MariaDB Server / MDEV-35943

ASAN errors in Query_arena::free_items / fill_schema_table_from_frm

Details

    Description

      The test case below uses sys.schema_auto_increment_columns. It is not strictly necessary; it can be replaced, at least, with a user's view of the identical definition. But for whatever reason, on my machine it usually takes only a few attempts to fail when it uses the sys view, but 50-100 attempts if it uses an identical custom view. So I'll keep the sys view; the test case is non-deterministic enough already. I assume it will be re-written for the final commit anyway.

      --source include/have_innodb.inc
      --connect (con1,localhost,root,,)
      # con1: start an I_S query over all tables (the trace shows it in fill_schema_table_from_frm)
      --send
        CREATE TEMPORARY TABLE tmp ENGINE=InnoDB AS select * from sys.schema_auto_increment_columns;
      # default: create tables while that scan is running; t1 carries a CHECK constraint
      --connection default
      CREATE TABLE t1 (a INT, CHECK (a IS NULL OR a IS TRUE));
      CREATE TABLE t2 (b INT) ENGINE=InnoDB;

      --connection con1
      --reap
      DROP TABLE t1, t2;
      --disconnect con1

      10.6 d77b9a4925c971364707d435028add41e8015173

      =================================================================
      ==1460037==ERROR: AddressSanitizer: heap-use-after-free on address 0x6250002a5aa8 at pc 0x556a1355e021 bp 0x7f403615e060 sp 0x7f403615e058
      READ of size 8 at 0x6250002a5aa8 thread T12
          #0 0x556a1355e020 in Query_arena::free_items() /data/bld/10.6-asan/sql/sql_class.cc:4017
          #1 0x556a13a15b07 in closefrm(TABLE*) /data/bld/10.6-asan/sql/table.cc:4665
          #2 0x556a1386a28b in fill_schema_table_from_frm /data/bld/10.6-asan/sql/sql_show.cc:5098
          #3 0x556a1386bd60 in get_all_tables(THD*, TABLE_LIST*, Item*) /data/bld/10.6-asan/sql/sql_show.cc:5359
          #4 0x556a1389fd23 in get_schema_tables_result(JOIN*, enum_schema_table_state) /data/bld/10.6-asan/sql/sql_show.cc:9042
          #5 0x556a1376676c in JOIN::exec_inner() /data/bld/10.6-asan/sql/sql_select.cc:4896
          #6 0x556a137644ed in JOIN::exec() /data/bld/10.6-asan/sql/sql_select.cc:4717
          #7 0x556a1376896c in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/bld/10.6-asan/sql/sql_select.cc:5196
          #8 0x556a1373737b in handle_select(THD*, LEX*, select_result*, unsigned long) /data/bld/10.6-asan/sql/sql_select.cc:573
          #9 0x556a1395a313 in Sql_cmd_create_table_like::execute(THD*) /data/bld/10.6-asan/sql/sql_table.cc:12292
          #10 0x556a13695b84 in mysql_execute_command(THD*, bool) /data/bld/10.6-asan/sql/sql_parse.cc:6166
          #11 0x556a136a2d5f in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/10.6-asan/sql/sql_parse.cc:8208
          #12 0x556a13678122 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/10.6-asan/sql/sql_parse.cc:1908
          #13 0x556a13674e56 in do_command(THD*, bool) /data/bld/10.6-asan/sql/sql_parse.cc:1421
          #14 0x556a13af78c0 in do_handle_one_connection(CONNECT*, bool) /data/bld/10.6-asan/sql/sql_connect.cc:1386
          #15 0x556a13af741f in handle_one_connection /data/bld/10.6-asan/sql/sql_connect.cc:1298
          #16 0x556a14770965 in pfs_spawn_thread /data/bld/10.6-asan/storage/perfschema/pfs.cc:2201
          #17 0x7f40464a81c3 in start_thread nptl/pthread_create.c:442
          #18 0x7f404652885b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
       
      0x6250002a5aa8 is located 424 bytes inside of 8240-byte region [0x6250002a5900,0x6250002a7930)
      freed by thread T12 here:
          #0 0x7f40470b76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
          #1 0x556a154ebc7e in my_free /data/bld/10.6-asan/mysys/my_malloc.c:213
          #2 0x556a154c08fb in free_root /data/bld/10.6-asan/mysys/my_alloc.c:435
          #3 0x556a13a14eee in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /data/bld/10.6-asan/sql/table.cc:4559
          #4 0x556a1386a087 in fill_schema_table_from_frm /data/bld/10.6-asan/sql/sql_show.cc:5082
          #5 0x556a1386bd60 in get_all_tables(THD*, TABLE_LIST*, Item*) /data/bld/10.6-asan/sql/sql_show.cc:5359
          #6 0x556a1389fd23 in get_schema_tables_result(JOIN*, enum_schema_table_state) /data/bld/10.6-asan/sql/sql_show.cc:9042
          #7 0x556a1376676c in JOIN::exec_inner() /data/bld/10.6-asan/sql/sql_select.cc:4896
          #8 0x556a137644ed in JOIN::exec() /data/bld/10.6-asan/sql/sql_select.cc:4717
          #9 0x556a1376896c in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/bld/10.6-asan/sql/sql_select.cc:5196
          #10 0x556a1373737b in handle_select(THD*, LEX*, select_result*, unsigned long) /data/bld/10.6-asan/sql/sql_select.cc:573
          #11 0x556a1395a313 in Sql_cmd_create_table_like::execute(THD*) /data/bld/10.6-asan/sql/sql_table.cc:12292
          #12 0x556a13695b84 in mysql_execute_command(THD*, bool) /data/bld/10.6-asan/sql/sql_parse.cc:6166
          #13 0x556a136a2d5f in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/10.6-asan/sql/sql_parse.cc:8208
          #14 0x556a13678122 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/10.6-asan/sql/sql_parse.cc:1908
          #15 0x556a13674e56 in do_command(THD*, bool) /data/bld/10.6-asan/sql/sql_parse.cc:1421
          #16 0x556a13af78c0 in do_handle_one_connection(CONNECT*, bool) /data/bld/10.6-asan/sql/sql_connect.cc:1386
          #17 0x556a13af741f in handle_one_connection /data/bld/10.6-asan/sql/sql_connect.cc:1298
          #18 0x556a14770965 in pfs_spawn_thread /data/bld/10.6-asan/storage/perfschema/pfs.cc:2201
          #19 0x7f40464a81c3 in start_thread nptl/pthread_create.c:442
       
      previously allocated by thread T12 here:
          #0 0x7f40470b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
          #1 0x556a154eae45 in my_malloc /data/bld/10.6-asan/mysys/my_malloc.c:91
          #2 0x556a154be662 in init_alloc_root /data/bld/10.6-asan/mysys/my_alloc.c:88
          #3 0x556a13a4c278 in init_sql_alloc(unsigned int, st_mem_root*, unsigned int, unsigned int, unsigned long) /data/bld/10.6-asan/sql/thr_malloc.cc:64
          #4 0x556a13a11cc1 in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /data/bld/10.6-asan/sql/table.cc:4179
          #5 0x556a1386a087 in fill_schema_table_from_frm /data/bld/10.6-asan/sql/sql_show.cc:5082
          #6 0x556a1386bd60 in get_all_tables(THD*, TABLE_LIST*, Item*) /data/bld/10.6-asan/sql/sql_show.cc:5359
          #7 0x556a1389fd23 in get_schema_tables_result(JOIN*, enum_schema_table_state) /data/bld/10.6-asan/sql/sql_show.cc:9042
          #8 0x556a1376676c in JOIN::exec_inner() /data/bld/10.6-asan/sql/sql_select.cc:4896
          #9 0x556a137644ed in JOIN::exec() /data/bld/10.6-asan/sql/sql_select.cc:4717
          #10 0x556a1376896c in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/bld/10.6-asan/sql/sql_select.cc:5196
          #11 0x556a1373737b in handle_select(THD*, LEX*, select_result*, unsigned long) /data/bld/10.6-asan/sql/sql_select.cc:573
          #12 0x556a1395a313 in Sql_cmd_create_table_like::execute(THD*) /data/bld/10.6-asan/sql/sql_table.cc:12292
          #13 0x556a13695b84 in mysql_execute_command(THD*, bool) /data/bld/10.6-asan/sql/sql_parse.cc:6166
          #14 0x556a136a2d5f in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/10.6-asan/sql/sql_parse.cc:8208
          #15 0x556a13678122 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/10.6-asan/sql/sql_parse.cc:1908
          #16 0x556a13674e56 in do_command(THD*, bool) /data/bld/10.6-asan/sql/sql_parse.cc:1421
          #17 0x556a13af78c0 in do_handle_one_connection(CONNECT*, bool) /data/bld/10.6-asan/sql/sql_connect.cc:1386
          #18 0x556a13af741f in handle_one_connection /data/bld/10.6-asan/sql/sql_connect.cc:1298
          #19 0x556a14770965 in pfs_spawn_thread /data/bld/10.6-asan/storage/perfschema/pfs.cc:2201
          #20 0x7f40464a81c3 in start_thread nptl/pthread_create.c:442
       
      Thread T12 created by T0 here:
          #0 0x7f4047049726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
          #1 0x556a1476c6a0 in my_thread_create /data/bld/10.6-asan/storage/perfschema/my_thread.h:52
          #2 0x556a14770d54 in pfs_spawn_thread_v1 /data/bld/10.6-asan/storage/perfschema/pfs.cc:2252
          #3 0x556a133486a0 in inline_mysql_thread_create /data/bld/10.6-asan/include/mysql/psi/mysql_thread.h:1139
          #4 0x556a1335f76a in create_thread_to_handle_connection(CONNECT*) /data/bld/10.6-asan/sql/mysqld.cc:6016
          #5 0x556a1335fd7b in create_new_thread(CONNECT*) /data/bld/10.6-asan/sql/mysqld.cc:6075
          #6 0x556a13360066 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/10.6-asan/sql/mysqld.cc:6137
          #7 0x556a13360cfa in handle_connections_sockets() /data/bld/10.6-asan/sql/mysqld.cc:6260
          #8 0x556a1335dacf in run_main_loop /data/bld/10.6-asan/sql/mysqld.cc:5519
          #9 0x556a1335f039 in mysqld_main(int, char**) /data/bld/10.6-asan/sql/mysqld.cc:5917
          #10 0x556a13347968 in main /data/bld/10.6-asan/sql/main.cc:34
          #11 0x7f4046446249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
       
      SUMMARY: AddressSanitizer: heap-use-after-free /data/bld/10.6-asan/sql/sql_class.cc:4017 in Query_arena::free_items()
      ==1460037==ABORTING
      

      The failure either started happening, or became probable enough to be noticed, after this commit in 10.6:

      commit deb20fb751f663f1f4b95656535e7368fe5cfa8e
      Commit:     Sergei Golubchik
      CommitDate: Thu Jan 9 10:00:36 2025 +0100
       
          MDEV-32919 Cannot select particular field from IS.tables in case table needs upgrade from MySQL 5.7
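As an illustration of the lifetime problem the two stacks above describe (the arena is released by free_root inside open_table_from_share, and closefrm then runs Query_arena::free_items over items that lived in it), here is a hypothetical C model, not MariaDB's code: a toy arena and item list, with the teardown order the trace shows beside one that releases the items while the arena is still addressable. All names are assumptions; the checker returns -1 where ASAN would report heap-use-after-free, instead of touching freed memory.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical model of the lifetime the two stacks describe: a table arena
 * (cf. MEM_ROOT, released by free_root) and a list of items allocated inside it
 * that a later cleanup walks (cf. Query_arena::free_items). Not MariaDB code. */
#define ARENA_SIZE 4096
typedef struct Arena { char *block; size_t used; int freed; } Arena;
typedef struct Item  { struct Item *next; int released; } Item;
typedef struct Table { Arena mem; Item *items; } Table;
static void *arena_alloc(Arena *a, size_t n) { void *p = a->block + a->used; a->used += n; return p; }
/* Stand-in for free_root(): poisons the block with ASAN's "freed heap" byte and
 * flags it, but keeps it mapped so the checker below can look without UB. */
static void arena_free(Arena *a) { memset(a->block, 0xfd, ARENA_SIZE); a->freed = 1; }
static int in_arena(const Arena *a, const void *p) {
  return (const char *)p >= a->block && (const char *)p < a->block + ARENA_SIZE;
}
/* Stand-in for Query_arena::free_items(): 0 on success, -1 if the walk would
 * touch an item in an already-freed arena (the access ASAN reported). */
static int free_items(Table *t) {
  for (Item *i = t->items; i; i = i->next) {
    if (t->mem.freed && in_arena(&t->mem, i)) return -1;
    i->released = 1;
  }
  t->items = NULL; return 0;
}
static void table_init(Table *t, int n_items) {  /* n_items: e.g. CHECK expression items */
  t->mem.block = malloc(ARENA_SIZE); t->mem.used = 0; t->mem.freed = 0; t->items = NULL;
  for (int k = 0; k < n_items; k++) {
    Item *i = arena_alloc(&t->mem, sizeof *i);
    i->next = t->items; i->released = 0; t->items = i;
  }
}
/* Order the trace shows: the open path frees the arena on error, then the close
 * path walks the items that lived in it. Returns what free_items reported. */
int close_after_failed_open_buggy(void) {
  Table t; table_init(&t, 3);
  arena_free(&t.mem);        /* open_table_from_share error path: free_root */
  int rc = free_items(&t);   /* closefrm -> free_items: reads the freed arena */
  free(t.mem.block);
  return rc;
}
/* Safe order: release the items while their arena is still addressable. */
int close_after_failed_open_fixed(void) {
  Table t; table_init(&t, 3);
  int rc = free_items(&t);
  arena_free(&t.mem);
  free(t.mem.block);
  return rc;
}
```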
      

            People

              serg Sergei Golubchik
              elenst Elena Stepanova