[MDEV-20214] parts.partition_basic_innodb failed in buildbot with AddressSanitizer: use-after-poison in Table_triggers_list::~Table_triggers_list

Created: 2019-07-30
Updated: 2020-03-03

Status: Open
Project: MariaDB Server
Component/s: Server, Tests, Triggers
Affects Version/s: 10.4
Fix Version/s: 10.4

Type: Bug
Priority: Major
Reporter: Elena Stepanova
Assignee: Oleksandr Byelkin
Resolution: Unresolved
Votes: 0
Labels: None


 Description   

http://buildbot.askmonty.org/buildbot/builders/kvm-fulltest-big/builds/2872

bb-10.4-release 1c27eb7ebd2c95008ba9b4fdfdee4061

parts.partition_basic_innodb 'innodb'    w2 [ fail ]
        Test ended at 2019-07-28 15:24:15
 
CURRENT_TEST: parts.partition_basic_innodb
mysqltest: In included file "./suite/parts/inc/partition_trigg3.inc": 
included from ./suite/parts/inc/partition_check.inc at line 1097:
included from ./suite/parts/inc/partition_methods2.inc at line 225:
included from ./suite/parts/inc/partition_basic.inc at line 36:
included from /mnt/buildbot/build/mariadb-10.4.7/mysql-test/suite/parts/t/partition_basic_innodb.test at line 81:
At line 38: query 'CREATE TRIGGER trg_3 $event ON t1 FOR EACH ROW
BEGIN
SET new.f_int1 = @my_max1 + @counter,
new.f_int2 = @my_min2 - @counter,
new.f_charbig = '####updated per insert trigger####';
SET @counter = @counter + 1;
END' failed: 2013: Lost connection to MySQL server during query
 
The result from queries just before the failure was:
< snip >
SET new.f_int1 = new.f_int1 + @max_row,
new.f_int2 = new.f_int2 - @max_row,
new.f_charbig = '####updated per update trigger####';
END|
UPDATE t1
SET f_int1 = f_int1 + @max_row, f_int2 = f_int2 - @max_row,
f_charbig = '####updated per update statement itself####';
	
# check trigger-10 success: 	1
DROP TRIGGER trg_2;
UPDATE t1 SET f_int1 = CAST(f_char1 AS SIGNED INT),
f_int2 = CAST(f_char1 AS SIGNED INT),
f_charbig = CONCAT('===',f_char1,'===');
CREATE TRIGGER trg_3 BEFORE INSERT ON t1 FOR EACH ROW
BEGIN
SET new.f_int1 = @my_max1 + @counter,
new.f_int2 = @my_min2 - @counter,
new.f_charbig = '####updated per insert trigger####';
SET @counter = @counter + 1;
END|
 
More results from queries before failure can be found in /mnt/buildbot/build/mariadb-10.4.7/mysql-test/var/2/log/partition_basic_innodb.log
 
 
Server [mysqld.1 - pid: 14848, winpid: 14848, exit: 256] failed during test run
Server log from this test:
----------SERVER LOG START-----------
=================================================================
==14849==ERROR: AddressSanitizer: use-after-poison on address 0x620000597aa0 at pc 0x000000a62abb bp 0x7ff8ea0dc720 sp 0x7ff8ea0dc710
READ of size 8 at 0x620000597aa0 thread T27
    #0 0xa62aba in Table_triggers_list::~Table_triggers_list() /home/buildbot/buildbot/build/mariadb-10.4.7/sql/sql_trigger.cc:1182
    #1 0xd22beb in intern_close_table /home/buildbot/buildbot/build/mariadb-10.4.7/sql/table_cache.cc:220
    #2 0xd22beb in tc_remove_table /home/buildbot/buildbot/build/mariadb-10.4.7/sql/table_cache.cc:260
    #3 0xd23c27 in tc_release_table(TABLE*) /home/buildbot/buildbot/build/mariadb-10.4.7/sql/table_cache.cc:474
    #4 0x75c4ea in close_thread_tables(THD*) /home/buildbot/buildbot/build/mariadb-10.4.7/sql/sql_base.cc:1020
    #5 0x892fca in mysql_execute_command(THD*) /home/buildbot/buildbot/build/mariadb-10.4.7/sql/sql_parse.cc:6164
    #6 0x8aac3a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/buildbot/buildbot/build/mariadb-10.4.7/sql/sql_parse.cc:7908
    #7 0x8afd3d in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/buildbot/buildbot/build/mariadb-10.4.7/sql/sql_parse.cc:1843
    #8 0x8b498c in do_command(THD*) /home/buildbot/buildbot/build/mariadb-10.4.7/sql/sql_parse.cc:1360
    #9 0xb46777 in do_handle_one_connection(CONNECT*) /home/buildbot/buildbot/build/mariadb-10.4.7/sql/sql_connect.cc:1404
    #10 0xb46b5a in handle_one_connection /home/buildbot/buildbot/build/mariadb-10.4.7/sql/sql_connect.cc:1306
    #11 0x13ac62b in pfs_spawn_thread /home/buildbot/buildbot/build/mariadb-10.4.7/storage/perfschema/pfs.cc:1862
    #12 0x7ff9016046b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #13 0x7ff900aab82c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10682c)
 
0x620000597aa0 is located 2592 bytes inside of 3944-byte region [0x620000597080,0x620000597fe8)
allocated by thread T27 here:
    #0 0x7ff9025b1602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x1dd1b5e in my_malloc /home/buildbot/buildbot/build/mariadb-10.4.7/mysys/my_malloc.c:101
    #2 0x1dbd995 in alloc_root /home/buildbot/buildbot/build/mariadb-10.4.7/mysys/my_alloc.c:250
    #3 0x881c2f in Query_arena::calloc(unsigned long) /home/buildbot/buildbot/build/mariadb-10.4.7/sql/sql_class.h:1052
    #4 0x881c2f in st_select_lex::add_table_to_list(THD*, Table_ident*, st_mysql_const_lex_string*, unsigned long, thr_lock_type, enum_mdl_type, List<Index_hint>*, List<String>*, st_mysql_lex_string*) /home/buildbot/buildbot/build/mariadb-10.4.7/sql/sql_parse.cc:8095
    #5 0x828ba2 in init_lex_with_single_table(THD*, TABLE*, LEX*) /home/buildbot/buildbot/build/mariadb-10.4.7/sql/sql_lex.cc:197
    #6 0x127817a in fix_fields_part_func /home/buildbot/buildbot/build/mariadb-10.4.7/sql/sql_partition.cc:837
    #7 0x127aefd in fix_partition_func(THD*, TABLE*, bool) /home/buildbot/buildbot/build/mariadb-10.4.7/sql/sql_partition.cc:2016
    #8 0xacc3c3 in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /home/buildbot/buildbot/build/mariadb-10.4.7/sql/table.cc:3824
    #9 0x761b3b in open_table(THD*, TABLE_LIST*, Open_table_context*) /home/buildbot/buildbot/build/mariadb-10.4.7/sql/sql_base.cc:2086
    #10 0x76ac01 in open_and_process_table /home/buildbot/buildbot/build/mariadb-10.4.7/sql/sql_base.cc:3841
    #11 0x76ac01 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /home/buildbot/buildbot/build/mariadb-10.4.7/sql/sql_base.cc:4341
    #12 0x8db6b9 in open_tables(THD*, TABLE_LIST**, unsigned int*, unsigned int) /home/buildbot/buildbot/build/mariadb-10.4.7/sql/sql_base.h:474
    #13 0x8db6b9 in mysql_test_update /home/buildbot/buildbot/build/mariadb-10.4.7/sql/sql_prepare.cc:1365
    #14 0x8db6b9 in check_prepared_statement /home/buildbot/buildbot/build/mariadb-10.4.7/sql/sql_prepare.cc:2330
    #15 0x8db6b9 in Prepared_statement::prepare(char const*, unsigned int) /home/buildbot/buildbot/build/mariadb-10.4.7/sql/sql_prepare.cc:4048
    #16 0x8df468 in mysqld_stmt_prepare(THD*, char const*, unsigned int) /home/buildbot/buildbot/build/mariadb-10.4.7/sql/sql_prepare.cc:2658
    #17 0x8af877 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/buildbot/buildbot/build/mariadb-10.4.7/sql/sql_parse.cc:1786
    #18 0x8b498c in do_command(THD*) /home/buildbot/buildbot/build/mariadb-10.4.7/sql/sql_parse.cc:1360
    #19 0xb46777 in do_handle_one_connection(CONNECT*) /home/buildbot/buildbot/build/mariadb-10.4.7/sql/sql_connect.cc:1404
    #20 0xb46b5a in handle_one_connection /home/buildbot/buildbot/build/mariadb-10.4.7/sql/sql_connect.cc:1306
    #21 0x13ac62b in pfs_spawn_thread /home/buildbot/buildbot/build/mariadb-10.4.7/storage/perfschema/pfs.cc:1862
    #22 0x7ff9016046b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
 
Thread T27 created by T0 here:
    #0 0x7ff90254f253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
    #1 0x13b4693 in spawn_thread_v1 /home/buildbot/buildbot/build/mariadb-10.4.7/storage/perfschema/pfs.cc:1912
    #2 0x664686 in inline_mysql_thread_create /home/buildbot/buildbot/build/mariadb-10.4.7/include/mysql/psi/mysql_thread.h:1268
    #3 0x664686 in create_thread_to_handle_connection(CONNECT*) /home/buildbot/buildbot/build/mariadb-10.4.7/sql/mysqld.cc:6238
    #4 0x6708e3 in create_new_thread(CONNECT*) /home/buildbot/buildbot/build/mariadb-10.4.7/sql/mysqld.cc:6308
    #5 0x670d20 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/buildbot/buildbot/build/mariadb-10.4.7/sql/mysqld.cc:6406
    #6 0x671950 in handle_connections_sockets() /home/buildbot/buildbot/build/mariadb-10.4.7/sql/mysqld.cc:6564
    #7 0x673981 in mysqld_main(int, char**) /home/buildbot/buildbot/build/mariadb-10.4.7/sql/mysqld.cc:5896
    #8 0x7ff9009c582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
 
SUMMARY: AddressSanitizer: use-after-poison /home/buildbot/buildbot/build/mariadb-10.4.7/sql/sql_trigger.cc:1182 Table_triggers_list::~Table_triggers_list()
Shadow bytes around the buggy address:
  0x0c40800aaf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c40800aaf10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c40800aaf20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c40800aaf30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c40800aaf40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c40800aaf50: 00 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c40800aaf60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c40800aaf70: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c40800aaf80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c40800aaf90: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c40800aafa0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==14849==ABORTING



 Comments   
Comment by Alice Sherepa [ 2020-03-03 ]

I got it locally on bb-10.5-mdev_742 89407acfc9caa3e473 (based on a recent 10.5)

==38477==ERROR: AddressSanitizer: use-after-poison on address 0x619005a9f888 at pc 0x55814282d653 bp 0x7ff9561635e0 sp 0x7ff9561635d8
READ of size 8 at 0x619005a9f888 thread T26
    #0 0x55814282d652 in Table_triggers_list::~Table_triggers_list() /742/sql/sql_trigger.cc:1198
    #1 0x558142b80c00 in intern_close_table /742/sql/table_cache.cc:219
    #2 0x558142b80f3d in tc_remove_table /742/sql/table_cache.cc:259
    #3 0x558142b823ea in tc_release_table(TABLE*) /742/sql/table_cache.cc:473
    #4 0x5581423e7390 in close_thread_table(THD*, TABLE**) /742/sql/sql_base.cc:1070
    #5 0x5581423e6a23 in close_thread_tables(THD*) /742/sql/sql_base.cc:1012
    #6 0x55814258fd94 in mysql_execute_command(THD*) /742/sql/sql_parse.cc:5949
    #7 0x55814259ca5d in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /742/sql/sql_parse.cc:7921
    #8 0x5581425732b7 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /742/sql/sql_parse.cc:1844
    #9 0x55814256fd05 in do_command(THD*) /742/sql/sql_parse.cc:1363
    #10 0x558142987f4b in do_handle_one_connection(CONNECT*, bool) /742/sql/sql_connect.cc:1422
    #11 0x5581429877e1 in handle_one_connection /742/sql/sql_connect.cc:1319
    #12 0x7ff97f394fa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
    #13 0x7ff97e9c54ce in clone (/lib/x86_64-linux-gnu/libc.so.6+0xf94ce)
 
0x619005a9f888 is located 520 bytes inside of 1100-byte region [0x619005a9f680,0x619005a9facc)
allocated by thread T26 here:
    #0 0x7ff97f497330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x5581441d2a82 in sf_malloc /742/mysys/safemalloc.c:118
    #2 0x5581441a147b in my_malloc /742/mysys/my_malloc.c:101
    #3 0x55814417e8bb in alloc_root /742/mysys/my_alloc.c:250
    #4 0x55814417ffe0 in strmake_root /742/mysys/my_alloc.c:480
    #5 0x5581428aa45f in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /742/sql/table.cc:3766
    #6 0x5581423ec068 in open_table(THD*, TABLE_LIST*, Open_table_context*) /742/sql/sql_base.cc:2070
    #7 0x5581423f5388 in open_and_process_table /742/sql/sql_base.cc:3837
    #8 0x5581423f7e7d in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /742/sql/sql_base.cc:4309
    #9 0x5581423fd2a5 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /742/sql/sql_base.cc:5204
    #10 0x5581423e165f in open_and_lock_tables /742/sql/sql_base.h:271
    #11 0x5581423fc1f3 in open_n_lock_single_table(THD*, TABLE_LIST*, thr_lock_type, unsigned int, Prelocking_strategy*) /742/sql/sql_base.cc:5047
    #12 0x55814283818f in open_n_lock_single_table(THD*, TABLE_LIST*, thr_lock_type, unsigned int) /742/sql/sql_base.h:483
    #13 0x5581428299c8 in mysql_create_or_drop_trigger(THD*, TABLE_LIST*, bool) /742/sql/sql_trigger.cc:543
    #14 0x55814258e63a in mysql_execute_command(THD*) /742/sql/sql_parse.cc:5711
    #15 0x55814259ca5d in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /742/sql/sql_parse.cc:7921
    #16 0x5581425732b7 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /742/sql/sql_parse.cc:1844
    #17 0x55814256fd05 in do_command(THD*) /742/sql/sql_parse.cc:1363
    #18 0x558142987f4b in do_handle_one_connection(CONNECT*, bool) /742/sql/sql_connect.cc:1422
    #19 0x5581429877e1 in handle_one_connection /742/sql/sql_connect.cc:1319
    #20 0x7ff97f394fa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
 
Thread T26 created by T0 here:
    #0 0x7ff97f3fedb0 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
    #1 0x558144204cc7 in spawn_thread_noop /742/mysys/psi_noop.c:187
    #2 0x5581422808b5 in inline_mysql_thread_create /742/include/mysql/psi/mysql_thread.h:1275
    #3 0x558142297021 in create_thread_to_handle_connection(CONNECT*) /742/sql/mysqld.cc:6065
    #4 0x55814229768f in create_new_thread(CONNECT*) /742/sql/mysqld.cc:6124
    #5 0x5581422979f3 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /742/sql/mysqld.cc:6189
    #6 0x558142298632 in handle_connections_sockets() /742/sql/mysqld.cc:6316
    #7 0x55814229677e in mysqld_main(int, char**) /742/sql/mysqld.cc:5728
    #8 0x55814227e784 in main /742/sql/main.cc:25
    #9 0x7ff97e8f009a in __libc_start_main ../csu/libc-start.c:308
 
SUMMARY: AddressSanitizer: use-after-poison /742/sql/sql_trigger.cc:1198 in Table_triggers_list::~Table_triggers_list()
Shadow bytes around the buggy address:
  0x0c3280b4bec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280b4bed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280b4bee0: 00 f7 00 06 f7 05 05 f7 00 00 f7 00 00 00 00 00
  0x0c3280b4bef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280b4bf00: 00 00 00 00 00 00 f7 00 00 00 04 f7 00 00 f7 f7
=>0x0c3280b4bf10: f7[f7]f7 f7 f7 f7 f7 f7 f7 f
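
Added example (not part of the ticket or of MariaDB's tooling): a small Python triage helper that reduces each AddressSanitizer report above to a signature of bug type, access kind and top faulting frames, so the buildbot 10.4 report and the local 10.5 report can be compared despite different addresses, paths and line numbers. The embedded reports are abridged excerpts from this page; the function name triage and the depth of four frames are choices made for this example.

```python
import re

# Abridged excerpts of the two reports on this page: header, top four frames of the
# faulting stack, the region line and the marked shadow line. No values are constructed.
BUILDBOT_10_4 = """\
==14849==ERROR: AddressSanitizer: use-after-poison on address 0x620000597aa0 at pc 0x000000a62abb bp 0x7ff8ea0dc720 sp 0x7ff8ea0dc710
READ of size 8 at 0x620000597aa0 thread T27
    #0 0xa62aba in Table_triggers_list::~Table_triggers_list() /home/buildbot/buildbot/build/mariadb-10.4.7/sql/sql_trigger.cc:1182
    #1 0xd22beb in intern_close_table /home/buildbot/buildbot/build/mariadb-10.4.7/sql/table_cache.cc:220
    #2 0xd22beb in tc_remove_table /home/buildbot/buildbot/build/mariadb-10.4.7/sql/table_cache.cc:260
    #3 0xd23c27 in tc_release_table(TABLE*) /home/buildbot/buildbot/build/mariadb-10.4.7/sql/table_cache.cc:474

0x620000597aa0 is located 2592 bytes inside of 3944-byte region [0x620000597080,0x620000597fe8)
=>0x0c40800aaf50: 00 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
"""
LOCAL_10_5 = """\
==38477==ERROR: AddressSanitizer: use-after-poison on address 0x619005a9f888 at pc 0x55814282d653 bp 0x7ff9561635e0 sp 0x7ff9561635d8
READ of size 8 at 0x619005a9f888 thread T26
    #0 0x55814282d652 in Table_triggers_list::~Table_triggers_list() /742/sql/sql_trigger.cc:1198
    #1 0x558142b80c00 in intern_close_table /742/sql/table_cache.cc:219
    #2 0x558142b80f3d in tc_remove_table /742/sql/table_cache.cc:259
    #3 0x558142b823ea in tc_release_table(TABLE*) /742/sql/table_cache.cc:473

0x619005a9f888 is located 520 bytes inside of 1100-byte region [0x619005a9f680,0x619005a9facc)
=>0x0c3280b4bf10: f7[f7]f7 f7 f7 f7 f7 f7 f7 f
"""

# Subset of the shadow byte legend printed in the report.
LEGEND = {"00": "Addressable", "fa": "Heap left redzone", "fd": "Freed heap region",
          "f7": "Poisoned by user"}
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.+) \S+$", re.M)

def triage(report, depth=4):
    """Return (signature, details); the signature ignores addresses, paths and line numbers."""
    kind = re.search(r"AddressSanitizer: (\S+) on address", report).group(1)
    access = re.search(r"^(READ|WRITE) of size (\d+)", report, re.M).group(1, 2)
    fault_stack = re.split(r"\n\s*\n", report)[0]   # frames before the first blank line
    funcs = [re.sub(r"\(.*\)$", "", f) for f in FRAME.findall(fault_stack)]  # drop argument lists
    offset, size = map(int, re.search(r"located (\d+) bytes inside of (\d+)-byte", report).groups())
    marked = re.search(r"^=>.*\[([0-9a-f]{2})\]", report, re.M).group(1)  # byte ASan bracketed
    signature = (kind, access[0], tuple(funcs[:depth]))
    return signature, {"access_size": int(access[1]), "offset": offset,
                       "region_size": size, "shadow": LEGEND.get(marked, "unknown")}

sig_a, info_a = triage(BUILDBOT_10_4)
sig_b, info_b = triage(LOCAL_10_5)
print("same signature:", sig_a == sig_b)
print(sig_a, info_a, info_b, sep="\n")
```

Both reports reduce to the same signature, and the bracketed shadow byte f7 maps to "Poisoned by user" in the report's own legend. A depth above four would split them, because the 10.5 trace has a close_thread_table frame that the 10.4 trace lacks.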
