  2. MDEV-31866

Various ASAN use-after-poison errors upon UPDATE with blob columns


Details

    • Bug
    • Status: Confirmed (View Workflow)
    • Major
    • Resolution: Unresolved
    • 10.4, 10.5, 10.6, 10.9, 10.10, 10.11, 11.0, 11.1
    • 10.4, 10.5, 10.6, 10.11
    • None
    • None

    Description

       
      # Reproducer 1 (default engine): every data column is a BLOB variant, plus an
      # unkeyed int pk. The UPDATE's SET list assigns c5 twice -- first an integer
      # literal, then another blob column -- and copies c5 into c7 in between.
      CREATE TABLE t1 ( c7 blob, c11 mediumblob, c2 tinyblob, c5 blob, c13 longblob, c9 mediumblob, c8 mediumblob, c15 longblob, c0 tinyblob, c14 longblob, c10 mediumblob, c4 blob, c6 blob, c12 longblob, c3 tinyblob, c1 tinyblob, pk int);
      INSERT INTO t1 VALUES ('','h','w','','','null','h','k','e','j','','g','d','s','b','g',2), ('v','','','','q','','null','x','','u','h','z','','w','','w',1);
       
      # ASAN report below (10.4): the read is in compare_record() -> Field_blob::cmp_binary,
      # after fill_record() has evaluated the SET list. The freed 124-byte buffer was
      # allocated by Field_blob::store via Item_int::save_in_field (the `c5 = 1`
      # assignment) and freed by Binary_string::set inside Field_blob::val_str, called
      # from Field_blob::store_field (a blob-to-blob assignment later in the same SET
      # list). Which of `c7 = c5` / `c5 = c3` performs the free is not shown by the
      # trace; the assignment order presumably matters, so keep it exactly as written.
      # In a non-ASAN build the same stale read goes unreported, so this is a
      # memory-safety defect reachable from an ordinary UPDATE on the listed versions.
      UPDATE t1 SET c5 = 1, c7 = c5, c5 = c3  WHERE c7 >= c3 OR c9 IS NULL;
      

      10.4 b54e4bf00b191633c74

      Version: '10.4.31-MariaDB-debug-log'  
      =================================================================
      ==3303107==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00003d130 at pc 0x7f865c2bed10 bp 0x7f86451270e0 sp 0x7f8645126888
      READ of size 1 at 0x60c00003d130 thread T27
          #0 0x7f865c2bed0f in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:825
          #1 0x558c53890f6b in Field_blob::cmp_binary(unsigned char const*, unsigned char const*, unsigned int) /10.4/src/sql/field.cc:8673
          #2 0x558c538b08c7 in Field::cmp_binary_offset(unsigned int) /10.4/src/sql/field.h:1120
          #3 0x558c533f9805 in compare_record(TABLE const*) /10.4/src/sql/sql_update.cc:120
          #4 0x558c5340142c in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*) /10.4/src/sql/sql_update.cc:1029
          #5 0x558c531290ea in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:4449
          #6 0x558c53142176 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:8010
          #7 0x558c531185d8 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857
          #8 0x558c53115103 in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378
          #9 0x558c53522a08 in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1420
          #10 0x558c535222ac in handle_one_connection /10.4/src/sql/sql_connect.cc:1324
          #11 0x558c541cadad in pfs_spawn_thread /10.4/src/storage/perfschema/pfs.cc:1869
          #12 0x7f865bcf3608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
          #13 0x7f865b8c4132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
       
      0x60c00003d130 is located 112 bytes inside of 124-byte region [0x60c00003d0c0,0x60c00003d13c)
      freed by thread T27 here:
          #0 0x7f865c2f140f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
          #1 0x558c54d611df in free_memory /10.4/src/mysys/safemalloc.c:279
          #2 0x558c54d6079b in sf_free /10.4/src/mysys/safemalloc.c:197
          #3 0x558c54d2f127 in my_free /10.4/src/mysys/my_malloc.c:222
          #4 0x558c52e37967 in Binary_string::free() /10.4/src/sql/sql_string.h:698
          #5 0x558c52e81f0d in Binary_string::set(char const*, unsigned long) /10.4/src/sql/sql_string.h:549
          #6 0x558c52e81f5e in String::set(char const*, unsigned long, charset_info_st const*) /10.4/src/sql/sql_string.h:854
          #7 0x558c5388fe64 in Field_blob::val_str(String*, String*) /10.4/src/sql/field.cc:8595
          #8 0x558c52e5ecc5 in Field::val_str(String*) /10.4/src/sql/field.h:868
          #9 0x558c538bc14e in Field_blob::store_field(Field*) /10.4/src/sql/field.h:3947
          #10 0x558c538ca969 in field_conv_incompatible /10.4/src/sql/field_conv.cc:851
          #11 0x558c538caa0a in field_conv(Field*, Field*) /10.4/src/sql/field_conv.cc:864
          #12 0x558c5396763a in save_field_in_field /10.4/src/sql/item.cc:6569
          #13 0x558c53967e06 in Item_field::save_in_field(Field*, bool) /10.4/src/sql/item.cc:6620
          #14 0x558c52fb36fd in fill_record(THD*, TABLE*, List<Item>&, List<Item>&, bool, bool) /10.4/src/sql/sql_base.cc:8655
          #15 0x558c52fb4918 in fill_record_n_invoke_before_triggers(THD*, TABLE*, List<Item>&, List<Item>&, bool, trg_event_type) /10.4/src/sql/sql_base.cc:8827
          #16 0x558c534013f8 in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*) /10.4/src/sql/sql_update.cc:1022
          #17 0x558c531290ea in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:4449
          #18 0x558c53142176 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:8010
          #19 0x558c531185d8 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857
          #20 0x558c53115103 in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378
          #21 0x558c53522a08 in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1420
          #22 0x558c535222ac in handle_one_connection /10.4/src/sql/sql_connect.cc:1324
          #23 0x558c541cadad in pfs_spawn_thread /10.4/src/storage/perfschema/pfs.cc:1869
          #24 0x7f865bcf3608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
       
      previously allocated by thread T27 here:
          #0 0x7f865c2f1808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
          #1 0x558c54d6014f in sf_malloc /10.4/src/mysys/safemalloc.c:118
          #2 0x558c54d2e630 in my_malloc /10.4/src/mysys/my_malloc.c:101
          #3 0x558c5335a8cf in Binary_string::real_alloc(unsigned long) /10.4/src/sql/sql_string.cc:44
          #4 0x558c52e5cf1d in Binary_string::alloc(unsigned long) /10.4/src/sql/sql_string.h:707
          #5 0x558c5388e960 in Field_blob::store(char const*, unsigned long, charset_info_st const*) /10.4/src/sql/field.cc:8520
          #6 0x558c53882f9e in Field_str::store(long long, bool) /10.4/src/sql/field.cc:7204
          #7 0x558c53968e91 in save_int_value_in_field /10.4/src/sql/item.cc:6795
          #8 0x558c53968fa1 in Item_int::save_in_field(Field*, bool) /10.4/src/sql/item.cc:6801
          #9 0x558c52fb36fd in fill_record(THD*, TABLE*, List<Item>&, List<Item>&, bool, bool) /10.4/src/sql/sql_base.cc:8655
          #10 0x558c52fb4918 in fill_record_n_invoke_before_triggers(THD*, TABLE*, List<Item>&, List<Item>&, bool, trg_event_type) /10.4/src/sql/sql_base.cc:8827
          #11 0x558c534013f8 in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*) /10.4/src/sql/sql_update.cc:1022
          #12 0x558c531290ea in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:4449
          #13 0x558c53142176 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:8010
          #14 0x558c531185d8 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857
          #15 0x558c53115103 in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378
          #16 0x558c53522a08 in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1420
          #17 0x558c535222ac in handle_one_connection /10.4/src/sql/sql_connect.cc:1324
          #18 0x558c541cadad in pfs_spawn_thread /10.4/src/storage/perfschema/pfs.cc:1869
          #19 0x7f865bcf3608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
       
      Thread T27 created by T0 here:
          #0 0x7f865c21e815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
          #1 0x558c541cb19e in spawn_thread_v1 /10.4/src/storage/perfschema/pfs.cc:1919
          #2 0x558c52e11f71 in inline_mysql_thread_create /10.4/src/include/mysql/psi/mysql_thread.h:1275
          #3 0x558c52e2a0e0 in create_thread_to_handle_connection(CONNECT*) /10.4/src/sql/mysqld.cc:6287
          #4 0x558c52e2a87b in create_new_thread(CONNECT*) /10.4/src/sql/mysqld.cc:6357
          #5 0x558c52e2ad61 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.4/src/sql/mysqld.cc:6455
          #6 0x558c52e2bc1d in handle_connections_sockets() /10.4/src/sql/mysqld.cc:6613
          #7 0x558c52e297e5 in mysqld_main(int, char**) /10.4/src/sql/mysqld.cc:5945
          #8 0x558c52e0ff3c in main /10.4/src/sql/main.cc:25
          #9 0x7f865b7c9082 in __libc_start_main ../csu/libc-start.c:308
       
      SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:825 in __interceptor_memcmp
      Shadow bytes around the buggy address:
        0x0c187ffff9d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
        0x0c187ffff9e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
        0x0c187ffff9f0: 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa
        0x0c187ffffa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
        0x0c187ffffa10: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
      =>0x0c187ffffa20: fd fd fd fd fd fd[fd]fd fa fa fa fa fa fa fa fa
        0x0c187ffffa30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c187ffffa40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c187ffffa50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c187ffffa60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c187ffffa70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==3303107==ABORTING
      ----------SERVER LOG END-------------
      
      

      # mysqltest directive: skip the test unless InnoDB is available (engine=innodb below).
      --source include/have_innodb.inc
       
      # Reproducer 2 (InnoDB): same blob-only layout as reproducer 1, but with an
      # auto_increment PRIMARY KEY. The SET list again assigns `c5 = 1`, copies c5 into
      # c7, then overwrites c5 from c3; `c11 = c11` is a self-assignment kept as reported.
      CREATE TABLE t1 ( c7 blob, c11 mediumblob, c2 tinyblob, c5 blob, c13 longblob, c9 mediumblob, c8 mediumblob, c15 longblob, c0 tinyblob, c14 longblob, c10 mediumblob, c4 blob, c6 blob, c12 longblob, c3 tinyblob, c1 tinyblob, pk int(11) auto_increment, PRIMARY KEY (pk)) engine=innodb;
      INSERT INTO t1 VALUES ('','h','w','','','null','h','k','e','j','','g','d','s','b','g',2), ('v','','','','q','','null','x','','u','h','z','','w','','w',1);
       
      # ASAN report below (10.4): allocation and free frames match reproducer 1
      # (Field_blob::store via Item_int::save_in_field; Binary_string::set via
      # Field_blob::store_field), but the stale read now happens inside the storage
      # engine, in calc_row_difference() called from ha_innobase::update_row(),
      # i.e. the dangling blob pointer reaches the handler's update path.
      UPDATE t1 SET c9 = c12, c5 = 1, c11 = c11, c13 = c1, c7 = c5, c5 = c3 WHERE c7 > c3;
      

      10.4 b54e4bf00b191633c74

      Version: '10.4.31-MariaDB-debug-log'  
      =================================================================
      ==3286736==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00003d1f0 at pc 0x7f479de36e0d bp 0x7f4786c9da20 sp 0x7f4786c9d1c8
      READ of size 1 at 0x60c00003d1f0 thread T27
          #0 0x7f479de36e0c in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:826
          #1 0x55ae95c4b8b6 in calc_row_difference /10.4/src/storage/innobase/handler/ha_innodb.cc:8577
          #2 0x55ae95c4dfc5 in ha_innobase::update_row(unsigned char const*, unsigned char const*) /10.4/src/storage/innobase/handler/ha_innodb.cc:8930
          #3 0x55ae9528c01e in handler::ha_update_row(unsigned char const*, unsigned char const*) /10.4/src/sql/handler.cc:6905
          #4 0x55ae94d72789 in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*) /10.4/src/sql/sql_update.cc:1087
          #5 0x55ae94a9a0ea in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:4449
          #6 0x55ae94ab3176 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:8010
          #7 0x55ae94a895d8 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857
          #8 0x55ae94a86103 in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378
          #9 0x55ae94e93a08 in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1420
          #10 0x55ae94e932ac in handle_one_connection /10.4/src/sql/sql_connect.cc:1324
          #11 0x55ae95b3bdad in pfs_spawn_thread /10.4/src/storage/perfschema/pfs.cc:1869
          #12 0x7f479d86b608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
          #13 0x7f479d43c132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
       
      0x60c00003d1f0 is located 112 bytes inside of 124-byte region [0x60c00003d180,0x60c00003d1fc)
      freed by thread T27 here:
          #0 0x7f479de6940f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
          #1 0x55ae966d21df in free_memory /10.4/src/mysys/safemalloc.c:279
          #2 0x55ae966d179b in sf_free /10.4/src/mysys/safemalloc.c:197
          #3 0x55ae966a0127 in my_free /10.4/src/mysys/my_malloc.c:222
          #4 0x55ae947a8967 in Binary_string::free() /10.4/src/sql/sql_string.h:698
          #5 0x55ae947f2f0d in Binary_string::set(char const*, unsigned long) /10.4/src/sql/sql_string.h:549
          #6 0x55ae947f2f5e in String::set(char const*, unsigned long, charset_info_st const*) /10.4/src/sql/sql_string.h:854
          #7 0x55ae95200f53 in Field_blob::val_str(String*, String*) /10.4/src/sql/field.cc:8597
          #8 0x55ae947cfcc5 in Field::val_str(String*) /10.4/src/sql/field.h:868
          #9 0x55ae9522d14e in Field_blob::store_field(Field*) /10.4/src/sql/field.h:3947
          #10 0x55ae9523b969 in field_conv_incompatible /10.4/src/sql/field_conv.cc:851
          #11 0x55ae9523ba0a in field_conv(Field*, Field*) /10.4/src/sql/field_conv.cc:864
          #12 0x55ae952d863a in save_field_in_field /10.4/src/sql/item.cc:6569
          #13 0x55ae952d8e06 in Item_field::save_in_field(Field*, bool) /10.4/src/sql/item.cc:6620
          #14 0x55ae949246fd in fill_record(THD*, TABLE*, List<Item>&, List<Item>&, bool, bool) /10.4/src/sql/sql_base.cc:8655
          #15 0x55ae94925918 in fill_record_n_invoke_before_triggers(THD*, TABLE*, List<Item>&, List<Item>&, bool, trg_event_type) /10.4/src/sql/sql_base.cc:8827
          #16 0x55ae94d723f8 in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*) /10.4/src/sql/sql_update.cc:1022
          #17 0x55ae94a9a0ea in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:4449
          #18 0x55ae94ab3176 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:8010
          #19 0x55ae94a895d8 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857
          #20 0x55ae94a86103 in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378
          #21 0x55ae94e93a08 in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1420
          #22 0x55ae94e932ac in handle_one_connection /10.4/src/sql/sql_connect.cc:1324
          #23 0x55ae95b3bdad in pfs_spawn_thread /10.4/src/storage/perfschema/pfs.cc:1869
          #24 0x7f479d86b608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
       
      previously allocated by thread T27 here:
          #0 0x7f479de69808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
          #1 0x55ae966d114f in sf_malloc /10.4/src/mysys/safemalloc.c:118
          #2 0x55ae9669f630 in my_malloc /10.4/src/mysys/my_malloc.c:101
          #3 0x55ae94ccb8cf in Binary_string::real_alloc(unsigned long) /10.4/src/sql/sql_string.cc:44
          #4 0x55ae947cdf1d in Binary_string::alloc(unsigned long) /10.4/src/sql/sql_string.h:707
          #5 0x55ae951ff960 in Field_blob::store(char const*, unsigned long, charset_info_st const*) /10.4/src/sql/field.cc:8520
          #6 0x55ae951f3f9e in Field_str::store(long long, bool) /10.4/src/sql/field.cc:7204
          #7 0x55ae952d9e91 in save_int_value_in_field /10.4/src/sql/item.cc:6795
          #8 0x55ae952d9fa1 in Item_int::save_in_field(Field*, bool) /10.4/src/sql/item.cc:6801
          #9 0x55ae949246fd in fill_record(THD*, TABLE*, List<Item>&, List<Item>&, bool, bool) /10.4/src/sql/sql_base.cc:8655
          #10 0x55ae94925918 in fill_record_n_invoke_before_triggers(THD*, TABLE*, List<Item>&, List<Item>&, bool, trg_event_type) /10.4/src/sql/sql_base.cc:8827
          #11 0x55ae94d723f8 in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*) /10.4/src/sql/sql_update.cc:1022
          #12 0x55ae94a9a0ea in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:4449
          #13 0x55ae94ab3176 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:8010
          #14 0x55ae94a895d8 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857
          #15 0x55ae94a86103 in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378
          #16 0x55ae94e93a08 in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1420
          #17 0x55ae94e932ac in handle_one_connection /10.4/src/sql/sql_connect.cc:1324
          #18 0x55ae95b3bdad in pfs_spawn_thread /10.4/src/storage/perfschema/pfs.cc:1869
          #19 0x7f479d86b608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
       
      Thread T27 created by T0 here:
          #0 0x7f479dd96815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
          #1 0x55ae95b3c19e in spawn_thread_v1 /10.4/src/storage/perfschema/pfs.cc:1919
          #2 0x55ae94782f71 in inline_mysql_thread_create /10.4/src/include/mysql/psi/mysql_thread.h:1275
          #3 0x55ae9479b0e0 in create_thread_to_handle_connection(CONNECT*) /10.4/src/sql/mysqld.cc:6287
          #4 0x55ae9479b87b in create_new_thread(CONNECT*) /10.4/src/sql/mysqld.cc:6357
          #5 0x55ae9479bd61 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.4/src/sql/mysqld.cc:6455
          #6 0x55ae9479cc1d in handle_connections_sockets() /10.4/src/sql/mysqld.cc:6613
          #7 0x55ae9479a7e5 in mysqld_main(int, char**) /10.4/src/sql/mysqld.cc:5945
          #8 0x55ae94780f3c in main /10.4/src/sql/main.cc:25
          #9 0x7f479d341082 in __libc_start_main ../csu/libc-start.c:308
       
      SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:826 in __interceptor_memcmp
      Shadow bytes around the buggy address:
        0x0c187ffff9e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
        0x0c187ffff9f0: 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa
        0x0c187ffffa00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c187ffffa10: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
        0x0c187ffffa20: 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa
      =>0x0c187ffffa30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
        0x0c187ffffa40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c187ffffa50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c187ffffa60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c187ffffa70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c187ffffa80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==3286736==ABORTING
      ----------SERVER LOG END-------------
      

      # Reproducer 3 (InnoDB, PRIMARY KEY (pk DESC), 15 rows): same UPDATE as
      # reproducer 2 on a larger data set. Inside the literals `\\` is the MariaDB
      # escape for one backslash (with the default sql_mode), so 'r\\' is r followed
      # by a backslash; '9\n' on row pk=12 carries an embedded newline.
      CREATE TABLE t1 (c7 blob, c11 mediumblob, c2 tinyblob, c5 blob, c13 longblob, c9 mediumblob, c8 mediumblob, c15 longblob, c0 tinyblob, c14 longblob, c10 mediumblob, c4 blob, c6 blob, c12 longblob, c3 tinyblob, c1 tinyblob, pk int(11) auto_increment, PRIMARY KEY (pk DESC)) engine=innodb;
      INSERT INTO t1 VALUES
      ('r\\','b\\','','','','j\\','k\\','h\\','s\\','','h\\','','','k\\','','null',16),
      ('','w\\','u\\','g\\','','q\\','','','','z\\','a\\','','12',NULL,'',NULL,15),
      ('','','','null','z\\','null','','a\\','b\\','b\\','','','y\\','null','b\\','',14),
      ('','','','null','z null','','a b b ','','y null','b  ','9\n','w  u g ','q  ','','','z  a ',12),
      ('r b ','','','j  k h s ','h  ','','k ','null','10','','',NULL,'',NULL,'',NULL,11),
      ('r','b','','','','j','k','h','s','','h','','','k','','null',10),
      ('','','','null','z','null','','a','b','b','','','y','null','b','',9),
      ('','w','u','g','','q','','v','','z','a','','v','h','','null',8),
      ('','','t','','null','','z','s','','','v','','e','null','','',7),
      ('p','','l','e','c','e','null','p','','q','','','','','s','null',6),
      ('s','','j','null','null','','null','','null','','','','','null','y','',5),
      ('','j','l','','null','','w','j','a','','','null','n','','d','null',4),
      ('c','','','null','j','','','p','null','','','h','o','null','','',3),
      ('','h','w','','','null','h','k','e','j','','g','d','s','b','g',2),
      ('v','','','','q','','null','x','','u','h','z','','w','','w',1);
       
      # ASAN report below (10.10, reported for a smaller variant of this case): the
      # stale read is deeper in InnoDB -- mem_heap_dup() called from
      # row_upd_index_replace_new_col_val() under btr_cur_optimistic_update(). Unlike
      # reproducers 1 and 2, the freed 156-byte buffer was allocated during the INSERT
      # (Field_blob::store via Item_string::save_in_field in mysql_insert) and freed
      # during the UPDATE by Binary_string::set via Field_blob::store_field.
      UPDATE  t1 SET c9 = c12, c5 = 1, c11 = c11, c13 = c1, c7 = c5, c5 = c3 WHERE c7 > c3;
      

      On a smaller version of the test case (similar to the one above), on 10.10-11.2:

      10.10 ced243a09912ba5d17

      ==3283858==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e000032788 at pc 0x7f83ca343490 bp 0x7f83bac9ab80 sp 0x7f83bac9a328
      READ of size 1 at 0x60e000032788 thread T11
          #0 0x7f83ca34348f in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790
          #1 0x556dd5c430d4 in mem_heap_dup(mem_block_info_t*, void const*, unsigned long) /10.10/src/storage/innobase/include/mem0mem.h:240
          #2 0x556dd6061ddf in dfield_dup /10.10/src/storage/innobase/include/data0data.inl:170
          #3 0x556dd606a7b1 in row_upd_index_replace_new_col_val /10.10/src/storage/innobase/row/row0upd.cc:801
          #4 0x556dd606ba82 in row_upd_index_replace_new_col_vals_index_pos(dtuple_t*, dict_index_t const*, upd_t const*, mem_block_info_t*) /10.10/src/storage/innobase/row/row0upd.cc:926
          #5 0x556dd61b9fb7 in btr_cur_optimistic_update(unsigned long, btr_cur_t*, unsigned short**, mem_block_info_t**, upd_t const*, unsigned long, que_thr_t*, unsigned long, mtr_t*) /10.10/src/storage/innobase/btr/btr0cur.cc:3645
          #6 0x556dd6074d56 in row_upd_clust_rec /10.10/src/storage/innobase/row/row0upd.cc:2376
          #7 0x556dd6076749 in row_upd_clust_step /10.10/src/storage/innobase/row/row0upd.cc:2657
          #8 0x556dd607727a in row_upd /10.10/src/storage/innobase/row/row0upd.cc:2758
          #9 0x556dd607819d in row_upd_step(que_thr_t*) /10.10/src/storage/innobase/row/row0upd.cc:2900
          #10 0x556dd5fcaddb in row_update_for_mysql(row_prebuilt_t*) /10.10/src/storage/innobase/row/row0mysql.cc:1681
          #11 0x556dd5bfaa8e in ha_innobase::update_row(unsigned char const*, unsigned char const*) /10.10/src/storage/innobase/handler/ha_innodb.cc:8634
          #12 0x556dd5241e08 in handler::ha_update_row(unsigned char const*, unsigned char const*) /10.10/src/sql/handler.cc:7701
          #13 0x556dd4c8a52a in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*) /10.10/src/sql/sql_update.cc:1104
          #14 0x556dd490bccb in mysql_execute_command(THD*, bool) /10.10/src/sql/sql_parse.cc:4421
          #15 0x556dd492590f in mysql_parse(THD*, char*, unsigned int, Parser_state*) /10.10/src/sql/sql_parse.cc:8058
          #16 0x556dd48fb5d3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /10.10/src/sql/sql_parse.cc:1894
          #17 0x556dd48f8331 in do_command(THD*, bool) /10.10/src/sql/sql_parse.cc:1407
          #18 0x556dd4dc0fee in do_handle_one_connection(CONNECT*, bool) /10.10/src/sql/sql_connect.cc:1416
          #19 0x556dd4dc094b in handle_one_connection /10.10/src/sql/sql_connect.cc:1318
          #20 0x556dd59f5e0d in pfs_spawn_thread /10.10/src/storage/perfschema/pfs.cc:2201
          #21 0x7f83c9e28608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
          #22 0x7f83c99f9132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
       
      0x60e000032788 is located 136 bytes inside of 156-byte region [0x60e000032700,0x60e00003279c)
      freed by thread T11 here:
          #0 0x7f83ca3b540f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
          #1 0x556dd66572b9 in free_memory /10.10/src/mysys/safemalloc.c:297
          #2 0x556dd66566f6 in sf_free /10.10/src/mysys/safemalloc.c:203
          #3 0x556dd6624074 in my_free /10.10/src/mysys/my_malloc.c:216
          #4 0x556dd45536b7 in Binary_string::free_buffer() /10.10/src/sql/sql_string.h:308
          #5 0x556dd463f945 in Binary_string::set(char const*, unsigned long) /10.10/src/sql/sql_string.h:554
          #6 0x556dd463fa32 in String::set(char const*, unsigned long, charset_info_st const*) /10.10/src/sql/sql_string.h:912
          #7 0x556dd51b0077 in Field_blob::val_str(String*, String*) /10.10/src/sql/field.cc:8778
          #8 0x556dd45e48bd in Field::val_str(String*) /10.10/src/sql/field.h:1047
          #9 0x556dd4ff4b63 in Field_blob::store_field(Field*) /10.10/src/sql/field.h:4476
          #10 0x556dd51df35a in field_conv_incompatible /10.10/src/sql/field_conv.cc:850
          #11 0x556dd51df3fb in field_conv(Field*, Field*) /10.10/src/sql/field_conv.cc:863
          #12 0x556dd528d313 in save_field_in_field /10.10/src/sql/item.cc:6689
          #13 0x556dd528da99 in Item_field::save_in_field(Field*, bool) /10.10/src/sql/item.cc:6739
          #14 0x556dd4775d44 in fill_record(THD*, TABLE*, List<Item>&, List<Item>&, bool, bool) /10.10/src/sql/sql_base.cc:8955
          #15 0x556dd4776f5f in fill_record_n_invoke_before_triggers(THD*, TABLE*, List<Item>&, List<Item>&, bool, trg_event_type) /10.10/src/sql/sql_base.cc:9127
          #16 0x556dd4c8a199 in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*) /10.10/src/sql/sql_update.cc:1039
          #17 0x556dd490bccb in mysql_execute_command(THD*, bool) /10.10/src/sql/sql_parse.cc:4421
          #18 0x556dd492590f in mysql_parse(THD*, char*, unsigned int, Parser_state*) /10.10/src/sql/sql_parse.cc:8058
          #19 0x556dd48fb5d3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /10.10/src/sql/sql_parse.cc:1894
          #20 0x556dd48f8331 in do_command(THD*, bool) /10.10/src/sql/sql_parse.cc:1407
          #21 0x556dd4dc0fee in do_handle_one_connection(CONNECT*, bool) /10.10/src/sql/sql_connect.cc:1416
          #22 0x556dd4dc094b in handle_one_connection /10.10/src/sql/sql_connect.cc:1318
          #23 0x556dd59f5e0d in pfs_spawn_thread /10.10/src/storage/perfschema/pfs.cc:2201
          #24 0x7f83c9e28608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
       
      previously allocated by thread T11 here:
          #0 0x7f83ca3b5808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
          #1 0x556dd66560aa in sf_malloc /10.10/src/mysys/safemalloc.c:126
          #2 0x556dd66231c1 in my_malloc /10.10/src/mysys/my_malloc.c:88
          #3 0x556dd4bb9e21 in Binary_string::real_alloc(unsigned long) /10.10/src/sql/sql_string.cc:45
          #4 0x556dd461a614 in Binary_string::alloc(unsigned long) /10.10/src/sql/sql_string.h:792
          #5 0x556dd51aeaa5 in Field_blob::store(char const*, unsigned long, charset_info_st const*) /10.10/src/sql/field.cc:8701
          #6 0x556dd5258302 in Item::save_str_value_in_field(Field*, String*) /10.10/src/sql/item.cc:408
          #7 0x556dd528e636 in Item_string::save_in_field(Field*, bool) /10.10/src/sql/item.cc:6857
          #8 0x556dd4777cb3 in fill_record(THD*, TABLE*, Field**, List<Item>&, bool, bool) /10.10/src/sql/sql_base.cc:9239
          #9 0x556dd4778167 in fill_record_n_invoke_before_triggers(THD*, TABLE*, Field**, List<Item>&, bool, trg_event_type) /10.10/src/sql/sql_base.cc:9294
          #10 0x556dd48404d7 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /10.10/src/sql/sql_insert.cc:1090
          #11 0x556dd490ce41 in mysql_execute_command(THD*, bool) /10.10/src/sql/sql_parse.cc:4578
          #12 0x556dd492590f in mysql_parse(THD*, char*, unsigned int, Parser_state*) /10.10/src/sql/sql_parse.cc:8058
          #13 0x556dd48fb5d3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /10.10/src/sql/sql_parse.cc:1894
          #14 0x556dd48f8331 in do_command(THD*, bool) /10.10/src/sql/sql_parse.cc:1407
          #15 0x556dd4dc0fee in do_handle_one_connection(CONNECT*, bool) /10.10/src/sql/sql_connect.cc:1416
          #16 0x556dd4dc094b in handle_one_connection /10.10/src/sql/sql_connect.cc:1318
          #17 0x556dd59f5e0d in pfs_spawn_thread /10.10/src/storage/perfschema/pfs.cc:2201
          #18 0x7f83c9e28608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
       
      Thread T11 created by T0 here:
          #0 0x7f83ca2e2815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
          #1 0x556dd59f19ea in my_thread_create /10.10/src/storage/perfschema/my_thread.h:52
          #2 0x556dd59f6200 in pfs_spawn_thread_v1 /10.10/src/storage/perfschema/pfs.cc:2252
          #3 0x556dd452e019 in inline_mysql_thread_create /10.10/src/include/mysql/psi/mysql_thread.h:1139
          #4 0x556dd4546096 in create_thread_to_handle_connection(CONNECT*) /10.10/src/sql/mysqld.cc:6045
          #5 0x556dd4546712 in create_new_thread(CONNECT*) /10.10/src/sql/mysqld.cc:6104
          #6 0x556dd4546a7f in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.10/src/sql/mysqld.cc:6166
          #7 0x556dd4547475 in handle_connections_sockets() /10.10/src/sql/mysqld.cc:6290
          #8 0x556dd45458a3 in mysqld_main(int, char**) /10.10/src/sql/mysqld.cc:5940
          #9 0x556dd452d0cc in main /10.10/src/sql/main.cc:34
          #10 0x7f83c98fe082 in __libc_start_main ../csu/libc-start.c:308
       
      SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790 in __interceptor_memcpy
      Shadow bytes around the buggy address:
        0x0c1c7fffe4a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
        0x0c1c7fffe4b0: 00 00 00 00 00 00 00 00 00 00 04 fa fa fa fa fa
        0x0c1c7fffe4c0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c1c7fffe4d0: 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa fa
        0x0c1c7fffe4e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      =>0x0c1c7fffe4f0: fd[fd]fd fd fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c1c7fffe500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c1c7fffe510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c1c7fffe520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c1c7fffe530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c1c7fffe540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==3283858==ABORTING
      

            People

              sanja Oleksandr Byelkin
              alice Alice Sherepa