MariaDB Server / MDEV-30926

Segfault after MyISAM repair of vcol-indexed table


Details

    Description

      SIGSEGV in l_find or lf_hash_destroy on UPDATE or INSERT depending on version, ASAN: heap-use-after-free in Field::set_notnull

      SET sql_mode='';
      CREATE TABLE t2 (a INT GENERATED ALWAYS AS (1) VIRTUAL,KEY(a)) ENGINE=MyISAM;
      CREATE TABLE t1 (a INT) ENGINE=InnoDB;
      INSERT INTO t1 VALUES (1);
      XA START 'a';
      UPDATE t1,non_existing_1 SET 1=1;
      DELETE FROM mysql.db;
      INSERT INTO t1 VALUES (1);
      INSERT INTO t2 (SELECT 1);
      INSERT INTO non_existing_2 VALUES (1);  # Crashing on 2nd execution on 10.6 (opt), 10.8 (dbg+opt), 10.10 (opt)
      UPDATE t2 SET a=1;
      SELECT SLEEP (1);  # Shows server gone
      

      Leads to:

      11.0.1 f2dc4d4c10ac36a73b5c1eb765352d3aee808d66 (Optimized)

      Core was generated by `/test/MD180223-mariadb-11.0.1-linux-x86_64-opt/bin/mariadbd --no-defaults --cor'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  l_find (head=0x14b8e8057df8, head@entry=0x55efd1933010, cs=cs@entry=0x0, 
          hashnr=hashnr@entry=0, 
          key=key@entry=0x7ffdaced3a68 "\310\070\265\321\357U", 
          keylen=keylen@entry=0, cursor=cursor@entry=0x7ffdaced38e0, 
          pins=<optimized out>, callback=<optimized out>)
          at /test/11.0_opt/mysys/lf_hash.cc:114
      [Current thread is 1 (Thread 0x14b9dfd26480 (LWP 843505))]
      (gdb) bt
      #0  l_find (head=0x14b8e8057df8, head@entry=0x55efd1933010, cs=cs@entry=0x0, hashnr=hashnr@entry=0, key=key@entry=0x7ffdaced3a68 "\310\070\265\321\357U", keylen=keylen@entry=0, cursor=cursor@entry=0x7ffdaced38e0, pins=<optimized out>, callback=<optimized out>) at /test/11.0_opt/mysys/lf_hash.cc:114
      #1  0x000055efceb986ef in lf_hash_iterate (hash=0x55efcf666560 <tdc_hash>, pins=0x55efd1a0b1f0, action=0x55efce666d70 <tc_purge_callback(TDC_element*, Share_free_tables::List*)>, argument=0x7ffdaced3a68) at /test/11.0_opt/mysys/lf_hash.cc:531
      #2  0x000055efce668496 in tdc_iterate (thd=thd@entry=0x0, action=action@entry=0x55efce666d70 <tc_purge_callback(TDC_element*, Share_free_tables::List*)>, argument=argument@entry=0x7ffdaced3a68, no_dups=no_dups@entry=false) at /test/11.0_opt/sql/table_cache.cc:1186
      #3  0x000055efce6686ca in tc_purge () at /test/11.0_opt/sql/table_cache.cc:315
      #4  0x000055efce427f52 in purge_tables () at /test/11.0_opt/sql/sql_base.cc:326
      #5  0x000055efce667481 in tdc_start_shutdown () at /test/11.0_opt/sql/table_cache.cc:639
      #6  0x000055efce38d953 in clean_up (print_message=true) at /test/11.0_opt/sql/mysqld.cc:1994
      #7  clean_up (print_message=<optimized out>) at /test/11.0_opt/sql/mysqld.cc:1961
      #8  0x000055efce3960a7 in mysqld_main (argc=<optimized out>, argv=<optimized out>) at /test/11.0_opt/sql/mysqld.cc:6047
      #9  0x000014b9dfffdd90 in __libc_start_call_main (main=main@entry=0x55efce34d540 <main(int, char**)>, argc=argc@entry=10, argv=argv@entry=0x7ffdaced3f18) at ../sysdeps/nptl/libc_start_call_main.h:58
      #10 0x000014b9dfffde40 in __libc_start_main_impl (main=0x55efce34d540 <main(int, char**)>, argc=10, argv=0x7ffdaced3f18, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffdaced3f08) at ../csu/libc-start.c:392
      #11 0x000055efce38b6e5 in _start ()
      

      The issue does not appear sporadic. Interestingly, however, versions 10.6 (opt), 10.8 (dbg+opt) and 10.10 (opt) do not immediately crash on the testcase above; when the testcase is repeated in the same client session, we see a different crash location (the final INSERT) with a different stack:

      10.6.13 6aec87544c675751141100d6efe3a2d943cb528f (Optimized)

      Core was generated by `/test/MD110223-mariadb-10.6.13-linux-x86_64-opt/bin/mariadbd --no-defaults --co'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  l_find (head=0x150e2c058898, head@entry=0x55b4de464b88, 
          cs=0x55b4dd4c5c00 <my_charset_bin>, hashnr=<optimized out>, 
          key=key@entry=0x150e2c010c49 "test", keylen=keylen@entry=20, 
          cursor=cursor@entry=0x150ec40a5b30, pins=<optimized out>, 
          callback=<optimized out>) at /test/10.6_opt/mysys/lf_hash.cc:114
      [Current thread is 1 (Thread 0x150ec40a8640 (LWP 867199))]
      (gdb) bt
      #0  l_find (head=0x150e2c058898, head@entry=0x55b4de464b88, cs=0x55b4dd4c5c00 <my_charset_bin>, hashnr=<optimized out>, key=key@entry=0x150e2c010c49 "test", keylen=keylen@entry=20, cursor=cursor@entry=0x150ec40a5b30, pins=<optimized out>, callback=<optimized out>) at /test/10.6_opt/mysys/lf_hash.cc:114
      #1  0x000055b4dcbba045 in l_search (pins=0x55b4de45d2e0, keylen=20, key=0x150e2c010c49 "test", hashnr=<optimized out>, cs=<optimized out>, head=0x55b4de464b88) at /test/10.6_opt/mysys/lf_hash.cc:298
      #2  lf_hash_search_using_hash_value (hash=0x55b4dd56b880 <tdc_hash>, pins=0x55b4de45d2e0, hashnr=<optimized out>, key=0x150e2c010c49, keylen=20) at /test/10.6_opt/mysys/lf_hash.cc:501
      #3  0x000055b4dc66a110 in tdc_acquire_share (thd=thd@entry=0x150e2c000c68, tl=tl@entry=0x150e2c0107a0, flags=flags@entry=3, out_table=out_table@entry=0x150ec40a5c50) at /test/10.6_opt/sql/table_cache.cc:813
      #4  0x000055b4dc4531ad in open_table (thd=0x150e2c000c68, table_list=0x150e2c0107a0, ot_ctx=0x150ec40a62d0) at /test/10.6_opt/sql/sql_base.cc:1886
      #5  0x000055b4dc456b6a in open_and_process_table (ot_ctx=0x150ec40a62d0, has_prelocking_list=false, prelocking_strategy=0x150ec40a6490, flags=0, counter=0x150ec40a636c, tables=0x150e2c0107a0, thd=0x150e2c000c68) at /test/10.6_opt/sql/sql_base.cc:3847
      #6  open_tables (thd=thd@entry=0x150e2c000c68, options=@0x150e2c006168: {m_options = DDL_options_st::OPT_NONE}, start=start@entry=0x150ec40a6358, counter=counter@entry=0x150ec40a636c, flags=flags@entry=0, prelocking_strategy=0x150ec40a6490) at /test/10.6_opt/sql/sql_base.cc:4330
      #7  0x000055b4dc45733a in open_and_lock_tables (thd=thd@entry=0x150e2c000c68, options=<optimized out>, tables=<optimized out>, tables@entry=0x150e2c0107a0, derived=derived@entry=true, flags=flags@entry=0, prelocking_strategy=<optimized out>) at /test/10.6_opt/sql/sql_base.cc:5303
      #8  0x000055b4dc4882bc in open_and_lock_tables (flags=<optimized out>, derived=<optimized out>, tables=<optimized out>, thd=<optimized out>) at /test/10.6_opt/sql/sql_base.h:509
      #9  open_and_lock_for_insert_delayed (table_list=<optimized out>, thd=<optimized out>) at /test/10.6_opt/sql/sql_insert.cc:626
      #10 mysql_insert (thd=thd@entry=0x150e2c000c68, table_list=0x150e2c0107a0, fields=@0x150e2c005b20: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b4dd543890 <end_of_list>, last = 0x150e2c005b20, elements = 0}, <No data fields>}, values_list=@0x150e2c005b68: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x150e2c011408, last = 0x150e2c011408, elements = 1}, <No data fields>}, update_fields=@0x150e2c005b50: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b4dd543890 <end_of_list>, last = 0x150e2c005b50, elements = 0}, <No data fields>}, update_values=@0x150e2c005b38: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55b4dd543890 <end_of_list>, last = 0x150e2c005b38, elements = 0}, <No data fields>}, duplic=<optimized out>, ignore=<optimized out>, result=<optimized out>) at /test/10.6_opt/sql/sql_insert.cc:752
      #11 0x000055b4dc4be861 in mysql_execute_command (thd=0x150e2c000c68, is_called_from_prepared_stmt=<optimized out>) at /test/10.6_opt/sql/sql_parse.cc:4570
      #12 0x000055b4dc4c2f34 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x150e2c000c68) at /test/10.6_opt/sql/sql_parse.cc:8021
      #13 mysql_parse (thd=0x150e2c000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.6_opt/sql/sql_parse.cc:7943
      #14 0x000055b4dc4c5512 in dispatch_command (command=COM_QUERY, thd=0x150e2c000c68, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.6_opt/sql/sql_parse.cc:1993
      #15 0x000055b4dc4c6cb0 in do_command (thd=0x150e2c000c68, blocking=blocking@entry=true) at /test/10.6_opt/sql/sql_parse.cc:1409
      #16 0x000055b4dc5cabf7 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55b4de5142c8, put_in_cache=put_in_cache@entry=true) at /test/10.6_opt/sql/sql_connect.cc:1416
      #17 0x000055b4dc5caecd in handle_one_connection (arg=0x55b4de5142c8) at /test/10.6_opt/sql/sql_connect.cc:1318
      #18 0x0000150ef139eb43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
      #19 0x0000150ef1430a00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
      

      11.0.1 4d09050ca77a7efac4565d46e4bcd85a5f210c53 (Optimized, UBASAN)

      ==852581==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000010a18 at pc 0x5602419cbf07 bp 0x151232cc7930 sp 0x151232cc7920
      READ of size 1 at 0x606000010a18 thread T20
          #0 0x5602419cbf06 in Field::set_notnull(long long) /test/11.0_opt_san/sql/field.h:1405
          #1 0x5602419cbf06 in save_int_value_in_field /test/11.0_opt_san/sql/item.cc:6927
          #2 0x5602419cbf06 in Item_int::save_in_field(Field*, bool) /test/11.0_opt_san/sql/item.cc:6934
          #3 0x560240c38678 in TABLE::update_virtual_fields(handler*, enum_vcol_update_mode) /test/11.0_opt_san/sql/table.cc:8892
          #4 0x56024193a95a in handler::ha_rnd_next(unsigned char*) /test/11.0_opt_san/sql/handler.cc:3447
          #5 0x56023fde33b3 in rr_sequential(READ_RECORD*) /test/11.0_opt_san/sql/records.cc:519
          #6 0x560240b93a29 in READ_RECORD::read_record() /test/11.0_opt_san/sql/records.h:81
          #7 0x560240b93a29 in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*) /test/11.0_opt_san/sql/sql_update.cc:1018
          #8 0x560240496b54 in mysql_execute_command(THD*, bool) /test/11.0_opt_san/sql/sql_parse.cc:4410
          #9 0x5602404ae542 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_opt_san/sql/sql_parse.cc:8000
          #10 0x5602404bbfa5 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_opt_san/sql/sql_parse.cc:1894
          #11 0x5602404c5700 in do_command(THD*, bool) /test/11.0_opt_san/sql/sql_parse.cc:1407
          #12 0x560240da603c in do_handle_one_connection(CONNECT*, bool) /test/11.0_opt_san/sql/sql_connect.cc:1416
          #13 0x560240da863c in handle_one_connection /test/11.0_opt_san/sql/sql_connect.cc:1318
          #14 0x151255a2ab42 in start_thread nptl/pthread_create.c:442
          #15 0x151255abc9ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
       
      0x606000010a18 is located 24 bytes inside of 56-byte region [0x606000010a00,0x606000010a38)
      freed by thread T20 here:
          #0 0x56023fbe24e7 in __interceptor_free (/test/UBASAN_MD130223-mariadb-11.0.1-linux-x86_64-opt/bin/mariadbd+0x79094e7)
          #1 0x560243d917ef in mi_repair_by_sort /test/11.0_opt_san/storage/myisam/mi_check.c:2560
          #2 0x560243d5b426 in ha_myisam::repair(THD*, st_handler_check_param&, bool) /test/11.0_opt_san/storage/myisam/ha_myisam.cc:1345
          #3 0x560243d60ea1 in ha_myisam::enable_indexes(unsigned int) /test/11.0_opt_san/storage/myisam/ha_myisam.cc:1684
          #4 0x560243d61d8c in ha_myisam::end_bulk_insert() /test/11.0_opt_san/storage/myisam/ha_myisam.cc:1879
          #5 0x56024026b18d in select_insert::prepare_eof() /test/11.0_opt_san/sql/sql_insert.cc:4251
          #6 0x56024026fdfb in select_insert::send_eof() /test/11.0_opt_san/sql/sql_insert.cc:4361
          #7 0x560240896b44 in JOIN::exec_inner() /test/11.0_opt_san/sql/sql_select.cc:4699
          #8 0x56024089df23 in JOIN::exec() /test/11.0_opt_san/sql/sql_select.cc:4600
          #9 0x56024088bd8d in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_opt_san/sql/sql_select.cc:5080
          #10 0x56024088f8e0 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_opt_san/sql/sql_select.cc:581
          #11 0x5602404a48bd in mysql_execute_command(THD*, bool) /test/11.0_opt_san/sql/sql_parse.cc:4713
          #12 0x5602404ae542 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_opt_san/sql/sql_parse.cc:8000
          #13 0x5602404bbfa5 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_opt_san/sql/sql_parse.cc:1894
          #14 0x5602404c5700 in do_command(THD*, bool) /test/11.0_opt_san/sql/sql_parse.cc:1407
          #15 0x560240da603c in do_handle_one_connection(CONNECT*, bool) /test/11.0_opt_san/sql/sql_connect.cc:1416
          #16 0x560240da863c in handle_one_connection /test/11.0_opt_san/sql/sql_connect.cc:1318
          #17 0x151255a2ab42 in start_thread nptl/pthread_create.c:442
       
      previously allocated by thread T20 here:
          #0 0x56023fbe2837 in malloc (/test/UBASAN_MD130223-mariadb-11.0.1-linux-x86_64-opt/bin/mariadbd+0x7909837)
          #1 0x560243f55724 in my_malloc /test/11.0_opt_san/mysys/my_malloc.c:91
          #2 0x560243de07ef in mi_alloc_rec_buff /test/11.0_opt_san/storage/myisam/mi_open.c:762
          #3 0x560243d91b6d in mi_repair_by_sort /test/11.0_opt_san/storage/myisam/mi_check.c:2241
          #4 0x560243d5b426 in ha_myisam::repair(THD*, st_handler_check_param&, bool) /test/11.0_opt_san/storage/myisam/ha_myisam.cc:1345
          #5 0x560243d60ea1 in ha_myisam::enable_indexes(unsigned int) /test/11.0_opt_san/storage/myisam/ha_myisam.cc:1684
          #6 0x560243d61d8c in ha_myisam::end_bulk_insert() /test/11.0_opt_san/storage/myisam/ha_myisam.cc:1879
          #7 0x56024026b18d in select_insert::prepare_eof() /test/11.0_opt_san/sql/sql_insert.cc:4251
          #8 0x56024026fdfb in select_insert::send_eof() /test/11.0_opt_san/sql/sql_insert.cc:4361
          #9 0x560240896b44 in JOIN::exec_inner() /test/11.0_opt_san/sql/sql_select.cc:4699
          #10 0x56024089df23 in JOIN::exec() /test/11.0_opt_san/sql/sql_select.cc:4600
          #11 0x56024088bd8d in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_opt_san/sql/sql_select.cc:5080
          #12 0x56024088f8e0 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_opt_san/sql/sql_select.cc:581
          #13 0x5602404a48bd in mysql_execute_command(THD*, bool) /test/11.0_opt_san/sql/sql_parse.cc:4713
          #14 0x5602404ae542 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_opt_san/sql/sql_parse.cc:8000
          #15 0x5602404bbfa5 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_opt_san/sql/sql_parse.cc:1894
          #16 0x5602404c5700 in do_command(THD*, bool) /test/11.0_opt_san/sql/sql_parse.cc:1407
          #17 0x560240da603c in do_handle_one_connection(CONNECT*, bool) /test/11.0_opt_san/sql/sql_connect.cc:1416
          #18 0x560240da863c in handle_one_connection /test/11.0_opt_san/sql/sql_connect.cc:1318
          #19 0x151255a2ab42 in start_thread nptl/pthread_create.c:442
       
      Thread T20 created by T0 here:
          #0 0x56023fb86675 in pthread_create (/test/UBASAN_MD130223-mariadb-11.0.1-linux-x86_64-opt/bin/mariadbd+0x78ad675)
          #1 0x56023fc3ad3e in create_thread_to_handle_connection(CONNECT*) /test/11.0_opt_san/sql/mysqld.cc:6100
          #2 0x56023fc4d04f in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.0_opt_san/sql/mysqld.cc:6221
          #3 0x56023fc4dfd7 in handle_connections_sockets() /test/11.0_opt_san/sql/mysqld.cc:6345
          #4 0x56023fc5103d in mysqld_main(int, char**) /test/11.0_opt_san/sql/mysqld.cc:5995
          #5 0x1512559bfd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
       
      SUMMARY: AddressSanitizer: heap-use-after-free /test/11.0_opt_san/sql/field.h:1405 in Field::set_notnull(long long)
      Shadow bytes around the buggy address:
        0x0c0c7fffa0f0: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 fa
        0x0c0c7fffa100: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
        0x0c0c7fffa110: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
        0x0c0c7fffa120: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
        0x0c0c7fffa130: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
      =>0x0c0c7fffa140: fd fd fd[fd]fd fd fd fa fa fa fa fa fd fd fd fd
        0x0c0c7fffa150: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 fa
        0x0c0c7fffa160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c0c7fffa170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c0c7fffa180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c0c7fffa190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==852581==ABORTING
      ...
      Query (0x629000087238): UPDATE t2 SET a=1
      

      This second method may also be used to produce the crash in any version when using MTR; see the first comment below. Note, however, that the stack is different.

      Bug confirmed present in:
      MariaDB: 10.3.38 (dbg), 10.3.38 (opt), 10.4.29 (dbg), 10.4.29 (opt), 10.5.20 (dbg), 10.5.20 (opt), 10.6.13 (opt), 10.6.13 (dbg), 10.7.8 (dbg), 10.7.8 (opt), 10.8.8 (dbg), 10.8.8 (opt), 10.9.6 (dbg), 10.9.6 (opt), 10.10.4 (dbg), 10.10.4 (opt), 10.11.2 (dbg), 10.11.2 (opt), 11.0.1 (dbg), 11.0.1 (opt)

      Bug (or feature/syntax) confirmed not present in:
      MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.40 (dbg), 5.7.40 (opt), 8.0.31 (dbg), 8.0.31 (opt)
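      As an added example (not part of the original report and not MariaDB tooling), the Python script below parses an AddressSanitizer report of the shape shown above and reduces it to the three facts a triager needs first: where the stale pointer was dereferenced, where the buffer was freed, and where it was allocated, with allocator and sanitizer plumbing frames skipped so that the blamed frames are Field::set_notnull, mi_repair_by_sort and mi_alloc_rec_buff rather than __interceptor_free or my_malloc. It also records which thread each stack belongs to; all three being T20 in the report above is what marks this as a sequential stale-pointer bug inside one connection rather than a race between connections. The sample input is an excerpt of the 11.0.1 UBASAN report above (stacks cut down, shadow-byte map left out). The PLUMBING prefix list and the handling of the `Query (...)` line that mariadbd prints after the sanitizer report are this script's own assumptions, not something the report format specifies.

```python
"""Triage helper for AddressSanitizer heap-use-after-free reports like the one above:
extracts the faulting access, the free site and the allocation site, skips allocator
and sanitizer plumbing frames, and checks whether all three happened on one thread."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Frames that belong to the allocator or the sanitizer, not to the buffer's owner (assumed list).
PLUMBING = ("__interceptor_", "malloc", "free", "my_malloc", "my_free")
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-fA-F]+\s+(.*)$")
HEADER_RE = re.compile(r"ERROR: AddressSanitizer: ([\w-]+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
STACK_RE = re.compile(r"^(?:freed by|previously allocated by) thread (T\d+) here:")
REGION_RE = re.compile(r"is located (\d+) bytes .*?(\d+)-byte region")
QUERY_RE = re.compile(r"^Query \(0x[0-9a-f]+\): (.*)$")  # line mariadbd appends after the report

@dataclass
class Frame:
    func: Optional[str]  # None for an unsymbolised frame
    location: str        # "path:line" or "(module+0xoffset)"

@dataclass
class AsanReport:
    kind: str = ""
    op: str = ""
    size: int = 0
    region: tuple = (-1, -1)  # (offset of the access inside the heap region, region size)
    query: Optional[str] = None
    threads: Dict[str, str] = field(default_factory=dict)         # stack name -> thread id
    stacks: Dict[str, List[Frame]] = field(default_factory=dict)  # "access" / "free" / "alloc"

def parse_frame(line: str) -> Optional[Frame]:
    m = FRAME_RE.match(line)
    if not m:
        return None
    rest = m.group(2).strip()
    if not rest.startswith("in "):
        return Frame(None, rest)
    # The location is the last space-free token; the signature before it may contain
    # spaces of its own, e.g. "Field::set_notnull(long long)".
    func, _, loc = rest[3:].rpartition(" ")
    return Frame(func, loc) if func else Frame(loc, "")

def parse_asan_report(text: str) -> AsanReport:
    rep, current = AsanReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.search(line):
            rep.kind = m.group(1)
        elif m := ACCESS_RE.match(line):
            rep.op, rep.size, current = m.group(1), int(m.group(2)), "access"
            rep.threads[current] = m.group(3)
        elif m := STACK_RE.match(line):
            current = "free" if line.startswith("freed") else "alloc"
            rep.threads[current] = m.group(1)
        elif line.startswith("Thread ") and line.endswith("here:"):
            current = None  # thread-creation stack: not needed for triage
        elif m := REGION_RE.search(line):
            rep.region = (int(m.group(1)), int(m.group(2)))
        elif m := QUERY_RE.match(line):
            rep.query = m.group(1)
        elif current and (fr := parse_frame(line)):
            rep.stacks.setdefault(current, []).append(fr)
    return rep

def blame(frames: List[Frame]) -> Optional[Frame]:
    """First symbolised frame that is not allocator/sanitizer plumbing."""
    return next((f for f in frames if f.func and not f.func.startswith(PLUMBING)), None)

def call_chain(frames: List[Frame], depth: int = 4) -> List[str]:
    """The blamed frame and its callers, innermost first, with argument lists dropped."""
    start = blame(frames)
    i = frames.index(start) if start else len(frames)
    return [f.func.split("(", 1)[0] for f in frames[i:i + depth] if f.func]

def same_thread_lifetime(rep: AsanReport) -> bool:
    """One thread did alloc, free and use: a sequential stale-pointer bug, not a race."""
    ids = {rep.threads.get(k) for k in ("access", "free", "alloc")}
    return len(ids) == 1 and None not in ids

def summarize(rep: AsanReport) -> str:
    parts = [f"{rep.kind}: {rep.op} of {rep.size} byte(s) at offset {rep.region[0]} "
             f"in a {rep.region[1]}-byte heap region"]
    for key, verb in (("access", "used in"), ("free", "freed in"), ("alloc", "allocated in")):
        if fr := blame(rep.stacks.get(key, [])):
            parts.append(f"{verb} {fr.func.split('(', 1)[0]} ({fr.location})")
    if rep.query:
        parts.append(f"statement: {rep.query}")
    return "; ".join(parts)

# Sample input: an excerpt of the 11.0.1 UBASAN report above, with the stacks cut down
# to the frames that matter and the shadow-byte map left out.
SAMPLE_REPORT = """\
==852581==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000010a18 at pc 0x5602419cbf07 bp 0x151232cc7930 sp 0x151232cc7920
READ of size 1 at 0x606000010a18 thread T20
    #0 0x5602419cbf06 in Field::set_notnull(long long) /test/11.0_opt_san/sql/field.h:1405
    #3 0x560240c38678 in TABLE::update_virtual_fields(handler*, enum_vcol_update_mode) /test/11.0_opt_san/sql/table.cc:8892
    #15 0x151255abc9ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
0x606000010a18 is located 24 bytes inside of 56-byte region [0x606000010a00,0x606000010a38)
freed by thread T20 here:
    #0 0x56023fbe24e7 in __interceptor_free (/test/UBASAN_MD130223-mariadb-11.0.1-linux-x86_64-opt/bin/mariadbd+0x79094e7)
    #1 0x560243d917ef in mi_repair_by_sort /test/11.0_opt_san/storage/myisam/mi_check.c:2560
    #2 0x560243d5b426 in ha_myisam::repair(THD*, st_handler_check_param&, bool) /test/11.0_opt_san/storage/myisam/ha_myisam.cc:1345
    #3 0x560243d60ea1 in ha_myisam::enable_indexes(unsigned int) /test/11.0_opt_san/storage/myisam/ha_myisam.cc:1684
    #4 0x560243d61d8c in ha_myisam::end_bulk_insert() /test/11.0_opt_san/storage/myisam/ha_myisam.cc:1879
previously allocated by thread T20 here:
    #0 0x56023fbe2837 in malloc (/test/UBASAN_MD130223-mariadb-11.0.1-linux-x86_64-opt/bin/mariadbd+0x7909837)
    #1 0x560243f55724 in my_malloc /test/11.0_opt_san/mysys/my_malloc.c:91
    #2 0x560243de07ef in mi_alloc_rec_buff /test/11.0_opt_san/storage/myisam/mi_open.c:762
    #3 0x560243d91b6d in mi_repair_by_sort /test/11.0_opt_san/storage/myisam/mi_check.c:2241
Thread T20 created by T0 here:
    #0 0x56023fb86675 in pthread_create (/test/UBASAN_MD130223-mariadb-11.0.1-linux-x86_64-opt/bin/mariadbd+0x78ad675)
Query (0x629000087238): UPDATE t2 SET a=1
"""
```

      parse_asan_report() takes the whole error-log text, so it can be pointed at a mariadbd .err file as well as at a pasted report. On the excerpt above, call_chain(rep.stacks["free"]) yields mi_repair_by_sort, ha_myisam::repair, ha_myisam::enable_indexes, ha_myisam::end_bulk_insert, i.e. the path by which the INSERT ... SELECT's end-of-bulk-insert index rebuild frees the record buffer that the later UPDATE still dereferences; call_chain on the allocation stack shows the same mi_repair_by_sort both allocating (mi_check.c:2241) and freeing (mi_check.c:2560) that buffer.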

            People

              serg Sergei Golubchik
              Roel Roel Van de Paar