[MDEV-28345] ASAN: use-after-poison or unknown-crash in my_strtod_int from charset_info_st::strntod or test_if_number - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL), 11.1(EOL), 11.2(EOL), 11.4, 11.5(EOL)
Fix Version/s: 10.5.26, 10.6.19, 10.11.9, 11.1.6, 11.2.5, 11.4.3, 11.5.2, 11.6.0
Component/s: Data types
Labels:

Description

Possibly related to ~~MDEV-18414~~ or ~~MDEV-25439~~ though there are significant differences.

CREATE TABLE t (c BLOB) ENGINE=InnoDB;

INSERT INTO t VALUES ('0.0e'),('0.0e+0');

SELECT * FROM t WHERE COALESCE(c)=0.0;

Leads to:

10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Optimized)

==2353529==ERROR: AddressSanitizer: use-after-poison on address 0x6290000a528e at pc 0x557084c2e7f0 bp 0x145fcffbb450 sp 0x145fcffbb440

SUMMARY: AddressSanitizer: use-after-poison /test/10.9_opt_san/strings/dtoa.c:1476 in my_strtod_int

Full stack from error log:

10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Debug, UBASAN)
==2353506==ERROR: AddressSanitizer: use-after-poison on address 0x6290001272a6 at pc 0x55bd77a308d6 bp 0x14a6d6226560 sp 0x14a6d6226550
READ of size 1 at 0x6290001272a6 thread T14
#0 0x55bd77a308d5 in my_strtod_int /test/10.9_dbg_san/strings/dtoa.c:1476
#1 0x55bd77a308d5 in my_strtod /test/10.9_dbg_san/strings/dtoa.c:469
#2 0x55bd7792e0b8 in my_strntod_8bit /test/10.9_dbg_san/strings/ctype-simple.c:801
#3 0x55bd74f792df in charset_info_st::strntod(char, unsigned long, char, int) const /test/10.9_dbg_san/include/m_ctype.h:788
#4 0x55bd74f792df in Value_source::Converter_strntod::Converter_strntod(charset_info_st const, char const, unsigned long) /test/10.9_dbg_san/sql/field.h:210
#5 0x55bd74f792df in Value_source::Converter_strntod_with_warn::Converter_strntod_with_warn(THD, Value_source::Warn_filter, charset_info_st const, char const*, unsigned long) /test/10.9_dbg_san/sql/field.h:281
#6 0x55bd74f792df in Value_source::double_from_string_with_check(charset_info_st const, char const, char const*) const /test/10.9_dbg_san/sql/field.h:350
#7 0x55bd74f792df in Value_source::double_from_string_with_check(String const*) const /test/10.9_dbg_san/sql/field.h:381
#8 0x55bd74f792df in Item_func_hybrid_field_type::val_real_from_str_op() /test/10.9_dbg_san/sql/item_func.cc:939
#9 0x55bd7401b82d in Type_handler_string_result::Item_func_hybrid_field_type_val_real(Item_func_hybrid_field_type*) const /test/10.9_dbg_san/sql/sql_type.cc:5628
#10 0x55bd72fbf76c in Item_func_hybrid_field_type::val_real() /test/10.9_dbg_san/sql/item_func.h:899
#11 0x55bd74bd9843 in Arg_comparator::compare_real() /test/10.9_dbg_san/sql/item_cmpfunc.cc:831
#12 0x55bd74bd30f3 in Arg_comparator::compare() /test/10.9_dbg_san/sql/item_cmpfunc.h:103
#13 0x55bd74bd30f3 in Item_func_eq::val_int() /test/10.9_dbg_san/sql/item_cmpfunc.cc:1762
#14 0x55bd73286d23 in evaluate_join_record /test/10.9_dbg_san/sql/sql_select.cc:21193
#15 0x55bd7332b7dc in sub_select(JOIN, st_join_table, bool) /test/10.9_dbg_san/sql/sql_select.cc:21134
#16 0x55bd734fd362 in do_select /test/10.9_dbg_san/sql/sql_select.cc:20640
#17 0x55bd734fd362 in JOIN::exec_inner() /test/10.9_dbg_san/sql/sql_select.cc:4749
#18 0x55bd734fec94 in JOIN::exec() /test/10.9_dbg_san/sql/sql_select.cc:4527
#19 0x55bd734ee58b in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/10.9_dbg_san/sql/sql_select.cc:5007
#20 0x55bd734efef0 in handle_select(THD, LEX, select_result*, unsigned long) /test/10.9_dbg_san/sql/sql_select.cc:543
#21 0x55bd7305cfc2 in execute_sqlcom_select /test/10.9_dbg_san/sql/sql_parse.cc:6268
#22 0x55bd730c2216 in mysql_execute_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:3959
#23 0x55bd73024728 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/10.9_dbg_san/sql/sql_parse.cc:8043
#24 0x55bd7309a44e in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1910
#25 0x55bd730b0fa9 in do_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1407
#26 0x55bd73b7dc4b in do_handle_one_connection(CONNECT*, bool) /test/10.9_dbg_san/sql/sql_connect.cc:1418
#27 0x55bd73b80ae5 in handle_one_connection /test/10.9_dbg_san/sql/sql_connect.cc:1312
#28 0x55bd760d9c62 in pfs_spawn_thread /test/10.9_dbg_san/storage/perfschema/pfs.cc:2201
#29 0x14a6f9450608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
#30 0x14a6f86c5162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)

0x6290001272a6 is located 166 bytes inside of 16536-byte region [0x629000127200,0x62900012b298)
allocated by thread T14 here:
#0 0x55bd72636248 in malloc (/test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/bin/mariadbd+0x849e248)
#1 0x55bd76995aa8 in ut_allocator<unsigned char, true>::allocate(unsigned long, unsigned char const*, unsigned int, bool, bool) /test/10.9_dbg_san/storage/innobase/include/ut0new.h:375
#2 0x55bd76995aa8 in mem_heap_create_block_func(mem_block_info_t, unsigned long, char const, unsigned int, unsigned long) /test/10.9_dbg_san/storage/innobase/mem/mem0mem.cc:277
#3 0x55bd76d14f74 in mem_heap_create_func /test/10.9_dbg_san/storage/innobase/include/mem0mem.inl:377
#4 0x55bd76d2cb8c in row_sel_store_mysql_field /test/10.9_dbg_san/storage/innobase/row/row0sel.cc:3050
#5 0x55bd76d2e719 in row_sel_store_mysql_rec /test/10.9_dbg_san/storage/innobase/row/row0sel.cc:3196
#6 0x55bd76d5e20e in row_search_mvcc(unsigned char, page_cur_mode_t, row_prebuilt_t, unsigned long, unsigned long) /test/10.9_dbg_san/storage/innobase/row/row0sel.cc:5653
#7 0x55bd76594ba9 in ha_innobase::general_fetch(unsigned char*, unsigned int, unsigned int) /test/10.9_dbg_san/storage/innobase/handler/ha_innodb.cc:9273
#8 0x55bd765dede6 in ha_innobase::rnd_next(unsigned char*) /test/10.9_dbg_san/storage/innobase/handler/ha_innodb.cc:9477
#9 0x55bd7491fa88 in handler::ha_rnd_next(unsigned char*) /test/10.9_dbg_san/sql/handler.cc:3414
#10 0x55bd7289b95c in rr_sequential(READ_RECORD*) /test/10.9_dbg_san/sql/records.cc:519
#11 0x55bd7332b8c9 in READ_RECORD::read_record() /test/10.9_dbg_san/sql/records.h:81
#12 0x55bd7332b8c9 in sub_select(JOIN, st_join_table, bool) /test/10.9_dbg_san/sql/sql_select.cc:21114
#13 0x55bd734fd362 in do_select /test/10.9_dbg_san/sql/sql_select.cc:20640
#14 0x55bd734fd362 in JOIN::exec_inner() /test/10.9_dbg_san/sql/sql_select.cc:4749
#15 0x55bd734fec94 in JOIN::exec() /test/10.9_dbg_san/sql/sql_select.cc:4527
#16 0x55bd734ee58b in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/10.9_dbg_san/sql/sql_select.cc:5007
#17 0x55bd734efef0 in handle_select(THD, LEX, select_result*, unsigned long) /test/10.9_dbg_san/sql/sql_select.cc:543
#18 0x55bd7305cfc2 in execute_sqlcom_select /test/10.9_dbg_san/sql/sql_parse.cc:6268
#19 0x55bd730c2216 in mysql_execute_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:3959
#20 0x55bd73024728 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/10.9_dbg_san/sql/sql_parse.cc:8043
#21 0x55bd7309a44e in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1910
#22 0x55bd730b0fa9 in do_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1407
#23 0x55bd73b7dc4b in do_handle_one_connection(CONNECT*, bool) /test/10.9_dbg_san/sql/sql_connect.cc:1418
#24 0x55bd73b80ae5 in handle_one_connection /test/10.9_dbg_san/sql/sql_connect.cc:1312
#25 0x55bd760d9c62 in pfs_spawn_thread /test/10.9_dbg_san/storage/perfschema/pfs.cc:2201
#26 0x14a6f9450608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477

Thread T14 created by T0 here:
#0 0x55bd72563285 in __interceptor_pthread_create (/test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/bin/mariadbd+0x83cb285)
#1 0x55bd760e918c in my_thread_create /test/10.9_dbg_san/storage/perfschema/my_thread.h:52
#2 0x55bd760e918c in pfs_spawn_thread_v1 /test/10.9_dbg_san/storage/perfschema/pfs.cc:2252
#3 0x55bd7268f8ac in inline_mysql_thread_create /test/10.9_dbg_san/include/mysql/psi/mysql_thread.h:1139
#4 0x55bd7268f8ac in create_thread_to_handle_connection(CONNECT*) /test/10.9_dbg_san/sql/mysqld.cc:5980
#5 0x55bd726a4d86 in create_new_thread(CONNECT*) /test/10.9_dbg_san/sql/mysqld.cc:6039
#6 0x55bd726a5561 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/10.9_dbg_san/sql/mysqld.cc:6101
#7 0x55bd726a7146 in handle_connections_sockets() /test/10.9_dbg_san/sql/mysqld.cc:6225
#8 0x55bd726ad29c in mysqld_main(int, char**) /test/10.9_dbg_san/sql/mysqld.cc:5875
#9 0x55bd7267780a in main /test/10.9_dbg_san/sql/main.cc:34
#10 0x14a6f85ca0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)

SUMMARY: AddressSanitizer: use-after-poison /test/10.9_dbg_san/strings/dtoa.c:1476 in my_strtod_int
Shadow bytes around the buggy address:
0x0c528001ce00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c528001ce10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c528001ce20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c528001ce30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c528001ce40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c528001ce50: 00 00 00 f7[06]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c528001ce60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c528001ce70: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c528001ce80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c528001ce90: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c528001cea0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2353506==ABORTING
220419 16:09:52 [ERROR] mysqld got signal 6 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.

To report this bug, see https://mariadb.com/kb/en/reporting-bugs

We will try our best to scrape up some info that will hopefully help
diagnose the problem, but since we have already crashed,
something is definitely wrong and this may fail.

Server version: 10.9.0-MariaDB-debug
key_buffer_size=134217728
read_buffer_size=131072
max_used_connections=1
max_threads=153
thread_count=1
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 468120 K bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x62b00015e288
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0x14a6d622bc90 thread_stack 0x100000
/test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/bin/mysqld(+0x83fd7b0)[0x55bd725957b0]
/test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/bin/mysqld(my_print_stacktrace+0xfb)[0x55bd7784d6ee]
/test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/bin/mysqld(handle_fatal_signal+0xc2d)[0x55bd748e685b]
sigaction.c:0(__restore_rt)[0x14a6f945c3c0]
linux/raise.c:51(__GI_raise)[0x14a6f85e903b]
stdlib/abort.c:81(__GI_abort)[0x14a6f85c8859]
:0(__sanitizer::Abort())[0x55bd72653d32]
:0(__sanitizer::Die())[0x55bd7265e8dc]
:0(__asan::ScopedInErrorReport::~ScopedInErrorReport())[0x55bd7263ff6c]
:0(__asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool))[0x55bd7263f9e3]
??:0(__asan_report_load1)[0x55bd726404cb]
strings/dtoa.c:1476(my_strtod_int)[0x55bd77a308d6]
strings/ctype-simple.c:802(my_strntod_8bit)[0x55bd7792e0b9]
sql/field.h:210(Value_source::Converter_strntod::Converter_strntod(charset_info_st const, char const, unsigned long))[0x55bd74f792e0]
sql/sql_type.cc:5629(Type_handler_string_result::Item_func_hybrid_field_type_val_real(Item_func_hybrid_field_type*) const)[0x55bd7401b82e]
sql/item_func.h:900(Item_func_hybrid_field_type::val_real())[0x55bd72fbf76d]
sql/item_cmpfunc.cc:831(Arg_comparator::compare_real())[0x55bd74bd9844]
sql/item_cmpfunc.cc:1763(Item_func_eq::val_int())[0x55bd74bd30f4]
sql/sql_select.cc:21193(evaluate_join_record(JOIN, st_join_table, int))[0x55bd73286d24]
sql/sql_select.cc:21103(sub_select(JOIN, st_join_table, bool))[0x55bd7332b7dd]
sql/sql_select.cc:20640(JOIN::exec_inner())[0x55bd734fd363]
sql/sql_select.cc:4528(JOIN::exec())[0x55bd734fec95]
sql/sql_select.cc:5007(mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex))[0x55bd734ee58c]
sql/sql_select.cc:543(handle_select(THD, LEX, select_result*, unsigned long))[0x55bd734efef1]
sql/sql_parse.cc:6268(execute_sqlcom_select(THD, TABLE_LIST))[0x55bd7305cfc3]
sql/sql_parse.cc:3959(mysql_execute_command(THD*, bool))[0x55bd730c2217]
sql/sql_parse.cc:8043(mysql_parse(THD, char, unsigned int, Parser_state*))[0x55bd73024729]
sql/sql_parse.cc:1910(dispatch_command(enum_server_command, THD, char, unsigned int, bool))[0x55bd7309a44f]
sql/sql_parse.cc:1407(do_command(THD*, bool))[0x55bd730b0faa]
sql/sql_connect.cc:1418(do_handle_one_connection(CONNECT*, bool))[0x55bd73b7dc4c]
sql/sql_connect.cc:1312(handle_one_connection)[0x55bd73b80ae6]
perfschema/pfs.cc:2204(pfs_spawn_thread)[0x55bd760d9c63]
nptl/pthread_create.c:478(start_thread)[0x14a6f9450609]
x86_64/clone.S:97(__GI___clone)[0x14a6f86c5163]

Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0x6290000e62a8): SELECT * FROM t WHERE COALESCE(c)=0.0

Connection ID (thread ID): 4
Status: NOT_KILLED

Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off

The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains
information that should help you find out what is causing the crash.
Writing a core file...
Working directory at /test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/data
Resource Limits:
Limit Soft Limit Hard Limit Units
Max cpu time unlimited unlimited seconds
Max file size unlimited unlimited bytes
Max data size unlimited unlimited bytes
Max stack size unlimited unlimited bytes
Max core file size 0 0 bytes
Max resident set unlimited unlimited bytes
Max processes unlimited unlimited processes
Max open files 1048576 1048576 files
Max locked memory unlimited unlimited bytes
Max address space unlimited unlimited bytes
Max file locks unlimited unlimited locks
Max pending signals unlimited unlimited signals
Max msgqueue size unlimited unlimited bytes
Max nice priority 0 0
Max realtime priority 0 0
Max realtime timeout unlimited unlimited us
Core pattern: core

Setup:

Compiled with GCC >=7.5.0 (I use GCC 9.4.0) and:

    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON

Set before execution:

    export ASAN_OPTIONS=quarantine_size_mb=512:atexit=1:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1

Bug confirmed present in:
MariaDB: 10.2.44 (dbg), 10.2.44 (opt), 10.3.35 (dbg), 10.3.35 (opt), 10.4.25 (dbg), 10.4.25 (opt), 10.5.16 (dbg), 10.5.16 (opt), 10.6.8 (dbg), 10.6.8 (opt), 10.7.4 (dbg), 10.7.4 (opt), 10.8.3 (dbg), 10.8.3 (opt), 10.9.0 (dbg), 10.9.0 (opt)

Note, MyISAM is not affected.

The problem is also repeatable with this script, without COALESCE:

DROP TABLE t;

CREATE TABLE t (c BLOB) ENGINE=InnoDB;

INSERT INTO t VALUES ('0.0e'),('0.0e+0');

SELECT * FROM t WHERE c=0.0;

Attachments

Issue Links

relates to

MDEV-28374 UBSAN: runtime error: signed integer overflow: 10000000000000 * 10000000000000 cannot be represented in type 'long long int' in sql/sql_analyse.cc

Confirmed

MDEV-29473 UBSAN: Signed integer overflow: X * Y cannot be represented in type 'int' in strings/dtoa.c

Closed

MDEV-32759 Heap-Use-After-Free at /mariadb-11.3.0/strings/dtoa.c:1378

Stalled

split to

MDEV-34616 ASAN: heap-use-after-free in my_strtod_int

Open

Activity

People

Assignee:: Alexander Barkov

Reporter:: Roel Van de Paar

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2022-04-19 06:23

Updated:: 2024-07-18 05:39

Resolved:: 2024-07-18 05:39

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.