MDEV-27309: Server crash or ASAN memcpy-param-overlap upon INSERT into Aria/MyISAM table with DESC key

Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: N/A
    • Fix Version/s: 10.8.1
    • Component/s: Server
    • Labels: None
    • Environment: preview-10.8-MDEV-13756-desc-indexes d6fa6e0a

    Description

      Hopefully it has the same root cause and will be fixed together with MDEV-27303, but I'm not entirely sure

      CREATE TABLE t1 (id INT, c BINARY(80), PRIMARY KEY(id)) ENGINE=Aria;
      ALTER  TABLE t1 ADD KEY(c DESC, id);
      INSERT INTO t1 VALUES (1,NULL),(2,''),(3,'');
       
      # Cleanup
      DROP TABLE t1;
      

      preview-10.8-MDEV-13756-desc-indexes d6fa6e0a

      ==226322==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x7fe8749ea687,0x7fe8749fa683) and [0x7fe8749eb4af, 0x7fe8749fb4ab) overlap
          #0 0x87ef14 in __asan_memcpy (/mnt-hd8t/bld/10.8-desc-indexes-asan/bin/mariadbd+0x87ef14)
          #1 0x225fdac in _ma_get_pack_key /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/maria/ma_search.c:1098:2
          #2 0x225727b in _ma_seq_search /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/maria/ma_search.c:389:12
          #3 0x2322cd6 in w_search /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/maria/ma_write.c:646:9
          #4 0x2321fb3 in _ma_ck_real_write_btree /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/maria/ma_write.c:532:15
          #5 0x233a0f8 in _ma_ck_write_btree_with_log /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/maria/ma_write.c:498:10
          #6 0x2321b85 in _ma_ck_write_btree /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/maria/ma_write.c:456:10
          #7 0x232121d in _ma_ck_write /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/maria/ma_write.c:441:3
          #8 0x231e30b in maria_write /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/maria/ma_write.c:189:16
          #9 0x211c2c9 in ha_maria::write_row(unsigned char const*) /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/maria/ha_maria.cc:1271:10
          #10 0x19f79cc in handler::ha_write_row(unsigned char const*) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/handler.cc:7516:3
          #11 0xcf54f3 in write_record(THD*, TABLE*, st_copy_info*, select_result*) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/sql_insert.cc:2156:12
          #12 0xce7baa in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/sql_insert.cc:1127:14
          #13 0xdfee33 in mysql_execute_command(THD*, bool) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/sql_parse.cc:4563:10
          #14 0xde008a in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/sql_parse.cc:8028:18
          #15 0xdd8dcb in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/sql_parse.cc:1894:7
          #16 0xde2da5 in do_command(THD*, bool) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/sql_parse.cc:1402:17
          #17 0x140e6f5 in do_handle_one_connection(CONNECT*, bool) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/sql_connect.cc:1418:11
          #18 0x140dd23 in handle_one_connection /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/sql_connect.cc:1312:5
          #19 0x24eddf7 in pfs_spawn_thread /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/perfschema/pfs.cc:2201:3
          #20 0x7fe87e134608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
          #21 0x7fe87de4b292 in clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
       
      Address 0x7fe8749ea687 is located in stack of thread T5 at offset 71 in frame
          #0 0x2256b2f in _ma_seq_search /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/maria/ma_search.c:367
       
        This frame has 5 object(s):
          [32, 40) 'not_used' (line 369)
          [64, 2579) 't_buff' (line 370) <== Memory access at offset 71 partially overflows this variable
          [2720, 2728) 'page' (line 371) <== Memory access at offset 71 partially underflows this variable
          [2752, 2784) 'tmp_key' (line 374) <== Memory access at offset 71 partially underflows this variable
          [2816, 2848) '_db_stack_frame_' (line 375) <== Memory access at offset 71 partially underflows this variable
      HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
            (longjmp and C++ exceptions *are* supported)
      Thread T5 created by T0 here:
          #0 0x86a97a in pthread_create (/mnt-hd8t/bld/10.8-desc-indexes-asan/bin/mariadbd+0x86a97a)
          #1 0x24ee48c in my_thread_create(unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/perfschema/my_thread.h:48:10
          #2 0x24ee416 in pfs_spawn_thread_v1 /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/perfschema/pfs.cc:2252:15
          #3 0x8b8e52 in inline_mysql_thread_create(unsigned int, unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /data/src/preview-10.8-MDEV-13756-desc-indexes/include/mysql/psi/mysql_thread.h:1139:11
          #4 0x8c9354 in create_thread_to_handle_connection(CONNECT*) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/mysqld.cc:5965:19
          #5 0x8c9c83 in create_new_thread(CONNECT*) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/mysqld.cc:6024:3
          #6 0x8ca386 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/mysqld.cc:6086:5
          #7 0x8c8122 in handle_connections_sockets() /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/mysqld.cc:6210:9
          #8 0x8bcd2a in mysqld_main(int, char**) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/mysqld.cc:5860:3
          #9 0x8b1c41 in main /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/main.cc:34:10
          #10 0x7fe87dd500b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
       
      Address 0x7fe8749eb4af is located in stack of thread T5 at offset 3695 in frame
          #0 0x2256b2f in _ma_seq_search /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/maria/ma_search.c:367
       
        This frame has 5 object(s):
          [32, 40) 'not_used' (line 369)
          [64, 2579) 't_buff' (line 370)
          [2720, 2728) 'page' (line 371)
          [2752, 2784) 'tmp_key' (line 374)
          [2816, 2848) '_db_stack_frame_' (line 375) <== Memory access at offset 3695 overflows this variable
      HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
            (longjmp and C++ exceptions *are* supported)
      SUMMARY: AddressSanitizer: memcpy-param-overlap (/mnt-hd8t/bld/10.8-desc-indexes-asan/bin/mariadbd+0x87ef14) in __asan_memcpy
      

      Same but with MyISAM:

      ==226682==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x7f57cc655ec7,0x7f57cc665ec3) and [0x7f57cc656741, 0x7f57cc66673d) overlap
          #0 0x87ef14 in __asan_memcpy (/mnt-hd8t/bld/10.8-desc-indexes-asan/bin/mariadbd+0x87ef14)
          #1 0x33e5a07 in _mi_get_pack_key /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/myisam/mi_search.c:857:2
          #2 0x33deb05 in _mi_seq_search /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/myisam/mi_search.c:264:12
          #3 0x3404268 in w_search /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/myisam/mi_write.c:359:8
          #4 0x3403b68 in _mi_ck_real_write_btree /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/myisam/mi_write.c:299:14
          #5 0x34036d5 in _mi_ck_write_btree /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/myisam/mi_write.c:279:9
          #6 0x3402e5f in _mi_ck_write /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/myisam/mi_write.c:250:5
          #7 0x3400fe7 in mi_write /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/myisam/mi_write.c:125:13
          #8 0x32db8e9 in ha_myisam::write_row(unsigned char const*) /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/myisam/ha_myisam.cc:954:10
          #9 0x19f79cc in handler::ha_write_row(unsigned char const*) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/handler.cc:7516:3
          #10 0xcf54f3 in write_record(THD*, TABLE*, st_copy_info*, select_result*) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/sql_insert.cc:2156:12
          #11 0xce7baa in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/sql_insert.cc:1127:14
          #12 0xdfee33 in mysql_execute_command(THD*, bool) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/sql_parse.cc:4563:10
          #13 0xde008a in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/sql_parse.cc:8028:18
          #14 0xdd8dcb in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/sql_parse.cc:1894:7
          #15 0xde2da5 in do_command(THD*, bool) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/sql_parse.cc:1402:17
          #16 0x140e6f5 in do_handle_one_connection(CONNECT*, bool) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/sql_connect.cc:1418:11
          #17 0x140dd23 in handle_one_connection /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/sql_connect.cc:1312:5
          #18 0x24eddf7 in pfs_spawn_thread /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/perfschema/pfs.cc:2201:3
          #19 0x7f57d5d92608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
          #20 0x7f57d5aa9292 in clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
       
      Address 0x7f57cc655ec7 is located in stack of thread T5 at offset 103 in frame
          #0 0x33de43f in _mi_seq_search /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/myisam/mi_search.c:251
       
        This frame has 4 object(s):
          [32, 40) 'page.addr'
          [64, 72) 'not_used' (line 253)
          [96, 1304) 't_buff' (line 254) <== Memory access at offset 103 partially overflows this variable
          [1440, 1472) '_db_stack_frame_' (line 255) <== Memory access at offset 103 partially underflows this variable
      HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
            (longjmp and C++ exceptions *are* supported)
      Thread T5 created by T0 here:
          #0 0x86a97a in pthread_create (/mnt-hd8t/bld/10.8-desc-indexes-asan/bin/mariadbd+0x86a97a)
          #1 0x24ee48c in my_thread_create(unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/perfschema/my_thread.h:48:10
          #2 0x24ee416 in pfs_spawn_thread_v1 /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/perfschema/pfs.cc:2252:15
          #3 0x8b8e52 in inline_mysql_thread_create(unsigned int, unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /data/src/preview-10.8-MDEV-13756-desc-indexes/include/mysql/psi/mysql_thread.h:1139:11
          #4 0x8c9354 in create_thread_to_handle_connection(CONNECT*) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/mysqld.cc:5965:19
          #5 0x8c9c83 in create_new_thread(CONNECT*) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/mysqld.cc:6024:3
          #6 0x8ca386 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/mysqld.cc:6086:5
          #7 0x8c8122 in handle_connections_sockets() /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/mysqld.cc:6210:9
          #8 0x8bcd2a in mysqld_main(int, char**) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/mysqld.cc:5860:3
          #9 0x8b1c41 in main /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/main.cc:34:10
          #10 0x7f57d59ae0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
       
      Address 0x7f57cc656741 is located in stack of thread T5 at offset 2273 in frame
          #0 0x33de43f in _mi_seq_search /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/myisam/mi_search.c:251
       
        This frame has 4 object(s):
          [32, 40) 'page.addr'
          [64, 72) 'not_used' (line 253)
          [96, 1304) 't_buff' (line 254)
          [1440, 1472) '_db_stack_frame_' (line 255) <== Memory access at offset 2273 overflows this variable
      HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
            (longjmp and C++ exceptions *are* supported)
      SUMMARY: AddressSanitizer: memcpy-param-overlap (/mnt-hd8t/bld/10.8-desc-indexes-asan/bin/mariadbd+0x87ef14) in __asan_memcpy
      

      Non-ASAN builds (debug and non-debug) crash, usually with half-baked stack traces.
      InnoDB seems all right.
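The sanitizer reports above say that a single memcpy in _ma_get_pack_key / _mi_get_pack_key was handed a source and a destination that overlap, both inside the stack buffer t_buff of the calling search function. Two things are worth reading off the report itself: the two ranges in the Aria trace, [0x7fe8749ea687, 0x7fe8749fa683) and [0x7fe8749eb4af, 0x7fe8749fb4ab), each span 0xfffc = 65532 bytes, while t_buff in that frame is only 2515 bytes ([64, 2579)), so the copy also runs far past the buffer, which is why non-ASAN builds simply crash. The C program below is an added illustration, not part of this report or of MariaDB's code: it implements the same half-open interval overlap test ASAN applies to memcpy's parameters, applies it to the two ranges quoted in the Aria trace, and shows a constructed in-place shift inside a stack buffer that would trip the same check. The function names ranges_overlap, copy_key_bytes, demo_in_place_shift, asan_report_overlaps and asan_report_copy_len, and the 64-byte sample buffer, are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not MariaDB code. Two half-open byte ranges [a, a+alen)
   and [b, b+blen) overlap exactly when each one starts before the other
   ends. This is the interval test AddressSanitizer applies to memcpy's
   source and destination before raising memcpy-param-overlap. */
static int ranges_overlap(uintptr_t a, size_t alen, uintptr_t b, size_t blen)
{
    return a < b + blen && b < a + alen;
}

/* Copy that tolerates overlap. memcpy's contract forbids overlapping
   arguments (undefined behaviour, and the sanitizer treats it as an
   error); memmove's does not. Returns 1 when overlap was detected so a
   caller can log or assert on it during testing. */
static int copy_key_bytes(unsigned char *dst, const unsigned char *src, size_t len)
{
    int overlapped = ranges_overlap((uintptr_t)dst, len, (uintptr_t)src, len);
    memmove(dst, src, len);
    return overlapped;
}

/* Constructed stand-in for the shape of the report: a key held in a
   stack buffer (like t_buff in _ma_seq_search) is copied to a position a
   few bytes further along in the same buffer, so the ranges overlap.
   Returns 1 if overlap was detected and the data survived intact,
   -1 if the data was corrupted. */
static int demo_in_place_shift(void)
{
    unsigned char buf[64];
    for (int i = 0; i < 64; i++)
        buf[i] = (unsigned char)i;

    /* shift bytes 0..31 to positions 8..39: source and destination share 24 bytes */
    int overlapped = copy_key_bytes(buf + 8, buf, 32);

    /* memmove handles the overlap, so buf[8+i] must still equal i */
    for (int i = 0; i < 32; i++)
        if (buf[8 + i] != (unsigned char)i)
            return -1;
    return overlapped;
}

/* The two ranges from the Aria sanitizer report, taken as plain numbers. */
static const uintptr_t asan_a     = (uintptr_t)0x7fe8749ea687ULL;
static const uintptr_t asan_a_end = (uintptr_t)0x7fe8749fa683ULL;
static const uintptr_t asan_b     = (uintptr_t)0x7fe8749eb4afULL;
static const uintptr_t asan_b_end = (uintptr_t)0x7fe8749fb4abULL;

/* 1 if the reported ranges overlap under the same test ASAN uses. */
static int asan_report_overlaps(void)
{
    return ranges_overlap(asan_a, asan_a_end - asan_a, asan_b, asan_b_end - asan_b);
}

/* Length of the reported copy: 0x7fe8749fa683 - 0x7fe8749ea687 = 0xfffc bytes,
   far more than the 2515-byte t_buff listed in the frame. */
static size_t asan_report_copy_len(void)
{
    return (size_t)(asan_a_end - asan_a);
}

int main(void)
{
    printf("reported ranges overlap: %d\n", asan_report_overlaps());
    printf("reported copy length: %zu bytes\n", asan_report_copy_len());
    printf("in-place shift detected overlap: %d\n", demo_in_place_shift());
    return 0;
}
```

Building this with -fsanitize=address and replacing the memmove in copy_key_bytes by memcpy reproduces a memcpy-param-overlap report of the same form as the ones above, which is a cheap way to confirm that a sanitizer build is actually instrumenting the copy routines you care about.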

People

    Assignee: serg Sergei Golubchik
    Reporter: elenst Elena Stepanova