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1377
          #14 0x561386f4d765 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
          #15 0x561386f4d028 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
          #16 0x5613882cd009 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
          #17 0x7ff11c214608 in start_thread /build/glibc-YYA7BZ/glibc-2.31/nptl/pthread_create.c:477
          #18 0x7ff11bdee102 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122102)
       
      0x61d0001a5c48 is located 1992 bytes inside of 2084-byte region [0x61d0001a5480,0x61d0001a5ca4)
      allocated by thread T5 here:
          #0 0x7ff11c3f4bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
          #1 0x5613884b01b7 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
          #2 0x56138847c56c in my_malloc /data/src/10.2/mysys/my_malloc.c:101
          #3 0x561388459e8e in alloc_root /data/src/10.2/mysys/my_alloc.c:243
          #4 0x56138845b8ab in memdup_root /data/src/10.2/mysys/my_alloc.c:464
          #5 0x561387187045 in Field::make_new_field(st_mem_root*, TABLE*, bool) /data/src/10.2/sql/field.cc:2387
          #6 0x561386ce7c94 in create_tmp_field_from_field(THD*, Field*, char const*, TABLE*, Item_field*) /data/src/10.2/sql/sql_select.cc:16266
          #7 0x561386ce97d1 in create_tmp_field(THD*, TABLE*, Item*, Item::Type, Item***, Field**, Field**, bool, bool, bool, bool) /data/src/10.2/sql/sql_select.cc:16522
          #8 0x561386cecc4a in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, char const*, bool, bool) /data/src/10.2/sql/sql_select.cc:16970
          #9 0x561386e43a57 in select_union::create_result_table(THD*, List<Item>*, bool, unsigned long long, char const*, bool, bool, bool) /data/src/10.2/sql/sql_union.cc:180
          #10 0x561386b5b8ab in mysql_derived_prepare(THD*, LEX*, TABLE_LIST*) /data/src/10.2/sql/sql_derived.cc:770
          #11 0x561386b58408 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /data/src/10.2/sql/sql_derived.cc:198
          #12 0x561386eb912c in TABLE_LIST::handle_derived(LEX*, unsigned int) /data/src/10.2/sql/table.cc:8118
          #13 0x561386b95cab in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /data/src/10.2/sql/sql_lex.h:3202
          #14 0x561386b783ef in mysql_prepare_insert(THD*, TABLE_LIST*, TABLE*, List<Item>&, List<Item>*, List<Item>&, List<Item>&, enum_duplicates, Item**, bool) /data/src/10.2/sql/sql_insert.cc:1498
          #15 0x561386b8713d in mysql_insert_select_prepare(THD*) /data/src/10.2/sql/sql_insert.cc:3518
          #16 0x561386bdbf6f in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4259
          #17 0x561386bf3f77 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7733
          #18 0x561386bcd272 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1823
          #19 0x561386bca04e in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1377
          #20 0x561386f4d765 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
          #21 0x561386f4d028 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
          #22 0x5613882cd009 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
          #23 0x7ff11c214608 in start_thread /build/glibc-YYA7BZ/glibc-2.31/nptl/pthread_create.c:477
       
      Thread T5 created by T0 here:
          #0 0x7ff11c321805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
          #1 0x5613882cd3fa in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1919
          #2 0x561386971f97 in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1246
          #3 0x561386989927 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6518
          #4 0x56138698a0b8 in create_new_thread /data/src/10.2/sql/mysqld.cc:6588
          #5 0x56138698b243 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6846
          #6 0x561386988c99 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6137
          #7 0x56138697087c in main /data/src/10.2/sql/main.cc:25
          #8 0x7ff11bcf30b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
       
      SUMMARY: AddressSanitizer: use-after-poison /data/src/10.2/sql/table.cc:8424 in st_key::actual_rec_per_key(unsigned int)
      Shadow bytes around the buggy address:
        0x0c3a8002cb30: 00 00 00 f7 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c3a8002cb40: 00 00 00 00 00 00 00 00 00 f7 00 00 00 00 00 00
        0x0c3a8002cb50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c3a8002cb60: 00 00 00 00 00 00 00 00 00 00 f7 f7 f7 f7 f7 f7
        0x0c3a8002cb70: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      =>0x0c3a8002cb80: f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7
        0x0c3a8002cb90: f7 f7 f7 f7 04 fa fa fa fa fa fa fa fa fa fa fa
        0x0c3a8002cba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c3a8002cbb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c3a8002cbc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c3a8002cbd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==1240042==ABORTING
      

      Reproducible on 10.1-10.5 (and on 5.5, too), with MyISAM, InnoDB, Aria.
      No obvious problem on my builds without ASAN, but a non-debug build with ASAN fails the same way.

          People

            psergei Sergei Petrunia
            elenst Elena Stepanova
