Details
-
Bug
-
Status: Confirmed (View Workflow)
-
Major
-
Resolution: Unresolved
-
10.6, 10.11, 11.1(EOL), 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 11.0(EOL)
Description
Null pointer access split from MDEV-23073: please note the UBSAN error (member access within null pointer) towards the end of the stack trace. marko mentions that this looks like it is related to accessing my_errno in my_read():
#define my_errno my_thread_var->thr_errno |
InnoDB should not use my_read() for anything. Assigning to thiru as he is assigned to MDEV-23073, but please feel free to reassign as needed. Note that MTR is required to reproduce the issue.
--source include/have_innodb.inc
|
CREATE TABLE t (c TEXT) ENGINE=InnoDB; |
XA BEGIN '0'; |
INSERT INTO t VALUES (b''); |
SAVEPOINT sp0;
|
XA END '0'; |
XA PREPARE '0'; |
SHUTDOWN;
|
Leads to:
11.0.2 a79abb6517f2fa68b48e61aa3354a0631e3a63f7 (Debug) |
==1492049==ERROR: LeakSanitizer: detected memory leaks
|
|
Direct leak of 40 byte(s) in 1 object(s) allocated from:
|
#0 0x5614b49d2337 in __interceptor_malloc (/test/UBASAN_MD250323-mariadb-10.11.3-linux-x86_64-dbg/bin/mariadbd+0x7986337)
|
#1 0x5614b8949ebf in trx_savepoint_for_mysql(trx_t*, char const*, long) /test/10.11_dbg_san/storage/innobase/trx/trx0roll.cc:523
|
#2 0x5614b812d690 in innobase_savepoint /test/10.11_dbg_san/storage/innobase/handler/ha_innodb.cc:4910
|
#3 0x5614b69e7bd4 in ha_savepoint(THD*, st_savepoint*) /test/10.11_dbg_san/sql/handler.cc:2952
|
#4 0x5614b5d9e3d6 in trans_savepoint(THD*, st_mysql_const_lex_string) /test/10.11_dbg_san/sql/transaction.cc:617
|
#5 0x5614b5336acd in mysql_execute_command(THD*, bool) /test/10.11_dbg_san/sql/sql_parse.cc:5711
|
#6 0x5614b5344c73 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.11_dbg_san/sql/sql_parse.cc:8002
|
#7 0x5614b53549cf in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.11_dbg_san/sql/sql_parse.cc:1894
|
#8 0x5614b5362799 in do_command(THD*, bool) /test/10.11_dbg_san/sql/sql_parse.cc:1407
|
#9 0x5614b5d076dd in do_handle_one_connection(CONNECT*, bool) /test/10.11_dbg_san/sql/sql_connect.cc:1416
|
#10 0x5614b5d08bf8 in handle_one_connection /test/10.11_dbg_san/sql/sql_connect.cc:1318
|
#11 0x14b8d76f1b42 in start_thread nptl/pthread_create.c:442
|
|
Indirect leak of 11 byte(s) in 1 object(s) allocated from:
|
#0 0x5614b49d2337 in __interceptor_malloc (/test/UBASAN_MD250323-mariadb-10.11.3-linux-x86_64-dbg/bin/mariadbd+0x7986337)
|
#1 0x5614b8949ed6 in mem_strdup /test/10.11_dbg_san/storage/innobase/include/mem0mem.inl:452
|
#2 0x5614b8949ed6 in trx_savepoint_for_mysql(trx_t*, char const*, long) /test/10.11_dbg_san/storage/innobase/trx/trx0roll.cc:525
|
#3 0x5614b812d690 in innobase_savepoint /test/10.11_dbg_san/storage/innobase/handler/ha_innodb.cc:4910
|
#4 0x5614b69e7bd4 in ha_savepoint(THD*, st_savepoint*) /test/10.11_dbg_san/sql/handler.cc:2952
|
#5 0x5614b5d9e3d6 in trans_savepoint(THD*, st_mysql_const_lex_string) /test/10.11_dbg_san/sql/transaction.cc:617
|
#6 0x5614b5336acd in mysql_execute_command(THD*, bool) /test/10.11_dbg_san/sql/sql_parse.cc:5711
|
#7 0x5614b5344c73 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.11_dbg_san/sql/sql_parse.cc:8002
|
#8 0x5614b53549cf in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.11_dbg_san/sql/sql_parse.cc:1894
|
#9 0x5614b5362799 in do_command(THD*, bool) /test/10.11_dbg_san/sql/sql_parse.cc:1407
|
#10 0x5614b5d076dd in do_handle_one_connection(CONNECT*, bool) /test/10.11_dbg_san/sql/sql_connect.cc:1416
|
#11 0x5614b5d08bf8 in handle_one_connection /test/10.11_dbg_san/sql/sql_connect.cc:1318
|
#12 0x14b8d76f1b42 in start_thread nptl/pthread_create.c:442
|
|
SUMMARY: AddressSanitizer: 51 byte(s) leaked in 2 allocation(s).
|
230401 12:21:47 [ERROR] mysqld got signal 6 ;
|
This could be because you hit a bug. It is also possible that this binary
|
or one of the libraries it was linked against is corrupt, improperly built,
|
or misconfigured. This error can also be caused by malfunctioning hardware.
|
|
To report this bug, see https://mariadb.com/kb/en/reporting-bugs
|
|
We will try our best to scrape up some info that will hopefully help
|
diagnose the problem, but since we have already crashed,
|
something is definitely wrong and this may fail.
|
|
Server version: 10.11.3-MariaDB-debug source revision: 50c8ef01fc63e32acd38788107ae4029d0f1b9ce
|
read_buffer_size=131072
|
max_used_connections=1
|
thread_count=0
|
Thread pointer: 0x0
|
Attempting backtrace. You can use the following information to find out
|
where mysqld died. If you see no messages after this, something went
|
terribly wrong...
|
stack_bottom = 0x0 thread_stack 0x100000
|
/test/UBASAN_MD250323-mariadb-10.11.3-linux-x86_64-dbg/bin/mariadbd(+0x79176fe)[0x5614b49636fe]
|
asan_interceptors.o:0(__interceptor_backtrace.part.0)[0x5614b9110f2a]
|
mysys/stacktrace.c:215(my_print_stacktrace)[0x5614b69beee2]
|
libc_sigaction.c:0(__restore_rt)[0x14b8d769f520]
|
nptl/pthread_kill.c:44(__pthread_kill_implementation)[0x14b8d76f3a7c]
|
posix/raise.c:27(__GI_raise)[0x14b8d769f476]
|
stdlib/abort.c:81(__GI_abort)[0x14b8d76857f3]
|
:0(__sanitizer::Abort())[0x5614b49f01c2]
|
:0(__sanitizer::Die())[0x5614b49fbd7c]
|
:0(__lsan::HandleLeaks())[0x5614b4a0128c]
|
:0(__lsan::DoLeakCheck())[0x5614b4a009d5]
|
stdlib/cxa_finalize.c:84(__cxa_finalize)[0x14b8d76a2a56]
|
crtstuff.c:0(__do_global_dtors_aux)[0x5614b49426a7]
|
The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains
|
information that should help you find out what is causing the crash.
|
Writing a core file...
|
Working directory at /test/UBASAN_MD250323-mariadb-10.11.3-linux-x86_64-dbg/data
|
Resource Limits:
|
Limit Soft Limit Hard Limit Units
|
Max cpu time unlimited unlimited seconds
|
Max file size unlimited unlimited bytes
|
Max data size unlimited unlimited bytes
|
Max stack size unlimited unlimited bytes
|
Max core file size unlimited unlimited bytes
|
Max resident set unlimited unlimited bytes
|
Max processes unlimited unlimited processes
|
Max open files 1048576 1048576 files
|
Max locked memory unlimited unlimited bytes
|
Max address space unlimited unlimited bytes
|
Max file locks unlimited unlimited locks
|
Max pending signals unlimited unlimited signals
|
Max msgqueue size unlimited unlimited bytes
|
Max nice priority 0 0
|
Max realtime priority 0 0
|
Max realtime timeout unlimited unlimited us
|
Core pattern: core
|
|
/test/10.11_dbg_san/mysys/my_read.c:63:30: runtime error: member access within null pointer of type 'struct st_my_thread_var'
|
#0 0x5614b91073ea in my_read /test/10.11_dbg_san/mysys/my_read.c:63
|
#1 0x5614b69be35f in output_core_info /test/10.11_dbg_san/sql/signal_handler.cc:91
|
#2 0x5614b69bf7a7 in handle_fatal_signal /test/10.11_dbg_san/sql/signal_handler.cc:353
|
#3 0x14b8d769f51f (/lib/x86_64-linux-gnu/libc.so.6+0x4251f)
|
#4 0x14b8d76f3a7b in __pthread_kill_implementation nptl/pthread_kill.c:43
|
#5 0x14b8d76f3a7b in __pthread_kill_internal nptl/pthread_kill.c:78
|
#6 0x14b8d76f3a7b in __GI___pthread_kill nptl/pthread_kill.c:89
|
#7 0x14b8d769f475 in __GI_raise ../sysdeps/posix/raise.c:26
|
#8 0x14b8d76857f2 in __GI_abort stdlib/abort.c:79
|
#9 0x5614b49f01c1 in __sanitizer::Abort() (/test/UBASAN_MD250323-mariadb-10.11.3-linux-x86_64-dbg/bin/mariadbd+0x79a41c1)
|
#10 0x5614b49fbd7b in __sanitizer::Die() (/test/UBASAN_MD250323-mariadb-10.11.3-linux-x86_64-dbg/bin/mariadbd+0x79afd7b)
|
#11 0x5614b4a0128b in __lsan::HandleLeaks() (/test/UBASAN_MD250323-mariadb-10.11.3-linux-x86_64-dbg/bin/mariadbd+0x79b528b)
|
#12 0x5614b4a009d4 in __lsan::DoLeakCheck() (/test/UBASAN_MD250323-mariadb-10.11.3-linux-x86_64-dbg/bin/mariadbd+0x79b49d4)
|
#13 0x14b8d76a2a55 in __cxa_finalize stdlib/cxa_finalize.c:83
|
#14 0x5614b49426a6 (/test/UBASAN_MD250323-mariadb-10.11.3-linux-x86_64-dbg/bin/mariadbd+0x78f66a6)
|
|
Fatal signal 11 while backtracing
|
10.8.8 e4b83f0febbd24b04687d4814871c758cbede111 (Debug, UBASAN) |
==1441451==ERROR: LeakSanitizer: detected memory leaks
|
|
Direct leak of 40 byte(s) in 1 object(s) allocated from:
|
#0 0x55d408967337 in malloc (/test/UBASAN_MD250323-mariadb-10.8.8-linux-x86_64-dbg/bin/mariadbd+0x788d337)
|
#1 0x55d40c8833f1 in trx_savepoint_for_mysql(trx_t*, char const*, long) /test/10.8_dbg_san/storage/innobase/trx/trx0roll.cc:523
|
#2 0x55d40c070f72 in innobase_savepoint /test/10.8_dbg_san/storage/innobase/handler/ha_innodb.cc:4928
|
#3 0x55d40a93a3da in ha_savepoint(THD*, st_savepoint*) /test/10.8_dbg_san/sql/handler.cc:2951
|
#4 0x55d409d0a48d in trans_savepoint(THD*, st_mysql_const_lex_string) /test/10.8_dbg_san/sql/transaction.cc:617
|
#5 0x55d4092bc2a5 in mysql_execute_command(THD*, bool) /test/10.8_dbg_san/sql/sql_parse.cc:5702
|
#6 0x55d4092ca518 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.8_dbg_san/sql/sql_parse.cc:8019
|
#7 0x55d4092da25e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.8_dbg_san/sql/sql_parse.cc:1894
|
#8 0x55d4092e8028 in do_command(THD*, bool) /test/10.8_dbg_san/sql/sql_parse.cc:1407
|
#9 0x55d409c738ef in do_handle_one_connection(CONNECT*, bool) /test/10.8_dbg_san/sql/sql_connect.cc:1416
|
#10 0x55d409c74e0a in handle_one_connection /test/10.8_dbg_san/sql/sql_connect.cc:1318
|
#11 0x14bd6a711b42 in start_thread nptl/pthread_create.c:442
|
|
Indirect leak of 11 byte(s) in 1 object(s) allocated from:
|
#0 0x55d408967337 in malloc (/test/UBASAN_MD250323-mariadb-10.8.8-linux-x86_64-dbg/bin/mariadbd+0x788d337)
|
#1 0x55d40c883408 in mem_strdup /test/10.8_dbg_san/storage/innobase/include/mem0mem.inl:452
|
#2 0x55d40c883408 in trx_savepoint_for_mysql(trx_t*, char const*, long) /test/10.8_dbg_san/storage/innobase/trx/trx0roll.cc:525
|
#3 0x55d40c070f72 in innobase_savepoint /test/10.8_dbg_san/storage/innobase/handler/ha_innodb.cc:4928
|
#4 0x55d40a93a3da in ha_savepoint(THD*, st_savepoint*) /test/10.8_dbg_san/sql/handler.cc:2951
|
#5 0x55d409d0a48d in trans_savepoint(THD*, st_mysql_const_lex_string) /test/10.8_dbg_san/sql/transaction.cc:617
|
#6 0x55d4092bc2a5 in mysql_execute_command(THD*, bool) /test/10.8_dbg_san/sql/sql_parse.cc:5702
|
#7 0x55d4092ca518 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.8_dbg_san/sql/sql_parse.cc:8019
|
#8 0x55d4092da25e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.8_dbg_san/sql/sql_parse.cc:1894
|
#9 0x55d4092e8028 in do_command(THD*, bool) /test/10.8_dbg_san/sql/sql_parse.cc:1407
|
#10 0x55d409c738ef in do_handle_one_connection(CONNECT*, bool) /test/10.8_dbg_san/sql/sql_connect.cc:1416
|
#11 0x55d409c74e0a in handle_one_connection /test/10.8_dbg_san/sql/sql_connect.cc:1318
|
#12 0x14bd6a711b42 in start_thread nptl/pthread_create.c:442
|
|
SUMMARY: AddressSanitizer: 51 byte(s) leaked in 2 allocation(s).
|
230401 12:21:03 [ERROR] mysqld got signal 6 ;
|
This could be because you hit a bug. It is also possible that this binary
|
or one of the libraries it was linked against is corrupt, improperly built,
|
or misconfigured. This error can also be caused by malfunctioning hardware.
|
|
To report this bug, see https://mariadb.com/kb/en/reporting-bugs
|
|
We will try our best to scrape up some info that will hopefully help
|
diagnose the problem, but since we have already crashed,
|
something is definitely wrong and this may fail.
|
|
Server version: 10.8.8-MariaDB-debug source revision: e4b83f0febbd24b04687d4814871c758cbede111
|
read_buffer_size=131072
|
max_used_connections=1
|
thread_count=0
|
Thread pointer: 0x0
|
Attempting backtrace. You can use the following information to find out
|
where mysqld died. If you see no messages after this, something went
|
terribly wrong...
|
stack_bottom = 0x0 thread_stack 0x100000
|
/test/UBASAN_MD250323-mariadb-10.8.8-linux-x86_64-dbg/bin/mariadbd(+0x781e6fe)[0x55d4088f86fe]
|
asan_interceptors.o:0(__interceptor_backtrace.part.0)[0x55d40d04b4de]
|
mysys/stacktrace.c:215(my_print_stacktrace)[0x55d40a9116cc]
|
libc_sigaction.c:0(__restore_rt)[0x14bd6a6bf520]
|
nptl/pthread_kill.c:44(__pthread_kill_implementation)[0x14bd6a713a7c]
|
posix/raise.c:27(__GI_raise)[0x14bd6a6bf476]
|
stdlib/abort.c:81(__GI_abort)[0x14bd6a6a57f3]
|
:0(__sanitizer::Abort())[0x55d4089851c2]
|
:0(__sanitizer::Die())[0x55d408990d7c]
|
:0(__lsan::HandleLeaks())[0x55d40899628c]
|
:0(__lsan::DoLeakCheck())[0x55d4089959d5]
|
stdlib/cxa_finalize.c:84(__cxa_finalize)[0x14bd6a6c2a56]
|
crtstuff.c:0(__do_global_dtors_aux)[0x55d4088d76a7]
|
The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains
|
information that should help you find out what is causing the crash.
|
Writing a core file...
|
Working directory at /test/UBASAN_MD250323-mariadb-10.8.8-linux-x86_64-dbg/data
|
Resource Limits:
|
Limit Soft Limit Hard Limit Units
|
Max cpu time unlimited unlimited seconds
|
Max file size unlimited unlimited bytes
|
Max data size unlimited unlimited bytes
|
Max stack size unlimited unlimited bytes
|
Max core file size unlimited unlimited bytes
|
Max resident set unlimited unlimited bytes
|
Max processes unlimited unlimited processes
|
Max open files 1048576 1048576 files
|
Max locked memory unlimited unlimited bytes
|
Max address space unlimited unlimited bytes
|
Max file locks unlimited unlimited locks
|
Max pending signals unlimited unlimited signals
|
Max msgqueue size unlimited unlimited bytes
|
Max nice priority 0 0
|
Max realtime priority 0 0
|
Max realtime timeout unlimited unlimited us
|
Core pattern: core
|
|
/test/10.8_dbg_san/mysys/my_read.c:63:30: runtime error: member access within null pointer of type 'struct st_my_thread_var'
|
#0 0x55d40d04199e in my_read /test/10.8_dbg_san/mysys/my_read.c:63
|
#1 0x55d40a910b49 in output_core_info /test/10.8_dbg_san/sql/signal_handler.cc:91
|
#2 0x55d40a911f91 in handle_fatal_signal /test/10.8_dbg_san/sql/signal_handler.cc:353
|
#3 0x14bd6a6bf51f (/lib/x86_64-linux-gnu/libc.so.6+0x4251f)
|
#4 0x14bd6a713a7b in __pthread_kill_implementation nptl/pthread_kill.c:43
|
#5 0x14bd6a713a7b in __pthread_kill_internal nptl/pthread_kill.c:78
|
#6 0x14bd6a713a7b in __GI___pthread_kill nptl/pthread_kill.c:89
|
#7 0x14bd6a6bf475 in __GI_raise ../sysdeps/posix/raise.c:26
|
#8 0x14bd6a6a57f2 in __GI_abort stdlib/abort.c:79
|
#9 0x55d4089851c1 in __sanitizer::Abort() (/test/UBASAN_MD250323-mariadb-10.8.8-linux-x86_64-dbg/bin/mariadbd+0x78ab1c1)
|
#10 0x55d408990d7b in __sanitizer::Die() (/test/UBASAN_MD250323-mariadb-10.8.8-linux-x86_64-dbg/bin/mariadbd+0x78b6d7b)
|
#11 0x55d40899628b in __lsan::HandleLeaks() (/test/UBASAN_MD250323-mariadb-10.8.8-linux-x86_64-dbg/bin/mariadbd+0x78bc28b)
|
#12 0x55d4089959d4 in __lsan::DoLeakCheck() (/test/UBASAN_MD250323-mariadb-10.8.8-linux-x86_64-dbg/bin/mariadbd+0x78bb9d4)
|
#13 0x14bd6a6c2a55 in __cxa_finalize stdlib/cxa_finalize.c:83
|
#14 0x55d4088d76a6 (/test/UBASAN_MD250323-mariadb-10.8.8-linux-x86_64-dbg/bin/mariadbd+0x77fd6a6)
|
|
Fatal signal 11 while backtracing
|
Setup:
Compiled with GCC >=7.5.0 (I use GCC 11.3.0) and:
|
-DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON
|
Set before execution:
|
export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1
|
Bug confirmed present in:
MariaDB: 10.6.13 (dbg), 10.6.13 (opt), 10.7.8 (dbg), 10.7.8 (opt), 10.8.8 (dbg), 10.8.8 (opt), 10.9.6 (dbg), 10.9.6 (opt), 10.10.4 (dbg), 10.10.4 (opt), 10.11.3 (dbg), 10.11.3 (opt), 11.0.2 (dbg), 11.0.2 (opt)
Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.3.39 (dbg), 10.3.39 (opt), 10.4.29 (dbg), 10.4.29 (opt), 10.5.20 (dbg), 10.5.20 (opt)
Attachments
Issue Links
- relates to
-
MDEV-31061 ASAN: global-buffer-overflow in __interceptor_regcomp.part.0 and UBSAN: runtime error: applying non-zero offset -999 to null pointer in pcre/pcre_exec.c
- Closed
- split from
-
MDEV-23073 LSAN: Memory leak after XA transaction with shutdown / rollback to savepoint
- Confirmed