[MDEV-24583] ASAN use-after-poison in create_tmp_table or assertion failures after failed REPLACE into table with virtual/stored column - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.5, 10.2(EOL), 10.3(EOL), 10.4(EOL)
Fix Version/s: 10.2.38, 10.3.29, 10.4.19, 10.5.10
Component/s: Virtual Columns
Labels:
- affects-tests
- regression

Description

CREATE TABLE t1 (pk INT, a VARCHAR(3), v VARCHAR(3) GENERATED ALWAYS AS (CONCAT('x-',a)) VIRTUAL, PRIMARY KEY(pk));

CREATE VIEW v1 AS SELECT * FROM t1;

INSERT INTO t1 (pk, a) VALUES (1,'foo');

SET sql_mode=CONCAT(@@sql_mode,',STRICT_ALL_TABLES');

 --error 0,ER_DATA_TOO_LONG

REPLACE INTO t1 (pk,a) VALUES (1,'qux');

SELECT * FROM v1;

# Cleanup

DROP VIEW v1;

DROP TABLE t1;

10.2 ab271ee7 ASAN
==3015140==ERROR: AddressSanitizer: use-after-poison on address 0x619000087c39 at pc 0x7fe873e5d480 bp 0x7fe868c0d2e0 sp 0x7fe868c0ca88
READ of size 4 at 0x619000087c39 thread T5
#0 0x7fe873e5d47f (/lib/x86_64-linux-gnu/libasan.so.5+0x9b47f)
#1 0x561579ca1ae5 in create_tmp_table(THD, TMP_TABLE_PARAM, List<Item>&, st_order, bool, bool, unsigned long long, unsigned long long, char const, bool, bool) /data/src/10.2/sql/sql_select.cc:17212
#2 0x561579df7ead in select_union::create_result_table(THD, List<Item>, bool, unsigned long long, char const*, bool, bool, bool) /data/src/10.2/sql/sql_union.cc:180
#3 0x561579b0c395 in mysql_derived_prepare(THD, LEX, TABLE_LIST*) /data/src/10.2/sql/sql_derived.cc:771
#4 0x561579b08f31 in mysql_handle_single_derived(LEX, TABLE_LIST, unsigned int) /data/src/10.2/sql/sql_derived.cc:198
#5 0x561579e6e12a in TABLE_LIST::handle_derived(LEX*, unsigned int) /data/src/10.2/sql/table.cc:8118
#6 0x561579b46db7 in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /data/src/10.2/sql/sql_lex.h:3202
#7 0x561579b6467e in st_select_lex::handle_derived(LEX*, unsigned int) /data/src/10.2/sql/sql_lex.cc:3930
#8 0x561579c27a2c in JOIN::prepare(TABLE_LIST, unsigned int, Item, unsigned int, st_order, bool, st_order, Item, st_order, st_select_lex, st_select_lex_unit) /data/src/10.2/sql/sql_select.cc:716
#9 0x561579c47fae in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/src/10.2/sql/sql_select.cc:3814
#10 0x561579c24c67 in handle_select(THD, LEX, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361
#11 0x561579b9c046 in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6248
#12 0x561579b88feb in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3559
#13 0x561579ba55c3 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
#14 0x561579b7e608 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
#15 0x561579b7b3c7 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
#16 0x561579f032da in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
#17 0x561579f02b9d in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
#18 0x56157b29dff5 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
#19 0x7fe873968608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
#20 0x7fe873542292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

0x619000087c39 is located 441 bytes inside of 1100-byte region [0x619000087a80,0x619000087ecc)
allocated by thread T5 here:
#0 0x7fe873ecfbc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
#1 0x56157b3bab48 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
#2 0x56157b386aad in my_malloc /data/src/10.2/mysys/my_malloc.c:101
#3 0x56157b36411f in alloc_root /data/src/10.2/mysys/my_alloc.c:243
#4 0x56157b365b55 in memdup_root /data/src/10.2/mysys/my_alloc.c:464
#5 0x561579e39f5d in TABLE_SHARE::init_from_binary_frm_image(THD, bool, unsigned char const, unsigned long) /data/src/10.2/sql/table.cc:1288
#6 0x561579e35929 in open_table_def(THD, TABLE_SHARE, unsigned int) /data/src/10.2/sql/table.cc:684
#7 0x56157a0874db in tdc_acquire_share(THD, TABLE_LIST, unsigned int, TABLE**) /data/src/10.2/sql/table_cache.cc:826
#8 0x561579a5f6b4 in open_table(THD, TABLE_LIST, Open_table_context*) /data/src/10.2/sql/sql_base.cc:1797
#9 0x561579a68208 in open_and_process_table /data/src/10.2/sql/sql_base.cc:3614
#10 0x561579a6a5e2 in open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:4081
#11 0x561579a6e168 in open_and_lock_tables(THD, DDL_options_st const&, TABLE_LIST, bool, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:4880
#12 0x5615799e5331 in open_and_lock_tables(THD, TABLE_LIST, bool, unsigned int) /data/src/10.2/sql/sql_base.h:507
#13 0x561579e21d29 in mysql_create_view(THD, TABLE_LIST, enum_view_create_mode) /data/src/10.2/sql/sql_view.cc:453
#14 0x561579b98bde in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:5820
#15 0x561579ba55c3 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
#16 0x561579b7e608 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
#17 0x561579b7b3c7 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
#18 0x561579f032da in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
#19 0x561579f02b9d in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
#20 0x56157b29dff5 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
#21 0x7fe873968608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477

Thread T5 created by T0 here:
#0 0x7fe873dfc805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
#1 0x56157b29e3e6 in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1919
#2 0x561579920083 in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1246
#3 0x561579937c2b in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6567
#4 0x5615799383c6 in create_new_thread /data/src/10.2/sql/mysqld.cc:6637
#5 0x561579939558 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6895
#6 0x561579936f7c in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6186
#7 0x56157991e93c in main /data/src/10.2/sql/main.cc:25
#8 0x7fe8734470b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: use-after-poison (/lib/x86_64-linux-gnu/libasan.so.5+0x9b47f)
Shadow bytes around the buggy address:
0x0c3280008f30: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
0x0c3280008f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3280008f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3280008f60: 00 f7 00 00 f7 01 f7 00 00 00 00 00 00 00 00 00
0x0c3280008f70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3280008f80: 00 02 f7 00 f7 00 05[f7]01 f7 00 00 00 00 00 00
0x0c3280008f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3280008fa0: 00 00 f7 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3280008fb0: 00 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 00
0x0c3280008fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3280008fd0: 00 00 00 00 00 00 00 00 f7 04 fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3015140==ABORTING

More verbose stack trace on 10.5:

10.5 8de233af ASAN
==3015338==ERROR: AddressSanitizer: use-after-poison on address 0x61900008cc69 at pc 0x7feccb1e4480 bp 0x7fecc1692460 sp 0x7fecc1691c08
READ of size 4 at 0x61900008cc69 thread T5
#0 0x7feccb1e447f (/lib/x86_64-linux-gnu/libasan.so.5+0x9b47f)
#1 0x55d2d6c87b6f in field_conv_memcpy /data/src/10.5/sql/field_conv.cc:832
#2 0x55d2d6c87c75 in field_conv(Field, Field) /data/src/10.5/sql/field_conv.cc:862
#3 0x55d2d65e6f00 in Create_tmp_table::finalize(THD, TABLE, TMP_TABLE_PARAM*, bool, bool) /data/src/10.5/sql/sql_select.cc:18807
#4 0x55d2d65ec4fc in create_tmp_table(THD, TMP_TABLE_PARAM, List<Item>&, st_order, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const, bool, bool) /data/src/10.5/sql/sql_select.cc:19183
#5 0x55d2d678d9a1 in select_unit::create_result_table(THD, List<Item>, bool, unsigned long long, st_mysql_const_lex_string const*, bool, bool, bool, unsigned int) /data/src/10.5/sql/sql_union.cc:329
#6 0x55d2d63ca320 in mysql_derived_prepare /data/src/10.5/sql/sql_derived.cc:846
#7 0x55d2d63c6275 in mysql_handle_single_derived(LEX, TABLE_LIST, unsigned int) /data/src/10.5/sql/sql_derived.cc:206
#8 0x55d2d6823b36 in TABLE_LIST::handle_derived(LEX*, unsigned int) /data/src/10.5/sql/table.cc:9120
#9 0x55d2d640f3d1 in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /data/src/10.5/sql/sql_lex.h:4425
#10 0x55d2d6435478 in st_select_lex::handle_derived(LEX*, unsigned int) /data/src/10.5/sql/sql_lex.cc:4911
#11 0x55d2d655c0de in JOIN::prepare(TABLE_LIST, Item, unsigned int, st_order, bool, st_order, Item, st_order, st_select_lex, st_select_lex_unit) /data/src/10.5/sql/sql_select.cc:1158
#12 0x55d2d6582469 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/src/10.5/sql/sql_select.cc:4634
#13 0x55d2d655445f in handle_select(THD, LEX, select_result*, unsigned long) /data/src/10.5/sql/sql_select.cc:417
#14 0x55d2d64bda5b in execute_sqlcom_select /data/src/10.5/sql/sql_parse.cc:6281
#15 0x55d2d64ac95c in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:3977
#16 0x55d2d64c8d55 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.5/sql/sql_parse.cc:8062
#17 0x55d2d649f04e in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.5/sql/sql_parse.cc:1889
#18 0x55d2d649b977 in do_command(THD*) /data/src/10.5/sql/sql_parse.cc:1370
#19 0x55d2d68ddc33 in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1410
#20 0x55d2d68dd597 in handle_one_connection /data/src/10.5/sql/sql_connect.cc:1312
#21 0x55d2d75e8ee2 in pfs_spawn_thread /data/src/10.5/storage/perfschema/pfs.cc:2201
#22 0x7feccad68608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
#23 0x7fecca93e292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

0x61900008cc69 is located 489 bytes inside of 1124-byte region [0x61900008ca80,0x61900008cee4)
allocated by thread T5 here:
#0 0x7feccb256bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
#1 0x55d2d82871c7 in sf_malloc /data/src/10.5/mysys/safemalloc.c:118
#2 0x55d2d82545e3 in my_malloc /data/src/10.5/mysys/my_malloc.c:88
#3 0x55d2d82303f2 in alloc_root /data/src/10.5/mysys/my_alloc.c:244
#4 0x55d2d8231af4 in memdup_root /data/src/10.5/mysys/my_alloc.c:479
#5 0x55d2d67e5a4d in TABLE_SHARE::init_from_binary_frm_image(THD, bool, unsigned char const, unsigned long, unsigned char const*, unsigned long) /data/src/10.5/sql/table.cc:1791
#6 0x55d2d67ddf59 in open_table_def(THD, TABLE_SHARE, unsigned int) /data/src/10.5/sql/table.cc:714
#7 0x55d2d6af8a43 in tdc_acquire_share(THD, TABLE_LIST, unsigned int, TABLE**) /data/src/10.5/sql/table_cache.cc:831
#8 0x55d2d6307e09 in open_table(THD, TABLE_LIST, Open_table_context*) /data/src/10.5/sql/sql_base.cc:1852
#9 0x55d2d6312b02 in open_and_process_table /data/src/10.5/sql/sql_base.cc:3801
#10 0x55d2d6315689 in open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /data/src/10.5/sql/sql_base.cc:4275
#11 0x55d2d631a7cd in open_and_lock_tables(THD, DDL_options_st const&, TABLE_LIST, bool, unsigned int, Prelocking_strategy*) /data/src/10.5/sql/sql_base.cc:5211
#12 0x55d2d62719d9 in open_and_lock_tables(THD, TABLE_LIST, bool, unsigned int) /data/src/10.5/sql/sql_base.h:507
#13 0x55d2d67c8b7c in mysql_create_view(THD, TABLE_LIST, enum_view_create_mode) /data/src/10.5/sql/sql_view.cc:452
#14 0x55d2d64ba0ac in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:5825
#15 0x55d2d64c8d55 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.5/sql/sql_parse.cc:8062
#16 0x55d2d649f04e in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.5/sql/sql_parse.cc:1889
#17 0x55d2d649b977 in do_command(THD*) /data/src/10.5/sql/sql_parse.cc:1370
#18 0x55d2d68ddc33 in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1410
#19 0x55d2d68dd597 in handle_one_connection /data/src/10.5/sql/sql_connect.cc:1312
#20 0x55d2d75e8ee2 in pfs_spawn_thread /data/src/10.5/storage/perfschema/pfs.cc:2201
#21 0x7feccad68608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477

Thread T5 created by T0 here:
#0 0x7feccb183805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
#1 0x55d2d75e3e86 in my_thread_create /data/src/10.5/storage/perfschema/my_thread.h:38
#2 0x55d2d75e92d5 in pfs_spawn_thread_v1 /data/src/10.5/storage/perfschema/pfs.cc:2252
#3 0x55d2d618f4fe in inline_mysql_thread_create /data/src/10.5/include/mysql/psi/mysql_thread.h:1323
#4 0x55d2d61a54d4 in create_thread_to_handle_connection(CONNECT*) /data/src/10.5/sql/mysqld.cc:6022
#5 0x55d2d61a5b53 in create_new_thread(CONNECT*) /data/src/10.5/sql/mysqld.cc:6081
#6 0x55d2d61a5eb0 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.5/sql/mysqld.cc:6146
#7 0x55d2d61a6acf in handle_connections_sockets() /data/src/10.5/sql/mysqld.cc:6273
#8 0x55d2d61a4ce1 in mysqld_main(int, char**) /data/src/10.5/sql/mysqld.cc:5668
#9 0x55d2d618dd9c in main /data/src/10.5/sql/main.cc:25
#10 0x7fecca8430b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: use-after-poison (/lib/x86_64-linux-gnu/libasan.so.5+0x9b47f)
Shadow bytes around the buggy address:
0x0c3280009930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3280009940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3280009950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3280009960: 00 00 00 00 f7 00 00 f7 01 f7 00 00 00 00 00 00
0x0c3280009970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3280009980: 00 00 00 00 00 00 00 02 f7 00 f7 00 05[f7]01 f7
0x0c3280009990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c32800099a0: 00 00 00 00 00 00 00 00 f7 00 00 00 00 00 00 00
0x0c32800099b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c32800099c0: 00 00 00 00 f7 00 00 f7 00 00 00 00 00 00 f7 02
0x0c32800099d0: f7 04 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 04 fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3015338==ABORTING
210113 23:14:35 [ERROR] mysqld got signal 6 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.

To report this bug, see https://mariadb.com/kb/en/reporting-bugs

We will try our best to scrape up some info that will hopefully help
diagnose the problem, but since we have already crashed,
something is definitely wrong and this may fail.

Server version: 10.5.9-MariaDB-debug-log
key_buffer_size=1048576
read_buffer_size=131072
max_used_connections=1
max_threads=153
thread_count=2
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 63743 K bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x62b000069288
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0x7fecc1696950 thread_stack 0x5fc00
??:0(__interceptor_tcgetattr)[0x7feccb1b5d30]
mysys/stacktrace.c:212(my_print_stacktrace)[0x55d2d8264c2b]
sql/signal_handler.cc:211(handle_fatal_signal)[0x55d2d6ca594c]
sigaction.c:0(__restore_rt)[0x7feccad743c0]
??:0(gsignal)[0x7fecca86218b]
??:0(abort)[0x7fecca841859]
??:0(__sanitizer_set_report_fd)[0x7feccb2746a2]
??:0(__sanitizer_get_module_and_offset_for_pc)[0x7feccb27f24c]
??:0(__sanitizer_ptr_cmp)[0x7feccb2608ec]
??:0(__asan_on_error)[0x7feccb260363]
??:0(__interceptor_getdelim)[0x7feccb1e449f]
sql/field_conv.cc:833(field_conv_memcpy(Field, Field))[0x55d2d6c87b70]
sql/field_conv.cc:863(field_conv(Field, Field))[0x55d2d6c87c76]
sql/sql_select.cc:18808(Create_tmp_table::finalize(THD, TABLE, TMP_TABLE_PARAM*, bool, bool))[0x55d2d65e6f01]
sql/sql_select.cc:19182(create_tmp_table(THD, TMP_TABLE_PARAM, List<Item>&, st_order, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const, bool, bool))[0x55d2d65ec4fd]
sql/sql_union.cc:329(select_unit::create_result_table(THD, List<Item>, bool, unsigned long long, st_mysql_const_lex_string const*, bool, bool, bool, unsigned int))[0x55d2d678d9a2]
sql/sql_derived.cc:846(mysql_derived_prepare(THD, LEX, TABLE_LIST*))[0x55d2d63ca321]
sql/sql_derived.cc:206(mysql_handle_single_derived(LEX, TABLE_LIST, unsigned int))[0x55d2d63c6276]
sql/table.cc:9120(TABLE_LIST::handle_derived(LEX*, unsigned int))[0x55d2d6823b37]
sql/sql_lex.h:4425(LEX::handle_list_of_derived(TABLE_LIST*, unsigned int))[0x55d2d640f3d2]
sql/sql_lex.cc:4912(st_select_lex::handle_derived(LEX*, unsigned int))[0x55d2d6435479]
sql/sql_select.cc:1158(JOIN::prepare(TABLE_LIST, Item, unsigned int, st_order, bool, st_order, Item, st_order, st_select_lex, st_select_lex_unit))[0x55d2d655c0df]
sql/sql_select.cc:4634(mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex))[0x55d2d658246a]
sql/sql_select.cc:417(handle_select(THD, LEX, select_result*, unsigned long))[0x55d2d6554460]
sql/sql_parse.cc:6281(execute_sqlcom_select(THD, TABLE_LIST))[0x55d2d64bda5c]
sql/sql_parse.cc:3977(mysql_execute_command(THD*))[0x55d2d64ac95d]
sql/sql_parse.cc:8062(mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool))[0x55d2d64c8d56]
sql/sql_parse.cc:1892(dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool))[0x55d2d649f04f]
sql/sql_parse.cc:1370(do_command(THD*))[0x55d2d649b978]
sql/sql_connect.cc:1410(do_handle_one_connection(CONNECT*, bool))[0x55d2d68ddc34]
sql/sql_connect.cc:1314(handle_one_connection)[0x55d2d68dd598]
perfschema/pfs.cc:2203(pfs_spawn_thread)[0x55d2d75e8ee3]
nptl/pthread_create.c:478(start_thread)[0x7feccad68609]
??:0(clone)[0x7fecca93e293]

Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0x62b0000382a8): SELECT * FROM v1

Connection ID (thread ID): 4
Status: NOT_KILLED

Both debug and non-debug ASAN builds are affected.
Reproducible on 10.2+.

The failure appeared in 10.2 branch after this commit:

commit 97db6c15ea3e83a21df137c222dbd5a40fbe7c82

Author: Nikita Malyavin

Date:   Tue Aug 11 00:38:32 2020 +1000

    MDEV-20618 Assertion failed in row_upd_sec_index_entry

Note: For why the initial INSERT does not fail in the test case regardless the original SQL_MODE, see MDEV-24582.

Variation of the test case which causes InnoDB assertion failures on debug and non-debug builds:

--source include/have_innodb.inc

CREATE TABLE t1 (

  pk INT,

  a VARCHAR(1),

  v VARCHAR(1) AS (CONCAT('virt-',a)) VIRTUAL,

  PRIMARY KEY (pk)

) ENGINE=InnoDB;

INSERT INTO t1 (pk,a) VALUES

(1,'a'),(2,'b'),(3,'c'),(4,'d'),(5,'e'),(6,'f');

 --error ER_DATA_TOO_LONG

REPLACE INTO t1 (pk) VALUES (1);

SELECT * FROM t1;

DROP TABLE t1;

10.2 ab271ee7 debug
mysqld: /data/src/10.2/storage/innobase/row/row0sel.cc:3828: void row_sel_dequeue_cached_row_for_mysql(byte, row_prebuilt_t): Assertion `prebuilt->mysql_prefix_len <= prebuilt->mysql_row_len' failed.
210114 0:10:39 [ERROR] mysqld got signal 6 ;

#7 0x00007fef277eff36 in __GI___assert_fail (assertion=0x564d55c681a0 "prebuilt->mysql_prefix_len <= prebuilt->mysql_row_len", file=0x564d55c66770 "/data/src/10.2/storage/innobase/row/row0sel.cc", line=3828, function=0x564d55c68140 "void row_sel_dequeue_cached_row_for_mysql(byte, row_prebuilt_t)") at assert.c:101
#8 0x0000564d5565084f in row_sel_dequeue_cached_row_for_mysql (buf=0x7feed00068d0 "\377", prebuilt=0x7feed0036eb0) at /data/src/10.2/storage/innobase/row/row0sel.cc:3828
#9 0x0000564d55651f0c in row_search_mvcc (buf=0x7feed00068d0 "\377", mode=PAGE_CUR_UNSUPP, prebuilt=0x7feed0036eb0, match_mode=0, direction=1) at /data/src/10.2/storage/innobase/row/row0sel.cc:4424
#10 0x0000564d554e205a in ha_innobase::general_fetch (this=0x7feed00aa6f8, buf=0x7feed00068d0 "\377", direction=1, match_mode=0) at /data/src/10.2/storage/innobase/handler/ha_innodb.cc:9652
#11 0x0000564d554e2622 in ha_innobase::rnd_next (this=0x7feed00aa6f8, buf=0x7feed00068d0 "\377") at /data/src/10.2/storage/innobase/handler/ha_innodb.cc:9863
#12 0x0000564d552d7c3d in handler::ha_rnd_next (this=0x7feed00aa6f8, buf=0x7feed00068d0 "\377") at /data/src/10.2/sql/handler.cc:2669
#13 0x0000564d5544aaeb in rr_sequential (info=0x7feed00145a0) at /data/src/10.2/sql/records.cc:492
#14 0x0000564d550c02c8 in sub_select (join=0x7feed0012fd8, join_tab=0x7feed00144d8, end_of_records=false) at /data/src/10.2/sql/sql_select.cc:18877
#15 0x0000564d550bf75c in do_select (join=0x7feed0012fd8, procedure=0x0) at /data/src/10.2/sql/sql_select.cc:18402
#16 0x0000564d550993d3 in JOIN::exec_inner (this=0x7feed0012fd8) at /data/src/10.2/sql/sql_select.cc:3641
#17 0x0000564d5509887a in JOIN::exec (this=0x7feed0012fd8) at /data/src/10.2/sql/sql_select.cc:3436
#18 0x0000564d55099a3c in mysql_select (thd=0x7feed0000d90, tables=0x7feed00128d0, wild_num=1, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7feed0012fb8, unit=0x7feed0004988, select_lex=0x7feed00050c8) at /data/src/10.2/sql/sql_select.cc:3836
#19 0x0000564d5508dbb6 in handle_select (thd=0x7feed0000d90, lex=0x7feed00048c8, result=0x7feed0012fb8, setup_tables_done_option=0) at /data/src/10.2/sql/sql_select.cc:361
#20 0x0000564d55058508 in execute_sqlcom_select (thd=0x7feed0000d90, all_tables=0x7feed00128d0) at /data/src/10.2/sql/sql_parse.cc:6248
#21 0x0000564d5504eeb7 in mysql_execute_command (thd=0x7feed0000d90) at /data/src/10.2/sql/sql_parse.cc:3559
#22 0x0000564d5505c2b1 in mysql_parse (thd=0x7feed0000d90, rawbuf=0x7feed00126f8 "SELECT * FROM t1", length=16, parser_state=0x7fef21c565f0, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7763
#23 0x0000564d5504a58a in dispatch_command (command=COM_QUERY, thd=0x7feed0000d90, packet=0x7feed0008b51 "", packet_length=16, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1827
#24 0x0000564d55049085 in do_command (thd=0x7feed0000d90) at /data/src/10.2/sql/sql_parse.cc:1381
#25 0x0000564d551a3704 in do_handle_one_connection (connect=0x564d578ff220) at /data/src/10.2/sql/sql_connect.cc:1336
#26 0x0000564d551a3469 in handle_one_connection (arg=0x564d578ff220) at /data/src/10.2/sql/sql_connect.cc:1241
#27 0x0000564d559cb44a in pfs_spawn_thread (arg=0x564d578e2350) at /data/src/10.2/storage/perfschema/pfs.cc:1869
#28 0x00007fef27cff609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#29 0x00007fef278db293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.2 ab271ee7 non-debug
2021-01-14 00:11:32 0x7f36a221f700 InnoDB: Assertion failure in file /data/src/10.2/storage/innobase/row/row0mysql.cc line 1014
InnoDB: Failing assertion: magic1 == ROW_PREBUILT_FETCH_MAGIC_N

#6 0x0000558698eb1bf9 in ut_dbg_assertion_failed (expr=expr@entry=0x5586997fcbd0 "magic1 == ROW_PREBUILT_FETCH_MAGIC_N", file=file@entry=0x5586997fc758 "/data/src/10.2/storage/innobase/row/row0mysql.cc", line=line@entry=1014) at /data/src/10.2/storage/innobase/ut/ut0dbg.cc:60
#7 0x0000558698e9dc0d in row_prebuilt_free (prebuilt=0x7f3650178f18, dict_locked=dict_locked@entry=0) at /data/src/10.2/storage/innobase/row/row0mysql.cc:1014
#8 0x00005586992cdece in ha_innobase::close (this=0x7f36500945e0) at /data/src/10.2/storage/innobase/handler/ha_innodb.cc:6597
#9 0x0000558699042469 in closefrm (table=table@entry=0x7f3650093a48) at /data/src/10.2/sql/table.cc:3519
#10 0x00005586990ea681 in intern_close_table (table=0x7f3650093a48) at /data/src/10.2/sql/table_cache.cc:222
#11 tdc_remove_table (thd=thd@entry=0x7f3650000c48, remove_type=remove_type@entry=TDC_RT_REMOVE_ALL, db=<optimized out>, table_name=<optimized out>, kill_delayed_threads=kill_delayed_threads@entry=false) at /data/src/10.2/sql/table_cache.cc:1132
#12 0x0000558699018c05 in mysql_rm_table_no_locks (thd=0x7f3650000c48, tables=<optimized out>, if_exists=<optimized out>, drop_temporary=<optimized out>, drop_view=<optimized out>, dont_log_query=<optimized out>, dont_free_locks=<optimized out>) at /data/src/10.2/sql/sql_table.cc:2436
#13 0x00005586990197b4 in mysql_rm_table (thd=thd@entry=0x7f3650000c48, tables=tables@entry=0x7f365000f410, if_exists=<optimized out>, drop_temporary=<optimized out>) at /data/src/10.2/sql/sql_table.cc:2089
#14 0x0000558698f8f70f in mysql_execute_command (thd=0x7f3650000c48) at /data/src/10.2/sql/structs.h:530
#15 0x0000558698f95c3b in mysql_parse (thd=thd@entry=0x7f3650000c48, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x7f36a221e5b0, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /data/src/10.2/sql/sql_parse.cc:7763
#16 0x0000558698f98e4d in dispatch_command (command=COM_QUERY, thd=0x7f3650000c48, packet=<optimized out>, packet_length=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /data/src/10.2/sql/sql_class.h:1096
#17 0x0000558698f9a097 in do_command (thd=0x7f3650000c48) at /data/src/10.2/sql/sql_parse.cc:1381
#18 0x0000558699072d76 in do_handle_one_connection (connect=connect@entry=0x55869bb3c078) at /data/src/10.2/sql/sql_connect.cc:1336
#19 0x0000558699072eef in handle_one_connection (arg=arg@entry=0x55869bb3c078) at /data/src/10.2/sql/sql_connect.cc:1241
#20 0x000055869960d946 in pfs_spawn_thread (arg=0x55869be3f1f8) at /data/src/10.2/storage/perfschema/pfs.cc:1869
#21 0x00007f36a8297609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#22 0x00007f36a7e8c293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

And yet another variation, it causes the same assertions as above on 10.2-10.4 debug builds and 10.2-10.5 release builds, but a different one on 10.5 debug build. The only difference is ORDER BY in SELECT.

--source include/have_innodb.inc

CREATE TABLE t1 (

  pk INT,

  a VARCHAR(1),

  v VARCHAR(1) AS (CONCAT('virt-',a)) VIRTUAL,

  PRIMARY KEY (pk)

) ENGINE=InnoDB;

INSERT INTO t1 (pk,a) VALUES

(1,'a'),(2,'b'),(3,'c'),(4,'d'),(5,'e'),(6,'f');

 --error ER_DATA_TOO_LONG

REPLACE INTO t1 (pk) VALUES (1);

SELECT * FROM t1 ORDER BY a;

DROP TABLE t1;

10.5 8de233af debug
mariadbd: /data/src/10.5/sql/field.h:1155: const uchar* Field::ptr_in_record(const uchar*) const: Assertion `l_offset >= 0 && table->s->rec_buff_length - l_offset > 0' failed.
210114 0:17:48 [ERROR] mysqld got signal 6 ;

#7 0x00007f3d4dea3f36 in __GI___assert_fail (assertion=0x5644a00b21c8 "l_offset >= 0 && table->s->rec_buff_length - l_offset > 0", file=0x5644a00b20b6 "/data/src/10.5/sql/field.h", line=1155, function=0x5644a00b2208 "const uchar* Field::ptr_in_record(const uchar*) const") at assert.c:101
#8 0x000056449f40a0bd in Field::ptr_in_record (this=0x7f3d10233360, record=0x7f3d102332f8 "\377") at /data/src/10.5/sql/field.h:1155
#9 0x000056449f74b900 in key_copy (to_key=0x7f3d100f9d08 '\245' <repeats 16 times>, '\217' <repeats 184 times>..., from_record=0x7f3d102332f8 "\377", key_info=0x7f3d100436e0, key_length=4, with_zerofill=false) at /data/src/10.5/sql/key.cc:144
#10 0x000056449faa0d45 in ha_innobase::position (this=0x7f3d100f8c40, record=0x7f3d102332f8 "\377") at /data/src/10.5/storage/innobase/handler/ha_innodb.cc:10076
#11 0x000056449f60d637 in find_all_keys (thd=0x7f3d10000db8, param=0x7f3d4824b070, select=0x7f3d10017808, fs_info=0x7f3d100525b0, buffpek_pointers=0x7f3d4824b290, tempfile=0x7f3d4824b120, pq=0x0, found_rows=0x7f3d100527a0) at /data/src/10.5/sql/filesort.cc:897
#12 0x000056449f60b7a4 in filesort (thd=0x7f3d10000db8, table=0x7f3d101b3a38, filesort=0x7f3d100179d8, tracker=0x7f3d100180c8, join=0x7f3d10015798, first_table_bit=1) at /data/src/10.5/sql/filesort.cc:352
#13 0x000056449f33ac44 in create_sort_index (thd=0x7f3d10000db8, join=0x7f3d10015798, tab=0x7f3d10016ec8, fsort=0x7f3d100179d8) at /data/src/10.5/sql/sql_select.cc:23862
#14 0x000056449f334d56 in st_join_table::sort_table (this=0x7f3d10016ec8) at /data/src/10.5/sql/sql_select.cc:21607
#15 0x000056449f33492e in join_init_read_record (tab=0x7f3d10016ec8) at /data/src/10.5/sql/sql_select.cc:21546
#16 0x000056449f33265c in sub_select (join=0x7f3d10015798, join_tab=0x7f3d10016ec8, end_of_records=false) at /data/src/10.5/sql/sql_select.cc:20620
#17 0x000056449f331b55 in do_select (join=0x7f3d10015798, procedure=0x0) at /data/src/10.5/sql/sql_select.cc:20157
#18 0x000056449f305602 in JOIN::exec_inner (this=0x7f3d10015798) at /data/src/10.5/sql/sql_select.cc:4462
#19 0x000056449f304723 in JOIN::exec (this=0x7f3d10015798) at /data/src/10.5/sql/sql_select.cc:4242
#20 0x000056449f305de5 in mysql_select (thd=0x7f3d10000db8, tables=0x7f3d100145b8, fields=..., conds=0x0, og_num=1, order=0x7f3d10015610, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f3d10015770, unit=0x7f3d10004f58, select_lex=0x7f3d10013fc8) at /data/src/10.5/sql/sql_select.cc:4658
#21 0x000056449f2f5a33 in handle_select (thd=0x7f3d10000db8, lex=0x7f3d10004e90, result=0x7f3d10015770, setup_tables_done_option=0) at /data/src/10.5/sql/sql_select.cc:417
#22 0x000056449f2b8409 in execute_sqlcom_select (thd=0x7f3d10000db8, all_tables=0x7f3d100145b8) at /data/src/10.5/sql/sql_parse.cc:6281
#23 0x000056449f2af495 in mysql_execute_command (thd=0x7f3d10000db8) at /data/src/10.5/sql/sql_parse.cc:3977
#24 0x000056449f2bd2b0 in mysql_parse (thd=0x7f3d10000db8, rawbuf=0x7f3d10013f30 "SELECT * FROM t1 ORDER BY a", length=27, parser_state=0x7f3d4824c510, is_com_multi=false, is_next_command=false) at /data/src/10.5/sql/sql_parse.cc:8062
#25 0x000056449f2a9237 in dispatch_command (command=COM_QUERY, thd=0x7f3d10000db8, packet=0x7f3d100090a9 "", packet_length=27, is_com_multi=false, is_next_command=false) at /data/src/10.5/sql/sql_parse.cc:1889
#26 0x000056449f2a7a2b in do_command (thd=0x7f3d10000db8) at /data/src/10.5/sql/sql_parse.cc:1370
#27 0x000056449f45578d in do_handle_one_connection (connect=0x5644a2180058, put_in_cache=true) at /data/src/10.5/sql/sql_connect.cc:1410
#28 0x000056449f4554f0 in handle_one_connection (arg=0x5644a21927b8) at /data/src/10.5/sql/sql_connect.cc:1312
#29 0x000056449f9b445d in pfs_spawn_thread (arg=0x5644a220e458) at /data/src/10.5/storage/perfschema/pfs.cc:2201
#30 0x00007f3d4e3bb609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#31 0x00007f3d4df8f293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

mdev24583-hang-threads.txt
40 kB
2021-03-09 13:04

Issue Links

is duplicated by

MDEV-24656 [FATAL] InnoDB: Data field type 0, len 0, ASAN heap-buffer-overflow upon LOAD DATA with virtual columns

Closed

MDEV-24665 ASAN errors, assertion failures, corrupt values after failed LOAD DATA into table with virtual/stored column

Closed

MDEV-24782 ASAN use-after-poison in Field::pack_int / THD::binlog_update_row

Closed

relates to

MDEV-24582 INSERT silently truncates too long value for a virtual column without warnings or errors

Open

MDEV-24655 Unexpected results or ASAN use-after-poison in Field::cmp_binary or in row_sel_store_mysql_field_func upon updating virtual column

Closed

Activity

People

Assignee:: Nikita Malyavin

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2021-01-13 21:17

Updated:: 2021-06-07 23:34

Resolved:: 2021-04-27 10:09

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.