[MDEV-37710] ASAN errors in find_type2 upon executing a procedure from sys schema - Jira

XML

Word

Printable

Details

Type: Bug
Status: In Progress (View Workflow)
Priority: Blocker
Resolution: Unresolved
Affects Version/s: 10.11
Fix Version/s: 10.11
Component/s: Performance Schema, Stored routines
Labels:
- regression

Description

The test case is for reproducing purposes only, don't put it into a regression suite, create a deterministic one without a sleep instead.
sys.diagnostics is a huge procedure, I suppose after the issue is analyzed, the guilty part may be extracted, and then the threads can be serialized. Until then, I assume the test remains non-deterministic.

I'm keeping the use of sys.diagnostics as is to indicate that it is a very realistic use case rather than a crazy testing invention: the procedure is clearly meant to be executed over a period of a time, in parallel with other activities.

--send

  CALL sys.diagnostics(3, 1, 'full');

--connect (con1,localhost,root,,)

--sleep 1.5

CREATE FUNCTION f() RETURNS INT RETURN 1;

--connection default

--reap

DROP FUNCTION f;

10.11 cd36925ac16cf109c70939ee01ad5227a0cb9680
==2627316==ERROR: AddressSanitizer: heap-use-after-free on address 0x62500039e100 at pc 0x5616f4aae641 bp 0x7f33c3bdea20 sp 0x7f33c3bdea18
READ of size 4 at 0x62500039e100 thread T5
#0 0x5616f4aae640 in find_type2(st_typelib const, char const, unsigned long, charset_info_st const*) /data/bld/10.11-asan-ubsan/sql/strfunc.cc:169
#1 0x5616f562d32f in Field_enum::store(char const, unsigned long, charset_info_st const) /data/bld/10.11-asan-ubsan/sql/field.cc:9448
#2 0x5616f5827fe8 in Item::save_str_in_field(Field*, bool) /data/bld/10.11-asan-ubsan/sql/item.cc:7056
#3 0x5616f500c2a1 in Type_handler_string_result::Item_save_in_field(Item, Field, bool) const /data/bld/10.11-asan-ubsan/sql/sql_type.cc:4412
#4 0x5616f57b20b1 in Item::save_in_field(Field*, bool) /data/bld/10.11-asan-ubsan/sql/item.cc:7104
#5 0x5616f55c0f31 in Field::sp_prepare_and_store_item(THD, Item*) /data/bld/10.11-asan-ubsan/sql/field.cc:1511
#6 0x5616f3f54d68 in THD::sp_eval_expr(Field, Item*) /data/bld/10.11-asan-ubsan/sql/sp_head.cc:453
#7 0x5616f3fce274 in sp_rcontext::set_return_value(THD, Item*) /data/bld/10.11-asan-ubsan/sql/sp_rcontext.cc:440
#8 0x5616f3f40455 in sp_instr_freturn::exec_core(THD, unsigned int) /data/bld/10.11-asan-ubsan/sql/sp_head.cc:4373
#9 0x5616f3f78a9c in sp_lex_keeper::reset_lex_and_exec_core(THD, unsigned int, bool, sp_instr*) /data/bld/10.11-asan-ubsan/sql/sp_head.cc:3661
#10 0x5616f3f7dcff in sp_instr_freturn::execute(THD, unsigned int) /data/bld/10.11-asan-ubsan/sql/sp_head.cc:4330
#11 0x5616f3f8cdb0 in sp_head::execute(THD*, bool) /data/bld/10.11-asan-ubsan/sql/sp_head.cc:1464
#12 0x5616f3f9aafd in sp_head::execute_function(THD, Item, unsigned int, Field, sp_rcontext*, Query_arena) /data/bld/10.11-asan-ubsan/sql/sp_head.cc:2228
#13 0x5616f57fb8d4 in Item_sp::execute_impl(THD, Item*, unsigned int) /data/bld/10.11-asan-ubsan/sql/item.cc:3000
#14 0x5616f57fcab9 in Item_sp::execute(THD, bool, Item**, unsigned int) /data/bld/10.11-asan-ubsan/sql/item.cc:2914
#15 0x5616f5b0617d in Item_func_sp::execute() /data/bld/10.11-asan-ubsan/sql/item_func.cc:6723
#16 0x5616f5b57dff in Item_func_sp::val_str(String*) (/share8t/bld/10.11-asan-ubsan/sql/mariadbd+0x9729dff)
#17 0x5616f58e5ff5 in Arg_comparator::compare_string() /data/bld/10.11-asan-ubsan/sql/item_cmpfunc.cc:819
#18 0x5616f5992b06 in Arg_comparator::compare() /data/bld/10.11-asan-ubsan/sql/item_cmpfunc.h:117
#19 0x5616f5906de3 in Item_func_eq::val_bool() /data/bld/10.11-asan-ubsan/sql/item_cmpfunc.cc:1845
#20 0x5616f3f544bc in sp_instr_jump_if_not::exec_core(THD, unsigned int) /data/bld/10.11-asan-ubsan/sql/sp_head.cc:4251
#21 0x5616f3f78a9c in sp_lex_keeper::reset_lex_and_exec_core(THD, unsigned int, bool, sp_instr*) /data/bld/10.11-asan-ubsan/sql/sp_head.cc:3661
#22 0x5616f3f7da8e in sp_instr_jump_if_not::execute(THD, unsigned int) /data/bld/10.11-asan-ubsan/sql/sp_head.cc:4233
#23 0x5616f3f8cdb0 in sp_head::execute(THD*, bool) /data/bld/10.11-asan-ubsan/sql/sp_head.cc:1464
#24 0x5616f3f96f48 in sp_head::execute_procedure(THD, List<Item>) /data/bld/10.11-asan-ubsan/sql/sp_head.cc:2483
#25 0x5616f4418275 in do_execute_sp /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:3085
#26 0x5616f4430d69 in Sql_cmd_call::execute(THD*) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:3330
#27 0x5616f447d0af in mysql_execute_command(THD*, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:6165
#28 0x5616f4481942 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:8180
#29 0x5616f448accd in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:1906
#30 0x5616f4497909 in do_command(THD*, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:1419
#31 0x5616f4c8fc3f in do_handle_one_connection(CONNECT*, bool) /data/bld/10.11-asan-ubsan/sql/sql_connect.cc:1475
#32 0x5616f4c90d9c in handle_one_connection /data/bld/10.11-asan-ubsan/sql/sql_connect.cc:1387
#33 0x5616f6601aa8 in pfs_spawn_thread /data/bld/10.11-asan-ubsan/storage/perfschema/pfs.cc:2201
#34 0x7f33cdca81c3 in start_thread nptl/pthread_create.c:442
#35 0x7f33cdd2885b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x62500039e100 is located 4096 bytes inside of 8184-byte region [0x62500039d100,0x62500039f0f8)
freed by thread T5 here:
#0 0x7f33cf0b76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
#1 0x5616f78ba8a9 in my_free /data/bld/10.11-asan-ubsan/mysys/my_malloc.c:217
#2 0x5616f788e1cb in root_free /data/bld/10.11-asan-ubsan/mysys/my_alloc.c:77
#3 0x5616f78901d1 in free_root /data/bld/10.11-asan-ubsan/mysys/my_alloc.c:511
#4 0x5616f3f5579c in sp_head::destroy(sp_head*) /data/bld/10.11-asan-ubsan/sql/sp_head.cc:543
#5 0x5616f3f3ae58 in hash_free_sp_head /data/bld/10.11-asan-ubsan/sql/sp_cache.cc:287
#6 0x5616f784fc7b in my_hash_delete /data/bld/10.11-asan-ubsan/mysys/hash.c:641
#7 0x5616f3f3bb8d in sp_cache::remove(sp_head*) /data/bld/10.11-asan-ubsan/sql/sp_cache.cc:59
#8 0x5616f3f3bb8d in sp_cache_flush_obsolete(sp_cache, sp_head) /data/bld/10.11-asan-ubsan/sql/sp_cache.cc:238
#9 0x5616f61291fa in Sp_handler::sp_cache_routine(THD, Database_qualified_name const, sp_head**) const /data/bld/10.11-asan-ubsan/sql/sp.cc:2824
#10 0x5616f61424af in Sroutine_hash_entry::sp_cache_routine(THD, sp_head*) const /data/bld/10.11-asan-ubsan/sql/sp.cc:2789
#11 0x5616f40ace0e in open_and_process_routine /data/bld/10.11-asan-ubsan/sql/sql_base.cc:3847
#12 0x5616f4106b5b in open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /data/bld/10.11-asan-ubsan/sql/sql_base.cc:4769
#13 0x5616f4109d06 in open_and_lock_tables(THD, DDL_options_st const&, TABLE_LIST, bool, unsigned int, Prelocking_strategy*) /data/bld/10.11-asan-ubsan/sql/sql_base.cc:5686
#14 0x5616f3fba335 in open_and_lock_tables(THD, TABLE_LIST, bool, unsigned int) /data/bld/10.11-asan-ubsan/sql/sql_base.h:519
#15 0x5616f3f772e6 in sp_instr::exec_open_and_lock_tables(THD, TABLE_LIST) /data/bld/10.11-asan-ubsan/sql/sp_head.cc:3790
#16 0x5616f3f78beb in sp_lex_keeper::reset_lex_and_exec_core(THD, unsigned int, bool, sp_instr*) /data/bld/10.11-asan-ubsan/sql/sp_head.cc:3657
#17 0x5616f3f7da8e in sp_instr_jump_if_not::execute(THD, unsigned int) /data/bld/10.11-asan-ubsan/sql/sp_head.cc:4233
#18 0x5616f3f8cdb0 in sp_head::execute(THD*, bool) /data/bld/10.11-asan-ubsan/sql/sp_head.cc:1464
#19 0x5616f3f96f48 in sp_head::execute_procedure(THD, List<Item>) /data/bld/10.11-asan-ubsan/sql/sp_head.cc:2483
#20 0x5616f4418275 in do_execute_sp /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:3085
#21 0x5616f4430d69 in Sql_cmd_call::execute(THD*) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:3330
#22 0x5616f447d0af in mysql_execute_command(THD*, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:6165
#23 0x5616f4481942 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:8180
#24 0x5616f448accd in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:1906
#25 0x5616f4497909 in do_command(THD*, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:1419
#26 0x5616f4c8fc3f in do_handle_one_connection(CONNECT*, bool) /data/bld/10.11-asan-ubsan/sql/sql_connect.cc:1475
#27 0x5616f4c90d9c in handle_one_connection /data/bld/10.11-asan-ubsan/sql/sql_connect.cc:1387
#28 0x5616f6601aa8 in pfs_spawn_thread /data/bld/10.11-asan-ubsan/storage/perfschema/pfs.cc:2201
#29 0x7f33cdca81c3 in start_thread nptl/pthread_create.c:442

previously allocated by thread T5 here:
#0 0x7f33cf0b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x5616f78ba14f in my_malloc /data/bld/10.11-asan-ubsan/mysys/my_malloc.c:92
#2 0x5616f788e057 in root_alloc /data/bld/10.11-asan-ubsan/mysys/my_alloc.c:66
#3 0x5616f788e60a in init_alloc_root /data/bld/10.11-asan-ubsan/mysys/my_alloc.c:178
#4 0x5616f4b53c16 in init_sql_alloc(unsigned int, st_mem_root*, unsigned int, unsigned int, unsigned long) /data/bld/10.11-asan-ubsan/sql/thr_malloc.cc:64
#5 0x5616f3f58b6b in sp_head::create(sp_package, Sp_handler const, enum_sp_aggregate_type) /data/bld/10.11-asan-ubsan/sql/sp_head.cc:522
#6 0x5616f436fef0 in LEX::make_sp_head(THD, sp_name const, Sp_handler const*, enum_sp_aggregate_type) /data/bld/10.11-asan-ubsan/sql/sql_lex.cc:7467
#7 0x5616f43713da in LEX::make_sp_head_no_recursive(THD, sp_name const, Sp_handler const*, enum_sp_aggregate_type) /data/bld/10.11-asan-ubsan/sql/sql_lex.cc:7510
#8 0x5616f439c64f in LEX::stmt_create_stored_function_start(DDL_options_st const&, enum_sp_aggregate_type, sp_name const*) /data/bld/10.11-asan-ubsan/sql/sql_lex.cc:11754
#9 0x5616f53a4586 in MYSQLparse(THD*) /data/bld/10.11-asan-ubsan/sql/sql_yacc.yy:18327
#10 0x5616f4453d06 in parse_sql(THD, Parser_state, Object_creation_ctx*, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:10581
#11 0x5616f611f1bd in sp_compile /data/bld/10.11-asan-ubsan/sql/sp.cc:875
#12 0x5616f6124d6c in Sp_handler::db_load_routine(THD, Database_qualified_name const, sp_head*, unsigned long long, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, st_sp_chistics const&, AUTHID const&, long long, long long, sp_package, Stored_program_creation_ctx*) const /data/bld/10.11-asan-ubsan/sql/sp.cc:1002
#13 0x5616f612868f in Sp_handler::db_find_routine(THD, Database_qualified_name const, sp_head**) const /data/bld/10.11-asan-ubsan/sql/sp.cc:765
#14 0x5616f6128bf8 in Sp_handler::db_find_and_cache_routine(THD, Database_qualified_name const, sp_head**) const /data/bld/10.11-asan-ubsan/sql/sp.cc:788
#15 0x5616f6129317 in Sp_handler::sp_cache_routine(THD, Database_qualified_name const, sp_head**) const /data/bld/10.11-asan-ubsan/sql/sp.cc:2829
#16 0x5616f61424af in Sroutine_hash_entry::sp_cache_routine(THD, sp_head*) const /data/bld/10.11-asan-ubsan/sql/sp.cc:2789
#17 0x5616f40ace0e in open_and_process_routine /data/bld/10.11-asan-ubsan/sql/sql_base.cc:3847
#18 0x5616f4106b5b in open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /data/bld/10.11-asan-ubsan/sql/sql_base.cc:4769
#19 0x5616f4109d06 in open_and_lock_tables(THD, DDL_options_st const&, TABLE_LIST, bool, unsigned int, Prelocking_strategy*) /data/bld/10.11-asan-ubsan/sql/sql_base.cc:5686
#20 0x5616f3fba335 in open_and_lock_tables(THD, TABLE_LIST, bool, unsigned int) /data/bld/10.11-asan-ubsan/sql/sql_base.h:519
#21 0x5616f441967c in execute_sqlcom_select /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:6348
#22 0x5616f445f2ee in mysql_execute_command(THD*, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:4008
#23 0x5616f3f3f415 in sp_instr_stmt::exec_core(THD, unsigned int) /data/bld/10.11-asan-ubsan/sql/sp_head.cc:3950
#24 0x5616f3f78a9c in sp_lex_keeper::reset_lex_and_exec_core(THD, unsigned int, bool, sp_instr*) /data/bld/10.11-asan-ubsan/sql/sp_head.cc:3661
#25 0x5616f3f7c039 in sp_instr_stmt::execute(THD, unsigned int) /data/bld/10.11-asan-ubsan/sql/sp_head.cc:3853
#26 0x5616f3f8cdb0 in sp_head::execute(THD*, bool) /data/bld/10.11-asan-ubsan/sql/sp_head.cc:1464
#27 0x5616f3f96f48 in sp_head::execute_procedure(THD, List<Item>) /data/bld/10.11-asan-ubsan/sql/sp_head.cc:2483
#28 0x5616f4418275 in do_execute_sp /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:3085
#29 0x5616f4430d69 in Sql_cmd_call::execute(THD*) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:3330

Thread T5 created by T0 here:
#0 0x7f33cf049726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
#1 0x5616f65f7374 in my_thread_create /data/bld/10.11-asan-ubsan/storage/perfschema/my_thread.h:52
#2 0x5616f65fec9c in pfs_spawn_thread_v1 /data/bld/10.11-asan-ubsan/storage/perfschema/pfs.cc:2252
#3 0x5616f3cec0ec in inline_mysql_thread_create /data/bld/10.11-asan-ubsan/include/mysql/psi/mysql_thread.h:1139
#4 0x5616f3cec0ec in create_thread_to_handle_connection(CONNECT*) /data/bld/10.11-asan-ubsan/sql/mysqld.cc:6139
#5 0x5616f3cfde7d in create_new_thread(CONNECT*) /data/bld/10.11-asan-ubsan/sql/mysqld.cc:6198
#6 0x5616f3cfe09b in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/10.11-asan-ubsan/sql/mysqld.cc:6260
#7 0x5616f3cfecdc in handle_connections_sockets() /data/bld/10.11-asan-ubsan/sql/mysqld.cc:6383
#8 0x5616f3cff188 in run_main_loop /data/bld/10.11-asan-ubsan/sql/mysqld.cc:5639
#9 0x5616f3d0054e in mysqld_main(int, char**) /data/bld/10.11-asan-ubsan/sql/mysqld.cc:6040
#10 0x5616f3cd3971 in main /data/bld/10.11-asan-ubsan/sql/main.cc:34
#11 0x7f33cdc46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-use-after-free /data/bld/10.11-asan-ubsan/sql/strfunc.cc:169 in find_type2(st_typelib const, char const, unsigned long, charset_info_st const*)
Shadow bytes around the buggy address:
0x0c4a8006bbd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8006bbe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8006bbf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8006bc00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8006bc10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c4a8006bc20:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8006bc30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8006bc40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8006bc50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8006bc60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8006bc70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2627316==ABORTING

The failure started happening after this commit in 10.11 (after 10.11.14):

commit 852e4510fa662c571a42f550278d4abd09e3c5cf

Author: Dmitry Shulga

Date:   Wed Jul 23 09:34:47 2025 +0700

    MDEV-26115: Crash when calling stored function in FOR loop argument

Attachments

Issue Links

is caused by

MDEV-26115 Crash when calling stored function in FOR loop argument

Closed

Activity

People

Assignee:: Dmitry Shulga

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2025-09-22 17:23

Updated:: Yesterday 03:27

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.