Details
-
Bug
-
Status: Stalled (View Workflow)
-
Major
-
Resolution: Unresolved
-
10.5, 10.6, 10.8, 10.9, 10.10, 10.11, 11.0, 11.1
Description
CREATE TABLE t (f TEXT, FULLTEXT (f)) ENGINE=MyISAM; |
INSERT INTO t VALUES ('foo'),('bar'); # Optional, fails either way |
CREATE TABLE tmrg (f TEXT) ENGINE=MERGE, UNION(t); |
SELECT * FROM tmrg; |
|
|
# Cleanup
|
DROP TABLE tmrg, t; |
|
10.5 75063d12 |
==3017382==ERROR: AddressSanitizer: use-after-poison on address 0x61d000231098 at pc 0x557f6777a665 bp 0x7f5b079662b0 sp 0x7f5b079662a8
|
READ of size 8 at 0x61d000231098 thread T5
|
#0 0x557f6777a664 in myrg_attach_children /data/src/10.5/storage/myisammrg/myrg_open.c:481
|
#1 0x557f6776dff2 in ha_myisammrg::attach_children() /data/src/10.5/storage/myisammrg/ha_myisammrg.cc:839
|
#2 0x557f67772f6f in ha_myisammrg::extra(ha_extra_function) /data/src/10.5/storage/myisammrg/ha_myisammrg.cc:1340
|
#3 0x557f657a3b6b in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.5/sql/sql_base.cc:4429
|
#4 0x557f657a825e in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.5/sql/sql_base.cc:5237
|
#5 0x557f656feac5 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.5/sql/sql_base.h:507
|
#6 0x557f6594a4d4 in execute_sqlcom_select /data/src/10.5/sql/sql_parse.cc:6252
|
#7 0x557f65939a6c in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:4008
|
#8 0x557f65955eb8 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.5/sql/sql_parse.cc:8106
|
#9 0x557f6592ba49 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5/sql/sql_parse.cc:1891
|
#10 0x557f659283e6 in do_command(THD*) /data/src/10.5/sql/sql_parse.cc:1375
|
#11 0x557f65d7519e in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1416
|
#12 0x557f65d74b66 in handle_one_connection /data/src/10.5/sql/sql_connect.cc:1318
|
#13 0x557f669c1433 in pfs_spawn_thread /data/src/10.5/storage/perfschema/pfs.cc:2201
|
#14 0x7f5b0f0a7fd3 in start_thread nptl/pthread_create.c:442
|
#15 0x7f5b0f1285bb in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
|
|
|
0x61d000231098 is located 1560 bytes inside of 2296-byte region [0x61d000230a80,0x61d000231378)
|
allocated by thread T5 here:
|
#0 0x7f5b0fcb89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
|
#1 0x557f67615035 in my_malloc /data/src/10.5/mysys/my_malloc.c:91
|
#2 0x557f675ef618 in my_multi_malloc /data/src/10.5/mysys/mulalloc.c:59
|
#3 0x557f674f9613 in mi_open /data/src/10.5/storage/myisam/mi_open.c:313
|
#4 0x557f674766ad in ha_myisam::open(char const*, int, unsigned int) /data/src/10.5/storage/myisam/ha_myisam.cc:834
|
#5 0x557f661562d0 in handler::ha_open(TABLE*, char const*, int, unsigned int, st_mem_root*, List<String>*) /data/src/10.5/sql/handler.cc:3012
|
#6 0x557f65c9440f in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /data/src/10.5/sql/table.cc:4323
|
#7 0x557f65796cc3 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.5/sql/sql_base.cc:2015
|
#8 0x557f657a05f8 in open_and_process_table /data/src/10.5/sql/sql_base.cc:3807
|
#9 0x557f657a3125 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.5/sql/sql_base.cc:4290
|
#10 0x557f657a825e in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.5/sql/sql_base.cc:5237
|
#11 0x557f656feac5 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.5/sql/sql_base.h:507
|
#12 0x557f65872469 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /data/src/10.5/sql/sql_insert.cc:757
|
#13 0x557f6593da0a in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:4629
|
#14 0x557f65955eb8 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.5/sql/sql_parse.cc:8106
|
#15 0x557f6592ba49 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5/sql/sql_parse.cc:1891
|
#16 0x557f659283e6 in do_command(THD*) /data/src/10.5/sql/sql_parse.cc:1375
|
#17 0x557f65d7519e in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1416
|
#18 0x557f65d74b66 in handle_one_connection /data/src/10.5/sql/sql_connect.cc:1318
|
#19 0x557f669c1433 in pfs_spawn_thread /data/src/10.5/storage/perfschema/pfs.cc:2201
|
#20 0x7f5b0f0a7fd3 in start_thread nptl/pthread_create.c:442
|
|
|
Thread T5 created by T0 here:
|
#0 0x7f5b0fc49726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
|
#1 0x557f669bd166 in my_thread_create /data/src/10.5/storage/perfschema/my_thread.h:52
|
#2 0x557f669c1822 in pfs_spawn_thread_v1 /data/src/10.5/storage/perfschema/pfs.cc:2252
|
#3 0x557f6561deeb in inline_mysql_thread_create /data/src/10.5/include/mysql/psi/mysql_thread.h:1323
|
#4 0x557f65633c32 in create_thread_to_handle_connection(CONNECT*) /data/src/10.5/sql/mysqld.cc:6057
|
#5 0x557f65634243 in create_new_thread(CONNECT*) /data/src/10.5/sql/mysqld.cc:6116
|
#6 0x557f65634516 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.5/sql/mysqld.cc:6181
|
#7 0x557f65635107 in handle_connections_sockets() /data/src/10.5/sql/mysqld.cc:6308
|
#8 0x557f656334af in mysqld_main(int, char**) /data/src/10.5/sql/mysqld.cc:5703
|
#9 0x557f6561c8f8 in main /data/src/10.5/sql/main.cc:25
|
#10 0x7f5b0f046189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
|
|
SUMMARY: AddressSanitizer: use-after-poison /data/src/10.5/storage/myisammrg/myrg_open.c:481 in myrg_attach_children
|
Shadow bytes around the buggy address:
|
0x0c3a8003e1c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c3a8003e1d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c3a8003e1e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c3a8003e1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c3a8003e200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
=>0x0c3a8003e210: 00 f7 00[f7]00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c3a8003e220: 00 00 f7 f7 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c3a8003e230: 00 00 00 00 f7 00 00 00 00 00 00 00 00 00 00 00
|
0x0c3a8003e240: 00 00 00 00 00 00 00 f7 00 00 00 f7 00 00 00 00
|
0x0c3a8003e250: 00 00 f7 00 00 f7 00 00 f7 00 f7 00 f7 00 00 00
|
0x0c3a8003e260: 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 f7 fa
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
==3017382==ABORTING
|
230419 15:45:29 [ERROR] mysqld got signal 6 ;
|
This could be because you hit a bug. It is also possible that this binary
|
or one of the libraries it was linked against is corrupt, improperly built,
|
or misconfigured. This error can also be caused by malfunctioning hardware.
|
|
|
To report this bug, see https://mariadb.com/kb/en/reporting-bugs
|
|
|
We will try our best to scrape up some info that will hopefully help
|
diagnose the problem, but since we have already crashed,
|
something is definitely wrong and this may fail.
|
|
|
Server version: 10.5.20-MariaDB-debug-log source revision: 75063d128812347228873e2dce4ae7799f348ebf
|
key_buffer_size=1048576
|
read_buffer_size=131072
|
max_used_connections=1
|
max_threads=153
|
thread_count=1
|
It is possible that mysqld could use up to
|
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 63762 K bytes of memory
|
Hope that's ok; if not, decrease some variables in the equation.
|
|
|
Thread pointer: 0x62b000069218
|
Attempting backtrace. You can use the following information to find out
|
where mysqld died. If you see no messages after this, something went
|
terribly wrong...
|
stack_bottom = 0x7f5b07968c50 thread_stack 0x100000
|
sanitizer_common/sanitizer_common_interceptors.inc:4277(__interceptor_backtrace.part.0)[0x7f5b0fc51f31]
|
mysys/stacktrace.c:212(my_print_stacktrace)[0x557f67624eb5]
|
sql/signal_handler.cc:241(handle_fatal_signal)[0x557f6613e1c7]
|
libc_sigaction.c:0(__restore_rt)[0x7f5b0f05af90]
|
nptl/pthread_kill.c:44(__pthread_kill_implementation)[0x7f5b0f0a9ccc]
|
posix/raise.c:27(__GI_raise)[0x7f5b0f05aef2]
|
stdlib/abort.c:81(__GI_abort)[0x7f5b0f045472]
|
sanitizer_common/sanitizer_posix_libcdep.cpp:137(__sanitizer::Abort())[0x7f5b0fcd650f]
|
sanitizer_common/sanitizer_termination.cpp:59(__sanitizer::Die())[0x7f5b0fce2ba1]
|
asan/asan_report.cpp:190(__asan::ScopedInErrorReport::~ScopedInErrorReport())[0x7f5b0fcc1f5e]
|
asan/asan_report.cpp:479(__asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool))[0x7f5b0fcc14c6]
|
asan/asan_rtl.cpp:123(__asan_report_load8)[0x7f5b0fcc25ac]
|
myisammrg/myrg_open.c:481(myrg_attach_children)[0x557f6777a665]
|
myisammrg/ha_myisammrg.cc:839(ha_myisammrg::attach_children())[0x557f6776dff3]
|
myisammrg/ha_myisammrg.cc:1340(ha_myisammrg::extra(ha_extra_function))[0x557f67772f70]
|
sql/sql_base.cc:4429(open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*))[0x557f657a3b6c]
|
sql/sql_base.cc:5237(open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*))[0x557f657a825f]
|
sql/sql_base.h:507(open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int))[0x557f656feac6]
|
sql/sql_parse.cc:6252(execute_sqlcom_select(THD*, TABLE_LIST*))[0x557f6594a4d5]
|
sql/sql_parse.cc:4008(mysql_execute_command(THD*))[0x557f65939a6d]
|
sql/sql_parse.cc:8106(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x557f65955eb9]
|
sql/sql_parse.cc:1894(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x557f6592ba4a]
|
sql/sql_parse.cc:1375(do_command(THD*))[0x557f659283e7]
|
sql/sql_connect.cc:1416(do_handle_one_connection(CONNECT*, bool))[0x557f65d7519f]
|
sql/sql_connect.cc:1320(handle_one_connection)[0x557f65d74b67]
|
perfschema/pfs.cc:2203(pfs_spawn_thread)[0x557f669c1434]
|
nptl/pthread_create.c:442(start_thread)[0x7f5b0f0a7fd4]
|
x86_64/clone3.S:83(clone3)[0x7f5b0f1285bc]
|
|
|
Trying to get some variables.
|
Some pointers may be invalid and cause the dump to abort.
|
Query (0x62b000038238): SELECT * FROM tmrg
|
|
|
Connection ID (thread ID): 4
|
Status: NOT_KILLED
|
The failure started happening on 10.5 after this commit:
commit 57c526ffb852fb027e25fdc77173d45bdc60b8a2
|
Author: Monty
|
Date: Sun Feb 26 18:33:10 2023 +0200
|
|
|
Added detection of memory overwrite with multi_malloc
|