[MDEV-21630] Server crashes in mysql_derived_prepare on 2nd execution of SP with views, ASAN: heap-use-after-free in mysql_derived_prepare Created: 2020-02-01  Updated: 2023-12-12

Status: Confirmed
Project: MariaDB Server
Component/s: Data Manipulation - Update, Stored routines, Views
Affects Version/s: 10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10, 10.11, 11.0
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Dmitry Shulga
Resolution: Unresolved Votes: 0
Labels: ASAN, memory_not_freed

Issue Links:
Relates
relates to MDEV-19817 Server crashes in Multiupdate_prelock... Confirmed
relates to MDEV-20410 Pure virtual method called in Item_re... Closed
relates to MDEV-33001 ASAN heap-use-after-free in mysql_ins... Open
relates to MDEV-24823 Crash with invalid multi-table update... Closed

 Description   

We have other open bugs for multi-update (and of course for views and 2nd execution), but I haven't found the exact match, so I'm filing it separately.

CREATE TABLE t1 (a INT);
CREATE ALGORITHM=MERGE VIEW v1 AS SELECT a FROM t1;
CREATE ALGORITHM=MERGE VIEW v2 AS SELECT * FROM ( SELECT v1.a FROM t1, v1 ) AS sq;
CREATE PROCEDURE p() UPDATE v2 SET a = 2;
 
# 1st execution: v2 is not updatable, so the UPDATE fails with the expected error
--error ER_NON_UPDATABLE_TABLE
CALL p;
# Redefine the base table between the two executions
CREATE OR REPLACE TABLE t1 (b INT);
# 2nd execution: server crashes in mysql_derived_prepare
CALL p;
 
# Cleanup
DROP PROCEDURE p;
DROP VIEW v2;
DROP VIEW v1;
DROP TABLE t1;

10.4 d87b725e

#3  <signal handler called>
#4  0x0000559533b1a574 in mysql_derived_prepare (thd=0x7f4090000af0, lex=0x7f409013ec68, derived=0x7f4090047a08) at /data/src/10.4/sql/sql_derived.cc:908
#5  0x0000559533b19227 in mysql_derived_merge_for_insert (thd=0x7f4090000af0, lex=0x7f409013ec68, derived=0x7f4090047a08) at /data/src/10.4/sql/sql_derived.cc:541
#6  0x0000559533b18326 in mysql_handle_derived (lex=0x7f409013ec68, phases=16) at /data/src/10.4/sql/sql_derived.cc:126
#7  0x0000559533c863c5 in Multiupdate_prelocking_strategy::handle_end (this=0x7f40a005aa10, thd=0x7f4090000af0) at /data/src/10.4/sql/sql_update.cc:1680
#8  0x0000559533c86bb5 in mysql_multi_update_prepare (thd=0x7f4090000af0) at /data/src/10.4/sql/sql_update.cc:1846
#9  0x0000559533b74b6a in mysql_execute_command (thd=0x7f4090000af0) at /data/src/10.4/sql/sql_parse.cc:4408
#10 0x0000559533a8412e in sp_instr_stmt::exec_core (this=0x7f40901860d8, thd=0x7f4090000af0, nextp=0x7f40a005b6a4) at /data/src/10.4/sql/sp_head.cc:3683
#11 0x0000559533a83503 in sp_lex_keeper::reset_lex_and_exec_core (this=0x7f4090186120, thd=0x7f4090000af0, nextp=0x7f40a005b6a4, open_tables=false, instr=0x7f40901860d8) at /data/src/10.4/sql/sp_head.cc:3415
#12 0x0000559533a83cf2 in sp_instr_stmt::execute (this=0x7f40901860d8, thd=0x7f4090000af0, nextp=0x7f40a005b6a4) at /data/src/10.4/sql/sp_head.cc:3589
#13 0x0000559533a7d3eb in sp_head::execute (this=0x7f4090184ba8, thd=0x7f4090000af0, merge_da_on_success=true) at /data/src/10.4/sql/sp_head.cc:1361
#14 0x0000559533a8021f in sp_head::execute_procedure (this=0x7f4090184ba8, thd=0x7f4090000af0, args=0x7f40900058e0) at /data/src/10.4/sql/sp_head.cc:2366
#15 0x0000559533b7018d in do_execute_sp (thd=0x7f4090000af0, sp=0x7f4090184ba8) at /data/src/10.4/sql/sql_parse.cc:3015
#16 0x0000559533b70e74 in Sql_cmd_call::execute (this=0x7f4090013240, thd=0x7f4090000af0) at /data/src/10.4/sql/sql_parse.cc:3257
#17 0x0000559533b7c241 in mysql_execute_command (thd=0x7f4090000af0) at /data/src/10.4/sql/sql_parse.cc:6102
#18 0x0000559533b81903 in mysql_parse (thd=0x7f4090000af0, rawbuf=0x7f4090013198 "CALL p", length=6, parser_state=0x7f40a005d160, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:7901
#19 0x0000559533b6cad0 in dispatch_command (command=COM_QUERY, thd=0x7f4090000af0, packet=0x7f40900083a1 "CALL p", packet_length=6, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1842
#20 0x0000559533b6b15d in do_command (thd=0x7f4090000af0) at /data/src/10.4/sql/sql_parse.cc:1360
#21 0x0000559533cf4377 in do_handle_one_connection (connect=0x559537e0c7d0) at /data/src/10.4/sql/sql_connect.cc:1412
#22 0x0000559533cf40c6 in handle_one_connection (arg=0x559537e0c7d0) at /data/src/10.4/sql/sql_connect.cc:1316
#23 0x00005595346fc8c9 in pfs_spawn_thread (arg=0x559537d2fa90) at /data/src/10.4/storage/perfschema/pfs.cc:1869
#24 0x00007f40a7e3c4a4 in start_thread (arg=0x7f40a005e700) at pthread_create.c:456
#25 0x00007f40a5f70d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

Fails the same way on debug and non-debug builds.
Reproducible with at least MyISAM, InnoDB, Aria.
Reproducible on 10.2-10.5, the test case is not applicable to 10.1.
 Comments   
Comment by Roel Van de Paar [ 2023-02-24 ]

Additional testcase. Note that the t, in the UPDATE is necessary, or we will get ERROR 1288 (HY000): The target table d of the UPDATE is not updatable, which gives a hint as to where the issue may be.

CREATE PROCEDURE p() UPDATE t,(SELECT 1 FROM (SELECT 1 FROM t WHERE c=0) a) d SET c=1;
CREATE TABLE t (a INT) ENGINE=InnoDB;
# The temporary table shadows the base table t for the first execution
CREATE TEMPORARY TABLE t (c INT) ENGINE=InnoDB;
CALL p();
# After the drop, t resolves to the base table again (which has no column c)
DROP TEMPORARY TABLE t;
CALL p();

Leads to:

11.0.1 f2dc4d4c10ac36a73b5c1eb765352d3aee808d66 (Debug)

Core was generated by `/test/MD180223-mariadb-11.0.1-linux-x86_64-dbg/bin/mariadbd --no-defaults --cor'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00005638afc69d62 in mysql_derived_prepare (thd=thd@entry=0x14ab60000d58, 
    lex=lex@entry=0x14ab60046020, derived=derived@entry=0x14ab6004a890)
    at /test/11.0_dbg/sql/sql_derived.cc:949
949	      delete derived->derived_result;
[Current thread is 1 (Thread 0x14ac1808d640 (LWP 1874037))]
(gdb) bt
#0  0x00005638afc69d62 in mysql_derived_prepare (thd=thd@entry=0x14ab60000d58, lex=lex@entry=0x14ab60046020, derived=derived@entry=0x14ab6004a890) at /test/11.0_dbg/sql/sql_derived.cc:949
#1  0x00005638afc69e80 in mysql_derived_merge_for_insert (thd=0x14ab60000d58, lex=0x14ab60046020, derived=0x14ab6004a890) at /test/11.0_dbg/sql/sql_derived.cc:532
#2  0x00005638afc679a9 in mysql_handle_derived (lex=lex@entry=0x14ab60046020, phases=phases@entry=16) at /test/11.0_dbg/sql/sql_derived.cc:123
#3  0x00005638afdb630a in Multiupdate_prelocking_strategy::handle_end (this=0x14ac1808a910, thd=0x14ab60000d58) at /test/11.0_dbg/sql/sql_update.cc:1733
#4  0x00005638afc3a79d in open_tables (thd=thd@entry=0x14ab60000d58, options=@0x14ab60047660: {m_options = DDL_options_st::OPT_NONE}, start=start@entry=0x14ac1808a908, counter=counter@entry=0x14ac1808a904, flags=0, prelocking_strategy=prelocking_strategy@entry=0x14ac1808a910) at /test/11.0_dbg/sql/sql_base.cc:4709
#5  0x00005638afdb85ab in open_tables (prelocking_strategy=0x14ac1808a910, flags=<optimized out>, counter=0x14ac1808a904, tables=0x14ac1808a908, thd=0x14ab60000d58) at /test/11.0_dbg/sql/sql_base.h:266
#6  mysql_multi_update_prepare (thd=thd@entry=0x14ab60000d58) at /test/11.0_dbg/sql/sql_update.cc:1890
#7  0x00005638afcb5a68 in mysql_execute_command (thd=0x14ab60000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/11.0_dbg/sql/sql_parse.cc:4455
#8  0x00005638afbf23c2 in sp_instr_stmt::exec_core (this=0x14ab60049bc0, thd=<optimized out>, nextp=0x14ac1808b374) at /test/11.0_dbg/sql/sp_head.cc:3857
#9  0x00005638afbff5d4 in sp_lex_keeper::reset_lex_and_exec_core (this=this@entry=0x14ab60049c08, thd=thd@entry=0x14ab60000d58, nextp=nextp@entry=0x14ac1808b374, open_tables=open_tables@entry=false, instr=instr@entry=0x14ab60049bc0) at /test/11.0_dbg/sql/sp_head.cc:3582
#10 0x00005638afbffd43 in sp_instr_stmt::execute (this=0x14ab60049bc0, thd=0x14ab60000d58, nextp=0x14ac1808b374) at /test/11.0_dbg/sql/sp_head.cc:3763
#11 0x00005638afbf8338 in sp_head::execute (this=this@entry=0x14ab60044000, thd=thd@entry=0x14ab60000d58, merge_da_on_success=merge_da_on_success@entry=true) at /test/11.0_dbg/sql/sp_head.cc:1459
#12 0x00005638afbfa5da in sp_head::execute_procedure (this=0x14ab60044000, thd=thd@entry=0x14ab60000d58, args=0x14ab60005ed8) at /test/11.0_dbg/sql/sp_head.cc:2446
#13 0x00005638afca8473 in do_execute_sp (thd=thd@entry=0x14ab60000d58, sp=sp@entry=0x14ab60044000) at /test/11.0_dbg/sql/sql_parse.cc:3026
#14 0x00005638afcacc00 in Sql_cmd_call::execute (this=0x14ab600131e8, thd=0x14ab60000d58) at /test/11.0_dbg/sql/sql_parse.cc:3271
#15 0x00005638afcb9db6 in mysql_execute_command (thd=thd@entry=0x14ab60000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/11.0_dbg/sql/sql_parse.cc:6003
#16 0x00005638afcbb7cf in mysql_parse (thd=thd@entry=0x14ab60000d58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14ac1808c2c0) at /test/11.0_dbg/sql/sql_parse.cc:8002
#17 0x00005638afcbd963 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14ab60000d58, packet=packet@entry=0x14ab6000ae19 "CALL p()", packet_length=packet_length@entry=8, blocking=blocking@entry=true) at /test/11.0_dbg/sql/sql_class.h:242
#18 0x00005638afcbf7bc in do_command (thd=0x14ab60000d58, blocking=blocking@entry=true) at /test/11.0_dbg/sql/sql_parse.cc:1407
#19 0x00005638afe106e2 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5638b26ec358, put_in_cache=put_in_cache@entry=true) at /test/11.0_dbg/sql/sql_connect.cc:1416
#20 0x00005638afe10941 in handle_one_connection (arg=0x5638b26ec358) at /test/11.0_dbg/sql/sql_connect.cc:1318
#21 0x000014ac371d0b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#22 0x000014ac37262a00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Bug confirmed present in:
MariaDB: 10.3.38 (dbg), 10.4.29 (dbg), 10.4.29 (opt), 10.5.20 (dbg), 10.5.20 (opt), 10.6.13 (dbg), 10.7.8 (dbg), 10.8.8 (dbg), 10.9.6 (dbg), 10.10.4 (dbg), 10.11.2 (dbg), 11.0.1 (dbg)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.3.38 (opt), 10.6.13 (opt), 10.7.8 (opt), 10.8.8 (opt), 10.9.6 (opt), 10.10.4 (opt), 10.11.2 (opt), 11.0.1 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.40 (dbg), 5.7.40 (opt), 8.0.31 (dbg), 8.0.31 (opt)

Comment by Roel Van de Paar [ 2023-02-24 ]

The testcase in the previous comment also produces two ASAN heap-use-after-free stacks on dbg/opt:

11.0.1 4d09050ca77a7efac4565d46e4bcd85a5f210c53 (Debug, UBASAN)

==1926638==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000071358 at pc 0x555e6d806783 bp 0x1536f4d0d710 sp 0x1536f4d0d700
READ of size 8 at 0x625000071358 thread T19
    #0 0x555e6d806782 in mysql_derived_prepare /test/11.0_dbg_san/sql/sql_derived.cc:947
    #1 0x555e6d80743d in mysql_derived_merge_for_insert /test/11.0_dbg_san/sql/sql_derived.cc:532
    #2 0x555e6d7f5ac3 in mysql_handle_derived(LEX*, unsigned int) /test/11.0_dbg_san/sql/sql_derived.cc:123
    #3 0x555e6e22033d in Multiupdate_prelocking_strategy::handle_end(THD*) /test/11.0_dbg_san/sql/sql_update.cc:1731
    #4 0x555e6d67a01a in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /test/11.0_dbg_san/sql/sql_base.cc:4709
    #5 0x555e6e2321cf in open_tables /test/11.0_dbg_san/sql/sql_base.h:266
    #6 0x555e6e2321cf in mysql_multi_update_prepare(THD*) /test/11.0_dbg_san/sql/sql_update.cc:1888
    #7 0x555e6daad310 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:4453
    #8 0x555e6d478ecd in sp_instr_stmt::exec_core(THD*, unsigned int*) /test/11.0_dbg_san/sql/sp_head.cc:3857
    #9 0x555e6d4da0d7 in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) /test/11.0_dbg_san/sql/sp_head.cc:3582
    #10 0x555e6d4e00dc in sp_instr_stmt::execute(THD*, unsigned int*) /test/11.0_dbg_san/sql/sp_head.cc:3763
    #11 0x555e6d4a6fc3 in sp_head::execute(THD*, bool) /test/11.0_dbg_san/sql/sp_head.cc:1459
    #12 0x555e6d4b6442 in sp_head::execute_procedure(THD*, List<Item>*) /test/11.0_dbg_san/sql/sp_head.cc:2446
    #13 0x555e6da45d4e in do_execute_sp /test/11.0_dbg_san/sql/sql_parse.cc:3026
    #14 0x555e6da62c42 in Sql_cmd_call::execute(THD*) /test/11.0_dbg_san/sql/sql_parse.cc:3271
    #15 0x555e6dacafac in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:6001
    #16 0x555e6dad48b1 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8000
    #17 0x555e6dae460f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
    #18 0x555e6daf23d9 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
    #19 0x555e6e494503 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
    #20 0x555e6e495a1e in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
    #21 0x153717ac4b42 in start_thread nptl/pthread_create.c:442
    #22 0x153717b569ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
 
0x625000071358 is located 2648 bytes inside of 8208-byte region [0x625000070900,0x625000072910)
freed by thread T19 here:
    #0 0x555e6d16bfc7 in __interceptor_free (/test/UBASAN_MD130223-mariadb-11.0.1-linux-x86_64-dbg/bin/mariadbd+0x789bfc7)
    #1 0x555e717d6b63 in my_free /test/11.0_dbg_san/mysys/my_malloc.c:213
    #2 0x555e717b5247 in root_free /test/11.0_dbg_san/mysys/my_alloc.c:78
    #3 0x555e717b7569 in free_root /test/11.0_dbg_san/mysys/my_alloc.c:495
    #4 0x555e6d4a9e37 in sp_head::execute(THD*, bool) /test/11.0_dbg_san/sql/sp_head.cc:1548
    #5 0x555e6d4b6442 in sp_head::execute_procedure(THD*, List<Item>*) /test/11.0_dbg_san/sql/sp_head.cc:2446
    #6 0x555e6da45d4e in do_execute_sp /test/11.0_dbg_san/sql/sql_parse.cc:3026
    #7 0x555e6da62c42 in Sql_cmd_call::execute(THD*) /test/11.0_dbg_san/sql/sql_parse.cc:3271
    #8 0x555e6dacafac in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:6001
    #9 0x555e6dad48b1 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8000
    #10 0x555e6dae460f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
    #11 0x555e6daf23d9 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
    #12 0x555e6e494503 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
    #13 0x555e6e495a1e in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
    #14 0x153717ac4b42 in start_thread nptl/pthread_create.c:442
 
previously allocated by thread T19 here:
    #0 0x555e6d16c317 in __interceptor_malloc (/test/UBASAN_MD130223-mariadb-11.0.1-linux-x86_64-dbg/bin/mariadbd+0x789c317)
    #1 0x555e717d6805 in my_malloc /test/11.0_dbg_san/mysys/my_malloc.c:91
    #2 0x555e717b50d8 in root_alloc /test/11.0_dbg_san/mysys/my_alloc.c:66
    #3 0x555e717b6528 in alloc_root /test/11.0_dbg_san/mysys/my_alloc.c:332
    #4 0x555e6da4b2d4 in Query_arena::memdup_w_gap(void const*, unsigned long, unsigned long) /test/11.0_dbg_san/sql/sql_class.h:1210
    #5 0x555e6da4b2d4 in alloc_query(THD*, char const*, unsigned long) /test/11.0_dbg_san/sql/sql_parse.cc:2727
    #6 0x555e6d4ddd89 in sp_instr_stmt::execute(THD*, unsigned int*) /test/11.0_dbg_san/sql/sp_head.cc:3750
    #7 0x555e6d4a6fc3 in sp_head::execute(THD*, bool) /test/11.0_dbg_san/sql/sp_head.cc:1459
    #8 0x555e6d4b6442 in sp_head::execute_procedure(THD*, List<Item>*) /test/11.0_dbg_san/sql/sp_head.cc:2446
    #9 0x555e6da45d4e in do_execute_sp /test/11.0_dbg_san/sql/sql_parse.cc:3026
    #10 0x555e6da62c42 in Sql_cmd_call::execute(THD*) /test/11.0_dbg_san/sql/sql_parse.cc:3271
    #11 0x555e6dacafac in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:6001
    #12 0x555e6dad48b1 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8000
    #13 0x555e6dae460f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
    #14 0x555e6daf23d9 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
    #15 0x555e6e494503 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
    #16 0x555e6e495a1e in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
    #17 0x153717ac4b42 in start_thread nptl/pthread_create.c:442
 
Thread T19 created by T0 here:
    #0 0x555e6d110155 in __interceptor_pthread_create (/test/UBASAN_MD130223-mariadb-11.0.1-linux-x86_64-dbg/bin/mariadbd+0x7840155)
    #1 0x555e6d1c6068 in create_thread_to_handle_connection(CONNECT*) /test/11.0_dbg_san/sql/mysqld.cc:6100
    #2 0x555e6d1d33a1 in create_new_thread(CONNECT*) /test/11.0_dbg_san/sql/mysqld.cc:6159
    #3 0x555e6d1d3bfd in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.0_dbg_san/sql/mysqld.cc:6221
    #4 0x555e6d1d4c4e in handle_connections_sockets() /test/11.0_dbg_san/sql/mysqld.cc:6345
    #5 0x555e6d1dc4df in mysqld_main(int, char**) /test/11.0_dbg_san/sql/mysqld.cc:5995
    #6 0x555e6d1b1eaa in main /test/11.0_dbg_san/sql/main.cc:34
    #7 0x153717a59d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
 
SUMMARY: AddressSanitizer: heap-use-after-free /test/11.0_dbg_san/sql/sql_derived.cc:947 in mysql_derived_prepare
Shadow bytes around the buggy address:
  0x0c4a80006210: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a80006220: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a80006230: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a80006240: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a80006250: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c4a80006260: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd
  0x0c4a80006270: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a80006280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a80006290: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a800062a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a800062b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc

11.0.1 4d09050ca77a7efac4565d46e4bcd85a5f210c53 (Optimized, UBASAN)

==1913760==ERROR: AddressSanitizer: heap-use-after-free on address 0x6250000a5b48 at pc 0x55ec92be9b7e bp 0x1543ad0d8350 sp 0x1543ad0d8340
READ of size 8 at 0x6250000a5b48 thread T18
    #0 0x55ec92be9b7d in mysql_derived_prepare /test/11.0_opt_san/sql/sql_derived.cc:947
    #1 0x55ec92bd975e in mysql_handle_derived(LEX*, unsigned int) /test/11.0_opt_san/sql/sql_derived.cc:123
    #2 0x55ec9355fc3d in Multiupdate_prelocking_strategy::handle_end(THD*) /test/11.0_opt_san/sql/sql_update.cc:1731
    #3 0x55ec92a7ab75 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /test/11.0_opt_san/sql/sql_base.cc:4709
    #4 0x55ec93590a3f in open_tables /test/11.0_opt_san/sql/sql_base.h:266
    #5 0x55ec93590a3f in mysql_multi_update_prepare(THD*) /test/11.0_opt_san/sql/sql_update.cc:1888
    #6 0x55ec92e7dc0e in mysql_execute_command(THD*, bool) /test/11.0_opt_san/sql/sql_parse.cc:4453
    #7 0x55ec9288b69f in sp_instr_stmt::exec_core(THD*, unsigned int*) /test/11.0_opt_san/sql/sp_head.cc:3857
    #8 0x55ec928e1415 in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) /test/11.0_opt_san/sql/sp_head.cc:3582
    #9 0x55ec928e7dbd in sp_instr_stmt::execute(THD*, unsigned int*) /test/11.0_opt_san/sql/sp_head.cc:3763
    #10 0x55ec928b42fa in sp_head::execute(THD*, bool) /test/11.0_opt_san/sql/sp_head.cc:1459
    #11 0x55ec928c0608 in sp_head::execute_procedure(THD*, List<Item>*) /test/11.0_opt_san/sql/sp_head.cc:2446
    #12 0x55ec92e20152 in do_execute_sp /test/11.0_opt_san/sql/sql_parse.cc:3026
    #13 0x55ec92e3de3a in Sql_cmd_call::execute(THD*) /test/11.0_opt_san/sql/sql_parse.cc:3271
    #14 0x55ec92e766dc in mysql_execute_command(THD*, bool) /test/11.0_opt_san/sql/sql_parse.cc:6001
    #15 0x55ec92e9a542 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_opt_san/sql/sql_parse.cc:8000
    #16 0x55ec92ea7fa5 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_opt_san/sql/sql_parse.cc:1894
    #17 0x55ec92eb1700 in do_command(THD*, bool) /test/11.0_opt_san/sql/sql_parse.cc:1407
    #18 0x55ec9379203c in do_handle_one_connection(CONNECT*, bool) /test/11.0_opt_san/sql/sql_connect.cc:1416
    #19 0x55ec9379463c in handle_one_connection /test/11.0_opt_san/sql/sql_connect.cc:1318
    #20 0x1543cfa11b42 in start_thread nptl/pthread_create.c:442
    #21 0x1543cfaa39ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
 
0x6250000a5b48 is located 2632 bytes inside of 8208-byte region [0x6250000a5100,0x6250000a7110)
freed by thread T18 here:
    #0 0x55ec925ce4e7 in __interceptor_free (/test/UBASAN_MD130223-mariadb-11.0.1-linux-x86_64-opt/bin/mariadbd+0x79094e7)
    #1 0x55ec9691e166 in root_free /test/11.0_opt_san/mysys/my_alloc.c:78
    #2 0x55ec9691e166 in free_root /test/11.0_opt_san/mysys/my_alloc.c:495
    #3 0x55ec928b4e30 in sp_head::execute(THD*, bool) /test/11.0_opt_san/sql/sp_head.cc:1548
    #4 0x55ec928c0608 in sp_head::execute_procedure(THD*, List<Item>*) /test/11.0_opt_san/sql/sp_head.cc:2446
    #5 0x55ec92e20152 in do_execute_sp /test/11.0_opt_san/sql/sql_parse.cc:3026
    #6 0x55ec92e3de3a in Sql_cmd_call::execute(THD*) /test/11.0_opt_san/sql/sql_parse.cc:3271
    #7 0x55ec92e766dc in mysql_execute_command(THD*, bool) /test/11.0_opt_san/sql/sql_parse.cc:6001
    #8 0x55ec92e9a542 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_opt_san/sql/sql_parse.cc:8000
    #9 0x55ec92ea7fa5 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_opt_san/sql/sql_parse.cc:1894
    #10 0x55ec92eb1700 in do_command(THD*, bool) /test/11.0_opt_san/sql/sql_parse.cc:1407
    #11 0x55ec9379203c in do_handle_one_connection(CONNECT*, bool) /test/11.0_opt_san/sql/sql_connect.cc:1416
    #12 0x55ec9379463c in handle_one_connection /test/11.0_opt_san/sql/sql_connect.cc:1318
    #13 0x1543cfa11b42 in start_thread nptl/pthread_create.c:442
 
previously allocated by thread T18 here:
    #0 0x55ec925ce837 in malloc (/test/UBASAN_MD130223-mariadb-11.0.1-linux-x86_64-opt/bin/mariadbd+0x7909837)
    #1 0x55ec96941724 in my_malloc /test/11.0_opt_san/mysys/my_malloc.c:91
    #2 0x55ec9691d11c in root_alloc /test/11.0_opt_san/mysys/my_alloc.c:66
    #3 0x55ec9691d11c in alloc_root /test/11.0_opt_san/mysys/my_alloc.c:332
    #4 0x55ec92e2a06e in Query_arena::memdup_w_gap(void const*, unsigned long, unsigned long) /test/11.0_opt_san/sql/sql_class.h:1210
    #5 0x55ec92e2a06e in alloc_query(THD*, char const*, unsigned long) /test/11.0_opt_san/sql/sql_parse.cc:2727
    #6 0x55ec928e5de0 in sp_instr_stmt::execute(THD*, unsigned int*) /test/11.0_opt_san/sql/sp_head.cc:3750
    #7 0x55ec928b42fa in sp_head::execute(THD*, bool) /test/11.0_opt_san/sql/sp_head.cc:1459
    #8 0x55ec928c0608 in sp_head::execute_procedure(THD*, List<Item>*) /test/11.0_opt_san/sql/sp_head.cc:2446
    #9 0x55ec92e20152 in do_execute_sp /test/11.0_opt_san/sql/sql_parse.cc:3026
    #10 0x55ec92e3de3a in Sql_cmd_call::execute(THD*) /test/11.0_opt_san/sql/sql_parse.cc:3271
    #11 0x55ec92e766dc in mysql_execute_command(THD*, bool) /test/11.0_opt_san/sql/sql_parse.cc:6001
    #12 0x55ec92e9a542 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_opt_san/sql/sql_parse.cc:8000
    #13 0x55ec92ea7fa5 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_opt_san/sql/sql_parse.cc:1894
    #14 0x55ec92eb1700 in do_command(THD*, bool) /test/11.0_opt_san/sql/sql_parse.cc:1407
    #15 0x55ec9379203c in do_handle_one_connection(CONNECT*, bool) /test/11.0_opt_san/sql/sql_connect.cc:1416
    #16 0x55ec9379463c in handle_one_connection /test/11.0_opt_san/sql/sql_connect.cc:1318
    #17 0x1543cfa11b42 in start_thread nptl/pthread_create.c:442
 
Thread T18 created by T0 here:
    #0 0x55ec92572675 in pthread_create (/test/UBASAN_MD130223-mariadb-11.0.1-linux-x86_64-opt/bin/mariadbd+0x78ad675)
    #1 0x55ec92626d3e in create_thread_to_handle_connection(CONNECT*) /test/11.0_opt_san/sql/mysqld.cc:6100
    #2 0x55ec9263904f in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.0_opt_san/sql/mysqld.cc:6221
    #3 0x55ec92639fd7 in handle_connections_sockets() /test/11.0_opt_san/sql/mysqld.cc:6345
    #4 0x55ec9263d03d in mysqld_main(int, char**) /test/11.0_opt_san/sql/mysqld.cc:5995
    #5 0x1543cf9a6d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
 
SUMMARY: AddressSanitizer: heap-use-after-free /test/11.0_opt_san/sql/sql_derived.cc:947 in mysql_derived_prepare
Shadow bytes around the buggy address:
  0x0c4a8000cb10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a8000cb20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a8000cb30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a8000cb40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a8000cb50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c4a8000cb60: fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd
  0x0c4a8000cb70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a8000cb80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a8000cb90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a8000cba0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a8000cbb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc

Comment by Roel Van de Paar [ 2023-02-24 ]

The original testcase gives similar (but not identical for optimized builds) ASAN stacks.

Comment by Roel Van de Paar [ 2023-02-24 ]

Stacks observed across versions:

SIGSEGV|Binary_string::free|Binary_string::~Binary_string|String::~String|Copy_field::~Copy_field  # 10.4 opt
SIGSEGV|mysql_derived_prepare|mysql_handle_derived|Multiupdate_prelocking_strategy::handle_end|Multiupdate_prelocking_strategy::handle_end   # 10.5 opt
SIGSEGV|mysql_derived_prepare|mysql_derived_merge_for_insert|mysql_handle_derived|Multiupdate_prelocking_strategy::handle_end 
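
As an added triage helper, not part of this issue or of the MariaDB code base: a small Python parser that turns an ASAN report like the two posted above into a kind|frame|frame|... bucket key in the style of the stack signatures listed in this comment, and pulls out the first server-side frame of the use, free and allocation stacks, skipping the ASan interceptors and the mysys allocator wrappers (my_malloc/alloc_root/free_root) that would otherwise make every MEM_ROOT bug look the same. The sample input is a cut-down, renumbered copy of the debug-build report above; the function names, the four-frame signature depth and the list of allocator functions to skip are my choices.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the debug-build (UBASAN) report from this issue, cut down to the
# frames that matter for triage and renumbered; the real report is much longer.
SAMPLE_REPORT = """\
==1926638==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000071358 at pc 0x555e6d806783 bp 0x1536f4d0d710 sp 0x1536f4d0d700
READ of size 8 at 0x625000071358 thread T19
    #0 0x555e6d806782 in mysql_derived_prepare /test/11.0_dbg_san/sql/sql_derived.cc:947
    #1 0x555e6d80743d in mysql_derived_merge_for_insert /test/11.0_dbg_san/sql/sql_derived.cc:532
    #2 0x555e6d7f5ac3 in mysql_handle_derived(LEX*, unsigned int) /test/11.0_dbg_san/sql/sql_derived.cc:123
    #3 0x555e6e22033d in Multiupdate_prelocking_strategy::handle_end(THD*) /test/11.0_dbg_san/sql/sql_update.cc:1731

0x625000071358 is located 2648 bytes inside of 8208-byte region [0x625000070900,0x625000072910)
freed by thread T19 here:
    #0 0x555e6d16bfc7 in __interceptor_free (/test/UBASAN_MD130223-mariadb-11.0.1-linux-x86_64-dbg/bin/mariadbd+0x789bfc7)
    #1 0x555e717d6b63 in my_free /test/11.0_dbg_san/mysys/my_malloc.c:213
    #2 0x555e717b7569 in free_root /test/11.0_dbg_san/mysys/my_alloc.c:495
    #3 0x555e6d4a9e37 in sp_head::execute(THD*, bool) /test/11.0_dbg_san/sql/sp_head.cc:1548

previously allocated by thread T19 here:
    #0 0x555e6d16c317 in __interceptor_malloc (/test/UBASAN_MD130223-mariadb-11.0.1-linux-x86_64-dbg/bin/mariadbd+0x789c317)
    #1 0x555e717b6528 in alloc_root /test/11.0_dbg_san/mysys/my_alloc.c:332
    #2 0x555e6da4b2d4 in Query_arena::memdup_w_gap(void const*, unsigned long, unsigned long) /test/11.0_dbg_san/sql/sql_class.h:1210
    #3 0x555e6da4b2d4 in alloc_query(THD*, char const*, unsigned long) /test/11.0_dbg_san/sql/sql_parse.cc:2727

SUMMARY: AddressSanitizer: heap-use-after-free /test/11.0_dbg_san/sql/sql_derived.cc:947 in mysql_derived_prepare
"""

FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-fA-F]+\s+in\s+(.+?)\s+(\S+)\s*$")
ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-fA-F]+ thread (T\d+)")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")
ALLOCATOR_FUNCS = {"malloc", "free", "calloc", "realloc", "operator new", "operator delete"}

@dataclass
class Frame:
    func: str      # demangled name with its argument list stripped
    location: str  # file:line, or (binary+offset) when there is no debug info

@dataclass
class AsanReport:
    kind: str = ""     # e.g. heap-use-after-free
    access: str = ""   # e.g. "READ of size 8"
    thread: str = ""
    offset: int = -1   # bytes into the freed region
    region_size: int = -1
    stacks: Dict[str, List[Frame]] = field(
        default_factory=lambda: {"access": [], "freed": [], "allocated": []})

def is_allocator_frame(f: Frame) -> bool:
    # ASan interceptors, libc allocator entry points and MariaDB's mysys wrappers say
    # nothing about which server code owns the object, so they are skipped for triage.
    return f.func.startswith("__interceptor_") or f.func in ALLOCATOR_FUNCS or "/mysys/" in f.location

def parse_asan_report(text: str) -> AsanReport:
    rep, section = AsanReport(), None
    for line in text.splitlines():
        if m := ERROR_RE.search(line):
            rep.kind, section = m.group(1), "access"
        elif m := ACCESS_RE.match(line):
            rep.access, rep.thread = f"{m.group(1)} of size {m.group(2)}", m.group(3)
        elif m := REGION_RE.search(line):
            rep.offset, rep.region_size = int(m.group(1)), int(m.group(2))
        elif line.startswith("freed by thread"):
            section = "freed"
        elif line.startswith("previously allocated by thread"):
            section = "allocated"
        elif line.startswith(("Thread T", "SUMMARY:", "Shadow bytes")):
            section = None  # thread-creation stacks and the shadow dump are not triaged
        elif section and (m := FRAME_RE.match(line)):
            rep.stacks[section].append(Frame(m.group(1).split("(", 1)[0], m.group(2)))
    return rep

def crash_signature(rep: AsanReport, depth: int = 4) -> str:
    # Bucket key in the "<kind>|frame|frame|..." style of the stacks listed in this comment.
    funcs = [f.func for f in rep.stacks["access"] if not is_allocator_frame(f)]
    return "|".join([rep.kind] + funcs[:depth])

def first_server_frame(frames: List[Frame]) -> Optional[Frame]:
    return next((f for f in frames if not is_allocator_frame(f)), None)

def triage(text: str) -> Dict[str, object]:
    rep = parse_asan_report(text)

    def site(name: str) -> str:
        f = first_server_frame(rep.stacks[name])
        return f"{f.func} {f.location}" if f else ""

    return {"signature": crash_signature(rep), "access": rep.access,
            "use_site": site("access"), "free_site": site("freed"),
            "alloc_site": site("allocated"),
            "offset": rep.offset, "region_size": rep.region_size}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

For the report above this yields the bucket key heap-use-after-free|mysql_derived_prepare|mysql_derived_merge_for_insert|mysql_handle_derived|Multiupdate_prelocking_strategy::handle_end, i.e. the same frames as the third SIGSEGV signature in this comment with the sanitizer's error kind in place of the signal, which is what lets a sanitizer run and a plain crash of the same bug be filed together. The free site resolves to sp_head::execute at sp_head.cc:1548 rather than to free_root, and the allocation to the query-arena copy made for the SP instruction, which is the lifetime mismatch a developer actually needs to look at.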

Comment by Andrei Elkin [ 2023-12-12 ]

Considering that mysql_derived_prepare is also in the just-reported MDEV-33001, the latter may relate.

Generated at Thu Feb 08 09:08:36 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.