MariaDB Server: MDEV-38526

Federatedx: ASAN: use-after-poison memory corruption on SAVEPOINT


Details

    • Can result in data loss

    Description

      INSTALL SONAME 'ha_federatedx';
      eval CREATE SERVER srv FOREIGN DATA WRAPPER mysql OPTIONS (USER 'root', HOST '127.0.0.1', DATABASE 'test', PORT $MASTER_MYPORT);
      CREATE TABLE t1 (c INT) ENGINE=MyISAM;
      CREATE TABLE t2 (c INT) CONNECTION='srv/t1' ENGINE=Federated;
      XA START 'a';
      CREATE TEMPORARY TABLE t2 (c INT) CONNECTION='srv/t1' ENGINE=Federated;
      INSERT INTO t2 VALUES (0);
      SAVEPOINT sp;
      

      Leads to:

      CS 12.2.0 fd15fd2765b53d0c070dd01d86fb231024b8f284 (Debug, UBASAN, Clang 21.1.3-20250923) Build 10/11/2025

      ==2648660==ERROR: AddressSanitizer: use-after-poison on address 0x7191c58e59a8 at pc 0x6f40bdbb3fe3 bp 0x6f40bf900410 sp 0x6f40bf900408
      WRITE of size 8 at 0x7191c58e59a8 thread T13
          #0 0x6f40bdbb3fe2 in federatedx_txn::sp_acquire(unsigned long*) /test/12.2_dbg_san/storage/federatedx/federatedx_txn.cc:301:6
          #1 0x6f40bdb86756 in ha_federatedx::savepoint_set(THD*, void*) /test/12.2_dbg_san/storage/federatedx/ha_federatedx.cc:3561:10
          #2 0x59294ca49e04 in ha_savepoint(THD*, st_savepoint*) /test/12.2_dbg_san/sql/handler.cc:3145:15
          #3 0x59294e23893f in trans_savepoint(THD*, st_mysql_const_lex_string) /test/12.2_dbg_san/sql/transaction.cc:675:7
          #4 0x59294d9e0a81 in mysql_execute_command(THD*, bool) /test/12.2_dbg_san/sql/sql_parse.cc:5569:9
          #5 0x59294d9be1e8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/12.2_dbg_san/sql/sql_parse.cc:7888:18
          #6 0x59294d9b79a3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/12.2_dbg_san/sql/sql_parse.cc:1878:7
          #7 0x59294d9c062a in do_command(THD*, bool) /test/12.2_dbg_san/sql/sql_parse.cc:1417:17
          #8 0x59294e1cdb3c in do_handle_one_connection(CONNECT*, bool) /test/12.2_dbg_san/sql/sql_connect.cc:1503:11
          #9 0x59294e1cd645 in handle_one_connection /test/12.2_dbg_san/sql/sql_connect.cc:1415:5
          #10 0x59294c91cb4a in asan_thread_start(void*) crtstuff.c
          #11 0x7341c6a9ca93 in start_thread nptl/pthread_create.c:447:8
          #12 0x7341c6b29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
       
      0x7191c58e59a8 is located 168 bytes inside of 8184-byte region [0x7191c58e5900,0x7191c58e78f8)
      allocated by thread T13 here:
          #0 0x59294c91f2c8 in malloc (/test/UBASAN_MD101125-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3c982c8) (BuildId: 7b0cb8241b81c77e02045f0095ce4e038036f58e)
          #1 0x59294fb883a6 in my_malloc /test/12.2_dbg_san/mysys/my_malloc.c:93:29
          #2 0x59294fb3a236 in reset_root_defaults /test/12.2_dbg_san/mysys/my_alloc.c:247:30
          #3 0x59294d569dcb in THD::init_for_queries() /test/12.2_dbg_san/sql/sql_class.cc:1530:3
          #4 0x59294e1cc739 in prepare_new_connection_state(THD*) /test/12.2_dbg_san/sql/sql_connect.cc:1341:8
          #5 0x59294e1cf8be in thd_prepare_connection(THD*) /test/12.2_dbg_san/sql/sql_connect.cc:1436:3
          #6 0x59294e1cdb20 in do_handle_one_connection(CONNECT*, bool) /test/12.2_dbg_san/sql/sql_connect.cc:1493:9
          #7 0x59294e1cd645 in handle_one_connection /test/12.2_dbg_san/sql/sql_connect.cc:1415:5
          #8 0x59294c91cb4a in asan_thread_start(void*) crtstuff.c
       
      Thread T13 created by T0 here:
          #0 0x59294c903245 in pthread_create (/test/UBASAN_MD101125-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3c7c245) (BuildId: 7b0cb8241b81c77e02045f0095ce4e038036f58e)
          #1 0x59294c976b8c in create_thread_to_handle_connection(CONNECT*) /test/12.2_dbg_san/sql/mysqld.cc:6273:19
          #2 0x59294c977c15 in handle_connections_sockets() /test/12.2_dbg_san/sql/mysqld.cc:6509:9
          #3 0x59294c97619a in run_main_loop() /test/12.2_dbg_san/sql/mysqld.cc:5751:3
          #4 0x59294c96bb3e in mysqld_main(int, char**) /test/12.2_dbg_san/sql/mysqld.cc:6174:3
          #5 0x7341c6a2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
          #6 0x7341c6a2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
          #7 0x59294c879b54 in _start (/test/UBASAN_MD101125-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3bf2b54) (BuildId: 7b0cb8241b81c77e02045f0095ce4e038036f58e)
       
      SUMMARY: AddressSanitizer: use-after-poison /test/12.2_dbg_san/storage/federatedx/federatedx_txn.cc:301:6 in federatedx_txn::sp_acquire(unsigned long*)
      Shadow bytes around the buggy address:
        0x7191c58e5700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x7191c58e5780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x7191c58e5800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x7191c58e5880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x7191c58e5900: 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00
      =>0x7191c58e5980: f7 03 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x7191c58e5a00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x7191c58e5a80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x7191c58e5b00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x7191c58e5b80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x7191c58e5c00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
       
      NOTE: the stack trace above identifies the code that *accessed* the poisoned memory.
      To identify the code that *poisoned* the memory, try the experimental setting ASAN_OPTIONS=poison_history_size=<size>.
      ==2648660==ABORTING
      

      Setup:

      Compiled with a recent version of Clang and LLVM. Ubuntu instructions for Clang/LLVM 18:
        # Note: It is strongly recommended to uninstall all old Clang & LLVM packages (list them with dpkg --list | grep -iE 'clang|llvm', then remove them with apt purge and dpkg --purge) before installing Clang/LLVM 18
           sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev lld-18
      Compiled with: "-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DCMAKE_C{,XX}_FLAGS='-march=native -mtune=native'" and:
          -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON
      Set before execution:
          export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1   # You may also want to suppress UBSAN startup issues by adding 'suppressions=UBSAN.filter' to UBSAN_OPTIONS. For an example UBSAN.filter, which includes the current startup issues, see: https://github.com/mariadb-corporation/mariadb-qa/blob/master/UBSAN.filter
          export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1
      

      SAN Bug Detection Matrix

          Rel    o/d  Build   Commit                                    UniqueID observed             
      CS  10.6   dbg  101125  759e3523e3d832b174cf0a612704da38b2557b40  ASAN|use-after-poison|storage/federatedx/federatedx_txn.cc|federatedx_txn::sp_acquire|ha_federatedx::savepoint_set|ha_savepoint|trans_savepoint
      CS  10.6   opt  101125  759e3523e3d832b174cf0a612704da38b2557b40  ASAN|use-after-poison|storage/federatedx/federatedx_txn.cc|federatedx_txn::sp_acquire|ha_federatedx::savepoint_set|ha_savepoint|trans_savepoint
      CS  10.11  dbg  101125  536cd151f0370216d9ba4c15f40c7037060972a5  ASAN|use-after-poison|storage/federatedx/federatedx_txn.cc|federatedx_txn::sp_acquire|ha_federatedx::savepoint_set|ha_savepoint|trans_savepoint
      CS  10.11  opt  101125  536cd151f0370216d9ba4c15f40c7037060972a5  ASAN|use-after-poison|storage/federatedx/federatedx_txn.cc|federatedx_txn::sp_acquire|ha_federatedx::savepoint_set|ha_savepoint|trans_savepoint
      CS  11.4   dbg  101125  a1bb5c94fda453baa99e57e3927eaa7cd3c8bafe  ASAN|use-after-poison|storage/federatedx/federatedx_txn.cc|federatedx_txn::sp_acquire|ha_federatedx::savepoint_set|ha_savepoint|trans_savepoint
      CS  11.4   opt  101125  a1bb5c94fda453baa99e57e3927eaa7cd3c8bafe  ASAN|use-after-poison|storage/federatedx/federatedx_txn.cc|federatedx_txn::sp_acquire|ha_federatedx::savepoint_set|ha_savepoint|trans_savepoint
      CS  11.8   dbg  101125  e0428264d0095472c015eb58c46be68ca1a320ee  ASAN|use-after-poison|storage/federatedx/federatedx_txn.cc|federatedx_txn::sp_acquire|ha_federatedx::savepoint_set|ha_savepoint|trans_savepoint
      CS  11.8   opt  101125  e0428264d0095472c015eb58c46be68ca1a320ee  ASAN|use-after-poison|storage/federatedx/federatedx_txn.cc|federatedx_txn::sp_acquire|ha_federatedx::savepoint_set|ha_savepoint|trans_savepoint
      CS  12.1   dbg  101125  ba00960fdaee67a4efff6866e31f446bf486a1c2  ASAN|use-after-poison|storage/federatedx/federatedx_txn.cc|federatedx_txn::sp_acquire|ha_federatedx::savepoint_set|ha_savepoint|trans_savepoint
      CS  12.1   opt  101125  ba00960fdaee67a4efff6866e31f446bf486a1c2  ASAN|use-after-poison|storage/federatedx/federatedx_txn.cc|federatedx_txn::sp_acquire|ha_federatedx::savepoint_set|ha_savepoint|trans_savepoint
      CS  12.2   dbg  101125  fd15fd2765b53d0c070dd01d86fb231024b8f284  ASAN|use-after-poison|storage/federatedx/federatedx_txn.cc|federatedx_txn::sp_acquire|ha_federatedx::savepoint_set|ha_savepoint|trans_savepoint
      CS  12.2   opt  101125  fd15fd2765b53d0c070dd01d86fb231024b8f284  ASAN|use-after-poison|storage/federatedx/federatedx_txn.cc|federatedx_txn::sp_acquire|ha_federatedx::savepoint_set|ha_savepoint|trans_savepoint
      CS  12.3   dbg  091225  e85bc659188be021897e8578aec42becfbb58c27  ASAN|use-after-poison|storage/federatedx/federatedx_txn.cc|federatedx_txn::sp_acquire|ha_federatedx::savepoint_set|ha_savepoint|trans_savepoint
      CS  12.3   opt  091225  e85bc659188be021897e8578aec42becfbb58c27  ASAN|use-after-poison|storage/federatedx/federatedx_txn.cc|federatedx_txn::sp_acquire|ha_federatedx::savepoint_set|ha_savepoint|trans_savepoint
      ES  10.6   dbg  101125  f0d4d34fb0314b03fddb71fb9dbde372744a8c13  No bug found                  
      ES  10.6   opt  101125  f0d4d34fb0314b03fddb71fb9dbde372744a8c13  No bug found                  
      ES  11.4   dbg  101125  b81ec4b57a5ddce88b8e2b2d16b64625ffdaa0e6  No bug found                  
      ES  11.4   opt  101125  b81ec4b57a5ddce88b8e2b2d16b64625ffdaa0e6  No bug found                  
      ES  11.8   dbg  101125  db36e8fb3bcdae26dd0acdcb2b52f7f4eb014df6  No bug found                  
      ES  11.8   opt  101125  db36e8fb3bcdae26dd0acdcb2b52f7f4eb014df6  No bug found                  
      

      No crashes observed in regular dbg/opt builds.
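The "UniqueID observed" column of the matrix above is a crash-deduplication signature derived from the ASAN report: sanitizer tag, error type, the source file of frame #0, and the first four symbolised frames, joined with '|'. The following parser is an added example written for this page; it is not MariaDB's or the mariadb-qa project's own tooling. It assumes (nothing on the page states this) that the build directory prefix /test/<build>/ is stripped from the path, that function argument lists are dropped, and that exactly four frames make up the ID. The embedded report is a constructed, abbreviated copy of the one in the description.

```python
"""Parse an AddressSanitizer report and build a dedup signature from it.

Added example, not MariaDB / mariadb-qa code. Signature layout inferred from the
'UniqueID observed' column of the SAN Bug Detection Matrix:

    <sanitizer>|<error type>|<source file>|<frame #0>|<frame #1>|<frame #2>|<frame #3>
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed, abbreviated copy of the report in the issue description.
SAMPLE_REPORT = """\
==2648660==ERROR: AddressSanitizer: use-after-poison on address 0x7191c58e59a8 at pc 0x6f40bdbb3fe3 bp 0x6f40bf900410 sp 0x6f40bf900408
WRITE of size 8 at 0x7191c58e59a8 thread T13
    #0 0x6f40bdbb3fe2 in federatedx_txn::sp_acquire(unsigned long*) /test/12.2_dbg_san/storage/federatedx/federatedx_txn.cc:301:6
    #1 0x6f40bdb86756 in ha_federatedx::savepoint_set(THD*, void*) /test/12.2_dbg_san/storage/federatedx/ha_federatedx.cc:3561:10
    #2 0x59294ca49e04 in ha_savepoint(THD*, st_savepoint*) /test/12.2_dbg_san/sql/handler.cc:3145:15
    #3 0x59294e23893f in trans_savepoint(THD*, st_mysql_const_lex_string) /test/12.2_dbg_san/sql/transaction.cc:675:7
    #4 0x59294d9e0a81 in mysql_execute_command(THD*, bool) /test/12.2_dbg_san/sql/sql_parse.cc:5569:9

0x7191c58e59a8 is located 168 bytes inside of 8184-byte region [0x7191c58e5900,0x7191c58e78f8)
allocated by thread T13 here:
    #0 0x59294c91f2c8 in malloc (/test/UBASAN_MD101125-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3c982c8)
SUMMARY: AddressSanitizer: use-after-poison /test/12.2_dbg_san/storage/federatedx/federatedx_txn.cc:301:6 in federatedx_txn::sp_acquire(unsigned long*)
"""

ERROR_RE = re.compile(r"^==\d+==ERROR: (?P<san>\w+Sanitizer): (?P<kind>[\w-]+)")
ACCESS_RE = re.compile(r"^(?P<mode>READ|WRITE) of size (?P<size>\d+)")
# Function names may contain spaces (argument lists); the location never does.
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>.+?) (?P<loc>\S+)$")
BUILD_PREFIX_RE = re.compile(r"^/test/[^/]+/")  # assumption: builds live under /test/<build>/
ARGLIST_RE = re.compile(r"\(.*\)$")             # drop "(THD*, void*)" etc.
LINE_COL_RE = re.compile(r":\d+(?::\d+)?$")     # drop ":301:6"

# Short tags as used in the matrix; unknown sanitizers fall back to their full name.
SANITIZER_TAGS = {
    "AddressSanitizer": "ASAN",
    "UndefinedBehaviorSanitizer": "UBSAN",
    "MemorySanitizer": "MSAN",
    "ThreadSanitizer": "TSAN",
}


@dataclass
class SanReport:
    sanitizer: str
    kind: str
    access: str | None = None   # READ / WRITE, when the sanitizer prints it
    size: int | None = None
    frames: list[tuple[str, str]] = field(default_factory=list)  # (function, location)

    @property
    def source_file(self) -> str:
        """Build-relative path of the file named in frame #0."""
        loc = self.frames[0][1]
        return BUILD_PREFIX_RE.sub("", LINE_COL_RE.sub("", loc))

    def unique_id(self, depth: int = 4) -> str:
        """Signature in the matrix's layout, using the first `depth` frames."""
        funcs = [ARGLIST_RE.sub("", func) for func, _ in self.frames[:depth]]
        tag = SANITIZER_TAGS.get(self.sanitizer, self.sanitizer)
        return "|".join([tag, self.kind, self.source_file, *funcs])


def parse_san_report(text: str) -> SanReport:
    """Extract the error header and the faulting stack (only the first stack)."""
    report: SanReport | None = None
    in_stack = False
    for line in text.splitlines():
        if report is None:
            m = ERROR_RE.match(line)
            if m:
                report = SanReport(m["san"], m["kind"])
            continue
        m = ACCESS_RE.match(line)
        if m:
            report.access, report.size = m["mode"], int(m["size"])
            continue
        m = FRAME_RE.match(line)
        if m:
            in_stack = True
            report.frames.append((m["func"], m["loc"]))
        elif in_stack:
            break  # first non-frame line ends the faulting stack; allocation stacks are ignored
    if report is None or not report.frames:
        raise ValueError("no sanitizer error with a symbolised stack found")
    return report


if __name__ == "__main__":
    r = parse_san_report(SAMPLE_REPORT)
    print(f"{r.access} of size {r.size}: {r.unique_id()}")
```

Keying on the symbolised frames rather than on addresses is what makes the signature stable across the dbg and opt builds and the different release branches in the matrix, which all report the same ID despite differing commits and load addresses. The READ/WRITE field is kept separately because it matters for triage: a sanitizer-detected write into poisoned memory, as here, is the kind of defect the "Can result in data loss" flag refers to.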

            People

              sanja Oleksandr Byelkin
              Roel Roel Van de Paar