Issues not present in 10.6 base, which however does produce this outcome:
|
bb-10.6-MDEV-31949 d13a57ae8181f2a8fbee86838d5476740e050d50 (Debug) |
10.6.16-dbg>LOAD INDEX INTO CACHE c KEY(PRIMARY);
|
+--------+--------------+----------+-----------------------------------------------------------------------------------------------+
|
| Table | Op | Msg_type | Msg_text |
|
+--------+--------------+----------+-----------------------------------------------------------------------------------------------+
|
| test.c | preload_keys | Error | XAER_RMFAIL: The command cannot be executed when global transaction is in the PREPARED state |
|
| test.c | preload_keys | Error | XAER_RMFAIL: The command cannot be executed when global transaction is in the PREPARED state |
|
| test.c | preload_keys | error | Corrupt |
|
+--------+--------------+----------+-----------------------------------------------------------------------------------------------+
|
3 rows in set (0.003 sec)
|
Same result on optimized builds.
Additional testcase yielding a ASAN use-after-poison in event_xid_t::serialize (optimized builds) and xid_t::eq and (debug builds):
--source include/have_binlog_format_row.inc
|
CREATE TABLE t (a INT); |
XA START 'a'; |
INSERT INTO t VALUES (1); |
XA END 'a'; |
XA PREPARE 'a'; |
--error ER_XAER_RMFAIL
|
XA START 'a'; |
LOAD INDEX INTO CACHE t IGNORE LEAVES; |
Leads to:
|
bb-10.6-MDEV-31949 3455be1b4a925f43a1e7170029abf3304122409f (Optimized, UBASAN) |
==3694900==ERROR: AddressSanitizer: use-after-poison on address 0x62b000093308 at pc 0x55aaebd597f0 bp 0x151854bdbb70 sp 0x151854bdbb60
|
READ of size 8 at 0x62b000093308 thread T6
|
#0 0x55aaebd597ef in event_xid_t::serialize(char*) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/log_event.h:3215
|
#1 0x55aaebd597ef in serialize_with_xid(xid_t*, char*, char const*, unsigned long) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/log.cc:1838
|
#2 0x55aaebd597ef in binlog_rollback_flush_trx_cache /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/log.cc:1910
|
#3 0x55aaebd5a080 in binlog_rollback /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/log.cc:2402
|
#4 0x55aaeb172ed2 in ha_rollback_trans(THD*, bool) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/handler.cc:2224
|
#5 0x55aaea698e8f in trans_rollback_implicit(THD*) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/transaction.cc:421
|
#6 0x55aaea682a90 in mysql_admin_table /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_admin.cc:1326
|
#7 0x55aaea693543 in mysql_preload_keys(THD*, TABLE_LIST*) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_admin.cc:1470
|
#8 0x55aae9d8196e in mysql_execute_command(THD*, bool) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_parse.cc:4103
|
#9 0x55aae9d971e2 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_parse.cc:8050
|
#10 0x55aae9da3255 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_parse.cc:1896
|
#11 0x55aae9dae630 in do_command(THD*, bool) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_parse.cc:1409
|
#12 0x55aaea612bdc in do_handle_one_connection(CONNECT*, bool) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_connect.cc:1416
|
#13 0x55aaea6151dc in handle_one_connection /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_connect.cc:1318
|
#14 0x15185a494b42 in start_thread nptl/pthread_create.c:442
|
#15 0x15185a5269ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
|
|
|
0x62b000093308 is located 264 bytes inside of 24624-byte region [0x62b000093200,0x62b000099230)
|
allocated by thread T6 here:
|
#0 0x55aae96583f7 in __interceptor_malloc (/test/PATCH3_UBASAN_MD031023-mariadb-10.6.16-linux-x86_64-opt/bin/mariadbd+0x77113f7)
|
#1 0x55aaed918644 in my_malloc /test/bb-10.6-MDEV-31949_PATCH3_opt_san/mysys/my_malloc.c:91
|
#2 0x55aaed8f3d9f in reset_root_defaults /test/bb-10.6-MDEV-31949_PATCH3_opt_san/mysys/my_alloc.c:156
|
#3 0x55aae9a4959e in THD::init_for_queries() /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_class.cc:1412
|
#4 0x55aaea60d70e in prepare_new_connection_state(THD*) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_connect.cc:1245
|
#5 0x55aaea60eff7 in thd_prepare_connection(THD*) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_connect.cc:1339
|
#6 0x55aaea60eff7 in thd_prepare_connection(THD*) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_connect.cc:1328
|
#7 0x55aaea611c77 in do_handle_one_connection(CONNECT*, bool) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_connect.cc:1406
|
#8 0x55aaea6151dc in handle_one_connection /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_connect.cc:1318
|
#9 0x15185a494b42 in start_thread nptl/pthread_create.c:442
|
|
|
Thread T6 created by T0 here:
|
#0 0x55aae95fc215 in __interceptor_pthread_create (/test/PATCH3_UBASAN_MD031023-mariadb-10.6.16-linux-x86_64-opt/bin/mariadbd+0x76b5215)
|
#1 0x55aae96ae11e in create_thread_to_handle_connection(CONNECT*) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/mysqld.cc:5996
|
#2 0x55aae96bfc4f in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/mysqld.cc:6117
|
#3 0x55aae96c0a97 in handle_connections_sockets() /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/mysqld.cc:6241
|
#4 0x55aae96c3a6d in mysqld_main(int, char**) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/mysqld.cc:5891
|
#5 0x15185a429d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
|
|
SUMMARY: AddressSanitizer: use-after-poison /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/log_event.h:3215 in event_xid_t::serialize(char*)
|
Shadow bytes around the buggy address:
|
0x0c568000a610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c568000a620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c568000a630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c568000a640: 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00
|
0x0c568000a650: 00 00 00 00 00 00 04 f7 00 00 00 00 06 f7 00 00
|
=>0x0c568000a660: f7[02]f7 00 00 00 00 00 f7 00 00 00 f7 02 f7 00
|
0x0c568000a670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c568000a680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c568000a690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c568000a6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c568000a6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==3694900==ABORTING
|
231004 15:00:33 [ERROR] mysqld got signal 6 ;
|
|
bb-10.6-MDEV-31949 3455be1b4a925f43a1e7170029abf3304122409f (Debug, UBASAN) |
==3316626==ERROR: AddressSanitizer: use-after-poison on address 0x62b000093300 at pc 0x55e9f8fcfc5d bp 0x1548ba0d3e50 sp 0x1548ba0d3e40
|
READ of size 8 at 0x62b000093300 thread T6
|
#0 0x55e9f8fcfc5c in xid_t::eq(long, long, char const*) const /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/handler.h:894
|
#1 0x55e9f8fcfc5c in xid_t::eq(xid_t*) const /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/handler.h:892
|
#2 0x55e9f8fcfc5c in binlog_rollback_flush_trx_cache /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/log.cc:1908
|
#3 0x55e9f8fd275b in binlog_rollback /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/log.cc:2402
|
#4 0x55e9f825a5da in ha_rollback_trans(THD*, bool) /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/handler.cc:2224
|
#5 0x55e9f763f592 in trans_rollback_implicit(THD*) /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/transaction.cc:421
|
#6 0x55e9f762d49f in mysql_admin_table /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/sql_admin.cc:1326
|
#7 0x55e9f7635e63 in mysql_preload_keys(THD*, TABLE_LIST*) /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/sql_admin.cc:1470
|
#8 0x55e9f6c377e9 in mysql_execute_command(THD*, bool) /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/sql_parse.cc:4103
|
#9 0x55e9f6c61269 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/sql_parse.cc:8050
|
#10 0x55e9f6c70fcd in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/sql_parse.cc:1896
|
#11 0x55e9f6c7f04a in do_command(THD*, bool) /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/sql_parse.cc:1409
|
#12 0x55e9f75a818d in do_handle_one_connection(CONNECT*, bool) /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/sql_connect.cc:1416
|
#13 0x55e9f75a96a8 in handle_one_connection /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/sql_connect.cc:1318
|
#14 0x1548bfc94b42 in start_thread nptl/pthread_create.c:442
|
#15 0x1548bfd269ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
|
|
|
0x62b000093300 is located 256 bytes inside of 24624-byte region [0x62b000093200,0x62b000099230)
|
allocated by thread T6 here:
|
#0 0x55e9f64af387 in malloc (/test/PATCH3_UBASAN_MD031023-mariadb-10.6.16-linux-x86_64-dbg/bin/mariadbd+0x7647387)
|
#1 0x55e9faaa2828 in my_malloc /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/mysys/my_malloc.c:91
|
#2 0x55e9faa81be2 in reset_root_defaults /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/mysys/my_alloc.c:156
|
#3 0x55e9f68db731 in THD::init_for_queries() /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/sql_class.cc:1412
|
#4 0x55e9f75a3ea4 in prepare_new_connection_state(THD*) /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/sql_connect.cc:1245
|
#5 0x55e9f75a5652 in thd_prepare_connection(THD*) /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/sql_connect.cc:1339
|
#6 0x55e9f75a8a0c in do_handle_one_connection(CONNECT*, bool) /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/sql_connect.cc:1406
|
#7 0x55e9f75a96a8 in handle_one_connection /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/sql_connect.cc:1318
|
#8 0x1548bfc94b42 in start_thread nptl/pthread_create.c:442
|
|
|
Thread T6 created by T0 here:
|
#0 0x55e9f64531a5 in pthread_create (/test/PATCH3_UBASAN_MD031023-mariadb-10.6.16-linux-x86_64-dbg/bin/mariadbd+0x75eb1a5)
|
#1 0x55e9f6509084 in create_thread_to_handle_connection(CONNECT*) /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/mysqld.cc:5996
|
#2 0x55e9f6515002 in create_new_thread(CONNECT*) /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/mysqld.cc:6055
|
#3 0x55e9f651585e in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/mysqld.cc:6117
|
#4 0x55e9f6516a7e in handle_connections_sockets() /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/mysqld.cc:6241
|
#5 0x55e9f651d73e in mysqld_main(int, char**) /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/mysqld.cc:5891
|
#6 0x55e9f64f4f2a in main /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/main.cc:34
|
#7 0x1548bfc29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
|
|
SUMMARY: AddressSanitizer: use-after-poison /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/handler.h:894 in xid_t::eq(long, long, char const*) const
|
Shadow bytes around the buggy address:
|
0x0c568000a610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c568000a620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c568000a630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c568000a640: 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00
|
0x0c568000a650: 00 00 00 00 00 00 04 f7 00 00 00 00 06 f7 00 00
|
=>0x0c568000a660:[f7]02 f7 00 00 00 00 00 f7 00 00 00 f7 02 f7 00
|
0x0c568000a670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c568000a680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c568000a690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c568000a6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c568000a6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==3316626==ABORTING
|
231004 14:13:49 [ERROR] mysqld got signal 6 ;
|
All UniqueID's/stacks seen so far for this ticket:
is_async_xac || thd->lex->xid->eq(thd->transaction->xid_state.get_xid())|SIGABRT|binlog_rollback_flush_trx_cache|binlog_rollback|ha_rollback_trans|trans_rollback_implicit
|
SIGSEGV|serialize_xid|event_xid_t::serialize|serialize_with_xid|binlog_rollback_flush_trx_cache
|
ASAN|use-after-poison|sql/handler.h|xid_t::eq|xid_t::eq|binlog_rollback_flush_trx_cache|binlog_rollback
|
ASAN|use-after-poison|sql/log_event.h|event_xid_t::serialize|serialize_with_xid|binlog_rollback_flush_trx_cache|binlog_rollback
|
ASAN|use-after-poison|sql/handler.h|xid_t::is_null|xid_t::eq|xid_t::eq|binlog_rollback_flush_trx_cache
|
ASAN|use-after-poison|sql/log_event.h|serialize_xid|event_xid_t::serialize|serialize_with_xid|binlog_rollback_flush_trx_cache
|
Another ASAN stack observed on debug builds with this testcase. The issue could not be reproduced in MTR, in CLI only.
# mysqld options required for replay: --log-bin |
CREATE TABLE t1 (c INT); |
ALTER TABLE t1 ADD c2 BLOB; |
XA START 'a'; |
INSERT INTO t1 VALUES(0,0); |
XA END 'a'; |
XA PREPARE 'a'; |
LOAD INDEX INTO CACHE t1 INDEX (`PRIMARY`); |
Leads to:
|
bb-10.6-MDEV-31949 3455be1b4a925f43a1e7170029abf3304122409f (Debug, UBASAN) |
==1986981==ERROR: AddressSanitizer: use-after-poison on address 0x62b0000b62f8 at pc 0x55f1cac99c44 bp 0x151d26778e50 sp 0x151d26778e40
|
READ of size 8 at 0x62b0000b62f8 thread T27
|
#0 0x55f1cac99c43 in xid_t::is_null() const /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/handler.h:923
|
#1 0x55f1cac99c43 in xid_t::eq(long, long, char const*) const /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/handler.h:894
|
#2 0x55f1cac99c43 in xid_t::eq(xid_t*) const /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/handler.h:892
|
#3 0x55f1cac99c43 in binlog_rollback_flush_trx_cache /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/log.cc:1908
|
#4 0x55f1cac9c75b in binlog_rollback /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/log.cc:2402
|
#5 0x55f1c9f245da in ha_rollback_trans(THD*, bool) /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/handler.cc:2224
|
#6 0x55f1c9309592 in trans_rollback_implicit(THD*) /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/transaction.cc:421
|
#7 0x55f1c92f749f in mysql_admin_table /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/sql_admin.cc:1326
|
#8 0x55f1c92ffe63 in mysql_preload_keys(THD*, TABLE_LIST*) /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/sql_admin.cc:1470
|
#9 0x55f1c89017e9 in mysql_execute_command(THD*, bool) /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/sql_parse.cc:4103
|
#10 0x55f1c892b269 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/sql_parse.cc:8050
|
#11 0x55f1c893afcd in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/sql_parse.cc:1896
|
#12 0x55f1c894904a in do_command(THD*, bool) /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/sql_parse.cc:1409
|
#13 0x55f1c927218d in do_handle_one_connection(CONNECT*, bool) /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/sql_connect.cc:1416
|
#14 0x55f1c92736a8 in handle_one_connection /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/sql_connect.cc:1318
|
#15 0x151d4a694ac2 in start_thread nptl/pthread_create.c:442
|
#16 0x151d4a726a3f (/lib/x86_64-linux-gnu/libc.so.6+0x126a3f)
|
|
|
0x62b0000b62f8 is located 248 bytes inside of 24624-byte region [0x62b0000b6200,0x62b0000bc230)
|
allocated by thread T27 here:
|
#0 0x55f1c8179387 in malloc (/test/PATCH3_UBASAN_MD031023-mariadb-10.6.16-linux-x86_64-dbg/bin/mariadbd+0x7647387)
|
#1 0x55f1cc76c828 in my_malloc /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/mysys/my_malloc.c:91
|
#2 0x55f1cc74bbe2 in reset_root_defaults /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/mysys/my_alloc.c:156
|
#3 0x55f1c85a5731 in THD::init_for_queries() /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/sql_class.cc:1412
|
#4 0x55f1c926dea4 in prepare_new_connection_state(THD*) /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/sql_connect.cc:1245
|
#5 0x55f1c926f652 in thd_prepare_connection(THD*) /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/sql_connect.cc:1339
|
#6 0x55f1c9272a0c in do_handle_one_connection(CONNECT*, bool) /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/sql_connect.cc:1406
|
#7 0x55f1c92736a8 in handle_one_connection /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/sql_connect.cc:1318
|
#8 0x151d4a694ac2 in start_thread nptl/pthread_create.c:442
|
|
|
Thread T27 created by T0 here:
|
#0 0x55f1c811d1a5 in pthread_create (/test/PATCH3_UBASAN_MD031023-mariadb-10.6.16-linux-x86_64-dbg/bin/mariadbd+0x75eb1a5)
|
#1 0x55f1c81d3084 in create_thread_to_handle_connection(CONNECT*) /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/mysqld.cc:5996
|
#2 0x55f1c81df002 in create_new_thread(CONNECT*) /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/mysqld.cc:6055
|
#3 0x55f1c81df85e in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/mysqld.cc:6117
|
#4 0x55f1c81e0a7e in handle_connections_sockets() /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/mysqld.cc:6241
|
#5 0x55f1c81e773e in mysqld_main(int, char**) /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/mysqld.cc:5891
|
#6 0x55f1c81bef2a in main /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/main.cc:34
|
#7 0x151d4a629d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
|
|
SUMMARY: AddressSanitizer: use-after-poison /test/bb-10.6-MDEV-31949_PATCH3_dbg_san/sql/handler.h:923 in xid_t::is_null() const
|
Shadow bytes around the buggy address:
|
0x0c568000ec00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c568000ec10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c568000ec20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c568000ec30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c568000ec40: 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00
|
=>0x0c568000ec50: 00 00 00 00 00 00 00 01 f7 00 00 00 00 00 03[f7]
|
0x0c568000ec60: 00 00 f7 03 f7 00 00 00 00 00 f7 00 00 00 f7 00
|
0x0c568000ec70: f7 00 f7 00 00 00 f7 00 00 f7 03 f7 00 00 00 00
|
0x0c568000ec80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c568000ec90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c568000eca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==1986981==ABORTING
|
231005 16:06:40 [ERROR] mysqld got signal 6 ;
|
Another testcase
--source include/have_binlog_format_row.inc
|
CREATE TABLE t (c INT); |
XA START 'a'; |
INSERT INTO t VALUES (1); |
XA END 'a'; |
XA PREPARE 'a'; |
SET collation_connection=utf32_unicode_ci; |
--error ER_XAER_OUTSIDE # ?
|
XA COMMIT 'a'; |
LOAD INDEX INTO CACHE c1; |
As well as
--source include/have_binlog_format_row.inc
|
--source include/have_partition.inc
|
SET sql_mode=''; |
CREATE TABLE t (a BINARY (1),KEY(a)) PARTITION BY KEY(a) PARTITIONS 1; |
XA START 'a'; |
INSERT INTO t VALUES (1); |
XA END 'a'; |
XA PREPARE 'a'; |
CACHE INDEX t PARTITION (ALL) KEY(inx_b,PRIMARY) IN DEFAULT; |
Both lead to stacks already listed above. However, in both cases the following, as yet unseen use-after-poison in serialize_xid bug was observed also:
|
bb-10.6-MDEV-31949 3455be1b4a925f43a1e7170029abf3304122409f |
==62489==ERROR: AddressSanitizer: use-after-poison on address 0x62b0000c431a at pc 0x55f42612c34f bp 0x14da305c0a90 sp 0x14da305c0a80
|
READ of size 1 at 0x62b0000c431a thread T14
|
#0 0x55f42612c34e in serialize_xid(char*, long, long, long, char const*) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/log_event.h:3166
|
#1 0x55f42612c34e in event_xid_t::serialize(char*) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/log_event.h:3215
|
#2 0x55f42612c34e in serialize_with_xid(xid_t*, char*, char const*, unsigned long) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/log.cc:1838
|
#3 0x55f42612c34e in binlog_rollback_flush_trx_cache /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/log.cc:1910
|
#4 0x55f42612d080 in binlog_rollback /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/log.cc:2402
|
#5 0x55f425545ed2 in ha_rollback_trans(THD*, bool) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/handler.cc:2224
|
#6 0x55f424a6be8f in trans_rollback_implicit(THD*) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/transaction.cc:421
|
#7 0x55f424a55a90 in mysql_admin_table /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_admin.cc:1326
|
#8 0x55f424a6618b in mysql_assign_to_keycache(THD*, TABLE_LIST*, st_mysql_const_lex_string const*) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_admin.cc:1442
|
#9 0x55f424151620 in mysql_execute_command(THD*, bool) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_parse.cc:4092
|
#10 0x55f42416a1e2 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_parse.cc:8050
|
#11 0x55f424176255 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_parse.cc:1896
|
#12 0x55f424181630 in do_command(THD*, bool) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_parse.cc:1409
|
#13 0x55f4249e5bdc in do_handle_one_connection(CONNECT*, bool) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_connect.cc:1416
|
#14 0x55f4249e81dc in handle_one_connection /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_connect.cc:1318
|
#15 0x14da62894b42 in start_thread nptl/pthread_create.c:442
|
#16 0x14da629269ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
|
|
|
0x62b0000c431a is located 282 bytes inside of 24624-byte region [0x62b0000c4200,0x62b0000ca230)
|
allocated by thread T14 here:
|
#0 0x55f423a2b3f7 in __interceptor_malloc (/test/PATCH3_UBASAN_MD031023-mariadb-10.6.16-linux-x86_64-opt/bin/mariadbd+0x77113f7)
|
#1 0x55f427ceb644 in my_malloc /test/bb-10.6-MDEV-31949_PATCH3_opt_san/mysys/my_malloc.c:91
|
#2 0x55f427cc6d9f in reset_root_defaults /test/bb-10.6-MDEV-31949_PATCH3_opt_san/mysys/my_alloc.c:156
|
#3 0x55f423e1c59e in THD::init_for_queries() /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_class.cc:1412
|
#4 0x55f4249e070e in prepare_new_connection_state(THD*) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_connect.cc:1245
|
#5 0x55f4249e1ff7 in thd_prepare_connection(THD*) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_connect.cc:1339
|
#6 0x55f4249e1ff7 in thd_prepare_connection(THD*) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_connect.cc:1328
|
#7 0x55f4249e4c77 in do_handle_one_connection(CONNECT*, bool) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_connect.cc:1406
|
#8 0x55f4249e81dc in handle_one_connection /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_connect.cc:1318
|
#9 0x14da62894b42 in start_thread nptl/pthread_create.c:442
|
|
|
Thread T14 created by T0 here:
|
#0 0x55f4239cf215 in __interceptor_pthread_create (/test/PATCH3_UBASAN_MD031023-mariadb-10.6.16-linux-x86_64-opt/bin/mariadbd+0x76b5215)
|
#1 0x55f423a8111e in create_thread_to_handle_connection(CONNECT*) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/mysqld.cc:5996
|
#2 0x55f423a92c4f in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/mysqld.cc:6117
|
#3 0x55f423a93a97 in handle_connections_sockets() /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/mysqld.cc:6241
|
#4 0x55f423a96a6d in mysqld_main(int, char**) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/mysqld.cc:5891
|
#5 0x14da62829d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
|
|
SUMMARY: AddressSanitizer: use-after-poison /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/log_event.h:3166 in serialize_xid(char*, long, long, long, char const*)
|
Shadow bytes around the buggy address:
|
0x0c5680010810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c5680010820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c5680010830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c5680010840: 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00
|
0x0c5680010850: 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 00 00
|
=>0x0c5680010860: 00 00 00[02]f7 07 f7 00 00 00 00 00 f7 00 00 00
|
0x0c5680010870: f7 06 f7 00 00 f7 00 00 00 f7 00 00 f7 00 f7 00
|
0x0c5680010880: 00 06 f7 00 00 00 f7 00 00 f7 03 f7 00 00 00 00
|
0x0c5680010890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c56800108a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c56800108b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==62489==ABORTING
|
231004 9:34:59 [ERROR] mysqld got signal 6 ;
|
The patch is in
7b0229771bd..4704c227714 HEAD > bb-10.6MDEV-31949
Roel, to
> if the ASAN use-after-poison's, stack looping and stack smashing have been addressed?
it's been covered to not use THD::lex::xid which could be by a command that has nothing to do with XA transaction (like LOAD-INDEX).
> I've not seen these two myisam specific commands ...
While the LOAD INDEX and CACHE INDEX may be MyISAM/Aria specific, the issue described here happens with InnoDB also:
--source include/have_binlog_format_row.inc
|
--source include/have_innodb.inc
|
CREATE TABLE t (c INT KEY) ENGINE=InnoDB; |
XA START 'a'; |
INSERT INTO t VALUES (1); |
XA END 'a'; |
XA PREPARE 'a'; |
LOAD INDEX INTO CACHE c KEY(PRIMARY); |
> we should not overhype MDEV-32455 significance.
I agree, based on your your findings there (i.e. no other DML/DDL creates the same issue).
I left a note on the patch for Andrei's consideration, but it generally looks good for testing as-is.
bnestere Thank you. I see this patch https://github.com/MariaDB/server/commit/6665e9a1c94881a8ab7519ea95ac3b7ccd48da74#diff-cd4de883246bcdf57f734aea6688c188bc386fc676789b2c1acc9f8079b1c7f7 - will it be merged to bb-10.6-MDEV-31949? What does it fix?
Elkin Please confirm if you will make the additional change to binlog_commit_flush_trx_cache as per bnestere's note? Thank you
Roel, right, the Brandon's note is accounted now
bbaa623621a..79665710367 HEAD -> bb-10.6-MDEV-31949
|
|
The bb-10.6-MDEV-31949 is ready for re-testing.
Fixed as part and in the branch of MDEV-31949.
bnestere ^ One question left for you above. Thanks
Roel it was an alternative suggestion to Andrei's patch, but we discussed it over Zoom and decided against that approach, so i will delete the branch. Good observation, thanks for following up 