Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-31083

ASAN use-after-poison in myrg_attach_children

    XMLWordPrintable

Details

    Description

      CREATE TABLE t (f TEXT, FULLTEXT (f)) ENGINE=MyISAM;
      INSERT INTO t VALUES ('foo'),('bar'); # Optional, fails either way
      CREATE TABLE tmrg (f TEXT) ENGINE=MERGE, UNION(t);
      SELECT * FROM tmrg;
       
      # Cleanup
      DROP TABLE tmrg, t;
      

      10.5 75063d12

      ==3017382==ERROR: AddressSanitizer: use-after-poison on address 0x61d000231098 at pc 0x557f6777a665 bp 0x7f5b079662b0 sp 0x7f5b079662a8
      READ of size 8 at 0x61d000231098 thread T5
          #0 0x557f6777a664 in myrg_attach_children /data/src/10.5/storage/myisammrg/myrg_open.c:481
          #1 0x557f6776dff2 in ha_myisammrg::attach_children() /data/src/10.5/storage/myisammrg/ha_myisammrg.cc:839
          #2 0x557f67772f6f in ha_myisammrg::extra(ha_extra_function) /data/src/10.5/storage/myisammrg/ha_myisammrg.cc:1340
          #3 0x557f657a3b6b in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.5/sql/sql_base.cc:4429
          #4 0x557f657a825e in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.5/sql/sql_base.cc:5237
          #5 0x557f656feac5 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.5/sql/sql_base.h:507
          #6 0x557f6594a4d4 in execute_sqlcom_select /data/src/10.5/sql/sql_parse.cc:6252
          #7 0x557f65939a6c in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:4008
          #8 0x557f65955eb8 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.5/sql/sql_parse.cc:8106
          #9 0x557f6592ba49 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5/sql/sql_parse.cc:1891
          #10 0x557f659283e6 in do_command(THD*) /data/src/10.5/sql/sql_parse.cc:1375
          #11 0x557f65d7519e in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1416
          #12 0x557f65d74b66 in handle_one_connection /data/src/10.5/sql/sql_connect.cc:1318
          #13 0x557f669c1433 in pfs_spawn_thread /data/src/10.5/storage/perfschema/pfs.cc:2201
          #14 0x7f5b0f0a7fd3 in start_thread nptl/pthread_create.c:442
          #15 0x7f5b0f1285bb in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
       
      0x61d000231098 is located 1560 bytes inside of 2296-byte region [0x61d000230a80,0x61d000231378)
      allocated by thread T5 here:
          #0 0x7f5b0fcb89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
          #1 0x557f67615035 in my_malloc /data/src/10.5/mysys/my_malloc.c:91
          #2 0x557f675ef618 in my_multi_malloc /data/src/10.5/mysys/mulalloc.c:59
          #3 0x557f674f9613 in mi_open /data/src/10.5/storage/myisam/mi_open.c:313
          #4 0x557f674766ad in ha_myisam::open(char const*, int, unsigned int) /data/src/10.5/storage/myisam/ha_myisam.cc:834
          #5 0x557f661562d0 in handler::ha_open(TABLE*, char const*, int, unsigned int, st_mem_root*, List<String>*) /data/src/10.5/sql/handler.cc:3012
          #6 0x557f65c9440f in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /data/src/10.5/sql/table.cc:4323
          #7 0x557f65796cc3 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.5/sql/sql_base.cc:2015
          #8 0x557f657a05f8 in open_and_process_table /data/src/10.5/sql/sql_base.cc:3807
          #9 0x557f657a3125 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.5/sql/sql_base.cc:4290
          #10 0x557f657a825e in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.5/sql/sql_base.cc:5237
          #11 0x557f656feac5 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.5/sql/sql_base.h:507
          #12 0x557f65872469 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /data/src/10.5/sql/sql_insert.cc:757
          #13 0x557f6593da0a in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:4629
          #14 0x557f65955eb8 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.5/sql/sql_parse.cc:8106
          #15 0x557f6592ba49 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5/sql/sql_parse.cc:1891
          #16 0x557f659283e6 in do_command(THD*) /data/src/10.5/sql/sql_parse.cc:1375
          #17 0x557f65d7519e in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1416
          #18 0x557f65d74b66 in handle_one_connection /data/src/10.5/sql/sql_connect.cc:1318
          #19 0x557f669c1433 in pfs_spawn_thread /data/src/10.5/storage/perfschema/pfs.cc:2201
          #20 0x7f5b0f0a7fd3 in start_thread nptl/pthread_create.c:442
       
      Thread T5 created by T0 here:
          #0 0x7f5b0fc49726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
          #1 0x557f669bd166 in my_thread_create /data/src/10.5/storage/perfschema/my_thread.h:52
          #2 0x557f669c1822 in pfs_spawn_thread_v1 /data/src/10.5/storage/perfschema/pfs.cc:2252
          #3 0x557f6561deeb in inline_mysql_thread_create /data/src/10.5/include/mysql/psi/mysql_thread.h:1323
          #4 0x557f65633c32 in create_thread_to_handle_connection(CONNECT*) /data/src/10.5/sql/mysqld.cc:6057
          #5 0x557f65634243 in create_new_thread(CONNECT*) /data/src/10.5/sql/mysqld.cc:6116
          #6 0x557f65634516 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.5/sql/mysqld.cc:6181
          #7 0x557f65635107 in handle_connections_sockets() /data/src/10.5/sql/mysqld.cc:6308
          #8 0x557f656334af in mysqld_main(int, char**) /data/src/10.5/sql/mysqld.cc:5703
          #9 0x557f6561c8f8 in main /data/src/10.5/sql/main.cc:25
          #10 0x7f5b0f046189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
       
      SUMMARY: AddressSanitizer: use-after-poison /data/src/10.5/storage/myisammrg/myrg_open.c:481 in myrg_attach_children
      Shadow bytes around the buggy address:
        0x0c3a8003e1c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c3a8003e1d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c3a8003e1e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c3a8003e1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c3a8003e200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0c3a8003e210: 00 f7 00[f7]00 00 00 00 00 00 00 00 00 00 00 00
        0x0c3a8003e220: 00 00 f7 f7 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c3a8003e230: 00 00 00 00 f7 00 00 00 00 00 00 00 00 00 00 00
        0x0c3a8003e240: 00 00 00 00 00 00 00 f7 00 00 00 f7 00 00 00 00
        0x0c3a8003e250: 00 00 f7 00 00 f7 00 00 f7 00 f7 00 f7 00 00 00
        0x0c3a8003e260: 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 f7 fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==3017382==ABORTING
      230419 15:45:29 [ERROR] mysqld got signal 6 ;
      This could be because you hit a bug. It is also possible that this binary
      or one of the libraries it was linked against is corrupt, improperly built,
      or misconfigured. This error can also be caused by malfunctioning hardware.
       
      To report this bug, see https://mariadb.com/kb/en/reporting-bugs
       
      We will try our best to scrape up some info that will hopefully help
      diagnose the problem, but since we have already crashed, 
      something is definitely wrong and this may fail.
       
      Server version: 10.5.20-MariaDB-debug-log source revision: 75063d128812347228873e2dce4ae7799f348ebf
      key_buffer_size=1048576
      read_buffer_size=131072
      max_used_connections=1
      max_threads=153
      thread_count=1
      It is possible that mysqld could use up to 
      key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 63762 K  bytes of memory
      Hope that's ok; if not, decrease some variables in the equation.
       
      Thread pointer: 0x62b000069218
      Attempting backtrace. You can use the following information to find out
      where mysqld died. If you see no messages after this, something went
      terribly wrong...
      stack_bottom = 0x7f5b07968c50 thread_stack 0x100000
      sanitizer_common/sanitizer_common_interceptors.inc:4277(__interceptor_backtrace.part.0)[0x7f5b0fc51f31]
      mysys/stacktrace.c:212(my_print_stacktrace)[0x557f67624eb5]
      sql/signal_handler.cc:241(handle_fatal_signal)[0x557f6613e1c7]
      libc_sigaction.c:0(__restore_rt)[0x7f5b0f05af90]
      nptl/pthread_kill.c:44(__pthread_kill_implementation)[0x7f5b0f0a9ccc]
      posix/raise.c:27(__GI_raise)[0x7f5b0f05aef2]
      stdlib/abort.c:81(__GI_abort)[0x7f5b0f045472]
      sanitizer_common/sanitizer_posix_libcdep.cpp:137(__sanitizer::Abort())[0x7f5b0fcd650f]
      sanitizer_common/sanitizer_termination.cpp:59(__sanitizer::Die())[0x7f5b0fce2ba1]
      asan/asan_report.cpp:190(__asan::ScopedInErrorReport::~ScopedInErrorReport())[0x7f5b0fcc1f5e]
      asan/asan_report.cpp:479(__asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool))[0x7f5b0fcc14c6]
      asan/asan_rtl.cpp:123(__asan_report_load8)[0x7f5b0fcc25ac]
      myisammrg/myrg_open.c:481(myrg_attach_children)[0x557f6777a665]
      myisammrg/ha_myisammrg.cc:839(ha_myisammrg::attach_children())[0x557f6776dff3]
      myisammrg/ha_myisammrg.cc:1340(ha_myisammrg::extra(ha_extra_function))[0x557f67772f70]
      sql/sql_base.cc:4429(open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*))[0x557f657a3b6c]
      sql/sql_base.cc:5237(open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*))[0x557f657a825f]
      sql/sql_base.h:507(open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int))[0x557f656feac6]
      sql/sql_parse.cc:6252(execute_sqlcom_select(THD*, TABLE_LIST*))[0x557f6594a4d5]
      sql/sql_parse.cc:4008(mysql_execute_command(THD*))[0x557f65939a6d]
      sql/sql_parse.cc:8106(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x557f65955eb9]
      sql/sql_parse.cc:1894(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x557f6592ba4a]
      sql/sql_parse.cc:1375(do_command(THD*))[0x557f659283e7]
      sql/sql_connect.cc:1416(do_handle_one_connection(CONNECT*, bool))[0x557f65d7519f]
      sql/sql_connect.cc:1320(handle_one_connection)[0x557f65d74b67]
      perfschema/pfs.cc:2203(pfs_spawn_thread)[0x557f669c1434]
      nptl/pthread_create.c:442(start_thread)[0x7f5b0f0a7fd4]
      x86_64/clone3.S:83(clone3)[0x7f5b0f1285bc]
       
      Trying to get some variables.
      Some pointers may be invalid and cause the dump to abort.
      Query (0x62b000038238): SELECT * FROM tmrg
       
      Connection ID (thread ID): 4
      Status: NOT_KILLED
      

      The failure started happening on 10.5 after this commit:

      commit 57c526ffb852fb027e25fdc77173d45bdc60b8a2
      Author: Monty
      Date:   Sun Feb 26 18:33:10 2023 +0200
       
          Added detection of memory overwrite with multi_malloc
      

      Attachments

        Activity

          People

            monty Michael Widenius
            elenst Elena Stepanova
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.