[MDEV-19633] ASAN use-after-poison in tree_insert() in main.func_gconcat Created: 2019-05-29  Updated: 2019-09-10  Resolved: 2019-06-14

Status: Closed
Project: MariaDB Server
Component/s: Server
Affects Version/s: 10.2
Fix Version/s: 10.2.25, 10.3.16, 10.4.6

Type: Bug
Priority: Major
Reporter: Eugene Kosov (Inactive)
Assignee: Sergei Golubchik
Resolution: Fixed
Votes: 0
Labels: None

Description

Found here: http://buildbot.askmonty.org/buildbot/builders/kvm-asan/builds/1368/steps/mtr_nm/logs/stdio

main.func_gconcat                        w1 [ fail ]
        Test ended at 2019-05-28 15:06:24
 
CURRENT_TEST: main.func_gconcat
mysqltest: At line 880: query 'SELECT GROUP_CONCAT(concat(seq/1.1), concat(seq/1.1), concat(seq/1.1), concat(seq/1.1), concat(seq/1.1), concat(seq/1.1), concat(seq/1.1), concat(seq/1.1) ORDER BY 2,1,3,4,6,5,8,7) AS c
FROM seq_1_to_200000' failed: 2013: Lost connection to MySQL server during query
 
The result from queries just before the failure was:
< snip >
Warning	1260	Row 3 was cut by GROUP_CONCAT()
INSERT INTO t1 VALUES (REPEAT('a', 499999), 3), (REPEAT('b', 500000), 4);
SELECT LENGTH(GROUP_CONCAT(f1 ORDER BY f2)) FROM t1 GROUP BY f2;
LENGTH(GROUP_CONCAT(f1 ORDER BY f2))
499999
499999
499999
499999
499999
Warnings:
Warning	1260	Row 1 was cut by GROUP_CONCAT()
Warning	1260	Row 2 was cut by GROUP_CONCAT()
Warning	1260	Row 3 was cut by GROUP_CONCAT()
Warning	1260	Row 5 was cut by GROUP_CONCAT()
DROP TABLE t1;
SET group_concat_max_len= DEFAULT;
set session group_concat_max_len=1024;
set max_session_mem_used=16*1024*1024;
SELECT GROUP_CONCAT(concat(seq/1.1), concat(seq/1.1), concat(seq/1.1), concat(seq/1.1), concat(seq/1.1), concat(seq/1.1), concat(seq/1.1), concat(seq/1.1) ORDER BY 2,1,3,4,6,5,8,7) AS c
FROM seq_1_to_200000;
 
More results from queries before failure can be found in /dev/shm/var/1/log/func_gconcat.log
 
 
Server [mysqld.1 - pid: 2633, winpid: 2633, exit: 256] failed during test run
Server log from this test:
----------SERVER LOG START-----------
=================================================================
==2634==ERROR: AddressSanitizer: use-after-poison on address 0x629000b59330 at pc 0x7f3637155935 bp 0x7f362a27d260 sp 0x7f362a27ca08
READ of size 240 at 0x629000b59330 thread T5
    #0 0x7f3637155934 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c934)
    #1 0x5606f503f3ad in tree_insert /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/tree.c:255
    #2 0x5606f4245d54 in copy_to_tree /home/buildbot/buildbot/build/mariadb-10.2.25/sql/item_sum.cc:3475
    #3 0x5606f5041277 in tree_walk_left_root_right /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/tree.c:551
    #4 0x5606f5041197 in tree_walk_left_root_right /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/tree.c:550
    #5 0x5606f5041197 in tree_walk_left_root_right /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/tree.c:550
    #6 0x5606f5041197 in tree_walk_left_root_right /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/tree.c:550
    #7 0x5606f5041197 in tree_walk_left_root_right /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/tree.c:550
    #8 0x5606f5041197 in tree_walk_left_root_right /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/tree.c:550
    #9 0x5606f5041197 in tree_walk_left_root_right /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/tree.c:550
    #10 0x5606f5041197 in tree_walk_left_root_right /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/tree.c:550
    #11 0x5606f5041197 in tree_walk_left_root_right /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/tree.c:550
    #12 0x5606f5041197 in tree_walk_left_root_right /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/tree.c:550
    #13 0x5606f5041197 in tree_walk_left_root_right /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/tree.c:550
    #14 0x5606f5041197 in tree_walk_left_root_right /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/tree.c:550
    #15 0x5606f5041197 in tree_walk_left_root_right /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/tree.c:550
    #16 0x5606f50410ec in tree_walk /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/tree.c:538
    #17 0x5606f424608b in Item_func_group_concat::repack_tree(THD*) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/item_sum.cc:3493
    #18 0x5606f4246d7d in Item_func_group_concat::add() /home/buildbot/buildbot/build/mariadb-10.2.25/sql/item_sum.cc:3561
    #19 0x5606f424b173 in Aggregator_simple::add() /home/buildbot/buildbot/build/mariadb-10.2.25/sql/item_sum.h:708
    #20 0x5606f3ba8dcf in Item_sum::aggregator_add() (/home/buildbot/buildbot/build/mariadb-10.2.25/sql/mysqld+0xeffdcf)
    #21 0x5606f3b8c949 in update_sum_func /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:23756
    #22 0x5606f3b749a3 in end_send_group(JOIN*, st_join_table*, bool) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:20175
    #23 0x5606f3b6bb9f in evaluate_join_record /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:19010
    #24 0x5606f3b6adfc in sub_select(JOIN*, st_join_table*, bool) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:18829
    #25 0x5606f3b68c3f in do_select /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:18334
    #26 0x5606f3b0a6d9 in JOIN::exec_inner() /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:3625
    #27 0x5606f3b083df in JOIN::exec() /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:3420
    #28 0x5606f3b0b72c in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:3820
    #29 0x5606f3aeae20 in handle_select(THD*, LEX*, select_result*, unsigned long) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:376
    #30 0x5606f3a728bc in execute_sqlcom_select /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_parse.cc:6493
    #31 0x5606f3a5fcb1 in mysql_execute_command(THD*) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_parse.cc:3534
    #32 0x5606f3a7b020 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_parse.cc:8027
    #33 0x5606f3a566aa in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_parse.cc:1833
    #34 0x5606f3a53827 in do_command(THD*) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_parse.cc:1387
    #35 0x5606f3d7dd0f in do_handle_one_connection(CONNECT*) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_connect.cc:1335
    #36 0x5606f3d7d717 in handle_one_connection /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_connect.cc:1241
    #37 0x5606f45339bd in pfs_spawn_thread /home/buildbot/buildbot/build/mariadb-10.2.25/storage/perfschema/pfs.cc:1862
    #38 0x7f36359836b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #39 0x7f3634e1882c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10682c)
 
0x629000b59330 is located 304 bytes inside of 16352-byte region [0x629000b59200,0x629000b5d1e0)
allocated by thread T5 here:
    #0 0x7f3637161602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x5606f501bc52 in my_malloc /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/my_malloc.c:101
    #2 0x5606f4ffd4f1 in alloc_root /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/my_alloc.c:242
    #3 0x5606f503f1ed in tree_insert /home/buildbot/buildbot/build/mariadb-10.2.25/mysys/tree.c:243
    #4 0x5606f4246ee7 in Item_func_group_concat::add() /home/buildbot/buildbot/build/mariadb-10.2.25/sql/item_sum.cc:3564
    #5 0x5606f424b173 in Aggregator_simple::add() /home/buildbot/buildbot/build/mariadb-10.2.25/sql/item_sum.h:708
    #6 0x5606f3ba8dcf in Item_sum::aggregator_add() (/home/buildbot/buildbot/build/mariadb-10.2.25/sql/mysqld+0xeffdcf)
    #7 0x5606f3ba8a63 in Item_sum::reset_and_add() /home/buildbot/buildbot/build/mariadb-10.2.25/sql/item_sum.h:440
    #8 0x5606f3b8c892 in init_sum_functions /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:23738
    #9 0x5606f3b74847 in end_send_group(JOIN*, st_join_table*, bool) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:20167
    #10 0x5606f3b6bb9f in evaluate_join_record /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:19010
    #11 0x5606f3b6a76e in sub_select(JOIN*, st_join_table*, bool) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:18790
    #12 0x5606f3b68c3f in do_select /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:18334
    #13 0x5606f3b0a6d9 in JOIN::exec_inner() /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:3625
    #14 0x5606f3b083df in JOIN::exec() /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:3420
    #15 0x5606f3b0b72c in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:3820
    #16 0x5606f3aeae20 in handle_select(THD*, LEX*, select_result*, unsigned long) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_select.cc:376
    #17 0x5606f3a728bc in execute_sqlcom_select /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_parse.cc:6493
    #18 0x5606f3a5fcb1 in mysql_execute_command(THD*) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_parse.cc:3534
    #19 0x5606f3a7b020 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_parse.cc:8027
    #20 0x5606f3a566aa in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_parse.cc:1833
    #21 0x5606f3a53827 in do_command(THD*) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_parse.cc:1387
    #22 0x5606f3d7dd0f in do_handle_one_connection(CONNECT*) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_connect.cc:1335
    #23 0x5606f3d7d717 in handle_one_connection /home/buildbot/buildbot/build/mariadb-10.2.25/sql/sql_connect.cc:1241
    #24 0x5606f45339bd in pfs_spawn_thread /home/buildbot/buildbot/build/mariadb-10.2.25/storage/perfschema/pfs.cc:1862
    #25 0x7f36359836b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
 
Thread T5 created by T0 here:
    #0 0x7f36370ff253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
    #1 0x5606f4533daa in spawn_thread_v1 /home/buildbot/buildbot/build/mariadb-10.2.25/storage/perfschema/pfs.cc:1912
    #2 0x5606f386150e in inline_mysql_thread_create /home/buildbot/buildbot/build/mariadb-10.2.25/include/mysql/psi/mysql_thread.h:1239
    #3 0x5606f3875a46 in create_thread_to_handle_connection(CONNECT*) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/mysqld.cc:6506
    #4 0x5606f3876146 in create_new_thread /home/buildbot/buildbot/build/mariadb-10.2.25/sql/mysqld.cc:6576
    #5 0x5606f3877189 in handle_connections_sockets() /home/buildbot/buildbot/build/mariadb-10.2.25/sql/mysqld.cc:6851
    #6 0x5606f3874f91 in mysqld_main(int, char**) /home/buildbot/buildbot/build/mariadb-10.2.25/sql/mysqld.cc:6125
    #7 0x5606f385f91f in main /home/buildbot/buildbot/build/mariadb-10.2.25/sql/main.cc:25
    #8 0x7f3634d3282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
 
SUMMARY: AddressSanitizer: use-after-poison ??:0 __asan_memcpy
Shadow bytes around the buggy address:
  0x0c5280163210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5280163220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5280163230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5280163240: 00 00 00 00 f7 00 00 00 00 00 00 00 00 00 00 00
  0x0c5280163250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5280163260: 00 00 00 00 00 00[f7]00 00 00 00 00 00 00 00 00
  0x0c5280163270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5280163280: 00 00 00 00 00 00 00 00 f7 00 00 00 00 00 00 00
  0x0c5280163290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c52801632a0: 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 00 00
  0x0c52801632b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==2634==ABORTING

Comments
Comment by Varun Gupta (Inactive) [ 2019-09-10 ]

Found that 10.1 also fails with this, so this needs to be ported to 10.1.
