[MDEV-14750] Valgrind Invalid read, ASAN heap-use-after-free in Item_ident::print upon SHOW CREATE on partitioned table Created: 2017-12-23  Updated: 2018-08-29  Resolved: 2018-05-15

Status: Closed
Project: MariaDB Server
Component/s: Admin statements, Server
Affects Version/s: 10.2, 10.3
Fix Version/s: 10.2.15, 10.3.7

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Sergei Golubchik
Resolution: Fixed Votes: 0
Labels: affects-tests

Issue Links:
Relates
relates to MDEV-17065 Crash on SHOW CREATE TABLE with CHECK... Closed

 Description   

# MDEV-14750 reproducer: printing the partition expression reads freed memory.
--source include/have_partition.inc
 
# The partition expression references column f1; SHOW CREATE TABLE prints it
# through generate_partition_syntax -> Item_ident::print (see the trace below).
CREATE TABLE t_partition (f1 INT) PARTITION BY HASH(f1) PARTITIONS 2;
 
# The SELECT is part of the trigger, not noise: per the ASAN report the block
# later read by Item_ident::print was allocated by String::copy in
# open_table_from_share during this statement, and freed by String::copy in
# TABLE::init when the table is opened again for SHOW CREATE.
# NOTE(review): the AS tbl alias looks relevant to the String::copy path — confirm.
SELECT * FROM t_partition AS tbl;
SHOW CREATE TABLE t_partition;
 
# Cleanup
DROP TABLE t_partition;

10.2 6e7ca6b0b29a7 ASAN

==22663==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000028670 at pc 0x5564419ffd6c bp 0x7ff5cb3ff6d0 sp 0x7ff5cb3ff6c8
READ of size 1 at 0x60c000028670 thread T5
    #0 0x5564419ffd6b in Item_ident::print(String*, enum_query_type) /data/src/10.2/sql/item.cc:2671
    #1 0x556441a226d5 in Item_field::print(String*, enum_query_type) /data/src/10.2/sql/item.cc:7341
    #2 0x5564419f02ec in Item::print_parenthesised(String*, enum_query_type, precedence) /data/src/10.2/sql/item.cc:584
    #3 0x556441598207 in Item::print_for_table_def(String*) /data/src/10.2/sql/item.h:1307
    #4 0x556441dd433a in generate_partition_syntax(THD*, partition_info*, unsigned int*, bool, HA_CREATE_INFO*, Alter_info*) /data/src/10.2/sql/sql_partition.cc:2287
    #5 0x55644154ff58 in show_create_table(THD*, TABLE_LIST*, String*, Table_specification_st*, enum_with_db_name) /data/src/10.2/sql/sql_show.cc:2297
    #6 0x55644154845f in mysqld_show_create_get_fields(THD*, TABLE_LIST*, List<Item>*, String*) /data/src/10.2/sql/sql_show.cc:1251
    #7 0x556441548bff in mysqld_show_create(THD*, TABLE_LIST*) /data/src/10.2/sql/sql_show.cc:1324
    #8 0x5564413e4728 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4222
    #9 0x5564413fc5cf in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7900
    #10 0x5564413d7940 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1805
    #11 0x5564413d49df in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1360
    #12 0x55644170e892 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
    #13 0x55644170e2a7 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #14 0x556442116f2b in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1863
    #15 0x7ff5d7886493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
    #16 0x7ff5d5c6c93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
 
0x60c000028670 is located 112 bytes inside of 124-byte region [0x60c000028600,0x60c00002867c)
freed by thread T5 here:
    #0 0x7ff5d7af0527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
    #1 0x556442a4abf1 in free_memory /data/src/10.2/mysys/safemalloc.c:279
    #2 0x556442a4a252 in sf_free /data/src/10.2/mysys/safemalloc.c:197
    #3 0x556442a194de in my_free /data/src/10.2/mysys/my_malloc.c:217
    #4 0x5564411f9347 in String::free() /data/src/10.2/sql/sql_string.h:351
    #5 0x5564415b26b3 in String::real_alloc(unsigned long) /data/src/10.2/sql/sql_string.cc:44
    #6 0x556441217f69 in String::alloc(unsigned long) /data/src/10.2/sql/sql_string.h:361
    #7 0x5564415b3684 in String::copy(char const*, unsigned long, charset_info_st const*) /data/src/10.2/sql/sql_string.cc:187
    #8 0x55644166f1f5 in TABLE::init(THD*, TABLE_LIST*) /data/src/10.2/sql/table.cc:4464
    #9 0x5564412ce7bb in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.2/sql/sql_base.cc:1938
    #10 0x5564412d48a8 in open_and_process_table /data/src/10.2/sql/sql_base.cc:3409
    #11 0x5564412d6fd0 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:3928
    #12 0x55644137dc93 in open_tables(THD*, TABLE_LIST**, unsigned int*, unsigned int) /data/src/10.2/sql/sql_base.h:463
    #13 0x556441548101 in mysqld_show_create_get_fields(THD*, TABLE_LIST*, List<Item>*, String*) /data/src/10.2/sql/sql_show.cc:1229
    #14 0x556441548bff in mysqld_show_create(THD*, TABLE_LIST*) /data/src/10.2/sql/sql_show.cc:1324
    #15 0x5564413e4728 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4222
    #16 0x5564413fc5cf in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7900
    #17 0x5564413d7940 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1805
    #18 0x5564413d49df in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1360
    #19 0x55644170e892 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
    #20 0x55644170e2a7 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #21 0x556442116f2b in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1863
    #22 0x7ff5d7886493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
 
previously allocated by thread T5 here:
    #0 0x7ff5d7af073f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x556442a499f4 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
    #2 0x556442a18c16 in my_malloc /data/src/10.2/mysys/my_malloc.c:101
    #3 0x5564415b2712 in String::real_alloc(unsigned long) /data/src/10.2/sql/sql_string.cc:47
    #4 0x556441217f69 in String::alloc(unsigned long) /data/src/10.2/sql/sql_string.h:361
    #5 0x5564415b3684 in String::copy(char const*, unsigned long, charset_info_st const*) /data/src/10.2/sql/sql_string.cc:187
    #6 0x556441664553 in open_table_from_share(THD*, TABLE_SHARE*, char const*, unsigned int, unsigned int, unsigned int, TABLE*, bool) /data/src/10.2/sql/table.cc:3025
    #7 0x5564412ce316 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.2/sql/sql_base.cc:1877
    #8 0x5564412d48a8 in open_and_process_table /data/src/10.2/sql/sql_base.cc:3409
    #9 0x5564412d6fd0 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:3928
    #10 0x5564412dacd6 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:4682
    #11 0x5564412bca56 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.2/sql/sql_base.h:494
    #12 0x5564413f3762 in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6380
    #13 0x5564413e0db9 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3463
    #14 0x5564413fc5cf in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7900
    #15 0x5564413d7940 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1805
    #16 0x5564413d49df in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1360
    #17 0x55644170e892 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
    #18 0x55644170e2a7 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #19 0x556442116f2b in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1863
    #20 0x7ff5d7886493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
 
Thread T5 created by T0 here:
    #0 0x7ff5d7abfbba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
    #1 0x5564421174f3 in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1913
    #2 0x5564411d718f in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1239
    #3 0x5564411ebed8 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6423
    #4 0x5564411ec5dd in create_new_thread /data/src/10.2/sql/mysqld.cc:6493
    #5 0x5564411ed5ee in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6768
    #6 0x5564411eb425 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6042
    #7 0x5564411d56bf in main /data/src/10.2/sql/main.cc:25
    #8 0x7ff5d5ba42b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
 
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.2/sql/item.cc:2671 Item_ident::print(String*, enum_query_type)
Shadow bytes around the buggy address:
  0x0c187fffd070: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c187fffd080: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c187fffd090: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c187fffd0a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c187fffd0b0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
=>0x0c187fffd0c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
  0x0c187fffd0d0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c187fffd0e0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c187fffd0f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c187fffd100: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c187fffd110: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==22663==ABORTING

10.2 6e7ca6b0b2 valgrind

==30373== Thread 6:
==30373== Invalid read of size 1
==30373==    at 0x951081: Item_ident::print(String*, enum_query_type) (item.cc:2671)
==30373==    by 0x95E727: Item_field::print(String*, enum_query_type) (item.cc:7341)
==30373==    by 0x94B536: Item::print_parenthesised(String*, enum_query_type, precedence) (item.cc:584)
==30373==    by 0x766AA1: Item::print_for_table_def(String*) (item.h:1307)
==30373==    by 0xAEB721: generate_partition_syntax(THD*, partition_info*, unsigned int*, bool, HA_CREATE_INFO*, Alter_info*) (sql_partition.cc:2287)
==30373==    by 0x74CB57: show_create_table(THD*, TABLE_LIST*, String*, Table_specification_st*, enum_with_db_name) (sql_show.cc:2297)
==30373==    by 0x749006: mysqld_show_create_get_fields(THD*, TABLE_LIST*, List<Item>*, String*) (sql_show.cc:1251)
==30373==    by 0x749526: mysqld_show_create(THD*, TABLE_LIST*) (sql_show.cc:1324)
==30373==    by 0x6BA3F3: mysql_execute_command(THD*) (sql_parse.cc:4222)
==30373==    by 0x6C5D33: mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) (sql_parse.cc:7900)
==30373==    by 0x6B3C3F: dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) (sql_parse.cc:1805)
==30373==    by 0x6B259D: do_command(THD*) (sql_parse.cc:1360)
==30373==    by 0x8058EA: do_handle_one_connection(CONNECT*) (sql_connect.cc:1335)
==30373==    by 0x805677: handle_one_connection (sql_connect.cc:1241)
==30373==    by 0xC456B1: pfs_spawn_thread (pfs.cc:1863)
==30373==    by 0x4E3F493: start_thread (pthread_create.c:333)
==30373==  Address 0xd84bf38 is 8 bytes inside a block of size 16 free'd
==30373==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==30373==    by 0x10EE624: my_free (my_malloc.c:217)
==30373==    by 0x5E2666: String::free() (sql_string.h:351)
==30373==    by 0x7722B2: String::real_alloc(unsigned long) (sql_string.cc:44)
==30373==    by 0x5EF6DC: String::alloc(unsigned long) (sql_string.h:361)
==30373==    by 0x7727FE: String::copy(char const*, unsigned long, charset_info_st const*) (sql_string.cc:187)
==30373==    by 0x7C06F6: TABLE::init(THD*, TABLE_LIST*) (table.cc:4464)
==30373==    by 0x644A91: open_table(THD*, TABLE_LIST*, Open_table_context*) (sql_base.cc:1938)
==30373==    by 0x6472C8: open_and_process_table(THD*, LEX*, TABLE_LIST*, unsigned int*, unsigned int, Prelocking_strategy*, bool, Open_table_context*) (sql_base.cc:3409)
==30373==    by 0x648403: open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) (sql_base.cc:3928)
==30373==    by 0x69026C: open_tables(THD*, TABLE_LIST**, unsigned int*, unsigned int) (sql_base.h:463)
==30373==    by 0x748E4A: mysqld_show_create_get_fields(THD*, TABLE_LIST*, List<Item>*, String*) (sql_show.cc:1229)
==30373==    by 0x749526: mysqld_show_create(THD*, TABLE_LIST*) (sql_show.cc:1324)
==30373==    by 0x6BA3F3: mysql_execute_command(THD*) (sql_parse.cc:4222)
==30373==    by 0x6C5D33: mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) (sql_parse.cc:7900)
==30373==    by 0x6B3C3F: dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) (sql_parse.cc:1805)
==30373==  Block was alloc'd at
==30373==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==30373==    by 0x10EE12D: my_malloc (my_malloc.c:101)
==30373==    by 0x7722D9: String::real_alloc(unsigned long) (sql_string.cc:47)
==30373==    by 0x5EF6DC: String::alloc(unsigned long) (sql_string.h:361)
==30373==    by 0x7727FE: String::copy(char const*, unsigned long, charset_info_st const*) (sql_string.cc:187)
==30373==    by 0x7BC591: open_table_from_share(THD*, TABLE_SHARE*, char const*, unsigned int, unsigned int, unsigned int, TABLE*, bool) (table.cc:3025)
==30373==    by 0x64483B: open_table(THD*, TABLE_LIST*, Open_table_context*) (sql_base.cc:1877)
==30373==    by 0x6472C8: open_and_process_table(THD*, LEX*, TABLE_LIST*, unsigned int*, unsigned int, Prelocking_strategy*, bool, Open_table_context*) (sql_base.cc:3409)
==30373==    by 0x648403: open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) (sql_base.cc:3928)
==30373==    by 0x649BF7: open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) (sql_base.cc:4682)
==30373==    by 0x63CD94: open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) (sql_base.h:494)
==30373==    by 0x6C1ECE: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:6380)
==30373==    by 0x6B834E: mysql_execute_command(THD*) (sql_parse.cc:3463)
==30373==    by 0x6C5D33: mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) (sql_parse.cc:7900)
==30373==    by 0x6B3C3F: dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) (sql_parse.cc:1805)
==30373==    by 0x6B259D: do_command(THD*) (sql_parse.cc:1360)

Reproducible on earlier builds as well.
Not reproducible on 10.1.



 Comments   
Comment by Elena Stepanova [ 2018-04-17 ]

A different test case with a different stack trace but the same result:

# Second reproducer: same heap-use-after-free in Item_ident::print, reached
# via Virtual_column_info::print while ALTER TABLE ... FORCE rebuilds the .frm.
CREATE TABLE IF NOT EXISTS table_virtual (a INT, b INT AS (a) VIRTUAL);
CREATE TABLE IF NOT EXISTS t2 (c INT);
 
# The procedure body joins table_virtual (under alias t1) with t2; CALL
# executes it once before the ALTER below.
# NOTE(review): presumably the earlier open under an alias sets up the stale
# pointer, as in the first test case — this trace has no alloc/free stacks, so verify.
CREATE PROCEDURE p() SELECT * FROM table_virtual AS t1, t2;
CALL p;
# The trace shows pack_vcols -> pack_expression -> Virtual_column_info::print
# -> Item_ident::print (unireg.cc) hitting the freed block here.
ALTER TABLE table_virtual FORCE;
 
# Cleanup
DROP PROCEDURE p;
DROP TABLE table_virtual, t2;

10.2 ASAN bc2501453c3

==9472==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00000d4f0 at pc 0x56333daa830a bp 0x7f3e0c7eb5e0 sp 0x7f3e0c7eb5d8
READ of size 1 at 0x60c00000d4f0 thread T5
    #0 0x56333daa8309 in Item_ident::print(String*, enum_query_type) /data/src/10.2/sql/item.cc:2697
    #1 0x56333dacad41 in Item_field::print(String*, enum_query_type) /data/src/10.2/sql/item.cc:7390
    #2 0x56333da982d8 in Item::print_parenthesised(String*, enum_query_type, precedence) /data/src/10.2/sql/item.cc:582
    #3 0x56333d63f3e1 in Item::print_for_table_def(String*) /data/src/10.2/sql/item.h:1312
    #4 0x56333d63fc43 in Virtual_column_info::print(String*) /data/src/10.2/sql/item.h:6039
    #5 0x56333d74c7ac in pack_expression /data/src/10.2/sql/unireg.cc:553
    #6 0x56333d74ca00 in pack_vcols /data/src/10.2/sql/unireg.cc:574
    #7 0x56333d748da1 in build_frm_image(THD*, char const*, HA_CREATE_INFO*, List<Create_field>&, unsigned int, st_key*, handler*) /data/src/10.2/sql/unireg.cc:131
    #8 0x56333d6800d6 in mysql_create_frm_image(THD*, char const*, char const*, HA_CREATE_INFO*, Alter_info*, int, st_key**, unsigned int*, st_mysql_const_unsigned_lex_string*) /data/src/10.2/sql/sql_table.cc:4660
    #9 0x56333d6813c0 in create_table_impl /data/src/10.2/sql/sql_table.cc:4896
    #10 0x56333d69c305 in mysql_alter_table(THD*, char*, char*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.2/sql/sql_table.cc:9205
    #11 0x56333d7c4d94 in Sql_cmd_alter_table::execute(THD*) /data/src/10.2/sql/sql_alter.cc:324
    #12 0x56333d498b0b in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:6220
    #13 0x56333d4a2eda in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7914
    #14 0x56333d47e0eb in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1815
    #15 0x56333d47b18f in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1369
    #16 0x56333d7b6a35 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
    #17 0x56333d7b644a in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #18 0x56333e1c2129 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
    #19 0x7f3e18c75493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
    #20 0x7f3e1705b93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
