Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-31854

Server crash, ASAN errors, assertion failure upon using NEXTVAL as default

    XMLWordPrintable

Details

    Description

      CREATE SEQUENCE s;
      		 
      CREATE TABLE t (a INT DEFAULT(NEXTVAL(s)));
      		 
      INSERT INTO t VALUES (1);
      		 
      UPDATE t SET a = DEFAULT;
      		 
       
      		 
      # Cleanup
      		 
      DROP TABLE t;

      10.4 b54e4bf0 ASAN

      		 
      ==1605494==ERROR: AddressSanitizer: use-after-poison on address 0x62b000063b30 at pc 0x55f4aa16c050 bp 0x7fae59331d40 sp 0x7fae59331d38
      		 
      READ of size 8 at 0x62b000063b30 thread T5
      		 
          #0 0x55f4aa16c04f in Item_func_nextval::update_table() /data/src/10.4/sql/item_func.h:3531
      		 
          #1 0x55f4aa15d990 in Item_func_nextval::val_int() /data/src/10.4/sql/item_func.cc:6855
      		 
          #2 0x55f4aa044eb4 in Item::save_int_in_field(Field*, bool) /data/src/10.4/sql/item.cc:6713
      		 
          #3 0x55f4a9d8abb7 in Type_handler_int_result::Item_save_in_field(Item*, Field*, bool) const /data/src/10.4/sql/sql_type.cc:3842
      		 
          #4 0x55f4aa045094 in Item::save_in_field(Field*, bool) /data/src/10.4/sql/item.cc:6723
      		 
          #5 0x55f4a9f37ef1 in Field::set_default() /data/src/10.4/sql/field.cc:2482
      		 
          #6 0x55f4aa05ff7f in Item_default_value::calculate() /data/src/10.4/sql/item.cc:9507
      		 
          #7 0x55f4aa0602a4 in Item_default_value::save_in_field(Field*, bool) /data/src/10.4/sql/item.cc:9555
      		 
          #8 0x55f4a96b95e4 in fill_record(THD*, TABLE*, List<Item>&, List<Item>&, bool, bool) /data/src/10.4/sql/sql_base.cc:8655
      		 
          #9 0x55f4a96ba7db in fill_record_n_invoke_before_triggers(THD*, TABLE*, List<Item>&, List<Item>&, bool, trg_event_type) /data/src/10.4/sql/sql_base.cc:8827
      		 
          #10 0x55f4a9af6953 in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*) /data/src/10.4/sql/sql_update.cc:1022
      		 
          #11 0x55f4a98286eb in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4449
      		 
          #12 0x55f4a98416ae in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8010
      		 
          #13 0x55f4a9817979 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
      		 
          #14 0x55f4a98144e8 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378
      		 
          #15 0x55f4a9c13a47 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1420
      		 
          #16 0x55f4a9c1335e in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324
      		 
          #17 0x55f4aa882dd3 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
      		 
          #18 0x7fae610a7fd3 in start_thread nptl/pthread_create.c:442
      		 
          #19 0x7fae611285bb in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
      		 
       
      		 
      0x62b000063b30 is located 6448 bytes inside of 24608-byte region [0x62b000062200,0x62b000068220)
      		 
      allocated by thread T5 here:
      		 
          #0 0x7fae616b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
      		 
          #1 0x55f4ab3cc2ca in my_malloc /data/src/10.4/mysys/my_malloc.c:101
      		 
          #2 0x55f4ab3a8466 in reset_root_defaults /data/src/10.4/mysys/my_alloc.c:152
      		 
          #3 0x55f4a96fecba in THD::init_for_queries() /data/src/10.4/sql/sql_class.cc:1388
      		 
          #4 0x55f4a9c12c7a in prepare_new_connection_state(THD*) /data/src/10.4/sql/sql_connect.cc:1254
      		 
          #5 0x55f4a9c133a4 in thd_prepare_connection(THD*) /data/src/10.4/sql/sql_connect.cc:1339
      		 
          #6 0x55f4a9c139a6 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1410
      		 
          #7 0x55f4a9c1335e in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324
      		 
          #8 0x55f4aa882dd3 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
      		 
          #9 0x7fae610a7fd3 in start_thread nptl/pthread_create.c:442
      		 
       
      		 
      Thread T5 created by T0 here:
      		 
          #0 0x7fae61649726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
      		 
          #1 0x55f4aa8831c0 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919
      		 
          #2 0x55f4a951ff89 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275
      		 
          #3 0x55f4a9537690 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6287
      		 
          #4 0x55f4a9537ddb in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6357
      		 
          #5 0x55f4a95382a9 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6455
      		 
          #6 0x55f4a9539155 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6613
      		 
          #7 0x55f4a9536df3 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5945
      		 
          #8 0x55f4a951e0b8 in main /data/src/10.4/sql/main.cc:25
      		 
          #9 0x7fae61046189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
      		 
       
      		 
      SUMMARY: AddressSanitizer: use-after-poison /data/src/10.4/sql/item_func.h:3531 in Item_func_nextval::update_table()
      		 
      Shadow bytes around the buggy address:
      		 
        0x0c5680004710: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      		 
        0x0c5680004720: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      		 
        0x0c5680004730: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      		 
        0x0c5680004740: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      		 
        0x0c5680004750: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      		 
      =>0x0c5680004760: f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7
      		 
        0x0c5680004770: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      		 
        0x0c5680004780: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      		 
        0x0c5680004790: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      		 
        0x0c56800047a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      		 
        0x0c56800047b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      		 
      Shadow byte legend (one shadow byte represents 8 application bytes):
      		 
        Addressable:           00
      		 
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
      		 
        Freed heap region:       fd
      		 
        Stack left redzone:      f1
      		 
        Stack mid redzone:       f2
      		 
        Stack right redzone:     f3
      		 
        Stack after return:      f5
      		 
        Stack use after scope:   f8
      		 
        Global redzone:          f9
      		 
        Global init order:       f6
      		 
        Poisoned by user:        f7
      		 
        Container overflow:      fc
      		 
        Array cookie:            ac
      		 
        Intra object redzone:    bb
      		 
        ASan internal:           fe
      		 
        Left alloca redzone:     ca
      		 
        Right alloca redzone:    cb
      		 
      ==1605494==ABORTING

      10.4 e146940a release

      		 
      #2  <signal handler called>
      		 
      #3  Item_func_nextval::val_int (this=0x7fb1301294d0) at /data/src/10.4/sql/item_func.cc:6830
      		 
      #4  0x000055ebdab5e906 in Item::save_int_in_field (this=0x7fb1301294d0, field=0x7fb130010d78, no_conversions=<optimized out>) at /data/src/10.4/sql/item.cc:6713
      		 
      #5  0x000055ebdab510ab in Item::save_in_field (this=0x7fb1301294d0, field=0x7fb130010d78, no_conversions=<optimized out>) at /data/src/10.4/sql/item.cc:6723
      		 
      #6  0x000055ebdab1c136 in Field::set_default (this=0x7fb130010d78) at /data/src/10.4/sql/field.cc:2482
      		 
      #7  0x000055ebdab62551 in Item_default_value::save_in_field (this=0x7fb130010a08, field_arg=0x7fb1301292f8, no_conversions=<optimized out>) at /data/src/10.4/sql/item.cc:9555
      		 
      #8  0x000055ebda904707 in fill_record (thd=thd@entry=0x7fb130000c58, table_arg=table_arg@entry=0x7fb13012a2f8, fields=..., values=..., ignore_errors=ignore_errors@entry=false, update=update@entry=true) at /data/src/10.4/sql/sql_base.cc:8649
      		 
      #9  0x000055ebda904a66 in fill_record_n_invoke_before_triggers (thd=thd@entry=0x7fb130000c58, table=table@entry=0x7fb13012a2f8, fields=..., values=..., ignore_errors=ignore_errors@entry=false, event=event@entry=TRG_EVENT_UPDATE) at /data/src/10.4/sql/sql_base.cc:8822
      		 
      #10 0x000055ebdaa0a8ab in mysql_update (thd=thd@entry=0x7fb130000c58, table_list=<optimized out>, fields=..., values=..., conds=<optimized out>, order_num=<optimized out>, order=<optimized out>, limit=18446744073709551615, ignore=false, found_return=0x7fb14070cf20, updated_return=0x7fb14070cfe0) at /data/src/10.4/sql/sql_update.cc:1017
      		 
      #11 0x000055ebda95c87b in mysql_execute_command (thd=thd@entry=0x7fb130000c58) at /data/src/10.4/sql/sql_parse.cc:4449
      		 
      #12 0x000055ebda9603d0 in mysql_parse (thd=thd@entry=0x7fb130000c58, rawbuf=<optimized out>, length=24, parser_state=parser_state@entry=0x7fb14070d540, is_com_multi=is_com_multi@entry=false, is_next_command=<optimized out>) at /data/src/10.4/sql/sql_parse.cc:8008
      		 
      #13 0x000055ebda962095 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7fb130000c58, packet=packet@entry=0x7fb130007d69 "UPDATE t SET a = DEFAULT", packet_length=packet_length@entry=24, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /data/src/10.4/sql/sql_parse.cc:1857
      		 
      #14 0x000055ebda963b98 in do_command (thd=0x7fb130000c58) at /data/src/10.4/sql/sql_parse.cc:1378
      		 
      #15 0x000055ebdaa48ea4 in do_handle_one_connection (connect=connect@entry=0x55ebdc5fceb8) at /data/src/10.4/sql/sql_connect.cc:1420
      		 
      #16 0x000055ebdaa48ff4 in handle_one_connection (arg=arg@entry=0x55ebdc5fceb8) at /data/src/10.4/sql/sql_connect.cc:1324
      		 
      #17 0x000055ebdad67b60 in pfs_spawn_thread (arg=0x55ebdc554a58) at /data/src/10.4/storage/perfschema/pfs.cc:1869
      		 
      #18 0x00007fb1467c8fd4 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
      		 
      #19 0x00007fb1468495bc in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

      11.1 adc13e2c debug+asan

      		 
      mariadbd: /data/src/11.1/sql/item_func.cc:7047: virtual longlong Item_func_nextval::val_int(): Assertion `table && table->s->sequence' failed.
      		 
      230805 19:07:23 [ERROR] mysqld got signal 6 ;
      		 
       
      		 
      #9  0x00007f3b72853df2 in __GI___assert_fail (assertion=0x55d556f68080 "table && table->s->sequence", file=0x55d556f60a00 "/data/src/11.1/sql/item_func.cc", line=7047, function=0x55d556f680c0 "virtual longlong Item_func_nextval::val_int()") at ./assert/assert.c:101
      		 
      #10 0x000055d5553fff08 in Item_func_nextval::val_int (this=0x6190000a4460) at /data/src/11.1/sql/item_func.cc:7047
      		 
      #11 0x000055d5552fc073 in Item::save_int_in_field (this=0x6190000a4460, field=0x6290000e7758, no_conversions=false) at /data/src/11.1/sql/item.cc:6862
      		 
      #12 0x000055d55501ee6c in Type_handler_int_result::Item_save_in_field (this=0x55d558e40c60 <type_handler_slonglong>, item=0x6190000a4460, field=0x6290000e7758, no_conversions=false) at /data/src/11.1/sql/sql_type.cc:4334
      		 
      #13 0x000055d5552fc25b in Item::save_in_field (this=0x6190000a4460, field=0x6290000e7758, no_conversions=false) at /data/src/11.1/sql/item.cc:6872
      		 
      #14 0x000055d5551e86d6 in Field::set_default (this=0x6290000e7758) at /data/src/11.1/sql/field.cc:2658
      		 
      #15 0x000055d555316114 in Item_default_value::calculate (this=0x6290000e6bb8) at /data/src/11.1/sql/item.cc:9671
      		 
      #16 0x000055d555316439 in Item_default_value::save_in_field (this=0x6290000e6bb8, field_arg=0x6190000a4210, no_conversions=false) at /data/src/11.1/sql/item.cc:9720
      		 
      #17 0x000055d5547e674a in fill_record (thd=0x62b00007e218, table_arg=0x6190000a3c98, fields=..., values=..., ignore_errors=false, update=true) at /data/src/11.1/sql/sql_base.cc:9034
      		 
      #18 0x000055d5547e7925 in fill_record_n_invoke_before_triggers (thd=0x62b00007e218, table=0x6190000a3c98, fields=..., values=..., ignore_errors=false, event=TRG_EVENT_UPDATE) at /data/src/11.1/sql/sql_base.cc:9208
      		 
      #19 0x000055d554cf0d24 in Sql_cmd_update::update_single_table (this=0x6290000e6d18, thd=0x62b00007e218) at /data/src/11.1/sql/sql_update.cc:922
      		 
      #20 0x000055d554d05b69 in Sql_cmd_update::execute_inner (this=0x6290000e6d18, thd=0x62b00007e218) at /data/src/11.1/sql/sql_update.cc:3067
      		 
      #21 0x000055d554b54004 in Sql_cmd_dml::execute (this=0x6290000e6d18, thd=0x62b00007e218) at /data/src/11.1/sql/sql_select.cc:33356
      		 
      #22 0x000055d5549770e2 in mysql_execute_command (thd=0x62b00007e218, is_called_from_prepared_stmt=false) at /data/src/11.1/sql/sql_parse.cc:4393
      		 
      #23 0x000055d55498e717 in mysql_parse (thd=0x62b00007e218, rawbuf=0x6290000e6238 "UPDATE t SET a = DEFAULT", length=24, parser_state=0x7f3b6b1359f0) at /data/src/11.1/sql/sql_parse.cc:7774
      		 
      #24 0x000055d554966cba in dispatch_command (command=COM_QUERY, thd=0x62b00007e218, packet=0x629000258219 "UPDATE t SET a = DEFAULT", packet_length=24, blocking=true) at /data/src/11.1/sql/sql_parse.cc:1892
      		 
      #25 0x000055d5549639f7 in do_command (thd=0x62b00007e218, blocking=true) at /data/src/11.1/sql/sql_parse.cc:1405
      		 
      #26 0x000055d554e24aaa in do_handle_one_connection (connect=0x608000002eb8, put_in_cache=true) at /data/src/11.1/sql/sql_connect.cc:1416
      		 
      #27 0x000055d554e2446b in handle_one_connection (arg=0x608000002e38) at /data/src/11.1/sql/sql_connect.cc:1318
      		 
      #28 0x000055d555a2076c in pfs_spawn_thread (arg=0x617000005b98) at /data/src/11.1/storage/perfschema/pfs.cc:2201
      		 
      #29 0x00007f3b728a7fd4 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
      		 
      #30 0x00007f3b729285bc in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-28612 Server crash caused by concurrent inserts into table with sequence default

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open

          Activity

            People

              nikitamalyavin Nikita Malyavin
              elenst Elena Stepanova
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.