MariaDB Server / MDEV-36446

ASAN: federated.federatedx_create_handlers - federatedx_txn::release - heap-use-after-free

Details

    Description

      federated.federatedx_create_handlers

      CURRENT_TEST: federated.federatedx_create_handlers
      mysqltest: At line 266: query 'INSERT INTO federated.t2
      SELECT * FROM (SELECT * FROM federated.t1 LIMIT 100) dt' failed: <Unknown> (2013): Lost connection to server during query
       
      The result from queries just before the failure was:
      < snip >
      END WHILE;
      COMMIT;
      END
      $$
      connection master;
      CREATE TABLE federated.t1 (
      a varchar(100) NOT NULL default '123'
      )
      ENGINE="FEDERATED" DEFAULT CHARSET=latin1
      CONNECTION='mysql://root@127.0.0.1:SLAVE_PORT/federated/t1';
      CREATE TABLE federated.t2 (
      a varchar(100) NOT NULL default '123'
      )
      ENGINE="FEDERATED" DEFAULT CHARSET=latin1
      CONNECTION='mysql://root@127.0.0.1:SLAVE_PORT/federated/t2';
      SELECT COUNT(DISTINCT a) FROM federated.t1;
      COUNT(DISTINCT a)
      70000
      INSERT INTO federated.t2
      SELECT * FROM (SELECT * FROM federated.t1 LIMIT 100) dt;
       
      More results from queries before failure can be found in /build/mysql-test/var/3/log/federatedx_create_handlers.log
      
      

      heap-use-after-free

      ==717591==ERROR: AddressSanitizer: heap-use-after-free on address 0x7d8baa499279 at pc 0x7b7ba8ecc9d0 bp 0x7b7ba1fd7440 sp 0x7b7ba1fd7438
      WRITE of size 1 at 0x7d8baa499279 thread T6
          #0 0x7b7ba8ecc9cf in federatedx_txn::release(federatedx_io**) /source/storage/federatedx/federatedx_txn.cc:158:13
          #1 0x7b7ba8ec0ef6 in ha_federatedx::external_lock(THD*, int) /source/storage/federatedx/ha_federatedx.cc:3520:10
          #2 0x55c4e162fd3e in handler::ha_external_lock(THD*, int) /source/sql/handler.cc:7242:3
          #3 0x55c4e1b63a30 in handler::ha_external_unlock(THD*) /source/sql/handler.h:3562:45
          #4 0x55c4e1b63a30 in unlock_external(THD*, TABLE**, unsigned int) /source/sql/lock.cc:730:11
          #5 0x55c4e1b64082 in mysql_unlock_tables(THD*, st_mysql_lock*, bool) /source/sql/lock.cc:435:12
          #6 0x55c4e08687ff in close_thread_tables(THD*) /source/sql/sql_base.cc:980:12
          #7 0x55c4e0abb712 in mysql_execute_command(THD*, bool) /source/sql/sql_parse.cc:6231:3
          #8 0x55c4e0a97ed6 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /source/sql/sql_parse.cc:8209:18
          #9 0x55c4e0a9017b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /source/sql/sql_parse.cc:1908:7
          #10 0x55c4e0a99e3b in do_command(THD*, bool) /source/sql/sql_parse.cc:1421:17
          #11 0x55c4e1019d8c in do_handle_one_connection(CONNECT*, bool) /source/sql/sql_connect.cc:1386:11
          #12 0x55c4e1019712 in handle_one_connection /source/sql/sql_connect.cc:1298:5
          #13 0x55c4e064d316 in asan_thread_start(void*) asan_interceptors.cpp.o
          #14 0x7f7bab5c91c3  (/lib/x86_64-linux-gnu/libc.so.6+0x891c3) (BuildId: c047672cae7964324658491e7dee26748ae5d2f8)
          #15 0x7f7bab64985b  (/lib/x86_64-linux-gnu/libc.so.6+0x10985b) (BuildId: c047672cae7964324658491e7dee26748ae5d2f8)
       
      0x7d8baa499279 is located 377 bytes inside of 4144-byte region [0x7d8baa499100,0x7d8baa49a130)
      freed by thread T6 here:
          #0 0x55c4e064f6f6 in free (/build/sql/mariadbd+0x1bb86f6) (BuildId: 8dd156f9be57c49a82ab9133e5f87cd59ed12b4d)
          #1 0x55c4e2ac52cb in free_root /source/mysys/my_alloc.c:435:7
          #2 0x7b7ba8ebede2 in free_server(federatedx_txn*, st_fedrated_server*) /source/storage/federatedx/ha_federatedx.cc:1704:5
          #3 0x7b7ba8eaa247 in free_share(federatedx_txn*, st_federatedx_share*) /source/storage/federatedx/ha_federatedx.cc:1737:5
          #4 0x7b7ba8ec3ac1 in ha_federatedx_derived_handler::end_scan() /source/storage/federatedx/federatedx_pushdown.cc:220:3
          #5 0x55c4e0d808db in Pushdown_derived::execute() /source/sql/derived_handler.cc:86:22
          #6 0x55c4e0956d5a in mysql_derived_fill(THD*, LEX*, TABLE_LIST*) /source/sql/sql_derived.cc:1238:37
          #7 0x55c4e09597c6 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /source/sql/sql_derived.cc:200:15
          #8 0x55c4e0c42eab in st_join_table::preread_init() /source/sql/sql_select.cc:15193:7
          #9 0x55c4e0b82be2 in sub_select(JOIN*, st_join_table*, bool) /source/sql/sql_select.cc:22349:49
          #10 0x55c4e0c00b72 in do_select(JOIN*, Procedure*) /source/sql/sql_select.cc:21914:14
          #11 0x55c4e0bfe7d4 in JOIN::exec_inner() /source/sql/sql_select.cc:4939:50
          #12 0x55c4e0bfb70b in JOIN::exec() /source/sql/sql_select.cc:4717:3
          #13 0x55c4e0b86354 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /source/sql/sql_select.cc:5196:9
          #14 0x55c4e0b855a3 in handle_select(THD*, LEX*, select_result*, unsigned long) /source/sql/sql_select.cc:573:10
          #15 0x55c4e0ac9b7f in mysql_execute_command(THD*, bool) /source/sql/sql_parse.cc:4825:16
          #16 0x55c4e0a97ed6 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /source/sql/sql_parse.cc:8209:18
          #17 0x55c4e0a9017b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /source/sql/sql_parse.cc:1908:7
          #18 0x55c4e0a99e3b in do_command(THD*, bool) /source/sql/sql_parse.cc:1421:17
          #19 0x55c4e1019d8c in do_handle_one_connection(CONNECT*, bool) /source/sql/sql_connect.cc:1386:11
          #20 0x55c4e1019712 in handle_one_connection /source/sql/sql_connect.cc:1298:5
          #21 0x55c4e064d316 in asan_thread_start(void*) asan_interceptors.cpp.o
       
      previously allocated by thread T6 here:
          #0 0x55c4e064f994 in malloc (/build/sql/mariadbd+0x1bb8994) (BuildId: 8dd156f9be57c49a82ab9133e5f87cd59ed12b4d)
          #1 0x55c4e2ae5512 in my_malloc /source/mysys/my_malloc.c:91:29
          #2 0x55c4e2ac3a6e in init_alloc_root /source/mysys/my_alloc.c:88:22
          #3 0x7b7ba8ebdf76 in get_server(st_federatedx_share*, TABLE*) /source/storage/federatedx/ha_federatedx.cc:1552:3
          #4 0x7b7ba8ea9e3b in get_share(char const*, TABLE*) /source/storage/federatedx/ha_federatedx.cc:1658:21
          #5 0x7b7ba8ec1d82 in ha_federatedx_derived_handler::init_scan() /source/storage/federatedx/federatedx_pushdown.cc:159:10
          #6 0x55c4e0d803f6 in Pushdown_derived::execute() /source/sql/derived_handler.cc:56:22
          #7 0x55c4e0956d5a in mysql_derived_fill(THD*, LEX*, TABLE_LIST*) /source/sql/sql_derived.cc:1238:37
          #8 0x55c4e09597c6 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /source/sql/sql_derived.cc:200:15
          #9 0x55c4e0c42eab in st_join_table::preread_init() /source/sql/sql_select.cc:15193:7
          #10 0x55c4e0b82be2 in sub_select(JOIN*, st_join_table*, bool) /source/sql/sql_select.cc:22349:49
          #11 0x55c4e0c00b72 in do_select(JOIN*, Procedure*) /source/sql/sql_select.cc:21914:14
          #12 0x55c4e0bfe7d4 in JOIN::exec_inner() /source/sql/sql_select.cc:4939:50
          #13 0x55c4e0bfb70b in JOIN::exec() /source/sql/sql_select.cc:4717:3
          #14 0x55c4e0b86354 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /source/sql/sql_select.cc:5196:9
          #15 0x55c4e0b855a3 in handle_select(THD*, LEX*, select_result*, unsigned long) /source/sql/sql_select.cc:573:10
          #16 0x55c4e0ac9b7f in mysql_execute_command(THD*, bool) /source/sql/sql_parse.cc:4825:16
          #17 0x55c4e0a97ed6 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /source/sql/sql_parse.cc:8209:18
          #18 0x55c4e0a9017b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /source/sql/sql_parse.cc:1908:7
          #19 0x55c4e0a99e3b in do_command(THD*, bool) /source/sql/sql_parse.cc:1421:17
          #20 0x55c4e1019d8c in do_handle_one_connection(CONNECT*, bool) /source/sql/sql_connect.cc:1386:11
          #21 0x55c4e1019712 in handle_one_connection /source/sql/sql_connect.cc:1298:5
          #22 0x55c4e064d316 in asan_thread_start(void*) asan_interceptors.cpp.o
       
      Thread T6 created by T0 here:
          #0 0x55c4e06339e1 in pthread_create (/build/sql/mariadbd+0x1b9c9e1) (BuildId: 8dd156f9be57c49a82ab9133e5f87cd59ed12b4d)
          #1 0x55c4e06a4acc in create_thread_to_handle_connection(CONNECT*) /source/sql/mysqld.cc:6016:19
          #2 0x55c4e06a5baa in handle_connections_sockets() /source/sql/mysqld.cc:6260:9
          #3 0x55c4e06a3df0 in run_main_loop() /source/sql/mysqld.cc:5519:3
          #4 0x55c4e069b52e in mysqld_main(int, char**) /source/sql/mysqld.cc:5917:3
          #5 0x7f7bab567249  (/lib/x86_64-linux-gnu/libc.so.6+0x27249) (BuildId: c047672cae7964324658491e7dee26748ae5d2f8)
       
      SUMMARY: AddressSanitizer: heap-use-after-free /source/storage/federatedx/federatedx_txn.cc:158:13 in federatedx_txn::release(federatedx_io**)
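      Reading the three stacks together: the 4144-byte region is the MEM_ROOT set up by init_alloc_root in get_server when the derived-table pushdown handler's init_scan called get_share; it is released by free_root when end_scan calls free_share and free_server; and the 1-byte write comes from federatedx_txn::release, reached from ha_federatedx::external_lock on the outer INSERT target during close_thread_tables, 377 bytes into the freed region. The helper below is an added example for triaging reports in this format, not code from this issue or from the MariaDB tree: it parses the banner, the access line, the region line and the three stacks, names the use/free/alloc sites, and builds a deduplication signature from in-tree frames only. The embedded report is an abridged copy of the one above (some frames dropped, formats unchanged); the set of allocator wrappers that are skipped when naming a site (malloc/free plus the mysys my_malloc, free_root, init_alloc_root seen here) and the /source/ prefix used to recognise in-tree frames are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: abridged from the report in this issue (only some frames
# of each stack are kept); the line formats are ASAN's own.
SAMPLE_REPORT = """\
==717591==ERROR: AddressSanitizer: heap-use-after-free on address 0x7d8baa499279 at pc 0x7b7ba8ecc9d0 bp 0x7b7ba1fd7440 sp 0x7b7ba1fd7438
WRITE of size 1 at 0x7d8baa499279 thread T6
    #0 0x7b7ba8ecc9cf in federatedx_txn::release(federatedx_io**) /source/storage/federatedx/federatedx_txn.cc:158:13
    #1 0x7b7ba8ec0ef6 in ha_federatedx::external_lock(THD*, int) /source/storage/federatedx/ha_federatedx.cc:3520:10
    #2 0x55c4e162fd3e in handler::ha_external_lock(THD*, int) /source/sql/handler.cc:7242:3
    #14 0x7f7bab5c91c3  (/lib/x86_64-linux-gnu/libc.so.6+0x891c3) (BuildId: c047672cae7964324658491e7dee26748ae5d2f8)
0x7d8baa499279 is located 377 bytes inside of 4144-byte region [0x7d8baa499100,0x7d8baa49a130)
freed by thread T6 here:
    #0 0x55c4e064f6f6 in free (/build/sql/mariadbd+0x1bb86f6) (BuildId: 8dd156f9be57c49a82ab9133e5f87cd59ed12b4d)
    #1 0x55c4e2ac52cb in free_root /source/mysys/my_alloc.c:435:7
    #2 0x7b7ba8ebede2 in free_server(federatedx_txn*, st_fedrated_server*) /source/storage/federatedx/ha_federatedx.cc:1704:5
    #4 0x7b7ba8ec3ac1 in ha_federatedx_derived_handler::end_scan() /source/storage/federatedx/federatedx_pushdown.cc:220:3
previously allocated by thread T6 here:
    #0 0x55c4e064f994 in malloc (/build/sql/mariadbd+0x1bb8994) (BuildId: 8dd156f9be57c49a82ab9133e5f87cd59ed12b4d)
    #1 0x55c4e2ae5512 in my_malloc /source/mysys/my_malloc.c:91:29
    #2 0x55c4e2ac3a6e in init_alloc_root /source/mysys/my_alloc.c:88:22
    #3 0x7b7ba8ebdf76 in get_server(st_federatedx_share*, TABLE*) /source/storage/federatedx/ha_federatedx.cc:1552:3
SUMMARY: AddressSanitizer: heap-use-after-free /source/storage/federatedx/federatedx_txn.cc:158:13 in federatedx_txn::release(federatedx_io**)
"""

# Assumption for triage: allocator entry points and the mysys wrappers seen in
# this report are not "sites"; skip them when naming where alloc/free/use happened.
ALLOCATOR_WRAPPERS = {"malloc", "free", "calloc", "realloc", "operator new", "operator delete",
                      "my_malloc", "my_free", "free_root", "init_alloc_root", "alloc_root"}
HEADER_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on address 0x[0-9a-fA-F]+")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-fA-F]+ thread (T\d+)")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")
SECTION_RE = re.compile(r"^(freed|previously allocated|Thread T\d+ created) by (?:thread )?T\d+ here:")
FRAME_RE = re.compile(r"^#\d+\s+0x[0-9a-fA-F]+\s+(?:in\s+(.+?)\s+)?(\S+)$")
BUILDID_RE = re.compile(r"\s*\(BuildId: [0-9a-fA-F]+\)$")
SECTION_NAMES = {"freed": "freed", "previously allocated": "allocated"}

@dataclass
class Frame:
    function: str   # demangled symbol, or "" when ASAN printed none (libc frames)
    location: str   # file:line:col, or (module+offset) when unsymbolized

    @property
    def name(self) -> str:
        """Symbol without its parameter list, e.g. 'federatedx_txn::release'."""
        return self.function.split("(")[0].strip()

@dataclass
class AsanReport:
    bug_type: str
    access_kind: str = ""
    access_size: int = 0
    thread: str = ""
    region_offset: int = -1      # bytes from region start to the faulting address
    region_size: int = -1
    stacks: dict = field(default_factory=dict)   # "access"/"freed"/"allocated" -> [Frame]

def parse_asan_report(text: str) -> AsanReport:
    """Line-oriented state machine: `section` says which stack new frames belong to."""
    report, section = None, None
    for raw in text.splitlines():
        line = BUILDID_RE.sub("", raw.strip())
        if not line:
            continue
        if m := HEADER_RE.match(line):
            report = AsanReport(bug_type=m.group(1))
        elif report is None:
            continue                           # mysqltest chatter before the banner
        elif m := ACCESS_RE.match(line):
            report.access_kind, report.access_size, report.thread = m.group(1), int(m.group(2)), m.group(3)
            section = "access"
        elif m := REGION_RE.search(line):
            report.region_offset, report.region_size = int(m.group(1)), int(m.group(2))
            section = None
        elif m := SECTION_RE.match(line):
            section = SECTION_NAMES.get(m.group(1), "thread_created")
        elif (m := FRAME_RE.match(line)) and section:
            report.stacks.setdefault(section, []).append(Frame(m.group(1) or "", m.group(2)))
        elif line.startswith("SUMMARY:"):
            section = None
    if report is None:
        raise ValueError("no AddressSanitizer banner found")
    return report

def first_site(frames, skip=ALLOCATOR_WRAPPERS):
    """First symbolized frame that is not an allocator wrapper: the code that did the work."""
    return next((f for f in frames if f.name and f.name not in skip), None)

def lifecycle(report: AsanReport) -> dict:
    """The three locations a triager needs for a use-after-free."""
    return {k: first_site(report.stacks.get(s, []))
            for k, s in (("use", "access"), ("free", "freed"), ("alloc", "allocated"))}

def crash_signature(report: AsanReport, depth: int = 3, source_prefix: str = "/source/") -> str:
    """Dedup key: bug type plus the top in-tree frames of the faulting stack. Addresses are
    left out so ASLR and rebuilds do not split one bug into many; frames outside
    source_prefix (libc, ASAN interceptors) vary with the toolchain, not with the bug."""
    in_tree = [f.name for f in report.stacks.get("access", []) if f.location.startswith(source_prefix)]
    return "|".join([report.bug_type, *in_tree[:depth]])
```

      Feeding the full report above to parse_asan_report gives the same signature as the abridged sample, because the key uses only the first three in-tree frames of the faulting stack; lifecycle() then points straight at get_server (alloc), free_server (free) and federatedx_txn::release (use), which is the shortest description of this bug.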
      

      People

        Assignee: Unassigned
        Reporter: Daniel Black (danblack)