Details
-
Bug
-
Status: Closed (View Workflow)
-
Critical
-
Resolution: Duplicate
-
N/A
Description
ASAN testing of bb-10.6-MDEV-31949 has found the following use-after-poison in xid_t::key_length(). All testcase reduction attempts have failed. The issue was observed a number of times in various bb-10.6-MDEV-31949 tests, but was never seen in BASE. Hopefully the detailed ASAN description is sufficient to find the issue in the code.
|
10.6.16 3455be1b4a925f43a1e7170029abf3304122409f |
==3970054==ERROR: AddressSanitizer: use-after-poison on address 0x619000432790 at pc 0x55d06bc89ba3 bp 0x151937da76d0 sp 0x151937da76c0
|
READ of size 8 at 0x619000432790 thread T14
|
#0 0x55d06bc89ba2 in xid_t::key_length() const /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/handler.h:954
|
#1 0x55d06bc89ba2 in xid_t::length() /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/handler.h:945
|
#2 0x55d06bc89ba2 in xid_t::set(xid_t*) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/handler.h:896
|
#3 0x55d06bc89ba2 in Gtid_log_event::Gtid_log_event(THD*, unsigned long long, unsigned int, bool, unsigned short, bool, unsigned long long, bool, bool) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/log_event_server.cc:3333
|
#4 0x55d06bb2849d in MYSQL_BIN_LOG::write_gtid_event(THD*, bool, bool, unsigned long long, bool, bool) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/log.cc:6453
|
#5 0x55d06bb47e1b in MYSQL_BIN_LOG::write_transaction_or_stmt(MYSQL_BIN_LOG::group_commit_entry*, unsigned long long) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/log.cc:8718
|
#6 0x55d06bb8415a in MYSQL_BIN_LOG::trx_group_commit_leader(MYSQL_BIN_LOG::group_commit_entry*) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/log.cc:8464
|
#7 0x55d06bb86d70 in MYSQL_BIN_LOG::write_transaction_to_binlog_events(MYSQL_BIN_LOG::group_commit_entry*) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/log.cc:8254
|
#8 0x55d06bb89264 in MYSQL_BIN_LOG::write_transaction_to_binlog(THD*, binlog_cache_mngr*, Log_event*, bool, bool, bool, bool) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/log.cc:7851
|
#9 0x55d06bb89f5b in binlog_flush_cache /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/log.cc:1775
|
#10 0x55d06bb8c2c6 in binlog_rollback_flush_trx_cache /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/log.cc:1916
|
#11 0x55d06bb8e080 in binlog_rollback /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/log.cc:2402
|
#12 0x55d06afa6ed2 in ha_rollback_trans(THD*, bool) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/handler.cc:2224
|
#13 0x55d06aa84c54 in xa_trans_force_rollback(THD*) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/xa.cc:614
|
#14 0x55d06989fe1f in THD::cleanup() /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_class.cc:1558
|
#15 0x55d0694e01bf in unlink_thd(THD*) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/mysqld.cc:2734
|
#16 0x55d06a445da2 in do_handle_one_connection(CONNECT*, bool) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_connect.cc:1427
|
#17 0x55d06a4491dc in handle_one_connection /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_connect.cc:1318
|
#18 0x15196a094b42 in start_thread nptl/pthread_create.c:442
|
#19 0x15196a1269ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
|
|
|
0x619000432790 is located 272 bytes inside of 1072-byte region [0x619000432680,0x619000432ab0)
|
allocated by thread T14 here:
|
#0 0x55d06948c3f7 in __interceptor_malloc (/test/PATCH3_UBASAN_MD031023-mariadb-10.6.16-linux-x86_64-opt/bin/mariadbd+0x77113f7)
|
#1 0x55d06d74c644 in my_malloc /test/bb-10.6-MDEV-31949_PATCH3_opt_san/mysys/my_malloc.c:91
|
#2 0x55d06d727d9f in reset_root_defaults /test/bb-10.6-MDEV-31949_PATCH3_opt_san/mysys/my_alloc.c:156
|
#3 0x55d06a4dd3a0 in fix_thd_mem_root /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sys_vars.cc:2995
|
#4 0x55d06a4dd3a0 in fix_thd_mem_root /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sys_vars.cc:2992
|
#5 0x55d06956d778 in sys_var::update(THD*, set_var*) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/set_var.cc:213
|
#6 0x55d069570e46 in set_var::update(THD*) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/set_var.cc:863
|
#7 0x55d06957977d in sql_set_variables(THD*, List<set_var_base>*, bool) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/set_var.cc:745
|
#8 0x55d069bb6286 in mysql_execute_command(THD*, bool) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_parse.cc:5065
|
#9 0x55d069bcb1e2 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_parse.cc:8050
|
#10 0x55d069bd7255 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_parse.cc:1896
|
#11 0x55d069be2630 in do_command(THD*, bool) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_parse.cc:1409
|
#12 0x55d06a446bdc in do_handle_one_connection(CONNECT*, bool) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_connect.cc:1416
|
#13 0x55d06a4491dc in handle_one_connection /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_connect.cc:1318
|
#14 0x15196a094b42 in start_thread nptl/pthread_create.c:442
|
|
|
Thread T14 created by T0 here:
|
#0 0x55d069430215 in __interceptor_pthread_create (/test/PATCH3_UBASAN_MD031023-mariadb-10.6.16-linux-x86_64-opt/bin/mariadbd+0x76b5215)
|
#1 0x55d0694e211e in create_thread_to_handle_connection(CONNECT*) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/mysqld.cc:5996
|
#2 0x55d0694f3c4f in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/mysqld.cc:6117
|
#3 0x55d0694f4a97 in handle_connections_sockets() /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/mysqld.cc:6241
|
#4 0x55d0694f7a6d in mysqld_main(int, char**) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/mysqld.cc:5891
|
#5 0x15196a029d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
|
|
SUMMARY: AddressSanitizer: use-after-poison /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/handler.h:954 in xid_t::key_length() const
|
Shadow bytes around the buggy address:
|
0x0c328007e4a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c328007e4b0: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c328007e4c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c328007e4d0: 00 00 00 00 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c328007e4e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
=>0x0c328007e4f0: f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c328007e500: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c328007e510: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c328007e520: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c328007e530: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c328007e540: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==3970054==ABORTING
|
231004 22:12:20 [ERROR] mysqld got signal 6 ;
|
Attachments
Issue Links
- blocks
-
-
- In Review
-
- duplicates
-
-
- Closed
-
- is caused by
-
-
- In Review
-
- relates to
-
-
- Closed
-