Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-27427

ASAN use-after-poison in get_full_part_id_from_key upon SELECT from partitioned table

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Open (View Workflow)
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 10.5, 10.6, 10.7
    • Fix Version/s: 10.5, 10.6, 10.7
    • Component/s: Partitioning
    • Labels:
      None

      Description

      --source include/have_partition.inc
       
      CREATE TABLE t (b INT, e BINARY(8), f INT, KEY(f,e,b), KEY(b))
      PARTITION BY HASH(f) PARTITIONS 2;
       
      INSERT INTO t VALUES (1,'foo',10),(2,'bar',20);
       
      SELECT DISTINCT * FROM t WHERE (b = 100 OR f = 1) AND e = '';
       
      # Cleanup
      DROP TABLE t;
      

      10.5 4c3ad244

      ==16134==ERROR: AddressSanitizer: use-after-poison on address 0x621000094eba at pc 0x7f9d8763a480 bp 0x7f9d81a3c970 sp 0x7f9d81a3c118
      READ of size 8 at 0x621000094eba thread T5
          #0 0x7f9d8763a47f  (/lib/x86_64-linux-gnu/libasan.so.5+0x9b47f)
          #1 0x56100412f05a in key_restore(unsigned char*, unsigned char const*, st_key*, unsigned int) /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/key.cc:262
          #2 0x56100432bb30 in get_full_part_id_from_key(TABLE const*, unsigned char*, st_key*, st_key_range const*, part_id_range*) /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/sql_partition.cc:3999
          #3 0x56100432d3aa in get_partition_set(TABLE const*, unsigned char*, unsigned int, st_key_range const*, part_id_range*) /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/sql_partition.cc:4256
          #4 0x56100468168e in ha_partition::partition_scan_set_up(unsigned char*, bool) /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/ha_partition.cc:7239
          #5 0x561004673821 in ha_partition::common_index_read(unsigned char*, bool) /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/ha_partition.cc:5818
          #6 0x561004675c89 in ha_partition::read_range_first(st_key_range const*, st_key_range const*, bool, bool) /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/ha_partition.cc:6154
          #7 0x561004278efe in QUICK_RANGE_SELECT::get_next_prefix(unsigned int, unsigned int, unsigned char*) /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/opt_range.cc:12742
          #8 0x56100428c52e in QUICK_GROUP_MIN_MAX_SELECT::next_prefix() /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/opt_range.cc:15573
          #9 0x56100428ac33 in QUICK_GROUP_MIN_MAX_SELECT::get_next() /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/opt_range.cc:15315
          #10 0x5610042adba5 in rr_quick /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/records.cc:403
          #11 0x5610034a0bfd in READ_RECORD::read_record() /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/records.h:80
          #12 0x5610037ab58c in join_init_read_record(st_join_table*) /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/sql_select.cc:21853
          #13 0x5610037a4666 in sub_select(JOIN*, st_join_table*, bool) /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/sql_select.cc:20885
          #14 0x5610037a274f in do_select /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/sql_select.cc:20420
          #15 0x56100372e09b in JOIN::exec_inner() /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/sql_select.cc:4516
          #16 0x56100372b6a5 in JOIN::exec() /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/sql_select.cc:4296
          #17 0x56100372faea in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/sql_select.cc:4773
          #18 0x561003700fda in handle_select(THD*, LEX*, select_result*, unsigned long) /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/sql_select.cc:444
          #19 0x56100366c3c4 in execute_sqlcom_select /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/sql_parse.cc:6314
          #20 0x56100365b4f6 in mysql_execute_command(THD*) /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/sql_parse.cc:4005
          #21 0x5610036774bd in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/sql_parse.cc:8100
          #22 0x56100364d986 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/sql_parse.cc:1891
          #23 0x56100364a3d6 in do_command(THD*) /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/sql_parse.cc:1370
          #24 0x561003a8564d in do_handle_one_connection(CONNECT*, bool) /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/sql_connect.cc:1418
          #25 0x561003a84e66 in handle_one_connection /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/sql_connect.cc:1312
          #26 0x7f9d87044608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
          #27 0x7f9d86c19292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
       
      0x621000094eba is located 442 bytes inside of 4196-byte region [0x621000094d00,0x621000095d64)
      allocated by thread T5 here:
          #0 0x7f9d876acbc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
          #1 0x5610051d3f26 in sf_malloc /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/mysys/safemalloc.c:121
          #2 0x5610051a4683 in my_malloc /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/mysys/my_malloc.c:90
          #3 0x561005180cac in alloc_root /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/mysys/my_alloc.c:244
          #4 0x561004288398 in QUICK_GROUP_MIN_MAX_SELECT::init() /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/opt_range.cc:14973
          #5 0x5610042871e5 in TRP_GROUP_MIN_MAX::make_quick(PARAM*, bool, st_mem_root*) /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/opt_range.cc:14814
          #6 0x561004236517 in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool, bool) /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/opt_range.cc:3055
          #7 0x5610037301f0 in get_quick_record_count /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/sql_select.cc:4817
          #8 0x5610037370be in make_join_statistics /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/sql_select.cc:5544
          #9 0x561003715b59 in JOIN::optimize_inner() /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/sql_select.cc:2296
          #10 0x56100370f055 in JOIN::optimize() /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/sql_select.cc:1668
          #11 0x56100372f8f5 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/sql_select.cc:4759
          #12 0x561003700fda in handle_select(THD*, LEX*, select_result*, unsigned long) /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/sql_select.cc:444
          #13 0x56100366c3c4 in execute_sqlcom_select /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/sql_parse.cc:6314
          #14 0x56100365b4f6 in mysql_execute_command(THD*) /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/sql_parse.cc:4005
          #15 0x5610036774bd in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/sql_parse.cc:8100
          #16 0x56100364d986 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/sql_parse.cc:1891
          #17 0x56100364a3d6 in do_command(THD*) /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/sql_parse.cc:1370
          #18 0x561003a8564d in do_handle_one_connection(CONNECT*, bool) /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/sql_connect.cc:1418
          #19 0x561003a84e66 in handle_one_connection /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/sql_connect.cc:1312
          #20 0x7f9d87044608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
       
      Thread T5 created by T0 here:
          #0 0x7f9d875d9805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
          #1 0x561003360bff in create_thread_to_handle_connection(CONNECT*) /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/mysqld.cc:6012
          #2 0x56100336127e in create_new_thread(CONNECT*) /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/mysqld.cc:6071
          #3 0x5610033615db in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/mysqld.cc:6136
          #4 0x561003362200 in handle_connections_sockets() /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/mysqld.cc:6263
          #5 0x561003360430 in mysqld_main(int, char**) /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/mysqld.cc:5658
          #6 0x56100334e05c in main /home/jenkins/workspace/sandbox-elenst/Reproduce/buildtype/ASAN/node/ubuntu-2004-amd64-build/version/10.5/src/sql/main.cc:25
          #7 0x7f9d86b1e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
       
      SUMMARY: AddressSanitizer: use-after-poison (/lib/x86_64-linux-gnu/libasan.so.5+0x9b47f) 
      Shadow bytes around the buggy address:
        0x0c428000a980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c428000a990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c428000a9a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c428000a9b0: 00 00 00 00 f7 00 00 04 f7 00 00 04 f7 00 00 00
        0x0c428000a9c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 04 f7
      =>0x0c428000a9d0: 00 00 00 00 00 f7 00[02]f7 00 02 f7 00 00 00 00
        0x0c428000a9e0: 00 00 00 00 00 00 00 00 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c428000a9f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c428000aa00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c428000aa10: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c428000aa20: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==16134==ABORTING
      220105 18:48:56 [ERROR] mysqld got signal 6 ;
      This could be because you hit a bug. It is also possible that this binary
      or one of the libraries it was linked against is corrupt, improperly built,
      or misconfigured. This error can also be caused by malfunctioning hardware.
       
      To report this bug, see https://mariadb.com/kb/en/reporting-bugs
       
      We will try our best to scrape up some info that will hopefully help
      diagnose the problem, but since we have already crashed, 
      something is definitely wrong and this may fail.
       
      Server version: 10.5.14-MariaDB-debug-log
      key_buffer_size=1048576
      read_buffer_size=131072
      max_used_connections=1
      max_threads=153
      thread_count=1
      It is possible that mysqld could use up to 
      key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 63676 K  bytes of memory
      Hope that's ok; if not, decrease some variables in the equation.
       
      Thread pointer: 0x62b00005b288
      Attempting backtrace. You can use the following information to find out
      where mysqld died. If you see no messages after this, something went
      terribly wrong...
      stack_bottom = 0x7f9d81a3fd20 thread_stack 0x100000
      ??:0(__interceptor_tcgetattr)[0x7f9d8760bd30]
      mysys/stacktrace.c:212(my_print_stacktrace)[0x5610051b3e6e]
      sql/signal_handler.cc:225(handle_fatal_signal)[0x561003e47567]
      sigaction.c:0(__restore_rt)[0x7f9d870503c0]
      ??:0(gsignal)[0x7f9d86b3d18b]
      ??:0(abort)[0x7f9d86b1c859]
      ??:0(__sanitizer_set_report_fd)[0x7f9d876ca6a2]
      ??:0(__sanitizer_get_module_and_offset_for_pc)[0x7f9d876d524c]
      ??:0(__sanitizer_ptr_cmp)[0x7f9d876b68ec]
      ??:0(__asan_on_error)[0x7f9d876b6363]
      ??:0(__interceptor_getdelim)[0x7f9d8763a49f]
      sql/key.cc:191(key_restore(unsigned char*, unsigned char const*, st_key*, unsigned int))[0x56100412f05b]
      sql/sql_partition.cc:4000(get_full_part_id_from_key(TABLE const*, unsigned char*, st_key*, st_key_range const*, part_id_range*))[0x56100432bb31]
      sql/sql_partition.cc:4257(get_partition_set(TABLE const*, unsigned char*, unsigned int, st_key_range const*, part_id_range*))[0x56100432d3ab]
      sql/ha_partition.cc:7239(ha_partition::partition_scan_set_up(unsigned char*, bool))[0x56100468168f]
      sql/ha_partition.cc:5818(ha_partition::common_index_read(unsigned char*, bool))[0x561004673822]
      sql/ha_partition.cc:6154(ha_partition::read_range_first(st_key_range const*, st_key_range const*, bool, bool))[0x561004675c8a]
      sql/opt_range.cc:12742(QUICK_RANGE_SELECT::get_next_prefix(unsigned int, unsigned int, unsigned char*))[0x561004278eff]
      sql/opt_range.cc:15573(QUICK_GROUP_MIN_MAX_SELECT::next_prefix())[0x56100428c52f]
      sql/opt_range.cc:15315(QUICK_GROUP_MIN_MAX_SELECT::get_next())[0x56100428ac34]
      sql/records.cc:403(rr_quick(READ_RECORD*))[0x5610042adba6]
      sql/records.h:80(READ_RECORD::read_record())[0x5610034a0bfe]
      sql/sql_select.cc:21853(join_init_read_record(st_join_table*))[0x5610037ab58d]
      sql/sql_select.cc:20885(sub_select(JOIN*, st_join_table*, bool))[0x5610037a4667]
      sql/sql_select.cc:20420(do_select(JOIN*, Procedure*))[0x5610037a2750]
      sql/sql_select.cc:4516(JOIN::exec_inner())[0x56100372e09c]
      sql/sql_select.cc:4297(JOIN::exec())[0x56100372b6a6]
      sql/sql_select.cc:4775(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x56100372faeb]
      sql/sql_select.cc:444(handle_select(THD*, LEX*, select_result*, unsigned long))[0x561003700fdb]
      sql/sql_parse.cc:6314(execute_sqlcom_select(THD*, TABLE_LIST*))[0x56100366c3c5]
      sql/sql_parse.cc:4005(mysql_execute_command(THD*))[0x56100365b4f7]
      sql/sql_parse.cc:8100(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x5610036774be]
      sql/sql_parse.cc:1894(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x56100364d987]
      sql/sql_parse.cc:1370(do_command(THD*))[0x56100364a3d7]
      sql/sql_connect.cc:1418(do_handle_one_connection(CONNECT*, bool))[0x561003a8564e]
      sql/sql_connect.cc:1314(handle_one_connection)[0x561003a84e67]
      nptl/pthread_create.c:478(start_thread)[0x7f9d87044609]
      ??:0(clone)[0x7f9d86c19293]
       
      Trying to get some variables.
      Some pointers may be invalid and cause the dump to abort.
      Query (0x62b0000622a8): SELECT DISTINCT * FROM t WHERE (b = 100 OR f = 1) AND e = ''
       
      Connection ID (thread ID): 4
      Status: NOT_KILLED
      

      Reproducible with at least InnoDB, MyISAM, Aria.
      Reproducible on 10.5+, including older 10.5 versions.
      Not reproducible on 10.4.
      No obvious immediate problem with a non-ASAN build.

        Attachments

          Activity

            People

            Assignee:
            nayuta-yanagisawa Nayuta Yanagisawa
            Reporter:
            elenst Elena Stepanova
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:

                Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.