MariaDB Server: MDEV-29317

Assertion `sp && savepoint_next && *sp && *sp <= savepoint_level' failed in federatedx_txn::sp_release, and ASAN: use-after-poison in federatedx_txn::sp_release

Details

    Description

      INSTALL SONAME 'ha_federatedx';
      eval CREATE SERVER fedlink FOREIGN DATA WRAPPER mysql OPTIONS (USER 'root', HOST '127.0.0.1', DATABASE 'test', PORT $MASTER_MYPORT);
       
      CREATE TABLE t (id INT);
      CREATE TABLE fed_t ENGINE=FEDERATED CONNECTION='fedlink/t';
      INSERT INTO fed_t VALUES (1);
      START TRANSACTION;
      SELECT * FROM fed_t;
      SAVEPOINT sp;
      SAVEPOINT sp;
       
      # Cleanup
      DROP TABLE fed_t, t;
      

      10.3 8c21dc52

      mysqld: /data/src/10.3/storage/federatedx/federatedx_txn.cc:336: int federatedx_txn::sp_release(ulong*): Assertion `sp && savepoint_next && *sp && *sp <= savepoint_level' failed.
      220816 19:45:57 [ERROR] mysqld got signal 6 ;
       
      #7  0x00007f9562db6662 in __GI___assert_fail (assertion=0x7f955cd8bc48 "sp && savepoint_next && *sp && *sp <= savepoint_level", file=0x7f955cd8b888 "/data/src/10.3/storage/federatedx/federatedx_txn.cc", line=336, function=0x7f955cd8bcc8 "int federatedx_txn::sp_release(ulong*)") at assert.c:101
      #8  0x00007f955cd87029 in federatedx_txn::sp_release (this=0x7f954c146cf0, sp=0x7f954c018be0) at /data/src/10.3/storage/federatedx/federatedx_txn.cc:336
      #9  0x00007f955cd830be in ha_federatedx::savepoint_release (hton=0x7f954c006ff0, thd=0x7f954c000d90, sv=0x7f954c018be0) at /data/src/10.3/storage/federatedx/ha_federatedx.cc:3559
      #10 0x0000560e5b78131f in ha_release_savepoint (thd=0x7f954c000d90, sv=0x7f954c018b78) at /data/src/10.3/sql/handler.cc:2466
      #11 0x0000560e5b5e5b96 in trans_savepoint (thd=0x7f954c000d90, name=...) at /data/src/10.3/sql/transaction.cc:631
      #12 0x0000560e5b4603e9 in mysql_execute_command (thd=0x7f954c000d90) at /data/src/10.3/sql/sql_parse.cc:5675
      #13 0x0000560e5b4671ea in mysql_parse (thd=0x7f954c000d90, rawbuf=0x7f954c012ad8 "SAVEPOINT sp", length=12, parser_state=0x7f955cddd5b0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:7871
      #14 0x0000560e5b453a1f in dispatch_command (command=COM_QUERY, thd=0x7f954c000d90, packet=0x7f954c008f31 "SAVEPOINT sp", packet_length=12, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1852
      #15 0x0000560e5b4523dd in do_command (thd=0x7f954c000d90) at /data/src/10.3/sql/sql_parse.cc:1398
      #16 0x0000560e5b5cfe30 in do_handle_one_connection (connect=0x560e5e505170) at /data/src/10.3/sql/sql_connect.cc:1403
      #17 0x0000560e5b5cfb9b in handle_one_connection (arg=0x560e5e505170) at /data/src/10.3/sql/sql_connect.cc:1308
      #18 0x0000560e5bf80346 in pfs_spawn_thread (arg=0x560e5e605a40) at /data/src/10.3/storage/perfschema/pfs.cc:1869
      #19 0x00007f9562f4fea7 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #20 0x00007f9562e7fdef in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      Likely related to MDEV-29178.

          Activity

            Roel Van de Paar added a comment (edited)

            Ran into the same

            INSTALL SONAME 'ha_federatedx.so';
            eval CREATE SERVER srv FOREIGN DATA WRAPPER mysql OPTIONS (USER 'root', HOST '127.0.0.1', DATABASE 'test', PORT $MASTER_MYPORT);
            CREATE TABLE t1 (c INT);
            CREATE TABLE t2 CONNECTION='srv/t1' ENGINE=FEDERATED;
            XA START 'a';
            --error ER_WRONG_VALUE_COUNT_ON_ROW
            INSERT INTO t2 VALUES (0,1);
            SAVEPOINT sv;
            SAVEPOINT sv;
            

            Leads to:

            CS 10.5.27 b138f428ea2d3496a3a5a2212c424f8218547ef1 (Debug)

            mariadbd: /test/10.5_dbg/storage/federatedx/federatedx_txn.cc:347: int federatedx_txn::sp_release(ulong*): Assertion `sp && savepoint_next && *sp && *sp <= savepoint_level' failed.
            

            CS 10.5.27 b138f428ea2d3496a3a5a2212c424f8218547ef1 (Debug)

            Core was generated by `/test/MD141024-mariadb-10.5.27-linux-x86_64-dbg/bin/mariadbd --no-defaults --ma'.
            Program terminated with signal SIGABRT, Aborted.
            Download failed: Invalid argument.  Continuing without source file ./nptl/./nptl/pthread_kill.c.
            #0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44
             
            [Current thread is 1 (LWP 2056705)]
            (gdb) bt
            #0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44
            #1  __pthread_kill_internal (signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:78
            #2  __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6)at ./nptl/pthread_kill.c:89
            #3  0x00001524aa64526e in __GI_raise (sig=sig@entry=6)at ../sysdeps/posix/raise.c:26
            #4  0x00001524aa6288ff in __GI_abort () at ./stdlib/abort.c:79
            #5  0x00001524aa62881b in __assert_fail_base (fmt=0x1524aa7d01e8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x1524a81c7230 "sp && savepoint_next && *sp && *sp <= savepoint_level", file=file@entry=0x1524a81c7058 "/test/10.5_dbg/storage/federatedx/federatedx_txn.cc", line=line@entry=347, function=function@entry=0x1524a81c7268 "int federatedx_txn::sp_release(ulong*)") at ./assert/assert.c:94
            #6  0x00001524aa63b507 in __assert_fail (assertion=0x1524a81c7230 "sp && savepoint_next && *sp && *sp <= savepoint_level", file=0x1524a81c7058 "/test/10.5_dbg/storage/federatedx/federatedx_txn.cc", line=347, function=0x1524a81c7268 "int federatedx_txn::sp_release(ulong*)")at ./assert/assert.c:103
            #7  0x00001524a81bdac6 in federatedx_txn::sp_release (this=0x15243c007de0, sp=sp@entry=0x15243c018f80)at /test/10.5_dbg/storage/federatedx/federatedx_txn.cc:347
            #8  0x00001524a81b3b51 in ha_federatedx::savepoint_release (hton=<optimized out>, thd=<optimized out>, sv=0x15243c018f80)at /test/10.5_dbg/storage/federatedx/ha_federatedx.cc:3577
            #9  0x00005634a1c21a73 in ha_release_savepoint (thd=thd@entry=0x15243c000d58, sv=sv@entry=0x15243c018ef0) at /test/10.5_dbg/sql/handler.cc:2730
            #10 0x00005634a1aca803 in trans_savepoint (thd=thd@entry=0x15243c000d58, name=<optimized out>) at /test/10.5_dbg/sql/transaction.cc:599
            #11 0x00005634a1974625 in mysql_execute_command (thd=thd@entry=0x15243c000d58)at /test/10.5_dbg/sql/sql_parse.cc:5882
            #12 0x00005634a1977183 in mysql_parse (thd=thd@entry=0x15243c000d58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1524a82182b0, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false)at /test/10.5_dbg/sql/sql_parse.cc:8236
            #13 0x00005634a197984f in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x15243c000d58, packet=packet@entry=0x15243c00ab09 "SAVEPOINT sv", packet_length=packet_length@entry=12, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false)at /test/10.5_dbg/sql/sql_class.h:238
            #14 0x00005634a197bf56 in do_command (thd=0x15243c000d58)at /test/10.5_dbg/sql/sql_parse.cc:1376
            #15 0x00005634a1ab59fd in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5634a5049408, put_in_cache=put_in_cache@entry=true)at /test/10.5_dbg/sql/sql_connect.cc:1417
            #16 0x00005634a1ab5d35 in handle_one_connection (arg=arg@entry=0x5634a5049408)at /test/10.5_dbg/sql/sql_connect.cc:1319
            #17 0x00005634a1ef8fb8 in pfs_spawn_thread (arg=0x5634a503d778)at /test/10.5_dbg/storage/perfschema/pfs.cc:2201
            #18 0x00001524aa69ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
            #19 0x00001524aa729c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
            

            CS 11.2.6 12a91b57e27b979819924cf89614e6e51f24b37b (Debug)

            mariadbd: /test/11.2_dbg/storage/federatedx/federatedx_txn.cc:347: int federatedx_txn::sp_release(ulong*): Assertion `sp && savepoint_next && *sp && *sp <= savepoint_level' failed.
            

            CS 11.2.6 12a91b57e27b979819924cf89614e6e51f24b37b (Debug)

            Core was generated by `/test/MD141024-mariadb-11.2.6-linux-x86_64-dbg/bin/mariadbd --defaults-group-su'.
            Program terminated with signal SIGABRT, Aborted.
            Download failed: Invalid argument.  Continuing without source file ./nptl/./nptl/pthread_kill.c.
            #0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44
             
            [Current thread is 1 (LWP 1993422)]
            (gdb) bt
            #0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44
            #1  __pthread_kill_internal (signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:78
            #2  __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6)at ./nptl/pthread_kill.c:89
            #3  0x000014f23e44526e in __GI_raise (sig=sig@entry=6)at ../sysdeps/posix/raise.c:26
            #4  0x000014f23e4288ff in __GI_abort () at ./stdlib/abort.c:79
            #5  0x000014f23e42881b in __assert_fail_base (fmt=0x14f23e5d01e8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x14f239916428 "sp && savepoint_next && *sp && *sp <= savepoint_level", file=file@entry=0x14f239916250 "/test/11.2_dbg/storage/federatedx/federatedx_txn.cc", line=line@entry=347, function=function@entry=0x14f239916460 "int federatedx_txn::sp_release(ulong*)") at ./assert/assert.c:94
            #6  0x000014f23e43b507 in __assert_fail (assertion=0x14f239916428 "sp && savepoint_next && *sp && *sp <= savepoint_level", file=0x14f239916250 "/test/11.2_dbg/storage/federatedx/federatedx_txn.cc", line=347, function=0x14f239916460 "int federatedx_txn::sp_release(ulong*)")at ./assert/assert.c:103
            #7  0x000014f23990ce06 in federatedx_txn::sp_release (this=0x14f21c1803d0, sp=sp@entry=0x14f21c0189d8)at /test/11.2_dbg/storage/federatedx/federatedx_txn.cc:347
            #8  0x000014f2399038e9 in ha_federatedx::savepoint_release (hton=<optimized out>, thd=<optimized out>, sv=0x14f21c0189d8)at /test/11.2_dbg/storage/federatedx/ha_federatedx.cc:3596
            #9  0x00005599c70ca4be in ha_release_savepoint (thd=thd@entry=0x14f21c000d58, sv=sv@entry=0x14f21c018970) at /test/11.2_dbg/sql/handler.cc:3116
            #10 0x00005599c6f4441b in savepoint_add (thd=thd@entry=0x14f21c000d58, name=<optimized out>, list=<optimized out>, release_old=0x5599c70ca3af <ha_release_savepoint(THD*, st_savepoint*)>)at /test/11.2_dbg/sql/transaction.cc:624
            #11 0x00005599c6f44532 in trans_savepoint (thd=thd@entry=0x14f21c000d58, name={str = 0x14f21c0149c8 "sv", length = 2})at /test/11.2_dbg/sql/transaction.cc:663
            #12 0x00005599c6db9c68 in mysql_execute_command (thd=thd@entry=0x14f21c000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false)at /test/11.2_dbg/sql/sql_parse.cc:5600
            #13 0x00005599c6dbc2ce in mysql_parse (thd=thd@entry=0x14f21c000d58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14f2399682a0)at /test/11.2_dbg/sql/sql_parse.cc:7938
            #14 0x00005599c6dbe786 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14f21c000d58, packet=packet@entry=0x14f21c116159 "SAVEPOINT sv", packet_length=packet_length@entry=12, blocking=blocking@entry=true)at /test/11.2_dbg/sql/sql_class.h:248
            #15 0x00005599c6dc09c2 in do_command (thd=0x14f21c000d58, blocking=blocking@entry=true) at /test/11.2_dbg/sql/sql_parse.cc:1407
            #16 0x00005599c6f2dfe7 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5599cb1487e8, put_in_cache=put_in_cache@entry=true)at /test/11.2_dbg/sql/sql_connect.cc:1439
            #17 0x00005599c6f2e2ef in handle_one_connection (arg=arg@entry=0x5599cb1487e8)at /test/11.2_dbg/sql/sql_connect.cc:1341
            #18 0x00005599c7375f14 in pfs_spawn_thread (arg=0x5599cb0d1d38)at /test/11.2_dbg/storage/perfschema/pfs.cc:2201
            #19 0x000014f23e49ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
            #20 0x000014f23e529c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
            

            And ASAN sees a use-after-poison in federatedx_txn::sp_release from ha_release_savepoint:

            CS 11.7.0 35cebfdc513f92b143b1a7229c480f4f684f1698 (Optimized, UBASAN)

            ==2062974==ERROR: AddressSanitizer: use-after-poison on address 0x5250000961c8 at pc 0x1514b2976e4d bp 0x1514a38fd3f0 sp 0x1514a38fd3e0
            WRITE of size 8 at 0x5250000961c8 thread T12
                #0 0x1514b2976e4c in federatedx_txn::sp_release(unsigned long*) /test/11.7_opt_san/storage/federatedx/federatedx_txn.cc:359
                #1 0x558353a5cda2 in ha_release_savepoint(THD*, st_savepoint*) /test/11.7_opt_san/sql/handler.cc:3147
                #2 0x558352d474cb in savepoint_add(THD*, Lex_ident_savepoint, st_savepoint**, int (*)(THD*, st_savepoint*)) /test/11.7_opt_san/sql/transaction.cc:623
                #3 0x558352d47ed8 in trans_savepoint(THD*, st_mysql_const_lex_string) /test/11.7_opt_san/sql/transaction.cc:662
                #4 0x55835226c219 in mysql_execute_command(THD*, bool) /test/11.7_opt_san/sql/sql_parse.cc:5571
                #5 0x558352285922 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.7_opt_san/sql/sql_parse.cc:7889
                #6 0x55835229732a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.7_opt_san/sql/sql_parse.cc:1892
                #7 0x5583522a7fe6 in do_command(THD*, bool) /test/11.7_opt_san/sql/sql_parse.cc:1405
                #8 0x558352cb137c in do_handle_one_connection(CONNECT*, bool) /test/11.7_opt_san/sql/sql_connect.cc:1448
                #9 0x558352cb39b4 in handle_one_connection /test/11.7_opt_san/sql/sql_connect.cc:1350
                #10 0x1514c8a9ca93 in start_thread nptl/pthread_create.c:447
                #11 0x1514c8b29c3b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
             
            0x5250000961c8 is located 200 bytes inside of 8208-byte region [0x525000096100,0x525000098110)
            allocated by thread T12 here:
                #0 0x5583518b20f7 in malloc (/test/UBASAN_MD171024-mariadb-11.7.0-linux-x86_64-opt/bin/mariadbd+0x85140f7)
                #1 0x5583562beb84 in my_malloc /test/11.7_opt_san/mysys/my_malloc.c:93
                #2 0x55835629729b in root_alloc /test/11.7_opt_san/mysys/my_alloc.c:66
                #3 0x55835629729b in reset_root_defaults /test/11.7_opt_san/mysys/my_alloc.c:244
                #4 0x558351eaa4d4 in THD::init_for_queries() /test/11.7_opt_san/sql/sql_class.cc:1513
                #5 0x558352caa874 in prepare_new_connection_state(THD*) /test/11.7_opt_san/sql/sql_connect.cc:1276
                #6 0x558352cad267 in thd_prepare_connection(THD*) /test/11.7_opt_san/sql/sql_connect.cc:1371
                #7 0x558352cad267 in thd_prepare_connection(THD*) /test/11.7_opt_san/sql/sql_connect.cc:1360
                #8 0x558352cb0417 in do_handle_one_connection(CONNECT*, bool) /test/11.7_opt_san/sql/sql_connect.cc:1438
                #9 0x558352cb39b4 in handle_one_connection /test/11.7_opt_san/sql/sql_connect.cc:1350
                #10 0x1514c8a9ca93 in start_thread nptl/pthread_create.c:447
             
            Thread T12 created by T0 here:
                #0 0x558351855fa5 in __interceptor_pthread_create (/test/UBASAN_MD171024-mariadb-11.7.0-linux-x86_64-opt/bin/mariadbd+0x84b7fa5)
                #1 0x55835190c2de in create_thread_to_handle_connection(CONNECT*) /test/11.7_opt_san/sql/mysqld.cc:6271
                #2 0x55835192070f in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.7_opt_san/sql/mysqld.cc:6395
                #3 0x5583519217f7 in handle_connections_sockets() /test/11.7_opt_san/sql/mysqld.cc:6508
                #4 0x558351924a0c in mysqld_main(int, char**) /test/11.7_opt_san/sql/mysqld.cc:6166
                #5 0x1514c8a2a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
                #6 0x1514c8a2a28a in __libc_start_main_impl ../csu/libc-start.c:360
                #7 0x558351822d64 in _start (/test/UBASAN_MD171024-mariadb-11.7.0-linux-x86_64-opt/bin/mariadbd+0x8484d64)
             
            SUMMARY: AddressSanitizer: use-after-poison /test/11.7_opt_san/storage/federatedx/federatedx_txn.cc:359 in federatedx_txn::sp_release(unsigned long*)
            Shadow bytes around the buggy address:
              0x0a4a8000abe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0a4a8000abf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0a4a8000ac00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0a4a8000ac10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0a4a8000ac20: 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00
            =>0x0a4a8000ac30: 00 00 00 00 f7 03 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7
              0x0a4a8000ac40: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0a4a8000ac50: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0a4a8000ac60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0a4a8000ac70: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0a4a8000ac80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable:           00
              Partially addressable: 01 02 03 04 05 06 07 
              Heap left redzone:       fa
              Freed heap region:       fd
              Stack left redzone:      f1
              Stack mid redzone:       f2
              Stack right redzone:     f3
              Stack after return:      f5
              Stack use after scope:   f8
              Global redzone:          f9
              Global init order:       f6
              Poisoned by user:        f7
              Container overflow:      fc
              Array cookie:            ac
              Intra object redzone:    bb
              ASan internal:           fe
              Left alloca redzone:     ca
              Right alloca redzone:    cb
              Shadow gap:              cc
            ==2062974==ABORTING
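Added example, not MariaDB code: a small C model of the invariant behind the assertion reported above (`sp && savepoint_next && *sp && *sp <= savepoint_level`) and of the memory state behind the ASAN report in this comment. Savepoint slots are handed out from a bump arena standing in for the transaction's memory root; ending the transaction poisons that arena with the same ASAN user-poisoning mechanism that produces the `f7` ("Poisoned by user") shadow bytes shown above, so a write through a stale slot pointer would be reported as use-after-poison in an ASAN build. The checked release function returns error codes for the four assertion conditions and refuses to dereference a pointer that is not inside the live part of the arena. All names (txn_t, sp_arena_t, sp_set, sp_release_checked, txn_end, scenario_codes) are assumptions of this example; it does not claim to reproduce the server's actual control flow.

```c
/* Added example, not MariaDB code: constructed model of a savepoint stack
 * guarded by the invariant of the assertion on this page:
 *   sp && savepoint_next && *sp && *sp <= savepoint_level
 * Names txn_t, sp_arena_t, sp_set, sp_release_checked, txn_end are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef unsigned long ulong;   /* the slot type in the page's sp_release(ulong*) */

/* Built with -fsanitize=address these calls mark memory the way a memory-root
 * reset does, so a later access is reported as "use-after-poison" (shadow
 * byte f7, "Poisoned by user"). Without ASAN they compile to nothing. */
#ifndef __has_feature
#define __has_feature(x) 0
#endif
#if defined(__SANITIZE_ADDRESS__) || __has_feature(address_sanitizer)
void __asan_poison_memory_region(void const volatile *addr, size_t size);
void __asan_unpoison_memory_region(void const volatile *addr, size_t size);
#define POISON(p, n)   __asan_poison_memory_region((p), (n))
#define UNPOISON(p, n) __asan_unpoison_memory_region((p), (n))
#else
#define POISON(p, n)   ((void)(p), (void)(n))
#define UNPOISON(p, n) ((void)(p), (void)(n))
#endif

#define MAX_SAVEPOINTS 8

/* Bump arena standing in for the transaction's memory root: SAVEPOINT takes
 * the next slot, RELEASE gives back that slot and everything above it. */
typedef struct {
    ulong  slots[MAX_SAVEPOINTS];
    size_t used;               /* slots[0 .. used) are live */
} sp_arena_t;

typedef struct {
    sp_arena_t arena;
    ulong savepoint_level;     /* depth of the savepoint stack, 0 = none set */
    ulong savepoint_next;      /* next savepoint id; 0 = no open transaction */
} txn_t;

enum { SP_OK = 0, SP_ERR_NULL = 1, SP_ERR_NO_TXN = 2, SP_ERR_STALE = 3, SP_ERR_LEVEL = 4 };

void txn_begin(txn_t *t) {
    memset(t, 0, sizeof *t);
    UNPOISON(t->arena.slots, sizeof t->arena.slots);
    t->savepoint_next = 1;
}

/* SAVEPOINT: hand out a slot holding the new stack depth. */
ulong *sp_set(txn_t *t) {
    if (!t->savepoint_next || t->arena.used >= MAX_SAVEPOINTS) return NULL;
    ulong *sp = &t->arena.slots[t->arena.used++];
    *sp = ++t->savepoint_level;
    t->savepoint_next++;
    return sp;
}

/* True if sp points at a live slot of this transaction's arena. Compared as
 * integers so that a pointer into freed or foreign memory is never read. */
static int sp_is_live(const txn_t *t, const ulong *sp) {
    uintptr_t p  = (uintptr_t)sp;
    uintptr_t lo = (uintptr_t)t->arena.slots;
    uintptr_t hi = (uintptr_t)(t->arena.slots + t->arena.used);
    return p >= lo && p < hi && (p - lo) % sizeof(ulong) == 0;
}

/* RELEASE SAVEPOINT: the assertion's four conditions as error codes instead
 * of an abort, plus a liveness check before the slot is dereferenced. The
 * final write to *sp is the kind of access ASAN flagged on this page. */
int sp_release_checked(txn_t *t, ulong *sp) {
    if (!sp)                              return SP_ERR_NULL;
    if (!t->savepoint_next)               return SP_ERR_NO_TXN;
    if (!sp_is_live(t, sp))               return SP_ERR_STALE;
    if (!*sp || *sp > t->savepoint_level) return SP_ERR_LEVEL;
    t->savepoint_level = *sp - 1;                   /* drop it and any nested ones */
    t->arena.used = (size_t)(sp - t->arena.slots);  /* slots above it are gone */
    *sp = 0;
    return SP_OK;
}

/* End of transaction: reset and poison the arena, as a memory-root reset would. */
void txn_end(txn_t *t) {
    t->savepoint_level = 0;
    t->savepoint_next = 0;
    t->arena.used = 0;
    POISON(t->arena.slots, sizeof t->arena.slots);
}

/* Unpoison before the txn_t leaves scope so ASAN never sees stale marks. */
void txn_destroy(txn_t *t) { UNPOISON(t->arena.slots, sizeof t->arena.slots); }

/* Two savepoints; release the inner one twice (second time it is stale),
 * release the outer one, end the transaction, try once more. Returns the four
 * result codes packed as decimal digits: 0,3,0,2 -> 302. */
int scenario_codes(void) {
    txn_t t;
    txn_begin(&t);
    ulong *a = sp_set(&t);
    ulong *b = sp_set(&t);
    int c1 = sp_release_checked(&t, b);   /* SP_OK */
    int c2 = sp_release_checked(&t, b);   /* SP_ERR_STALE: slot already released */
    int c3 = sp_release_checked(&t, a);   /* SP_OK */
    txn_end(&t);
    int c4 = sp_release_checked(&t, a);   /* SP_ERR_NO_TXN: nothing dereferenced */
    txn_destroy(&t);
    return c1 * 1000 + c2 * 100 + c3 * 10 + c4;
}

int main(void) {
    printf("result codes: %04d\n", scenario_codes());
    return 0;
}
```

Compile it once as plain C and once with `-fsanitize=address`: the checked release never touches the poisoned arena, so both builds run clean. Replacing the liveness check with a direct `*sp = 0` on the stale pointer after `txn_end` is what turns the ASAN build into a use-after-poison report of the same shape as the one above, which is why a release path should validate the savepoint record against the live transaction state rather than trust the pointer it is handed.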
            


            People

              sanja Oleksandr Byelkin
              elenst Elena Stepanova