MariaDB Server

MDEV-37221: ASAN errors in lex_string_set / st_select_lex::restore_item_list_names upon 2nd execution with nested view and union

Details

    Description

      CREATE TABLE t (f INT);
      INSERT INTO t VALUES (1),(2); # Optional, fails either way
      CREATE VIEW v1 AS SELECT * FROM t;
      CREATE VIEW v2 AS SELECT * FROM v1 UNION SELECT * FROM v1;
       
      PREPARE stmt FROM 'SELECT * FROM v2 WHERE f > 0';
      EXECUTE stmt;
      EXECUTE stmt;
       
      DROP VIEW v2;
      DROP VIEW v1;
      DROP TABLE t;
      

      10.6 4d19e55441fe92fc483c795b020240884d78f46f

      ==2280189==ERROR: AddressSanitizer: use-after-poison on address 0x62d00005cb70 at pc 0x7f8b6404a731 bp 0x7f8b58c3e390 sp 0x7f8b58c3db40
      READ of size 2 at 0x62d00005cb70 thread T5
          #0 0x7f8b6404a730 in __interceptor_strlen ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:389
          #1 0x55b2a73f2343 in lex_string_set /data/bld/10.6-asan-ubsan/include/m_string.h:233
          #2 0x55b2a7499f80 in st_select_lex::restore_item_list_names() /data/bld/10.6-asan-ubsan/sql/sql_lex.cc:11547
          #3 0x55b2a7347137 in mysql_derived_reinit /data/bld/10.6-asan-ubsan/sql/sql_derived.cc:1367
          #4 0x55b2a734c80a in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /data/bld/10.6-asan-ubsan/sql/sql_derived.cc:200
          #5 0x55b2a7b9269b in TABLE_LIST::handle_derived(LEX*, unsigned int) /data/bld/10.6-asan-ubsan/sql/table.cc:9671
          #6 0x55b2a73e0b46 in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /data/bld/10.6-asan-ubsan/sql/sql_lex.h:4577
          #7 0x55b2a7426761 in st_select_lex::handle_derived(LEX*, unsigned int) /data/bld/10.6-asan-ubsan/sql/sql_lex.cc:5092
          #8 0x55b2a7617a2f in reinit_stmt_before_use(THD*, LEX*) /data/bld/10.6-asan-ubsan/sql/sql_prepare.cc:3251
          #9 0x55b2a7619e97 in Prepared_statement::execute(String*, bool) /data/bld/10.6-asan-ubsan/sql/sql_prepare.cc:5247
          #10 0x55b2a761e5ff in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/bld/10.6-asan-ubsan/sql/sql_prepare.cc:4691
          #11 0x55b2a7620a2d in mysql_sql_stmt_execute(THD*) /data/bld/10.6-asan-ubsan/sql/sql_prepare.cc:3721
          #12 0x55b2a755ee67 in mysql_execute_command(THD*, bool) /data/bld/10.6-asan-ubsan/sql/sql_parse.cc:4029
          #13 0x55b2a7580d03 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/10.6-asan-ubsan/sql/sql_parse.cc:8200
          #14 0x55b2a7589fd3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/10.6-asan-ubsan/sql/sql_parse.cc:1908
          #15 0x55b2a7596c25 in do_command(THD*, bool) /data/bld/10.6-asan-ubsan/sql/sql_parse.cc:1421
          #16 0x55b2a7d186ed in do_handle_one_connection(CONNECT*, bool) /data/bld/10.6-asan-ubsan/sql/sql_connect.cc:1386
          #17 0x55b2a7d1984a in handle_one_connection /data/bld/10.6-asan-ubsan/sql/sql_connect.cc:1298
          #18 0x55b2a97482d6 in pfs_spawn_thread /data/bld/10.6-asan-ubsan/storage/perfschema/pfs.cc:2201
          #19 0x7f8b62ca81c3 in start_thread nptl/pthread_create.c:442
          #20 0x7f8b62d2885b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
       
      0x62d00005cb70 is located 10096 bytes inside of 32816-byte region [0x62d00005a400,0x62d000062430)
      allocated by thread T5 here:
          #0 0x7f8b640b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
          #1 0x55b2aa97bb61 in my_malloc /data/bld/10.6-asan-ubsan/mysys/my_malloc.c:91
          #2 0x55b2aa95019a in reset_root_defaults /data/bld/10.6-asan-ubsan/mysys/my_alloc.c:155
          #3 0x55b2a72ab2d1 in THD::init_for_queries() /data/bld/10.6-asan-ubsan/sql/sql_class.cc:1486
          #4 0x55b2a7d15381 in prepare_new_connection_state(THD*) /data/bld/10.6-asan-ubsan/sql/sql_connect.cc:1225
          #5 0x55b2a7d16336 in thd_prepare_connection(THD*) /data/bld/10.6-asan-ubsan/sql/sql_connect.cc:1319
          #6 0x55b2a7d18c75 in do_handle_one_connection(CONNECT*, bool) /data/bld/10.6-asan-ubsan/sql/sql_connect.cc:1376
          #7 0x55b2a7d1984a in handle_one_connection /data/bld/10.6-asan-ubsan/sql/sql_connect.cc:1298
          #8 0x55b2a97482d6 in pfs_spawn_thread /data/bld/10.6-asan-ubsan/storage/perfschema/pfs.cc:2201
          #9 0x7f8b62ca81c3 in start_thread nptl/pthread_create.c:442
       
      Thread T5 created by T0 here:
          #0 0x7f8b64049726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
          #1 0x55b2a973dba2 in my_thread_create /data/bld/10.6-asan-ubsan/storage/perfschema/my_thread.h:52
          #2 0x55b2a97454ca in pfs_spawn_thread_v1 /data/bld/10.6-asan-ubsan/storage/perfschema/pfs.cc:2252
          #3 0x55b2a6f3ac27 in inline_mysql_thread_create /data/bld/10.6-asan-ubsan/include/mysql/psi/mysql_thread.h:1139
          #4 0x55b2a6f3ac27 in create_thread_to_handle_connection(CONNECT*) /data/bld/10.6-asan-ubsan/sql/mysqld.cc:6016
          #5 0x55b2a6f4ca55 in create_new_thread(CONNECT*) /data/bld/10.6-asan-ubsan/sql/mysqld.cc:6075
          #6 0x55b2a6f4cc73 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/10.6-asan-ubsan/sql/mysqld.cc:6137
          #7 0x55b2a6f4d8d6 in handle_connections_sockets() /data/bld/10.6-asan-ubsan/sql/mysqld.cc:6260
          #8 0x55b2a6f4dd6f in run_main_loop /data/bld/10.6-asan-ubsan/sql/mysqld.cc:5519
          #9 0x55b2a6f4f124 in mysqld_main(int, char**) /data/bld/10.6-asan-ubsan/sql/mysqld.cc:5917
          #10 0x55b2a6f228e1 in main /data/bld/10.6-asan-ubsan/sql/main.cc:34
          #11 0x7f8b62c46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
       
      SUMMARY: AddressSanitizer: use-after-poison ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:389 in __interceptor_strlen
      Shadow bytes around the buggy address:
        0x0c5a80003910: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5a80003920: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5a80003930: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5a80003940: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5a80003950: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      =>0x0c5a80003960: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7
        0x0c5a80003970: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5a80003980: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5a80003990: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5a800039a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5a800039b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      

      The failure started happening after this commit in 10.5.26:

      commit 48b256a7e283a84802d94060b77bce1e0eab81a0
      Author: Rex
      Date:   Tue Jul 2 12:27:41 2024 +1100
       
          MDEV-34506 2nd execution name resolution problem with pushdown into unions
      

      No obvious immediate effect on a non-instrumented build.
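The AddressSanitizer report above already carries everything a first triage needs: the error kind, the access type and size, the first frame that belongs to the server rather than to the sanitizer runtime, the allocation that owns the region, and the shadow byte at the faulting address. The Python script below is an added example for this issue, not part of MariaDB or of the issue's own attachments. It parses a trimmed excerpt of the report (embedded as constructed sample input; deeper frames and most shadow rows are omitted) and resolves the bracketed shadow byte through the legend the report itself prints. On this report that gives `f7`, "Poisoned by user", which is ASan's label for memory the program explicitly poisoned with `ASAN_POISON_MEMORY_REGION` rather than memory freed by `malloc`; the allocation stack places the region in a memory root set up by `reset_root_defaults` in `my_alloc.c`. The field names in the returned dictionary and the `RUNTIME_PREFIXES` list are choices made for this example.

```python
import re

# Constructed sample input: a trimmed excerpt of the AddressSanitizer report from this
# issue (deeper frames and most shadow rows omitted). Not captured by this script.
SAMPLE_REPORT = """\
==2280189==ERROR: AddressSanitizer: use-after-poison on address 0x62d00005cb70 at pc 0x7f8b6404a731 bp 0x7f8b58c3e390 sp 0x7f8b58c3db40
READ of size 2 at 0x62d00005cb70 thread T5
    #0 0x7f8b6404a730 in __interceptor_strlen ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:389
    #1 0x55b2a73f2343 in lex_string_set /data/bld/10.6-asan-ubsan/include/m_string.h:233
    #2 0x55b2a7499f80 in st_select_lex::restore_item_list_names() /data/bld/10.6-asan-ubsan/sql/sql_lex.cc:11547
    #3 0x55b2a7347137 in mysql_derived_reinit /data/bld/10.6-asan-ubsan/sql/sql_derived.cc:1367
    #4 0x55b2a734c80a in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /data/bld/10.6-asan-ubsan/sql/sql_derived.cc:200

0x62d00005cb70 is located 10096 bytes inside of 32816-byte region [0x62d00005a400,0x62d000062430)
allocated by thread T5 here:
    #0 0x7f8b640b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x55b2aa97bb61 in my_malloc /data/bld/10.6-asan-ubsan/mysys/my_malloc.c:91
    #2 0x55b2aa95019a in reset_root_defaults /data/bld/10.6-asan-ubsan/mysys/my_alloc.c:155

SUMMARY: AddressSanitizer: use-after-poison ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:389 in __interceptor_strlen
Shadow bytes around the buggy address:
  0x0c5a80003950: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c5a80003960: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7
  0x0c5a80003970: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Poisoned by user:        f7
"""

# A stack frame: "#N 0xADDR in <function, may contain spaces> <path>:<line>".
# The location is the last whitespace-free token, so a lazy match on the function
# name copes with C++ signatures such as "f(LEX*, TABLE_LIST*, unsigned int)".
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.+?)\s+(\S+)$")
# A legend row: "<description>: <one or more two-digit shadow bytes>".
LEGEND_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s+((?:[0-9a-f]{2}\s*)+)$")
# Frames belonging to the sanitizer runtime, not to the program under test (chosen here).
RUNTIME_PREFIXES = ("__interceptor_", "__asan_", "__sanitizer_")


def _frame(m):
    """Turn a FRAME_RE match into a dict; frames without a ':line' suffix keep line=None."""
    func, loc = m.group(2), m.group(3)
    path, _, line = loc.rpartition(":")
    return {"num": int(m.group(1)), "func": func,
            "file": path or loc, "line": int(line) if line.isdigit() else None}


def parse_asan_report(text):
    """Extract the triage-relevant facts from one ASan report."""
    report = {"error": None, "address": None, "access": None, "size": None, "thread": None,
              "access_stack": [], "alloc_stack": [], "region": None,
              "shadow_byte": None, "shadow_meaning": None}
    legend = {}
    section = None                       # which stack the frames currently belong to
    for raw in text.splitlines():
        s = raw.strip()
        m = re.search(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)", s)
        if m:
            report["error"], report["address"] = m.group(1), m.group(2)
            continue
        m = re.match(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-fA-F]+ thread (T\d+)", s)
        if m:
            report["access"], report["size"], report["thread"] = m.group(1), int(m.group(2)), m.group(3)
            section = "access_stack"
            continue
        m = re.search(r"is located (\d+) bytes inside of (\d+)-byte region", s)
        if m:
            report["region"] = (int(m.group(1)), int(m.group(2)))   # (offset, region size)
            continue
        if s.startswith("allocated by thread"):
            section = "alloc_stack"
            continue
        m = FRAME_RE.match(s)
        if m and section:
            report[section].append(_frame(m))
            continue
        if s.startswith("=>"):           # the shadow row holding the faulting byte, in [..]
            m = re.search(r"\[([0-9a-f]{2})\]", s)
            if m:
                report["shadow_byte"] = m.group(1)
            continue
        m = LEGEND_RE.match(s)
        if m:
            for byte in m.group(2).split():
                legend[byte] = m.group(1).strip()
            continue
        if not s:
            section = None               # a blank line ends the current stack
    if report["shadow_byte"]:
        report["shadow_meaning"] = legend.get(report["shadow_byte"])
    return report


def first_program_frame(report, stack="access_stack"):
    """First frame outside the sanitizer runtime: where the program itself touched the memory."""
    for frame in report[stack]:
        if not frame["func"].startswith(RUNTIME_PREFIXES):
            return frame
    return None


def triage_summary(report):
    """One-line summary of the kind a bug tracker title or dedup key is built from."""
    touch = first_program_frame(report)
    alloc = first_program_frame(report, "alloc_stack")
    parts = [f"{report['error']}: {report['access']} of {report['size']} byte(s)"]
    if touch:
        parts.append(f"in {touch['func']} ({touch['file'].rsplit('/', 1)[-1]}:{touch['line']})")
    if report["region"]:
        parts.append(f"at offset {report['region'][0]} of a {report['region'][1]}-byte region")
    if alloc:
        parts.append(f"allocated via {alloc['func']}")
    if report["shadow_meaning"]:
        parts.append(f"shadow byte {report['shadow_byte']} = {report['shadow_meaning']}")
    return "; ".join(parts)


if __name__ == "__main__":
    print(triage_summary(parse_asan_report(SAMPLE_REPORT)))
```

Running the script prints a single line naming `lex_string_set (m_string.h:233)` as the first server frame, `my_malloc` as the allocator entry and `f7 = Poisoned by user` for the shadow byte. The distinction that last field draws matters when reading sanitizer output from a server that manages its own arenas: a "freed heap region" (`fd`) points at a stale pointer into memory `free()` gave back, while "poisoned by user" points at memory the program deliberately marked unusable (here, after the memory root was reset between the two executions) and then read through anyway.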

            People

              Johnston Rex Johnston
              elenst Elena Stepanova