[MDEV-17071] Server crashes in TABLE_LIST::get_tablenr or ASAN use-after-poison in write_record upon INSERT into view Created: 2018-08-25  Updated: 2023-04-27

Status: Confirmed
Project: MariaDB Server
Component/s: Data Manipulation - Insert, Data Manipulation - Update, Views
Affects Version/s: 5.5, 10.1, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8
Fix Version/s: 10.4, 10.5, 10.6

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Oleksandr Byelkin
Resolution: Unresolved Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-17699 AddressSanitizer: use-after-poison i... Closed

 Description   

# Reproducer for MDEV-17071: a single INSERT ... ON DUPLICATE KEY UPDATE routed
# through a MERGE view over a join crashes the server (see the stack traces below).
# The statement order is what triggers the bug; do not reorder or "clean up" it.
CREATE  TABLE t1 (a INT, b INT NOT NULL, UNIQUE(b));
# Seed one row with b = 0 so the later INSERT of b = 0 takes the duplicate-key path
# (the backtrace shows duplic=DUP_UPDATE reaching write_record).
INSERT INTO t1 VALUES (10, 0);
CREATE TABLE t2 (c INT);
# The view is a MERGE view with SELECT * over a join; keep SELECT * as written,
# it is part of the reproducer.
CREATE  ALGORITHM=MERGE VIEW v AS SELECT * FROM t1 JOIN t2;
# t1 is widened only after the view exists. NOTE(review): the mismatch between the
# column set the view saw at creation time and t1's current definition is the
# presumed trigger; not confirmed from the traces alone.
ALTER TABLE t1 ADD d VARCHAR(16);
# Triggering statement: crashes in TABLE_LIST::get_tablenr on a debug build and
# reports a use-after-poison in write_record under ASAN.
INSERT INTO v (b) VALUES (0) ON DUPLICATE KEY UPDATE a = NULL;
 
# Cleanup
DROP VIEW v;
DROP TABLE t1, t2;

10.4 631c5ab4

#3  <signal handler called>
#4  0x00005598efe91c86 in TABLE_LIST::get_tablenr (this=0xffffffffffffffff) at /data/src/10.4/sql/table.h:2178
#5  0x00005598efe7e259 in st_select_lex::save_leaf_tables (this=0x7facd4013a30, thd=0x7facd4000b00) at /data/src/10.4/sql/sql_lex.cc:4914
#6  0x00005598efe63953 in mysql_insert (thd=0x7facd4000b00, table_list=0x7facd4013250, fields=..., values_list=..., update_fields=..., update_values=..., duplic=DUP_UPDATE, ignore=false) at /data/src/10.4/sql/sql_insert.cc:1264
#7  0x00005598efeb1a13 in mysql_execute_command (thd=0x7facd4000b00) at /data/src/10.4/sql/sql_parse.cc:4524
#8  0x00005598efebe331 in mysql_parse (thd=0x7facd4000b00, rawbuf=0x7facd4013128 "INSERT INTO v (b) VALUES (0) ON DUPLICATE KEY UPDATE a = NULL", length=61, parser_state=0x7face5d77170, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:7912
#9  0x00005598efea9284 in dispatch_command (command=COM_QUERY, thd=0x7facd4000b00, packet=0x7facd4008331 "INSERT INTO v (b) VALUES (0) ON DUPLICATE KEY UPDATE a = NULL", packet_length=61, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1841
#10 0x00005598efea78e8 in do_command (thd=0x7facd4000b00) at /data/src/10.4/sql/sql_parse.cc:1359
#11 0x00005598f00318b9 in do_handle_one_connection (connect=0x5598f402b060) at /data/src/10.4/sql/sql_connect.cc:1412
#12 0x00005598f0031608 in handle_one_connection (arg=0x5598f402b060) at /data/src/10.4/sql/sql_connect.cc:1316
#13 0x00005598f0a6935f in pfs_spawn_thread (arg=0x5598f4060450) at /data/src/10.4/storage/perfschema/pfs.cc:1862
#14 0x00007faced71a4a4 in start_thread (arg=0x7face5d78700) at pthread_create.c:456
#15 0x00007facebc62d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

Reproducible on all 10.x, with at least MyISAM, InnoDB, Aria.

10.4 ASAN 631c5ab4

==16627==ERROR: AddressSanitizer: use-after-poison on address 0x62b000068280 at pc 0x7f7069e16d7b bp 0x7f705f396690 sp 0x7f705f395e40
WRITE of size 26 at 0x62b000068280 thread T5
    #0 0x7f7069e16d7a  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cd7a)
    #1 0x55e2a87b1fee in write_record(THD*, TABLE*, st_copy_info*) /data/src/10.4/sql/sql_insert.cc:1814
    #2 0x55e2a87acc9f in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.4/sql/sql_insert.cc:1076
    #3 0x55e2a885e76a in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4524
    #4 0x55e2a887669a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7912
    #5 0x55e2a884ddf1 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1841
    #6 0x55e2a884ab40 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1359
    #7 0x55e2a8be6745 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412
    #8 0x55e2a8be60f9 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
    #9 0x55e2aa1cd4db in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
    #10 0x7f7069ba44a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
    #11 0x7f70680ecd0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
 
0x62b00006828c is located 0 bytes to the right of 24716-byte region [0x62b000062200,0x62b00006828c)
allocated by thread T5 here:
    #0 0x7f7069e7bd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x55e2aa30f68c in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
    #2 0x55e2aa2e0330 in my_malloc /data/src/10.4/mysys/my_malloc.c:101
    #3 0x55e2aa2beae9 in reset_root_defaults /data/src/10.4/mysys/my_alloc.c:151
    #4 0x55e2a874578b in THD::init_for_queries() /data/src/10.4/sql/sql_class.cc:1387
    #5 0x55e2a8be5ab6 in prepare_new_connection_state(THD*) /data/src/10.4/sql/sql_connect.cc:1247
    #6 0x55e2a8be613f in thd_prepare_connection(THD*) /data/src/10.4/sql/sql_connect.cc:1331
    #7 0x55e2a8be66fb in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1402
    #8 0x55e2a8be60f9 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
    #9 0x55e2aa1cd4db in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
    #10 0x7f7069ba44a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
 
Thread T5 created by T0 here:
    #0 0x7f7069deaf59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
    #1 0x55e2aa1cd8c8 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
    #2 0x55e2a858da38 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
    #3 0x55e2a85a289f in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6240
    #4 0x55e2a85a2f82 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6310
    #5 0x55e2a85a330d in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6408
    #6 0x55e2a85a3f5f in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6566
    #7 0x55e2a85a2120 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5898
    #8 0x55e2a858b91f in main /data/src/10.4/sql/main.cc:25
    #9 0x7f70680242e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
 
SUMMARY: AddressSanitizer: use-after-poison (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cd7a) 
Shadow bytes around the buggy address:
  0x0c5680005000: 00 00 00 00 00 00 00 00 00 00 f7 00 00 f7 00 00
  0x0c5680005010: 00 00 00 00 00 00 00 00 f7 00 00 00 f7 00 00 00
  0x0c5680005020: 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 00 00
  0x0c5680005030: 00 00 00 00 f7 02 f7 02 f7 02 f7 00 00 f7 00 00
  0x0c5680005040: f7 00 00 f7 00 00 f7 00 00 f7 00 00 f7 00 00 00
=>0x0c5680005050:[f7]04 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5680005060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5680005070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5680005080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5680005090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c56800050a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==16627==ABORTING

The ASAN variation is reproducible on 10.x and 5.5.



 Comments   
Comment by Elena Stepanova [ 2019-12-08 ]

The variation of the test case below produces the same stack trace on a 10.3 debug build, but a different one on an ASAN build.
For whatever reason, it happens non-deterministically, even though there is no concurrency in the test. Run with --repeat=N before giving up. For me it usually fails within 2-3 attempts, but this can vary across machines and builds.

# Variation of the reproducer using system-versioned tables and a NATURAL JOIN.
# Same crash on a 10.3 debug build, different ASAN report (see below). Reported as
# non-deterministic even without concurrency; run with --repeat=N.
CREATE TABLE t1 (a TIMESTAMP(2) WITH SYSTEM VERSIONING, b TIMESTAMP(2), UNIQUE(a));
# Two rows with the same b; the UNIQUE constraint is on a, not b.
REPLACE INTO t1 (b) VALUES ('2028-12-03'),('2028-12-03');
 
CREATE TABLE t2 (a TIMESTAMP(2)) WITH SYSTEM VERSIONING;
 
# Both tables have a column named a, which NATURAL JOIN uses as the join column.
# Keep SELECT * and NATURAL JOIN as written; they are part of the reproducer.
CREATE ALGORITHM=MERGE VIEW v AS SELECT * FROM t1 NATURAL JOIN t2;
 
# Triggering statement: the debug backtrace shows ignore=true, duplic=DUP_UPDATE
# and the crash in TABLE_LIST::get_tablenr via st_select_lex::save_leaf_tables.
INSERT IGNORE INTO v (b) VALUES (NULL) ON DUPLICATE KEY UPDATE a = 0;
 
# Cleanup
DROP VIEW v;
DROP TABLE t1, t2;

10.3 ASAN e5e58777

==3599==ERROR: AddressSanitizer: use-after-poison on address 0x629000523947 at pc 0x558f619057a7 bp 0x7f3dbec9b2f0 sp 0x7f3dbec9b2e8
READ of size 8 at 0x629000523947 thread T27
    #0 0x558f619057a6 in base_list_iterator::next_fast() /data/src/10.3/sql/sql_list.h:442
    #1 0x558f61a5d21a in List_iterator_fast<TABLE_LIST>::operator++(int) /data/src/10.3/sql/sql_list.h:562
    #2 0x558f61b3373e in st_select_lex::save_leaf_tables(THD*) /data/src/10.3/sql/sql_lex.cc:4792
    #3 0x558f61aeee40 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.3/sql/sql_insert.cc:1260
    #4 0x558f61b88c34 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4455
    #5 0x558f61b9f172 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7818
    #6 0x558f61b79e5e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1856
    #7 0x558f61b76d3d in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1401
    #8 0x558f61eec9fa in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
    #9 0x558f61eec3c1 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
    #10 0x7f3de27c54a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
    #11 0x7f3de0d0cd0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
 
0x629000523947 is located 1863 bytes inside of 16460-byte region [0x629000523200,0x62900052724c)
allocated by thread T27 here:
    #0 0x7f3de2a9cd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x558f634813a7 in sf_malloc /data/src/10.3/mysys/safemalloc.c:118
    #2 0x558f63453230 in my_malloc /data/src/10.3/mysys/my_malloc.c:101
    #3 0x558f63433961 in alloc_root /data/src/10.3/mysys/my_alloc.c:250
    #4 0x558f6192f506 in Item::operator new(unsigned long, st_mem_root*) /data/src/10.3/sql/item.h:650
    #5 0x558f61c1807d in st_select_lex::vers_setup_conds(THD*, TABLE_LIST*) /data/src/10.3/sql/sql_select.cc:886
    #6 0x558f61c1a8db in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.3/sql/sql_select.cc:1070
    #7 0x558f61ddc1f2 in st_select_lex_unit::prepare_join(THD*, st_select_lex*, select_result*, unsigned long, bool) /data/src/10.3/sql/sql_union.cc:655
    #8 0x558f61ddf14c in st_select_lex_unit::prepare(TABLE_LIST*, select_result*, unsigned long) /data/src/10.3/sql/sql_union.cc:981
    #9 0x558f61ad2614 in mysql_derived_prepare(THD*, LEX*, TABLE_LIST*) /data/src/10.3/sql/sql_derived.cc:770
    #10 0x558f61acf5e2 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /data/src/10.3/sql/sql_derived.cc:199
    #11 0x558f61e55ca8 in TABLE_LIST::handle_derived(LEX*, unsigned int) /data/src/10.3/sql/table.cc:8287
    #12 0x558f61b0f10f in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /data/src/10.3/sql/sql_lex.h:4019
    #13 0x558f61af07ca in mysql_prepare_insert(THD*, TABLE_LIST*, TABLE*, List<Item>&, List<Item>*, List<Item>&, List<Item>&, enum_duplicates, Item**, bool) /data/src/10.3/sql/sql_insert.cc:1507
    #14 0x558f61aeb9d7 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.3/sql/sql_insert.cc:772
    #15 0x558f61b88c34 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4455
    #16 0x558f61b9f172 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7818
    #17 0x558f61b79e5e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1856
    #18 0x558f61b76d3d in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1401
    #19 0x558f61eec9fa in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
    #20 0x558f61eec3c1 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
    #21 0x7f3de27c54a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
 
Thread T27 created by T0 here:
    #0 0x7f3de2a0bf59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
    #1 0x558f634ab601 in spawn_thread_noop /data/src/10.3/mysys/psi_noop.c:187
    #2 0x558f618e3bb0 in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1268
    #3 0x558f618f8ebc in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6600
    #4 0x558f618f959f in create_new_thread /data/src/10.3/sql/mysqld.cc:6670
    #5 0x558f618fa5b7 in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6945
    #6 0x558f618f838c in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6222
    #7 0x558f618e22cf in main /data/src/10.3/sql/main.cc:25
    #8 0x7f3de0c442e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
 
SUMMARY: AddressSanitizer: use-after-poison /data/src/10.3/sql/sql_list.h:442 in base_list_iterator::next_fast()
Shadow bytes around the buggy address:
  0x0c528009c6d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c528009c6e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c528009c6f0: 00 00 00 00 00 00 f7 00 00 f7 00 00 f7 00 00 f7
  0x0c528009c700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c528009c710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f7
=>0x0c528009c720: 00 00 f7 00 00 f7 00 00[f7]04 f7 00 00 00 00 00
  0x0c528009c730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 00
  0x0c528009c740: 00 00 00 00 00 00 00 f7 00 00 f7 f7 f7 f7 f7 f7
  0x0c528009c750: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c528009c760: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c528009c770: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3599==ABORTING

10.3 debug e5e58777

#3  <signal handler called>
#4  0x000055d886137d41 in TABLE_LIST::get_tablenr (this=0x7fbe0c01563f) at /data/src/10.3/sql/table.h:2134
#5  0x000055d88612a21d in st_select_lex::save_leaf_tables (this=0x7fbe0c005148, thd=0x7fbe0c000af0) at /data/src/10.3/sql/sql_lex.cc:4796
#6  0x000055d886110924 in mysql_insert (thd=0x7fbe0c000af0, table_list=0x7fbe0c012740, fields=..., values_list=..., update_fields=..., update_values=..., duplic=DUP_UPDATE, ignore=true) at /data/src/10.3/sql/sql_insert.cc:1260
#7  0x000055d886153cdf in mysql_execute_command (thd=0x7fbe0c000af0) at /data/src/10.3/sql/sql_parse.cc:4455
#8  0x000055d88615f5e3 in mysql_parse (thd=0x7fbe0c000af0, rawbuf=0x7fbe0c012608 "INSERT IGNORE INTO v (b) VALUES (NULL) ON DUPLICATE KEY UPDATE a = 0", length=68, parser_state=0x7fbe6c04c630, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:7818
#9  0x000055d88614c12f in dispatch_command (command=COM_QUERY, thd=0x7fbe0c000af0, packet=0x7fbe0c008c71 "INSERT IGNORE INTO v (b) VALUES (NULL) ON DUPLICATE KEY UPDATE a = 0", packet_length=68, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1856
#10 0x000055d88614aa77 in do_command (thd=0x7fbe0c000af0) at /data/src/10.3/sql/sql_parse.cc:1401
#11 0x000055d8862c1fb4 in do_handle_one_connection (connect=0x55d889322480) at /data/src/10.3/sql/sql_connect.cc:1403
#12 0x000055d8862c1d16 in handle_one_connection (arg=0x55d889322480) at /data/src/10.3/sql/sql_connect.cc:1308
#13 0x00007fbe713794a4 in start_thread (arg=0x7fbe6c04d700) at pthread_create.c:456
#14 0x00007fbe6f8c0d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
