Details
-
Bug
-
Status: Closed (View Workflow)
-
Critical
-
Resolution: Fixed
-
11.0(EOL), 11.1(EOL), 11.2(EOL), 11.3(EOL), 11.4, 11.5(EOL)
Description
INSTALL PLUGIN Spider SONAME 'ha_spider.so'; |
CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock',DATABASE'',USER'',PASSWORD''); |
CREATE TABLE t (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB; |
INSERT INTO t VALUES (0,1,0),(1,0,0),(2,0,0); |
CREATE TABLE t2 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t"'; |
SELECT * FROM t2 WHERE c=0; |
Leads to:
|
11.5.0 3f9182126c64bcec359bebe9ebad2a0e559b13e2 (Optimized, UBASAN) |
==168604==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0000274ea at pc 0x558ace27bf7a bp 0x152ca02d7c30 sp 0x152ca02d73d8
|
READ of size 1 at 0x60b0000274ea thread T12
|
#0 0x558ace27bf79 in memcpy (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efcf79)
|
#1 0x558ace4fbb8f in Protocol::net_store_data(unsigned char const*, unsigned long) /test/11.5_opt_san/sql/protocol.cc:61
|
#2 0x558ace4fbb8f in Protocol::store_string_aux(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_opt_san/sql/protocol.cc:1491
|
#3 0x558ad01126bc in Protocol::store(char const*, unsigned long, charset_info_st const*) /test/11.5_opt_san/sql/protocol.h:157
|
#4 0x558ad01126bc in Field_longstr::send(Protocol*) /test/11.5_opt_san/sql/field.cc:7379
|
#5 0x558ace4ee351 in Protocol_text::store(Field*) /test/11.5_opt_san/sql/protocol.cc:1643
|
#6 0x558ace4f9271 in Protocol::send_result_set_row(List<Item>*) /test/11.5_opt_san/sql/protocol.cc:1359
|
#7 0x558ace82115d in select_send::send_data(List<Item>&) /test/11.5_opt_san/sql/sql_class.cc:3189
|
#8 0x558acf13d848 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_opt_san/sql/sql_class.h:6090
|
#9 0x558acf13d848 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_opt_san/sql/sql_class.h:6080
|
#10 0x558acf13d848 in Pushdown_query::execute(JOIN*) /test/11.5_opt_san/sql/group_by_handler.cc:100
|
#11 0x558acf0200d5 in do_select /test/11.5_opt_san/sql/sql_select.cc:23000
|
#12 0x558acf0200d5 in JOIN::exec_inner() /test/11.5_opt_san/sql/sql_select.cc:4988
|
#13 0x558acf025f16 in JOIN::exec() /test/11.5_opt_san/sql/sql_select.cc:4774
|
#14 0x558acf013a26 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5304
|
#15 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
|
#16 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
|
#17 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
|
#18 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
|
#19 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
|
#20 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
|
#21 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
|
#22 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
|
#23 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444
|
#24 0x152cc1f1dbcf in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
|
|
|
0x60b0000274ea is located 74 bytes inside of 104-byte region [0x60b0000274a0,0x60b000027508)
|
freed by thread T12 here:
|
#0 0x558ace2f0aa0 in __interceptor_free.part.0 (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7f71aa0)
|
#1 0x152c9ee00010 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.5_opt_san/storage/spider/spd_malloc.cc:183
|
#2 0x152c9ef1fb5f in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:377
|
#3 0x152c9ef1fca4 in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:380
|
#4 0x152c9ec8993a in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:2803
|
#5 0x152c9ec8a5e2 in spider_db_free_one_result_for_start_next(ha_spider*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:2751
|
#6 0x152c9f00ca6c in spider_prepare_init_scan /test/11.5_opt_san/storage/spider/spd_group_by_handler.cc:1028
|
#7 0x152c9f00ca6c in spider_group_by_handler::init_scan() /test/11.5_opt_san/storage/spider/spd_group_by_handler.cc:1288
|
#8 0x558acf13c88f in Pushdown_query::execute(JOIN*) /test/11.5_opt_san/sql/group_by_handler.cc:49
|
#9 0x558acf0200d5 in do_select /test/11.5_opt_san/sql/sql_select.cc:23000
|
#10 0x558acf0200d5 in JOIN::exec_inner() /test/11.5_opt_san/sql/sql_select.cc:4988
|
#11 0x558acf025f16 in JOIN::exec() /test/11.5_opt_san/sql/sql_select.cc:4774
|
#12 0x558acf013a26 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5304
|
#13 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
|
#14 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
|
#15 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
|
#16 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
|
#17 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
|
#18 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
|
#19 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
|
#20 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
|
#21 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444
|
|
|
previously allocated by thread T12 here:
|
#0 0x558ace2f1f4f in malloc (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7f72f4f)
|
#1 0x558ad297a315 in my_malloc /test/11.5_opt_san/mysys/my_malloc.c:93
|
#2 0x152c9ee00434 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.5_opt_san/storage/spider/spd_malloc.cc:231
|
#3 0x152c9ef5db6d in spider_db_mbase_row::clone() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:547
|
#4 0x152c9ec91ec9 in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:3398
|
#5 0x152c9ee6f3fd in ha_spider::index_read_map_internal(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/storage/spider/ha_spider.cc:1515
|
#6 0x558ad0229c50 in handler::index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/sql/handler.cc:7082
|
#7 0x558ad0265657 in handler::ha_index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/sql/handler.cc:3718
|
#8 0x558aceef9137 in join_read_const /test/11.5_opt_san/sql/sql_select.cc:24195
|
#9 0x558aceefa168 in join_read_const_table /test/11.5_opt_san/sql/sql_select.cc:24065
|
#10 0x558acefd8c06 in make_join_statistics /test/11.5_opt_san/sql/sql_select.cc:5968
|
#11 0x558acf00c75c in JOIN::optimize_inner() /test/11.5_opt_san/sql/sql_select.cc:2657
|
#12 0x558acf012e89 in JOIN::optimize() /test/11.5_opt_san/sql/sql_select.cc:1966
|
#13 0x558acf01375a in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5290
|
#14 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
|
#15 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
|
#16 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
|
#17 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
|
#18 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
|
#19 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
|
#20 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
|
#21 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
|
#22 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444
|
|
|
Thread T12 created by T0 here:
|
#0 0x558ace27d5d5 in __interceptor_pthread_create (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efe5d5)
|
#1 0x558ace35159d in create_thread_to_handle_connection(CONNECT*) /test/11.5_opt_san/sql/mysqld.cc:6079
|
#2 0x558ace3648cb in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.5_opt_san/sql/mysqld.cc:6203
|
#3 0x558ace36596f in handle_connections_sockets() /test/11.5_opt_san/sql/mysqld.cc:6316
|
#4 0x558ace368b78 in mysqld_main(int, char**) /test/11.5_opt_san/sql/mysqld.cc:5974
|
#5 0x152cc1e23a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
|
|
SUMMARY: AddressSanitizer: heap-use-after-free (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efcf79) in memcpy
|
Shadow bytes around the buggy address:
|
0x0c167fffce40: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
|
0x0c167fffce50: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
|
0x0c167fffce60: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
|
0x0c167fffce70: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fd fd
|
0x0c167fffce80: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
|
=>0x0c167fffce90: fa fa fa fa fd fd fd fd fd fd fd fd fd[fd]fd fd
|
0x0c167fffcea0: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c167fffceb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c167fffcec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c167fffced0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c167fffcee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
==168604==ABORTING
|
240426 14:06:32 [ERROR] mysqld got signal 6 ;
|
And on debug to (differs: Protocol_text::store_str vs Protocol::store
|
11.5.0 3f9182126c64bcec359bebe9ebad2a0e559b13e2 (Debug, UBASAN) |
==186631==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000034a0a at pc 0x555cd8d82a4a bp 0x14985edddb20 sp 0x14985eddd2c8
|
READ of size 1 at 0x60b000034a0a thread T10
|
#0 0x555cd8d82a49 in memcpy (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e52a49)
|
#1 0x555cd90234a4 in Protocol::net_store_data(unsigned char const*, unsigned long) /test/11.5_dbg_san/sql/protocol.cc:61
|
#2 0x555cd9040999 in Protocol::store_string_aux(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.cc:1491
|
#3 0x555cd9040cf9 in Protocol_text::store_str(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.cc:1527
|
#4 0x555cdae6a970 in Protocol::store(char const*, unsigned long, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.h:157
|
#5 0x555cdae6a970 in Field_longstr::send(Protocol*) /test/11.5_dbg_san/sql/field.cc:7379
|
#6 0x555cd901fda2 in Protocol_text::store(Field*) /test/11.5_dbg_san/sql/protocol.cc:1643
|
#7 0x555cdb06b3d4 in Item_field::send(Protocol*, st_value*) /test/11.5_dbg_san/sql/item.cc:7483
|
#8 0x555cd903d2a0 in Protocol::send_result_set_row(List<Item>*) /test/11.5_dbg_san/sql/protocol.cc:1359
|
#9 0x555cd9382f13 in select_send::send_data(List<Item>&) /test/11.5_dbg_san/sql/sql_class.cc:3189
|
#10 0x555cd9d2ffbd in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_dbg_san/sql/sql_class.h:6090
|
#11 0x555cd9d2ffbd in Pushdown_query::execute(JOIN*) /test/11.5_dbg_san/sql/group_by_handler.cc:100
|
#12 0x555cd9b97052 in do_select /test/11.5_dbg_san/sql/sql_select.cc:23000
|
#13 0x555cd9b97052 in JOIN::exec_inner() /test/11.5_dbg_san/sql/sql_select.cc:4988
|
#14 0x555cd9b9a00c in JOIN::exec() /test/11.5_dbg_san/sql/sql_select.cc:4774
|
#15 0x555cd9b88138 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5304
|
#16 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
|
#17 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
|
#18 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
|
#19 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
|
#20 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
|
#21 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
|
#22 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
|
#23 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
|
#24 0x14988048f189 in start_thread nptl/pthread_create.c:444
|
#25 0x14988051dbcf in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
|
|
|
0x60b000034a0a is located 74 bytes inside of 104-byte region [0x60b0000349c0,0x60b000034a28)
|
freed by thread T10 here:
|
#0 0x555cd8df7570 in __interceptor_free.part.0 (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7ec7570)
|
#1 0x555cdd76632c in my_free /test/11.5_dbg_san/mysys/my_malloc.c:221
|
#2 0x14985d81f6d6 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.5_dbg_san/storage/spider/spd_malloc.cc:183
|
#3 0x14985d98879d in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:377
|
#4 0x14985d98889c in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:380
|
#5 0x14985d6a7288 in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:2803
|
#6 0x14985d6a7fb5 in spider_db_free_one_result_for_start_next(ha_spider*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:2751
|
#7 0x14985da3a87b in spider_prepare_init_scan /test/11.5_dbg_san/storage/spider/spd_group_by_handler.cc:1028
|
#8 0x14985da3a87b in spider_group_by_handler::init_scan() /test/11.5_dbg_san/storage/spider/spd_group_by_handler.cc:1288
|
#9 0x555cd9d2e7f0 in Pushdown_query::execute(JOIN*) /test/11.5_dbg_san/sql/group_by_handler.cc:49
|
#10 0x555cd9b97052 in do_select /test/11.5_dbg_san/sql/sql_select.cc:23000
|
#11 0x555cd9b97052 in JOIN::exec_inner() /test/11.5_dbg_san/sql/sql_select.cc:4988
|
#12 0x555cd9b9a00c in JOIN::exec() /test/11.5_dbg_san/sql/sql_select.cc:4774
|
#13 0x555cd9b88138 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5304
|
#14 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
|
#15 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
|
#16 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
|
#17 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
|
#18 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
|
#19 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
|
#20 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
|
#21 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
|
#22 0x14988048f189 in start_thread nptl/pthread_create.c:444
|
|
|
previously allocated by thread T10 here:
|
#0 0x555cd8df8a1f in __interceptor_malloc (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7ec8a1f)
|
#1 0x555cdd765fac in my_malloc /test/11.5_dbg_san/mysys/my_malloc.c:93
|
#2 0x14985d81fb06 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.5_dbg_san/storage/spider/spd_malloc.cc:231
|
#3 0x14985d993e86 in spider_db_mbase_row::clone() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:547
|
#4 0x14985d6b220a in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:3398
|
#5 0x14985d893aac in ha_spider::index_read_map_internal(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/storage/spider/ha_spider.cc:1515
|
#6 0x14985d895058 in ha_spider::index_read_map(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/storage/spider/ha_spider.cc:1600
|
#7 0x555cdafcf03b in handler::index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/sql/handler.cc:7082
|
#8 0x555cdaffa73d in handler::ha_index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/sql/handler.cc:3718
|
#9 0x555cd9ac53fe in join_read_const /test/11.5_dbg_san/sql/sql_select.cc:24195
|
#10 0x555cd9ac6297 in join_read_const_table /test/11.5_dbg_san/sql/sql_select.cc:24065
|
#11 0x555cd9b47382 in make_join_statistics /test/11.5_dbg_san/sql/sql_select.cc:5968
|
#12 0x555cd9b8559f in JOIN::optimize_inner() /test/11.5_dbg_san/sql/sql_select.cc:2657
|
#13 0x555cd9b876a7 in JOIN::optimize() /test/11.5_dbg_san/sql/sql_select.cc:1966
|
#14 0x555cd9b87e42 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5290
|
#15 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
|
#16 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
|
#17 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
|
#18 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
|
#19 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
|
#20 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
|
#21 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
|
#22 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
|
#23 0x14988048f189 in start_thread nptl/pthread_create.c:444
|
|
|
Thread T10 created by T0 here:
|
#0 0x555cd8d840a5 in pthread_create (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e540a5)
|
#1 0x555cd8e566f9 in create_thread_to_handle_connection(CONNECT*) /test/11.5_dbg_san/sql/mysqld.cc:6079
|
#2 0x555cd8e682cd in create_new_thread(CONNECT*) /test/11.5_dbg_san/sql/mysqld.cc:6141
|
#3 0x555cd8e68ad9 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.5_dbg_san/sql/mysqld.cc:6203
|
#4 0x555cd8e69d56 in handle_connections_sockets() /test/11.5_dbg_san/sql/mysqld.cc:6316
|
#5 0x555cd8e6e73e in mysqld_main(int, char**) /test/11.5_dbg_san/sql/mysqld.cc:5974
|
#6 0x555cd8e43cbc in main /test/11.5_dbg_san/sql/main.cc:34
|
#7 0x149880423a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
|
|
SUMMARY: AddressSanitizer: heap-use-after-free (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e52a49) in memcpy
|
Shadow bytes around the buggy address:
|
0x0c167fffe8f0: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
|
0x0c167fffe900: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
|
0x0c167fffe910: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
|
0x0c167fffe920: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c167fffe930: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
|
=>0x0c167fffe940: fd[fd]fd fd fd fa fa fa fa fa fa fa fa fa fa fa
|
0x0c167fffe950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c167fffe960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c167fffe970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c167fffe980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c167fffe990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
==186631==ABORTING
|
240426 14:06:32 [ERROR] mysqld got signal 6 ;
|
Setup:
Compiled with a recent version of GCC (I use GCC 12.3.0) and:
|
-DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON
|
Set before execution:
|
export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1
|
Bug confirmed present in:
MariaDB: 11.1.5 (dbg), 11.1.5 (opt), 11.2.4 (dbg), 11.2.4 (opt), 11.3.3 (dbg), 11.3.3 (opt), 11.4.2 (dbg), 11.4.2 (opt), 11.5.0 (dbg), 11.5.0 (opt)
Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.5.25 (dbg), 10.5.25 (opt), 10.6.18 (dbg), 10.6.18 (opt), 10.11.8 (dbg), 10.11.8 (opt)
Attachments
Issue Links
- duplicates
-
MDEV-33742 do not create spider group by handler when all tables are constant
-
- Closed
-
- relates to
-
-
- Closed
-
-
-
- Closed
-
Activity
All UniqeID's/stacks seen across versions (11.1-11.5):
ASAN|heap-use-after-free|sql/protocol.cc|__interceptor_memcpy|Protocol::net_store_data|Protocol::store_string_aux|Protocol::store
|
ASAN|heap-use-after-free|sql/protocol.cc|__interceptor_memcpy|Protocol::net_store_data|Protocol::store_string_aux|Protocol_text::store_str
|
ASAN|heap-use-after-free|sql/protocol.cc|memcpy|Protocol::net_store_data|Protocol::store_string_aux|Protocol::store
|
ASAN|heap-use-after-free|sql/protocol.cc|memcpy|Protocol::net_store_data|Protocol::store_string_aux|Protocol_text::store_str
|
Oddly, the issue does not reproduce at the CLI in 11.3.3 opt specifically/only, but does in MTR for the same version.
looks like an 11.0-regression. passed on 10.11 22a69c782710b2bb53917603f5ecc8f6e0d0819a and failed on 11.0 e3ac7b803357cd0c798933419df99ce3081c0d81
it's actually a bit more complicated than that. there's another commit af4df93cf855228f094f2a19f7dd0bdc005035cf that is an ancestor of 10.11 where the bug exists
A "reverse bisect" shows that the following commit that has not yet propagated to 11.0 fixes the main test case
f9e0ebeca49 * upstream/bb-10.4-mdev-33742 MDEV-33742 Do not create group by handler when all tables are constant
|
It is not clear why, though, beyond the fact that the table is indeed const with the conditioning of the key c = 1. I tried a few adjacent testcases and they all pass. I think we can close this ticket as a duplicate of MDEV-33742.
Nevertheless, I pushed a commit to 10.4 that simply adds the testcase in this ticket to improve coverage. No reviews needed because it just adds a testcase.
3f2a5b28c6c upstream/bb-10.4-mdev-34003 MDEV-34003 Add testcase spider/bugfix.mdev_34003
|
This MTR testcase causes a core to be generated on UB+ASAN builds, AND it reproduces both issues mentioned above on opt/dbg in the error log.
--source include/have_innodb.inc--let $SOCKET= `SELECT @@global.socket`--error 12720The core generated shows the crash to happen in ASAN based upon the crash in mariadbd:
11.5.0 3f9182126c64bcec359bebe9ebad2a0e559b13e2 (Optimized, UBASAN)
#10 0x000055aa00070702 in __sanitizer::Abort() ()#11 0x000055aa0007d681 in __sanitizer::Die() ()#12 0x000055aa0005acbe in __asan::ScopedInErrorReport::~ScopedInErrorReport() ()#13 0x000055aa0005a1b6 in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) ()#14 0x000055a9fffdaf99 in memcpy ()#15 0x000055aa0025ab90 in Protocol::net_store_data (length=1, from=0x60b0000190aa "1", this=0x62b00017a7a0)at /test/11.5_opt_san/sql/protocol.cc:61#16 Protocol::store_string_aux (this=0x62b00017a7a0, from=0x60b0000190aa "1", length=1, fromcs=<optimized out>,tocs=<optimized out>) at /test/11.5_opt_san/sql/protocol.cc:1491#17 0x000055aa01e716bd in Protocol::store (cs=0x55aa0d5d33c0 <my_charset_bin>, length=1, from=0x60b0000190aa "1",this=0x62b00017a7a0) at /test/11.5_opt_san/sql/protocol.h:157#18 Field_longstr::send (this=<optimized out>, protocol=0x62b00017a7a0) at /test/11.5_opt_san/sql/field.cc:7379#19 0x000055aa0024d352 in Protocol_text::store (this=0x62b00017a7a0, field=0x61900030d6a0)at /test/11.5_opt_san/sql/protocol.cc:1643The ASAN crash itself can perhaps be ignored.