[MDEV-33235] ASAN & UBSAN errors in my_mb_wc_latin1 / my_convert_fix - Jira

XML

Word

Printable

Details

Type: Bug
Status: Confirmed (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.4(EOL), 10.5, 10.6, 10.11, 11.0(EOL), 11.1(EOL), 11.2(EOL), 11.3(EOL), 11.4, 11.7, 11.8
Fix Version/s: 10.5, 10.6, 10.11, 11.4, 11.7
Component/s: Character Sets, Virtual Columns
Labels:

Description

--source include/have_innodb.inc

CREATE TABLE t (a VARCHAR(256), f VARCHAR(256) AS ('')) ENGINE=InnoDB;

INSERT INTO t (a) VALUES ('foo');

ALTER TABLE t MODIFY f VARCHAR(1024) AS (CONVERT(a USING utf8mb3));

CREATE INDEX idx ON t (f(16));

# Cleanup

DROP TABLE t;

10.4 c9b0c006e0491c9f7a1dae07090db3cdb87da446
==1302833==ERROR: AddressSanitizer: use-after-poison on address 0x6290002a878d at pc 0x55d05836fadb bp 0x7f45d4a72e80 sp 0x7f45d4a72e78
READ of size 1 at 0x6290002a878d thread T27
#0 0x55d05836fada in my_mb_wc_latin1 /data/bld/10.4-asan/strings/ctype-latin1.c:372
#1 0x55d0583ea639 in my_convert_fix /data/bld/10.4-asan/strings/ctype.c:1164
#2 0x55d05697d914 in String_copier::well_formed_copy(charset_info_st const, char, unsigned long, charset_info_st const, char const, unsigned long, unsigned long) /data/bld/10.4-asan/sql/sql_string.cc:1089
#3 0x55d056f96d04 in String::copy(charset_info_st const, charset_info_st const, char const, unsigned long, unsigned long, String_copier) /data/bld/10.4-asan/sql/sql_string.h:959
#4 0x55d056f6dcf6 in String_copier_for_item::copy_with_warn(charset_info_st const, String, charset_info_st const, char const, unsigned int, unsigned int) /data/bld/10.4-asan/sql/item.cc:6542
#5 0x55d0570eefb1 in Item_func_conv_charset::val_str(String*) /data/bld/10.4-asan/sql/item_strfunc.cc:3568
#6 0x55d056f6f342 in Item::save_str_in_field(Field*, bool) /data/bld/10.4-asan/sql/item.cc:6784
#7 0x55d056cb39a5 in Type_handler_string_result::Item_save_in_field(Item, Field, bool) const /data/bld/10.4-asan/sql/sql_type.cc:3825
#8 0x55d056f6fae2 in Item::save_in_field(Field*, bool) /data/bld/10.4-asan/sql/item.cc:6832
#9 0x55d056a8d0a8 in TABLE::update_virtual_field(Field*, bool) /data/bld/10.4-asan/sql/table.cc:8642
#10 0x55d0578e1455 in innobase_get_computed_value(dtuple_t, dict_v_col_t const, dict_index_t const, mem_block_info_t, mem_block_info_t, dict_field_t const, THD, TABLE, unsigned char, dict_table_t const, upd_t const, bool) /data/bld/10.4-asan/storage/innobase/handler/ha_innodb.cc:20882
#11 0x55d057be525a in row_merge_buf_add /data/bld/10.4-asan/storage/innobase/row/row0merge.cc:576
#12 0x55d057bf2cb1 in row_merge_read_clustered_index /data/bld/10.4-asan/storage/innobase/row/row0merge.cc:2317
#13 0x55d057c023d9 in row_merge_build_indexes(trx_t, dict_table_t, dict_table_t, bool, dict_index_t, unsigned long const, unsigned long, TABLE, dtuple_t const, unsigned long const, unsigned long, ib_sequence_t&, bool, ut_stage_alter_t, dict_add_v_col_t const, TABLE, bool) /data/bld/10.4-asan/storage/innobase/row/row0merge.cc:4664
#14 0x55d0579586ea in ha_innobase::inplace_alter_table(TABLE, Alter_inplace_info) /data/bld/10.4-asan/storage/innobase/handler/handler0alter.cc:8752
#15 0x55d0569d897b in handler::ha_inplace_alter_table(TABLE, Alter_inplace_info) /data/bld/10.4-asan/sql/handler.h:4361
#16 0x55d0569b926e in mysql_inplace_alter_table /data/bld/10.4-asan/sql/sql_table.cc:8012
#17 0x55d0569cc2eb in mysql_alter_table(THD, st_mysql_const_lex_string const, st_mysql_const_lex_string const, HA_CREATE_INFO, TABLE_LIST, Recreate_info, Alter_info, unsigned int, st_order, bool) /data/bld/10.4-asan/sql/sql_table.cc:10582
#18 0x55d056746008 in mysql_execute_command(THD*) /data/bld/10.4-asan/sql/sql_parse.cc:4258
#19 0x55d056760c74 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/bld/10.4-asan/sql/sql_parse.cc:8088
#20 0x55d056736893 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/bld/10.4-asan/sql/sql_parse.cc:1857
#21 0x55d056733402 in do_command(THD*) /data/bld/10.4-asan/sql/sql_parse.cc:1378
#22 0x55d056b3a91c in do_handle_one_connection(CONNECT*) /data/bld/10.4-asan/sql/sql_connect.cc:1419
#23 0x55d056b3a233 in handle_one_connection /data/bld/10.4-asan/sql/sql_connect.cc:1323
#24 0x55d0577a0775 in pfs_spawn_thread /data/bld/10.4-asan/storage/perfschema/pfs.cc:1869
#25 0x7f45eaaa8043 in start_thread nptl/pthread_create.c:442
#26 0x7f45eab2861b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x6290002a878d is located 1421 bytes inside of 16512-byte region [0x6290002a8200,0x6290002ac280)
allocated by thread T27 here:
#0 0x7f45eb0b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x55d057a9b389 in mem_heap_create_block_func(mem_block_info_t, unsigned long, char const, unsigned int, unsigned long) /data/bld/10.4-asan/storage/innobase/mem/mem0mem.cc:277
#2 0x55d057880cb2 in mem_heap_create_func /data/bld/10.4-asan/storage/innobase/include/mem0mem.inl:375
#3 0x55d0578dfb50 in innobase_allocate_row_for_vcol(THD, dict_index_t, mem_block_info_t, TABLE, VCOL_STORAGE*) /data/bld/10.4-asan/storage/innobase/handler/ha_innodb.cc:20713
#4 0x55d057be5150 in row_merge_buf_add /data/bld/10.4-asan/storage/innobase/row/row0merge.cc:568
#5 0x55d057bf2cb1 in row_merge_read_clustered_index /data/bld/10.4-asan/storage/innobase/row/row0merge.cc:2317
#6 0x55d057c023d9 in row_merge_build_indexes(trx_t, dict_table_t, dict_table_t, bool, dict_index_t, unsigned long const, unsigned long, TABLE, dtuple_t const, unsigned long const, unsigned long, ib_sequence_t&, bool, ut_stage_alter_t, dict_add_v_col_t const, TABLE, bool) /data/bld/10.4-asan/storage/innobase/row/row0merge.cc:4664
#7 0x55d0579586ea in ha_innobase::inplace_alter_table(TABLE, Alter_inplace_info) /data/bld/10.4-asan/storage/innobase/handler/handler0alter.cc:8752
#8 0x55d0569d897b in handler::ha_inplace_alter_table(TABLE, Alter_inplace_info) /data/bld/10.4-asan/sql/handler.h:4361
#9 0x55d0569b926e in mysql_inplace_alter_table /data/bld/10.4-asan/sql/sql_table.cc:8012
#10 0x55d0569cc2eb in mysql_alter_table(THD, st_mysql_const_lex_string const, st_mysql_const_lex_string const, HA_CREATE_INFO, TABLE_LIST, Recreate_info, Alter_info, unsigned int, st_order, bool) /data/bld/10.4-asan/sql/sql_table.cc:10582
#11 0x55d056746008 in mysql_execute_command(THD*) /data/bld/10.4-asan/sql/sql_parse.cc:4258
#12 0x55d056760c74 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/bld/10.4-asan/sql/sql_parse.cc:8088
#13 0x55d056736893 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/bld/10.4-asan/sql/sql_parse.cc:1857
#14 0x55d056733402 in do_command(THD*) /data/bld/10.4-asan/sql/sql_parse.cc:1378
#15 0x55d056b3a91c in do_handle_one_connection(CONNECT*) /data/bld/10.4-asan/sql/sql_connect.cc:1419
#16 0x55d056b3a233 in handle_one_connection /data/bld/10.4-asan/sql/sql_connect.cc:1323
#17 0x55d0577a0775 in pfs_spawn_thread /data/bld/10.4-asan/storage/perfschema/pfs.cc:1869
#18 0x7f45eaaa8043 in start_thread nptl/pthread_create.c:442

Thread T27 created by T0 here:
#0 0x7f45eb049726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
#1 0x55d0577a0b62 in spawn_thread_v1 /data/bld/10.4-asan/storage/perfschema/pfs.cc:1919
#2 0x55d05643921c in inline_mysql_thread_create /data/bld/10.4-asan/include/mysql/psi/mysql_thread.h:1275
#3 0x55d0564509fb in create_thread_to_handle_connection(CONNECT*) /data/bld/10.4-asan/sql/mysqld.cc:6311
#4 0x55d056451146 in create_new_thread(CONNECT*) /data/bld/10.4-asan/sql/mysqld.cc:6381
#5 0x55d056451614 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/10.4-asan/sql/mysqld.cc:6479
#6 0x55d0564524c0 in handle_connections_sockets() /data/bld/10.4-asan/sql/mysqld.cc:6637
#7 0x55d05645015e in mysqld_main(int, char**) /data/bld/10.4-asan/sql/mysqld.cc:5969
#8 0x55d0564370a8 in main /data/bld/10.4-asan/sql/main.cc:25
#9 0x7f45eaa461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: use-after-poison /data/bld/10.4-asan/strings/ctype-latin1.c:372 in my_mb_wc_latin1
Shadow bytes around the buggy address:
0x0c528004d0a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c528004d0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c528004d0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c528004d0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c528004d0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c528004d0f0: 00[05]f7 f7 00 00 00 00 00 00 00 00 00 00 00 00
0x0c528004d100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c528004d110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c528004d120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c528004d130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c528004d140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1302833==ABORTING

Attachments

Activity

People

Assignee:: Alexander Barkov

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2024-01-13 16:03

Updated:: 2024-12-24 05:50

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.