Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-39711

UPDATE on System-Versioned Tables uses the after-value in Row-format Binlog's before-image for non-trivial Text/Blob Virtual Columns

    XMLWordPrintable

Details

    Description

      --source include/have_binlog_format_row.inc
      --source include/master-slave.inc
      CREATE TABLE t (a TEXT, v TEXT AS (RIGHT(a, 1)) VIRTUAL)
        WITH SYSTEM VERSIONING AS SELECT 'before' AS a;
       
      UPDATE t SET a='after';
      --sync_slave_with_master
        SELECT * FROM t;
      --connection master
       
      DROP TABLE t;
      --source include/rpl_end.inc
      

      The slave SQL thread errors with ER_KEY_NOT_FOUND, "Could not execute Update_rows_v1 event on table test.t; Can't find record in 't', ..."
      mariadb-binlog -v on the master binary log or slave relay log reveals that the UPDATE part of the System-Versioned UPDATE has a before-image of v='r',a='before',… which should be v='e',a='before',….
      The after-image is correct (v='r',a='after',…), and so is the step that INSERTs the previous version (v='e',a='before',…).

      Unversioned tables are not affected.
      PERSISTENT generated columns are also not affected (besides MDEV-30441).
      Also affects BLOB, but (apparently) not numeric data types.

      From MDEV-24646: mixing TEXT and BLOB leads to use-after-free, which is a crash risk.

      --source include/have_binlog_format_row.inc
      # BLOB → TEXT is also affected
      CREATE TABLE t (a TEXT, v BLOB AS (a) VIRTUAL)
        WITH SYSTEM VERSIONING AS SELECT 'foo' AS a;
       
      UPDATE t SET a='bar'; # or REPLACE
       
      # Cleanup
      DROP TABLE t;
      

      10.11.17 b89cb5d5c7-ASAN

      ==26818==ERROR: AddressSanitizer: heap-use-after-free on address 0x6d1a52937e68 at pc 0x70ea5491fdbb bp 0x6cea44316c80 sp 0x6cea44316428
      READ of size 3 at 0x6d1a52937e68 thread T7
          #0 0x70ea5491fdba in memcpy path/to/libsanitizer/sanitizer_common/sanitizer_common_interceptors_memintrinsics.inc:115
          #1 0x5e3fea57c9f1 in Field_blob::pack(unsigned char*, unsigned char const*, unsigned int) path/to/src/sql/field.cc:9248
          #2 0x5e3fea98ab87 in pack_row(TABLE*, st_bitmap const*, unsigned char*, unsigned char const*) path/to/src/sql/rpl_record.cc:106
          #3 0x5e3fe9cd769a in THD::binlog_update_row(TABLE*, bool, unsigned char const*, unsigned char const*) path/to/src/sql/sql_class.cc:7443
          #4 0x5e3fea612505 in Update_rows_log_event::binlog_row_logging_function(THD*, TABLE*, bool, unsigned char const*, unsigned char const*) path/to/src/sql/log_event.h:5575
          #5 0x5e3fea603c4f in handler::binlog_log_row(TABLE*, unsigned char const*, unsigned char const*, bool (*)(THD*, TABLE*, bool, unsigned char const*, unsigned char const*)) path/to/src/sql/handler.cc:7274
          #6 0x5e3fea60a2e0 in handler::ha_update_row(unsigned char const*, unsigned char const*) path/to/src/sql/handler.cc:7905
          #7 0x5e3fea0f94b0 in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*) path/to/src/sql/sql_update.cc:1137
          #8 0x5e3fe9deb144 in mysql_execute_command(THD*, bool) path/to/src/sql/sql_parse.cc:4503
          #9 0x5e3fe9df68dd in mysql_parse(THD*, char*, unsigned int, Parser_state*) path/to/src/sql/sql_parse.cc:8221
          #10 0x5e3fe9dfa9a0 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) path/to/src/sql/sql_parse.cc:1924
          #11 0x5e3fe9dff2cf in do_command(THD*, bool) path/to/src/sql/sql_parse.cc:1434
          #12 0x5e3fea201b66 in do_handle_one_connection(CONNECT*, bool) path/to/src/sql/sql_connect.cc:1475
          #13 0x5e3fea202040 in handle_one_connection path/to/src/sql/sql_connect.cc:1387
          #14 0x5e3feac6a285 in pfs_spawn_thread path/to/src/storage/perfschema/pfs.cc:2201
          #15 0x70ea5485f802 in asan_thread_start path/to/libsanitizer/asan/asan_interceptors.cpp:239
          #16 0x70ea536a3d63  (/lib/x86_64-linux-gnu/libc.so.6+0xa3d63) (BuildId: a5b27db7ef3036c1dacf2e4ddc2e052767129439)
          #17 0x70ea537373fb  (/lib/x86_64-linux-gnu/libc.so.6+0x1373fb) (BuildId: a5b27db7ef3036c1dacf2e4ddc2e052767129439)
       
      0x6d1a52937e68 is located 24 bytes inside of 32-byte region [0x6d1a52937e50,0x6d1a52937e70)
      freed by thread T7 here:
          #0 0x70ea5492114b in free path/to/libsanitizer/asan/asan_malloc_linux.cpp:51
          #1 0x5e3feb753841 in my_free path/to/src/mysys/my_malloc.c:217
       
      previously allocated by thread T7 here:
          #0 0x70ea5492261b in malloc path/to/libsanitizer/asan/asan_malloc_linux.cpp:67
          #1 0x5e3feb7532d8 in my_malloc path/to/src/mysys/my_malloc.c:92
      

      Attachments

        Issue Links

          Activity

            People

              midenok Aleksey Midenkov
              ParadoxV5 Jimmy Hú
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - 3d
                  3d
                  Remaining:
                  Remaining Estimate - 0d
                  0d
                  Logged:
                  Time Spent - 2h 25m Time Not Required
                  2h 25m

                  Git Integration

                    Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.