[MDEV-29963] SIGSEGV in spider_db_mbase::append_lock_tables on LOCK TABLES

Created: 2022-11-07
Updated: 2023-11-22
Resolved: 2023-11-17

Status: Closed
Project: MariaDB Server
Component/s: Locking, Storage Engine - Spider
Affects Version/s: 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10, 10.11, 11.1
Fix Version/s: 10.4.33, 10.5.24, 10.6.17, 10.11.7, 11.0.5, 11.1.4, 11.2.3

Type: Bug
Priority: Critical
Reporter: Roel Van de Paar
Assignee: Yuchen Pei
Resolution: Fixed
Votes: 0
Labels: locking, regression

Issue Links:
Blocks
blocks MDEV-31357 ASAN heap-use-after-free in spider_li... Closed
Duplicate
is duplicated by MDEV-29854 SIGSEGV in spider_string::length on ... Closed
PartOf
includes MDEV-31357 ASAN heap-use-after-free in spider_li... Closed
Relates
relates to MDEV-27240 SIGSEGV in ha_spider::store_lock on L... Closed

 Description   

On a 10.11 debug build, this testcase results in the MDEV-29854 stack. On optimized builds, it looks to be a different issue.

INSTALL PLUGIN Spider SONAME 'ha_spider.so';
CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET'',DATABASE'',USER'',PASSWORD '');
CREATE TABLE t (a INT) ENGINE=Spider;
CREATE TABLE t2 (b INT) ENGINE=Spider COMMENT='WRAPPER "mysql",srv "srv",TABLE "t"';
LOCK TABLES t AS a READ,t2 AS b LOW_PRIORITY WRITE,t2 AS c WRITE;
DROP TABLE t2;
CREATE TABLE t2 (c INT) ENGINE=Spider COMMENT='WRAPPER "mysql",srv "srv",TABLE "t"';
LOCK TABLES t2 WRITE;

Leads to:

10.11.1 50c5743adc87e1cdec1431a02558f6540fe5a6d5 (Optimized)

Core was generated by `/test/MD221022-mariadb-10.11.1-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  spider_db_mbase::append_lock_tables (str=<optimized out>, 
    this=<optimized out>)
    at /test/10.11_opt/storage/spider/spd_db_mysql.cc:3678
3678	    switch (tmp_spider->wide_handler->lock_type)
[Current thread is 1 (Thread 0x154848051700 (LWP 1408423))]
(gdb) bt
#0  spider_db_mbase::append_lock_tables (str=<optimized out>, this=<optimized out>) at /test/10.11_opt/storage/spider/spd_db_mysql.cc:3678
#1  spider_db_mbase::append_lock_tables (this=0x1547a0088b70, str=0x1547a008c730) at /test/10.11_opt/storage/spider/spd_db_mysql.cc:3652
#2  0x00001548389aa92c in spider_mbase_handler::lock_tables (this=0x1547a008c6d0, link_idx=0) at /test/10.11_opt/storage/spider/spd_db_mysql.cc:14578
#3  0x00001548389a1ecb in ha_spider::lock_tables (this=this@entry=0x1547a008a760) at /test/10.11_opt/storage/spider/ha_spider.cc:12214
#4  0x00001548389a2200 in ha_spider::external_lock (this=0x1547a008a760, thd=<optimized out>, lock_type=1) at /test/10.11_opt/storage/spider/ha_spider.cc:921
#5  0x000055bd59af5d78 in handler::ha_external_lock (this=0x1547a008a760, thd=thd@entry=0x1547a0000c58, lock_type=lock_type@entry=1) at /test/10.11_opt/sql/handler.cc:7095
#6  0x000055bd59c0b8f9 in lock_external (count=<optimized out>, tables=0x1547a008a718, thd=0x1547a0000c58) at /test/10.11_opt/sql/lock.cc:396
#7  mysql_lock_tables (thd=thd@entry=0x1547a0000c58, sql_lock=sql_lock@entry=0x1547a008a6e8, flags=flags@entry=0) at /test/10.11_opt/sql/lock.cc:341
#8  0x000055bd59c0c3cf in mysql_lock_tables (thd=thd@entry=0x1547a0000c58, tables=0x1547a00111f8, count=count@entry=1, flags=flags@entry=0) at /test/10.11_opt/sql/lock.cc:304
#9  0x000055bd59836a42 in lock_tables (thd=thd@entry=0x1547a0000c58, tables=tables@entry=0x1547a0010920, count=<optimized out>, flags=flags@entry=0) at /test/10.11_opt/sql/sql_base.cc:5821
#10 0x000055bd598a0a54 in lock_tables_open_and_lock_tables (thd=thd@entry=0x1547a0000c58, tables=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:2958
#11 0x000055bd598ab643 in mysql_execute_command (thd=0x1547a0000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:5124
#12 0x000055bd59898335 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x1547a0000c58) at /test/10.11_opt/sql/sql_parse.cc:8023
#13 mysql_parse (thd=0x1547a0000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.11_opt/sql/sql_parse.cc:7945
#14 0x000055bd598a40ea in dispatch_command (command=COM_QUERY, thd=0x1547a0000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.11_opt/sql/sql_class.h:1346
#15 0x000055bd598a5ee2 in do_command (thd=0x1547a0000c58, blocking=blocking@entry=true) at /test/10.11_opt/sql/sql_parse.cc:1407
#16 0x000055bd599bffbf in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55bd5d2bdce8, put_in_cache=put_in_cache@entry=true) at /test/10.11_opt/sql/sql_connect.cc:1416
#17 0x000055bd599c029d in handle_one_connection (arg=0x55bd5d2bdce8) at /test/10.11_opt/sql/sql_connect.cc:1318
#18 0x000015485fefe609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#19 0x000015485faea133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: [10.11.1 (dbg) (MDEV-29854)], 10.11.1 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.3.37 (dbg), 10.3.37 (opt), 10.4.27 (dbg), 10.4.27 (opt), 10.5.18 (dbg), 10.5.18 (opt), 10.6.10 (dbg), 10.6.10 (opt), 10.7.6 (dbg), 10.7.6 (opt), 10.8.5 (dbg), 10.8.5 (opt), 10.9.3 (dbg), 10.9.3 (opt), 10.10.2 (dbg), 10.10.2 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)



 Comments   
Comment by Roel Van de Paar [ 2022-11-07 ]

This looks to be a very recent regression.
8f9df08f02294f4828d40ef0a298dc0e72b01f60 (13 Sep 22) is not affected.
49cee4e21a8e3cc0eccff3a6f9e493247344e24f (22 Sep 22) is not affected.

Comment by Roel Van de Paar [ 2022-11-07 ]

MTR testcase

INSTALL PLUGIN Spider SONAME 'ha_spider.so';
CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET'',DATABASE'',USER'',PASSWORD '');
CREATE TABLE t (a INT) ENGINE=Spider;
CREATE TABLE t2 (b INT) ENGINE=Spider COMMENT='WRAPPER "mysql",srv "srv",TABLE "t"';
--error 1429
LOCK TABLES t AS a READ,t2 AS b LOW_PRIORITY WRITE,t2 AS c WRITE;
DROP TABLE t2;
CREATE TABLE t2 (c INT) ENGINE=Spider COMMENT='WRAPPER "mysql",srv "srv",TABLE "t"';
LOCK TABLES t2 WRITE;

Comment by Nayuta Yanagisawa (Inactive) [ 2022-11-08 ]

The server crashes with the following stack (debug build):

2154a1fc3566e994601a05875fdb65bd6f6d7133

Thread 2 received signal SIGSEGV, Segmentation fault.
[Switching to Thread 786646.786663]
0x00007fdadeb80090 in Static_binary_string::length (this=0x11) at /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_string.h:223
223       inline uint32 length() const { return str_length;}
(rr) bt
#0  0x00007fdadeb80090 in Static_binary_string::length (this=0x11) at /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_string.h:223
#1  0x00007fdadebe87c3 in spider_string::length (this=0x1) at /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/spider/spd_malloc.cc:406
#2  0x00007fdadeb95dee in spider_link_get_key (link_for_hash=0x7fdad8178178, length=0x7fdaf00a4650, not_used=1 '\001')
    at /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/spider/spd_table.cc:447
#3  0x0000559ccd339de9 in my_hash_key (hash=0x7fdad8172ef8, record=0x7fdad8178178 "\330\337\026\330\332\177", length=0x7fdaf00a4650, first=1 '\001')
    at /home/nayuta_mariadb/repo/mariadb-server/10.11/mysys/hash.c:196
#4  0x0000559ccd33a2be in hashcmp (hash=0x7fdad8172ef8, pos=0x7fdad8173068, key=0x7fdad816ac08 "`auto_test_local`.`t`", length=21)
    at /home/nayuta_mariadb/repo/mariadb-server/10.11/mysys/hash.c:371
#5  0x0000559ccd33a0c5 in my_hash_first_from_hash_value (hash=0x7fdad8172ef8, hash_value=3322437136, key=0x7fdad816ac08 "`auto_test_local`.`t`", length=21, 
    current_record=0x7fdaf00a471c) at /home/nayuta_mariadb/repo/mariadb-server/10.11/mysys/hash.c:288
#6  0x0000559ccd339f36 in my_hash_search_using_hash_value (hash=0x7fdad8172ef8, hash_value=3322437136, key=0x7fdad816ac08 "`auto_test_local`.`t`", length=21)
    at /home/nayuta_mariadb/repo/mariadb-server/10.11/mysys/hash.c:244
#7  0x00007fdadec6f8ae in spider_mbase_handler::append_lock_tables_list (this=0x7fdad817a7f0, conn=0x7fdad81722d8, link_idx=0, appended=0x7fdaf00a4804)
    at /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/spider/spd_db_mysql.cc:13855
#8  0x00007fdadec2df61 in ha_spider::append_lock_tables_list (this=0x7fdad8175020) at /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/spider/ha_spider.cc:16187
#9  0x00007fdadebf982b in ha_spider::store_lock (this=0x7fdad8175020, thd=0x7fdad8001708, to=0x7fdad81770c8, lock_type=TL_WRITE)
    at /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/spider/ha_spider.cc:1115
#10 0x0000559cccb5bb0b in get_lock_data (thd=0x7fdad8001708, table_ptr=0x7fdad80152e8, count=1, flags=1)
    at /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/lock.cc:812
#11 0x0000559cccb5a238 in mysql_lock_tables (thd=0x7fdad8001708, tables=0x7fdad80152e8, count=1, flags=0)
    at /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/lock.cc:301
#12 0x0000559ccc5c11f1 in lock_tables (thd=0x7fdad8001708, tables=0x7fdad8014a18, count=1, flags=0)
    at /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_base.cc:5486
#13 0x0000559ccc66a28c in lock_tables_open_and_lock_tables (thd=0x7fdad8001708, tables=0x7fdad8014a18)
    at /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_parse.cc:3024
#14 0x0000559ccc67190c in mysql_execute_command (thd=0x7fdad8001708) at /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_parse.cc:5186
#15 0x0000559ccc67b4cf in mysql_parse (thd=0x7fdad8001708, rawbuf=0x7fdad8014950 "LOCK TABLES t2 WRITE", length=20, parser_state=0x7fdaf00a5280, is_com_multi=false, 
    is_next_command=false) at /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_parse.cc:8087
#16 0x0000559ccc666d0a in dispatch_command (command=COM_QUERY, thd=0x7fdad8001708, packet=0x7fdad800c069 "LOCK TABLES t2 WRITE", packet_length=20, is_com_multi=false, 
    is_next_command=false) at /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_parse.cc:1891
#17 0x0000559ccc6654ac in do_command (thd=0x7fdad8001708) at /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_parse.cc:1375
#18 0x0000559ccc82199e in do_handle_one_connection (connect=0x559ccff033a8, put_in_cache=true) at /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_connect.cc:1416
#19 0x0000559ccc82170e in handle_one_connection (arg=0x559ccff033a8) at /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_connect.cc:1318
#20 0x0000559cccd6b91c in pfs_spawn_thread (arg=0x559ccff03488) at /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/perfschema/pfs.cc:2201
#21 0x00007fdafa52db43 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#22 0x00007fdafa5bebb4 in clone () from /lib/x86_64-linux-gnu/libc.so.6

The result of git-bisect:

2154a1fc3566e994601a05875fdb65bd6f6d7133 is the first bad commit
commit 2154a1fc3566e994601a05875fdb65bd6f6d7133
Author: Nayuta Yanagisawa <nayuta.yanagisawa@hey.com>
Date:   Thu Sep 29 18:50:29 2022 +0900
 
    MDEV-29484 Assertion `!trx_free || !trx->locked_connections' failed in spider_free_trx_conn on LOCK TABLES
    
    In MDEV-28352, we've modified spider_free_trx_conn() so that it frees
    a connection only when the connection is locking no remote table.
    
    However, when a user connection to a Spider node is disconnected, the
    corresponding connections to remote data nodes from the Spider node
    must be freed immediately.
    
    Thus, the modification above leads an assertion error on the debug
    build and a hang on the non-debug build. We partly revert MDEV-28352
    to fix the problem.
 
 .../mysql-test/spider/bugfix/r/mdev_29484.result   | 39 ++++++++++++++++++
 .../mysql-test/spider/bugfix/t/mdev_29484.cnf      |  3 ++
 .../mysql-test/spider/bugfix/t/mdev_29484.test     | 47 ++++++++++++++++++++++
 storage/spider/spd_trx.cc                          | 14 ++++---
 4 files changed, 98 insertions(+), 5 deletions(-)
 create mode 100644 storage/spider/mysql-test/spider/bugfix/r/mdev_29484.result
 create mode 100644 storage/spider/mysql-test/spider/bugfix/t/mdev_29484.cnf
 create mode 100644 storage/spider/mysql-test/spider/bugfix/t/mdev_29484.test
bisect found first bad commit

Comment by Nayuta Yanagisawa (Inactive) [ 2022-11-08 ]

heap-use-after-free

093ec49b6b6948ee8d5a560cd2f862e38844c223 (10.11 HEAD)

==809768==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000953c8 at pc 0x7f87db08a42c bp 0x7f87db5b9f40 sp 0x7f87db5b9f30
READ of size 8 at 0x6070000953c8 thread T13
    #0 0x7f87db08a42b in spider_link_get_key(st_spider_link_for_hash*, unsigned long*, char) /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/spider/spd_table.cc:385
    #1 0x55f4591b1219 in my_hash_key /home/nayuta_mariadb/repo/mariadb-server/10.11/mysys/hash.c:196
    #2 0x55f4591b21f4 in hashcmp /home/nayuta_mariadb/repo/mariadb-server/10.11/mysys/hash.c:379
    #3 0x55f4591b1b0d in my_hash_first_from_hash_value /home/nayuta_mariadb/repo/mariadb-server/10.11/mysys/hash.c:290
    #4 0x55f4591b16e9 in my_hash_search_using_hash_value /home/nayuta_mariadb/repo/mariadb-server/10.11/mysys/hash.c:244
    #5 0x7f87db2b3b2c in spider_mbase_handler::append_lock_tables_list(st_spider_conn*, int, int*) /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/spider/spd_db_mysql.cc:13131
    #6 0x7f87db20f167 in ha_spider::append_lock_tables_list() /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/spider/ha_spider.cc:12082
    #7 0x7f87db17a2aa in ha_spider::store_lock(THD*, st_thr_lock_data**, thr_lock_type) /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/spider/ha_spider.cc:775
    #8 0x55f45815d4b0 in get_lock_data(THD*, TABLE**, unsigned int, unsigned int) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/lock.cc:826
    #9 0x55f458158bdc in mysql_lock_tables(THD*, TABLE**, unsigned int, unsigned int) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/lock.cc:301
    #10 0x55f4573088e9 in lock_tables(THD*, TABLE_LIST*, unsigned int, unsigned int) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_base.cc:5818
    #11 0x55f4574ac7ce in lock_tables_open_and_lock_tables /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_parse.cc:2961
    #12 0x55f4574bc60f in mysql_execute_command(THD*, bool) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_parse.cc:5126
    #13 0x55f4574d03db in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_parse.cc:7998
    #14 0x55f4574a6099 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_parse.cc:1894
    #15 0x55f4574a2d76 in do_command(THD*, bool) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_parse.cc:1407
    #16 0x55f4579697ad in do_handle_one_connection(CONNECT*, bool) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_connect.cc:1416
    #17 0x55f457969138 in handle_one_connection /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_connect.cc:1318
    #18 0x55f4585b786a in pfs_spawn_thread /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/perfschema/pfs.cc:2201
    #19 0x7f87e6604b42  (/lib/x86_64-linux-gnu/libc.so.6+0x94b42)
    #20 0x7f87e66969ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
 
0x6070000953c8 is located 56 bytes inside of 80-byte region [0x607000095390,0x6070000953e0)
freed by thread T13 here:
    #0 0x7f87e7285517 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x55f459219150 in my_free /home/nayuta_mariadb/repo/mariadb-server/10.11/mysys/my_malloc.c:211
    #2 0x7f87db14ad34 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/spider/spd_malloc.cc:183
    #3 0x7f87db281cf6 in spider_mbase_handler::~spider_mbase_handler() /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/spider/spd_db_mysql.cc:8605
    #4 0x7f87db282156 in spider_mysql_handler::~spider_mysql_handler() /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/spider/spd_db_mysql.cc:8616
    #5 0x7f87db2821e3 in spider_mysql_handler::~spider_mysql_handler() /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/spider/spd_db_mysql.cc:8616
    #6 0x7f87db176734 in ha_spider::close() /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/spider/ha_spider.cc:517
    #7 0x55f457dcc9f4 in handler::ha_close() /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/handler.cc:3400
    #8 0x55f457881f38 in closefrm(TABLE*) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/table.cc:4534
    #9 0x55f457beb706 in intern_close_table /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/table_cache.cc:225
    #10 0x55f457bf3d01 in TDC_element::flush_unused(bool) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/table_cache.cc:1298
    #11 0x55f457bf234c in tdc_remove_referenced_share(THD*, TABLE_SHARE*) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/table_cache.cc:1009
    #12 0x55f457bf2b46 in tdc_remove_table(THD*, char const*, char const*) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/table_cache.cc:1067
    #13 0x55f457774a4a in mysql_rm_table_no_locks(THD*, TABLE_LIST*, st_mysql_const_lex_string const*, st_ddl_log_state*, bool, bool, bool, bool, bool, bool) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_table.cc:1583
    #14 0x55f457772786 in mysql_rm_table(THD*, TABLE_LIST*, bool, bool, bool, bool) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_table.cc:1187
    #15 0x55f4574bb6ef in mysql_execute_command(THD*, bool) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_parse.cc:4949
    #16 0x55f4574d03db in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_parse.cc:7998
    #17 0x55f4574a6099 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_parse.cc:1894
    #18 0x55f4574a2d76 in do_command(THD*, bool) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_parse.cc:1407
    #19 0x55f4579697ad in do_handle_one_connection(CONNECT*, bool) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_connect.cc:1416
    #20 0x55f457969138 in handle_one_connection /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_connect.cc:1318
    #21 0x55f4585b786a in pfs_spawn_thread /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/perfschema/pfs.cc:2201
    #22 0x7f87e6604b42  (/lib/x86_64-linux-gnu/libc.so.6+0x94b42)
 
previously allocated by thread T13 here:
    #0 0x7f87e7285867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55f4592182c9 in my_malloc /home/nayuta_mariadb/repo/mariadb-server/10.11/mysys/my_malloc.c:90
    #2 0x7f87db14b49f in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/spider/spd_malloc.cc:231
    #3 0x7f87db282dfa in spider_mbase_handler::init() /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/spider/spd_db_mysql.cc:8662
    #4 0x7f87db0dd030 in spider_get_share(char const*, TABLE*, THD*, ha_spider*, int*) /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/spider/spd_table.cc:5345
    #5 0x7f87db172b89 in ha_spider::open(char const*, int, unsigned int) /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/spider/ha_spider.cc:313
    #6 0x55f457dcb704 in handler::ha_open(TABLE*, char const*, int, unsigned int, st_mem_root*, List<String>*) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/handler.cc:3331
    #7 0x55f457880d67 in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/table.cc:4430
    #8 0x55f4572f3b95 in open_table(THD*, TABLE_LIST*, Open_table_context*) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_base.cc:2178
    #9 0x55f4572ff124 in open_and_process_table /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_base.cc:4108
    #10 0x55f457301d91 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_base.cc:4595
    #11 0x55f45749a8f0 in open_tables /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_base.h:266
    #12 0x55f4574abfaa in lock_tables_open_and_lock_tables /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_parse.cc:2865
    #13 0x55f4574bc60f in mysql_execute_command(THD*, bool) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_parse.cc:5126
    #14 0x55f4574d03db in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_parse.cc:7998
    #15 0x55f4574a6099 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_parse.cc:1894
    #16 0x55f4574a2d76 in do_command(THD*, bool) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_parse.cc:1407
    #17 0x55f4579697ad in do_handle_one_connection(CONNECT*, bool) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_connect.cc:1416
    #18 0x55f457969138 in handle_one_connection /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_connect.cc:1318
    #19 0x55f4585b786a in pfs_spawn_thread /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/perfschema/pfs.cc:2201
    #20 0x7f87e6604b42  (/lib/x86_64-linux-gnu/libc.so.6+0x94b42)
 
Thread T13 created by T0 here:
    #0 0x7f87e7229685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
    #1 0x55f4585b32f2 in my_thread_create /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/perfschema/my_thread.h:52
    #2 0x55f4585b7c5d in pfs_spawn_thread_v1 /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/perfschema/pfs.cc:2252
    #3 0x55f4570d1f28 in inline_mysql_thread_create /home/nayuta_mariadb/repo/mariadb-server/10.11/include/mysql/psi/mysql_thread.h:1139
    #4 0x55f4570ea92a in create_thread_to_handle_connection(CONNECT*) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/mysqld.cc:6103
    #5 0x55f4570eafc0 in create_new_thread(CONNECT*) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/mysqld.cc:6162
    #6 0x55f4570eb333 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/mysqld.cc:6224
    #7 0x55f4570ebd1d in handle_connections_sockets() /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/mysqld.cc:6348
    #8 0x55f4570ea0fe in mysqld_main(int, char**) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/mysqld.cc:5998
    #9 0x55f4570d124c in main /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/main.cc:34
    #10 0x7f87e6599d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
 
SUMMARY: AddressSanitizer: heap-use-after-free /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/spider/spd_table.cc:385 in spider_link_get_key(st_spider_link_for_hash*, unsigned long*, char)
==809768==ABORTING
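
The lifetime pattern recorded in the ASAN report above (a record allocated in spider_mbase_handler::init(), freed by the handler destructor during DROP TABLE, then read by spider_link_get_key() during the hash search of the next LOCK TABLES), reduced to a stand-alone C model. This is an added example, not Spider source and not the fix that was committed; `struct conn`, `struct link_rec`, `handler_close_unsafe`/`handler_close_safe` and the key string are hypothetical, and the model assumes the entry is still published in the connection's table when the handler closes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LINKS 8

/* Per-handler record: allocated at open, freed at close. */
struct link_rec { char key[32]; };

/* Per-connection table that outlives any single handler. */
struct conn {
    int used[MAX_LINKS];
    unsigned owner[MAX_LINKS];        /* id of the handler owning link[i] */
    struct link_rec *link[MAX_LINKS]; /* borrowed pointer, not owned here */
};

struct handler {
    unsigned id;
    struct conn *conn;
    struct link_rec *link;
};

static int handler_open(struct handler *h, unsigned id, struct conn *c,
                        const char *key)
{
    h->id = id;
    h->conn = c;
    h->link = calloc(1, sizeof(*h->link));
    if (!h->link) return -1;
    strncpy(h->link->key, key, sizeof(h->link->key) - 1);
    return 0;
}

/* While building the lock list: publish the handler's record in the conn. */
static int conn_register(struct handler *h)
{
    for (int i = 0; i < MAX_LINKS; i++) {
        if (!h->conn->used[i]) {
            h->conn->used[i] = 1;
            h->conn->owner[i] = h->id;
            h->conn->link[i] = h->link;
            return 0;
        }
    }
    return -1;
}

/* Entries still published for handler `id`. Reads ids and flags only,
   never the stored pointers, so it is safe to call after a free. */
static int conn_entries_for(const struct conn *c, unsigned id)
{
    int n = 0;
    for (int i = 0; i < MAX_LINKS; i++)
        if (c->used[i] && c->owner[i] == id) n++;
    return n;
}

/* Key comparison over every entry: dereferences link[i], which is the
   read that becomes a use-after-free if an entry is dangling. */
static int conn_lookup(const struct conn *c, const char *key)
{
    for (int i = 0; i < MAX_LINKS; i++)
        if (c->used[i] && strcmp(c->link[i]->key, key) == 0) return i;
    return -1;
}

/* Before: frees the record but leaves the connection's entry in place. */
static void handler_close_unsafe(struct handler *h)
{
    free(h->link);
    h->link = NULL;
}

/* After: unpublish every entry owned by this handler, then free. */
static void handler_close_safe(struct handler *h)
{
    for (int i = 0; i < MAX_LINKS; i++)
        if (h->conn->used[i] && h->conn->owner[i] == h->id)
            h->conn->used[i] = 0;
    free(h->link);
    h->link = NULL;
}

/* Dangling entries left behind by a close (constructed key string). */
static int dangling_after_close(int safe)
{
    struct conn c = {0};
    struct handler h;
    if (handler_open(&h, 1, &c, "`db`.`t2`") || conn_register(&h)) return -1;
    if (safe) handler_close_safe(&h); else handler_close_unsafe(&h);
    return conn_entries_for(&c, 1);
}

/* Safe sequence: close, re-create under the same name, register, look up.
   Returns the owner id of the entry the lookup finds. */
static int lookup_after_safe_reopen(void)
{
    struct conn c = {0};
    struct handler old, fresh;
    if (handler_open(&old, 1, &c, "`db`.`t2`") || conn_register(&old)) return -2;
    handler_close_safe(&old);
    if (handler_open(&fresh, 2, &c, "`db`.`t2`") || conn_register(&fresh)) return -2;
    int slot = conn_lookup(&c, "`db`.`t2`");
    int owner = slot >= 0 ? (int)c.owner[slot] : -1;
    handler_close_safe(&fresh);
    return owner;
}

int main(void)
{
    printf("dangling entries, unsafe close: %d\n", dangling_after_close(0));
    printf("dangling entries, safe close:   %d\n", dangling_after_close(1));
    printf("owner found after safe reopen:  %d\n", lookup_after_safe_reopen());
    return 0;
}
```

The model never calls `conn_lookup()` after `handler_close_unsafe()`; that call is the read of freed memory, and the non-zero count from `conn_entries_for()` is the condition that makes it reachable.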

Comment by Nayuta Yanagisawa (Inactive) [ 2022-11-08 ]

The heap-use-after-free also occurs on 10.3-10.10.

The following two commits are only applied to 10.5+.

https://github.com/MariaDB/server/commit/a26700cca579926cddf9a48c45f13b32785746bb
https://github.com/MariaDB/server/commit/2154a1fc3566e994601a05875fdb65bd6f6d7133

Further, the heap-use-after-free occurs even on mariadb-10.3.30. Thus, it is highly likely that the present issue has been latent for a long time. I conclude that the issue is not a recent regression.

10.3.30

==933148==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600010bdc8 at pc 0x7f3350437e6a bp 0x7f335083e2e0 sp 0x7f335083e2d0
READ of size 8 at 0x60600010bdc8 thread T29
    #0 0x7f3350437e69 in spider_link_get_key(st_spider_link_for_hash*, unsigned long*, char) /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/spider/spd_table.cc:448
    #1 0x55e8898440e3 in my_hash_key /home/nayuta_mariadb/repo/mariadb-server/10.11/mysys/hash.c:196
    #2 0x55e88984500a in hashcmp /home/nayuta_mariadb/repo/mariadb-server/10.11/mysys/hash.c:371
    #3 0x55e889844993 in my_hash_first_from_hash_value /home/nayuta_mariadb/repo/mariadb-server/10.11/mysys/hash.c:288
    #4 0x55e8898445b3 in my_hash_search_using_hash_value /home/nayuta_mariadb/repo/mariadb-server/10.11/mysys/hash.c:244
    #5 0x7f335063dea4 in spider_mbase_handler::append_lock_tables_list(st_spider_conn*, int, int*) /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/spider/spd_db_mysql.cc:11881
    #6 0x7f3350512efd in ha_spider::store_lock(THD*, st_thr_lock_data**, thr_lock_type) /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/spider/ha_spider.cc:1167
    #7 0x55e8887e43e0 in get_lock_data(THD*, TABLE**, unsigned int, unsigned int) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/lock.cc:789
    #8 0x55e8887dfee6 in mysql_lock_tables(THD*, TABLE**, unsigned int, unsigned int) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/lock.cc:296
    #9 0x55e887be40f3 in lock_tables(THD*, TABLE_LIST*, unsigned int, unsigned int) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_base.cc:5391
    #10 0x55e887d46f71 in lock_tables_open_and_lock_tables /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_parse.cc:2954
    #11 0x55e887d5589c in mysql_execute_command(THD*) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_parse.cc:4999
    #12 0x55e887d69ec9 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_parse.cc:7870
    #13 0x55e887d4063f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_parse.cc:1852
    #14 0x55e887d3d148 in do_command(THD*) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_parse.cc:1398
    #15 0x55e888112857 in do_handle_one_connection(CONNECT*) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_connect.cc:1403
    #16 0x55e888112145 in handle_one_connection /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_connect.cc:1308
    #17 0x7f3363151b42  (/lib/x86_64-linux-gnu/libc.so.6+0x94b42)
    #18 0x7f33631e39ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
 
0x60600010bdc8 is located 40 bytes inside of 64-byte region [0x60600010bda0,0x60600010bde0)
freed by thread T29 here:
    #0 0x7f3363db0517 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x55e8898aceba in my_free /home/nayuta_mariadb/repo/mariadb-server/10.11/mysys/my_malloc.c:223
    #2 0x7f33504e5558 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/spider/spd_malloc.cc:187
    #3 0x7f335060c09a in spider_mbase_handler::~spider_mbase_handler() /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/spider/spd_db_mysql.cc:7082
    #4 0x7f335060c4b2 in spider_mysql_handler::~spider_mysql_handler() /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/spider/spd_db_mysql.cc:7093
    #5 0x7f335060c53f in spider_mysql_handler::~spider_mysql_handler() /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/spider/spd_db_mysql.cc:7093
    #6 0x7f335050f176 in ha_spider::close() /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/spider/ha_spider.cc:726
    #7 0x55e8884e3e70 in handler::ha_close() /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/handler.cc:2835
    #8 0x55e888046ea6 in closefrm(TABLE*) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/table.cc:3674
    #9 0x55e8882fcde0 in intern_close_table /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/table_cache.cc:222
    #10 0x55e8883047d9 in tdc_remove_table(THD*, enum_tdc_remove_table_type, char const*, char const*, bool) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/table_cache.cc:1151
    #11 0x55e887f7c8be in mysql_rm_table_no_locks(THD*, TABLE_LIST*, bool, bool, bool, bool, bool, bool) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_table.cc:2517
    #12 0x55e887f7a6f8 in mysql_rm_table(THD*, TABLE_LIST*, bool, bool, bool) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_table.cc:2132
    #13 0x55e887d54c0d in mysql_execute_command(THD*) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_parse.cc:4847
    #14 0x55e887d69ec9 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_parse.cc:7870
    #15 0x55e887d4063f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_parse.cc:1852
    #16 0x55e887d3d148 in do_command(THD*) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_parse.cc:1398
    #17 0x55e888112857 in do_handle_one_connection(CONNECT*) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_connect.cc:1403
    #18 0x55e888112145 in handle_one_connection /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_connect.cc:1308
    #19 0x7f3363151b42  (/lib/x86_64-linux-gnu/libc.so.6+0x94b42)
 
previously allocated by thread T29 here:
    #0 0x7f3363db0867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55e8898ac2bb in my_malloc /home/nayuta_mariadb/repo/mariadb-server/10.11/mysys/my_malloc.c:101
    #2 0x7f33504e5cbc in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/spider/spd_malloc.cc:235
    #3 0x7f335060d04d in spider_mbase_handler::init() /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/spider/spd_db_mysql.cc:7137
    #4 0x7f3350480d35 in spider_get_share(char const*, TABLE*, THD*, ha_spider*, int*) /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/spider/spd_table.cc:5507
    #5 0x7f335050a3c1 in ha_spider::open(char const*, int, unsigned int) /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/spider/ha_spider.cc:359
    #6 0x55e8884e2de9 in handler::ha_open(TABLE*, char const*, int, unsigned int, st_mem_root*, List<String>*) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/handler.cc:2769
    #7 0x55e888045e30 in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/table.cc:3574
    #8 0x55e887bd17a4 in open_table(THD*, TABLE_LIST*, Open_table_context*) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_base.cc:1992
    #9 0x55e887bdaa5d in open_and_process_table /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_base.cc:3715
    #10 0x55e887bdd0a8 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_base.cc:4190
    #11 0x55e887d36b37 in open_tables /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_base.h:250
    #12 0x55e887d4674f in lock_tables_open_and_lock_tables /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_parse.cc:2858
    #13 0x55e887d5589c in mysql_execute_command(THD*) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_parse.cc:4999
    #14 0x55e887d69ec9 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_parse.cc:7870
    #15 0x55e887d4063f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_parse.cc:1852
    #16 0x55e887d3d148 in do_command(THD*) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_parse.cc:1398
    #17 0x55e888112857 in do_handle_one_connection(CONNECT*) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_connect.cc:1403
    #18 0x55e888112145 in handle_one_connection /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/sql_connect.cc:1308
    #19 0x7f3363151b42  (/lib/x86_64-linux-gnu/libc.so.6+0x94b42)
 
Thread T29 created by T0 here:
    #0 0x7f3363d54685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
    #1 0x55e88990d4d7 in spawn_thread_noop /home/nayuta_mariadb/repo/mariadb-server/10.11/mysys/psi_noop.c:187
    #2 0x55e887a6147e in inline_mysql_thread_create /home/nayuta_mariadb/repo/mariadb-server/10.11/include/mysql/psi/mysql_thread.h:1275
    #3 0x55e887a7a7ba in create_thread_to_handle_connection(CONNECT*) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/mysqld.cc:6664
    #4 0x55e887a7af6f in create_new_thread /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/mysqld.cc:6734
    #5 0x55e887a7c119 in handle_connections_sockets() /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/mysqld.cc:6992
    #6 0x55e887a79a57 in mysqld_main(int, char**) /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/mysqld.cc:6286
    #7 0x55e887a5fc7c in main /home/nayuta_mariadb/repo/mariadb-server/10.11/sql/main.cc:25
    #8 0x7f33630e6d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
 
SUMMARY: AddressSanitizer: heap-use-after-free /home/nayuta_mariadb/repo/mariadb-server/10.11/storage/spider/spd_table.cc:448 in spider_link_get_key(st_spider_link_for_hash*, unsigned long*, char)
==933148==ABORTING

Comment by Yuchen Pei [ 2023-05-15 ]

Could get a crash with the test case at https://jira.mariadb.org/browse/MDEV-29963?focusedCommentId=240930&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-240930 with 11.1 4e5b771e980edfdad5c5414aa62c81d409d585a4

Comment by Yuchen Pei [ 2023-10-12 ]

Here's an initial patch that fixes the issue

d54c281aa93 * upstream/bb-11.0-mdev-30014 MDEV-29963 Spider should clear its lock lists when locking fails

Comment by Yuchen Pei [ 2023-10-13 ]

Hi holyfoot, ptal thanks (based on 11.0)

upstream/bb-11.0-ycp-mdev-29963 bb-11.0-ycp fb3b7ccd253dbee5219bf8e7c6a2f75bf0e47996
MDEV-29963 MDEV-31357 Spider should clear its lock lists when locking fails
 
Spider populates its lock lists (a hash) in store_lock(), and normally
clears them in the actual lock_tables(). However, if lock_tables()
fails, there's no reset_lock() method for storage engine handlers,
which can cause bad things to happen. For example, if one of the tables
involved is dropped and recreated, or simply TRUNCATEd, when executing
LOCK TABLES again, the lock lists would be queried again in
store_lock(), which could cause access to freed space associated with
the dropped table.

For a 10.4 version, see 8b5548f0862474091fb13660c197e03d57ab296e
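
The lifecycle described in the commit message above, as an added C++ model that is not Spider's code and not part of the patch. All names (`Engine`, `Conn`, `replay`) are hypothetical, the placement of the reset inside `lock_tables()` is an assumption of the model, and stale entries are tracked by handler id instead of raw pointer so the model never touches freed memory.

```cpp
// Simplified model of the lock-list lifecycle; hypothetical names, not Spider's code.
#include <cstddef>
#include <cstdio>
#include <set>
#include <vector>

struct Conn {
    std::vector<int> lock_list;  // handler ids queued by store_lock()
};

struct Engine {
    std::set<int> live;          // handlers whose memory is still allocated
    int next_id = 1;
    bool clear_on_failure;       // false: before the fix, true: after
    explicit Engine(bool fix) : clear_on_failure(fix) {}
    int open_table() { live.insert(next_id); return next_id++; }
    void drop_table(int id) { live.erase(id); }  // handler memory is released

    // Phase 1: every table named in LOCK TABLES is queued on the connection.
    void store_lock(Conn &c, int id) { c.lock_list.push_back(id); }

    // Phase 2: the list is consumed when the lock request succeeds.
    bool lock_tables(Conn &c, bool remote_ok) {
        if (remote_ok) { c.lock_list.clear(); return true; }
        if (clear_on_failure) c.lock_list.clear();  // reset on the error path
        return false;
    }

    // Queued entries whose handler is gone; with raw pointers these dangle.
    std::size_t stale_entries(const Conn &c) const {
        std::size_t n = 0;
        for (int id : c.lock_list) if (!live.count(id)) ++n;
        return n;
    }
};

// Failed LOCK TABLES, then DROP + CREATE, then LOCK TABLES again.
std::size_t replay(bool with_fix) {
    Engine e(with_fix);
    Conn c;
    int t2 = e.open_table();
    e.store_lock(c, t2);
    e.lock_tables(c, /*remote_ok=*/false);
    e.drop_table(t2);
    e.store_lock(c, e.open_table());
    return e.stale_entries(c);
}

int main() {
    std::printf("before fix: %zu stale, after fix: %zu stale\n", replay(false), replay(true));
}
```

Without the reset, the second `store_lock()` call runs against a list that still holds the dropped handler, which is the state in which the ASAN report's `spider_link_get_key` read freed memory.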

Comment by Alexey Botchkov [ 2023-10-30 ]

ok to push.

Comment by Yuchen Pei [ 2023-11-17 ]

pushing the following to 10.4 - no conflicts when merging to higher version.

52a5b16b573 upstream/bb-10.4-mdev-29963 MDEV-29963 MDEV-31357 Spider should clear its lock lists when locking fails

Generated at Thu Feb 08 10:12:36 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.