[MDEV-33676] Server crashes when REPAIR TABLE is executed after setting minimum max_session_mem_used value + ASAN heap-use-after-free in prepare_for_repair - Jira

XML

Word

Printable

Details

Type: Bug
Status: Open (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.5, 10.6, 10.11, 11.0, 11.1, 11.2, 11.3, 11.4, 11.5
Fix Version/s: 10.5, 10.6, 10.11, 11.0, 11.1, 11.2, 11.3, 11.4, 11.5
Component/s: None
Labels:
None

Description

SET max_session_mem_used=8192;

CREATE TABLE t (id INT) ENGINE=MyISAM;

REPAIR LOCAL TABLE t USE_FRM;

REPAIR LOCAL TABLE t USE_FRM;

Leads to:

11.5.0 929c2e06aae47f2dabf51b843ac84911de95bc7f (Debug)
Core was generated by `/test/MD290224-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000564d4839ba70 in TDC_element::flush (this=0x8f8f8f8f8f8f8f8f,
thd=thd@entry=0x1497c8000d48, mark_flushed=mark_flushed@entry=true)
at /test/server_dbg/sql/table_cache.cc:1275
[Current thread is 1 (Thread 0x1498180d8700 (LWP 2236029))]
(gdb) bt
#0 0x0000564d4839ba70 in TDC_element::flush (this=0x8f8f8f8f8f8f8f8f, thd=thd@entry=0x1497c8000d48, mark_flushed=mark_flushed@entry=true) at /test/server_dbg/sql/table_cache.cc:1275
#1 0x0000564d482a3ded in prepare_for_repair (thd=thd@entry=0x1497c8000d48, table_list=0x1497c8018eb0, check_opt=check_opt@entry=0x1497c8006500) at /test/server_dbg/sql/sql_admin.cc:235
#2 0x0000564d482a50aa in mysql_admin_table (thd=thd@entry=0x1497c8000d48, tables=tables@entry=0x1497c8018eb0, check_opt=check_opt@entry=0x1497c8006500, operator_name=operator_name@entry=0x564d495ef190 <msg_repair>, lock_type=lock_type@entry=TL_WRITE, org_open_for_modify=org_open_for_modify@entry=true, repair_table_use_frm=true, extra_open_options=32, prepare_func=0x564d482a392c <prepare_for_repair(THD, TABLE_LIST, HA_CHECK_OPT)>, operator_func=(int (handler::)(handler * const, THD , HA_CHECK_OPT )) 0x564d4844b546 <handler::ha_repair(THD, st_ha_check_opt)>, view_operator_func=0x564d4823e544 <view_repair(THD, TABLE_LIST, st_ha_check_opt*)>, is_cmd_replicated=true) at /test/server_dbg/sql/sql_admin.cc:723
#3 0x0000564d482a8217 in Sql_cmd_repair_table::execute (this=<optimized out>, thd=0x1497c8000d48) at /test/server_dbg/sql/sql_admin.cc:1642
#4 0x0000564d4811d43e in mysql_execute_command (thd=thd@entry=0x1497c8000d48, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/server_dbg/sql/sql_parse.cc:5803
#5 0x0000564d48104ef4 in mysql_parse (thd=thd@entry=0x1497c8000d48, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1498180d72b0) at /test/server_dbg/sql/sql_parse.cc:7815
#6 0x0000564d48112d85 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x1497c8000d48, packet=packet@entry=0x1497c800b1c9 "", packet_length=packet_length@entry=28, blocking=blocking@entry=true) at /test/server_dbg/sql/sql_class.h:1604
#7 0x0000564d481156cb in do_command (thd=0x1497c8000d48, blocking=blocking@entry=true) at /test/server_dbg/sql/sql_parse.cc:1406
#8 0x0000564d482931f3 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x564d4ad259d8, put_in_cache=put_in_cache@entry=true) at /test/server_dbg/sql/sql_connect.cc:1437
#9 0x0000564d482937a8 in handle_one_connection (arg=arg@entry=0x564d4ad259d8) at /test/server_dbg/sql/sql_connect.cc:1339
#10 0x0000564d4870b4f2 in pfs_spawn_thread (arg=0x564d4aca5ea8) at /test/server_dbg/storage/perfschema/pfs.cc:2201
#11 0x000014981ac4d609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#12 0x000014981a839133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.5.25 (dbg), 10.6.18 (dbg), 10.11.8 (dbg), 11.0.6 (dbg), 11.1.4 (dbg), 11.2.4 (dbg), 11.3.2 (dbg), 11.4.2 (dbg), 11.5.0 (dbg)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.4.33 (dbg), 10.4.33 (opt), 10.4.34 (opt), 10.5.25 (opt), 10.6.18 (opt), 10.11.8 (opt), 11.0.6 (opt), 11.1.4 (opt), 11.2.4 (opt), 11.3.2 (opt), 11.4.2 (opt), 11.5.0 (opt)

11.4.2 058510a62ff9056223685d2bc544c6bff13d226f (Optimized, UBASAN)
==410246==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a000043a58 at pc 0x55bd5f0feb2d bp 0x1481a14db410 sp 0x1481a14db400
READ of size 8 at 0x61a000043a58 thread T12
#0 0x55bd5f0feb2c in prepare_for_repair /test/server_opt_san/sql/sql_admin.cc:235
#1 0x55bd5f1077eb in mysql_admin_table /test/server_opt_san/sql/sql_admin.cc:723
#2 0x55bd5f1155d2 in Sql_cmd_repair_table::execute(THD*) /test/server_opt_san/sql/sql_admin.cc:1642
#3 0x55bd5e73ca92 in mysql_execute_command(THD*, bool) /test/server_opt_san/sql/sql_parse.cc:5803
#4 0x55bd5e6cb1d0 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/server_opt_san/sql/sql_parse.cc:7815
#5 0x55bd5e720b00 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/server_opt_san/sql/sql_parse.cc:1893
#6 0x55bd5e72c79d in do_command(THD*, bool) /test/server_opt_san/sql/sql_parse.cc:1406
#7 0x55bd5f0911bd in do_handle_one_connection(CONNECT*, bool) /test/server_opt_san/sql/sql_connect.cc:1437
#8 0x55bd5f09382c in handle_one_connection /test/server_opt_san/sql/sql_connect.cc:1339
#9 0x1481c55d1608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
#10 0x1481c4846132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)

Attachments

Activity

People

Assignee:: Oleksandr Byelkin

Reporter:: Ramesh Sivaraman

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2024-03-14 06:45

Updated:: 2024-03-14 06:55

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.