[MDEV-18258] ASAN READ of size 1 in append_identifier Created: 2019-01-15  Updated: 2020-02-19  Resolved: 2019-02-06

Status: Closed
Project: MariaDB Server
Component/s: Server, Virtual Columns
Affects Version/s: 10.3, 10.4
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Elena Stepanova
Resolution: Duplicate Votes: 0
Labels: None

Issue Links:
Blocks
is blocked by MDEV-18239 ASAN use-after-poison in process_str_... Closed

Description

https://travis-ci.org/elenst/travis-tests/jobs/479392162

10.4 29f77d41f531

=================================================================
==23130==ERROR: AddressSanitizer: unknown-crash on address 0x62b00013ba82 at pc 0x5571cd2b1e3c bp 0x7fdfc59d3390 sp 0x7fdfc59d3380
READ of size 1 at 0x62b00013ba82 thread T41
    #0 0x5571cd2b1e3b in append_identifier(THD*, String*, char const*, unsigned long) /home/travis/src/sql/sql_show.cc:1642
    #1 0x5571cd87eff9 in append_identifier /home/travis/src/sql/sql_show.h:88
    #2 0x5571cd897c7a in Item_ident::print(String*, enum_query_type) /home/travis/src/sql/item.cc:3130
    #3 0x5571cd8b94e7 in Item_field::print(String*, enum_query_type) /home/travis/src/sql/item.cc:7578
    #4 0x5571cd881d6c in Item::print_parenthesised(String*, enum_query_type, precedence) /home/travis/src/sql/item.cc:421
    #5 0x5571cd96f92e in Item_func::print_op(String*, enum_query_type) /home/travis/src/sql/item_func.cc:620
    #6 0x5571cd9296ce in Item_bool_rowready_func2::print(String*, enum_query_type) /home/travis/src/sql/item_cmpfunc.h:515
    #7 0x5571cd881d6c in Item::print_parenthesised(String*, enum_query_type, precedence) /home/travis/src/sql/item.cc:421
    #8 0x5571cd2ff50b in Item::print_for_table_def(String*) /home/travis/src/sql/item.h:1645
    #9 0x5571cd2ffd43 in Virtual_column_info::print(String*) /home/travis/src/sql/item.h:7139
    #10 0x5571cd420081 in pack_expression /home/travis/src/sql/unireg.cc:639
    #11 0x5571cd420483 in pack_vcols /home/travis/src/sql/unireg.cc:676
    #12 0x5571cd41c8ea in build_frm_image(THD*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, List<Create_field>&, unsigned int, st_key*, handler*) /home/travis/src/sql/unireg.cc:194
    #13 0x5571cd33d13d in mysql_create_frm_image(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, Alter_info*, int, st_key**, unsigned int*, st_mysql_const_unsigned_lex_string*) /home/travis/src/sql/sql_table.cc:4703
    #14 0x5571cd33e57b in create_table_impl /home/travis/src/sql/sql_table.cc:4944
    #15 0x5571cd35a041 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /home/travis/src/sql/sql_table.cc:9562
    #16 0x5571cd49b7bf in Sql_cmd_alter_table::execute(THD*) /home/travis/src/sql/sql_alter.cc:497
    #17 0x5571cd15251b in mysql_execute_command(THD*) /home/travis/src/sql/sql_parse.cc:6314
    #18 0x5571cd15cd6f in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/travis/src/sql/sql_parse.cc:8116
    #19 0x5571cd137aea in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/travis/src/sql/sql_parse.cc:1852
    #20 0x5571cd134c82 in do_command(THD*) /home/travis/src/sql/sql_parse.cc:1397
    #21 0x5571cd48c904 in do_handle_one_connection(CONNECT*) /home/travis/src/sql/sql_connect.cc:1402
    #22 0x5571cd48c2e1 in handle_one_connection /home/travis/src/sql/sql_connect.cc:1308
    #23 0x7fdfd9b3f6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #24 0x7fdfd8fd441c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
ASAN:SIGSEGV
==23130==AddressSanitizer: while reporting a bug found another one. Ignoring.

elenst-jira-refs f6970b243ba Toolbox: 044abffdc1

perl ./runall-new.pl --basedir=/home/travis/server --vardir=/home/travis/logs/vardir --duration=350 --threads=6 --seed=1547487570 --short-column-names --reporters=Backtrace,ErrorLog,Deadlock --validators=TransformerNoComparator --transformers=ExecuteAsExecuteImmediate,ExecuteAsInsertSelect,ExecuteAsUpdateDelete --redefine=conf/mariadb/alter_table.yy --redefine=conf/mariadb/instant_add.yy --redefine=conf/mariadb/modules/alter_table_columns.yy --redefine=conf/mariadb/modules/alter_table_indexes.yy --redefine=conf/mariadb/bulk_insert.yy --redefine=conf/mariadb/modules/admin.yy --redefine=conf/mariadb/modules/foreign_keys.yy -redefine=conf/mariadb/modules/locks.yy --redefine=conf/mariadb/modules/sql_mode.yy --redefine=conf/mariadb/redefine_temporary_tables.yy --redefine=conf/mariadb/versioning.yy --redefine=conf/mariadb/sequences.yy --mysqld=--log_output=FILE --mysqld=--max-statement-time=15 --mysqld=--lock-wait-timeout=10 --mysqld=--loose-innodb-lock-wait-timeout=5 --mysqld=--loose-debug_assert_on_not_freed_memory=0 --mysqld=--innodb-buffer-pool-size=2G --grammar=conf/runtime/alter_online.yy --gendata=conf/runtime/alter_online.zz --filter=/home/travis/mariadb-toolbox/travis/10.4-combo-filter-asan.ff --scenario=Restart

The same ASAN error was mentioned in alice's comment to MDEV-16110, but the bug has been fixed and the fix is already in 10.4, so it's something different.

Can't reproduce, hitting other bugs instead, e.g. MDEV-18239.

Comments
Comment by Elena Stepanova [ 2019-01-19 ]

Here is a dirty test case, which intermittently causes the described ASAN failure, as well as some other problems

--source include/have_innodb.inc
 
CREATE OR REPLACE TABLE `t1` (scol8 CHAR NOT NULL ) ENGINE=InnoDB;
ALTER TABLE `t1` /*!100301 */ ADD COLUMN IF NOT EXISTS ( n TIME NOT NULL ), LOCK=EXCLUSIVE, ADD COLUMN IF NOT EXISTS `col_int_nokey` SMALLINT NOT NULL  /* QNO 1144 CON_ID 18 */;
ALTER ONLINE TABLE `t1` /*!100301 WAIT 1 */ ADD CONSTRAINT x UNIQUE ind3 USING HASH ( `col_int_nokey` ASC ) COMMENT 'harsh', LOCK=EXCLUSIVE  /* QNO 2440 CON_ID 16 */;
ALTER ONLINE IGNORE TABLE `t1` /*!100301 WAIT 5 */ FORCE, LOCK=DEFAULT, ADD CONSTRAINT CHECK (`col_int_nokey` < 1);
--connect (con1,localhost,root,,test)
--error ER_ALTER_OPERATION_NOT_SUPPORTED_REASON
ALTER ONLINE TABLE `t1` /*!100301 NOWAIT */ MODIFY `col_int_nokey` DATETIME DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP  /* QNO 4433 CON_ID 14 */;
--send
ALTER IGNORE TABLE `t011` /*!100301 WAIT 2 */ ADD FOREIGN KEY a ( `col_int_nokey` ) REFERENCES `t013` (c5), ALGORITHM=COPY, LOCK=SHARED /* QNO 4452 CON_ID 14 */;
--connection default
ALTER TABLE `t1` DROP INDEX ind3;
--connection con1
--error ER_NO_SUCH_TABLE
--reap
 
DROP TABLE `t1`;

10.4 ASAN 4edb29380c

==15969==ERROR: AddressSanitizer: use-after-poison on address 0x62b0000afc8d at pc 0x5604397ce30e bp 0x7fc3ca6e1340 sp 0x7fc3ca6e1338
READ of size 1 at 0x62b0000afc8d thread T27
    #0 0x5604397ce30d in append_identifier(THD*, String*, char const*, unsigned long) /data/src/10.4/sql/sql_show.cc:1642
    #1 0x560439dc8aef in append_identifier /data/src/10.4/sql/sql_show.h:88
    #2 0x560439de1e28 in Item_ident::print(String*, enum_query_type) /data/src/10.4/sql/item.cc:3130
    #3 0x560439e03e17 in Item_field::print(String*, enum_query_type) /data/src/10.4/sql/item.cc:7578
    #4 0x560439dcb7d8 in Item::print_parenthesised(String*, enum_query_type, precedence) /data/src/10.4/sql/item.cc:421
    #5 0x560439ebbc4e in Item_func::print_op(String*, enum_query_type) /data/src/10.4/sql/item_func.cc:620
    #6 0x560439e74ee4 in Item_bool_rowready_func2::print(String*, enum_query_type) /data/src/10.4/sql/item_cmpfunc.h:515
    #7 0x560439dcb7d8 in Item::print_parenthesised(String*, enum_query_type, precedence) /data/src/10.4/sql/item.cc:421
    #8 0x56043981ffd5 in Item::print_for_table_def(String*) /data/src/10.4/sql/item.h:1645
    #9 0x56043982081f in Virtual_column_info::print(String*) /data/src/10.4/sql/item.h:7139
    #10 0x56043994c4d8 in pack_expression /data/src/10.4/sql/unireg.cc:639
    #11 0x56043994c8b8 in pack_vcols /data/src/10.4/sql/unireg.cc:676
    #12 0x5604399486b0 in build_frm_image(THD*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, List<Create_field>&, unsigned int, st_key*, handler*) /data/src/10.4/sql/unireg.cc:194
    #13 0x560439861572 in mysql_create_frm_image(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, Alter_info*, int, st_key**, unsigned int*, st_mysql_const_unsigned_lex_string*) /data/src/10.4/sql/sql_table.cc:4703
    #14 0x5604398629df in create_table_impl /data/src/10.4/sql/sql_table.cc:4944
    #15 0x56043987ed94 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.4/sql/sql_table.cc:9568
    #16 0x5604399cc317 in Sql_cmd_alter_table::execute(THD*) /data/src/10.4/sql/sql_alter.cc:497
    #17 0x56043966489f in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6314
    #18 0x56043966f2b2 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8116
    #19 0x56043964977f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1852
    #20 0x560439646807 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1397
    #21 0x5604399bcd06 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1402
    #22 0x5604399bc712 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1308
    #23 0x56043a523383 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
    #24 0x7fc3d6088493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
    #25 0x7fc3d446e93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
 
0x62b0000afc8d is located 2701 bytes inside of 24716-byte region [0x62b0000af200,0x62b0000b528c)
allocated by thread T28 here:
    #0 0x7fc3d62f273f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x56043aece1d6 in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
    #2 0x56043ae9eb53 in my_malloc /data/src/10.4/mysys/my_malloc.c:101
    #3 0x56043ae7dd49 in reset_root_defaults /data/src/10.4/mysys/my_alloc.c:151
    #4 0x560439552b4f in THD::init_for_queries() /data/src/10.4/sql/sql_class.cc:1338
    #5 0x5604399bc0c6 in prepare_new_connection_state(THD*) /data/src/10.4/sql/sql_connect.cc:1239
    #6 0x5604399bc758 in thd_prepare_connection(THD*) /data/src/10.4/sql/sql_connect.cc:1323
    #7 0x5604399bccdc in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1393
    #8 0x5604399bc712 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1308
    #9 0x56043a523383 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
    #10 0x7fc3d6088493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
 
Thread T27 created by T0 here:
    #0 0x7fc3d62c1bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
    #1 0x56043a52394b in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
    #2 0x5604393a0d86 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
    #3 0x5604393b6fa4 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6438
    #4 0x5604393b76a9 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6508
    #5 0x5604393b7a39 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6625
    #6 0x5604393b8685 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6790
    #7 0x5604393b6461 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:6060
    #8 0x56043939ec0f in main /data/src/10.4/sql/main.cc:25
    #9 0x7fc3d43a62b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
 
Thread T28 created by T0 here:
    #0 0x7fc3d62c1bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
    #1 0x56043a52394b in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
    #2 0x5604393a0d86 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
    #3 0x5604393b6fa4 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6438
    #4 0x5604393b76a9 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6508
    #5 0x5604393b7a39 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6625
    #6 0x5604393b8685 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6790
    #7 0x5604393b6461 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:6060
    #8 0x56043939ec0f in main /data/src/10.4/sql/main.cc:25
    #9 0x7fc3d43a62b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
 
SUMMARY: AddressSanitizer: use-after-poison /data/src/10.4/sql/sql_show.cc:1642 append_identifier(THD*, String*, char const*, unsigned long)
Shadow bytes around the buggy address:
  0x0c568000df40: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c568000df50: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c568000df60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c568000df70: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c568000df80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c568000df90: f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c568000dfa0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c568000dfb0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c568000dfc0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c568000dfd0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c568000dfe0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==15969==ABORTING

MDEV-18239:

10.4 ASAN 4edb29380c

==15862==ERROR: AddressSanitizer: use-after-poison on address 0x62b0000afc88 at pc 0x7f9bc41005fa bp 0x7f9bb8519580 sp 0x7f9bb8519558
READ of size 22021 at 0x62b0000afc88 thread T27
    #0 0x7f9bc41005f9 in __interceptor_strnlen (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x2a5f9)
    #1 0x5558b6e61fd0 in process_str_arg /data/src/10.4/strings/my_vsnprintf.c:205
    #2 0x5558b6e663a9 in my_vsnprintf_ex /data/src/10.4/strings/my_vsnprintf.c:626
    #3 0x5558b6e673af in my_vsnprintf /data/src/10.4/strings/my_vsnprintf.c:704
    #4 0x5558b6e674c9 in my_snprintf /data/src/10.4/strings/my_vsnprintf.c:713
    #5 0x5558b5c8b563 in mark_unsupported_func /data/src/10.4/sql/item.cc:1374
    #6 0x5558b5c8b71a in mark_unsupported_function(char const*, void*, unsigned int) /data/src/10.4/sql/item.cc:1389
    #7 0x5558b533538d in Item_field::check_vcol_func_processor(void*) /data/src/10.4/sql/item.h:3420
    #8 0x5558b52a8519 in Item::walk(bool (Item::*)(void*), bool, void*) /data/src/10.4/sql/item.h:1782
    #9 0x5558b53d233a in Item_args::walk_args(bool (Item::*)(void*), bool, void*) /data/src/10.4/sql/item.h:2448
    #10 0x5558b53d34a2 in Item_func_or_sum::walk(bool (Item::*)(void*), bool, void*) /data/src/10.4/sql/item.h:5062
    #11 0x5558b5c0cf54 in check_expression(Virtual_column_info*, st_mysql_const_lex_string*, enum_vcol_info_type) /data/src/10.4/sql/field.cc:10316
    #12 0x5558b5715fd2 in mysql_prepare_create_table /data/src/10.4/sql/sql_table.cc:4241
    #13 0x5558b5719485 in mysql_create_frm_image(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, Alter_info*, int, st_key**, unsigned int*, st_mysql_const_unsigned_lex_string*) /data/src/10.4/sql/sql_table.cc:4697
    #14 0x5558b571a9df in create_table_impl /data/src/10.4/sql/sql_table.cc:4944
    #15 0x5558b5736d94 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.4/sql/sql_table.cc:9568
    #16 0x5558b5884317 in Sql_cmd_alter_table::execute(THD*) /data/src/10.4/sql/sql_alter.cc:497
    #17 0x5558b551c89f in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6314
    #18 0x5558b55272b2 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8116
    #19 0x5558b550177f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1852
    #20 0x5558b54fe807 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1397
    #21 0x5558b5874d06 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1402
    #22 0x5558b5874712 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1308
    #23 0x5558b63db383 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
    #24 0x7f9bc3ec0493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
    #25 0x7f9bc22a693e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
 
0x62b0000b528c is located 0 bytes to the right of 24716-byte region [0x62b0000af200,0x62b0000b528c)
allocated by thread T28 here:
    #0 0x7f9bc412a73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x5558b6d861d6 in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
    #2 0x5558b6d56b53 in my_malloc /data/src/10.4/mysys/my_malloc.c:101
    #3 0x5558b6d35d49 in reset_root_defaults /data/src/10.4/mysys/my_alloc.c:151
    #4 0x5558b540ab4f in THD::init_for_queries() /data/src/10.4/sql/sql_class.cc:1338
    #5 0x5558b58740c6 in prepare_new_connection_state(THD*) /data/src/10.4/sql/sql_connect.cc:1239
    #6 0x5558b5874758 in thd_prepare_connection(THD*) /data/src/10.4/sql/sql_connect.cc:1323
    #7 0x5558b5874cdc in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1393
    #8 0x5558b5874712 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1308
    #9 0x5558b63db383 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
    #10 0x7f9bc3ec0493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
 
Thread T27 created by T0 here:
    #0 0x7f9bc40f9bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
    #1 0x5558b63db94b in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
    #2 0x5558b5258d86 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
    #3 0x5558b526efa4 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6438
    #4 0x5558b526f6a9 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6508
    #5 0x5558b526fa39 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6625
    #6 0x5558b5270685 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6790
    #7 0x5558b526e461 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:6060
    #8 0x5558b5256c0f in main /data/src/10.4/sql/main.cc:25
    #9 0x7f9bc21de2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
 
Thread T28 created by T0 here:
    #0 0x7f9bc40f9bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
    #1 0x5558b63db94b in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
    #2 0x5558b5258d86 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
    #3 0x5558b526efa4 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6438
    #4 0x5558b526f6a9 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6508
    #5 0x5558b526fa39 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6625
    #6 0x5558b5270685 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6790
    #7 0x5558b526e461 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:6060
    #8 0x5558b5256c0f in main /data/src/10.4/sql/main.cc:25
    #9 0x7f9bc21de2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
 
SUMMARY: AddressSanitizer: use-after-poison ??:0 __interceptor_strnlen
Shadow bytes around the buggy address:
  0x0c568000df40: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c568000df50: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c568000df60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c568000df70: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c568000df80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c568000df90: f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c568000dfa0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c568000dfb0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c568000dfc0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c568000dfd0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c568000dfe0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==15862==ABORTING

MDEV-16679:

10.4 ASAN 4edb29380c

==16448==ERROR: AddressSanitizer: use-after-poison on address 0x62b0000afc88 at pc 0x557f7d72295d bp 0x7f721ced2440 sp 0x7f721ced2438
READ of size 1 at 0x62b0000afc88 thread T27
    #0 0x557f7d72295c in Item_ident::print(String*, enum_query_type) /data/src/10.4/sql/item.cc:3096
    #1 0x557f7d744e17 in Item_field::print(String*, enum_query_type) /data/src/10.4/sql/item.cc:7578
    #2 0x557f7d70c7d8 in Item::print_parenthesised(String*, enum_query_type, precedence) /data/src/10.4/sql/item.cc:421
    #3 0x557f7d7fcc4e in Item_func::print_op(String*, enum_query_type) /data/src/10.4/sql/item_func.cc:620
    #4 0x557f7d7b5ee4 in Item_bool_rowready_func2::print(String*, enum_query_type) /data/src/10.4/sql/item_cmpfunc.h:515
    #5 0x557f7d70c7d8 in Item::print_parenthesised(String*, enum_query_type, precedence) /data/src/10.4/sql/item.cc:421
    #6 0x557f7d160fd5 in Item::print_for_table_def(String*) /data/src/10.4/sql/item.h:1645
    #7 0x557f7d16181f in Virtual_column_info::print(String*) /data/src/10.4/sql/item.h:7139
    #8 0x557f7d28d4d8 in pack_expression /data/src/10.4/sql/unireg.cc:639
    #9 0x557f7d28d8b8 in pack_vcols /data/src/10.4/sql/unireg.cc:676
    #10 0x557f7d2896b0 in build_frm_image(THD*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, List<Create_field>&, unsigned int, st_key*, handler*) /data/src/10.4/sql/unireg.cc:194
    #11 0x557f7d1a2572 in mysql_create_frm_image(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, Alter_info*, int, st_key**, unsigned int*, st_mysql_const_unsigned_lex_string*) /data/src/10.4/sql/sql_table.cc:4703
    #12 0x557f7d1a39df in create_table_impl /data/src/10.4/sql/sql_table.cc:4944
    #13 0x557f7d1bfd94 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.4/sql/sql_table.cc:9568
    #14 0x557f7d30d317 in Sql_cmd_alter_table::execute(THD*) /data/src/10.4/sql/sql_alter.cc:497
    #15 0x557f7cfa589f in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6314
    #16 0x557f7cfb02b2 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8116
    #17 0x557f7cf8a77f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1852
    #18 0x557f7cf87807 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1397
    #19 0x557f7d2fdd06 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1402
    #20 0x557f7d2fd712 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1308
    #21 0x557f7de64383 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
    #22 0x7f7228879493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
    #23 0x7f7226c5f93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
 
0x62b0000afc88 is located 2696 bytes inside of 24716-byte region [0x62b0000af200,0x62b0000b528c)
allocated by thread T28 here:
    #0 0x7f7228ae373f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x557f7e80f1d6 in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
    #2 0x557f7e7dfb53 in my_malloc /data/src/10.4/mysys/my_malloc.c:101
    #3 0x557f7e7bed49 in reset_root_defaults /data/src/10.4/mysys/my_alloc.c:151
    #4 0x557f7ce93b4f in THD::init_for_queries() /data/src/10.4/sql/sql_class.cc:1338
    #5 0x557f7d2fd0c6 in prepare_new_connection_state(THD*) /data/src/10.4/sql/sql_connect.cc:1239
    #6 0x557f7d2fd758 in thd_prepare_connection(THD*) /data/src/10.4/sql/sql_connect.cc:1323
    #7 0x557f7d2fdcdc in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1393
    #8 0x557f7d2fd712 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1308
    #9 0x557f7de64383 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
    #10 0x7f7228879493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
 
Thread T27 created by T0 here:
    #0 0x7f7228ab2bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
    #1 0x557f7de6494b in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
    #2 0x557f7cce1d86 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
    #3 0x557f7ccf7fa4 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6438
    #4 0x557f7ccf86a9 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6508
    #5 0x557f7ccf8a39 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6625
    #6 0x557f7ccf9685 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6790
    #7 0x557f7ccf7461 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:6060
    #8 0x557f7ccdfc0f in main /data/src/10.4/sql/main.cc:25
    #9 0x7f7226b972b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
 
Thread T28 created by T0 here:
    #0 0x7f7228ab2bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
    #1 0x557f7de6494b in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
    #2 0x557f7cce1d86 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
    #3 0x557f7ccf7fa4 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6438
    #4 0x557f7ccf86a9 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6508
    #5 0x557f7ccf8a39 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6625
    #6 0x557f7ccf9685 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6790
    #7 0x557f7ccf7461 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:6060
    #8 0x557f7ccdfc0f in main /data/src/10.4/sql/main.cc:25
    #9 0x7f7226b972b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
 
SUMMARY: AddressSanitizer: use-after-poison /data/src/10.4/sql/item.cc:3096 Item_ident::print(String*, enum_query_type)
Shadow bytes around the buggy address:
  0x0c568000df40: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c568000df50: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c568000df60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c568000df70: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c568000df80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c568000df90: f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c568000dfa0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c568000dfb0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c568000dfc0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c568000dfd0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c568000dfe0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==16448==ABORTING

10.2 ASAN 37ffdb44e

CURRENT_TEST: bug.append4
mysqltest: At line 13: query 'ALTER TABLE `t1` DROP INDEX ind3' failed: 1054: Unknown column 'a' in 'CHECK'

Comment by Elena Stepanova [ 2019-01-19 ]

For now, I'm going to assume that it's the same issue as MDEV-18239 and will re-check it after MDEV-18239 is fixed.

Comment by Elena Stepanova [ 2019-02-06 ]

Not reproducible after MDEV-18239 fix.
