[MDEV-18239] ASAN use-after-poison in process_str_arg / ... / mark_unsupported_func or unexpected ER_BAD_FIELD_ERROR upon ALTER TABLE Created: 2019-01-15  Updated: 2019-02-05  Resolved: 2019-02-05

Status: Closed
Project: MariaDB Server
Component/s: Data Definition - Alter Table
Affects Version/s: 10.2, 10.3, 10.4
Fix Version/s: 10.4.3, 10.2.22, 10.3.13

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Sergei Golubchik
Resolution: Fixed Votes: 0
Labels: affects-tests

Issue Links:
Blocks
blocks MDEV-18258 ASAN READ of size 1 in append_identifier Closed

 Description   

# Reproducer for MDEV-18239 (affects 10.2/10.3/10.4; not reproducible on 10.1).
# Under an ASAN build the last ALTER below aborts with a use-after-poison in
# strnlen, reached via mark_unsupported_func <- check_expression <-
# mysql_prepare_create_table <- mysql_alter_table (see the report after this
# script). The report attributes the READ to one connection thread (T27) and
# the poisoned region to an allocation made by another thread (T28) in
# THD::init_for_queries. On a non-ASAN debug build the same statement instead
# fails with error 1300 whose text contains raw bytes (\x8F...), i.e. the
# contents of that poisoned memory are echoed back in the error message.
--source include/have_innodb.inc
 
CREATE TABLE t1 (a INT, b SMALLINT) ENGINE=InnoDB;
 
# Issue the constraint and the refused in-place ALTER from a second
# connection. The connection switch matters: the single-connection variant
# further down does not crash but fails with ER_BAD_FIELD_ERROR instead.
--connect (con1,localhost,root,,test)
ALTER TABLE t1 ADD CONSTRAINT CHECK (b < 8);
# The in-place ALTER is expected to be rejected (presumably because the CHECK
# constraint references column b; TODO confirm). The rejected ALTER is part
# of the setup, not the statement that fails.
--error ER_ALTER_OPERATION_NOT_SUPPORTED_REASON
ALTER TABLE t1 MODIFY COLUMN b INT, ALGORITHM=INPLACE;
 
# Back on the original connection: this ALTER is the one that crashes (ASAN)
# or returns error 1300 (non-ASAN debug build).
--connection default
ALTER TABLE t1 ADD PRIMARY KEY (a);
 
# Cleanup
--connection default
DROP TABLE t1;
--disconnect con1

10.2 79078167c3

==900==ERROR: AddressSanitizer: use-after-poison on address 0x62b00002a9b8 at pc 0x7fbbd58c75fa bp 0x7fbbc4c91d80 sp 0x7fbbc4c91d58
READ of size 22741 at 0x62b00002a9b8 thread T27
    #0 0x7fbbd58c75f9 in __interceptor_strnlen (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x2a5f9)
    #1 0x55664d7248bc in process_str_arg /data/src/10.2/strings/my_vsnprintf.c:205
    #2 0x55664d728c95 in my_vsnprintf_ex /data/src/10.2/strings/my_vsnprintf.c:626
    #3 0x55664d729c9b in my_vsnprintf /data/src/10.2/strings/my_vsnprintf.c:704
    #4 0x55664d729db5 in my_snprintf /data/src/10.2/strings/my_vsnprintf.c:713
    #5 0x55664c61c653 in mark_unsupported_func /data/src/10.2/sql/item.cc:1495
    #6 0x55664c61c80a in mark_unsupported_function(char const*, void*, unsigned int) /data/src/10.2/sql/item.cc:1510
    #7 0x55664c66aa47 in Item_field::check_vcol_func_processor(void*) /data/src/10.2/sql/item.h:2686
    #8 0x55664be29803 in Item::walk(bool (Item::*)(void*), bool, void*) (/data/bld/10.2-asan/bin/mysqld+0xabb803)
    #9 0x55664bf02546 in Item_args::walk_args(bool (Item::*)(void*), bool, void*) /data/src/10.2/sql/item.h:3937
    #10 0x55664bf03024 in Item_func_or_sum::walk(bool (Item::*)(void*), bool, void*) /data/src/10.2/sql/item.h:4222
    #11 0x55664c5b0576 in check_expression(Virtual_column_info*, char const*, enum_vcol_info_type) /data/src/10.2/sql/field.cc:9874
    #12 0x55664c1eb16e in mysql_prepare_create_table /data/src/10.2/sql/sql_table.cc:4214
    #13 0x55664c1ee19d in mysql_create_frm_image(THD*, char const*, char const*, HA_CREATE_INFO*, Alter_info*, int, st_key**, unsigned int*, st_mysql_const_unsigned_lex_string*) /data/src/10.2/sql/sql_table.cc:4652
    #14 0x55664c1ef701 in create_table_impl /data/src/10.2/sql/sql_table.cc:4898
    #15 0x55664c20a998 in mysql_alter_table(THD*, char*, char*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.2/sql/sql_table.cc:9244
    #16 0x55664c337250 in Sql_cmd_alter_table::execute(THD*) /data/src/10.2/sql/sql_alter.cc:329
    #17 0x55664c000d67 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:6228
    #18 0x55664c00b89d in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:8015
    #19 0x55664bfe628a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1826
    #20 0x55664bfe331f in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1379
    #21 0x55664c328dc6 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
    #22 0x55664c3287db in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #23 0x55664cd43a4b in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
    #24 0x7fbbd5687493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
    #25 0x7fbbd3a6d93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
 
0x62b00003028c is located 0 bytes to the right of 24716-byte region [0x62b00002a200,0x62b00003028c)
allocated by thread T28 here:
    #0 0x7fbbd58f173f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x55664d661cd7 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
    #2 0x55664d630f2e in my_malloc /data/src/10.2/mysys/my_malloc.c:101
    #3 0x55664d611573 in reset_root_defaults /data/src/10.2/mysys/my_alloc.c:146
    #4 0x55664bf39437 in THD::init_for_queries() /data/src/10.2/sql/sql_class.cc:1306
    #5 0x55664c328198 in prepare_new_connection_state(THD*) /data/src/10.2/sql/sql_connect.cc:1172
    #6 0x55664c328821 in thd_prepare_connection(THD*) /data/src/10.2/sql/sql_connect.cc:1256
    #7 0x55664c328d9c in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1326
    #8 0x55664c3287db in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #9 0x55664cd43a4b in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
    #10 0x7fbbd5687493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
 
Thread T27 created by T0 here:
    #0 0x7fbbd58c0bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
    #1 0x55664cd44013 in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1912
    #2 0x55664bddfa9e in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1239
    #3 0x55664bdf4a3b in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6466
    #4 0x55664bdf5140 in create_new_thread /data/src/10.2/sql/mysqld.cc:6536
    #5 0x55664bdf6157 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6811
    #6 0x55664bdf3f90 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6085
    #7 0x55664bddde3f in main /data/src/10.2/sql/main.cc:25
    #8 0x7fbbd39a52b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
 
Thread T28 created by T0 here:
    #0 0x7fbbd58c0bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
    #1 0x55664cd44013 in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1912
    #2 0x55664bddfa9e in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1239
    #3 0x55664bdf4a3b in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6466
    #4 0x55664bdf5140 in create_new_thread /data/src/10.2/sql/mysqld.cc:6536
    #5 0x55664bdf6157 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6811
    #6 0x55664bdf3f90 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6085
    #7 0x55664bddde3f in main /data/src/10.2/sql/main.cc:25
    #8 0x7fbbd39a52b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
 
SUMMARY: AddressSanitizer: use-after-poison ??:0 __interceptor_strnlen
Shadow bytes around the buggy address:
  0x0c567fffd4e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c567fffd4f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c567fffd500: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c567fffd510: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c567fffd520: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c567fffd530: f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7
  0x0c567fffd540: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c567fffd550: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c567fffd560: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c567fffd570: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c567fffd580: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==900==ABORTING

Not reproducible on 10.1.

Non-ASAN debug build doesn't crash, but produces a bad result, e.g.

At line 11: query 'ALTER TABLE t1 ADD PRIMARY KEY (a)' failed: 1300: Invalid utf8mb4 character string: '\x8F\x8F\x8F\x8F\x8F\x8F\x8F\x8F\x8F\x8F\x8F\x8F\x8F\x8F\x8F\x8F

The same test case, but without a connection switch in the middle, also produces an unexpected result of a different sort:

# Variant of the MDEV-18239 reproducer above, run on a single connection.
# Here the final ALTER does not crash; mysqltest reports (line 8) error 1054,
# "Unknown column 'tmp_field' in 'CHECK'", i.e. an unexpected
# ER_BAD_FIELD_ERROR where success was expected.
--source include/have_innodb.inc
 
CREATE TABLE t1 (a INT, b SMALLINT) ENGINE=InnoDB;
 
ALTER TABLE t1 ADD CONSTRAINT CHECK (b < 8);
# Expected to be rejected, exactly as in the two-connection variant.
--error ER_ALTER_OPERATION_NOT_SUPPORTED_REASON
ALTER TABLE t1 MODIFY COLUMN b INT, ALGORITHM=INPLACE;
# Fails with "Unknown column 'tmp_field' in 'CHECK'" (see the output below).
ALTER TABLE t1 ADD PRIMARY KEY (a);
 
# Cleanup. No extra connection is opened in this variant, so the switch
# below only reselects the connection already in use.
--connection default
DROP TABLE t1;

 At line 8: query 'ALTER TABLE t1 ADD PRIMARY KEY (a)' failed: 1054: Unknown column 'tmp_field' in 'CHECK'

