MariaDB Server / MDEV-34735

Hang & Assertion `len > alloc_length' failed in Binary_string::realloc_raw & SIGSEGV in spider_get_select_limit_from_select_lex

Details

    Description

      INSTALL PLUGIN Spider SONAME 'ha_spider.so';
      ALTER TABLE mysql.procs_priv ENGINE=Spider COMMENT='';
      CREATE USER a@localhost;
      

      Cause the server to hang for some time, with no new CLI connections possible, followed by this assert:

      11.2.5 03807c8449cdccbf5b8afc0dddabb1d8ec7ba85a (Debug)

      mariadbd: /test/11.2_dbg/sql/sql_string.cc:93: bool Binary_string::realloc_raw(size_t): Assertion `len > alloc_length' failed.
      

      11.2.5 03807c8449cdccbf5b8afc0dddabb1d8ec7ba85a (Debug)

      Core was generated by `/test/MD200724-mariadb-11.2.5-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
      Program terminated with signal SIGABRT, Aborted.
      Download failed: Invalid argument.  Continuing without source file ./nptl/./nptl/pthread_kill.c.
      #0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44
       
      warning: 44	./nptl/pthread_kill.c: No such file or directory
      [Current thread is 1 (LWP 2604358)]
      (gdb) bt
      #0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44
      #1  __pthread_kill_internal (signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:78
      #2  __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6)at ./nptl/pthread_kill.c:89
      #3  0x00001467dda4526e in __GI_raise (sig=sig@entry=6)at ../sysdeps/posix/raise.c:26
      #4  0x00001467dda288ff in __GI_abort () at ./stdlib/abort.c:79
      #5  0x00001467dda2881b in __assert_fail_base (fmt=0x1467ddbd01e8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x56350f7bbf87 "len > alloc_length", file=file@entry=0x56350f61bb50 "/test/11.2_dbg/sql/sql_string.cc", line=line@entry=93, function=function@entry=0x56350f61bba0 "bool Binary_string::realloc_raw(size_t)") at ./assert/assert.c:94
      #6  0x00001467dda3b507 in __assert_fail (assertion=0x56350f7bbf87 "len > alloc_length", file=0x56350f61bb50 "/test/11.2_dbg/sql/sql_string.cc", line=93, function=0x56350f61bba0 "bool Binary_string::realloc_raw(size_t)")at ./assert/assert.c:103
      #7  0x000056350e9b1e07 in Binary_string::realloc_raw (this=this@entry=0x1467841c4590, alloc_length=alloc_length@entry=4294967293)at /test/11.2_dbg/sql/sql_string.cc:93
      #8  0x00001467dc97fd8c in Binary_string::realloc (arg_length=4294967292, this=0x1467841c4590) at /test/11.2_dbg/sql/sql_string.h:811
      #9  Binary_string::reserve (space_needed=11, this=0x1467841c4590)at /test/11.2_dbg/sql/sql_string.h:859
      #10 spider_string::reserve (this=this@entry=0x1467841c4580, space_needed=space_needed@entry=11)at /test/11.2_dbg/storage/spider/spd_malloc.cc:1033
      #11 0x00001467dc9b91ec in spider_mbase_handler::append_select_lock (this=<optimized out>, str=0x1467841c4580)at /test/11.2_dbg/storage/spider/spd_db_mysql.cc:11560
      #12 0x00001467dc9b9261 in spider_mbase_handler::append_select_lock_part (this=<optimized out>, sql_type=<optimized out>)at /test/11.2_dbg/storage/spider/spd_db_mysql.cc:11548
      #13 0x00001467dc989ff1 in ha_spider::append_select_lock_sql_part (this=this@entry=0x1467840572e0, sql_type=sql_type@entry=1)at /test/11.2_dbg/storage/spider/ha_spider.cc:11118
      #14 0x00001467dc98e58c in ha_spider::rnd_next_internal (this=this@entry=0x1467840572e0, buf=buf@entry=0x1467840aba70 ' ' <repeats 200 times>...)at /test/11.2_dbg/storage/spider/ha_spider.cc:5578
      #15 0x00001467dc98f122 in ha_spider::rnd_next (this=0x1467840572e0, buf=0x1467840aba70 ' ' <repeats 200 times>...)at /test/11.2_dbg/storage/spider/ha_spider.cc:5828
      #16 0x000056350ebf262d in handler::ha_rnd_next (this=0x1467840572e0, buf=0x1467840aba70 ' ' <repeats 200 times>...)at /test/11.2_dbg/sql/handler.cc:3672
      #17 0x000056350e8320de in handle_grant_table (thd=thd@entry=0x146784000d58, grant_table=@0x1467dcce0c48: {min_columns = 8, start_priv_columns = 0, end_priv_columns = 8, m_table = 0x146784051f18}, which_table=which_table@entry=PROCS_PRIV_TABLE, drop=drop@entry=false, user_from=user_from@entry=0x1467840136e0, user_to=user_to@entry=0x0)at /test/11.2_dbg/sql/sql_acl.cc:10427
      #18 0x000056350e8446dc in handle_grant_data (thd=thd@entry=0x146784000d58, tables=@0x1467dcce0ba0: {p_user_table = 0x1467dcce0ba8, m_user_table_json = {<User_table> = {<Grant_table_base> = {min_columns = 3, start_priv_columns = 0, end_priv_columns = 3, m_table = 0x56351161a218}, _vptr.User_table = 0x56350fea7b50 <vtable for User_table_json+16>}, static JSON_SIZE = 1024}, m_user_table_tabular = {<User_table> = {<Grant_table_base> = {min_columns = 13, start_priv_columns = 0, end_priv_columns = 0, m_table = 0x0}, _vptr.User_table = 0x56350fea7a10 <vtable for User_table_tabular+16>}, <No data fields>}, m_db_table = {<Grant_table_base> = {min_columns = 9, start_priv_columns = 3, end_priv_columns = 23, m_table = 0x5635115d1768}, <No data fields>}, m_tables_priv_table = {<Grant_table_base> = {min_columns = 8, start_priv_columns = 0, end_priv_columns = 8, m_table = 0x563511667bf8}, <No data fields>}, m_columns_priv_table = {<Grant_table_base> = {min_columns = 7, start_priv_columns = 0, end_priv_columns = 7, m_table = 0x563511694d58}, <No data fields>}, m_host_table = {<Grant_table_base> = {min_columns = 8, start_priv_columns = 0, end_priv_columns = 0, m_table = 0x0}, <No data fields>}, m_procs_priv_table = {<Grant_table_base> = {min_columns = 8, start_priv_columns = 0, end_priv_columns = 8, m_table = 0x146784051f18}, <No data fields>}, m_proxies_priv_table = {<Grant_table_base> = {min_columns = 7, start_priv_columns = 0, end_priv_columns = 7, m_table = 0x5635115ed378}, <No data fields>}, m_roles_mapping_table = {<Grant_table_base> = {min_columns = 4, start_priv_columns = 3, end_priv_columns = 4, m_table = 0x563511606b88}, <No data fields>}}, drop=drop@entry=false, user_from=user_from@entry=0x1467840136e0, user_to=user_to@entry=0x0) at /test/11.2_dbg/sql/sql_acl.cc:10910
      #19 0x000056350e8470e7 in mysql_create_user (thd=thd@entry=0x146784000d58, list=@0x1467840061c0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x146784013708, last = 0x146784013708, elements = 1}, <No data fields>}, handle_as_role=false) at /test/11.2_dbg/sql/sql_acl.cc:11126
      #20 0x000056350e8e411b in mysql_execute_command (thd=thd@entry=0x146784000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false)at /test/11.2_dbg/sql/sql_parse.cc:5208
      #21 0x000056350e8e7753 in mysql_parse (thd=thd@entry=0x146784000d58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1467dcce1290)at /test/11.2_dbg/sql/sql_parse.cc:7920
      #22 0x000056350e8e9ada in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x146784000d58, packet=packet@entry=0x14678400b309 "CREATE USER a@localhost", packet_length=packet_length@entry=23, blocking=blocking@entry=true)at /test/11.2_dbg/sql/sql_class.h:247
      #23 0x000056350e8ebdff in do_command (thd=0x146784000d58, blocking=blocking@entry=true) at /test/11.2_dbg/sql/sql_parse.cc:1407
      #24 0x000056350ea52e61 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x563511639b38, put_in_cache=put_in_cache@entry=true)at /test/11.2_dbg/sql/sql_connect.cc:1439
      #25 0x000056350ea53156 in handle_one_connection (arg=arg@entry=0x563511639b38)at /test/11.2_dbg/sql/sql_connect.cc:1341
      #26 0x000056350eea4192 in pfs_spawn_thread (arg=0x563511608c88)at /test/11.2_dbg/storage/perfschema/pfs.cc:2201
      #27 0x00001467dda9ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
      #28 0x00001467ddb29c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      

      Opt and debug builds both hang. Debug builds eventually assert.

Activity

Roel Van de Paar added a comment (edited)

            The original testcase replays as MTR testcase without any modification. After the few minutes wait, we see:

            11.2.5 03807c8449cdccbf5b8afc0dddabb1d8ec7ba85a (Debug)

            CREATE USER a@localhost;
            main.test                                [ fail ]
                    Test ended at 2024-08-12 04:26:25
             
            CURRENT_TEST: main.test
            mysqltest: At line 3: query 'CREATE USER a@localhost' failed: <Unknown> (2013): Lost connection to server during query
             
             - found 'core' (0/5)
            

            Optimized builds OTOH are terminated with coredump after 900 seconds by MTR.

Roel Van de Paar added a comment (edited)

Interestingly, in a UBASAN build we get a different crash: SIGSEGV in spider_get_select_limit_from_select_lex, a stack not seen recently, though previously seen in MDEV-26583.

            11.4.3 2ee061c2585430ce0b94085813dffb61355eac15 (Debug)

            Core was generated by `/test/UBASAN_MD020824-mariadb-11.4.3-linux-x86_64-dbg/bin/mariadbd --no-default'.
            Program terminated with signal SIGSEGV, Segmentation fault.
            Download failed: Invalid argument.  Continuing without source file ./nptl/./nptl/pthread_kill.c.
            #0  __pthread_kill_implementation (no_tid=0, signo=11, threadid=<optimized out>) at ./nptl/pthread_kill.c:44
             
            warning: 44	./nptl/pthread_kill.c: No such file or directory
            [Current thread is 1 (LWP 1942416)]
            (gdb) bt
            #0  __pthread_kill_implementation (no_tid=0, signo=11, threadid=<optimized out>) at ./nptl/pthread_kill.c:44
            #1  __pthread_kill_internal (signo=11, threadid=<optimized out>)at ./nptl/pthread_kill.c:78
            #2  __GI___pthread_kill (threadid=<optimized out>, signo=11)at ./nptl/pthread_kill.c:89
            #3  0x000055cc5506a163 in my_write_core (sig=11)at /test/11.4_dbg_san/mysys/stacktrace.c:424
            #4  0x000055cc523ec013 in handle_fatal_signal (sig=<optimized out>)at /test/11.4_dbg_san/sql/signal_handler.cc:358
            #5  <signal handler called>
            #6  0x000015268f9a160e in spider_get_select_limit_from_select_lex (select_lex=select_lex@entry=0x479578c1b1468500, select_limit=select_limit@entry=0x152690efceb0, offset_limit=offset_limit@entry=0x152690efced0)at /test/11.4_dbg_san/storage/spider/spd_table.cc:7692
            #7  0x000015268f9a1a32 in spider_get_select_limit (spider=spider@entry=0x51f0000ad4b8, select_lex=select_lex@entry=0x152690efce90, select_limit=select_limit@entry=0x152690efceb0, offset_limit=offset_limit@entry=0x152690efced0)at /test/11.4_dbg_san/storage/spider/spd_table.cc:7710
            #8  0x000015268f9a2028 in spider_split_read_param (spider=spider@entry=0x51f0000ad4b8)at /test/11.4_dbg_san/storage/spider/spd_table.cc:7743
            #9  0x000015268f9a3bf6 in spider_set_result_list_param (spider=spider@entry=0x51f0000ad4b8)at /test/11.4_dbg_san/storage/spider/spd_table.cc:7329
            #10 0x000015268fb024a6 in ha_spider::rnd_init (this=0x51f0000ad4b8, scan=<optimized out>)at /test/11.4_dbg_san/storage/spider/ha_spider.cc:5368
            #11 0x000055cc52436145 in handler::ha_rnd_init (scan=true, this=0x51f0000ad4b8)at /test/11.4_dbg_san/sql/handler.h:3530
            #12 handler::ha_rnd_init_with_error (this=this@entry=0x51f0000ad4b8, scan=scan@entry=true) at /test/11.4_dbg_san/sql/handler.cc:3903
            #13 0x000055cc50603196 in handle_grant_table (thd=thd@entry=0x52b00015e218, grant_table=@0x152690efe048: {min_columns = 8, start_priv_columns = 0, end_priv_columns = 8, m_table = 0x5190001b3598}, which_table=which_table@entry=PROCS_PRIV_TABLE, drop=drop@entry=false, user_from=user_from@entry=0x5290000eb2f8, user_to=user_to@entry=0x0)at /test/11.4_dbg_san/sql/sql_acl.cc:10434
            #14 0x000055cc5066741b in handle_grant_data (thd=thd@entry=0x52b00015e218, tables=@0x152690efdfa0: {p_user_table = 0x152690efdfa8, m_user_table_json = {<User_table> = {<Grant_table_base> = {min_columns = 3, start_priv_columns = 0, end_priv_columns = 3, m_table = 0x519000047998}, _vptr.User_table = 0x55cc5682da00 <vtable for User_table_json+16>}, static JSON_SIZE = 1024}, m_user_table_tabular = {<User_table> = {<Grant_table_base> = {min_columns = 13, start_priv_columns = 0, end_priv_columns = 0, m_table = 0x0}, _vptr.User_table = 0x55cc5682d8c0 <vtable for User_table_tabular+16>}, <No data fields>}, m_db_table = {<Grant_table_base> = {min_columns = 9, start_priv_columns = 3, end_priv_columns = 24, m_table = 0x519000043398}, <No data fields>}, m_tables_priv_table = {<Grant_table_base> = {min_columns = 8, start_priv_columns = 0, end_priv_columns = 8, m_table = 0x519000054b98}, <No data fields>}, m_columns_priv_table = {<Grant_table_base> = {min_columns = 7, start_priv_columns = 0, end_priv_columns = 7, m_table = 0x519000056498}, <No data fields>}, m_host_table = {<Grant_table_base> = {min_columns = 8, start_priv_columns = 0, end_priv_columns = 0, m_table = 0x0}, <No data fields>}, m_procs_priv_table = {<Grant_table_base> = {min_columns = 8, start_priv_columns = 0, end_priv_columns = 8, m_table = 0x5190001b3598}, <No data fields>}, m_proxies_priv_table = {<Grant_table_base> = {min_columns = 7, start_priv_columns = 0, end_priv_columns = 7, m_table = 0x519000045198}, <No data fields>}, m_roles_mapping_table = {<Grant_table_base> = {min_columns = 4, start_priv_columns = 3, end_priv_columns = 4, m_table = 0x519000046598}, <No data fields>}}, drop=drop@entry=false, user_from=user_from@entry=0x5290000eb2f8, user_to=user_to@entry=0x0) at /test/11.4_dbg_san/sql/sql_acl.cc:10925
            #15 0x000055cc506787af in mysql_create_user (thd=thd@entry=0x52b00015e218, list=@0x52b0001633c8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x5290000eb328, last = 0x5290000eb328, elements = 1}, <No data fields>}, handle_as_role=handle_as_role@entry=false)at /test/11.4_dbg_san/sql/sql_acl.cc:11141
            #16 0x000055cc50b88884 in mysql_execute_command (thd=thd@entry=0x52b00015e218, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false)at /test/11.4_dbg_san/sql/sql_parse.cc:5169
            #17 0x000055cc50b9931c in mysql_parse (thd=thd@entry=0x52b00015e218, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x152690eff840)at /test/11.4_dbg_san/sql/sql_parse.cc:7862
            #18 0x000055cc50ba916c in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x52b00015e218, packet=packet@entry=0x52900009b219 "CREATE USER a@localhost", packet_length=packet_length@entry=23, blocking=blocking@entry=true)at /test/11.4_dbg_san/sql/sql_parse.cc:1894
            #19 0x000055cc50bb78fd in do_command (thd=0x52b00015e218, blocking=blocking@entry=true) at /test/11.4_dbg_san/sql/sql_parse.cc:1407
            #20 0x000055cc515d688c in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5080000038b8, put_in_cache=put_in_cache@entry=true)at /test/11.4_dbg_san/sql/sql_connect.cc:1439
            #21 0x000055cc515d7da7 in handle_one_connection (arg=0x5080000038b8)at /test/11.4_dbg_san/sql/sql_connect.cc:1341
            #22 0x00001526b569ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
            #23 0x00001526b5729c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
            

Yuchen Pei added a comment (edited)

            Testing the original case in mtr at 10.5 b304ec30308a86d87f29e509b988d3120b940f58 with ASAN, I get stack-use-after-return at spider_get_select_lex():

            ==1045813==ERROR: AddressSanitizer: stack-use-after-return on address 0x7f21c111be28 at pc 0x7f21bed528d6 bp 0x7f21c21bf480 sp 0x7f21c21bf478
            READ of size 8 at 0x7f21c111be28 thread T16
                #0 0x7f21bed528d5 in spider_get_select_lex(ha_spider*) /home/ycp/source/mariadb-server/10.5/src/storage/spider/spd_table.cc:7590
                #1 0x7f21bed534e4 in spider_get_select_limit(ha_spider*, st_select_lex**, long long*, long long*) /home/ycp/source/mariadb-server/10.5/src/storage/spider/spd_table.cc:7620
                #2 0x7f21bed54635 in spider_split_read_param(ha_spider*) /home/ycp/source/mariadb-server/10.5/src/storage/spider/spd_table.cc:7658
                #3 0x7f21bed48449 in spider_set_result_list_param(ha_spider*) /home/ycp/source/mariadb-server/10.5/src/storage/spider/spd_table.cc:7216
                #4 0x7f21bef43cf7 in ha_spider::rnd_init(bool) /home/ycp/source/mariadb-server/10.5/src/storage/spider/ha_spider.cc:6675
                #5 0x55b3db9a4d20 in handler::ha_rnd_init(bool) /home/ycp/source/mariadb-server/10.5/src/sql/handler.h:3358
                #6 0x55b3dd45b94f in handler::ha_rnd_init_with_error(bool) /home/ycp/source/mariadb-server/10.5/src/sql/handler.cc:3405
                #7 0x55b3db6ad51e in handle_grant_table /home/ycp/source/mariadb-server/10.5/src/sql/sql_acl.cc:10267
                #8 0x55b3db6b1cfa in handle_grant_data /home/ycp/source/mariadb-server/10.5/src/sql/sql_acl.cc:10758
                #9 0x55b3db6b2d25 in mysql_create_user(THD*, List<LEX_USER>&, bool) /home/ycp/source/mariadb-server/10.5/src/sql/sql_acl.cc:10973
                #10 0x55b3dbc5895a in mysql_execute_command(THD*) /home/ycp/source/mariadb-server/10.5/src/sql/sql_parse.cc:5499
                #11 0x55b3dbc8f46f in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/ycp/source/mariadb-server/10.5/src/sql/sql_parse.cc:8229
                #12 0x55b3dbc08341 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/ycp/source/mariadb-server/10.5/src/sql/sql_parse.cc:1892
                #13 0x55b3dbbfc3ad in do_command(THD*) /home/ycp/source/mariadb-server/10.5/src/sql/sql_parse.cc:1376
                #14 0x55b3dc740eb3 in do_handle_one_connection(CONNECT*, bool) /home/ycp/source/mariadb-server/10.5/src/sql/sql_connect.cc:1417
                #15 0x55b3dc73fca2 in handle_one_connection /home/ycp/source/mariadb-server/10.5/src/sql/sql_connect.cc:1319
                #16 0x55b3deb933a9 in pfs_spawn_thread /home/ycp/source/mariadb-server/10.5/src/storage/perfschema/pfs.cc:2201
                #17 0x7f21dea5ae55 in asan_thread_start ../../../../src/libsanitizer/asan/asan_interceptors.cpp:234
                #18 0x7f21ddca8133 in start_thread nptl/pthread_create.c:442
                #19 0x7f21ddd27a3f in clone ../sysdeps/unix/sysv/linux/x86_64/clone.S:100
             
            Address 0x7f21c111be28 is located in stack of thread T16 at offset 7720 in frame
                #0 0x55b3db7272fb in Grant_tables::open_and_lock(THD*, int, thr_lock_type) /home/ycp/source/mariadb-server/10.5/src/sql/sql_acl.cc:1986
             
              This frame has 5 object(s):
                [32, 36) 'counter' (line 1995)
                [48, 52) 'unused' (line 2001)
                [64, 72) 'first' (line 1990)
                [96, 128) '_db_stack_frame_' (line 1988)
                [160, 14496) 'tables' (line 1990) <== Memory access at offset 7720 is inside this variable
            

            On the surface, we see that spider accesses a TABLE_LIST from a TABLE requested from the sql layer:

            Thread 1 stopped.
            spider_get_select_lex (spider=0x51f0000ac728) at /home/ycp/source/mariadb-server/10.5/src/storage/spider/spd_table.cc:7590
            7590	    DBUG_RETURN(table_list->select_lex);
            (rr) p spider->table->pos_in_table_list
            $21 = (TABLE_LIST *) 0x7f21c111bca0
            (rr) p spider->table
            $64 = (TABLE *) 0x519000182f08
             
            # stack:
             0 in spider_get_select_lex of /home/ycp/source/mariadb-server/10.5/src/storage/spider/spd_table.cc:7590
             1 in spider_get_select_limit of /home/ycp/source/mariadb-server/10.5/src/storage/spider/spd_table.cc:7620
             2 in spider_split_read_param of /home/ycp/source/mariadb-server/10.5/src/storage/spider/spd_table.cc:7658
             3 in spider_set_result_list_param of /home/ycp/source/mariadb-server/10.5/src/storage/spider/spd_table.cc:7216
             4 in ha_spider::rnd_init of /home/ycp/source/mariadb-server/10.5/src/storage/spider/ha_spider.cc:6675
             5 in handler::ha_rnd_init of /home/ycp/source/mariadb-server/10.5/src/sql/handler.h:3358
             6 in handler::ha_rnd_init_with_error of /home/ycp/source/mariadb-server/10.5/src/sql/handler.cc:3405
             7 in handle_grant_table of /home/ycp/source/mariadb-server/10.5/src/sql/sql_acl.cc:10267
             8 in handle_grant_data of /home/ycp/source/mariadb-server/10.5/src/sql/sql_acl.cc:10758
             9 in mysql_create_user of /home/ycp/source/mariadb-server/10.5/src/sql/sql_acl.cc:10973
            10 in mysql_execute_command of /home/ycp/source/mariadb-server/10.5/src/sql/sql_parse.cc:5499
             
            # in frame 7:
            (rr) p table
            $63 = (TABLE *) 0x519000182f08
            

            The TABLE_LIST is previously assigned to pos_in_table_list in

            (rr) wl spider->table->pos_in_table_list
            Hardware watchpoint 3: -location spider->table->pos_in_table_list
            (rr) rc
            Continuing.
             
            Thread 1 hit Hardware watchpoint 3: -location spider->table->pos_in_table_list
             
            Old value = (TABLE_LIST *) 0x7f21c111bca0
            New value = (TABLE_LIST *) 0x0
            0x000055b3dc52c573 in TABLE::init (this=0x519000182f08, thd=0x52b00008c288, tl=0x7f21c111bca0) at /home/ycp/source/mariadb-server/10.5/src/sql/table.cc:5554
            5554	  pos_in_table_list= tl;
             
            # stack:
             0 in TABLE::init of /home/ycp/source/mariadb-server/10.5/src/sql/table.cc:5554
             1 in open_table of /home/ycp/source/mariadb-server/10.5/src/sql/sql_base.cc:2136
             2 in open_and_process_table of /home/ycp/source/mariadb-server/10.5/src/sql/sql_base.cc:3819
             3 in open_tables of /home/ycp/source/mariadb-server/10.5/src/sql/sql_base.cc:4303
             4 in open_tables of /home/ycp/source/mariadb-server/10.5/src/sql/sql_base.h:479
             5 in Grant_tables::really_open of /home/ycp/source/mariadb-server/10.5/src/sql/sql_acl.cc:2126
             6 in Grant_tables::open_and_lock of /home/ycp/source/mariadb-server/10.5/src/sql/sql_acl.cc:1996
             7 in mysql_create_user of /home/ycp/source/mariadb-server/10.5/src/sql/sql_acl.cc:10937
             8 in mysql_execute_command of /home/ycp/source/mariadb-server/10.5/src/sql/sql_parse.cc:5499
            

The open_tables() in Frame 3 iterates over next_global, starting from the TABLE_LIST passed in from open_tables() in Frame 4, and reaches the offending TABLE_LIST after three iterations:

            # in the open_tables() in frame 4 above
            (rr) p tables[0]
            $53 = (TABLE_LIST *) 0x7f21c111a0a0
            (rr) p tables[0]->next_global->next_global->next_global
            $54 = (TABLE_LIST *) 0x7f21c111bca0
            

In fact both TABLE_LISTs are part of the local variable tables in Grant_tables::open_and_lock() called earlier (also mentioned in the ASAN output):

            Thread 1 stopped.
            Grant_tables::open_and_lock (this=0x7f21c0db0cf0, thd=0x52b00008c288, which_tables=247, lock_type=TL_WRITE) at /home/ycp/source/mariadb-server/10.5/src/sql/sql_acl.cc:2036
            2036	    m_roles_mapping_table.set_table(tables[ROLES_MAPPING_TABLE].table);
            (rr) p &tables[4]
            $22 = (TABLE_LIST *) 0x7f21c111bca0
            (rr) p &tables[0]
            $8 = (TABLE_LIST *) 0x7f21c111a0a0
            (rr) p tables[0].next_global->next_global->next_global
            $49 = (TABLE_LIST *) 0x7f21c111bca0
             
            # stack:
             0 in Grant_tables::open_and_lock of /home/ycp/source/mariadb-server/10.5/src/sql/sql_acl.cc:2036
             1 in mysql_create_user of /home/ycp/source/mariadb-server/10.5/src/sql/sql_acl.cc:10937
             2 in mysql_execute_command of /home/ycp/source/mariadb-server/10.5/src/sql/sql_parse.cc:5499
            

            It looks a bit strange to have a big array of TABLE_LIST as a local variable in Grant_tables::open_and_lock() containing the offending TABLE_LIST, initialise a TABLE with that TABLE_LIST, then after returning from Grant_tables::open_and_lock(), use the TABLE again. Also strange is that the TABLE_LIST goes out of scope but not the TABLE...

            ycp Yuchen Pei added a comment - edited

            Testing the original case in mtr at 10.5 b304ec30308a86d87f29e509b988d3120b940f58 with ASAN, I get stack-use-after-return at spider_get_select_lex():

                ==1045813==ERROR: AddressSanitizer: stack-use-after-return on address 0x7f21c111be28 at pc 0x7f21bed528d6 bp 0x7f21c21bf480 sp 0x7f21c21bf478
                READ of size 8 at 0x7f21c111be28 thread T16
                    #0 0x7f21bed528d5 in spider_get_select_lex(ha_spider*) /home/ycp/source/mariadb-server/10.5/src/storage/spider/spd_table.cc:7590
                    #1 0x7f21bed534e4 in spider_get_select_limit(ha_spider*, st_select_lex**, long long*, long long*) /home/ycp/source/mariadb-server/10.5/src/storage/spider/spd_table.cc:7620
                    #2 0x7f21bed54635 in spider_split_read_param(ha_spider*) /home/ycp/source/mariadb-server/10.5/src/storage/spider/spd_table.cc:7658
                    #3 0x7f21bed48449 in spider_set_result_list_param(ha_spider*) /home/ycp/source/mariadb-server/10.5/src/storage/spider/spd_table.cc:7216
                    #4 0x7f21bef43cf7 in ha_spider::rnd_init(bool) /home/ycp/source/mariadb-server/10.5/src/storage/spider/ha_spider.cc:6675
                    #5 0x55b3db9a4d20 in handler::ha_rnd_init(bool) /home/ycp/source/mariadb-server/10.5/src/sql/handler.h:3358
                    #6 0x55b3dd45b94f in handler::ha_rnd_init_with_error(bool) /home/ycp/source/mariadb-server/10.5/src/sql/handler.cc:3405
                    #7 0x55b3db6ad51e in handle_grant_table /home/ycp/source/mariadb-server/10.5/src/sql/sql_acl.cc:10267
                    #8 0x55b3db6b1cfa in handle_grant_data /home/ycp/source/mariadb-server/10.5/src/sql/sql_acl.cc:10758
                    #9 0x55b3db6b2d25 in mysql_create_user(THD*, List<LEX_USER>&, bool) /home/ycp/source/mariadb-server/10.5/src/sql/sql_acl.cc:10973
                    #10 0x55b3dbc5895a in mysql_execute_command(THD*) /home/ycp/source/mariadb-server/10.5/src/sql/sql_parse.cc:5499
                    #11 0x55b3dbc8f46f in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/ycp/source/mariadb-server/10.5/src/sql/sql_parse.cc:8229
                    #12 0x55b3dbc08341 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/ycp/source/mariadb-server/10.5/src/sql/sql_parse.cc:1892
                    #13 0x55b3dbbfc3ad in do_command(THD*) /home/ycp/source/mariadb-server/10.5/src/sql/sql_parse.cc:1376
                    #14 0x55b3dc740eb3 in do_handle_one_connection(CONNECT*, bool) /home/ycp/source/mariadb-server/10.5/src/sql/sql_connect.cc:1417
                    #15 0x55b3dc73fca2 in handle_one_connection /home/ycp/source/mariadb-server/10.5/src/sql/sql_connect.cc:1319
                    #16 0x55b3deb933a9 in pfs_spawn_thread /home/ycp/source/mariadb-server/10.5/src/storage/perfschema/pfs.cc:2201
                    #17 0x7f21dea5ae55 in asan_thread_start ../../../../src/libsanitizer/asan/asan_interceptors.cpp:234
                    #18 0x7f21ddca8133 in start_thread nptl/pthread_create.c:442
                    #19 0x7f21ddd27a3f in clone ../sysdeps/unix/sysv/linux/x86_64/clone.S:100

                Address 0x7f21c111be28 is located in stack of thread T16 at offset 7720 in frame
                    #0 0x55b3db7272fb in Grant_tables::open_and_lock(THD*, int, thr_lock_type) /home/ycp/source/mariadb-server/10.5/src/sql/sql_acl.cc:1986

                  This frame has 5 object(s):
                    [32, 36) 'counter' (line 1995)
                    [48, 52) 'unused' (line 2001)
                    [64, 72) 'first' (line 1990)
                    [96, 128) '_db_stack_frame_' (line 1988)
                    [160, 14496) 'tables' (line 1990) <== Memory access at offset 7720 is inside this variable

            On the surface, we see that spider accesses a TABLE_LIST from a TABLE requested from the sql layer:

                Thread 1 stopped.
                spider_get_select_lex (spider=0x51f0000ac728) at /home/ycp/source/mariadb-server/10.5/src/storage/spider/spd_table.cc:7590
                7590      DBUG_RETURN(table_list->select_lex);
                (rr) p spider->table->pos_in_table_list
                $21 = (TABLE_LIST *) 0x7f21c111bca0
                (rr) p spider->table
                $64 = (TABLE *) 0x519000182f08

                # stack:
                0 in spider_get_select_lex of /home/ycp/source/mariadb-server/10.5/src/storage/spider/spd_table.cc:7590
                1 in spider_get_select_limit of /home/ycp/source/mariadb-server/10.5/src/storage/spider/spd_table.cc:7620
                2 in spider_split_read_param of /home/ycp/source/mariadb-server/10.5/src/storage/spider/spd_table.cc:7658
                3 in spider_set_result_list_param of /home/ycp/source/mariadb-server/10.5/src/storage/spider/spd_table.cc:7216
                4 in ha_spider::rnd_init of /home/ycp/source/mariadb-server/10.5/src/storage/spider/ha_spider.cc:6675
                5 in handler::ha_rnd_init of /home/ycp/source/mariadb-server/10.5/src/sql/handler.h:3358
                6 in handler::ha_rnd_init_with_error of /home/ycp/source/mariadb-server/10.5/src/sql/handler.cc:3405
                7 in handle_grant_table of /home/ycp/source/mariadb-server/10.5/src/sql/sql_acl.cc:10267
                8 in handle_grant_data of /home/ycp/source/mariadb-server/10.5/src/sql/sql_acl.cc:10758
                9 in mysql_create_user of /home/ycp/source/mariadb-server/10.5/src/sql/sql_acl.cc:10973
                10 in mysql_execute_command of /home/ycp/source/mariadb-server/10.5/src/sql/sql_parse.cc:5499

                # in frame 7:
                (rr) p table
                $63 = (TABLE *) 0x519000182f08

            The TABLE_LIST is previously assigned to pos_in_table_list in

                (rr) wl spider->table->pos_in_table_list
                Hardware watchpoint 3: -location spider->table->pos_in_table_list
                (rr) rc
                Continuing.

                Thread 1 hit Hardware watchpoint 3: -location spider->table->pos_in_table_list

                Old value = (TABLE_LIST *) 0x7f21c111bca0
                New value = (TABLE_LIST *) 0x0
                0x000055b3dc52c573 in TABLE::init (this=0x519000182f08, thd=0x52b00008c288, tl=0x7f21c111bca0) at /home/ycp/source/mariadb-server/10.5/src/sql/table.cc:5554
                5554      pos_in_table_list= tl;

                # stack:
                0 in TABLE::init of /home/ycp/source/mariadb-server/10.5/src/sql/table.cc:5554
                1 in open_table of /home/ycp/source/mariadb-server/10.5/src/sql/sql_base.cc:2136
                2 in open_and_process_table of /home/ycp/source/mariadb-server/10.5/src/sql/sql_base.cc:3819
                3 in open_tables of /home/ycp/source/mariadb-server/10.5/src/sql/sql_base.cc:4303
                4 in open_tables of /home/ycp/source/mariadb-server/10.5/src/sql/sql_base.h:479
                5 in Grant_tables::really_open of /home/ycp/source/mariadb-server/10.5/src/sql/sql_acl.cc:2126
                6 in Grant_tables::open_and_lock of /home/ycp/source/mariadb-server/10.5/src/sql/sql_acl.cc:1996
                7 in mysql_create_user of /home/ycp/source/mariadb-server/10.5/src/sql/sql_acl.cc:10937
                8 in mysql_execute_command of /home/ycp/source/mariadb-server/10.5/src/sql/sql_parse.cc:5499

            The open_tables() in Frame 3 iterates over next_global, where the start TABLE_LIST passed from open_tables() in Frame 4 is, and reaches the offending TABLE_LIST after three iterations:

                # in the open_tables() in frame 4 above
                (rr) p tables[0]
                $53 = (TABLE_LIST *) 0x7f21c111a0a0
                (rr) p tables[0]->next_global->next_global->next_global
                $54 = (TABLE_LIST *) 0x7f21c111bca0

            In fact both TABLE_LIST's are part of the local variable tables in Grant_tables::open_and_lock() called earlier (also mentioned in the ASAN output):

                Thread 1 stopped.
                Grant_tables::open_and_lock (this=0x7f21c0db0cf0, thd=0x52b00008c288, which_tables=247, lock_type=TL_WRITE) at /home/ycp/source/mariadb-server/10.5/src/sql/sql_acl.cc:2036
                2036      m_roles_mapping_table.set_table(tables[ROLES_MAPPING_TABLE].table);
                (rr) p &tables[4]
                $22 = (TABLE_LIST *) 0x7f21c111bca0
                (rr) p &tables[0]
                $8 = (TABLE_LIST *) 0x7f21c111a0a0
                (rr) p tables[0].next_global->next_global->next_global
                $49 = (TABLE_LIST *) 0x7f21c111bca0

                # stack:
                0 in Grant_tables::open_and_lock of /home/ycp/source/mariadb-server/10.5/src/sql/sql_acl.cc:2036
                1 in mysql_create_user of /home/ycp/source/mariadb-server/10.5/src/sql/sql_acl.cc:10937
                2 in mysql_execute_command of /home/ycp/source/mariadb-server/10.5/src/sql/sql_parse.cc:5499

            It looks a bit strange to have a big array of TABLE_LIST as a local variable in Grant_tables::open_and_lock() containing the offending TABLE_LIST, initialise a TABLE with that TABLE_LIST, then after returning from Grant_tables::open_and_lock(), use the TABLE again. Also strange is that the TABLE_LIST goes out of scope but not the TABLE ...
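The lifetime problem worked out in the comment above, as an added C example that is not MariaDB code and not part of the ticket: a long-lived table object caches a pointer into a table_list array, and if that array is a local of the function that opened the table, the pointer dangles once the function returns, which is exactly what ASAN's stack-use-after-return detection reports. The struct and function names (table, table_list, table_init, open_and_lock_buggy, grant_tables, get_select_lex_id, N_GRANT_TABLES) only mimic the ones in the trace and are assumptions of this example. The buggy shape is compiled only with -DDEMO_UAR so the default build exercises just the fixed ownership model.

```c
/* Added example (not MariaDB code): stripped-down model of a table object
 * caching a pointer into a table_list array that outlives, or fails to
 * outlive, the frame it was created in. Names mimic the trace and are
 * assumptions of this example, not the server's real definitions. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define N_GRANT_TABLES 5   /* assumed count; the rr session shows tables[0]..tables[4] */

struct select_lex { int id; };

struct table_list {
    struct select_lex *select_lex;
    struct table_list *next_global;
};

struct table {
    struct table_list *pos_in_table_list;   /* back-pointer set by table_init() */
};

static void table_init(struct table *t, struct table_list *tl)
{
    t->pos_in_table_list = tl;              /* like TABLE::init: pos_in_table_list= tl */
}

#ifdef DEMO_UAR
/* Buggy shape: the table_list array is a local, the table outlives it.
 * Build and run:  cc -DDEMO_UAR -g -fsanitize=address uar.c &&
 *                 ASAN_OPTIONS=detect_stack_use_after_return=1 ./a.out
 * ASAN then reports stack-use-after-return inside get_select_lex_id(). */
static void open_and_lock_buggy(struct table *t, struct select_lex *lex)
{
    struct table_list tables[N_GRANT_TABLES];
    memset(tables, 0, sizeof tables);
    tables[N_GRANT_TABLES - 1].select_lex = lex;
    table_init(t, &tables[N_GRANT_TABLES - 1]);   /* address of a local escapes */
}                                                  /* tables dies here; the pointer dangles */
#endif

/* Fixed shape: the array lives exactly as long as the object that points
 * into it. The owner allocates it on open and severs the back-pointer
 * before freeing, so a late use fails loudly instead of reading dead stack. */
struct grant_tables {
    struct table_list *tables;   /* heap array of N_GRANT_TABLES entries, owned here */
    struct table tbl;
};

static int open_and_lock_fixed(struct grant_tables *g, struct select_lex *lex)
{
    g->tables = calloc(N_GRANT_TABLES, sizeof *g->tables);
    if (!g->tables) return -1;
    for (int i = 0; i + 1 < N_GRANT_TABLES; i++)
        g->tables[i].next_global = &g->tables[i + 1];
    g->tables[N_GRANT_TABLES - 1].select_lex = lex;
    table_init(&g->tbl, &g->tables[N_GRANT_TABLES - 1]);
    return 0;
}

/* Debug check to assert before dereferencing: does the cached pointer still
 * point inside the array this owner allocated? Compared as integers so the
 * check is well defined even when the pointer is not in the array. */
static int pos_is_owned(const struct grant_tables *g)
{
    uintptr_t p  = (uintptr_t) g->tbl.pos_in_table_list;
    uintptr_t lo = (uintptr_t) g->tables;
    uintptr_t hi = lo + N_GRANT_TABLES * sizeof *g->tables;
    return g->tables != NULL && p >= lo && p < hi;
}

/* Mimics spider_get_select_lex(): reads select_lex->id through the cached
 * table_list; returns -1 if the back-pointer has been severed. */
static int get_select_lex_id(const struct table *t)
{
    if (!t->pos_in_table_list) return -1;
    return t->pos_in_table_list->select_lex->id;
}

static void grant_tables_close(struct grant_tables *g)
{
    g->tbl.pos_in_table_list = NULL;   /* sever before the memory goes away */
    free(g->tables);
    g->tables = NULL;
}

/* Runs the fixed path end to end: 0 on success, nonzero if any step misbehaves. */
int demo_fixed(void)
{
    struct select_lex lex = { 42 };
    struct grant_tables g;
    memset(&g, 0, sizeof g);
    if (open_and_lock_fixed(&g, &lex)) return -1;
    int owned  = pos_is_owned(&g);             /* 1: pointer is inside the owned array */
    int before = get_select_lex_id(&g.tbl);    /* 42: list still alive */
    grant_tables_close(&g);
    int after  = get_select_lex_id(&g.tbl);    /* -1: clean failure, not a dangling read */
    return (owned && before == 42 && after == -1) ? 0 : 1;
}

#ifdef DEMO_UAR
int main(void)
{
    struct select_lex lex = { 7 };
    struct table t = { 0 };
    open_and_lock_buggy(&t, &lex);
    return get_select_lex_id(&t);   /* reads the dead frame: ASAN aborts here */
}
#endif
```

The pos_is_owned() check is the kind of debug assertion that would have turned the silent read in the trace into an immediate failure at the point where the TABLE is reused; it only works once the table_list storage has an identifiable owner, which is the real fix.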

            People

              ycp Yuchen Pei
              Roel Roel Van de Paar