[MDEV-29748] ASAN errors or server crash in File_parser::parse upon concurrent view operations Created: 2022-10-08  Updated: 2022-10-24  Resolved: 2022-10-24

Status: Closed
Project: MariaDB Server
Component/s: Views
Affects Version/s: 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10
Fix Version/s: 10.3.37, 10.4.27, 10.5.18, 10.6.11, 10.7.7, 10.8.6, 10.9.4, 10.10.2

Type: Bug Priority: Blocker
Reporter: Elena Stepanova Assignee: Oleksandr Byelkin
Resolution: Fixed Votes: 0
Labels: regression


 Description   

The test case is for reproducing purposes only, don't put it into the regression suite! Create a deterministic one instead.

--delimiter $$
# con1: re-create the view in a tight loop so its definition keeps changing
--connect (con1,localhost,root,,)
--let $con1id= `SELECT CONNECTION_ID()`
--send
  LOOP
    CREATE OR REPLACE VIEW v AS SELECT 'x' AS a;
  END LOOP $$
 
# con2: keep opening the view for UPDATE; the handler swallows the errors
# caused by the concurrent re-creation so the loop never stops
--connect (con2,localhost,root,,)
--let $con2id= `SELECT CONNECTION_ID()`
--send
  BEGIN NOT ATOMIC
    DECLARE CONTINUE HANDLER FOR SQLEXCEPTION BEGIN END;
    LOOP
      UPDATE v SET a = 'x';
    END LOOP;
  END $$
 
# default connection: read the view repeatedly while the other two race
--connection default
--delimiter ;
--let $run= 10000
while ($run)
{
  SELECT * FROM v;
  --dec $run
}
 
# Cleanup: stop both loops, then drop the view
--eval KILL $con1id
--eval KILL $con2id
DROP VIEW IF EXISTS v;

10.3 d099bcad

==3858398==ERROR: AddressSanitizer: use-after-poison on address 0x61900015887b at pc 0x55a948b42569 bp 0x7fd439e0e770 sp 0x7fd439e0e768
WRITE of size 1 at 0x61900015887b thread T7
    #0 0x55a948b42568 in File_parser::parse(unsigned char*, st_mem_root*, File_option*, unsigned int, Unknown_key_hook*) const /data/src/10.3/sql/parse_file.cc:845
    #1 0x55a94909b7f5 in mariadb_view_version_get(TABLE_SHARE*) /data/src/10.3/sql/sql_view.cc:1186
    #2 0x55a94909be8d in mysql_make_view(THD*, TABLE_SHARE*, TABLE_LIST*, bool) /data/src/10.3/sql/sql_view.cc:1256
    #3 0x55a948c660b4 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.3/sql/sql_base.cc:1911
    #4 0x55a948c6f99d in open_and_process_table /data/src/10.3/sql/sql_base.cc:3733
    #5 0x55a948c71fe1 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:4208
    #6 0x55a948d31238 in open_tables(THD*, TABLE_LIST**, unsigned int*, unsigned int) /data/src/10.3/sql/sql_base.h:473
    #7 0x55a94907a98d in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*) /data/src/10.3/sql/sql_update.cc:354
    #8 0x55a948ddca5b in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4344
    #9 0x55a948bc76a3 in sp_instr_stmt::exec_core(THD*, unsigned int*) /data/src/10.3/sql/sp_head.cc:3708
    #10 0x55a948bc5e7e in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) /data/src/10.3/sql/sp_head.cc:3438
    #11 0x55a948bc6e4c in sp_instr_stmt::execute(THD*, unsigned int*) /data/src/10.3/sql/sp_head.cc:3614
    #12 0x55a948bb8bd6 in sp_head::execute(THD*, bool) /data/src/10.3/sql/sp_head.cc:1377
    #13 0x55a948bbea3d in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.3/sql/sp_head.cc:2404
    #14 0x55a948dd3960 in do_execute_sp /data/src/10.3/sql/sql_parse.cc:3019
    #15 0x55a948de6eeb in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:5693
    #16 0x55a948df5607 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7855
    #17 0x55a948dccc55 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852
    #18 0x55a948dc980d in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398
    #19 0x55a94918ca81 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
    #20 0x55a94918c37d in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
    #21 0x55a94a737e9e in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
    #22 0x7fd444bcdea6 in start_thread nptl/pthread_create.c:477
    #23 0x7fd444aedaee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfcaee)
 
0x61900015887b is located 507 bytes inside of 992-byte region [0x619000158680,0x619000158a60)
allocated by thread T7 here:
    #0 0x7fd445470e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55a94a84c1ba in my_malloc /data/src/10.3/mysys/my_malloc.c:101
    #2 0x55a94a828f79 in alloc_root /data/src/10.3/mysys/my_alloc.c:251
    #3 0x55a948b26a45 in Sql_alloc::operator new(unsigned long, st_mem_root*) /data/src/10.3/sql/sql_alloc.h:39
    #4 0x55a948b402e5 in sql_parse_prepare(st_mysql_const_lex_string const*, st_mem_root*, bool) /data/src/10.3/sql/parse_file.cc:425
    #5 0x55a9490abd62 in open_table_def(THD*, TABLE_SHARE*, unsigned int) /data/src/10.3/sql/table.cc:632
    #6 0x55a94936a95a in tdc_acquire_share(THD*, TABLE_LIST*, unsigned int, TABLE**) /data/src/10.3/sql/table_cache.cc:840
    #7 0x55a948c65d23 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.3/sql/sql_base.cc:1859
    #8 0x55a948c6f99d in open_and_process_table /data/src/10.3/sql/sql_base.cc:3733
    #9 0x55a948c71fe1 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:4208
    #10 0x55a948d31238 in open_tables(THD*, TABLE_LIST**, unsigned int*, unsigned int) /data/src/10.3/sql/sql_base.h:473
    #11 0x55a94907a98d in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*) /data/src/10.3/sql/sql_update.cc:354
    #12 0x55a948ddca5b in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4344
    #13 0x55a948bc76a3 in sp_instr_stmt::exec_core(THD*, unsigned int*) /data/src/10.3/sql/sp_head.cc:3708
    #14 0x55a948bc5e7e in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) /data/src/10.3/sql/sp_head.cc:3438
    #15 0x55a948bc6e4c in sp_instr_stmt::execute(THD*, unsigned int*) /data/src/10.3/sql/sp_head.cc:3614
    #16 0x55a948bb8bd6 in sp_head::execute(THD*, bool) /data/src/10.3/sql/sp_head.cc:1377
    #17 0x55a948bbea3d in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.3/sql/sp_head.cc:2404
    #18 0x55a948dd3960 in do_execute_sp /data/src/10.3/sql/sql_parse.cc:3019
    #19 0x55a948de6eeb in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:5693
    #20 0x55a948df5607 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7855
    #21 0x55a948dccc55 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852
    #22 0x55a948dc980d in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398
    #23 0x55a94918ca81 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
    #24 0x55a94918c37d in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
    #25 0x55a94a737e9e in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
    #26 0x7fd444bcdea6 in start_thread nptl/pthread_create.c:477
 
Thread T7 created by T0 here:
    #0 0x7fd44541c2a2 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:214
    #1 0x55a94a73828b in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1919
    #2 0x55a948b01d76 in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1275
    #3 0x55a948b19f39 in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6668
    #4 0x55a948b1a699 in create_new_thread /data/src/10.3/sql/mysqld.cc:6738
    #5 0x55a948b1b7f2 in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6996
    #6 0x55a948b192b9 in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6290
    #7 0x55a948b00604 in main /data/src/10.3/sql/main.cc:25
    #8 0x7fd444a14d09 in __libc_start_main ../csu/libc-start.c:308
 
SUMMARY: AddressSanitizer: use-after-poison /data/src/10.3/sql/parse_file.cc:845 in File_parser::parse(unsigned char*, st_mem_root*, File_option*, unsigned int, Unknown_key_hook*) const
Shadow bytes around the buggy address:
  0x0c32800230b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c32800230c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c32800230d0: 00 00 00 00 f7 00 00 00 00 00 f7 00 00 00 00 00
  0x0c32800230e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c32800230f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3280023100: 00 00 00 00 00 00 00 04 f7 00 00 04 f7 00 00[03]
  0x0c3280023110: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c3280023120: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c3280023130: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c3280023140: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 fa fa fa fa
  0x0c3280023150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3858398==ABORTING

The failure started happening on 10.3 after this commit:

commit f65ba9aeb7eea75656c74da7c20cb4157cb8d943 98e62e631706f982a6b0e3a63909fa96f98aac5a
Author:     Oleksandr Byelkin
AuthorDate: Wed Apr 17 15:50:59 2019 +0200
Commit:     Oleksandr Byelkin
CommitDate: Fri Sep 30 12:11:37 2022 +0200
 
    MDEV-17124: mariadb 10.1.34, views and prepared statements:  ERROR 1615 (HY000): Prepared statement needs to be re-prepared
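What the report above says, in triage terms: ASan flagged a one-byte WRITE in File_parser::parse into a 992-byte block that alloc_root (the MEM_ROOT allocator) had obtained through my_malloc, and the kind is use-after-poison rather than heap-buffer-overflow or use-after-free. The kind follows from the shadow dump: the bracketed shadow byte is 03, so only the first three bytes of that 8-byte granule are addressable; the faulting address ends in 0x7b, which is byte 3 of the granule, and the next shadow byte is f7, "Poisoned by user". The write therefore landed in arena memory that the server's own allocator had marked unusable, which is what a second thread allocating from or resetting the same MEM_ROOT would produce. The Python script below is an added example, not part of the ticket or of MariaDB: it parses a trimmed copy of the report above (embedded as sample input) and re-derives those facts, including the partial-granule rule, so the same triage can be applied to other sanitizer reports.

```python
"""Triage an AddressSanitizer report such as the one in this ticket.
Added example (not MariaDB code): extracts the fields a triager needs and
re-derives the bug kind from the shadow bytes the report prints."""
import re

# Trimmed copy of the report above, used as sample input for this example.
SAMPLE_REPORT = """\
==3858398==ERROR: AddressSanitizer: use-after-poison on address 0x61900015887b at pc 0x55a948b42569 bp 0x7fd439e0e770 sp 0x7fd439e0e768
WRITE of size 1 at 0x61900015887b thread T7
    #0 0x55a948b42568 in File_parser::parse(unsigned char*, st_mem_root*, File_option*, unsigned int, Unknown_key_hook*) const /data/src/10.3/sql/parse_file.cc:845
    #1 0x55a94909b7f5 in mariadb_view_version_get(TABLE_SHARE*) /data/src/10.3/sql/sql_view.cc:1186

0x61900015887b is located 507 bytes inside of 992-byte region [0x619000158680,0x619000158a60)
allocated by thread T7 here:
    #0 0x7fd445470e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55a94a84c1ba in my_malloc /data/src/10.3/mysys/my_malloc.c:101
    #2 0x55a94a828f79 in alloc_root /data/src/10.3/mysys/my_alloc.c:251

Shadow bytes around the buggy address:
=>0x0c3280023100: 00 00 00 00 00 00 00 04 f7 00 00 04 f7 00 00[03]
  0x0c3280023110: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
"""

# Subset of ASan's shadow-byte legend (one shadow byte covers 8 application bytes).
SHADOW_KIND = {
    0x00: "addressable", 0xfa: "heap left redzone", 0xfd: "freed heap region",
    0xf1: "stack left redzone", 0xf3: "stack right redzone", 0xf5: "stack after return",
    0xf8: "stack use after scope", 0xf9: "global redzone", 0xf7: "poisoned by user",
}

HEADER_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
REGION_RE = re.compile(r"^0x[0-9a-f]+ is located (\d+) bytes inside of (\d+)-byte region")
# C++ symbols contain spaces and parentheses, so the location is the last whitespace-free token.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(.*?)\s+(\S+)\s*$")
SHADOW_LINE_RE = re.compile(r"^(=>)?\s*0x[0-9a-f]+:(.*)$")


def parse_asan_report(text):
    """Split the report into header fields, the access and allocation stacks, and the shadow dump."""
    info = {"frames": [], "alloc_frames": [], "shadow": [], "shadow_idx": None}
    section = "frames"  # the access stack comes first and is unlabelled
    for ln in text.splitlines():
        if m := HEADER_RE.match(ln):
            info["kind"], info["address"] = m.group(1), int(m.group(2), 16)
        elif m := ACCESS_RE.match(ln):
            info["access"], info["size"], info["thread"] = m.group(1), int(m.group(2)), m.group(3)
        elif m := REGION_RE.match(ln):
            info["offset"], info["region_size"] = int(m.group(1)), int(m.group(2))
        elif ln.startswith("allocated by thread"):
            section = "alloc_frames"
        elif ln.startswith("Shadow bytes around"):
            section = "shadow"
        elif section != "shadow" and (m := FRAME_RE.match(ln)):
            loc = re.match(r"^(.*):(\d+)$", m.group(3))
            info[section].append({"n": int(m.group(1)), "func": m.group(2),
                                  "file": loc.group(1) if loc else m.group(3),
                                  "line": int(loc.group(2)) if loc else None})
        elif section == "shadow" and (m := SHADOW_LINE_RE.match(ln)):
            for b in re.finditer(r"(\[)?([0-9a-f]{2})(\])?", m.group(2)):
                if b.group(1):  # the bracketed byte is the granule holding the faulting address
                    info["shadow_idx"] = len(info["shadow"])
                info["shadow"].append(int(b.group(2), 16))
    return info


def classify_from_shadow(info):
    """Re-derive the bug kind the way ASan does: a shadow value 1..7 means only that
    many leading bytes of the 8-byte granule are addressable, so a fault past them
    takes its kind from the *next* shadow byte."""
    shadow, idx = info["shadow"], info["shadow_idx"]
    byte_in_granule = info["address"] & 7
    value = shadow[idx]
    if 1 <= value <= 7 and byte_in_granule >= value:
        value = shadow[idx + 1]
    return SHADOW_KIND.get(value, "unknown (0x%02x)" % value), byte_in_granule


def triage(text):
    """Return the handful of facts a triager wants from the whole report."""
    info = parse_asan_report(text)
    shadow_kind, byte_in_granule = classify_from_shadow(info)
    # First allocation frame that is not the sanitizer's own malloc interceptor.
    alloc_site = next(f for f in info["alloc_frames"] if not f["func"].startswith("__interceptor_"))
    return {
        "kind": info["kind"], "access": info["access"], "size": info["size"],
        "thread": info["thread"], "fault": info["frames"][0], "alloc_site": alloc_site,
        "region": (info["offset"], info["region_size"]),
        "shadow_kind": shadow_kind, "byte_in_granule": byte_in_granule,
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_REPORT).items():
        print(f"{key:16} {val}")
```

On this report the script yields fault = File_parser::parse at parse_file.cc:845, allocation site = my_malloc called from alloc_root, offset 507 of a 992-byte region, and shadow kind "poisoned by user" for byte 3 of the granule; a heap overflow would instead resolve to a redzone byte (fa) and a use-after-free to fd, which is the quickest way to tell an arena-sharing race like this one from an ordinary bounds bug.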



 Comments   
Comment by Oleksandr Byelkin [ 2022-10-12 ]

Cannot repeat with --rr, repeatable with --debug.

Comment by Oleksandr Byelkin [ 2022-10-12 ]

The problem was that 2 threads used the same MEM_ROOT simultaneously.

Comment by Oleksandr Byelkin [ 2022-10-12 ]

commit 19772f9c277cf6953c4fc4302276b390ab39c871 (HEAD -> bb-10.3-MDEV-29748, origin/bb-10.3-MDEV-29748)
Author: Oleksandr Byelkin <sanja@mariadb.com>
Date:   Wed Oct 12 15:59:46 2022 +0200
 
    MDEV-29748 ASAN errors or server crash in File_parser::parse upon concurrent view operations
    
    Prevent simultaneous access to a view table SHARE (and so its MEM_ROOT) from different threads.

Comment by Oleksandr Byelkin [ 2022-10-18 ]

commit 39e20ca7e288aeb0dc732e3d107e81852ca0b04b (HEAD -> bb-10.3-MDEV-29748, origin/bb-10.3-MDEV-29748)
Author: Oleksandr Byelkin <sanja@mariadb.com>
Date:   Wed Oct 12 15:59:46 2022 +0200
 
    MDEV-29748 ASAN errors or server crash in File_parser::parse upon concurrent view operations
    
    Read the version of the view share when we read definition to prevent
    simultaneous access to a view table SHARE (and so its MEM_ROOT)
    from different threads.

Comment by Sergei Golubchik [ 2022-10-24 ]

39e20ca7e28 is ok to push

Generated at Thu Feb 08 10:11:00 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.