MariaDB Server / MDEV-32679

[Draft] ASAN errors in Binary_string::copy / cmp_item_sort_string::store_value


Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: 10.4 (EOL), 10.5
    • Fix Version/s: N/A
    • Component/s: Server
    • Labels: None

    Description

      Reproducible on 10.4 and 10.5 (only?), needs cleaning.
      Can be a duplicate of some other similar reports, e.g. MDEV-32424, MDEV-26822, ...

      r10.test

      10.4 9e321a44

      ==3006714==ERROR: AddressSanitizer: unknown-crash on address 0x6240001f2f04 at pc 0x7fa404447cf9 bp 0x7fa3e22987e0 sp 0x7fa3e2297f90
      READ of size 48830 at 0x6240001f2f04 thread T30
          #0 0x7fa404447cf8 in __interceptor_memmove ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:810
          #1 0x556c87480fda in Binary_string::copy(Binary_string const&) /data/src/10.4/sql/sql_string.cc:252
          #2 0x556c8715847f in String::copy(String const&) /data/src/10.4/sql/sql_string.h:926
          #3 0x556c87b00d35 in cmp_item_sort_string::store_value(Item*) /data/src/10.4/sql/item_cmpfunc.h:1584
          #4 0x556c87b027c5 in Predicant_to_list_comparator::cmp_arg(Item_args*, unsigned int) /data/src/10.4/sql/item_cmpfunc.h:1925
          #5 0x556c87b04131 in Predicant_to_list_comparator::cmp(Item_args*, unsigned int*, bool*) (/mnt8t/bld/10.4-asan/bin/mysqld+0x1be3131)
          #6 0x556c87ad4518 in Item_func_case_simple::find_item() /data/src/10.4/sql/item_cmpfunc.cc:3026
          #7 0x556c87ad4c87 in Item_func_case::int_op() /data/src/10.4/sql/item_cmpfunc.cc:3064
          #8 0x556c87b4bf11 in Item_func_hybrid_field_type::val_decimal_from_int_op(my_decimal*) /data/src/10.4/sql/item_func.cc:837
          #9 0x556c877bf758 in Type_handler_int_result::Item_func_hybrid_field_type_val_decimal(Item_func_hybrid_field_type*, my_decimal*) const /data/src/10.4/sql/sql_type.cc:4970
          #10 0x556c87214c08 in Item_func_hybrid_field_type::val_decimal(my_decimal*) /data/src/10.4/sql/item_func.h:811
          #11 0x556c877a2ecf in VDec::VDec(Item*) /data/src/10.4/sql/sql_type.cc:195
          #12 0x556c87abb51a in Arg_comparator::compare_decimal() /data/src/10.4/sql/item_cmpfunc.cc:874
          #13 0x556c87afd98b in Arg_comparator::compare() /data/src/10.4/sql/item_cmpfunc.h:104
          #14 0x556c87ac6781 in Item_func_eq::val_int() /data/src/10.4/sql/item_cmpfunc.cc:1790
          #15 0x556c87b4ae41 in Item_int_func::val_real() /data/src/10.4/sql/item_func.cc:756
          #16 0x556c87c6e898 in Item_sum_variance::add() /data/src/10.4/sql/item_sum.cc:2271
          #17 0x556c87c8965b in Aggregator_simple::add() /data/src/10.4/sql/item_sum.h:723
          #18 0x556c873dff1d in Item_sum::aggregator_add() /data/src/10.4/sql/item_sum.h:565
          #19 0x556c873dfbab in Item_sum::reset_and_add() /data/src/10.4/sql/item_sum.h:450
          #20 0x556c873bd06e in init_sum_functions /data/src/10.4/sql/sql_select.cc:26156
          #21 0x556c873a12b9 in end_send_group(JOIN*, st_join_table*, bool) /data/src/10.4/sql/sql_select.cc:22347
          #22 0x556c87397555 in evaluate_join_record /data/src/10.4/sql/sql_select.cc:21149
          #23 0x556c873964aa in sub_select(JOIN*, st_join_table*, bool) /data/src/10.4/sql/sql_select.cc:20961
          #24 0x556c87393c95 in do_select /data/src/10.4/sql/sql_select.cc:20443
          #25 0x556c87322b10 in JOIN::exec_inner() /data/src/10.4/sql/sql_select.cc:4625
          #26 0x556c8732011b in JOIN::exec() /data/src/10.4/sql/sql_select.cc:4407
          #27 0x556c873241a9 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4846
          #28 0x556c872f4a8c in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:442
          #29 0x556c87263f30 in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6475
          #30 0x556c87251445 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3978
          #31 0x556c8726d1e4 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8013
          #32 0x556c8724340f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
          #33 0x556c8723ff7e in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378
          #34 0x556c879324f8 in threadpool_process_request /data/src/10.4/sql/threadpool_common.cc:376
          #35 0x556c87931a53 in tp_callback(TP_connection*) /data/src/10.4/sql/threadpool_common.cc:197
          #36 0x556c87f576e7 in worker_main /data/src/10.4/sql/threadpool_generic.cc:1610
          #37 0x7fa403ea8043 in start_thread nptl/pthread_create.c:442
          #38 0x7fa403f2861b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
       
      0x6240001f3ce8 is located 0 bytes to the right of 7144-byte region [0x6240001f2100,0x6240001f3ce8)
      allocated by thread T30 here:
          #0 0x7fa4044b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
          #1 0x556c88dff190 in my_malloc /data/src/10.4/mysys/my_malloc.c:101
          #2 0x556c88ddb937 in alloc_root /data/src/10.4/mysys/my_alloc.c:258
          #3 0x556c8756eb07 in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /data/src/10.4/sql/table.cc:3845
          #4 0x556c870bd55b in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.4/sql/sql_base.cc:2114
          #5 0x556c870c6bb1 in open_and_process_table /data/src/10.4/sql/sql_base.cc:3915
          #6 0x556c870c966d in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.4/sql/sql_base.cc:4397
          #7 0x556c870ce788 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.4/sql/sql_base.cc:5344
          #8 0x556c87028505 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.4/sql/sql_base.h:503
          #9 0x556c872634b0 in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6396
          #10 0x556c87251445 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3978
          #11 0x556c8726d1e4 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8013
          #12 0x556c8724340f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
          #13 0x556c8723ff7e in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378
          #14 0x556c879324f8 in threadpool_process_request /data/src/10.4/sql/threadpool_common.cc:376
          #15 0x556c87931a53 in tp_callback(TP_connection*) /data/src/10.4/sql/threadpool_common.cc:197
          #16 0x556c87f576e7 in worker_main /data/src/10.4/sql/threadpool_generic.cc:1610
          #17 0x7fa403ea8043 in start_thread nptl/pthread_create.c:442
       
      Thread T30 created by T0 here:
          #0 0x7fa404449726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
          #1 0x556c88e5fdd2 in spawn_thread_noop /data/src/10.4/mysys/psi_noop.c:187
          #2 0x556c87f50c4d in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275
          #3 0x556c87f53398 in create_worker /data/src/10.4/sql/threadpool_generic.cc:950
          #4 0x556c87f5396d in wake_or_create_thread /data/src/10.4/sql/threadpool_generic.cc:1030
          #5 0x556c87f54956 in queue_put /data/src/10.4/sql/threadpool_generic.cc:1184
          #6 0x556c87f55c36 in TP_pool_generic::add(TP_connection*) /data/src/10.4/sql/threadpool_generic.cc:1389
          #7 0x556c879328b3 in tp_add_connection /data/src/10.4/sql/threadpool_common.cc:442
          #8 0x556c86f61e01 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6359
          #9 0x556c86f622cf in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6457
          #10 0x556c86f6317b in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6615
          #11 0x556c86f60e19 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5947
          #12 0x556c86f480b8 in main /data/src/10.4/sql/main.cc:25
          #13 0x7fa403e461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
       
      SUMMARY: AddressSanitizer: unknown-crash ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:810 in __interceptor_memmove
      Shadow bytes around the buggy address:
        0x0c4880036590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c48800365a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c48800365b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c48800365c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c48800365d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0c48800365e0:[04]00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c48800365f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c4880036600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c4880036610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c4880036620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c4880036630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==3006714==ABORTING
      

      Also reproducible on earlier 10.4 (not a recent regression).
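Added triage helper for the report above (not part of this issue or of the MariaDB code base): it parses the access line, the heap-region line and the marked shadow row, computes how much of the 48830-byte read lies past the 7144-byte region, and maps the bracketed shadow byte back to the application granule it describes. It assumes the default x86_64 ASan mapping shadow = (addr >> 3) + 0x7fff8000.

```python
import re

# Excerpt of the AddressSanitizer report quoted in this issue (copied from above).
REPORT = """\
==3006714==ERROR: AddressSanitizer: unknown-crash on address 0x6240001f2f04 at pc 0x7fa404447cf9 bp 0x7fa3e22987e0 sp 0x7fa3e2297f90
READ of size 48830 at 0x6240001f2f04 thread T30
0x6240001f3ce8 is located 0 bytes to the right of 7144-byte region [0x6240001f2100,0x6240001f3ce8)
=>0x0c48800365e0:[04]00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

# Default x86_64 ASan shadow mapping: shadow = (addr >> 3) + offset (assumed for this build).
SHADOW_OFFSET = 0x7FFF8000

def parse_access(report):
    """(kind, size, addr) from the 'READ/WRITE of size N at ADDR' line."""
    m = re.search(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", report, re.M)
    return m.group(1), int(m.group(2)), int(m.group(3), 16)

def parse_region(report):
    """[start, end) of the heap region named in the 'is located ...' line."""
    m = re.search(r"region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", report)
    return int(m.group(1), 16), int(m.group(2), 16)

def overrun(report):
    """Bytes of the access that fall inside the region, and bytes that run past its end."""
    _, size, addr = parse_access(report)
    start, end = parse_region(report)
    inside = max(0, min(addr + size, end) - max(addr, start))
    past_end = max(0, addr + size - end)
    return inside, past_end

def marked_granule(report):
    """Decode the '=>' shadow row: application address of the [bracketed] 8-byte
    granule and how many of its bytes are addressable (00 = 8, 01..07 = partial)."""
    m = re.search(r"^=>(0x[0-9a-f]+):(.*)$", report, re.M)
    row = int(m.group(1), 16)
    tokens = re.findall(r"\[?[0-9a-f]{2}\]?", m.group(2))
    idx = next(i for i, t in enumerate(tokens) if t.startswith("["))
    val = int(tokens[idx].strip("[]"), 16)
    app_addr = (row + idx - SHADOW_OFFSET) << 3
    return app_addr, (8 if val == 0 else val if val < 8 else 0)

def access_starts_poisoned(report):
    """True when the faulting address is the first unaddressable byte of its granule."""
    _, _, addr = parse_access(report)
    base, addressable = marked_granule(report)
    return base <= addr < base + 8 and addr - base == addressable

if __name__ == "__main__":
    print(parse_access(REPORT), parse_region(REPORT), overrun(REPORT))
    print(marked_granule(REPORT), access_starts_poisoned(REPORT))
```

For this report the read covers 3556 bytes inside the region and 45274 bytes beyond it, and the shadow byte 04 says only the first four bytes of the granule at 0x6240001f2f00 are addressable, so the faulting address is that granule's first poisoned byte.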

      Attachments

        1. r10.test
          310 kB
          Elena Stepanova


    People

    • Assignee: Unassigned
    • Reporter: Elena Stepanova (elenst)
    • Votes: 0
    • Watchers: 1
