MariaDB Server
MDEV-25033

ASAN heap-buffer-overflow around row_sel_store_mysql_field_func

    Description

      origin/bb-10.2-thiru 2ad72312560cdbc7136c749a775a32871b6c23bb 2021-03-01T21:18:30+05:30
       
      Query (0x62b00000e228): DELETE LOW_PRIORITY FROM `table0_innodb_int_autoinc` WHERE `col_char_12_key` = 3 ORDER BY `col_char_12`,`col_char_12_key`,`col_int`,`col_int_key`,`pk` LIMIT 2
      Status: KILL_TIMEOUT
       
      # 2021-03-02T06:40:26 [3061468] | [rr 3064696 211279][rr 3064696 211283]==3064696==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62700008f6f5 at pc 0x7ff284005480 bp 0x7ff25786f110 sp 0x7ff25786e8b8
      # 2021-03-02T06:40:26 [3061468] | [rr 3064696 211286][rr 3064696 211288]READ of size 13685 at 0x62700008f6f5 thread T33
      # 2021-03-02T06:40:26 [3061468] | [rr 3064696 216456]    #0 0x7ff28400547f  (/lib/x86_64-linux-gnu/libasan.so.5+0x9b47f)
      # 2021-03-02T06:40:26 [3061468] | [rr 3064696 216490]    #1 0x563bd1dba90e in row_sel_store_mysql_field_func /Server/bb-10.2-thiru/storage/innobase/row/row0sel.cc:3077
      # 2021-03-02T06:40:26 [3061468] | [rr 3064696 216492]    #2 0x563bd1dbba6e in row_sel_store_mysql_rec /Server/bb-10.2-thiru/storage/innobase/row/row0sel.cc:3245
      # 2021-03-02T06:40:26 [3061468] | [rr 3064696 216500]    #3 0x563bd1dc8565 in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /Server/bb-10.2-thiru/storage/innobase/row/row0sel.cc:5623
      # 2021-03-02T06:40:26 [3061468] | [rr 3064696 216542]    #4 0x563bd1aac919 in ha_innobase::index_read(unsigned char*, unsigned char const*, unsigned int, ha_rkey_function) /Server/bb-10.2-thiru/storage/innobase/handler/ha_innodb.cc:9392
      # 2021-03-02T06:40:26 [3061468] | [rr 3064696 216544]    #5 0x563bd1aaf518 in ha_innobase::index_first(unsigned char*) /Server/bb-10.2-thiru/storage/innobase/handler/ha_innodb.cc:9769
      # 2021-03-02T06:40:26 [3061468] | [rr 3064696 216546]    #6 0x563bd1aaf891 in ha_innobase::rnd_next(unsigned char*) /Server/bb-10.2-thiru/storage/innobase/handler/ha_innodb.cc:9862
      # 2021-03-02T06:40:26 [3061468] | [rr 3064696 216578]    #7 0x563bd15da78f in handler::ha_rnd_next(unsigned char*) /Server/bb-10.2-thiru/sql/handler.cc:2669
      # 2021-03-02T06:40:26 [3061468] | [rr 3064696 216586]    #8 0x563bd15bf925 in find_all_keys /Server/bb-10.2-thiru/sql/filesort.cc:798
      # 2021-03-02T06:40:26 [3061468] | [rr 3064696 216592]    #9 0x563bd15bc1e3 in filesort(THD*, TABLE*, Filesort*, Filesort_tracker*, JOIN*, unsigned long long) /Server/bb-10.2-thiru/sql/filesort.cc:275
      # 2021-03-02T06:40:26 [3061468] | [rr 3064696 216604]    #10 0x563bd198f1c2 in mysql_delete(THD*, TABLE_LIST*, Item*, SQL_I_List<st_order>*, unsigned long long, unsigned long long, select_result*) /Server/bb-10.2-thiru/sql/sql_delete.cc:503
      # 2021-03-02T06:40:26 [3061468] | [rr 3064696 216620]    #11 0x563bd10089fb in mysql_execute_command(THD*) /Server/bb-10.2-thiru/sql/sql_parse.cc:4424
      # 2021-03-02T06:40:26 [3061468] | [rr 3064696 216622]    #12 0x563bd101e4df in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /Server/bb-10.2-thiru/sql/sql_parse.cc:7790
      # 2021-03-02T06:40:26 [3061468] | [rr 3064696 216624]    #13 0x563bd0ff9242 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /Server/bb-10.2-thiru/sql/sql_parse.cc:1827
      # 2021-03-02T06:40:26 [3061468] | [rr 3064696 216626]    #14 0x563bd0ff6672 in do_command(THD*) /Server/bb-10.2-thiru/sql/sql_parse.cc:1381
      # 2021-03-02T06:40:26 [3061468] | [rr 3064696 216632]    #15 0x563bd132f0a0 in do_handle_one_connection(CONNECT*) /Server/bb-10.2-thiru/sql/sql_connect.cc:1336
      # 2021-03-02T06:40:26 [3061468] | [rr 3064696 216634]    #16 0x563bd132e963 in handle_one_connection /Server/bb-10.2-thiru/sql/sql_connect.cc:1241
      # 2021-03-02T06:40:26 [3061468] | [rr 3064696 216642]    #17 0x7ff283c41608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
      # 2021-03-02T06:40:26 [3061468] | [rr 3064696 216644]    #18 0x7ff28381d292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
       
      sdp:/home/mleich/RQG_O/storage/1614683207/TBR-922/dev/shm/vardir/1614683207/146/1/rr
      _RR_TRACE_DIR="." rr replay --mark-stdio
       
      RQG
      ===
      git clone https://github.com/mleich1/rqg --branch experimental RQG
       
      perl rqg.pl \
      --gendata=conf/engines/engine_stress.zz \
      --views \
      --grammar=conf/engines/engine_stress.yy \
      --redefine=conf/mariadb/alter_table.yy \
      --redefine=conf/mariadb/instant_add.yy \
      --redefine=conf/mariadb/modules/alter_table_columns.yy \
      --redefine=conf/mariadb/bulk_insert.yy \
      --redefine=conf/mariadb/modules/foreign_keys.yy \
      --redefine=conf/mariadb/modules/locks.yy \
      --redefine=conf/mariadb/modules/sql_mode.yy \
      --redefine=conf/mariadb/versioning.yy \
      --redefine=conf/mariadb/sequences.yy \
      --redefine=conf/mariadb/modules/locks-10.4-extra.yy \
      --mysqld=--innodb_use_native_aio=1 \
      --mysqld=--innodb_lock_schedule_algorithm=fcfs \
      --mysqld=--loose-idle_write_transaction_timeout=0 \
      --mysqld=--loose-idle_transaction_timeout=0 \
      --mysqld=--loose-idle_readonly_transaction_timeout=0 \
      --mysqld=--connect_timeout=60 \
      --mysqld=--interactive_timeout=28800 \
      --mysqld=--slave_net_timeout=60 \
      --mysqld=--net_read_timeout=30 \
      --mysqld=--net_write_timeout=60 \
      --mysqld=--loose-table_lock_wait_timeout=50 \
      --mysqld=--wait_timeout=28800 \
      --mysqld=--lock-wait-timeout=86400 \
      --mysqld=--innodb-lock-wait-timeout=50 \
      --no-mask \
      --queries=10000000 \
      --seed=random \
      --reporters=Backtrace \
      --reporters=ErrorLog \
      --reporters=Deadlock1 \
      --validators=None \
      --mysqld=--log_output=none \
      --mysqld=--log-bin \
      --mysqld=--log_bin_trust_function_creators=1 \
      --mysqld=--loose-debug_assert_on_not_freed_memory=0 \
      --engine=InnoDB \
      --mysqld=--plugin-load-add=file_key_management.so \
      --mysqld=--loose-file-key-management-filename=$RQG_HOMR/conf/mariadb/encryption_keys.txt \
      --duration=300 \
      --mysqld=--loose-innodb_fatal_semaphore_wait_threshold=300 \
      --mysqld=--loose-innodb-sync-debug \
      --mysqld=--innodb_stats_persistent=off \
      --mysqld=--innodb_adaptive_hash_index=off \
      --mysqld=--loose-max-statement-time=30 \
      --threads=1 \
      --rr=Extended \
      --mysqld=--innodb_page_size=16K \
      --mysqld=--innodb-buffer-pool-size=8M \
      --duration=300 \
      --no_mask \
      --workdir=<local settings> \
      --vardir=<local settings> \
      --mtr-build-thread=<local settings> \
      --basedir1=<local settings> \
      --script_debug=_nix_
      

          People

            sanja Oleksandr Byelkin
            mleich Matthias Leich