[MDEV-32881] Server crash or ASAN errors upon creating Mroonga tables with certain character sets - Jira

XML

Word

Printable

Details

Type: Bug
Status: Open (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.4, 10.5, 10.6, 10.11, 11.0, 11.1, 11.2
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.1, 11.2
Component/s: Storage Engine - Mroonga
Labels:
None

Description

INSTALL SONAME 'ha_mroonga';

CREATE TABLE t (f TEXT, FULLTEXT(f)) ENGINE=Mroonga CHARACTER SET gbk;

# Cleanup

DROP TABLE t;

UNINSTALL SONAME 'ha_mroonga';

10.4 64f44b22d9a3dab3d4c0b77addbcbdafde57b466
==2661561==ERROR: AddressSanitizer: heap-use-after-free on address 0x61700002490c at pc 0x7f3add6fe3e2 bp 0x7f3adf330f30 sp 0x7f3adf330f28
READ of size 4 at 0x61700002490c thread T5
#0 0x7f3add6fe3e1 in _grn_obj_remove /data/bld/10.4-asan/storage/mroonga/vendor/groonga/lib/db.c:9789
#1 0x7f3add6ff59f in grn_obj_remove /data/bld/10.4-asan/storage/mroonga/vendor/groonga/lib/db.c:9879
#2 0x7f3add51aeeb in ha_mroonga::storage_create(char const, TABLE, HA_CREATE_INFO, st_mroonga_share) /data/bld/10.4-asan/storage/mroonga/ha_mroonga.cpp:3604
#3 0x7f3add523ba7 in ha_mroonga::create(char const, TABLE, HA_CREATE_INFO*) /data/bld/10.4-asan/storage/mroonga/ha_mroonga.cpp:4255
#4 0x5563f50fe848 in handler::ha_create(char const, TABLE, HA_CREATE_INFO*) /data/bld/10.4-asan/sql/handler.cc:4853
#5 0x5563f5102f32 in ha_create_table(THD, char const, char const, char const, HA_CREATE_INFO, st_mysql_const_unsigned_lex_string) /data/bld/10.4-asan/sql/handler.cc:5321
#6 0x5563f4b94008 in create_table_impl /data/bld/10.4-asan/sql/sql_table.cc:5214
#7 0x5563f4b94925 in mysql_create_table_no_lock(THD, st_mysql_const_lex_string const, st_mysql_const_lex_string const, Table_specification_st, Alter_info, bool, int, TABLE_LIST*) /data/bld/10.4-asan/sql/sql_table.cc:5298
#8 0x5563f4b959d3 in mysql_create_table(THD, TABLE_LIST, Table_specification_st, Alter_info) /data/bld/10.4-asan/sql/sql_table.cc:5457
#9 0x5563f4bc4841 in Sql_cmd_create_table_like::execute(THD*) /data/bld/10.4-asan/sql/sql_table.cc:11919
#10 0x5563f4943117 in mysql_execute_command(THD*) /data/bld/10.4-asan/sql/sql_parse.cc:6264
#11 0x5563f494ea6a in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/bld/10.4-asan/sql/sql_parse.cc:8060
#12 0x5563f4924ae1 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/bld/10.4-asan/sql/sql_parse.cc:1857
#13 0x5563f4921650 in do_command(THD*) /data/bld/10.4-asan/sql/sql_parse.cc:1378
#14 0x5563f4d27d14 in do_handle_one_connection(CONNECT*) /data/bld/10.4-asan/sql/sql_connect.cc:1419
#15 0x5563f4d2762b in handle_one_connection /data/bld/10.4-asan/sql/sql_connect.cc:1323
#16 0x5563f598c26b in pfs_spawn_thread /data/bld/10.4-asan/storage/perfschema/pfs.cc:1869
#17 0x7f3ae84a8043 in start_thread nptl/pthread_create.c:442
#18 0x7f3ae852861b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x61700002490c is located 12 bytes inside of 760-byte region [0x617000024900,0x617000024bf8)
freed by thread T5 here:
#0 0x7f3ae8ab76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
#1 0x7f3adddc3393 in grn_free_default /data/bld/10.4-asan/storage/mroonga/vendor/groonga/lib/alloc.c:827
#2 0x7f3add93c596 in grn_array_close /data/bld/10.4-asan/storage/mroonga/vendor/groonga/lib/hash.c:621
#3 0x7f3add70de27 in grn_obj_close /data/bld/10.4-asan/storage/mroonga/vendor/groonga/lib/db.c:10827
#4 0x7f3add6fdcad in _grn_obj_remove_array /data/bld/10.4-asan/storage/mroonga/vendor/groonga/lib/db.c:9639
#5 0x7f3add6fed24 in _grn_obj_remove /data/bld/10.4-asan/storage/mroonga/vendor/groonga/lib/db.c:9825
#6 0x7f3add6ff59f in grn_obj_remove /data/bld/10.4-asan/storage/mroonga/vendor/groonga/lib/db.c:9879
#7 0x7f3add51fcda in ha_mroonga::storage_create_index_table(TABLE, char const, _grn_obj, st_mroonga_share, st_key, _grn_obj*, unsigned int) /data/bld/10.4-asan/storage/mroonga/ha_mroonga.cpp:3919
#8 0x7f3add5210bf in ha_mroonga::storage_create_index(TABLE, char const, _grn_obj, st_mroonga_share, st_key, _grn_obj, _grn_obj*, unsigned int) /data/bld/10.4-asan/storage/mroonga/ha_mroonga.cpp:4047
#9 0x7f3add522a1f in ha_mroonga::storage_create_indexes(TABLE, char const, _grn_obj, st_mroonga_share) /data/bld/10.4-asan/storage/mroonga/ha_mroonga.cpp:4157
#10 0x7f3add51ae5c in ha_mroonga::storage_create(char const, TABLE, HA_CREATE_INFO, st_mroonga_share) /data/bld/10.4-asan/storage/mroonga/ha_mroonga.cpp:3601
#11 0x7f3add523ba7 in ha_mroonga::create(char const, TABLE, HA_CREATE_INFO*) /data/bld/10.4-asan/storage/mroonga/ha_mroonga.cpp:4255
#12 0x5563f50fe848 in handler::ha_create(char const, TABLE, HA_CREATE_INFO*) /data/bld/10.4-asan/sql/handler.cc:4853
#13 0x5563f5102f32 in ha_create_table(THD, char const, char const, char const, HA_CREATE_INFO, st_mysql_const_unsigned_lex_string) /data/bld/10.4-asan/sql/handler.cc:5321
#14 0x5563f4b94008 in create_table_impl /data/bld/10.4-asan/sql/sql_table.cc:5214
#15 0x5563f4b94925 in mysql_create_table_no_lock(THD, st_mysql_const_lex_string const, st_mysql_const_lex_string const, Table_specification_st, Alter_info, bool, int, TABLE_LIST*) /data/bld/10.4-asan/sql/sql_table.cc:5298
#16 0x5563f4b959d3 in mysql_create_table(THD, TABLE_LIST, Table_specification_st, Alter_info) /data/bld/10.4-asan/sql/sql_table.cc:5457
#17 0x5563f4bc4841 in Sql_cmd_create_table_like::execute(THD*) /data/bld/10.4-asan/sql/sql_table.cc:11919
#18 0x5563f4943117 in mysql_execute_command(THD*) /data/bld/10.4-asan/sql/sql_parse.cc:6264
#19 0x5563f494ea6a in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/bld/10.4-asan/sql/sql_parse.cc:8060
#20 0x5563f4924ae1 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/bld/10.4-asan/sql/sql_parse.cc:1857
#21 0x5563f4921650 in do_command(THD*) /data/bld/10.4-asan/sql/sql_parse.cc:1378
#22 0x5563f4d27d14 in do_handle_one_connection(CONNECT*) /data/bld/10.4-asan/sql/sql_connect.cc:1419
#23 0x5563f4d2762b in handle_one_connection /data/bld/10.4-asan/sql/sql_connect.cc:1323
#24 0x5563f598c26b in pfs_spawn_thread /data/bld/10.4-asan/storage/perfschema/pfs.cc:1869
#25 0x7f3ae84a8043 in start_thread nptl/pthread_create.c:442

previously allocated by thread T5 here:
#0 0x7f3ae8ab83b7 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
#1 0x7f3adddc2f59 in grn_calloc_default /data/bld/10.4-asan/storage/mroonga/vendor/groonga/lib/alloc.c:803
#2 0x7f3add93b266 in grn_array_create /data/bld/10.4-asan/storage/mroonga/vendor/groonga/lib/hash.c:537
#3 0x7f3add6718cf in grn_table_create_with_max_n_subrecs /data/bld/10.4-asan/storage/mroonga/vendor/groonga/lib/db.c:1221
#4 0x7f3add671ea2 in grn_table_create /data/bld/10.4-asan/storage/mroonga/vendor/groonga/lib/db.c:1249
#5 0x7f3add519d44 in ha_mroonga::storage_create(char const, TABLE, HA_CREATE_INFO, st_mroonga_share) /data/bld/10.4-asan/storage/mroonga/ha_mroonga.cpp:3491
#6 0x7f3add523ba7 in ha_mroonga::create(char const, TABLE, HA_CREATE_INFO*) /data/bld/10.4-asan/storage/mroonga/ha_mroonga.cpp:4255
#7 0x5563f50fe848 in handler::ha_create(char const, TABLE, HA_CREATE_INFO*) /data/bld/10.4-asan/sql/handler.cc:4853
#8 0x5563f5102f32 in ha_create_table(THD, char const, char const, char const, HA_CREATE_INFO, st_mysql_const_unsigned_lex_string) /data/bld/10.4-asan/sql/handler.cc:5321
#9 0x5563f4b94008 in create_table_impl /data/bld/10.4-asan/sql/sql_table.cc:5214
#10 0x5563f4b94925 in mysql_create_table_no_lock(THD, st_mysql_const_lex_string const, st_mysql_const_lex_string const, Table_specification_st, Alter_info, bool, int, TABLE_LIST*) /data/bld/10.4-asan/sql/sql_table.cc:5298
#11 0x5563f4b959d3 in mysql_create_table(THD, TABLE_LIST, Table_specification_st, Alter_info) /data/bld/10.4-asan/sql/sql_table.cc:5457
#12 0x5563f4bc4841 in Sql_cmd_create_table_like::execute(THD*) /data/bld/10.4-asan/sql/sql_table.cc:11919
#13 0x5563f4943117 in mysql_execute_command(THD*) /data/bld/10.4-asan/sql/sql_parse.cc:6264
#14 0x5563f494ea6a in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/bld/10.4-asan/sql/sql_parse.cc:8060
#15 0x5563f4924ae1 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/bld/10.4-asan/sql/sql_parse.cc:1857
#16 0x5563f4921650 in do_command(THD*) /data/bld/10.4-asan/sql/sql_parse.cc:1378
#17 0x5563f4d27d14 in do_handle_one_connection(CONNECT*) /data/bld/10.4-asan/sql/sql_connect.cc:1419
#18 0x5563f4d2762b in handle_one_connection /data/bld/10.4-asan/sql/sql_connect.cc:1323
#19 0x5563f598c26b in pfs_spawn_thread /data/bld/10.4-asan/storage/perfschema/pfs.cc:1869
#20 0x7f3ae84a8043 in start_thread nptl/pthread_create.c:442

Thread T5 created by T0 here:
#0 0x7f3ae8a49726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
#1 0x5563f598c658 in spawn_thread_v1 /data/bld/10.4-asan/storage/perfschema/pfs.cc:1919
#2 0x5563f4628f89 in inline_mysql_thread_create /data/bld/10.4-asan/include/mysql/psi/mysql_thread.h:1275
#3 0x5563f4640714 in create_thread_to_handle_connection(CONNECT*) /data/bld/10.4-asan/sql/mysqld.cc:6296
#4 0x5563f4640e5f in create_new_thread(CONNECT*) /data/bld/10.4-asan/sql/mysqld.cc:6366
#5 0x5563f464132d in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/10.4-asan/sql/mysqld.cc:6464
#6 0x5563f46421d9 in handle_connections_sockets() /data/bld/10.4-asan/sql/mysqld.cc:6622
#7 0x5563f463fe77 in mysqld_main(int, char**) /data/bld/10.4-asan/sql/mysqld.cc:5954
#8 0x5563f46270b8 in main /data/bld/10.4-asan/sql/main.cc:25
#9 0x7f3ae84461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-use-after-free /data/bld/10.4-asan/storage/mroonga/vendor/groonga/lib/db.c:9789 in _grn_obj_remove
Shadow bytes around the buggy address:
0x0c2e7fffc8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fffc8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fffc8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fffc900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
0x0c2e7fffc910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2e7fffc920: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e7fffc930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e7fffc940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e7fffc950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e7fffc960: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e7fffc970: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2661561==ABORTING

Crashes on non-ASAN builds are also occasionally seen.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2023-11-25 18:55

Updated:: 2 hours ago

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.