
Spider: SIGSEGV in spider_db_direct_delete, SIGSEGV in spider_db_connect, ASAN: heap-use-after-free in spider_db_direct_delete

Details

    Description

      INSTALL PLUGIN spider SONAME 'ha_spider.so';
      CREATE TABLE t (c INT) ENGINE=Spider;
      SELECT * FROM t;
      INSERT INTO t (SELECT 1 FROM t);
      LOCK TABLES t WRITE CONCURRENT;
      DELETE FROM t;
      

      Leads to:

      10.4.25 9c6135e81f29b3e3286d6b864c0fdafc2fea16ce (Optimized)

      Core was generated by `/test/MD160322-mariadb-10.4.25-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  0x0000150c80078923 in spider_db_connect (share=0x150c34058828, 
          conn=conn@entry=0x150c340817c8, link_idx=0)
          at /test/10.4_opt/storage/spider/spd_db_conn.cc:178
      [Current thread is 1 (Thread 0x150c8c11f700 (LWP 3880049))]
      (gdb) bt
      #0  0x0000150c80078923 in spider_db_connect (share=0x150c34058828, conn=conn@entry=0x150c340817c8, link_idx=0) at /test/10.4_opt/storage/spider/spd_db_conn.cc:178
      #1  0x0000150c80079508 in spider_db_conn_queue_action (conn=0x150c340817c8) at /test/10.4_opt/storage/spider/spd_db_conn.cc:293
      #2  0x0000150c8007f830 in spider_db_before_query (conn=0x150c340817c8, need_mon=<optimized out>) at /test/10.4_opt/storage/spider/spd_db_conn.cc:608
      #3  0x0000150c8007fa42 in spider_db_set_names_internal (trx=0x150c3403c3e8, share=0x150c34058828, conn=conn@entry=0x150c340817c8, all_link_idx=0, need_mon=0x150c3405f328) at /test/10.4_opt/storage/spider/spd_db_conn.cc:909
      #4  0x0000150c8007fc05 in spider_db_set_names (spider=spider@entry=0x150c34057c50, conn=conn@entry=0x150c340817c8, link_idx=link_idx@entry=0) at /test/10.4_opt/storage/spider/spd_db_conn.cc:955
      #5  0x0000150c80085eda in spider_db_direct_delete (spider=spider@entry=0x150c34057c50, table=<optimized out>, delete_rows=delete_rows@entry=0x150c8c11c2d8) at /test/10.4_opt/storage/spider/spd_db_conn.cc:8315
      #6  0x0000150c800d3317 in ha_spider::direct_delete_rows (this=0x150c34057c50, delete_rows=0x150c8c11c2d8) at /test/10.4_opt/storage/spider/ha_spider.cc:11331
      #7  0x0000564402989df3 in mysql_delete (thd=thd@entry=0x150c34000c48, table_list=0x150c340100b0, conds=<optimized out>, order_list=order_list@entry=0x150c34005458, limit=18446744073709551615, options=0, result=0x0) at /test/10.4_opt/sql/sql_delete.cc:654
      #8  0x000056440261b0ea in mysql_execute_command (thd=0x150c34000c48) at /test/10.4_opt/sql/sql_parse.cc:4792
      #9  0x0000564402621257 in mysql_parse (thd=0x150c34000c48, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /test/10.4_opt/sql/sql_parse.cc:7995
      #10 0x00005644026238cd in dispatch_command (command=COM_QUERY, thd=0x150c34000c48, packet=<optimized out>, packet_length=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /test/10.4_opt/sql/sql_class.h:1201
      #11 0x0000564402625f3e in do_command (thd=0x150c34000c48) at /test/10.4_opt/sql/sql_parse.cc:1373
      #12 0x000056440271bd3e in do_handle_one_connection (connect=connect@entry=0x564406013208) at /test/10.4_opt/sql/sql_connect.cc:1420
      #13 0x000056440271be6f in handle_one_connection (arg=0x564406013208) at /test/10.4_opt/sql/sql_connect.cc:1316
      #14 0x0000150c98a1d609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #15 0x0000150c98609133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      10.4.25 9c6135e81f29b3e3286d6b864c0fdafc2fea16ce (Debug)

      Core was generated by `/test/MD160322-mariadb-10.4.25-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  0x0000151ba166f1d6 in spider_db_direct_delete (
          spider=spider@entry=0x151b68083168, table=<optimized out>, 
          delete_rows=delete_rows@entry=0x151ba17e4288)
          at /test/10.4_dbg/storage/spider/spd_db_conn.cc:8282
      [Current thread is 1 (Thread 0x151ba17e7700 (LWP 3885425))]
      (gdb) bt
      #0  0x0000151ba166f1d6 in spider_db_direct_delete (spider=spider@entry=0x151b68083168, table=<optimized out>, delete_rows=delete_rows@entry=0x151ba17e4288) at /test/10.4_dbg/storage/spider/spd_db_conn.cc:8282
      #1  0x0000151ba16e20e4 in ha_spider::direct_delete_rows (this=0x151b68083168, delete_rows=0x151ba17e4288) at /test/10.4_dbg/storage/spider/ha_spider.cc:11304
      #2  0x00005592f9b1f099 in handler::ha_direct_delete_rows (this=0x151b68083168, delete_rows=delete_rows@entry=0x151ba17e4288) at /test/10.4_dbg/sql/handler.cc:6978
      #3  0x00005592f9cf8405 in mysql_delete (thd=thd@entry=0x151b68000d90, table_list=0x151b680132f8, conds=<optimized out>, order_list=order_list@entry=0x151b68005760, limit=18446744073709551615, options=<optimized out>, result=0x0) at /test/10.4_dbg/sql/sql_delete.cc:654
      #4  0x00005592f98588af in mysql_execute_command (thd=thd@entry=0x151b68000d90) at /test/10.4_dbg/sql/sql_parse.cc:4797
      #5  0x00005592f985fd01 in mysql_parse (thd=thd@entry=0x151b68000d90, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x151ba17e6490, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.4_dbg/sql/sql_parse.cc:7995
      #6  0x00005592f986275d in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x151b68000d90, packet=packet@entry=0x151b6801a361 "DELETE FROM t", packet_length=packet_length@entry=13, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.4_dbg/sql/sql_class.h:1201
      #7  0x00005592f9866050 in do_command (thd=0x151b68000d90) at /test/10.4_dbg/sql/sql_parse.cc:1373
      #8  0x00005592f99a5457 in do_handle_one_connection (connect=connect@entry=0x5592fde73120) at /test/10.4_dbg/sql/sql_connect.cc:1420
      #9  0x00005592f99a5576 in handle_one_connection (arg=0x5592fde73120) at /test/10.4_dbg/sql/sql_connect.cc:1316
      #10 0x0000151bc7fde609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #11 0x0000151bc7bca133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      Bug confirmed present in:
      MariaDB: 10.4.25 (dbg), 10.4.25 (opt)

      Bug (or feature/syntax) confirmed not present in:
      MariaDB: 10.3.35 (dbg), 10.3.35 (opt), 10.5.16 (dbg), 10.5.16 (opt), 10.6.8 (dbg), 10.6.8 (opt), 10.7.4 (dbg), 10.7.4 (opt), 10.8.3 (dbg), 10.8.3 (opt), 10.9.0 (dbg), 10.9.0 (opt), 10.10.0 (dbg), 10.10.0 (opt)
      MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.37 (dbg), 5.7.37 (opt), 8.0.28 (dbg), 8.0.28 (opt)

          Activity

            The spider_db_connect stack is also seen in MDEV-26546, but the tickets look otherwise unrelated.

            Roel Roel Van de Paar added a comment

            I tried ASAN build on 10.4.25 (23ddc3518f999e003d54f7a069b63b73585588aa):

            ==1135105==ERROR: AddressSanitizer: heap-use-after-free on address 0x61e000015f70 at pc 0x7f9322cb6e48 bp 0x7f93235d1d60 sp 0x7f93235d1d50
            READ of size 4 at 0x61e000015f70 thread T28
                #0 0x7f9322cb6e47 in spider_db_direct_delete(ha_spider*, TABLE*, unsigned long long*) /home/nayuta_mariadb/repo/mariadb-server/10.4/storage/spider/spd_db_conn.cc:8282
                #1 0x7f9322e692fa in ha_spider::direct_delete_rows(unsigned long long*) /home/nayuta_mariadb/repo/mariadb-server/10.4/storage/spider/ha_spider.cc:11329
                #2 0x55bc241677d4 in handler::ha_direct_delete_rows(unsigned long long*) /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/handler.cc:6995
                #3 0x55bc245ca5d2 in mysql_delete(THD*, TABLE_LIST*, Item*, SQL_I_List<st_order>*, unsigned long long, unsigned long long, select_result*) /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/sql_delete.cc:654
                #4 0x55bc2397db0b in mysql_execute_command(THD*) /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/sql_parse.cc:4797
                #5 0x55bc23993fc1 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/sql_parse.cc:7995
                #6 0x55bc2396a052 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/sql_parse.cc:1857
                #7 0x55bc23966ad7 in do_command(THD*) /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/sql_parse.cc:1378
                #8 0x55bc23d6ce41 in do_handle_one_connection(CONNECT*) /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/sql_connect.cc:1420
                #9 0x55bc23d6c5be in handle_one_connection /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/sql_connect.cc:1316
                #10 0x7f933ac7bb42  (/lib/x86_64-linux-gnu/libc.so.6+0x94b42)
                #11 0x7f933ad0cbb3 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x125bb3)
             
            0x61e000015f70 is located 752 bytes inside of 2568-byte region [0x61e000015c80,0x61e000016688)
            freed by thread T28 here:
                #0 0x7f933b3db517 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
                #1 0x55bc255b088b in my_free /home/nayuta_mariadb/repo/mariadb-server/10.4/mysys/my_malloc.c:222
                #2 0x7f9322dd061b in spider_free_mem(st_spider_transaction*, void*, unsigned long) /home/nayuta_mariadb/repo/mariadb-server/10.4/storage/spider/spd_malloc.cc:188
                #3 0x7f9322cf8856 in spider_free_conn(st_spider_conn*) /home/nayuta_mariadb/repo/mariadb-server/10.4/storage/spider/spd_conn.cc:1252
                #4 0x7f9322cf1d51 in spider_free_conn_from_trx(st_spider_transaction*, st_spider_conn*, bool, bool, int*) /home/nayuta_mariadb/repo/mariadb-server/10.4/storage/spider/spd_conn.cc:315
                #5 0x7f9322c325d3 in spider_free_trx_conn(st_spider_transaction*, bool) /home/nayuta_mariadb/repo/mariadb-server/10.4/storage/spider/spd_trx.cc:117
                #6 0x7f9322c4f41d in spider_commit(handlerton*, THD*, bool) /home/nayuta_mariadb/repo/mariadb-server/10.4/storage/spider/spd_trx.cc:3491
                #7 0x55bc2413aca3 in commit_one_phase_2 /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/handler.cc:1831
                #8 0x55bc2413a9b1 in ha_commit_one_phase(THD*, bool) /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/handler.cc:1810
                #9 0x55bc241390a2 in ha_commit_trans(THD*, bool) /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/handler.cc:1616
                #10 0x55bc23da9994 in trans_commit_stmt(THD*) /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/transaction.cc:437
                #11 0x55bc23988aed in mysql_execute_command(THD*) /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/sql_parse.cc:6250
                #12 0x55bc23993fc1 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/sql_parse.cc:7995
                #13 0x55bc2396a052 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/sql_parse.cc:1857
                #14 0x55bc23966ad7 in do_command(THD*) /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/sql_parse.cc:1378
                #15 0x55bc23d6ce41 in do_handle_one_connection(CONNECT*) /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/sql_connect.cc:1420
                #16 0x55bc23d6c5be in handle_one_connection /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/sql_connect.cc:1316
                #17 0x7f933ac7bb42  (/lib/x86_64-linux-gnu/libc.so.6+0x94b42)
             
            previously allocated by thread T28 here:
                #0 0x7f933b3db867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
                #1 0x55bc255afc8c in my_malloc /home/nayuta_mariadb/repo/mariadb-server/10.4/mysys/my_malloc.c:101
                #2 0x7f9322dd0d7f in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /home/nayuta_mariadb/repo/mariadb-server/10.4/storage/spider/spd_malloc.cc:236
                #3 0x7f9322cf29a7 in spider_create_conn(st_spider_share*, ha_spider*, int, int, unsigned int, int*) /home/nayuta_mariadb/repo/mariadb-server/10.4/storage/spider/spd_conn.cc:478
                #4 0x7f9322cf7783 in spider_get_conn(st_spider_share*, int, char*, st_spider_transaction*, ha_spider*, bool, bool, unsigned int, int*) /home/nayuta_mariadb/repo/mariadb-server/10.4/storage/spider/spd_conn.cc:1080
                #5 0x7f9322d67779 in spider_get_share(char const*, TABLE*, THD*, ha_spider*, int*) /home/nayuta_mariadb/repo/mariadb-server/10.4/storage/spider/spd_table.cc:5583
                #6 0x7f9322df7cad in ha_spider::open(char const*, int, unsigned int) /home/nayuta_mariadb/repo/mariadb-server/10.4/storage/spider/ha_spider.cc:360
                #7 0x55bc24142477 in handler::ha_open(TABLE*, char const*, int, unsigned int, st_mem_root*, List<String>*) /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/handler.cc:2811
                #8 0x55bc23c99d74 in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/table.cc:4096
                #9 0x55bc237dba3f in open_table(THD*, TABLE_LIST*, Open_table_context*) /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/sql_base.cc:2108
                #10 0x55bc237e547c in open_and_process_table /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/sql_base.cc:3907
                #11 0x55bc237e8067 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/sql_base.cc:4388
                #12 0x55bc237ed397 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/sql_base.cc:5335
                #13 0x55bc237453e5 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/sql_base.h:503
                #14 0x55bc2397cb05 in mysql_execute_command(THD*) /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/sql_parse.cc:4677
                #15 0x55bc23993fc1 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/sql_parse.cc:7995
                #16 0x55bc2396a052 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/sql_parse.cc:1857
                #17 0x55bc23966ad7 in do_command(THD*) /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/sql_parse.cc:1378
                #18 0x55bc23d6ce41 in do_handle_one_connection(CONNECT*) /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/sql_connect.cc:1420
                #19 0x55bc23d6c5be in handle_one_connection /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/sql_connect.cc:1316
                #20 0x7f933ac7bb42  (/lib/x86_64-linux-gnu/libc.so.6+0x94b42)
             
            Thread T28 created by T0 here:
                #0 0x7f933b37f685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
                #1 0x55bc256131f9 in spawn_thread_noop /home/nayuta_mariadb/repo/mariadb-server/10.4/mysys/psi_noop.c:187
                #2 0x55bc23661e3f in inline_mysql_thread_create /home/nayuta_mariadb/repo/mariadb-server/10.4/include/mysql/psi/mysql_thread.h:1275
                #3 0x55bc2367a508 in create_thread_to_handle_connection(CONNECT*) /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/mysqld.cc:6282
                #4 0x55bc2367acbd in create_new_thread(CONNECT*) /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/mysqld.cc:6352
                #5 0x55bc2367b1ac in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/mysqld.cc:6450
                #6 0x55bc2367c07a in handle_connections_sockets() /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/mysqld.cc:6608
                #7 0x55bc23679bc2 in mysqld_main(int, char**) /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/mysqld.cc:5940
                #8 0x55bc2366008c in main /home/nayuta_mariadb/repo/mariadb-server/10.4/sql/main.cc:25
                #9 0x7f933ac10d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
             
            SUMMARY: AddressSanitizer: heap-use-after-free /home/nayuta_mariadb/repo/mariadb-server/10.4/storage/spider/spd_db_conn.cc:8282 in spider_db_direct_delete(ha_spider*, TABLE*, unsigned long long*)
            ==1135105==ABORTING
            

            nayuta-yanagisawa Nayuta Yanagisawa (Inactive) added a comment

            The problem is reproducible on 10.4.24 (b4477ae73c836592268f7fb231eeb38a4fa83bb6). This means that it is not introduced very recently. I'm lowering the priority.

            nayuta-yanagisawa Nayuta Yanagisawa (Inactive) added a comment - edited

            I guess that the reason why the bug is unreproducible on 10.5+ is that 10.5+ calls ha_spider::dml_init() before it executes DMLs, including direct delete/update. dml_init() allocates new connections to the transaction and the ha_spider instance. So, just backporting the code would fix the problem.

            nayuta-yanagisawa Nayuta Yanagisawa (Inactive) added a comment - edited

            I think that Spider should handle connections in a more consistent way.

            nayuta-yanagisawa Nayuta Yanagisawa (Inactive) added a comment
            ycp Yuchen Pei added a comment - - edited

            mtr case

            --echo #
            --echo # MDEV-28683 Spider: SIGSEGV in spider_db_direct_delete, SIGSEGV in spider_db_connect, ASAN: heap-use-after-free in spider_db_direct_delete
            --echo #
            --disable_query_log
            --disable_result_log
            --source ../../t/test_init.inc
            --enable_result_log
            --enable_query_log
             
            CREATE TABLE t (c INT) ENGINE=Spider;
            --error ER_CONNECT_TO_FOREIGN_DATA_SOURCE
            SELECT * FROM t;
            # in 11.0: 1429, in 10.4: 12701
            --error ER_CONNECT_TO_FOREIGN_DATA_SOURCE,12701
            INSERT INTO t (SELECT 1 FROM t);
            LOCK TABLES t WRITE CONCURRENT;
            --error ER_CONNECT_TO_FOREIGN_DATA_SOURCE
            DELETE FROM t;
             
            UNLOCK TABLES;
            DROP TABLE t;
             
            --disable_query_log
            --disable_result_log
            --source ../../t/test_deinit.inc
            --enable_result_log
            --enable_query_log
            --echo #
            --echo # end of test mdev_28683
            --echo #

            ycp Yuchen Pei added a comment - - edited

            Hi holyfoot, ptal thanks

            98c9f53b579 upstream/bb-10.4-mdev-28683 MDEV-28683 Spider: create conn on demand when direct delete

            The above is based on 10.4. Even though 10.4 is the only affected version and fix version, knowing how the release process works, the change will probably be automatically merged into higher versions too, so I tested 10.5 as well:

            0c90c9975b6 upstream/bb-10.5-mdev-28683 MDEV-28683 Spider: create conn on demand when direct delete

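The lifecycle the comments above describe (a connection freed by spider_commit at statement end while the handler still holds its cached pointer, and the "create conn on demand" fix) as an added C model, not Spider's code: the trx_t, handler_t and conn pool types, the pool's in_use flag standing in for ASAN's freed-region detection, and all function names are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 4

/* Connection object (stands in for SPIDER_CONN). Slots live in a small pool
   with an in_use flag so that a use of a freed slot is reported instead of
   being undefined behaviour, much as ASAN reported the freed heap region. */
typedef struct {
    int in_use;
    int connected;
} conn_t;

static conn_t pool[POOL_SIZE];

static conn_t *conn_alloc(void) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            pool[i].connected = 0;
            return &pool[i];
        }
    }
    return NULL;
}

static void conn_free(conn_t *c) {
    c->in_use = 0;
    c->connected = 0;
}

/* Transaction (stands in for SPIDER_TRX): owns the connection and frees it
   at statement commit, the spider_commit -> spider_free_trx_conn path. */
typedef struct {
    conn_t *conn;
} trx_t;

/* Handler (stands in for ha_spider): caches a pointer to the trx connection. */
typedef struct {
    trx_t *trx;
    conn_t *conn;        /* cached across statements; dangles after commit */
} handler_t;

static void trx_commit_stmt(trx_t *t) {
    if (t->conn) {
        conn_free(t->conn);   /* the handler's cached pointer is now stale */
        t->conn = NULL;
    }
}

/* Obtain a live connection for the transaction, creating one on demand. */
static conn_t *trx_get_conn(trx_t *t) {
    if (!t->conn)
        t->conn = conn_alloc();
    return t->conn;
}

/* Stands in for spider_db_connect: 0 on success, -1 when handed a freed slot
   (the situation behind the crash in spider_db_connect / spider_db_direct_delete). */
static int db_connect(conn_t *c) {
    if (!c || !c->in_use)
        return -1;
    c->connected = 1;
    return 0;
}

/* First statement: acquire and cache a connection (same in both variants). */
static int stmt_open(handler_t *h) {
    h->conn = trx_get_conn(h->trx);
    return db_connect(h->conn);
}

/* Buggy direct delete: trusts the pointer cached by the previous statement. */
static int direct_delete_buggy(handler_t *h) {
    return db_connect(h->conn);
}

/* Fixed direct delete: re-resolve the connection through the trx first, which
   recreates it if commit freed the old one ("create conn on demand"). */
static int direct_delete_fixed(handler_t *h) {
    h->conn = trx_get_conn(h->trx);
    return db_connect(h->conn);
}

/* Runs the reporter's shape of sequence (statement; commit; DELETE) against
   one variant and returns the DELETE's result: -1 is the stale-connection case. */
static int run_sequence(int (*direct_delete)(handler_t *)) {
    memset(pool, 0, sizeof pool);
    trx_t trx = { NULL };
    handler_t h = { &trx, NULL };
    if (stmt_open(&h) != 0)
        return -2;
    trx_commit_stmt(&trx);     /* statement-end commit frees the connection */
    return direct_delete(&h);
}

int main(void) {
    printf("buggy direct delete after commit: %d\n", run_sequence(direct_delete_buggy));
    printf("fixed direct delete after commit: %d\n", run_sequence(direct_delete_fixed));
    return 0;
}
```

In the real server the buggy variant dereferences freed memory, so only a sanitizer build reports it cleanly; the model returns -1 there so the two variants can be compared directly.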

            ok to push.

            holyfoot Alexey Botchkov added a comment
            ycp Yuchen Pei added a comment - - edited

            Thanks for the review. This ticket is now part of work to find a more general solution to managing SPIDER_TRX and SPIDER_CONN across statements, which is represented by MDEV-29962.

            ycp Yuchen Pei added a comment -

            Let's just use the existing solution, as I don't think it is worth the trouble trying to backport dml_init() to 10.4.

            Pushed 13896f73dfe7fb206b3ed72e40ae9039e37bea19 to 10.4


            People

              ycp Yuchen Pei
              Roel Roel Van de Paar