
ASAN errors in my_uca_scanner_next_with_nchars_utf8mb4 / Histogram_json_hb::find_bucket


Details

    • Bug
    • Status: Open (View Workflow)
    • Major
    • Resolution: Unresolved
    • 10.11, 11.2(EOL), 11.4, 11.6(EOL)
    • 10.11, 11.4
    • Character Sets
    • None

    Description

      Note that in 11.6 the utf8mb4 character set and the UCA collation became the defaults, so the issue is more significant there.

      # Reproducer: b is a virtual CHAR(255) column generated from the BINARY(255)
      # column a; the table uses the UCA collation utf8mb4_uca1400_ai_ci.
      CREATE TABLE t (a BINARY(255), b CHAR(255) AS (a)) CHARACTER SET=utf8mb4 COLLATE=utf8mb4_uca1400_ai_ci;
      INSERT INTO t (a) VALUES ('foo'),('bar');
      # Per the allocation trace below, the 256-byte histogram bucket string is
      # allocated under this statement (Histogram_json_hb::parse_bucket, reached
      # from read_statistics_for_tables during Sql_cmd_analyze_table::execute).
      ANALYZE TABLE t PERSISTENT FOR ALL;
      # Estimating the selectivity of this predicate goes through
      # Histogram_json_hb::find_bucket -> Field_string::cmp -> the UCA nchars
      # scanner, where ASAN reports a 1-byte READ exactly at the end of that
      # 256-byte bucket region (heap-buffer-overflow).
      # NOTE(review): presumably the nchars-based comparison assumes the bucket
      # value is at least as long as the column's key image - confirm in the fix.
      SELECT * FROM t WHERE b LIKE 'foo%';
       
      # Cleanup
      DROP TABLE t;
      

      10.11, commit 8a6a4c947a0ca3d2fdca752d7440bdc5c6c83e37:

      ==2136712==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61100001b300 at pc 0x5574d62ab643 bp 0x7fc6dadd4f00 sp 0x7fc6dadd4ef8
      READ of size 1 at 0x61100001b300 thread T5
          #0 0x5574d62ab642 in my_uca_scanner_next_with_nchars_utf8mb4 /data/bld/10.11-asan/strings/ctype-uca-scanner_next.inl:125
          #1 0x5574d62acecf in my_uca_scanner_next_pad_trim_utf8mb4 /data/bld/10.11-asan/strings/ctype-uca.inl:408
          #2 0x5574d62ad48c in my_uca_strnncollsp_nchars_onelevel_utf8mb4 /data/bld/10.11-asan/strings/ctype-uca.inl:502
          #3 0x5574d62ad75f in my_uca_strnncollsp_nchars_utf8mb4 /data/bld/10.11-asan/strings/ctype-uca.inl:566
          #4 0x5574d4be8bb6 in Field_string::cmp(unsigned char const*, unsigned char const*) const /data/bld/10.11-asan/sql/field.cc:7716
          #5 0x5574d47bd46b in Field::key_cmp(unsigned char const*, unsigned char const*) const (/mnt8t/bld/10.11-asan/sql/mariadbd+0x21de46b)
          #6 0x5574d48f5a41 in Histogram_json_hb::find_bucket(Field const*, unsigned char const*, int*) /data/bld/10.11-asan/sql/opt_histogram_json.cc:1158
          #7 0x5574d48f4dc2 in Histogram_json_hb::range_selectivity(Field*, st_key_range*, st_key_range*, double) /data/bld/10.11-asan/sql/opt_histogram_json.cc:991
          #8 0x5574d45eef5d in get_column_range_cardinality(Field*, st_key_range*, st_key_range*, unsigned int) /data/bld/10.11-asan/sql/sql_statistics.cc:4293
          #9 0x5574d3fc8d84 in records_in_column_ranges /data/bld/10.11-asan/sql/opt_range.cc:3358
          #10 0x5574d3fcb1e7 in calculate_cond_selectivity_for_table(THD*, TABLE*, Item**) /data/bld/10.11-asan/sql/opt_range.cc:3690
          #11 0x5574d4473878 in make_join_statistics /data/bld/10.11-asan/sql/sql_select.cc:6078
          #12 0x5574d44505fa in JOIN::optimize_inner() /data/bld/10.11-asan/sql/sql_select.cc:2640
          #13 0x5574d444909c in JOIN::optimize() /data/bld/10.11-asan/sql/sql_select.cc:1954
          #14 0x5574d446b609 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/bld/10.11-asan/sql/sql_select.cc:5206
          #15 0x5574d443a403 in handle_select(THD*, LEX*, select_result*, unsigned long long) /data/bld/10.11-asan/sql/sql_select.cc:600
          #16 0x5574d435ed9d in execute_sqlcom_select /data/bld/10.11-asan/sql/sql_parse.cc:6401
          #17 0x5574d434cd4c in mysql_execute_command(THD*, bool) /data/bld/10.11-asan/sql/sql_parse.cc:3988
          #18 0x5574d43696bb in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/10.11-asan/sql/sql_parse.cc:8161
          #19 0x5574d433ee23 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/10.11-asan/sql/sql_parse.cc:1895
          #20 0x5574d433bb50 in do_command(THD*, bool) /data/bld/10.11-asan/sql/sql_parse.cc:1408
          #21 0x5574d4801bbf in do_handle_one_connection(CONNECT*, bool) /data/bld/10.11-asan/sql/sql_connect.cc:1417
          #22 0x5574d480157b in handle_one_connection /data/bld/10.11-asan/sql/sql_connect.cc:1319
          #23 0x5574d542c7ab in pfs_spawn_thread /data/bld/10.11-asan/storage/perfschema/pfs.cc:2201
          #24 0x7fc6e42a8043 in start_thread nptl/pthread_create.c:442
          #25 0x7fc6e432861b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
       
      0x61100001b300 is located 0 bytes to the right of 256-byte region [0x61100001b200,0x61100001b300)
      allocated by thread T5 here:
          #0 0x7fc6e4eb94c8 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:95
          #1 0x5574d437ecdf in std::__new_allocator<char>::allocate(unsigned long, void const*) /usr/include/c++/12/bits/new_allocator.h:137
          #2 0x5574d437ec1c in std::allocator_traits<std::allocator<char> >::allocate(std::allocator<char>&, unsigned long) /usr/include/c++/12/bits/alloc_traits.h:464
          #3 0x5574d437e563 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_create(unsigned long&, unsigned long) /usr/include/c++/12/bits/basic_string.tcc:155
          #4 0x5574d437dff7 in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char const*>(char const*, char const*, std::forward_iterator_tag) /usr/include/c++/12/bits/basic_string.tcc:225
          #5 0x5574d48f8207 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(char const*, unsigned long, std::allocator<char> const&) /usr/include/c++/12/bits/basic_string.h:620
          #6 0x5574d48f308f in Histogram_json_hb::parse_bucket(st_json_engine_t*, Field*, double*, bool*, char const**) /data/bld/10.11-asan/sql/opt_histogram_json.cc:728
          #7 0x5574d48f390b in Histogram_json_hb::parse(st_mem_root*, char const*, char const*, Field*, char const*, unsigned long) /data/bld/10.11-asan/sql/opt_histogram_json.cc:793
          #8 0x5574d45f63fa in Column_stat::get_stat_values(Column_statistics*, st_mem_root*, bool) /data/bld/10.11-asan/sql/sql_statistics.cc:1270
          #9 0x5574d45e7dfa in read_statistics_for_table /data/bld/10.11-asan/sql/sql_statistics.cc:3095
          #10 0x5574d45e9ace in read_statistics_for_tables(THD*, TABLE_LIST*, bool) /data/bld/10.11-asan/sql/sql_statistics.cc:3352
          #11 0x5574d4842bb3 in mysql_admin_table /data/bld/10.11-asan/sql/sql_admin.cc:1389
          #12 0x5574d4844349 in Sql_cmd_analyze_table::execute(THD*) /data/bld/10.11-asan/sql/sql_admin.cc:1566
          #13 0x5574d435c904 in mysql_execute_command(THD*, bool) /data/bld/10.11-asan/sql/sql_parse.cc:6142
          #14 0x5574d43696bb in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/10.11-asan/sql/sql_parse.cc:8161
          #15 0x5574d433ee23 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/10.11-asan/sql/sql_parse.cc:1895
          #16 0x5574d433bb50 in do_command(THD*, bool) /data/bld/10.11-asan/sql/sql_parse.cc:1408
          #17 0x5574d4801bbf in do_handle_one_connection(CONNECT*, bool) /data/bld/10.11-asan/sql/sql_connect.cc:1417
          #18 0x5574d480157b in handle_one_connection /data/bld/10.11-asan/sql/sql_connect.cc:1319
          #19 0x5574d542c7ab in pfs_spawn_thread /data/bld/10.11-asan/storage/perfschema/pfs.cc:2201
          #20 0x7fc6e42a8043 in start_thread nptl/pthread_create.c:442
       
      Thread T5 created by T0 here:
          #0 0x7fc6e4e49726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
          #1 0x5574d54284e6 in my_thread_create /data/bld/10.11-asan/storage/perfschema/my_thread.h:52
          #2 0x5574d542cb9a in pfs_spawn_thread_v1 /data/bld/10.11-asan/storage/perfschema/pfs.cc:2252
          #3 0x5574d3f628d5 in inline_mysql_thread_create /data/bld/10.11-asan/include/mysql/psi/mysql_thread.h:1139
          #4 0x5574d3f7a7a9 in create_thread_to_handle_connection(CONNECT*) /data/bld/10.11-asan/sql/mysqld.cc:6176
          #5 0x5574d3f7adba in create_new_thread(CONNECT*) /data/bld/10.11-asan/sql/mysqld.cc:6235
          #6 0x5574d3f7b0a5 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/10.11-asan/sql/mysqld.cc:6297
          #7 0x5574d3f7ba29 in handle_connections_sockets() /data/bld/10.11-asan/sql/mysqld.cc:6421
          #8 0x5574d3f7a026 in mysqld_main(int, char**) /data/bld/10.11-asan/sql/mysqld.cc:6071
          #9 0x5574d3f61958 in main /data/bld/10.11-asan/sql/main.cc:34
          #10 0x7fc6e42461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
       
      SUMMARY: AddressSanitizer: heap-buffer-overflow /data/bld/10.11-asan/strings/ctype-uca-scanner_next.inl:125 in my_uca_scanner_next_with_nchars_utf8mb4
      Shadow bytes around the buggy address:
        0x0c227fffb610: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
        0x0c227fffb620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c227fffb630: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
        0x0c227fffb640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c227fffb650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0c227fffb660:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c227fffb670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c227fffb680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c227fffb690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c227fffb6a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c227fffb6b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==2136712==ABORTING
      

          People

            bar Alexander Barkov
            elenst Elena Stepanova