[MDEV-14842] AddressSanitizer: heap-use-after-free in _ma_copy_nontrans_state_information Created: 2018-01-01  Updated: 2019-05-01  Resolved: 2019-05-01

Status: Closed
Project: MariaDB Server
Component/s: Storage Engine - Aria, Storage Engine - RocksDB
Affects Version/s: 10.2
Fix Version/s: 10.2.16

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Unassigned
Resolution: Fixed Votes: 0
Labels: None


 Description   

Note: Possibly it has nothing to do with RocksDB, but it was the only intermediate error which has led me to the final effect, which seems to be in Aria. If necessary, please re-categorize and reassign.

--source include/have_log_bin.inc
 
--source include/have_binlog_format_mixed.inc
 
 
 
INSTALL SONAME 'ha_rocksdb';
 
CREATE TABLE t1 (i INT) ENGINE=RocksDB;
 
CREATE TABLE t2 (b INT) ENGINE=Aria;
 
--error 4056
 
ALTER TABLE t1 FORCE;
 
SELECT * FROM t2 ORDER BY RAND();
 
 
 
# Cleanup
 
DROP TABLE t1, t2;
 
UNINSTALL SONAME 'ha_rocksdb';

10.2 ASAN aed2050e40cb332d54e8d40eb7242309b962c4e1

 
READ of size 8 at 0x61100003a900 thread T6
 
    #0 0x55fea4761eec in _ma_copy_nontrans_state_information /data/src/10.2/storage/maria/ma_state.c:776
 
    #1 0x55fea4813469 in _ma_reenable_logging_for_table /data/src/10.2/storage/maria/ma_recovery.c:3597
 
    #2 0x55fea479775f in ha_maria::external_lock(THD*, int) /data/src/10.2/storage/maria/ha_maria.cc:2741
 
    #3 0x55fea42b95c5 in handler::ha_external_lock(THD*, int) /data/src/10.2/sql/handler.cc:5903
 
    #4 0x55fea4535dc5 in unlock_external /data/src/10.2/sql/lock.cc:719
 
    #5 0x55fea4533485 in mysql_unlock_tables(THD*, st_mysql_lock*, bool) /data/src/10.2/sql/lock.cc:429
 
    #6 0x55fea4533301 in mysql_unlock_tables(THD*, st_mysql_lock*) /data/src/10.2/sql/lock.cc:418
 
    #7 0x55fea3ba4ca6 in close_thread_tables(THD*) /data/src/10.2/sql/sql_base.cc:840
 
    #8 0x55fea3ccd643 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:6283
 
    #9 0x55fea3cd752d in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7900
 
    #10 0x55fea3cb289e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1805
 
    #11 0x55fea3caf93d in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1360
 
    #12 0x55fea3fe9b9c in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
 
    #13 0x55fea3fe95b1 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
 
    #14 0x55fea49f2ceb in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1863
 
    #15 0x7f7885cc7493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
 
    #16 0x7f78840ad93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
 
 
 
0x61100003a900 is located 128 bytes inside of 244-byte region [0x61100003a880,0x61100003a974)
 
freed by thread T6 here:
 
    #0 0x7f7885f31527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
 
    #1 0x55fea5326c6f in free_memory /data/src/10.2/mysys/safemalloc.c:279
 
    #2 0x55fea53262d0 in sf_free /data/src/10.2/mysys/safemalloc.c:197
 
    #3 0x55fea52f555c in my_free /data/src/10.2/mysys/my_malloc.c:217
 
    #4 0x55fea476092e in _ma_trnman_end_trans_hook /data/src/10.2/storage/maria/ma_state.c:546
 
    #5 0x55fea47a2088 in trnman_end_trn /data/src/10.2/storage/maria/trnman.c:473
 
    #6 0x55fea4813d14 in ma_commit /data/src/10.2/storage/maria/ma_commit.c:38
 
    #7 0x55fea47983b9 in ha_maria::implicit_commit(THD*, bool) /data/src/10.2/storage/maria/ha_maria.cc:2905
 
    #8 0x55fea3ccd634 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:6278
 
    #9 0x55fea3cd752d in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7900
 
    #10 0x55fea3cb289e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1805
 
    #11 0x55fea3caf93d in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1360
 
    #12 0x55fea3fe9b9c in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
 
    #13 0x55fea3fe95b1 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
 
    #14 0x55fea49f2ceb in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1863
 
    #15 0x7f7885cc7493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
 
 
 
previously allocated by thread T6 here:
 
    #0 0x7f7885f3173f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
 
    #1 0x55fea5325a72 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
 
    #2 0x55fea52f4c94 in my_malloc /data/src/10.2/mysys/my_malloc.c:101
 
    #3 0x55fea475da9a in _ma_setup_live_state /data/src/10.2/storage/maria/ma_state.c:80
 
    #4 0x55fea47612f4 in _ma_block_start_trans /data/src/10.2/storage/maria/ma_state.c:637
 
    #5 0x55fea530eed9 in thr_multi_lock /data/src/10.2/mysys/thr_lock.c:1317
 
    #6 0x55fea4532967 in mysql_lock_tables(THD*, st_mysql_lock*, unsigned int) /data/src/10.2/sql/lock.cc:354
 
    #7 0x55fea4532453 in mysql_lock_tables(THD*, TABLE**, unsigned int, unsigned int) /data/src/10.2/sql/lock.cc:303
 
    #8 0x55fea3bb7177 in lock_tables(THD*, TABLE_LIST*, unsigned int, unsigned int) /data/src/10.2/sql/sql_base.cc:4902
 
    #9 0x55fea3bb5cfc in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:4691
 
    #10 0x55fea3b97b64 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.2/sql/sql_base.h:494
 
    #11 0x55fea3cce6c0 in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6380
 
    #12 0x55fea3cbbd17 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3463
 
    #13 0x55fea3cd752d in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7900
 
    #14 0x55fea3cb289e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1805
 
    #15 0x55fea3caf93d in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1360
 
    #16 0x55fea3fe9b9c in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
 
    #17 0x55fea3fe95b1 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
 
    #18 0x55fea49f2ceb in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1863
 
    #19 0x7f7885cc7493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
 
 
 
Thread T6 created by T0 here:
 
    #0 0x7f7885f00bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
 
    #1 0x55fea49f32b3 in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1913
 
    #2 0x55fea3ab228f in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1239
 
    #3 0x55fea3ac6fd8 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6423
 
    #4 0x55fea3ac76dd in create_new_thread /data/src/10.2/sql/mysqld.cc:6493
 
    #5 0x55fea3ac86ee in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6768
 
    #6 0x55fea3ac6525 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6042
 
    #7 0x55fea3ab07bf in main /data/src/10.2/sql/main.cc:25
 
    #8 0x7f7883fe52b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
 
 
 
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.2/storage/maria/ma_state.c:776 _ma_copy_nontrans_state_information
 
Shadow bytes around the buggy address:
 
  0x0c227ffff4d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 
  0x0c227ffff4e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 
  0x0c227ffff4f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 
  0x0c227ffff500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 
  0x0c227ffff510: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
 
=>0x0c227ffff520:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
 
  0x0c227ffff530: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
 
  0x0c227ffff540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
  0x0c227ffff550: 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa fa
 
  0x0c227ffff560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
  0x0c227ffff570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 fa
 
Shadow byte legend (one shadow byte represents 8 application bytes):
 
  Addressable:           00
 
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
 
  Heap right redzone:      fb
 
  Freed heap region:       fd
 
  Stack left redzone:      f1
 
  Stack mid redzone:       f2
 
  Stack right redzone:     f3
 
  Stack partial redzone:   f4
 
  Stack after return:      f5
 
  Stack use after scope:   f8
 
  Global redzone:          f9
 
  Global init order:       f6
 
  Poisoned by user:        f7
 
  Contiguous container OOB:fc
 
  ASan internal:           fe
 
==32658==ABORTING



 Comments   
Comment by Elena Stepanova [ 2019-05-01 ]

The failure disappeared from 10.2 tree after this merge:

commit ff1d10ef9c8595136cc7687aa59e638cf31db332
 
Merge: 6f530c6 91dfb61
 
Author: Sergei Golubchik
 
Date:   Sun May 20 02:07:21 2018 +0200
 
 
 
    Merge branch '10.1' into 10.2

Generated at Thu Feb 08 08:16:42 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.