MariaDB Server: MDEV-29926

ASAN heap-use-after-free in Explain_query::~Explain_query

    Description

      CREATE TABLE t (a VARCHAR(1)) CHARACTER SET utf8mb3;
      EXECUTE IMMEDIATE "SELECT COUNT(*) FROM t WHERE a < (SELECT 'x')";
       
      # Cleanup
      DROP TABLE t;
      

      10.3 7d96cb47

      ==2019086==ERROR: AddressSanitizer: heap-use-after-free on address 0x62b000034838 at pc 0x55df0bfc85dc bp 0x7fe9d0fe33f0 sp 0x7fe9d0fe33e8
      READ of size 1 at 0x62b000034838 thread T5
          #0 0x55df0bfc85db in Explain_query::~Explain_query() /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_explain.cc:62
          #1 0x55df0bfd6570 in delete_explain_query(LEX*) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_explain.cc:2432
          #2 0x55df0bb911a4 in log_slow_statement(THD*) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_parse.cc:2560
          #3 0x55df0bb9035d in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_parse.cc:2427
          #4 0x55df0bb8986b in do_command(THD*) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_parse.cc:1398
          #5 0x55df0bf4d159 in do_handle_one_connection(CONNECT*) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_connect.cc:1403
          #6 0x55df0bf4ca55 in handle_one_connection /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_connect.cc:1308
          #7 0x55df0d4fa1ae in pfs_spawn_thread /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/storage/perfschema/pfs.cc:1869
          #8 0x7fe9dbd7aea6 in start_thread nptl/pthread_create.c:477
          #9 0x7fe9dbc9aaee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfcaee)
       
      0x62b000034838 is located 13880 bytes inside of 24608-byte region [0x62b000031200,0x62b000037220)
      freed by thread T5 here:
          #0 0x7fe9dc680b6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123
          #1 0x55df0d60f036 in my_free /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/mysys/my_malloc.c:223
          #2 0x55df0d5ec411 in free_root /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/mysys/my_alloc.c:430
          #3 0x55df0bbfe4f1 in Prepared_statement::~Prepared_statement() /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_prepare.cc:4057
          #4 0x55df0bbfe5f3 in Prepared_statement::~Prepared_statement() /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_prepare.cc:4059
          #5 0x55df0bbf8335 in mysql_sql_stmt_execute_immediate(THD*) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_prepare.cc:2995
          #6 0x55df0bb99e56 in mysql_execute_command(THD*) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_parse.cc:3877
          #7 0x55df0bbb5665 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_parse.cc:7855
          #8 0x55df0bb8ccb3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_parse.cc:1852
          #9 0x55df0bb8986b in do_command(THD*) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_parse.cc:1398
          #10 0x55df0bf4d159 in do_handle_one_connection(CONNECT*) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_connect.cc:1403
          #11 0x55df0bf4ca55 in handle_one_connection /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_connect.cc:1308
          #12 0x55df0d4fa1ae in pfs_spawn_thread /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/storage/perfschema/pfs.cc:1869
          #13 0x7fe9dbd7aea6 in start_thread nptl/pthread_create.c:477
       
      previously allocated by thread T5 here:
          #0 0x7fe9dc680e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
          #1 0x55df0d60e4ca in my_malloc /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/mysys/my_malloc.c:101
          #2 0x55df0d5ea249 in init_alloc_root /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/mysys/my_alloc.c:82
          #3 0x55df0beb80e0 in init_sql_alloc(st_mem_root*, char const*, unsigned int, unsigned int, unsigned long) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/thr_malloc.cc:65
          #4 0x55df0bbfdb53 in Prepared_statement::Prepared_statement(THD*) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_prepare.cc:3976
          #5 0x55df0bbf80c8 in mysql_sql_stmt_execute_immediate(THD*) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_prepare.cc:2963
          #6 0x55df0bb99e56 in mysql_execute_command(THD*) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_parse.cc:3877
          #7 0x55df0bbb5665 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_parse.cc:7855
          #8 0x55df0bb8ccb3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_parse.cc:1852
          #9 0x55df0bb8986b in do_command(THD*) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_parse.cc:1398
          #10 0x55df0bf4d159 in do_handle_one_connection(CONNECT*) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_connect.cc:1403
          #11 0x55df0bf4ca55 in handle_one_connection /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_connect.cc:1308
          #12 0x55df0d4fa1ae in pfs_spawn_thread /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/storage/perfschema/pfs.cc:1869
          #13 0x7fe9dbd7aea6 in start_thread nptl/pthread_create.c:477
       
      Thread T5 created by T0 here:
          #0 0x7fe9dc62c2a2 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:214
          #1 0x55df0d4fa59b in spawn_thread_v1 /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/storage/perfschema/pfs.cc:1919
          #2 0x55df0b8c1d86 in inline_mysql_thread_create /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/include/mysql/psi/mysql_thread.h:1275
          #3 0x55df0b8d9f63 in create_thread_to_handle_connection(CONNECT*) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/mysqld.cc:6677
          #4 0x55df0b8da6c3 in create_new_thread /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/mysqld.cc:6747
          #5 0x55df0b8db82d in handle_connections_sockets() /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/mysqld.cc:7005
          #6 0x55df0b8d92e3 in mysqld_main(int, char**) /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/mysqld.cc:6299
          #7 0x55df0b8c0614 in main /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/main.cc:25
          #8 0x7fe9dbbc1d09 in __libc_start_main ../csu/libc-start.c:308
       
      SUMMARY: AddressSanitizer: heap-use-after-free /home/jenkins/workspace/sandbox-elenst/Nightly-Build-CS/src/sql/sql_explain.cc:62 in Explain_query::~Explain_query()
      Shadow bytes around the buggy address:
        0x0c567fffe8b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c567fffe8c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c567fffe8d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c567fffe8e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c567fffe8f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      =>0x0c567fffe900: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
        0x0c567fffe910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c567fffe920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c567fffe930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c567fffe940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c567fffe950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==2019086==ABORTING
      

      The failure started happening on 10.3 after this commit:

      commit bd9274faa469cc164099c7497c18a0e0a9b1184b
      Author: Dmitry Shulga
      Date:   Mon Oct 17 15:05:17 2022 +0700
       
          MDEV-16128: Server crash in Item_func::print_op on 2nd execution of PS
          
          For some queries that involve tables with different but convertible
      
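      The ASAN report above shows the ordering problem behind the crash: the Explain_query object lives in the memory root owned by the Prepared_statement, ~Prepared_statement calls free_root() on that memory in mysql_sql_stmt_execute_immediate(), and only afterwards log_slow_statement() calls delete_explain_query(), whose destructor reads the now-freed object. The C program below is an added, constructed model of that lifetime bug and of the ordering that avoids it; it is not MariaDB code, and Statement, Arena and Explain are hypothetical stand-ins for Prepared_statement, MEM_ROOT and Explain_query. To stay free of undefined behaviour the model never hands the arena back to malloc; releasing it fills the bytes with 0xfd, mirroring the "freed heap region" shadow byte ASAN uses, so a stale read is observable instead of undefined.

```c
#include <assert.h>
#include <stddef.h>
#include <string.h>

/* Constructed model (not MariaDB code) of the lifetime bug in the trace:
 * an Explain object is carved out of a statement's arena, the arena is
 * released in the statement's destructor, and a later cleanup step still
 * dereferences the arena-backed object. The arena is poisoned on release
 * rather than freed so the stale read can be checked safely. */

#define POISON 0xfd      /* same value as ASAN's "freed heap region" shadow byte */
#define ARENA_SIZE 256
#define LIVE_MAGIC 0x5a  /* marker written into a live Explain */

typedef struct {
    unsigned char buf[ARENA_SIZE];
    size_t used;
    int released;        /* set once the owner has "freed" the arena */
} Arena;

typedef struct {
    unsigned char magic; /* LIVE_MAGIC while the object is live */
    int rows_examined;
} Explain;

typedef struct {
    Arena root;          /* stand-in for Prepared_statement::main_mem_root */
    Explain *explain;    /* points into root, like lex->explain */
} Statement;

static void *arena_alloc(Arena *a, size_t n) {
    if (a->used + n > ARENA_SIZE) return NULL;
    void *p = a->buf + a->used;
    a->used += n;
    return p;
}

/* Release the arena: real code would call free(); here we poison instead. */
static void arena_release(Arena *a) {
    memset(a->buf, POISON, ARENA_SIZE);
    a->released = 1;
}

static void statement_init(Statement *s) {
    memset(s, 0, sizeof *s);
    s->explain = arena_alloc(&s->root, sizeof *s->explain);
    s->explain->magic = LIVE_MAGIC;
    s->explain->rows_examined = 42;
}

/* Returns the byte the destructor observed, so a caller can check it.
 * The read of e->magic plays the role of the "READ of size 1" ASAN flagged. */
static unsigned char explain_destroy(Explain *e) {
    unsigned char seen = e->magic;
    e->magic = 0;
    return seen;
}

/* Buggy order, as in the trace: the statement destructor frees the root
 * first, then the slow-log step deletes the Explain that lived inside it.
 * Returns POISON, i.e. the destructor read freed memory. */
static unsigned char run_buggy_order(void) {
    Statement s;
    statement_init(&s);
    arena_release(&s.root);              /* free_root() in ~Prepared_statement */
    return explain_destroy(s.explain);   /* delete_explain_query() too late */
}

/* Fixed order: destroy everything that lives in the root before releasing
 * it, and clear the dangling pointer so a later cleanup pass is a no-op.
 * Returns LIVE_MAGIC, i.e. the destructor saw an intact object. */
static unsigned char run_fixed_order(void) {
    Statement s;
    statement_init(&s);
    unsigned char seen = explain_destroy(s.explain);
    s.explain = NULL;
    arena_release(&s.root);
    if (s.explain)                       /* later cleanup finds nothing to touch */
        explain_destroy(s.explain);
    return seen;
}

int main(void) {
    assert(run_buggy_order() == POISON);
    assert(run_fixed_order() == LIVE_MAGIC);
    return 0;
}
```

      The defensive point is the one the fixed path shows: any object allocated from a memory root must be torn down before free_root(), and the pointer to it cleared, so that a later cleanup hook such as the slow-log path cannot reach freed memory. Building the server with -fsanitize=address, as the reporter did, is what turns this silent stale read into the abort shown above.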

            People

              sanja Oleksandr Byelkin
              elenst Elena Stepanova