MariaDB Server / MDEV-35546

[Draft] ASAN errors in wsrep_before_SE

Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 10.5
    • 10.5
    • wsrep
    • None

    Description

      Reproducible, needs something in a reportable form.

      10.5 rel-asan 235f33e3606b79c5e3b75f4cfd1ca6d92320e9a2

      ==2400557==ERROR: AddressSanitizer: heap-use-after-free on address 0x6040000dd4a8 at pc 0x7f93736a8596 bp 0x7f9365f6ed90 sp 0x7f9365f6e540
      READ of size 1 at 0x6040000dd4a8 thread T6
          #0 0x7f93736a8595 in __interceptor_strcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:466
          #1 0x55b72f17d240 in wsrep_before_SE() /data/bld/10.5-rel-asan/sql/wsrep_sst.cc:364
          #2 0x55b72fb52974 in wsrep::server_state::on_sync() /data/bld/10.5-rel-asan/wsrep-lib/src/server_state.cpp:1063
          #3 0x55b72fb894fb in synced_cb /data/bld/10.5-rel-asan/wsrep-lib/src/wsrep_provider_v26.cpp:531
          #4 0x7f9370a71d22 in galera::ReplicatorSMM::process_sync(long) galera/src/replicator_smm.cpp:3104
          #5 0x7f9370a9b25d in galera::GcsActionSource::process(void*, bool&) galera/src/gcs_action_source.cpp:186
          #6 0x7f9370a6fa60 in galera::ReplicatorSMM::async_recv(void*) galera/src/replicator_smm.cpp:404
          #7 0x7f9370a4abaa in galera_recv galera/src/wsrep_provider.cpp:265
          #8 0x55b72fb8cdd5 in wsrep::wsrep_provider_v26::run_applier(wsrep::high_priority_service*) /data/bld/10.5-rel-asan/wsrep-lib/src/wsrep_provider_v26.cpp:866
          #9 0x55b72f19975e in wsrep_replication_process /data/bld/10.5-rel-asan/sql/wsrep_thd.cc:57
          #10 0x55b72f1691b9 in start_wsrep_THD(void*) /data/bld/10.5-rel-asan/sql/wsrep_mysqld.cc:3338
          #11 0x55b72f01631b in pfs_spawn_thread /data/bld/10.5-rel-asan/storage/perfschema/pfs.cc:2201
          #12 0x7f9372ca8043 in start_thread nptl/pthread_create.c:442
          #13 0x7f9372d2861b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
      0x6040000dd4a8 is located 24 bytes inside of 40-byte region [0x6040000dd490,0x6040000dd4b8)
      freed by thread T52 here:
          #0 0x7f93736b76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
          #1 0x55b72e463694 in Sys_var_charptr_base::global_update_finish(char*) /data/bld/10.5-rel-asan/sql/sys_vars.inl:580
          #2 0x55b72e463694 in Sys_var_charptr_base::global_update(THD*, set_var*) /data/bld/10.5-rel-asan/sql/sys_vars.inl:587
          #3 0x55b72ddb717f in sys_var::update(THD*, set_var*) /data/bld/10.5-rel-asan/sql/set_var.cc:207
          #4 0x55b72ddb83f0 in set_var::update(THD*) /data/bld/10.5-rel-asan/sql/set_var.cc:859
          #5 0x55b72ddbbed5 in sql_set_variables(THD*, List<set_var_base>*, bool) /data/bld/10.5-rel-asan/sql/set_var.cc:746
          #6 0x55b72e058b5f in mysql_execute_command(THD*) /data/bld/10.5-rel-asan/sql/sql_parse.cc:5173
          #7 0x55b72e063a95 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/bld/10.5-rel-asan/sql/sql_parse.cc:8236
          #8 0x55b72e069e25 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/bld/10.5-rel-asan/sql/sql_parse.cc:1892
          #9 0x55b72e071045 in do_command(THD*) /data/bld/10.5-rel-asan/sql/sql_parse.cc:1376
          #10 0x55b72e413b0f in do_handle_one_connection(CONNECT*, bool) /data/bld/10.5-rel-asan/sql/sql_connect.cc:1417
          #11 0x55b72e4141ac in handle_one_connection /data/bld/10.5-rel-asan/sql/sql_connect.cc:1319
          #12 0x55b72f01631b in pfs_spawn_thread /data/bld/10.5-rel-asan/storage/perfschema/pfs.cc:2201
          #13 0x7f9372ca8043 in start_thread nptl/pthread_create.c:442
      previously allocated by thread T52 here:
          #0 0x7f93736b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
          #1 0x55b72f9d89f3 in my_malloc /data/bld/10.5-rel-asan/mysys/my_malloc.c:91
          #2 0x55b72f9d8f27 in my_memdup /data/bld/10.5-rel-asan/mysys/my_malloc.c:223
          #3 0x55b72e463564 in Sys_var_charptr_base::global_update_prepare(THD*, set_var*) /data/bld/10.5-rel-asan/sql/sys_vars.inl:568
          #4 0x55b72e463564 in Sys_var_charptr_base::global_update(THD*, set_var*) /data/bld/10.5-rel-asan/sql/sys_vars.inl:586
          #5 0x55b72ddb717f in sys_var::update(THD*, set_var*) /data/bld/10.5-rel-asan/sql/set_var.cc:207
          #6 0x55b72ddb83f0 in set_var::update(THD*) /data/bld/10.5-rel-asan/sql/set_var.cc:859
          #7 0x55b72ddbbed5 in sql_set_variables(THD*, List<set_var_base>*, bool) /data/bld/10.5-rel-asan/sql/set_var.cc:746
          #8 0x55b72e058b5f in mysql_execute_command(THD*) /data/bld/10.5-rel-asan/sql/sql_parse.cc:5173
          #9 0x55b72e063a95 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/bld/10.5-rel-asan/sql/sql_parse.cc:8236
          #10 0x55b72e069e25 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/bld/10.5-rel-asan/sql/sql_parse.cc:1892
          #11 0x55b72e071045 in do_command(THD*) /data/bld/10.5-rel-asan/sql/sql_parse.cc:1376
          #12 0x55b72e413b0f in do_handle_one_connection(CONNECT*, bool) /data/bld/10.5-rel-asan/sql/sql_connect.cc:1417
          #13 0x55b72e4141ac in handle_one_connection /data/bld/10.5-rel-asan/sql/sql_connect.cc:1319
          #14 0x55b72f01631b in pfs_spawn_thread /data/bld/10.5-rel-asan/storage/perfschema/pfs.cc:2201
          #15 0x7f9372ca8043 in start_thread nptl/pthread_create.c:442
      Thread T6 created by T0 here:
          #0 0x7f9373649726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
          #1 0x55b72f0165a8 in my_thread_create /data/bld/10.5-rel-asan/storage/perfschema/my_thread.h:52
          #2 0x55b72f0165a8 in pfs_spawn_thread_v1 /data/bld/10.5-rel-asan/storage/perfschema/pfs.cc:2252
          #3 0x55b72f193cd4 in inline_mysql_thread_create /data/bld/10.5-rel-asan/include/mysql/psi/mysql_thread.h:1323
          #4 0x55b72f193cd4 in create_wsrep_THD /data/bld/10.5-rel-asan/sql/wsrep_thd.cc:91
          #5 0x55b72f194232 in wsrep_create_appliers(long, bool) /data/bld/10.5-rel-asan/sql/wsrep_thd.cc:137
          #6 0x55b72f167bbc in wsrep_init_startup(bool) /data/bld/10.5-rel-asan/sql/wsrep_mysqld.cc:988
          #7 0x55b72dd7d624 in init_server_components /data/bld/10.5-rel-asan/sql/mysqld.cc:4930
          #8 0x55b72dd8830e in mysqld_main(int, char**) /data/bld/10.5-rel-asan/sql/mysqld.cc:5589
          #9 0x7f9372c461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
      Thread T52 created by T0 here:
          #0 0x7f9373649726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
          #1 0x55b72f0165a8 in my_thread_create /data/bld/10.5-rel-asan/storage/perfschema/my_thread.h:52
          #2 0x55b72f0165a8 in pfs_spawn_thread_v1 /data/bld/10.5-rel-asan/storage/perfschema/pfs.cc:2252
          #3 0x55b72dd7b07f in inline_mysql_thread_create /data/bld/10.5-rel-asan/include/mysql/psi/mysql_thread.h:1323
          #4 0x55b72dd7b07f in create_thread_to_handle_connection(CONNECT*) /data/bld/10.5-rel-asan/sql/mysqld.cc:6111
          #5 0x55b72dd867f2 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/10.5-rel-asan/sql/mysqld.cc:6235
          #6 0x55b72dd871ba in handle_connections_sockets() /data/bld/10.5-rel-asan/sql/mysqld.cc:6362
          #7 0x55b72dd88f0b in mysqld_main(int, char**) /data/bld/10.5-rel-asan/sql/mysqld.cc:5757
          #8 0x7f9372c461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
      SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:466 in __interceptor_strcmp
      ==2400557==ABORTING
      

      randgen 9e96d49d8e9e07a434e36b13387a01734a545078

      WSREP_PROVIDER=/home/elenst/galera/galera-26.4.20.so perl ./run.pl --compatibility=100599  --queries=1000000 --reporters=Backtrace,Deadlock,MemoryUsage,FeatureUsage --mysqld=--plugin-maturity=experimental --gendata=advanced --gendata=conf/zz/oltp.zz --gendata=conf/zz/innodb.zz --threads=6 --duration=200 --mysqld=--max-statement-time=20 --mysqld=--lock-wait-timeout=10 --mysqld=--innodb-lock-wait-timeout=5 --variator=ExecuteAsSPTwice --variator=RemoveIndexHints --variator=InlineSubqueries --mysqld=--innodb_checksum_algorithm=full_crc32 --grammar=conf/yy/wsrep.yy --engine=InnoDB --scenario=Galera --grammar=conf/yy/all_selects.yy:0.0001 --filter=conf/ff/replication.ff --mysqld=--transaction-isolation=SERIALIZABLE --mysqld=--explicit-defaults-for-timestamp=on --mysqld=--div_precision_increment=0 --mysqld=--query-cache-type=2 --mysqld=--delay_key_write=OFF --mysqld=--sync_frm=OFF --mysqld=--userstat=ON --base-port=14000 --basedir=/data/bld/10.5-rel-asan --vardir=/dev/shm/var-rqg1a --seed=1733013383
      

          People

            elenst Elena Stepanova
            elenst Elena Stepanova