MariaDB Server
MDEV-35943

ASAN errors in Query_arena::free_items / fill_schema_table_from_frm

Details

    Description

      The test case below uses sys.schema_auto_increment_columns. It is not strictly necessary; it can be replaced with at least a user's view of the identical definition, but for whatever reason, on my machine it usually only takes a few attempts before failing when it uses the sys view, but 50-100 attempts if it uses an identical custom view. So, I'll keep the sys view; the test case is non-deterministic enough already. I assume it will be re-written for the final commit anyway.

      --source include/have_innodb.inc
      --connect (con1,localhost,root,,)
      --send
        CREATE TEMPORARY TABLE tmp ENGINE=InnoDB AS select * from sys.schema_auto_increment_columns;
      --connection default
      CREATE TABLE t1 (a INT, CHECK (a IS NULL OR a IS TRUE));
      CREATE TABLE t2 (b INT) ENGINE=InnoDB;
       
      --connection con1
      --reap
      DROP TABLE t1, t2;
      --disconnect con1
      

      10.6 d77b9a4925c971364707d435028add41e8015173

      =================================================================
      ==1460037==ERROR: AddressSanitizer: heap-use-after-free on address 0x6250002a5aa8 at pc 0x556a1355e021 bp 0x7f403615e060 sp 0x7f403615e058
      READ of size 8 at 0x6250002a5aa8 thread T12
          #0 0x556a1355e020 in Query_arena::free_items() /data/bld/10.6-asan/sql/sql_class.cc:4017
          #1 0x556a13a15b07 in closefrm(TABLE*) /data/bld/10.6-asan/sql/table.cc:4665
          #2 0x556a1386a28b in fill_schema_table_from_frm /data/bld/10.6-asan/sql/sql_show.cc:5098
          #3 0x556a1386bd60 in get_all_tables(THD*, TABLE_LIST*, Item*) /data/bld/10.6-asan/sql/sql_show.cc:5359
          #4 0x556a1389fd23 in get_schema_tables_result(JOIN*, enum_schema_table_state) /data/bld/10.6-asan/sql/sql_show.cc:9042
          #5 0x556a1376676c in JOIN::exec_inner() /data/bld/10.6-asan/sql/sql_select.cc:4896
          #6 0x556a137644ed in JOIN::exec() /data/bld/10.6-asan/sql/sql_select.cc:4717
          #7 0x556a1376896c in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/bld/10.6-asan/sql/sql_select.cc:5196
          #8 0x556a1373737b in handle_select(THD*, LEX*, select_result*, unsigned long) /data/bld/10.6-asan/sql/sql_select.cc:573
          #9 0x556a1395a313 in Sql_cmd_create_table_like::execute(THD*) /data/bld/10.6-asan/sql/sql_table.cc:12292
          #10 0x556a13695b84 in mysql_execute_command(THD*, bool) /data/bld/10.6-asan/sql/sql_parse.cc:6166
          #11 0x556a136a2d5f in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/10.6-asan/sql/sql_parse.cc:8208
          #12 0x556a13678122 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/10.6-asan/sql/sql_parse.cc:1908
          #13 0x556a13674e56 in do_command(THD*, bool) /data/bld/10.6-asan/sql/sql_parse.cc:1421
          #14 0x556a13af78c0 in do_handle_one_connection(CONNECT*, bool) /data/bld/10.6-asan/sql/sql_connect.cc:1386
          #15 0x556a13af741f in handle_one_connection /data/bld/10.6-asan/sql/sql_connect.cc:1298
          #16 0x556a14770965 in pfs_spawn_thread /data/bld/10.6-asan/storage/perfschema/pfs.cc:2201
          #17 0x7f40464a81c3 in start_thread nptl/pthread_create.c:442
          #18 0x7f404652885b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
       
      0x6250002a5aa8 is located 424 bytes inside of 8240-byte region [0x6250002a5900,0x6250002a7930)
      freed by thread T12 here:
          #0 0x7f40470b76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
          #1 0x556a154ebc7e in my_free /data/bld/10.6-asan/mysys/my_malloc.c:213
          #2 0x556a154c08fb in free_root /data/bld/10.6-asan/mysys/my_alloc.c:435
          #3 0x556a13a14eee in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /data/bld/10.6-asan/sql/table.cc:4559
          #4 0x556a1386a087 in fill_schema_table_from_frm /data/bld/10.6-asan/sql/sql_show.cc:5082
          #5 0x556a1386bd60 in get_all_tables(THD*, TABLE_LIST*, Item*) /data/bld/10.6-asan/sql/sql_show.cc:5359
          #6 0x556a1389fd23 in get_schema_tables_result(JOIN*, enum_schema_table_state) /data/bld/10.6-asan/sql/sql_show.cc:9042
          #7 0x556a1376676c in JOIN::exec_inner() /data/bld/10.6-asan/sql/sql_select.cc:4896
          #8 0x556a137644ed in JOIN::exec() /data/bld/10.6-asan/sql/sql_select.cc:4717
          #9 0x556a1376896c in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/bld/10.6-asan/sql/sql_select.cc:5196
          #10 0x556a1373737b in handle_select(THD*, LEX*, select_result*, unsigned long) /data/bld/10.6-asan/sql/sql_select.cc:573
          #11 0x556a1395a313 in Sql_cmd_create_table_like::execute(THD*) /data/bld/10.6-asan/sql/sql_table.cc:12292
          #12 0x556a13695b84 in mysql_execute_command(THD*, bool) /data/bld/10.6-asan/sql/sql_parse.cc:6166
          #13 0x556a136a2d5f in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/10.6-asan/sql/sql_parse.cc:8208
          #14 0x556a13678122 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/10.6-asan/sql/sql_parse.cc:1908
          #15 0x556a13674e56 in do_command(THD*, bool) /data/bld/10.6-asan/sql/sql_parse.cc:1421
          #16 0x556a13af78c0 in do_handle_one_connection(CONNECT*, bool) /data/bld/10.6-asan/sql/sql_connect.cc:1386
          #17 0x556a13af741f in handle_one_connection /data/bld/10.6-asan/sql/sql_connect.cc:1298
          #18 0x556a14770965 in pfs_spawn_thread /data/bld/10.6-asan/storage/perfschema/pfs.cc:2201
          #19 0x7f40464a81c3 in start_thread nptl/pthread_create.c:442
       
      previously allocated by thread T12 here:
          #0 0x7f40470b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
          #1 0x556a154eae45 in my_malloc /data/bld/10.6-asan/mysys/my_malloc.c:91
          #2 0x556a154be662 in init_alloc_root /data/bld/10.6-asan/mysys/my_alloc.c:88
          #3 0x556a13a4c278 in init_sql_alloc(unsigned int, st_mem_root*, unsigned int, unsigned int, unsigned long) /data/bld/10.6-asan/sql/thr_malloc.cc:64
          #4 0x556a13a11cc1 in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /data/bld/10.6-asan/sql/table.cc:4179
          #5 0x556a1386a087 in fill_schema_table_from_frm /data/bld/10.6-asan/sql/sql_show.cc:5082
          #6 0x556a1386bd60 in get_all_tables(THD*, TABLE_LIST*, Item*) /data/bld/10.6-asan/sql/sql_show.cc:5359
          #7 0x556a1389fd23 in get_schema_tables_result(JOIN*, enum_schema_table_state) /data/bld/10.6-asan/sql/sql_show.cc:9042
          #8 0x556a1376676c in JOIN::exec_inner() /data/bld/10.6-asan/sql/sql_select.cc:4896
          #9 0x556a137644ed in JOIN::exec() /data/bld/10.6-asan/sql/sql_select.cc:4717
          #10 0x556a1376896c in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/bld/10.6-asan/sql/sql_select.cc:5196
          #11 0x556a1373737b in handle_select(THD*, LEX*, select_result*, unsigned long) /data/bld/10.6-asan/sql/sql_select.cc:573
          #12 0x556a1395a313 in Sql_cmd_create_table_like::execute(THD*) /data/bld/10.6-asan/sql/sql_table.cc:12292
          #13 0x556a13695b84 in mysql_execute_command(THD*, bool) /data/bld/10.6-asan/sql/sql_parse.cc:6166
          #14 0x556a136a2d5f in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/10.6-asan/sql/sql_parse.cc:8208
          #15 0x556a13678122 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/10.6-asan/sql/sql_parse.cc:1908
          #16 0x556a13674e56 in do_command(THD*, bool) /data/bld/10.6-asan/sql/sql_parse.cc:1421
          #17 0x556a13af78c0 in do_handle_one_connection(CONNECT*, bool) /data/bld/10.6-asan/sql/sql_connect.cc:1386
          #18 0x556a13af741f in handle_one_connection /data/bld/10.6-asan/sql/sql_connect.cc:1298
          #19 0x556a14770965 in pfs_spawn_thread /data/bld/10.6-asan/storage/perfschema/pfs.cc:2201
          #20 0x7f40464a81c3 in start_thread nptl/pthread_create.c:442
       
      Thread T12 created by T0 here:
          #0 0x7f4047049726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
          #1 0x556a1476c6a0 in my_thread_create /data/bld/10.6-asan/storage/perfschema/my_thread.h:52
          #2 0x556a14770d54 in pfs_spawn_thread_v1 /data/bld/10.6-asan/storage/perfschema/pfs.cc:2252
          #3 0x556a133486a0 in inline_mysql_thread_create /data/bld/10.6-asan/include/mysql/psi/mysql_thread.h:1139
          #4 0x556a1335f76a in create_thread_to_handle_connection(CONNECT*) /data/bld/10.6-asan/sql/mysqld.cc:6016
          #5 0x556a1335fd7b in create_new_thread(CONNECT*) /data/bld/10.6-asan/sql/mysqld.cc:6075
          #6 0x556a13360066 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/10.6-asan/sql/mysqld.cc:6137
          #7 0x556a13360cfa in handle_connections_sockets() /data/bld/10.6-asan/sql/mysqld.cc:6260
          #8 0x556a1335dacf in run_main_loop /data/bld/10.6-asan/sql/mysqld.cc:5519
          #9 0x556a1335f039 in mysqld_main(int, char**) /data/bld/10.6-asan/sql/mysqld.cc:5917
          #10 0x556a13347968 in main /data/bld/10.6-asan/sql/main.cc:34
          #11 0x7f4046446249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
       
      SUMMARY: AddressSanitizer: heap-use-after-free /data/bld/10.6-asan/sql/sql_class.cc:4017 in Query_arena::free_items()
      ==1460037==ABORTING
      

      The failure either started happening, or became probable enough to be noticed, after this commit in 10.6:

      commit deb20fb751f663f1f4b95656535e7368fe5cfa8e
      Commit:     Sergei Golubchik
      CommitDate: Thu Jan 9 10:00:36 2025 +0100
       
          MDEV-32919 Cannot select particular field from IS.tables in case table needs upgrade from MySQL 5.7
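As an added illustration (my own constructed C model, not MariaDB's code and not part of this report): the ownership error the trace shows is that open_table_from_share() frees the TABLE's mem_root on its error path (free_root at table.cc:4559) while the arena's item list still points into that root, and closefrm() then has Query_arena::free_items() walk the list (sql_class.cc:4017). The names arena_t, table_t, open_table_model(), closefrm_model() and scenario() are mine; has_dangling_items() is the invariant a debug assertion at the top of the close path would enforce, and the hardened variant clears the list when the root goes.

```c
#include <stdlib.h>
/* Constructed model of the pattern in the trace, not MariaDB's code: a table
 * owns an arena (like MEM_ROOT) and a list of items allocated from it. */
typedef struct item  { struct item *next; int value; } item_t;
typedef struct arena { char *buf; size_t used; } arena_t;
typedef struct table { arena_t mem_root; item_t *free_list; } table_t;

static void *arena_alloc(arena_t *a, size_t n)    /* bump allocator */
{ if (!a->buf) a->buf = malloc(4096); a->used += n; return a->buf + a->used - n; }

/* Like mysys free_root(): the arena memory, and every item in it, is gone. */
static void free_root(arena_t *a) { free(a->buf); a->buf = NULL; a->used = 0; }

/* Models open_table_from_share(): items come from the table's mem_root; on
 * error the root is freed before returning. hardened==0 keeps the defect
 * (free_list still points into the freed root); hardened==1 drops the list. */
static int open_table_model(table_t *t, int fail, int hardened)
{
    t->free_list = NULL; t->mem_root = (arena_t){0};
    for (int i = 1; i <= 3; i++) {
        item_t *it = arena_alloc(&t->mem_root, sizeof *it);
        it->value = i; it->next = t->free_list; t->free_list = it;
    }
    if (!fail) return 0;
    free_root(&t->mem_root);
    if (hardened) t->free_list = NULL;
    return 1;
}

/* Invariant closefrm()/free_items() relies on: no item outlives its arena.
 * Checked without dereferencing, so it is safe to call on the broken state. */
static int has_dangling_items(const table_t *t)
{ return t->free_list != NULL && t->mem_root.buf == NULL; }

/* Models closefrm(): free_items() walks the list, then the root is freed.
 * Returns the item sum, or -1 where the real code would read freed memory. */
static int closefrm_model(table_t *t)
{
    if (has_dangling_items(t)) return -1;
    int sum = 0;
    for (item_t *it = t->free_list; it; it = it->next) sum += it->value;
    t->free_list = NULL; free_root(&t->mem_root);
    return sum;
}

/* Open (optionally failing), then close, as fill_schema_table_from_frm does:
 * 6 on a clean open, -1 for the reported defect, 0 once hardened. */
static int scenario(int fail, int hardened)
{ table_t t; open_table_model(&t, fail, hardened); return closefrm_model(&t); }
```

Under ASAN the real free_items() reports exactly the heap-use-after-free above; the model refuses the walk instead, which is the check to add (as an assertion) wherever an arena is freed on an error path before its owner is closed.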
      

            People

              serg Sergei Golubchik
              elenst Elena Stepanova