Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-27483

ASAN use-after-poison in Field::set_image / get_column_range_cardinality with utf32

    XMLWordPrintable

Details

    • Bug
    • Status: Open (View Workflow)
    • Major
    • Resolution: Unresolved
    • 10.5, 10.6, 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.7(EOL), 10.8(EOL)
    • 10.5, 10.6
    • Optimizer
    • None

    Description

      SET use_stat_tables=PREFERABLY, optimizer_use_condition_selectivity=4;
      		 
       
      		 
      CREATE TABLE t (f CHAR(255)) CHARACTER SET utf32;
      		 
      INSERT INTO t VALUES ('foo'),('bar');
      		 
      ANALYZE TABLE t PERSISTENT FOR ALL;
      		 
      SELECT * FROM t WHERE f > 'a';
      		 
       
      		 
      # Cleanup
      		 
      DROP TABLE t;

      10.2 b557f263

      		 
      ==1234964==ERROR: AddressSanitizer: use-after-poison on address 0x6210000609a2 at pc 0x7f2157ea0983 bp 0x7f214cc8daf0 sp 0x7f214cc8d2a0
      		 
      READ of size 1020 at 0x6210000609a2 thread T5
      		 
          #0 0x7f2157ea0982 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:806
      		 
          #1 0x55c4ecc9f399 in Field::set_image(unsigned char const*, unsigned int, charset_info_st const*) /data/src/10.2-bug/sql/field.h:1262
      		 
          #2 0x55c4ecc9f49d in Field::set_key_image(unsigned char const*, unsigned int) /data/src/10.2-bug/sql/field.h:1297
      		 
          #3 0x55c4ed4a03b1 in store_key_image_to_rec(Field*, unsigned char*, unsigned int) /data/src/10.2-bug/sql/opt_range.cc:3265
      		 
          #4 0x55c4ecd20b27 in get_column_range_cardinality(Field*, st_key_range*, st_key_range*, unsigned int) /data/src/10.2-bug/sql/sql_statistics.cc:3780
      		 
          #5 0x55c4ed49d92d in records_in_column_ranges /data/src/10.2-bug/sql/opt_range.cc:2869
      		 
          #6 0x55c4ed49f25a in calculate_cond_selectivity_for_table(THD*, TABLE*, Item**) /data/src/10.2-bug/sql/opt_range.cc:3118
      		 
          #7 0x55c4ecc0038c in make_join_statistics /data/src/10.2-bug/sql/sql_select.cc:4523
      		 
          #8 0x55c4ecbe3120 in JOIN::optimize_inner() /data/src/10.2-bug/sql/sql_select.cc:1597
      		 
          #9 0x55c4ecbde46f in JOIN::optimize() /data/src/10.2-bug/sql/sql_select.cc:1127
      		 
          #10 0x55c4ecbf981d in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2-bug/sql/sql_select.cc:3835
      		 
          #11 0x55c4ecbd6943 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2-bug/sql/sql_select.cc:361
      		 
          #12 0x55c4ecb511f5 in execute_sqlcom_select /data/src/10.2-bug/sql/sql_parse.cc:6271
      		 
          #13 0x55c4ecb3e5f3 in mysql_execute_command(THD*) /data/src/10.2-bug/sql/sql_parse.cc:3582
      		 
          #14 0x55c4ecb5a343 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2-bug/sql/sql_parse.cc:7793
      		 
          #15 0x55c4ecb33b4a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2-bug/sql/sql_parse.cc:1827
      		 
          #16 0x55c4ecb309ae in do_command(THD*) /data/src/10.2-bug/sql/sql_parse.cc:1381
      		 
          #17 0x55c4eceab927 in do_handle_one_connection(CONNECT*) /data/src/10.2-bug/sql/sql_connect.cc:1336
      		 
          #18 0x55c4eceab22c in handle_one_connection /data/src/10.2-bug/sql/sql_connect.cc:1241
      		 
          #19 0x55c4ee1ca653 in pfs_spawn_thread /data/src/10.2-bug/storage/perfschema/pfs.cc:1869
      		 
          #20 0x7f2157999ea6 in start_thread nptl/pthread_create.c:477
      		 
          #21 0x7f215759edee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfddee)
      		 
       
      		 
      0x6210000609a2 is located 1186 bytes inside of 4172-byte region [0x621000060500,0x62100006154c)
      		 
      allocated by thread T5 here:
      		 
          #0 0x7f2157f10e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
      		 
          #1 0x55c4ee2e0ed8 in sf_malloc /data/src/10.2-bug/mysys/safemalloc.c:118
      		 
          #2 0x55c4ee2ae817 in my_malloc /data/src/10.2-bug/mysys/my_malloc.c:101
      		 
          #3 0x55c4ee28cc31 in alloc_root /data/src/10.2-bug/mysys/my_alloc.c:243
      		 
          #4 0x55c4ed49ce15 in create_key_parts_for_pseudo_indexes /data/src/10.2-bug/sql/opt_range.cc:2755
      		 
          #5 0x55c4ed49ed02 in calculate_cond_selectivity_for_table(THD*, TABLE*, Item**) /data/src/10.2-bug/sql/opt_range.cc:3071
      		 
          #6 0x55c4ecc0038c in make_join_statistics /data/src/10.2-bug/sql/sql_select.cc:4523
      		 
          #7 0x55c4ecbe3120 in JOIN::optimize_inner() /data/src/10.2-bug/sql/sql_select.cc:1597
      		 
          #8 0x55c4ecbde46f in JOIN::optimize() /data/src/10.2-bug/sql/sql_select.cc:1127
      		 
          #9 0x55c4ecbf981d in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2-bug/sql/sql_select.cc:3835
      		 
          #10 0x55c4ecbd6943 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2-bug/sql/sql_select.cc:361
      		 
          #11 0x55c4ecb511f5 in execute_sqlcom_select /data/src/10.2-bug/sql/sql_parse.cc:6271
      		 
          #12 0x55c4ecb3e5f3 in mysql_execute_command(THD*) /data/src/10.2-bug/sql/sql_parse.cc:3582
      		 
          #13 0x55c4ecb5a343 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2-bug/sql/sql_parse.cc:7793
      		 
          #14 0x55c4ecb33b4a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2-bug/sql/sql_parse.cc:1827
      		 
          #15 0x55c4ecb309ae in do_command(THD*) /data/src/10.2-bug/sql/sql_parse.cc:1381
      		 
          #16 0x55c4eceab927 in do_handle_one_connection(CONNECT*) /data/src/10.2-bug/sql/sql_connect.cc:1336
      		 
          #17 0x55c4eceab22c in handle_one_connection /data/src/10.2-bug/sql/sql_connect.cc:1241
      		 
          #18 0x55c4ee1ca653 in pfs_spawn_thread /data/src/10.2-bug/storage/perfschema/pfs.cc:1869
      		 
          #19 0x7f2157999ea6 in start_thread nptl/pthread_create.c:477
      		 
       
      		 
      Thread T5 created by T0 here:
      		 
          #0 0x7f2157ebc2a2 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:214
      		 
          #1 0x55c4ee1caa40 in spawn_thread_v1 /data/src/10.2-bug/storage/perfschema/pfs.cc:1919
      		 
          #2 0x55c4ec8e3cab in inline_mysql_thread_create /data/src/10.2-bug/include/mysql/psi/mysql_thread.h:1246
      		 
          #3 0x55c4ec8fb0f3 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2-bug/sql/mysqld.cc:6575
      		 
          #4 0x55c4ec8fb853 in create_new_thread /data/src/10.2-bug/sql/mysqld.cc:6645
      		 
          #5 0x55c4ec8fc9ac in handle_connections_sockets() /data/src/10.2-bug/sql/mysqld.cc:6903
      		 
          #6 0x55c4ec8fa4d3 in mysqld_main(int, char**) /data/src/10.2-bug/sql/mysqld.cc:6194
      		 
          #7 0x55c4ec8e25f4 in main /data/src/10.2-bug/sql/main.cc:25
      		 
          #8 0x7f21574c7d09 in __libc_start_main ../csu/libc-start.c:308
      		 
       
      		 
      SUMMARY: AddressSanitizer: use-after-poison ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:806 in __interceptor_memcpy
      		 
      Shadow bytes around the buggy address:
      		 
        0x0c42800040e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      		 
        0x0c42800040f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      		 
        0x0c4280004100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      		 
        0x0c4280004110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      		 
        0x0c4280004120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      		 
      =>0x0c4280004130: 00 00 00 00[02]f7 00 00 00 00 00 00 00 00 00 00
      		 
        0x0c4280004140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      		 
        0x0c4280004150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      		 
        0x0c4280004160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      		 
        0x0c4280004170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      		 
        0x0c4280004180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      		 
      Shadow byte legend (one shadow byte represents 8 application bytes):
      		 
        Addressable:           00
      		 
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
      		 
        Freed heap region:       fd
      		 
        Stack left redzone:      f1
      		 
        Stack mid redzone:       f2
      		 
        Stack right redzone:     f3
      		 
        Stack after return:      f5
      		 
        Stack use after scope:   f8
      		 
        Global redzone:          f9
      		 
        Global init order:       f6
      		 
        Poisoned by user:        f7
      		 
        Container overflow:      fc
      		 
        Array cookie:            ac
      		 
        Intra object redzone:    bb
      		 
        ASan internal:           fe
      		 
        Left alloca redzone:     ca
      		 
        Right alloca redzone:    cb
      		 
        Shadow gap:              cc
      		 
      ==1234964==ABORTING

      Attachments

        1. hist2.test
          29 kB
          Elena Stepanova

        Activity

          People

            psergei Sergei Petrunia
            elenst Elena Stepanova
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.