[MDEV-13829] Server crash / ASAN errors in post_kill_notification Created: 2017-09-17  Updated: 2023-11-27

Status: Open
Project: MariaDB Server
Component/s: Server
Affects Version/s: 10.2, 10.3, 10.4, 10.5, 10.6, 10.11, 11.0, 11.1, 11.2
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0, 11.1, 11.2

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Sergei Golubchik
Resolution: Unresolved Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-29729 SUMMARY: AddressSanitizer: heap-use-a... Open

Description

SIGSEGV crashes have been seen, but the result is much easier to achieve on an ASAN build.

10.4 64f44b22d9a3dab3d4c0b77addbcbdafde57b466

==3142241==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000112ad0 at pc 0x55f4affc829f bp 0x7fb859cdcd90 sp 0x7fb859cdcd88
READ of size 8 at 0x615000112ad0 thread T41
    #0 0x55f4affc829e in post_kill_notification(THD*) /data/bld/10.4-asan/sql/scheduler.cc:118
    #1 0x55f4afaab92a in THD::awake_no_mutex(killed_state) /data/bld/10.4-asan/sql/sql_class.cc:1888
    #2 0x55f4afbf55b7 in kill_one_thread(THD*, unsigned long long, killed_state, killed_type) /data/bld/10.4-asan/sql/sql_parse.cc:9276
    #3 0x55f4afbf6199 in sql_kill /data/bld/10.4-asan/sql/sql_parse.cc:9399
    #4 0x55f4afbdde70 in mysql_execute_command(THD*) /data/bld/10.4-asan/sql/sql_parse.cc:5686
    #5 0x55f4afbeda6a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/bld/10.4-asan/sql/sql_parse.cc:8060
    #6 0x55f4afbc3ae1 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/bld/10.4-asan/sql/sql_parse.cc:1857
    #7 0x55f4afbc0650 in do_command(THD*) /data/bld/10.4-asan/sql/sql_parse.cc:1378
    #8 0x55f4affc6d14 in do_handle_one_connection(CONNECT*) /data/bld/10.4-asan/sql/sql_connect.cc:1419
    #9 0x55f4affc662b in handle_one_connection /data/bld/10.4-asan/sql/sql_connect.cc:1323
    #10 0x7fb88e4a8043 in start_thread nptl/pthread_create.c:442
    #11 0x7fb88e52861b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
 
0x615000112ad0 is located 464 bytes inside of 504-byte region [0x615000112900,0x615000112af8)
freed by thread T36 here:
    #0 0x7fb88eab76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x55f4b1767b71 in my_free /data/bld/10.4-asan/mysys/my_malloc.c:222
    #2 0x55f4b08e3fac in vio_delete /data/bld/10.4-asan/vio/vio.c:322
    #3 0x55f4afaa8fb6 in THD::free_connection() /data/bld/10.4-asan/sql/sql_class.cc:1593
    #4 0x55f4af8d331a in unlink_thd(THD*) /data/bld/10.4-asan/sql/mysqld.cc:2653
    #5 0x55f4af8d3d54 in one_thread_per_connection_end(THD*, bool) /data/bld/10.4-asan/sql/mysqld.cc:2789
    #6 0x55f4affc6edd in do_handle_one_connection(CONNECT*) /data/bld/10.4-asan/sql/sql_connect.cc:1430
    #7 0x55f4affc662b in handle_one_connection /data/bld/10.4-asan/sql/sql_connect.cc:1323
    #8 0x7fb88e4a8043 in start_thread nptl/pthread_create.c:442
 
previously allocated by thread T0 here:
    #0 0x7fb88eab89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x55f4b1766fd2 in my_malloc /data/bld/10.4-asan/mysys/my_malloc.c:101
    #2 0x55f4b08e3919 in mysql_socket_vio_new /data/bld/10.4-asan/vio/vio.c:221
    #3 0x55f4af8e011b in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/10.4-asan/sql/mysqld.cc:6437
    #4 0x55f4af8e11d9 in handle_connections_sockets() /data/bld/10.4-asan/sql/mysqld.cc:6622
    #5 0x55f4af8dee77 in mysqld_main(int, char**) /data/bld/10.4-asan/sql/mysqld.cc:5954
    #6 0x55f4af8c60b8 in main /data/bld/10.4-asan/sql/main.cc:25
    #7 0x7fb88e4461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
 
Thread T41 created by T0 here:
    #0 0x7fb88ea49726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
    #1 0x55f4b17c7a28 in spawn_thread_noop /data/bld/10.4-asan/mysys/psi_noop.c:187
    #2 0x55f4af8c7f89 in inline_mysql_thread_create /data/bld/10.4-asan/include/mysql/psi/mysql_thread.h:1275
    #3 0x55f4af8df714 in create_thread_to_handle_connection(CONNECT*) /data/bld/10.4-asan/sql/mysqld.cc:6296
    #4 0x55f4af8dfe5f in create_new_thread(CONNECT*) /data/bld/10.4-asan/sql/mysqld.cc:6366
    #5 0x55f4af8e032d in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/10.4-asan/sql/mysqld.cc:6464
    #6 0x55f4af8e11d9 in handle_connections_sockets() /data/bld/10.4-asan/sql/mysqld.cc:6622
    #7 0x55f4af8dee77 in mysqld_main(int, char**) /data/bld/10.4-asan/sql/mysqld.cc:5954
    #8 0x55f4af8c60b8 in main /data/bld/10.4-asan/sql/main.cc:25
    #9 0x7fb88e4461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
 
Thread T36 created by T0 here:
    #0 0x7fb88ea49726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
    #1 0x55f4b17c7a28 in spawn_thread_noop /data/bld/10.4-asan/mysys/psi_noop.c:187
    #2 0x55f4af8c7f89 in inline_mysql_thread_create /data/bld/10.4-asan/include/mysql/psi/mysql_thread.h:1275
    #3 0x55f4af8df714 in create_thread_to_handle_connection(CONNECT*) /data/bld/10.4-asan/sql/mysqld.cc:6296
    #4 0x55f4af8dfe5f in create_new_thread(CONNECT*) /data/bld/10.4-asan/sql/mysqld.cc:6366
    #5 0x55f4af8e032d in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/10.4-asan/sql/mysqld.cc:6464
    #6 0x55f4af8e11d9 in handle_connections_sockets() /data/bld/10.4-asan/sql/mysqld.cc:6622
    #7 0x55f4af8dee77 in mysqld_main(int, char**) /data/bld/10.4-asan/sql/mysqld.cc:5954
    #8 0x55f4af8c60b8 in main /data/bld/10.4-asan/sql/main.cc:25
    #9 0x7fb88e4461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
 
SUMMARY: AddressSanitizer: heap-use-after-free /data/bld/10.4-asan/sql/scheduler.cc:118 in post_kill_notification(THD*)
Shadow bytes around the buggy address:
  0x0c2a8001a500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c2a8001a510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a8001a520: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a8001a530: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a8001a540: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2a8001a550: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fa
  0x0c2a8001a560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a8001a570: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a8001a580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a8001a590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a8001a5a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3142241==ABORTING

To reproduce (remember to set the correct basedir):

git clone https://github.com/MariaDB/randgen --branch mdev13829 rqg-mdev13829
cd rqg-mdev13829
perl ./run.pl --threads=8 --duration=300 --queries=100M --grammar=mdev13829.yy --nometadata-reload --mysqld=--max-statement-time=5 --mysqld=--lock-wait-timeout=3 --mysqld=--innodb-lock-wait-timeout=2 --trials=5 --output="post_kill_notification" --vardir=/dev/shm/var-mdev13829 --basedir=/data/bld/10.4-asan 

It fails within seconds for me on 10.4-11.2 ASAN builds. However, I couldn't reproduce it under rr in a limited number of attempts.

The grammar (same as mdev13829.yy in the branch above):

query_init:
  CREATE TABLE IF NOT EXISTS test.t (pk INT PRIMARY KEY);
 
query:
  REPLACE INTO test.t (`pk`) VALUES (1) |
  SELECT ID INTO @kill FROM INFORMATION_SCHEMA.PROCESSLIST WHERE USER != 'system user' AND Command != 'Sleep' ORDER BY ID LIMIT 1 ;; KILL @kill ;
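The trace above shows the KILL path (kill_one_thread -> awake_no_mutex -> post_kill_notification) reading the target connection's vio after the connection's own thread has already freed it (unlink_thd -> free_connection -> vio_delete). As an added example that is not MariaDB code, this pthreads model sketches that lifetime race and one way to close it: the killer takes a per-connection kill lock before dropping the thread-list lock, and teardown takes the same lock before freeing the vio. Thd, Vio, kill_lock and the function names are constructed stand-ins, and the fix shown is the model's own, not a statement of how MariaDB resolves this issue.

```c
/* Pthreads model of the KILL-vs-disconnect lifetime race in the trace above
   (constructed example, not MariaDB code; names only echo the trace). */
#include <pthread.h>
#include <stdlib.h>
typedef struct Vio { int shutdown_requested; } Vio;
typedef struct Thd {
  unsigned long id; struct Thd *next;
  Vio *vio;                   /* freed by the owner thread at disconnect */
  pthread_mutex_t kill_lock;  /* stands in for a per-THD kill lock */
} Thd;
static pthread_mutex_t list_lock = PTHREAD_MUTEX_INITIALIZER;
static Thd *thread_list;      /* stands in for the global thread list */
Thd *thd_create(unsigned long id)
{
  Thd *thd = calloc(1, sizeof *thd);
  thd->id = id;
  thd->vio = calloc(1, sizeof *thd->vio);
  pthread_mutex_init(&thd->kill_lock, NULL);
  pthread_mutex_lock(&list_lock);
  thd->next = thread_list; thread_list = thd;
  pthread_mutex_unlock(&list_lock);
  return thd;
}
/* Racy KILL, the shape ASAN reports above: the vio is dereferenced after the
   list lock is dropped, so the owner can unlink and free it in between. */
int kill_one_thread_racy(unsigned long id)   /* kept for contrast; unused */
{
  pthread_mutex_lock(&list_lock);
  Thd *thd = thread_list;
  while (thd && thd->id != id) thd = thd->next;
  pthread_mutex_unlock(&list_lock);
  if (!thd) return 0;
  thd->vio->shutdown_requested = 1;  /* heap-use-after-free window */
  return 1;
}
/* Safe KILL: take the THD's kill lock before leaving the list lock and touch
   the vio only while holding it; teardown takes the same lock before freeing. */
int kill_one_thread_safe(unsigned long id)
{
  int notified = 0;
  pthread_mutex_lock(&list_lock);
  Thd *thd = thread_list;
  while (thd && thd->id != id) thd = thd->next;
  if (thd) pthread_mutex_lock(&thd->kill_lock);
  pthread_mutex_unlock(&list_lock);
  if (!thd) return 0;
  if (thd->vio) { thd->vio->shutdown_requested = 1; notified = 1; }
  pthread_mutex_unlock(&thd->kill_lock);
  return notified;
}
/* Teardown modelled on unlink_thd -> free_connection -> vio_delete. */
int thd_unlink_and_free(unsigned long id)   /* 1 if the id was live */
{
  pthread_mutex_lock(&list_lock);
  Thd **pp = &thread_list;
  while (*pp && (*pp)->id != id) pp = &(*pp)->next;
  Thd *thd = *pp; if (thd) *pp = thd->next;
  pthread_mutex_unlock(&list_lock);
  if (!thd) return 0;
  pthread_mutex_lock(&thd->kill_lock);  /* wait out any in-flight KILL */
  free(thd->vio); thd->vio = NULL;
  pthread_mutex_unlock(&thd->kill_lock); pthread_mutex_destroy(&thd->kill_lock);
  free(thd); return 1;
}
```

Built with -fsanitize=address and a thread hammering kill_one_thread_racy against connections being torn down, the model reproduces the heap-use-after-free class of report seen above; kill_one_thread_safe does not.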



Comments
Comment by Alice Sherepa [ 2020-07-22 ]

I am getting something similar on 10.5:

10.5 4ec032b492de5c392f66

=================================================================
==14546==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160023009d0 at pc 0x55f48b119001 bp 0x7fa9186a55f0 sp 0x7fa9186a55e8
READ of size 8 at 0x6160023009d0 thread T134
    #0 0x55f48b119000 in post_kill_notification(THD*) /10.5/sql/scheduler.cc:103
    #1 0x55f48abdbc86 in THD::awake_no_mutex(killed_state) /10.5/sql/sql_class.cc:1914
    #2 0x55f48ad26bce in kill_one_thread(THD*, long long, killed_state, killed_type) /10.5/sql/sql_parse.cc:9185
    #3 0x55f48ad2793b in sql_kill /10.5/sql/sql_parse.cc:9305
    #4 0x55f48ad0e9ad in mysql_execute_command(THD*) /10.5/sql/sql_parse.cc:5494
    #5 0x55f48ad1f453 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.5/sql/sql_parse.cc:7993
    #6 0x55f48acf636c in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.5/sql/sql_parse.cc:1866
    #7 0x55f48acf2c84 in do_command(THD*) /10.5/sql/sql_parse.cc:1347
    #8 0x55f48b116f6c in do_handle_one_connection(CONNECT*, bool) /10.5/sql/sql_connect.cc:1411
    #9 0x55f48b1168c9 in handle_one_connection /10.5/sql/sql_connect.cc:1313
    #10 0x55f48bdcc37d in pfs_spawn_thread /10.5/storage/perfschema/pfs.cc:2201
    #11 0x7fa979fc4fa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
    #12 0x7fa9795cb4ce in clone (/lib/x86_64-linux-gnu/libc.so.6+0xf94ce)
 
0x6160023009d0 is located 592 bytes inside of 636-byte region [0x616002300780,0x6160023009fc)
freed by thread T133 here:
    #0 0x7fa97a0c6fb0 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8fb0)
    #1 0x55f48ca27215 in free_memory /10.5/mysys/safemalloc.c:279
    #2 0x55f48ca26843 in sf_free /10.5/mysys/safemalloc.c:197
    #3 0x55f48c9f56cb in my_free /10.5/mysys/my_malloc.c:209
    #4 0x55f48ba3d3aa in vio_delete /10.5/vio/vio.c:344
    #5 0x55f48abd8fab in THD::free_connection() /10.5/sql/sql_class.cc:1610
    #6 0x55f48aa09a3b in unlink_thd(THD*) /10.5/sql/mysqld.cc:2612
    #7 0x55f48b1170b0 in do_handle_one_connection(CONNECT*, bool) /10.5/sql/sql_connect.cc:1422
    #8 0x55f48b1168c9 in handle_one_connection /10.5/sql/sql_connect.cc:1313
    #9 0x55f48bdcc37d in pfs_spawn_thread /10.5/storage/perfschema/pfs.cc:2201
    #10 0x7fa979fc4fa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
 
previously allocated by thread T133 here:
    #0 0x7fa97a0c7330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x55f48ca26229 in sf_malloc /10.5/mysys/safemalloc.c:118
    #2 0x55f48c9f491d in my_malloc /10.5/mysys/my_malloc.c:88
    #3 0x55f48ba3cd01 in mysql_socket_vio_new /10.5/vio/vio.c:243
    #4 0x55f48b117d29 in CONNECT::create_thd(THD*) /10.5/sql/sql_connect.cc:1536
    #5 0x55f48b116b71 in do_handle_one_connection(CONNECT*, bool) /10.5/sql/sql_connect.cc:1357
    #6 0x55f48b1168c9 in handle_one_connection /10.5/sql/sql_connect.cc:1313
    #7 0x55f48bdcc37d in pfs_spawn_thread /10.5/storage/perfschema/pfs.cc:2201
    #8 0x7fa979fc4fa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
 
Thread T134 created by T0 here:
    #0 0x7fa97a02edb0 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
    #1 0x55f48bdc7274 in my_thread_create /10.5/storage/perfschema/my_thread.h:34
    #2 0x55f48bdcc76c in pfs_spawn_thread_v1 /10.5/storage/perfschema/pfs.cc:2252
    #3 0x55f48a9fef94 in inline_mysql_thread_create /10.5/include/mysql/psi/mysql_thread.h:1321
    #4 0x55f48aa14646 in create_thread_to_handle_connection(CONNECT*) /10.5/sql/mysqld.cc:6020
    #5 0x55f48aa14cb4 in create_new_thread(CONNECT*) /10.5/sql/mysqld.cc:6079
    #6 0x55f48aa15018 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.5/sql/mysqld.cc:6144
    #7 0x55f48aa15c57 in handle_connections_sockets() /10.5/sql/mysqld.cc:6271
    #8 0x55f48aa13ead in mysqld_main(int, char**) /10.5/sql/mysqld.cc:5666
    #9 0x55f48a9fd774 in main /10.5/sql/main.cc:25
    #10 0x7fa9794f609a in __libc_start_main ../csu/libc-start.c:308
 
Thread T133 created by T0 here:
    #0 0x7fa97a02edb0 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
    #1 0x55f48bdc7274 in my_thread_create /10.5/storage/perfschema/my_thread.h:34
    #2 0x55f48bdcc76c in pfs_spawn_thread_v1 /10.5/storage/perfschema/pfs.cc:2252
    #3 0x55f48a9fef94 in inline_mysql_thread_create /10.5/include/mysql/psi/mysql_thread.h:1321
    #4 0x55f48aa14646 in create_thread_to_handle_connection(CONNECT*) /10.5/sql/mysqld.cc:6020
    #5 0x55f48aa14cb4 in create_new_thread(CONNECT*) /10.5/sql/mysqld.cc:6079
    #6 0x55f48aa15018 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.5/sql/mysqld.cc:6144
    #7 0x55f48aa15c57 in handle_connections_sockets() /10.5/sql/mysqld.cc:6271
    #8 0x55f48aa13ead in mysqld_main(int, char**) /10.5/sql/mysqld.cc:5666
    #9 0x55f48a9fd774 in main /10.5/sql/main.cc:25
    #10 0x7fa9794f609a in __libc_start_main ../csu/libc-start.c:308
 
SUMMARY: AddressSanitizer: heap-use-after-free /10.5/sql/scheduler.cc:103 in post_kill_notification(THD*)
==14546==ABORTING

Comment by Elena Stepanova [ 2023-11-27 ]

Much more rarely another failure was seen:

==3024651==ERROR: AddressSanitizer: global-buffer-overflow on address 0x561050c1fa26 at pc 0x5610507f0d84 bp 0x7f99b9437970 sp 0x7f99b9437968
READ of size 1 at 0x561050c1fa26 thread T43
    #0 0x5610507f0d83 in my_charlen_utf8 /data/src/10.4/strings/ctype-utf8.c:5203
    #1 0x5610507f0def in my_well_formed_char_length_utf8 /data/src/10.4/strings/ctype-mb.inl:187
    #2 0x56105078dfb3 in my_copy_fix_mb /data/src/10.4/strings/ctype-mb.c:406
    #3 0x56104ed7dff7 in String_copier::well_formed_copy(charset_info_st const*, char*, unsigned long, charset_info_st const*, char const*, unsigned long, unsigned long) /data/src/10.4/sql/sql_string.cc:1086
    #4 0x56104f2bba4f in Field_longstr::well_formed_copy_with_check(char*, unsigned long, charset_info_st const*, char const*, unsigned long, unsigned long, bool, unsigned int*) (/mnt8t/inst/10.4-asan/bin/mysqld+0x1aa1a4f)
    #5 0x56104f291b61 in Field_varstring::store(char const*, unsigned long, charset_info_st const*) /data/src/10.4/sql/field.cc:7749
    #6 0x56104ed0c542 in processlist_callback /data/src/10.4/sql/sql_show.cc:3331
    #7 0x56104ed5a3e5 in int THD_list::iterate<processlist_callback_arg>(char (*)(THD*, processlist_callback_arg*), processlist_callback_arg*) /data/src/10.4/sql/sql_class.h:7338
    #8 0x56104ed0e3a1 in fill_schema_processlist(THD*, TABLE_LIST*, Item*) /data/src/10.4/sql/sql_show.cc:3412
    #9 0x56104ed50016 in get_schema_tables_result(JOIN*, enum_schema_table_state) /data/src/10.4/sql/sql_show.cc:9224
    #10 0x56104ec1b24f in JOIN::exec_inner() /data/src/10.4/sql/sql_select.cc:4582
    #11 0x56104ec1911b in JOIN::exec() /data/src/10.4/sql/sql_select.cc:4407
    #12 0x56104ec1d1a9 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4846
    #13 0x56104ebeda8c in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:442
    #14 0x56104eb5cf30 in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6475
    #15 0x56104eb4a445 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3978
    #16 0x56104eb661e4 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8013
    #17 0x56104eb3c40f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
    #18 0x56104eb38f7e in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378
    #19 0x56104f22b4f8 in threadpool_process_request /data/src/10.4/sql/threadpool_common.cc:376
    #20 0x56104f22aa53 in tp_callback(TP_connection*) /data/src/10.4/sql/threadpool_common.cc:197
    #21 0x56104f8506e7 in worker_main /data/src/10.4/sql/threadpool_generic.cc:1610
    #22 0x56104fbad5c1 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
    #23 0x7f9c60ea8043 in start_thread nptl/pthread_create.c:442
    #24 0x7f9c60f2861b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
 
0x561050c1fa26 is located 58 bytes to the left of global variable '*.LC622' defined in '/data/src/10.4/sql/sql_parse.cc' (0x561050c1fa60) of size 5
  '*.LC622' is ascii string 'Quit'
0x561050c1fa26 is located 0 bytes to the right of global variable '*.LC621' defined in '/data/src/10.4/sql/sql_parse.cc' (0x561050c1fa20) of size 6
  '*.LC621' is ascii string 'Sleep'
SUMMARY: AddressSanitizer: global-buffer-overflow /data/src/10.4/strings/ctype-utf8.c:5203 in my_charlen_utf8
Thread T43 created by T0 here:
    #0 0x7f9c61449726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
    #1 0x56104fbad9ae in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919
    #2 0x56104f849c4d in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275
    #3 0x56104f84c398 in create_worker /data/src/10.4/sql/threadpool_generic.cc:950
    #4 0x56104f84c96d in wake_or_create_thread /data/src/10.4/sql/threadpool_generic.cc:1030
    #5 0x56104f84d956 in queue_put /data/src/10.4/sql/threadpool_generic.cc:1184
    #6 0x56104f84ec36 in TP_pool_generic::add(TP_connection*) /data/src/10.4/sql/threadpool_generic.cc:1389
    #7 0x56104f22b8b3 in tp_add_connection /data/src/10.4/sql/threadpool_common.cc:442
    #8 0x56104e85ae01 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6359
    #9 0x56104e85b2cf in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6457
    #10 0x56104e85c17b in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6615
    #11 0x56104e859e19 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5947
    #12 0x56104e8410b8 in main /data/src/10.4/sql/main.cc:25
    #13 0x7f9c60e461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
 
==3024651==ABORTING

It should probably be filed separately, but the first reported failure prevents the second one from being reproduced easily.

Comment by Elena Stepanova [ 2023-11-27 ]

Assigning to serg as the report looks similar to MDEV-29729 which was already assigned to him. Since neither report has a good reproducer, I'll keep both open, whichever works better.

Generated at Thu Feb 08 08:08:42 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.