[MDEV-35852] ASAN heap-use-after-free in WSREP_DEBUG after INSERT DELAYED - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.6, 11.4
Fix Version/s: 10.5.28, 10.6.21, 10.11.11, 11.4.5, 11.7.2
Component/s: Galera
Labels:
- regression

Description

The failure used to happen in 10.5/10.6-enterprise, but was fixed long ago in MENT-668, and isn't reproducible there anymore. Of course, 10.5/10.6-ES still fail with leak sanitizer issues, but that's a different problem, not specific to this particular scenario.

There is a commit related to MENT-668 in 11.4-enterprise, too, but either it isn't sufficient anymore, or it was overridden by something else. So, technically it is a regression, thus I'm filing it as "critical". The scenario itself isn't of any importance, and the workaround is "don't do it", but the bigger concern is that what in general happened in 11.4 ES that the failure re-appeared.

Put the test case under suite/galera/t.
The library version doesn't make a difference, I tried to run it with galera 26.4.20 ES and CS, and with 26.4.14 from Debian repos, the result was the same.

--source include/galera_cluster.inc

CREATE TABLE t (a INT) ENGINE=InnoDB;

--error ER_DELAYED_NOT_SUPPORTED

INSERT DELAYED INTO t VALUES ();

DROP TABLE t;

11.4-enterprise 00388266725b1a89880d19ee420cc9e0a07d34e7
==657424==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300009eb18 at pc 0x7fd907662571 bp 0x7fd8eebb3c70 sp 0x7fd8eebb3420
READ of size 2 at 0x60300009eb18 thread T25
2025-01-11 21:59:09 0 [Note] /share8t/bld/11.4-enterprise-asan/sql/mariadbd (initiated by: unknown): Normal shutdown
2025-01-11 21:59:09 0 [Note] WSREP: Shutdown replication
2025-01-11 21:59:09 0 [Note] WSREP: Server status change synced -> disconnecting
2025-01-11 21:59:09 0 [Note] WSREP: Closing send monitor...
2025-01-11 21:59:09 0 [Note] WSREP: Closed send monitor.
2025-01-11 21:59:09 0 [Note] WSREP: gcomm: terminating thread
2025-01-11 21:59:09 0 [Note] WSREP: gcomm: joining thread
#0 0x7fd907662570 in __interceptor_strnlen ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:403
#1 0x55a489a44c5e in process_str_arg /data/bld/11.4-enterprise-asan/strings/my_vsnprintf.c:277
#2 0x55a489a4911c in my_vsnprintf_ex /data/bld/11.4-enterprise-asan/strings/my_vsnprintf.c:729
#3 0x55a489a4a25c in my_vsnprintf /data/bld/11.4-enterprise-asan/strings/my_vsnprintf.c:816
#4 0x55a4886fce23 in vprint_msg_to_blackbox(loglevel, char const, __va_list_tag) /data/bld/11.4-enterprise-asan/sql/log.cc:9989
#5 0x55a4886fd703 in sql_print_information_bb(char const*, ...) /data/bld/11.4-enterprise-asan/sql/log.cc:10048
#6 0x55a48835fdeb in ha_rollback_trans(THD*, bool) /data/bld/11.4-enterprise-asan/sql/handler.cc:2380
#7 0x55a487ef0c0e in trans_rollback(THD*) /data/bld/11.4-enterprise-asan/sql/transaction.cc:387
#8 0x55a487877e1c in THD::cleanup() /data/bld/11.4-enterprise-asan/sql/sql_class.cc:1664
#9 0x55a48787888a in THD::free_connection() /data/bld/11.4-enterprise-asan/sql/sql_class.cc:1742
#10 0x55a4878793f3 in THD::~THD() /data/bld/11.4-enterprise-asan/sql/sql_class.cc:1836
#11 0x55a48792a831 in Delayed_insert::~Delayed_insert() /data/bld/11.4-enterprise-asan/sql/sql_insert.cc:2510
#12 0x55a48792a85d in Delayed_insert::~Delayed_insert() /data/bld/11.4-enterprise-asan/sql/sql_insert.cc:2510
#13 0x55a487911e3f in handle_delayed_insert /data/bld/11.4-enterprise-asan/sql/sql_insert.cc:3569
#14 0x55a488b438a9 in pfs_spawn_thread /data/bld/11.4-enterprise-asan/storage/perfschema/pfs.cc:2201
#15 0x7fd906ea8043 in start_thread nptl/pthread_create.c:442
#16 0x7fd906f2861b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x60300009eb18 is located 24 bytes inside of 32-byte region [0x60300009eb00,0x60300009eb20)
freed by thread T25 here:
#0 0x7fd9076b76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
#1 0x55a4898fceb4 in my_free /data/bld/11.4-enterprise-asan/mysys/my_malloc.c:221
#2 0x55a48792a782 in Delayed_insert::~Delayed_insert() /data/bld/11.4-enterprise-asan/sql/sql_insert.cc:2507
#3 0x55a48792a85d in Delayed_insert::~Delayed_insert() /data/bld/11.4-enterprise-asan/sql/sql_insert.cc:2510
#4 0x55a487911e3f in handle_delayed_insert /data/bld/11.4-enterprise-asan/sql/sql_insert.cc:3569
#5 0x55a488b438a9 in pfs_spawn_thread /data/bld/11.4-enterprise-asan/storage/perfschema/pfs.cc:2201
#6 0x7fd906ea8043 in start_thread nptl/pthread_create.c:442

previously allocated by thread T24 here:
#0 0x7fd9076b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x55a4898fbfe5 in my_malloc /data/bld/11.4-enterprise-asan/mysys/my_malloc.c:93
#2 0x55a4898fd3e0 in my_strndup /data/bld/11.4-enterprise-asan/mysys/my_malloc.c:254
#3 0x55a48790a753 in delayed_get_table /data/bld/11.4-enterprise-asan/sql/sql_insert.cc:2650
#4 0x55a4878fc492 in open_and_lock_for_insert_delayed /data/bld/11.4-enterprise-asan/sql/sql_insert.cc:590
#5 0x55a4878fd3a7 in mysql_insert(THD, TABLE_LIST, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /data/bld/11.4-enterprise-asan/sql/sql_insert.cc:769
#6 0x55a4879cf34f in mysql_execute_command(THD*, bool) /data/bld/11.4-enterprise-asan/sql/sql_parse.cc:4482
#7 0x55a4879e7610 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/bld/11.4-enterprise-asan/sql/sql_parse.cc:7924
#8 0x55a4879e60c8 in wsrep_mysql_parse /data/bld/11.4-enterprise-asan/sql/sql_parse.cc:7734
#9 0x55a4879bdcf4 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/bld/11.4-enterprise-asan/sql/sql_parse.cc:1899
#10 0x55a4879bab2d in do_command(THD*, bool) /data/bld/11.4-enterprise-asan/sql/sql_parse.cc:1425
#11 0x55a487ea8f08 in do_handle_one_connection(CONNECT*, bool) /data/bld/11.4-enterprise-asan/sql/sql_connect.cc:1429
#12 0x55a487ea8a67 in handle_one_connection /data/bld/11.4-enterprise-asan/sql/sql_connect.cc:1341
#13 0x55a488b438a9 in pfs_spawn_thread /data/bld/11.4-enterprise-asan/storage/perfschema/pfs.cc:2201
#14 0x7fd906ea8043 in start_thread nptl/pthread_create.c:442

Thread T25 created by T24 here:
#0 0x7fd907649726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
#1 0x55a488b3f5e4 in my_thread_create /data/bld/11.4-enterprise-asan/storage/perfschema/my_thread.h:52
#2 0x55a488b43c98 in pfs_spawn_thread_v1 /data/bld/11.4-enterprise-asan/storage/perfschema/pfs.cc:2252
#3 0x55a4878f8929 in inline_mysql_thread_create /data/bld/11.4-enterprise-asan/include/mysql/psi/mysql_thread.h:1139
#4 0x55a48790ac11 in delayed_get_table /data/bld/11.4-enterprise-asan/sql/sql_insert.cc:2683
#5 0x55a4878fc492 in open_and_lock_for_insert_delayed /data/bld/11.4-enterprise-asan/sql/sql_insert.cc:590
#6 0x55a4878fd3a7 in mysql_insert(THD, TABLE_LIST, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /data/bld/11.4-enterprise-asan/sql/sql_insert.cc:769
#7 0x55a4879cf34f in mysql_execute_command(THD*, bool) /data/bld/11.4-enterprise-asan/sql/sql_parse.cc:4482
#8 0x55a4879e7610 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/bld/11.4-enterprise-asan/sql/sql_parse.cc:7924
#9 0x55a4879e60c8 in wsrep_mysql_parse /data/bld/11.4-enterprise-asan/sql/sql_parse.cc:7734
#10 0x55a4879bdcf4 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/bld/11.4-enterprise-asan/sql/sql_parse.cc:1899
#11 0x55a4879bab2d in do_command(THD*, bool) /data/bld/11.4-enterprise-asan/sql/sql_parse.cc:1425
#12 0x55a487ea8f08 in do_handle_one_connection(CONNECT*, bool) /data/bld/11.4-enterprise-asan/sql/sql_connect.cc:1429
#13 0x55a487ea8a67 in handle_one_connection /data/bld/11.4-enterprise-asan/sql/sql_connect.cc:1341
#14 0x55a488b438a9 in pfs_spawn_thread /data/bld/11.4-enterprise-asan/storage/perfschema/pfs.cc:2201
#15 0x7fd906ea8043 in start_thread nptl/pthread_create.c:442

Thread T24 created by T0 here:
#0 0x7fd907649726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
#1 0x55a488b3f5e4 in my_thread_create /data/bld/11.4-enterprise-asan/storage/perfschema/my_thread.h:52
#2 0x55a488b43c98 in pfs_spawn_thread_v1 /data/bld/11.4-enterprise-asan/storage/perfschema/pfs.cc:2252
#3 0x55a4875e3920 in inline_mysql_thread_create /data/bld/11.4-enterprise-asan/include/mysql/psi/mysql_thread.h:1139
#4 0x55a4875fc1e1 in create_thread_to_handle_connection(CONNECT*) /data/bld/11.4-enterprise-asan/sql/mysqld.cc:6291
#5 0x55a4875fc806 in create_new_thread(CONNECT*) /data/bld/11.4-enterprise-asan/sql/mysqld.cc:6353
#6 0x55a4875fcaf1 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/11.4-enterprise-asan/sql/mysqld.cc:6415
#7 0x55a4875fd779 in handle_connections_sockets() /data/bld/11.4-enterprise-asan/sql/mysqld.cc:6528
#8 0x55a4875fa27f in run_main_loop /data/bld/11.4-enterprise-asan/sql/mysqld.cc:5759
#9 0x55a4875fbab0 in mysqld_main(int, char**) /data/bld/11.4-enterprise-asan/sql/mysqld.cc:6192
#10 0x55a4875e2be8 in main /data/bld/11.4-enterprise-asan/sql/main.cc:34
#11 0x7fd906e461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:403 in __interceptor_strnlen
Shadow bytes around the buggy address:
0x0c068000bd10: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
0x0c068000bd20: fd fd fa fa fd fd fd fa fa fa fd fd fd fd fa fa
0x0c068000bd30: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fa
0x0c068000bd40: fa fa fd fd fd fa fa fa 00 00 00 00 fa fa 00 00
0x0c068000bd50: 00 00 fa fa 00 00 00 00 fa fa fd fd fd fd fa fa
=>0x0c068000bd60: fd fd fd[fd]fa fa fd fd fd fd fa fa fd fd fd fd
0x0c068000bd70: fa fa fd fd fd fd fa fa fd fd fd fd fa fa 00 00
0x0c068000bd80: 00 fa fa fa 00 00 00 fa fa fa fd fd fd fd fa fa
0x0c068000bd90: 00 00 00 00 fa fa fd fd fd fd fa fa fd fd fd fd
0x0c068000bda0: fa fa fd fd fd fd fa fa 00 00 00 00 fa fa fd fd
0x0c068000bdb0: fd fa fa fa fd fd fd fd fa fa fd fd fd fd fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==657424==ABORTING

Attachments

Activity

Transition	Time In Source Status	Execution Times

Jan Lindström made transition - 2025-01-15 06:09

Open

In Progress

3d 9h 54m

Jan Lindström made transition - 2025-01-16 09:50

In Progress

In Review

1d 3h 41m

Julius Goryavsky made transition - 2025-01-20 15:11

In Review

Stalled

4d 5h 20m

Julius Goryavsky made transition - 2025-01-20 15:13

Stalled

Closed

1m 36s

People

Assignee:: Julius Goryavsky

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2025-01-11 20:15

Updated:: 2025-02-02 17:32

Resolved:: 2025-01-20 15:13

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server