Details
-
Bug
-
Status: Closed (View Workflow)
-
Critical
-
Resolution: Fixed
-
10.5, 10.6, 10.11, 11.1(EOL), 11.2(EOL), 11.4, 11.5(EOL), 11.6(EOL)
Description
SET sql_mode='', GLOBAL table_open_cache=10; |
INSTALL PLUGIN Spider SONAME 'ha_spider.so'; |
CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock',DATABASE'',USER'',PASSWORD''); |
CREATE TABLE t1 (c INT) ENGINE=InnoDB; |
CREATE TABLE t2 (c INT) ENGINE=InnoDB; |
CREATE TABLE t3 (c INT) ENGINE=InnoDB; |
CREATE TABLE ta (c INT) ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t"'; |
CREATE TABLE t5 (c INT) ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t"'; |
CREATE TABLE t6 (c INT KEY) ENGINE=InnoDB PARTITION BY RANGE (c) (PARTITION p VALUES LESS THAN (5)); |
CREATE TABLE t7 (a INT) ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t"'; |
CREATE TABLE t8 (c INT) ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t"'; |
SELECT * FROM t8; |
CREATE TEMPORARY TABLE t7 (c INT) ENGINE=InnoDB SELECT * FROM t7; |
CALL foo;
|
CREATE TEMPORARY TABLE t7 (c INT) ENGINE=InnoDB; |
SELECT * FROM t7 JOIN t6 ON tc=t0.c; |
SHOW TABLE STATUS; |
Leads to:
|
11.2.5 a21e49cbcc5f4adb1a1b4970ceead6a85e968063 (Debug) |
Core was generated by `/test/MD190624-mariadb-11.2.5-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
|
Program terminated with signal SIGSEGV, Segmentation fault.
|
#0 spider_db_conn::fin_loop_check (this=0x1497a81e3090)at /test/11.2_dbg/storage/spider/spd_db_include.cc:93
|
[Current thread is 1 (LWP 3090672)]
|
(gdb) bt
|
#0 spider_db_conn::fin_loop_check (this=0x1497a81e3090)at /test/11.2_dbg/storage/spider/spd_db_include.cc:93
|
#1 0x00001497dc0832a7 in spider_db_conn_queue_action (conn=conn@entry=0x1497a81f3798)at /test/11.2_dbg/storage/spider/spd_db_conn.cc:553
|
#2 0x00001497dc0897fa in spider_db_before_query (conn=conn@entry=0x1497a81f3798, need_mon=need_mon@entry=0x1497a81c6200)at /test/11.2_dbg/storage/spider/spd_db_conn.cc:571
|
#3 0x00001497dc089c7a in spider_db_query (conn=conn@entry=0x1497a81f3798, query=query@entry=0x1497f00bcde0 "set @old_lock_wait_timeout=@@session.lock_wait_timeout;set session lock_wait_timeout=1;", length=length@entry=87, quick_mode=quick_mode@entry=-1, need_mon=need_mon@entry=0x1497a81c6200)at /test/11.2_dbg/storage/spider/spd_db_conn.cc:640
|
#4 0x00001497dc0f5e7f in spider_set_lock_wait_timeout (seconds=seconds@entry=1, conn=conn@entry=0x1497a81f3798, need_mon=0x1497a81c6200)at /test/11.2_dbg/storage/spider/spd_db_mysql.cc:13141
|
#5 0x00001497dc112cd3 in spider_mbase_handler::show_table_status (this=0x1497a8260dc0, link_idx=0, sts_mode=1, flag=<optimized out>)at /test/11.2_dbg/storage/spider/spd_db_mysql.cc:13232
|
#6 0x00001497dc08f2c1 in spider_db_show_table_status (spider=spider@entry=0x1497a8312de0, link_idx=link_idx@entry=0, sts_mode=<optimized out>, sts_mode@entry=1, flag=flag@entry=88)at /test/11.2_dbg/storage/spider/spd_db_conn.cc:5170
|
#7 0x00001497dc0b78eb in spider_get_sts (share=share@entry=0x1497a8196a98, link_idx=0, tmp_time=tmp_time@entry=1720386552, spider=spider@entry=0x1497a8312de0, sts_interval=sts_interval@entry=10, sts_mode=sts_mode@entry=1, sts_sync=sts_sync@entry=0, sts_sync_level=1, flag=88) at /test/11.2_dbg/storage/spider/spd_table.cc:6623
|
#8 0x00001497dc0bfc16 in spider_share_get_sts_crd (thd=thd@entry=0x1497a8000d58, spider=spider@entry=0x1497a8312de0, share=share@entry=0x1497a8196a98, table=table@entry=0x1497a80a3a28, init_share=init_share@entry=true, has_lock=has_lock@entry=false, error_num=0x1497f00bd380)at /test/11.2_dbg/storage/spider/spd_table.cc:4854
|
#9 0x00001497dc0c0878 in spider_init_share (table_name=table_name@entry=0x1497a8186e90 "./test/ta", table=table@entry=0x1497a80a3a28, thd=thd@entry=0x1497a8000d58, spider=spider@entry=0x1497a8312de0, error_num=error_num@entry=0x1497f00bd380, share=share@entry=0x1497a8196a98, table_share=0x1497a8186800, new_share=true) at /test/11.2_dbg/storage/spider/spd_table.cc:5013
|
#10 0x00001497dc0c0c1d in spider_get_share (table_name=table_name@entry=0x1497a8186e90 "./test/ta", table=0x1497a80a3a28, thd=thd@entry=0x1497a8000d58, spider=spider@entry=0x1497a8312de0, error_num=error_num@entry=0x1497f00bd380)at /test/11.2_dbg/storage/spider/spd_table.cc:5104
|
#11 0x00001497dc0e6606 in ha_spider::open (this=0x1497a8312de0, name=0x1497a8186e90 "./test/ta", mode=<optimized out>, test_if_locked=<optimized out>)at /test/11.2_dbg/storage/spider/ha_spider.cc:312
|
#12 0x000055fa7a15064f in handler::ha_open (this=0x1497a8312de0, table_arg=table_arg@entry=0x1497a80a3a28, name=0x1497a8186e90 "./test/ta", mode=mode@entry=2, test_if_locked=test_if_locked@entry=18, mem_root=mem_root@entry=0x0, partitions_to_open=0x0)at /test/11.2_dbg/sql/handler.cc:3557
|
#13 0x000055fa79f6d6fa in open_table_from_share (thd=thd@entry=0x1497a8000d58, share=share@entry=0x1497a8186800, alias=alias@entry=0x1497a8281b88, db_stat=db_stat@entry=33, prgflag=prgflag@entry=8, ha_open_flags=18, outparam=0x1497a80a3a28, is_create_table=false, partitions_to_open=0x0)at /test/11.2_dbg/sql/table.cc:4575
|
#14 0x000055fa79dbb2f0 in open_table (thd=thd@entry=0x1497a8000d58, table_list=table_list@entry=0x1497a8281b40, ot_ctx=ot_ctx@entry=0x1497f00bdcf0) at /test/11.2_dbg/sql/sql_base.cc:2247
|
#15 0x000055fa79dbee72 in open_and_process_table (ot_ctx=0x1497f00bdcf0, has_prelocking_list=false, prelocking_strategy=0x1497f00bdd88, flags=1090, counter=0x1497f00bdd84, tables=0x1497a8281b40, thd=0x1497a8000d58)at /test/11.2_dbg/sql/sql_base.cc:4180
|
#16 open_tables (thd=thd@entry=0x1497a8000d58, options=@0x1497f00bf540: {m_options = DDL_options_st::OPT_NONE}, start=start@entry=0x1497f00bdd78, counter=counter@entry=0x1497f00bdd84, flags=1090, prelocking_strategy=prelocking_strategy@entry=0x1497f00bdd88)at /test/11.2_dbg/sql/sql_base.cc:4666
|
#17 0x000055fa79dbff29 in open_tables (prelocking_strategy=0x1497f00bdd88, flags=<optimized out>, counter=0x1497f00bdd84, tables=0x1497f00bdd78, thd=0x1497a8000d58) at /test/11.2_dbg/sql/sql_base.h:271
|
#18 open_normal_and_derived_tables (thd=thd@entry=0x1497a8000d58, tables=<optimized out>, tables@entry=0x1497a8281b40, flags=<optimized out>, dt_phases=dt_phases@entry=3)at /test/11.2_dbg/sql/sql_base.cc:5704
|
#19 0x000055fa79dc001c in open_tables_only_view_structure (thd=thd@entry=0x1497a8000d58, table_list=table_list@entry=0x1497a8281b40, can_deadlock=can_deadlock@entry=false)at /test/11.2_dbg/sql/sql_base.cc:5755
|
#20 0x000055fa79edc014 in fill_schema_table_by_open (thd=thd@entry=0x1497a8000d58, mem_root=mem_root@entry=0x1497f00bfdd0, is_show_fields_or_keys=is_show_fields_or_keys@entry=false, table=table@entry=0x1497a806f2a0, schema_table=schema_table@entry=0x55fa7b5612a0 <schema_tables+2432>, orig_db_name=orig_db_name@entry=0x1497a80174e8, orig_table_name=0x1497a80175b0, open_tables_state_backup=0x1497f00bfe10, can_deadlock=false) at /test/11.2_dbg/sql/sql_show.cc:4747
|
#21 0x000055fa79eff045 in get_all_tables (thd=0x1497a8000d58, tables=<optimized out>, cond=<optimized out>)at /test/11.2_dbg/sql/sql_show.cc:5501
|
#22 0x000055fa79f00506 in get_schema_tables_result (join=join@entry=0x1497a8016b88, executed_place=executed_place@entry=PROCESSED_BY_JOIN_EXEC)at /test/11.2_dbg/sql/sql_show.cc:9328
|
#23 0x000055fa79ed50f2 in JOIN::exec_inner (this=this@entry=0x1497a8016b88)at /test/11.2_dbg/sql/sql_select.cc:4975
|
#24 0x000055fa79ed5c5e in JOIN::exec (this=this@entry=0x1497a8016b88)at /test/11.2_dbg/sql/sql_select.cc:4795
|
#25 0x000055fa79ed39cd in mysql_select (thd=thd@entry=0x1497a8000d58, tables=0x1497a8015650, fields=@0x1497a8005d88: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1497a8013cd0, last = 0x1497a8015610, elements = 20}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2701396736, result=0x1497a8016b60, unit=0x1497a8005298, select_lex=0x1497a8005ad0) at /test/11.2_dbg/sql/sql_select.cc:5333
|
#26 0x000055fa79ed41f6 in handle_select (thd=thd@entry=0x1497a8000d58, lex=lex@entry=0x1497a80051b8, result=result@entry=0x1497a8016b60, setup_tables_done_option=setup_tables_done_option@entry=0)at /test/11.2_dbg/sql/sql_select.cc:628
|
#27 0x000055fa79e331e8 in execute_sqlcom_select (thd=thd@entry=0x1497a8000d58, all_tables=0x1497a8015650) at /test/11.2_dbg/sql/sql_parse.cc:6161
|
#28 0x000055fa79e3e7fe in mysql_execute_command (thd=thd@entry=0x1497a8000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false)at /test/11.2_dbg/sql/sql_parse.cc:3984
|
#29 0x000055fa79e45010 in mysql_parse (thd=thd@entry=0x1497a8000d58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1497f00c22e0)at /test/11.2_dbg/sql/sql_parse.cc:7920
|
#30 0x000055fa79e473d3 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x1497a8000d58, packet=packet@entry=0x1497a800b2f9 "SHOW TABLE STATUS", packet_length=packet_length@entry=17, blocking=blocking@entry=true)at /test/11.2_dbg/sql/sql_class.h:247
|
#31 0x000055fa79e4976c in do_command (thd=0x1497a8000d58, blocking=blocking@entry=true) at /test/11.2_dbg/sql/sql_parse.cc:1407
|
#32 0x000055fa79fb0c49 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55fa7dabb848, put_in_cache=put_in_cache@entry=true)at /test/11.2_dbg/sql/sql_connect.cc:1439
|
#33 0x000055fa79fb0f3e in handle_one_connection (arg=arg@entry=0x55fa7dabb848)at /test/11.2_dbg/sql/sql_connect.cc:1341
|
#34 0x000055fa7a40352c in pfs_spawn_thread (arg=0x55fa7da1e528)at /test/11.2_dbg/storage/perfschema/pfs.cc:2201
|
#35 0x00001497f3e97ada in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:444
|
#36 0x00001497f3f2847c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
If we change the table name 'ta' to 't4' in the testcase, the bug does not reproduce, suggesting a memory corruption issue.
This is confirmed by ASAN heap-use-after-free, including in optimized builds:
|
11.5.0 e4afa610539ae01164485554e2de839bea9de816 (Optimized, UBASAN) |
==3229201==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000038768 at pc 0x1516393014c5 bp 0x15163a6d3500 sp 0x15163a6d34f0
|
WRITE of size 4 at 0x612000038768 thread T13
|
#0 0x1516393014c4 in spider_db_mbase::fin_loop_check() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:3368
|
#1 0x15163905b785 in spider_db_conn_queue_action(st_spider_conn*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:561
|
#2 0x15163908be25 in spider_db_before_query(st_spider_conn*, int*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:579
|
#3 0x15163908cbfa in spider_db_query(st_spider_conn*, char const*, unsigned int, int, int*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:648
|
#4 0x1516393292b8 in spider_set_lock_wait_timeout /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:13094
|
#5 0x1516393ca527 in spider_mbase_handler::show_table_status(int, int, unsigned int) /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:13185
|
#6 0x151639182013 in spider_get_sts(st_spider_share*, int, long, ha_spider*, double, int, int, int, unsigned int) /test/11.5_opt_san/storage/spider/spd_table.cc:7147
|
#7 0x1516391a5e86 in spider_share_get_sts_crd(THD*, ha_spider*, st_spider_share*, TABLE*, bool, bool, int*) /test/11.5_opt_san/storage/spider/spd_table.cc:5384
|
#8 0x1516391aa7cb in spider_init_share(char const*, TABLE*, THD*, ha_spider*, int*, st_spider_share*, TABLE_SHARE*, bool) /test/11.5_opt_san/storage/spider/spd_table.cc:5543
|
#9 0x1516391abc1b in spider_get_share(char const*, TABLE*, THD*, ha_spider*, int*) /test/11.5_opt_san/storage/spider/spd_table.cc:5634
|
#10 0x1516392a00cc in ha_spider::open(char const*, int, unsigned int) /test/11.5_opt_san/storage/spider/ha_spider.cc:312
|
#11 0x5576bc1c8d28 in handler::ha_open(TABLE*, char const*, int, unsigned int, st_mem_root*, List<String>*) /test/11.5_opt_san/sql/handler.cc:3513
|
#12 0x5576bb378d07 in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /test/11.5_opt_san/sql/table.cc:4582
|
#13 0x5576ba72a97b in open_table(THD*, TABLE_LIST*, Open_table_context*) /test/11.5_opt_san/sql/sql_base.cc:2232
|
#14 0x5576ba741a59 in open_and_process_table /test/11.5_opt_san/sql/sql_base.cc:4165
|
#15 0x5576ba741a59 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /test/11.5_opt_san/sql/sql_base.cc:4651
|
#16 0x5576ba746d74 in open_tables /test/11.5_opt_san/sql/sql_base.h:271
|
#17 0x5576ba746d74 in open_normal_and_derived_tables(THD*, TABLE_LIST*, unsigned int, unsigned int) /test/11.5_opt_san/sql/sql_base.cc:5690
|
#18 0x5576ba747554 in open_tables_only_view_structure(THD*, TABLE_LIST*, bool) /test/11.5_opt_san/sql/sql_base.cc:5741
|
#19 0x5576bafdf0f2 in fill_schema_table_by_open /test/11.5_opt_san/sql/sql_show.cc:4772
|
#20 0x5576bb0953d2 in get_all_tables(THD*, TABLE_LIST*, Item*) /test/11.5_opt_san/sql/sql_show.cc:5549
|
#21 0x5576bb0a3c58 in get_schema_tables_result(JOIN*, enum_schema_table_state) /test/11.5_opt_san/sql/sql_show.cc:9397
|
#22 0x5576baf9cdfc in JOIN::exec_inner() /test/11.5_opt_san/sql/sql_select.cc:4952
|
#23 0x5576bafa3a83 in JOIN::exec() /test/11.5_opt_san/sql/sql_select.cc:4774
|
#24 0x5576baf9115d in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5304
|
#25 0x5576baf94d60 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
|
#26 0x5576bab02b00 in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
|
#27 0x5576bab68149 in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
|
#28 0x5576bab77382 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
|
#29 0x5576bab82853 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
|
#30 0x5576bab8f428 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
|
#31 0x5576bb5076fc in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
|
#32 0x5576bb509cfc in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
|
#33 0x15165de97ad9 in start_thread nptl/pthread_create.c:444
|
#34 0x15165df2847b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
|
|
0x612000038768 is located 40 bytes inside of 296-byte region [0x612000038740,0x612000038868)
|
freed by thread T13 here:
|
#0 0x5576ba28b8c7 in free (/test/UBASAN_MD250524-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7ec68c7)
|
#1 0x1516391f0567 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.5_opt_san/storage/spider/spd_malloc.cc:183
|
#2 0x15163910193a in spider_conn_queue_and_merge_loop_check(st_spider_conn*, st_spider_conn_loop_check*) /test/11.5_opt_san/storage/spider/spd_conn.cc:1188
|
#3 0x151639104e4b in spider_conn_queue_loop_check(st_spider_conn*, ha_spider*, int) /test/11.5_opt_san/storage/spider/spd_conn.cc:1446
|
#4 0x1516391256ba in spider_get_conn(st_spider_share*, int, char*, st_spider_transaction*, ha_spider*, bool, bool, int*) /test/11.5_opt_san/storage/spider/spd_conn.cc:832
|
#5 0x15163914284f in spider_share_get_conns(ha_spider*, st_spider_share*, int*) /test/11.5_opt_san/storage/spider/spd_table.cc:5250
|
#6 0x1516391a9e02 in spider_init_share(char const*, TABLE*, THD*, ha_spider*, int*, st_spider_share*, TABLE_SHARE*, bool) /test/11.5_opt_san/storage/spider/spd_table.cc:5520
|
#7 0x1516391abc1b in spider_get_share(char const*, TABLE*, THD*, ha_spider*, int*) /test/11.5_opt_san/storage/spider/spd_table.cc:5634
|
#8 0x1516392a00cc in ha_spider::open(char const*, int, unsigned int) /test/11.5_opt_san/storage/spider/ha_spider.cc:312
|
#9 0x5576bc1c8d28 in handler::ha_open(TABLE*, char const*, int, unsigned int, st_mem_root*, List<String>*) /test/11.5_opt_san/sql/handler.cc:3513
|
#10 0x5576bb378d07 in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /test/11.5_opt_san/sql/table.cc:4582
|
#11 0x5576ba72a97b in open_table(THD*, TABLE_LIST*, Open_table_context*) /test/11.5_opt_san/sql/sql_base.cc:2232
|
#12 0x5576ba741a59 in open_and_process_table /test/11.5_opt_san/sql/sql_base.cc:4165
|
#13 0x5576ba741a59 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /test/11.5_opt_san/sql/sql_base.cc:4651
|
#14 0x5576ba746d74 in open_tables /test/11.5_opt_san/sql/sql_base.h:271
|
#15 0x5576ba746d74 in open_normal_and_derived_tables(THD*, TABLE_LIST*, unsigned int, unsigned int) /test/11.5_opt_san/sql/sql_base.cc:5690
|
#16 0x5576ba747554 in open_tables_only_view_structure(THD*, TABLE_LIST*, bool) /test/11.5_opt_san/sql/sql_base.cc:5741
|
#17 0x5576bafdf0f2 in fill_schema_table_by_open /test/11.5_opt_san/sql/sql_show.cc:4772
|
#18 0x5576bb0953d2 in get_all_tables(THD*, TABLE_LIST*, Item*) /test/11.5_opt_san/sql/sql_show.cc:5549
|
#19 0x5576bb0a3c58 in get_schema_tables_result(JOIN*, enum_schema_table_state) /test/11.5_opt_san/sql/sql_show.cc:9397
|
#20 0x5576baf9cdfc in JOIN::exec_inner() /test/11.5_opt_san/sql/sql_select.cc:4952
|
#21 0x5576bafa3a83 in JOIN::exec() /test/11.5_opt_san/sql/sql_select.cc:4774
|
#22 0x5576baf9115d in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5304
|
#23 0x5576baf94d60 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
|
#24 0x5576bab02b00 in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
|
#25 0x5576bab68149 in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
|
#26 0x5576bab77382 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
|
#27 0x5576bab82853 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
|
#28 0x5576bab8f428 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
|
#29 0x5576bb5076fc in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
|
#30 0x5576bb509cfc in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
|
#31 0x15165de97ad9 in start_thread nptl/pthread_create.c:444
|
|
|
previously allocated by thread T13 here:
|
#0 0x5576ba28bc17 in __interceptor_malloc (/test/UBASAN_MD250524-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7ec6c17)
|
#1 0x5576be88b234 in my_malloc /test/11.5_opt_san/mysys/my_malloc.c:93
|
#2 0x1516391f09fb in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.5_opt_san/storage/spider/spd_malloc.cc:231
|
#3 0x151639101106 in spider_conn_queue_and_merge_loop_check(st_spider_conn*, st_spider_conn_loop_check*) /test/11.5_opt_san/storage/spider/spd_conn.cc:1141
|
#4 0x151639104e4b in spider_conn_queue_loop_check(st_spider_conn*, ha_spider*, int) /test/11.5_opt_san/storage/spider/spd_conn.cc:1446
|
#5 0x1516391256ba in spider_get_conn(st_spider_share*, int, char*, st_spider_transaction*, ha_spider*, bool, bool, int*) /test/11.5_opt_san/storage/spider/spd_conn.cc:832
|
#6 0x15163914284f in spider_share_get_conns(ha_spider*, st_spider_share*, int*) /test/11.5_opt_san/storage/spider/spd_table.cc:5250
|
#7 0x1516391a9e02 in spider_init_share(char const*, TABLE*, THD*, ha_spider*, int*, st_spider_share*, TABLE_SHARE*, bool) /test/11.5_opt_san/storage/spider/spd_table.cc:5520
|
#8 0x1516391abc1b in spider_get_share(char const*, TABLE*, THD*, ha_spider*, int*) /test/11.5_opt_san/storage/spider/spd_table.cc:5634
|
#9 0x1516392a00cc in ha_spider::open(char const*, int, unsigned int) /test/11.5_opt_san/storage/spider/ha_spider.cc:312
|
#10 0x5576bc1c8d28 in handler::ha_open(TABLE*, char const*, int, unsigned int, st_mem_root*, List<String>*) /test/11.5_opt_san/sql/handler.cc:3513
|
#11 0x5576bb378d07 in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /test/11.5_opt_san/sql/table.cc:4582
|
#12 0x5576ba72a97b in open_table(THD*, TABLE_LIST*, Open_table_context*) /test/11.5_opt_san/sql/sql_base.cc:2232
|
#13 0x5576ba741a59 in open_and_process_table /test/11.5_opt_san/sql/sql_base.cc:4165
|
#14 0x5576ba741a59 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /test/11.5_opt_san/sql/sql_base.cc:4651
|
#15 0x5576ba746d74 in open_tables /test/11.5_opt_san/sql/sql_base.h:271
|
#16 0x5576ba746d74 in open_normal_and_derived_tables(THD*, TABLE_LIST*, unsigned int, unsigned int) /test/11.5_opt_san/sql/sql_base.cc:5690
|
#17 0x5576ba747554 in open_tables_only_view_structure(THD*, TABLE_LIST*, bool) /test/11.5_opt_san/sql/sql_base.cc:5741
|
#18 0x5576bafdf0f2 in fill_schema_table_by_open /test/11.5_opt_san/sql/sql_show.cc:4772
|
#19 0x5576bb0953d2 in get_all_tables(THD*, TABLE_LIST*, Item*) /test/11.5_opt_san/sql/sql_show.cc:5549
|
#20 0x5576bb0a3c58 in get_schema_tables_result(JOIN*, enum_schema_table_state) /test/11.5_opt_san/sql/sql_show.cc:9397
|
#21 0x5576baf9cdfc in JOIN::exec_inner() /test/11.5_opt_san/sql/sql_select.cc:4952
|
#22 0x5576bafa3a83 in JOIN::exec() /test/11.5_opt_san/sql/sql_select.cc:4774
|
#23 0x5576baf9115d in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5304
|
#24 0x5576baf94d60 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
|
#25 0x5576bab02b00 in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
|
#26 0x5576bab68149 in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
|
#27 0x5576bab77382 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
|
#28 0x5576bab82853 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
|
#29 0x5576bab8f428 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
|
#30 0x5576bb5076fc in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
|
#31 0x5576bb509cfc in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
|
|
|
Thread T13 created by T0 here:
|
#0 0x5576ba22fa35 in __interceptor_pthread_create (/test/UBASAN_MD250524-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7e6aa35)
|
#1 0x5576ba2e44de in create_thread_to_handle_connection(CONNECT*) /test/11.5_opt_san/sql/mysqld.cc:6079
|
#2 0x5576ba2f76ff in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.5_opt_san/sql/mysqld.cc:6203
|
#3 0x5576ba2f87e7 in handle_connections_sockets() /test/11.5_opt_san/sql/mysqld.cc:6316
|
#4 0x5576ba2fb8ed in mysqld_main(int, char**) /test/11.5_opt_san/sql/mysqld.cc:5974
|
#5 0x15165de280cf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
|
|
SUMMARY: AddressSanitizer: heap-use-after-free /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:3368 in spider_db_mbase::fin_loop_check()
|
Shadow bytes around the buggy address:
|
0x0c247ffff090: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c247ffff0a0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
|
0x0c247ffff0b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
|
0x0c247ffff0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c247ffff0d0: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
|
=>0x0c247ffff0e0: fa fa fa fa fa fa fa fa fd fd fd fd fd[fd]fd fd
|
0x0c247ffff0f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c247ffff100: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
|
0x0c247ffff110: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
|
0x0c247ffff120: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c247ffff130: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==3229201==ABORTING
|
240708 7:10:28 [ERROR] mysqld got signal 6 ;
|
Attachments
Issue Links
- is duplicated by
-
-
- Closed
-
- relates to
-
-
- Confirmed
-
Activity
Hi holyfoot, ptal thanks
e8579467a23 upstream/bb-10.5-mdev-34541 MDEV-34541 Clean up spider self reference check
|
4265bf2be74 MDEV-34541 Fix ha_spider::update_row() override
|
Now includes the MDEV-34555 testcase
Thanks for the review - pushed 132270d3de73163f0198c72e8352a388c69a1be5 to 10.5
For the record, this testcase:
INSTALL PLUGIN Spider SONAME 'ha_spider.so'; |
CREATE USER Spider@localhost IDENTIFIED BY''; |
CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS(SOCKET '../socket.sock',DATABASE'',user 'Spider',PASSWORD''); |
CREATE TABLE t1(c INT KEY,c1 BLOB,c2 TEXT)ENGINE=InnoDB; |
CREATE TABLE t2(c INT KEY,c1 BLOB,c2 TEXT)ENGINE=InnoDB; |
CREATE TABLE t3(from_id INT UNSIGNED,to_id INT UNSIGNED,weight FLOAT,KEY(from_id,to_id)) ENGINE=Spider; |
CREATE TABLE t4(fid INT KEY,g MULTIPOINT)ENGINE=Spider; |
CREATE TABLE t5(a INT UNSIGNED,b INT UNSIGNED,c CHAR(1),d BINARY (1),e CHAR(1),f BINARY (1),g BLOB,h BLOB,id INT,KEY(b),KEY(e)) ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t"'; |
CREATE TABLE t6(id GEOMETRY,KEY(id (1))) ENGINE=Spider; |
CREATE TABLE t7(c1 CHAR(1)); |
CREATE TABLE t8(c1 DEC,c2 CHAR(1),c3 INT(1),c4 CHAR (1) KEY,c5 DEC UNIQUE KEY,c6 NUMERIC(0,0) DEFAULT 3); |
SET GLOBAL wait_timeout=True; |
CREATE TABLE t9(a INT,b INT,KEY(a)) ENGINE=Spider; |
SET GLOBAL table_open_cache=-1; |
CREATE TABLE t10(f INT)ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t"'; |
SHOW TABLE STATUS; |
SELECT SLEEP(1); |
SHOW TABLE STATUS; |
Produces a slightly different stack, but this stack looks to also be resolved in the patch as tested in 10.5. The outcome in 10.5 is:
|
10.5.26 b8f92ade57691a78cc97c5d79eae0a27a10cb8f2 (Debug) |
10.5.26-dbg>show warnings;
|
+---------+-------+-----------------------------------------------------+
|
| Level | Code | Message |
|
+---------+-------+-----------------------------------------------------+
|
| Warning | 12702 | Remote table 'test.t' is not found |
|
| Warning | 1429 | Unable to connect to foreign data source: localhost |
|
| Warning | 1429 | Unable to connect to foreign data source: localhost |
|
| Warning | 12702 | Remote table 'test.t' is not found |
|
| Warning | 1429 | Unable to connect to foreign data source: localhost |
|
| Warning | 1429 | Unable to connect to foreign data source: localhost |
|
+---------+-------+-----------------------------------------------------+
|
6 rows in set (0.000 sec)
|
MTR Testcase
--source include/have_innodb.inc--source include/have_partition.inc--let $SOCKET= `SELECT @@global.socket`--error 12702--error 12702--error ER_SP_DOES_NOT_EXISTCALL foo;--error ER_BAD_FIELD_ERROR