  1. MariaDB Server
  2. MDEV-29059

ASAN errors, ER_DUP_KEY, assertion failures upon REPLACE into spider table with underlying unique key

Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL)
    • 10.5, 10.6
    • None

    Description

      REPLACE doesn't seem to work correctly with Spider tables, with slight variations producing different errors on different versions.

      1. UNIQUE on underlying table, no key on Spider table

      --source plugin/spider/spider/include/init_spider.inc
       
      SET spider_same_server_link= on;
      eval create server s foreign data wrapper mysql options (host "127.0.0.1", database "test", user "root", port $MASTER_MYPORT);
       
      CREATE TABLE t (b INT, UNIQUE(b));
      CREATE TABLE t_spider (b INT) ENGINE=SPIDER COMMENT = "wrapper 'mysql', srv 's', table 't'";
      REPLACE INTO t_spider (b) VALUES (0),(0);
       
      # Cleanup
      DROP TABLE t_spider, t;
       
      --source plugin/spider/spider/include/deinit_spider.inc
      

      10.3 d6e80c21

      mysqltest: At line 8: query 'REPLACE INTO t_spider (b) VALUES (0),(0)' failed: 1022: Can't write; duplicate key in table 't_spider'
      

      which really shouldn't be happening, given that it's REPLACE.
      Not surprising however, as underneath it is converted into inserts:

                          25 Query    set session transaction isolation level repeatable read;set session autocommit = 1;set session sql_log_off = 0;start transaction
                          25 Query    insert into `test`.`t`(`b`)values(0)
                          25 Query    insert into `test`.`t`(`b`)values(0)
                          25 Query    rollback
      

      Reproducible on 10.3-10.10.

      2. UNIQUE on underlying table, key on Spider table

      CREATE TABLE t (b INT, UNIQUE(b));
      CREATE TABLE t_spider (b INT, KEY(b)) ENGINE=SPIDER COMMENT = "wrapper 'mysql', srv 's', table 't'";
      REPLACE INTO t_spider (b) VALUES (0),(0);
      

      10.3 d6e80c21

      ==1913971==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7f75f53465e0 at pc 0x561d660ac9ce bp 0x7f75f5346530 sp 0x7f75f5346528
      WRITE of size 1 at 0x7f75f53465e0 thread T5
          #0 0x561d660ac9cd in key_copy(unsigned char*, unsigned char const*, st_key*, unsigned int, bool) /data/src/10.3/sql/key.cc:129
          #1 0x561d65657423 in write_record(THD*, TABLE*, st_copy_info*) /data/src/10.3/sql/sql_insert.cc:1802
          #2 0x561d65674628 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.3/sql/sql_insert.cc:1077
          #3 0x561d6570c1ee in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4504
          #4 0x561d6571b5d7 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7870
          #5 0x561d65720119 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852
          #6 0x561d65725ebd in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398
          #7 0x561d65a43c36 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
          #8 0x561d65a4449a in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
          #9 0x561d66c8a1b4 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
          #10 0x7f75ffd6cea6 in start_thread nptl/pthread_create.c:477
          #11 0x7f75ffc9cdee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfddee)
       
      Address 0x7f75f53465e0 is located in stack of thread T5
      SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow /data/src/10.3/sql/key.cc:129 in key_copy(unsigned char*, unsigned char const*, st_key*, unsigned int, bool)
      Shadow bytes around the buggy address:
        0x0fef3ea60c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0fef3ea60c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0fef3ea60c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0fef3ea60c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0fef3ea60ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0fef3ea60cb0: 00 00 00 00 00 00 00 00 ca ca ca ca[cb]cb cb cb
        0x0fef3ea60cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0fef3ea60cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0fef3ea60ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0fef3ea60cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0fef3ea60d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      Thread T5 created by T0 here:
          #0 0x7f76005ba2a2 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:214
          #1 0x561d66c8e80a in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1919
          #2 0x561d654b2f3b in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1275
          #3 0x561d654b2f3b in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6668
          #4 0x561d654c324d in create_new_thread /data/src/10.3/sql/mysqld.cc:6738
          #5 0x561d654c324d in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6996
          #6 0x561d654c51f5 in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6290
          #7 0x7f75ffbc5d09 in __libc_start_main ../csu/libc-start.c:308
      

      Reproducible on 10.3-10.10.

      3. Extra column and more keys

      CREATE TABLE t (a INT NOT NULL AUTO_INCREMENT, b INT DEFAULT 0, UNIQUE(a), UNIQUE(b));
      CREATE TABLE t_spider (a INT NOT NULL AUTO_INCREMENT, b INT DEFAULT 0, KEY(a), KEY(b)) ENGINE=SPIDER COMMENT = "wrapper 'mysql', srv 's', table 't'";
      REPLACE INTO t_spider () VALUES (),();
      

      10.3 d6e80c21 debug

      mysqld: /data/src/10.3/sql/handler.cc:6462: int handler::ha_reset(): Assertion `bitmap_is_set_all(&table->s->all_set)' failed.
      220708  2:34:57 [ERROR] mysqld got signal 6 ;
       
      #7  0x00007fbb66686662 in __GI___assert_fail (assertion=0x55907aabe328 "bitmap_is_set_all(&table->s->all_set)", file=0x55907aabb5be "/data/src/10.3/sql/handler.cc", line=6462, function=0x55907aabe30b "int handler::ha_reset()") at assert.c:101
      No locals.
      #8  0x000055907a02ddf2 in handler::ha_reset (this=0x7fbb500ba598) at /data/src/10.3/sql/handler.cc:6462
              _db_stack_frame_ = {func = 0x55907a91d0ad "close_thread_table", file = 0x55907a91cc88 "/data/src/10.3/sql/sql_base.cc", level = 2147483655, line = -1, prev = 0x7fbb606acc80}
              __PRETTY_FUNCTION__ = "int handler::ha_reset()"
      #9  0x0000559079c5f495 in close_thread_table (thd=0x7fbb50000d90, table_ptr=0x7fbb50000e70) at /data/src/10.3/sql/sql_base.cc:922
              table = 0x7fbb500b9930
              _db_stack_frame_ = {func = 0x55907a91cfb6 "close_thread_tables", file = 0x55907a91cc88 "/data/src/10.3/sql/sql_base.cc", level = 2147483654, line = -1, prev = 0x7fbb606accf0}
              __PRETTY_FUNCTION__ = "void close_thread_table(THD*, TABLE**)"
      #10 0x0000559079c5f0ec in close_thread_tables (thd=0x7fbb50000d90) at /data/src/10.3/sql/sql_base.cc:871
              table = 0x0
              _db_stack_frame_ = {func = 0x55907a9332c8 "mysql_execute_command", file = 0x55907a9326a8 "/data/src/10.3/sql/sql_parse.cc", level = 2147483653, line = -1, prev = 0x7fbb606aced0}
              __PRETTY_FUNCTION__ = "void close_thread_tables(THD*)"
      #11 0x0000559079d03179 in mysql_execute_command (thd=0x7fbb50000d90) at /data/src/10.3/sql/sql_parse.cc:6160
              res = 0
              up_result = 0
              lex = 0x7fbb50004b80
              select_lex = 0x7fbb500053d8
              first_table = 0x7fbb50012bd8
              all_tables = 0x7fbb50012bd8
              unit = 0x7fbb50004c40
              have_table_map_for_update = false
              rpl_filter = 0x3887a8b51dc
              _db_stack_frame_ = {func = 0x55907a9345a0 "mysql_parse", file = 0x55907a9326a8 "/data/src/10.3/sql/sql_parse.cc", level = 2147483652, line = -1, prev = 0x7fbb606ad400}
              __PRETTY_FUNCTION__ = "int mysql_execute_command(THD*)"
              orig_binlog_format = BINLOG_FORMAT_MIXED
              orig_current_stmt_binlog_format = BINLOG_FORMAT_STMT
      #12 0x0000559079d08090 in mysql_parse (thd=0x7fbb50000d90, rawbuf=0x7fbb50012ad8 "REPLACE INTO t_spider () VALUES (),()", length=37, parser_state=0x7fbb606ad5b0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:7870
              found_semicolon = 0x0
              error = 32699
              lex = 0x7fbb50004b80
              err = false
              _db_stack_frame_ = {func = 0x55907a932b32 "dispatch_command", file = 0x55907a9326a8 "/data/src/10.3/sql/sql_parse.cc", level = 2147483651, line = -1, prev = 0x7fbb606ad590}
              __PRETTY_FUNCTION__ = "void mysql_parse(THD*, char*, uint, Parser_state*, bool, bool)"
      #13 0x0000559079cf48c5 in dispatch_command (command=COM_QUERY, thd=0x7fbb50000d90, packet=0x7fbb50008f31 "REPLACE INTO t_spider () VALUES (),()", packet_length=37, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1852
              packet_end = 0x7fbb50012afd ""
              parser_state = {m_lip = {lookahead_token = -1, lookahead_yylval = 0x0, m_thd = 0x7fbb50000d90, m_ptr = 0x7fbb50012afe "\004", m_tok_start = 0x7fbb50012afe "\004", m_tok_end = 0x7fbb50012afe "\004", m_end_of_query = 0x7fbb50012afd "", m_tok_start_prev = 0x7fbb50012afd "", m_buf = 0x7fbb50012ad8 "REPLACE INTO t_spider () VALUES (),()", m_buf_length = 37, m_echo = true, m_echo_saved = 12, m_cpp_buf = 0x7fbb50012b58 "REPLACE INTO t_spider () VALUES (),()", m_cpp_ptr = 0x7fbb50012b7d "", m_cpp_tok_start = 0x7fbb50012b7d "", m_cpp_tok_start_prev = 0x7fbb50012b7d "", m_cpp_tok_end = 0x7fbb50012b7d "", m_body_utf8 = 0x0, m_body_utf8_ptr = 0x100007a88f993 <error: Cannot access memory at address 0x100007a88f993>, m_cpp_utf8_processed_ptr = 0x0, next_state = MY_LEX_END, found_semicolon = 0x0, ignore_space = false, stmt_prepare_mode = false, multi_statements = true, yylineno = 1, m_digest = 0x0, in_comment = NO_COMMENT, in_comment_saved = PRESERVE_COMMENT, m_cpp_text_start = 0x7fbb50012b65 "t_spider () VALUES (),()", m_cpp_text_end = 0x7fbb50012b6d " () VALUES (),()", m_underscore_cs = 0x0}, m_yacc = {yacc_yyss = 0x0, yacc_yyvs = 0x0, m_set_signal_info = {m_item = {0x0 <repeats 12 times>}}, m_lock_type = TL_READ_DEFAULT, m_mdl_type = MDL_SHARED_READ}, m_digest_psi = 0x7fbb50004658}
              net = 0x7fbb50001098
              error = false
              do_end_of_statement = true
              _db_stack_frame_ = {func = 0x55907a9328bd "do_command", file = 0x55907a9326a8 "/data/src/10.3/sql/sql_parse.cc", level = 2147483650, line = -1, prev = 0x7fbb606addf0}
              drop_more_results = false
              __PRETTY_FUNCTION__ = "bool dispatch_command(enum_server_command, THD*, char*, uint, bool, bool)"
              res = <optimized out>
      #14 0x0000559079cf3283 in do_command (thd=0x7fbb50000d90) at /data/src/10.3/sql/sql_parse.cc:1398
              return_value = false
              packet = 0x7fbb50008f30 "\003REPLACE INTO t_spider () VALUES (),()"
              packet_length = 38
              net = 0x7fbb50001098
              command = COM_QUERY
              _db_stack_frame_ = {func = 0x55907acb47d0 "?func", file = 0x55907acb47d6 "?file", level = 2147483649, line = -1, prev = 0x0}
              __PRETTY_FUNCTION__ = "bool do_command(THD*)"
      #15 0x0000559079e70878 in do_handle_one_connection (connect=0x55907c29c170) at /data/src/10.3/sql/sql_connect.cc:1403
              create_user = true
              thr_create_utime = 3659009253887
              thd = 0x7fbb50000d90
      #16 0x0000559079e705e3 in handle_one_connection (arg=0x55907c29c170) at /data/src/10.3/sql/sql_connect.cc:1308
              connect = 0x55907c29c170
      #17 0x000055907a81fb62 in pfs_spawn_thread (arg=0x55907c39ca40) at /data/src/10.3/storage/perfschema/pfs.cc:1869
              typed_arg = 0x55907c39ca40
              user_arg = 0x55907c29c170
              user_start_routine = 0x559079e705b3 <handle_one_connection(void*)>
              pfs = 0x7fbb6497d6c0
              klass = 0x55907c08f280
      #18 0x00007fbb6681fea7 in start_thread (arg=<optimized out>) at pthread_create.c:477
              ret = <optimized out>
              pd = <optimized out>
              unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140442753230592, -3937929035520758171, 140721286345934, 140721286345935, 140442753228736, 311296, 3904456715782237797, 3904453081207451237}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
              not_first_call = 0
      #19 0x00007fbb6674fdef in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      Reproducible on 10.3-10.4.

        Activity

          elenst Elena Stepanova added a comment - edited

          Some more to the collection, I don't see a reason to file a new report at this point:

          --source plugin/spider/spider/include/init_spider.inc
           
          SET spider_same_server_link= on;
          eval CREATE SERVER s FOREIGN DATA WRAPPER mysql OPTIONS (USER 'root', HOST '127.0.0.1', DATABASE 'test', PORT $MASTER_MYPORT);
           
          CREATE TABLE t (a POINT UNIQUE);
          INSERT INTO t VALUES (POINT(0,0));
           
          CREATE TABLE t_spider (a POINT UNIQUE) ENGINE=SPIDER COMMENT = "wrapper 'mysql', srv 's', table 't'";
          REPLACE INTO t_spider SELECT * FROM t_spider;
           
          # Cleanup
           
          DROP TABLE t_spider, t;
          --source plugin/spider/spider/include/deinit_spider.inc
          

          10.4 9a897335

          ==1976405==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7f817d1537bc at pc 0x7f8187116983 bp 0x7f817d152880 sp 0x7f817d152030
          READ of size 8 at 0x7f817d1537bc thread T5
              #0 0x7f8187116982 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:806
              #1 0x7f817ce457c3 in Static_binary_string::q_append(char const*, unsigned long) /data/src/10.4/sql/sql_string.h:317
              #2 0x7f817ce457c3 in spider_string::q_append(char const*, unsigned int) /data/src/10.4/storage/spider/spd_malloc.cc:1131
              #3 0x7f817ceb04d0 in spider_db_mysql_util::append_column_value(ha_spider*, spider_string*, Field*, unsigned char const*, charset_info_st const*) /data/src/10.4/storage/spider/spd_db_mysql.cc:4353
              #4 0x7f817cd4f5b9 in spider_db_append_key_where_internal(spider_string*, spider_string*, spider_string*, st_key_range const*, st_key_range const*, ha_spider*, bool, unsigned long, unsigned int) /data/src/10.4/storage/spider/spd_db_conn.cc:1953
              #5 0x7f817cedf2d9 in spider_mbase_handler::append_key_where(spider_string*, spider_string*, spider_string*, st_key_range const*, st_key_range const*, unsigned long, bool) /data/src/10.4/storage/spider/spd_db_mysql.cc:10740
              #6 0x7f817cedf3ef in spider_mbase_handler::append_key_where_part(st_key_range const*, st_key_range const*, unsigned long) /data/src/10.4/storage/spider/spd_db_mysql.cc:10724
              #7 0x7f817ce76a1c in ha_spider::append_key_where_sql_part(st_key_range const*, st_key_range const*, unsigned long) /data/src/10.4/storage/spider/ha_spider.cc:15051
              #8 0x7f817cd52342 in spider_db_append_key_where(st_key_range const*, st_key_range const*, ha_spider*) /data/src/10.4/storage/spider/spd_db_conn.cc:2705
              #9 0x7f817ce794ec in ha_spider::index_read_map_internal(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /data/src/10.4/storage/spider/ha_spider.cc:2193
              #10 0x55739f15333f in handler::index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /data/src/10.4/sql/handler.cc:6134
              #11 0x55739f15e553 in handler::ha_index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /data/src/10.4/sql/handler.cc:2976
              #12 0x55739e9da1ba in write_record(THD*, TABLE*, st_copy_info*) /data/src/10.4/sql/sql_insert.cc:1832
              #13 0x55739e9dca6c in select_insert::send_data(List<Item>&) /data/src/10.4/sql/sql_insert.cc:3989
              #14 0x55739e9dca6c in select_insert::send_data(List<Item>&) /data/src/10.4/sql/sql_insert.cc:3953
              #15 0x55739ec6ad53 in Pushdown_query::execute(JOIN*) /data/src/10.4/sql/group_by_handler.cc:100
              #16 0x55739ec06f7d in do_select /data/src/10.4/sql/sql_select.cc:20081
              #17 0x55739ec06f7d in JOIN::exec_inner() /data/src/10.4/sql/sql_select.cc:4545
              #18 0x55739ec09d8e in JOIN::exec() /data/src/10.4/sql/sql_select.cc:4327
              #19 0x55739ec01964 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4766
              #20 0x55739ec044f8 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:436
              #21 0x55739eaab9d5 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4712
              #22 0x55739eab07be in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7995
              #23 0x55739eab778a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
              #24 0x55739eabc418 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378
              #25 0x55739ee0c278 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1420
              #26 0x55739ee0c73a in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
              #27 0x55739f97b5d4 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
              #28 0x7f8186c17ea6 in start_thread nptl/pthread_create.c:477
              #29 0x7f8186814dee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfddee)
           
          Address 0x7f817d1537bc is located in stack of thread T5 at offset 348 in frame
              #0 0x55739f15de9f in handler::ha_index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /data/src/10.4/sql/handler.cc:2970
           
            This frame has 2 object(s):
              [48, 96) 'state'
              [128, 192) 'state' (line 2976) <== Memory access at offset 348 overflows this variable
          HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
                (longjmp and C++ exceptions *are* supported)
          Thread T5 created by T0 here:
              #0 0x7f81871322a2 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:214
              #1 0x55739f97fc2a in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919
              #2 0x55739e82518b in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275
              #3 0x55739e82518b in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6282
              #4 0x55739e8313af in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6352
              #5 0x55739e8319ea in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6450
              #6 0x55739e832af9 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6608
              #7 0x55739e834562 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5940
              #8 0x7f818673dd09 in __libc_start_main ../csu/libc-start.c:308
           
          SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:806 in __interceptor_memcpy
          Shadow bytes around the buggy address:
            0x0ff0afa226a0: 00 00 f2 f2 f2 f2 00 00 00 00 00 00 f3 f3 f3 f3
            0x0ff0afa226b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            0x0ff0afa226c0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
            0x0ff0afa226d0: f1 f1 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 00
            0x0ff0afa226e0: 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00
          =>0x0ff0afa226f0: ca ca ca ca 00 00 00[04]cb cb cb cb 00 00 00 00
            0x0ff0afa22700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            0x0ff0afa22710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            0x0ff0afa22720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
            0x0ff0afa22730: f1 f1 01 f2 00 00 00 00 00 00 f3 f3 f3 f3 00 00
            0x0ff0afa22740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
          Shadow byte legend (one shadow byte represents 8 application bytes):
            Addressable:           00
            Partially addressable: 01 02 03 04 05 06 07 
            Heap left redzone:       fa
            Freed heap region:       fd
            Stack left redzone:      f1
            Stack mid redzone:       f2
            Stack right redzone:     f3
            Stack after return:      f5
            Stack use after scope:   f8
            Global redzone:          f9
            Global init order:       f6
            Poisoned by user:        f7
            Container overflow:      fc
            Array cookie:            ac
            Intra object redzone:    bb
            ASan internal:           fe
            Left alloca redzone:     ca
            Right alloca redzone:    cb
            Shadow gap:              cc
          ==1976405==ABORTING
          

          Same test case without ASAN:

          mysqltest: At line 10: query 'REPLACE INTO t_spider SELECT * FROM t_spider' failed: 1032: Can't find record in 't_spider'
          

          --source plugin/spider/spider/include/init_spider.inc
           
          SET spider_same_server_link= on;
          eval CREATE SERVER s FOREIGN DATA WRAPPER mysql OPTIONS (USER 'root', HOST '127.0.0.1', DATABASE 'test', PORT $MASTER_MYPORT);
           
          CREATE TABLE t (a INT, UNIQUE(a) USING HASH);
          INSERT INTO t VALUES (1);
           
          CREATE TABLE t_spider (a INT, UNIQUE(a) USING HASH) ENGINE=SPIDER COMMENT = "wrapper 'mysql', srv 's', table 't'";
          REPLACE INTO t_spider SELECT * FROM t_spider;
           
          # Cleanup
           
          DROP TABLE t_spider, t;
          --source plugin/spider/spider/include/deinit_spider.inc
          

          mysqltest: At line 10: query 'REPLACE INTO t_spider SELECT * FROM t_spider' failed: 1054: Unknown column 'DB_ROW_HASH_1' in 'field list'
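
Added example, not part of the original report or of MariaDB's code: a small triage helper run over excerpts of the two ASan reports above. It names the first frame below the sanitizer interceptors and checks that the bracketed shadow byte matches the reported address, assuming the default x86-64 Linux ASan shadow mapping (scale 3, offset 0x7fff8000); the function names are hypothetical.

```python
import re

# Excerpts of the two ASan reports quoted on this page (stacks trimmed).
REPORT_WRITE = """\
==1913971==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7f75f53465e0 at pc 0x561d660ac9ce bp 0x7f75f5346530 sp 0x7f75f5346528
WRITE of size 1 at 0x7f75f53465e0 thread T5
    #0 0x561d660ac9cd in key_copy(unsigned char*, unsigned char const*, st_key*, unsigned int, bool) /data/src/10.3/sql/key.cc:129
    #1 0x561d65657423 in write_record(THD*, TABLE*, st_copy_info*) /data/src/10.3/sql/sql_insert.cc:1802

Address 0x7f75f53465e0 is located in stack of thread T5
=>0x0fef3ea60cb0: 00 00 00 00 00 00 00 00 ca ca ca ca[cb]cb cb cb
"""

REPORT_READ = """\
==1976405==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7f817d1537bc at pc 0x7f8187116983 bp 0x7f817d152880 sp 0x7f817d152030
READ of size 8 at 0x7f817d1537bc thread T5
    #0 0x7f8187116982 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:806
    #1 0x7f817ce457c3 in Static_binary_string::q_append(char const*, unsigned long) /data/src/10.4/sql/sql_string.h:317
    #2 0x7f817ce457c3 in spider_string::q_append(char const*, unsigned int) /data/src/10.4/storage/spider/spd_malloc.cc:1131

=>0x0ff0afa226f0: ca ca ca ca 00 00 00[04]cb cb cb cb 00 00 00 00
"""

SHADOW_SCALE = 3            # one shadow byte describes 8 application bytes
SHADOW_OFFSET = 0x7FFF8000  # assumption: ASan default for x86-64 Linux

# Subset of the legend printed in the reports.
LEGEND = {
    "fa": "heap left redzone", "fd": "freed heap region",
    "f1": "stack left redzone", "f2": "stack mid redzone",
    "f3": "stack right redzone", "f5": "stack after return",
    "f8": "stack use after scope",
    "ca": "left alloca redzone", "cb": "right alloca redzone",
}

HEAD = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^\s*(READ|WRITE) of size (\d+) at", re.M)
FRAME = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(.+)\s+(\S+)\s*$")
SHADOW = re.compile(r"^\s*=>(0x[0-9a-f]+):(.*)$", re.M)


def faulting_frames(report):
    """Frames of the first stack only: the access, not the thread creation."""
    frames, started = [], False
    for line in report.splitlines():
        m = FRAME.match(line)
        if m:
            started = True
            frames.append((m.group(1).split("(")[0], m.group(2)))
        elif started:
            break
    return frames


def first_project_frame(frames):
    """Skip sanitizer interceptors so the result names the caller's code."""
    for func, loc in frames:
        if not func.startswith("__interceptor_") and "libsanitizer" not in loc:
            return func, loc
    return None


def describe_shadow(value, offset_in_granule):
    """Explain a shadow byte for an access starting at this offset (0..7)."""
    if value in LEGEND:
        return LEGEND[value]
    k = int(value, 16)
    if k == 0:
        return "addressable"
    if 1 <= k <= 7:
        where = "inside" if offset_in_granule < k else "past"
        return f"partially addressable: first {k} of 8 bytes valid, access starts {where} them"
    return "unknown"


def triage(report):
    head, access, shadow = HEAD.search(report), ACCESS.search(report), SHADOW.search(report)
    if not (head and access and shadow and "[" in shadow.group(2)):
        raise ValueError("not a complete ASan report excerpt")
    addr = int(head.group(2), 16)
    cells = shadow.group(2)
    # Position of the bracketed byte within the highlighted shadow row.
    index = len(re.findall(r"[0-9a-f]{2}", cells[:cells.index("[")]))
    value = cells[cells.index("[") + 1:cells.index("]")]
    marked = int(shadow.group(1), 16) + index
    expected = (addr >> SHADOW_SCALE) + SHADOW_OFFSET
    return {
        "kind": head.group(1),
        "access": access.group(1),
        "size": int(access.group(2)),
        "frame": first_project_frame(faulting_frames(report)),
        "shadow_value": value,
        "shadow_state": describe_shadow(value, addr & 7),
        "shadow_consistent": marked == expected,
    }


if __name__ == "__main__":
    for name, rep in (("description, case 2", REPORT_WRITE), ("comment", REPORT_READ)):
        print(name, triage(rep))
```
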
          


          People

            ycp Yuchen Pei
            elenst Elena Stepanova