[MDEV-27309] Server crash or ASAN memcpy-param-overlap upon INSERT into Aria/MyISAM table with DESC key Created: 2021-12-19  Updated: 2022-01-26  Resolved: 2022-01-26

Status: Closed
Project: MariaDB Server
Component/s: Server
Affects Version/s: N/A
Fix Version/s: 10.8.1

Type: Bug
Priority: Blocker
Reporter: Elena Stepanova
Assignee: Sergei Golubchik
Resolution: Fixed
Votes: 0
Labels: None
Environment:

preview-10.8-MDEV-13756-desc-indexes d6fa6e0a

Issue Links:
Problem/Incident
is caused by MDEV-13756 Implement descending index: KEY (a DE... Closed
Relates
relates to MDEV-27303 Table corruption after insert into a ... Closed

Description

Hopefully it has the same root cause and will be fixed together with MDEV-27303, but I'm not entirely sure.

CREATE TABLE t1 (id INT, c BINARY(80), PRIMARY KEY(id)) ENGINE=Aria;
ALTER TABLE t1 ADD KEY(c DESC, id);
INSERT INTO t1 VALUES (1,NULL),(2,''),(3,'');

# Cleanup
DROP TABLE t1;

preview-10.8-MDEV-13756-desc-indexes d6fa6e0a

==226322==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x7fe8749ea687,0x7fe8749fa683) and [0x7fe8749eb4af, 0x7fe8749fb4ab) overlap
    #0 0x87ef14 in __asan_memcpy (/mnt-hd8t/bld/10.8-desc-indexes-asan/bin/mariadbd+0x87ef14)
    #1 0x225fdac in _ma_get_pack_key /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/maria/ma_search.c:1098:2
    #2 0x225727b in _ma_seq_search /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/maria/ma_search.c:389:12
    #3 0x2322cd6 in w_search /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/maria/ma_write.c:646:9
    #4 0x2321fb3 in _ma_ck_real_write_btree /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/maria/ma_write.c:532:15
    #5 0x233a0f8 in _ma_ck_write_btree_with_log /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/maria/ma_write.c:498:10
    #6 0x2321b85 in _ma_ck_write_btree /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/maria/ma_write.c:456:10
    #7 0x232121d in _ma_ck_write /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/maria/ma_write.c:441:3
    #8 0x231e30b in maria_write /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/maria/ma_write.c:189:16
    #9 0x211c2c9 in ha_maria::write_row(unsigned char const*) /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/maria/ha_maria.cc:1271:10
    #10 0x19f79cc in handler::ha_write_row(unsigned char const*) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/handler.cc:7516:3
    #11 0xcf54f3 in write_record(THD*, TABLE*, st_copy_info*, select_result*) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/sql_insert.cc:2156:12
    #12 0xce7baa in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/sql_insert.cc:1127:14
    #13 0xdfee33 in mysql_execute_command(THD*, bool) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/sql_parse.cc:4563:10
    #14 0xde008a in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/sql_parse.cc:8028:18
    #15 0xdd8dcb in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/sql_parse.cc:1894:7
    #16 0xde2da5 in do_command(THD*, bool) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/sql_parse.cc:1402:17
    #17 0x140e6f5 in do_handle_one_connection(CONNECT*, bool) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/sql_connect.cc:1418:11
    #18 0x140dd23 in handle_one_connection /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/sql_connect.cc:1312:5
    #19 0x24eddf7 in pfs_spawn_thread /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/perfschema/pfs.cc:2201:3
    #20 0x7fe87e134608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
    #21 0x7fe87de4b292 in clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
 
Address 0x7fe8749ea687 is located in stack of thread T5 at offset 71 in frame
    #0 0x2256b2f in _ma_seq_search /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/maria/ma_search.c:367
 
  This frame has 5 object(s):
    [32, 40) 'not_used' (line 369)
    [64, 2579) 't_buff' (line 370) <== Memory access at offset 71 partially overflows this variable
    [2720, 2728) 'page' (line 371) <== Memory access at offset 71 partially underflows this variable
    [2752, 2784) 'tmp_key' (line 374) <== Memory access at offset 71 partially underflows this variable
    [2816, 2848) '_db_stack_frame_' (line 375) <== Memory access at offset 71 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
Thread T5 created by T0 here:
    #0 0x86a97a in pthread_create (/mnt-hd8t/bld/10.8-desc-indexes-asan/bin/mariadbd+0x86a97a)
    #1 0x24ee48c in my_thread_create(unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/perfschema/my_thread.h:48:10
    #2 0x24ee416 in pfs_spawn_thread_v1 /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/perfschema/pfs.cc:2252:15
    #3 0x8b8e52 in inline_mysql_thread_create(unsigned int, unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /data/src/preview-10.8-MDEV-13756-desc-indexes/include/mysql/psi/mysql_thread.h:1139:11
    #4 0x8c9354 in create_thread_to_handle_connection(CONNECT*) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/mysqld.cc:5965:19
    #5 0x8c9c83 in create_new_thread(CONNECT*) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/mysqld.cc:6024:3
    #6 0x8ca386 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/mysqld.cc:6086:5
    #7 0x8c8122 in handle_connections_sockets() /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/mysqld.cc:6210:9
    #8 0x8bcd2a in mysqld_main(int, char**) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/mysqld.cc:5860:3
    #9 0x8b1c41 in main /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/main.cc:34:10
    #10 0x7fe87dd500b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
 
Address 0x7fe8749eb4af is located in stack of thread T5 at offset 3695 in frame
    #0 0x2256b2f in _ma_seq_search /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/maria/ma_search.c:367
 
  This frame has 5 object(s):
    [32, 40) 'not_used' (line 369)
    [64, 2579) 't_buff' (line 370)
    [2720, 2728) 'page' (line 371)
    [2752, 2784) 'tmp_key' (line 374)
    [2816, 2848) '_db_stack_frame_' (line 375) <== Memory access at offset 3695 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: memcpy-param-overlap (/mnt-hd8t/bld/10.8-desc-indexes-asan/bin/mariadbd+0x87ef14) in __asan_memcpy

Same but with MyISAM:

==226682==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x7f57cc655ec7,0x7f57cc665ec3) and [0x7f57cc656741, 0x7f57cc66673d) overlap
    #0 0x87ef14 in __asan_memcpy (/mnt-hd8t/bld/10.8-desc-indexes-asan/bin/mariadbd+0x87ef14)
    #1 0x33e5a07 in _mi_get_pack_key /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/myisam/mi_search.c:857:2
    #2 0x33deb05 in _mi_seq_search /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/myisam/mi_search.c:264:12
    #3 0x3404268 in w_search /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/myisam/mi_write.c:359:8
    #4 0x3403b68 in _mi_ck_real_write_btree /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/myisam/mi_write.c:299:14
    #5 0x34036d5 in _mi_ck_write_btree /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/myisam/mi_write.c:279:9
    #6 0x3402e5f in _mi_ck_write /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/myisam/mi_write.c:250:5
    #7 0x3400fe7 in mi_write /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/myisam/mi_write.c:125:13
    #8 0x32db8e9 in ha_myisam::write_row(unsigned char const*) /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/myisam/ha_myisam.cc:954:10
    #9 0x19f79cc in handler::ha_write_row(unsigned char const*) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/handler.cc:7516:3
    #10 0xcf54f3 in write_record(THD*, TABLE*, st_copy_info*, select_result*) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/sql_insert.cc:2156:12
    #11 0xce7baa in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/sql_insert.cc:1127:14
    #12 0xdfee33 in mysql_execute_command(THD*, bool) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/sql_parse.cc:4563:10
    #13 0xde008a in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/sql_parse.cc:8028:18
    #14 0xdd8dcb in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/sql_parse.cc:1894:7
    #15 0xde2da5 in do_command(THD*, bool) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/sql_parse.cc:1402:17
    #16 0x140e6f5 in do_handle_one_connection(CONNECT*, bool) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/sql_connect.cc:1418:11
    #17 0x140dd23 in handle_one_connection /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/sql_connect.cc:1312:5
    #18 0x24eddf7 in pfs_spawn_thread /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/perfschema/pfs.cc:2201:3
    #19 0x7f57d5d92608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
    #20 0x7f57d5aa9292 in clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
 
Address 0x7f57cc655ec7 is located in stack of thread T5 at offset 103 in frame
    #0 0x33de43f in _mi_seq_search /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/myisam/mi_search.c:251
 
  This frame has 4 object(s):
    [32, 40) 'page.addr'
    [64, 72) 'not_used' (line 253)
    [96, 1304) 't_buff' (line 254) <== Memory access at offset 103 partially overflows this variable
    [1440, 1472) '_db_stack_frame_' (line 255) <== Memory access at offset 103 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
Thread T5 created by T0 here:
    #0 0x86a97a in pthread_create (/mnt-hd8t/bld/10.8-desc-indexes-asan/bin/mariadbd+0x86a97a)
    #1 0x24ee48c in my_thread_create(unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/perfschema/my_thread.h:48:10
    #2 0x24ee416 in pfs_spawn_thread_v1 /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/perfschema/pfs.cc:2252:15
    #3 0x8b8e52 in inline_mysql_thread_create(unsigned int, unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /data/src/preview-10.8-MDEV-13756-desc-indexes/include/mysql/psi/mysql_thread.h:1139:11
    #4 0x8c9354 in create_thread_to_handle_connection(CONNECT*) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/mysqld.cc:5965:19
    #5 0x8c9c83 in create_new_thread(CONNECT*) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/mysqld.cc:6024:3
    #6 0x8ca386 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/mysqld.cc:6086:5
    #7 0x8c8122 in handle_connections_sockets() /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/mysqld.cc:6210:9
    #8 0x8bcd2a in mysqld_main(int, char**) /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/mysqld.cc:5860:3
    #9 0x8b1c41 in main /data/src/preview-10.8-MDEV-13756-desc-indexes/sql/main.cc:34:10
    #10 0x7f57d59ae0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
 
Address 0x7f57cc656741 is located in stack of thread T5 at offset 2273 in frame
    #0 0x33de43f in _mi_seq_search /data/src/preview-10.8-MDEV-13756-desc-indexes/storage/myisam/mi_search.c:251
 
  This frame has 4 object(s):
    [32, 40) 'page.addr'
    [64, 72) 'not_used' (line 253)
    [96, 1304) 't_buff' (line 254)
    [1440, 1472) '_db_stack_frame_' (line 255) <== Memory access at offset 2273 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: memcpy-param-overlap (/mnt-hd8t/bld/10.8-desc-indexes-asan/bin/mariadbd+0x87ef14) in __asan_memcpy

Non-ASAN builds (debug and non-debug) crash, usually with half-baked stack traces.
InnoDB seems all right.
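The defect ASAN is flagging in both traces is the same: `_ma_get_pack_key` / `_mi_get_pack_key` unpacks a prefix-compressed key with memcpy whose source and destination both lie inside the single `t_buff` of the calling `_ma_seq_search` / `_mi_seq_search` frame, so the two ranges overlap, and the reported range length (0x7fe8749fa683 - 0x7fe8749ea687 = 0xfffc bytes against a 2515-byte `t_buff`) shows the copy length is already wrong, which is why non-ASAN builds simply crash. The following is an added example, not MariaDB's code: a simplified prefix-compressed key unpacker that performs the same overlap test ASAN's memcpy interceptor does, bounds-checks the copy against the output buffer, and uses memmove for the prefix so that an aliased output buffer is still well defined. The key layout (prefix reused from the previous key, then a literal suffix) and the names `ranges_overlap`, `unpack_key` and `self_test` are assumptions for illustration, not the real Aria/MyISAM packed-key format.

```c
/* Added example, not MariaDB code: models the memcpy-param-overlap reported
 * above. Prefix-compressed keys reuse the first prefix_len bytes of the
 * previous key and store only the remaining suffix. If the unpacker's output
 * buffer aliases the previous key (one t_buff for both, as in the trace),
 * memcpy's no-overlap contract is violated. The key layout here is a
 * simplification, not the real Aria/MyISAM packed-key format. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The test ASAN's memcpy interceptor performs: do [a,a+n) and [b,b+n) share
 * a byte? Compared as integers so two unrelated objects can be checked. */
int ranges_overlap(const void *a, const void *b, size_t n)
{
    uintptr_t x = (uintptr_t)a, y = (uintptr_t)b;
    if (n == 0)
        return 0;
    return x < y + n && y < x + n;
}

struct unpack_result {
    size_t len;   /* bytes written to out, 0 on a rejected request */
    int aliased;  /* 1 if out overlapped prev_key (UB had memcpy been used) */
};

/* Hypothetical unpacker: out = prev_key[0..prefix_len) ++ suffix[0..suffix_len).
 * Lengths are checked against out_cap before any byte is written, which is
 * the check a corrupted packed length (as in the 0xfffc-byte copy above)
 * would trip. memmove is used for the prefix because out may legitimately
 * alias prev_key (unpack in place); the aliased flag makes that observable. */
struct unpack_result unpack_key(const uint8_t *prev_key, size_t prefix_len,
                                const uint8_t *suffix, size_t suffix_len,
                                uint8_t *out, size_t out_cap)
{
    struct unpack_result r = { 0, 0 };
    if (prefix_len > out_cap || suffix_len > out_cap - prefix_len)
        return r;                                   /* would overflow out */
    r.aliased = ranges_overlap(out, prev_key, prefix_len);
    memmove(out, prev_key, prefix_len);             /* safe even when aliased */
    memcpy(out + prefix_len, suffix, suffix_len);   /* suffix is a separate buffer */
    r.len = prefix_len + suffix_len;
    return r;
}

/* Exercises the disjoint case, the shifted-alias case (output starting one
 * byte inside the previous key, like the overlapping ranges in the trace),
 * the in-place case, and an oversized length. Returns 1 when every case
 * behaved as expected. Sample bytes are constructed for the example. */
int self_test(void)
{
    uint8_t buf[16] = "abcdef";
    uint8_t out[16];
    struct unpack_result r;

    r = unpack_key(buf, 3, (const uint8_t *)"XY", 2, out, sizeof out);
    if (r.len != 5 || r.aliased != 0 || memcmp(out, "abcXY", 5) != 0)
        return 0;

    r = unpack_key(buf, 3, (const uint8_t *)"XY", 2, buf + 1, sizeof buf - 1);
    if (r.len != 5 || r.aliased != 1 || memcmp(buf + 1, "abcXY", 5) != 0)
        return 0;

    memcpy(buf, "abcdef", 6);
    r = unpack_key(buf, 3, (const uint8_t *)"XY", 2, buf, sizeof buf);
    if (r.len != 5 || r.aliased != 1 || memcmp(buf, "abcXY", 5) != 0)
        return 0;

    r = unpack_key(buf, 10, (const uint8_t *)"XY", 2, out, 8);  /* too long */
    return r.len == 0;
}

int main(void)
{
    printf("%s\n", self_test() ? "all cases ok" : "FAILED");
    return 0;
}
```

Under a sanitizer build the original memcpy version of the aliased cases is exactly what produces a memcpy-param-overlap report; the memmove plus the explicit bound check turn both the aliasing and the bad length into defined, testable outcomes instead of a crash.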

Comments
Comment by Sergei Golubchik [ 2021-12-20 ]

No, that's a very different one.

Comment by Sergei Golubchik [ 2021-12-20 ]

pushed into preview-10.8-MDEV-13756-desc-indexes

Generated at Thu Feb 08 09:51:56 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.