[MDEV-31971] ASAN errors in ha_mroonga::storage_encode_key_fixed_size_string upon using prefixed key - Jira

XML

Word

Printable

Details

Type: Bug
Status: Confirmed (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.4, 10.5, 10.6, 10.10, 10.11, 11.0, 11.1
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.1
Component/s: Storage Engine - Mroonga
Labels:
None

Description

INSTALL SONAME 'ha_mroonga';

CREATE TABLE t (a char(128), KEY(a(32))) ENGINE=Mroonga;

INSERT INTO t VALUES ('foo'),('bar');

DELETE FROM t WHERE a IS NULL;

# Cleanup

DROP TABLE t;

UNINSTALL SONAME 'ha_mroonga';

10.4 900c4d69
==3640855==ERROR: AddressSanitizer: use-after-poison on address 0x621000116d82 at pc 0x7fc527c4814b bp 0x7fc51f9072c0 sp 0x7fc51f906a70
READ of size 128 at 0x621000116d82 thread T5
#0 0x7fc527c4814a in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
#1 0x7fc51e58fb6c in ha_mroonga::storage_encode_key_fixed_size_string(Field, unsigned char const, unsigned char, unsigned int) /data/src/10.4/storage/mroonga/ha_mroonga.cpp:11586
#2 0x7fc51e59680b in ha_mroonga::storage_encode_key(Field, unsigned char const, unsigned char, unsigned int) /data/src/10.4/storage/mroonga/ha_mroonga.cpp:12078
#3 0x7fc51e557e4c in ha_mroonga::storage_records_in_range(unsigned int, st_key_range, st_key_range) /data/src/10.4/storage/mroonga/ha_mroonga.cpp:7525
#4 0x7fc51e559495 in ha_mroonga::records_in_range(unsigned int, st_key_range, st_key_range) /data/src/10.4/storage/mroonga/ha_mroonga.cpp:7636
#5 0x55bebfb27717 in handler::multi_range_read_info_const(unsigned int, st_range_seq_if, void, unsigned int, unsigned int, unsigned int, Cost_estimate*) /data/src/10.4/sql/multi_range_read.cc:126
#6 0x7fc51e59ab7c in ha_mroonga::storage_multi_range_read_info_const(unsigned int, st_range_seq_if, void, unsigned int, unsigned int, unsigned int, Cost_estimate*) /data/src/10.4/storage/mroonga/ha_mroonga.cpp:12375
#7 0x7fc51e59af22 in ha_mroonga::multi_range_read_info_const(unsigned int, st_range_seq_if, void, unsigned int, unsigned int, unsigned int, Cost_estimate*) /data/src/10.4/storage/mroonga/ha_mroonga.cpp:12396
#8 0x55bec020e275 in check_quick_select /data/src/10.4/sql/opt_range.cc:11258
#9 0x55bec01f4b14 in get_key_scans_params /data/src/10.4/sql/opt_range.cc:7467
#10 0x55bec01d7c22 in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool, bool) /data/src/10.4/sql/opt_range.cc:2943
#11 0x55bebf95ab5f in SQL_SELECT::check_quick(THD*, bool, unsigned long long) /data/src/10.4/sql/opt_range.h:1654
#12 0x55bec0297ee3 in mysql_delete(THD, TABLE_LIST, Item, SQL_I_List<st_order>, unsigned long long, unsigned long long, select_result*) /data/src/10.4/sql/sql_delete.cc:530
#13 0x55bebf67a975 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4815
#14 0x55bebf690a76 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8010
#15 0x55bebf666d41 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
#16 0x55bebf6638b0 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378
#17 0x55bebfa62e0f in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1420
#18 0x55bebfa62726 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324
#19 0x55bec06d2e1f in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
#20 0x7fc5276a7fd3 in start_thread nptl/pthread_create.c:442
#21 0x7fc5277285bb in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x621000116d82 is located 130 bytes inside of 4064-byte region [0x621000116d00,0x621000117ce0)
allocated by thread T5 here:
#0 0x7fc527cb89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x55bec121c882 in my_malloc /data/src/10.4/mysys/my_malloc.c:101
#2 0x55bec11f92a8 in alloc_root /data/src/10.4/mysys/my_alloc.c:251
#3 0x55bec01d6083 in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool, bool) /data/src/10.4/sql/opt_range.cc:2752
#4 0x55bebf95ab5f in SQL_SELECT::check_quick(THD*, bool, unsigned long long) /data/src/10.4/sql/opt_range.h:1654
#5 0x55bec0297ee3 in mysql_delete(THD, TABLE_LIST, Item, SQL_I_List<st_order>, unsigned long long, unsigned long long, select_result*) /data/src/10.4/sql/sql_delete.cc:530
#6 0x55bebf67a975 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4815
#7 0x55bebf690a76 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8010
#8 0x55bebf666d41 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
#9 0x55bebf6638b0 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378
#10 0x55bebfa62e0f in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1420
#11 0x55bebfa62726 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324
#12 0x55bec06d2e1f in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
#13 0x7fc5276a7fd3 in start_thread nptl/pthread_create.c:442

Thread T5 created by T0 here:
#0 0x7fc527c49726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
#1 0x55bec06d320c in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919
#2 0x55bebf36ef89 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275
#3 0x55bebf386690 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6287
#4 0x55bebf386ddb in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6357
#5 0x55bebf3872a9 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6455
#6 0x55bebf388155 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6613
#7 0x55bebf385df3 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5945
#8 0x55bebf36d0b8 in main /data/src/10.4/sql/main.cc:25
#9 0x7fc527646189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: use-after-poison ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
Shadow bytes around the buggy address:
0x0c428001ad60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c428001ad70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c428001ad80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c428001ad90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c428001ada0: 00 00 00 00 f7 00 00 00 00 f7 04 f7 00 00 00 00
=>0x0c428001adb0:[02]f7 00 00 00 00 02 f7 00 00 00 00 00 00 00 00
0x0c428001adc0: 00 00 00 00 00 00 00 f7 00 f7 00 00 00 00 00 00
0x0c428001add0: 00 00 00 00 00 00 00 f7 00 f7 f7 f7 f7 f7 f7 f7
0x0c428001ade0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c428001adf0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c428001ae00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3640855==ABORTING

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2023-08-20 18:22

Updated:: Yesterday 14:42

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.