[MDEV-18891] ASAN heap-use-after-free in innobase_get_computed_value on concurrent DELETE from table with long index Created: 2019-03-12  Updated: 2019-04-02  Resolved: 2019-04-02

Status: Closed
Project: MariaDB Server
Component/s: Data types, Storage Engine - InnoDB
Affects Version/s: 10.4
Fix Version/s: 10.4.4

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Sergei Golubchik
Resolution: Duplicate Votes: 0
Labels: None

Issue Links:
Duplicate
is duplicated by MDEV-18799 Long unique does not work after faile... Closed
Problem/Incident
is caused by MDEV-371 Unique indexes for blobs Closed
Relates
relates to MDEV-17005 ASAN heap-use-after-free in innobase_... Closed

 Description   

Note: Before MDEV-371 the ALTER wasn't possible.

--source include/have_innodb.inc
 
CREATE TABLE t1 (b BLOB, i INT) ENGINE=InnoDB;
REPLACE INTO t1 VALUES (NULL,0);
 
--connect (con1,localhost,root,,test)
# Long unique index on a BLOB column; only possible since MDEV-371
ALTER TABLE t1 ADD UNIQUE (b);
# Issue the DELETE without waiting for its result, so it overlaps with
# the DELETE on the default connection below
--send
DELETE FROM t1;
 
--connection default
DELETE FROM t1;
 
# Cleanup
--disconnect con1
--connection default
DROP TABLE t1;

10.4 a796f1f ASAN

==6095==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000107939 at pc 0x5627280c4eab bp 0x7fb2a9dd6840 sp 0x7fb2a9dd6838
READ of size 10 at 0x619000107939 thread T28
    #0 0x5627280c4eaa in innobase_get_computed_value(dtuple_t const*, dict_v_col_t const*, dict_index_t const*, mem_block_info_t**, mem_block_info_t*, dict_field_t const*, THD*, TABLE*, unsigned char*, dict_table_t const*, upd_t*, dict_foreign_t*) /data/src/10.4/storage/innobase/handler/ha_innodb.cc:20786
    #1 0x5627283d7227 in row_upd_store_v_row /data/src/10.4/storage/innobase/row/row0upd.cc:2182
    #2 0x5627283d7879 in row_upd_store_row(upd_node_t*, THD*, TABLE*) /data/src/10.4/storage/innobase/row/row0upd.cc:2246
    #3 0x5627283dbd6f in row_upd_del_mark_clust_rec /data/src/10.4/storage/innobase/row/row0upd.cc:2981
    #4 0x5627283dcd8d in row_upd_clust_step /data/src/10.4/storage/innobase/row/row0upd.cc:3171
    #5 0x5627283dd907 in row_upd /data/src/10.4/storage/innobase/row/row0upd.cc:3293
    #6 0x5627283de622 in row_upd_step(que_thr_t*) /data/src/10.4/storage/innobase/row/row0upd.cc:3437
    #7 0x562728344f15 in row_update_for_mysql(row_prebuilt_t*) /data/src/10.4/storage/innobase/row/row0mysql.cc:1890
    #8 0x562728095baf in ha_innobase::delete_row(unsigned char const*) /data/src/10.4/storage/innobase/handler/ha_innodb.cc:9025
    #9 0x5627278c1839 in handler::ha_delete_row(unsigned char const*) /data/src/10.4/sql/handler.cc:6810
    #10 0x562727cbb601 in TABLE::delete_row() /data/src/10.4/sql/sql_delete.cc:297
    #11 0x562727cb3e7c in mysql_delete(THD*, TABLE_LIST*, Item*, SQL_I_List<st_order>*, unsigned long long, unsigned long long, select_result*) /data/src/10.4/sql/sql_delete.cc:843
    #12 0x562727100f3a in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:5032
    #13 0x562727115f8a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8204
    #14 0x5627270edf07 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
    #15 0x5627270ead58 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
    #16 0x56272747e921 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
    #17 0x56272747e31a in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
    #18 0x562728045888 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
    #19 0x7fb2c631a493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
    #20 0x7fb2c470093e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
 
0x619000107939 is located 441 bytes inside of 1100-byte region [0x619000107780,0x619000107bcc)
freed by thread T28 here:
    #0 0x7fb2c6584527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
    #1 0x5627289f6a69 in free_memory /data/src/10.4/mysys/safemalloc.c:279
    #2 0x5627289f606f in sf_free /data/src/10.4/mysys/safemalloc.c:197
    #3 0x5627289c6ab8 in my_free /data/src/10.4/mysys/my_malloc.c:222
    #4 0x5627289a6a0a in free_root /data/src/10.4/mysys/my_alloc.c:428
    #5 0x5627273a4499 in TABLE_SHARE::destroy() /data/src/10.4/sql/table.cc:498
    #6 0x5627273a46a5 in free_table_share(TABLE_SHARE*) /data/src/10.4/sql/table.cc:514
    #7 0x56272769dc7e in THD::free_tmp_table_share(TMP_TABLE_SHARE*, bool) /data/src/10.4/sql/temporary_tables.cc:1447
    #8 0x5627276992da in THD::drop_temporary_table(TABLE*, bool*, bool) /data/src/10.4/sql/temporary_tables.cc:646
    #9 0x56272733950a in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.4/sql/sql_table.cc:10135
    #10 0x5627274942ee in Sql_cmd_alter_table::execute(THD*) /data/src/10.4/sql/sql_alter.cc:499
    #11 0x56272710b5d9 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6393
    #12 0x562727115f8a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8204
    #13 0x5627270edf07 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
    #14 0x5627270ead58 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
    #15 0x56272747e921 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
    #16 0x56272747e31a in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
    #17 0x562728045888 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
    #18 0x7fb2c631a493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
 
previously allocated by thread T28 here:
    #0 0x7fb2c658473f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x5627289f57df in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
    #2 0x5627289c60da in my_malloc /data/src/10.4/mysys/my_malloc.c:101
    #3 0x5627289a57d2 in alloc_root /data/src/10.4/mysys/my_alloc.c:250
    #4 0x5627289a7344 in memdup_root /data/src/10.4/mysys/my_alloc.c:491
    #5 0x5627273ac2cb in TABLE_SHARE::init_from_binary_frm_image(THD*, bool, unsigned char const*, unsigned long) /data/src/10.4/sql/table.cc:1611
    #6 0x56272769ae5f in THD::create_temporary_table(handlerton*, st_mysql_const_unsigned_lex_string*, char const*, char const*, char const*) /data/src/10.4/sql/temporary_tables.cc:965
    #7 0x5627276964bc in THD::create_and_open_tmp_table(handlerton*, st_mysql_const_unsigned_lex_string*, char const*, char const*, char const*, bool, bool) /data/src/10.4/sql/temporary_tables.cc:76
    #8 0x562727338464 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.4/sql/sql_table.cc:9990
    #9 0x5627274942ee in Sql_cmd_alter_table::execute(THD*) /data/src/10.4/sql/sql_alter.cc:499
    #10 0x56272710b5d9 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6393
    #11 0x562727115f8a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8204
    #12 0x5627270edf07 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
    #13 0x5627270ead58 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
    #14 0x56272747e921 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
    #15 0x56272747e31a in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
    #16 0x562728045888 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
    #17 0x7fb2c631a493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
 
Thread T28 created by T0 here:
    #0 0x7fb2c6553bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
    #1 0x562728045e50 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
    #2 0x562726e36476 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
    #3 0x562726e4b6ed in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6141
    #4 0x562726e4bdf2 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6211
    #5 0x562726e4c182 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6309
    #6 0x562726e4cdce in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6467
    #7 0x562726e4af28 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5799
    #8 0x562726e342ff in main /data/src/10.4/sql/main.cc:25
    #9 0x7fb2c46382b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
 
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/storage/innobase/handler/ha_innodb.cc:20786 innobase_get_computed_value(dtuple_t const*, dict_v_col_t const*, dict_index_t const*, mem_block_info_t**, mem_block_info_t*, dict_field_t const*, THD*, TABLE*, unsigned char*, dict_table_t const*, upd_t*, dict_foreign_t*)
Shadow bytes around the buggy address:
  0x0c3280018ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280018ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280018ef0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280018f00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280018f10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c3280018f20: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
  0x0c3280018f30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280018f40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280018f50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280018f60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280018f70: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==6095==ABORTING
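The report above is the only evidence in this ticket, and the facts that matter for triage (which code touched the freed memory, which code freed it, which code allocated it, and which caller owns both ends of the object's lifetime) are spread over three separate stacks. The following is an added example, not code from this ticket or from MariaDB: a small parser that extracts those facts from an ASan heap-use-after-free report. The excerpt it parses is copied from the report above with most frames omitted, so the frame numbers are sparse. The `skip=("mysys/",)` rule, which treats MariaDB's mysys allocation wrappers (safemalloc, my_malloc, alloc_root/free_root) as non-informative frames between ASan's interceptor and the real owner, is an assumption of this example.

```python
import re
from dataclasses import dataclass, field

# Constructed input: lines copied from the report in this ticket, with most
# frames left out to keep the excerpt short (frame numbers are therefore sparse).
REPORT = """\
==6095==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000107939 at pc 0x5627280c4eab bp 0x7fb2a9dd6840 sp 0x7fb2a9dd6838
READ of size 10 at 0x619000107939 thread T28
    #0 0x5627280c4eaa in innobase_get_computed_value(dtuple_t const*, dict_v_col_t const*, dict_index_t const*, mem_block_info_t**, mem_block_info_t*, dict_field_t const*, THD*, TABLE*, unsigned char*, dict_table_t const*, upd_t*, dict_foreign_t*) /data/src/10.4/storage/innobase/handler/ha_innodb.cc:20786
    #1 0x5627283d7227 in row_upd_store_v_row /data/src/10.4/storage/innobase/row/row0upd.cc:2182
    #8 0x562728095baf in ha_innobase::delete_row(unsigned char const*) /data/src/10.4/storage/innobase/handler/ha_innodb.cc:9025

0x619000107939 is located 441 bytes inside of 1100-byte region [0x619000107780,0x619000107bcc)
freed by thread T28 here:
    #0 0x7fb2c6584527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
    #1 0x5627289f6a69 in free_memory /data/src/10.4/mysys/safemalloc.c:279
    #4 0x5627289a6a0a in free_root /data/src/10.4/mysys/my_alloc.c:428
    #5 0x5627273a4499 in TABLE_SHARE::destroy() /data/src/10.4/sql/table.cc:498
    #9 0x56272733950a in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.4/sql/sql_table.cc:10135

previously allocated by thread T28 here:
    #0 0x7fb2c658473f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #3 0x5627289a57d2 in alloc_root /data/src/10.4/mysys/my_alloc.c:250
    #5 0x5627273ac2cb in TABLE_SHARE::init_from_binary_frm_image(THD*, bool, unsigned char const*, unsigned long) /data/src/10.4/sql/table.cc:1611
    #8 0x562727338464 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.4/sql/sql_table.cc:9990

Thread T28 created by T0 here:
    #0 0x7fb2c6553bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)

SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/storage/innobase/handler/ha_innodb.cc:20786 innobase_get_computed_value(...)
"""

HEADER_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")
FREED_RE = re.compile(r"^freed by thread (T\d+) here:")
ALLOC_RE = re.compile(r"^previously allocated by thread (T\d+) here:")
CREATED_RE = re.compile(r"^Thread T\d+ created by")
# The symbol may be a C++ signature containing spaces; the location is always the last token.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(.+?)\s+(\S+)$")


@dataclass
class Frame:
    index: int
    function: str   # full symbol, possibly a signature with spaces
    location: str   # "path:line" with debug info, else "(lib+offset)"

    @property
    def short_name(self) -> str:
        return self.function.split("(")[0]

    @property
    def has_source(self) -> bool:
        return re.search(r":\d+$", self.location) is not None


@dataclass
class AsanReport:
    kind: str = ""
    address: str = ""
    access: str = ""
    size: int = 0
    offset: int = 0
    region_size: int = 0
    threads: dict = field(default_factory=dict)   # section -> thread id
    stacks: dict = field(default_factory=lambda: {"use": [], "free": [], "alloc": []})


def parse_asan(text: str) -> AsanReport:
    rep, section = AsanReport(), None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            rep.kind, rep.address = m.group(1), m.group(2)
        elif m := ACCESS_RE.match(line):
            rep.access, rep.size = m.group(1), int(m.group(2))
            rep.threads["use"], section = m.group(3), "use"
        elif m := REGION_RE.search(line):
            rep.offset, rep.region_size = int(m.group(1)), int(m.group(2))
        elif m := FREED_RE.match(line):
            rep.threads["free"], section = m.group(1), "free"
        elif m := ALLOC_RE.match(line):
            rep.threads["alloc"], section = m.group(1), "alloc"
        elif CREATED_RE.match(line):
            section = None   # thread-creation stack is not needed for triage
        elif (m := FRAME_RE.match(line)) and section:
            rep.stacks[section].append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    return rep


def informative(frames, skip=("mysys/",)):
    """Frames with source info that are not in an allocator wrapper. `skip` is an
    assumption of this example: MariaDB's mysys allocation layer sits between the
    ASan interceptor and the code that owns the object, so it is treated as noise."""
    return [f for f in frames if f.has_source and not any(s in f.location for s in skip)]


def lifetime_owner(rep: AsanReport):
    """Innermost function present in both the free and the allocation stack:
    the caller that owns both ends of the object's lifetime."""
    alloc_names = {f.short_name for f in informative(rep.stacks["alloc"])}
    return next((f.short_name for f in informative(rep.stacks["free"]) if f.short_name in alloc_names), None)


def triage(rep: AsanReport) -> dict:
    def site(key):
        frames = informative(rep.stacks[key])
        return (frames[0].short_name, frames[0].location) if frames else None

    return {
        "kind": rep.kind,
        "access": f"{rep.access} of {rep.size} bytes at offset {rep.offset} in a {rep.region_size}-byte region",
        "use_site": site("use"),
        "free_site": site("free"),
        "alloc_site": site("alloc"),
        "lifetime_owner": lifetime_owner(rep),
        "same_thread": rep.threads.get("use") == rep.threads.get("free"),
    }


if __name__ == "__main__":
    for k, v in triage(parse_asan(REPORT)).items():
        print(f"{k}: {v}")
```

On this report the result is what the ticket title compresses into one line: the read happens in innobase_get_computed_value while evaluating a virtual column for the DELETE, the memory belongs to a TABLE_SHARE that mysql_alter_table both created and destroyed, and the use and the free happen on the same thread, so the object outlived its owner rather than being raced from another thread.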



 Comments   
Comment by Elena Stepanova [ 2019-03-12 ]

It might also be a duplicate of MDEV-17005, with the difference that this variation affects a table with a long index.

Comment by Sachin Setiya (Inactive) [ 2019-03-12 ]

MDEV-18799 fix solves this issue.
