[MDEV-29459] ASAN errors in Field_blob::cmp_binary upon update on federated table - Jira

XML

Word

Printable

Details

Type: Bug
Status: Open (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10
Fix Version/s: 10.4, 10.5, 10.6
Component/s: Storage Engine - Federated
Labels:
None

Description

--source include/have_log_bin.inc

INSTALL SONAME 'ha_federatedx';

CREATE TABLE t (a BLOB, b CHAR(1));

INSERT INTO t values ('xx','x');

eval CREATE SERVER fedlink FOREIGN DATA WRAPPER mysql OPTIONS (USER 'root', HOST '127.0.0.1', DATABASE 'test', PORT $MASTER_MYPORT);

CREATE TABLE fed_t ENGINE=FEDERATED CONNECTION='fedlink/t';

UPDATE fed_t SET a = b;

# Cleanup

DROP TABLE fed_t, t;

UNINSTALL SONAME 'ha_federatedx';

10.3 e4cffc92
==2973967==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000025df0 at pc 0x0000006b946c bp 0x7f1358708e60 sp 0x7f1358708608
READ of size 1 at 0x60c000025df0 thread T6
#0 0x6b946b in MemcmpInterceptorCommon(void, int ()(void const, void const, unsigned long), void const, void const, unsigned long) (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x6b946b)
#1 0x6b981a in memcmp (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x6b981a)
#2 0x152f7d1 in Field_blob::cmp_binary(unsigned char const, unsigned char const, unsigned int) /data/src/10.3/sql/field.cc:8578:11
#3 0x1562a56 in Field::cmp_binary_offset(unsigned int) /data/src/10.3/sql/field.h:1105:12
#4 0xefea4e in compare_record(TABLE const*) /data/src/10.3/sql/sql_update.cc:96:20
#5 0xf07617 in mysql_update(THD, TABLE_LIST, List<Item>&, List<Item>&, Item, unsigned int, st_order, unsigned long long, bool, unsigned long long, unsigned long long) /data/src/10.3/sql/sql_update.cc:911:34
#6 0xb57581 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4344:21
#7 0xb42fc6 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7871:18
#8 0xb33b4c in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852:7
#9 0xb3ce4c in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398:17
#10 0x1083096 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403:11
#11 0x1082763 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308:3
#12 0x2e99121 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869:3
#13 0x7f13632b2ea6 in start_thread nptl/pthread_create.c:477:8
#14 0x7f13631bddee in clone misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x60c000025df0 is located 112 bytes inside of 124-byte region [0x60c000025d80,0x60c000025dfc)
freed by thread T6 here:
#0 0x71c53d in free (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x71c53d)
#1 0x3072fd7 in free_memory /data/src/10.3/mysys/safemalloc.c:279:3
#2 0x307302d in sf_free /data/src/10.3/mysys/safemalloc.c:197:3
#3 0x302b0df in my_free /data/src/10.3/mysys/my_malloc.c:223:5
#4 0x78856e in String::free() /data/src/10.3/sql/sql_string.h:369:7
#5 0x7f4687 in String::set(char const, unsigned long, charset_info_st const) /data/src/10.3/sql/sql_string.h:289:5
#6 0x151608c in Field_string::val_str(String, String) /data/src/10.3/sql/field.cc:7272:12
#7 0x7c7e8c in Field::val_str(String*) /data/src/10.3/sql/field.h:862:48
#8 0x156c890 in Field_blob::store_field(Field*) /data/src/10.3/sql/field.h:3704:11
#9 0x157e4b0 in field_conv_incompatible(Field, Field) /data/src/10.3/sql/field_conv.cc:836:14
#10 0x157e2af in field_conv(Field, Field) /data/src/10.3/sql/field_conv.cc:849:10
#11 0x162750d in save_field_in_field(Field, bool, Field*, bool) /data/src/10.3/sql/item.cc:6857:8
#12 0x164aaaa in Item_field::save_in_field(Field*, bool) /data/src/10.3/sql/item.cc:6908:10
#13 0x97c25f in fill_record(THD, TABLE, List<Item>&, List<Item>&, bool, bool) /data/src/10.3/sql/sql_base.cc:8460:11
#14 0x97d923 in fill_record_n_invoke_before_triggers(THD, TABLE, List<Item>&, List<Item>&, bool, trg_event_type) /data/src/10.3/sql/sql_base.cc:8632:11
#15 0xf075c7 in mysql_update(THD, TABLE_LIST, List<Item>&, List<Item>&, Item, unsigned int, st_order, unsigned long long, bool, unsigned long long, unsigned long long) /data/src/10.3/sql/sql_update.cc:905:11
#16 0xb57581 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4344:21
#17 0xb42fc6 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7871:18
#18 0xb33b4c in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852:7
#19 0xb3ce4c in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398:17
#20 0x1083096 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403:11
#21 0x1082763 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308:3
#22 0x2e99121 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869:3
#23 0x7f13632b2ea6 in start_thread nptl/pthread_create.c:477:8

previously allocated by thread T6 here:
#0 0x71c7bd in malloc (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x71c7bd)
#1 0x3071f90 in sf_malloc /data/src/10.3/mysys/safemalloc.c:118:28
#2 0x302ab5f in my_malloc /data/src/10.3/mysys/my_malloc.c:101:10
#3 0xe2ac9e in String::real_alloc(unsigned long) /data/src/10.3/sql/sql_string.cc:44:23
#4 0x7c71e8 in String::alloc(unsigned long) /data/src/10.3/sql/sql_string.h:379:12
#5 0x152aeaa in Field_blob::store(char const, unsigned long, charset_info_st const) /data/src/10.3/sql/field.cc:8440:13
#6 0x7f13584be2a4 in ha_federatedx::convert_row_to_internal_format(unsigned char, st_federatedx_row, st_federatedx_result*) /data/src/10.3/storage/federatedx/ha_federatedx.cc:888:19
#7 0x7f13584d1474 in ha_federatedx::read_next(unsigned char, st_federatedx_result) /data/src/10.3/storage/federatedx/ha_federatedx.cc:2938:17
#8 0x7f13584d3f5d in ha_federatedx::rnd_next(unsigned char*) /data/src/10.3/storage/federatedx/ha_federatedx.cc:2900:14
#9 0x15b7378 in handler::ha_rnd_next(unsigned char*) /data/src/10.3/sql/handler.cc:2858:5
#10 0x1b143d2 in rr_sequential(READ_RECORD*) /data/src/10.3/sql/records.cc:485:35
#11 0x933398 in READ_RECORD::read_record() /data/src/10.3/sql/records.h:70:30
#12 0xf07297 in mysql_update(THD, TABLE_LIST, List<Item>&, List<Item>&, Item, unsigned int, st_order, unsigned long long, bool, unsigned long long, unsigned long long) /data/src/10.3/sql/sql_update.cc:893:23
#13 0xb57581 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4344:21
#14 0xb42fc6 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7871:18
#15 0xb33b4c in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852:7
#16 0xb3ce4c in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398:17
#17 0x1083096 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403:11
#18 0x1082763 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308:3
#19 0x2e99121 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869:3
#20 0x7f13632b2ea6 in start_thread nptl/pthread_create.c:477:8

Thread T6 created by T0 here:
#0 0x7071ea in pthread_create (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x7071ea)
#1 0x2e9f3c9 in spawn_thread_v1(unsigned int, unsigned long, pthread_attr_t const, void* ()(void), void*) /data/src/10.3/storage/perfschema/pfs.cc:1919:15
#2 0x757a1a in inline_mysql_thread_create(unsigned int, unsigned long, pthread_attr_t const, void* ()(void), void*) /data/src/10.3/include/mysql/psi/mysql_thread.h:1275:11
#3 0x769453 in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6668:15
#4 0x76ac4a in create_new_thread(CONNECT*) /data/src/10.3/sql/mysqld.cc:6738:3
#5 0x7689cd in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6996:9
#6 0x75b3de in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6290:3
#7 0x74ed61 in main /data/src/10.3/sql/main.cc:25:10
#8 0x7f13630e6d09 in __libc_start_main csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-use-after-free (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x6b946b) in MemcmpInterceptorCommon(void, int ()(void const, void const, unsigned long), void const, void const, unsigned long)
Shadow bytes around the buggy address:
0x0c187fffcb60: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c187fffcb70: 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa
0x0c187fffcb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
0x0c187fffcb90: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c187fffcba0: 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa
=>0x0c187fffcbb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
0x0c187fffcbc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fffcbd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fffcbe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fffcbf0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c187fffcc00: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2973967==ABORTING

Also reproducible on older minor versions (not a recent regression).

Attachments

Activity

People

Assignee:: Oleksandr Byelkin

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2022-09-03 18:13

Updated:: 2023-11-28 10:34

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.