[MDEV-24655] Unexpected results or ASAN use-after-poison in Field::cmp_binary or in row_sel_store_mysql_field_func upon updating virtual column Created: 2021-01-22  Updated: 2021-06-07  Resolved: 2021-06-07

Status: Closed
Project: MariaDB Server
Component/s: Data Manipulation - Update, Virtual Columns
Affects Version/s: 10.2, 10.3, 10.4, 10.5, 10.6
Fix Version/s: 10.2.38, 10.3.29, 10.4.19, 10.5.10

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Nikita Malyavin
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-24583 ASAN use-after-poison in create_tmp_t... Closed

Description

With MyISAM

CREATE TABLE t1 (id INT PRIMARY KEY, a INT, b VARBINARY(8), c TINYINT AS (a)) ENGINE=MyISAM;
INSERT INTO t1 (id,a) VALUES (1,242);
--error ER_WARN_DATA_OUT_OF_RANGE
REPLACE INTO t1 (id) VALUES (1);
UPDATE t1 SET a = 1;
 
# Cleanup
DROP TABLE t1;

10.2 29d9897f ASAN

==1592797==ERROR: AddressSanitizer: use-after-poison on address 0x619000088555 at pc 0x7fb9d2f05dfd bp 0x7fb9c7c7fec0 sp 0x7fb9c7c7f668
READ of size 4 at 0x619000088555 thread T5
    #0 0x7fb9d2f05dfc  (/lib/x86_64-linux-gnu/libasan.so.5+0xdadfc)
    #1 0x558e7fcf9037 in Field::cmp_binary(unsigned char const*, unsigned char const*, unsigned int) /data/src/10.2/sql/field.h:1066
    #2 0x558e7fcf9195 in Field::cmp_binary_offset(unsigned int) /data/src/10.2/sql/field.h:1070
    #3 0x558e7fe130a5 in compare_record(TABLE const*) /data/src/10.2/sql/sql_update.cc:116
    #4 0x558e7fe1837c in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, enum_duplicates, bool, unsigned long long*, unsigned long long*) /data/src/10.2/sql/sql_update.cc:768
    #5 0x558e7fb95d69 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4033
    #6 0x558e7fbaf7eb in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
    #7 0x558e7fb88830 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
    #8 0x558e7fb855ef in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
    #9 0x558e7ff0db1e in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
    #10 0x558e7ff0d3e1 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #11 0x558e812a95d9 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
    #12 0x7fb9d29d1608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
    #13 0x7fb9d25ab292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
 
0x619000088555 is located 213 bytes inside of 1100-byte region [0x619000088480,0x6190000888cc)
allocated by thread T5 here:
    #0 0x7fb9d2f38bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x558e813c612c in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
    #2 0x558e81392091 in my_malloc /data/src/10.2/mysys/my_malloc.c:101
    #3 0x558e8136f703 in alloc_root /data/src/10.2/mysys/my_alloc.c:243
    #4 0x558e8137109c in strmake_root /data/src/10.2/mysys/my_alloc.c:451
    #5 0x558e7fe53ff3 in open_table_from_share(THD*, TABLE_SHARE*, char const*, unsigned int, unsigned int, unsigned int, TABLE*, bool) /data/src/10.2/sql/table.cc:3097
    #6 0x558e7fa6a3b9 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.2/sql/sql_base.cc:1934
    #7 0x558e7fa72344 in open_and_process_table /data/src/10.2/sql/sql_base.cc:3614
    #8 0x558e7fa7471e in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:4081
    #9 0x558e7fa782a4 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:4880
    #10 0x558e7f9ef46d in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.2/sql/sql_base.h:507
    #11 0x558e7fb2e15d in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.2/sql/sql_insert.cc:758
    #12 0x558e7fb96b91 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4194
    #13 0x558e7fbaf7eb in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
    #14 0x558e7fb88830 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
    #15 0x558e7fb855ef in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
    #16 0x558e7ff0db1e in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
    #17 0x558e7ff0d3e1 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #18 0x558e812a95d9 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
    #19 0x7fb9d29d1608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
 
Thread T5 created by T0 here:
    #0 0x7fb9d2e65805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
    #1 0x558e812a99ca in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1919
    #2 0x558e7f92a083 in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1246
    #3 0x558e7f941c2b in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6567
    #4 0x558e7f9423c6 in create_new_thread /data/src/10.2/sql/mysqld.cc:6637
    #5 0x558e7f943558 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6895
    #6 0x558e7f940f7c in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6186
    #7 0x558e7f92893c in main /data/src/10.2/sql/main.cc:25
    #8 0x7fb9d24b00b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
 
SUMMARY: AddressSanitizer: use-after-poison (/lib/x86_64-linux-gnu/libasan.so.5+0xdadfc) 
Shadow bytes around the buggy address:
  0x0c3280009050: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c3280009060: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c3280009070: f7 f7 f7 f7 f7 f7 f7 f7 f7 04 fa fa fa fa fa fa
  0x0c3280009080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280009090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c32800090a0: 00 f7 03 f7 00 00 03 00 00 03[f7]00 00 00 00 00
  0x0c32800090b0: f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c32800090c0: 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 00 00
  0x0c32800090d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c32800090e0: 00 00 00 00 f7 00 00 00 00 00 00 00 00 00 00 00
  0x0c32800090f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1592797==ABORTING

With InnoDB

--source include/have_innodb.inc
 
CREATE TABLE t1 (id INT PRIMARY KEY, a INT, b VARBINARY(8), c TINYINT AS (a)) ENGINE=InnoDB;
INSERT INTO t1 (id,a) VALUES (1,242);
--error ER_WARN_DATA_OUT_OF_RANGE
REPLACE INTO t1 (id) VALUES (1);
UPDATE t1 SET a = 1;
 
# Cleanup
DROP TABLE t1;

10.2 29d9897f ASAN

==1593047==ERROR: AddressSanitizer: use-after-poison on address 0x6190000db349 at pc 0x7f0a0dfc1480 bp 0x7f09f6f29330 sp 0x7f09f6f28ad8
READ of size 9 at 0x6190000db349 thread T27
    #0 0x7f0a0dfc147f  (/lib/x86_64-linux-gnu/libasan.so.5+0x9b47f)
    #1 0x559e13daa4d1 in row_sel_store_mysql_field_func /data/src/10.2/storage/innobase/row/row0sel.cc:3077
    #2 0x559e13dab76e in row_sel_store_mysql_rec /data/src/10.2/storage/innobase/row/row0sel.cc:3245
    #3 0x559e13db85f6 in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /data/src/10.2/storage/innobase/row/row0sel.cc:5623
    #4 0x559e13a818fc in ha_innobase::index_read(unsigned char*, unsigned char const*, unsigned int, ha_rkey_function) /data/src/10.2/storage/innobase/handler/ha_innodb.cc:9394
    #5 0x559e13a84ca2 in ha_innobase::index_first(unsigned char*) /data/src/10.2/storage/innobase/handler/ha_innodb.cc:9771
    #6 0x559e13a85379 in ha_innobase::rnd_next(unsigned char*) /data/src/10.2/storage/innobase/handler/ha_innodb.cc:9864
    #7 0x559e13552216 in handler::ha_rnd_next(unsigned char*) /data/src/10.2/sql/handler.cc:2669
    #8 0x559e138ff8e1 in rr_sequential(READ_RECORD*) /data/src/10.2/sql/records.cc:492
    #9 0x559e1318c0ee in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, enum_duplicates, bool, unsigned long long*, unsigned long long*) /data/src/10.2/sql/sql_update.cc:751
    #10 0x559e12f09d69 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4033
    #11 0x559e12f237eb in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
    #12 0x559e12efc830 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
    #13 0x559e12ef95ef in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
    #14 0x559e13281b1e in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
    #15 0x559e132813e1 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #16 0x559e1461d5d9 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
    #17 0x7f0a0dacc608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
    #18 0x7f0a0d6a6292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
 
0x6190000db349 is located 457 bytes inside of 1100-byte region [0x6190000db180,0x6190000db5cc)
allocated by thread T27 here:
    #0 0x7f0a0e033bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x559e1473a12c in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
    #2 0x559e14706091 in my_malloc /data/src/10.2/mysys/my_malloc.c:101
    #3 0x559e146e3703 in alloc_root /data/src/10.2/mysys/my_alloc.c:243
    #4 0x559e146e5139 in memdup_root /data/src/10.2/mysys/my_alloc.c:464
    #5 0x559e131b8777 in TABLE_SHARE::init_from_binary_frm_image(THD*, bool, unsigned char const*, unsigned long) /data/src/10.2/sql/table.cc:1288
    #6 0x559e131b4143 in open_table_def(THD*, TABLE_SHARE*, unsigned int) /data/src/10.2/sql/table.cc:684
    #7 0x559e13406065 in tdc_acquire_share(THD*, TABLE_LIST*, unsigned int, TABLE**) /data/src/10.2/sql/table_cache.cc:826
    #8 0x559e12ddd7f0 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.2/sql/sql_base.cc:1797
    #9 0x559e12de6344 in open_and_process_table /data/src/10.2/sql/sql_base.cc:3614
    #10 0x559e12de871e in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:4081
    #11 0x559e12dec2a4 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:4880
    #12 0x559e12d6346d in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.2/sql/sql_base.h:507
    #13 0x559e12ea215d in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.2/sql/sql_insert.cc:758
    #14 0x559e12f0ab91 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4194
    #15 0x559e12f237eb in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
    #16 0x559e12efc830 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
    #17 0x559e12ef95ef in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
    #18 0x559e13281b1e in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
    #19 0x559e132813e1 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #20 0x559e1461d5d9 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
    #21 0x7f0a0dacc608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
 
Thread T27 created by T0 here:
    #0 0x7f0a0df60805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
    #1 0x559e1461d9ca in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1919
    #2 0x559e12c9e083 in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1246
    #3 0x559e12cb5c2b in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6567
    #4 0x559e12cb63c6 in create_new_thread /data/src/10.2/sql/mysqld.cc:6637
    #5 0x559e12cb7558 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6895
    #6 0x559e12cb4f7c in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6186
    #7 0x559e12c9c93c in main /data/src/10.2/sql/main.cc:25
    #8 0x7f0a0d5ab0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
 
SUMMARY: AddressSanitizer: use-after-poison (/lib/x86_64-linux-gnu/libasan.so.5+0x9b47f) 
Shadow bytes around the buggy address:
  0x0c3280013610: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c3280013620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280013630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280013640: 00 f7 00 00 f7 01 f7 00 00 00 00 00 00 00 00 00
  0x0c3280013650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3280013660: 00 02 f7 00 f7 00 00 03 f7[01]f7 00 00 00 00 00
  0x0c3280013670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280013680: 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00 00
  0x0c3280013690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f7
  0x0c32800136a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c32800136b0: 00 00 00 00 00 00 00 00 00 04 fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1593047==ABORTING

Non-ASAN builds don't crash, but the results are rather odd. I have no clear opinion on how it should behave, but the way it does now seems inconsistent:

CREATE TABLE t1 (id INT PRIMARY KEY, a INT, b VARBINARY(8), c TINYINT AS (a)) ENGINE=MyISAM;
INSERT INTO t1 (id,a) VALUES (1,242);
SELECT * FROM t1;
--error ER_WARN_DATA_OUT_OF_RANGE
REPLACE INTO t1 (id) VALUES (1);
SELECT * FROM t1;
UPDATE t1 SET a = 1;
SELECT * FROM t1;
 
# Cleanup
DROP TABLE t1;

So, the first INSERT works without an error or a warning, and the value is truncated:

INSERT INTO t1 (id,a) VALUES (1,242);
SELECT * FROM t1;
id	a	b	c
1	242	NULL	127

The following REPLACE fails, but it does change something anyway:

REPLACE INTO t1 (id) VALUES (1);
ERROR 22003: Out of range value for column 'c' at row 1
SELECT * FROM t1;
id	a	b	c
1	242	NULL	NULL

and finally the UPDATE works, again without a warning or an error, but the value of the virtual column remains NULL:

UPDATE t1 SET a = 1;
SELECT * FROM t1;
id	a	b	c
1	242	NULL	NULL
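The three sanitizer reports in this issue all have the same shape, and the part that matters for triage is small: the bug class, the first non-runtime frame of the faulting access, the first non-allocator frame of the allocation site, and the bracketed shadow byte. The following script is an added triage helper, not part of the original report or of MariaDB's own tooling. It parses that shape, cross-checks the "located N bytes inside" line against the addresses, recomputes the shadow address of the faulting byte and confirms it is the one ASan bracketed, and decodes the legend entry. The sample input is an abridged copy of the first (MyISAM) report above; the shadow mapping constant assumes a Linux x86_64 host (the default ASan layout), and the list of allocator wrappers to skip is taken from the frames that appear on this page. A shadow byte of `f7` ("poisoned by user") means the region was marked off-limits by the application itself through ASan's poisoning API rather than by the allocator, which is why this is reported as use-after-poison and not as a heap overflow.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: an abridged copy of the first (MyISAM) report in MDEV-24655,
# keeping only the lines a triage pass needs (frame numbers are the original ones).
SAMPLE_REPORT = """\
==1592797==ERROR: AddressSanitizer: use-after-poison on address 0x619000088555 at pc 0x7fb9d2f05dfd bp 0x7fb9c7c7fec0 sp 0x7fb9c7c7f668
READ of size 4 at 0x619000088555 thread T5
    #0 0x7fb9d2f05dfc  (/lib/x86_64-linux-gnu/libasan.so.5+0xdadfc)
    #1 0x558e7fcf9037 in Field::cmp_binary(unsigned char const*, unsigned char const*, unsigned int) /data/src/10.2/sql/field.h:1066
    #3 0x558e7fe130a5 in compare_record(TABLE const*) /data/src/10.2/sql/sql_update.cc:116

0x619000088555 is located 213 bytes inside of 1100-byte region [0x619000088480,0x6190000888cc)
allocated by thread T5 here:
    #0 0x7fb9d2f38bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x558e813c612c in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
    #3 0x558e8136f703 in alloc_root /data/src/10.2/mysys/my_alloc.c:243
    #4 0x558e8137109c in strmake_root /data/src/10.2/mysys/my_alloc.c:451
    #5 0x558e7fe53ff3 in open_table_from_share(THD*, TABLE_SHARE*, char const*, unsigned int, unsigned int, unsigned int, TABLE*, bool) /data/src/10.2/sql/table.cc:3097

Thread T5 created by T0 here:
    #0 0x7fb9d2e65805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)

SUMMARY: AddressSanitizer: use-after-poison (/lib/x86_64-linux-gnu/libasan.so.5+0xdadfc)
Shadow bytes around the buggy address:
  0x0c3280009090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c32800090a0: 00 f7 03 f7 00 00 03 00 00 03[f7]00 00 00 00 00
  0x0c32800090b0: f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

# Assumption: default ASan shadow mapping on Linux x86_64 (shadow = (addr >> 3) + offset).
SHADOW_OFFSET_X86_64 = 0x7FFF8000
# Legend as printed at the bottom of every ASan report; 01..07 are handled separately.
SHADOW_LEGEND = {"00": "addressable", "fa": "heap left redzone", "fd": "freed heap region",
                 "f1": "stack left redzone", "f2": "stack mid redzone", "f3": "stack right redzone",
                 "f5": "stack after return", "f8": "stack use after scope", "f9": "global redzone",
                 "f6": "global init order", "f7": "poisoned by user", "fc": "container overflow",
                 "ac": "array cookie", "bb": "intra object redzone", "fe": "ASan internal",
                 "ca": "left alloca redzone", "cb": "right alloca redzone", "cc": "shadow gap"}
# Frames whose location points into these are runtime/libc, not the program under test.
RUNTIME_MARKERS = ("libasan", "libc.so", "pthread_create.c")
# Allocator wrappers seen in the allocation stacks on this page; skipped to reach the real caller.
ALLOCATOR_WRAPPERS = frozenset({"malloc", "sf_malloc", "my_malloc", "alloc_root", "strmake_root", "memdup_root"})

HEADER_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+) thread (T\d+)")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+(?:in\s+)?(.+?)\s*$")
REGION_RE = re.compile(r"^(0x[0-9a-f]+) is located (\d+) bytes inside of (\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
SHADOW_ROW_RE = re.compile(r"^=>(0x[0-9a-f]+):(.*)$")


@dataclass
class Frame:
    index: int
    function: str   # symbol without its C++ parameter list; "" for an unsymbolized runtime frame
    location: str   # "file:line" or "(module+offset)"


@dataclass
class AsanReport:
    bug: str = ""
    address: int = 0
    access: str = ""
    size: int = 0
    thread: str = ""
    access_frames: list = field(default_factory=list)
    alloc_frames: list = field(default_factory=list)
    region_offset: int = -1
    region_size: int = -1
    region_start: int = 0
    shadow_row_base: int = 0
    shadow_row: list = field(default_factory=list)  # 16 two-digit hex strings
    shadow_marked: int = -1                          # index of the [..] byte in shadow_row


def _parse_frame(m) -> Frame:
    parts = m.group(2).rsplit(None, 1)                # "symbol(sig) location" -> two parts
    func, loc = ("", parts[0]) if len(parts) == 1 else parts
    return Frame(int(m.group(1)), func.split("(", 1)[0], loc)


def parse_asan_report(text: str) -> AsanReport:
    r, section = AsanReport(), None                   # section: which stack the frames belong to
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            r.bug, r.address = m.group(1), int(m.group(2), 16)
        elif m := ACCESS_RE.match(line):
            r.access, r.size, r.thread, section = m.group(1), int(m.group(2)), m.group(4), "access"
        elif m := REGION_RE.match(line):
            r.region_offset, r.region_size, r.region_start = int(m.group(2)), int(m.group(3)), int(m.group(4), 16)
        elif line.startswith("allocated by thread"):
            section = "alloc"
        elif m := FRAME_RE.match(line):
            if section == "access":
                r.access_frames.append(_parse_frame(m))
            elif section == "alloc":
                r.alloc_frames.append(_parse_frame(m))
        elif m := SHADOW_ROW_RE.match(line):
            cells = re.findall(r"(\[?)([0-9a-f]{2})\]?", m.group(2))
            r.shadow_row_base = int(m.group(1), 16)
            r.shadow_row = [b for _, b in cells]
            r.shadow_marked = next((i for i, (br, _) in enumerate(cells) if br), -1)
        elif not line.strip():
            section = None                            # blank line ends a stack ("Thread created" is ignored)
    return r


def first_project_frame(frames, skip=frozenset()):
    """First frame that is neither in the sanitizer/libc runtime nor in a skipped wrapper."""
    for f in frames:
        if any(mk in f.location for mk in RUNTIME_MARKERS) or f.function in skip:
            continue
        return f
    return None


def describe_shadow(byte: str) -> str:
    if byte in SHADOW_LEGEND:
        return SHADOW_LEGEND[byte]
    return f"partially addressable ({int(byte, 16)} bytes)" if byte in {"01", "02", "03", "04", "05", "06", "07"} else "unknown"


def shadow_consistent(r: AsanReport, offset: int = SHADOW_OFFSET_X86_64) -> bool:
    """Recompute the shadow byte index of the faulting address and compare with the bracketed one."""
    idx = (r.address >> 3) + offset - r.shadow_row_base
    return 0 <= idx < len(r.shadow_row) and idx == r.shadow_marked


def triage(text: str) -> dict:
    r = parse_asan_report(text)
    crash = first_project_frame(r.access_frames)
    alloc = first_project_frame(r.alloc_frames, ALLOCATOR_WRAPPERS)
    marked = r.shadow_row[r.shadow_marked] if r.shadow_marked >= 0 else ""
    return {"bug": r.bug, "access": f"{r.access} {r.size}", "thread": r.thread,
            "crash_site": f"{crash.function} {crash.location}" if crash else "",
            "alloc_site": f"{alloc.function} {alloc.location}" if alloc else "",
            "region_offset": r.region_offset, "region_size": r.region_size,
            "offset_consistent": r.address - r.region_start == r.region_offset,
            "shadow_meaning": describe_shadow(marked), "shadow_consistent": shadow_consistent(r)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Running it on the sample prints the crash site as `Field::cmp_binary /data/src/10.2/sql/field.h:1066`, the allocation site as `open_table_from_share /data/src/10.2/sql/table.cc:3097`, and confirms both the 213-byte offset and the bracketed `f7` shadow byte. Feeding it the non-debug trace from the comments gives `compare_record` as the crash site, since the inlined `Field::cmp_binary` frame is absent there; that is exactly the kind of difference a triage pass should surface before two reports are assumed to be distinct bugs.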



Comments
Comment by Elena Stepanova [ 2021-01-22 ]

Slightly less recognizable stack trace with a non-debug ASAN build:

10.2 29d9897f non-debug ASAN

==1593280==ERROR: AddressSanitizer: use-after-poison on address 0x6190000875ed at pc 0x7fd3110ebdfd bp 0x7fd305f548a0 sp 0x7fd305f54048
READ of size 4 at 0x6190000875ed thread T5
    #0 0x7fd3110ebdfc  (/lib/x86_64-linux-gnu/libasan.so.5+0xdadfc)
    #1 0x5569c8add1e7 in compare_record(TABLE const*) /data/src/10.2/sql/sql_update.cc:116
    #2 0x5569c8ae2a08 in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, enum_duplicates, bool, unsigned long long*, unsigned long long*) /data/src/10.2/sql/sql_update.cc:768
    #3 0x5569c8885a0b in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4033
    #4 0x5569c889733f in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
    #5 0x5569c88a08cb in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
    #6 0x5569c88a57a5 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
    #7 0x5569c8ba5776 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
    #8 0x5569c8ba5ebe in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #9 0x5569c9e72458 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
    #10 0x7fd310bb7608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
    #11 0x7fd310791292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
 
0x6190000875ed is located 109 bytes inside of 992-byte region [0x619000087580,0x619000087960)
allocated by thread T5 here:
    #0 0x7fd31111ebc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x5569c9f2ad96 in my_malloc /data/src/10.2/mysys/my_malloc.c:101
    #2 0x5569c9f165eb in alloc_root /data/src/10.2/mysys/my_alloc.c:243
    #3 0x5569c9f173a9 in strmake_root /data/src/10.2/mysys/my_alloc.c:451
    #4 0x5569c8b227b8 in open_table_from_share(THD*, TABLE_SHARE*, char const*, unsigned int, unsigned int, unsigned int, TABLE*, bool) /data/src/10.2/sql/table.cc:3097
    #5 0x5569c877df55 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.2/sql/sql_base.cc:1934
    #6 0x5569c8789651 in open_and_process_table /data/src/10.2/sql/sql_base.cc:3614
    #7 0x5569c8789651 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:4081
    #8 0x5569c878ab21 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:4880
    #9 0x5569c8833745 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.2/sql/sql_base.h:507
    #10 0x5569c8833745 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.2/sql/sql_insert.cc:758
    #11 0x5569c887f319 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4194
    #12 0x5569c889733f in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
    #13 0x5569c88a08cb in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
    #14 0x5569c88a57a5 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
    #15 0x5569c8ba5776 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
    #16 0x5569c8ba5ebe in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #17 0x5569c9e72458 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
    #18 0x7fd310bb7608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
 
Thread T5 created by T0 here:
    #0 0x7fd31104b805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
    #1 0x5569c9e7b43e in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1919
    #2 0x5569c867a6e2 in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1246
    #3 0x5569c867a6e2 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6567
    #4 0x5569c868ad43 in create_new_thread /data/src/10.2/sql/mysqld.cc:6637
    #5 0x5569c868ad43 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6895
    #6 0x5569c868d257 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6186
    #7 0x7fd3106960b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
 
SUMMARY: AddressSanitizer: use-after-poison (/lib/x86_64-linux-gnu/libasan.so.5+0xdadfc) 
Shadow bytes around the buggy address:
  0x0c3280008e60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c3280008e70: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c3280008e80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 fa fa fa fa
  0x0c3280008e90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280008ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c3280008eb0: 00 00 00 00 f7 03 f7 00 00 03 00 00 03[f7]00 00
  0x0c3280008ec0: 00 00 00 f7 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280008ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 00 00
  0x0c3280008ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280008ef0: 00 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00
  0x0c3280008f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1593280==ABORTING

Comment by Elena Stepanova [ 2021-02-18 ]

Same idea and likely the same root cause, although a totally different stack trace:

--source include/have_innodb.inc
 
CREATE TABLE t1 (a INT) ENGINE=InnoDB;
INSERT INTO t1 VALUES (1),(2);
 
CREATE TABLE t2 (b INT) ENGINE=InnoDB;
INSERT INTO t1 VALUES (3),(4);
 
CREATE TABLE t3 (
  pk INT,
  c INT,
  d TINYINT GENERATED ALWAYS AS (c) STORED,
  PRIMARY KEY (pk)
) ENGINE=InnoDB;
 
INSERT IGNORE INTO t3 (pk, c) VALUES (1,257),(2,258);
 
--error ER_WARN_DATA_OUT_OF_RANGE
REPLACE INTO t3 (pk, c) VALUES (3,NULL),(2,NULL);
 
UPDATE t1 JOIN t2 SET t2.b = NULL WHERE t2.b IN (SELECT c FROM t3);
 
# Cleanup
 
DROP TABLE t1, t2, t3;

10.2 5ecaf52d

==61035==ERROR: AddressSanitizer: use-after-poison on address 0x6190000dfe38 at pc 0x56308a3ef1ad bp 0x7fc0a9771930 sp 0x7fc0a9771920
READ of size 1 at 0x6190000dfe38 thread T27
    #0 0x56308a3ef1ac in Field::is_null_in_record(unsigned char const*) const /data/src/10.2/sql/field.h:1145
    #1 0x56308a3a19f7 in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, char const*, bool, bool) /data/src/10.2/sql/sql_select.cc:17208
    #2 0x56308a6dcc21 in setup_sj_materialization_part1(st_join_table*) /data/src/10.2/sql/opt_subselect.cc:3855
    #3 0x56308a372eac in make_outerjoin_info /data/src/10.2/sql/sql_select.cc:9859
    #4 0x56308a33263e in JOIN::optimize_inner() /data/src/10.2/sql/sql_select.cc:1664
    #5 0x56308a32c9e7 in JOIN::optimize() /data/src/10.2/sql/sql_select.cc:1118
    #6 0x56308a348073 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3823
    #7 0x56308a514bd3 in mysql_multi_update(THD*, TABLE_LIST*, List<Item>*, List<Item>*, Item*, unsigned long long, enum_duplicates, bool, st_select_lex_unit*, st_select_lex*, multi_update**) /data/src/10.2/sql/sql_update.cc:1641
    #8 0x56308a28bdfb in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4109
    #9 0x56308a2a5169 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
    #10 0x56308a27e1ae in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
    #11 0x56308a27af6d in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
    #12 0x56308a603924 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
    #13 0x56308a6031e7 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #14 0x56308b99faab in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
    #15 0x7fc0c0314608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
    #16 0x7fc0bfeee292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
 
0x6190000dfe38 is located 440 bytes inside of 1100-byte region [0x6190000dfc80,0x6190000e00cc)
allocated by thread T27 here:
    #0 0x7fc0c087bbc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x56308babc606 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
    #2 0x56308ba8856b in my_malloc /data/src/10.2/mysys/my_malloc.c:101
    #3 0x56308ba65bdd in alloc_root /data/src/10.2/mysys/my_alloc.c:243
    #4 0x56308ba67613 in memdup_root /data/src/10.2/mysys/my_alloc.c:464
    #5 0x56308a53a5f2 in TABLE_SHARE::init_from_binary_frm_image(THD*, bool, unsigned char const*, unsigned long) /data/src/10.2/sql/table.cc:1288
    #6 0x56308a535fb7 in open_table_def(THD*, TABLE_SHARE*, unsigned int) /data/src/10.2/sql/table.cc:684
    #7 0x56308a787e75 in tdc_acquire_share(THD*, TABLE_LIST*, unsigned int, TABLE**) /data/src/10.2/sql/table_cache.cc:826
    #8 0x56308a15f134 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.2/sql/sql_base.cc:1797
    #9 0x56308a167c82 in open_and_process_table /data/src/10.2/sql/sql_base.cc:3614
    #10 0x56308a16a05c in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:4081
    #11 0x56308a16dbe2 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:4880
    #12 0x56308a0e4db1 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.2/sql/sql_base.h:507
    #13 0x56308a223abd in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.2/sql/sql_insert.cc:758
    #14 0x56308a28c50f in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4194
    #15 0x56308a2a5169 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
    #16 0x56308a27e1ae in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
    #17 0x56308a27af6d in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
    #18 0x56308a603924 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
    #19 0x56308a6031e7 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #20 0x56308b99faab in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
    #21 0x7fc0c0314608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
 
Thread T27 created by T0 here:
    #0 0x7fc0c07a8805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
    #1 0x56308b99fe9c in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1919
    #2 0x56308a020083 in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1246
    #3 0x56308a037c54 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6573
    #4 0x56308a0383ef in create_new_thread /data/src/10.2/sql/mysqld.cc:6643
    #5 0x56308a039581 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6901
    #6 0x56308a036fa5 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6192
    #7 0x56308a01e93c in main /data/src/10.2/sql/main.cc:25
    #8 0x7fc0bfdf30b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
 
SUMMARY: AddressSanitizer: use-after-poison /data/src/10.2/sql/field.h:1145 in Field::is_null_in_record(unsigned char const*) const
Shadow bytes around the buggy address:
  0x0c3280013f70: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c3280013f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280013f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280013fa0: 00 f7 00 00 f7 01 f7 00 00 00 00 00 00 00 00 00
  0x0c3280013fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3280013fc0: 00 02 f7 00 f7 00 02[f7]01 f7 00 00 00 00 00 00
  0x0c3280013fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280013fe0: 00 f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280013ff0: 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 00
  0x0c3280014000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280014010: 00 00 00 00 00 f7 00 00 f7 04 fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==61035==ABORTING

Comment by Elena Stepanova [ 2021-06-07 ]

It was fixed by the patch for MDEV-24583 (at least all test cases from the description and comments stopped failing after that patch, and the bug itself looks very related).

Generated at Thu Feb 08 09:31:38 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.