[MDEV-15746] ASAN heap-use-after-free in Item_change_list::rollback_item_tree_changes on ALTER executed as PS Created: 2018-04-01  Updated: 2019-04-28  Resolved: 2018-05-10

Status: Closed
Project: MariaDB Server
Component/s: Data Definition - Alter Table, Prepared Statements
Affects Version/s: 10.2, 10.3
Fix Version/s: 10.2.15, 10.3.7

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Sergei Golubchik
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-14697 Server crashes in in TABLE::mark_defa... Closed
relates to MDEV-15537 Server crashes in mysql_prepare_alter... Closed
relates to MDEV-17177 Crash in Item_func_in::cleanup() for ... Closed
relates to MDEV-17869 AddressSanitizer: use-after-poison in... Closed
relates to MDEV-19300 Server crashes while executing ALTER ... Closed

Description

CREATE TABLE t1 (b BLOB DEFAULT '');
PREPARE stmt FROM "ALTER TABLE t1 FORCE";
EXECUTE stmt;
 
# Cleanup
DROP TABLE t1;

10.2 ASAN 55f4e4800b

==31069==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000080590 at pc 0x55c8d0ce4a15 bp 0x7feecd0a8110 sp 0x7feecd0a8108
WRITE of size 8 at 0x619000080590 thread T5
    #0 0x55c8d0ce4a14 in Item_change_list::rollback_item_tree_changes() /data/src/10.2/sql/sql_class.cc:2691
    #1 0x55c8d0def5bb in Prepared_statement::cleanup_stmt() /data/src/10.2/sql/sql_prepare.cc:3837
    #2 0x55c8d0df5f00 in Prepared_statement::execute(String*, bool) /data/src/10.2/sql/sql_prepare.cc:4802
    #3 0x55c8d0df159f in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.2/sql/sql_prepare.cc:4203
    #4 0x55c8d0dec1cf in mysql_sql_stmt_execute(THD*) /data/src/10.2/sql/sql_prepare.cc:3311
    #5 0x55c8d0d9177f in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3495
    #6 0x55c8d0daceda in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7914
    #7 0x55c8d0d880eb in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1815
    #8 0x55c8d0d8518f in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1369
    #9 0x55c8d10c08cf in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
    #10 0x55c8d10c02e4 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #11 0x55c8d1acbfc3 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
    #12 0x7feed952d493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
    #13 0x7feed791393e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
 
0x619000080590 is located 784 bytes inside of 1100-byte region [0x619000080280,0x6190000806cc)
freed by thread T5 here:
    #0 0x7feed9797527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
    #1 0x55c8d23ecd9d in free_memory /data/src/10.2/mysys/safemalloc.c:279
    #2 0x55c8d23ec3a3 in sf_free /data/src/10.2/mysys/safemalloc.c:197
    #3 0x55c8d23bb68a in my_free /data/src/10.2/mysys/my_malloc.c:217
    #4 0x55c8d239cd00 in free_root /data/src/10.2/mysys/my_alloc.c:398
    #5 0x55c8d1019c03 in closefrm(TABLE*) /data/src/10.2/sql/table.cc:3442
    #6 0x55c8d1220494 in intern_close_table /data/src/10.2/sql/table_cache.cc:222
    #7 0x55c8d12206fa in tc_remove_table /data/src/10.2/sql/table_cache.cc:260
    #8 0x55c8d122152b in tc_release_table(TABLE*) /data/src/10.2/sql/table_cache.cc:460
    #9 0x55c8d0c795bf in close_thread_table(THD*, TABLE**) /data/src/10.2/sql/sql_base.cc:900
    #10 0x55c8d0c7830b in close_all_tables_for_name(THD*, TABLE_SHARE*, ha_extra_function, TABLE*) /data/src/10.2/sql/sql_base.cc:674
    #11 0x55c8d0fa7fa7 in mysql_alter_table(THD*, char*, char*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.2/sql/sql_table.cc:9571
    #12 0x55c8d10cec2e in Sql_cmd_alter_table::execute(THD*) /data/src/10.2/sql/sql_alter.cc:324
    #13 0x55c8d0da2b0b in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:6220
    #14 0x55c8d0df5c24 in Prepared_statement::execute(String*, bool) /data/src/10.2/sql/sql_prepare.cc:4774
    #15 0x55c8d0df159f in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.2/sql/sql_prepare.cc:4203
    #16 0x55c8d0dec1cf in mysql_sql_stmt_execute(THD*) /data/src/10.2/sql/sql_prepare.cc:3311
    #17 0x55c8d0d9177f in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3495
    #18 0x55c8d0daceda in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7914
    #19 0x55c8d0d880eb in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1815
    #20 0x55c8d0d8518f in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1369
    #21 0x55c8d10c08cf in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
    #22 0x55c8d10c02e4 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #23 0x55c8d1acbfc3 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
    #24 0x7feed952d493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
 
previously allocated by thread T5 here:
    #0 0x7feed979773f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x55c8d23ebb13 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
    #2 0x55c8d23badc2 in my_malloc /data/src/10.2/mysys/my_malloc.c:101
    #3 0x55c8d239bc65 in alloc_root /data/src/10.2/mysys/my_alloc.c:241
    #4 0x55c8d1016642 in open_table_from_share(THD*, TABLE_SHARE*, char const*, unsigned int, unsigned int, unsigned int, TABLE*, bool) /data/src/10.2/sql/table.cc:3060
    #5 0x55c8d0c7d3c6 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.2/sql/sql_base.cc:1877
    #6 0x55c8d0c83958 in open_and_process_table /data/src/10.2/sql/sql_base.cc:3409
    #7 0x55c8d0c86080 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:3928
    #8 0x55c8d0f6cd71 in open_tables /data/src/10.2/sql/sql_base.h:237
    #9 0x55c8d0fa40ad in mysql_alter_table(THD*, char*, char*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.2/sql/sql_table.cc:8750
    #10 0x55c8d10cec2e in Sql_cmd_alter_table::execute(THD*) /data/src/10.2/sql/sql_alter.cc:324
    #11 0x55c8d0da2b0b in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:6220
    #12 0x55c8d0df5c24 in Prepared_statement::execute(String*, bool) /data/src/10.2/sql/sql_prepare.cc:4774
    #13 0x55c8d0df159f in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.2/sql/sql_prepare.cc:4203
    #14 0x55c8d0dec1cf in mysql_sql_stmt_execute(THD*) /data/src/10.2/sql/sql_prepare.cc:3311
    #15 0x55c8d0d9177f in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3495
    #16 0x55c8d0daceda in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7914
    #17 0x55c8d0d880eb in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1815
    #18 0x55c8d0d8518f in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1369
    #19 0x55c8d10c08cf in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
    #20 0x55c8d10c02e4 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #21 0x55c8d1acbfc3 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
    #22 0x7feed952d493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
 
Thread T5 created by T0 here:
    #0 0x7feed9766bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
    #1 0x55c8d1acc58b in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1912
    #2 0x55c8d0b82cde in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1239
    #3 0x55c8d0b97b15 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6436
    #4 0x55c8d0b9821a in create_new_thread /data/src/10.2/sql/mysqld.cc:6506
    #5 0x55c8d0b9922b in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6781
    #6 0x55c8d0b9706a in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6055
    #7 0x55c8d0b8107f in main /data/src/10.2/sql/main.cc:25
    #8 0x7feed784b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
 
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.2/sql/sql_class.cc:2691 Item_change_list::rollback_item_tree_changes()
Shadow bytes around the buggy address:
  0x0c3280008060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280008070: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280008080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280008090: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c32800080a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c32800080b0: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c32800080c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c32800080d0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c32800080e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c32800080f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280008100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==31069==ABORTING
180402  1:49:38 [ERROR] mysqld got signal 6 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
 
To report this bug, see https://mariadb.com/kb/en/reporting-bugs
 
We will try our best to scrape up some info that will hopefully help
diagnose the problem, but since we have already crashed, 
something is definitely wrong and this may fail.
 
Server version: 10.2.15-MariaDB-debug-log
key_buffer_size=1048576
read_buffer_size=131072
stdlib/abort.c:91(__GI_abort)[0x7feed785f3fa]
/usr/lib/x86_64-linux-gnu/libasan.so.1(+0x61f29)[0x7feed97a4f29]
/usr/lib/x86_64-linux-gnu/libasan.so.1(+0x59ca5)[0x7feed979cca5]
/usr/lib/x86_64-linux-gnu/libasan.so.1(+0x5daa2)[0x7feed97a0aa2]
/usr/lib/x86_64-linux-gnu/libasan.so.1(__asan_report_error+0x3d9)[0x7feed979c139]
/usr/lib/x86_64-linux-gnu/libasan.so.1(__asan_report_store8+0x27)[0x7feed979d107]
sql/sql_class.cc:2691(Item_change_list::rollback_item_tree_changes())[0x55c8d0ce4a15]
sql/sql_prepare.cc:3838(Prepared_statement::cleanup_stmt())[0x55c8d0def5bc]
sql/sql_prepare.cc:4809(Prepared_statement::execute(String*, bool))[0x55c8d0df5f01]
sql/sql_prepare.cc:4203(Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*))[0x55c8d0df15a0]
sql/sql_prepare.cc:3312(mysql_sql_stmt_execute(THD*))[0x55c8d0dec1d0]
sql/sql_parse.cc:3496(mysql_execute_command(THD*))[0x55c8d0d91780]
sql/sql_parse.cc:7914(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55c8d0dacedb]
sql/sql_parse.cc:1817(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55c8d0d880ec]
sql/sql_parse.cc:1369(do_command(THD*))[0x55c8d0d85190]
sql/sql_connect.cc:1335(do_handle_one_connection(CONNECT*))[0x55c8d10c08d0]
sql/sql_connect.cc:1242(handle_one_connection)[0x55c8d10c02e5]
perfschema/pfs.cc:1864(pfs_spawn_thread)[0x55c8d1acbfc4]
nptl/pthread_create.c:333(start_thread)[0x7feed952d494]
x86_64/clone.S:99(clone)[0x7feed791393f]
 
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0x62b000000320): ALTER TABLE t1 FORCE
Connection ID (thread ID): 4
Status: NOT_KILLED
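The three stacks above describe one lifetime bug: the slot being written at sql_class.cc:2691 was allocated by alloc_root from the TABLE's memory root during open_table_from_share, that root was freed by free_root when the ALTER closed the table (closefrm via close_all_tables_for_name), and the prepared statement's cleanup_stmt then rolled back an Item tree change whose recorded location pointed into the freed block. The following is an added C model of that ordering, written for this page; it is not MariaDB code and the names Arena, ChangeList, change_item_tree, rollback_item_tree_changes and run_order are hypothetical stand-ins for mem_root, Item_change_list and the prepared-statement execution path. The fix that shipped in 10.2.15/10.3.7 is not described on this page, so the "rollback first" ordering below is only the ordering that avoids the write, not a claim about the actual patch.

```c
/* Hypothetical model of the lifetime bug in MDEV-15746; not MariaDB code.
 * Arena stands in for TABLE::mem_root (alloc_root/free_root), ChangeList
 * for Item_change_list, and run_order() plays the two orderings. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct Item { int id; } Item;

/* Bump allocator freed as a whole, like free_root(). The address range is
 * kept after free so a stale pointer can still be checked against it. */
typedef struct Arena {
    unsigned char *base;
    size_t size, used;
    uintptr_t lo, hi;   /* range the block occupied */
    int live;           /* cleared by arena_free(); models closefrm() having run */
} Arena;

static void arena_init(Arena *a, size_t size) {
    a->base = malloc(size);
    a->size = size; a->used = 0; a->live = 1;
    a->lo = (uintptr_t)a->base; a->hi = a->lo + size;
}

static void *arena_alloc(Arena *a, size_t n) {
    n = (n + 7) & ~(size_t)7;                   /* keep 8-byte alignment */
    if (!a->live || a->used + n > a->size) return NULL;
    void *p = a->base + a->used;
    a->used += n;
    return p;
}

static void arena_free(Arena *a) { free(a->base); a->base = NULL; a->live = 0; }

static int arena_owns(const Arena *a, const void *p) {
    uintptr_t u = (uintptr_t)p;
    return u >= a->lo && u < a->hi;
}

/* One recorded substitution: the slot that was changed and its old value. */
typedef struct Change { Item **place; Item *old_value; struct Change *next; } Change;
typedef struct ChangeList { Change *head; } ChangeList;

/* Record *place and overwrite it, the way a fix-up pass substitutes an Item. */
static void change_item_tree(ChangeList *cl, Item **place, Item *new_value) {
    Change *c = malloc(sizeof *c);
    c->place = place; c->old_value = *place; c->next = cl->head;
    cl->head = c;
    *place = new_value;
}

/* Restore every recorded slot. A slot inside an arena that is no longer live is
 * counted instead of written: the real rollback writes through it, which is the
 * 8-byte WRITE at sql_class.cc:2691 in the ASAN report. */
static int rollback_item_tree_changes(ChangeList *cl, const Arena *table_arena) {
    int dangling = 0;
    for (Change *c = cl->head; c; ) {
        Change *next = c->next;
        if (!table_arena->live && arena_owns(table_arena, c->place)) dangling++;
        else *c->place = c->old_value;
        free(c);
        c = next;
    }
    cl->head = NULL;
    return dangling;
}

/* Plays one statement. rollback_first == 0 is the ordering in the report: the
 * ALTER closes the table (freeing its arena) and cleanup_stmt() rolls back
 * afterwards. rollback_first != 0 rolls back while the table is still open.
 * Returns the number of dangling slots, or 100 if a slot was not restored. */
static int run_order(int rollback_first) {
    Arena table;
    arena_init(&table, 4096);
    Item **default_expr = arena_alloc(&table, sizeof *default_expr); /* slot owned by TABLE */
    Item original = {1}, substituted = {2};
    *default_expr = &original;

    ChangeList cl = { NULL };
    change_item_tree(&cl, default_expr, &substituted);

    int dangling;
    if (rollback_first) {
        dangling = rollback_item_tree_changes(&cl, &table);
        if (*default_expr != &original) dangling = 100;    /* restore must be exact */
        arena_free(&table);
    } else {
        arena_free(&table);                                 /* closefrm -> free_root */
        dangling = rollback_item_tree_changes(&cl, &table); /* cleanup_stmt -> rollback */
    }
    return dangling;
}

int main(void) {
    printf("close then rollback: %d dangling slot(s)\n", run_order(0));
    printf("rollback then close: %d dangling slot(s)\n", run_order(1));
    return 0;
}
```

The model deliberately refuses the write instead of performing it, so it runs cleanly without a sanitizer; the point it makes is the one the report's three stacks make together, that the change list outlived the arena its entries pointed into. On a real build the equivalent check is to run the reporter's test case under ASAN and confirm the WRITE in rollback_item_tree_changes no longer appears.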


Generated at Thu Feb 08 08:23:42 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.