[MDEV-35490] MDEV-35393: 10.5: ASAN unknown-crash in Field_varstring::reset() on INSERT - Jira

Details

Type: Bug
Status: Open (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.5, 10.11, 11.2(EOL), 11.4, 11.6(EOL), 11.7(EOL), 11.8
Fix Version/s: 10.5, 10.11, 11.4
Component/s: Character Sets, Data types
Labels:
None

Description

Significantly connected with the fixed ~~MDEV-35393~~, we have this testcase:

SET sql_mode='';

SET SESSION collation_server=filename;

DROP SCHEMA test;

CREATE DATABASE test;

USE test;

CREATE TABLE t (c1 CHAR(1),c2 CHAR(255),c3 CHAR(255),c4 CHAR(255),c5 CHAR(255),c6 CHAR(255),c7 CHAR(255),c8 CHAR(255),c9 CHAR(255),c10 CHAR(255),c11 CHAR(255),c12 CHAR(255),c13 CHAR(255),c14 CHAR(255),c15 CHAR(255),c16 CHAR(255),c17 CHAR(255),c18 CHAR(255),c19 CHAR(255),c20 CHAR(255),c21 CHAR(255),c22 CHAR(255),c23 CHAR(255),c24 CHAR(255),c25 CHAR(255),c26 CHAR(255),c27 CHAR(255),c28 CHAR(255),c29 CHAR(255),c30 CHAR(255),c31 CHAR(255),c32 CHAR(255)) ENGINE=MEMORY;

INSERT INTO t VALUES ();

INSERT INTO t SELECT * FROM t;

Which leads to:

CS 10.5.28 cf2d49ddcfdb158e46dcd9cc575c54205b5eef50 (Optimized, UBASAN)
==3934225==ERROR: AddressSanitizer: unknown-crash on address 0x5310000462a6 at pc 0x5582c7e37e13 bp 0x14ab50efd840 sp 0x14ab50efcfe8
WRITE of size 1277 at 0x5310000462a6 thread T16
#0 0x5582c7e37e12 in memset (/test/UBASAN_MD221124-mariadb-10.5.28-linux-x86_64-opt/bin/mariadbd+0x7a48e12)
#1 0x5582c9aa18f6 in Field_varstring::reset() /test/10.5_opt_san/sql/field.h:4156
#2 0x5582c9ada85b in set_field_to_null_with_conversions(Field*, bool) /test/10.5_opt_san/sql/field_conv.cc:213
#3 0x5582c82ac912 in fill_record(THD, TABLE, Field**, List<Item>&, bool, bool, bool) /test/10.5_opt_san/sql/sql_base.cc:8911
#4 0x5582c82adfd5 in fill_record_n_invoke_before_triggers(THD, TABLE, Field**, List<Item>&, bool, trg_event_type) /test/10.5_opt_san/sql/sql_base.cc:8966
#5 0x5582c841a97e in select_insert::send_data(List<Item>&) /test/10.5_opt_san/sql/sql_insert.cc:4170
#6 0x5582c895035f in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/10.5_opt_san/sql/sql_class.h:5580
#7 0x5582c895035f in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/10.5_opt_san/sql/sql_class.h:5570
#8 0x5582c895035f in end_send /test/10.5_opt_san/sql/sql_select.cc:22518
#9 0x5582c8a24de5 in do_select /test/10.5_opt_san/sql/sql_select.cc:20762
#10 0x5582c8a24de5 in JOIN::exec_inner() /test/10.5_opt_san/sql/sql_select.cc:4661
#11 0x5582c8a29763 in JOIN::exec() /test/10.5_opt_san/sql/sql_select.cc:4441
#12 0x5582c8a167a3 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/10.5_opt_san/sql/sql_select.cc:4918
#13 0x5582c8a1ba10 in handle_select(THD, LEX, select_result*, unsigned long) /test/10.5_opt_san/sql/sql_select.cc:449
#14 0x5582c867aef5 in mysql_execute_command(THD*) /test/10.5_opt_san/sql/sql_parse.cc:4838
#15 0x5582c86865ee in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /test/10.5_opt_san/sql/sql_parse.cc:8237
#16 0x5582c8694634 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /test/10.5_opt_san/sql/sql_parse.cc:1891
#17 0x5582c86a7f20 in do_command(THD*) /test/10.5_opt_san/sql/sql_parse.cc:1375
#18 0x5582c8f509dc in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_san/sql/sql_connect.cc:1407
#19 0x5582c8f52a1c in handle_one_connection /test/10.5_opt_san/sql/sql_connect.cc:1319
#20 0x14ab7709ca93 in start_thread nptl/pthread_create.c:447
#21 0x14ab77129c3b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

0x5310000462a6 is located 39590 bytes inside of 79128-byte region [0x53100003c800,0x53100004fd18)
allocated by thread T16 here:
#0 0x5582c7eb2097 in __interceptor_malloc (/test/UBASAN_MD221124-mariadb-10.5.28-linux-x86_64-opt/bin/mariadbd+0x7ac3097)
#1 0x5582cc591be4 in my_malloc /test/10.5_opt_san/mysys/my_malloc.c:91
#2 0x5582cc56a70b in alloc_root /test/10.5_opt_san/mysys/my_alloc.c:244
#3 0x5582c8dd1a5f in open_table_from_share(THD, TABLE_SHARE, st_mysql_const_lex_string const, unsigned int, unsigned int, unsigned int, TABLE, bool, List<String>*) /test/10.5_opt_san/sql/table.cc:4075
#4 0x5582c82615bf in open_table(THD, TABLE_LIST, Open_table_context*) /test/10.5_opt_san/sql/sql_base.cc:2024
#5 0x5582c827acf9 in open_and_process_table /test/10.5_opt_san/sql/sql_base.cc:3819
#6 0x5582c827acf9 in open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /test/10.5_opt_san/sql/sql_base.cc:4303
#7 0x5582c828169c in open_and_lock_tables(THD, DDL_options_st const&, TABLE_LIST, bool, unsigned int, Prelocking_strategy*) /test/10.5_opt_san/sql/sql_base.cc:5250
#8 0x5582c846a8de in open_and_lock_tables(THD, TABLE_LIST, bool, unsigned int) /test/10.5_opt_san/sql/sql_base.h:509
#9 0x5582c846a8de in mysql_insert(THD, TABLE_LIST, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /test/10.5_opt_san/sql/sql_insert.cc:760
#10 0x5582c8660643 in mysql_execute_command(THD*) /test/10.5_opt_san/sql/sql_parse.cc:4650
#11 0x5582c86865ee in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /test/10.5_opt_san/sql/sql_parse.cc:8237
#12 0x5582c8694634 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /test/10.5_opt_san/sql/sql_parse.cc:1891
#13 0x5582c86a7f20 in do_command(THD*) /test/10.5_opt_san/sql/sql_parse.cc:1375
#14 0x5582c8f509dc in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_san/sql/sql_connect.cc:1407
#15 0x5582c8f52a1c in handle_one_connection /test/10.5_opt_san/sql/sql_connect.cc:1319
#16 0x14ab7709ca93 in start_thread nptl/pthread_create.c:447

Thread T16 created by T0 here:
#0 0x5582c7e55f45 in pthread_create (/test/UBASAN_MD221124-mariadb-10.5.28-linux-x86_64-opt/bin/mariadbd+0x7a66f45)
#1 0x5582c7f0885e in create_thread_to_handle_connection(CONNECT*) /test/10.5_opt_san/sql/mysqld.cc:6116
#2 0x5582c7f1a1ed in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/10.5_opt_san/sql/mysqld.cc:6240
#3 0x5582c7f1af82 in handle_connections_sockets() /test/10.5_opt_san/sql/mysqld.cc:6367
#4 0x5582c7f1ccc6 in run_main_loop /test/10.5_opt_san/sql/mysqld.cc:5357
#5 0x5582c7f1ccc6 in mysqld_main(int, char**) /test/10.5_opt_san/sql/mysqld.cc:5768
#6 0x14ab7702a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#7 0x14ab7702a28a in __libc_start_main_impl ../csu/libc-start.c:360
#8 0x5582c7e22d04 in _start (/test/UBASAN_MD221124-mariadb-10.5.28-linux-x86_64-opt/bin/mariadbd+0x7a33d04)

SUMMARY: AddressSanitizer: unknown-crash (/test/UBASAN_MD221124-mariadb-10.5.28-linux-x86_64-opt/bin/mariadbd+0x7a48e12) in memset
Shadow bytes around the buggy address:
0x0a6280000c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a6280000c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a6280000c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a6280000c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a6280000c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0a6280000c50: 00 00 00 00[06]00 00 00 00 00 00 00 00 00 00 00
0x0a6280000c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a6280000c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a6280000c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a6280000c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a6280000ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3934225==ABORTING
241123 9:37:58 [ERROR] mysqld got signal 6 ;

CS 10.5.28 cf2d49ddcfdb158e46dcd9cc575c54205b5eef50 (Debug, UBASAN)
==3934171==ERROR: AddressSanitizer: unknown-crash on address 0x5310000462a6 at pc 0x5644413b86e3 bp 0x14b764cfe2f0 sp 0x14b764cfda98
WRITE of size 1277 at 0x5310000462a6 thread T27
#0 0x5644413b86e2 in memset (/test/UBASAN_MD221124-mariadb-10.5.28-linux-x86_64-dbg/bin/mariadbd+0x84ec6e2)
#1 0x5644431044e8 in Field_varstring::reset() /test/10.5_dbg_san/sql/field.h:4156
#2 0x564443143172 in set_field_to_null_with_conversions(Field*, bool) /test/10.5_dbg_san/sql/field_conv.cc:213
#3 0x56444326387a in save_field_in_field /test/10.5_dbg_san/sql/item.cc:6769
#4 0x564443263ee1 in Item_field::save_in_field(Field*, bool) /test/10.5_dbg_san/sql/item.cc:6834
#5 0x56444184586b in fill_record(THD, TABLE, Field**, List<Item>&, bool, bool, bool) /test/10.5_dbg_san/sql/sql_base.cc:8911
#6 0x564441845dea in fill_record_n_invoke_before_triggers(THD, TABLE, Field**, List<Item>&, bool, trg_event_type) /test/10.5_dbg_san/sql/sql_base.cc:8966
#7 0x5644419b6535 in select_insert::store_values(List<Item>&) /test/10.5_dbg_san/sql/sql_insert.cc:4238
#8 0x5644419c0cbc in select_insert::send_data(List<Item>&) /test/10.5_dbg_san/sql/sql_insert.cc:4170
#9 0x564441eb8320 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/10.5_dbg_san/sql/sql_class.h:5580
#10 0x564441eb8320 in end_send /test/10.5_dbg_san/sql/sql_select.cc:22518
#11 0x564441fa9d65 in do_select /test/10.5_dbg_san/sql/sql_select.cc:20762
#12 0x564441fa9d65 in JOIN::exec_inner() /test/10.5_dbg_san/sql/sql_select.cc:4661
#13 0x564441fac0f3 in JOIN::exec() /test/10.5_dbg_san/sql/sql_select.cc:4441
#14 0x564441f9a396 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/10.5_dbg_san/sql/sql_select.cc:4918
#15 0x564441f9f9c7 in handle_select(THD, LEX, select_result*, unsigned long) /test/10.5_dbg_san/sql/sql_select.cc:449
#16 0x564441c17d8b in mysql_execute_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:4838
#17 0x564441c37ecf in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /test/10.5_dbg_san/sql/sql_parse.cc:8237
#18 0x564441c4765c in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /test/10.5_dbg_san/sql/sql_parse.cc:1891
#19 0x564441c55eb4 in do_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:1375
#20 0x56444254d868 in do_handle_one_connection(CONNECT*, bool) /test/10.5_dbg_san/sql/sql_connect.cc:1407
#21 0x56444254ea27 in handle_one_connection /test/10.5_dbg_san/sql/sql_connect.cc:1319
#22 0x14b78dc9ca93 in start_thread nptl/pthread_create.c:447
#23 0x14b78dd29c3b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

0x5310000462a6 is located 39590 bytes inside of 79128-byte region [0x53100003c800,0x53100004fd18)
allocated by thread T27 here:
#0 0x564441432967 in malloc (/test/UBASAN_MD221124-mariadb-10.5.28-linux-x86_64-dbg/bin/mariadbd+0x8566967)
#1 0x564445ea2a0c in my_malloc /test/10.5_dbg_san/mysys/my_malloc.c:91
#2 0x564445e80938 in alloc_root /test/10.5_dbg_san/mysys/my_alloc.c:244
#3 0x56444239e239 in open_table_from_share(THD, TABLE_SHARE, st_mysql_const_lex_string const, unsigned int, unsigned int, unsigned int, TABLE, bool, List<String>*) /test/10.5_dbg_san/sql/table.cc:4075
#4 0x5644417faaa1 in open_table(THD, TABLE_LIST, Open_table_context*) /test/10.5_dbg_san/sql/sql_base.cc:2024
#5 0x56444180f0d5 in open_and_process_table /test/10.5_dbg_san/sql/sql_base.cc:3819
#6 0x56444180f0d5 in open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /test/10.5_dbg_san/sql/sql_base.cc:4303
#7 0x564441817a37 in open_and_lock_tables(THD, DDL_options_st const&, TABLE_LIST, bool, unsigned int, Prelocking_strategy*) /test/10.5_dbg_san/sql/sql_base.cc:5250
#8 0x564441a0c7ec in open_and_lock_tables(THD, TABLE_LIST, bool, unsigned int) /test/10.5_dbg_san/sql/sql_base.h:509
#9 0x564441a0c7ec in mysql_insert(THD, TABLE_LIST, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /test/10.5_dbg_san/sql/sql_insert.cc:760
#10 0x564441c131fc in mysql_execute_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:4650
#11 0x564441c37ecf in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /test/10.5_dbg_san/sql/sql_parse.cc:8237
#12 0x564441c4765c in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /test/10.5_dbg_san/sql/sql_parse.cc:1891
#13 0x564441c55eb4 in do_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:1375
#14 0x56444254d868 in do_handle_one_connection(CONNECT*, bool) /test/10.5_dbg_san/sql/sql_connect.cc:1407
#15 0x56444254ea27 in handle_one_connection /test/10.5_dbg_san/sql/sql_connect.cc:1319
#16 0x14b78dc9ca93 in start_thread nptl/pthread_create.c:447

Thread T27 created by T0 here:
#0 0x5644413d6815 in pthread_create (/test/UBASAN_MD221124-mariadb-10.5.28-linux-x86_64-dbg/bin/mariadbd+0x850a815)
#1 0x56444148d56a in create_thread_to_handle_connection(CONNECT*) /test/10.5_dbg_san/sql/mysqld.cc:6116
#2 0x564441498ea8 in create_new_thread(CONNECT*) /test/10.5_dbg_san/sql/mysqld.cc:6175
#3 0x5644414995d0 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/10.5_dbg_san/sql/mysqld.cc:6240
#4 0x56444149a452 in handle_connections_sockets() /test/10.5_dbg_san/sql/mysqld.cc:6367
#5 0x5644414a117a in run_main_loop /test/10.5_dbg_san/sql/mysqld.cc:5357
#6 0x5644414a117a in mysqld_main(int, char**) /test/10.5_dbg_san/sql/mysqld.cc:5768
#7 0x56444147850a in main /test/10.5_dbg_san/sql/main.cc:25
#8 0x14b78dc2a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0x14b78dc2a28a in __libc_start_main_impl ../csu/libc-start.c:360
#10 0x5644413a35d4 in _start (/test/UBASAN_MD221124-mariadb-10.5.28-linux-x86_64-dbg/bin/mariadbd+0x84d75d4)

SUMMARY: AddressSanitizer: unknown-crash (/test/UBASAN_MD221124-mariadb-10.5.28-linux-x86_64-dbg/bin/mariadbd+0x84ec6e2) in memset
Shadow bytes around the buggy address:
0x0a6280000c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a6280000c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a6280000c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a6280000c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a6280000c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0a6280000c50: 00 00 00 00[06]00 00 00 00 00 00 00 00 00 00 00
0x0a6280000c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a6280000c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a6280000c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a6280000c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a6280000ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3934171==ABORTING
241123 9:37:59 [ERROR] mysqld got signal 6 ;

CS 11.2.6 67c0fd2a41034eae1ea04b81cace6a154783aedd (Optimized, UBASAN)
==3934223==ERROR: AddressSanitizer: unknown-crash on address 0x5310000462a6 at pc 0x5620a9e55a83 bp 0x14b12eefd1d0 sp 0x14b12eefc978
WRITE of size 1277 at 0x5310000462a6 thread T13
#0 0x5620a9e55a82 in __interceptor_memset (/test/UBASAN_MD221124-mariadb-11.2.6-linux-x86_64-opt/bin/mariadbd+0x82f3a82)
#1 0x5620abf2efa6 in Field_varstring::reset() /test/11.2_opt_san/sql/field.h:4202
#2 0x5620abf585bb in set_field_to_null_with_conversions(Field*, bool) /test/11.2_opt_san/sql/field_conv.cc:213
#3 0x5620aa451816 in fill_record(THD, TABLE, Field**, List<Item>&, bool, bool, bool) /test/11.2_opt_san/sql/sql_base.cc:9389
#4 0x5620aa453265 in fill_record_n_invoke_before_triggers(THD, TABLE, Field**, List<Item>&, bool, trg_event_type) /test/11.2_opt_san/sql/sql_base.cc:9444
#5 0x5620aa5f407e in select_insert::send_data(List<Item>&) /test/11.2_opt_san/sql/sql_insert.cc:4271
#6 0x5620aabe8ab3 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.2_opt_san/sql/sql_class.h:5990
#7 0x5620aabe8ab3 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.2_opt_san/sql/sql_class.h:5980
#8 0x5620aabe8ab3 in end_send /test/11.2_opt_san/sql/sql_select.cc:25413
#9 0x5620aacc1dac in do_select /test/11.2_opt_san/sql/sql_select.cc:23545
#10 0x5620aacc1dac in JOIN::exec_inner() /test/11.2_opt_san/sql/sql_select.cc:5045
#11 0x5620aacc6dd3 in JOIN::exec() /test/11.2_opt_san/sql/sql_select.cc:4822
#12 0x5620aacb426d in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/11.2_opt_san/sql/sql_select.cc:5360
#13 0x5620aacb7eb0 in handle_select(THD, LEX, select_result*, unsigned long long) /test/11.2_opt_san/sql/sql_select.cc:642
#14 0x5620aa865601 in mysql_execute_command(THD*, bool) /test/11.2_opt_san/sql/sql_parse.cc:4691
#15 0x5620aa870102 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.2_opt_san/sql/sql_parse.cc:7951
#16 0x5620aa880ffa in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.2_opt_san/sql/sql_parse.cc:1905
#17 0x5620aa8913a6 in do_command(THD*, bool) /test/11.2_opt_san/sql/sql_parse.cc:1418
#18 0x5620ab2625d4 in do_handle_one_connection(CONNECT*, bool) /test/11.2_opt_san/sql/sql_connect.cc:1429
#19 0x5620ab26460c in handle_one_connection /test/11.2_opt_san/sql/sql_connect.cc:1341
#20 0x14b153a9ca93 in start_thread nptl/pthread_create.c:447
#21 0x14b153b29c3b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

0x5310000462a6 is located 39590 bytes inside of 79128-byte region [0x53100003c800,0x53100004fd18)
allocated by thread T13 here:
#0 0x5620a9ecfd07 in __interceptor_malloc (/test/UBASAN_MD221124-mariadb-11.2.6-linux-x86_64-opt/bin/mariadbd+0x836dd07)
#1 0x5620ae7e57b4 in my_malloc /test/11.2_opt_san/mysys/my_malloc.c:93
#2 0x5620ae7bf40c in root_alloc /test/11.2_opt_san/mysys/my_alloc.c:66
#3 0x5620ae7bf40c in alloc_root /test/11.2_opt_san/mysys/my_alloc.c:332
#4 0x5620ab0d5114 in open_table_from_share(THD, TABLE_SHARE, st_mysql_const_lex_string const, unsigned int, unsigned int, unsigned int, TABLE, bool, List<String>*) /test/11.2_opt_san/sql/table.cc:4326
#5 0x5620aa404c99 in open_table(THD, TABLE_LIST, Open_table_context*) /test/11.2_opt_san/sql/sql_base.cc:2245
#6 0x5620aa422239 in open_and_process_table /test/11.2_opt_san/sql/sql_base.cc:4178
#7 0x5620aa422239 in open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /test/11.2_opt_san/sql/sql_base.cc:4664
#8 0x5620aa42672c in open_and_lock_tables(THD, DDL_options_st const&, TABLE_LIST, bool, unsigned int, Prelocking_strategy*) /test/11.2_opt_san/sql/sql_base.cc:5638
#9 0x5620aa649fe4 in open_and_lock_tables(THD, TABLE_LIST, bool, unsigned int) /test/11.2_opt_san/sql/sql_base.h:532
#10 0x5620aa649fe4 in mysql_insert(THD, TABLE_LIST, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /test/11.2_opt_san/sql/sql_insert.cc:774
#11 0x5620aa851085 in mysql_execute_command(THD*, bool) /test/11.2_opt_san/sql/sql_parse.cc:4500
#12 0x5620aa870102 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.2_opt_san/sql/sql_parse.cc:7951
#13 0x5620aa880ffa in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.2_opt_san/sql/sql_parse.cc:1905
#14 0x5620aa8913a6 in do_command(THD*, bool) /test/11.2_opt_san/sql/sql_parse.cc:1418
#15 0x5620ab2625d4 in do_handle_one_connection(CONNECT*, bool) /test/11.2_opt_san/sql/sql_connect.cc:1429
#16 0x5620ab26460c in handle_one_connection /test/11.2_opt_san/sql/sql_connect.cc:1341
#17 0x14b153a9ca93 in start_thread nptl/pthread_create.c:447

Thread T13 created by T0 here:
#0 0x5620a9e73bb5 in pthread_create (/test/UBASAN_MD221124-mariadb-11.2.6-linux-x86_64-opt/bin/mariadbd+0x8311bb5)
#1 0x5620a9f2961e in create_thread_to_handle_connection(CONNECT*) /test/11.2_opt_san/sql/mysqld.cc:6246
#2 0x5620a9f3d1af in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.2_opt_san/sql/mysqld.cc:6370
#3 0x5620a9f3e107 in handle_connections_sockets() /test/11.2_opt_san/sql/mysqld.cc:6494
#4 0x5620a9f41113 in run_main_loop /test/11.2_opt_san/sql/mysqld.cc:5746
#5 0x5620a9f41113 in mysqld_main(int, char**) /test/11.2_opt_san/sql/mysqld.cc:6147
#6 0x14b153a2a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#7 0x14b153a2a28a in __libc_start_main_impl ../csu/libc-start.c:360
#8 0x5620a9e40974 in _start (/test/UBASAN_MD221124-mariadb-11.2.6-linux-x86_64-opt/bin/mariadbd+0x82de974)

SUMMARY: AddressSanitizer: unknown-crash (/test/UBASAN_MD221124-mariadb-11.2.6-linux-x86_64-opt/bin/mariadbd+0x82f3a82) in __interceptor_memset
Shadow bytes around the buggy address:
0x0a6280000c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a6280000c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a6280000c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a6280000c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a6280000c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0a6280000c50: 00 00 00 00[06]00 00 00 00 00 00 00 00 00 00 00
0x0a6280000c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a6280000c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a6280000c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a6280000c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a6280000ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3934223==ABORTING
241123 9:37:59 [ERROR] mysqld got signal 6 ;

CS 11.2.6 67c0fd2a41034eae1ea04b81cace6a154783aedd (Debug, UBASAN)
==3651054==ERROR: AddressSanitizer: unknown-crash on address 0x5310000462a6 at pc 0x55d3130e8793 bp 0x14e3392fdc80 sp 0x14e3392fd428
WRITE of size 1277 at 0x5310000462a6 thread T12
#0 0x55d3130e8792 in memset (/test/UBASAN_MD221124-mariadb-11.2.6-linux-x86_64-dbg/bin/mariadbd+0x8879792)
#1 0x55d3152dbe08 in Field_varstring::reset() /test/11.2_dbg_san/sql/field.h:4202
#2 0x55d31530a6b1 in set_field_to_null_with_conversions(Field*, bool) /test/11.2_dbg_san/sql/field_conv.cc:213
#3 0x55d3154348a6 in save_field_in_field /test/11.2_dbg_san/sql/item.cc:6902
#4 0x55d315434ea3 in Item_field::save_in_field(Field*, bool) /test/11.2_dbg_san/sql/item.cc:6964
#5 0x55d3136d0789 in fill_record(THD, TABLE, Field**, List<Item>&, bool, bool, bool) /test/11.2_dbg_san/sql/sql_base.cc:9389
#6 0x55d3136d0cca in fill_record_n_invoke_before_triggers(THD, TABLE, Field**, List<Item>&, bool, trg_event_type) /test/11.2_dbg_san/sql/sql_base.cc:9444
#7 0x55d31386b8e9 in select_insert::store_values(List<Item>&) /test/11.2_dbg_san/sql/sql_insert.cc:4337
#8 0x55d313877324 in select_insert::send_data(List<Item>&) /test/11.2_dbg_san/sql/sql_insert.cc:4271
#9 0x55d313e07b06 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.2_dbg_san/sql/sql_class.h:5990
#10 0x55d313e07b06 in end_send /test/11.2_dbg_san/sql/sql_select.cc:25413
#11 0x55d313f2d52c in do_select /test/11.2_dbg_san/sql/sql_select.cc:23545
#12 0x55d313f2d52c in JOIN::exec_inner() /test/11.2_dbg_san/sql/sql_select.cc:5045
#13 0x55d313f2faaa in JOIN::exec() /test/11.2_dbg_san/sql/sql_select.cc:4822
#14 0x55d313f1dc63 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/11.2_dbg_san/sql/sql_select.cc:5360
#15 0x55d313f221b1 in handle_select(THD, LEX, select_result*, unsigned long long) /test/11.2_dbg_san/sql/sql_select.cc:642
#16 0x55d313aeaf6c in mysql_execute_command(THD*, bool) /test/11.2_dbg_san/sql/sql_parse.cc:4691
#17 0x55d313b07b6b in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.2_dbg_san/sql/sql_parse.cc:7951
#18 0x55d313b16d93 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.2_dbg_san/sql/sql_parse.cc:1905
#19 0x55d313b255fe in do_command(THD*, bool) /test/11.2_dbg_san/sql/sql_parse.cc:1418
#20 0x55d314549936 in do_handle_one_connection(CONNECT*, bool) /test/11.2_dbg_san/sql/sql_connect.cc:1429
#21 0x55d31454aaf5 in handle_one_connection /test/11.2_dbg_san/sql/sql_connect.cc:1341
#22 0x14e35dc9ca93 in start_thread nptl/pthread_create.c:447
#23 0x14e35dd29c3b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

0x5310000462a6 is located 39590 bytes inside of 79128-byte region [0x53100003c800,0x53100004fd18)
allocated by thread T12 here:
#0 0x55d313162a17 in malloc (/test/UBASAN_MD221124-mariadb-11.2.6-linux-x86_64-dbg/bin/mariadbd+0x88f3a17)
#1 0x55d317fea2fd in my_malloc /test/11.2_dbg_san/mysys/my_malloc.c:93
#2 0x55d317fc0f01 in root_alloc /test/11.2_dbg_san/mysys/my_alloc.c:66
#3 0x55d317fc235b in alloc_root /test/11.2_dbg_san/mysys/my_alloc.c:332
#4 0x55d31439122d in open_table_from_share(THD, TABLE_SHARE, st_mysql_const_lex_string const, unsigned int, unsigned int, unsigned int, TABLE, bool, List<String>*) /test/11.2_dbg_san/sql/table.cc:4326
#5 0x55d313683bc2 in open_table(THD, TABLE_LIST, Open_table_context*) /test/11.2_dbg_san/sql/sql_base.cc:2245
#6 0x55d31369ba90 in open_and_process_table /test/11.2_dbg_san/sql/sql_base.cc:4178
#7 0x55d31369ba90 in open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /test/11.2_dbg_san/sql/sql_base.cc:4664
#8 0x55d3136a28bf in open_and_lock_tables(THD, DDL_options_st const&, TABLE_LIST, bool, unsigned int, Prelocking_strategy*) /test/11.2_dbg_san/sql/sql_base.cc:5638
#9 0x55d3138c8286 in open_and_lock_tables(THD, TABLE_LIST, bool, unsigned int) /test/11.2_dbg_san/sql/sql_base.h:532
#10 0x55d3138c8286 in mysql_insert(THD, TABLE_LIST, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /test/11.2_dbg_san/sql/sql_insert.cc:774
#11 0x55d313ae5e31 in mysql_execute_command(THD*, bool) /test/11.2_dbg_san/sql/sql_parse.cc:4500
#12 0x55d313b07b6b in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.2_dbg_san/sql/sql_parse.cc:7951
#13 0x55d313b16d93 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.2_dbg_san/sql/sql_parse.cc:1905
#14 0x55d313b255fe in do_command(THD*, bool) /test/11.2_dbg_san/sql/sql_parse.cc:1418
#15 0x55d314549936 in do_handle_one_connection(CONNECT*, bool) /test/11.2_dbg_san/sql/sql_connect.cc:1429
#16 0x55d31454aaf5 in handle_one_connection /test/11.2_dbg_san/sql/sql_connect.cc:1341
#17 0x14e35dc9ca93 in start_thread nptl/pthread_create.c:447

Thread T12 created by T0 here:
#0 0x55d3131068c5 in __interceptor_pthread_create (/test/UBASAN_MD221124-mariadb-11.2.6-linux-x86_64-dbg/bin/mariadbd+0x88978c5)
#1 0x55d3131bbd85 in create_thread_to_handle_connection(CONNECT*) /test/11.2_dbg_san/sql/mysqld.cc:6246
#2 0x55d3131cfc16 in create_new_thread(CONNECT*) /test/11.2_dbg_san/sql/mysqld.cc:6308
#3 0x55d3131d0496 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.2_dbg_san/sql/mysqld.cc:6370
#4 0x55d3131d14dd in handle_connections_sockets() /test/11.2_dbg_san/sql/mysqld.cc:6494
#5 0x55d3131d6016 in run_main_loop /test/11.2_dbg_san/sql/mysqld.cc:5746
#6 0x55d3131d6016 in mysqld_main(int, char**) /test/11.2_dbg_san/sql/mysqld.cc:6147
#7 0x55d3131a85ba in main /test/11.2_dbg_san/sql/main.cc:34
#8 0x14e35dc2a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0x14e35dc2a28a in __libc_start_main_impl ../csu/libc-start.c:360
#10 0x55d3130d3684 in _start (/test/UBASAN_MD221124-mariadb-11.2.6-linux-x86_64-dbg/bin/mariadbd+0x8864684)

SUMMARY: AddressSanitizer: unknown-crash (/test/UBASAN_MD221124-mariadb-11.2.6-linux-x86_64-dbg/bin/mariadbd+0x8879792) in memset
Shadow bytes around the buggy address:
0x0a6280000c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a6280000c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a6280000c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a6280000c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a6280000c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0a6280000c50: 00 00 00 00[06]00 00 00 00 00 00 00 00 00 00 00
0x0a6280000c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a6280000c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a6280000c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a6280000c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a6280000ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3651054==ABORTING
241123 9:04:31 [ERROR] mysqld got signal 6 ;

However, it does not crash 10.6, which is likely due to the ~~MDEV-35393~~ fix. Normally I would have added this as a simple comment to ~~MDEV-35393~~, however 10.5 was not listed as an affected nor fixed version, leading to this new report. The stack also differs a bit which may warrant investigation.

All UniqueID's/stacks seen with this testcase:

ASAN|unknown-crash|sql/field.h|__interceptor_memset|Field_varstring::reset|set_field_to_null_with_conversions|fill_record

ASAN|unknown-crash|sql/field.h|__interceptor_memset|Field_varstring::reset|set_field_to_null_with_conversions|save_field_in_field

ASAN|unknown-crash|sql/field.h|memset|Field_varstring::reset|set_field_to_null_with_conversions|fill_record

ASAN|unknown-crash|sql/field.h|memset|Field_varstring::reset|set_field_to_null_with_conversions|save_field_in_field

Bug confirmed present in:
MariaDB: 10.5.28 (dbg), 10.5.28 (opt), 10.11.11 (dbg), 10.11.11 (opt), 11.2.6 (dbg), 11.2.6 (opt), 11.4.5 (dbg), 11.4.5 (opt), 11.6.2 (dbg), 11.6.2 (opt), 11.7.1 (dbg), 11.7.1 (opt), 11.8.0 (dbg), 11.8.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.6.21 (dbg), 10.6.21 (opt)

Possibly backporting the 10.6 fix to 10.5 will suffice, though the slightly offset stacks may need review also.

Attachments

Issue Links

relates to

MDEV-35392 Assertion `!__asan_region_is_poisoned((vo id*) dest,templ->mysql_col_len)' failed in void row_sel_field_store_in_mysql_format_func(byte *, const mysql_row_templ_t *, const byte *, ulint)

Closed

MDEV-35393 ASAN unknown-crash in Field_varstring::reset when inserting NULL value to a table with filename charset

Closed

Activity

Roel Van de Paar added a comment - 2024-11-22 22:55

Also see https://jira.mariadb.org/browse/MDEV-35392?focusedCommentId=294948&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-294948 - ~~MDEV-35392~~ was/is equally present in 10.5.

Roel Van de Paar added a comment - 2024-11-22 22:55 Also see https://jira.mariadb.org/browse/MDEV-35392?focusedCommentId=294948&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-294948 - MDEV-35392 was/is equally present in 10.5.

People

Assignee:: Alexander Barkov

Reporter:: Roel Van de Paar

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2024-11-22 22:51

Updated:: 2025-02-14 11:39

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server