[MDEV-22099] ASAN heap-use-after-free in _ma_record_pos Created: 2020-03-31  Updated: 2023-11-08

Status: Confirmed
Project: MariaDB Server
Component/s: Storage Engine - Aria
Affects Version/s: 10.4, 10.5, 10.5.22
Fix Version/s: 10.4

Type: Bug Priority: Major
Reporter: Alice Sherepa Assignee: Michael Widenius
Resolution: Unresolved Votes: 0
Labels: None


 Description   

-- Repro for MDEV-22099: heap-use-after-free in _ma_record_pos (Aria).
-- Two events scheduled for "now" so that the mysql.event system table has
-- rows to join against; @a is never read, the body only has to be valid.
create  event q1 on schedule at now() do set @a=1;
create  event q2 on schedule at now() do set @a=2;
 
-- Join the INFORMATION_SCHEMA view of the events with the underlying
-- mysql.event table (an Aria table here -- the handler frames in the
-- report are ha_maria).  Per the ASAN report below: locking the tables of
-- this SELECT allocates Aria per-transaction state (_ma_setup_live_state);
-- filling information_schema.events (Events::fill_schema_events) then
-- opens and closes mysql.event as a system table, and close_system_tables
-- -> _ma_remove_table_from_trnman frees that state; the range optimizer
-- afterwards calls maria_records_in_range on the Aria table and reads the
-- freed block (READ of size 8 in _ma_record_pos).
-- NOTE(review): the WHERE predicate is presumably what makes the optimizer
-- probe records_in_range on t2 -- confirm before simplifying the query.
-- Exposure: a plain SELECT reaches the bug, but it needs read access to
-- mysql.event, which is normally restricted to privileged accounts --
-- verify for the deployment in question.
select 1 from (information_schema.`events` as t1 
  join mysql.`event` as t2 on (t2.`created` = t1.`created`)) 
where (t2.`db` < t1.`event_name`);

Reproduced on 10.5 at commit 63f922dae192dd4579c39 (ASAN build):

==25641==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200002f058 at pc 0x56293037c50b bp 0x7f781de6aa70 sp 0x7f781de6aa68
READ of size 8 at 0x61200002f058 thread T5
    #0 0x56293037c50a in _ma_record_pos /10.5/storage/maria/ma_range.c:195
    #1 0x56293037bc77 in maria_records_in_range /10.5/storage/maria/ma_range.c:104
    #2 0x562930203a82 in ha_maria::records_in_range(unsigned int, st_key_range const*, st_key_range const*, st_page_range*) /10.5/storage/maria/ha_maria.cc:3323
    #3 0x56292eda8fa7 in handler::multi_range_read_info_const(unsigned int, st_range_seq_if*, void*, unsigned int, unsigned int*, unsigned int*, Cost_estimate*) /10.5/sql/multi_range_read.cc:177
    #4 0x56292edb4d45 in DsMrr_impl::dsmrr_info_const(unsigned int, st_range_seq_if*, void*, unsigned int, unsigned int*, unsigned int*, Cost_estimate*) /10.5/sql/multi_range_read.cc:1708
    #5 0x562930207947 in ha_maria::multi_range_read_info_const(unsigned int, st_range_seq_if*, void*, unsigned int, unsigned int*, unsigned int*, Cost_estimate*) /10.5/storage/maria/ha_maria.cc:3986
    #6 0x56292f48c784 in check_quick_select /10.5/sql/opt_range.cc:11113
    #7 0x56292f473c6b in get_key_scans_params /10.5/sql/opt_range.cc:7400
    #8 0x56292f4575e3 in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool, bool) /10.5/sql/opt_range.cc:2897
    #9 0x56292ea17000 in test_if_quick_select /10.5/sql/sql_select.cc:21499
    #10 0x56292ea16aa3 in join_init_quick_read_record /10.5/sql/sql_select.cc:21469
    #11 0x56292ea10ab1 in sub_select(JOIN*, st_join_table*, bool) /10.5/sql/sql_select.cc:20601
    #12 0x56292ea122d1 in evaluate_join_record /10.5/sql/sql_select.cc:20827
    #13 0x56292ea10c6c in sub_select(JOIN*, st_join_table*, bool) /10.5/sql/sql_select.cc:20604
    #14 0x56292ea0ecfa in do_select /10.5/sql/sql_select.cc:20138
    #15 0x56292e99cf13 in JOIN::exec_inner() /10.5/sql/sql_select.cc:4463
    #16 0x56292e99a565 in JOIN::exec() /10.5/sql/sql_select.cc:4244
    #17 0x56292e99e47a in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.5/sql/sql_select.cc:4668
    #18 0x56292e9707a9 in handle_select(THD*, LEX*, select_result*, unsigned long) /10.5/sql/sql_select.cc:417
    #19 0x56292e8e2790 in execute_sqlcom_select /10.5/sql/sql_parse.cc:6168
    #20 0x56292e8d0bb2 in mysql_execute_command(THD*) /10.5/sql/sql_parse.cc:3901
    #21 0x56292e8ed7de in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.5/sql/sql_parse.cc:7953
    #22 0x56292e8c35d8 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.5/sql/sql_parse.cc:1839
    #23 0x56292e8c000d in do_command(THD*) /10.5/sql/sql_parse.cc:1358
    #24 0x56292ecdbe90 in do_handle_one_connection(CONNECT*, bool) /10.5/sql/sql_connect.cc:1422
    #25 0x56292ecdb72b in handle_one_connection /10.5/sql/sql_connect.cc:1319
    #26 0x56292f7125b9 in pfs_spawn_thread /10.5/storage/perfschema/pfs.cc:2201
    #27 0x7f782a102fa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
    #28 0x7f78294f74ce in clone (/lib/x86_64-linux-gnu/libc.so.6+0xf94ce)
 
0x61200002f058 is located 152 bytes inside of 276-byte region [0x61200002efc0,0x61200002f0d4)
freed by thread T5 here:
    #0 0x7f782a204fb0 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8fb0)
    #1 0x562930613472 in free_memory /10.5/mysys/safemalloc.c:279
    #2 0x562930612a9f in sf_free /10.5/mysys/safemalloc.c:197
    #3 0x5629305e1bfc in my_free /10.5/mysys/my_malloc.c:209
    #4 0x5629301c1d3a in _ma_remove_table_from_trnman /10.5/storage/maria/ma_state.c:594
    #5 0x5629302c53c1 in maria_extra /10.5/storage/maria/ma_extra.c:410
    #6 0x5629301ff1b5 in ha_maria::extra(ha_extra_function) /10.5/storage/maria/ha_maria.cc:2646
    #7 0x56292e76508b in close_system_tables(THD*, Open_tables_backup*) /10.5/sql/sql_base.cc:9075
    #8 0x56292f5863be in Event_db_repository::fill_schema_events(THD*, TABLE_LIST*, char const*) /10.5/sql/event_db_repository.cc:569
    #9 0x56292ec71035 in Events::fill_schema_events(THD*, TABLE_LIST*, Item*) /10.5/sql/events.cc:846
    #10 0x56292eac31e1 in get_schema_tables_result(JOIN*, enum_schema_table_state) /10.5/sql/sql_show.cc:8636
    #11 0x56292e99c67a in JOIN::exec_inner() /10.5/sql/sql_select.cc:4420
    #12 0x56292e99a565 in JOIN::exec() /10.5/sql/sql_select.cc:4244
    #13 0x56292e99e47a in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.5/sql/sql_select.cc:4668
    #14 0x56292e9707a9 in handle_select(THD*, LEX*, select_result*, unsigned long) /10.5/sql/sql_select.cc:417
    #15 0x56292e8e2790 in execute_sqlcom_select /10.5/sql/sql_parse.cc:6168
    #16 0x56292e8d0bb2 in mysql_execute_command(THD*) /10.5/sql/sql_parse.cc:3901
    #17 0x56292e8ed7de in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.5/sql/sql_parse.cc:7953
    #18 0x56292e8c35d8 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.5/sql/sql_parse.cc:1839
    #19 0x56292e8c000d in do_command(THD*) /10.5/sql/sql_parse.cc:1358
    #20 0x56292ecdbe90 in do_handle_one_connection(CONNECT*, bool) /10.5/sql/sql_connect.cc:1422
    #21 0x56292ecdb72b in handle_one_connection /10.5/sql/sql_connect.cc:1319
    #22 0x56292f7125b9 in pfs_spawn_thread /10.5/storage/perfschema/pfs.cc:2201
    #23 0x7f782a102fa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
 
previously allocated by thread T5 here:
    #0 0x7f782a205330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x562930612484 in sf_malloc /10.5/mysys/safemalloc.c:118
    #2 0x5629305e0e4d in my_malloc /10.5/mysys/my_malloc.c:88
    #3 0x5629301be4b1 in _ma_setup_live_state /10.5/storage/maria/ma_state.c:82
    #4 0x5629301c2520 in _ma_block_start_trans /10.5/storage/maria/ma_state.c:664
    #5 0x5629305fa13e in thr_multi_lock /10.5/mysys/thr_lock.c:1318
    #6 0x56292f39f9b6 in mysql_lock_tables(THD*, st_mysql_lock*, unsigned int) /10.5/sql/lock.cc:348
    #7 0x56292f39f557 in mysql_lock_tables(THD*, TABLE**, unsigned int, unsigned int) /10.5/sql/lock.cc:300
    #8 0x56292e74e091 in lock_tables(THD*, TABLE_LIST*, unsigned int, unsigned int) /10.5/sql/sql_base.cc:5497
    #9 0x56292e74c283 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /10.5/sql/sql_base.cc:5217
    #10 0x56292e6a7e24 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /10.5/sql/sql_base.h:509
    #11 0x56292e8e1d08 in execute_sqlcom_select /10.5/sql/sql_parse.cc:6089
    #12 0x56292e8d0bb2 in mysql_execute_command(THD*) /10.5/sql/sql_parse.cc:3901
    #13 0x56292e8ed7de in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.5/sql/sql_parse.cc:7953
    #14 0x56292e8c35d8 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.5/sql/sql_parse.cc:1839
    #15 0x56292e8c000d in do_command(THD*) /10.5/sql/sql_parse.cc:1358
    #16 0x56292ecdbe90 in do_handle_one_connection(CONNECT*, bool) /10.5/sql/sql_connect.cc:1422
    #17 0x56292ecdb72b in handle_one_connection /10.5/sql/sql_connect.cc:1319
    #18 0x56292f7125b9 in pfs_spawn_thread /10.5/storage/perfschema/pfs.cc:2201
    #19 0x7f782a102fa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
 
Thread T5 created by T0 here:
    #0 0x7f782a16cdb0 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
    #1 0x56292f70d4b0 in my_thread_create /10.5/storage/perfschema/my_thread.h:34
    #2 0x56292f7129a8 in pfs_spawn_thread_v1 /10.5/storage/perfschema/pfs.cc:2252
    #3 0x56292e5cd18a in inline_mysql_thread_create /10.5/include/mysql/psi/mysql_thread.h:1321
    #4 0x56292e5e3371 in create_thread_to_handle_connection(CONNECT*) /10.5/sql/mysqld.cc:6113
    #5 0x56292e5e39df in create_new_thread(CONNECT*) /10.5/sql/mysqld.cc:6172
    #6 0x56292e5e3d43 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.5/sql/mysqld.cc:6237
    #7 0x56292e5e4982 in handle_connections_sockets() /10.5/sql/mysqld.cc:6364
    #8 0x56292e5e2b24 in mysqld_main(int, char**) /10.5/sql/mysqld.cc:5772
    #9 0x56292e5cb954 in main /10.5/sql/main.cc:25
    #10 0x7f782942209a in __libc_start_main ../csu/libc-start.c:308
 
SUMMARY: AddressSanitizer: heap-use-after-free /10.5/storage/maria/ma_range.c:195 in _ma_record_pos
Shadow bytes around the buggy address:
  0x0c247fffddb0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c247fffddc0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fffddd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fffdde0: 00 00 00 00 00 00 00 00 00 00 00 04 fa fa fa fa
  0x0c247fffddf0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c247fffde00: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd
  0x0c247fffde10: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c247fffde20: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fffde30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fffde40: 00 00 00 00 00 00 00 00 00 00 00 04 fa fa fa fa
  0x0c247fffde50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==25641==ABORTING



 Comments   
Comment by Alice Sherepa [ 2021-02-22 ]

Still repeatable on 10.4, but no longer on 10.5.

10.4 at commit 901bcde2dded205 (ASAN build):

Version: '10.4.18-MariaDB-debug-log'  socket: '/10.4/mysql-test/var/tmp/mysqld.1.sock'  port: 16000  Source distribution
=================================================================
==12134==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100000d900 at pc 0x5593f1a8e1fd bp 0x7fdcd9410050 sp 0x7fdcd9410048
READ of size 8 at 0x61100000d900 thread T5
    #0 0x5593f1a8e1fc in _ma_record_pos /10.4/storage/maria/ma_range.c:192
    #1 0x5593f1a8d97a in maria_records_in_range /10.4/storage/maria/ma_range.c:102
    #2 0x5593f191ad5f in ha_maria::records_in_range(unsigned int, st_key_range*, st_key_range*) /10.4/storage/maria/ha_maria.cc:3296
    #3 0x5593f07758dd in handler::multi_range_read_info_const(unsigned int, st_range_seq_if*, void*, unsigned int, unsigned int*, unsigned int*, Cost_estimate*) /10.4/sql/multi_range_read.cc:126
    #4 0x5593f07816c5 in DsMrr_impl::dsmrr_info_const(unsigned int, st_range_seq_if*, void*, unsigned int, unsigned int*, unsigned int*, Cost_estimate*) /10.4/sql/multi_range_read.cc:1546
    #5 0x5593f191e8c3 in ha_maria::multi_range_read_info_const(unsigned int, st_range_seq_if*, void*, unsigned int, unsigned int*, unsigned int*, Cost_estimate*) /10.4/storage/maria/ha_maria.cc:3939
    #6 0x5593f0e9b7b6 in check_quick_select /10.4/sql/opt_range.cc:11170
    #7 0x5593f0e82a3d in get_key_scans_params /10.4/sql/opt_range.cc:7430
    #8 0x5593f0e661a3 in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool, bool) /10.4/sql/opt_range.cc:2926
    #9 0x5593f0428ee6 in test_if_quick_select /10.4/sql/sql_select.cc:21297
    #10 0x5593f0428989 in join_init_quick_read_record /10.4/sql/sql_select.cc:21267
    #11 0x5593f0422967 in sub_select(JOIN*, st_join_table*, bool) /10.4/sql/sql_select.cc:20402
    #12 0x5593f0424123 in evaluate_join_record /10.4/sql/sql_select.cc:20625
    #13 0x5593f0422b22 in sub_select(JOIN*, st_join_table*, bool) /10.4/sql/sql_select.cc:20405
    #14 0x5593f0420d7f in do_select /10.4/sql/sql_select.cc:19943
    #15 0x5593f03b20a4 in JOIN::exec_inner() /10.4/sql/sql_select.cc:4486
    #16 0x5593f03af713 in JOIN::exec() /10.4/sql/sql_select.cc:4268
    #17 0x5593f03b36bd in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.4/sql/sql_select.cc:4703
    #18 0x5593f0385305 in handle_select(THD*, LEX*, select_result*, unsigned long) /10.4/sql/sql_select.cc:410
    #19 0x5593f02f8655 in execute_sqlcom_select /10.4/sql/sql_parse.cc:6417
    #20 0x5593f02e5e7b in mysql_execute_command(THD*) /10.4/sql/sql_parse.cc:3936
    #21 0x5593f0301768 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/sql/sql_parse.cc:7958
    #22 0x5593f02d895c in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/sql/sql_parse.cc:1855
    #23 0x5593f02d53db in do_command(THD*) /10.4/sql/sql_parse.cc:1373
    #24 0x5593f06b5392 in do_handle_one_connection(CONNECT*) /10.4/sql/sql_connect.cc:1412
    #25 0x5593f06b4c34 in handle_one_connection /10.4/sql/sql_connect.cc:1316
    #26 0x5593f1cf49c4 in pfs_spawn_thread /10.4/storage/perfschema/pfs.cc:1869
    #27 0x7fdce2e8efa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
    #28 0x7fdce24954ce in clone (/lib/x86_64-linux-gnu/libc.so.6+0xf94ce)
 
0x61100000d900 is located 128 bytes inside of 252-byte region [0x61100000d880,0x61100000d97c)
freed by thread T5 here:
    #0 0x7fdce2f90fb0 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8fb0)
    #1 0x5593f1e3bc94 in free_memory /10.4/mysys/safemalloc.c:279
    #2 0x5593f1e3b2c2 in sf_free /10.4/mysys/safemalloc.c:197
    #3 0x5593f1e0ac7d in my_free /10.4/mysys/my_malloc.c:222
    #4 0x5593f18d99a1 in _ma_remove_table_from_trnman /10.4/storage/maria/ma_state.c:593
    #5 0x5593f19d8f68 in maria_extra /10.4/storage/maria/ma_extra.c:410
    #6 0x5593f19166cb in ha_maria::extra(ha_extra_function) /10.4/storage/maria/ha_maria.cc:2629
    #7 0x5593f0183cf2 in close_system_tables(THD*, Open_tables_backup*) /10.4/sql/sql_base.cc:9142
    #8 0x5593f0f9454a in Event_db_repository::fill_schema_events(THD*, TABLE_LIST*, char const*) /10.4/sql/event_db_repository.cc:570
    #9 0x5593f065757d in Events::fill_schema_events(THD*, TABLE_LIST*, Item*) /10.4/sql/events.cc:843
    #10 0x5593f04dc53f in get_schema_tables_result(JOIN*, enum_schema_table_state) /10.4/sql/sql_show.cc:8921
    #11 0x5593f03b180b in JOIN::exec_inner() /10.4/sql/sql_select.cc:4443
    #12 0x5593f03af713 in JOIN::exec() /10.4/sql/sql_select.cc:4268
    #13 0x5593f03b36bd in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.4/sql/sql_select.cc:4703
    #14 0x5593f0385305 in handle_select(THD*, LEX*, select_result*, unsigned long) /10.4/sql/sql_select.cc:410
    #15 0x5593f02f8655 in execute_sqlcom_select /10.4/sql/sql_parse.cc:6417
    #16 0x5593f02e5e7b in mysql_execute_command(THD*) /10.4/sql/sql_parse.cc:3936
    #17 0x5593f0301768 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/sql/sql_parse.cc:7958
    #18 0x5593f02d895c in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/sql/sql_parse.cc:1855
    #19 0x5593f02d53db in do_command(THD*) /10.4/sql/sql_parse.cc:1373
    #20 0x5593f06b5392 in do_handle_one_connection(CONNECT*) /10.4/sql/sql_connect.cc:1412
    #21 0x5593f06b4c34 in handle_one_connection /10.4/sql/sql_connect.cc:1316
    #22 0x5593f1cf49c4 in pfs_spawn_thread /10.4/storage/perfschema/pfs.cc:1869
    #23 0x7fdce2e8efa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
 
previously allocated by thread T5 here:
    #0 0x7fdce2f91330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x5593f1e3aca8 in sf_malloc /10.4/mysys/safemalloc.c:118
    #2 0x5593f1e0a1ba in my_malloc /10.4/mysys/my_malloc.c:101
    #3 0x5593f18d6125 in _ma_setup_live_state /10.4/storage/maria/ma_state.c:82
    #4 0x5593f18da187 in _ma_block_start_trans /10.4/storage/maria/ma_state.c:663
    #5 0x5593f1e22e8f in thr_multi_lock /10.4/mysys/thr_lock.c:1318
    #6 0x5593f0dc7379 in mysql_lock_tables(THD*, st_mysql_lock*, unsigned int) /10.4/sql/lock.cc:349
    #7 0x5593f0dc6f1a in mysql_lock_tables(THD*, TABLE**, unsigned int, unsigned int) /10.4/sql/lock.cc:301
    #8 0x5593f016d061 in lock_tables(THD*, TABLE_LIST*, unsigned int, unsigned int) /10.4/sql/sql_base.cc:5585
    #9 0x5593f016b43b in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /10.4/sql/sql_base.cc:5322
    #10 0x5593f00c9910 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /10.4/sql/sql_base.h:503
    #11 0x5593f02f7be3 in execute_sqlcom_select /10.4/sql/sql_parse.cc:6338
    #12 0x5593f02e5e7b in mysql_execute_command(THD*) /10.4/sql/sql_parse.cc:3936
    #13 0x5593f0301768 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/sql/sql_parse.cc:7958
    #14 0x5593f02d895c in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/sql/sql_parse.cc:1855
    #15 0x5593f02d53db in do_command(THD*) /10.4/sql/sql_parse.cc:1373
    #16 0x5593f06b5392 in do_handle_one_connection(CONNECT*) /10.4/sql/sql_connect.cc:1412
    #17 0x5593f06b4c34 in handle_one_connection /10.4/sql/sql_connect.cc:1316
    #18 0x5593f1cf49c4 in pfs_spawn_thread /10.4/storage/perfschema/pfs.cc:1869
    #19 0x7fdce2e8efa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
 
Thread T5 created by T0 here:
    #0 0x7fdce2ef8db0 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
    #1 0x5593f1cf4db1 in spawn_thread_v1 /10.4/storage/perfschema/pfs.cc:1919
    #2 0x5593efff17b5 in inline_mysql_thread_create /10.4/include/mysql/psi/mysql_thread.h:1275
    #3 0x5593f0008b15 in create_thread_to_handle_connection(CONNECT*) /10.4/sql/mysqld.cc:6259
    #4 0x5593f000926a in create_new_thread(CONNECT*) /10.4/sql/mysqld.cc:6329
    #5 0x5593f0009744 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.4/sql/mysqld.cc:6427
    #6 0x5593f000a5f1 in handle_connections_sockets() /10.4/sql/mysqld.cc:6585
    #7 0x5593f0008279 in mysqld_main(int, char**) /10.4/sql/mysqld.cc:5917
    #8 0x5593effef684 in main /10.4/sql/main.cc:25
    #9 0x7fdce23c009a in __libc_start_main ../csu/libc-start.c:308
 
SUMMARY: AddressSanitizer: heap-use-after-free /10.4/storage/maria/ma_range.c:192 in _ma_record_pos
Shadow bytes around the buggy address:
  0x0c227fff9ad0: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c227fff9ae0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c227fff9af0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff9b00: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c227fff9b10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c227fff9b20:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff9b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff9b70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12134==ABORTING
----------SERVER LOG END-------------

Comment by Rick Pizzi [ 2023-10-25 ]

monty Just got this crash (SIGSEGV in memcpy with __len=65538 under _ma_get_pack_key, reached from the same maria_records_in_range / _ma_record_pos path as the ASAN report above), possibly related?

#0  0x00007f074f4efaa1 in pthread_kill () from /lib64/libpthread.so.0
#1  0x0000558f6a01623e in handle_fatal_signal (sig=11) at /usr/src/debug/MariaDB-/src_0/sql/signal_handler.cc:360
#2  <signal handler called>
#3  0x00007f074ea5d7f6 in __memcpy_ssse3_back () from /lib64/libc.so.6
#4  0x0000558f6a234f10 in memcpy (__len=65538, __src=<optimized out>, __dest=<optimized out>) at /usr/include/bits/string3.h:51
#5  _ma_get_pack_key (int_key=0x7f05f8156740, page_flag=0, nod_flag=0, page_pos=0x7f05f8156730) at /usr/src/debug/MariaDB-/src_0/storage/maria/ma_search.c:1143
#6  0x0000558f6a233201 in _ma_seq_search (key=0x7f05f8157150, ma_page=<optimized out>, comp_flag=262250, ret_pos=0x7f05f8157090, buff=0x7f05ac58f548 "\a\347\nA.V. TRASF", last_key=0x7f05f8157070 "")
    at /usr/src/debug/MariaDB-/src_0/storage/maria/ma_search.c:389
#7  0x0000558f6a259488 in _ma_search_pos (info=info@entry=0x7f05ac58ae38, key=key@entry=0x7f05f8157150, nextflag=262250, pos=8192, final_page=final_page@entry=0x7f05f8157258)
    at /usr/src/debug/MariaDB-/src_0/storage/maria/ma_range.c:232
#8  0x0000558f6a259861 in _ma_record_pos (final_page=<optimized out>, search_flag=<optimized out>, keypart_map=1, key_data=<optimized out>, info=0x7f05ac58ae38)
    at /usr/src/debug/MariaDB-/src_0/storage/maria/ma_range.c:189
#9  maria_records_in_range (info=0x7f05ac58ae38, inx=<optimized out>, min_key=<optimized out>, max_key=<optimized out>, pages=0x7f05f8157250) at /usr/src/debug/MariaDB-/src_0/storage/maria/ma_range.c:105
#10 0x0000558f69f2b605 in handler::multi_range_read_info_const (this=0x7f05ac400ad0, keyno=keyno@entry=0, seq=0x7f05f8157390, seq_init_param=<optimized out>, n_ranges_arg=<optimized out>, 
    bufsz=bufsz@entry=0x7f05f8157310, flags=flags@entry=0x7f05f8157300, cost=cost@entry=0x7f05f8157c80) at /usr/src/debug/MariaDB-/src_0/sql/multi_range_read.cc:177
#11 0x0000558f69f2de39 in DsMrr_impl::dsmrr_info_const (this=0x7f05ac4011e8, keyno=0, seq=<optimized out>, seq_init_param=<optimized out>, n_ranges=<optimized out>, bufsz=0x7f05f8157b40, flags=0x7f05f8157b20, 
    cost=0x7f05f8157c80) at /usr/src/debug/MariaDB-/src_0/sql/multi_range_read.cc:1712
#12 0x0000558f6a151c10 in check_quick_select (param=0x7f05f8157cc0, idx=<optimized out>, index_only=index_only@entry=false, tree=tree@entry=0x7f05aed84af0, update_tbl_stats=update_tbl_stats@entry=true, 
    mrr_flags=0x7f05f8157b20, bufsize=bufsize@entry=0x7f05f8157b40, cost=0x7f05f8157c80, is_ror_scan=0x7f05f8157b10) at /usr/src/debug/MariaDB-/src_0/sql/opt_range.cc:11591
#13 0x0000558f6a1575a9 in get_key_scans_params (read_time=<optimized out>, for_range_access=true, index_read_must_be_used=<optimized out>, tree=<optimized out>, param=0x7f05f8157cc0)
    at /usr/src/debug/MariaDB-/src_0/sql/opt_range.cc:7503
#14 SQL_SELECT::test_quick_select (this=0x7f05ac06eda8, thd=<optimized out>, keys_to_use=..., prev_tables=<optimized out>, limit=<optimized out>, force_quick_range=false, ordered_output=false, 
    remove_false_parts_of_where=true, only_single_index_range_scan=<optimized out>) at /usr/src/debug/MariaDB-/src_0/sql/opt_range.cc:2951
#15 0x0000558f69e5fea0 in JOIN::optimize_inner (this=0x7f05ac139770) at /usr/src/debug/MariaDB-/src_0/sql/sql_select.cc:4921
#16 0x0000558f69e60992 in JOIN::optimize (this=0x7f05ac139770) at /usr/src/debug/MariaDB-/src_0/sql/sql_select.cc:1739
#17 0x0000558f69e60a67 in mysql_select (thd=0x7f05ac1735c8, tables=0x7f05ac135920, fields=..., conds=0x7f05ac138380, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, 
    result=0x7f05ac139748, unit=0x7f05ac1775b8, select_lex=0x7f05ac1350d8) at /usr/src/debug/MariaDB-/src_0/sql/sql_select.cc:4863
#18 0x0000558f69e616e4 in handle_select (thd=thd@entry=0x7f05ac1735c8, lex=lex@entry=0x7f05ac1774f0, result=result@entry=0x7f05ac139748, setup_tables_done_option=setup_tables_done_option@entry=0)
    at /usr/src/debug/MariaDB-/src_0/sql/sql_select.cc:462
#19 0x0000558f69cac3d4 in execute_sqlcom_select (thd=thd@entry=0x7f05ac1735c8, all_tables=0x7f05ac135920) at /usr/src/debug/MariaDB-/src_0/sql/sql_parse.cc:6368
#20 0x0000558f69e01f91 in mysql_execute_command (thd=thd@entry=0x7f05ac1735c8) at /usr/src/debug/MariaDB-/src_0/sql/sql_parse.cc:4025
#21 0x0000558f69e04bd5 in mysql_parse (thd=thd@entry=0x7f05ac1735c8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x7f05f815b370, is_com_multi=is_com_multi@entry=false, 
    is_next_command=is_next_command@entry=false) at /usr/src/debug/MariaDB-/src_0/sql/sql_parse.cc:8145
#22 0x0000558f69e0769b in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7f05ac1735c8, 
    packet=packet@entry=0x7f05aec55129 "select v.Codice as Vincolo, v.Descrizione as VincoloDesc from cvinccap vc  inner join cvincoli v on vc.Codice=v.Codice and vc.AnnoGestione=v.AnnoGestione where TipoBilancio='E' and vc.AnnoGestione=202"..., packet_length=packet_length@entry=241, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false)
    at /usr/src/debug/MariaDB-/src_0/sql/sql_parse.cc:1892
#23 0x0000558f69e09713 in do_command (thd=0x7f05ac1735c8) at /usr/src/debug/MariaDB-/src_0/sql/sql_parse.cc:1376
#24 0x0000558f69efa0a9 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x558f6f3505b8, put_in_cache=put_in_cache@entry=true) at /usr/src/debug/MariaDB-/src_0/sql/sql_connect.cc:1416
#25 0x0000558f69efa354 in handle_one_connection (arg=arg@entry=0x558f6f3505b8) at /usr/src/debug/MariaDB-/src_0/sql/sql_connect.cc:1318
#26 0x0000558f6a29db97 in pfs_spawn_thread (arg=0x558f6f301b18) at /usr/src/debug/MariaDB-/src_0/storage/perfschema/pfs.cc:2201
#27 0x00007f074f4eaea5 in start_thread () from /lib64/libpthread.so.0
#28 0x00007f074ea05b0d in clone () from /lib64/libc.so.6

Comment by Rick Pizzi [ 2023-10-25 ]

The backtrace above was taken on 10.5.22 (ES).
