[MDEV-34632] Assertion `table->field[0]->ptr >= table->record[0] && table->field[0]->ptr <= table->record[0] + table->s->reclength' failed in void handler::assert_icp_limitations(uchar*) - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL), 11.1(EOL), 11.2(EOL), 11.3(EOL), 11.4, 11.5(EOL)
Fix Version/s: 10.5.26, 10.6.19, 10.11.9, 11.1.6, 11.2.5, 11.4.3, 11.5.2
Component/s: Virtual Columns
Labels:
- debug
- regression

Description

--source include/have_sequence.inc

SET sql_mode='';

CREATE TABLE t1 (a INT GENERATED ALWAYS AS (1) VIRTUAL,KEY(a)) ENGINE=MyISAM;

INSERT INTO t1 SELECT 1 FROM seq_1_to_100;

SELECT * FROM t1;

Leads to:

11.5.2 2f4b0ba328420980c23562da20ab0caa9d69b845 (Debug)

mariadbd: /test/11.5_dbg/sql/handler.cc:3847: void handler::assert_icp_limitations(uchar*): Assertion `table->field[0]->ptr >= table->record[0] && table->field[0]->ptr <= table->record[0] + table->s->reclength' failed.

11.5.2 2f4b0ba328420980c23562da20ab0caa9d69b845 (Debug)
Core was generated by `/test/MD180724-mariadb-11.5.2-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
Program terminated with signal SIGABRT, Aborted.
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
[Current thread is 1 (Thread 0x152f00084700 (LWP 2823487))]
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x0000152f16816859 in __GI_abort () at abort.c:79
#2 0x0000152f16816729 in __assert_fail_base (fmt=0x152f169ac588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x564dda8738c0 "table->field[0]->ptr >= table->record[0] && table->field[0]->ptr <= table->record[0] + table->s->reclength", file=0x564dda871693 "/test/11.5_dbg/sql/handler.cc", line=3847, function=<optimized out>) at assert.c:92
#3 0x0000152f16827fd6 in __GI___assert_fail (assertion=assertion@entry=0x564dda8738c0 "table->field[0]->ptr >= table->record[0] && table->field[0]->ptr <= table->record[0] + table->s->reclength", file=file@entry=0x564dda871693 "/test/11.5_dbg/sql/handler.cc", line=line@entry=3847, function=function@entry=0x564dda873830 "void handler::assert_icp_limitations(uchar*)") at assert.c:101
#4 0x0000564dd9cd1710 in handler::assert_icp_limitations (buf=0x152ecc025f88 "\377", this=0x152ecc0263a0) at /test/11.5_dbg/sql/handler.cc:3847
#5 handler::ha_index_first (this=0x152ecc0263a0, buf=0x152ecc025f88 "\377") at /test/11.5_dbg/sql/handler.cc:3878
#6 0x0000564dd9a19f74 in join_read_first (tab=0x152ecc01d830) at /test/11.5_dbg/sql/sql_select.cc:24763
#7 0x0000564dd99e6fe9 in sub_select (join=0x152ecc01bfc8, join_tab=0x152ecc01d830, end_of_records=false) at /test/11.5_dbg/sql/sql_select.cc:23653
#8 0x0000564dd9a224bd in do_select (procedure=<optimized out>, join=0x152ecc01bfc8) at /test/11.5_dbg/sql/sql_select.cc:23167
#9 JOIN::exec_inner (this=this@entry=0x152ecc01bfc8) at /test/11.5_dbg/sql/sql_select.cc:5021
#10 0x0000564dd9a22a2c in JOIN::exec (this=this@entry=0x152ecc01bfc8) at /test/11.5_dbg/sql/sql_select.cc:4804
#11 0x0000564dd9a20856 in mysql_select (thd=thd@entry=0x152ecc000d48, tables=0x152ecc01af68, fields=@0x152ecc01abe8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x152ecc01af18, last = 0x152ecc01af18, elements = 1}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2164525824, result=0x152ecc01bfa0, unit=0x152ecc005238, select_lex=0x152ecc01a930) at /test/11.5_dbg/sql/sql_select.cc:5337
#12 0x0000564dd9a2107f in handle_select (thd=thd@entry=0x152ecc000d48, lex=lex@entry=0x152ecc005158, result=result@entry=0x152ecc01bfa0, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/11.5_dbg/sql/sql_select.cc:628
#13 0x0000564dd997c808 in execute_sqlcom_select (thd=thd@entry=0x152ecc000d48, all_tables=0x152ecc01af68) at /test/11.5_dbg/sql/sql_parse.cc:6147
#14 0x0000564dd9984f00 in mysql_execute_command (thd=thd@entry=0x152ecc000d48, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/11.5_dbg/sql/sql_parse.cc:3953
#15 0x0000564dd9975992 in mysql_parse (thd=thd@entry=0x152ecc000d48, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x152f000832f0) at /test/11.5_dbg/sql/sql_parse.cc:7867
#16 0x0000564dd998ce09 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x152ecc000d48, packet=packet@entry=0x152ecc00b239 "", packet_length=packet_length@entry=16, blocking=blocking@entry=true) at /test/11.5_dbg/sql/sql_class.h:1638
#17 0x0000564dd998f90c in do_command (thd=0x152ecc000d48, blocking=blocking@entry=true) at /test/11.5_dbg/sql/sql_parse.cc:1405
#18 0x0000564dd9b16afd in do_handle_one_connection (connect=<optimized out>, connect@entry=0x564ddc8bf358, put_in_cache=put_in_cache@entry=true) at /test/11.5_dbg/sql/sql_connect.cc:1447
#19 0x0000564dd9b170b2 in handle_one_connection (arg=arg@entry=0x564ddc8bf358) at /test/11.5_dbg/sql/sql_connect.cc:1349
#20 0x0000564dd9f9f95e in pfs_spawn_thread (arg=0x564ddc817ba8) at /test/11.5_dbg/storage/perfschema/pfs.cc:2201
#21 0x0000152f16d27609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#22 0x0000152f16913133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 11.5.2 (dbg)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.5.26 (dbg), 10.5.26 (opt), 10.6.19 (dbg), 10.6.19 (opt), 10.11.9 (dbg), 10.11.9 (opt), 11.1.6 (dbg), 11.1.6 (opt), 11.2.5 (dbg), 11.2.5 (opt), 11.4.3 (dbg), 11.4.3 (opt), 11.5.2 (opt)

Attachments

Issue Links

is duplicated by

MDEV-30926 Segfault after MyISAM repair of vcol-indexed table

Closed

MDEV-32089 Assertion `!strcmp(&path[strlen(path) - strlen(dot_ext[IBD])], dot_ext[IBD])' failed in void mtr_t::log_file_op(mfile_type_t, uint32_t, const char*, const char*)

Closed

Activity

Ascending order - Click to sort in descending order

Nikita Malyavin added a comment - 2024-08-06 14:08 - edited

reproducible on 10.5-11.5 with asan enabled, even without sequences:

SET sql_mode='';

CREATE TABLE t1 (a INT GENERATED ALWAYS AS (1) VIRTUAL,KEY(a)) ENGINE=MyISAM;

INSERT INTO t1 SELECT 1 UNION SELECT 1;

SELECT * FROM t1;

DROP TABLE t1;

Asan output:

==66270==ERROR: AddressSanitizer: heap-use-after-free on address 0x50700002a0a8 at pc 0x58cbd0d0187d bp 0x763dc0af7750 sp 0x763dc0af7748

READ of size 1 at 0x50700002a0a8 thread T5

    #0 0x58cbd0d0187c in Field::set_notnull(long long) /home/nik/mariadb/sql/field.h:1407:41

    #1 0x58cbd0e1f446 in save_int_value_in_field(Field*, long long, bool, bool) /home/nik/mariadb/sql/item.cc:7009:10

    #2 0x58cbd0e1f3f5 in Item_int::save_in_field(Field*, bool) /home/nik/mariadb/sql/item.cc:7016:10

    #3 0x58cbd0de7d19 in Item::save_in_field_no_warnings(Field*, bool) /home/nik/mariadb/sql/item.cc:1524:8

    #4 0x58cbd1314a34 in Field::get_mm_leaf_int(RANGE_OPT_PARAM*, KEY_PART*, Item_bool_func const*, scalar_comparison_op, Item*, bool) /home/nik/mariadb/sql/opt_range.cc:9032:19

    #5 0x58cbd0d138b6 in Field_int::get_mm_leaf(RANGE_OPT_PARAM*, KEY_PART*, Item_bool_func const*, scalar_comparison_op, Item*) /home/nik/mariadb/sql/field.h:2535:12

    #6 0x58cbd1311c17 in Item_bool_func::get_mm_leaf(RANGE_OPT_PARAM*, Field*, KEY_PART*, Item_func::Functype, Item*) /home/nik/mariadb/sql/opt_range.cc:8875:3

    #7 0x58cbd1303fa3 in Item_bool_func::get_mm_parts(RANGE_OPT_PARAM*, Field*, Item_func::Functype, Item*) /home/nik/mariadb/sql/opt_range.cc:8710:18

    #8 0x58cbd130f74e in Item_equal::get_mm_tree(RANGE_OPT_PARAM*, Item**) /home/nik/mariadb/sql/opt_range.cc:8639:13

    #9 0x58cbd12df3f8 in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool, bool) /home/nik/mariadb/sql/opt_range.cc:2895:23

    #10 0x58cbd198ea21 in get_quick_record_count(THD*, SQL_SELECT*, TABLE*, Bitmap<64u> const*, unsigned long long) /home/nik/mariadb/sql/sql_select.cc:4958:9

    #11 0x58cbd18ba3b0 in make_join_statistics(JOIN*, List<TABLE_LIST>&, st_dynamic_array*) /home/nik/mariadb/sql/sql_select.cc:5685:20

    #12 0x58cbd18a984a in JOIN::optimize_inner() /home/nik/mariadb/sql/sql_select.cc:2414:7

    #13 0x58cbd1898a00 in JOIN::optimize() /home/nik/mariadb/sql/sql_select.cc:1765:10

    #14 0x58cbd187e7e4 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/nik/mariadb/sql/sql_select.cc:4900:19

    #15 0x58cbd187d89a in handle_select(THD*, LEX*, select_result*, unsigned long) /home/nik/mariadb/sql/sql_select.cc:449:10

    #16 0x58cbd177cfe2 in execute_sqlcom_select(THD*, TABLE_LIST*) /home/nik/mariadb/sql/sql_parse.cc:6431:12

    #17 0x58cbd1763a2a in mysql_execute_command(THD*) /home/nik/mariadb/sql/sql_parse.cc:4030:12

    #18 0x58cbd174cf86 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/nik/mariadb/sql/sql_parse.cc:8229:18

    #19 0x58cbd1745df4 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/nik/mariadb/sql/sql_parse.cc:1892:7

    #20 0x58cbd174f6e8 in do_command(THD*) /home/nik/mariadb/sql/sql_parse.cc:1376:17

    #21 0x58cbd1cf5214 in do_handle_one_connection(CONNECT*, bool) /home/nik/mariadb/sql/sql_connect.cc:1417:11

    #22 0x58cbd1cf4b8e in handle_one_connection /home/nik/mariadb/sql/sql_connect.cc:1319:5

    #23 0x58cbd247cdf8 in pfs_spawn_thread /home/nik/mariadb/storage/perfschema/pfs.cc:2201:3

    #24 0x58cbd09de6fd in asan_thread_start(void*) (/home/nik/mariadb/bld/sql/mariadbd+0x1dc56fd) (BuildId: b30f2cd3552cd9643d7a7e9a19b514830e2f182c)

    #25 0x763dce627dec  (/usr/lib/libc.so.6+0x92dec) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b)

    #26 0x763dce6aaee3 in clone (/usr/lib/libc.so.6+0x115ee3) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b)

0x50700002a0a8 is located 24 bytes inside of 72-byte region [0x50700002a090,0x50700002a0d8)

freed by thread T5 here:

    #0 0x58cbd0aa12a2 in free.part.0 (/home/nik/mariadb/bld/sql/mariadbd+0x1e882a2) (BuildId: b30f2cd3552cd9643d7a7e9a19b514830e2f182c)

    #1 0x58cbd33d9cae in my_free /home/nik/mariadb/mysys/my_malloc.c:213:3

    #2 0x58cbd322843e in chk_data_link /home/nik/mariadb/storage/myisam/mi_check.c:1349:3

    #3 0x58cbd320180e in ha_myisam::check(THD*, st_ha_check_opt*) /home/nik/mariadb/storage/myisam/ha_myisam.cc:1085:16

    #4 0x58cbd0d93573 in handler::ha_check(THD*, st_ha_check_opt*) /home/nik/mariadb/sql/handler.cc:4743:7

    #5 0x58cbd1d37ba4 in mysql_admin_table(THD*, TABLE_LIST*, st_ha_check_opt*, char const*, thr_lock_type, bool, bool, unsigned int, int (*)(THD*, TABLE_LIST*, st_ha_check_opt*), int (handler::*)(THD*, st_ha_check_opt*), int (*)(THD*, TABLE_LIST*, st_ha_check_opt*), bool) /home/nik/mariadb/sql/sql_admin.cc:875:21

    #6 0x58cbd1d3e0bf in Sql_cmd_check_table::execute(THD*) /home/nik/mariadb/sql/sql_admin.cc:1490:8

    #7 0x58cbd1777c65 in mysql_execute_command(THD*) /home/nik/mariadb/sql/sql_parse.cc:6173:26

    #8 0x58cbd174cf86 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/nik/mariadb/sql/sql_parse.cc:8229:18

    #9 0x58cbd1745df4 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/nik/mariadb/sql/sql_parse.cc:1892:7

    #10 0x58cbd174f6e8 in do_command(THD*) /home/nik/mariadb/sql/sql_parse.cc:1376:17

    #11 0x58cbd1cf5214 in do_handle_one_connection(CONNECT*, bool) /home/nik/mariadb/sql/sql_connect.cc:1417:11

    #12 0x58cbd1cf4b8e in handle_one_connection /home/nik/mariadb/sql/sql_connect.cc:1319:5

    #13 0x58cbd247cdf8 in pfs_spawn_thread /home/nik/mariadb/storage/perfschema/pfs.cc:2201:3

    #14 0x58cbd09de6fd in asan_thread_start(void*) (/home/nik/mariadb/bld/sql/mariadbd+0x1dc56fd) (BuildId: b30f2cd3552cd9643d7a7e9a19b514830e2f182c)

previously allocated by thread T5 here:

    #0 0x58cbd0aa2249 in malloc (/home/nik/mariadb/bld/sql/mariadbd+0x1e89249) (BuildId: b30f2cd3552cd9643d7a7e9a19b514830e2f182c)

    #1 0x58cbd33d8afa in my_malloc /home/nik/mariadb/mysys/my_malloc.c:91:29

    #2 0x58cbd33d91cb in my_realloc /home/nik/mariadb/mysys/my_malloc.c:143:5

    #3 0x58cbd32a79e3 in mi_alloc_rec_buff /home/nik/mariadb/storage/myisam/mi_open.c:763:27

    #4 0x58cbd32249ae in chk_data_link /home/nik/mariadb/storage/myisam/mi_check.c:954:8

    #5 0x58cbd320180e in ha_myisam::check(THD*, st_ha_check_opt*) /home/nik/mariadb/storage/myisam/ha_myisam.cc:1085:16

    #6 0x58cbd0d93573 in handler::ha_check(THD*, st_ha_check_opt*) /home/nik/mariadb/sql/handler.cc:4743:7

    #7 0x58cbd1d37ba4 in mysql_admin_table(THD*, TABLE_LIST*, st_ha_check_opt*, char const*, thr_lock_type, bool, bool, unsigned int, int (*)(THD*, TABLE_LIST*, st_ha_check_opt*), int (handler::*)(THD*, st_ha_check_opt*), int (*)(THD*, TABLE_LIST*, st_ha_check_opt*), bool) /home/nik/mariadb/sql/sql_admin.cc:875:21

    #8 0x58cbd1d3e0bf in Sql_cmd_check_table::execute(THD*) /home/nik/mariadb/sql/sql_admin.cc:1490:8

    #9 0x58cbd1777c65 in mysql_execute_command(THD*) /home/nik/mariadb/sql/sql_parse.cc:6173:26

    #10 0x58cbd174cf86 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/nik/mariadb/sql/sql_parse.cc:8229:18

    #11 0x58cbd1745df4 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/nik/mariadb/sql/sql_parse.cc:1892:7

    #12 0x58cbd174f6e8 in do_command(THD*) /home/nik/mariadb/sql/sql_parse.cc:1376:17

    #13 0x58cbd1cf5214 in do_handle_one_connection(CONNECT*, bool) /home/nik/mariadb/sql/sql_connect.cc:1417:11

    #14 0x58cbd1cf4b8e in handle_one_connection /home/nik/mariadb/sql/sql_connect.cc:1319:5

    #15 0x58cbd247cdf8 in pfs_spawn_thread /home/nik/mariadb/storage/perfschema/pfs.cc:2201:3

    #16 0x58cbd09de6fd in asan_thread_start(void*) (/home/nik/mariadb/bld/sql/mariadbd+0x1dc56fd) (BuildId: b30f2cd3552cd9643d7a7e9a19b514830e2f182c)

Thread T5 created by T0 here:

    #0 0x58cbd0a99e23 in pthread_create (/home/nik/mariadb/bld/sql/mariadbd+0x1e80e23) (BuildId: b30f2cd3552cd9643d7a7e9a19b514830e2f182c)

    #1 0x58cbd247d3cc in my_thread_create(unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /home/nik/mariadb/storage/perfschema/my_thread.h:52:10

    #2 0x58cbd247d35b in pfs_spawn_thread_v1 /home/nik/mariadb/storage/perfschema/pfs.cc:2252:15

    #3 0x58cbd1287aa2 in inline_mysql_thread_create(unsigned int, unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /home/nik/mariadb/include/mysql/psi/mysql_thread.h:1323:11

    #4 0x58cbd1287660 in create_thread_to_handle_connection(CONNECT*) /home/nik/mariadb/sql/mysqld.cc:6111:19

    #5 0x58cbd1287e97 in create_new_thread(CONNECT*) /home/nik/mariadb/sql/mysqld.cc:6170:3

    #6 0x58cbd1288321 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/nik/mariadb/sql/mysqld.cc:6235:5

    #7 0x58cbd12862eb in handle_connections_sockets() /home/nik/mariadb/sql/mysqld.cc:6362:9

    #8 0x58cbd127c1bb in mysqld_main(int, char**) /home/nik/mariadb/sql/mysqld.cc:5757:3

    #9 0x58cbd0aed7f1 in main /home/nik/mariadb/sql/main.cc:25:10

    #10 0x763dce5bac87  (/usr/lib/libc.so.6+0x25c87) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b)

    #11 0x763dce5bad4b in __libc_start_main (/usr/lib/libc.so.6+0x25d4b) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b)

    #12 0x58cbd09b6164 in _start (/home/nik/mariadb/bld/sql/mariadbd+0x1d9d164) (BuildId: b30f2cd3552cd9643d7a7e9a19b514830e2f182c)

SUMMARY: AddressSanitizer: heap-use-after-free /home/nik/mariadb/sql/field.h:1407:41 in Field::set_notnull(long long)

Shadow bytes around the buggy address:

  0x507000029e00: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00

  0x507000029e80: 00 00 00 00 00 00 fa fa fa fa fd fd fd fd fd fd

  0x507000029f00: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 00

  0x507000029f80: 00 00 fa fa fa fa 00 00 00 00 00 00 00 00 00 00

  0x50700002a000: fa fa fa fa 00 00 00 00 00 00 00 00 00 fa fa fa

=>0x50700002a080: fa fa fd fd fd[fd]fd fd fd fd fd fa fa fa fa fa

  0x50700002a100: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fd fd

  0x50700002a180: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd

  0x50700002a200: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd

  0x50700002a280: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x50700002a300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07

  Heap left redzone:       fa

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb

==66270==ABORTING

/usr/local/bin/rr: line 2: 66257 Aborted                 taskset -c 0-15 /usr/bin/rr $@

Nikita Malyavin added a comment - 2024-08-06 14:08 - edited reproducible on 10.5-11.5 with asan enabled, even without sequences: SET sql_mode= '' ; CREATE TABLE t1 (a INT GENERATED ALWAYS AS (1) VIRTUAL, KEY (a)) ENGINE=MyISAM; INSERT INTO t1 SELECT 1 UNION SELECT 1; SELECT * FROM t1; DROP TABLE t1; Asan output: ==66270==ERROR: AddressSanitizer: heap-use-after-free on address 0x50700002a0a8 at pc 0x58cbd0d0187d bp 0x763dc0af7750 sp 0x763dc0af7748 READ of size 1 at 0x50700002a0a8 thread T5 #0 0x58cbd0d0187c in Field::set_notnull(long long) /home/nik/mariadb/sql/field.h:1407:41 #1 0x58cbd0e1f446 in save_int_value_in_field(Field*, long long, bool, bool) /home/nik/mariadb/sql/item.cc:7009:10 #2 0x58cbd0e1f3f5 in Item_int::save_in_field(Field*, bool) /home/nik/mariadb/sql/item.cc:7016:10 #3 0x58cbd0de7d19 in Item::save_in_field_no_warnings(Field*, bool) /home/nik/mariadb/sql/item.cc:1524:8 #4 0x58cbd1314a34 in Field::get_mm_leaf_int(RANGE_OPT_PARAM*, KEY_PART*, Item_bool_func const*, scalar_comparison_op, Item*, bool) /home/nik/mariadb/sql/opt_range.cc:9032:19 #5 0x58cbd0d138b6 in Field_int::get_mm_leaf(RANGE_OPT_PARAM*, KEY_PART*, Item_bool_func const*, scalar_comparison_op, Item*) /home/nik/mariadb/sql/field.h:2535:12 #6 0x58cbd1311c17 in Item_bool_func::get_mm_leaf(RANGE_OPT_PARAM*, Field*, KEY_PART*, Item_func::Functype, Item*) /home/nik/mariadb/sql/opt_range.cc:8875:3 #7 0x58cbd1303fa3 in Item_bool_func::get_mm_parts(RANGE_OPT_PARAM*, Field*, Item_func::Functype, Item*) /home/nik/mariadb/sql/opt_range.cc:8710:18 #8 0x58cbd130f74e in Item_equal::get_mm_tree(RANGE_OPT_PARAM*, Item**) /home/nik/mariadb/sql/opt_range.cc:8639:13 #9 0x58cbd12df3f8 in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool, bool) /home/nik/mariadb/sql/opt_range.cc:2895:23 #10 0x58cbd198ea21 in get_quick_record_count(THD*, SQL_SELECT*, TABLE*, Bitmap<64u> const*, unsigned long long) /home/nik/mariadb/sql/sql_select.cc:4958:9 #11 0x58cbd18ba3b0 in make_join_statistics(JOIN*, List<TABLE_LIST>&, st_dynamic_array*) /home/nik/mariadb/sql/sql_select.cc:5685:20 #12 0x58cbd18a984a in JOIN::optimize_inner() /home/nik/mariadb/sql/sql_select.cc:2414:7 #13 0x58cbd1898a00 in JOIN::optimize() /home/nik/mariadb/sql/sql_select.cc:1765:10 #14 0x58cbd187e7e4 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/nik/mariadb/sql/sql_select.cc:4900:19 #15 0x58cbd187d89a in handle_select(THD*, LEX*, select_result*, unsigned long) /home/nik/mariadb/sql/sql_select.cc:449:10 #16 0x58cbd177cfe2 in execute_sqlcom_select(THD*, TABLE_LIST*) /home/nik/mariadb/sql/sql_parse.cc:6431:12 #17 0x58cbd1763a2a in mysql_execute_command(THD*) /home/nik/mariadb/sql/sql_parse.cc:4030:12 #18 0x58cbd174cf86 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/nik/mariadb/sql/sql_parse.cc:8229:18 #19 0x58cbd1745df4 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/nik/mariadb/sql/sql_parse.cc:1892:7 #20 0x58cbd174f6e8 in do_command(THD*) /home/nik/mariadb/sql/sql_parse.cc:1376:17 #21 0x58cbd1cf5214 in do_handle_one_connection(CONNECT*, bool) /home/nik/mariadb/sql/sql_connect.cc:1417:11 #22 0x58cbd1cf4b8e in handle_one_connection /home/nik/mariadb/sql/sql_connect.cc:1319:5 #23 0x58cbd247cdf8 in pfs_spawn_thread /home/nik/mariadb/storage/perfschema/pfs.cc:2201:3 #24 0x58cbd09de6fd in asan_thread_start(void*) (/home/nik/mariadb/bld/sql/mariadbd+0x1dc56fd) (BuildId: b30f2cd3552cd9643d7a7e9a19b514830e2f182c) #25 0x763dce627dec (/usr/lib/libc.so.6+0x92dec) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b) #26 0x763dce6aaee3 in clone (/usr/lib/libc.so.6+0x115ee3) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b) 0x50700002a0a8 is located 24 bytes inside of 72-byte region [0x50700002a090,0x50700002a0d8) freed by thread T5 here: #0 0x58cbd0aa12a2 in free.part.0 (/home/nik/mariadb/bld/sql/mariadbd+0x1e882a2) (BuildId: b30f2cd3552cd9643d7a7e9a19b514830e2f182c) #1 0x58cbd33d9cae in my_free /home/nik/mariadb/mysys/my_malloc.c:213:3 #2 0x58cbd322843e in chk_data_link /home/nik/mariadb/storage/myisam/mi_check.c:1349:3 #3 0x58cbd320180e in ha_myisam::check(THD*, st_ha_check_opt*) /home/nik/mariadb/storage/myisam/ha_myisam.cc:1085:16 #4 0x58cbd0d93573 in handler::ha_check(THD*, st_ha_check_opt*) /home/nik/mariadb/sql/handler.cc:4743:7 #5 0x58cbd1d37ba4 in mysql_admin_table(THD*, TABLE_LIST*, st_ha_check_opt*, char const*, thr_lock_type, bool, bool, unsigned int, int (*)(THD*, TABLE_LIST*, st_ha_check_opt*), int (handler::*)(THD*, st_ha_check_opt*), int (*)(THD*, TABLE_LIST*, st_ha_check_opt*), bool) /home/nik/mariadb/sql/sql_admin.cc:875:21 #6 0x58cbd1d3e0bf in Sql_cmd_check_table::execute(THD*) /home/nik/mariadb/sql/sql_admin.cc:1490:8 #7 0x58cbd1777c65 in mysql_execute_command(THD*) /home/nik/mariadb/sql/sql_parse.cc:6173:26 #8 0x58cbd174cf86 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/nik/mariadb/sql/sql_parse.cc:8229:18 #9 0x58cbd1745df4 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/nik/mariadb/sql/sql_parse.cc:1892:7 #10 0x58cbd174f6e8 in do_command(THD*) /home/nik/mariadb/sql/sql_parse.cc:1376:17 #11 0x58cbd1cf5214 in do_handle_one_connection(CONNECT*, bool) /home/nik/mariadb/sql/sql_connect.cc:1417:11 #12 0x58cbd1cf4b8e in handle_one_connection /home/nik/mariadb/sql/sql_connect.cc:1319:5 #13 0x58cbd247cdf8 in pfs_spawn_thread /home/nik/mariadb/storage/perfschema/pfs.cc:2201:3 #14 0x58cbd09de6fd in asan_thread_start(void*) (/home/nik/mariadb/bld/sql/mariadbd+0x1dc56fd) (BuildId: b30f2cd3552cd9643d7a7e9a19b514830e2f182c) previously allocated by thread T5 here: #0 0x58cbd0aa2249 in malloc (/home/nik/mariadb/bld/sql/mariadbd+0x1e89249) (BuildId: b30f2cd3552cd9643d7a7e9a19b514830e2f182c) #1 0x58cbd33d8afa in my_malloc /home/nik/mariadb/mysys/my_malloc.c:91:29 #2 0x58cbd33d91cb in my_realloc /home/nik/mariadb/mysys/my_malloc.c:143:5 #3 0x58cbd32a79e3 in mi_alloc_rec_buff /home/nik/mariadb/storage/myisam/mi_open.c:763:27 #4 0x58cbd32249ae in chk_data_link /home/nik/mariadb/storage/myisam/mi_check.c:954:8 #5 0x58cbd320180e in ha_myisam::check(THD*, st_ha_check_opt*) /home/nik/mariadb/storage/myisam/ha_myisam.cc:1085:16 #6 0x58cbd0d93573 in handler::ha_check(THD*, st_ha_check_opt*) /home/nik/mariadb/sql/handler.cc:4743:7 #7 0x58cbd1d37ba4 in mysql_admin_table(THD*, TABLE_LIST*, st_ha_check_opt*, char const*, thr_lock_type, bool, bool, unsigned int, int (*)(THD*, TABLE_LIST*, st_ha_check_opt*), int (handler::*)(THD*, st_ha_check_opt*), int (*)(THD*, TABLE_LIST*, st_ha_check_opt*), bool) /home/nik/mariadb/sql/sql_admin.cc:875:21 #8 0x58cbd1d3e0bf in Sql_cmd_check_table::execute(THD*) /home/nik/mariadb/sql/sql_admin.cc:1490:8 #9 0x58cbd1777c65 in mysql_execute_command(THD*) /home/nik/mariadb/sql/sql_parse.cc:6173:26 #10 0x58cbd174cf86 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/nik/mariadb/sql/sql_parse.cc:8229:18 #11 0x58cbd1745df4 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/nik/mariadb/sql/sql_parse.cc:1892:7 #12 0x58cbd174f6e8 in do_command(THD*) /home/nik/mariadb/sql/sql_parse.cc:1376:17 #13 0x58cbd1cf5214 in do_handle_one_connection(CONNECT*, bool) /home/nik/mariadb/sql/sql_connect.cc:1417:11 #14 0x58cbd1cf4b8e in handle_one_connection /home/nik/mariadb/sql/sql_connect.cc:1319:5 #15 0x58cbd247cdf8 in pfs_spawn_thread /home/nik/mariadb/storage/perfschema/pfs.cc:2201:3 #16 0x58cbd09de6fd in asan_thread_start(void*) (/home/nik/mariadb/bld/sql/mariadbd+0x1dc56fd) (BuildId: b30f2cd3552cd9643d7a7e9a19b514830e2f182c) Thread T5 created by T0 here: #0 0x58cbd0a99e23 in pthread_create (/home/nik/mariadb/bld/sql/mariadbd+0x1e80e23) (BuildId: b30f2cd3552cd9643d7a7e9a19b514830e2f182c) #1 0x58cbd247d3cc in my_thread_create(unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /home/nik/mariadb/storage/perfschema/my_thread.h:52:10 #2 0x58cbd247d35b in pfs_spawn_thread_v1 /home/nik/mariadb/storage/perfschema/pfs.cc:2252:15 #3 0x58cbd1287aa2 in inline_mysql_thread_create(unsigned int, unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /home/nik/mariadb/include/mysql/psi/mysql_thread.h:1323:11 #4 0x58cbd1287660 in create_thread_to_handle_connection(CONNECT*) /home/nik/mariadb/sql/mysqld.cc:6111:19 #5 0x58cbd1287e97 in create_new_thread(CONNECT*) /home/nik/mariadb/sql/mysqld.cc:6170:3 #6 0x58cbd1288321 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/nik/mariadb/sql/mysqld.cc:6235:5 #7 0x58cbd12862eb in handle_connections_sockets() /home/nik/mariadb/sql/mysqld.cc:6362:9 #8 0x58cbd127c1bb in mysqld_main(int, char**) /home/nik/mariadb/sql/mysqld.cc:5757:3 #9 0x58cbd0aed7f1 in main /home/nik/mariadb/sql/main.cc:25:10 #10 0x763dce5bac87 (/usr/lib/libc.so.6+0x25c87) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b) #11 0x763dce5bad4b in __libc_start_main (/usr/lib/libc.so.6+0x25d4b) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b) #12 0x58cbd09b6164 in _start (/home/nik/mariadb/bld/sql/mariadbd+0x1d9d164) (BuildId: b30f2cd3552cd9643d7a7e9a19b514830e2f182c) SUMMARY: AddressSanitizer: heap-use-after-free /home/nik/mariadb/sql/field.h:1407:41 in Field::set_notnull(long long) Shadow bytes around the buggy address: 0x507000029e00: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00 0x507000029e80: 00 00 00 00 00 00 fa fa fa fa fd fd fd fd fd fd 0x507000029f00: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 00 0x507000029f80: 00 00 fa fa fa fa 00 00 00 00 00 00 00 00 00 00 0x50700002a000: fa fa fa fa 00 00 00 00 00 00 00 00 00 fa fa fa =>0x50700002a080: fa fa fd fd fd[fd]fd fd fd fd fd fa fa fa fa fa 0x50700002a100: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fd fd 0x50700002a180: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd 0x50700002a200: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd 0x50700002a280: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa 0x50700002a300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==66270==ABORTING /usr/local/bin/rr: line 2: 66257 Aborted taskset -c 0-15 /usr/bin/rr $@

Oleksandr Byelkin added a comment - 2024-08-07 09:00

OK to push

Oleksandr Byelkin added a comment - 2024-08-07 09:00 OK to push

Aleksey Midenkov added a comment - 2024-09-23 18:32

The idea of `restore_vcos_after_repair()` was to not do move_fields() back and forth for each row.

Aleksey Midenkov added a comment - 2024-09-23 18:32 The idea of `restore_vcos_after_repair()` was to not do move_fields() back and forth for each row.

Nikita Malyavin added a comment - 2024-09-23 21:58

Yes, midenok you outline the idea correctly. However it's broken by a few reason. The most unbreakable reason is that compute_vcols can be called in parallel for a single TABLE instance. It means that we should recover the pointers in between the row operations.

I never saw repair operated in parallel, but there is a flag for that, so I suppose it actually does.

I'm never tired of reminding that move_fields api is severely biased by various misuses. This was another case why. It would be much better if the record parameter would be passed explicitly everywhere.

Nikita Malyavin added a comment - 2024-09-23 21:58 Yes, midenok you outline the idea correctly. However it's broken by a few reason. The most unbreakable reason is that compute_vcols can be called in parallel for a single TABLE instance. It means that we should recover the pointers in between the row operations. I never saw repair operated in parallel, but there is a flag for that, so I suppose it actually does. I'm never tired of reminding that move_fields api is severely biased by various misuses. This was another case why. It would be much better if the record parameter would be passed explicitly everywhere.

People

Assignee:: Nikita Malyavin

Reporter:: Ramesh Sivaraman

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2024-07-22 05:55

Updated:: 2024-09-24 05:55

Resolved:: 2024-08-07 13:55

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server