[MDEV-34541] SIGSEGV in spider_db_conn::fin_loop_check, and ASAN: heap-use-after-free in spider_db_mbase::fin_loop_check on SHOW TABLE STATUS - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.5, 10.6, 10.11, 11.1(EOL), 11.2(EOL), 11.4, 11.5(EOL), 11.6(EOL)
Fix Version/s: 10.5.26, 10.6.19, 10.11.9, 11.1.6, 11.2.5, 11.4.3
Component/s: Storage Engine - Spider
Labels:
- ASAN
- memory_corruption

Description

SET sql_mode='', GLOBAL table_open_cache=10;

INSTALL PLUGIN Spider SONAME 'ha_spider.so';

CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock',DATABASE'',USER'',PASSWORD'');

CREATE TABLE t1 (c INT) ENGINE=InnoDB;

CREATE TABLE t2 (c INT) ENGINE=InnoDB;

CREATE TABLE t3 (c INT) ENGINE=InnoDB;

CREATE TABLE ta (c INT) ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t"';

CREATE TABLE t5 (c INT) ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t"';

CREATE TABLE t6 (c INT KEY) ENGINE=InnoDB PARTITION BY RANGE (c) (PARTITION p VALUES LESS THAN (5));

CREATE TABLE t7 (a INT) ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t"';

CREATE TABLE t8 (c INT) ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t"';

SELECT * FROM t8;

CREATE TEMPORARY TABLE t7 (c INT) ENGINE=InnoDB SELECT * FROM t7;

CALL foo;

CREATE TEMPORARY TABLE t7 (c INT) ENGINE=InnoDB;

SELECT * FROM t7 JOIN t6 ON tc=t0.c;

SHOW TABLE STATUS;

Leads to:

11.2.5 a21e49cbcc5f4adb1a1b4970ceead6a85e968063 (Debug)
Core was generated by `/test/MD190624-mariadb-11.2.5-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 spider_db_conn::fin_loop_check (this=0x1497a81e3090)at /test/11.2_dbg/storage/spider/spd_db_include.cc:93
[Current thread is 1 (LWP 3090672)]
(gdb) bt
#0 spider_db_conn::fin_loop_check (this=0x1497a81e3090)at /test/11.2_dbg/storage/spider/spd_db_include.cc:93
#1 0x00001497dc0832a7 in spider_db_conn_queue_action (conn=conn@entry=0x1497a81f3798)at /test/11.2_dbg/storage/spider/spd_db_conn.cc:553
#2 0x00001497dc0897fa in spider_db_before_query (conn=conn@entry=0x1497a81f3798, need_mon=need_mon@entry=0x1497a81c6200)at /test/11.2_dbg/storage/spider/spd_db_conn.cc:571
#3 0x00001497dc089c7a in spider_db_query (conn=conn@entry=0x1497a81f3798, query=query@entry=0x1497f00bcde0 "set @old_lock_wait_timeout=@@session.lock_wait_timeout;set session lock_wait_timeout=1;", length=length@entry=87, quick_mode=quick_mode@entry=-1, need_mon=need_mon@entry=0x1497a81c6200)at /test/11.2_dbg/storage/spider/spd_db_conn.cc:640
#4 0x00001497dc0f5e7f in spider_set_lock_wait_timeout (seconds=seconds@entry=1, conn=conn@entry=0x1497a81f3798, need_mon=0x1497a81c6200)at /test/11.2_dbg/storage/spider/spd_db_mysql.cc:13141
#5 0x00001497dc112cd3 in spider_mbase_handler::show_table_status (this=0x1497a8260dc0, link_idx=0, sts_mode=1, flag=<optimized out>)at /test/11.2_dbg/storage/spider/spd_db_mysql.cc:13232
#6 0x00001497dc08f2c1 in spider_db_show_table_status (spider=spider@entry=0x1497a8312de0, link_idx=link_idx@entry=0, sts_mode=<optimized out>, sts_mode@entry=1, flag=flag@entry=88)at /test/11.2_dbg/storage/spider/spd_db_conn.cc:5170
#7 0x00001497dc0b78eb in spider_get_sts (share=share@entry=0x1497a8196a98, link_idx=0, tmp_time=tmp_time@entry=1720386552, spider=spider@entry=0x1497a8312de0, sts_interval=sts_interval@entry=10, sts_mode=sts_mode@entry=1, sts_sync=sts_sync@entry=0, sts_sync_level=1, flag=88) at /test/11.2_dbg/storage/spider/spd_table.cc:6623
#8 0x00001497dc0bfc16 in spider_share_get_sts_crd (thd=thd@entry=0x1497a8000d58, spider=spider@entry=0x1497a8312de0, share=share@entry=0x1497a8196a98, table=table@entry=0x1497a80a3a28, init_share=init_share@entry=true, has_lock=has_lock@entry=false, error_num=0x1497f00bd380)at /test/11.2_dbg/storage/spider/spd_table.cc:4854
#9 0x00001497dc0c0878 in spider_init_share (table_name=table_name@entry=0x1497a8186e90 "./test/ta", table=table@entry=0x1497a80a3a28, thd=thd@entry=0x1497a8000d58, spider=spider@entry=0x1497a8312de0, error_num=error_num@entry=0x1497f00bd380, share=share@entry=0x1497a8196a98, table_share=0x1497a8186800, new_share=true) at /test/11.2_dbg/storage/spider/spd_table.cc:5013
#10 0x00001497dc0c0c1d in spider_get_share (table_name=table_name@entry=0x1497a8186e90 "./test/ta", table=0x1497a80a3a28, thd=thd@entry=0x1497a8000d58, spider=spider@entry=0x1497a8312de0, error_num=error_num@entry=0x1497f00bd380)at /test/11.2_dbg/storage/spider/spd_table.cc:5104
#11 0x00001497dc0e6606 in ha_spider::open (this=0x1497a8312de0, name=0x1497a8186e90 "./test/ta", mode=<optimized out>, test_if_locked=<optimized out>)at /test/11.2_dbg/storage/spider/ha_spider.cc:312
#12 0x000055fa7a15064f in handler::ha_open (this=0x1497a8312de0, table_arg=table_arg@entry=0x1497a80a3a28, name=0x1497a8186e90 "./test/ta", mode=mode@entry=2, test_if_locked=test_if_locked@entry=18, mem_root=mem_root@entry=0x0, partitions_to_open=0x0)at /test/11.2_dbg/sql/handler.cc:3557
#13 0x000055fa79f6d6fa in open_table_from_share (thd=thd@entry=0x1497a8000d58, share=share@entry=0x1497a8186800, alias=alias@entry=0x1497a8281b88, db_stat=db_stat@entry=33, prgflag=prgflag@entry=8, ha_open_flags=18, outparam=0x1497a80a3a28, is_create_table=false, partitions_to_open=0x0)at /test/11.2_dbg/sql/table.cc:4575
#14 0x000055fa79dbb2f0 in open_table (thd=thd@entry=0x1497a8000d58, table_list=table_list@entry=0x1497a8281b40, ot_ctx=ot_ctx@entry=0x1497f00bdcf0) at /test/11.2_dbg/sql/sql_base.cc:2247
#15 0x000055fa79dbee72 in open_and_process_table (ot_ctx=0x1497f00bdcf0, has_prelocking_list=false, prelocking_strategy=0x1497f00bdd88, flags=1090, counter=0x1497f00bdd84, tables=0x1497a8281b40, thd=0x1497a8000d58)at /test/11.2_dbg/sql/sql_base.cc:4180
#16 open_tables (thd=thd@entry=0x1497a8000d58, options=@0x1497f00bf540: {m_options = DDL_options_st::OPT_NONE}, start=start@entry=0x1497f00bdd78, counter=counter@entry=0x1497f00bdd84, flags=1090, prelocking_strategy=prelocking_strategy@entry=0x1497f00bdd88)at /test/11.2_dbg/sql/sql_base.cc:4666
#17 0x000055fa79dbff29 in open_tables (prelocking_strategy=0x1497f00bdd88, flags=<optimized out>, counter=0x1497f00bdd84, tables=0x1497f00bdd78, thd=0x1497a8000d58) at /test/11.2_dbg/sql/sql_base.h:271
#18 open_normal_and_derived_tables (thd=thd@entry=0x1497a8000d58, tables=<optimized out>, tables@entry=0x1497a8281b40, flags=<optimized out>, dt_phases=dt_phases@entry=3)at /test/11.2_dbg/sql/sql_base.cc:5704
#19 0x000055fa79dc001c in open_tables_only_view_structure (thd=thd@entry=0x1497a8000d58, table_list=table_list@entry=0x1497a8281b40, can_deadlock=can_deadlock@entry=false)at /test/11.2_dbg/sql/sql_base.cc:5755
#20 0x000055fa79edc014 in fill_schema_table_by_open (thd=thd@entry=0x1497a8000d58, mem_root=mem_root@entry=0x1497f00bfdd0, is_show_fields_or_keys=is_show_fields_or_keys@entry=false, table=table@entry=0x1497a806f2a0, schema_table=schema_table@entry=0x55fa7b5612a0 <schema_tables+2432>, orig_db_name=orig_db_name@entry=0x1497a80174e8, orig_table_name=0x1497a80175b0, open_tables_state_backup=0x1497f00bfe10, can_deadlock=false) at /test/11.2_dbg/sql/sql_show.cc:4747
#21 0x000055fa79eff045 in get_all_tables (thd=0x1497a8000d58, tables=<optimized out>, cond=<optimized out>)at /test/11.2_dbg/sql/sql_show.cc:5501
#22 0x000055fa79f00506 in get_schema_tables_result (join=join@entry=0x1497a8016b88, executed_place=executed_place@entry=PROCESSED_BY_JOIN_EXEC)at /test/11.2_dbg/sql/sql_show.cc:9328
#23 0x000055fa79ed50f2 in JOIN::exec_inner (this=this@entry=0x1497a8016b88)at /test/11.2_dbg/sql/sql_select.cc:4975
#24 0x000055fa79ed5c5e in JOIN::exec (this=this@entry=0x1497a8016b88)at /test/11.2_dbg/sql/sql_select.cc:4795
#25 0x000055fa79ed39cd in mysql_select (thd=thd@entry=0x1497a8000d58, tables=0x1497a8015650, fields=@0x1497a8005d88: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1497a8013cd0, last = 0x1497a8015610, elements = 20}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2701396736, result=0x1497a8016b60, unit=0x1497a8005298, select_lex=0x1497a8005ad0) at /test/11.2_dbg/sql/sql_select.cc:5333
#26 0x000055fa79ed41f6 in handle_select (thd=thd@entry=0x1497a8000d58, lex=lex@entry=0x1497a80051b8, result=result@entry=0x1497a8016b60, setup_tables_done_option=setup_tables_done_option@entry=0)at /test/11.2_dbg/sql/sql_select.cc:628
#27 0x000055fa79e331e8 in execute_sqlcom_select (thd=thd@entry=0x1497a8000d58, all_tables=0x1497a8015650) at /test/11.2_dbg/sql/sql_parse.cc:6161
#28 0x000055fa79e3e7fe in mysql_execute_command (thd=thd@entry=0x1497a8000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false)at /test/11.2_dbg/sql/sql_parse.cc:3984
#29 0x000055fa79e45010 in mysql_parse (thd=thd@entry=0x1497a8000d58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1497f00c22e0)at /test/11.2_dbg/sql/sql_parse.cc:7920
#30 0x000055fa79e473d3 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x1497a8000d58, packet=packet@entry=0x1497a800b2f9 "SHOW TABLE STATUS", packet_length=packet_length@entry=17, blocking=blocking@entry=true)at /test/11.2_dbg/sql/sql_class.h:247
#31 0x000055fa79e4976c in do_command (thd=0x1497a8000d58, blocking=blocking@entry=true) at /test/11.2_dbg/sql/sql_parse.cc:1407
#32 0x000055fa79fb0c49 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55fa7dabb848, put_in_cache=put_in_cache@entry=true)at /test/11.2_dbg/sql/sql_connect.cc:1439
#33 0x000055fa79fb0f3e in handle_one_connection (arg=arg@entry=0x55fa7dabb848)at /test/11.2_dbg/sql/sql_connect.cc:1341
#34 0x000055fa7a40352c in pfs_spawn_thread (arg=0x55fa7da1e528)at /test/11.2_dbg/storage/perfschema/pfs.cc:2201
#35 0x00001497f3e97ada in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:444
#36 0x00001497f3f2847c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

If we change the table name 'ta' to 't4' in the testcase, the bug does not reproduce, suggesting a memory corruption issue.

This is confirmed by ASAN heap-use-after-free, including in optimized builds:

11.5.0 e4afa610539ae01164485554e2de839bea9de816 (Optimized, UBASAN)
==3229201==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000038768 at pc 0x1516393014c5 bp 0x15163a6d3500 sp 0x15163a6d34f0
WRITE of size 4 at 0x612000038768 thread T13
#0 0x1516393014c4 in spider_db_mbase::fin_loop_check() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:3368
#1 0x15163905b785 in spider_db_conn_queue_action(st_spider_conn*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:561
#2 0x15163908be25 in spider_db_before_query(st_spider_conn, int) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:579
#3 0x15163908cbfa in spider_db_query(st_spider_conn, char const, unsigned int, int, int*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:648
#4 0x1516393292b8 in spider_set_lock_wait_timeout /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:13094
#5 0x1516393ca527 in spider_mbase_handler::show_table_status(int, int, unsigned int) /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:13185
#6 0x151639182013 in spider_get_sts(st_spider_share, int, long, ha_spider, double, int, int, int, unsigned int) /test/11.5_opt_san/storage/spider/spd_table.cc:7147
#7 0x1516391a5e86 in spider_share_get_sts_crd(THD, ha_spider, st_spider_share, TABLE, bool, bool, int*) /test/11.5_opt_san/storage/spider/spd_table.cc:5384
#8 0x1516391aa7cb in spider_init_share(char const, TABLE, THD, ha_spider, int, st_spider_share, TABLE_SHARE*, bool) /test/11.5_opt_san/storage/spider/spd_table.cc:5543
#9 0x1516391abc1b in spider_get_share(char const, TABLE, THD, ha_spider, int*) /test/11.5_opt_san/storage/spider/spd_table.cc:5634
#10 0x1516392a00cc in ha_spider::open(char const*, int, unsigned int) /test/11.5_opt_san/storage/spider/ha_spider.cc:312
#11 0x5576bc1c8d28 in handler::ha_open(TABLE, char const, int, unsigned int, st_mem_root, List<String>) /test/11.5_opt_san/sql/handler.cc:3513
#12 0x5576bb378d07 in open_table_from_share(THD, TABLE_SHARE, st_mysql_const_lex_string const, unsigned int, unsigned int, unsigned int, TABLE, bool, List<String>*) /test/11.5_opt_san/sql/table.cc:4582
#13 0x5576ba72a97b in open_table(THD, TABLE_LIST, Open_table_context*) /test/11.5_opt_san/sql/sql_base.cc:2232
#14 0x5576ba741a59 in open_and_process_table /test/11.5_opt_san/sql/sql_base.cc:4165
#15 0x5576ba741a59 in open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /test/11.5_opt_san/sql/sql_base.cc:4651
#16 0x5576ba746d74 in open_tables /test/11.5_opt_san/sql/sql_base.h:271
#17 0x5576ba746d74 in open_normal_and_derived_tables(THD, TABLE_LIST, unsigned int, unsigned int) /test/11.5_opt_san/sql/sql_base.cc:5690
#18 0x5576ba747554 in open_tables_only_view_structure(THD, TABLE_LIST, bool) /test/11.5_opt_san/sql/sql_base.cc:5741
#19 0x5576bafdf0f2 in fill_schema_table_by_open /test/11.5_opt_san/sql/sql_show.cc:4772
#20 0x5576bb0953d2 in get_all_tables(THD, TABLE_LIST, Item*) /test/11.5_opt_san/sql/sql_show.cc:5549
#21 0x5576bb0a3c58 in get_schema_tables_result(JOIN*, enum_schema_table_state) /test/11.5_opt_san/sql/sql_show.cc:9397
#22 0x5576baf9cdfc in JOIN::exec_inner() /test/11.5_opt_san/sql/sql_select.cc:4952
#23 0x5576bafa3a83 in JOIN::exec() /test/11.5_opt_san/sql/sql_select.cc:4774
#24 0x5576baf9115d in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/11.5_opt_san/sql/sql_select.cc:5304
#25 0x5576baf94d60 in handle_select(THD, LEX, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
#26 0x5576bab02b00 in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
#27 0x5576bab68149 in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
#28 0x5576bab77382 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
#29 0x5576bab82853 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
#30 0x5576bab8f428 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
#31 0x5576bb5076fc in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
#32 0x5576bb509cfc in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
#33 0x15165de97ad9 in start_thread nptl/pthread_create.c:444
#34 0x15165df2847b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

0x612000038768 is located 40 bytes inside of 296-byte region [0x612000038740,0x612000038868)
freed by thread T13 here:
#0 0x5576ba28b8c7 in free (/test/UBASAN_MD250524-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7ec68c7)
#1 0x1516391f0567 in spider_free_mem(st_spider_transaction, void, unsigned long) /test/11.5_opt_san/storage/spider/spd_malloc.cc:183
#2 0x15163910193a in spider_conn_queue_and_merge_loop_check(st_spider_conn, st_spider_conn_loop_check) /test/11.5_opt_san/storage/spider/spd_conn.cc:1188
#3 0x151639104e4b in spider_conn_queue_loop_check(st_spider_conn, ha_spider, int) /test/11.5_opt_san/storage/spider/spd_conn.cc:1446
#4 0x1516391256ba in spider_get_conn(st_spider_share, int, char, st_spider_transaction, ha_spider, bool, bool, int*) /test/11.5_opt_san/storage/spider/spd_conn.cc:832
#5 0x15163914284f in spider_share_get_conns(ha_spider, st_spider_share, int*) /test/11.5_opt_san/storage/spider/spd_table.cc:5250
#6 0x1516391a9e02 in spider_init_share(char const, TABLE, THD, ha_spider, int, st_spider_share, TABLE_SHARE*, bool) /test/11.5_opt_san/storage/spider/spd_table.cc:5520
#7 0x1516391abc1b in spider_get_share(char const, TABLE, THD, ha_spider, int*) /test/11.5_opt_san/storage/spider/spd_table.cc:5634
#8 0x1516392a00cc in ha_spider::open(char const*, int, unsigned int) /test/11.5_opt_san/storage/spider/ha_spider.cc:312
#9 0x5576bc1c8d28 in handler::ha_open(TABLE, char const, int, unsigned int, st_mem_root, List<String>) /test/11.5_opt_san/sql/handler.cc:3513
#10 0x5576bb378d07 in open_table_from_share(THD, TABLE_SHARE, st_mysql_const_lex_string const, unsigned int, unsigned int, unsigned int, TABLE, bool, List<String>*) /test/11.5_opt_san/sql/table.cc:4582
#11 0x5576ba72a97b in open_table(THD, TABLE_LIST, Open_table_context*) /test/11.5_opt_san/sql/sql_base.cc:2232
#12 0x5576ba741a59 in open_and_process_table /test/11.5_opt_san/sql/sql_base.cc:4165
#13 0x5576ba741a59 in open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /test/11.5_opt_san/sql/sql_base.cc:4651
#14 0x5576ba746d74 in open_tables /test/11.5_opt_san/sql/sql_base.h:271
#15 0x5576ba746d74 in open_normal_and_derived_tables(THD, TABLE_LIST, unsigned int, unsigned int) /test/11.5_opt_san/sql/sql_base.cc:5690
#16 0x5576ba747554 in open_tables_only_view_structure(THD, TABLE_LIST, bool) /test/11.5_opt_san/sql/sql_base.cc:5741
#17 0x5576bafdf0f2 in fill_schema_table_by_open /test/11.5_opt_san/sql/sql_show.cc:4772
#18 0x5576bb0953d2 in get_all_tables(THD, TABLE_LIST, Item*) /test/11.5_opt_san/sql/sql_show.cc:5549
#19 0x5576bb0a3c58 in get_schema_tables_result(JOIN*, enum_schema_table_state) /test/11.5_opt_san/sql/sql_show.cc:9397
#20 0x5576baf9cdfc in JOIN::exec_inner() /test/11.5_opt_san/sql/sql_select.cc:4952
#21 0x5576bafa3a83 in JOIN::exec() /test/11.5_opt_san/sql/sql_select.cc:4774
#22 0x5576baf9115d in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/11.5_opt_san/sql/sql_select.cc:5304
#23 0x5576baf94d60 in handle_select(THD, LEX, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
#24 0x5576bab02b00 in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
#25 0x5576bab68149 in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
#26 0x5576bab77382 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
#27 0x5576bab82853 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
#28 0x5576bab8f428 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
#29 0x5576bb5076fc in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
#30 0x5576bb509cfc in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
#31 0x15165de97ad9 in start_thread nptl/pthread_create.c:444

previously allocated by thread T13 here:
#0 0x5576ba28bc17 in __interceptor_malloc (/test/UBASAN_MD250524-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7ec6c17)
#1 0x5576be88b234 in my_malloc /test/11.5_opt_san/mysys/my_malloc.c:93
#2 0x1516391f09fb in spider_bulk_alloc_mem(st_spider_transaction, unsigned int, char const, char const*, unsigned long, unsigned long, ...) /test/11.5_opt_san/storage/spider/spd_malloc.cc:231
#3 0x151639101106 in spider_conn_queue_and_merge_loop_check(st_spider_conn, st_spider_conn_loop_check) /test/11.5_opt_san/storage/spider/spd_conn.cc:1141
#4 0x151639104e4b in spider_conn_queue_loop_check(st_spider_conn, ha_spider, int) /test/11.5_opt_san/storage/spider/spd_conn.cc:1446
#5 0x1516391256ba in spider_get_conn(st_spider_share, int, char, st_spider_transaction, ha_spider, bool, bool, int*) /test/11.5_opt_san/storage/spider/spd_conn.cc:832
#6 0x15163914284f in spider_share_get_conns(ha_spider, st_spider_share, int*) /test/11.5_opt_san/storage/spider/spd_table.cc:5250
#7 0x1516391a9e02 in spider_init_share(char const, TABLE, THD, ha_spider, int, st_spider_share, TABLE_SHARE*, bool) /test/11.5_opt_san/storage/spider/spd_table.cc:5520
#8 0x1516391abc1b in spider_get_share(char const, TABLE, THD, ha_spider, int*) /test/11.5_opt_san/storage/spider/spd_table.cc:5634
#9 0x1516392a00cc in ha_spider::open(char const*, int, unsigned int) /test/11.5_opt_san/storage/spider/ha_spider.cc:312
#10 0x5576bc1c8d28 in handler::ha_open(TABLE, char const, int, unsigned int, st_mem_root, List<String>) /test/11.5_opt_san/sql/handler.cc:3513
#11 0x5576bb378d07 in open_table_from_share(THD, TABLE_SHARE, st_mysql_const_lex_string const, unsigned int, unsigned int, unsigned int, TABLE, bool, List<String>*) /test/11.5_opt_san/sql/table.cc:4582
#12 0x5576ba72a97b in open_table(THD, TABLE_LIST, Open_table_context*) /test/11.5_opt_san/sql/sql_base.cc:2232
#13 0x5576ba741a59 in open_and_process_table /test/11.5_opt_san/sql/sql_base.cc:4165
#14 0x5576ba741a59 in open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /test/11.5_opt_san/sql/sql_base.cc:4651
#15 0x5576ba746d74 in open_tables /test/11.5_opt_san/sql/sql_base.h:271
#16 0x5576ba746d74 in open_normal_and_derived_tables(THD, TABLE_LIST, unsigned int, unsigned int) /test/11.5_opt_san/sql/sql_base.cc:5690
#17 0x5576ba747554 in open_tables_only_view_structure(THD, TABLE_LIST, bool) /test/11.5_opt_san/sql/sql_base.cc:5741
#18 0x5576bafdf0f2 in fill_schema_table_by_open /test/11.5_opt_san/sql/sql_show.cc:4772
#19 0x5576bb0953d2 in get_all_tables(THD, TABLE_LIST, Item*) /test/11.5_opt_san/sql/sql_show.cc:5549
#20 0x5576bb0a3c58 in get_schema_tables_result(JOIN*, enum_schema_table_state) /test/11.5_opt_san/sql/sql_show.cc:9397
#21 0x5576baf9cdfc in JOIN::exec_inner() /test/11.5_opt_san/sql/sql_select.cc:4952
#22 0x5576bafa3a83 in JOIN::exec() /test/11.5_opt_san/sql/sql_select.cc:4774
#23 0x5576baf9115d in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/11.5_opt_san/sql/sql_select.cc:5304
#24 0x5576baf94d60 in handle_select(THD, LEX, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
#25 0x5576bab02b00 in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
#26 0x5576bab68149 in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
#27 0x5576bab77382 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
#28 0x5576bab82853 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
#29 0x5576bab8f428 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
#30 0x5576bb5076fc in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
#31 0x5576bb509cfc in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347

Thread T13 created by T0 here:
#0 0x5576ba22fa35 in __interceptor_pthread_create (/test/UBASAN_MD250524-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7e6aa35)
#1 0x5576ba2e44de in create_thread_to_handle_connection(CONNECT*) /test/11.5_opt_san/sql/mysqld.cc:6079
#2 0x5576ba2f76ff in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.5_opt_san/sql/mysqld.cc:6203
#3 0x5576ba2f87e7 in handle_connections_sockets() /test/11.5_opt_san/sql/mysqld.cc:6316
#4 0x5576ba2fb8ed in mysqld_main(int, char**) /test/11.5_opt_san/sql/mysqld.cc:5974
#5 0x15165de280cf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-use-after-free /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:3368 in spider_db_mbase::fin_loop_check()
Shadow bytes around the buggy address:
0x0c247ffff090: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c247ffff0a0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
0x0c247ffff0b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c247ffff0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c247ffff0d0: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
=>0x0c247ffff0e0: fa fa fa fa fa fa fa fa fd fd fd fd fd[fd]fd fd
0x0c247ffff0f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c247ffff100: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
0x0c247ffff110: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c247ffff120: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c247ffff130: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3229201==ABORTING
240708 7:10:28 [ERROR] mysqld got signal 6 ;

Attachments

Issue Links

is duplicated by

MDEV-34555 SIGSEGV in spider_conn_queue_and_merge_loop_check, and ASAN: heap-use-after-free in spider_conn_reset_queue_loop_check

Closed

relates to

MDEV-32864 Assertion failure during server shutdown after executing SHOW TABLE STATUS on a spider table

Confirmed

Activity

Transition	Time In Source Status	Execution Times

Yuchen Pei made transition - 2024-07-10 05:45

Open

Confirmed

2d 8h 26m

Yuchen Pei made transition - 2024-07-10 05:45

Confirmed

In Review

21s

Alexey Botchkov made transition - 2024-07-15 08:18

In Review

Stalled

5d 2h 32m

Yuchen Pei made transition - 2024-07-16 09:15

Stalled

Closed

1d 57m

People

Assignee:: Yuchen Pei

Reporter:: Roel Van de Paar

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2024-07-07 21:19

Updated:: 2024-08-06 04:29

Resolved:: 2024-07-16 09:15

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server