[MDEV-29510] ASAN errors upon updating BLOB column twice in one UPDATE - Jira

XML

Word

Printable

Details

Type: Bug
Status: Open (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10
Fix Version/s: 10.4, 10.5, 10.6
Component/s: Data Manipulation - Update
Labels:
None

Description

CREATE TABLE t (pk INT PRIMARY KEY, a BLOB, b BLOB);

INSERT INTO t VALUES (1,'foo','bar'),(2,'baz','qux');

UPDATE t SET a = 'x', b = a, a = 'foobarqux';

DROP TABLE t;

10.3 43745b7e with InnoDB
==3359876==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00004b0b0 at pc 0x00000071bc17 bp 0x7f4bbb9cc010 sp 0x7f4bbb9cb7d8
READ of size 1 at 0x60c00004b0b0 thread T27
#0 0x71bc16 in __asan_memcpy (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x71bc16)
#1 0x1da57ff in mem_heap_dup(mem_block_info_t, void const, unsigned long) /data/src/10.3/storage/innobase/include/mem0mem.h:242:5
#2 0x229718c in dfield_dup(dfield_t, mem_block_info_t) /data/src/10.3/storage/innobase/include/data0data.inl:173:17
#3 0x2289e4d in row_upd_index_replace_new_col_val(dfield_t, dict_field_t const, dict_col_t const, upd_field_t const, mem_block_info_t*, page_size_t const&) /data/src/10.3/storage/innobase/row/row0upd.cc:1294:3
#4 0x2288f6c in row_upd_index_replace_new_col_vals_index_pos(dtuple_t, dict_index_t const, upd_t const, mem_block_info_t) /data/src/10.3/storage/innobase/row/row0upd.cc:1359:13
#5 0x24950df in btr_cur_optimistic_update(unsigned long, btr_cur_t, unsigned short, mem_block_info_t, upd_t const, unsigned long, que_thr_t, unsigned long, mtr_t) /data/src/10.3/storage/innobase/btr/btr0cur.cc:4391:2
#6 0x229ca2d in row_upd_clust_rec(unsigned long, upd_node_t, dict_index_t, unsigned short, mem_block_info_t, que_thr_t, mtr_t*) /data/src/10.3/storage/innobase/row/row0upd.cc:2892:9
#7 0x229924d in row_upd_clust_step(upd_node_t, que_thr_t) /data/src/10.3/storage/innobase/row/row0upd.cc:3203:9
#8 0x2292234 in row_upd(upd_node_t, que_thr_t) /data/src/10.3/storage/innobase/row/row0upd.cc:3304:9
#9 0x229148c in row_upd_step(que_thr_t*) /data/src/10.3/storage/innobase/row/row0upd.cc:3448:8
#10 0x217b6e8 in row_update_for_mysql(row_prebuilt_t*) /data/src/10.3/storage/innobase/row/row0mysql.cc:1827:3
#11 0x1d1744f in ha_innobase::update_row(unsigned char const, unsigned char const) /data/src/10.3/storage/innobase/handler/ha_innodb.cc:8970:11
#12 0x15e268d in handler::ha_update_row(unsigned char const, unsigned char const) /data/src/10.3/sql/handler.cc:6527:3
#13 0xf07aa2 in mysql_update(THD, TABLE_LIST, List<Item>&, List<Item>&, Item, unsigned int, st_order, unsigned long long, bool, unsigned long long, unsigned long long) /data/src/10.3/sql/sql_update.cc:963:31
#14 0xb575d1 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4344:21
#15 0xb43016 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7871:18
#16 0xb33b9c in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852:7
#17 0xb3ce9c in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398:17
#18 0x10830e6 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403:11
#19 0x10827b3 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308:3
#20 0x2e99251 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869:3
#21 0x7f4bd2163ea6 in start_thread nptl/pthread_create.c:477:8
#22 0x7f4bd206edee in clone misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x60c00004b0b0 is located 112 bytes inside of 124-byte region [0x60c00004b040,0x60c00004b0bc)
freed by thread T27 here:
#0 0x71c53d in free (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x71c53d)
#1 0x3073107 in free_memory /data/src/10.3/mysys/safemalloc.c:279:3
#2 0x307315d in sf_free /data/src/10.3/mysys/safemalloc.c:197:3
#3 0x302b20f in my_free /data/src/10.3/mysys/my_malloc.c:223:5
#4 0x78856e in String::free() /data/src/10.3/sql/sql_string.h:369:7
#5 0xe2ac7e in String::real_alloc(unsigned long) /data/src/10.3/sql/sql_string.cc:43:5
#6 0x7c71e8 in String::alloc(unsigned long) /data/src/10.3/sql/sql_string.h:379:12
#7 0x152aefa in Field_blob::store(char const, unsigned long, charset_info_st const) /data/src/10.3/sql/field.cc:8440:13
#8 0x1601815 in Item::save_str_value_in_field(Field, String) /data/src/10.3/sql/item.cc:529:17
#9 0x164ba64 in Item_string::save_in_field(Field*, bool) /data/src/10.3/sql/item.cc:7027:10
#10 0x97c2af in fill_record(THD, TABLE, List<Item>&, List<Item>&, bool, bool) /data/src/10.3/sql/sql_base.cc:8460:11
#11 0x97d973 in fill_record_n_invoke_before_triggers(THD, TABLE, List<Item>&, List<Item>&, bool, trg_event_type) /data/src/10.3/sql/sql_base.cc:8632:11
#12 0xf07617 in mysql_update(THD, TABLE_LIST, List<Item>&, List<Item>&, Item, unsigned int, st_order, unsigned long long, bool, unsigned long long, unsigned long long) /data/src/10.3/sql/sql_update.cc:905:11
#13 0xb575d1 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4344:21
#14 0xb43016 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7871:18
#15 0xb33b9c in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852:7
#16 0xb3ce9c in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398:17
#17 0x10830e6 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403:11
#18 0x10827b3 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308:3
#19 0x2e99251 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869:3
#20 0x7f4bd2163ea6 in start_thread nptl/pthread_create.c:477:8

previously allocated by thread T27 here:
#0 0x71c7bd in malloc (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x71c7bd)
#1 0x30720c0 in sf_malloc /data/src/10.3/mysys/safemalloc.c:118:28
#2 0x302ac8f in my_malloc /data/src/10.3/mysys/my_malloc.c:101:10
#3 0xe2acee in String::real_alloc(unsigned long) /data/src/10.3/sql/sql_string.cc:44:23
#4 0x7c71e8 in String::alloc(unsigned long) /data/src/10.3/sql/sql_string.h:379:12
#5 0x152aefa in Field_blob::store(char const, unsigned long, charset_info_st const) /data/src/10.3/sql/field.cc:8440:13
#6 0x1601815 in Item::save_str_value_in_field(Field, String) /data/src/10.3/sql/item.cc:529:17
#7 0x164ba64 in Item_string::save_in_field(Field*, bool) /data/src/10.3/sql/item.cc:7027:10
#8 0x97efc8 in fill_record(THD, TABLE, Field**, List<Item>&, bool, bool) /data/src/10.3/sql/sql_base.cc:8742:18
#9 0x97f680 in fill_record_n_invoke_before_triggers(THD, TABLE, Field**, List<Item>&, bool, trg_event_type) /data/src/10.3/sql/sql_base.cc:8795:11
#10 0xa713f9 in mysql_insert(THD, TABLE_LIST, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.3/sql/sql_insert.cc:1020:13
#11 0xb58be7 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4505:10
#12 0xb43016 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7871:18
#13 0xb33b9c in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852:7
#14 0xb3ce9c in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398:17
#15 0x10830e6 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403:11
#16 0x10827b3 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308:3
#17 0x2e99251 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869:3
#18 0x7f4bd2163ea6 in start_thread nptl/pthread_create.c:477:8

Thread T27 created by T0 here:
#0 0x7071ea in pthread_create (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x7071ea)
#1 0x2e9f4f9 in spawn_thread_v1(unsigned int, unsigned long, pthread_attr_t const, void* ()(void), void*) /data/src/10.3/storage/perfschema/pfs.cc:1919:15
#2 0x757a1a in inline_mysql_thread_create(unsigned int, unsigned long, pthread_attr_t const, void* ()(void), void*) /data/src/10.3/include/mysql/psi/mysql_thread.h:1275:11
#3 0x769453 in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6668:15
#4 0x76ac4a in create_new_thread(CONNECT*) /data/src/10.3/sql/mysqld.cc:6738:3
#5 0x7689cd in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6996:9
#6 0x75b3de in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6290:3
#7 0x74ed61 in main /data/src/10.3/sql/main.cc:25:10
#8 0x7f4bd1f97d09 in __libc_start_main csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-use-after-free (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x71bc16) in __asan_memcpy
Shadow bytes around the buggy address:
0x0c18800015c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
0x0c18800015d0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c18800015e0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x0c18800015f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
0x0c1880001600: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c1880001610: fd fd fd fd fd fd[fd]fd fa fa fa fa fa fa fa fa
0x0c1880001620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
0x0c1880001630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1880001640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1880001650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1880001660: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3359876==ABORTING

10.3 43745b7e with Aria
==3359973==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00000c530 at pc 0x00000071bc17 bp 0x7f5a6f0adaf0 sp 0x7f5a6f0ad2b8
READ of size 1 at 0x60c00000c530 thread T5
#0 0x71bc16 in __asan_memcpy (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x71bc16)
#1 0x2abd237 in write_block_record /data/src/10.3/storage/maria/ma_blockrec.c:2836:7
#2 0x2a91eb8 in _ma_update_block_record2 /data/src/10.3/storage/maria/ma_blockrec.c:3804:10
#3 0x2a90a72 in _ma_update_block_record /data/src/10.3/storage/maria/ma_blockrec.c:4019:10
#4 0x2af157f in maria_update /data/src/10.3/storage/maria/ma_update.c:160:7
#5 0x29086e3 in ha_maria::update_row(unsigned char const, unsigned char const) /data/src/10.3/storage/maria/ha_maria.cc:2279:10
#6 0x15e268d in handler::ha_update_row(unsigned char const, unsigned char const) /data/src/10.3/sql/handler.cc:6527:3
#7 0xf07aa2 in mysql_update(THD, TABLE_LIST, List<Item>&, List<Item>&, Item, unsigned int, st_order, unsigned long long, bool, unsigned long long, unsigned long long) /data/src/10.3/sql/sql_update.cc:963:31
#8 0xb575d1 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4344:21
#9 0xb43016 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7871:18
#10 0xb33b9c in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852:7
#11 0xb3ce9c in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398:17
#12 0x10830e6 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403:11
#13 0x10827b3 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308:3
#14 0x2e99251 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869:3
#15 0x7f5a79bebea6 in start_thread nptl/pthread_create.c:477:8
#16 0x7f5a79af6dee in clone misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x60c00000c530 is located 112 bytes inside of 124-byte region [0x60c00000c4c0,0x60c00000c53c)
freed by thread T5 here:
#0 0x71c53d in free (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x71c53d)
#1 0x3073107 in free_memory /data/src/10.3/mysys/safemalloc.c:279:3
#2 0x307315d in sf_free /data/src/10.3/mysys/safemalloc.c:197:3
#3 0x302b20f in my_free /data/src/10.3/mysys/my_malloc.c:223:5
#4 0x78856e in String::free() /data/src/10.3/sql/sql_string.h:369:7
#5 0xe2ac7e in String::real_alloc(unsigned long) /data/src/10.3/sql/sql_string.cc:43:5
#6 0x7c71e8 in String::alloc(unsigned long) /data/src/10.3/sql/sql_string.h:379:12
#7 0x152aefa in Field_blob::store(char const, unsigned long, charset_info_st const) /data/src/10.3/sql/field.cc:8440:13
#8 0x1601815 in Item::save_str_value_in_field(Field, String) /data/src/10.3/sql/item.cc:529:17
#9 0x164ba64 in Item_string::save_in_field(Field*, bool) /data/src/10.3/sql/item.cc:7027:10
#10 0x97c2af in fill_record(THD, TABLE, List<Item>&, List<Item>&, bool, bool) /data/src/10.3/sql/sql_base.cc:8460:11
#11 0x97d973 in fill_record_n_invoke_before_triggers(THD, TABLE, List<Item>&, List<Item>&, bool, trg_event_type) /data/src/10.3/sql/sql_base.cc:8632:11
#12 0xf07617 in mysql_update(THD, TABLE_LIST, List<Item>&, List<Item>&, Item, unsigned int, st_order, unsigned long long, bool, unsigned long long, unsigned long long) /data/src/10.3/sql/sql_update.cc:905:11
#13 0xb575d1 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4344:21
#14 0xb43016 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7871:18
#15 0xb33b9c in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852:7
#16 0xb3ce9c in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398:17
#17 0x10830e6 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403:11
#18 0x10827b3 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308:3
#19 0x2e99251 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869:3
#20 0x7f5a79bebea6 in start_thread nptl/pthread_create.c:477:8

previously allocated by thread T5 here:
#0 0x71c7bd in malloc (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x71c7bd)
#1 0x30720c0 in sf_malloc /data/src/10.3/mysys/safemalloc.c:118:28
#2 0x302ac8f in my_malloc /data/src/10.3/mysys/my_malloc.c:101:10
#3 0xe2acee in String::real_alloc(unsigned long) /data/src/10.3/sql/sql_string.cc:44:23
#4 0x7c71e8 in String::alloc(unsigned long) /data/src/10.3/sql/sql_string.h:379:12
#5 0x152aefa in Field_blob::store(char const, unsigned long, charset_info_st const) /data/src/10.3/sql/field.cc:8440:13
#6 0x1601815 in Item::save_str_value_in_field(Field, String) /data/src/10.3/sql/item.cc:529:17
#7 0x164ba64 in Item_string::save_in_field(Field*, bool) /data/src/10.3/sql/item.cc:7027:10
#8 0x97efc8 in fill_record(THD, TABLE, Field**, List<Item>&, bool, bool) /data/src/10.3/sql/sql_base.cc:8742:18
#9 0x97f680 in fill_record_n_invoke_before_triggers(THD, TABLE, Field**, List<Item>&, bool, trg_event_type) /data/src/10.3/sql/sql_base.cc:8795:11
#10 0xa713f9 in mysql_insert(THD, TABLE_LIST, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.3/sql/sql_insert.cc:1020:13
#11 0xb58be7 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4505:10
#12 0xb43016 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7871:18
#13 0xb33b9c in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852:7
#14 0xb3ce9c in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398:17
#15 0x10830e6 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403:11
#16 0x10827b3 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308:3
#17 0x2e99251 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869:3
#18 0x7f5a79bebea6 in start_thread nptl/pthread_create.c:477:8

Thread T5 created by T0 here:
#0 0x7071ea in pthread_create (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x7071ea)
#1 0x2e9f4f9 in spawn_thread_v1(unsigned int, unsigned long, pthread_attr_t const, void* ()(void), void*) /data/src/10.3/storage/perfschema/pfs.cc:1919:15
#2 0x757a1a in inline_mysql_thread_create(unsigned int, unsigned long, pthread_attr_t const, void* ()(void), void*) /data/src/10.3/include/mysql/psi/mysql_thread.h:1275:11
#3 0x769453 in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6668:15
#4 0x76ac4a in create_new_thread(CONNECT*) /data/src/10.3/sql/mysqld.cc:6738:3
#5 0x7689cd in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6996:9
#6 0x75b3de in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6290:3
#7 0x74ed61 in main /data/src/10.3/sql/main.cc:25:10
#8 0x7f5a79a1fd09 in __libc_start_main csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-use-after-free (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x71bc16) in __asan_memcpy
Shadow bytes around the buggy address:
0x0c187fff9850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
0x0c187fff9860: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c187fff9870: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x0c187fff9880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
0x0c187fff9890: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c187fff98a0: fd fd fd fd fd fd[fd]fd fa fa fa fa fa fa fa fa
0x0c187fff98b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
0x0c187fff98c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c187fff98d0: 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa
0x0c187fff98e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff98f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3359973==ABORTING

10.3 43745b7e with MyISAM
==3360048==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00000c470 at pc 0x00000071bc17 bp 0x7fca91650eb0 sp 0x7fca91650678
READ of size 1 at 0x60c00000c470 thread T5
#0 0x71bc16 in __asan_memcpy (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x71bc16)
#1 0x2ca1f1c in _mi_rec_pack /data/src/10.3/storage/myisam/mi_dynrec.c:998:4
#2 0x2ca69c8 in _mi_update_blob_record /data/src/10.3/storage/myisam/mi_dynrec.c:317:13
#3 0x2d4bcdb in mi_update /data/src/10.3/storage/myisam/mi_update.c:156:9
#4 0x2c34652 in ha_myisam::update_row(unsigned char const, unsigned char const) /data/src/10.3/storage/myisam/ha_myisam.cc:1845:10
#5 0x15e268d in handler::ha_update_row(unsigned char const, unsigned char const) /data/src/10.3/sql/handler.cc:6527:3
#6 0xf07aa2 in mysql_update(THD, TABLE_LIST, List<Item>&, List<Item>&, Item, unsigned int, st_order, unsigned long long, bool, unsigned long long, unsigned long long) /data/src/10.3/sql/sql_update.cc:963:31
#7 0xb575d1 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4344:21
#8 0xb43016 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7871:18
#9 0xb33b9c in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852:7
#10 0xb3ce9c in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398:17
#11 0x10830e6 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403:11
#12 0x10827b3 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308:3
#13 0x2e99251 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869:3
#14 0x7fca9c180ea6 in start_thread nptl/pthread_create.c:477:8
#15 0x7fca9c08bdee in clone misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x60c00000c470 is located 112 bytes inside of 124-byte region [0x60c00000c400,0x60c00000c47c)
freed by thread T5 here:
#0 0x71c53d in free (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x71c53d)
#1 0x3073107 in free_memory /data/src/10.3/mysys/safemalloc.c:279:3
#2 0x307315d in sf_free /data/src/10.3/mysys/safemalloc.c:197:3
#3 0x302b20f in my_free /data/src/10.3/mysys/my_malloc.c:223:5
#4 0x78856e in String::free() /data/src/10.3/sql/sql_string.h:369:7
#5 0xe2ac7e in String::real_alloc(unsigned long) /data/src/10.3/sql/sql_string.cc:43:5
#6 0x7c71e8 in String::alloc(unsigned long) /data/src/10.3/sql/sql_string.h:379:12
#7 0x152aefa in Field_blob::store(char const, unsigned long, charset_info_st const) /data/src/10.3/sql/field.cc:8440:13
#8 0x1601815 in Item::save_str_value_in_field(Field, String) /data/src/10.3/sql/item.cc:529:17
#9 0x164ba64 in Item_string::save_in_field(Field*, bool) /data/src/10.3/sql/item.cc:7027:10
#10 0x97c2af in fill_record(THD, TABLE, List<Item>&, List<Item>&, bool, bool) /data/src/10.3/sql/sql_base.cc:8460:11
#11 0x97d973 in fill_record_n_invoke_before_triggers(THD, TABLE, List<Item>&, List<Item>&, bool, trg_event_type) /data/src/10.3/sql/sql_base.cc:8632:11
#12 0xf07617 in mysql_update(THD, TABLE_LIST, List<Item>&, List<Item>&, Item, unsigned int, st_order, unsigned long long, bool, unsigned long long, unsigned long long) /data/src/10.3/sql/sql_update.cc:905:11
#13 0xb575d1 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4344:21
#14 0xb43016 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7871:18
#15 0xb33b9c in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852:7
#16 0xb3ce9c in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398:17
#17 0x10830e6 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403:11
#18 0x10827b3 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308:3
#19 0x2e99251 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869:3
#20 0x7fca9c180ea6 in start_thread nptl/pthread_create.c:477:8

previously allocated by thread T5 here:
#0 0x71c7bd in malloc (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x71c7bd)
#1 0x30720c0 in sf_malloc /data/src/10.3/mysys/safemalloc.c:118:28
#2 0x302ac8f in my_malloc /data/src/10.3/mysys/my_malloc.c:101:10
#3 0xe2acee in String::real_alloc(unsigned long) /data/src/10.3/sql/sql_string.cc:44:23
#4 0x7c71e8 in String::alloc(unsigned long) /data/src/10.3/sql/sql_string.h:379:12
#5 0x152aefa in Field_blob::store(char const, unsigned long, charset_info_st const) /data/src/10.3/sql/field.cc:8440:13
#6 0x1601815 in Item::save_str_value_in_field(Field, String) /data/src/10.3/sql/item.cc:529:17
#7 0x164ba64 in Item_string::save_in_field(Field*, bool) /data/src/10.3/sql/item.cc:7027:10
#8 0x97efc8 in fill_record(THD, TABLE, Field**, List<Item>&, bool, bool) /data/src/10.3/sql/sql_base.cc:8742:18
#9 0x97f680 in fill_record_n_invoke_before_triggers(THD, TABLE, Field**, List<Item>&, bool, trg_event_type) /data/src/10.3/sql/sql_base.cc:8795:11
#10 0xa713f9 in mysql_insert(THD, TABLE_LIST, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.3/sql/sql_insert.cc:1020:13
#11 0xb58be7 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4505:10
#12 0xb43016 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7871:18
#13 0xb33b9c in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852:7
#14 0xb3ce9c in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398:17
#15 0x10830e6 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403:11
#16 0x10827b3 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308:3
#17 0x2e99251 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869:3
#18 0x7fca9c180ea6 in start_thread nptl/pthread_create.c:477:8

Thread T5 created by T0 here:
#0 0x7071ea in pthread_create (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x7071ea)
#1 0x2e9f4f9 in spawn_thread_v1(unsigned int, unsigned long, pthread_attr_t const, void* ()(void), void*) /data/src/10.3/storage/perfschema/pfs.cc:1919:15
#2 0x757a1a in inline_mysql_thread_create(unsigned int, unsigned long, pthread_attr_t const, void* ()(void), void*) /data/src/10.3/include/mysql/psi/mysql_thread.h:1275:11
#3 0x769453 in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6668:15
#4 0x76ac4a in create_new_thread(CONNECT*) /data/src/10.3/sql/mysqld.cc:6738:3
#5 0x7689cd in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6996:9
#6 0x75b3de in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6290:3
#7 0x74ed61 in main /data/src/10.3/sql/main.cc:25:10
#8 0x7fca9bfb4d09 in __libc_start_main csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-use-after-free (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x71bc16) in __asan_memcpy
Shadow bytes around the buggy address:
0x0c187fff9830: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c187fff9840: 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa
0x0c187fff9850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c187fff9860: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c187fff9870: 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa
=>0x0c187fff9880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
0x0c187fff9890: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c187fff98a0: 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa
0x0c187fff98b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff98c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff98d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3360048==ABORTING

Reproducible on all old minor versions I had handy.

Attachments

Activity

People

Assignee:: Oleksandr Byelkin

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2022-09-11 16:35

Updated:: 2023-11-28 10:34

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.