Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
Affects versions: 10.5, 10.6, 10.11, 11.0 (EOL), 11.1 (EOL), 11.2 (EOL), 11.3 (EOL), 11.4
Description
The ASAN heap-use-after-free is reported in both debug and optimized builds; the plain SIGSEGV is seen in optimized builds only. Present in 10.5+ only. Note that every step of the reproducer below is a privileged operation (installing a plugin, creating a server definition, and dropping a table in the `mysql` system schema), so as written it is not reachable by an unprivileged account; the impact for an account that can run those statements is a server crash (denial of service). The ASAN report shows the Spider share being freed on the error path of spider_share_init_link_statuses (spd_table.cc:4964, presumably because mysql.spider_tables no longer exists) while ha_spider::open is in progress, and then read again at ha_spider.cc:315 by a later ha_spider::open — i.e. a stale pointer to the freed share appears to survive the failed initialisation; to be confirmed against the source.
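-- Reproducer. Run against a scratch server only: the final statement crashes mariadbd.
-- Every statement here is privileged (plugin installation, CREATE SERVER, and DROP on
-- a table in the mysql system schema), so this is not reachable by an ordinary account.
INSTALL PLUGIN Spider SONAME 'ha_spider.so';
-- Server definition with empty connection details; no remote is ever contacted.
CREATE SERVER s FOREIGN DATA WRAPPER MYSQL OPTIONS (HOST '', DATABASE '', USER '', PASSWORD '', SOCKET '');
-- Partitioned Spider table; each partition refers to server s through its COMMENT.
CREATE TABLE t (c INT) ENGINE=Spider PARTITION BY KEY(c) (PARTITION p1 COMMENT='SRV "s"', PARTITION p2 COMMENT='SRV "s"');
-- Open only p2 first; the crash traces show the later full SELECT opening p1
-- ("./test/t#P#p1") via ha_partition::change_partitions_to_open.
SELECT * FROM t PARTITION (p2);
-- Remove Spider's system table. The ASAN trace shows the next share initialisation
-- (spider_share_init_link_statuses) taking its error path and freeing the share.
DROP TABLE IF EXISTS mysql.spider_tables;
-- Two SELECTs are needed: the share is freed inside one ha_spider::open (ha_spider.cc:331)
-- and read again by a later ha_spider::open (ha_spider.cc:315) -> heap-use-after-free / SIGSEGV.
SELECT * FROM t;
SELECT * FROM t;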
Leads to:
11.3.2 63fb478f88e0061d149f5cdd3c4d21d4a35c7bd9 (Optimized)
Core was generated by `/test/MD271223-mariadb-11.3.2-linux-x86_64-opt/bin/mariadbd --no-defaults --cor'.
|
Program terminated with signal SIGSEGV, Segmentation fault.
|
#0 0x0000149804191b9c in ha_spider::open (this=0x1497dc1acab0,
|
name=<optimized out>, mode=<optimized out>, test_if_locked=<optimized out>)
|
at /test/11.3_opt/storage/spider/ha_spider.cc:366
|
[Current thread is 1 (Thread 0x149810084640 (LWP 2555469))]
|
(gdb) bt
|
#0 0x0000149804191b9c in ha_spider::open (this=0x1497dc1acab0, name=<optimized out>, mode=<optimized out>, test_if_locked=<optimized out>) at /test/11.3_opt/storage/spider/ha_spider.cc:366
|
#1 0x0000560e7b9c664a in handler::ha_open (this=0x1497dc1acab0, table_arg=<optimized out>, name=name@entry=0x149810081680 "./test/t#P#p1", mode=2, test_if_locked=1042, mem_root=mem_root@entry=0x0, partitions_to_open=0x0) at /test/11.3_opt/sql/handler.cc:3515
|
#2 0x0000560e7bc13389 in ha_partition::open_read_partitions (this=this@entry=0x1497dc0458c0, name_buff=name_buff@entry=0x149810081680 "./test/t#P#p1", name_buff_size=name_buff_size@entry=513) at /test/11.3_opt/sql/ha_partition.cc:8920
|
#3 0x0000560e7bc1345e in ha_partition::change_partitions_to_open (this=0x1497dc0458c0, partition_names=<optimized out>) at /test/11.3_opt/sql/ha_partition.cc:8963
|
#4 0x0000560e7b6c94b0 in set_partitions_as_used (t=<optimized out>, tl=0x1497dc0111a8) at /test/11.3_opt/sql/sql_base.cc:1658
|
#5 open_table (thd=0x1497dc000c68, table_list=0x1497dc0111a8, ot_ctx=0x149810081f70) at /test/11.3_opt/sql/sql_base.cc:2224
|
#6 0x0000560e7b6ccec2 in open_and_process_table (ot_ctx=0x149810081f70, has_prelocking_list=false, prelocking_strategy=0x149810082060, flags=0, counter=0x14981008200c, tables=0x1497dc0111a8, thd=0x1497dc000c68) at /test/11.3_opt/sql/sql_base.cc:4168
|
#7 open_tables (thd=thd@entry=0x1497dc000c68, options=@0x1497dc0064a8: {m_options = DDL_options_st::OPT_NONE}, start=start@entry=0x149810081ff8, counter=counter@entry=0x14981008200c, flags=flags@entry=0, prelocking_strategy=prelocking_strategy@entry=0x149810082060) at /test/11.3_opt/sql/sql_base.cc:4654
|
#8 0x0000560e7b6cd76a in open_and_lock_tables (thd=thd@entry=0x1497dc000c68, options=<optimized out>, tables=<optimized out>, tables@entry=0x1497dc0111a8, derived=derived@entry=true, flags=flags@entry=0, prelocking_strategy=prelocking_strategy@entry=0x149810082060) at /test/11.3_opt/sql/sql_base.cc:5628
|
#9 0x0000560e7b7326b1 in open_and_lock_tables (flags=0, derived=true, tables=0x1497dc0111a8, thd=0x1497dc000c68) at /test/11.3_opt/sql/sql_base.h:528
|
#10 execute_sqlcom_select (thd=0x1497dc000c68, all_tables=0x1497dc0111a8) at /test/11.3_opt/sql/sql_parse.cc:5998
|
#11 0x0000560e7b741837 in mysql_execute_command (thd=0x1497dc000c68, is_called_from_prepared_stmt=<optimized out>) at /test/11.3_opt/sql/sql_parse.cc:3926
|
#12 0x0000560e7b742d76 in mysql_parse (thd=0x1497dc000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/11.3_opt/sql/sql_parse.cc:7798
|
#13 0x0000560e7b74551d in dispatch_command (command=COM_QUERY, thd=0x1497dc000c68, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/11.3_opt/sql/sql_parse.cc:1992
|
#14 0x0000560e7b7472c0 in do_command (thd=0x1497dc000c68, blocking=blocking@entry=true) at /test/11.3_opt/sql/sql_parse.cc:1406
|
#15 0x0000560e7b87230f in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /test/11.3_opt/sql/sql_connect.cc:1417
|
#16 0x0000560e7b87265d in handle_one_connection (arg=arg@entry=0x560e7e35c2c8) at /test/11.3_opt/sql/sql_connect.cc:1319
|
#17 0x0000560e7bc1c141 in pfs_spawn_thread (arg=0x560e7e311268) at /test/11.3_opt/storage/perfschema/pfs.cc:2201
|
#18 0x0000149827c94ac3 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
|
#19 0x0000149827d26850 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
|
11.3.0 126157061b4376496c034a809ea4943e863d1465 (Optimized, UBASAN)
==2703709==ERROR: AddressSanitizer: heap-use-after-free on address 0x621000121cb0 at pc 0x15246aac3536 bp 0x15246b5473c0 sp 0x15246b5473b0
|
READ of size 8 at 0x621000121cb0 thread T12
|
#0 0x15246aac3535 in ha_spider::open(char const*, int, unsigned int) /test/11.3_opt_san/storage/spider/ha_spider.cc:315
|
#1 0x559f8e74a762 in handler::ha_open(TABLE*, char const*, int, unsigned int, st_mem_root*, List<String>*) /test/11.3_opt_san/sql/handler.cc:3511
|
#2 0x559f8fb8ad2e in ha_partition::open_read_partitions(char*, unsigned long) /test/11.3_opt_san/sql/ha_partition.cc:8940
|
#3 0x559f8fb8c8b5 in ha_partition::change_partitions_to_open(List<String>*) /test/11.3_opt_san/sql/ha_partition.cc:8983
|
#4 0x559f8cd295ce in set_partitions_as_used /test/11.3_opt_san/sql/sql_base.cc:1652
|
#5 0x559f8cd295ce in open_table(THD*, TABLE_LIST*, Open_table_context*) /test/11.3_opt_san/sql/sql_base.cc:2218
|
#6 0x559f8cd3f6b9 in open_and_process_table /test/11.3_opt_san/sql/sql_base.cc:4159
|
#7 0x559f8cd3f6b9 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /test/11.3_opt_san/sql/sql_base.cc:4645
|
#8 0x559f8cd43b6c in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /test/11.3_opt_san/sql/sql_base.cc:5619
|
#9 0x559f8d0eae7d in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /test/11.3_opt_san/sql/sql_base.h:528
|
#10 0x559f8d0eae7d in execute_sqlcom_select /test/11.3_opt_san/sql/sql_parse.cc:5944
|
#11 0x559f8d14f7c3 in mysql_execute_command(THD*, bool) /test/11.3_opt_san/sql/sql_parse.cc:3923
|
#12 0x559f8d15e302 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.3_opt_san/sql/sql_parse.cc:7742
|
#13 0x559f8d169925 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.3_opt_san/sql/sql_parse.cc:1893
|
#14 0x559f8d175698 in do_command(THD*, bool) /test/11.3_opt_san/sql/sql_parse.cc:1406
|
#15 0x559f8dab7e0c in do_handle_one_connection(CONNECT*, bool) /test/11.3_opt_san/sql/sql_connect.cc:1418
|
#16 0x559f8daba40c in handle_one_connection /test/11.3_opt_san/sql/sql_connect.cc:1320
|
#17 0x15248d494ac2 in start_thread nptl/pthread_create.c:442
|
#18 0x15248d52684f (/lib/x86_64-linux-gnu/libc.so.6+0x12684f)
|
 |
0x621000121cb0 is located 4016 bytes inside of 4064-byte region [0x621000120d00,0x621000121ce0)
|
freed by thread T12 here:
|
#0 0x559f8c8a43e7 in __interceptor_free (/test/UBASAN_MD021123-mariadb-11.3.0-linux-x86_64-opt/bin/mariadbd+0x7dc63e7)
|
#1 0x15246aa10757 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.3_opt_san/storage/spider/spd_malloc.cc:183
|
#2 0x15246a9c4e01 in spider_free_share(st_spider_share*) /test/11.3_opt_san/storage/spider/spd_table.cc:5639
|
#3 0x15246a9c6121 in spider_share_init_link_statuses(THD*, st_spider_share*, TABLE_SHARE*, int, bool, int*) /test/11.3_opt_san/storage/spider/spd_table.cc:4964
|
#4 0x15246a9ca5fd in spider_init_share(char const*, TABLE*, THD*, ha_spider*, int*, st_spider_share*, TABLE_SHARE*, bool) /test/11.3_opt_san/storage/spider/spd_table.cc:5331
|
#5 0x15246a9ccecb in spider_get_share(char const*, TABLE*, THD*, ha_spider*, int*) /test/11.3_opt_san/storage/spider/spd_table.cc:5512
|
#6 0x15246aac0c51 in ha_spider::open(char const*, int, unsigned int) /test/11.3_opt_san/storage/spider/ha_spider.cc:331
|
#7 0x559f8e74a762 in handler::ha_open(TABLE*, char const*, int, unsigned int, st_mem_root*, List<String>*) /test/11.3_opt_san/sql/handler.cc:3511
|
#8 0x559f8fb8ad2e in ha_partition::open_read_partitions(char*, unsigned long) /test/11.3_opt_san/sql/ha_partition.cc:8940
|
#9 0x559f8fb8c8b5 in ha_partition::change_partitions_to_open(List<String>*) /test/11.3_opt_san/sql/ha_partition.cc:8983
|
#10 0x559f8cd295ce in set_partitions_as_used /test/11.3_opt_san/sql/sql_base.cc:1652
|
#11 0x559f8cd295ce in open_table(THD*, TABLE_LIST*, Open_table_context*) /test/11.3_opt_san/sql/sql_base.cc:2218
|
#12 0x559f8cd3f6b9 in open_and_process_table /test/11.3_opt_san/sql/sql_base.cc:4159
|
#13 0x559f8cd3f6b9 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /test/11.3_opt_san/sql/sql_base.cc:4645
|
#14 0x559f8cd43b6c in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /test/11.3_opt_san/sql/sql_base.cc:5619
|
#15 0x559f8d0eae7d in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /test/11.3_opt_san/sql/sql_base.h:528
|
#16 0x559f8d0eae7d in execute_sqlcom_select /test/11.3_opt_san/sql/sql_parse.cc:5944
|
#17 0x559f8d14f7c3 in mysql_execute_command(THD*, bool) /test/11.3_opt_san/sql/sql_parse.cc:3923
|
#18 0x559f8d15e302 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.3_opt_san/sql/sql_parse.cc:7742
|
#19 0x559f8d169925 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.3_opt_san/sql/sql_parse.cc:1893
|
#20 0x559f8d175698 in do_command(THD*, bool) /test/11.3_opt_san/sql/sql_parse.cc:1406
|
#21 0x559f8dab7e0c in do_handle_one_connection(CONNECT*, bool) /test/11.3_opt_san/sql/sql_connect.cc:1418
|
#22 0x559f8daba40c in handle_one_connection /test/11.3_opt_san/sql/sql_connect.cc:1320
|
#23 0x15248d494ac2 in start_thread nptl/pthread_create.c:442
|
 |
previously allocated by thread T12 here:
|
#0 0x559f8c8a4737 in __interceptor_malloc (/test/UBASAN_MD021123-mariadb-11.3.0-linux-x86_64-opt/bin/mariadbd+0x7dc6737)
|
#1 0x559f90dabc84 in my_malloc /test/11.3_opt_san/mysys/my_malloc.c:93
|
#2 0x15246aa10beb in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.3_opt_san/storage/spider/spd_malloc.cc:231
|
#3 0x15246a99d455 in spider_create_share(char const*, TABLE_SHARE*, partition_info*, unsigned int, int*) /test/11.3_opt_san/storage/spider/spd_table.cc:4660
|
#4 0x15246a9ccc18 in spider_get_share(char const*, TABLE*, THD*, ha_spider*, int*) /test/11.3_opt_san/storage/spider/spd_table.cc:5486
|
#5 0x15246aac0c51 in ha_spider::open(char const*, int, unsigned int) /test/11.3_opt_san/storage/spider/ha_spider.cc:331
|
#6 0x559f8e74a762 in handler::ha_open(TABLE*, char const*, int, unsigned int, st_mem_root*, List<String>*) /test/11.3_opt_san/sql/handler.cc:3511
|
#7 0x559f8fb8ad2e in ha_partition::open_read_partitions(char*, unsigned long) /test/11.3_opt_san/sql/ha_partition.cc:8940
|
#8 0x559f8fb8c8b5 in ha_partition::change_partitions_to_open(List<String>*) /test/11.3_opt_san/sql/ha_partition.cc:8983
|
#9 0x559f8cd295ce in set_partitions_as_used /test/11.3_opt_san/sql/sql_base.cc:1652
|
#10 0x559f8cd295ce in open_table(THD*, TABLE_LIST*, Open_table_context*) /test/11.3_opt_san/sql/sql_base.cc:2218
|
#11 0x559f8cd3f6b9 in open_and_process_table /test/11.3_opt_san/sql/sql_base.cc:4159
|
#12 0x559f8cd3f6b9 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /test/11.3_opt_san/sql/sql_base.cc:4645
|
#13 0x559f8cd43b6c in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /test/11.3_opt_san/sql/sql_base.cc:5619
|
#14 0x559f8d0eae7d in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /test/11.3_opt_san/sql/sql_base.h:528
|
#15 0x559f8d0eae7d in execute_sqlcom_select /test/11.3_opt_san/sql/sql_parse.cc:5944
|
#16 0x559f8d14f7c3 in mysql_execute_command(THD*, bool) /test/11.3_opt_san/sql/sql_parse.cc:3923
|
#17 0x559f8d15e302 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.3_opt_san/sql/sql_parse.cc:7742
|
#18 0x559f8d169925 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.3_opt_san/sql/sql_parse.cc:1893
|
#19 0x559f8d175698 in do_command(THD*, bool) /test/11.3_opt_san/sql/sql_parse.cc:1406
|
#20 0x559f8dab7e0c in do_handle_one_connection(CONNECT*, bool) /test/11.3_opt_san/sql/sql_connect.cc:1418
|
#21 0x559f8daba40c in handle_one_connection /test/11.3_opt_san/sql/sql_connect.cc:1320
|
#22 0x15248d494ac2 in start_thread nptl/pthread_create.c:442
|
 |
Thread T12 created by T0 here:
|
#0 0x559f8c848555 in pthread_create (/test/UBASAN_MD021123-mariadb-11.3.0-linux-x86_64-opt/bin/mariadbd+0x7d6a555)
|
#1 0x559f8c8fd12e in create_thread_to_handle_connection(CONNECT*) /test/11.3_opt_san/sql/mysqld.cc:6152
|
#2 0x559f8c90ffcf in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.3_opt_san/sql/mysqld.cc:6276
|
#3 0x559f8c910f27 in handle_connections_sockets() /test/11.3_opt_san/sql/mysqld.cc:6400
|
#4 0x559f8c913f0d in mysqld_main(int, char**) /test/11.3_opt_san/sql/mysqld.cc:6047
|
#5 0x15248d429d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
 |
SUMMARY: AddressSanitizer: heap-use-after-free /test/11.3_opt_san/storage/spider/ha_spider.cc:315 in ha_spider::open(char const*, int, unsigned int)
|
Shadow bytes around the buggy address:
|
0x0c428001c340: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c428001c350: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c428001c360: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c428001c370: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c428001c380: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
=>0x0c428001c390: fd fd fd fd fd fd[fd]fd fd fd fd fd fa fa fa fa
|
0x0c428001c3a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c428001c3b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c428001c3c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c428001c3d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c428001c3e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==2703709==ABORTING
|
240115 9:34:35 [ERROR] mysqld got signal 6 ;
|
11.3.0 126157061b4376496c034a809ea4943e863d1465 (Debug, UBASAN)
==2724522==ERROR: AddressSanitizer: heap-use-after-free on address 0x621000147630 at pc 0x1469c52d761b bp 0x1469c5cec530 sp 0x1469c5cec520
|
READ of size 8 at 0x621000147630 thread T12
|
#0 0x1469c52d761a in ha_spider::open(char const*, int, unsigned int) /test/11.3_dbg_san/storage/spider/ha_spider.cc:315
|
#1 0x56342542ef65 in handler::ha_open(TABLE*, char const*, int, unsigned int, st_mem_root*, List<String>*) /test/11.3_dbg_san/sql/handler.cc:3511
|
#2 0x5634269a0939 in ha_partition::open_read_partitions(char*, unsigned long) /test/11.3_dbg_san/sql/ha_partition.cc:8940
|
#3 0x5634269a15af in ha_partition::change_partitions_to_open(List<String>*) /test/11.3_dbg_san/sql/ha_partition.cc:8983
|
#4 0x56342376cbb0 in set_partitions_as_used /test/11.3_dbg_san/sql/sql_base.cc:1652
|
#5 0x563423798955 in open_table(THD*, TABLE_LIST*, Open_table_context*) /test/11.3_dbg_san/sql/sql_base.cc:2218
|
#6 0x5634237b0d9c in open_and_process_table /test/11.3_dbg_san/sql/sql_base.cc:4159
|
#7 0x5634237b0d9c in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /test/11.3_dbg_san/sql/sql_base.cc:4645
|
#8 0x5634237b7b64 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /test/11.3_dbg_san/sql/sql_base.cc:5619
|
#9 0x563423b7a976 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /test/11.3_dbg_san/sql/sql_base.h:528
|
#10 0x563423b7a976 in execute_sqlcom_select /test/11.3_dbg_san/sql/sql_parse.cc:5944
|
#11 0x563423be2e61 in mysql_execute_command(THD*, bool) /test/11.3_dbg_san/sql/sql_parse.cc:3923
|
#12 0x563423c0cd9b in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.3_dbg_san/sql/sql_parse.cc:7742
|
#13 0x563423c1cb19 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.3_dbg_san/sql/sql_parse.cc:1893
|
#14 0x563423c2ab9b in do_command(THD*, bool) /test/11.3_dbg_san/sql/sql_parse.cc:1406
|
#15 0x56342462e3ab in do_handle_one_connection(CONNECT*, bool) /test/11.3_dbg_san/sql/sql_connect.cc:1418
|
#16 0x56342462f8c6 in handle_one_connection /test/11.3_dbg_san/sql/sql_connect.cc:1320
|
#17 0x1469e7e94ac2 in start_thread nptl/pthread_create.c:442
|
#18 0x1469e7f2684f (/lib/x86_64-linux-gnu/libc.so.6+0x12684f)
|
 |
0x621000147630 is located 4400 bytes inside of 4448-byte region [0x621000146500,0x621000147660)
|
freed by thread T12 here:
|
#0 0x5634232bd017 in free (/test/UBASAN_MD021123-mariadb-11.3.0-linux-x86_64-dbg/bin/mariadbd+0x7d66017)
|
#1 0x563427b3b5bb in my_free /test/11.3_dbg_san/mysys/my_malloc.c:221
|
#2 0x1469c5227022 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.3_dbg_san/storage/spider/spd_malloc.cc:183
|
#3 0x1469c51d9a7d in spider_free_share(st_spider_share*) /test/11.3_dbg_san/storage/spider/spd_table.cc:5639
|
#4 0x1469c51da7d4 in spider_share_init_error_free(st_spider_share*, bool, bool) /test/11.3_dbg_san/storage/spider/spd_table.cc:4885
|
#5 0x1469c51dab0a in spider_share_init_link_statuses(THD*, st_spider_share*, TABLE_SHARE*, int, bool, int*) /test/11.3_dbg_san/storage/spider/spd_table.cc:4964
|
#6 0x1469c51debc8 in spider_init_share(char const*, TABLE*, THD*, ha_spider*, int*, st_spider_share*, TABLE_SHARE*, bool) /test/11.3_dbg_san/storage/spider/spd_table.cc:5331
|
#7 0x1469c51e0e5b in spider_get_share(char const*, TABLE*, THD*, ha_spider*, int*) /test/11.3_dbg_san/storage/spider/spd_table.cc:5512
|
#8 0x1469c52d7943 in ha_spider::open(char const*, int, unsigned int) /test/11.3_dbg_san/storage/spider/ha_spider.cc:331
|
#9 0x56342542ef65 in handler::ha_open(TABLE*, char const*, int, unsigned int, st_mem_root*, List<String>*) /test/11.3_dbg_san/sql/handler.cc:3511
|
#10 0x5634269a0939 in ha_partition::open_read_partitions(char*, unsigned long) /test/11.3_dbg_san/sql/ha_partition.cc:8940
|
#11 0x5634269a15af in ha_partition::change_partitions_to_open(List<String>*) /test/11.3_dbg_san/sql/ha_partition.cc:8983
|
#12 0x56342376cbb0 in set_partitions_as_used /test/11.3_dbg_san/sql/sql_base.cc:1652
|
#13 0x563423798955 in open_table(THD*, TABLE_LIST*, Open_table_context*) /test/11.3_dbg_san/sql/sql_base.cc:2218
|
#14 0x5634237b0d9c in open_and_process_table /test/11.3_dbg_san/sql/sql_base.cc:4159
|
#15 0x5634237b0d9c in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /test/11.3_dbg_san/sql/sql_base.cc:4645
|
#16 0x5634237b7b64 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /test/11.3_dbg_san/sql/sql_base.cc:5619
|
#17 0x563423b7a976 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /test/11.3_dbg_san/sql/sql_base.h:528
|
#18 0x563423b7a976 in execute_sqlcom_select /test/11.3_dbg_san/sql/sql_parse.cc:5944
|
#19 0x563423be2e61 in mysql_execute_command(THD*, bool) /test/11.3_dbg_san/sql/sql_parse.cc:3923
|
#20 0x563423c0cd9b in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.3_dbg_san/sql/sql_parse.cc:7742
|
#21 0x563423c1cb19 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.3_dbg_san/sql/sql_parse.cc:1893
|
#22 0x563423c2ab9b in do_command(THD*, bool) /test/11.3_dbg_san/sql/sql_parse.cc:1406
|
#23 0x56342462e3ab in do_handle_one_connection(CONNECT*, bool) /test/11.3_dbg_san/sql/sql_connect.cc:1418
|
#24 0x56342462f8c6 in handle_one_connection /test/11.3_dbg_san/sql/sql_connect.cc:1320
|
#25 0x1469e7e94ac2 in start_thread nptl/pthread_create.c:442
|
 |
previously allocated by thread T12 here:
|
#0 0x5634232bd367 in malloc (/test/UBASAN_MD021123-mariadb-11.3.0-linux-x86_64-dbg/bin/mariadbd+0x7d66367)
|
#1 0x563427b3b23b in my_malloc /test/11.3_dbg_san/mysys/my_malloc.c:93
|
#2 0x1469c5227455 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.3_dbg_san/storage/spider/spd_malloc.cc:231
|
#3 0x1469c51b3564 in spider_create_share(char const*, TABLE_SHARE*, partition_info*, unsigned int, int*) /test/11.3_dbg_san/storage/spider/spd_table.cc:4660
|
#4 0x1469c51e0b8f in spider_get_share(char const*, TABLE*, THD*, ha_spider*, int*) /test/11.3_dbg_san/storage/spider/spd_table.cc:5486
|
#5 0x1469c52d7943 in ha_spider::open(char const*, int, unsigned int) /test/11.3_dbg_san/storage/spider/ha_spider.cc:331
|
#6 0x56342542ef65 in handler::ha_open(TABLE*, char const*, int, unsigned int, st_mem_root*, List<String>*) /test/11.3_dbg_san/sql/handler.cc:3511
|
#7 0x5634269a0939 in ha_partition::open_read_partitions(char*, unsigned long) /test/11.3_dbg_san/sql/ha_partition.cc:8940
|
#8 0x5634269a15af in ha_partition::change_partitions_to_open(List<String>*) /test/11.3_dbg_san/sql/ha_partition.cc:8983
|
#9 0x56342376cbb0 in set_partitions_as_used /test/11.3_dbg_san/sql/sql_base.cc:1652
|
#10 0x563423798955 in open_table(THD*, TABLE_LIST*, Open_table_context*) /test/11.3_dbg_san/sql/sql_base.cc:2218
|
#11 0x5634237b0d9c in open_and_process_table /test/11.3_dbg_san/sql/sql_base.cc:4159
|
#12 0x5634237b0d9c in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /test/11.3_dbg_san/sql/sql_base.cc:4645
|
#13 0x5634237b7b64 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /test/11.3_dbg_san/sql/sql_base.cc:5619
|
#14 0x563423b7a976 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /test/11.3_dbg_san/sql/sql_base.h:528
|
#15 0x563423b7a976 in execute_sqlcom_select /test/11.3_dbg_san/sql/sql_parse.cc:5944
|
#16 0x563423be2e61 in mysql_execute_command(THD*, bool) /test/11.3_dbg_san/sql/sql_parse.cc:3923
|
#17 0x563423c0cd9b in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.3_dbg_san/sql/sql_parse.cc:7742
|
#18 0x563423c1cb19 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.3_dbg_san/sql/sql_parse.cc:1893
|
#19 0x563423c2ab9b in do_command(THD*, bool) /test/11.3_dbg_san/sql/sql_parse.cc:1406
|
#20 0x56342462e3ab in do_handle_one_connection(CONNECT*, bool) /test/11.3_dbg_san/sql/sql_connect.cc:1418
|
#21 0x56342462f8c6 in handle_one_connection /test/11.3_dbg_san/sql/sql_connect.cc:1320
|
#22 0x1469e7e94ac2 in start_thread nptl/pthread_create.c:442
|
 |
Thread T12 created by T0 here:
|
#0 0x563423261185 in pthread_create (/test/UBASAN_MD021123-mariadb-11.3.0-linux-x86_64-dbg/bin/mariadbd+0x7d0a185)
|
#1 0x563423315b24 in create_thread_to_handle_connection(CONNECT*) /test/11.3_dbg_san/sql/mysqld.cc:6152
|
#2 0x563423327266 in create_new_thread(CONNECT*) /test/11.3_dbg_san/sql/mysqld.cc:6214
|
#3 0x563423327ae6 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.3_dbg_san/sql/mysqld.cc:6276
|
#4 0x563423328b2d in handle_connections_sockets() /test/11.3_dbg_san/sql/mysqld.cc:6400
|
#5 0x56342332d640 in mysqld_main(int, char**) /test/11.3_dbg_san/sql/mysqld.cc:6047
|
#6 0x563423302f0a in main /test/11.3_dbg_san/sql/main.cc:34
|
#7 0x1469e7e29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
 |
SUMMARY: AddressSanitizer: heap-use-after-free /test/11.3_dbg_san/storage/spider/ha_spider.cc:315 in ha_spider::open(char const*, int, unsigned int)
|
Shadow bytes around the buggy address:
|
0x0c4280020e70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c4280020e80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c4280020e90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c4280020ea0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c4280020eb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
=>0x0c4280020ec0: fd fd fd fd fd fd[fd]fd fd fd fd fd fa fa fa fa
|
0x0c4280020ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c4280020ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c4280020ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c4280020f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c4280020f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==2724522==ABORTING
|
240115 9:34:55 [ERROR] mysqld got signal 6 ;
|
Bug confirmed present in:
MariaDB: 10.5.24, 10.6.17, 10.11.7, 11.0.5, 11.1.4, 11.2.3, 11.3.2, 11.4.0
Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.4.33