Details
-
Bug
-
Status: Confirmed
-
Major
-
Resolution: Unresolved
-
10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 10.11
Description
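# mysqltest reproducer: FLUSH TABLES on one connection while a second
# connection still has an open transaction on a FederatedX table.
# The stray "|" table-cell residue from the page extraction has been removed;
# with it in place the statements do not parse.

INSTALL SONAME 'ha_federatedx';
# "eval" makes mysqltest expand $MASTER_MYPORT before the statement is sent.
eval CREATE SERVER fedlink FOREIGN DATA WRAPPER mysql OPTIONS (USER 'root', HOST '127.0.0.1', DATABASE 'test', PORT $MASTER_MYPORT);
CREATE TABLE t (a INT);
CREATE TABLE t_fed ENGINE=FEDERATED CONNECTION='fedlink/t';

# con1 opens t_fed inside a transaction. Per the ASAN report, this is where
# the server structure is allocated (mysql_insert -> ha_federatedx::open ->
# get_share -> get_server). The transaction is deliberately left open.
--connect (con1,localhost,root,,test)
START TRANSACTION;
INSERT INTO t_fed VALUES (1);

# The default connection closes the cached table while con1's transaction is
# still pending. Debug builds stop here on the assertion
# `server->io_count == 0' in free_server(); non-debug builds go on to free the
# server's memory root.
# FLUSH TABLES needs the RELOAD privilege, so exposure depends on which
# accounts hold it.
--connection default
FLUSH TABLES;

# Cleanup
# On a non-debug ASAN build the failure is reported here: COMMIT reaches
# federatedx_txn::txn_commit(), which reads the memory freed by FLUSH TABLES.
--connection con1
COMMIT;
--disconnect con1

--connection default
DROP TABLE t_fed, t;
UNINSTALL SONAME 'ha_federatedx';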
10.3 25219920 debug
mysqld: /data/src/10.3/storage/federatedx/ha_federatedx.cc:1679: int free_server(federatedx_txn*, FEDERATEDX_SERVER*): Assertion `server->io_count == 0' failed.
|
220730 15:51:00 [ERROR] mysqld got signal 6 ;
|
|
#7 0x00007fabae0e4662 in __GI___assert_fail (assertion=0x7faba80b8cb0 "server->io_count == 0", file=0x7faba80b8520 "/data/src/10.3/storage/federatedx/ha_federatedx.cc", line=1679, function=0x7faba80b8cc8 "int free_server(federatedx_txn*, FEDERATEDX_SERVER*)") at assert.c:101
|
#8 0x00007faba80ab1c5 in free_server (txn=0x7faba80c1380 <zero_txn>, server=0x7fab8c02a2d0) at /data/src/10.3/storage/federatedx/ha_federatedx.cc:1679
|
#9 0x00007faba80ab3f5 in free_share (txn=0x7faba80c1380 <zero_txn>, share=0x7fab8c029fc8) at /data/src/10.3/storage/federatedx/ha_federatedx.cc:1716
|
#10 0x00007faba80aba28 in ha_federatedx::close (this=0x7fab8c027528) at /data/src/10.3/storage/federatedx/ha_federatedx.cc:1846
|
#11 0x000055e22805b324 in handler::ha_close (this=0x7fab8c027528) at /data/src/10.3/sql/handler.cc:2844
|
#12 0x000055e227e57823 in closefrm (table=0x7fab8c00bb70) at /data/src/10.3/sql/table.cc:3790
|
#13 0x000055e227f7a5fa in intern_close_table (table=0x7fab8c00bb70) at /data/src/10.3/sql/table_cache.cc:222
|
#14 0x000055e227f7aa68 in tc_purge (mark_flushed=true) at /data/src/10.3/sql/table_cache.cc:335
|
#15 0x000055e227c95f52 in close_cached_tables (thd=0x7fab98000d90, tables=0x0, wait_for_refresh=true, timeout=86400) at /data/src/10.3/sql/sql_base.cc:377
|
#16 0x000055e227ee2e60 in reload_acl_and_cache (thd=0x7fab98000d90, options=4, tables=0x0, write_to_binlog=0x7faba810afb0) at /data/src/10.3/sql/sql_reload.cc:337
|
#17 0x000055e227d384a9 in mysql_execute_command (thd=0x7fab98000d90) at /data/src/10.3/sql/sql_parse.cc:5418
|
#18 0x000055e227d401d6 in mysql_parse (thd=0x7fab98000d90, rawbuf=0x7fab98012ad8 "FLUSH TABLES", length=12, parser_state=0x7faba810b5b0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:7871
|
#19 0x000055e227d2ca0b in dispatch_command (command=COM_QUERY, thd=0x7fab98000d90, packet=0x7fab98008f31 "FLUSH TABLES", packet_length=12, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1852
|
#20 0x000055e227d2b3c9 in do_command (thd=0x7fab98000d90) at /data/src/10.3/sql/sql_parse.cc:1398
|
#21 0x000055e227ea8a14 in do_handle_one_connection (connect=0x55e22acc5170) at /data/src/10.3/sql/sql_connect.cc:1403
|
#22 0x000055e227ea877f in handle_one_connection (arg=0x55e22acc5170) at /data/src/10.3/sql/sql_connect.cc:1308
|
#23 0x000055e228858e1e in pfs_spawn_thread (arg=0x55e22adc5a40) at /data/src/10.3/storage/perfschema/pfs.cc:1869
|
#24 0x00007fabae27dea7 in start_thread (arg=<optimized out>) at pthread_create.c:477
|
#25 0x00007fabae1addef in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
|
10.3 25219920 non-debug ASAN
==1733654==ERROR: AddressSanitizer: heap-use-after-free on address 0x621000070a68 at pc 0x7fd1396bbad4 bp 0x7fd13968e7c0 sp 0x7fd13968e7b8
|
READ of size 1 at 0x621000070a68 thread T6
|
#0 0x7fd1396bbad3 in federatedx_txn::txn_commit() /data/src/10.3/storage/federatedx/federatedx_txn.cc:238
|
#1 0x7fd1396bbad3 in federatedx_txn::txn_commit() /data/src/10.3/storage/federatedx/federatedx_txn.cc:224
|
#2 0x55aa9f30491e in commit_one_phase_2 /data/src/10.3/sql/handler.cc:1658
|
#3 0x55aa9f308e1a in ha_commit_trans(THD*, bool) /data/src/10.3/sql/handler.cc:1500
|
#4 0x55aa9f01efca in trans_commit(THD*) /data/src/10.3/sql/transaction.cc:293
|
#5 0x55aa9ecc01aa in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:5577
|
#6 0x55aa9eccab37 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7871
|
#7 0x55aa9eccf679 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852
|
#8 0x55aa9ecd541d in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398
|
#9 0x55aa9eff3506 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
|
#10 0x55aa9eff3d6a in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
|
#11 0x55aaa023a7a4 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
|
#12 0x7fd1442b3ea6 in start_thread nptl/pthread_create.c:477
|
#13 0x7fd1441e3dee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfddee)
|
|
0x621000070a68 is located 360 bytes inside of 4128-byte region [0x621000070900,0x621000071920)
|
freed by thread T5 here:
|
#0 0x7fd144b55b6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123
|
#1 0x55aaa02f882d in free_root /data/src/10.3/mysys/my_alloc.c:430
|
#2 0x7fd1396a45fe in free_server /data/src/10.3/storage/federatedx/ha_federatedx.cc:1683
|
#3 0x7fd1396a4af3 in free_share /data/src/10.3/storage/federatedx/ha_federatedx.cc:1716
|
#4 0x7fd1396b0977 in ha_federatedx::close() /data/src/10.3/storage/federatedx/ha_federatedx.cc:1846
|
#5 0x55aa9ef418c0 in closefrm(TABLE*) /data/src/10.3/sql/table.cc:3790
|
#6 0x55aa9f1b7697 in intern_close_table /data/src/10.3/sql/table_cache.cc:222
|
#7 0x55aa9f1b7697 in tc_purge(bool) /data/src/10.3/sql/table_cache.cc:335
|
#8 0x55aa9eb74dee in close_cached_tables(THD*, TABLE_LIST*, bool, unsigned long) /data/src/10.3/sql/sql_base.cc:377
|
#9 0x55aa9f049958 in reload_acl_and_cache(THD*, unsigned long long, TABLE_LIST*, int*) /data/src/10.3/sql/sql_reload.cc:337
|
#10 0x55aa9ecbbc78 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:5418
|
#11 0x55aa9eccab37 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7871
|
#12 0x55aa9eccf679 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852
|
#13 0x55aa9ecd541d in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398
|
#14 0x55aa9eff3506 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
|
#15 0x55aa9eff3d6a in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
|
#16 0x55aaa023a7a4 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
|
#17 0x7fd1442b3ea6 in start_thread nptl/pthread_create.c:477
|
|
previously allocated by thread T6 here:
|
#0 0x7fd144b55e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
|
#1 0x55aaa030bb12 in my_malloc /data/src/10.3/mysys/my_malloc.c:101
|
#2 0x55aaa02f78ba in init_alloc_root /data/src/10.3/mysys/my_alloc.c:82
|
#3 0x7fd1396a8458 in get_server /data/src/10.3/storage/federatedx/ha_federatedx.cc:1532
|
#4 0x7fd1396ab7a9 in get_share /data/src/10.3/storage/federatedx/ha_federatedx.cc:1637
|
#5 0x7fd1396aeeaf in ha_federatedx::open(char const*, int, unsigned int) /data/src/10.3/storage/federatedx/ha_federatedx.cc:1772
|
#6 0x55aa9f30d35f in handler::ha_open(TABLE*, char const*, int, unsigned int, st_mem_root*, List<String>*) /data/src/10.3/sql/handler.cc:2778
|
#7 0x55aa9ef64844 in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /data/src/10.3/sql/table.cc:3690
|
#8 0x55aa9eb72e7f in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.3/sql/sql_base.cc:2004
|
#9 0x55aa9eb7bfa9 in open_and_process_table /data/src/10.3/sql/sql_base.cc:3731
|
#10 0x55aa9eb7bfa9 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:4206
|
#11 0x55aa9eb7dc8e in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:5146
|
#12 0x55aa9ec21a42 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.3/sql/sql_base.h:503
|
#13 0x55aa9ec21a42 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.3/sql/sql_insert.cc:760
|
#14 0x55aa9ecbb72e in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4505
|
#15 0x55aa9eccab37 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7871
|
#16 0x55aa9eccf679 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852
|
#17 0x55aa9ecd541d in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398
|
#18 0x55aa9eff3506 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
|
#19 0x55aa9eff3d6a in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
|
#20 0x55aaa023a7a4 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
|
#21 0x7fd1442b3ea6 in start_thread nptl/pthread_create.c:477
|
|
Thread T6 created by T0 here:
|
#0 0x7fd144b012a2 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:214
|
#1 0x55aaa023edfa in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1919
|
#2 0x55aa9ea61f1b in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1275
|
#3 0x55aa9ea61f1b in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6668
|
#4 0x55aa9ea7222d in create_new_thread /data/src/10.3/sql/mysqld.cc:6738
|
#5 0x55aa9ea7222d in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6996
|
#6 0x55aa9ea741d5 in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6290
|
#7 0x7fd14410cd09 in __libc_start_main ../csu/libc-start.c:308
|
|
Thread T5 created by T0 here:
|
#0 0x7fd144b012a2 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:214
|
#1 0x55aaa023edfa in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1919
|
#2 0x55aa9ea61f1b in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1275
|
#3 0x55aa9ea61f1b in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6668
|
#4 0x55aa9ea7222d in create_new_thread /data/src/10.3/sql/mysqld.cc:6738
|
#5 0x55aa9ea7222d in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6996
|
#6 0x55aa9ea741d5 in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6290
|
#7 0x7fd14410cd09 in __libc_start_main ../csu/libc-start.c:308
|
|
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.3/storage/federatedx/federatedx_txn.cc:238 in federatedx_txn::txn_commit()
|
Shadow bytes around the buggy address:
|
0x0c42800060f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c4280006100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c4280006110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c4280006120: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c4280006130: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
=>0x0c4280006140: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
|
0x0c4280006150: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c4280006160: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c4280006170: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c4280006180: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c4280006190: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==1733654==ABORTING
|
Or, with ROLLBACK instead of COMMIT, the ASAN report shows the read in federatedx_txn::txn_rollback():
READ of size 8 at 0x621000070a40 thread T6
|
#0 0x7f5f6821acb8 in federatedx_txn::txn_rollback() /data/src/10.3/storage/federatedx/federatedx_txn.cc:270
|
#1 0x7f5f6821acb8 in federatedx_txn::txn_rollback() /data/src/10.3/storage/federatedx/federatedx_txn.cc:258
|
#2 0x55c03ff4b002 in ha_rollback_trans(THD*, bool) /data/src/10.3/sql/handler.cc:1765
|
#3 0x55c03fc62704 in trans_rollback(THD*) /data/src/10.3/sql/transaction.cc:409
|
#4 0x55c03fc62704 in trans_rollback(THD*) /data/src/10.3/sql/transaction.cc:393
|
#5 0x55c03f901d2c in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:5628
|
#6 0x55c03f90db37 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7871
|
#7 0x55c03f912679 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852
|
#8 0x55c03f91841d in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398
|
#9 0x55c03fc36506 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
|
#10 0x55c03fc36d6a in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
|
#11 0x55c040e7d7a4 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
|
#12 0x7f5f72e16ea6 in start_thread nptl/pthread_create.c:477
|
#13 0x7f5f72d46dee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfddee)
|
A non-ASAN, non-debug build throws "Memory not freed" warnings.
The failure is not limited to having the federated table and the underlying table on the same server; it also happens with separate local and remote servers.
Issue Links
- relates to
  - MDEV-30083 SIGSEGV's in federatedx_txn::sp_acquire, federatedx_txn::acquire and federatedx_txn::txn_rollback on SAVEPOINT (Open)
  - MDEV-35064 Thread hang in 'Update' state on 2nd INSERT (Closed)
  - MDEV-30410 SIGSEGV in ___pthread_mutex_lock from federatedx_txn::release_scan, ASAN heap-use-after-free in federatedx_txn::acquire (Open)