Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-29926

ASAN heap-use-after-free in Explain_query::~Explain_query

    XMLWordPrintable

Details

    Description

      CREATE TABLE t (a VARCHAR(1)) CHARACTER SET utf8mb3;
      EXECUTE IMMEDIATE "SELECT COUNT(*) FROM t WHERE a < (SELECT 'x')";
       
      # Cleanup
      DROP TABLE t;
      

      10.3 7d96cb47

      ==2019086==ERROR: AddressSanitizer: heap-use-after-free on address 0x62b000034838 at pc 0x55df0bfc85dc bp 0x7fe9d0fe33f0 sp 0x7fe9d0fe33e8
      READ of size 1 at 0x62b000034838 thread T5
          #0 0x55df0bfc85db in Explain_query::~Explain_query() /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_explain.cc:62
          #1 0x55df0bfd6570 in delete_explain_query(LEX*) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_explain.cc:2432
          #2 0x55df0bb911a4 in log_slow_statement(THD*) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_parse.cc:2560
          #3 0x55df0bb9035d in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_parse.cc:2427
          #4 0x55df0bb8986b in do_command(THD*) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_parse.cc:1398
          #5 0x55df0bf4d159 in do_handle_one_connection(CONNECT*) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_connect.cc:1403
          #6 0x55df0bf4ca55 in handle_one_connection /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_connect.cc:1308
          #7 0x55df0d4fa1ae in pfs_spawn_thread /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/storage/perfschema/pfs.cc:1869
          #8 0x7fe9dbd7aea6 in start_thread nptl/pthread_create.c:477
          #9 0x7fe9dbc9aaee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfcaee)
       
      0x62b000034838 is located 13880 bytes inside of 24608-byte region [0x62b000031200,0x62b000037220)
      freed by thread T5 here:
          #0 0x7fe9dc680b6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123
          #1 0x55df0d60f036 in my_free /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/mysys/my_malloc.c:223
          #2 0x55df0d5ec411 in free_root /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/mysys/my_alloc.c:430
          #3 0x55df0bbfe4f1 in Prepared_statement::~Prepared_statement() /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_prepare.cc:4057
          #4 0x55df0bbfe5f3 in Prepared_statement::~Prepared_statement() /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_prepare.cc:4059
          #5 0x55df0bbf8335 in mysql_sql_stmt_execute_immediate(THD*) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_prepare.cc:2995
          #6 0x55df0bb99e56 in mysql_execute_command(THD*) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_parse.cc:3877
          #7 0x55df0bbb5665 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_parse.cc:7855
          #8 0x55df0bb8ccb3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_parse.cc:1852
          #9 0x55df0bb8986b in do_command(THD*) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_parse.cc:1398
          #10 0x55df0bf4d159 in do_handle_one_connection(CONNECT*) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_connect.cc:1403
          #11 0x55df0bf4ca55 in handle_one_connection /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_connect.cc:1308
          #12 0x55df0d4fa1ae in pfs_spawn_thread /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/storage/perfschema/pfs.cc:1869
          #13 0x7fe9dbd7aea6 in start_thread nptl/pthread_create.c:477
       
      previously allocated by thread T5 here:
          #0 0x7fe9dc680e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
          #1 0x55df0d60e4ca in my_malloc /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/mysys/my_malloc.c:101
          #2 0x55df0d5ea249 in init_alloc_root /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/mysys/my_alloc.c:82
          #3 0x55df0beb80e0 in init_sql_alloc(st_mem_root*, char const*, unsigned int, unsigned int, unsigned long) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/thr_malloc.cc:65
          #4 0x55df0bbfdb53 in Prepared_statement::Prepared_statement(THD*) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_prepare.cc:3976
          #5 0x55df0bbf80c8 in mysql_sql_stmt_execute_immediate(THD*) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_prepare.cc:2963
          #6 0x55df0bb99e56 in mysql_execute_command(THD*) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_parse.cc:3877
          #7 0x55df0bbb5665 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_parse.cc:7855
          #8 0x55df0bb8ccb3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_parse.cc:1852
          #9 0x55df0bb8986b in do_command(THD*) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_parse.cc:1398
          #10 0x55df0bf4d159 in do_handle_one_connection(CONNECT*) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_connect.cc:1403
          #11 0x55df0bf4ca55 in handle_one_connection /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_connect.cc:1308
          #12 0x55df0d4fa1ae in pfs_spawn_thread /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/storage/perfschema/pfs.cc:1869
          #13 0x7fe9dbd7aea6 in start_thread nptl/pthread_create.c:477
       
      Thread T5 created by T0 here:
          #0 0x7fe9dc62c2a2 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:214
          #1 0x55df0d4fa59b in spawn_thread_v1 /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/storage/perfschema/pfs.cc:1919
          #2 0x55df0b8c1d86 in inline_mysql_thread_create /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/include/mysql/psi/mysql_thread.h:1275
          #3 0x55df0b8d9f63 in create_thread_to_handle_connection(CONNECT*) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/mysqld.cc:6677
          #4 0x55df0b8da6c3 in create_new_thread /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/mysqld.cc:6747
          #5 0x55df0b8db82d in handle_connections_sockets() /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/mysqld.cc:7005
          #6 0x55df0b8d92e3 in mysqld_main(int, char**) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/mysqld.cc:6299
          #7 0x55df0b8c0614 in main /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/main.cc:25
          #8 0x7fe9dbbc1d09 in __libc_start_main ../csu/libc-start.c:308
       
      SUMMARY: AddressSanitizer: heap-use-after-free /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_explain.cc:62 in Explain_query::~Explain_query()
      Shadow bytes around the buggy address:
        0x0c567fffe8b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c567fffe8c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c567fffe8d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c567fffe8e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c567fffe8f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      =>0x0c567fffe900: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
        0x0c567fffe910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c567fffe920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c567fffe930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c567fffe940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c567fffe950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==2019086==ABORTING
      

      The failure started happening on 10.3 after this commit:

      commit bd9274faa469cc164099c7497c18a0e0a9b1184b
      Author: Dmitry Shulga
      Date:   Mon Oct 17 15:05:17 2022 +0700
       
          MDEV-16128: Server crash in Item_func::print_op on 2nd execution of PS
          
          For some queries that involve tables with different but convertible
      

      Attachments

        Issue Links

          Activity

            People

              sanja Oleksandr Byelkin
              elenst Elena Stepanova
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.