Details
-
Bug
-
Status: Closed
-
Blocker
-
Resolution: Fixed
-
N/A
-
Not for Release Notes
Description
I can only reproduce it on 10.6 (both main and bb-10.6-release), but not on 10.11+ (neither main nor bb-x-release). However, the test case seems fragile — it depends on the presence of all these seemingly unrelated fields and keys — so on 10.11 it may simply need to be different.
# Reproducer for the ASAN heap-buffer-overflow reported below: a 1-byte
# out-of-bounds READ in Field::is_null(), reached from
# Item_param::assign_default() while executing a prepared UPDATE whose
# placeholder is bound to DEFAULT.  Requires InnoDB.
--source include/have_innodb.inc


# The columns and secondary keys look unrelated to the crash, but the
# failure does not reproduce without them (see the description above);
# keep the table definition exactly as it is.
CREATE TABLE t (
pk bigint auto_increment,
f01 timestamp,
f02 varchar(8),
f03 timestamp,
f04 decimal,
f05 varchar(8),
f06 varchar(8),
f07 varchar(8),
f08 int,
f09 varchar(8),
f10 varchar(8),
f11 int,
f12 timestamp,
f13 decimal,
f14 varchar(8),
primary key (pk),
key (f06),
key (f07),
key (f08),
key (f11),
key (f12),
key (f14)
) ENGINE=InnoDB CHARACTER SET utf8mb4;
# Insert a single all-default row for the UPDATE below to operate on.
INSERT INTO t () VALUES ();
# NOTE(review): the trigger is BEFORE INSERT while the failing statement is
# an UPDATE; it appears to be needed for the repro (the UPDATE path goes
# through fill_record_n_invoke_before_triggers in the trace), but the
# exact role of the trigger is not established here.
CREATE TRIGGER tr BEFORE INSERT ON t FOR EACH ROW SET @a=1;

# Binding the placeholder to DEFAULT is what reaches
# Item_param::assign_default(); ASAN reports the out-of-bounds read there,
# 1256 bytes past the 8240-byte table-share allocation (see the report).
PREPARE stmt FROM "UPDATE t SET f03 = ?";
EXECUTE stmt USING DEFAULT;

DROP TABLE t;
10.6 18f85c8c681db74b35d3e042a998e4bccb1d6d98 |
==1069974==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000296618 at pc 0x556e691b435f bp 0x7fa3c849f3a0 sp 0x7fa3c849f398
READ of size 1 at 0x625000296618 thread T11
    #0 0x556e691b435e in Field::is_null(long long) const /data/bld/10.6-asan-ubsan/sql/field.h:1400
    #1 0x556e6aa6f3eb in Item_param::assign_default(Field*) /data/bld/10.6-asan-ubsan/sql/item.cc:5277
    #2 0x556e6aa6fd88 in Item_param::save_in_field(Field*, bool) /data/bld/10.6-asan-ubsan/sql/item.cc:4596
    #3 0x556e69446fe6 in fill_record(THD*, TABLE*, List<Item>&, List<Item>&, bool, bool) /data/bld/10.6-asan-ubsan/sql/sql_base.cc:8751
    #4 0x556e6944831b in fill_record_n_invoke_before_triggers(THD*, TABLE*, List<Item>&, List<Item>&, bool, trg_event_type) /data/bld/10.6-asan-ubsan/sql/sql_base.cc:8918
    #5 0x556e69d2342b in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*) /data/bld/10.6-asan-ubsan/sql/sql_update.cc:1045
    #6 0x556e69770d51 in mysql_execute_command(THD*, bool) /data/bld/10.6-asan-ubsan/sql/sql_parse.cc:4477
    #7 0x556e69827aeb in Prepared_statement::execute(String*, bool) /data/bld/10.6-asan-ubsan/sql/sql_prepare.cc:5285
    #8 0x556e6982b5ff in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/bld/10.6-asan-ubsan/sql/sql_prepare.cc:4691
    #9 0x556e6982da2d in mysql_sql_stmt_execute(THD*) /data/bld/10.6-asan-ubsan/sql/sql_prepare.cc:3721
    #10 0x556e6976be67 in mysql_execute_command(THD*, bool) /data/bld/10.6-asan-ubsan/sql/sql_parse.cc:4029
    #11 0x556e6978dd03 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/10.6-asan-ubsan/sql/sql_parse.cc:8200
    #12 0x556e69796fd3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/10.6-asan-ubsan/sql/sql_parse.cc:1908
    #13 0x556e697a3c25 in do_command(THD*, bool) /data/bld/10.6-asan-ubsan/sql/sql_parse.cc:1421
    #14 0x556e69f256ed in do_handle_one_connection(CONNECT*, bool) /data/bld/10.6-asan-ubsan/sql/sql_connect.cc:1386
    #15 0x556e69f2684a in handle_one_connection /data/bld/10.6-asan-ubsan/sql/sql_connect.cc:1298
    #16 0x556e6b957a9a in pfs_spawn_thread /data/bld/10.6-asan-ubsan/storage/perfschema/pfs.cc:2201
    #17 0x7fa3d86a81c3 in start_thread nptl/pthread_create.c:442
    #18 0x7fa3d872885b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x625000296618 is located 1256 bytes to the right of 8240-byte region [0x625000294100,0x625000296130)
allocated by thread T11 here:
    #0 0x7fa3d90b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x556e6cb8b455 in my_malloc /data/bld/10.6-asan-ubsan/mysys/my_malloc.c:91
    #2 0x556e6cb5f355 in init_alloc_root /data/bld/10.6-asan-ubsan/mysys/my_alloc.c:88
    #3 0x556e69dee499 in init_sql_alloc(unsigned int, st_mem_root*, unsigned int, unsigned int, unsigned long) /data/bld/10.6-asan-ubsan/sql/thr_malloc.cc:64
    #4 0x556e69d5ca72 in alloc_table_share(char const*, char const*, char const*, unsigned int) /data/bld/10.6-asan-ubsan/sql/table.cc:348
    #5 0x556e6a448e22 in tdc_acquire_share(THD*, TABLE_LIST*, unsigned int, TABLE**) /data/bld/10.6-asan-ubsan/sql/table_cache.cc:848
    #6 0x556e69405ab9 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/bld/10.6-asan-ubsan/sql/sql_base.cc:1977
    #7 0x556e6940da1c in open_and_process_table /data/bld/10.6-asan-ubsan/sql/sql_base.cc:3941
    #8 0x556e6943f09a in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/bld/10.6-asan-ubsan/sql/sql_base.cc:4425
    #9 0x556e693c71f2 in open_tables(THD*, TABLE_LIST**, unsigned int*, unsigned int) /data/bld/10.6-asan-ubsan/sql/sql_base.h:487
    #10 0x556e697f429a in mysql_test_update /data/bld/10.6-asan-ubsan/sql/sql_prepare.cc:1443
    #11 0x556e697f9169 in check_prepared_statement /data/bld/10.6-asan-ubsan/sql/sql_prepare.cc:2503
    #12 0x556e6980c784 in Prepared_statement::prepare(char const*, unsigned int) /data/bld/10.6-asan-ubsan/sql/sql_prepare.cc:4473
    #13 0x556e698196e5 in mysql_sql_stmt_prepare(THD*) /data/bld/10.6-asan-ubsan/sql/sql_prepare.cc:3055
    #14 0x556e6976be5a in mysql_execute_command(THD*, bool) /data/bld/10.6-asan-ubsan/sql/sql_parse.cc:4024
    #15 0x556e6978dd03 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/10.6-asan-ubsan/sql/sql_parse.cc:8200
    #16 0x556e69796fd3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/10.6-asan-ubsan/sql/sql_parse.cc:1908
    #17 0x556e697a3c25 in do_command(THD*, bool) /data/bld/10.6-asan-ubsan/sql/sql_parse.cc:1421
    #18 0x556e69f256ed in do_handle_one_connection(CONNECT*, bool) /data/bld/10.6-asan-ubsan/sql/sql_connect.cc:1386
    #19 0x556e69f2684a in handle_one_connection /data/bld/10.6-asan-ubsan/sql/sql_connect.cc:1298
    #20 0x556e6b957a9a in pfs_spawn_thread /data/bld/10.6-asan-ubsan/storage/perfschema/pfs.cc:2201
    #21 0x7fa3d86a81c3 in start_thread nptl/pthread_create.c:442

Thread T11 created by T0 here:
    #0 0x7fa3d9049726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
    #1 0x556e6b94d366 in my_thread_create /data/bld/10.6-asan-ubsan/storage/perfschema/my_thread.h:52
    #2 0x556e6b954c8e in pfs_spawn_thread_v1 /data/bld/10.6-asan-ubsan/storage/perfschema/pfs.cc:2252
    #3 0x556e69147c27 in inline_mysql_thread_create /data/bld/10.6-asan-ubsan/include/mysql/psi/mysql_thread.h:1139
    #4 0x556e69147c27 in create_thread_to_handle_connection(CONNECT*) /data/bld/10.6-asan-ubsan/sql/mysqld.cc:6016
    #5 0x556e69159a55 in create_new_thread(CONNECT*) /data/bld/10.6-asan-ubsan/sql/mysqld.cc:6075
    #6 0x556e69159c73 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/10.6-asan-ubsan/sql/mysqld.cc:6137
    #7 0x556e6915a8d6 in handle_connections_sockets() /data/bld/10.6-asan-ubsan/sql/mysqld.cc:6260
    #8 0x556e6915ad6f in run_main_loop /data/bld/10.6-asan-ubsan/sql/mysqld.cc:5519
    #9 0x556e6915c124 in mysqld_main(int, char**) /data/bld/10.6-asan-ubsan/sql/mysqld.cc:5917
    #10 0x556e6912f8e1 in main /data/bld/10.6-asan-ubsan/sql/main.cc:34
    #11 0x7fa3d8646249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-buffer-overflow /data/bld/10.6-asan-ubsan/sql/field.h:1400 in Field::is_null(long long) const
Shadow bytes around the buggy address:
  0x0c4a8004ac70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a8004ac80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a8004ac90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a8004aca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a8004acb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a8004acc0: fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a8004acd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a8004ace0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a8004acf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a8004ad00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a8004ad10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1069974==ABORTING

The failure started happening after this commit in 10.6:

commit c27d78beb59b49bee7697a489743b4abe17bebe5
Author: Sergei Golubchik
Date:   Mon Jun 30 15:44:50 2025 +0200

    MDEV-36870 Spurious unrelated permission error when selecting from table with default that uses nextval(sequence)
|
Attachments
Issue Links
- duplicates
-
MDEV-34322 ASAN heap-buffer-overflow in Field::is_null / Item_param::assign_default or bogus ER_BAD_NULL_ERROR
-
- Closed
-
- is caused by
-
MDEV-36870 Spurious unrelated permission error when selecting from table with default that uses nextval(sequence)
-
- Closed
-
- relates to
-
MDEV-34322 ASAN heap-buffer-overflow in Field::is_null / Item_param::assign_default or bogus ER_BAD_NULL_ERROR
-
- Closed
-
-
MDEV-37341 Assertion failures `null_ptr < ptr' and `ptr - null_ptr <= (int)table->s->rec_buff_length' with BEFORE trigger and UPDATE
-
- Confirmed
-