[MDEV-32199] ASAN errors in dd_frm_type upon concurrent CREATE TABLE and TRIGGER Created: 2023-09-18  Updated: 2023-09-18

Status: Confirmed
Project: MariaDB Server
Component/s: Data Definition - Create Table, Triggers
Affects Version/s: 10.4, 10.5
Fix Version/s: 10.4, 10.5

Type: Bug Priority: Minor
Reporter: Elena Stepanova Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: not-10.6+


 Description   

Set to Minor because it only affects 10.4 and 10.5, and the race condition scenario is unlikely.

The test case is for reproducible purposes only, don't put it into the regression suite!

The test case is non-deterministic, but the loop is already inside the test, so there is no need to run with --repeat. The amount of loops can be increased instead. It usually fails for me on 10.4-10.5 within several loops.

--connect (con1,localhost,root,,)
 
 
 
--let $run= 1000
 
while ($run)
 
{
 
  --send
 
    CREATE TABLE t (col varbinary(60000));
 
 
 
  --connection default
 
  --error 0,ER_NO_SUCH_TABLE
 
  CREATE TRIGGER tr AFTER INSERT ON t FOR EACH ROW INSERT INTO tx VALUES (1);
 
 
 
  --connection con1
 
  --reap
 
  DROP TABLE t;
 
  --dec $run
 
}

10.4 18990f00

 
==2232297==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b0000a8cd1 at pc 0x56533b7133a6 bp 0x7f22466c8420 sp 0x7f22466c8418
 
READ of size 2 at 0x62b0000a8cd1 thread T5
 
    #0 0x56533b7133a5 in dd_frm_type(THD*, char*, st_mysql_const_lex_string*, bool*) /data/src/10.4/sql/datadict.cc:151
 
    #1 0x56533b537062 in mysql_create_or_drop_trigger(THD*, TABLE_LIST*, bool) /data/src/10.4/sql/sql_trigger.cc:543
 
    #2 0x56533b2ac91c in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6048
 
    #3 0x56533b2b90b8 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8012
 
    #4 0x56533b28f347 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
 
    #5 0x56533b28beb6 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378
 
    #6 0x56533b68b74f in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1420
 
    #7 0x56533b68b066 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324
 
    #8 0x56533c2fc1cf in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
 
    #9 0x7f224e4a7fd3 in start_thread nptl/pthread_create.c:442
 
    #10 0x7f224e5285bb in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
 
 
 
Address 0x62b0000a8cd1 is a wild pointer inside of access range of size 0x000000000002.
 
SUMMARY: AddressSanitizer: heap-buffer-overflow /data/src/10.4/sql/datadict.cc:151 in dd_frm_type(THD*, char*, st_mysql_const_lex_string*, bool*)
 
Shadow bytes around the buggy address:
 
  0x0c568000d140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 
  0x0c568000d150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 
  0x0c568000d160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 
  0x0c568000d170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 
  0x0c568000d180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 
=>0x0c568000d190: fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa
 
  0x0c568000d1a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 
  0x0c568000d1b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 
  0x0c568000d1c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 
  0x0c568000d1d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 
  0x0c568000d1e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 
Shadow byte legend (one shadow byte represents 8 application bytes):
 
  Addressable:           00
 
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
 
  Freed heap region:       fd
 
  Stack left redzone:      f1
 
  Stack mid redzone:       f2
 
  Stack right redzone:     f3
 
  Stack after return:      f5
 
  Stack use after scope:   f8
 
  Global redzone:          f9
 
  Global init order:       f6
 
  Poisoned by user:        f7
 
  Container overflow:      fc
 
  Array cookie:            ac
 
  Intra object redzone:    bb
 
  ASan internal:           fe
 
  Left alloca redzone:     ca
 
  Right alloca redzone:    cb
 
Thread T5 created by T0 here:
 
    #0 0x7f224ea49726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
 
    #1 0x56533c2fc5bc in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919
 
    #2 0x56533af96f89 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275
 
    #3 0x56533afae6b6 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6289
 
    #4 0x56533afaee01 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6359
 
    #5 0x56533afaf2cf in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6457
 
    #6 0x56533afb017b in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6615
 
    #7 0x56533afade19 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5947
 
    #8 0x56533af950b8 in main /data/src/10.4/sql/main.cc:25
 
    #9 0x7f224e446189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
 
 
 
==2232297==ABORTING


Generated at Thu Feb 08 10:29:35 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.