Details
-
Bug
-
Status: Closed (View Workflow)
-
Critical
-
Resolution: Duplicate
-
10.11.17
-
Can result in unexpected behaviour
-
Q3/2026 Server Maintenance
Description
--source include/have_binlog_format_row.inc
|
--source include/master-slave.inc
|
CREATE TABLE t (a TEXT, v TEXT AS (RIGHT(a, 1)) VIRTUAL) |
WITH SYSTEM VERSIONING AS SELECT 'before' AS a; |
|
|
UPDATE t SET a='after'; |
--sync_slave_with_master
|
SELECT * FROM t; |
--connection master
|
|
|
DROP TABLE t; |
--source include/rpl_end.inc |
The slave SQL thread errors with ER_KEY_NOT_FOUND, "Could not execute Update_rows_v1 event on table test.t; Can't find record in 't', ..."
mariadb-binlog -v on the master binary log or slave relay log reveals that the UPDATE part of the System-Versioned UPDATE has a before-image of v='r',a='before',… which should be v='e',a='before',….
The after-image is correct (v='r',a='after',…), and so is the step that INSERTs the previous version (v='e',a='before',…).
Unversioned tables are not affected.
PERSISTENT generated columns are also not affected (besides MDEV-30441).
Also affects BLOB, but (apparently) not numeric data types.
From MDEV-24646: mixing TEXT and BLOB leads to use-after-free, which is a crash risk.
--source include/have_binlog_format_row.inc
|
# BLOB → TEXT is also affected |
CREATE TABLE t (a TEXT, v BLOB AS (a) VIRTUAL) |
WITH SYSTEM VERSIONING AS SELECT 'foo' AS a; |
|
|
UPDATE t SET a='bar'; # or REPLACE |
|
|
# Cleanup
|
DROP TABLE t; |
|
10.11.17 b89cb5d5c7-ASAN |
==26818==ERROR: AddressSanitizer: heap-use-after-free on address 0x6d1a52937e68 at pc 0x70ea5491fdbb bp 0x6cea44316c80 sp 0x6cea44316428
|
READ of size 3 at 0x6d1a52937e68 thread T7
|
#0 0x70ea5491fdba in memcpy path/to/libsanitizer/sanitizer_common/sanitizer_common_interceptors_memintrinsics.inc:115
|
#1 0x5e3fea57c9f1 in Field_blob::pack(unsigned char*, unsigned char const*, unsigned int) path/to/src/sql/field.cc:9248
|
#2 0x5e3fea98ab87 in pack_row(TABLE*, st_bitmap const*, unsigned char*, unsigned char const*) path/to/src/sql/rpl_record.cc:106
|
#3 0x5e3fe9cd769a in THD::binlog_update_row(TABLE*, bool, unsigned char const*, unsigned char const*) path/to/src/sql/sql_class.cc:7443
|
#4 0x5e3fea612505 in Update_rows_log_event::binlog_row_logging_function(THD*, TABLE*, bool, unsigned char const*, unsigned char const*) path/to/src/sql/log_event.h:5575
|
#5 0x5e3fea603c4f in handler::binlog_log_row(TABLE*, unsigned char const*, unsigned char const*, bool (*)(THD*, TABLE*, bool, unsigned char const*, unsigned char const*)) path/to/src/sql/handler.cc:7274
|
#6 0x5e3fea60a2e0 in handler::ha_update_row(unsigned char const*, unsigned char const*) path/to/src/sql/handler.cc:7905
|
#7 0x5e3fea0f94b0 in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*) path/to/src/sql/sql_update.cc:1137
|
#8 0x5e3fe9deb144 in mysql_execute_command(THD*, bool) path/to/src/sql/sql_parse.cc:4503
|
#9 0x5e3fe9df68dd in mysql_parse(THD*, char*, unsigned int, Parser_state*) path/to/src/sql/sql_parse.cc:8221
|
#10 0x5e3fe9dfa9a0 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) path/to/src/sql/sql_parse.cc:1924
|
#11 0x5e3fe9dff2cf in do_command(THD*, bool) path/to/src/sql/sql_parse.cc:1434
|
#12 0x5e3fea201b66 in do_handle_one_connection(CONNECT*, bool) path/to/src/sql/sql_connect.cc:1475
|
#13 0x5e3fea202040 in handle_one_connection path/to/src/sql/sql_connect.cc:1387
|
#14 0x5e3feac6a285 in pfs_spawn_thread path/to/src/storage/perfschema/pfs.cc:2201
|
#15 0x70ea5485f802 in asan_thread_start path/to/libsanitizer/asan/asan_interceptors.cpp:239
|
#16 0x70ea536a3d63 (/lib/x86_64-linux-gnu/libc.so.6+0xa3d63) (BuildId: a5b27db7ef3036c1dacf2e4ddc2e052767129439)
|
#17 0x70ea537373fb (/lib/x86_64-linux-gnu/libc.so.6+0x1373fb) (BuildId: a5b27db7ef3036c1dacf2e4ddc2e052767129439)
|
|
|
0x6d1a52937e68 is located 24 bytes inside of 32-byte region [0x6d1a52937e50,0x6d1a52937e70)
|
freed by thread T7 here:
|
#0 0x70ea5492114b in free path/to/libsanitizer/asan/asan_malloc_linux.cpp:51
|
#1 0x5e3feb753841 in my_free path/to/src/mysys/my_malloc.c:217
|
|
|
previously allocated by thread T7 here:
|
#0 0x70ea5492261b in malloc path/to/libsanitizer/asan/asan_malloc_linux.cpp:67
|
#1 0x5e3feb7532d8 in my_malloc path/to/src/mysys/my_malloc.c:92
|
Attachments
Issue Links
- causes
-
MDEV-24646 ASAN heap-use-after-free in Field_blob::pack / THD::binlog_update_row upon DML on table with virtual column
-
- Closed
-
- duplicates
-
MDEV-39306 Index corruption on UPDATE when using versioned InnoDB table (on UPDATE)
-
- In Review
-
- is caused by
-
MDEV-15243 Server crashes in in Field_blob::pack upon REPLACE into view with virtual columns with binlog enabled
-
- Closed
-
- split from
-
MDEV-24646 ASAN heap-use-after-free in Field_blob::pack / THD::binlog_update_row upon DML on table with virtual column
-
- Closed
-