Details
-
Bug
-
Status: Open
-
Minor
-
Resolution: Unresolved
-
10.6, 10.11, 11.4, 11.8, 12.2
-
None
Description
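# mysqltest (MTR) reproducer for the heap-use-after-free that AddressSanitizer
# reports while the server shuts down. The stray "|" table-cell residue that
# trailed every line has been dropped so the script parses again; the
# statements themselves are unchanged.
# The report comes from an ASAN+UBSAN build (paths under 10.11-asan-ubsan);
# NOTE(review): a non-instrumented build may not fail visibly - confirm.

# Load the FederatedX storage engine plugin.
INSTALL SONAME 'ha_federatedx';

# Define the foreign server used by the federated table. `eval` lets
# mysqltest expand $MASTER_MYPORT before the statement is sent.
# NOTE(review): $MASTER_MYPORT is presumably the port of the server under
# test, so the link loops back to the same instance - confirm.
# USER 'root' without a password is a test-sandbox setting only.
eval CREATE SERVER fedlink FOREIGN DATA WRAPPER mysql OPTIONS (USER 'root', HOST '127.0.0.1', DATABASE 'test', PORT $MASTER_MYPORT);

# A plain table, and a federated table that reaches it through fedlink.
CREATE TABLE t AS SELECT 1 AS a;
CREATE TABLE fed_t ENGINE=FEDERATED CONNECTION = 'fedlink/t';
# NOTE(review): this write through fed_t is presumably what leaves a
# FederatedX client connection open until the table is closed - confirm.
UPDATE fed_t SET a = 2;

# The restart is the trigger: the report fires during shutdown. Per the trace,
# the main thread (T0) runs clean_up() -> tdc_start_shutdown() ->
# purge_tables() -> ha_federatedx::close() -> free_share() -> free_server()
# -> federatedx_txn::close() -> ~federatedx_io_mysql() -> server_mysql_close()
# -> net_real_write() -> thd_async_state::wait_for_pending_ops(), which reads
# 4 bytes inside a 28384-byte block that connection thread T5 allocated in
# CONNECT::create_thd() and already freed in THD::~THD().
# NOTE(review): this suggests the connection's NET still refers to the THD of
# the session that used it; verify against net_serv.cc:678.
--source include/restart_mysqld.inc

# Cleanup.
DROP TABLE fed_t, t;
DROP SERVER fedlink;

UNINSTALL SONAME 'ha_federatedx';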
|
10.11 c69ea9b286aceee1e72ffe3713db543633115cbe |
==344864==ERROR: AddressSanitizer: heap-use-after-free on address 0x62c0000b69b8 at pc 0x5589c68d71d3 bp 0x7ffe7816d4c0 sp 0x7ffe7816d4b8
|
READ of size 4 at 0x62c0000b69b8 thread T0
|
#0 0x5589c68d71d2 in std::__atomic_base<int>::load(std::memory_order) const /usr/include/c++/12/bits/atomic_base.h:488
|
#1 0x5589c68d71d2 in Atomic_counter<int>::operator int() const /data/bld/10.11-asan-ubsan/include/my_counter.h:45
|
#2 0x5589c68d71d2 in thd_async_state::pending_ops() /data/bld/10.11-asan-ubsan/sql/sql_class.h:2710
|
#3 0x5589c68d71d2 in thd_async_state::wait_for_pending_ops() /data/bld/10.11-asan-ubsan/sql/sql_class.h:2725
|
#4 0x5589c8810213 in net_real_write /data/bld/10.11-asan-ubsan/sql/net_serv.cc:678
|
#5 0x5589c8811505 in net_flush /data/bld/10.11-asan-ubsan/sql/net_serv.cc:411
|
#6 0x5589c88125f2 in net_write_command /data/bld/10.11-asan-ubsan/sql/net_serv.cc:561
|
#7 0x5589c7c5ee38 in cli_advanced_command /data/bld/10.11-asan-ubsan/sql-common/client.c:503
|
#8 0x5589c7c54c9f in mysql_close_slow_part /data/bld/10.11-asan-ubsan/sql-common/client.c:3428
|
#9 0x5589c7c54dff in server_mysql_close /data/bld/10.11-asan-ubsan/sql-common/client.c:3440
|
#10 0x7ff354b97514 in federatedx_io_mysql::~federatedx_io_mysql() /data/bld/10.11-asan-ubsan/storage/federatedx/federatedx_io_mysql.cc:154
|
#11 0x7ff354b97754 in federatedx_io_mysql::~federatedx_io_mysql() /data/bld/10.11-asan-ubsan/storage/federatedx/federatedx_io_mysql.cc:158
|
#12 0x7ff354b8ea03 in federatedx_txn::close(st_fedrated_server*) /data/bld/10.11-asan-ubsan/storage/federatedx/federatedx_txn.cc:88
|
#13 0x7ff354b5146b in free_server /data/bld/10.11-asan-ubsan/storage/federatedx/ha_federatedx.cc:1693
|
#14 0x7ff354b51ac5 in free_share /data/bld/10.11-asan-ubsan/storage/federatedx/ha_federatedx.cc:1732
|
#15 0x7ff354b6f14f in ha_federatedx::close() /data/bld/10.11-asan-ubsan/storage/federatedx/ha_federatedx.cc:1866
|
#16 0x5589c7df6df3 in handler::ha_close() /data/bld/10.11-asan-ubsan/sql/handler.cc:3599
|
#17 0x5589c71be5b2 in closefrm(TABLE*) /data/bld/10.11-asan-ubsan/sql/table.cc:4683
|
#18 0x5589c78f1312 in intern_close_table /data/bld/10.11-asan-ubsan/sql/table_cache.cc:230
|
#19 0x5589c78f2d32 in tc_purge() /data/bld/10.11-asan-ubsan/sql/table_cache.cc:324
|
#20 0x5589c67a21ec in purge_tables() /data/bld/10.11-asan-ubsan/sql/sql_base.cc:332
|
#21 0x5589c78ef4c6 in tdc_start_shutdown() /data/bld/10.11-asan-ubsan/sql/table_cache.cc:649
|
#22 0x5589c63cd9b3 in clean_up /data/bld/10.11-asan-ubsan/sql/mysqld.cc:1986
|
#23 0x5589c63e57aa in mysqld_main(int, char**) /data/bld/10.11-asan-ubsan/sql/mysqld.cc:6068
|
#24 0x5589c63b8931 in main /data/bld/10.11-asan-ubsan/sql/main.cc:34
|
#25 0x7ff35fa46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
#26 0x7ff35fa46304 in __libc_start_main_impl ../csu/libc-start.c:360
|
#27 0x5589c63b8860 in _start (/share8t/bld/10.11-asan-ubsan/sql/mariadbd+0x78e8860)
|
|
|
0x62c0000b69b8 is located 26552 bytes inside of 28384-byte region [0x62c0000b0200,0x62c0000b70e0)
|
freed by thread T5 here:
|
#0 0x7ff360eb76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
|
#1 0x5589c9fbd9b9 in my_free /data/bld/10.11-asan-ubsan/mysys/my_malloc.c:217
|
#2 0x5589c68c8a7e in ilink::operator delete(void*, unsigned long) /data/bld/10.11-asan-ubsan/sql/sql_list.h:683
|
#3 0x5589c68c8a7e in THD::~THD() /data/bld/10.11-asan-ubsan/sql/sql_class.cc:1834
|
#4 0x5589c738116b in do_handle_one_connection(CONNECT*, bool) /data/bld/10.11-asan-ubsan/sql/sql_connect.cc:1516
|
#5 0x5589c7382062 in handle_one_connection /data/bld/10.11-asan-ubsan/sql/sql_connect.cc:1387
|
#6 0x5589c8d03de6 in pfs_spawn_thread /data/bld/10.11-asan-ubsan/storage/perfschema/pfs.cc:2201
|
#7 0x7ff35faa81c3 in start_thread nptl/pthread_create.c:442
|
|
|
previously allocated by thread T5 here:
|
#0 0x7ff360eb89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
|
#1 0x5589c9fbd25f in my_malloc /data/bld/10.11-asan-ubsan/mysys/my_malloc.c:92
|
#2 0x5589c63ed459 in ilink::operator new(unsigned long) /data/bld/10.11-asan-ubsan/sql/sql_list.h:678
|
#3 0x5589c737fb68 in CONNECT::create_thd(THD*) /data/bld/10.11-asan-ubsan/sql/sql_connect.cc:1598
|
#4 0x5589c73809c4 in do_handle_one_connection(CONNECT*, bool) /data/bld/10.11-asan-ubsan/sql/sql_connect.cc:1431
|
#5 0x5589c7382062 in handle_one_connection /data/bld/10.11-asan-ubsan/sql/sql_connect.cc:1387
|
#6 0x5589c8d03de6 in pfs_spawn_thread /data/bld/10.11-asan-ubsan/storage/perfschema/pfs.cc:2201
|
#7 0x7ff35faa81c3 in start_thread nptl/pthread_create.c:442
|
|
|
Thread T5 created by T0 here:
|
#0 0x7ff360e49726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
|
#1 0x5589c8cf96b2 in my_thread_create /data/bld/10.11-asan-ubsan/storage/perfschema/my_thread.h:52
|
#2 0x5589c8d00fda in pfs_spawn_thread_v1 /data/bld/10.11-asan-ubsan/storage/perfschema/pfs.cc:2252
|
#3 0x5589c63d10ac in inline_mysql_thread_create /data/bld/10.11-asan-ubsan/include/mysql/psi/mysql_thread.h:1139
|
#4 0x5589c63d10ac in create_thread_to_handle_connection(CONNECT*) /data/bld/10.11-asan-ubsan/sql/mysqld.cc:6146
|
#5 0x5589c63e2f36 in create_new_thread(CONNECT*) /data/bld/10.11-asan-ubsan/sql/mysqld.cc:6205
|
#6 0x5589c63e3154 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/10.11-asan-ubsan/sql/mysqld.cc:6267
|
#7 0x5589c63e3d95 in handle_connections_sockets() /data/bld/10.11-asan-ubsan/sql/mysqld.cc:6390
|
#8 0x5589c63e4241 in run_main_loop /data/bld/10.11-asan-ubsan/sql/mysqld.cc:5646
|
#9 0x5589c63e5607 in mysqld_main(int, char**) /data/bld/10.11-asan-ubsan/sql/mysqld.cc:6047
|
#10 0x5589c63b8931 in main /data/bld/10.11-asan-ubsan/sql/main.cc:34
|
#11 0x7ff35fa46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
|
|
SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/c++/12/bits/atomic_base.h:488 in std::__atomic_base<int>::load(std::memory_order) const
|
Shadow bytes around the buggy address:
|
0x0c588000ece0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c588000ecf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c588000ed00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c588000ed10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c588000ed20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
=>0x0c588000ed30: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
|
0x0c588000ed40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c588000ed50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c588000ed60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c588000ed70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c588000ed80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
==344864==ABORTING
|