[MDEV-31898] ASAN: unknown-crash in ha_mroonga::storage_write_row_multiple_column_index upon ALTER TABLE Created: 2023-08-10  Updated: 2023-11-28

Status: Open
Project: MariaDB Server
Component/s: Data Definition - Alter Table, Storage Engine - Mroonga
Affects Version/s: 10.4, 10.5, 10.6, 10.9, 10.10, 10.11, 11.0, 11.1
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0, 11.1

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None


 Description   

install soname 'ha_mroonga';
 
# Composite key (a,b) is what the inplace ALTER below re-indexes via
# ha_mroonga::storage_add_index_multiple_columns (see frame #4 of the ASAN report).
CREATE TABLE t (a INT, b INT, KEY(a,b)) ENGINE=Mroonga;
INSERT INTO t VALUES (1,1),(2,2);
# Widening b from INT to CHAR(128) is the trigger: the ASAN report shows a
# 128-byte READ from Field_string::get_key_image -> key_copy inside
# storage_write_row_multiple_column_index, 65 bytes into a 992-byte region that
# was allocated by open_table_from_share during the INSERT. NOTE(review): this
# looks like the new field layout being read from a record buffer sized for the
# old definition -- confirm against the mroonga inplace-alter code.
ALTER TABLE t MODIFY b CHAR(128);
 
# Cleanup
DROP TABLE t;
uninstall soname 'ha_mroonga';

10.4 b54e4bf0

==1183348==ERROR: AddressSanitizer: unknown-crash on address 0x6190000884c1 at pc 0x7f921a24814b bp 0x7f9211e191c0 sp 0x7f9211e18970
READ of size 128 at 0x6190000884c1 thread T5
    #0 0x7f921a24814a in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
    #1 0x55ee44555d43 in Field_string::get_key_image(unsigned char*, unsigned int, Field::imagetype) /data/src/10.4/sql/field.cc:7666
    #2 0x55ee44882455 in key_copy(unsigned char*, unsigned char const*, st_key*, unsigned int, bool) /data/src/10.4/sql/key.cc:160
    #3 0x7f9210943468 in ha_mroonga::storage_write_row_multiple_column_index(unsigned char const*, unsigned int, st_key*, _grn_obj*) /data/src/10.4/storage/mroonga/ha_mroonga.cpp:6242
    #4 0x7f92109b9d92 in ha_mroonga::storage_add_index_multiple_columns(st_key*, unsigned int, _grn_obj**, _grn_obj**, bool) /data/src/10.4/storage/mroonga/ha_mroonga.cpp:14476
    #5 0x7f92109c2784 in ha_mroonga::storage_inplace_alter_table_add_index(TABLE*, Alter_inplace_info*) /data/src/10.4/storage/mroonga/ha_mroonga.cpp:15016
    #6 0x7f92109c6ca6 in ha_mroonga::storage_inplace_alter_table(TABLE*, Alter_inplace_info*) /data/src/10.4/storage/mroonga/ha_mroonga.cpp:15444
    #7 0x7f92109c6ff9 in ha_mroonga::inplace_alter_table(TABLE*, Alter_inplace_info*) /data/src/10.4/storage/mroonga/ha_mroonga.cpp:15460
    #8 0x55ee4409ee9d in handler::ha_inplace_alter_table(TABLE*, Alter_inplace_info*) /data/src/10.4/sql/handler.h:4355
    #9 0x55ee4408047b in mysql_inplace_alter_table /data/src/10.4/sql/sql_table.cc:7918
    #10 0x55ee44092c34 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Recreate_info*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.4/sql/sql_table.cc:10446
    #11 0x55ee442196bb in Sql_cmd_alter_table::execute(THD*) /data/src/10.4/sql/sql_alter.cc:531
    #12 0x55ee43e22e34 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6216
    #13 0x55ee43e2e6ae in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8010
    #14 0x55ee43e04979 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
    #15 0x55ee43e014e8 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378
    #16 0x55ee44200a47 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1420
    #17 0x55ee4420035e in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324
    #18 0x55ee44e6fdd3 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
    #19 0x7f9219bc8fd3 in start_thread nptl/pthread_create.c:442
    #20 0x7f9219c495bb in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
 
0x6190000884c1 is located 65 bytes inside of 992-byte region [0x619000088480,0x619000088860)
allocated by thread T5 here:
    #0 0x7f921a2b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x55ee459b92ca in my_malloc /data/src/10.4/mysys/my_malloc.c:101
    #2 0x55ee45995cf0 in alloc_root /data/src/10.4/mysys/my_alloc.c:251
    #3 0x55ee45997428 in strmake_root /data/src/10.4/mysys/my_alloc.c:481
    #4 0x55ee4412db60 in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /data/src/10.4/sql/table.cc:3800
    #5 0x55ee43c7ffff in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.4/sql/sql_base.cc:2114
    #6 0x55ee43c89620 in open_and_process_table /data/src/10.4/sql/sql_base.cc:3914
    #7 0x55ee43c8c0dc in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.4/sql/sql_base.cc:4395
    #8 0x55ee43c911f8 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.4/sql/sql_base.cc:5342
    #9 0x55ee43beb04b in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.4/sql/sql_base.h:503
    #10 0x55ee43d590d3 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.4/sql/sql_insert.cc:764
    #11 0x55ee43e166d8 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4613
    #12 0x55ee43e2e6ae in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8010
    #13 0x55ee43e04979 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
    #14 0x55ee43e014e8 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378
    #15 0x55ee44200a47 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1420
    #16 0x55ee4420035e in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324
    #17 0x55ee44e6fdd3 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
    #18 0x7f9219bc8fd3 in start_thread nptl/pthread_create.c:442
 
Thread T5 created by T0 here:
    #0 0x7f921a249726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
    #1 0x55ee44e701c0 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919
    #2 0x55ee43b0cf89 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275
    #3 0x55ee43b24690 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6287
    #4 0x55ee43b24ddb in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6357
    #5 0x55ee43b252a9 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6455
    #6 0x55ee43b26155 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6613
    #7 0x55ee43b23df3 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5945
    #8 0x55ee43b0b0b8 in main /data/src/10.4/sql/main.cc:25
    #9 0x7f9219b67189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
 
SUMMARY: AddressSanitizer: unknown-crash ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
Shadow bytes around the buggy address:
  0x0c3280009040: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c3280009050: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c3280009060: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 fa fa fa fa
  0x0c3280009070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280009080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c3280009090: 00 00 00 00 f7 02 f7 00[01]00 01 f7 00 00 00 f7
  0x0c32800090a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c32800090b0: 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 00
  0x0c32800090c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c32800090d0: 00 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00
  0x0c32800090e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

A variation of the test case (the ALTER TABLE statement it runs is visible in frame #22 of the backtrace below) causes an assertion failure on 10.5+:

10.5 8852afe3

mariadbd: /data/src/10.5/sql/field.h:1169: const uchar* Field::ptr_in_record(const uchar*) const: Assertion `l_offset >= 0 && table->s->rec_buff_length - l_offset > 0' failed.
230814 17:44:37 [ERROR] mysqld got signal 6 ;
 
#9  0x00007ff3d9c53df2 in __GI___assert_fail (assertion=0x55f8e6646c60 "l_offset >= 0 && table->s->rec_buff_length - l_offset > 0", file=0x55f8e6646960 "/data/src/10.5/sql/field.h", line=1169, function=0x55f8e6646cc0 "const uchar* Field::ptr_in_record(const uchar*) const") at ./assert/assert.c:101
#10 0x000055f8e48be931 in Field::ptr_in_record (this=0x6190000a65a8, record=0x61f0000348b8 "\360!\330\016\001") at /data/src/10.5/sql/field.h:1169
#11 0x000055f8e501e06e in key_copy (to_key=0x62100012fd01 "\a", from_record=0x61f0000348b8 "\360!\330\016\001", key_info=0x61d000265398, key_length=162, with_zerofill=false) at /data/src/10.5/sql/key.cc:144
#12 0x00007ff3d0bd861d in ha_mroonga::storage_write_row_multiple_column_index (this=0x62200002b938, buf=0x61f0000348b8 "\360!\330\016\001", record_id=1, key_info=0x61d000265398, index_column=0x60e00002bfc0) at /data/src/10.5/storage/mroonga/ha_mroonga.cpp:6218
#13 0x00007ff3d0c4e9da in ha_mroonga::storage_add_index_multiple_columns (this=0x62200002b938, key_info=0x61d000265398, num_of_keys=1, index_tables=0x60300004c5e8, index_columns=0x60300004c618, skip_unique_key=false) at /data/src/10.5/storage/mroonga/ha_mroonga.cpp:14442
#14 0x00007ff3d0c573b0 in ha_mroonga::storage_inplace_alter_table_add_index (this=0x62200002b938, altered_table=0x7ff3d2205c00, ha_alter_info=0x7ff3d2204f60) at /data/src/10.5/storage/mroonga/ha_mroonga.cpp:14978
#15 0x00007ff3d0c5b891 in ha_mroonga::storage_inplace_alter_table (this=0x62200002b938, altered_table=0x7ff3d2205c00, ha_alter_info=0x7ff3d2204f60) at /data/src/10.5/storage/mroonga/ha_mroonga.cpp:15404
#16 0x00007ff3d0c5bbe4 in ha_mroonga::inplace_alter_table (this=0x62200002b938, altered_table=0x7ff3d2205c00, ha_alter_info=0x7ff3d2204f60) at /data/src/10.5/storage/mroonga/ha_mroonga.cpp:15420
#17 0x000055f8e47f49f4 in handler::ha_inplace_alter_table (this=0x62200002b938, altered_table=0x7ff3d2205c00, ha_alter_info=0x7ff3d2204f60) at /data/src/10.5/sql/handler.h:4523
#18 0x000055f8e47d1faa in mysql_inplace_alter_table (thd=0x62b000069218, table_list=0x62b000038398, table=0x6190000a0598, altered_table=0x7ff3d2205c00, ha_alter_info=0x7ff3d2204f60, target_mdl_request=0x7ff3d2205180, alter_ctx=0x7ff3d2206680) at /data/src/10.5/sql/sql_table.cc:8146
#19 0x000055f8e47e7619 in mysql_alter_table (thd=0x62b000069218, new_db=0x62b00006dca8, new_name=0x62b00006e0f8, create_info=0x7ff3d2207450, table_list=0x62b000038398, recreate_info=0x7ff3d2207280, alter_info=0x7ff3d2207320, order_num=0, order=0x0, ignore=false, if_exists=false) at /data/src/10.5/sql/sql_table.cc:10892
#20 0x000055f8e498a564 in Sql_cmd_alter_table::execute (this=0x62b000038bf8, thd=0x62b000069218) at /data/src/10.5/sql/sql_alter.cc:598
#21 0x000055f8e453ef4a in mysql_execute_command (thd=0x62b000069218) at /data/src/10.5/sql/sql_parse.cc:6083
#22 0x000055f8e454c485 in mysql_parse (thd=0x62b000069218, rawbuf=0x62b000038238 "ALTER TABLE t7 MODIFY COLUMN IF EXISTS col_varchar VARBINARY(40964)", length=67, parser_state=0x7ff3d2208c10, is_com_multi=false, is_next_command=false) at /data/src/10.5/sql/sql_parse.cc:8118
#23 0x000055f8e4521e26 in dispatch_command (command=COM_QUERY, thd=0x62b000069218, packet=0x629000253219 "ALTER TABLE t7 MODIFY COLUMN IF EXISTS col_varchar VARBINARY(40964)", packet_length=67, is_com_multi=false, is_next_command=false) at /data/src/10.5/sql/sql_parse.cc:1891
#24 0x000055f8e451e7b9 in do_command (thd=0x62b000069218) at /data/src/10.5/sql/sql_parse.cc:1375
#25 0x000055f8e496d81f in do_handle_one_connection (connect=0x608000002b38, put_in_cache=true) at /data/src/10.5/sql/sql_connect.cc:1416
#26 0x000055f8e496d1e7 in handle_one_connection (arg=0x608000002ab8) at /data/src/10.5/sql/sql_connect.cc:1318
#27 0x000055f8e55b9db6 in pfs_spawn_thread (arg=0x615000005318) at /data/src/10.5/storage/perfschema/pfs.cc:2201
#28 0x00007ff3d9ca7fd4 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#29 0x00007ff3d9d285bc in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

