MariaDB Server / MDEV-29520

ASAN heap-use-after-poison in row_merge_spatial_rows()

    Description

      There are two open bugs with similar stack traces, MDEV-27224 and MDEV-27223, but those are about virtual columns / unique blobs. This one isn't, and 10.3 is affected as well.

      --source include/have_innodb.inc
       
      CREATE TABLE t (a VARCHAR(8192), b POINT NOT NULL, PRIMARY KEY(a(8)), SPATIAL(b)) ENGINE=InnoDB;
      INSERT INTO t VALUES (REPEAT('MariaDB Corporation Ab ',351),POINT(0,0));
      ALTER TABLE t FORCE;
       
      # Cleanup
      DROP TABLE t;
      

      10.3 43745b7e

      ==4075358==ERROR: AddressSanitizer: use-after-poison on address 0x6310000a09b0 at pc 0x00000071bc17 bp 0x7fef59f4d4b0 sp 0x7fef59f4cc78
      READ of size 8 at 0x6310000a09b0 thread T27
          #0 0x71bc16 in __asan_memcpy (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x71bc16)
          #1 0x20a2211 in void rec_convert_dtuple_to_rec_comp<false>(unsigned char*, dict_index_t const*, dfield_t const*, unsigned long, rec_comp_status_t, bool) /data/src/10.3/storage/innobase/rem/rem0rec.cc:1597:4
          #2 0x209a2ea in rec_convert_dtuple_to_rec_new(unsigned char*, dict_index_t const*, dtuple_t const*) /data/src/10.3/storage/innobase/rem/rem0rec.cc:1633:2
          #3 0x2099d7b in rec_convert_dtuple_to_rec(unsigned char*, dict_index_t const*, dtuple_t const*, unsigned long) /data/src/10.3/storage/innobase/rem/rem0rec.cc:1662:9
          #4 0x248c0a7 in page_cur_tuple_insert(page_cur_t*, dtuple_t const*, dict_index_t*, unsigned short**, mem_block_info_t**, unsigned long, mtr_t*) /data/src/10.3/storage/innobase/include/page0cur.inl:277:8
          #5 0x2488aa1 in btr_cur_optimistic_insert(unsigned long, btr_cur_t*, unsigned short**, mem_block_info_t**, dtuple_t*, unsigned char**, big_rec_t**, unsigned long, que_thr_t*, mtr_t*) /data/src/10.3/storage/innobase/btr/btr0cur.cc:3473:10
          #6 0x21673b8 in index_tuple_info_t::insert(unsigned long, mem_block_info_t*, btr_pcur_t*, mtr_t*) /data/src/10.3/storage/innobase/row/row0merge.cc:186:12
          #7 0x2155ab6 in row_merge_spatial_rows(unsigned long, index_tuple_info_t**, unsigned long, mem_block_info_t*, mem_block_info_t*, btr_pcur_t*, mtr_t*) /data/src/10.3/storage/innobase/row/row0merge.cc:1595:23
          #8 0x2140474 in row_merge_read_clustered_index(trx_t*, TABLE*, dict_table_t const*, dict_table_t*, bool, dict_index_t**, dict_index_t*, fts_psort_t*, merge_file_t*, unsigned long const*, unsigned long, dtuple_t const*, dict_add_v_col_t const*, unsigned long const*, unsigned long, ib_sequence_t&, unsigned char*, bool, pfs_os_file_t*, ut_stage_alter_t*, double, unsigned char*, TABLE*, bool) /data/src/10.3/storage/innobase/row/row0merge.cc:1952:10
          #9 0x213a5c2 in row_merge_build_indexes(trx_t*, dict_table_t*, dict_table_t*, bool, dict_index_t**, unsigned long const*, unsigned long, TABLE*, dtuple_t const*, unsigned long const*, unsigned long, ib_sequence_t&, bool, ut_stage_alter_t*, dict_add_v_col_t const*, TABLE*, bool) /data/src/10.3/storage/innobase/row/row0merge.cc:4735:10
          #10 0x1dfab6e in ha_innobase::inplace_alter_table(TABLE*, Alter_inplace_info*) /data/src/10.3/storage/innobase/handler/handler0alter.cc:7209:10
          #11 0xeb40e0 in handler::ha_inplace_alter_table(TABLE*, Alter_inplace_info*) /data/src/10.3/sql/handler.h:4147:11
          #12 0xe96a38 in mysql_inplace_alter_table(THD*, TABLE_LIST*, TABLE*, TABLE*, Alter_inplace_info*, MDL_request*, Alter_table_ctx*) /data/src/10.3/sql/sql_table.cc:7773:21
          #13 0xe83bf4 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.3/sql/sql_table.cc:10111:16
          #14 0x109a120 in Sql_cmd_alter_table::execute(THD*) /data/src/10.3/sql/sql_alter.cc:512:11
          #15 0xb6aed0 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:6076:26
          #16 0xb43016 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7871:18
          #17 0xb33b9c in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852:7
          #18 0xb3ce9c in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398:17
          #19 0x10830e6 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403:11
          #20 0x10827b3 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308:3
          #21 0x2e99251 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869:3
          #22 0x7fef706e8ea6 in start_thread nptl/pthread_create.c:477:8
          #23 0x7fef705f3dee in clone misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
       
      0x6310000a09b0 is located 432 bytes inside of 65664-byte region [0x6310000a0800,0x6310000b0880)
      allocated by thread T27 here:
          #0 0x71c7bd in malloc (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x71c7bd)
          #1 0x1f9c6e0 in mem_heap_create_block_func(mem_block_info_t*, unsigned long, char const*, unsigned int, unsigned long) /data/src/10.3/storage/innobase/mem/mem0mem.cc:277:37
          #2 0x2126ca1 in mem_heap_create_func(unsigned long, char const*, unsigned int, unsigned long) /data/src/10.3/storage/innobase/include/mem0mem.inl:375:10
          #3 0x213fe56 in row_merge_read_clustered_index(trx_t*, TABLE*, dict_table_t const*, dict_table_t*, bool, dict_index_t**, dict_index_t*, fts_psort_t*, merge_file_t*, unsigned long const*, unsigned long, dtuple_t const*, dict_add_v_col_t const*, unsigned long const*, unsigned long, ib_sequence_t&, unsigned char*, bool, pfs_os_file_t*, ut_stage_alter_t*, double, unsigned char*, TABLE*, bool) /data/src/10.3/storage/innobase/row/row0merge.cc:1892:13
          #4 0x213a5c2 in row_merge_build_indexes(trx_t*, dict_table_t*, dict_table_t*, bool, dict_index_t**, unsigned long const*, unsigned long, TABLE*, dtuple_t const*, unsigned long const*, unsigned long, ib_sequence_t&, bool, ut_stage_alter_t*, dict_add_v_col_t const*, TABLE*, bool) /data/src/10.3/storage/innobase/row/row0merge.cc:4735:10
          #5 0x1dfab6e in ha_innobase::inplace_alter_table(TABLE*, Alter_inplace_info*) /data/src/10.3/storage/innobase/handler/handler0alter.cc:7209:10
          #6 0xeb40e0 in handler::ha_inplace_alter_table(TABLE*, Alter_inplace_info*) /data/src/10.3/sql/handler.h:4147:11
          #7 0xe96a38 in mysql_inplace_alter_table(THD*, TABLE_LIST*, TABLE*, TABLE*, Alter_inplace_info*, MDL_request*, Alter_table_ctx*) /data/src/10.3/sql/sql_table.cc:7773:21
          #8 0xe83bf4 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.3/sql/sql_table.cc:10111:16
          #9 0x109a120 in Sql_cmd_alter_table::execute(THD*) /data/src/10.3/sql/sql_alter.cc:512:11
          #10 0xb6aed0 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:6076:26
          #11 0xb43016 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7871:18
          #12 0xb33b9c in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852:7
          #13 0xb3ce9c in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398:17
          #14 0x10830e6 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403:11
          #15 0x10827b3 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308:3
          #16 0x2e99251 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869:3
          #17 0x7fef706e8ea6 in start_thread nptl/pthread_create.c:477:8
       
      Thread T27 created by T0 here:
          #0 0x7071ea in pthread_create (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x7071ea)
          #1 0x2e9f4f9 in spawn_thread_v1(unsigned int, unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /data/src/10.3/storage/perfschema/pfs.cc:1919:15
          #2 0x757a1a in inline_mysql_thread_create(unsigned int, unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /data/src/10.3/include/mysql/psi/mysql_thread.h:1275:11
          #3 0x769453 in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6668:15
          #4 0x76ac4a in create_new_thread(CONNECT*) /data/src/10.3/sql/mysqld.cc:6738:3
          #5 0x7689cd in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6996:9
          #6 0x75b3de in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6290:3
          #7 0x74ed61 in main /data/src/10.3/sql/main.cc:25:10
          #8 0x7fef7051cd09 in __libc_start_main csu/../csu/libc-start.c:308:16
       
      SUMMARY: AddressSanitizer: use-after-poison (/mnt8t/bld/10.3-asan-nightly/bin/mysqld+0x71bc16) in __asan_memcpy
      Shadow bytes around the buggy address:
        0x0c628000c0e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c628000c0f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c628000c100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c628000c110: f7 00 00 00 00 00 07 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c628000c120: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      =>0x0c628000c130: f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c628000c140: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c628000c150: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c628000c160: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c628000c170: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c628000c180: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==4075358==ABORTING
      

      Activity

            marko Marko Mäkelä added a comment - The issue was that row_merge_read_clustered_index() would invoke mem_heap_free(row_heap) before invoking row_merge_spatial_rows(), which would access some data that was allocated from the heap.
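The ordering problem described in the comment above, as an added example that is not MariaDB or InnoDB code: a toy arena allocator keeps an ASan-style shadow map (one byte per 8 application bytes, `0x00` addressable, `0xf7` "poisoned by user", the same value that fills the shadow dump in the report), a deferred batch holds pointers to rows carved out of that arena the way the spatial-index insert buffer holds tuples from the row heap, and the batch is flushed either after the arena is released (the reported ordering) or before it (the corrected ordering). All names (`arena_*`, `batch_*`, `queue_row`, `buggy_ordering`, `fixed_ordering`) are invented for this illustration.

```c
/* Added example, not MariaDB code. A toy arena with an ASan-style shadow map
 * shows why releasing the row heap before flushing deferred spatial rows is
 * reported as "use-after-poison": the bytes are still mapped, but every
 * granule of the freed region is marked unreadable. Names are invented. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARENA_BYTES 4096
#define GRANULE     8      /* one shadow byte covers 8 application bytes */
#define SHADOW_OK   0x00   /* "Addressable" in ASan's legend */
#define SHADOW_USER 0xf7   /* "Poisoned by user" in ASan's legend */

typedef struct {
    unsigned char mem[ARENA_BYTES];
    unsigned char shadow[ARENA_BYTES / GRANULE];
    size_t used;
} arena_t;

static void arena_init(arena_t *a) {
    a->used = 0;
    memset(a->shadow, SHADOW_USER, sizeof a->shadow); /* unallocated = poisoned */
}

/* Bump allocation; each allocation is rounded up to whole granules. */
static void *arena_alloc(arena_t *a, size_t n) {
    n = (n + GRANULE - 1) / GRANULE * GRANULE;
    if (a->used + n > ARENA_BYTES) return NULL;
    void *p = a->mem + a->used;
    memset(a->shadow + a->used / GRANULE, SHADOW_OK, n / GRANULE);
    a->used += n;
    return p;
}

/* Like a heap free under ASan: the region is poisoned, not unmapped. */
static void arena_free(arena_t *a) {
    memset(a->shadow, SHADOW_USER, sizeof a->shadow);
    a->used = 0;
}

/* Instrumented copy: returns 0 on success, -1 if any granule touched by the
 * read is poisoned (this is the point at which ASan would abort). */
static int arena_checked_read(const arena_t *a, const void *src, void *dst, size_t n) {
    size_t off = (size_t)((const unsigned char *)src - a->mem);
    for (size_t i = off / GRANULE; i < (off + n + GRANULE - 1) / GRANULE; i++)
        if (a->shadow[i] != SHADOW_OK) return -1;
    memcpy(dst, src, n);
    return 0;
}

/* Deferred inserts: only pointers into the arena are kept, not copies. */
typedef struct { const char *rows[16]; int count; } batch_t;

static void batch_add(batch_t *b, const char *row) { b->rows[b->count++] = row; }

/* Flush the batch by reading each queued row; returns the number of reads
 * that hit poisoned memory. */
static int batch_flush(batch_t *b, const arena_t *a) {
    int bad = 0;
    char buf[16];
    for (int i = 0; i < b->count; i++)
        if (arena_checked_read(a, b->rows[i], buf, sizeof buf) != 0) bad++;
    b->count = 0;
    return bad;
}

/* One scanned row: build a small tuple in the arena and queue it. */
static void queue_row(arena_t *a, batch_t *b, int i) {
    char *row = arena_alloc(a, 16);
    snprintf(row, 16, "POINT(%d 0)", i);
    batch_add(b, row);
}

/* Reported ordering: arena released first, deferred rows flushed afterwards. */
int buggy_ordering(void) {
    arena_t a; batch_t b = {0};
    arena_init(&a);
    for (int i = 0; i < 4; i++) queue_row(&a, &b, i);
    arena_free(&a);               /* heap freed ...                       */
    return batch_flush(&b, &a);   /* ... then rows inside it are read: 4 hits */
}

/* Corrected ordering: flush while the rows the batch points to are live. */
int fixed_ordering(void) {
    arena_t a; batch_t b = {0};
    arena_init(&a);
    for (int i = 0; i < 4; i++) queue_row(&a, &b, i);
    int bad = batch_flush(&b, &a);
    arena_free(&a);
    return bad;                   /* 0 hits */
}

int main(void) {
    printf("buggy ordering: %d poisoned reads\n", buggy_ordering());
    printf("fixed ordering: %d poisoned reads\n", fixed_ordering());
    return 0;
}
```

The shadow map is what makes the difference between a silent read of stale bytes and a diagnosed failure: without instrumentation the flush in `buggy_ordering` would appear to succeed, which is why this class of bug tends to surface only in ASan builds. Either flushing before the free or allocating the deferred tuples from a heap that outlives the batch removes the dangling pointers.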

            People

              marko Marko Mäkelä
              elenst Elena Stepanova