[MDEV-37955] Mroonga: ASAN stack-buffer-overflow from open_table_def, Assertions `strlen(db) <= (64*3)' in MDL_key::mdl_key_init and `is_null() || is_empty() || !check_name(*this)' failed in Lex_ident_db::Lex_ident_db on DROP TABLE - Jira

INSTALL SONAME 'ha_mroonga';

DROP TABLE `##################################################_long`.`#################################################_long`;

CS 12.2.0 8d08350dd3cac91df23a7dfbde23c276d7c7cd2b (Debug, Clang 21.1.3-20250923) Build 16/10/2025
mariadbd: /test/12.2_dbg/sql/lex_ident.h:190: Lex_ident_db::Lex_ident_db(const LEX_CSTRING &): Assertion `is_null() \|\| is_empty() \|\| !check_name(*this)' failed.

CS 12.2.0 8d08350dd3cac91df23a7dfbde23c276d7c7cd2b (Debug, Clang 21.1.3-20250923) Build 16/10/2025
Core was generated by `/test/MD161025-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
Program terminated with signal SIGABRT, Aborted.
Download failed: Invalid argument. Continuing without source file ./nptl/./nptl/pthread_kill.c.
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44

[Current thread is 1 (LWP 1893636)]
(gdb) bt
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6)at ./nptl/pthread_kill.c:89
#3 0x000073a19164526e in __GI_raise (sig=sig@entry=6)at ../sysdeps/posix/raise.c:26
#4 0x000073a1916288ff in __GI_abort () at ./stdlib/abort.c:79
#5 0x000073a19162881b in __assert_fail_base (fmt=0x73a1917d01e8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x73a12a8b68e6 "is_null() \|\| is_empty() \|\| !check_name(*this)", file=file@entry=0x73a12a8ada62 "/test/12.2_dbg/sql/lex_ident.h", line=line@entry=190, function=function@entry=0x73a12a8d0ab5 "Lex_ident_db::Lex_ident_db(const LEX_CSTRING &)") at ./assert/assert.c:94
#6 0x000073a19163b507 in __assert_fail (assertion=0x73a12a8b68e6 "is_null() \|\| is_empty() \|\| !check_name(*this)", file=0x73a12a8ada62 "/test/12.2_dbg/sql/lex_ident.h", line=190, function=0x73a12a8d0ab5 "Lex_ident_db::Lex_ident_db(const LEX_CSTRING &)")at ./assert/assert.c:103
#7 0x000073a12a97c21a in Lex_ident_db::Lex_ident_db (this=0x73a1637f4368, str=@0x73a1637f4460: {str = 0x73a1637f6010 "@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023"..., length = 255}) at /test/12.2_dbg/sql/lex_ident.h:190
#8 0x000073a12a978f83 in TABLE_LIST::init_one_table (this=0x73a1637f48b8, db_arg=0x73a1637f4460, table_name_arg=0x73a1637f4450, alias_arg=0x0, lock_type_arg=TL_WRITE) at /test/12.2_dbg/sql/table.h:2518
#9 0x000073a12a942150 in ha_mroonga::delete_table (this=0x73a0a40201e8, name=0x73a1637fbee0 "./@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@00"...)at /test/12.2_dbg/storage/mroonga/ha_mroonga.cpp:5124
#10 0x00005bbbf809052c in hton_drop_table (hton=0x73a0a403b508, path=0x73a1637fbee0 "./@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@00"...)at /test/12.2_dbg/sql/handler.cc:580
#11 0x00005bbbf809622e in ha_delete_table (thd=0x73a0a4000d58, hton=0x73a0a403b508, path=0x73a1637fbee0 "./@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@00"..., db=0x73a1637fb878, alias=0x73a1637fb868, generate_warning=false)at /test/12.2_dbg/sql/handler.cc:3339
#12 0x00005bbbf809d64b in delete_table_force (thd=0x73a0a4000d58, plugin=0x73a0a569f278, arg=0x73a1637fb370)at /test/12.2_dbg/sql/handler.cc:5899
#13 0x00005bbbf852b9a4 in plugin_foreach_with_mask (thd=0x73a0a4000d58, func=0x5bbbf809d5b0 <delete_table_force(THD, st_plugin_int, void)>, type=1, state_mask=8, arg=0x73a1637fb370)at /test/12.2_dbg/sql/sql_plugin.cc:2557
#14 0x00005bbbf809d568 in ha_delete_table_force (thd=0x73a0a4000d58, path=0x73a1637fbee0 "./@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@0023@00"..., db=0x73a1637fb878, alias=0x73a1637fb868)at /test/12.2_dbg/sql/handler.cc:5945
#15 0x00005bbbf8614f84 in mysql_rm_table_no_locks (thd=0x73a0a4000d58, tables=0x73a0a401a218, current_db=0x73a0a4000e00, ddl_log_state=0x73a1637fb930, if_exists=false, drop_temporary=false, drop_view=false, drop_sequence=false, dont_log_query=false, dont_free_locks=false) at /test/12.2_dbg/sql/sql_table.cc:1804
#16 0x00005bbbf8613541 in mysql_rm_table (thd=0x73a0a4000d58, tables=0x73a0a401a218, if_exists=false, drop_temporary=false, drop_sequence=false, dont_log_query=false)at /test/12.2_dbg/sql/sql_table.cc:1255
#17 0x00005bbbf84fbf6e in mysql_execute_command (thd=0x73a0a4000d58, is_called_from_prepared_stmt=false) at /test/12.2_dbg/sql/sql_parse.cc:4770
#18 0x00005bbbf84f1818 in mysql_parse (thd=0x73a0a4000d58, rawbuf=0x73a0a4019ea0 "DROP TABLE `", '#' <repeats 50 times>, "_long`.`", '#' <repeats 49 times>, "_long`", length=125, parser_state=0x73a1637fda00)at /test/12.2_dbg/sql/sql_parse.cc:7886
#19 0x00005bbbf84eeff9 in dispatch_command (command=COM_QUERY, thd=0x73a0a4000d58, packet=0x73a0a400b219 "DROP TABLE `", '#' <repeats 50 times>, "_long`.`", '#' <repeats 49 times>, "_long`", packet_length=125, blocking=true)at /test/12.2_dbg/sql/sql_parse.cc:1878
#20 0x00005bbbf84f229a in do_command (thd=0x73a0a4000d58, blocking=true)at /test/12.2_dbg/sql/sql_parse.cc:1417
#21 0x00005bbbf86e4f2e in do_handle_one_connection (connect=0x5bbbfaf18818, put_in_cache=true) at /test/12.2_dbg/sql/sql_connect.cc:1503
#22 0x00005bbbf86e4d11 in handle_one_connection (arg=0x5bbbfae74428)at /test/12.2_dbg/sql/sql_connect.cc:1415
#23 0x000073a19169ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
#24 0x000073a191729c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

Bug Detection Matrix
Rel o/d Build Commit UniqueID observed
CS 10.6 dbg 161025 8258b2fd56e6c7fad64d3877ca01049778f1a541 strlen(db) <= (64*3)\|SIGABRT\|MDL_key::mdl_key_init\|MDL_request::init_with_source\|TABLE_LIST::init_one_table\|ha_mroonga::delete_table
CS 10.6 opt 161025 8258b2fd56e6c7fad64d3877ca01049778f1a541 No bug found
CS 10.11 dbg 161025 1ac22707205c433a42e60e7340299e9bbf988157 strlen(db) <= (64*3)\|SIGABRT\|MDL_key::mdl_key_init\|MDL_request::init_with_source\|TABLE_LIST::init_one_table\|ha_mroonga::delete_table
CS 10.11 opt 161025 1ac22707205c433a42e60e7340299e9bbf988157 No bug found
CS 11.4 dbg 161025 b2c1ba820b6cda723c58f2ba01ccf2e379b7f313 strlen(db) <= (64*3)\|SIGABRT\|MDL_key::mdl_key_init\|MDL_request::init_with_source\|TABLE_LIST::init_one_table\|ha_mroonga::delete_table
CS 11.4 opt 161025 b2c1ba820b6cda723c58f2ba01ccf2e379b7f313 No bug found
CS 11.8 dbg 161025 29d8f65470394f740fa548e4a4a822273d7362e8 is_null() \|\| is_empty() \|\| !check_name(*this)\|SIGABRT\|Lex_ident_db::Lex_ident_db\|TABLE_LIST::init_one_table\|ha_mroonga::delete_table\|hton_drop_table
CS 11.8 opt 161025 29d8f65470394f740fa548e4a4a822273d7362e8 No bug found
CS 12.1 dbg 161025 d29fb34b8390accaa7700c3a87911180f3fa3dff is_null() \|\| is_empty() \|\| !check_name(*this)\|SIGABRT\|Lex_ident_db::Lex_ident_db\|TABLE_LIST::init_one_table\|ha_mroonga::delete_table\|hton_drop_table
CS 12.1 opt 161025 d29fb34b8390accaa7700c3a87911180f3fa3dff No bug found
CS 12.2 dbg 161025 8d08350dd3cac91df23a7dfbde23c276d7c7cd2b is_null() \|\| is_empty() \|\| !check_name(*this)\|SIGABRT\|Lex_ident_db::Lex_ident_db\|TABLE_LIST::init_one_table\|ha_mroonga::delete_table\|hton_drop_table
CS 12.2 opt 161025 8d08350dd3cac91df23a7dfbde23c276d7c7cd2b No bug found
ES 10.6 dbg 161025 7fb6f2133cd2a150fb551bb517a3bb6588d79ad6 strlen(db) <= (64*3)\|SIGABRT\|MDL_key::mdl_key_init\|MDL_request::init_with_source\|TABLE_LIST::init_one_table\|ha_mroonga::delete_table
ES 10.6 opt 161025 7fb6f2133cd2a150fb551bb517a3bb6588d79ad6 No bug found
ES 11.4 dbg 161025 bfe2cfd839dacf10f700bb320c09527945d1d6e2 strlen(db) <= (64*3)\|SIGABRT\|MDL_key::mdl_key_init\|MDL_request::init_with_source\|TABLE_LIST::init_one_table\|ha_mroonga::delete_table
ES 11.4 opt 161025 bfe2cfd839dacf10f700bb320c09527945d1d6e2 No bug found
ES 11.8 dbg 161025 08dc6f5144533a3c8747c5d67d363258b4e2ed20 is_null() \|\| is_empty() \|\| !check_name(*this)\|SIGABRT\|Lex_ident_db::Lex_ident_db\|TABLE_LIST::init_one_table\|ha_mroonga::delete_table\|hton_drop_table
ES 11.8 opt 161025 08dc6f5144533a3c8747c5d67d363258b4e2ed20 No bug found

SAN Bug Detection Matrix
Rel o/d Build Commit UniqueID observed
CS 10.6 dbg 161025 8258b2fd56e6c7fad64d3877ca01049778f1a541 strlen(db) <= (64*3)\|SIGABRT\|MDL_key::mdl_key_init\|MDL_request::init_with_source\|TABLE_LIST::init_one_table\|ha_mroonga::delete_table
CS 10.6 opt 161025 8258b2fd56e6c7fad64d3877ca01049778f1a541 ASAN\|stack-buffer-overflow\|strings/strxmov.c\|strxmov\|open_table_def\|mrn_create_tmp_table_share\|ha_mroonga::delete_table
CS 10.11 dbg 161025 1ac22707205c433a42e60e7340299e9bbf988157 strlen(db) <= (64*3)\|SIGABRT\|MDL_key::mdl_key_init\|MDL_request::init_with_source\|TABLE_LIST::init_one_table\|ha_mroonga::delete_table
CS 10.11 opt 161025 1ac22707205c433a42e60e7340299e9bbf988157 ASAN\|stack-buffer-overflow\|strings/strxmov.c\|strxmov\|open_table_def\|mrn_create_tmp_table_share\|ha_mroonga::delete_table
CS 11.4 dbg 161025 b2c1ba820b6cda723c58f2ba01ccf2e379b7f313 strlen(db) <= (64*3)\|SIGABRT\|MDL_key::mdl_key_init\|MDL_request::init_with_source\|TABLE_LIST::init_one_table\|ha_mroonga::delete_table
CS 11.4 opt 161025 b2c1ba820b6cda723c58f2ba01ccf2e379b7f313 ASAN\|stack-buffer-overflow\|strings/strxmov.c\|strxmov\|open_table_def\|mrn_create_tmp_table_share\|ha_mroonga::delete_table
CS 11.8 dbg 161025 29d8f65470394f740fa548e4a4a822273d7362e8 is_null() \|\| is_empty() \|\| !check_name(*this)\|SIGABRT\|Lex_ident_db::Lex_ident_db\|TABLE_LIST::init_one_table\|ha_mroonga::delete_table\|hton_drop_table
CS 11.8 opt 161025 29d8f65470394f740fa548e4a4a822273d7362e8 No bug found
CS 12.1 dbg 161025 d29fb34b8390accaa7700c3a87911180f3fa3dff is_null() \|\| is_empty() \|\| !check_name(*this)\|SIGABRT\|Lex_ident_db::Lex_ident_db\|TABLE_LIST::init_one_table\|ha_mroonga::delete_table\|hton_drop_table
CS 12.1 opt 161025 d29fb34b8390accaa7700c3a87911180f3fa3dff No bug found
CS 12.2 dbg 161025 8d08350dd3cac91df23a7dfbde23c276d7c7cd2b is_null() \|\| is_empty() \|\| !check_name(*this)\|SIGABRT\|Lex_ident_db::Lex_ident_db\|TABLE_LIST::init_one_table\|ha_mroonga::delete_table\|hton_drop_table
CS 12.2 opt 161025 8d08350dd3cac91df23a7dfbde23c276d7c7cd2b No bug found
ES 10.6 dbg 161025 7fb6f2133cd2a150fb551bb517a3bb6588d79ad6 strlen(db) <= (64*3)\|SIGABRT\|MDL_key::mdl_key_init\|MDL_request::init_with_source\|TABLE_LIST::init_one_table\|ha_mroonga::delete_table
ES 10.6 opt 161025 7fb6f2133cd2a150fb551bb517a3bb6588d79ad6 ASAN\|stack-buffer-overflow\|strings/strxmov.c\|strxmov\|open_table_def\|mrn_create_tmp_table_share\|ha_mroonga::delete_table
ES 11.4 dbg 161025 bfe2cfd839dacf10f700bb320c09527945d1d6e2 strlen(db) <= (64*3)\|SIGABRT\|MDL_key::mdl_key_init\|MDL_request::init_with_source\|TABLE_LIST::init_one_table\|ha_mroonga::delete_table
ES 11.4 opt 161025 bfe2cfd839dacf10f700bb320c09527945d1d6e2 No bug found
ES 11.8 dbg 161025 08dc6f5144533a3c8747c5d67d363258b4e2ed20 is_null() \|\| is_empty() \|\| !check_name(*this)\|SIGABRT\|Lex_ident_db::Lex_ident_db\|TABLE_LIST::init_one_table\|ha_mroonga::delete_table\|hton_drop_table
ES 11.8 opt 161025 08dc6f5144533a3c8747c5d67d363258b4e2ed20 No bug found

Compiled with a recent version of Clang and LLVM. Ubuntu instructions for Clang/LLVM 18:

  # Note: It is strongly recommended to uninstall all old Clang & LLVM packages (ref  dpkg --list | grep -iE 'clang|llvm'  and use  apt purge  and  dpkg --purge  to remove the packages), before installing Clang/LLVM 18

     sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev lld-18

Compiled with: "-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DCMAKE_C{,XX}_FLAGS='-march=native -mtune=native'" and:

    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON

Set before execution:

    export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1

Mroonga: ASAN stack-buffer-overflow from open_table_def, Assertions `strlen(db) <= (643)' in MDL_key::mdl_key_init and `is_null() || is_empty() || !check_name(this)' failed in Lex_ident_db::Lex_ident_db on DROP TABLE

Details

Description

Attachments

Activity

People

Dates