Details
-
Bug
-
Status: Open (View Workflow)
-
Major
-
Resolution: Unresolved
-
10.4(EOL), 10.5, 10.6, 10.10(EOL), 10.11, 11.0(EOL), 11.1(EOL)
-
None
Description
The test cases differ only in the name of the 2nd table, provided separately for demonstrating slightly different effects.
INSTALL SONAME 'ha_mroonga'; |
|
|
--connect (con1,localhost,root,,)
|
CREATE TEMPORARY TABLE t1 (a INT) ENGINE=Mroonga; |
CREATE TEMPORARY TABLE t_mroonga (b INT) ENGINE=Mroonga; |
--connection default
|
--source include/restart_mysqld.inc
|
|
|
# Cleanup
|
UNINSTALL SONAME 'ha_mroonga'; |
|
10.4 7d7ea799 |
==2560996==ERROR: AddressSanitizer: use-after-poison on address 0x62b0000933c8 at pc 0x7fc5a7b14cc4 bp 0x7fc5a095a580 sp 0x7fc5a095a578
|
READ of size 8 at 0x62b0000933c8 thread T6
|
#0 0x7fc5a7b14cc3 in ha_mroonga::create_share_for_create() const /data/src/10.4/storage/mroonga/ha_mroonga.cpp:3047
|
#1 0x7fc5a7b13061 in ha_mroonga::table_flags() const /data/src/10.4/storage/mroonga/ha_mroonga.cpp:2908
|
#2 0x55594d73b1e1 in handler::init() /data/src/10.4/sql/handler.h:3172
|
#3 0x55594db8f021 in get_new_handler(TABLE_SHARE*, st_mem_root*, handlerton*) /data/src/10.4/sql/handler.cc:317
|
#4 0x55594d9e21ef in THD::rm_temporary_table(handlerton*, char const*) /data/src/10.4/sql/temporary_tables.cc:697
|
#5 0x55594d9e6fdf in THD::free_tmp_table_share(TMP_TABLE_SHARE*, bool) /data/src/10.4/sql/temporary_tables.cc:1465
|
#6 0x55594d9e12e1 in THD::close_temporary_tables() /data/src/10.4/sql/temporary_tables.cc:539
|
#7 0x55594d2c6c65 in THD::cleanup() /data/src/10.4/sql/sql_class.cc:1527
|
#8 0x55594d0f21f3 in unlink_thd(THD*) /data/src/10.4/sql/mysqld.cc:2633
|
#9 0x55594d0f2cf6 in one_thread_per_connection_end(THD*, bool) /data/src/10.4/sql/mysqld.cc:2782
|
#10 0x55594d7db5c4 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1431
|
#11 0x55594d7dad12 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324
|
#12 0x55594e44be7b in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
|
#13 0x7fc5b0dc8fd3 in start_thread nptl/pthread_create.c:442
|
#14 0x7fc5b0e495bb in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
|
|
|
0x62b0000933c8 is located 456 bytes inside of 24608-byte region [0x62b000093200,0x62b000099220)
|
allocated by thread T6 here:
|
#0 0x7fc5b14b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
|
#1 0x55594ef959b8 in my_malloc /data/src/10.4/mysys/my_malloc.c:101
|
#2 0x55594ef71b54 in reset_root_defaults /data/src/10.4/mysys/my_alloc.c:155
|
#3 0x55594d2c5d9a in THD::init_for_queries() /data/src/10.4/sql/sql_class.cc:1388
|
#4 0x55594d7da62e in prepare_new_connection_state(THD*) /data/src/10.4/sql/sql_connect.cc:1254
|
#5 0x55594d7dad58 in thd_prepare_connection(THD*) /data/src/10.4/sql/sql_connect.cc:1339
|
#6 0x55594d7db35a in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1410
|
#7 0x55594d7dad12 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324
|
#8 0x55594e44be7b in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
|
#9 0x7fc5b0dc8fd3 in start_thread nptl/pthread_create.c:442
|
|
|
Thread T6 created by T0 here:
|
#0 0x7fc5b1449726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
|
#1 0x55594e44c268 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919
|
#2 0x55594d0e6f89 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275
|
#3 0x55594d0fe690 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6287
|
#4 0x55594d0feddb in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6357
|
#5 0x55594d0ff2a9 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6455
|
#6 0x55594d100155 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6613
|
#7 0x55594d0fddf3 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5945
|
#8 0x55594d0e50b8 in main /data/src/10.4/sql/main.cc:25
|
#9 0x7fc5b0d67189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
|
|
SUMMARY: AddressSanitizer: use-after-poison /data/src/10.4/storage/mroonga/ha_mroonga.cpp:3047 in ha_mroonga::create_share_for_create() const
|
Shadow bytes around the buggy address:
|
0x0c568000a620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c568000a630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c568000a640: 00 00 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c568000a650: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c568000a660: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
=>0x0c568000a670: f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7
|
0x0c568000a680: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c568000a690: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c568000a6a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c568000a6b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c568000a6c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
INSTALL SONAME 'ha_mroonga'; |
|
|
--connect (con1,localhost,root,,)
|
CREATE TEMPORARY TABLE t1 (a INT) ENGINE=Mroonga; |
CREATE TEMPORARY TABLE t2 (b INT) ENGINE=Mroonga; |
--connection default
|
--source include/restart_mysqld.inc
|
|
|
# Cleanup
|
UNINSTALL SONAME 'ha_mroonga'; |
==2561422==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x4000000050 bytes
|
#0 0x7fedd76b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
|
#1 0x55caa7f4e9b8 in my_malloc /data/src/10.4/mysys/my_malloc.c:101
|
#2 0x55caa7f4fa68 in my_strndup /data/src/10.4/mysys/my_malloc.c:256
|
#3 0x7fedcdf14d11 in ha_mroonga::create_share_for_create() const /data/src/10.4/storage/mroonga/ha_mroonga.cpp:3047
|
#4 0x7fedcdf13061 in ha_mroonga::table_flags() const /data/src/10.4/storage/mroonga/ha_mroonga.cpp:2908
|
#5 0x55caa66f41e1 in handler::init() /data/src/10.4/sql/handler.h:3172
|
#6 0x55caa6b48021 in get_new_handler(TABLE_SHARE*, st_mem_root*, handlerton*) /data/src/10.4/sql/handler.cc:317
|
#7 0x55caa699b1ef in THD::rm_temporary_table(handlerton*, char const*) /data/src/10.4/sql/temporary_tables.cc:697
|
#8 0x55caa699ffdf in THD::free_tmp_table_share(TMP_TABLE_SHARE*, bool) /data/src/10.4/sql/temporary_tables.cc:1465
|
#9 0x55caa699a2e1 in THD::close_temporary_tables() /data/src/10.4/sql/temporary_tables.cc:539
|
#10 0x55caa627fc65 in THD::cleanup() /data/src/10.4/sql/sql_class.cc:1527
|
#11 0x55caa60ab1f3 in unlink_thd(THD*) /data/src/10.4/sql/mysqld.cc:2633
|
#12 0x55caa60abcf6 in one_thread_per_connection_end(THD*, bool) /data/src/10.4/sql/mysqld.cc:2782
|
#13 0x55caa67945c4 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1431
|
#14 0x55caa6793d12 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324
|
#15 0x55caa7404e7b in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
|
#16 0x7fedd70a7fd3 in start_thread nptl/pthread_create.c:442
|
|
|
==2561422==HINT: if you don't care about these errors you may set allocator_may_return_null=1
|
SUMMARY: AddressSanitizer: out-of-memory ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69 in __interceptor_malloc
|
Thread T6 created by T0 here:
|
#0 0x7fedd7649726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
|
#1 0x55caa7405268 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919
|
#2 0x55caa609ff89 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275
|
#3 0x55caa60b7690 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6287
|
#4 0x55caa60b7ddb in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6357
|
#5 0x55caa60b82a9 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6455
|
#6 0x55caa60b9155 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6613
|
#7 0x55caa60b6df3 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5945
|
#8 0x55caa609e0b8 in main /data/src/10.4/sql/main.cc:25
|
#9 0x7fedd7046189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
Attachments
Activity
It still fails, with a very slightly different stack trace
|
10.4 7d7ea79916 with the patch above |
==2788089==ERROR: AddressSanitizer: use-after-poison on address 0x62b000093528 at pc 0x5632f52425f1 bp 0x7fc14300e560 sp 0x7fc14300e558
|
READ of size 8 at 0x62b000093528 thread T6
|
#0 0x5632f52425f0 in TABLE_LIST::get_table_name() const /data/src/10.4-mroonga/sql/table.h:2916
|
#1 0x7fc14a314c97 in ha_mroonga::create_share_for_create() const /data/src/10.4-mroonga/storage/mroonga/ha_mroonga.cpp:3045
|
#2 0x7fc14a313061 in ha_mroonga::table_flags() const /data/src/10.4-mroonga/storage/mroonga/ha_mroonga.cpp:2908
|
#3 0x5632f57431e1 in handler::init() /data/src/10.4-mroonga/sql/handler.h:3172
|
#4 0x5632f5b97021 in get_new_handler(TABLE_SHARE*, st_mem_root*, handlerton*) /data/src/10.4-mroonga/sql/handler.cc:317
|
#5 0x5632f59ea1ef in THD::rm_temporary_table(handlerton*, char const*) /data/src/10.4-mroonga/sql/temporary_tables.cc:697
|
#6 0x5632f59eefdf in THD::free_tmp_table_share(TMP_TABLE_SHARE*, bool) /data/src/10.4-mroonga/sql/temporary_tables.cc:1465
|
#7 0x5632f59e92e1 in THD::close_temporary_tables() /data/src/10.4-mroonga/sql/temporary_tables.cc:539
|
#8 0x5632f52cec65 in THD::cleanup() /data/src/10.4-mroonga/sql/sql_class.cc:1527
|
#9 0x5632f50fa1f3 in unlink_thd(THD*) /data/src/10.4-mroonga/sql/mysqld.cc:2633
|
#10 0x5632f50facf6 in one_thread_per_connection_end(THD*, bool) /data/src/10.4-mroonga/sql/mysqld.cc:2782
|
#11 0x5632f57e35c4 in do_handle_one_connection(CONNECT*) /data/src/10.4-mroonga/sql/sql_connect.cc:1431
|
#12 0x5632f57e2d12 in handle_one_connection /data/src/10.4-mroonga/sql/sql_connect.cc:1324
|
#13 0x5632f6453e7b in pfs_spawn_thread /data/src/10.4-mroonga/storage/perfschema/pfs.cc:1869
|
#14 0x7fc1533c8fd3 in start_thread nptl/pthread_create.c:442
|
#15 0x7fc1534495bb in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
|
|
|
0x62b000093528 is located 808 bytes inside of 24608-byte region [0x62b000093200,0x62b000099220)
|
allocated by thread T6 here:
|
#0 0x7fc153ab89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
|
#1 0x5632f6f9d9b8 in my_malloc /data/src/10.4-mroonga/mysys/my_malloc.c:101
|
#2 0x5632f6f79b54 in reset_root_defaults /data/src/10.4-mroonga/mysys/my_alloc.c:155
|
#3 0x5632f52cdd9a in THD::init_for_queries() /data/src/10.4-mroonga/sql/sql_class.cc:1388
|
#4 0x5632f57e262e in prepare_new_connection_state(THD*) /data/src/10.4-mroonga/sql/sql_connect.cc:1254
|
#5 0x5632f57e2d58 in thd_prepare_connection(THD*) /data/src/10.4-mroonga/sql/sql_connect.cc:1339
|
#6 0x5632f57e335a in do_handle_one_connection(CONNECT*) /data/src/10.4-mroonga/sql/sql_connect.cc:1410
|
#7 0x5632f57e2d12 in handle_one_connection /data/src/10.4-mroonga/sql/sql_connect.cc:1324
|
#8 0x5632f6453e7b in pfs_spawn_thread /data/src/10.4-mroonga/storage/perfschema/pfs.cc:1869
|
#9 0x7fc1533c8fd3 in start_thread nptl/pthread_create.c:442
|
|
|
Thread T6 created by T0 here:
|
#0 0x7fc153a49726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
|
#1 0x5632f6454268 in spawn_thread_v1 /data/src/10.4-mroonga/storage/perfschema/pfs.cc:1919
|
#2 0x5632f50eef89 in inline_mysql_thread_create /data/src/10.4-mroonga/include/mysql/psi/mysql_thread.h:1275
|
#3 0x5632f5106690 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4-mroonga/sql/mysqld.cc:6287
|
#4 0x5632f5106ddb in create_new_thread(CONNECT*) /data/src/10.4-mroonga/sql/mysqld.cc:6357
|
#5 0x5632f51072a9 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4-mroonga/sql/mysqld.cc:6455
|
#6 0x5632f5108155 in handle_connections_sockets() /data/src/10.4-mroonga/sql/mysqld.cc:6613
|
#7 0x5632f5105df3 in mysqld_main(int, char**) /data/src/10.4-mroonga/sql/mysqld.cc:5945
|
#8 0x5632f50ed0b8 in main /data/src/10.4-mroonga/sql/main.cc:25
|
#9 0x7fc153367189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
|
|
SUMMARY: AddressSanitizer: use-after-poison /data/src/10.4-mroonga/sql/table.h:2916 in TABLE_LIST::get_table_name() const
|
Shadow bytes around the buggy address:
|
0x0c568000a650: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c568000a660: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c568000a670: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c568000a680: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c568000a690: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
=>0x0c568000a6a0: f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c568000a6b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c568000a6c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c568000a6d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c568000a6e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c568000a6f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
|
Ah, we can't use THD::lex::query_tables in THD::cleanup() but THD::lex::query_tables isn't nullptr...
serg Do you know how to detect whether we can use THD::lex::query_tables or not? (We can't use thd->lex->query_tables != nullptr for it in THD::cleanup()...)
How about this? (This is from upstream.)
From cf02f74c71049c4d0aafaf2a9640dfe5cea634be Mon Sep 17 00:00:00 2001From: Sutou Kouhei <kou@clear-code.com>Date: Sun, 10 Sep 2023 14:49:01 +0900Subject: [PATCH] Use LEX::query_tables instead of LEX::first_select_lex()Because ha_mroonga::create_share_for_create() isn't for SELECT. SoLEX::first_select_lex() isn't suitable.---storage/mroonga/ha_mroonga.cpp | 12 ++++++------1 file changed, 6 insertions(+), 6 deletions(-)diff --git a/storage/mroonga/ha_mroonga.cpp b/storage/mroonga/ha_mroonga.cppindex 8486471a392..ac4f02d7781 100644--- a/storage/mroonga/ha_mroonga.cpp+++ b/storage/mroonga/ha_mroonga.cpp@@ -2997,7 +2997,6 @@ int ha_mroonga::create_share_for_create() constTHD *thd = ha_thd();LEX *lex = thd->lex;HA_CREATE_INFO *create_info = &lex->create_info;- TABLE_LIST *table_list = MRN_LEX_GET_TABLE_LIST(lex);MRN_DBUG_ENTER_METHOD();wrap_handler_for_create = NULL;table_for_create.reset();@@ -3043,11 +3042,12 @@ int ha_mroonga::create_share_for_create() const}mrn_init_alloc_root(&mem_root_for_create, 1024, 0, MYF(0));analyzed_for_create = true;- if (table_list) {- share_for_create.table_name = mrn_my_strndup(table_list->table_name.str,- table_list->table_name.length,- MYF(MY_WME));- share_for_create.table_name_length = table_list->table_name.length;+ if (lex->query_tables && lex->query_tables->get_table_name()) {+ share_for_create.table_name =+ mrn_my_strdup(lex->query_tables->get_table_name(),+ MYF(MY_WME));+ share_for_create.table_name_length =+ strlen(lex->query_tables->get_table_name());}share_for_create.table_share = &table_share_for_create;table_for_create.s = &table_share_for_create;--2.40.1