  1. MariaDB Server
  2. MDEV-29748

ASAN errors or server crash in File_parser::parse upon concurrent view operations


Details

    Description

      The test case is for reproduction purposes only: it depends on the timing of concurrent connections, so do not put it into the regression suite. Create a deterministic one instead.

      # Non-deterministic reproducer: three connections work on view `v` at the
      # same time (CREATE OR REPLACE on con1, UPDATE on con2, SELECT on default).
      # While the delimiter is $$, each compound block below is sent to the
      # server as one statement.
      --delimiter $$
      # con1: endless loop that keeps replacing the view definition.
      # The connection id is saved so the loop can be killed in the cleanup.
      --connect (con1,localhost,root,,)
      --let $con1id= `SELECT CONNECTION_ID()`
      --send
        LOOP
          CREATE OR REPLACE VIEW v AS SELECT 'x' AS a;
        END LOOP $$
       
      # con2: endless UPDATE through the view. The empty CONTINUE HANDLER
      # discards every SQLEXCEPTION, so a failing UPDATE does not end the loop.
      # This is the statement on the faulting stack of the ASAN report filed
      # with this test (mysql_update -> open_tables -> mysql_make_view ->
      # mariadb_view_version_get -> File_parser::parse).
      --connect (con2,localhost,root,,)
      --let $con2id= `SELECT CONNECTION_ID()`
      --send
        BEGIN NOT ATOMIC
          DECLARE CONTINUE HANDLER FOR SQLEXCEPTION BEGIN END;
          LOOP
            UPDATE v SET a = 'x';
          END LOOP;
        END $$
       
      # default connection: restore the ';' delimiter and read the view 10000
      # times while con1 and con2 keep running in the background. The loop
      # count only widens the race window; it does not guarantee a hit.
      --connection default
      --delimiter ;
      --let $run= 10000
      while ($run)
      {
        SELECT * FROM v;
        --dec $run
      }
       
      # Cleanup
      # Neither background loop terminates on its own and neither --send is
      # reaped, so both connections are killed by id before the view is dropped.
      --eval KILL $con1id
      --eval KILL $con2id
      DROP VIEW IF EXISTS v;
      

      10.3 d099bcad

      ==3858398==ERROR: AddressSanitizer: use-after-poison on address 0x61900015887b at pc 0x55a948b42569 bp 0x7fd439e0e770 sp 0x7fd439e0e768
      WRITE of size 1 at 0x61900015887b thread T7
          #0 0x55a948b42568 in File_parser::parse(unsigned char*, st_mem_root*, File_option*, unsigned int, Unknown_key_hook*) const /data/src/10.3/sql/parse_file.cc:845
          #1 0x55a94909b7f5 in mariadb_view_version_get(TABLE_SHARE*) /data/src/10.3/sql/sql_view.cc:1186
          #2 0x55a94909be8d in mysql_make_view(THD*, TABLE_SHARE*, TABLE_LIST*, bool) /data/src/10.3/sql/sql_view.cc:1256
          #3 0x55a948c660b4 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.3/sql/sql_base.cc:1911
          #4 0x55a948c6f99d in open_and_process_table /data/src/10.3/sql/sql_base.cc:3733
          #5 0x55a948c71fe1 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:4208
          #6 0x55a948d31238 in open_tables(THD*, TABLE_LIST**, unsigned int*, unsigned int) /data/src/10.3/sql/sql_base.h:473
          #7 0x55a94907a98d in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*) /data/src/10.3/sql/sql_update.cc:354
          #8 0x55a948ddca5b in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4344
          #9 0x55a948bc76a3 in sp_instr_stmt::exec_core(THD*, unsigned int*) /data/src/10.3/sql/sp_head.cc:3708
          #10 0x55a948bc5e7e in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) /data/src/10.3/sql/sp_head.cc:3438
          #11 0x55a948bc6e4c in sp_instr_stmt::execute(THD*, unsigned int*) /data/src/10.3/sql/sp_head.cc:3614
          #12 0x55a948bb8bd6 in sp_head::execute(THD*, bool) /data/src/10.3/sql/sp_head.cc:1377
          #13 0x55a948bbea3d in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.3/sql/sp_head.cc:2404
          #14 0x55a948dd3960 in do_execute_sp /data/src/10.3/sql/sql_parse.cc:3019
          #15 0x55a948de6eeb in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:5693
          #16 0x55a948df5607 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7855
          #17 0x55a948dccc55 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852
          #18 0x55a948dc980d in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398
          #19 0x55a94918ca81 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
          #20 0x55a94918c37d in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
          #21 0x55a94a737e9e in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
          #22 0x7fd444bcdea6 in start_thread nptl/pthread_create.c:477
          #23 0x7fd444aedaee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfcaee)
       
      0x61900015887b is located 507 bytes inside of 992-byte region [0x619000158680,0x619000158a60)
      allocated by thread T7 here:
          #0 0x7fd445470e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
          #1 0x55a94a84c1ba in my_malloc /data/src/10.3/mysys/my_malloc.c:101
          #2 0x55a94a828f79 in alloc_root /data/src/10.3/mysys/my_alloc.c:251
          #3 0x55a948b26a45 in Sql_alloc::operator new(unsigned long, st_mem_root*) /data/src/10.3/sql/sql_alloc.h:39
          #4 0x55a948b402e5 in sql_parse_prepare(st_mysql_const_lex_string const*, st_mem_root*, bool) /data/src/10.3/sql/parse_file.cc:425
          #5 0x55a9490abd62 in open_table_def(THD*, TABLE_SHARE*, unsigned int) /data/src/10.3/sql/table.cc:632
          #6 0x55a94936a95a in tdc_acquire_share(THD*, TABLE_LIST*, unsigned int, TABLE**) /data/src/10.3/sql/table_cache.cc:840
          #7 0x55a948c65d23 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.3/sql/sql_base.cc:1859
          #8 0x55a948c6f99d in open_and_process_table /data/src/10.3/sql/sql_base.cc:3733
          #9 0x55a948c71fe1 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:4208
          #10 0x55a948d31238 in open_tables(THD*, TABLE_LIST**, unsigned int*, unsigned int) /data/src/10.3/sql/sql_base.h:473
          #11 0x55a94907a98d in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*) /data/src/10.3/sql/sql_update.cc:354
          #12 0x55a948ddca5b in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4344
          #13 0x55a948bc76a3 in sp_instr_stmt::exec_core(THD*, unsigned int*) /data/src/10.3/sql/sp_head.cc:3708
          #14 0x55a948bc5e7e in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) /data/src/10.3/sql/sp_head.cc:3438
          #15 0x55a948bc6e4c in sp_instr_stmt::execute(THD*, unsigned int*) /data/src/10.3/sql/sp_head.cc:3614
          #16 0x55a948bb8bd6 in sp_head::execute(THD*, bool) /data/src/10.3/sql/sp_head.cc:1377
          #17 0x55a948bbea3d in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.3/sql/sp_head.cc:2404
          #18 0x55a948dd3960 in do_execute_sp /data/src/10.3/sql/sql_parse.cc:3019
          #19 0x55a948de6eeb in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:5693
          #20 0x55a948df5607 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7855
          #21 0x55a948dccc55 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852
          #22 0x55a948dc980d in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398
          #23 0x55a94918ca81 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
          #24 0x55a94918c37d in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
          #25 0x55a94a737e9e in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
          #26 0x7fd444bcdea6 in start_thread nptl/pthread_create.c:477
       
      Thread T7 created by T0 here:
          #0 0x7fd44541c2a2 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:214
          #1 0x55a94a73828b in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1919
          #2 0x55a948b01d76 in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1275
          #3 0x55a948b19f39 in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6668
          #4 0x55a948b1a699 in create_new_thread /data/src/10.3/sql/mysqld.cc:6738
          #5 0x55a948b1b7f2 in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6996
          #6 0x55a948b192b9 in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6290
          #7 0x55a948b00604 in main /data/src/10.3/sql/main.cc:25
          #8 0x7fd444a14d09 in __libc_start_main ../csu/libc-start.c:308
       
      SUMMARY: AddressSanitizer: use-after-poison /data/src/10.3/sql/parse_file.cc:845 in File_parser::parse(unsigned char*, st_mem_root*, File_option*, unsigned int, Unknown_key_hook*) const
      Shadow bytes around the buggy address:
        0x0c32800230b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c32800230c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c32800230d0: 00 00 00 00 f7 00 00 00 00 00 f7 00 00 00 00 00
        0x0c32800230e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c32800230f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0c3280023100: 00 00 00 00 00 00 00 04 f7 00 00 04 f7 00 00[03]
        0x0c3280023110: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c3280023120: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c3280023130: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c3280023140: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 fa fa fa fa
        0x0c3280023150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==3858398==ABORTING
      

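      Reading the report: the faulting 1-byte write at parse_file.cc:845 lands just past the addressable part of a granule (shadow byte 03) that borders f7 ("Poisoned by user") memory, inside a 992-byte block the same thread obtained through alloc_root while opening the table definition (tdc_acquire_share -> open_table_def -> sql_parse_prepare). The block is therefore still allocated; the write touches a part of it that was explicitly poisoned, not freed heap (fd).

      The failure started happening on 10.3 after this commit: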

      commit f65ba9aeb7eea75656c74da7c20cb4157cb8d943 98e62e631706f982a6b0e3a63909fa96f98aac5a
      Author:     Oleksandr Byelkin
      AuthorDate: Wed Apr 17 15:50:59 2019 +0200
      Commit:     Oleksandr Byelkin
      CommitDate: Fri Sep 30 12:11:37 2022 +0200
       
          MDEV-17124: mariadb 10.1.34, views and prepared statements:  ERROR 1615 (HY000): Prepared statement needs to be re-prepared
      


          People

            sanja Oleksandr Byelkin
            elenst Elena Stepanova