[MDEV-35375] SIGSEGV in spider_send_query when using HANDLER ... READ ... NEXT, thread hang, ASAN: heap-use-after-free in spider_send_query - Jira

XML

Word

Printable

Details

Type: Bug
Status: Open (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.5, 10.6, 10.11, 11.2, 11.4, 11.6, 11.7
Fix Version/s: 10.5, 10.6, 10.11, 11.2, 11.4, 11.6
Component/s: Storage Engine - Spider
Labels:
- ASAN
- mutex
- thread_hang

Description

INSTALL PLUGIN Spider SONAME 'ha_spider.so';

CREATE TABLE t (c INT, KEY(c)) ENGINE=Spider;

HANDLER t OPEN;

HANDLER t READ c NEXT;

SELECT * FROM t;

HANDLER t READ c NEXT;

Leads to:

CS 11.2.6 12a91b57e27b979819924cf89614e6e51f24b37b (Debug)
2024-11-09 11:16:51 4 [ERROR] mysql_ha_read: Got error 12701 when reading table 't'

CS 11.2.6 12a91b57e27b979819924cf89614e6e51f24b37b (Debug)
Core was generated by `/test/MD141024-mariadb-11.2.6-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 spider_send_query (spider=spider@entry=0x14b9c004cfe0, table=0x14b9c00546e8, link_idx=link_idx@entry=0, link_ok=0, error_num=error_num@entry=0x14ba0d1b2b20)at /test/11.2_dbg/storage/spider/ha_spider.cc:1360

[Current thread is 1 (LWP 2034817)]
(gdb) bt
#0 spider_send_query (spider=spider@entry=0x14b9c004cfe0, table=0x14b9c00546e8, link_idx=link_idx@entry=0, link_ok=0, error_num=error_num@entry=0x14ba0d1b2b20)at /test/11.2_dbg/storage/spider/ha_spider.cc:1360
#1 0x000014ba0af9b2b2 in ha_spider::index_first_internal (this=0x14b9c004cfe0, buf=0x14b9c046d148 "\377")at /test/11.2_dbg/storage/spider/ha_spider.cc:1914
#2 0x000014ba0af9b442 in ha_spider::index_first (this=0x14b9c004cfe0, buf=0x14b9c046d148 "\377")at /test/11.2_dbg/storage/spider/ha_spider.cc:1970
#3 0x0000555dd653480e in handler::ha_index_first (this=0x14b9c004cfe0, buf=0x14b9c046d148 "\377") at /test/11.2_dbg/sql/handler.cc:3844
#4 0x0000555dd61d368e in mysql_ha_read (thd=thd@entry=0x14b9c0000d58, tables=tables@entry=0x14b9c00137a0, mode=<optimized out>, keyname=0x14b9c0013eb0 "c", key_expr=<optimized out>, ha_rkey_mode=HA_READ_KEY_EXACT, cond=0x0, select_limit_cnt=1, offset_limit_cnt=0) at /test/11.2_dbg/sql/sql_handler.cc:918
#5 0x0000555dd6220731 in mysql_execute_command (thd=thd@entry=0x14b9c0000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false)at /test/11.2_dbg/sql/sql_limit.h:94
#6 0x0000555dd62232ce in mysql_parse (thd=thd@entry=0x14b9c0000d58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14ba0d1b32a0)at /test/11.2_dbg/sql/sql_parse.cc:7938
#7 0x0000555dd6225786 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14b9c0000d58, packet=packet@entry=0x14b9c000b319 "", packet_length=packet_length@entry=21, blocking=blocking@entry=true)at /test/11.2_dbg/sql/sql_class.h:248
#8 0x0000555dd62279c2 in do_command (thd=0x14b9c0000d58, blocking=blocking@entry=true) at /test/11.2_dbg/sql/sql_parse.cc:1407
#9 0x0000555dd6394fe7 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x555dd9772608, put_in_cache=put_in_cache@entry=true)at /test/11.2_dbg/sql/sql_connect.cc:1439
#10 0x0000555dd63952ef in handle_one_connection (arg=arg@entry=0x555dd9772608)at /test/11.2_dbg/sql/sql_connect.cc:1341
#11 0x0000555dd67dcf14 in pfs_spawn_thread (arg=0x555dd96c5328)at /test/11.2_dbg/storage/perfschema/pfs.cc:2201
#12 0x000014ba13e9ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
#13 0x000014ba13f29c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

And on an UB+ASAN builds we see a heap-use-after-free in spider_send_query:

CS 11.7.0 35cebfdc513f92b143b1a7229c480f4f684f1698 (Optimized, UBASAN)
2024-11-09 11:24:48 0 [Note] /test/UBASAN_MD171024-mariadb-11.7.0-linux-x86_64-opt/bin/mariadbd: ready for connections.
Version: '11.7.0-MariaDB' socket: '/test/UBASAN_MD171024-mariadb-11.7.0-linux-x86_64-opt/socket.sock' port: 12916 MariaDB Server
2024-11-09 11:24:49 5 [ERROR] mysql_ha_read: Got error 12701 when reading table 't'
=================================================================
==2872507==ERROR: AddressSanitizer: heap-use-after-free on address 0x51d000366314 at pc 0x14e3873e5aba bp 0x14e3886fce90 sp 0x14e3886fce80
READ of size 4 at 0x51d000366314 thread T12
#0 0x14e3873e5ab9 in spider_send_query /test/11.7_opt_san/storage/spider/ha_spider.cc:1359
#1 0x14e3874084d8 in ha_spider::index_first_internal(unsigned char*) /test/11.7_opt_san/storage/spider/ha_spider.cc:1914
#2 0x55d61e06fcfd in handler::ha_index_first(unsigned char*) /test/11.7_opt_san/sql/handler.cc:3917
#3 0x55d61c5d1f66 in mysql_ha_read(THD, TABLE_LIST, enum_ha_read_modes, char const, List<Item>, ha_rkey_function, Item*, unsigned long long, unsigned long long) /test/11.7_opt_san/sql/sql_handler.cc:917
#4 0x55d61c870859 in mysql_execute_command(THD*, bool) /test/11.7_opt_san/sql/sql_parse.cc:5463
#5 0x55d61c886922 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.7_opt_san/sql/sql_parse.cc:7889
#6 0x55d61c89832a in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.7_opt_san/sql/sql_parse.cc:1892
#7 0x55d61c8a8fe6 in do_command(THD*, bool) /test/11.7_opt_san/sql/sql_parse.cc:1405
#8 0x55d61d2b237c in do_handle_one_connection(CONNECT*, bool) /test/11.7_opt_san/sql/sql_connect.cc:1448
#9 0x55d61d2b49b4 in handle_one_connection /test/11.7_opt_san/sql/sql_connect.cc:1350
#10 0x14e3ad89ca93 in start_thread nptl/pthread_create.c:447
#11 0x14e3ad929c3b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

0x51d000366314 is located 660 bytes inside of 2384-byte region [0x51d000366080,0x51d0003669d0)
freed by thread T12 here:
#0 0x55d61beb2da7 in free (/test/UBASAN_MD171024-mariadb-11.7.0-linux-x86_64-opt/bin/mariadbd+0x8513da7)
#1 0x14e387394cc7 in spider_free_mem(st_spider_transaction, void, unsigned long) /test/11.7_opt_san/storage/spider/spd_malloc.cc:182
#2 0x14e3872ac8e9 in spider_free_conn(st_spider_conn*) /test/11.7_opt_san/storage/spider/spd_conn.cc:823
#3 0x14e3871cb362 in spider_free_trx_conn(st_spider_transaction*, bool) /test/11.7_opt_san/storage/spider/spd_trx.cc:113
#4 0x14e3871e6024 in spider_rollback(handlerton, THD, bool) /test/11.7_opt_san/storage/spider/spd_trx.cc:3219
#5 0x55d61e04480e in ha_rollback_trans(THD*, bool) /test/11.7_opt_san/sql/handler.cc:2336
#6 0x55d61d3472f6 in trans_rollback_stmt(THD*) /test/11.7_opt_san/sql/transaction.cc:566
#7 0x55d61c5d0370 in mysql_ha_read(THD, TABLE_LIST, enum_ha_read_modes, char const, List<Item>, ha_rkey_function, Item*, unsigned long long, unsigned long long) /test/11.7_opt_san/sql/sql_handler.cc:1021
#8 0x55d61c870859 in mysql_execute_command(THD*, bool) /test/11.7_opt_san/sql/sql_parse.cc:5463
#9 0x55d61c886922 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.7_opt_san/sql/sql_parse.cc:7889
#10 0x55d61c89832a in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.7_opt_san/sql/sql_parse.cc:1892
#11 0x55d61c8a8fe6 in do_command(THD*, bool) /test/11.7_opt_san/sql/sql_parse.cc:1405
#12 0x55d61d2b237c in do_handle_one_connection(CONNECT*, bool) /test/11.7_opt_san/sql/sql_connect.cc:1448
#13 0x55d61d2b49b4 in handle_one_connection /test/11.7_opt_san/sql/sql_connect.cc:1350
#14 0x14e3ad89ca93 in start_thread nptl/pthread_create.c:447

previously allocated by thread T12 here:
#0 0x55d61beb30f7 in malloc (/test/UBASAN_MD171024-mariadb-11.7.0-linux-x86_64-opt/bin/mariadbd+0x85140f7)
#1 0x55d6208bfb84 in my_malloc /test/11.7_opt_san/mysys/my_malloc.c:93
#2 0x14e38739515b in spider_bulk_alloc_mem(st_spider_transaction, unsigned int, char const, char const*, unsigned long, unsigned long, ...) /test/11.7_opt_san/storage/spider/spd_malloc.cc:230
#3 0x14e3872b9db8 in spider_create_conn(st_spider_share, ha_spider, int, int, int*) /test/11.7_opt_san/storage/spider/spd_conn.cc:423
#4 0x14e3872c3ea2 in spider_get_conn(st_spider_share, int, char, st_spider_transaction, ha_spider, bool, bool, int*) /test/11.7_opt_san/storage/spider/spd_conn.cc:728
#5 0x14e3872e642f in spider_share_get_conns(ha_spider, st_spider_share, int*) /test/11.7_opt_san/storage/spider/spd_table.cc:5191
#6 0x14e38734d2f2 in spider_init_share(char const, TABLE, THD, ha_spider, int, st_spider_share, TABLE_SHARE*, bool) /test/11.7_opt_san/storage/spider/spd_table.cc:5461
#7 0x14e38734f10b in spider_get_share(char const, TABLE, THD, ha_spider, int*) /test/11.7_opt_san/storage/spider/spd_table.cc:5575
#8 0x14e38742fd7c in ha_spider::open(char const*, int, unsigned int) /test/11.7_opt_san/storage/spider/ha_spider.cc:311
#9 0x55d61e0613a0 in handler::ha_open(TABLE, char const, int, unsigned int, st_mem_root, List<String>) /test/11.7_opt_san/sql/handler.cc:3615
#10 0x55d61d115e76 in open_table_from_share(THD, TABLE_SHARE, st_mysql_const_lex_string const, unsigned int, unsigned int, unsigned int, TABLE, bool, List<String>*) /test/11.7_opt_san/sql/table.cc:4603
#11 0x55d61c3ff2cc in open_table(THD, TABLE_LIST, Open_table_context*) /test/11.7_opt_san/sql/sql_base.cc:2240
#12 0x55d61c41d2d9 in open_and_process_table /test/11.7_opt_san/sql/sql_base.cc:4174
#13 0x55d61c41d2d9 in open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /test/11.7_opt_san/sql/sql_base.cc:4660
#14 0x55d61c5caddf in open_tables(THD, TABLE_LIST, unsigned int, unsigned int) /test/11.7_opt_san/sql/sql_base.h:502
#15 0x55d61c5caddf in mysql_ha_open(THD, TABLE_LIST, SQL_HANDLER*) /test/11.7_opt_san/sql/sql_handler.cc:349
#16 0x55d61c870ca1 in mysql_execute_command(THD*, bool) /test/11.7_opt_san/sql/sql_parse.cc:5448
#17 0x55d61c886922 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.7_opt_san/sql/sql_parse.cc:7889
#18 0x55d61c89832a in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.7_opt_san/sql/sql_parse.cc:1892
#19 0x55d61c8a8fe6 in do_command(THD*, bool) /test/11.7_opt_san/sql/sql_parse.cc:1405
#20 0x55d61d2b237c in do_handle_one_connection(CONNECT*, bool) /test/11.7_opt_san/sql/sql_connect.cc:1448
#21 0x55d61d2b49b4 in handle_one_connection /test/11.7_opt_san/sql/sql_connect.cc:1350
#22 0x14e3ad89ca93 in start_thread nptl/pthread_create.c:447

Thread T12 created by T0 here:
#0 0x55d61be56fa5 in __interceptor_pthread_create (/test/UBASAN_MD171024-mariadb-11.7.0-linux-x86_64-opt/bin/mariadbd+0x84b7fa5)
#1 0x55d61bf0d2de in create_thread_to_handle_connection(CONNECT*) /test/11.7_opt_san/sql/mysqld.cc:6271
#2 0x55d61bf2170f in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.7_opt_san/sql/mysqld.cc:6395
#3 0x55d61bf227f7 in handle_connections_sockets() /test/11.7_opt_san/sql/mysqld.cc:6508
#4 0x55d61bf25a0c in mysqld_main(int, char**) /test/11.7_opt_san/sql/mysqld.cc:6166
#5 0x14e3ad82a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#6 0x14e3ad82a28a in __libc_start_main_impl ../csu/libc-start.c:360
#7 0x55d61be23d64 in _start (/test/UBASAN_MD171024-mariadb-11.7.0-linux-x86_64-opt/bin/mariadbd+0x8484d64)

SUMMARY: AddressSanitizer: heap-use-after-free /test/11.7_opt_san/storage/spider/ha_spider.cc:1359 in spider_send_query
Shadow bytes around the buggy address:
0x0a3a80064c10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0a3a80064c20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0a3a80064c30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0a3a80064c40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0a3a80064c50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0a3a80064c60: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0a3a80064c70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0a3a80064c80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0a3a80064c90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0a3a80064ca0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0a3a80064cb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2872507==ABORTING
241109 11:24:50 [ERROR] mysqld got signal 6 ;

CS 11.7.0 35cebfdc513f92b143b1a7229c480f4f684f1698 (Debug, UBASAN)
2024-11-09 11:25:16 0 [Note] /test/UBASAN_MD171024-mariadb-11.7.0-linux-x86_64-dbg/bin/mariadbd: ready for connections.
Version: '11.7.0-MariaDB-debug' socket: '/test/UBASAN_MD171024-mariadb-11.7.0-linux-x86_64-dbg/socket.sock' port: 12099 MariaDB Server
2024-11-09 11:25:17 5 [ERROR] mysql_ha_read: Got error 12701 when reading table 't'
=================================================================
==2888025==ERROR: AddressSanitizer: heap-use-after-free on address 0x51f0000abb94 at pc 0x14f49e1c4054 bp 0x14f49f4fd9e0 sp 0x14f49f4fd9d0
READ of size 4 at 0x51f0000abb94 thread T12
#0 0x14f49e1c4053 in spider_send_query /test/11.7_dbg_san/storage/spider/ha_spider.cc:1359
#1 0x14f49e1e3fbe in ha_spider::index_first_internal(unsigned char*) /test/11.7_dbg_san/storage/spider/ha_spider.cc:1914
#2 0x14f49e1e4ede in ha_spider::index_first(unsigned char*) /test/11.7_dbg_san/storage/spider/ha_spider.cc:1970
#3 0x55754659f5b4 in handler::ha_index_first(unsigned char*) /test/11.7_dbg_san/sql/handler.cc:3917
#4 0x5575449ddbee in mysql_ha_read(THD, TABLE_LIST, enum_ha_read_modes, char const, List<Item>, ha_rkey_function, Item*, unsigned long long, unsigned long long) /test/11.7_dbg_san/sql/sql_handler.cc:917
#5 0x557544c8909e in mysql_execute_command(THD*, bool) /test/11.7_dbg_san/sql/sql_parse.cc:5463
#6 0x557544c95d98 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.7_dbg_san/sql/sql_parse.cc:7889
#7 0x557544ca5d12 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.7_dbg_san/sql/sql_parse.cc:1892
#8 0x557544cb4925 in do_command(THD*, bool) /test/11.7_dbg_san/sql/sql_parse.cc:1405
#9 0x557545716917 in do_handle_one_connection(CONNECT*, bool) /test/11.7_dbg_san/sql/sql_connect.cc:1448
#10 0x557545717e45 in handle_one_connection /test/11.7_dbg_san/sql/sql_connect.cc:1350
#11 0x14f4c489ca93 in start_thread nptl/pthread_create.c:447
#12 0x14f4c4929c3b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

0x51f0000abb94 is located 788 bytes inside of 3152-byte region [0x51f0000ab880,0x51f0000ac4d0)
freed by thread T12 here:
#0 0x5575442c7707 in __interceptor_free (/test/UBASAN_MD171024-mariadb-11.7.0-linux-x86_64-dbg/bin/mariadbd+0x8a89707)
#1 0x557549221235 in my_free /test/11.7_dbg_san/mysys/my_malloc.c:221
#2 0x14f49e16dace in spider_free_mem(st_spider_transaction, void, unsigned long) /test/11.7_dbg_san/storage/spider/spd_malloc.cc:182
#3 0x14f49e08b8df in spider_free_conn(st_spider_conn*) /test/11.7_dbg_san/storage/spider/spd_conn.cc:823
#4 0x14f49e0aa257 in spider_free_conn_from_trx(st_spider_transaction, st_spider_conn, bool, bool, int*) /test/11.7_dbg_san/storage/spider/spd_conn.cc:370
#5 0x14f49dfb6aad in spider_free_trx_conn(st_spider_transaction*, bool) /test/11.7_dbg_san/storage/spider/spd_trx.cc:113
#6 0x14f49dfcdc2d in spider_rollback(handlerton, THD, bool) /test/11.7_dbg_san/storage/spider/spd_trx.cc:3219
#7 0x55754657f439 in ha_rollback_trans(THD*, bool) /test/11.7_dbg_san/sql/handler.cc:2336
#8 0x5575457b7cdc in trans_rollback_stmt(THD*) /test/11.7_dbg_san/sql/transaction.cc:566
#9 0x5575449e0828 in mysql_ha_read(THD, TABLE_LIST, enum_ha_read_modes, char const, List<Item>, ha_rkey_function, Item*, unsigned long long, unsigned long long) /test/11.7_dbg_san/sql/sql_handler.cc:1021
#10 0x557544c8909e in mysql_execute_command(THD*, bool) /test/11.7_dbg_san/sql/sql_parse.cc:5463
#11 0x557544c95d98 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.7_dbg_san/sql/sql_parse.cc:7889
#12 0x557544ca5d12 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.7_dbg_san/sql/sql_parse.cc:1892
#13 0x557544cb4925 in do_command(THD*, bool) /test/11.7_dbg_san/sql/sql_parse.cc:1405
#14 0x557545716917 in do_handle_one_connection(CONNECT*, bool) /test/11.7_dbg_san/sql/sql_connect.cc:1448
#15 0x557545717e45 in handle_one_connection /test/11.7_dbg_san/sql/sql_connect.cc:1350
#16 0x14f4c489ca93 in start_thread nptl/pthread_create.c:447

previously allocated by thread T12 here:
#0 0x5575442c7a57 in __interceptor_malloc (/test/UBASAN_MD171024-mariadb-11.7.0-linux-x86_64-dbg/bin/mariadbd+0x8a89a57)
#1 0x557549220eb5 in my_malloc /test/11.7_dbg_san/mysys/my_malloc.c:93
#2 0x14f49e16df01 in spider_bulk_alloc_mem(st_spider_transaction, unsigned int, char const, char const*, unsigned long, unsigned long, ...) /test/11.7_dbg_san/storage/spider/spd_malloc.cc:230
#3 0x14f49e09838c in spider_create_conn(st_spider_share, ha_spider, int, int, int*) /test/11.7_dbg_san/storage/spider/spd_conn.cc:423
#4 0x14f49e09f5a6 in spider_get_conn(st_spider_share, int, char, st_spider_transaction, ha_spider, bool, bool, int*) /test/11.7_dbg_san/storage/spider/spd_conn.cc:728
#5 0x14f49e0bfc5a in spider_share_get_conns(ha_spider, st_spider_share, int*) /test/11.7_dbg_san/storage/spider/spd_table.cc:5191
#6 0x14f49e124179 in spider_init_share(char const, TABLE, THD, ha_spider, int, st_spider_share, TABLE_SHARE*, bool) /test/11.7_dbg_san/storage/spider/spd_table.cc:5461
#7 0x14f49e125592 in spider_get_share(char const, TABLE, THD, ha_spider, int*) /test/11.7_dbg_san/storage/spider/spd_table.cc:5575
#8 0x14f49e205488 in ha_spider::open(char const*, int, unsigned int) /test/11.7_dbg_san/storage/spider/ha_spider.cc:311
#9 0x55754658ec64 in handler::ha_open(TABLE, char const, int, unsigned int, st_mem_root, List<String>) /test/11.7_dbg_san/sql/handler.cc:3615
#10 0x55754554586e in open_table_from_share(THD, TABLE_SHARE, st_mysql_const_lex_string const, unsigned int, unsigned int, unsigned int, TABLE, bool, List<String>*) /test/11.7_dbg_san/sql/table.cc:4603
#11 0x5575448329ff in open_table(THD, TABLE_LIST, Open_table_context*) /test/11.7_dbg_san/sql/sql_base.cc:2240
#12 0x557544841946 in open_and_process_table /test/11.7_dbg_san/sql/sql_base.cc:4174
#13 0x557544841946 in open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /test/11.7_dbg_san/sql/sql_base.cc:4660
#14 0x5575449d3b26 in open_tables(THD, TABLE_LIST, unsigned int, unsigned int) /test/11.7_dbg_san/sql/sql_base.h:502
#15 0x5575449d3b26 in mysql_ha_open(THD, TABLE_LIST, SQL_HANDLER*) /test/11.7_dbg_san/sql/sql_handler.cc:349
#16 0x557544c88baa in mysql_execute_command(THD*, bool) /test/11.7_dbg_san/sql/sql_parse.cc:5448
#17 0x557544c95d98 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.7_dbg_san/sql/sql_parse.cc:7889
#18 0x557544ca5d12 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.7_dbg_san/sql/sql_parse.cc:1892
#19 0x557544cb4925 in do_command(THD*, bool) /test/11.7_dbg_san/sql/sql_parse.cc:1405
#20 0x557545716917 in do_handle_one_connection(CONNECT*, bool) /test/11.7_dbg_san/sql/sql_connect.cc:1448
#21 0x557545717e45 in handle_one_connection /test/11.7_dbg_san/sql/sql_connect.cc:1350
#22 0x14f4c489ca93 in start_thread nptl/pthread_create.c:447

Thread T12 created by T0 here:
#0 0x55754426b905 in pthread_create (/test/UBASAN_MD171024-mariadb-11.7.0-linux-x86_64-dbg/bin/mariadbd+0x8a2d905)
#1 0x557544320f83 in create_thread_to_handle_connection(CONNECT*) /test/11.7_dbg_san/sql/mysqld.cc:6271
#2 0x557544335aa5 in create_new_thread(CONNECT*) /test/11.7_dbg_san/sql/mysqld.cc:6333
#3 0x557544336325 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.7_dbg_san/sql/mysqld.cc:6395
#4 0x5575443375aa in handle_connections_sockets() /test/11.7_dbg_san/sql/mysqld.cc:6508
#5 0x55754433bfc9 in mysqld_main(int, char**) /test/11.7_dbg_san/sql/mysqld.cc:6166
#6 0x55754430d5fa in main /test/11.7_dbg_san/sql/main.cc:34
#7 0x14f4c482a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#8 0x14f4c482a28a in __libc_start_main_impl ../csu/libc-start.c:360
#9 0x5575442386c4 in _start (/test/UBASAN_MD171024-mariadb-11.7.0-linux-x86_64-dbg/bin/mariadbd+0x89fa6c4)

SUMMARY: AddressSanitizer: heap-use-after-free /test/11.7_dbg_san/storage/spider/ha_spider.cc:1359 in spider_send_query
Shadow bytes around the buggy address:
0x0a3e8000d720: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0a3e8000d730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0a3e8000d740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0a3e8000d750: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0a3e8000d760: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0a3e8000d770: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0a3e8000d780: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0a3e8000d790: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0a3e8000d7a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0a3e8000d7b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0a3e8000d7c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2888025==ABORTING
241109 11:25:18 [ERROR] mysqld got signal 6 ;

Bug confirmed present in:
MariaDB: 10.5.27 (dbg), 10.6.20 (dbg), 10.11.10 (dbg), 10.11.10 (opt), 11.2.6 (dbg), 11.4.4 (dbg), 11.4.4 (opt), 11.6.2 (dbg), 11.6.2 (opt), 11.7.0 (dbg), 11.7.0 (opt)

Special:
MariaDB: 10.5.27 (opt), 10.6.20 (opt), 11.2.6 (opt)

For 10.5.27 and 10.6.20 opt we only see:

CS 10.6.20 cd97caef84a842cf388866cfc0a0ec32b86a9c13 (Optimized)
2024-11-09 11:08:10 4 [ERROR] mysql_ha_read: Got error 12701 when reading table 't'
2024-11-09 11:08:10 4 [ERROR] mysql_ha_read: Got error 12701 when reading table 't'

But the testcase does not SIGSEGV for these two optimized builds. 11.2.6 opt otoh shows a thread hang:

CS 11.2.6 12a91b57e27b979819924cf89614e6e51f24b37b (Optimized)
11.2.6-opt> SHOW PROCESSLIST;
+----+-------------+-----------+------+---------+------+----------------------------------------------------+-----------------------+----------+
\| Id \| User \| Host \| db \| Command \| Time \| State \| Info \| Progress \|
+----+-------------+-----------+------+---------+------+----------------------------------------------------+-----------------------+----------+
\| 4 \| root \| localhost \| test \| Query \| 253 \| starting \| HANDLER t READ c NEXT \| 0.000 \|
\| 5 \| system user \| \| NULL \| Daemon \| NULL \| Spider table background statistics action handler \| NULL \| 0.000 \|
\| 6 \| system user \| \| NULL \| Daemon \| NULL \| Spider table background cardinality action handler \| NULL \| 0.000 \|
\| 7 \| root \| localhost \| test \| Query \| 0 \| starting \| show processlist \| 0.000 \|
+----+-------------+-----------+------+---------+------+----------------------------------------------------+-----------------------+----------+
4 rows in set (0.000 sec)

This thread hang looks to be deterministic.

Attachments

Activity

People

Assignee:: Yuchen Pei

Reporter:: Roel Van de Paar

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2024-11-09 00:14

Updated:: 2024-11-09 00:40

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.