Details
- Type: Bug
- Status: Closed
- Priority: Critical
- Resolution: Duplicate
- Affects Version/s: 10.3(EOL), 10.11.17
- Can result in hang or crash
- See MDEV-39711
- Q3/2026 Replic. Maintenance
Description
# Needs ROW binlog format: the UPDATE's before-image is packed by pack_row()
--source include/have_binlog_format_row.inc

# BLOB → TEXT is also affected; STORED is not affected
CREATE TABLE t (a TEXT, v BLOB AS (a) VIRTUAL) WITH SYSTEM VERSIONING AS
SELECT 'foo' AS a;

# Packing the virtual BLOB column for the binlog row image reads freed memory
UPDATE t SET a='bar'; # or REPLACE

# Cleanup
DROP TABLE t;
10.11.17 b89cb5d5c7-ASAN
==26818==ERROR: AddressSanitizer: heap-use-after-free on address 0x6d1a52937e68 at pc 0x70ea5491fdbb bp 0x6cea44316c80 sp 0x6cea44316428
READ of size 3 at 0x6d1a52937e68 thread T7
    #0 0x70ea5491fdba in memcpy path/to/libsanitizer/sanitizer_common/sanitizer_common_interceptors_memintrinsics.inc:115
    #1 0x5e3fea57c9f1 in Field_blob::pack(unsigned char*, unsigned char const*, unsigned int) path/to/src/sql/field.cc:9248
    #2 0x5e3fea98ab87 in pack_row(TABLE*, st_bitmap const*, unsigned char*, unsigned char const*) path/to/src/sql/rpl_record.cc:106
    #3 0x5e3fe9cd769a in THD::binlog_update_row(TABLE*, bool, unsigned char const*, unsigned char const*) path/to/src/sql/sql_class.cc:7443
    #4 0x5e3fea612505 in Update_rows_log_event::binlog_row_logging_function(THD*, TABLE*, bool, unsigned char const*, unsigned char const*) path/to/src/sql/log_event.h:5575
    #5 0x5e3fea603c4f in handler::binlog_log_row(TABLE*, unsigned char const*, unsigned char const*, bool (*)(THD*, TABLE*, bool, unsigned char const*, unsigned char const*)) path/to/src/sql/handler.cc:7274
    #6 0x5e3fea60a2e0 in handler::ha_update_row(unsigned char const*, unsigned char const*) path/to/src/sql/handler.cc:7905
    #7 0x5e3fea0f94b0 in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*) path/to/src/sql/sql_update.cc:1137
    #8 0x5e3fe9deb144 in mysql_execute_command(THD*, bool) path/to/src/sql/sql_parse.cc:4503
    #9 0x5e3fe9df68dd in mysql_parse(THD*, char*, unsigned int, Parser_state*) path/to/src/sql/sql_parse.cc:8221
    #10 0x5e3fe9dfa9a0 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) path/to/src/sql/sql_parse.cc:1924
    #11 0x5e3fe9dff2cf in do_command(THD*, bool) path/to/src/sql/sql_parse.cc:1434
    #12 0x5e3fea201b66 in do_handle_one_connection(CONNECT*, bool) path/to/src/sql/sql_connect.cc:1475
    #13 0x5e3fea202040 in handle_one_connection path/to/src/sql/sql_connect.cc:1387
    #14 0x5e3feac6a285 in pfs_spawn_thread path/to/src/storage/perfschema/pfs.cc:2201
    #15 0x70ea5485f802 in asan_thread_start path/to/libsanitizer/asan/asan_interceptors.cpp:239
    #16 0x70ea536a3d63 (/lib/x86_64-linux-gnu/libc.so.6+0xa3d63) (BuildId: a5b27db7ef3036c1dacf2e4ddc2e052767129439)
    #17 0x70ea537373fb (/lib/x86_64-linux-gnu/libc.so.6+0x1373fb) (BuildId: a5b27db7ef3036c1dacf2e4ddc2e052767129439)

0x6d1a52937e68 is located 24 bytes inside of 32-byte region [0x6d1a52937e50,0x6d1a52937e70)
freed by thread T7 here:
    #0 0x70ea5492114b in free path/to/libsanitizer/asan/asan_malloc_linux.cpp:51
    #1 0x5e3feb753841 in my_free path/to/src/mysys/my_malloc.c:217

previously allocated by thread T7 here:
    #0 0x70ea5492261b in malloc path/to/libsanitizer/asan/asan_malloc_linux.cpp:67
    #1 0x5e3feb7532d8 in my_malloc path/to/src/mysys/my_malloc.c:92

Thread T7 created by T0 here:
    #0 0x70ea549196aa in pthread_create path/to/libsanitizer/asan/asan_interceptors.cpp:250
    #1 0x5e3feac6a4f4 in my_thread_create path/to/src/storage/perfschema/my_thread.h:52
    #2 0x5e3feac6a4f4 in pfs_spawn_thread_v1 path/to/src/storage/perfschema/pfs.cc:2252

SUMMARY: AddressSanitizer: heap-use-after-free path/to/src/sql/field.cc:9248 in Field_blob::pack(unsigned char*, unsigned char const*, unsigned int)
Shadow bytes around the buggy address:
  0x6d1a52937b80: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x6d1a52937c00: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x6d1a52937c80: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x6d1a52937d00: 00 00 00 00 fa fa fd fd fd fd fa fa 00 00 00 00
  0x6d1a52937d80: fa fa 00 00 00 00 fa fa fd fd fd fd fa fa fd fd
=>0x6d1a52937e00: fd fd fa fa fd fd fd fd fa fa fd fd fd[fd]fa fa
  0x6d1a52937e80: 00 00 00 00 fa fa 00 00 00 00 fa fa fd fd fd fd
  0x6d1a52937f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x6d1a52937f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x6d1a52938000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x6d1a52938080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==26818==ABORTING
|
No obvious problem on a non-ASAN build.
The test case is not applicable to pre-10.3 versions due to the use of system versioning.
Somehow couldn't reproduce on 10.4+ but can in 10.11.
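When a report like the one above arrives, the first triage questions are always the same: what bug class, what access, which project frame (not the sanitizer interceptor) faulted, where was the block freed and allocated, and are those the same thread. The parser below is an added example, not code from the MariaDB project or the reporter; `parse_asan_report`, `AsanTriage` and `Frame` are names chosen here, and `SAMPLE_REPORT` is a constructed, trimmed copy of the report in this issue. The `signature()` it derives ("heap-use-after-free:READ:Field_blob::pack") is the kind of key one would use to match this report against linked issues such as MDEV-30441.

```python
"""Triage helper for AddressSanitizer reports (added example, not MariaDB code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a trimmed copy of the ASAN report from this issue.
SAMPLE_REPORT = """\
==26818==ERROR: AddressSanitizer: heap-use-after-free on address 0x6d1a52937e68 at pc 0x70ea5491fdbb bp 0x6cea44316c80 sp 0x6cea44316428
READ of size 3 at 0x6d1a52937e68 thread T7
    #0 0x70ea5491fdba in memcpy path/to/libsanitizer/sanitizer_common/sanitizer_common_interceptors_memintrinsics.inc:115
    #1 0x5e3fea57c9f1 in Field_blob::pack(unsigned char*, unsigned char const*, unsigned int) path/to/src/sql/field.cc:9248
    #2 0x5e3fea98ab87 in pack_row(TABLE*, st_bitmap const*, unsigned char*, unsigned char const*) path/to/src/sql/rpl_record.cc:106
    #3 0x5e3fe9cd769a in THD::binlog_update_row(TABLE*, bool, unsigned char const*, unsigned char const*) path/to/src/sql/sql_class.cc:7443

0x6d1a52937e68 is located 24 bytes inside of 32-byte region [0x6d1a52937e50,0x6d1a52937e70)
freed by thread T7 here:
    #0 0x70ea5492114b in free path/to/libsanitizer/asan/asan_malloc_linux.cpp:51
    #1 0x5e3feb753841 in my_free path/to/src/mysys/my_malloc.c:217

previously allocated by thread T7 here:
    #0 0x70ea5492261b in malloc path/to/libsanitizer/asan/asan_malloc_linux.cpp:67
    #1 0x5e3feb7532d8 in my_malloc path/to/src/mysys/my_malloc.c:92

SUMMARY: AddressSanitizer: heap-use-after-free path/to/src/sql/field.cc:9248 in Field_blob::pack(unsigned char*, unsigned char const*, unsigned int)
"""

HEADER_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
REGION_RE = re.compile(r"is located (\d+) bytes (?:inside of|after|before|to the right of|to the left of) (\d+)-byte region")
FREED_RE = re.compile(r"^freed by thread (T\d+) here:")
ALLOC_RE = re.compile(r"^previously allocated by thread (T\d+) here:")
# Function name may contain spaces (C++ parameter list); the location is the last token.
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+\s+in\s+(.*\S)\s+(\S+)$")


@dataclass
class Frame:
    index: int
    function: str
    location: str

    @property
    def in_sanitizer_runtime(self) -> bool:
        # Interceptor frames (memcpy/free/malloc) are noise for triage.
        return "libsanitizer" in self.location or "compiler-rt" in self.location

    @property
    def symbol(self) -> str:
        # "Field_blob::pack(unsigned char*, ...)" -> "Field_blob::pack"
        return self.function.split("(", 1)[0]


@dataclass
class AsanTriage:
    pid: int = 0
    kind: str = ""
    address: str = ""
    access: str = ""
    size: int = 0
    thread: str = ""
    offset: Optional[int] = None
    region_size: Optional[int] = None
    access_stack: List[Frame] = field(default_factory=list)
    free_thread: str = ""
    free_stack: List[Frame] = field(default_factory=list)
    alloc_thread: str = ""
    alloc_stack: List[Frame] = field(default_factory=list)

    @staticmethod
    def first_project_frame(stack: List[Frame]) -> Optional[Frame]:
        return next((f for f in stack if not f.in_sanitizer_runtime), None)

    @property
    def fault_frame(self) -> Optional[Frame]:
        return self.first_project_frame(self.access_stack)

    @property
    def same_thread(self) -> bool:
        # Access, free and allocation all on one thread: a lifetime bug, not a race.
        return self.thread == self.free_thread == self.alloc_thread

    def signature(self) -> str:
        f = self.fault_frame
        return f"{self.kind}:{self.access}:{f.symbol if f else '?'}"


def parse_asan_report(text: str) -> AsanTriage:
    t = AsanTriage()
    current: Optional[List[Frame]] = None  # stack that frame lines currently belong to
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER_RE.match(line):
            t.pid, t.kind, t.address = int(m.group(1)), m.group(2), m.group(3)
        elif m := ACCESS_RE.match(line):
            t.access, t.size, t.thread = m.group(1), int(m.group(2)), m.group(3)
            current = t.access_stack
        elif m := REGION_RE.search(line):
            t.offset, t.region_size = int(m.group(1)), int(m.group(2))
            current = None
        elif m := FREED_RE.match(line):
            t.free_thread = m.group(1)
            current = t.free_stack
        elif m := ALLOC_RE.match(line):
            t.alloc_thread = m.group(1)
            current = t.alloc_stack
        elif (m := FRAME_RE.match(line)) and current is not None:
            current.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
        elif not line:
            current = None  # blank line closes the current stack (e.g. before "Thread T7 created by")
    return t


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    print(r.signature(), "offset", r.offset, "of", r.region_size, "same thread:", r.same_thread)
```

Run against the full report above it gives the same result; the "Thread T7 created by T0 here:" section is ignored because no header resets the current stack. Note the 24-byte offset inside a 32-byte region: the freed block is the small buffer behind the virtual BLOB value, consistent with the linked MDEV-39711 description of the before-image being built from a value that has already been replaced.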
Issue Links
- is caused by
  - MDEV-15243 Server crashes in Field_blob::pack upon REPLACE into view with virtual columns with binlog enabled (Closed)
  - MDEV-39711 UPDATE on System-Versioned Tables uses the after-value in Row-format Binlog's before-image for non-trivial Text/Blob Virtual Columns (Stalled)
- relates to
  - MDEV-24782 ASAN use-after-poison in Field::pack_int / THD::binlog_update_row (Closed)
- split to
  - MDEV-30441 ASAN heap-use-after-free in Field_blob::pack/pack_row (Confirmed)
  - MDEV-39711 UPDATE on System-Versioned Tables uses the after-value in Row-format Binlog's before-image for non-trivial Text/Blob Virtual Columns (Stalled)