[MDEV-29459] ASAN errors in Field_blob::cmp_binary upon update on federated table - Jira

Details

Type: Bug
Status: Open (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL)
Fix Version/s: 10.5, 10.6
Component/s: Storage Engine - Federated
Labels:
None

Description

--source include/have_log_bin.inc

INSTALL SONAME 'ha_federatedx';

CREATE TABLE t (a BLOB, b CHAR(1));

INSERT INTO t values ('xx','x');

eval CREATE SERVER fedlink FOREIGN DATA WRAPPER mysql OPTIONS (USER 'root', HOST '127.0.0.1', DATABASE 'test', PORT $MASTER_MYPORT);

CREATE TABLE fed_t ENGINE=FEDERATED CONNECTION='fedlink/t';

UPDATE fed_t SET a = b;

# Cleanup

DROP TABLE fed_t, t;

UNINSTALL SONAME 'ha_federatedx';

10.3 e4cffc92
==2973967==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000025df0 at pc 0x0000006b946c bp 0x7f1358708e60 sp 0x7f1358708608
READ of size 1 at 0x60c000025df0 thread T6
#0 0x6b946b in MemcmpInterceptorCommon(void, int ()(void const, void const, unsigned long), void const, void const, unsigned long) (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x6b946b)
#1 0x6b981a in memcmp (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x6b981a)
#2 0x152f7d1 in Field_blob::cmp_binary(unsigned char const, unsigned char const, unsigned int) /data/src/10.3/sql/field.cc:8578:11
#3 0x1562a56 in Field::cmp_binary_offset(unsigned int) /data/src/10.3/sql/field.h:1105:12
#4 0xefea4e in compare_record(TABLE const*) /data/src/10.3/sql/sql_update.cc:96:20
#5 0xf07617 in mysql_update(THD, TABLE_LIST, List<Item>&, List<Item>&, Item, unsigned int, st_order, unsigned long long, bool, unsigned long long, unsigned long long) /data/src/10.3/sql/sql_update.cc:911:34
#6 0xb57581 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4344:21
#7 0xb42fc6 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7871:18
#8 0xb33b4c in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852:7
#9 0xb3ce4c in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398:17
#10 0x1083096 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403:11
#11 0x1082763 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308:3
#12 0x2e99121 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869:3
#13 0x7f13632b2ea6 in start_thread nptl/pthread_create.c:477:8
#14 0x7f13631bddee in clone misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x60c000025df0 is located 112 bytes inside of 124-byte region [0x60c000025d80,0x60c000025dfc)
freed by thread T6 here:
#0 0x71c53d in free (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x71c53d)
#1 0x3072fd7 in free_memory /data/src/10.3/mysys/safemalloc.c:279:3
#2 0x307302d in sf_free /data/src/10.3/mysys/safemalloc.c:197:3
#3 0x302b0df in my_free /data/src/10.3/mysys/my_malloc.c:223:5
#4 0x78856e in String::free() /data/src/10.3/sql/sql_string.h:369:7
#5 0x7f4687 in String::set(char const, unsigned long, charset_info_st const) /data/src/10.3/sql/sql_string.h:289:5
#6 0x151608c in Field_string::val_str(String, String) /data/src/10.3/sql/field.cc:7272:12
#7 0x7c7e8c in Field::val_str(String*) /data/src/10.3/sql/field.h:862:48
#8 0x156c890 in Field_blob::store_field(Field*) /data/src/10.3/sql/field.h:3704:11
#9 0x157e4b0 in field_conv_incompatible(Field, Field) /data/src/10.3/sql/field_conv.cc:836:14
#10 0x157e2af in field_conv(Field, Field) /data/src/10.3/sql/field_conv.cc:849:10
#11 0x162750d in save_field_in_field(Field, bool, Field*, bool) /data/src/10.3/sql/item.cc:6857:8
#12 0x164aaaa in Item_field::save_in_field(Field*, bool) /data/src/10.3/sql/item.cc:6908:10
#13 0x97c25f in fill_record(THD, TABLE, List<Item>&, List<Item>&, bool, bool) /data/src/10.3/sql/sql_base.cc:8460:11
#14 0x97d923 in fill_record_n_invoke_before_triggers(THD, TABLE, List<Item>&, List<Item>&, bool, trg_event_type) /data/src/10.3/sql/sql_base.cc:8632:11
#15 0xf075c7 in mysql_update(THD, TABLE_LIST, List<Item>&, List<Item>&, Item, unsigned int, st_order, unsigned long long, bool, unsigned long long, unsigned long long) /data/src/10.3/sql/sql_update.cc:905:11
#16 0xb57581 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4344:21
#17 0xb42fc6 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7871:18
#18 0xb33b4c in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852:7
#19 0xb3ce4c in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398:17
#20 0x1083096 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403:11
#21 0x1082763 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308:3
#22 0x2e99121 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869:3
#23 0x7f13632b2ea6 in start_thread nptl/pthread_create.c:477:8

previously allocated by thread T6 here:
#0 0x71c7bd in malloc (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x71c7bd)
#1 0x3071f90 in sf_malloc /data/src/10.3/mysys/safemalloc.c:118:28
#2 0x302ab5f in my_malloc /data/src/10.3/mysys/my_malloc.c:101:10
#3 0xe2ac9e in String::real_alloc(unsigned long) /data/src/10.3/sql/sql_string.cc:44:23
#4 0x7c71e8 in String::alloc(unsigned long) /data/src/10.3/sql/sql_string.h:379:12
#5 0x152aeaa in Field_blob::store(char const, unsigned long, charset_info_st const) /data/src/10.3/sql/field.cc:8440:13
#6 0x7f13584be2a4 in ha_federatedx::convert_row_to_internal_format(unsigned char, st_federatedx_row, st_federatedx_result*) /data/src/10.3/storage/federatedx/ha_federatedx.cc:888:19
#7 0x7f13584d1474 in ha_federatedx::read_next(unsigned char, st_federatedx_result) /data/src/10.3/storage/federatedx/ha_federatedx.cc:2938:17
#8 0x7f13584d3f5d in ha_federatedx::rnd_next(unsigned char*) /data/src/10.3/storage/federatedx/ha_federatedx.cc:2900:14
#9 0x15b7378 in handler::ha_rnd_next(unsigned char*) /data/src/10.3/sql/handler.cc:2858:5
#10 0x1b143d2 in rr_sequential(READ_RECORD*) /data/src/10.3/sql/records.cc:485:35
#11 0x933398 in READ_RECORD::read_record() /data/src/10.3/sql/records.h:70:30
#12 0xf07297 in mysql_update(THD, TABLE_LIST, List<Item>&, List<Item>&, Item, unsigned int, st_order, unsigned long long, bool, unsigned long long, unsigned long long) /data/src/10.3/sql/sql_update.cc:893:23
#13 0xb57581 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4344:21
#14 0xb42fc6 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7871:18
#15 0xb33b4c in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852:7
#16 0xb3ce4c in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398:17
#17 0x1083096 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403:11
#18 0x1082763 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308:3
#19 0x2e99121 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869:3
#20 0x7f13632b2ea6 in start_thread nptl/pthread_create.c:477:8

Thread T6 created by T0 here:
#0 0x7071ea in pthread_create (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x7071ea)
#1 0x2e9f3c9 in spawn_thread_v1(unsigned int, unsigned long, pthread_attr_t const, void* ()(void), void*) /data/src/10.3/storage/perfschema/pfs.cc:1919:15
#2 0x757a1a in inline_mysql_thread_create(unsigned int, unsigned long, pthread_attr_t const, void* ()(void), void*) /data/src/10.3/include/mysql/psi/mysql_thread.h:1275:11
#3 0x769453 in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6668:15
#4 0x76ac4a in create_new_thread(CONNECT*) /data/src/10.3/sql/mysqld.cc:6738:3
#5 0x7689cd in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6996:9
#6 0x75b3de in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6290:3
#7 0x74ed61 in main /data/src/10.3/sql/main.cc:25:10
#8 0x7f13630e6d09 in __libc_start_main csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-use-after-free (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x6b946b) in MemcmpInterceptorCommon(void, int ()(void const, void const, unsigned long), void const, void const, unsigned long)
Shadow bytes around the buggy address:
0x0c187fffcb60: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c187fffcb70: 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa
0x0c187fffcb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
0x0c187fffcb90: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c187fffcba0: 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa
=>0x0c187fffcbb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
0x0c187fffcbc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fffcbd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fffcbe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fffcbf0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c187fffcc00: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2973967==ABORTING

Also reproducible on older minor versions (not a recent regression).

Attachments

Activity

Elena Stepanova added a comment - 2022-09-14 00:08

This is probably related, as slight change in test cases switch from one failure to another

--source include/have_log_bin.inc

INSTALL SONAME 'ha_federatedx';

eval CREATE SERVER fedlink FOREIGN DATA WRAPPER mysql OPTIONS (USER 'root', HOST '127.0.0.1', DATABASE 'test', PORT $MASTER_MYPORT);

CREATE TABLE t (a VARCHAR(8), i INT, b BLOB);

INSERT INTO t VALUES ('foo',1,'bar'),('baz',2,'qux') ;

CREATE TABLE IF NOT EXISTS fed_t ENGINE=FEDERATED CONNECTION='fedlink/t';

UPDATE fed_t AS tbl1 SET i = 3, b = a WHERE a > b;

# Cleanup

DROP TABLE fed_t, t;

10.3 f1544424
==682620==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000025df0 at pc 0x000000e33745 bp 0x7f4da912a500 sp 0x7f4da912a4f8
READ of size 1 at 0x60c000025df0 thread T6
#0 0xe33744 in String::append_for_single_quote(char const*, unsigned long) /data/src/10.3/sql/sql_string.cc:1157:14
#1 0xe33a23 in String::print(String*) const /data/src/10.3/sql/sql_string.cc:1174:8
#2 0x7f4da8eee5c3 in ha_federatedx::update_row(unsigned char const, unsigned char const) /data/src/10.3/storage/federatedx/ha_federatedx.cc:2406:21
#3 0x15e227d in handler::ha_update_row(unsigned char const, unsigned char const) /data/src/10.3/sql/handler.cc:6527:3
#4 0xf07692 in mysql_update(THD, TABLE_LIST, List<Item>&, List<Item>&, Item, unsigned int, st_order, unsigned long long, bool, unsigned long long, unsigned long long) /data/src/10.3/sql/sql_update.cc:963:31
#5 0xb575d1 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4344:21
#6 0xb43016 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7871:18
#7 0xb33b9c in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852:7
#8 0xb3ce9c in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398:17
#9 0x1082cd6 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403:11
#10 0x10823a3 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308:3
#11 0x2e98dc1 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869:3
#12 0x7f4db3cdbea6 in start_thread nptl/pthread_create.c:477:8
#13 0x7f4db3be6dee in clone misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x60c000025df0 is located 112 bytes inside of 124-byte region [0x60c000025d80,0x60c000025dfc)
freed by thread T6 here:
#0 0x71c53d in free (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x71c53d)
#1 0x3072c77 in free_memory /data/src/10.3/mysys/safemalloc.c:279:3
#2 0x3072ccd in sf_free /data/src/10.3/mysys/safemalloc.c:197:3
#3 0x302ad7f in my_free /data/src/10.3/mysys/my_malloc.c:223:5
#4 0x78856e in String::free() /data/src/10.3/sql/sql_string.h:369:7
#5 0x7f4687 in String::set(char const, unsigned long, charset_info_st const) /data/src/10.3/sql/sql_string.h:289:5
#6 0x151d6b5 in Field_varstring::val_str(String, String) /data/src/10.3/sql/field.cc:7685:12
#7 0x7c7e8c in Field::val_str(String*) /data/src/10.3/sql/field.h:862:48
#8 0x156c4d0 in Field_blob::store_field(Field*) /data/src/10.3/sql/field.h:3704:11
#9 0x157e0f0 in field_conv_incompatible(Field, Field) /data/src/10.3/sql/field_conv.cc:836:14
#10 0x157deef in field_conv(Field, Field) /data/src/10.3/sql/field_conv.cc:849:10
#11 0x162714d in save_field_in_field(Field, bool, Field*, bool) /data/src/10.3/sql/item.cc:6857:8
#12 0x164a6ea in Item_field::save_in_field(Field*, bool) /data/src/10.3/sql/item.cc:6908:10
#13 0x97c2af in fill_record(THD, TABLE, List<Item>&, List<Item>&, bool, bool) /data/src/10.3/sql/sql_base.cc:8460:11
#14 0x97d973 in fill_record_n_invoke_before_triggers(THD, TABLE, List<Item>&, List<Item>&, bool, trg_event_type) /data/src/10.3/sql/sql_base.cc:8632:11
#15 0xf07207 in mysql_update(THD, TABLE_LIST, List<Item>&, List<Item>&, Item, unsigned int, st_order, unsigned long long, bool, unsigned long long, unsigned long long) /data/src/10.3/sql/sql_update.cc:905:11
#16 0xb575d1 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4344:21
#17 0xb43016 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7871:18
#18 0xb33b9c in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852:7
#19 0xb3ce9c in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398:17
#20 0x1082cd6 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403:11
#21 0x10823a3 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308:3
#22 0x2e98dc1 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869:3
#23 0x7f4db3cdbea6 in start_thread nptl/pthread_create.c:477:8

previously allocated by thread T6 here:
#0 0x71c7bd in malloc (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x71c7bd)
#1 0x3071c30 in sf_malloc /data/src/10.3/mysys/safemalloc.c:118:28
#2 0x302a7ff in my_malloc /data/src/10.3/mysys/my_malloc.c:101:10
#3 0xe2a8de in String::real_alloc(unsigned long) /data/src/10.3/sql/sql_string.cc:44:23
#4 0x7c71e8 in String::alloc(unsigned long) /data/src/10.3/sql/sql_string.h:379:12
#5 0x152aaea in Field_blob::store(char const, unsigned long, charset_info_st const) /data/src/10.3/sql/field.cc:8440:13
#6 0x7f4da8ee02a4 in ha_federatedx::convert_row_to_internal_format(unsigned char, st_federatedx_row, st_federatedx_result*) /data/src/10.3/storage/federatedx/ha_federatedx.cc:888:19
#7 0x7f4da8ef3474 in ha_federatedx::read_next(unsigned char, st_federatedx_result) /data/src/10.3/storage/federatedx/ha_federatedx.cc:2938:17
#8 0x7f4da8ef5f5d in ha_federatedx::rnd_next(unsigned char*) /data/src/10.3/storage/federatedx/ha_federatedx.cc:2900:14
#9 0x15b6fb8 in handler::ha_rnd_next(unsigned char*) /data/src/10.3/sql/handler.cc:2858:5
#10 0x1b140c2 in rr_sequential(READ_RECORD*) /data/src/10.3/sql/records.cc:485:35
#11 0x9333e8 in READ_RECORD::read_record() /data/src/10.3/sql/records.h:70:30
#12 0xf06ed7 in mysql_update(THD, TABLE_LIST, List<Item>&, List<Item>&, Item, unsigned int, st_order, unsigned long long, bool, unsigned long long, unsigned long long) /data/src/10.3/sql/sql_update.cc:893:23
#13 0xb575d1 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4344:21
#14 0xb43016 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7871:18
#15 0xb33b9c in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852:7
#16 0xb3ce9c in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398:17
#17 0x1082cd6 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403:11
#18 0x10823a3 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308:3
#19 0x2e98dc1 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869:3
#20 0x7f4db3cdbea6 in start_thread nptl/pthread_create.c:477:8

Thread T6 created by T0 here:
#0 0x7071ea in pthread_create (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x7071ea)
#1 0x2e9f069 in spawn_thread_v1(unsigned int, unsigned long, pthread_attr_t const, void* ()(void), void*) /data/src/10.3/storage/perfschema/pfs.cc:1919:15
#2 0x757a1a in inline_mysql_thread_create(unsigned int, unsigned long, pthread_attr_t const, void* ()(void), void*) /data/src/10.3/include/mysql/psi/mysql_thread.h:1275:11
#3 0x769453 in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6668:15
#4 0x76ac4a in create_new_thread(CONNECT*) /data/src/10.3/sql/mysqld.cc:6738:3
#5 0x7689cd in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6996:9
#6 0x75b3de in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6290:3
#7 0x74ed61 in main /data/src/10.3/sql/main.cc:25:10
#8 0x7f4db3b0fd09 in __libc_start_main csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.3/sql/sql_string.cc:1157:14 in String::append_for_single_quote(char const*, unsigned long)
Shadow bytes around the buggy address:
0x0c187fffcb60: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c187fffcb70: 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa
0x0c187fffcb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
0x0c187fffcb90: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c187fffcba0: 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa
=>0x0c187fffcbb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
0x0c187fffcbc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fffcbd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fffcbe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fffcbf0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c187fffcc00: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==682620==ABORTING

Elena Stepanova added a comment - 2022-09-14 00:08 This is probably related, as slight change in test cases switch from one failure to another --source include/have_log_bin.inc INSTALL SONAME 'ha_federatedx' ; eval CREATE SERVER fedlink FOREIGN DATA WRAPPER mysql OPTIONS ( USER 'root' , HOST '127.0.0.1' , DATABASE 'test' , PORT $MASTER_MYPORT); CREATE TABLE t (a VARCHAR (8), i INT , b BLOB); INSERT INTO t VALUES ( 'foo' ,1, 'bar' ),( 'baz' ,2, 'qux' ) ; CREATE TABLE IF NOT EXISTS fed_t ENGINE=FEDERATED CONNECTION = 'fedlink/t' ; UPDATE fed_t AS tbl1 SET i = 3, b = a WHERE a > b; # Cleanup DROP TABLE fed_t, t; 10.3 f1544424 ==682620==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000025df0 at pc 0x000000e33745 bp 0x7f4da912a500 sp 0x7f4da912a4f8 READ of size 1 at 0x60c000025df0 thread T6 #0 0xe33744 in String::append_for_single_quote(char const*, unsigned long) /data/src/10.3/sql/sql_string.cc:1157:14 #1 0xe33a23 in String::print(String*) const /data/src/10.3/sql/sql_string.cc:1174:8 #2 0x7f4da8eee5c3 in ha_federatedx::update_row(unsigned char const*, unsigned char const*) /data/src/10.3/storage/federatedx/ha_federatedx.cc:2406:21 #3 0x15e227d in handler::ha_update_row(unsigned char const*, unsigned char const*) /data/src/10.3/sql/handler.cc:6527:3 #4 0xf07692 in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*) /data/src/10.3/sql/sql_update.cc:963:31 #5 0xb575d1 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4344:21 #6 0xb43016 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7871:18 #7 0xb33b9c in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852:7 #8 0xb3ce9c in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398:17 #9 0x1082cd6 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403:11 #10 0x10823a3 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308:3 #11 0x2e98dc1 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869:3 #12 0x7f4db3cdbea6 in start_thread nptl/pthread_create.c:477:8 #13 0x7f4db3be6dee in clone misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95 0x60c000025df0 is located 112 bytes inside of 124-byte region [0x60c000025d80,0x60c000025dfc) freed by thread T6 here: #0 0x71c53d in free (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x71c53d) #1 0x3072c77 in free_memory /data/src/10.3/mysys/safemalloc.c:279:3 #2 0x3072ccd in sf_free /data/src/10.3/mysys/safemalloc.c:197:3 #3 0x302ad7f in my_free /data/src/10.3/mysys/my_malloc.c:223:5 #4 0x78856e in String::free() /data/src/10.3/sql/sql_string.h:369:7 #5 0x7f4687 in String::set(char const*, unsigned long, charset_info_st const*) /data/src/10.3/sql/sql_string.h:289:5 #6 0x151d6b5 in Field_varstring::val_str(String*, String*) /data/src/10.3/sql/field.cc:7685:12 #7 0x7c7e8c in Field::val_str(String*) /data/src/10.3/sql/field.h:862:48 #8 0x156c4d0 in Field_blob::store_field(Field*) /data/src/10.3/sql/field.h:3704:11 #9 0x157e0f0 in field_conv_incompatible(Field*, Field*) /data/src/10.3/sql/field_conv.cc:836:14 #10 0x157deef in field_conv(Field*, Field*) /data/src/10.3/sql/field_conv.cc:849:10 #11 0x162714d in save_field_in_field(Field*, bool*, Field*, bool) /data/src/10.3/sql/item.cc:6857:8 #12 0x164a6ea in Item_field::save_in_field(Field*, bool) /data/src/10.3/sql/item.cc:6908:10 #13 0x97c2af in fill_record(THD*, TABLE*, List<Item>&, List<Item>&, bool, bool) /data/src/10.3/sql/sql_base.cc:8460:11 #14 0x97d973 in fill_record_n_invoke_before_triggers(THD*, TABLE*, List<Item>&, List<Item>&, bool, trg_event_type) /data/src/10.3/sql/sql_base.cc:8632:11 #15 0xf07207 in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*) /data/src/10.3/sql/sql_update.cc:905:11 #16 0xb575d1 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4344:21 #17 0xb43016 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7871:18 #18 0xb33b9c in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852:7 #19 0xb3ce9c in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398:17 #20 0x1082cd6 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403:11 #21 0x10823a3 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308:3 #22 0x2e98dc1 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869:3 #23 0x7f4db3cdbea6 in start_thread nptl/pthread_create.c:477:8 previously allocated by thread T6 here: #0 0x71c7bd in malloc (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x71c7bd) #1 0x3071c30 in sf_malloc /data/src/10.3/mysys/safemalloc.c:118:28 #2 0x302a7ff in my_malloc /data/src/10.3/mysys/my_malloc.c:101:10 #3 0xe2a8de in String::real_alloc(unsigned long) /data/src/10.3/sql/sql_string.cc:44:23 #4 0x7c71e8 in String::alloc(unsigned long) /data/src/10.3/sql/sql_string.h:379:12 #5 0x152aaea in Field_blob::store(char const*, unsigned long, charset_info_st const*) /data/src/10.3/sql/field.cc:8440:13 #6 0x7f4da8ee02a4 in ha_federatedx::convert_row_to_internal_format(unsigned char*, st_federatedx_row*, st_federatedx_result*) /data/src/10.3/storage/federatedx/ha_federatedx.cc:888:19 #7 0x7f4da8ef3474 in ha_federatedx::read_next(unsigned char*, st_federatedx_result*) /data/src/10.3/storage/federatedx/ha_federatedx.cc:2938:17 #8 0x7f4da8ef5f5d in ha_federatedx::rnd_next(unsigned char*) /data/src/10.3/storage/federatedx/ha_federatedx.cc:2900:14 #9 0x15b6fb8 in handler::ha_rnd_next(unsigned char*) /data/src/10.3/sql/handler.cc:2858:5 #10 0x1b140c2 in rr_sequential(READ_RECORD*) /data/src/10.3/sql/records.cc:485:35 #11 0x9333e8 in READ_RECORD::read_record() /data/src/10.3/sql/records.h:70:30 #12 0xf06ed7 in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*) /data/src/10.3/sql/sql_update.cc:893:23 #13 0xb575d1 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4344:21 #14 0xb43016 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7871:18 #15 0xb33b9c in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852:7 #16 0xb3ce9c in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398:17 #17 0x1082cd6 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403:11 #18 0x10823a3 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308:3 #19 0x2e98dc1 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869:3 #20 0x7f4db3cdbea6 in start_thread nptl/pthread_create.c:477:8 Thread T6 created by T0 here: #0 0x7071ea in pthread_create (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x7071ea) #1 0x2e9f069 in spawn_thread_v1(unsigned int, unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /data/src/10.3/storage/perfschema/pfs.cc:1919:15 #2 0x757a1a in inline_mysql_thread_create(unsigned int, unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /data/src/10.3/include/mysql/psi/mysql_thread.h:1275:11 #3 0x769453 in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6668:15 #4 0x76ac4a in create_new_thread(CONNECT*) /data/src/10.3/sql/mysqld.cc:6738:3 #5 0x7689cd in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6996:9 #6 0x75b3de in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6290:3 #7 0x74ed61 in main /data/src/10.3/sql/main.cc:25:10 #8 0x7f4db3b0fd09 in __libc_start_main csu/../csu/libc-start.c:308:16 SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.3/sql/sql_string.cc:1157:14 in String::append_for_single_quote(char const*, unsigned long) Shadow bytes around the buggy address: 0x0c187fffcb60: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c187fffcb70: 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa 0x0c187fffcb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 0x0c187fffcb90: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c187fffcba0: 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa =>0x0c187fffcbb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd 0x0c187fffcbc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c187fffcbd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c187fffcbe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c187fffcbf0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c187fffcc00: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==682620==ABORTING

People

Assignee:: Oleksandr Byelkin

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2022-09-03 18:13

Updated:: 2024-09-10 14:56

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server