MariaDB Server / MDEV-35087

Server crash or ASAN errors in _mi_write_blob_record upon using BINARY of certain lengths as vector column

    Description

      CREATE TABLE t (pk INT PRIMARY KEY, v BINARY(252) NOT NULL, VECTOR (v)) ENGINE=MyISAM;
      INSERT INTO t VALUES (1,x'00000000');
       
      # Cleanup
      DROP TABLE t;
      

      bb-11.6-MDEV-32887-vector 77be73c489fb7c21ca58e78cef10e0c166f293d8

      ==2511194==ERROR: AddressSanitizer: unknown-crash on address 0x60e000034cb800 at pc 0x7fcc6384814b bp 0x7fcc57a9e620 sp 0x7fcc57a9ddd0
      READ of size 33280 at 0x60e000034cb800 thread T5
          #0 0x7fcc6384814a in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
          #1 0x556cb6fb3c4c in _mi_rec_pack /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-asan/storage/myisam/mi_dynrec.c:998
          #2 0x556cb6fab79e in _mi_write_blob_record /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-asan/storage/myisam/mi_dynrec.c:290
          #3 0x556cb7017bc9 in mi_write /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-asan/storage/myisam/mi_write.c:146
          #4 0x556cb6f55ad3 in ha_myisam::write_row(unsigned char const*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-asan/storage/myisam/ha_myisam.cc:963
          #5 0x556cb5baf787 in handler::ha_write_row(unsigned char const*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-asan/sql/handler.cc:8159
          #6 0x556cb5fbbe36 in FVectorNode::save(TABLE*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-asan/sql/vector_mhnsw.cc:959
          #7 0x556cb5fbec82 in mhnsw_insert(TABLE*, st_key*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-asan/sql/vector_mhnsw.cc:1166
          #8 0x556cb5059ca0 in TABLE::hlindexes_on_insert() /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-asan/sql/sql_base.cc:9919
          #9 0x556cb5baf884 in handler::ha_write_row(unsigned char const*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-asan/sql/handler.cc:8163
          #10 0x556cb512b63d in write_record(THD*, TABLE*, st_copy_info*, select_result*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-asan/sql/sql_insert.cc:2322
          #11 0x556cb5121d6d in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-asan/sql/sql_insert.cc:1179
          #12 0x556cb51f2037 in mysql_execute_command(THD*, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-asan/sql/sql_parse.cc:4458
          #13 0x556cb5209bf9 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-asan/sql/sql_parse.cc:7873
          #14 0x556cb51e0c1b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-asan/sql/sql_parse.cc:1892
          #15 0x556cb51dd92f in do_command(THD*, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-asan/sql/sql_parse.cc:1405
          #16 0x556cb56cd188 in do_handle_one_connection(CONNECT*, bool) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-asan/sql/sql_connect.cc:1448
          #17 0x556cb56ccb49 in handle_one_connection /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-asan/sql/sql_connect.cc:1350
          #18 0x556cb6370671 in pfs_spawn_thread /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-asan/storage/perfschema/pfs.cc:2198
          #19 0x7fcc630a8043 in start_thread nptl/pthread_create.c:442
          #20 0x7fcc6312861b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
       
      Address 0x60e000034cb800 is a wild pointer inside of access range of size 0x000000008200.
      SUMMARY: AddressSanitizer: unknown-crash ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
      Thread T5 created by T0 here:
          #0 0x7fcc63849726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
          #1 0x556cb636c413 in my_thread_create /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-asan/storage/perfschema/my_thread.h:38
          #2 0x556cb6370a60 in pfs_spawn_thread_v1 /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-asan/storage/perfschema/pfs.cc:2249
          #3 0x556cb4df9c33 in inline_mysql_thread_create /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-asan/include/mysql/psi/mysql_thread.h:1139
          #4 0x556cb4e123fa in create_thread_to_handle_connection(CONNECT*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-asan/sql/mysqld.cc:6267
          #5 0x556cb4e12a1f in create_new_thread(CONNECT*) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-asan/sql/mysqld.cc:6329
          #6 0x556cb4e12d0a in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-asan/sql/mysqld.cc:6391
          #7 0x556cb4e13992 in handle_connections_sockets() /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-asan/sql/mysqld.cc:6504
          #8 0x556cb4e11c77 in mysqld_main(int, char**) /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-asan/sql/mysqld.cc:6162
          #9 0x556cb4df8d58 in main /data/bld/preview-11.7-bb-11.6-MDEV-32887-vector-asan/sql/main.cc:34
          #10 0x7fcc630461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
       
      ==2511194==ABORTING
      241006 14:40:32 [ERROR] mysqld got signal 6 ;
      Sorry, we probably made a mistake, and this is a bug.
       
      Your assistance in bug reporting will enable us to fix this for the next release.
      To report this bug, see https://mariadb.com/kb/en/reporting-bugs
       
      We will try our best to scrape up some info that will hopefully help
      diagnose the problem, but since we have already crashed, 
      something is definitely wrong and this may fail.
       
      Server version: 11.7.0-MariaDB-debug-log source revision: 77be73c489fb7c21ca58e78cef10e0c166f293d8
      key_buffer_size=1048576
      read_buffer_size=131072
      max_used_connections=1
      max_threads=153
      thread_count=1
      It is possible that mysqld could use up to 
      key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 64017 K  bytes of memory
      Hope that's ok; if not, decrease some variables in the equation.
       
      Thread pointer: 0x62c0000c0218
      Attempting backtrace. You can use the following information to find out
      where mysqld died. If you see no messages after this, something went
      terribly wrong...
      stack_bottom = 0x7fcc57aa1bd0 thread_stack 0xb00000
      sanitizer_common/sanitizer_common_interceptors.inc:4277(__interceptor_backtrace.part.0)[0x7fcc63851f31]
      mysys/stacktrace.c:215(my_print_stacktrace)[0x556cb70fc554]
      sql/signal_handler.cc:239(handle_fatal_signal)[0x556cb5b67d28]
      libc_sigaction.c:0(__restore_rt)[0x7fcc6305afd0]
      nptl/pthread_kill.c:44(__pthread_kill_implementation)[0x7fcc630a9d3c]
      posix/raise.c:27(__GI_raise)[0x7fcc6305af32]
      stdlib/abort.c:81(__GI_abort)[0x7fcc63045472]
      sanitizer_common/sanitizer_posix_libcdep.cpp:137(__sanitizer::Abort())[0x7fcc638d650f]
      sanitizer_common/sanitizer_termination.cpp:59(__sanitizer::Die())[0x7fcc638e2ba1]
      asan/asan_report.cpp:190(__asan::ScopedInErrorReport::~ScopedInErrorReport())[0x7fcc638c1f5e]
      asan/asan_report.cpp:479(__asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool))[0x7fcc638c14c6]
      sanitizer_common/sanitizer_common_interceptors.inc:827(memcpy)[0x7fcc6384816a]
      myisam/mi_dynrec.c:999(_mi_rec_pack)[0x556cb6fb3c4d]
      myisam/mi_dynrec.c:290(_mi_write_blob_record)[0x556cb6fab79f]
      myisam/mi_write.c:146(mi_write)[0x556cb7017bca]
      myisam/ha_myisam.cc:963(ha_myisam::write_row(unsigned char const*))[0x556cb6f55ad4]
      sql/handler.cc:8159(handler::ha_write_row(unsigned char const*))[0x556cb5baf788]
      sql/vector_mhnsw.cc:959(FVectorNode::save(TABLE*))[0x556cb5fbbe37]
      sql/vector_mhnsw.cc:1166(mhnsw_insert(TABLE*, st_key*))[0x556cb5fbec83]
      sql/sql_base.cc:9919(TABLE::hlindexes_on_insert())[0x556cb5059ca1]
      sql/handler.cc:8163(handler::ha_write_row(unsigned char const*))[0x556cb5baf885]
      sql/sql_insert.cc:2322(write_record(THD*, TABLE*, st_copy_info*, select_result*))[0x556cb512b63e]
      sql/sql_insert.cc:1179(mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*))[0x556cb5121d6e]
      sql/sql_parse.cc:4458(mysql_execute_command(THD*, bool))[0x556cb51f2038]
      sql/sql_parse.cc:7873(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x556cb5209bfa]
      sql/sql_parse.cc:1894(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x556cb51e0c1c]
      sql/sql_parse.cc:1405(do_command(THD*, bool))[0x556cb51dd930]
      sql/sql_connect.cc:1448(do_handle_one_connection(CONNECT*, bool))[0x556cb56cd189]
      sql/sql_connect.cc:1352(handle_one_connection)[0x556cb56ccb4a]
      perfschema/pfs.cc:2200(pfs_spawn_thread)[0x556cb6370672]
      nptl/pthread_create.c:442(start_thread)[0x7fcc630a8044]
      x86_64/clone3.S:83(clone3)[0x7fcc6312861c]
       
      Trying to get some variables.
      Some pointers may be invalid and cause the dump to abort.
      Query (0x6290000e6238): INSERT INTO t VALUES (1,x'00000000')
       
      Connection ID (thread ID): 4
      Status: NOT_KILLED
       
      Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off,hash_join_cardinality=on,cset_narrowing=on,sargable_casefold=on
       
      The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mariadbd/ contains
      information that should help you find out what is causing the crash.
      Writing a core file...
      Working directory at /dev/shm/var_auto_pDiE/mysqld.1/data
      Resource Limits:
      Limit                     Soft Limit           Hard Limit           Units     
      Max cpu time              unlimited            unlimited            seconds   
      Max file size             unlimited            unlimited            bytes     
      Max data size             unlimited            unlimited            bytes     
      Max stack size            8388608              unlimited            bytes     
      Max core file size        unlimited            unlimited            bytes     
      Max resident set          unlimited            unlimited            bytes     
      Max processes             514730               514730               processes 
      Max open files            65536                65536                files     
      Max locked memory         16876769280          16876769280          bytes     
      Max address space         unlimited            unlimited            bytes     
      Max file locks            unlimited            unlimited            locks     
      Max pending signals       514730               514730               signals   
      Max msgqueue size         819200               819200               bytes     
      Max nice priority         0                    0                    
      Max realtime priority     0                    0                    
      Max realtime timeout      unlimited            unlimited            us        
      Core pattern: core
       
      Kernel version: Linux version 6.1.0-13-amd64 (debian-kernel@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29)
      

      With lengths that are not a multiple of 4, ER_TRUNCATED_WRONG_VALUE_FOR_FIELD is returned:

      CREATE TABLE t (pk INT PRIMARY KEY, v BINARY(255) NOT NULL, VECTOR (v)) ENGINE=MyISAM;
      INSERT INTO t VALUES (1,x'00000000');
      bug.vec7-83a                             [ fail ]
              Test ended at 2024-10-06 14:45:27
       
      CURRENT_TEST: bug.vec7-83a
      mysqltest: At line 2: query 'INSERT INTO t VALUES (1,x'00000000')' failed: ER_TRUNCATED_WRONG_VALUE_FOR_FIELD (1366): Incorrect vector value: '...' for column `test`.`t`.`v` at row 1
      

            People

              serg Sergei Golubchik
              elenst Elena Stepanova