MariaDB Server
MDEV-29027: ASAN errors in spider_db_free_result after partition DDL

    Description

      --source plugin/spider/spider/include/init_spider.inc
      --source include/have_partition.inc
       
      SET spider_same_server_link= on;
      eval create server s foreign data wrapper mysql options (host "127.0.0.1", database "test", user "root", port $MASTER_MYPORT);
       
      CREATE TABLE t1 (a INT);
      CREATE TABLE t_spider (a INT) ENGINE=SPIDER PARTITION BY HASH(a) (PARTITION p1 COMMENT = "wrapper 'mysql', srv 's', table 't1'");
      CREATE TABLE t2 (a INT);
      ALTER TABLE t_spider ADD PARTITION (PARTITION p2 COMMENT = "wrapper 'mysql', srv 's', table 't2'");
       
      # Cleanup
      DROP TABLE t_spider, t1, t2;
       
      --source plugin/spider/spider/include/deinit_spider.inc
      

      10.5 b546913b

      ==4132956==ERROR: AddressSanitizer: heap-use-after-free on address 0x6140000110c8 at pc 0x7f10a2f04c5a bp 0x7f10a33d0230 sp 0x7f10a33d0228
      READ of size 8 at 0x6140000110c8 thread T5
          #0 0x7f10a2f04c59 in spider_db_free_result(ha_spider*, bool) /data/src/10.5/storage/spider/spd_db_conn.cc:3728
          #1 0x7f10a300c442 in ha_spider::close() /data/src/10.5/storage/spider/ha_spider.cc:711
          #2 0x556cc0f0ad78 in ha_partition::close() /data/src/10.5/sql/ha_partition.cc:4060
          #3 0x556cc0c6b1cc in alter_close_table /data/src/10.5/sql/sql_partition.cc:6838
          #4 0x556cc0c8e77c in fast_alter_partition_table(THD*, TABLE*, Alter_info*, HA_CREATE_INFO*, TABLE_LIST*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*) /data/src/10.5/sql/sql_partition.cc:7402
          #5 0x556cc02af8e5 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool, bool) /data/src/10.5/sql/sql_table.cc:10557
          #6 0x556cc03ee7f5 in Sql_cmd_alter_table::execute(THD*) /data/src/10.5/sql/sql_alter.cc:543
          #7 0x556cc0062187 in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:6056
          #8 0x556cc006f23b in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.5/sql/sql_parse.cc:8100
          #9 0x556cc0075554 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5/sql/sql_parse.cc:1891
          #10 0x556cc007ae52 in do_command(THD*) /data/src/10.5/sql/sql_parse.cc:1375
          #11 0x556cc03dcc5e in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1418
          #12 0x556cc03dd30c in handle_one_connection /data/src/10.5/sql/sql_connect.cc:1312
          #13 0x556cc0f29cf4 in pfs_spawn_thread /data/src/10.5/storage/perfschema/pfs.cc:2201
          #14 0x7f10ac77cea6 in start_thread nptl/pthread_create.c:477
          #15 0x7f10ac379dee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfddee)
       
      0x6140000110c8 is located 136 bytes inside of 416-byte region [0x614000011040,0x6140000111e0)
      freed by thread T5 here:
          #0 0x7f10acd10b6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123
          #1 0x7f10a2fed0d1 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /data/src/10.5/storage/spider/spd_malloc.cc:188
          #2 0x7f10a300ca9a in ha_spider::close() /data/src/10.5/storage/spider/ha_spider.cc:722
          #3 0x556cc0f0ad78 in ha_partition::close() /data/src/10.5/sql/ha_partition.cc:4060
          #4 0x556cc0c6b1cc in alter_close_table /data/src/10.5/sql/sql_partition.cc:6838
          #5 0x556cc0c8e77c in fast_alter_partition_table(THD*, TABLE*, Alter_info*, HA_CREATE_INFO*, TABLE_LIST*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*) /data/src/10.5/sql/sql_partition.cc:7402
          #6 0x556cc02af8e5 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool, bool) /data/src/10.5/sql/sql_table.cc:10557
          #7 0x556cc03ee7f5 in Sql_cmd_alter_table::execute(THD*) /data/src/10.5/sql/sql_alter.cc:543
          #8 0x556cc0062187 in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:6056
          #9 0x556cc006f23b in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.5/sql/sql_parse.cc:8100
          #10 0x556cc0075554 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5/sql/sql_parse.cc:1891
          #11 0x556cc007ae52 in do_command(THD*) /data/src/10.5/sql/sql_parse.cc:1375
          #12 0x556cc03dcc5e in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1418
          #13 0x556cc03dd30c in handle_one_connection /data/src/10.5/sql/sql_connect.cc:1312
          #14 0x556cc0f29cf4 in pfs_spawn_thread /data/src/10.5/storage/perfschema/pfs.cc:2201
          #15 0x7f10ac77cea6 in start_thread nptl/pthread_create.c:477
       
      previously allocated by thread T5 here:
          #0 0x7f10acd10e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
          #1 0x556cc18da748 in my_malloc /data/src/10.5/mysys/my_malloc.c:90
          #2 0x7f10a2fed3fd in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /data/src/10.5/storage/spider/spd_malloc.cc:236
          #3 0x7f10a30336a1 in ha_spider::open(char const*, int, unsigned int) /data/src/10.5/storage/spider/ha_spider.cc:379
          #4 0x556cc0726d3f in handler::ha_open(TABLE*, char const*, int, unsigned int, st_mem_root*, List<String>*) /data/src/10.5/sql/handler.cc:3013
          #5 0x556cc0f14ff2 in ha_partition::open_read_partitions(char*, unsigned long) /data/src/10.5/sql/ha_partition.cc:8792
          #6 0x556cc0f16754 in ha_partition::open(char const*, int, unsigned int) /data/src/10.5/sql/ha_partition.cc:3784
          #7 0x556cc0726d3f in handler::ha_open(TABLE*, char const*, int, unsigned int, st_mem_root*, List<String>*) /data/src/10.5/sql/handler.cc:3013
          #8 0x556cc0346390 in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /data/src/10.5/sql/table.cc:4322
          #9 0x556cbfef26ed in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.5/sql/sql_base.cc:2014
          #10 0x556cbfefb261 in open_and_process_table /data/src/10.5/sql/sql_base.cc:3805
          #11 0x556cbfefb261 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.5/sql/sql_base.cc:4288
          #12 0x556cc02a8385 in open_tables /data/src/10.5/sql/sql_base.h:263
          #13 0x556cc02a8385 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool, bool) /data/src/10.5/sql/sql_table.cc:10066
          #14 0x556cc03ee7f5 in Sql_cmd_alter_table::execute(THD*) /data/src/10.5/sql/sql_alter.cc:543
          #15 0x556cc0062187 in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:6056
          #16 0x556cc006f23b in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.5/sql/sql_parse.cc:8100
          #17 0x556cc0075554 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5/sql/sql_parse.cc:1891
          #18 0x556cc007ae52 in do_command(THD*) /data/src/10.5/sql/sql_parse.cc:1375
          #19 0x556cc03dcc5e in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1418
          #20 0x556cc03dd30c in handle_one_connection /data/src/10.5/sql/sql_connect.cc:1312
          #21 0x556cc0f29cf4 in pfs_spawn_thread /data/src/10.5/storage/perfschema/pfs.cc:2201
          #22 0x7f10ac77cea6 in start_thread nptl/pthread_create.c:477
       
      Thread T5 created by T0 here:
          #0 0x7f10accbc2a2 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:214
          #1 0x556cc0f29f82 in my_thread_create /data/src/10.5/storage/perfschema/my_thread.h:52
          #2 0x556cc0f29f82 in pfs_spawn_thread_v1 /data/src/10.5/storage/perfschema/pfs.cc:2252
          #3 0x556cbfdd422b in inline_mysql_thread_create /data/src/10.5/include/mysql/psi/mysql_thread.h:1323
          #4 0x556cbfdd422b in create_thread_to_handle_connection(CONNECT*) /data/src/10.5/sql/mysqld.cc:6051
          #5 0x556cbfddfaa2 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.5/sql/mysqld.cc:6175
          #6 0x556cbfde04b3 in handle_connections_sockets() /data/src/10.5/sql/mysqld.cc:6302
          #7 0x556cbfde219b in mysqld_main(int, char**) /data/src/10.5/sql/mysqld.cc:5697
          #8 0x7f10ac2a2d09 in __libc_start_main ../csu/libc-start.c:308
       
      SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.5/storage/spider/spd_db_conn.cc:3728 in spider_db_free_result(ha_spider*, bool)
      Shadow bytes around the buggy address:
        0x0c287fffa1c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
        0x0c287fffa1d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c287fffa1e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c287fffa1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
        0x0c287fffa200: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
      =>0x0c287fffa210: fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd
        0x0c287fffa220: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c287fffa230: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
        0x0c287fffa240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c287fffa250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c287fffa260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      

      Couldn't reproduce on 10.4.

          Activity

            Roel Roel Van de Paar added a comment - - edited

            Also ran into this

            INSTALL PLUGIN Spider SONAME 'ha_spider.so';
            CREATE TABLE t (a INT,KEY(a)) ENGINE=Spider PARTITION BY KEY(a) PARTITIONS 4;
            ALTER TABLE t ADD PARTITION PARTITIONS 1;
            

            11.5.0 3f9182126c64bcec359bebe9ebad2a0e559b13e2 (Optimized, UBASAN)

            ==521557==ERROR: AddressSanitizer: heap-use-after-free on address 0x614000013ec8 at pc 0x15389de8e416 bp 0x15389f527770 sp 0x15389f527760
            READ of size 8 at 0x614000013ec8 thread T11
                #0 0x15389de8e415 in spider_db_free_result(ha_spider*, bool) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:2868
                #1 0x15389e04202c in ha_spider::close() /test/11.5_opt_san/storage/spider/ha_spider.cc:534
                #2 0x55b22ae0c020 in ha_partition::close() /test/11.5_opt_san/sql/ha_partition.cc:4235
                #3 0x55b228358135 in alter_close_table /test/11.5_opt_san/sql/sql_partition.cc:7108
                #4 0x55b2283acfbd in fast_alter_partition_table(THD*, TABLE*, Alter_info*, Alter_table_ctx*, HA_CREATE_INFO*, TABLE_LIST*) /test/11.5_opt_san/sql/sql_partition.cc:7856
                #5 0x55b2289cd4b0 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, TABLE_LIST*, Recreate_info*, Alter_info*, unsigned int, st_order*, bool, bool) /test/11.5_opt_san/sql/sql_table.cc:10814
                #6 0x55b228d09f73 in Sql_cmd_alter_table::execute(THD*) /test/11.5_opt_san/sql/sql_alter.cc:703
                #7 0x55b228314fdb in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:5802
                #8 0x55b228334aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
                #9 0x55b228342519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
                #10 0x55b22834cce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
                #11 0x55b228cde887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
                #12 0x55b228ce127c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
                #13 0x1538c0e8f189 in start_thread nptl/pthread_create.c:444
                #14 0x1538c0f1dbcf in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
             
            0x614000013ec8 is located 136 bytes inside of 416-byte region [0x614000013e40,0x614000013fe0)
            freed by thread T11 here:
                #0 0x55b227a34aa0 in __interceptor_free.part.0 (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7f71aa0)
                #1 0x15389e000010 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.5_opt_san/storage/spider/spd_malloc.cc:183
                #2 0x15389e0433ab in ha_spider::close() /test/11.5_opt_san/storage/spider/ha_spider.cc:543
                #3 0x55b22ae0be4b in ha_partition::close() /test/11.5_opt_san/sql/ha_partition.cc:4235
                #4 0x55b228358135 in alter_close_table /test/11.5_opt_san/sql/sql_partition.cc:7108
                #5 0x55b2283acfbd in fast_alter_partition_table(THD*, TABLE*, Alter_info*, Alter_table_ctx*, HA_CREATE_INFO*, TABLE_LIST*) /test/11.5_opt_san/sql/sql_partition.cc:7856
                #6 0x55b2289cd4b0 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, TABLE_LIST*, Recreate_info*, Alter_info*, unsigned int, st_order*, bool, bool) /test/11.5_opt_san/sql/sql_table.cc:10814
                #7 0x55b228d09f73 in Sql_cmd_alter_table::execute(THD*) /test/11.5_opt_san/sql/sql_alter.cc:703
                #8 0x55b228314fdb in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:5802
                #9 0x55b228334aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
                #10 0x55b228342519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
                #11 0x55b22834cce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
                #12 0x55b228cde887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
                #13 0x55b228ce127c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
                #14 0x1538c0e8f189 in start_thread nptl/pthread_create.c:444
             
            previously allocated by thread T11 here:
                #0 0x55b227a35f4f in malloc (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7f72f4f)
                #1 0x55b22c0be315 in my_malloc /test/11.5_opt_san/mysys/my_malloc.c:93
                #2 0x15389e000434 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.5_opt_san/storage/spider/spd_malloc.cc:231
                #3 0x15389e0ad78b in ha_spider::open(char const*, int, unsigned int) /test/11.5_opt_san/storage/spider/ha_spider.cc:268
                #4 0x55b2299a0236 in handler::ha_open(TABLE*, char const*, int, unsigned int, st_mem_root*, List<String>*) /test/11.5_opt_san/sql/handler.cc:3513
                #5 0x55b22ae27e88 in ha_partition::open_read_partitions(char*, unsigned long) /test/11.5_opt_san/sql/ha_partition.cc:8970
                #6 0x55b22ae2c1ac in ha_partition::open(char const*, int, unsigned int) /test/11.5_opt_san/sql/ha_partition.cc:3930
                #7 0x55b2299a0236 in handler::ha_open(TABLE*, char const*, int, unsigned int, st_mem_root*, List<String>*) /test/11.5_opt_san/sql/handler.cc:3513
                #8 0x55b228b4daa7 in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /test/11.5_opt_san/sql/table.cc:4580
                #9 0x55b227ee302d in open_table(THD*, TABLE_LIST*, Open_table_context*) /test/11.5_opt_san/sql/sql_base.cc:2232
                #10 0x55b227efa179 in open_and_process_table /test/11.5_opt_san/sql/sql_base.cc:4165
                #11 0x55b227efa179 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /test/11.5_opt_san/sql/sql_base.cc:4651
                #12 0x55b2289c7a3d in open_tables /test/11.5_opt_san/sql/sql_base.h:271
                #13 0x55b2289c7a3d in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, TABLE_LIST*, Recreate_info*, Alter_info*, unsigned int, st_order*, bool, bool) /test/11.5_opt_san/sql/sql_table.cc:10287
                #14 0x55b228d09f73 in Sql_cmd_alter_table::execute(THD*) /test/11.5_opt_san/sql/sql_alter.cc:703
                #15 0x55b228314fdb in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:5802
                #16 0x55b228334aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
                #17 0x55b228342519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
                #18 0x55b22834cce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
                #19 0x55b228cde887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
                #20 0x55b228ce127c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
                #21 0x1538c0e8f189 in start_thread nptl/pthread_create.c:444
             
            Thread T11 created by T0 here:
                #0 0x55b2279c15d5 in __interceptor_pthread_create (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efe5d5)
                #1 0x55b227a9559d in create_thread_to_handle_connection(CONNECT*) /test/11.5_opt_san/sql/mysqld.cc:6079
                #2 0x55b227aa88cb in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.5_opt_san/sql/mysqld.cc:6203
                #3 0x55b227aa996f in handle_connections_sockets() /test/11.5_opt_san/sql/mysqld.cc:6316
                #4 0x55b227aacb78 in mysqld_main(int, char**) /test/11.5_opt_san/sql/mysqld.cc:5974
                #5 0x1538c0e23a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
             
            SUMMARY: AddressSanitizer: heap-use-after-free /test/11.5_opt_san/storage/spider/spd_db_conn.cc:2868 in spider_db_free_result(ha_spider*, bool)
            Shadow bytes around the buggy address:
              0x0c287fffa780: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
              0x0c287fffa790: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c287fffa7a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c287fffa7b0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
              0x0c287fffa7c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
            =>0x0c287fffa7d0: fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd
              0x0c287fffa7e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c287fffa7f0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
              0x0c287fffa800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c287fffa810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c287fffa820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable:           00
              Partially addressable: 01 02 03 04 05 06 07 
              Heap left redzone:       fa
              Freed heap region:       fd
              Stack left redzone:      f1
              Stack mid redzone:       f2
              Stack right redzone:     f3
              Stack after return:      f5
              Stack use after scope:   f8
              Global redzone:          f9
              Global init order:       f6
              Poisoned by user:        f7
              Container overflow:      fc
              Array cookie:            ac
              Intra object redzone:    bb
              ASan internal:           fe
              Left alloca redzone:     ca
              Right alloca redzone:    cb
            ==521557==ABORTING
            240426 15:16:07 [ERROR] mysqld got signal 6 ;
            

            Note the slightly different stacks between opt/dbg:

            ASAN|heap-use-after-free|storage/spider/spd_db_conn.cc|spider_db_free_result|ha_spider::close|ha_partition::close|alter_close_table  ## opt
            ASAN|heap-use-after-free|storage/spider/spd_db_conn.cc|spider_db_free_result|ha_spider::close|handler::ha_close|ha_partition::close  ## dbg
            


            Roel Roel Van de Paar added a comment -

            ycp Hi! This seems to be a somewhat serious issue. There is a previous patch, can you review it please? It seems Nayuta never pushed it.
            ycp Yuchen Pei added a comment - - edited

            Roel: I think the patch looks ok, but I'd like holyfoot to take a look before I push it.

            Hi holyfoot, ptal thanks. Note that I added the original test and reformatted the changes to minimise the diff. As part of the fix I also backported MDEV-26858. This is because there's some dead code protected by #if defined(HS_HAS_SQLCOM) && defined(HAVE_HANDLERSOCKET), which contains thd. Since the code is dead/untested, it would make less sense to try to guess how to update it, than just backport MDEV-26858 that cleans it up. Also backported MDEV-28522 which is a followup to MDEV-26858.

            42865a199f0 upstream/bb-10.5-mdev-29027 MDEV-29027 ASAN errors in spider_db_free_result after partition DDL
            7f1f1350122 MDEV-28522 Delete constant SPIDER_SQL_TYPE_*_HS
            318708c6a71 MDEV-26858 Spider: Remove dead code related to HandlerSocket
            

            BTW holyfoot, when you review the patch could you also consider whether it is possible that current_thd returns NULL, something like MDEV-32822 which however does not have a test case yet.

            Update on 2024-05-09: minor correction of the commit message in the patch for review


            holyfoot Alexey Botchkov added a comment -

            ok to push.

            I think I'd prefer the THD to be sent as an argument to the spider_db_free_result instead.
            Though not strongly enough to protest.
            ycp Yuchen Pei added a comment -

            thanks for the review - pushed the following to 10.5

            25476ba1ae1 upstream/bb-10.5-mdev-29027 upstream/10.5 MDEV-29027 ASAN errors in spider_db_free_result after partition DDL
            6d0c9872d95 MDEV-28522 Delete constant SPIDER_SQL_TYPE_*_HS
            6c302207807 MDEV-26858 Spider: Remove dead code related to HandlerSocket
            


            People

              ycp Yuchen Pei
              elenst Elena Stepanova
