Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Duplicate
-
10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6
-
None
Description
--source include/have_innodb.inc
|
|
|
CREATE TABLE t1 (id INT PRIMARY KEY, a VARCHAR(2333), va VARCHAR(171) AS (a)) ENGINE=InnoDB; |
INSERT INTO t1 (id,a) VALUES (1,REPEAT('x',200)); |
SELECT id, va INTO OUTFILE 'load_t1' FROM t1; |
--error ER_DATA_TOO_LONG
|
LOAD DATA INFILE 'load_t1' REPLACE INTO TABLE t1 (id,va); |
SELECT * FROM t1; |
LOAD DATA INFILE 'load_t1' IGNORE INTO TABLE t1 (id,va); |
|
|
# Cleanup
|
DROP TABLE t1; |
--let $datadir= `select @@datadir`
|
--remove_file $datadir/test/load_t1 |
|
10.2 29d9897f debug |
2021-01-22 19:42:32 140674636863232 [ERROR] [FATAL] InnoDB: Data field type 0, len 0
|
210122 19:42:32 [ERROR] mysqld got signal 6 ;
|
|
|
#5 0x00007ff1637ac859 in __GI_abort () at abort.c:79
|
#6 0x0000558a4099b40d in ib::fatal::~fatal (this=0x7ff15dc22a00, __in_chrg=<optimized out>) at /data/src/10.2/storage/innobase/ut/ut0ut.cc:649
|
#7 0x0000558a40a2a3c7 in dfield_check_typed (field=0x7ff10809fd38) at /data/src/10.2/storage/innobase/data/data0data.cc:159
|
#8 0x0000558a40a2a451 in dtuple_check_typed (tuple=0x7ff10809fc70) at /data/src/10.2/storage/innobase/data/data0data.cc:182
|
#9 0x0000558a408ae9a8 in row_ins_index_entry_step (node=0x7ff108039090, thr=0x7ff10809fe10) at /data/src/10.2/storage/innobase/row/row0ins.cc:3400
|
#10 0x0000558a408aee5f in row_ins (node=0x7ff108039090, thr=0x7ff10809fe10) at /data/src/10.2/storage/innobase/row/row0ins.cc:3548
|
#11 0x0000558a408af20a in row_ins_step (thr=0x7ff10809fe10) at /data/src/10.2/storage/innobase/row/row0ins.cc:3668
|
#12 0x0000558a408cd46c in row_insert_for_mysql (mysql_rec=0x7ff108036eb8 "\377", prebuilt=0x7ff108038b30) at /data/src/10.2/storage/innobase/row/row0mysql.cc:1411
|
#13 0x0000558a4078ce04 in ha_innobase::write_row (this=0x7ff108176828, record=0x7ff108036eb8 "\377") at /data/src/10.2/storage/innobase/handler/ha_innodb.cc:8166
|
#14 0x0000558a4058f10b in handler::ha_write_row (this=0x7ff108176828, buf=0x7ff108036eb8 "\377") at /data/src/10.2/sql/handler.cc:6118
|
#15 0x0000558a402da1c3 in write_record (thd=0x7ff108000d90, table=0x7ff108175c20, info=0x7ff15dc234a0) at /data/src/10.2/sql/sql_insert.cc:1939
|
#16 0x0000558a4071ecec in read_sep_field (thd=0x7ff108000d90, info=..., table_list=0x7ff108012860, fields_vars=..., set_fields=..., set_values=..., read_info=..., enclosed=..., skip_lines=0, ignore_check_option_errors=true) at /data/src/10.2/sql/sql_load.cc:1175
|
#17 0x0000558a4071d2fa in mysql_load (thd=0x7ff108000d90, ex=0x7ff1080127d8, table_list=0x7ff108012860, fields_vars=..., set_fields=..., set_values=..., handle_duplicates=DUP_ERROR, ignore=true, read_file_from_client=false) at /data/src/10.2/sql/sql_load.cc:682
|
#18 0x0000558a40300518 in mysql_execute_command (thd=0x7ff108000d90) at /data/src/10.2/sql/sql_parse.cc:4605
|
#19 0x0000558a4030a3bf in mysql_parse (thd=0x7ff108000d90, rawbuf=0x7ff1080126f8 "LOAD DATA INFILE 'load_t1' IGNORE INTO TABLE t1 (id,va)", length=55, parser_state=0x7ff15dc245f0, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7763
|
#20 0x0000558a402f8698 in dispatch_command (command=COM_QUERY, thd=0x7ff108000d90, packet=0x7ff108008b51 "LOAD DATA INFILE 'load_t1' IGNORE INTO TABLE t1 (id,va)", packet_length=55, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1827
|
#21 0x0000558a402f7193 in do_command (thd=0x7ff108000d90) at /data/src/10.2/sql/sql_parse.cc:1381
|
#22 0x0000558a40451aae in do_handle_one_connection (connect=0x558a444acfa0) at /data/src/10.2/sql/sql_connect.cc:1336
|
#23 0x0000558a40451813 in handle_one_connection (arg=0x558a444acfa0) at /data/src/10.2/sql/sql_connect.cc:1241
|
#24 0x0000558a40c79dd2 in pfs_spawn_thread (arg=0x558a444900d0) at /data/src/10.2/storage/perfschema/pfs.cc:1869
|
#25 0x00007ff163ccd609 in start_thread (arg=<optimized out>) at pthread_create.c:477
|
#26 0x00007ff1638a9293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
|
|
10.2 29d9897f non-debug ASAN |
==1685553==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e00003ca80 at pc 0x5635b74e4a38 bp 0x7f0ff88864b0 sp 0x7f0ff88864a0
|
READ of size 1 at 0x61e00003ca80 thread T27
|
#0 0x5635b74e4a37 in Field::is_null_in_record(unsigned char const*) const /data/src/10.2/sql/field.h:1145
|
#1 0x5635b74e4a37 in TABLE::validate_default_values_of_unset_fields(THD*) const /data/src/10.2/sql/table.cc:7983
|
#2 0x5635b7ca634b in mysql_load(THD*, sql_exchange*, TABLE_LIST*, List<Item>&, List<Item>&, List<Item>&, enum_duplicates, bool, bool) /data/src/10.2/sql/sql_load.cc:668
|
#3 0x5635b723dc3f in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4605
|
#4 0x5635b725033f in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
|
#5 0x5635b72598cb in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
|
#6 0x5635b725e7a5 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
|
#7 0x5635b755e776 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
|
#8 0x5635b755eebe in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
|
#9 0x5635b882b458 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
|
#10 0x7f100f2ca608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
|
#11 0x7f100eea4292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
|
|
|
0x61e00003ca80 is located 0 bytes to the right of 2560-byte region [0x61e00003c080,0x61e00003ca80)
|
allocated by thread T27 here:
|
#0 0x7f100f831bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
|
#1 0x5635b88e3d96 in my_malloc /data/src/10.2/mysys/my_malloc.c:101
|
#2 0x5635b88cf5eb in alloc_root /data/src/10.2/mysys/my_alloc.c:243
|
#3 0x5635b74c028c in TABLE_SHARE::init_from_binary_frm_image(THD*, bool, unsigned char const*, unsigned long) /data/src/10.2/sql/table.cc:1621
|
#4 0x5635b74cba30 in open_table_def(THD*, TABLE_SHARE*, unsigned int) /data/src/10.2/sql/table.cc:684
|
#5 0x5635b76e0d24 in tdc_acquire_share(THD*, TABLE_LIST*, unsigned int, TABLE**) /data/src/10.2/sql/table_cache.cc:826
|
#6 0x5635b7135ef6 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.2/sql/sql_base.cc:1797
|
#7 0x5635b7142651 in open_and_process_table /data/src/10.2/sql/sql_base.cc:3614
|
#8 0x5635b7142651 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:4081
|
#9 0x5635b7143b21 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:4880
|
#10 0x5635b71ec745 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.2/sql/sql_base.h:507
|
#11 0x5635b71ec745 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.2/sql/sql_insert.cc:758
|
#12 0x5635b7238319 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4194
|
#13 0x5635b725033f in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
|
#14 0x5635b72598cb in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
|
#15 0x5635b725e7a5 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
|
#16 0x5635b755e776 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
|
#17 0x5635b755eebe in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
|
#18 0x5635b882b458 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
|
#19 0x7f100f2ca608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
|
|
|
Thread T27 created by T0 here:
|
#0 0x7f100f75e805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
|
#1 0x5635b883443e in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1919
|
#2 0x5635b70336e2 in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1246
|
#3 0x5635b70336e2 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6567
|
#4 0x5635b7043d43 in create_new_thread /data/src/10.2/sql/mysqld.cc:6637
|
#5 0x5635b7043d43 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6895
|
#6 0x5635b7046257 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6186
|
#7 0x7f100eda90b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
|
|
|
SUMMARY: AddressSanitizer: heap-buffer-overflow /data/src/10.2/sql/field.h:1145 in Field::is_null_in_record(unsigned char const*) const
|
Shadow bytes around the buggy address:
|
0x0c3c7ffff900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c3c7ffff910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c3c7ffff920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c3c7ffff930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c3c7ffff940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f7
|
=>0x0c3c7ffff950:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c3c7ffff960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c3c7ffff970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c3c7ffff980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c3c7ffff990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c3c7ffff9a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==1685553==ABORTING
|
Reproducible on 10.2+.
My non-debug non-ASAN builds don't crash, but given the non-debug ASAN failure above, it probably won't end well.
The exact same test case, but with BIGINT instead of INT for the primary key causes differently looking failures:
--source include/have_innodb.inc
|
|
CREATE TABLE t1 (id BIGINT PRIMARY KEY, a VARCHAR(2333), va VARCHAR(171) AS (a)) ENGINE=InnoDB; |
INSERT INTO t1 (id,a) VALUES (1,REPEAT('x',200)); |
SELECT id, va INTO OUTFILE 'load_t1' FROM t1; |
--error ER_DATA_TOO_LONG
|
LOAD DATA INFILE 'load_t1' REPLACE INTO TABLE t1 (id,va); |
SELECT * FROM t1; |
LOAD DATA INFILE 'load_t1' IGNORE INTO TABLE t1 (id,va); |
|
# Cleanup
|
DROP TABLE t1; |
--let $datadir= `select @@datadir`
|
--remove_file $datadir/test/load_t1 |
|
10.2 29d9897f debug |
mysqld: /data/src/10.2/storage/innobase/include/data0data.h:562: dfield_t* dtuple_get_nth_field(dtuple_t*, ulint): Assertion `n < tuple->n_fields' failed.
|
210122 20:31:35 [ERROR] mysqld got signal 6 ;
|
|
|
#7 0x00007efc3c60df36 in __GI___assert_fail (assertion=0x559087e58361 "n < tuple->n_fields", file=0x559087e58278 "/data/src/10.2/storage/innobase/include/data0data.h", line=562, function=0x559087e58330 "dfield_t* dtuple_get_nth_field(dtuple_t*, ulint)") at assert.c:101
|
#8 0x000055908777aac0 in dtuple_get_nth_field (tuple=0x7efbe009fc78, n=1) at /data/src/10.2/storage/innobase/include/data0data.h:562
|
#9 0x000055908789c5d2 in row_mysql_convert_row_to_innobase (row=0x7efbe009fc78, prebuilt=0x7efbe0038b30, mysql_rec=0x7efbe0036eb8 "\377", blob_heap=0x7efc36a72d08) at /data/src/10.2/storage/innobase/row/row0mysql.cc:604
|
#10 0x000055908789e3ad in row_insert_for_mysql (mysql_rec=0x7efbe0036eb8 "\377", prebuilt=0x7efbe0038b30) at /data/src/10.2/storage/innobase/row/row0mysql.cc:1391
|
#11 0x000055908775de04 in ha_innobase::write_row (this=0x7efbe0176828, record=0x7efbe0036eb8 "\377") at /data/src/10.2/storage/innobase/handler/ha_innodb.cc:8166
|
#12 0x000055908756010b in handler::ha_write_row (this=0x7efbe0176828, buf=0x7efbe0036eb8 "\377") at /data/src/10.2/sql/handler.cc:6118
|
#13 0x00005590872ab1c3 in write_record (thd=0x7efbe0000d90, table=0x7efbe0175c20, info=0x7efc36a734a0) at /data/src/10.2/sql/sql_insert.cc:1939
|
#14 0x00005590876efcec in read_sep_field (thd=0x7efbe0000d90, info=..., table_list=0x7efbe0012860, fields_vars=..., set_fields=..., set_values=..., read_info=..., enclosed=..., skip_lines=0, ignore_check_option_errors=true) at /data/src/10.2/sql/sql_load.cc:1175
|
#15 0x00005590876ee2fa in mysql_load (thd=0x7efbe0000d90, ex=0x7efbe00127d8, table_list=0x7efbe0012860, fields_vars=..., set_fields=..., set_values=..., handle_duplicates=DUP_ERROR, ignore=true, read_file_from_client=false) at /data/src/10.2/sql/sql_load.cc:682
|
#16 0x00005590872d1518 in mysql_execute_command (thd=0x7efbe0000d90) at /data/src/10.2/sql/sql_parse.cc:4605
|
#17 0x00005590872db3bf in mysql_parse (thd=0x7efbe0000d90, rawbuf=0x7efbe00126f8 "LOAD DATA INFILE 'load_t1' IGNORE INTO TABLE t1 (id,va)", length=55, parser_state=0x7efc36a745f0, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7763
|
#18 0x00005590872c9698 in dispatch_command (command=COM_QUERY, thd=0x7efbe0000d90, packet=0x7efbe0008b51 "LOAD DATA INFILE 'load_t1' IGNORE INTO TABLE t1 (id,va)", packet_length=55, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1827
|
#19 0x00005590872c8193 in do_command (thd=0x7efbe0000d90) at /data/src/10.2/sql/sql_parse.cc:1381
|
#20 0x0000559087422aae in do_handle_one_connection (connect=0x5590898dbfa0) at /data/src/10.2/sql/sql_connect.cc:1336
|
#21 0x0000559087422813 in handle_one_connection (arg=0x5590898dbfa0) at /data/src/10.2/sql/sql_connect.cc:1241
|
#22 0x0000559087c4add2 in pfs_spawn_thread (arg=0x5590898bf0d0) at /data/src/10.2/storage/perfschema/pfs.cc:1869
|
#23 0x00007efc3cb1d609 in start_thread (arg=<optimized out>) at pthread_create.c:477
|
#24 0x00007efc3c6f9293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
|
|
10.2 29d9897f debug+ASAN |
==1688464==ERROR: AddressSanitizer: use-after-poison on address 0x6250000f5b67 at pc 0x557392b089da bp 0x7f19d74399f0 sp 0x7f19d74399e0
|
WRITE of size 1 at 0x6250000f5b67 thread T27
|
#0 0x557392b089d9 in row_mysql_store_col_in_innobase_format(dfield_t*, unsigned char*, unsigned long, unsigned char const*, unsigned long, unsigned long) /data/src/10.2/storage/innobase/row/row0mysql.cc:436
|
#1 0x557392b09659 in row_mysql_convert_row_to_innobase /data/src/10.2/storage/innobase/row/row0mysql.cc:622
|
#2 0x557392b0ea35 in row_insert_for_mysql(unsigned char const*, row_prebuilt_t*) /data/src/10.2/storage/innobase/row/row0mysql.cc:1391
|
#3 0x55739284844a in ha_innobase::write_row(unsigned char*) /data/src/10.2/storage/innobase/handler/ha_innodb.cc:8166
|
#4 0x557392338e89 in handler::ha_write_row(unsigned char*) /data/src/10.2/sql/handler.cc:6118
|
#5 0x557391c7840c in write_record(THD*, TABLE*, st_copy_info*) /data/src/10.2/sql/sql_insert.cc:1939
|
#6 0x55739272c48e in read_sep_field /data/src/10.2/sql/sql_load.cc:1175
|
#7 0x55739272871a in mysql_load(THD*, sql_exchange*, TABLE_LIST*, List<Item>&, List<Item>&, List<Item>&, enum_duplicates, bool, bool) /data/src/10.2/sql/sql_load.cc:682
|
#8 0x557391cdc1f7 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4605
|
#9 0x557391cf17eb in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
|
#10 0x557391cca830 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
|
#11 0x557391cc75ef in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
|
#12 0x55739204fb1e in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
|
#13 0x55739204f3e1 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
|
#14 0x5573933eb5d9 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
|
#15 0x7f19edfdb608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
|
#16 0x7f19edbb5292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
|
|
|
0x6250000f5b67 is located 2663 bytes inside of 7984-byte region [0x6250000f5100,0x6250000f7030)
|
allocated by thread T27 here:
|
#0 0x7f19ee542bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
|
#1 0x5573929d7302 in mem_heap_create_block_func(mem_block_info_t*, unsigned long, char const*, unsigned int, unsigned long) /data/src/10.2/storage/innobase/mem/mem0mem.cc:289
|
#2 0x5573929d7b99 in mem_heap_add_block(mem_block_info_t*, unsigned long) /data/src/10.2/storage/innobase/mem/mem0mem.cc:390
|
#3 0x557392b00222 in mem_heap_alloc /data/src/10.2/storage/innobase/include/mem0mem.ic:191
|
#4 0x557392b0ce82 in row_get_prebuilt_insert_row /data/src/10.2/storage/innobase/row/row0mysql.cc:1115
|
#5 0x557392b0e9ab in row_insert_for_mysql(unsigned char const*, row_prebuilt_t*) /data/src/10.2/storage/innobase/row/row0mysql.cc:1388
|
#6 0x55739284844a in ha_innobase::write_row(unsigned char*) /data/src/10.2/storage/innobase/handler/ha_innodb.cc:8166
|
#7 0x557392338e89 in handler::ha_write_row(unsigned char*) /data/src/10.2/sql/handler.cc:6118
|
#8 0x557391c7840c in write_record(THD*, TABLE*, st_copy_info*) /data/src/10.2/sql/sql_insert.cc:1939
|
#9 0x557391c71f8c in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.2/sql/sql_insert.cc:1066
|
#10 0x557391cd8b91 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4194
|
#11 0x557391cf17eb in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
|
#12 0x557391cca830 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
|
#13 0x557391cc75ef in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
|
#14 0x55739204fb1e in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
|
#15 0x55739204f3e1 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
|
#16 0x5573933eb5d9 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
|
#17 0x7f19edfdb608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
|
|
|
Thread T27 created by T0 here:
|
#0 0x7f19ee46f805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
|
#1 0x5573933eb9ca in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1919
|
#2 0x557391a6c083 in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1246
|
#3 0x557391a83c2b in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6567
|
#4 0x557391a843c6 in create_new_thread /data/src/10.2/sql/mysqld.cc:6637
|
#5 0x557391a85558 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6895
|
#6 0x557391a82f7c in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6186
|
#7 0x557391a6a93c in main /data/src/10.2/sql/main.cc:25
|
#8 0x7f19edaba0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
|
|
|
SUMMARY: AddressSanitizer: use-after-poison /data/src/10.2/storage/innobase/row/row0mysql.cc:436 in row_mysql_store_col_in_innobase_format(dfield_t*, unsigned char*, unsigned long, unsigned char const*, unsigned long, unsigned long)
|
Shadow bytes around the buggy address:
|
0x0c4a80016b10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c4a80016b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c4a80016b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c4a80016b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c4a80016b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
=>0x0c4a80016b60: 00 00 00 00 00 00 00 00 00 00 00 04[f7]00 00 00
|
0x0c4a80016b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c4a80016b80: 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00
|
0x0c4a80016b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c4a80016ba0: 00 00 f7 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c4a80016bb0: 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 00
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==1688464==ABORTING
|
Attachments
Issue Links
- duplicates
-
-
- Closed
-
- relates to
-
-
- Closed
-
Activity
the test case is similar to the one above (and is derived from one of tests from MDEV-24583--that is why I set this bug as related), but crashes non-debug builds. Repeatable with InnoDB/Myisam
create table t1 (pk int, a varchar(1), v varchar(1) as (concat('virt-',a)), primary key (pk)); |
insert into t1 (pk,a) values (1,'a'),(2,'b'); |
|
--error 1406
|
replace into t1 (pk) values (1); |
replace into t1 (pk) values (1); |
replace into t1 (pk) values (1); |
drop table t1; |
MariaDB [test]> create table t1 (pk int, a varchar(1), v varchar(1) as (concat('virt-',a)), primary key (pk));
|
Query OK, 0 rows affected (0.009 sec)
|
|
|
MariaDB [test]> insert into t1 (pk,a) values (1,'a'),(2,'b');
|
Query OK, 2 rows affected (0.001 sec)
|
Records: 2 Duplicates: 0 Warnings: 0
|
|
|
MariaDB [test]> replace into t1 (pk) values (1);
|
ERROR 1406 (22001): Data too long for column 'v' at row 1
|
MariaDB [test]> replace into t1 (pk) values (1);
|
Query OK, 1 row affected (0.001 sec)
|
|
|
MariaDB [test]> replace into t1 (pk) values (1);
|
ERROR 2013 (HY000): Lost connection to MySQL server during query
|
|
10.5 5e3d3220bbe344b |
Version: '10.5.9-MariaDB'
|
210210 10:28:14 [ERROR] mysqld got signal 11 ;
|
|
|
??:0(__restore_rt)[0x7f65c90a6730]
|
sql/table.cc:7742(TABLE::move_fields(Field**, unsigned char const*, unsigned char const*))[0x563b20b58748]
|
sql/sql_insert.cc:1871(write_record(THD*, TABLE*, st_copy_info*, select_result*))[0x563b20a627a8]
|
sql/sql_insert.cc:1099(mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*))[0x563b20a68a96]
|
sql/sql_parse.cc:4596(mysql_execute_command(THD*))[0x563b20a9ea44]
|
sql/sql_parse.cc:8079(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x563b20a8fe52]
|
sql/sql_parse.cc:1892(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x563b20a9ace2]
|
sql/sql_parse.cc:1370(do_command(THD*))[0x563b20a9bb9f]
|
sql/sql_connect.cc:1410(do_handle_one_connection(CONNECT*, bool))[0x563b20b84170]
|
sql/sql_connect.cc:1312(handle_one_connection)[0x563b20b8454d]
|
perfschema/pfs.cc:2204(pfs_spawn_thread)[0x563b20eb21bb]
|
nptl/pthread_create.c:487(start_thread)[0x7f65c909bfa3]
|
x86_64/clone.S:97(clone)[0x7f65c86a44cf]
|
|
|
Query (0x7f64c0011de0): REPLACE INTO t1 (pk) VALUES (1)
|
|
10.2 afc5bac49d48b6fd1 |
Version: '10.2.37-MariaDB-debug-log' socket: '/10.2/mysql-test/var/tmp/mysqld.1.sock' port: 16000 Source distribution
|
=================================================================
|
==3356==ERROR: AddressSanitizer: use-after-poison on address 0x619000087c38 at pc 0x55e3ed8021c5 bp 0x7fc7026d8e90 sp 0x7fc7026d8e88
|
READ of size 1 at 0x619000087c38 thread T5
|
#0 0x55e3ed8021c4 in Field::is_null_in_record(unsigned char const*) const /10.2/sql/field.h:1145
|
#1 0x55e3ed98f952 in TABLE::validate_default_values_of_unset_fields(THD*) const /10.2/sql/table.cc:7989
|
#2 0x55e3ed62bd4b in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /10.2/sql/sql_insert.cc:940
|
#3 0x55e3ed695cdb in mysql_execute_command(THD*) /10.2/sql/sql_parse.cc:4194
|
#4 0x55e3ed6b01d7 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.2/sql/sql_parse.cc:7763
|
#5 0x55e3ed686f05 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.2/sql/sql_parse.cc:1827
|
#6 0x55e3ed68392a in do_command(THD*) /10.2/sql/sql_parse.cc:1381
|
#7 0x55e3eda2c0f1 in do_handle_one_connection(CONNECT*) /10.2/sql/sql_connect.cc:1336
|
#8 0x55e3eda2b9b2 in handle_one_connection /10.2/sql/sql_connect.cc:1241
|
#9 0x55e3eeec5821 in pfs_spawn_thread /10.2/storage/perfschema/pfs.cc:1869
|
#10 0x7fc70ce79fa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
|
#11 0x7fc70c7fd4ce in clone (/lib/x86_64-linux-gnu/libc.so.6+0xf94ce)
|
|
|
0x619000087c38 is located 440 bytes inside of 1100-byte region [0x619000087a80,0x619000087ecc)
|
allocated by thread T5 here:
|
#0 0x7fc70cf7c330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
|
#1 0x55e3ef0aa471 in sf_malloc /10.2/mysys/safemalloc.c:118
|
#2 0x55e3ef077a59 in my_malloc /10.2/mysys/my_malloc.c:101
|
#3 0x55e3ef055e63 in alloc_root /10.2/mysys/my_alloc.c:243
|
#4 0x55e3ef0577f3 in memdup_root /10.2/mysys/my_alloc.c:464
|
#5 0x55e3ed95b0c3 in TABLE_SHARE::init_from_binary_frm_image(THD*, bool, unsigned char const*, unsigned long) /10.2/sql/table.cc:1288
|
#6 0x55e3ed95616d in open_table_def(THD*, TABLE_SHARE*, unsigned int) /10.2/sql/table.cc:684
|
#7 0x55e3edbb3d46 in tdc_acquire_share(THD*, TABLE_LIST*, unsigned int, TABLE**) /10.2/sql/table_cache.cc:826
|
#8 0x55e3ed56378b in open_table(THD*, TABLE_LIST*, Open_table_context*) /10.2/sql/sql_base.cc:1797
|
#9 0x55e3ed56c269 in open_and_process_table /10.2/sql/sql_base.cc:3614
|
#10 0x55e3ed56e8d8 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /10.2/sql/sql_base.cc:4081
|
#11 0x55e3ed5728af in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /10.2/sql/sql_base.cc:4880
|
#12 0x55e3ed4e0c34 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /10.2/sql/sql_base.h:507
|
#13 0x55e3ed62a677 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /10.2/sql/sql_insert.cc:758
|
#14 0x55e3ed695cdb in mysql_execute_command(THD*) /10.2/sql/sql_parse.cc:4194
|
#15 0x55e3ed6b01d7 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.2/sql/sql_parse.cc:7763
|
#16 0x55e3ed686f05 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.2/sql/sql_parse.cc:1827
|
#17 0x55e3ed68392a in do_command(THD*) /10.2/sql/sql_parse.cc:1381
|
#18 0x55e3eda2c0f1 in do_handle_one_connection(CONNECT*) /10.2/sql/sql_connect.cc:1336
|
#19 0x55e3eda2b9b2 in handle_one_connection /10.2/sql/sql_connect.cc:1241
|
#20 0x55e3eeec5821 in pfs_spawn_thread /10.2/storage/perfschema/pfs.cc:1869
|
#21 0x7fc70ce79fa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
|
|
|
Thread T5 created by T0 here:
|
#0 0x7fc70cee3db0 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
|
#1 0x55e3eeec5c5d in spawn_thread_v1 /10.2/storage/perfschema/pfs.cc:1919
|
#2 0x55e3ed418494 in inline_mysql_thread_create /10.2/include/mysql/psi/mysql_thread.h:1246
|
#3 0x55e3ed430567 in create_thread_to_handle_connection(CONNECT*) /10.2/sql/mysqld.cc:6573
|
#4 0x55e3ed430cbc in create_new_thread /10.2/sql/mysqld.cc:6643
|
#5 0x55e3ed431e3d in handle_connections_sockets() /10.2/sql/mysqld.cc:6901
|
#6 0x55e3ed42f94a in mysqld_main(int, char**) /10.2/sql/mysqld.cc:6192
|
#7 0x55e3ed416de4 in main /10.2/sql/main.cc:25
|
#8 0x7fc70c72809a in __libc_start_main ../csu/libc-start.c:308
|
A similar ASAN failure with INSERT instead of LOAD:
);--error ER_DATA_TOO_LONG10.2 ceb39761
==3359387==ERROR: AddressSanitizer: use-after-poison on address 0x619000087c38 at pc 0x55bcdb007133 bp 0x7f25317bd350 sp 0x7f25317bd340READ of size 1 at 0x619000087c38 thread T5#0 0x55bcdb007132 in Field::is_null_in_record(unsigned char const*) const /data/src/10.2/sql/field.h:1145#1 0x55bcdb185456 in TABLE::validate_default_values_of_unset_fields(THD*) const /data/src/10.2/sql/table.cc:7989#2 0x55bcdae3cd40 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.2/sql/sql_insert.cc:940#3 0x55bcdaea4495 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4194#4 0x55bcdaebd0ef in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763#5 0x55bcdae96134 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827#6 0x55bcdae92ef3 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381#7 0x55bcdb21b774 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336#8 0x55bcdb21b037 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241#9 0x55bcdc5b74b7 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869#10 0x7f253c51b608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477#11 0x7f253c0f5292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)0x619000087c38 is located 440 bytes inside of 1100-byte region [0x619000087a80,0x619000087ecc)allocated by thread T5 here:#0 0x7f253ca82bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)#1 0x55bcdc6d4012 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118#2 0x55bcdc69ff77 in my_malloc /data/src/10.2/mysys/my_malloc.c:101#3 0x55bcdc67d5e9 in alloc_root /data/src/10.2/mysys/my_alloc.c:243#4 0x55bcdc67f01f in memdup_root /data/src/10.2/mysys/my_alloc.c:464#5 0x55bcdb152442 in TABLE_SHARE::init_from_binary_frm_image(THD*, bool, unsigned char const*, unsigned long) /data/src/10.2/sql/table.cc:1288#6 0x55bcdb14de07 in open_table_def(THD*, TABLE_SHARE*, unsigned int) /data/src/10.2/sql/table.cc:684#7 0x55bcdb39fc45 in tdc_acquire_share(THD*, TABLE_LIST*, unsigned int, TABLE**) /data/src/10.2/sql/table_cache.cc:826#8 0x55bcdad77134 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.2/sql/sql_base.cc:1797#9 0x55bcdad7fc82 in open_and_process_table /data/src/10.2/sql/sql_base.cc:3614#10 0x55bcdad8205c in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:4081#11 0x55bcdad85be2 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:4880#12 0x55bcdacfcdb1 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.2/sql/sql_base.h:507#13 0x55bcdae3babd in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.2/sql/sql_insert.cc:758#14 0x55bcdaea4495 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4194#15 0x55bcdaebd0ef in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763#16 0x55bcdae96134 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827#17 0x55bcdae92ef3 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381#18 0x55bcdb21b774 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336#19 0x55bcdb21b037 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241#20 0x55bcdc5b74b7 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869#21 0x7f253c51b608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477Thread T5 created by T0 here:#0 0x7f253c9af805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)#1 0x55bcdc5b78a8 in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1919#2 0x55bcdac38083 in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1246#3 0x55bcdac4fc54 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6573#4 0x55bcdac503ef in create_new_thread /data/src/10.2/sql/mysqld.cc:6643#5 0x55bcdac51581 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6901#6 0x55bcdac4efa5 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6192#7 0x55bcdac3693c in main /data/src/10.2/sql/main.cc:25#8 0x7f253bffa0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)SUMMARY: AddressSanitizer: use-after-poison /data/src/10.2/sql/field.h:1145 in Field::is_null_in_record(unsigned char const*) constShadow bytes around the buggy address:0x0c3280008f30: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa0x0c3280008f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c3280008f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0c3280008f60: 00 f7 00 00 f7 01 f7 00 00 00 00 00 00 00 00 000x0c3280008f70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00=>0x0c3280008f80: 00 02 f7 00 f7 00 03[f7]01 f7 00 00 00 00 00 000x0c3280008f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0c3280008fa0: 00 f7 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0c3280008fb0: 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 000x0c3280008fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0c3280008fd0: 00 00 00 00 00 00 00 f7 f7 04 fa fa fa fa fa faShadow byte legend (one shadow byte represents 8 application bytes):Addressable: 00Partially addressable: 01 02 03 04 05 06 07Heap left redzone: faFreed heap region: fdStack left redzone: f1Stack mid redzone: f2Stack right redzone: f3Stack after return: f5Stack use after scope: f8Global redzone: f9Global init order: f6Poisoned by user: f7Container overflow: fcArray cookie: acIntra object redzone: bbASan internal: feLeft alloca redzone: caRight alloca redzone: cbShadow gap: cc==3359387==ABORTING