[MDEV-29748] ASAN errors or server crash in File_parser::parse upon concurrent view operations - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Blocker
Resolution: Fixed
Affects Version/s: 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL)
Fix Version/s: 10.3.37, 10.4.27, 10.5.18, 10.6.11, 10.7.7, 10.8.6, 10.9.4, 10.10.2
Component/s: Views
Labels:
- regression

Description

The test case is for reproducing purposes only, don't put it into the regression suite! Create a deterministic one instead.

--delimiter $$

--connect (con1,localhost,root,,)

--let $con1id= `SELECT CONNECTION_ID()`

--send

  LOOP

    CREATE OR REPLACE VIEW v AS SELECT 'x' AS a;

  END LOOP $$

--connect (con2,localhost,root,,)

--let $con2id= `SELECT CONNECTION_ID()`

--send

  BEGIN NOT ATOMIC

    DECLARE CONTINUE HANDLER FOR SQLEXCEPTION BEGIN END;

    LOOP

      UPDATE v SET a = 'x';

    END LOOP;

  END $$

--connection default

--delimiter ;

--let $run= 10000

while ($run)

  SELECT * FROM v;

  --dec $run

# Cleanup

--eval KILL $con1id

--eval KILL $con2id

DROP VIEW IF EXISTS v;

10.3 d099bcad
==3858398==ERROR: AddressSanitizer: use-after-poison on address 0x61900015887b at pc 0x55a948b42569 bp 0x7fd439e0e770 sp 0x7fd439e0e768
WRITE of size 1 at 0x61900015887b thread T7
#0 0x55a948b42568 in File_parser::parse(unsigned char, st_mem_root, File_option, unsigned int, Unknown_key_hook) const /data/src/10.3/sql/parse_file.cc:845
#1 0x55a94909b7f5 in mariadb_view_version_get(TABLE_SHARE*) /data/src/10.3/sql/sql_view.cc:1186
#2 0x55a94909be8d in mysql_make_view(THD, TABLE_SHARE, TABLE_LIST*, bool) /data/src/10.3/sql/sql_view.cc:1256
#3 0x55a948c660b4 in open_table(THD, TABLE_LIST, Open_table_context*) /data/src/10.3/sql/sql_base.cc:1911
#4 0x55a948c6f99d in open_and_process_table /data/src/10.3/sql/sql_base.cc:3733
#5 0x55a948c71fe1 in open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:4208
#6 0x55a948d31238 in open_tables(THD, TABLE_LIST, unsigned int, unsigned int) /data/src/10.3/sql/sql_base.h:473
#7 0x55a94907a98d in mysql_update(THD, TABLE_LIST, List<Item>&, List<Item>&, Item, unsigned int, st_order, unsigned long long, bool, unsigned long long, unsigned long long) /data/src/10.3/sql/sql_update.cc:354
#8 0x55a948ddca5b in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4344
#9 0x55a948bc76a3 in sp_instr_stmt::exec_core(THD, unsigned int) /data/src/10.3/sql/sp_head.cc:3708
#10 0x55a948bc5e7e in sp_lex_keeper::reset_lex_and_exec_core(THD, unsigned int, bool, sp_instr*) /data/src/10.3/sql/sp_head.cc:3438
#11 0x55a948bc6e4c in sp_instr_stmt::execute(THD, unsigned int) /data/src/10.3/sql/sp_head.cc:3614
#12 0x55a948bb8bd6 in sp_head::execute(THD*, bool) /data/src/10.3/sql/sp_head.cc:1377
#13 0x55a948bbea3d in sp_head::execute_procedure(THD, List<Item>) /data/src/10.3/sql/sp_head.cc:2404
#14 0x55a948dd3960 in do_execute_sp /data/src/10.3/sql/sql_parse.cc:3019
#15 0x55a948de6eeb in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:5693
#16 0x55a948df5607 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7855
#17 0x55a948dccc55 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852
#18 0x55a948dc980d in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398
#19 0x55a94918ca81 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
#20 0x55a94918c37d in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
#21 0x55a94a737e9e in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
#22 0x7fd444bcdea6 in start_thread nptl/pthread_create.c:477
#23 0x7fd444aedaee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfcaee)

0x61900015887b is located 507 bytes inside of 992-byte region [0x619000158680,0x619000158a60)
allocated by thread T7 here:
#0 0x7fd445470e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55a94a84c1ba in my_malloc /data/src/10.3/mysys/my_malloc.c:101
#2 0x55a94a828f79 in alloc_root /data/src/10.3/mysys/my_alloc.c:251
#3 0x55a948b26a45 in Sql_alloc::operator new(unsigned long, st_mem_root*) /data/src/10.3/sql/sql_alloc.h:39
#4 0x55a948b402e5 in sql_parse_prepare(st_mysql_const_lex_string const, st_mem_root, bool) /data/src/10.3/sql/parse_file.cc:425
#5 0x55a9490abd62 in open_table_def(THD, TABLE_SHARE, unsigned int) /data/src/10.3/sql/table.cc:632
#6 0x55a94936a95a in tdc_acquire_share(THD, TABLE_LIST, unsigned int, TABLE**) /data/src/10.3/sql/table_cache.cc:840
#7 0x55a948c65d23 in open_table(THD, TABLE_LIST, Open_table_context*) /data/src/10.3/sql/sql_base.cc:1859
#8 0x55a948c6f99d in open_and_process_table /data/src/10.3/sql/sql_base.cc:3733
#9 0x55a948c71fe1 in open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:4208
#10 0x55a948d31238 in open_tables(THD, TABLE_LIST, unsigned int, unsigned int) /data/src/10.3/sql/sql_base.h:473
#11 0x55a94907a98d in mysql_update(THD, TABLE_LIST, List<Item>&, List<Item>&, Item, unsigned int, st_order, unsigned long long, bool, unsigned long long, unsigned long long) /data/src/10.3/sql/sql_update.cc:354
#12 0x55a948ddca5b in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4344
#13 0x55a948bc76a3 in sp_instr_stmt::exec_core(THD, unsigned int) /data/src/10.3/sql/sp_head.cc:3708
#14 0x55a948bc5e7e in sp_lex_keeper::reset_lex_and_exec_core(THD, unsigned int, bool, sp_instr*) /data/src/10.3/sql/sp_head.cc:3438
#15 0x55a948bc6e4c in sp_instr_stmt::execute(THD, unsigned int) /data/src/10.3/sql/sp_head.cc:3614
#16 0x55a948bb8bd6 in sp_head::execute(THD*, bool) /data/src/10.3/sql/sp_head.cc:1377
#17 0x55a948bbea3d in sp_head::execute_procedure(THD, List<Item>) /data/src/10.3/sql/sp_head.cc:2404
#18 0x55a948dd3960 in do_execute_sp /data/src/10.3/sql/sql_parse.cc:3019
#19 0x55a948de6eeb in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:5693
#20 0x55a948df5607 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7855
#21 0x55a948dccc55 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852
#22 0x55a948dc980d in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398
#23 0x55a94918ca81 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
#24 0x55a94918c37d in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
#25 0x55a94a737e9e in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
#26 0x7fd444bcdea6 in start_thread nptl/pthread_create.c:477

Thread T7 created by T0 here:
#0 0x7fd44541c2a2 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:214
#1 0x55a94a73828b in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1919
#2 0x55a948b01d76 in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1275
#3 0x55a948b19f39 in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6668
#4 0x55a948b1a699 in create_new_thread /data/src/10.3/sql/mysqld.cc:6738
#5 0x55a948b1b7f2 in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6996
#6 0x55a948b192b9 in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6290
#7 0x55a948b00604 in main /data/src/10.3/sql/main.cc:25
#8 0x7fd444a14d09 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: use-after-poison /data/src/10.3/sql/parse_file.cc:845 in File_parser::parse(unsigned char, st_mem_root, File_option, unsigned int, Unknown_key_hook) const
Shadow bytes around the buggy address:
0x0c32800230b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c32800230c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c32800230d0: 00 00 00 00 f7 00 00 00 00 00 f7 00 00 00 00 00
0x0c32800230e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c32800230f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3280023100: 00 00 00 00 00 00 00 04 f7 00 00 04 f7 00 00[03]
0x0c3280023110: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c3280023120: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c3280023130: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c3280023140: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 fa fa fa fa
0x0c3280023150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3858398==ABORTING

The failure started happening on 10.3 after this commit:

commit f65ba9aeb7eea75656c74da7c20cb4157cb8d943 98e62e631706f982a6b0e3a63909fa96f98aac5a

Author:     Oleksandr Byelkin

AuthorDate: Wed Apr 17 15:50:59 2019 +0200

Commit:     Oleksandr Byelkin

CommitDate: Fri Sep 30 12:11:37 2022 +0200

    MDEV-17124: mariadb 10.1.34, views and prepared statements:  ERROR 1615 (HY000): Prepared statement needs to be re-prepared

Attachments

Activity

People

Assignee:: Oleksandr Byelkin

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2022-10-08 16:35

Updated:: 2022-10-24 12:36

Resolved:: 2022-10-24 12:35

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.