[MDEV-17754] AddressSanitizer: heap-use-after-free in _ma_block_start_trans Created: 2018-11-16  Updated: 2023-04-27

Status: Confirmed
Project: MariaDB Server
Component/s: Storage Engine - Aria
Affects Version/s: 10.1, 10.2, 10.3, 10.4, 10.5
Fix Version/s: 10.4, 10.5

Type: Bug Priority: Major
Reporter: Alice Sherepa Assignee: Michael Widenius
Resolution: Unresolved Votes: 0
Labels: rr-profile

Attachments: File 130.7z    
Issue Links:
Relates
relates to MDEV-17622 Assertion `block->type == PAGECACHE_E... Closed
relates to MDEV-22829 SIGSEGV in _ma_reset_history on LOCK ... Closed

Description

Upd: See comments for an MTR test case


10.4 16d43150aefc5a9a7e75f4c4

 AddressSanitizer: heap-use-after-free on address 0x6110000ac678 at pc 0x561f50abe91e bp 0x7f7e94634f00 sp 0x7f7e94634ef0
WRITE of size 56 at 0x6110000ac678 thread T32
    #0 0x561f50abe91d in _ma_block_start_trans /git/10.4/storage/maria/ma_state.c:679
    #1 0x561f516b7df0 in thr_multi_lock /git/10.4/mysys/thr_lock.c:1318
    #2 0x561f508afcd9 in mysql_lock_tables(THD*, st_mysql_lock*, unsigned int) /git/10.4/sql/lock.cc:352
    #3 0x561f508af8b9 in mysql_lock_tables(THD*, TABLE**, unsigned int, unsigned int) /git/10.4/sql/lock.cc:304
    #4 0x561f4fdd50c5 in lock_tables(THD*, TABLE_LIST*, unsigned int, unsigned int) /git/10.4/sql/sql_base.cc:5264
    #5 0x561f4fdd3888 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /git/10.4/sql/sql_base.cc:5009
    #6 0x561f4fd4d086 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /git/10.4/sql/sql_base.h:504
==21790==AddressSanitizer: while reporting a bug found another one. Ignoring.
    #7 0x561f4ff2dfd1 in execute_sqlcom_select /git/10.4/sql/sql_parse.cc:6475
    #8 0x561f4ff1d0e5 in mysql_execute_command(THD*) /git/10.4/sql/sql_parse.cc:3773
    #9 0x561f4ff36f30 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /git/10.4/sql/sql_parse.cc:8091
    #10 0x561f4ff11e2d in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /git/10.4/sql/sql_parse.cc:1851
    #11 0x561f4ff0efc5 in do_command(THD*) /git/10.4/sql/sql_parse.cc:1396
    #12 0x561f50263e36 in do_handle_one_connection(CONNECT*) /git/10.4/sql/sql_connect.cc:1402
    #13 0x561f50263813 in handle_one_connection /git/10.4/sql/sql_connect.cc:1308
    #14 0x7f7ec36106b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #15 0x7f7ec2aa541c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
 
0x6110000ac678 is located 184 bytes inside of 252-byte region [0x6110000ac5c0,0x6110000ac6bc)
freed by thread T32 here:
    #0 0x7f7ec486f2ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x561f516cf700 in free_memory /git/10.4/mysys/safemalloc.c:279
    #2 0x561f516ced8a in sf_free /git/10.4/mysys/safemalloc.c:197
    #3 0x561f516a1181 in my_free /git/10.4/mysys/my_malloc.c:221
    #4 0x561f50abdb9d in _ma_trnman_end_trans_hook /git/10.4/storage/maria/ma_state.c:552
    #5 0x561f50aff681 in trnman_end_trn /git/10.4/storage/maria/trnman.c:475
    #6 0x561f50b76cb4 in ma_commit /git/10.4/storage/maria/ma_commit.c:39
    #7 0x561f50af44df in ha_maria::external_lock(THD*, int) /git/10.4/storage/maria/ha_maria.cc:2841
    #8 0x561f5061d889 in handler::ha_external_lock(THD*, int) /git/10.4/sql/handler.cc:6163
    #9 0x561f508b2b13 in unlock_external /git/10.4/sql/lock.cc:713
    #10 0x561f508b0fde in mysql_unlock_read_tables(THD*, st_mysql_lock*) /git/10.4/sql/lock.cc:489
    #11 0x561f50006b6d in JOIN::join_free() /git/10.4/sql/sql_select.cc:12821
    #12 0x561f5002e6af in do_select /git/10.4/sql/sql_select.cc:18949
    #13 0x561f4ffccc74 in JOIN::exec_inner() /git/10.4/sql/sql_select.cc:4082
    #14 0x561f4ffca9b9 in JOIN::exec() /git/10.4/sql/sql_select.cc:3876
    #15 0x561f4ffcdd44 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /git/10.4/sql/sql_select.cc:4281
    #16 0x561f4ffa8294 in handle_select(THD*, LEX*, select_result*, unsigned long) /git/10.4/sql/sql_select.cc:385
    #17 0x561f4ff2e98b in execute_sqlcom_select /git/10.4/sql/sql_parse.cc:6554
    #18 0x561f4ff1d0e5 in mysql_execute_command(THD*) /git/10.4/sql/sql_parse.cc:3773
    #19 0x561f4ff36f30 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /git/10.4/sql/sql_parse.cc:8091
    #20 0x561f4ff11e2d in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /git/10.4/sql/sql_parse.cc:1851
    #21 0x561f4ff0efc5 in do_command(THD*) /git/10.4/sql/sql_parse.cc:1396
    #22 0x561f50263e36 in do_handle_one_connection(CONNECT*) /git/10.4/sql/sql_connect.cc:1402
    #23 0x561f50263813 in handle_one_connection /git/10.4/sql/sql_connect.cc:1308
    #24 0x7f7ec36106b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
 
previously allocated by thread T32 here:
    #0 0x7f7ec486f602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x561f516ce75b in sf_malloc /git/10.4/mysys/safemalloc.c:118
    #2 0x561f516a08fe in my_malloc /git/10.4/mysys/my_malloc.c:101
    #3 0x561f50abab1d in _ma_setup_live_state /git/10.4/storage/maria/ma_state.c:82
    #4 0x561f50abe808 in _ma_block_start_trans /git/10.4/storage/maria/ma_state.c:663
    #5 0x561f516b7df0 in thr_multi_lock /git/10.4/mysys/thr_lock.c:1318
    #6 0x561f508afcd9 in mysql_lock_tables(THD*, st_mysql_lock*, unsigned int) /git/10.4/sql/lock.cc:352
    #7 0x561f508af8b9 in mysql_lock_tables(THD*, TABLE**, unsigned int, unsigned int) /git/10.4/sql/lock.cc:304
    #8 0x561f4fdd50c5 in lock_tables(THD*, TABLE_LIST*, unsigned int, unsigned int) /git/10.4/sql/sql_base.cc:5264
    #9 0x561f4fdd3888 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /git/10.4/sql/sql_base.cc:5009
    #10 0x561f4fd4d086 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /git/10.4/sql/sql_base.h:504
    #11 0x561f4ff2dfd1 in execute_sqlcom_select /git/10.4/sql/sql_parse.cc:6475
    #12 0x561f4ff1d0e5 in mysql_execute_command(THD*) /git/10.4/sql/sql_parse.cc:3773
    #13 0x561f4ff36f30 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /git/10.4/sql/sql_parse.cc:8091
    #14 0x561f4ff11e2d in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /git/10.4/sql/sql_parse.cc:1851
    #15 0x561f4ff0efc5 in do_command(THD*) /git/10.4/sql/sql_parse.cc:1396
    #16 0x561f50263e36 in do_handle_one_connection(CONNECT*) /git/10.4/sql/sql_connect.cc:1402
    #17 0x561f50263813 in handle_one_connection /git/10.4/sql/sql_connect.cc:1308
    #18 0x7f7ec36106b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
 
Thread T32 created by T0 here:
    #0 0x7f7ec480d253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
    #1 0x561f516f8f64 in spawn_thread_noop /git/10.4/mysys/psi_noop.c:187
    #2 0x561f4fc880e4 in inline_mysql_thread_create /git/10.4/include/mysql/psi/mysql_thread.h:1268
    #3 0x561f4fc9d2c2 in create_thread_to_handle_connection(CONNECT*) /git/10.4/sql/mysqld.cc:6330
    #4 0x561f4fc9d9c2 in create_new_thread(CONNECT*) /git/10.4/sql/mysqld.cc:6400
    #5 0x561f4fc9dd4d in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /git/10.4/sql/mysqld.cc:6517
    #6 0x561f4fc9e9ca in handle_connections_sockets() /git/10.4/sql/mysqld.cc:6682
    #7 0x561f4fc9c782 in mysqld_main(int, char**) /git/10.4/sql/mysqld.cc:5952
    #8 0x561f4fc8680f in main /git/10.4/sql/main.cc:25
    #9 0x7f7ec29be82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
 
SUMMARY: AddressSanitizer: heap-use-after-free /git/10.4/storage/maria/ma_state.c:679 _ma_block_start_trans
Shadow bytes around the buggy address:
  0x0c228000d870: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c228000d880: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
  0x0c228000d890: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c228000d8a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c228000d8b0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c228000d8c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]
  0x0c228000d8d0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c228000d8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c228000d8f0: 00 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa
  0x0c228000d900: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c228000d910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==21790==ABORTING

perl ./runall-new.pl --no-mask --seed=time --duration=500 --queries=10M --reporter=Backtrace,ErrorLog,Deadlock --validator=TransformerNoComparator --transformer=ConvertSubqueriesToViews,ConvertTablesToDerived,Count,DisableIndexes,DisableOptimizations,Distinct,EnableOptimizations,ExecuteAsCTE,ExecuteAsDeleteReturning,ExecuteAsDerived,ExecuteAsExcept,ExecuteAsExecuteImmediate,ExecuteAsInsertSelect,ExecuteAsIntersect,ExecuteAsSelectItem,ExecuteAsUnion,ExecuteAsUpdateDelete,ExecuteAsView,ExecuteAsWhereSubquery,Having,InlineSubqueries,InlineVirtualColumns,LimitRowsExamined,OrderBy,StraightJoin,ExecuteAsPreparedTwice,ExecuteAsTrigger,ExecuteAsSPTwice,ExecuteAsFunctionTwice --mysqld=--log_output=FILE --querytimeout=30 --redefine=conf/mariadb/versioning.yy --vcols --views=TEMPTABLE --grammar=conf/mariadb/instant_add.yy --gendata=conf/optimizer/blobs.zz --engine=Aria --mysqld=--default-storage-engine=Aria --threads=4 --mysqld=--big-tables --mysqld=--query_cache_size=1M --mysqld=--query_cache_type=1 --basedir1=/git/10.4 --vardir1=/1



Comments
Comment by Elena Stepanova [ 2020-08-07 ]

Note: The test case is non-deterministic, run with --repeat=N. It currently fails for me within ~3-5 attempts, but it can vary on different machines and builds.

--source include/have_sequence.inc

# Aria table with its keys disabled, populated through the sequence engine
CREATE TABLE t1 (pk INT, a CHAR(8), PRIMARY KEY (pk), KEY (a)) ENGINE=Aria;
ALTER TABLE t1 DISABLE KEYS;
INSERT INTO t1 SELECT seq, CONCAT('seq',seq) FROM seq_1_to_100;
# t2 has a single column, so INSERT INTO t1 SELECT * FROM t2 below is expected
# to fail with ER_WRONG_VALUE_COUNT_ON_ROW (1136)
CREATE TABLE t2 (b INT);

# Concurrent DELETE on one connection while the default connection runs
# the (failing) INSERT ... SELECT against the same table
--connect (con1,localhost,root,,test)
--send
  DELETE FROM t1 WHERE pk BETWEEN 2 AND 10;

--connection default
--send
  INSERT INTO t1 SELECT * FROM t2;

--connection con1
--reap
# ALTER on a table that does not exist: expected ER_NO_SUCH_TABLE (1146)
--error 1146
ALTER TABLE x;
# The faulting ASAN stacks are reported under lock_tables() of a SELECT
SELECT * FROM t1;

# Cleanup
--disconnect con1

--connection default
# ER_WRONG_VALUE_COUNT_ON_ROW (1136) from the INSERT ... SELECT sent above
--error 1136
--reap
DROP TABLE t1, t2;

10.2 ASAN caa474f8

==23349==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000027e78 at pc 0x55a75e81be12 bp 0x7f22a8fecd30 sp 0x7f22a8fecd28
WRITE of size 56 at 0x611000027e78 thread T6
    #0 0x55a75e81be11 in _ma_block_start_trans /data/src/10.2/storage/maria/ma_state.c:700
    #1 0x55a75eca7ce6 in thr_multi_lock /data/src/10.2/mysys/thr_lock.c:1317
    #2 0x55a75def3f83 in mysql_lock_tables(THD*, st_mysql_lock*, unsigned int) /data/src/10.2/sql/lock.cc:351
    #3 0x55a75def3b40 in mysql_lock_tables(THD*, TABLE**, unsigned int, unsigned int) /data/src/10.2/sql/lock.cc:303
    #4 0x55a75d57bda2 in lock_tables(THD*, TABLE_LIST*, unsigned int, unsigned int) /data/src/10.2/sql/sql_base.cc:5073
    #5 0x55a75d57a8a3 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:4854
    #6 0x55a75d4fd323 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.2/sql/sql_base.h:509
    #7 0x55a75d68f99a in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6139
    #8 0x55a75d67e5f4 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3524
    #9 0x55a75d698ccb in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7733
    #10 0x55a75d674dc5 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1824
    #11 0x55a75d671e6a in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1377
    #12 0x55a75d9af529 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
    #13 0x55a75d9aeef9 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #14 0x55a75ebb8a2c in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
    #15 0x7f22b50a34a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
    #16 0x7f22b31d7d0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
 
0x611000027e78 is located 184 bytes inside of 252-byte region [0x611000027dc0,0x611000027ebc)
freed by thread T6 here:
    #0 0x7f22b537aa10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
    #1 0x55a75ecbf046 in free_memory /data/src/10.2/mysys/safemalloc.c:279
    #2 0x55a75ecbe6c0 in sf_free /data/src/10.2/mysys/safemalloc.c:197
    #3 0x55a75ec8f1cc in my_free /data/src/10.2/mysys/my_malloc.c:218
    #4 0x55a75e81b02a in _ma_trnman_end_trans_hook /data/src/10.2/storage/maria/ma_state.c:551
    #5 0x55a75e85911e in trnman_end_trn /data/src/10.2/storage/maria/trnman.c:474
    #6 0x55a75e8c8953 in ma_commit /data/src/10.2/storage/maria/ma_commit.c:73
    #7 0x55a75e850c3c in ha_maria::implicit_commit(THD*, bool) /data/src/10.2/storage/maria/ha_maria.cc:2926
    #8 0x55a75d68eb0e in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:6039
    #9 0x55a75d698ccb in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7733
    #10 0x55a75d674dc5 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1824
    #11 0x55a75d671e6a in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1377
    #12 0x55a75d9af529 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
    #13 0x55a75d9aeef9 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #14 0x55a75ebb8a2c in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
    #15 0x7f22b50a34a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
 
previously allocated by thread T6 here:
    #0 0x7f22b537ad28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x55a75ecbe097 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
    #2 0x55a75ec8e92f in my_malloc /data/src/10.2/mysys/my_malloc.c:101
    #3 0x55a75e818073 in _ma_setup_live_state /data/src/10.2/storage/maria/ma_state.c:81
    #4 0x55a75e81bcfc in _ma_block_start_trans /data/src/10.2/storage/maria/ma_state.c:684
    #5 0x55a75eca7ce6 in thr_multi_lock /data/src/10.2/mysys/thr_lock.c:1317
    #6 0x55a75def3f83 in mysql_lock_tables(THD*, st_mysql_lock*, unsigned int) /data/src/10.2/sql/lock.cc:351
    #7 0x55a75def3b40 in mysql_lock_tables(THD*, TABLE**, unsigned int, unsigned int) /data/src/10.2/sql/lock.cc:303
    #8 0x55a75d57bda2 in lock_tables(THD*, TABLE_LIST*, unsigned int, unsigned int) /data/src/10.2/sql/sql_base.cc:5073
    #9 0x55a75d57a8a3 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:4854
    #10 0x55a75d4fd323 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.2/sql/sql_base.h:509
    #11 0x55a75e017fb0 in mysql_delete(THD*, TABLE_LIST*, Item*, SQL_I_List<st_order>*, unsigned long long, unsigned long long, select_result*) /data/src/10.2/sql/sql_delete.cc:252
    #12 0x55a75d68302d in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4362
    #13 0x55a75d698ccb in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7733
    #14 0x55a75d674dc5 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1824
    #15 0x55a75d671e6a in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1377
    #16 0x55a75d9af529 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
    #17 0x55a75d9aeef9 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #18 0x55a75ebb8a2c in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
    #19 0x7f22b50a34a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
 
Thread T6 created by T0 here:
    #0 0x7f22b52e9f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
    #1 0x55a75ebb8e68 in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1919
    #2 0x55a75d44f1a2 in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1246
    #3 0x55a75d4639f6 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6518
    #4 0x55a75d4640d9 in create_new_thread /data/src/10.2/sql/mysqld.cc:6588
    #5 0x55a75d4650f1 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6863
    #6 0x55a75d462f35 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6137
    #7 0x55a75d44db2f in main /data/src/10.2/sql/main.cc:25
    #8 0x7f22b310f2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
 
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.2/storage/maria/ma_state.c:700 in _ma_block_start_trans
Shadow bytes around the buggy address:
  0x0c227fffcf70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fffcf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fffcf90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fffcfa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fffcfb0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c227fffcfc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]
  0x0c227fffcfd0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c227fffcfe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fffcff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 04 fa fa
  0x0c227fffd000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fffd010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==23349==ABORTING

A crash which sometimes happens on a non-ASAN build a bit later, on MTR post-testcase cleanup.

10.2 non-ASAN debug caa474f8

#3  <signal handler called>
#4  0x000055ceb3bd3c87 in l_find (head=0x7f51cc006720, cs=0x55ceb45d5620 <my_charset_bin>, hashnr=1073741824, key=0x55ceb3f541fa "", keylen=0, cursor=0x7f51e47130c0, pins=0x7f51c801a980, callback=0x0) at /data/src/10.2/mysys/lf_hash.c:112
#5  0x000055ceb3bd3ebc in l_insert (head=0x7f51c8022998, cs=0x55ceb45d5620 <my_charset_bin>, node=0x7f51cc01a990, pins=0x7f51c801a980, flags=1) at /data/src/10.2/mysys/lf_hash.c:179
#6  0x000055ceb3bd4b78 in initialize_bucket (hash=0x55ceb500ffa0 <digest_hash>, node=0x7f51c80229a8, bucket=2, pins=0x7f51c801a980) at /data/src/10.2/mysys/lf_hash.c:560
#7  0x000055ceb3bd4b02 in initialize_bucket (hash=0x55ceb500ffa0 <digest_hash>, node=0x7f51c80229c8, bucket=6, pins=0x7f51c801a980) at /data/src/10.2/mysys/lf_hash.c:552
#8  0x000055ceb3bd4b02 in initialize_bucket (hash=0x55ceb500ffa0 <digest_hash>, node=0x7f51c8022a08, bucket=14, pins=0x7f51c801a980) at /data/src/10.2/mysys/lf_hash.c:552
#9  0x000055ceb3bd486d in lf_hash_search_using_hash_value (hash=0x55ceb500ffa0 <digest_hash>, pins=0x7f51c801a980, hashnr=581353518, key=0x7f51e47132f0, keylen=212) at /data/src/10.2/mysys/lf_hash.c:483
#10 0x000055ceb3bd4a52 in lf_hash_search (hash=0x55ceb500ffa0 <digest_hash>, pins=0x7f51c801a980, key=0x7f51e47132f0, keylen=212) at /data/src/10.2/mysys/lf_hash.c:528
#11 0x000055ceb3b3c739 in find_or_create_digest (thread=0x7f51e80faa00, digest_storage=0x7f51cc004108, schema_name=0x7f51cc0041e8 "test", '\245' <repeats 188 times>, schema_name_length=0) at /data/src/10.2/storage/perfschema/pfs_digest.cc:236
#12 0x000055ceb3b72408 in end_statement_v1 (locker=0x7f51cc004140, stmt_da=0x7f51cc005ca0) at /data/src/10.2/storage/perfschema/pfs.cc:4844
#13 0x000055ceb31fc242 in inline_mysql_end_statement (locker=0x7f51cc004140, stmt_da=0x7f51cc005ca0) at /data/src/10.2/include/mysql/psi/mysql_statement.h:223
#14 0x000055ceb3202218 in dispatch_command (command=COM_QUERY, thd=0x7f51cc000af0, packet=0x7f51cc0088b1 "", packet_length=17, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:2403
#15 0x000055ceb31ff04a in do_command (thd=0x7f51cc000af0) at /data/src/10.2/sql/sql_parse.cc:1377
#16 0x000055ceb3355167 in do_handle_one_connection (connect=0x55ceb61a23b0) at /data/src/10.2/sql/sql_connect.cc:1336
#17 0x000055ceb3354ed2 in handle_one_connection (arg=0x55ceb61a23b0) at /data/src/10.2/sql/sql_connect.cc:1241
#18 0x000055ceb3b6bbda in pfs_spawn_thread (arg=0x55ceb61ad1a0) at /data/src/10.2/storage/perfschema/pfs.cc:1869
#19 0x00007f51ebbb24a4 in start_thread (arg=0x7f51e4714700) at pthread_create.c:456
#20 0x00007f51e9ce6d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

Alternatively, on some versions and builds the test can fail with MDEV-17622 or the like.
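The three ASAN reports on this page (the 10.4 trace in the description and the 10.2 trace in the comment above) share one lifetime shape: a per-handle record is allocated by _ma_setup_live_state from inside _ma_block_start_trans, freed by _ma_trnman_end_trans_hook when the transaction ends, and then written (56 bytes) by the next _ma_block_start_trans on the same handle. The C program below is an added illustration of that shape, not MariaDB or Aria code: the struct and function names (status_info, live_state, table_handle, setup_live_state, end_trans_hook_*, block_start_trans) are hypothetical stand-ins, the counter values are constructed, and the page does not state the actual root cause, so the "fix" shown is only the generic one for this pattern (clearing the cached pointer in the same step that frees the record).

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the 56-byte counters the trace shows being
   written ("WRITE of size 56"): seven 8-byte fields on LP64. */
typedef struct {
    unsigned long records, del, data_file_length, key_file_length;
    unsigned long checksum, empty, changed;
} status_info;

/* Hypothetical stand-in for the record that setup_live_state allocates. */
typedef struct {
    status_info state_current;  /* counters as the running statement sees them */
    status_info state_start;    /* snapshot taken when the transaction began */
} live_state;

/* Hypothetical stand-in for one open handle on a table. */
typedef struct {
    live_state *state;          /* cached pointer to the live_state record */
    int starts;                 /* how many times block_start_trans ran */
} table_handle;

/* Constructed table-level counters that every transaction start snapshots. */
static const status_info shared_state = { 100, 0, 16384, 8192, 0, 0, 0 };

/* Mirrors the "previously allocated by" stack: allocate and snapshot. */
live_state *setup_live_state(table_handle *h)
{
    live_state *ls = calloc(1, sizeof *ls);
    if (!ls) abort();
    ls->state_current = shared_state;
    ls->state_start   = shared_state;
    h->state = ls;
    return ls;
}

/* Mirrors the "freed by" stack: the end-of-transaction hook releases the
   record. The vulnerable form leaves h->state dangling. */
void end_trans_hook_vulnerable(table_handle *h)
{
    free(h->state);
}

/* Hardened form: releasing the record and clearing every cached reference
   to it is one operation, so a later start cannot write through it. */
void end_trans_hook_fixed(table_handle *h)
{
    free(h->state);
    h->state = NULL;
}

/* Mirrors the faulting stack: reuse the cached record if there is one,
   then refresh the 56-byte start snapshot. With the vulnerable hook the
   second call writes into freed memory. */
int block_start_trans(table_handle *h)
{
    if (h->state == NULL)
        setup_live_state(h);
    h->state->state_start = shared_state;   /* the 56-byte write */
    return ++h->starts;
}

/* Two statements back to back, committed with the hardened hook. */
int run_fixed_sequence(void)
{
    table_handle h = { NULL, 0 };
    block_start_trans(&h);
    end_trans_hook_fixed(&h);
    block_start_trans(&h);              /* allocates afresh, no stale pointer */
    end_trans_hook_fixed(&h);
    return h.starts;                    /* 2 */
}

/* 1 if the hardened hook left the handle without a dangling pointer. */
int fixed_hook_clears_pointer(void)
{
    table_handle h = { NULL, 0 };
    block_start_trans(&h);
    end_trans_hook_fixed(&h);
    return h.state == NULL;
}

int main(void)
{
    printf("fixed: %d starts, pointer cleared: %d\n",
           run_fixed_sequence(), fixed_hook_clears_pointer());
#ifdef DEMO_UAF
    /* cc -g -fsanitize=address -DDEMO_UAF uaf.c && ./a.out
       reports heap-use-after-free, WRITE of size 56, in block_start_trans,
       freed by end_trans_hook_vulnerable, allocated by setup_live_state. */
    table_handle h = { NULL, 0 };
    block_start_trans(&h);
    end_trans_hook_vulnerable(&h);
    block_start_trans(&h);              /* writes through the freed record */
#endif
    return 0;
}
```

Built without -DDEMO_UAF the program only exercises the hardened path; with -DDEMO_UAF and -fsanitize=address it produces a report of the same three-stack form as the ones on this page (faulting write, freeing site, allocating site), which is a convenient way to check that an ASAN build is configured before running the MTR test with --repeat=N.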

Generated at Thu Feb 08 08:38:51 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.