[MDEV-19859] ASAN heap-use-after-free dict0mem.h:519:10 in id_name_t::operator char const*() const Created: 2019-06-25  Updated: 2023-04-27

Status: Open
Project: MariaDB Server
Component/s: Storage Engine - InnoDB, Virtual Columns
Affects Version/s: 10.3, 10.4
Fix Version/s: 10.4

Type: Bug Priority: Major
Reporter: Aleksey Midenkov Assignee: Nikita Malyavin
Resolution: Unresolved Votes: 0
Labels: None

Attachments: File mdev16222.diff
Issue Links:
Duplicate
duplicates MDEV-18259 ASAN heap-use-after-free or server cr... Closed
Relates
relates to MDEV-16222 Assertion `0' failed in row_purge_rem... Closed

Description

Reproduce

Apply the attached patch and run versioning.y with --repeat=100.

Result

    #0 0x1dda430 in id_name_t::operator char const*() const /home/midenok/src/mariadb/10.4/src/storage/innobase/include/dict0mem.h:519:10
    #1 0x265a50f in operator<<(std::ostream&, id_name_t const&) /home/midenok/src/mariadb/10.4/src/storage/innobase/dict/dict0mem.cc:94:18
    #2 0x2222733 in row_purge_poss_sec(purge_node_t*, dict_index_t*, dtuple_t const*, btr_pcur_t*, mtr_t*, bool) /home/midenok/src/mariadb/10.4/src/storage/innobase/row/row0purge.cc:330:3
    #3 0x222ddef in row_purge_remove_sec_if_poss_leaf(purge_node_t*, dict_index_t*, dtuple_t const*) /home/midenok/src/mariadb/10.4/src/storage/innobase/row/row0purge.cc:582:7
    #4 0x222d163 in row_purge_remove_sec_if_poss(purge_node_t*, dict_index_t*, dtuple_t const*) /home/midenok/src/mariadb/10.4/src/storage/innobase/row/row0purge.cc:695:6
    #5 0x222a2d2 in row_purge_del_mark(purge_node_t*) /home/midenok/src/mariadb/10.4/src/storage/innobase/row/row0purge.cc:769:4
    #6 0x22277ef in row_purge_record_func(purge_node_t*, unsigned char*, que_thr_t const*, bool) /home/midenok/src/mariadb/10.4/src/storage/innobase/row/row0purge.cc:1195:12
    #7 0x2223c2d in row_purge(purge_node_t*, unsigned char*, que_thr_t*) /home/midenok/src/mariadb/10.4/src/storage/innobase/row/row0purge.cc:1262:18
    #8 0x2223883 in row_purge_step(que_thr_t*) /home/midenok/src/mariadb/10.4/src/storage/innobase/row/row0purge.cc:1321:3
    #9 0x20baf6e in que_thr_step(que_thr_t*) /home/midenok/src/mariadb/10.4/src/storage/innobase/que/que0que.cc:1042:9
    #10 0x20b8f68 in que_run_threads_low(que_thr_t*) /home/midenok/src/mariadb/10.4/src/storage/innobase/que/que0que.cc:1104:14
    #11 0x20b89b7 in que_run_threads(que_thr_t*) /home/midenok/src/mariadb/10.4/src/storage/innobase/que/que0que.cc:1144:2
    #12 0x23620c2 in trx_purge(unsigned long, bool) /home/midenok/src/mariadb/10.4/src/storage/innobase/trx/trx0purge.cc:1315:2
    #13 0x22dd185 in srv_do_purge(unsigned long*) /home/midenok/src/mariadb/10.4/src/storage/innobase/srv/srv0srv.cc:2590:20
    #14 0x22dc5eb in srv_purge_coordinator_thread /home/midenok/src/mariadb/10.4/src/storage/innobase/srv/srv0srv.cc:2716:22
    #15 0x7f7fa76cd181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9181)
    #16 0x7f7fa6b71b1e in clone /build/glibc-KRRWSm/glibc-2.29/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
 
0x618000071518 is located 152 bytes inside of 784-byte region [0x618000071480,0x618000071790)
freed by thread T24 here:
    #0 0x7bd4d8 in __interceptor_free (/home/midenok/src/mariadb/10.4/build/sql/mysqld+0x7bd4d8)
    #1 0x1ffbeff in mem_heap_block_free(mem_block_info_t*, mem_block_info_t*) /home/midenok/src/mariadb/10.4/src/storage/innobase/mem/mem0mem.cc:415:3
    #2 0x265cf1d in mem_heap_free(mem_block_info_t*) /home/midenok/src/mariadb/10.4/src/storage/innobase/include/mem0mem.ic:432:3
    #3 0x266455a in dict_mem_index_free(dict_index_t*) /home/midenok/src/mariadb/10.4/src/storage/innobase/dict/dict0mem.cc:1069:2
    #4 0x25f3d9b in dict_index_remove_from_cache_low(dict_table_t*, dict_index_t*, unsigned long) /home/midenok/src/mariadb/10.4/src/storage/innobase/dict/dict0dict.cc:2370:2
    #5 0x25eb980 in dict_sys_t::remove(dict_table_t*, bool, bool) /home/midenok/src/mariadb/10.4/src/storage/innobase/dict/dict0dict.cc:1899:3
    #6 0x21d263f in row_drop_table_from_cache(char const*, dict_table_t*, trx_t*) /home/midenok/src/mariadb/10.4/src/storage/innobase/row/row0mysql.cc:3267:11
    #7 0x21c955b in row_drop_table_for_mysql(char const*, trx_t*, enum_sql_command, bool, bool) /home/midenok/src/mariadb/10.4/src/storage/innobase/row/row0mysql.cc:3741:9
    #8 0x1de1d21 in ha_innobase::delete_table(char const*, enum_sql_command) /home/midenok/src/mariadb/10.4/src/storage/innobase/handler/ha_innodb.cc:12957:8
    #9 0x1d93155 in ha_innobase::delete_table(char const*) /home/midenok/src/mariadb/10.4/src/storage/innobase/handler/ha_innodb.cc:13082:9
    #10 0x160aa09 in handler::ha_delete_table(char const*) /home/midenok/src/mariadb/10.4/src/sql/handler.cc:4702:10
    #11 0x160a2b7 in ha_delete_table(THD*, handlerton*, char const*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, bool) /home/midenok/src/mariadb/10.4/src/sql/handler.cc:2595:7
    #12 0xefa885 in mysql_rm_table_no_locks(THD*, TABLE_LIST*, bool, bool, bool, bool, bool, bool) /home/midenok/src/mariadb/10.4/src/sql/sql_table.cc:2503:14
    #13 0xef7cea in mysql_rm_table(THD*, TABLE_LIST*, bool, bool, bool) /home/midenok/src/mariadb/10.4/src/sql/sql_table.cc:2118:10
    #14 0xc0393a in mysql_execute_command(THD*) /home/midenok/src/mariadb/10.4/src/sql/sql_parse.cc:4846:10
    #15 0xbe8b34 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/midenok/src/mariadb/10.4/src/sql/sql_parse.cc:7892:18
    #16 0xbe1834 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/midenok/src/mariadb/10.4/src/sql/sql_parse.cc:1826:7
    #17 0xbea6e2 in do_command(THD*) /home/midenok/src/mariadb/10.4/src/sql/sql_parse.cc:1359:17
    #18 0x1128ab5 in do_handle_one_connection(CONNECT*) /home/midenok/src/mariadb/10.4/src/sql/sql_connect.cc:1403:11
    #19 0x11281d1 in handle_one_connection /home/midenok/src/mariadb/10.4/src/sql/sql_connect.cc:1306:3
    #20 0x2e5d0c4 in pfs_spawn_thread /home/midenok/src/mariadb/10.4/src/storage/perfschema/pfs.cc:1862:3
    #21 0x7f7fa76cd181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9181)
 
previously allocated by thread T24 here:
    #0 0x7bd8b7 in __interceptor_malloc (/home/midenok/src/mariadb/10.4/build/sql/mysqld+0x7bd8b7)
    #1 0x1ffac6e in mem_heap_create_block_func(mem_block_info_t*, unsigned long, char const*, unsigned int, unsigned long) /home/midenok/src/mariadb/10.4/src/storage/innobase/mem/mem0mem.cc:269:37
    #2 0x1ffbaea in mem_heap_add_block(mem_block_info_t*, unsigned long) /home/midenok/src/mariadb/10.4/src/storage/innobase/mem/mem0mem.cc:374:14
    #3 0x265c069 in mem_heap_alloc(mem_block_info_t*, unsigned long) /home/midenok/src/mariadb/10.4/src/storage/innobase/include/mem0mem.ic:201:11
    #4 0x265bcc1 in mem_heap_zalloc(mem_block_info_t*, unsigned long) /home/midenok/src/mariadb/10.4/src/storage/innobase/include/mem0mem.ic:170:16
    #5 0x2661d12 in dict_mem_index_create(dict_table_t*, char const*, unsigned long, unsigned long) /home/midenok/src/mariadb/10.4/src/storage/innobase/dict/dict0mem.cc:742:3
    #6 0x25f983e in dict_index_build_internal_non_clust(dict_index_t*) /home/midenok/src/mariadb/10.4/src/storage/innobase/dict/dict0dict.cc:2855:14
    #7 0x25f4aea in dict_index_add_to_cache(dict_index_t*, unsigned long, bool, dberr_t*, dict_add_v_col_t const*) /home/midenok/src/mariadb/10.4/src/storage/innobase/dict/dict0dict.cc:2201:6
    #8 0x25cc029 in dict_create_index_step(que_thr_t*) /home/midenok/src/mariadb/10.4/src/storage/innobase/dict/dict0crea.cc:1327:17
    #9 0x20bafff in que_thr_step(que_thr_t*) /home/midenok/src/mariadb/10.4/src/storage/innobase/que/que0que.cc:1052:9
    #10 0x20b8f68 in que_run_threads_low(que_thr_t*) /home/midenok/src/mariadb/10.4/src/storage/innobase/que/que0que.cc:1104:14
    #11 0x20b89b7 in que_run_threads(que_thr_t*) /home/midenok/src/mariadb/10.4/src/storage/innobase/que/que0que.cc:1144:2
    #12 0x21c2edc in row_create_index_for_mysql(dict_index_t*, trx_t*, unsigned long const*) /home/midenok/src/mariadb/10.4/src/storage/innobase/row/row0mysql.cc:2544:3
    #13 0x1ddf780 in create_index(trx_t*, TABLE const*, dict_table_t*, unsigned int) /home/midenok/src/mariadb/10.4/src/storage/innobase/handler/ha_innodb.cc:11345:3
    #14 0x1d8e9a8 in create_table_info_t::create_table(bool) /home/midenok/src/mariadb/10.4/src/storage/innobase/handler/ha_innodb.cc:12456:19
    #15 0x1de0a5f in ha_innobase::create(char const*, TABLE*, HA_CREATE_INFO*, bool, trx_t*) /home/midenok/src/mariadb/10.4/src/storage/innobase/handler/ha_innodb.cc:12688:20
    #16 0x1d90982 in ha_innobase::create(char const*, TABLE*, HA_CREATE_INFO*) /home/midenok/src/mariadb/10.4/src/storage/innobase/handler/ha_innodb.cc:12741:9
    #17 0x16243d1 in handler::ha_create(char const*, TABLE*, HA_CREATE_INFO*) /home/midenok/src/mariadb/10.4/src/sql/handler.cc:4736:14
    #18 0x162abbe in ha_create_table(THD*, char const*, char const*, char const*, HA_CREATE_INFO*, st_mysql_const_unsigned_lex_string*) /home/midenok/src/mariadb/10.4/src/sql/handler.cc:5200:22
    #19 0xf0a2be in create_table_impl(THD*, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, char const*, DDL_options_st, HA_CREATE_INFO*, Alter_info*, int, bool*, st_key**, unsigned int*, st_mysql_const_unsigned_lex_string*) /home/midenok/src/mariadb/10.4/src/sql/sql_table.cc:5048:11
    #20 0xf07efc in mysql_create_table_no_lock(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /home/midenok/src/mariadb/10.4/src/sql/sql_table.cc:5132:8
    #21 0xf0b57c in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /home/midenok/src/mariadb/10.4/src/sql/sql_table.cc:5224:7
    #22 0xf482d5 in Sql_cmd_create_table_like::execute(THD*) /home/midenok/src/mariadb/10.4/src/sql/sql_table.cc:11348:12
    #23 0xc0df67 in mysql_execute_command(THD*) /home/midenok/src/mariadb/10.4/src/sql/sql_parse.cc:6082:26
    #24 0xbe8b34 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/midenok/src/mariadb/10.4/src/sql/sql_parse.cc:7892:18
    #25 0xbe1834 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/midenok/src/mariadb/10.4/src/sql/sql_parse.cc:1826:7
    #26 0xbea6e2 in do_command(THD*) /home/midenok/src/mariadb/10.4/src/sql/sql_parse.cc:1359:17
    #27 0x1128ab5 in do_handle_one_connection(CONNECT*) /home/midenok/src/mariadb/10.4/src/sql/sql_connect.cc:1403:11
    #28 0x11281d1 in handle_one_connection /home/midenok/src/mariadb/10.4/src/sql/sql_connect.cc:1306:3
    #29 0x2e5d0c4 in pfs_spawn_thread /home/midenok/src/mariadb/10.4/src/storage/perfschema/pfs.cc:1862:3
 
Thread T17 created by T0 here:
    #0 0x714a80 in pthread_create (/home/midenok/src/mariadb/10.4/build/sql/mysqld+0x714a80)
    #1 0x2044d8c in os_thread_create_func(void* (*)(void*), void*, unsigned long*) /home/midenok/src/mariadb/10.4/src/storage/innobase/os/os0thread.cc:132:12
    #2 0x22ef097 in srv_start(bool) /home/midenok/src/mariadb/10.4/src/storage/innobase/srv/srv0start.cc:2298:46
    #3 0x1daef11 in innodb_init(void*) /home/midenok/src/mariadb/10.4/src/storage/innobase/handler/ha_innodb.cc:4270:8
    #4 0x15fc294 in ha_initialize_handlerton(st_plugin_int*) /home/midenok/src/mariadb/10.4/src/sql/handler.cc:557:31
    #5 0xc390c9 in plugin_initialize(st_mem_root*, st_plugin_int*, int*, char**, bool) /home/midenok/src/mariadb/10.4/src/sql/sql_plugin.cc:1437:9
    #6 0xc37d5a in plugin_init(int*, char**, int) /home/midenok/src/mariadb/10.4/src/sql/sql_plugin.cc:1719:15
    #7 0x80f43c in init_server_components() /home/midenok/src/mariadb/10.4/src/sql/mysqld.cc:5202:7
    #8 0x808f92 in mysqld_main(int, char**) /home/midenok/src/mariadb/10.4/src/sql/mysqld.cc:5725:7
    #9 0x7fcef1 in main /home/midenok/src/mariadb/10.4/src/sql/main.cc:25:10
    #10 0x7f7fa6a7ab6a in __libc_start_main /build/glibc-KRRWSm/glibc-2.29/csu/../csu/libc-start.c:308:16
 
Thread T24 created by T0 here:
    #0 0x714a80 in pthread_create (/home/midenok/src/mariadb/10.4/build/sql/mysqld+0x714a80)
    #1 0x2e62eab in spawn_thread_v1(unsigned int, unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /home/midenok/src/mariadb/10.4/src/storage/perfschema/pfs.cc:1912:15
    #2 0x805a6a in inline_mysql_thread_create(unsigned int, unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /home/midenok/src/mariadb/10.4/src/include/mysql/psi/mysql_thread.h:1268:11
    #3 0x816976 in create_thread_to_handle_connection(CONNECT*) /home/midenok/src/mariadb/10.4/src/sql/mysqld.cc:6234:15
    #4 0x8173d9 in create_new_thread(CONNECT*) /home/midenok/src/mariadb/10.4/src/sql/mysqld.cc:6304:3
    #5 0x81825e in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/midenok/src/mariadb/10.4/src/sql/mysqld.cc:6402:3
    #6 0x81501b in handle_connections_sockets() /home/midenok/src/mariadb/10.4/src/sql/mysqld.cc:6560:5
    #7 0x80997a in mysqld_main(int, char**) /home/midenok/src/mariadb/10.4/src/sql/mysqld.cc:5892:3
    #8 0x7fcef1 in main /home/midenok/src/mariadb/10.4/src/sql/main.cc:25:10
    #9 0x7f7fa6a7ab6a in __libc_start_main /build/glibc-KRRWSm/glibc-2.29/csu/../csu/libc-start.c:308:16
 
SUMMARY: AddressSanitizer: heap-use-after-free /home/midenok/src/mariadb/10.4/src/storage/innobase/include/dict0mem.h:519:10 in id_name_t::operator char const*() const
Shadow bytes around the buggy address:
  0x0c3080006250: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3080006260: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3080006270: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c3080006280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3080006290: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c30800062a0: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c30800062b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c30800062c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c30800062d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c30800062e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c30800062f0: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==16101==ABORTING


Generated at Thu Feb 08 08:54:54 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.