[MDEV-24656] [FATAL] InnoDB: Data field type 0, len 0, ASAN heap-buffer-overflow upon LOAD DATA with virtual columns - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Duplicate
Affects Version/s: 10.2, 10.3, 10.4, 10.5, 10.6
Fix Version/s: 10.2.38, 10.3.29, 10.4.19, 10.5.10
Component/s: Virtual Columns
Labels:
None

Description

--source include/have_innodb.inc

CREATE TABLE t1 (id INT PRIMARY KEY, a VARCHAR(2333), va VARCHAR(171) AS (a)) ENGINE=InnoDB;

INSERT INTO t1 (id,a) VALUES (1,REPEAT('x',200));

SELECT id, va INTO OUTFILE 'load_t1' FROM t1;

--error ER_DATA_TOO_LONG

LOAD DATA INFILE 'load_t1' REPLACE INTO TABLE t1 (id,va);

SELECT * FROM t1;

LOAD DATA INFILE 'load_t1' IGNORE INTO TABLE t1 (id,va);

# Cleanup

DROP TABLE t1;

--let $datadir= `select @@datadir`

--remove_file $datadir/test/load_t1

10.2 29d9897f debug
2021-01-22 19:42:32 140674636863232 [ERROR] [FATAL] InnoDB: Data field type 0, len 0
210122 19:42:32 [ERROR] mysqld got signal 6 ;

#5 0x00007ff1637ac859 in __GI_abort () at abort.c:79
#6 0x0000558a4099b40d in ib::fatal::~fatal (this=0x7ff15dc22a00, __in_chrg=<optimized out>) at /data/src/10.2/storage/innobase/ut/ut0ut.cc:649
#7 0x0000558a40a2a3c7 in dfield_check_typed (field=0x7ff10809fd38) at /data/src/10.2/storage/innobase/data/data0data.cc:159
#8 0x0000558a40a2a451 in dtuple_check_typed (tuple=0x7ff10809fc70) at /data/src/10.2/storage/innobase/data/data0data.cc:182
#9 0x0000558a408ae9a8 in row_ins_index_entry_step (node=0x7ff108039090, thr=0x7ff10809fe10) at /data/src/10.2/storage/innobase/row/row0ins.cc:3400
#10 0x0000558a408aee5f in row_ins (node=0x7ff108039090, thr=0x7ff10809fe10) at /data/src/10.2/storage/innobase/row/row0ins.cc:3548
#11 0x0000558a408af20a in row_ins_step (thr=0x7ff10809fe10) at /data/src/10.2/storage/innobase/row/row0ins.cc:3668
#12 0x0000558a408cd46c in row_insert_for_mysql (mysql_rec=0x7ff108036eb8 "\377", prebuilt=0x7ff108038b30) at /data/src/10.2/storage/innobase/row/row0mysql.cc:1411
#13 0x0000558a4078ce04 in ha_innobase::write_row (this=0x7ff108176828, record=0x7ff108036eb8 "\377") at /data/src/10.2/storage/innobase/handler/ha_innodb.cc:8166
#14 0x0000558a4058f10b in handler::ha_write_row (this=0x7ff108176828, buf=0x7ff108036eb8 "\377") at /data/src/10.2/sql/handler.cc:6118
#15 0x0000558a402da1c3 in write_record (thd=0x7ff108000d90, table=0x7ff108175c20, info=0x7ff15dc234a0) at /data/src/10.2/sql/sql_insert.cc:1939
#16 0x0000558a4071ecec in read_sep_field (thd=0x7ff108000d90, info=..., table_list=0x7ff108012860, fields_vars=..., set_fields=..., set_values=..., read_info=..., enclosed=..., skip_lines=0, ignore_check_option_errors=true) at /data/src/10.2/sql/sql_load.cc:1175
#17 0x0000558a4071d2fa in mysql_load (thd=0x7ff108000d90, ex=0x7ff1080127d8, table_list=0x7ff108012860, fields_vars=..., set_fields=..., set_values=..., handle_duplicates=DUP_ERROR, ignore=true, read_file_from_client=false) at /data/src/10.2/sql/sql_load.cc:682
#18 0x0000558a40300518 in mysql_execute_command (thd=0x7ff108000d90) at /data/src/10.2/sql/sql_parse.cc:4605
#19 0x0000558a4030a3bf in mysql_parse (thd=0x7ff108000d90, rawbuf=0x7ff1080126f8 "LOAD DATA INFILE 'load_t1' IGNORE INTO TABLE t1 (id,va)", length=55, parser_state=0x7ff15dc245f0, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7763
#20 0x0000558a402f8698 in dispatch_command (command=COM_QUERY, thd=0x7ff108000d90, packet=0x7ff108008b51 "LOAD DATA INFILE 'load_t1' IGNORE INTO TABLE t1 (id,va)", packet_length=55, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1827
#21 0x0000558a402f7193 in do_command (thd=0x7ff108000d90) at /data/src/10.2/sql/sql_parse.cc:1381
#22 0x0000558a40451aae in do_handle_one_connection (connect=0x558a444acfa0) at /data/src/10.2/sql/sql_connect.cc:1336
#23 0x0000558a40451813 in handle_one_connection (arg=0x558a444acfa0) at /data/src/10.2/sql/sql_connect.cc:1241
#24 0x0000558a40c79dd2 in pfs_spawn_thread (arg=0x558a444900d0) at /data/src/10.2/storage/perfschema/pfs.cc:1869
#25 0x00007ff163ccd609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#26 0x00007ff1638a9293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.2 29d9897f non-debug ASAN
==1685553==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e00003ca80 at pc 0x5635b74e4a38 bp 0x7f0ff88864b0 sp 0x7f0ff88864a0
READ of size 1 at 0x61e00003ca80 thread T27
#0 0x5635b74e4a37 in Field::is_null_in_record(unsigned char const*) const /data/src/10.2/sql/field.h:1145
#1 0x5635b74e4a37 in TABLE::validate_default_values_of_unset_fields(THD*) const /data/src/10.2/sql/table.cc:7983
#2 0x5635b7ca634b in mysql_load(THD, sql_exchange, TABLE_LIST*, List<Item>&, List<Item>&, List<Item>&, enum_duplicates, bool, bool) /data/src/10.2/sql/sql_load.cc:668
#3 0x5635b723dc3f in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4605
#4 0x5635b725033f in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
#5 0x5635b72598cb in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
#6 0x5635b725e7a5 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
#7 0x5635b755e776 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
#8 0x5635b755eebe in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
#9 0x5635b882b458 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
#10 0x7f100f2ca608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
#11 0x7f100eea4292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

0x61e00003ca80 is located 0 bytes to the right of 2560-byte region [0x61e00003c080,0x61e00003ca80)
allocated by thread T27 here:
#0 0x7f100f831bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
#1 0x5635b88e3d96 in my_malloc /data/src/10.2/mysys/my_malloc.c:101
#2 0x5635b88cf5eb in alloc_root /data/src/10.2/mysys/my_alloc.c:243
#3 0x5635b74c028c in TABLE_SHARE::init_from_binary_frm_image(THD, bool, unsigned char const, unsigned long) /data/src/10.2/sql/table.cc:1621
#4 0x5635b74cba30 in open_table_def(THD, TABLE_SHARE, unsigned int) /data/src/10.2/sql/table.cc:684
#5 0x5635b76e0d24 in tdc_acquire_share(THD, TABLE_LIST, unsigned int, TABLE**) /data/src/10.2/sql/table_cache.cc:826
#6 0x5635b7135ef6 in open_table(THD, TABLE_LIST, Open_table_context*) /data/src/10.2/sql/sql_base.cc:1797
#7 0x5635b7142651 in open_and_process_table /data/src/10.2/sql/sql_base.cc:3614
#8 0x5635b7142651 in open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:4081
#9 0x5635b7143b21 in open_and_lock_tables(THD, DDL_options_st const&, TABLE_LIST, bool, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:4880
#10 0x5635b71ec745 in open_and_lock_tables(THD, TABLE_LIST, bool, unsigned int) /data/src/10.2/sql/sql_base.h:507
#11 0x5635b71ec745 in mysql_insert(THD, TABLE_LIST, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.2/sql/sql_insert.cc:758
#12 0x5635b7238319 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4194
#13 0x5635b725033f in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
#14 0x5635b72598cb in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
#15 0x5635b725e7a5 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
#16 0x5635b755e776 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
#17 0x5635b755eebe in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
#18 0x5635b882b458 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
#19 0x7f100f2ca608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477

Thread T27 created by T0 here:
#0 0x7f100f75e805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
#1 0x5635b883443e in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1919
#2 0x5635b70336e2 in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1246
#3 0x5635b70336e2 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6567
#4 0x5635b7043d43 in create_new_thread /data/src/10.2/sql/mysqld.cc:6637
#5 0x5635b7043d43 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6895
#6 0x5635b7046257 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6186
#7 0x7f100eda90b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-buffer-overflow /data/src/10.2/sql/field.h:1145 in Field::is_null_in_record(unsigned char const*) const
Shadow bytes around the buggy address:
0x0c3c7ffff900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7ffff910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7ffff920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7ffff930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7ffff940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f7
=>0x0c3c7ffff950:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7ffff960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7ffff970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7ffff980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7ffff990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7ffff9a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1685553==ABORTING

Reproducible on 10.2+.
My non-debug non-ASAN builds don't crash, but given the non-debug ASAN failure above, it probably won't end well.

The exact same test case, but with BIGINT instead of INT for the primary key causes differently looking failures:

--source include/have_innodb.inc

CREATE TABLE t1 (id BIGINT PRIMARY KEY, a VARCHAR(2333), va VARCHAR(171) AS (a)) ENGINE=InnoDB;

INSERT INTO t1 (id,a) VALUES (1,REPEAT('x',200));

SELECT id, va INTO OUTFILE 'load_t1' FROM t1;

--error ER_DATA_TOO_LONG

LOAD DATA INFILE 'load_t1' REPLACE INTO TABLE t1 (id,va);

SELECT * FROM t1;

LOAD DATA INFILE 'load_t1' IGNORE INTO TABLE t1 (id,va);

# Cleanup

DROP TABLE t1;

--let $datadir= `select @@datadir`

--remove_file $datadir/test/load_t1

10.2 29d9897f debug
mysqld: /data/src/10.2/storage/innobase/include/data0data.h:562: dfield_t* dtuple_get_nth_field(dtuple_t*, ulint): Assertion `n < tuple->n_fields' failed.
210122 20:31:35 [ERROR] mysqld got signal 6 ;

#7 0x00007efc3c60df36 in __GI___assert_fail (assertion=0x559087e58361 "n < tuple->n_fields", file=0x559087e58278 "/data/src/10.2/storage/innobase/include/data0data.h", line=562, function=0x559087e58330 "dfield_t* dtuple_get_nth_field(dtuple_t*, ulint)") at assert.c:101
#8 0x000055908777aac0 in dtuple_get_nth_field (tuple=0x7efbe009fc78, n=1) at /data/src/10.2/storage/innobase/include/data0data.h:562
#9 0x000055908789c5d2 in row_mysql_convert_row_to_innobase (row=0x7efbe009fc78, prebuilt=0x7efbe0038b30, mysql_rec=0x7efbe0036eb8 "\377", blob_heap=0x7efc36a72d08) at /data/src/10.2/storage/innobase/row/row0mysql.cc:604
#10 0x000055908789e3ad in row_insert_for_mysql (mysql_rec=0x7efbe0036eb8 "\377", prebuilt=0x7efbe0038b30) at /data/src/10.2/storage/innobase/row/row0mysql.cc:1391
#11 0x000055908775de04 in ha_innobase::write_row (this=0x7efbe0176828, record=0x7efbe0036eb8 "\377") at /data/src/10.2/storage/innobase/handler/ha_innodb.cc:8166
#12 0x000055908756010b in handler::ha_write_row (this=0x7efbe0176828, buf=0x7efbe0036eb8 "\377") at /data/src/10.2/sql/handler.cc:6118
#13 0x00005590872ab1c3 in write_record (thd=0x7efbe0000d90, table=0x7efbe0175c20, info=0x7efc36a734a0) at /data/src/10.2/sql/sql_insert.cc:1939
#14 0x00005590876efcec in read_sep_field (thd=0x7efbe0000d90, info=..., table_list=0x7efbe0012860, fields_vars=..., set_fields=..., set_values=..., read_info=..., enclosed=..., skip_lines=0, ignore_check_option_errors=true) at /data/src/10.2/sql/sql_load.cc:1175
#15 0x00005590876ee2fa in mysql_load (thd=0x7efbe0000d90, ex=0x7efbe00127d8, table_list=0x7efbe0012860, fields_vars=..., set_fields=..., set_values=..., handle_duplicates=DUP_ERROR, ignore=true, read_file_from_client=false) at /data/src/10.2/sql/sql_load.cc:682
#16 0x00005590872d1518 in mysql_execute_command (thd=0x7efbe0000d90) at /data/src/10.2/sql/sql_parse.cc:4605
#17 0x00005590872db3bf in mysql_parse (thd=0x7efbe0000d90, rawbuf=0x7efbe00126f8 "LOAD DATA INFILE 'load_t1' IGNORE INTO TABLE t1 (id,va)", length=55, parser_state=0x7efc36a745f0, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7763
#18 0x00005590872c9698 in dispatch_command (command=COM_QUERY, thd=0x7efbe0000d90, packet=0x7efbe0008b51 "LOAD DATA INFILE 'load_t1' IGNORE INTO TABLE t1 (id,va)", packet_length=55, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1827
#19 0x00005590872c8193 in do_command (thd=0x7efbe0000d90) at /data/src/10.2/sql/sql_parse.cc:1381
#20 0x0000559087422aae in do_handle_one_connection (connect=0x5590898dbfa0) at /data/src/10.2/sql/sql_connect.cc:1336
#21 0x0000559087422813 in handle_one_connection (arg=0x5590898dbfa0) at /data/src/10.2/sql/sql_connect.cc:1241
#22 0x0000559087c4add2 in pfs_spawn_thread (arg=0x5590898bf0d0) at /data/src/10.2/storage/perfschema/pfs.cc:1869
#23 0x00007efc3cb1d609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#24 0x00007efc3c6f9293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.2 29d9897f debug+ASAN
==1688464==ERROR: AddressSanitizer: use-after-poison on address 0x6250000f5b67 at pc 0x557392b089da bp 0x7f19d74399f0 sp 0x7f19d74399e0
WRITE of size 1 at 0x6250000f5b67 thread T27
#0 0x557392b089d9 in row_mysql_store_col_in_innobase_format(dfield_t, unsigned char, unsigned long, unsigned char const*, unsigned long, unsigned long) /data/src/10.2/storage/innobase/row/row0mysql.cc:436
#1 0x557392b09659 in row_mysql_convert_row_to_innobase /data/src/10.2/storage/innobase/row/row0mysql.cc:622
#2 0x557392b0ea35 in row_insert_for_mysql(unsigned char const, row_prebuilt_t) /data/src/10.2/storage/innobase/row/row0mysql.cc:1391
#3 0x55739284844a in ha_innobase::write_row(unsigned char*) /data/src/10.2/storage/innobase/handler/ha_innodb.cc:8166
#4 0x557392338e89 in handler::ha_write_row(unsigned char*) /data/src/10.2/sql/handler.cc:6118
#5 0x557391c7840c in write_record(THD, TABLE, st_copy_info*) /data/src/10.2/sql/sql_insert.cc:1939
#6 0x55739272c48e in read_sep_field /data/src/10.2/sql/sql_load.cc:1175
#7 0x55739272871a in mysql_load(THD, sql_exchange, TABLE_LIST*, List<Item>&, List<Item>&, List<Item>&, enum_duplicates, bool, bool) /data/src/10.2/sql/sql_load.cc:682
#8 0x557391cdc1f7 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4605
#9 0x557391cf17eb in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
#10 0x557391cca830 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
#11 0x557391cc75ef in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
#12 0x55739204fb1e in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
#13 0x55739204f3e1 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
#14 0x5573933eb5d9 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
#15 0x7f19edfdb608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
#16 0x7f19edbb5292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

0x6250000f5b67 is located 2663 bytes inside of 7984-byte region [0x6250000f5100,0x6250000f7030)
allocated by thread T27 here:
#0 0x7f19ee542bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
#1 0x5573929d7302 in mem_heap_create_block_func(mem_block_info_t, unsigned long, char const, unsigned int, unsigned long) /data/src/10.2/storage/innobase/mem/mem0mem.cc:289
#2 0x5573929d7b99 in mem_heap_add_block(mem_block_info_t*, unsigned long) /data/src/10.2/storage/innobase/mem/mem0mem.cc:390
#3 0x557392b00222 in mem_heap_alloc /data/src/10.2/storage/innobase/include/mem0mem.ic:191
#4 0x557392b0ce82 in row_get_prebuilt_insert_row /data/src/10.2/storage/innobase/row/row0mysql.cc:1115
#5 0x557392b0e9ab in row_insert_for_mysql(unsigned char const, row_prebuilt_t) /data/src/10.2/storage/innobase/row/row0mysql.cc:1388
#6 0x55739284844a in ha_innobase::write_row(unsigned char*) /data/src/10.2/storage/innobase/handler/ha_innodb.cc:8166
#7 0x557392338e89 in handler::ha_write_row(unsigned char*) /data/src/10.2/sql/handler.cc:6118
#8 0x557391c7840c in write_record(THD, TABLE, st_copy_info*) /data/src/10.2/sql/sql_insert.cc:1939
#9 0x557391c71f8c in mysql_insert(THD, TABLE_LIST, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.2/sql/sql_insert.cc:1066
#10 0x557391cd8b91 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4194
#11 0x557391cf17eb in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
#12 0x557391cca830 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
#13 0x557391cc75ef in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
#14 0x55739204fb1e in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
#15 0x55739204f3e1 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
#16 0x5573933eb5d9 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
#17 0x7f19edfdb608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477

Thread T27 created by T0 here:
#0 0x7f19ee46f805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
#1 0x5573933eb9ca in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1919
#2 0x557391a6c083 in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1246
#3 0x557391a83c2b in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6567
#4 0x557391a843c6 in create_new_thread /data/src/10.2/sql/mysqld.cc:6637
#5 0x557391a85558 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6895
#6 0x557391a82f7c in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6186
#7 0x557391a6a93c in main /data/src/10.2/sql/main.cc:25
#8 0x7f19edaba0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: use-after-poison /data/src/10.2/storage/innobase/row/row0mysql.cc:436 in row_mysql_store_col_in_innobase_format(dfield_t, unsigned char, unsigned long, unsigned char const*, unsigned long, unsigned long)
Shadow bytes around the buggy address:
0x0c4a80016b10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a80016b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a80016b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a80016b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a80016b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a80016b60: 00 00 00 00 00 00 00 00 00 00 00 04[f7]00 00 00
0x0c4a80016b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a80016b80: 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00
0x0c4a80016b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a80016ba0: 00 00 f7 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a80016bb0: 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1688464==ABORTING

Attachments

Issue Links

duplicates

MDEV-24583 ASAN use-after-poison in create_tmp_table or assertion failures after failed REPLACE into table with virtual/stored column

Closed

relates to

MDEV-24665 ASAN errors, assertion failures, corrupt values after failed LOAD DATA into table with virtual/stored column

Closed

Activity

People

Assignee:: Nikita Malyavin

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2021-01-22 17:45

Updated:: 2021-04-26 13:41

Resolved:: 2021-04-26 13:41

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.