[MDEV-34555] SIGSEGV in spider_conn_queue_and_merge_loop_check, and ASAN: heap-use-after-free in spider_conn_reset_queue_loop_check - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Duplicate
Affects Version/s: 10.5, 10.6, 10.11, 11.1(EOL), 11.2, 11.4, 11.6, 11.5(EOL)
Fix Version/s: N/A
Component/s: Storage Engine - Spider
Labels:
- ASAN
- memory_corruption

Description

Split for for this SIGSEGV listed in ~~MDEV-27902~~ and MDEV-34549:

SIGSEGV|spider_conn_queue_and_merge_loop_check|spider_conn_reset_queue_loop_check|spider_reset_conn_setted_parameter|spider_db_connect

One possible testcase:

INSTALL PLUGIN Spider SONAME 'ha_spider.so';

CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock',DATABASE'',USER'',PASSWORD 'PWD0');

CREATE TABLE tSpider (a INT) ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t"';

CREATE TABLE t2 (c INT,c2 CHAR(1)) ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t"';

XA START 'a';

SELECT * FROM information_schema.table_constraints;

SELECT SLEEP (1);

SELECT * FROM t2;

SELECT SLEEP (1);

SELECT * FROM t2;  # Debug builds common crash location

SELECT SLEEP (1);

SELECT * FROM t2;  # Optimized builds common crash location

Leads to:

bb-11.6-mdev-32492-27902-29962 11.6.0 0d7c712debbe5056da2c34b5daf3fbd5969d00dc (Optimized)
Core was generated by `/test/MDEV-32492-27902-29962_MD100724-mariadb-11.6.0-linux-x86_64-opt/bin/maria'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __memcpy_avx_unaligned_erms ()at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:344
Download failed: Invalid argument. Continuing without source file ./string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S.
[Current thread is 1 (LWP 2865706)]
(gdb) bt
#0 __memcpy_avx_unaligned_erms ()at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:344
#1 0x0000147894072d1a in memcpy (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>)at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
#2 spider_conn_queue_and_merge_loop_check (conn=conn@entry=0x14786062f4f8, lcptr=lcptr@entry=0x1478600481f8)at /test/bb-11.6-mdev-32492-27902-29962_opt/storage/spider/spd_conn.cc:1127
#3 0x0000147894072e7d in spider_conn_reset_queue_loop_check (conn=0x14786062f4f8)at /test/bb-11.6-mdev-32492-27902-29962_opt/storage/spider/spd_conn.cc:1239
#4 0x000014789407309f in spider_reset_conn_setted_parameter (conn=<optimized out>, thd=<optimized out>)at /test/bb-11.6-mdev-32492-27902-29962_opt/storage/spider/spd_conn.cc:259
#5 0x000014789405e9a6 in spider_db_connect (share=0x1478606327a8, conn=conn@entry=0x14786062f4f8, link_idx=0)at /test/bb-11.6-mdev-32492-27902-29962_opt/storage/spider/spd_db_conn.cc:131
#6 0x000014789405f660 in spider_db_conn_queue_action (conn=conn@entry=0x14786062f4f8)at /test/bb-11.6-mdev-32492-27902-29962_opt/storage/spider/spd_db_conn.cc:256
#7 0x0000147894064b80 in spider_db_before_query (conn=0x14786062f4f8, need_mon=<optimized out>)at /test/bb-11.6-mdev-32492-27902-29962_opt/storage/spider/spd_db_conn.cc:571
#8 0x0000147894064d82 in spider_db_set_names_internal (trx=0x1478601a5c58, share=0x1478606284c8, conn=conn@entry=0x14786062f4f8, all_link_idx=0, need_mon=0x147860016f30)at /test/bb-11.6-mdev-32492-27902-29962_opt/storage/spider/spd_db_conn.cc:799
#9 0x0000147894064f39 in spider_db_set_names (spider=<optimized out>, conn=conn@entry=0x14786062f4f8, link_idx=link_idx@entry=0)at /test/bb-11.6-mdev-32492-27902-29962_opt/storage/spider/spd_db_conn.cc:842
#10 0x00001478940db749 in spider_mbase_handler::show_table_status (this=0x14786062df90, link_idx=0, sts_mode=1, flag=<optimized out>)at /test/bb-11.6-mdev-32492-27902-29962_opt/storage/spider/spd_db_mysql.cc:13231
#11 0x000014789408e584 in spider_get_sts (share=0x1478606284c8, link_idx=0, tmp_time=tmp_time@entry=1720652489, spider=spider@entry=0x147860627910, sts_interval=sts_interval@entry=0, sts_mode=sts_mode@entry=1, sts_sync=sts_sync@entry=0, sts_sync_level=1, flag=82)at /test/bb-11.6-mdev-32492-27902-29962_opt/storage/spider/spd_table.cc:7153
#12 0x00001478940bd6f7 in ha_spider::info (this=0x147860627910, flag=18)at /test/bb-11.6-mdev-32492-27902-29962_opt/storage/spider/ha_spider.cc:6560
#13 0x0000557629294ba1 in make_join_statistics (join=join@entry=0x147860019608, tables_list=@0x147860018188: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x147860019db8, last = 0x147860019db8, elements = 1}, <No data fields>}, keyuse_array=keyuse_array@entry=0x147860019960)at /test/bb-11.6-mdev-32492-27902-29962_opt/sql/sql_select.cc:5611
#14 0x000055762929bb72 in JOIN::optimize_inner (this=this@entry=0x147860019608)at /test/bb-11.6-mdev-32492-27902-29962_opt/sql/sql_select.cc:2683
#15 0x000055762929c31a in JOIN::optimize (this=this@entry=0x147860019608)at /test/bb-11.6-mdev-32492-27902-29962_opt/sql/sql_select.cc:1984
#16 0x000055762929c411 in mysql_select (thd=thd@entry=0x147860000c68, tables=0x1478600185a8, fields=@0x147860018228: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x147860018558, last = 0x14786001a038, elements = 2}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x1478600195e0, unit=0x147860004f88, select_lex=0x147860017f70)at /test/bb-11.6-mdev-32492-27902-29962_opt/sql/sql_select.cc:5320
#17 0x000055762929cc64 in handle_select (thd=thd@entry=0x147860000c68, lex=lex@entry=0x147860004ea8, result=result@entry=0x1478600195e0, setup_tables_done_option=setup_tables_done_option@entry=0)at /test/bb-11.6-mdev-32492-27902-29962_opt/sql/sql_select.cc:628
#18 0x000055762920ee75 in execute_sqlcom_select (thd=thd@entry=0x147860000c68, all_tables=0x1478600185a8)at /test/bb-11.6-mdev-32492-27902-29962_opt/sql/sql_parse.cc:6147
#19 0x000055762921e10f in mysql_execute_command (thd=thd@entry=0x147860000c68, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false)at /test/bb-11.6-mdev-32492-27902-29962_opt/sql/sql_parse.cc:3953
#20 0x000055762921f626 in mysql_parse (thd=0x147860000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>)at /test/bb-11.6-mdev-32492-27902-29962_opt/sql/sql_parse.cc:7867
#21 0x0000557629221805 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x147860000c68, packet=packet@entry=0x147860008859 "SELECT * FROM t2", packet_length=packet_length@entry=16, blocking=blocking@entry=true)at /test/bb-11.6-mdev-32492-27902-29962_opt/sql/sql_parse.cc:1991
#22 0x0000557629223df0 in do_command (thd=0x147860000c68, blocking=blocking@entry=true)at /test/bb-11.6-mdev-32492-27902-29962_opt/sql/sql_parse.cc:1405
#23 0x000055762935369f in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55762d4e5708, put_in_cache=put_in_cache@entry=true)at /test/bb-11.6-mdev-32492-27902-29962_opt/sql/sql_connect.cc:1447
#24 0x00005576293539ed in handle_one_connection (arg=arg@entry=0x55762d4e5708)at /test/bb-11.6-mdev-32492-27902-29962_opt/sql/sql_connect.cc:1349
#25 0x0000557629709ecd in pfs_spawn_thread (arg=0x55762d48d6b8)at /test/bb-11.6-mdev-32492-27902-29962_opt/storage/perfschema/pfs.cc:2198
#26 0x00001478ab497ada in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:444
#27 0x00001478ab52847c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

bb-11.6-mdev-32492-27902-29962 11.6.0 0d7c712debbe5056da2c34b5daf3fbd5969d00dc (Debug)
Core was generated by `/test/MDEV-32492-27902-29962_MD100724-mariadb-11.6.0-linux-x86_64-dbg/bin/maria'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __memcpy_avx_unaligned_erms ()at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:344
Download failed: Invalid argument. Continuing without source file ./string/../sysdeps/x86_64/multiarch/memmove-vec-unaligne
d-erms.S.
[Current thread is 1 (LWP 2958069)]
(gdb) bt
#0 __memcpy_avx_unaligned_erms ()at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:344
#1 0x000015522c099320 in memcpy (__len=<optimized out>, __src=<optimized out>, __dest=0x8f8f8f8f8f8f8f8f)at /usr/include/x8
6_64-linux-gnu/bits/string_fortified.h:29
#2 spider_conn_queue_and_merge_loop_check (conn=conn@entry=0x1551fc1f3ea8, lcptr=lcptr@entry=0x1551fc0cbe68)at /test/bb-11.
6-mdev-32492-27902-29962_dbg/storage/spider/spd_conn.cc:1127
#3 0x000015522c09953a in spider_conn_reset_queue_loop_check (conn=conn@entry=0x1551fc1f3ea8)at /test/bb-11.6-mdev-32492-279
02-29962_dbg/storage/spider/spd_conn.cc:1239
#4 0x000015522c099773 in spider_reset_conn_setted_parameter (conn=conn@entry=0x1551fc1f3ea8, thd=thd@entry=0x1551fc000d58)a
t /test/bb-11.6-mdev-32492-27902-29962_dbg/storage/spider/spd_conn.cc:259
#5 0x000015522c07d2c2 in spider_db_connect (share=0x1551fc0c2f58, conn=conn@entry=0x1551fc1f3ea8, link_idx=0)at /test/bb-11.6-mdev-32492-27902-29962_dbg/storage/spider/spd_db_conn.cc:131
#6 0x000015522c07da5c in spider_db_conn_queue_action (conn=conn@entry=0x1551fc1f3ea8)at /test/bb-11.6-mdev-32492-27902-29962_dbg/storage/spider/spd_db_conn.cc:256
#7 0x000015522c0849a0 in spider_db_before_query (conn=conn@entry=0x1551fc1f3ea8, need_mon=need_mon@entry=0x1551fc2c8eb0)at /test/bb-11.6-mdev-32492-27902-29962_dbg/storage/spider/spd_db_conn.cc:571
#8 0x000015522c084fca in spider_db_set_names_internal (trx=0x1551fc273788, share=0x1551fc0c2f58, conn=conn@entry=0x1551fc1f3ea8, all_link_idx=0, need_mon=0x1551fc2c8eb0)at /test/bb-11.6-mdev-32492-27902-29962_dbg/storage/spider/spd_db_conn.cc:798
#9 0x000015522c0852e7 in spider_db_set_names (spider=<optimized out>, conn=conn@entry=0x1551fc1f3ea8, link_idx=link_idx@entry=0)at /test/bb-11.6-mdev-32492-27902-29962_dbg/storage/spider/spd_db_conn.cc:842
#10 0x000015522c111ee7 in spider_mbase_handler::show_table_status (this=0x1551fc0ca900, link_idx=0, sts_mode=1, flag=<optimized out>)at /test/bb-11.6-mdev-32492-27902-29962_dbg/storage/spider/spd_db_mysql.cc:13231
#11 0x000015522c08a46a in spider_db_show_table_status (spider=spider@entry=0x1551fc0c23a0, link_idx=link_idx@entry=0, sts_mode=<optimized out>, sts_mode@entry=1, flag=flag@entry=82)at /test/bb-11.6-mdev-32492-27902-29962_dbg/storage/spider/spd_db_conn.cc:5170
#12 0x000015522c0b67a3 in spider_get_sts (share=0x1551fc0c2f58, link_idx=0, tmp_time=tmp_time@entry=1720652513, spider=spider@entry=0x1551fc0c23a0, sts_interval=sts_interval@entry=0, sts_mode=sts_mode@entry=1, sts_sync=sts_sync@entry=0, sts_sync_level=1, flag=82)at /test/bb-11.6-mdev-32492-27902-29962_dbg/storage/spider/spd_table.cc:7153
#13 0x000015522c0ee175 in ha_spider::info (this=0x1551fc0c23a0, flag=18)at /test/bb-11.6-mdev-32492-27902-29962_dbg/storage/spider/ha_spider.cc:6560
#14 0x000055c5f4172eaf in TABLE_LIST::fetch_number_of_rows (this=this@entry=0x1551fc01b068)at /test/bb-11.6-mdev-32492-27902-29962_dbg/sql/table.cc:10128
#15 0x000055c5f40c37b0 in make_join_statistics (join=join@entry=0x1551fc01c0c8, tables_list=@0x1551fc01ac48: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1551fc01c888, last = 0x1551fc01c888, elements = 1}, <No data fields>}, keyuse_array=keyuse_array@entry=0x1551fc01c428)at /test/bb-11.6-mdev-32492-27902-29962_dbg/sql/sql_select.cc:5611
#16 0x000055c5f40cd506 in JOIN::optimize_inner (this=this@entry=0x1551fc01c0c8)at /test/bb-11.6-mdev-32492-27902-29962_dbg/sql/sql_select.cc:2683
#17 0x000055c5f40cdabc in JOIN::optimize (this=this@entry=0x1551fc01c0c8)at /test/bb-11.6-mdev-32492-27902-29962_dbg/sql/sql_select.cc:1984
#18 0x000055c5f40cdbdc in mysql_select (thd=thd@entry=0x1551fc000d58, tables=0x1551fc01b068, fields=@0x1551fc01ace8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1551fc01b018, last = 0x1551fc01cb08, elements = 2}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2165574400, result=0x1551fc01c0a0, unit=0x1551fc005240, select_lex=0x1551fc01aa30)at /test/bb-11.6-mdev-32492-27902-29962_dbg/sql/sql_select.cc:5320
#19 0x000055c5f40ce466 in handle_select (thd=thd@entry=0x1551fc000d58, lex=lex@entry=0x1551fc005160, result=result@entry=0x1551fc01c0a0, setup_tables_done_option=setup_tables_done_option@entry=0)at /test/bb-11.6-mdev-32492-27902-29962_dbg/sql/sql_select.cc:628
#20 0x000055c5f402db4b in execute_sqlcom_select (thd=thd@entry=0x1551fc000d58, all_tables=0x1551fc01b068)at /test/bb-11.6-mdev-32492-27902-29962_dbg/sql/sql_parse.cc:6147
#21 0x000055c5f4038b57 in mysql_execute_command (thd=thd@entry=0x1551fc000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false)at /test/bb-11.6-mdev-32492-27902-29962_dbg/sql/sql_parse.cc:3953
#22 0x000055c5f403f04c in mysql_parse (thd=thd@entry=0x1551fc000d58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x15524007a2a0)at /test/bb-11.6-mdev-32492-27902-29962_dbg/sql/sql_parse.cc:7867
#23 0x000055c5f404140f in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x1551fc000d58, packet=packet@entry=0x1551fc00b319 "SELECT * FROM t2", packet_length=packet_length@entry=16, blocking=blocking@entry=true)at /test/bb-11.6-mdev-32492-27902-29962_dbg/sql/sql_class.h:255
#24 0x000055c5f40438a5 in do_command (thd=0x1551fc000d58, blocking=blocking@entry=true)at /test/bb-11.6-mdev-32492-27902-29962_dbg/sql/sql_parse.cc:1405
#25 0x000055c5f41b364b in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55c5f75286c8, put_in_cache=put_in_cache@entry=true)at /test/bb-11.6-mdev-32492-27902-29962_dbg/sql/sql_connect.cc:1447
#26 0x000055c5f41b3940 in handle_one_connection (arg=arg@entry=0x55c5f75286c8)at /test/bb-11.6-mdev-32492-27902-29962_dbg/sql/sql_connect.cc:1349
#27 0x000055c5f4614133 in pfs_spawn_thread (arg=0x55c5f74ba108)at /test/bb-11.6-mdev-32492-27902-29962_dbg/storage/perfschema/pfs.cc:2198
#28 0x0000155244497ada in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:444
#29 0x000015524452847c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

We also see an ASAN heap-use-after-free:

11.6.0 29e9ade269d803b6823ec57808e0b7fad28baf9e (Optimized, UBASAN)
==3089516==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000034fe8 at pc 0x14f177cfc860 bp 0x14f179376ff0 sp 0x14f179376fe0
WRITE of size 4 at 0x612000034fe8 thread T12
#0 0x14f177cfc85f in spider_conn_reset_queue_loop_check(st_spider_conn*) /test/11.6_opt_san/storage/spider/spd_conn.cc:1238
#1 0x14f177cfd04e in spider_reset_conn_setted_parameter(st_spider_conn, THD) /test/11.6_opt_san/storage/spider/spd_conn.cc:259
#2 0x14f177c4ebbb in spider_db_connect(st_spider_share const, st_spider_conn, int) /test/11.6_opt_san/storage/spider/spd_db_conn.cc:131
#3 0x14f177c53882 in spider_db_conn_queue_action(st_spider_conn*) /test/11.6_opt_san/storage/spider/spd_db_conn.cc:256
#4 0x14f177c85c55 in spider_db_before_query(st_spider_conn, int) /test/11.6_opt_san/storage/spider/spd_db_conn.cc:571
#5 0x14f177c86c10 in spider_db_set_names_internal(st_spider_transaction, st_spider_share, st_spider_conn, int, int) /test/11.6_opt_san/storage/spider/spd_db_conn.cc:799
#6 0x14f177fc4f59 in spider_mbase_handler::show_table_status(int, int, unsigned int) /test/11.6_opt_san/storage/spider/spd_db_mysql.cc:13231
#7 0x14f177d7c303 in spider_get_sts(st_spider_share, int, long, ha_spider, double, int, int, int, unsigned int) /test/11.6_opt_san/storage/spider/spd_table.cc:7153
#8 0x14f177ee06ea in ha_spider::info(unsigned int) /test/11.6_opt_san/storage/spider/ha_spider.cc:6557
#9 0x5598c18e2910 in make_join_statistics /test/11.6_opt_san/sql/sql_select.cc:5606
#10 0x5598c191c5b1 in JOIN::optimize_inner() /test/11.6_opt_san/sql/sql_select.cc:2679
#11 0x5598c1923425 in JOIN::optimize() /test/11.6_opt_san/sql/sql_select.cc:1984
#12 0x5598c1923bc6 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/11.6_opt_san/sql/sql_select.cc:5315
#13 0x5598c1927a90 in handle_select(THD, LEX, select_result*, unsigned long long) /test/11.6_opt_san/sql/sql_select.cc:628
#14 0x5598c148faa0 in execute_sqlcom_select /test/11.6_opt_san/sql/sql_parse.cc:6147
#15 0x5598c14f3c92 in mysql_execute_command(THD*, bool) /test/11.6_opt_san/sql/sql_parse.cc:3953
#16 0x5598c1503042 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.6_opt_san/sql/sql_parse.cc:7868
#17 0x5598c150f53e in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.6_opt_san/sql/sql_parse.cc:1892
#18 0x5598c151b418 in do_command(THD*, bool) /test/11.6_opt_san/sql/sql_parse.cc:1405
#19 0x5598c1ea3c7c in do_handle_one_connection(CONNECT*, bool) /test/11.6_opt_san/sql/sql_connect.cc:1447
#20 0x5598c1ea627c in handle_one_connection /test/11.6_opt_san/sql/sql_connect.cc:1349
#21 0x14f19ce97ad9 in start_thread nptl/pthread_create.c:444
#22 0x14f19cf2847b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

0x612000034fe8 is located 40 bytes inside of 280-byte region [0x612000034fc0,0x6120000350d8)
freed by thread T12 here:
#0 0x5598c0c0e8c7 in free (/test/UBASAN_MD170624-mariadb-11.6.0-linux-x86_64-opt/bin/mariadbd+0x7fd38c7)
#1 0x14f177deb957 in spider_free_mem(st_spider_transaction, void, unsigned long) /test/11.6_opt_san/storage/spider/spd_malloc.cc:183
#2 0x14f177cfc68d in spider_conn_reset_queue_loop_check(st_spider_conn*) /test/11.6_opt_san/storage/spider/spd_conn.cc:1230
#3 0x14f177cfd04e in spider_reset_conn_setted_parameter(st_spider_conn, THD) /test/11.6_opt_san/storage/spider/spd_conn.cc:259
#4 0x14f177c4ebbb in spider_db_connect(st_spider_share const, st_spider_conn, int) /test/11.6_opt_san/storage/spider/spd_db_conn.cc:131
#5 0x14f177c53882 in spider_db_conn_queue_action(st_spider_conn*) /test/11.6_opt_san/storage/spider/spd_db_conn.cc:256
#6 0x14f177c85c55 in spider_db_before_query(st_spider_conn, int) /test/11.6_opt_san/storage/spider/spd_db_conn.cc:571
#7 0x14f177c86c10 in spider_db_set_names_internal(st_spider_transaction, st_spider_share, st_spider_conn, int, int) /test/11.6_opt_san/storage/spider/spd_db_conn.cc:799
#8 0x14f177fc4f59 in spider_mbase_handler::show_table_status(int, int, unsigned int) /test/11.6_opt_san/storage/spider/spd_db_mysql.cc:13231
#9 0x14f177d7c303 in spider_get_sts(st_spider_share, int, long, ha_spider, double, int, int, int, unsigned int) /test/11.6_opt_san/storage/spider/spd_table.cc:7153
#10 0x14f177ee06ea in ha_spider::info(unsigned int) /test/11.6_opt_san/storage/spider/ha_spider.cc:6557
#11 0x5598c18e2910 in make_join_statistics /test/11.6_opt_san/sql/sql_select.cc:5606
#12 0x5598c191c5b1 in JOIN::optimize_inner() /test/11.6_opt_san/sql/sql_select.cc:2679
#13 0x5598c1923425 in JOIN::optimize() /test/11.6_opt_san/sql/sql_select.cc:1984
#14 0x5598c1923bc6 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/11.6_opt_san/sql/sql_select.cc:5315
#15 0x5598c1927a90 in handle_select(THD, LEX, select_result*, unsigned long long) /test/11.6_opt_san/sql/sql_select.cc:628
#16 0x5598c148faa0 in execute_sqlcom_select /test/11.6_opt_san/sql/sql_parse.cc:6147
#17 0x5598c14f3c92 in mysql_execute_command(THD*, bool) /test/11.6_opt_san/sql/sql_parse.cc:3953
#18 0x5598c1503042 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.6_opt_san/sql/sql_parse.cc:7868
#19 0x5598c150f53e in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.6_opt_san/sql/sql_parse.cc:1892
#20 0x5598c151b418 in do_command(THD*, bool) /test/11.6_opt_san/sql/sql_parse.cc:1405
#21 0x5598c1ea3c7c in do_handle_one_connection(CONNECT*, bool) /test/11.6_opt_san/sql/sql_connect.cc:1447
#22 0x5598c1ea627c in handle_one_connection /test/11.6_opt_san/sql/sql_connect.cc:1349
#23 0x14f19ce97ad9 in start_thread nptl/pthread_create.c:444

previously allocated by thread T12 here:
#0 0x5598c0c0ec17 in malloc (/test/UBASAN_MD170624-mariadb-11.6.0-linux-x86_64-opt/bin/mariadbd+0x7fd3c17)
#1 0x5598c5289f84 in my_malloc /test/11.6_opt_san/mysys/my_malloc.c:93
#2 0x14f177debdeb in spider_bulk_alloc_mem(st_spider_transaction, unsigned int, char const, char const*, unsigned long, unsigned long, ...) /test/11.6_opt_san/storage/spider/spd_malloc.cc:231
#3 0x14f177cfe6f0 in spider_conn_queue_loop_check(st_spider_conn, ha_spider, int) /test/11.6_opt_san/storage/spider/spd_conn.cc:1385
#4 0x14f177d1f54a in spider_get_conn(st_spider_share, int, char, st_spider_transaction, ha_spider, bool, bool, int*) /test/11.6_opt_san/storage/spider/spd_conn.cc:832
#5 0x14f177d3cb3f in spider_share_get_conns(ha_spider, st_spider_share, int*) /test/11.6_opt_san/storage/spider/spd_table.cc:5250
#6 0x14f177da41f2 in spider_init_share(char const, TABLE, THD, ha_spider, int, st_spider_share, TABLE_SHARE*, bool) /test/11.6_opt_san/storage/spider/spd_table.cc:5520
#7 0x14f177da600b in spider_get_share(char const, TABLE, THD, ha_spider, int*) /test/11.6_opt_san/storage/spider/spd_table.cc:5634
#8 0x14f177e9b5dc in ha_spider::open(char const*, int, unsigned int) /test/11.6_opt_san/storage/spider/ha_spider.cc:312
#9 0x5598c2b7f71d in handler::ha_open(TABLE, char const, int, unsigned int, st_mem_root, List<String>) /test/11.6_opt_san/sql/handler.cc:3560
#10 0x5598c1d15707 in open_table_from_share(THD, TABLE_SHARE, st_mysql_const_lex_string const, unsigned int, unsigned int, unsigned int, TABLE, bool, List<String>*) /test/11.6_opt_san/sql/table.cc:4599
#11 0x5598c10b224b in open_table(THD, TABLE_LIST, Open_table_context*) /test/11.6_opt_san/sql/sql_base.cc:2240
#12 0x5598c10c8f99 in open_and_process_table /test/11.6_opt_san/sql/sql_base.cc:4174
#13 0x5598c10c8f99 in open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /test/11.6_opt_san/sql/sql_base.cc:4660
#14 0x5598c10ce2b4 in open_tables /test/11.6_opt_san/sql/sql_base.h:272
#15 0x5598c10ce2b4 in open_normal_and_derived_tables(THD, TABLE_LIST, unsigned int, unsigned int) /test/11.6_opt_san/sql/sql_base.cc:5698
#16 0x5598c10cea94 in open_tables_only_view_structure(THD, TABLE_LIST, bool) /test/11.6_opt_san/sql/sql_base.cc:5749
#17 0x5598c1972850 in fill_schema_table_by_open /test/11.6_opt_san/sql/sql_show.cc:4808
#18 0x5598c1a29815 in get_all_tables(THD, TABLE_LIST, Item*) /test/11.6_opt_san/sql/sql_show.cc:5608
#19 0x5598c1a37eb8 in get_schema_tables_result(JOIN*, enum_schema_table_state) /test/11.6_opt_san/sql/sql_show.cc:9456
#20 0x5598c192fb2c in JOIN::exec_inner() /test/11.6_opt_san/sql/sql_select.cc:4974
#21 0x5598c1936983 in JOIN::exec() /test/11.6_opt_san/sql/sql_select.cc:4796
#22 0x5598c1923e8d in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/11.6_opt_san/sql/sql_select.cc:5329
#23 0x5598c1927a90 in handle_select(THD, LEX, select_result*, unsigned long long) /test/11.6_opt_san/sql/sql_select.cc:628
#24 0x5598c148faa0 in execute_sqlcom_select /test/11.6_opt_san/sql/sql_parse.cc:6147
#25 0x5598c14f3c92 in mysql_execute_command(THD*, bool) /test/11.6_opt_san/sql/sql_parse.cc:3953
#26 0x5598c1503042 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.6_opt_san/sql/sql_parse.cc:7868
#27 0x5598c150f53e in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.6_opt_san/sql/sql_parse.cc:1892
#28 0x5598c151b418 in do_command(THD*, bool) /test/11.6_opt_san/sql/sql_parse.cc:1405
#29 0x5598c1ea3c7c in do_handle_one_connection(CONNECT*, bool) /test/11.6_opt_san/sql/sql_connect.cc:1447
#30 0x5598c1ea627c in handle_one_connection /test/11.6_opt_san/sql/sql_connect.cc:1349
#31 0x14f19ce97ad9 in start_thread nptl/pthread_create.c:444

Thread T12 created by T0 here:
#0 0x5598c0bb2a35 in pthread_create (/test/UBASAN_MD170624-mariadb-11.6.0-linux-x86_64-opt/bin/mariadbd+0x7f77a35)
#1 0x5598c0c67dce in create_thread_to_handle_connection(CONNECT*) /test/11.6_opt_san/sql/mysqld.cc:6203
#2 0x5598c0c7b70f in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.6_opt_san/sql/mysqld.cc:6327
#3 0x5598c0c7c7f7 in handle_connections_sockets() /test/11.6_opt_san/sql/mysqld.cc:6440
#4 0x5598c0c7f8cc in mysqld_main(int, char**) /test/11.6_opt_san/sql/mysqld.cc:6098
#5 0x14f19ce280cf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-use-after-free /test/11.6_opt_san/storage/spider/spd_conn.cc:1238 in spider_conn_reset_queue_loop_check(st_spider_conn*)
Shadow bytes around the buggy address:
0x0c247fffe9a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c247fffe9b0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
0x0c247fffe9c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c247fffe9d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c247fffe9e0: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
=>0x0c247fffe9f0: fa fa fa fa fa fa fa fa fd fd fd fd fd[fd]fd fd
0x0c247fffea00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c247fffea10: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x0c247fffea20: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c247fffea30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c247fffea40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3089516==ABORTING
240711 9:45:54 [ERROR] mysqld got signal 6 ;

Note: this bug still exists in bb-11.6-mdev-32492-27902-29962 and is thus not resolved by the ~~MDEV-27902~~ patch.

Attachments

Issue Links

duplicates

MDEV-34541 SIGSEGV in spider_db_conn::fin_loop_check, and ASAN: heap-use-after-free in spider_db_mbase::fin_loop_check on SHOW TABLE STATUS

Closed

relates to

MDEV-34549 SIGSEGV in my_strcoll_ascii_4bytes_found upon SELECT

Open

split from

MDEV-27902 Spider: Crashes, asserts, hangs, memory corruptions and ASAN heap-use-after-free's

Closed

Activity

People

Assignee:: Yuchen Pei

Reporter:: Roel Van de Paar

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2024-07-09 22:22

Updated:: 2024-07-16 08:33

Resolved:: 2024-07-11 02:28

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.