[MDEV-34632] Assertion `table->field[0]->ptr >= table->record[0] && table->field[0]->ptr <= table->record[0] + table->s->reclength' failed in void handler::assert_icp_limitations(uchar*) - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL), 11.1(EOL), 11.2(EOL), 11.3(EOL), 11.4, 11.5(EOL)
Fix Version/s: 10.5.26, 10.6.19, 10.11.9, 11.1.6, 11.2.5, 11.4.3, 11.5.2
Component/s: Virtual Columns
Labels:
- debug
- regression

Description

--source include/have_sequence.inc

SET sql_mode='';

CREATE TABLE t1 (a INT GENERATED ALWAYS AS (1) VIRTUAL,KEY(a)) ENGINE=MyISAM;

INSERT INTO t1 SELECT 1 FROM seq_1_to_100;

SELECT * FROM t1;

Leads to:

11.5.2 2f4b0ba328420980c23562da20ab0caa9d69b845 (Debug)

mariadbd: /test/11.5_dbg/sql/handler.cc:3847: void handler::assert_icp_limitations(uchar*): Assertion `table->field[0]->ptr >= table->record[0] && table->field[0]->ptr <= table->record[0] + table->s->reclength' failed.

11.5.2 2f4b0ba328420980c23562da20ab0caa9d69b845 (Debug)
Core was generated by `/test/MD180724-mariadb-11.5.2-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
Program terminated with signal SIGABRT, Aborted.
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
[Current thread is 1 (Thread 0x152f00084700 (LWP 2823487))]
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x0000152f16816859 in __GI_abort () at abort.c:79
#2 0x0000152f16816729 in __assert_fail_base (fmt=0x152f169ac588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x564dda8738c0 "table->field[0]->ptr >= table->record[0] && table->field[0]->ptr <= table->record[0] + table->s->reclength", file=0x564dda871693 "/test/11.5_dbg/sql/handler.cc", line=3847, function=<optimized out>) at assert.c:92
#3 0x0000152f16827fd6 in __GI___assert_fail (assertion=assertion@entry=0x564dda8738c0 "table->field[0]->ptr >= table->record[0] && table->field[0]->ptr <= table->record[0] + table->s->reclength", file=file@entry=0x564dda871693 "/test/11.5_dbg/sql/handler.cc", line=line@entry=3847, function=function@entry=0x564dda873830 "void handler::assert_icp_limitations(uchar*)") at assert.c:101
#4 0x0000564dd9cd1710 in handler::assert_icp_limitations (buf=0x152ecc025f88 "\377", this=0x152ecc0263a0) at /test/11.5_dbg/sql/handler.cc:3847
#5 handler::ha_index_first (this=0x152ecc0263a0, buf=0x152ecc025f88 "\377") at /test/11.5_dbg/sql/handler.cc:3878
#6 0x0000564dd9a19f74 in join_read_first (tab=0x152ecc01d830) at /test/11.5_dbg/sql/sql_select.cc:24763
#7 0x0000564dd99e6fe9 in sub_select (join=0x152ecc01bfc8, join_tab=0x152ecc01d830, end_of_records=false) at /test/11.5_dbg/sql/sql_select.cc:23653
#8 0x0000564dd9a224bd in do_select (procedure=<optimized out>, join=0x152ecc01bfc8) at /test/11.5_dbg/sql/sql_select.cc:23167
#9 JOIN::exec_inner (this=this@entry=0x152ecc01bfc8) at /test/11.5_dbg/sql/sql_select.cc:5021
#10 0x0000564dd9a22a2c in JOIN::exec (this=this@entry=0x152ecc01bfc8) at /test/11.5_dbg/sql/sql_select.cc:4804
#11 0x0000564dd9a20856 in mysql_select (thd=thd@entry=0x152ecc000d48, tables=0x152ecc01af68, fields=@0x152ecc01abe8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x152ecc01af18, last = 0x152ecc01af18, elements = 1}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2164525824, result=0x152ecc01bfa0, unit=0x152ecc005238, select_lex=0x152ecc01a930) at /test/11.5_dbg/sql/sql_select.cc:5337
#12 0x0000564dd9a2107f in handle_select (thd=thd@entry=0x152ecc000d48, lex=lex@entry=0x152ecc005158, result=result@entry=0x152ecc01bfa0, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/11.5_dbg/sql/sql_select.cc:628
#13 0x0000564dd997c808 in execute_sqlcom_select (thd=thd@entry=0x152ecc000d48, all_tables=0x152ecc01af68) at /test/11.5_dbg/sql/sql_parse.cc:6147
#14 0x0000564dd9984f00 in mysql_execute_command (thd=thd@entry=0x152ecc000d48, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/11.5_dbg/sql/sql_parse.cc:3953
#15 0x0000564dd9975992 in mysql_parse (thd=thd@entry=0x152ecc000d48, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x152f000832f0) at /test/11.5_dbg/sql/sql_parse.cc:7867
#16 0x0000564dd998ce09 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x152ecc000d48, packet=packet@entry=0x152ecc00b239 "", packet_length=packet_length@entry=16, blocking=blocking@entry=true) at /test/11.5_dbg/sql/sql_class.h:1638
#17 0x0000564dd998f90c in do_command (thd=0x152ecc000d48, blocking=blocking@entry=true) at /test/11.5_dbg/sql/sql_parse.cc:1405
#18 0x0000564dd9b16afd in do_handle_one_connection (connect=<optimized out>, connect@entry=0x564ddc8bf358, put_in_cache=put_in_cache@entry=true) at /test/11.5_dbg/sql/sql_connect.cc:1447
#19 0x0000564dd9b170b2 in handle_one_connection (arg=arg@entry=0x564ddc8bf358) at /test/11.5_dbg/sql/sql_connect.cc:1349
#20 0x0000564dd9f9f95e in pfs_spawn_thread (arg=0x564ddc817ba8) at /test/11.5_dbg/storage/perfschema/pfs.cc:2201
#21 0x0000152f16d27609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#22 0x0000152f16913133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 11.5.2 (dbg)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.5.26 (dbg), 10.5.26 (opt), 10.6.19 (dbg), 10.6.19 (opt), 10.11.9 (dbg), 10.11.9 (opt), 11.1.6 (dbg), 11.1.6 (opt), 11.2.5 (dbg), 11.2.5 (opt), 11.4.3 (dbg), 11.4.3 (opt), 11.5.2 (opt)

Attachments

Issue Links

is duplicated by

MDEV-30926 Segfault after MyISAM repair of vcol-indexed table

Closed

MDEV-32089 Assertion `!strcmp(&path[strlen(path) - strlen(dot_ext[IBD])], dot_ext[IBD])' failed in void mtr_t::log_file_op(mfile_type_t, uint32_t, const char*, const char*)

Closed

Activity

Ascending order - Click to sort in descending order

Ramesh Sivaraman created issue - 2024-07-22 05:55

Nikita Malyavin made changes - 2024-08-06 13:39

Field	Original Value	New Value
Status	Open [ 1 ]	In Progress [ 3 ]

Nikita Malyavin made changes - 2024-08-06 14:05

Assignee	Nikita Malyavin [ nikitamalyavin ]	Oleksandr Byelkin [ sanja ]
Status	In Progress [ 3 ]	In Review [ 10002 ]

Nikita Malyavin made changes - 2024-08-06 14:07

Fix Version/s	11.5 [ 29506 ]
Affects Version/s		10.5 [ 23123 ]
Affects Version/s		10.6 [ 24028 ]
Affects Version/s		10.7 [ 24805 ]
Affects Version/s		10.8 [ 26121 ]
Affects Version/s		10.9 [ 26905 ]
Affects Version/s		10.10 [ 27530 ]
Affects Version/s		10.11 [ 27614 ]
Affects Version/s		11.0 [ 28320 ]
Affects Version/s		11.1 [ 28549 ]
Affects Version/s		11.2 [ 28603 ]
Affects Version/s		11.3 [ 28565 ]
Affects Version/s		11.4 [ 29301 ]

Nikita Malyavin made changes - 2024-08-06 14:07

Fix Version/s

10.5 [ 23123 ]

Nikita Malyavin added a comment - 2024-08-06 14:08 - edited

reproducible on 10.5-11.5 with asan enabled, even without sequences:

SET sql_mode='';

CREATE TABLE t1 (a INT GENERATED ALWAYS AS (1) VIRTUAL,KEY(a)) ENGINE=MyISAM;

INSERT INTO t1 SELECT 1 UNION SELECT 1;

SELECT * FROM t1;

DROP TABLE t1;

Asan output:

==66270==ERROR: AddressSanitizer: heap-use-after-free on address 0x50700002a0a8 at pc 0x58cbd0d0187d bp 0x763dc0af7750 sp 0x763dc0af7748

READ of size 1 at 0x50700002a0a8 thread T5

    #0 0x58cbd0d0187c in Field::set_notnull(long long) /home/nik/mariadb/sql/field.h:1407:41

    #1 0x58cbd0e1f446 in save_int_value_in_field(Field*, long long, bool, bool) /home/nik/mariadb/sql/item.cc:7009:10

    #2 0x58cbd0e1f3f5 in Item_int::save_in_field(Field*, bool) /home/nik/mariadb/sql/item.cc:7016:10

    #3 0x58cbd0de7d19 in Item::save_in_field_no_warnings(Field*, bool) /home/nik/mariadb/sql/item.cc:1524:8

    #4 0x58cbd1314a34 in Field::get_mm_leaf_int(RANGE_OPT_PARAM*, KEY_PART*, Item_bool_func const*, scalar_comparison_op, Item*, bool) /home/nik/mariadb/sql/opt_range.cc:9032:19

    #5 0x58cbd0d138b6 in Field_int::get_mm_leaf(RANGE_OPT_PARAM*, KEY_PART*, Item_bool_func const*, scalar_comparison_op, Item*) /home/nik/mariadb/sql/field.h:2535:12

    #6 0x58cbd1311c17 in Item_bool_func::get_mm_leaf(RANGE_OPT_PARAM*, Field*, KEY_PART*, Item_func::Functype, Item*) /home/nik/mariadb/sql/opt_range.cc:8875:3

    #7 0x58cbd1303fa3 in Item_bool_func::get_mm_parts(RANGE_OPT_PARAM*, Field*, Item_func::Functype, Item*) /home/nik/mariadb/sql/opt_range.cc:8710:18

    #8 0x58cbd130f74e in Item_equal::get_mm_tree(RANGE_OPT_PARAM*, Item**) /home/nik/mariadb/sql/opt_range.cc:8639:13

    #9 0x58cbd12df3f8 in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool, bool) /home/nik/mariadb/sql/opt_range.cc:2895:23

    #10 0x58cbd198ea21 in get_quick_record_count(THD*, SQL_SELECT*, TABLE*, Bitmap<64u> const*, unsigned long long) /home/nik/mariadb/sql/sql_select.cc:4958:9

    #11 0x58cbd18ba3b0 in make_join_statistics(JOIN*, List<TABLE_LIST>&, st_dynamic_array*) /home/nik/mariadb/sql/sql_select.cc:5685:20

    #12 0x58cbd18a984a in JOIN::optimize_inner() /home/nik/mariadb/sql/sql_select.cc:2414:7

    #13 0x58cbd1898a00 in JOIN::optimize() /home/nik/mariadb/sql/sql_select.cc:1765:10

    #14 0x58cbd187e7e4 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/nik/mariadb/sql/sql_select.cc:4900:19

    #15 0x58cbd187d89a in handle_select(THD*, LEX*, select_result*, unsigned long) /home/nik/mariadb/sql/sql_select.cc:449:10

    #16 0x58cbd177cfe2 in execute_sqlcom_select(THD*, TABLE_LIST*) /home/nik/mariadb/sql/sql_parse.cc:6431:12

    #17 0x58cbd1763a2a in mysql_execute_command(THD*) /home/nik/mariadb/sql/sql_parse.cc:4030:12

    #18 0x58cbd174cf86 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/nik/mariadb/sql/sql_parse.cc:8229:18

    #19 0x58cbd1745df4 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/nik/mariadb/sql/sql_parse.cc:1892:7

    #20 0x58cbd174f6e8 in do_command(THD*) /home/nik/mariadb/sql/sql_parse.cc:1376:17

    #21 0x58cbd1cf5214 in do_handle_one_connection(CONNECT*, bool) /home/nik/mariadb/sql/sql_connect.cc:1417:11

    #22 0x58cbd1cf4b8e in handle_one_connection /home/nik/mariadb/sql/sql_connect.cc:1319:5

    #23 0x58cbd247cdf8 in pfs_spawn_thread /home/nik/mariadb/storage/perfschema/pfs.cc:2201:3

    #24 0x58cbd09de6fd in asan_thread_start(void*) (/home/nik/mariadb/bld/sql/mariadbd+0x1dc56fd) (BuildId: b30f2cd3552cd9643d7a7e9a19b514830e2f182c)

    #25 0x763dce627dec  (/usr/lib/libc.so.6+0x92dec) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b)

    #26 0x763dce6aaee3 in clone (/usr/lib/libc.so.6+0x115ee3) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b)

0x50700002a0a8 is located 24 bytes inside of 72-byte region [0x50700002a090,0x50700002a0d8)

freed by thread T5 here:

    #0 0x58cbd0aa12a2 in free.part.0 (/home/nik/mariadb/bld/sql/mariadbd+0x1e882a2) (BuildId: b30f2cd3552cd9643d7a7e9a19b514830e2f182c)

    #1 0x58cbd33d9cae in my_free /home/nik/mariadb/mysys/my_malloc.c:213:3

    #2 0x58cbd322843e in chk_data_link /home/nik/mariadb/storage/myisam/mi_check.c:1349:3

    #3 0x58cbd320180e in ha_myisam::check(THD*, st_ha_check_opt*) /home/nik/mariadb/storage/myisam/ha_myisam.cc:1085:16

    #4 0x58cbd0d93573 in handler::ha_check(THD*, st_ha_check_opt*) /home/nik/mariadb/sql/handler.cc:4743:7

    #5 0x58cbd1d37ba4 in mysql_admin_table(THD*, TABLE_LIST*, st_ha_check_opt*, char const*, thr_lock_type, bool, bool, unsigned int, int (*)(THD*, TABLE_LIST*, st_ha_check_opt*), int (handler::*)(THD*, st_ha_check_opt*), int (*)(THD*, TABLE_LIST*, st_ha_check_opt*), bool) /home/nik/mariadb/sql/sql_admin.cc:875:21

    #6 0x58cbd1d3e0bf in Sql_cmd_check_table::execute(THD*) /home/nik/mariadb/sql/sql_admin.cc:1490:8

    #7 0x58cbd1777c65 in mysql_execute_command(THD*) /home/nik/mariadb/sql/sql_parse.cc:6173:26

    #8 0x58cbd174cf86 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/nik/mariadb/sql/sql_parse.cc:8229:18

    #9 0x58cbd1745df4 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/nik/mariadb/sql/sql_parse.cc:1892:7

    #10 0x58cbd174f6e8 in do_command(THD*) /home/nik/mariadb/sql/sql_parse.cc:1376:17

    #11 0x58cbd1cf5214 in do_handle_one_connection(CONNECT*, bool) /home/nik/mariadb/sql/sql_connect.cc:1417:11

    #12 0x58cbd1cf4b8e in handle_one_connection /home/nik/mariadb/sql/sql_connect.cc:1319:5

    #13 0x58cbd247cdf8 in pfs_spawn_thread /home/nik/mariadb/storage/perfschema/pfs.cc:2201:3

    #14 0x58cbd09de6fd in asan_thread_start(void*) (/home/nik/mariadb/bld/sql/mariadbd+0x1dc56fd) (BuildId: b30f2cd3552cd9643d7a7e9a19b514830e2f182c)

previously allocated by thread T5 here:

    #0 0x58cbd0aa2249 in malloc (/home/nik/mariadb/bld/sql/mariadbd+0x1e89249) (BuildId: b30f2cd3552cd9643d7a7e9a19b514830e2f182c)

    #1 0x58cbd33d8afa in my_malloc /home/nik/mariadb/mysys/my_malloc.c:91:29

    #2 0x58cbd33d91cb in my_realloc /home/nik/mariadb/mysys/my_malloc.c:143:5

    #3 0x58cbd32a79e3 in mi_alloc_rec_buff /home/nik/mariadb/storage/myisam/mi_open.c:763:27

    #4 0x58cbd32249ae in chk_data_link /home/nik/mariadb/storage/myisam/mi_check.c:954:8

    #5 0x58cbd320180e in ha_myisam::check(THD*, st_ha_check_opt*) /home/nik/mariadb/storage/myisam/ha_myisam.cc:1085:16

    #6 0x58cbd0d93573 in handler::ha_check(THD*, st_ha_check_opt*) /home/nik/mariadb/sql/handler.cc:4743:7

    #7 0x58cbd1d37ba4 in mysql_admin_table(THD*, TABLE_LIST*, st_ha_check_opt*, char const*, thr_lock_type, bool, bool, unsigned int, int (*)(THD*, TABLE_LIST*, st_ha_check_opt*), int (handler::*)(THD*, st_ha_check_opt*), int (*)(THD*, TABLE_LIST*, st_ha_check_opt*), bool) /home/nik/mariadb/sql/sql_admin.cc:875:21

    #8 0x58cbd1d3e0bf in Sql_cmd_check_table::execute(THD*) /home/nik/mariadb/sql/sql_admin.cc:1490:8

    #9 0x58cbd1777c65 in mysql_execute_command(THD*) /home/nik/mariadb/sql/sql_parse.cc:6173:26

    #10 0x58cbd174cf86 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/nik/mariadb/sql/sql_parse.cc:8229:18

    #11 0x58cbd1745df4 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/nik/mariadb/sql/sql_parse.cc:1892:7

    #12 0x58cbd174f6e8 in do_command(THD*) /home/nik/mariadb/sql/sql_parse.cc:1376:17

    #13 0x58cbd1cf5214 in do_handle_one_connection(CONNECT*, bool) /home/nik/mariadb/sql/sql_connect.cc:1417:11

    #14 0x58cbd1cf4b8e in handle_one_connection /home/nik/mariadb/sql/sql_connect.cc:1319:5

    #15 0x58cbd247cdf8 in pfs_spawn_thread /home/nik/mariadb/storage/perfschema/pfs.cc:2201:3

    #16 0x58cbd09de6fd in asan_thread_start(void*) (/home/nik/mariadb/bld/sql/mariadbd+0x1dc56fd) (BuildId: b30f2cd3552cd9643d7a7e9a19b514830e2f182c)

Thread T5 created by T0 here:

    #0 0x58cbd0a99e23 in pthread_create (/home/nik/mariadb/bld/sql/mariadbd+0x1e80e23) (BuildId: b30f2cd3552cd9643d7a7e9a19b514830e2f182c)

    #1 0x58cbd247d3cc in my_thread_create(unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /home/nik/mariadb/storage/perfschema/my_thread.h:52:10

    #2 0x58cbd247d35b in pfs_spawn_thread_v1 /home/nik/mariadb/storage/perfschema/pfs.cc:2252:15

    #3 0x58cbd1287aa2 in inline_mysql_thread_create(unsigned int, unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /home/nik/mariadb/include/mysql/psi/mysql_thread.h:1323:11

    #4 0x58cbd1287660 in create_thread_to_handle_connection(CONNECT*) /home/nik/mariadb/sql/mysqld.cc:6111:19

    #5 0x58cbd1287e97 in create_new_thread(CONNECT*) /home/nik/mariadb/sql/mysqld.cc:6170:3

    #6 0x58cbd1288321 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/nik/mariadb/sql/mysqld.cc:6235:5

    #7 0x58cbd12862eb in handle_connections_sockets() /home/nik/mariadb/sql/mysqld.cc:6362:9

    #8 0x58cbd127c1bb in mysqld_main(int, char**) /home/nik/mariadb/sql/mysqld.cc:5757:3

    #9 0x58cbd0aed7f1 in main /home/nik/mariadb/sql/main.cc:25:10

    #10 0x763dce5bac87  (/usr/lib/libc.so.6+0x25c87) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b)

    #11 0x763dce5bad4b in __libc_start_main (/usr/lib/libc.so.6+0x25d4b) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b)

    #12 0x58cbd09b6164 in _start (/home/nik/mariadb/bld/sql/mariadbd+0x1d9d164) (BuildId: b30f2cd3552cd9643d7a7e9a19b514830e2f182c)

SUMMARY: AddressSanitizer: heap-use-after-free /home/nik/mariadb/sql/field.h:1407:41 in Field::set_notnull(long long)

Shadow bytes around the buggy address:

  0x507000029e00: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00

  0x507000029e80: 00 00 00 00 00 00 fa fa fa fa fd fd fd fd fd fd

  0x507000029f00: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 00

  0x507000029f80: 00 00 fa fa fa fa 00 00 00 00 00 00 00 00 00 00

  0x50700002a000: fa fa fa fa 00 00 00 00 00 00 00 00 00 fa fa fa

=>0x50700002a080: fa fa fd fd fd[fd]fd fd fd fd fd fa fa fa fa fa

  0x50700002a100: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fd fd

  0x50700002a180: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd

  0x50700002a200: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd

  0x50700002a280: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x50700002a300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07

  Heap left redzone:       fa

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb

==66270==ABORTING

/usr/local/bin/rr: line 2: 66257 Aborted                 taskset -c 0-15 /usr/bin/rr $@

Nikita Malyavin added a comment - 2024-08-06 14:08 - edited reproducible on 10.5-11.5 with asan enabled, even without sequences: SET sql_mode= '' ; CREATE TABLE t1 (a INT GENERATED ALWAYS AS (1) VIRTUAL, KEY (a)) ENGINE=MyISAM; INSERT INTO t1 SELECT 1 UNION SELECT 1; SELECT * FROM t1; DROP TABLE t1; Asan output: ==66270==ERROR: AddressSanitizer: heap-use-after-free on address 0x50700002a0a8 at pc 0x58cbd0d0187d bp 0x763dc0af7750 sp 0x763dc0af7748 READ of size 1 at 0x50700002a0a8 thread T5 #0 0x58cbd0d0187c in Field::set_notnull(long long) /home/nik/mariadb/sql/field.h:1407:41 #1 0x58cbd0e1f446 in save_int_value_in_field(Field*, long long, bool, bool) /home/nik/mariadb/sql/item.cc:7009:10 #2 0x58cbd0e1f3f5 in Item_int::save_in_field(Field*, bool) /home/nik/mariadb/sql/item.cc:7016:10 #3 0x58cbd0de7d19 in Item::save_in_field_no_warnings(Field*, bool) /home/nik/mariadb/sql/item.cc:1524:8 #4 0x58cbd1314a34 in Field::get_mm_leaf_int(RANGE_OPT_PARAM*, KEY_PART*, Item_bool_func const*, scalar_comparison_op, Item*, bool) /home/nik/mariadb/sql/opt_range.cc:9032:19 #5 0x58cbd0d138b6 in Field_int::get_mm_leaf(RANGE_OPT_PARAM*, KEY_PART*, Item_bool_func const*, scalar_comparison_op, Item*) /home/nik/mariadb/sql/field.h:2535:12 #6 0x58cbd1311c17 in Item_bool_func::get_mm_leaf(RANGE_OPT_PARAM*, Field*, KEY_PART*, Item_func::Functype, Item*) /home/nik/mariadb/sql/opt_range.cc:8875:3 #7 0x58cbd1303fa3 in Item_bool_func::get_mm_parts(RANGE_OPT_PARAM*, Field*, Item_func::Functype, Item*) /home/nik/mariadb/sql/opt_range.cc:8710:18 #8 0x58cbd130f74e in Item_equal::get_mm_tree(RANGE_OPT_PARAM*, Item**) /home/nik/mariadb/sql/opt_range.cc:8639:13 #9 0x58cbd12df3f8 in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool, bool) /home/nik/mariadb/sql/opt_range.cc:2895:23 #10 0x58cbd198ea21 in get_quick_record_count(THD*, SQL_SELECT*, TABLE*, Bitmap<64u> const*, unsigned long long) /home/nik/mariadb/sql/sql_select.cc:4958:9 #11 0x58cbd18ba3b0 in make_join_statistics(JOIN*, List<TABLE_LIST>&, st_dynamic_array*) /home/nik/mariadb/sql/sql_select.cc:5685:20 #12 0x58cbd18a984a in JOIN::optimize_inner() /home/nik/mariadb/sql/sql_select.cc:2414:7 #13 0x58cbd1898a00 in JOIN::optimize() /home/nik/mariadb/sql/sql_select.cc:1765:10 #14 0x58cbd187e7e4 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/nik/mariadb/sql/sql_select.cc:4900:19 #15 0x58cbd187d89a in handle_select(THD*, LEX*, select_result*, unsigned long) /home/nik/mariadb/sql/sql_select.cc:449:10 #16 0x58cbd177cfe2 in execute_sqlcom_select(THD*, TABLE_LIST*) /home/nik/mariadb/sql/sql_parse.cc:6431:12 #17 0x58cbd1763a2a in mysql_execute_command(THD*) /home/nik/mariadb/sql/sql_parse.cc:4030:12 #18 0x58cbd174cf86 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/nik/mariadb/sql/sql_parse.cc:8229:18 #19 0x58cbd1745df4 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/nik/mariadb/sql/sql_parse.cc:1892:7 #20 0x58cbd174f6e8 in do_command(THD*) /home/nik/mariadb/sql/sql_parse.cc:1376:17 #21 0x58cbd1cf5214 in do_handle_one_connection(CONNECT*, bool) /home/nik/mariadb/sql/sql_connect.cc:1417:11 #22 0x58cbd1cf4b8e in handle_one_connection /home/nik/mariadb/sql/sql_connect.cc:1319:5 #23 0x58cbd247cdf8 in pfs_spawn_thread /home/nik/mariadb/storage/perfschema/pfs.cc:2201:3 #24 0x58cbd09de6fd in asan_thread_start(void*) (/home/nik/mariadb/bld/sql/mariadbd+0x1dc56fd) (BuildId: b30f2cd3552cd9643d7a7e9a19b514830e2f182c) #25 0x763dce627dec (/usr/lib/libc.so.6+0x92dec) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b) #26 0x763dce6aaee3 in clone (/usr/lib/libc.so.6+0x115ee3) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b) 0x50700002a0a8 is located 24 bytes inside of 72-byte region [0x50700002a090,0x50700002a0d8) freed by thread T5 here: #0 0x58cbd0aa12a2 in free.part.0 (/home/nik/mariadb/bld/sql/mariadbd+0x1e882a2) (BuildId: b30f2cd3552cd9643d7a7e9a19b514830e2f182c) #1 0x58cbd33d9cae in my_free /home/nik/mariadb/mysys/my_malloc.c:213:3 #2 0x58cbd322843e in chk_data_link /home/nik/mariadb/storage/myisam/mi_check.c:1349:3 #3 0x58cbd320180e in ha_myisam::check(THD*, st_ha_check_opt*) /home/nik/mariadb/storage/myisam/ha_myisam.cc:1085:16 #4 0x58cbd0d93573 in handler::ha_check(THD*, st_ha_check_opt*) /home/nik/mariadb/sql/handler.cc:4743:7 #5 0x58cbd1d37ba4 in mysql_admin_table(THD*, TABLE_LIST*, st_ha_check_opt*, char const*, thr_lock_type, bool, bool, unsigned int, int (*)(THD*, TABLE_LIST*, st_ha_check_opt*), int (handler::*)(THD*, st_ha_check_opt*), int (*)(THD*, TABLE_LIST*, st_ha_check_opt*), bool) /home/nik/mariadb/sql/sql_admin.cc:875:21 #6 0x58cbd1d3e0bf in Sql_cmd_check_table::execute(THD*) /home/nik/mariadb/sql/sql_admin.cc:1490:8 #7 0x58cbd1777c65 in mysql_execute_command(THD*) /home/nik/mariadb/sql/sql_parse.cc:6173:26 #8 0x58cbd174cf86 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/nik/mariadb/sql/sql_parse.cc:8229:18 #9 0x58cbd1745df4 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/nik/mariadb/sql/sql_parse.cc:1892:7 #10 0x58cbd174f6e8 in do_command(THD*) /home/nik/mariadb/sql/sql_parse.cc:1376:17 #11 0x58cbd1cf5214 in do_handle_one_connection(CONNECT*, bool) /home/nik/mariadb/sql/sql_connect.cc:1417:11 #12 0x58cbd1cf4b8e in handle_one_connection /home/nik/mariadb/sql/sql_connect.cc:1319:5 #13 0x58cbd247cdf8 in pfs_spawn_thread /home/nik/mariadb/storage/perfschema/pfs.cc:2201:3 #14 0x58cbd09de6fd in asan_thread_start(void*) (/home/nik/mariadb/bld/sql/mariadbd+0x1dc56fd) (BuildId: b30f2cd3552cd9643d7a7e9a19b514830e2f182c) previously allocated by thread T5 here: #0 0x58cbd0aa2249 in malloc (/home/nik/mariadb/bld/sql/mariadbd+0x1e89249) (BuildId: b30f2cd3552cd9643d7a7e9a19b514830e2f182c) #1 0x58cbd33d8afa in my_malloc /home/nik/mariadb/mysys/my_malloc.c:91:29 #2 0x58cbd33d91cb in my_realloc /home/nik/mariadb/mysys/my_malloc.c:143:5 #3 0x58cbd32a79e3 in mi_alloc_rec_buff /home/nik/mariadb/storage/myisam/mi_open.c:763:27 #4 0x58cbd32249ae in chk_data_link /home/nik/mariadb/storage/myisam/mi_check.c:954:8 #5 0x58cbd320180e in ha_myisam::check(THD*, st_ha_check_opt*) /home/nik/mariadb/storage/myisam/ha_myisam.cc:1085:16 #6 0x58cbd0d93573 in handler::ha_check(THD*, st_ha_check_opt*) /home/nik/mariadb/sql/handler.cc:4743:7 #7 0x58cbd1d37ba4 in mysql_admin_table(THD*, TABLE_LIST*, st_ha_check_opt*, char const*, thr_lock_type, bool, bool, unsigned int, int (*)(THD*, TABLE_LIST*, st_ha_check_opt*), int (handler::*)(THD*, st_ha_check_opt*), int (*)(THD*, TABLE_LIST*, st_ha_check_opt*), bool) /home/nik/mariadb/sql/sql_admin.cc:875:21 #8 0x58cbd1d3e0bf in Sql_cmd_check_table::execute(THD*) /home/nik/mariadb/sql/sql_admin.cc:1490:8 #9 0x58cbd1777c65 in mysql_execute_command(THD*) /home/nik/mariadb/sql/sql_parse.cc:6173:26 #10 0x58cbd174cf86 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/nik/mariadb/sql/sql_parse.cc:8229:18 #11 0x58cbd1745df4 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/nik/mariadb/sql/sql_parse.cc:1892:7 #12 0x58cbd174f6e8 in do_command(THD*) /home/nik/mariadb/sql/sql_parse.cc:1376:17 #13 0x58cbd1cf5214 in do_handle_one_connection(CONNECT*, bool) /home/nik/mariadb/sql/sql_connect.cc:1417:11 #14 0x58cbd1cf4b8e in handle_one_connection /home/nik/mariadb/sql/sql_connect.cc:1319:5 #15 0x58cbd247cdf8 in pfs_spawn_thread /home/nik/mariadb/storage/perfschema/pfs.cc:2201:3 #16 0x58cbd09de6fd in asan_thread_start(void*) (/home/nik/mariadb/bld/sql/mariadbd+0x1dc56fd) (BuildId: b30f2cd3552cd9643d7a7e9a19b514830e2f182c) Thread T5 created by T0 here: #0 0x58cbd0a99e23 in pthread_create (/home/nik/mariadb/bld/sql/mariadbd+0x1e80e23) (BuildId: b30f2cd3552cd9643d7a7e9a19b514830e2f182c) #1 0x58cbd247d3cc in my_thread_create(unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /home/nik/mariadb/storage/perfschema/my_thread.h:52:10 #2 0x58cbd247d35b in pfs_spawn_thread_v1 /home/nik/mariadb/storage/perfschema/pfs.cc:2252:15 #3 0x58cbd1287aa2 in inline_mysql_thread_create(unsigned int, unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /home/nik/mariadb/include/mysql/psi/mysql_thread.h:1323:11 #4 0x58cbd1287660 in create_thread_to_handle_connection(CONNECT*) /home/nik/mariadb/sql/mysqld.cc:6111:19 #5 0x58cbd1287e97 in create_new_thread(CONNECT*) /home/nik/mariadb/sql/mysqld.cc:6170:3 #6 0x58cbd1288321 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/nik/mariadb/sql/mysqld.cc:6235:5 #7 0x58cbd12862eb in handle_connections_sockets() /home/nik/mariadb/sql/mysqld.cc:6362:9 #8 0x58cbd127c1bb in mysqld_main(int, char**) /home/nik/mariadb/sql/mysqld.cc:5757:3 #9 0x58cbd0aed7f1 in main /home/nik/mariadb/sql/main.cc:25:10 #10 0x763dce5bac87 (/usr/lib/libc.so.6+0x25c87) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b) #11 0x763dce5bad4b in __libc_start_main (/usr/lib/libc.so.6+0x25d4b) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b) #12 0x58cbd09b6164 in _start (/home/nik/mariadb/bld/sql/mariadbd+0x1d9d164) (BuildId: b30f2cd3552cd9643d7a7e9a19b514830e2f182c) SUMMARY: AddressSanitizer: heap-use-after-free /home/nik/mariadb/sql/field.h:1407:41 in Field::set_notnull(long long) Shadow bytes around the buggy address: 0x507000029e00: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00 0x507000029e80: 00 00 00 00 00 00 fa fa fa fa fd fd fd fd fd fd 0x507000029f00: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 00 0x507000029f80: 00 00 fa fa fa fa 00 00 00 00 00 00 00 00 00 00 0x50700002a000: fa fa fa fa 00 00 00 00 00 00 00 00 00 fa fa fa =>0x50700002a080: fa fa fd fd fd[fd]fd fd fd fd fd fa fa fa fa fa 0x50700002a100: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fd fd 0x50700002a180: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd 0x50700002a200: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd 0x50700002a280: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa 0x50700002a300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==66270==ABORTING /usr/local/bin/rr: line 2: 66257 Aborted taskset -c 0-15 /usr/bin/rr $@

Oleksandr Byelkin added a comment - 2024-08-07 09:00

OK to push

Oleksandr Byelkin added a comment - 2024-08-07 09:00 OK to push

Oleksandr Byelkin made changes - 2024-08-07 09:00

Assignee	Oleksandr Byelkin [ sanja ]	Nikita Malyavin [ nikitamalyavin ]
Status	In Review [ 10002 ]	Stalled [ 10000 ]

Nikita Malyavin made changes - 2024-08-07 13:55

Fix Version/s		10.5.26 [ 29832 ]
Fix Version/s	10.5 [ 23123 ]
Resolution		Fixed [ 1 ]
Status	Stalled [ 10000 ]	Closed [ 6 ]

JiraAutomate made changes - 2024-08-07 13:55

Fix Version/s		10.6.19 [ 29833 ]
Fix Version/s		10.11.9 [ 29834 ]
Fix Version/s		11.1.6 [ 29835 ]
Fix Version/s		11.2.5 [ 29836 ]
Fix Version/s		11.4.3 [ 29837 ]
Fix Version/s		11.5.2 [ 29838 ]

Aleksey Midenkov made changes - 2024-09-23 18:27

Link

This issue is duplicated by ~~MDEV-30926~~ [ ~~MDEV-30926~~ ]

Aleksey Midenkov added a comment - 2024-09-23 18:32

The idea of `restore_vcos_after_repair()` was to not do move_fields() back and forth for each row.

Aleksey Midenkov added a comment - 2024-09-23 18:32 The idea of `restore_vcos_after_repair()` was to not do move_fields() back and forth for each row.

Nikita Malyavin added a comment - 2024-09-23 21:58

Yes, midenok you outline the idea correctly. However it's broken by a few reason. The most unbreakable reason is that compute_vcols can be called in parallel for a single TABLE instance. It means that we should recover the pointers in between the row operations.

I never saw repair operated in parallel, but there is a flag for that, so I suppose it actually does.

I'm never tired of reminding that move_fields api is severely biased by various misuses. This was another case why. It would be much better if the record parameter would be passed explicitly everywhere.

Nikita Malyavin added a comment - 2024-09-23 21:58 Yes, midenok you outline the idea correctly. However it's broken by a few reason. The most unbreakable reason is that compute_vcols can be called in parallel for a single TABLE instance. It means that we should recover the pointers in between the row operations. I never saw repair operated in parallel, but there is a flag for that, so I suppose it actually does. I'm never tired of reminding that move_fields api is severely biased by various misuses. This was another case why. It would be much better if the record parameter would be passed explicitly everywhere.

Marko Mäkelä made changes - 2024-09-24 05:55

Link

This issue is duplicated by ~~MDEV-32089~~ [ ~~MDEV-32089~~ ]

People

Assignee:: Nikita Malyavin

Reporter:: Ramesh Sivaraman

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2024-07-22 05:55

Updated:: 2024-09-24 05:55

Resolved:: 2024-08-07 13:55

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server