[MDEV-32647] ASAN build crashes after assigning CHAR/VARCHAR data type to dynamic column Created: 2023-11-01  Updated: 2023-11-28

Status: Open
Project: MariaDB Server
Component/s: Dynamic Columns
Affects Version/s: 10.4, 10.5, 10.6, 10.9, 10.10, 10.11, 11.0, 11.1, 11.2, 11.3
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0, 11.1, 11.2, 11.3

Type: Bug Priority: Major
Reporter: Ramesh Sivaraman Assignee: Oleksandr Byelkin
Resolution: Unresolved Votes: 0
Labels: None


 Description   

SET sql_mode='';
CREATE TABLE t (a varchar(10),b CHAR(20));
INSERT INTO t VALUES ('Laptop',COLUMN_CREATE ('color','black','price',500));
SELECT a,COLUMN_GET (b,'color' AS CHAR) AS color FROM t;

Leads to:

11.3.0 126157061b4376496c034a809ea4943e863d1465 (Optimized)

==3001831==ERROR: AddressSanitizer: use-after-poison on address 0x6190000938eb at pc 0x558bfaa9f4d2 bp 0x1473ab5163f0 sp 0x1473ab5163e0
READ of size 1 at 0x6190000938eb thread T12
    #0 0x558bfaa9f4d1 in dynamic_column_var_uint_get /test/11.3_opt_san/mysys/ma_dyncol.c:774
    #1 0x558bfaa9f4d1 in dynamic_column_string_read /test/11.3_opt_san/mysys/ma_dyncol.c:1087
    #2 0x558bfaa9f4d1 in dynamic_column_get_value /test/11.3_opt_san/mysys/ma_dyncol.c:2246
    #3 0x558bfaaa3440 in dynamic_column_get_internal /test/11.3_opt_san/mysys/ma_dyncol.c:2307
    #4 0x558bfaaa3440 in mariadb_dyncol_get_named /test/11.3_opt_san/mysys/ma_dyncol.c:2227
    #5 0x558bf8bfb598 in Item_dyncol_get::get_dyn_value(THD*, st_dynamic_column_value*, String*) /test/11.3_opt_san/sql/item_strfunc.cc:5317
    #6 0x558bf8bfc874 in Item_dyncol_get::val_str(String*) /test/11.3_opt_san/sql/item_strfunc.cc:5335
    #7 0x558bf8f49378 in Item_char_typecast::val_str_generic(String*) /test/11.3_opt_san/sql/item_timefunc.cc:3200
    #8 0x558bf7c7a3cd in Type_handler::Item_send_str(Item*, Protocol*, st_value*) const /test/11.3_opt_san/sql/sql_type.cc:7445
    #9 0x558bf6723351 in Protocol::send_result_set_row(List<Item>*) /test/11.3_opt_san/sql/protocol.cc:1334
    #10 0x558bf6a74f59 in select_send::send_data(List<Item>&) /test/11.3_opt_san/sql/sql_class.cc:3129
    #11 0x558bf7083d4b in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.3_opt_san/sql/sql_class.h:5913
    #12 0x558bf7083d4b in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.3_opt_san/sql/sql_class.h:5903
    #13 0x558bf7083d4b in end_send /test/11.3_opt_san/sql/sql_select.cc:24777
    #14 0x558bf6f7e007 in evaluate_join_record /test/11.3_opt_san/sql/sql_select.cc:23743
    #15 0x558bf6fd34d1 in sub_select(JOIN*, st_join_table*, bool) /test/11.3_opt_san/sql/sql_select.cc:23510
    #16 0x558bf71aea9e in do_select /test/11.3_opt_san/sql/sql_select.cc:23027
    #17 0x558bf71aea9e in JOIN::exec_inner() /test/11.3_opt_san/sql/sql_select.cc:4949
    #18 0x558bf71b3889 in JOIN::exec() /test/11.3_opt_san/sql/sql_select.cc:4726
    #19 0x558bf71a0c6c in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.3_opt_san/sql/sql_select.cc:5257
    #20 0x558bf71a4903 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.3_opt_san/sql/sql_select.cc:628
    #21 0x558bf6d7b96f in execute_sqlcom_select /test/11.3_opt_san/sql/sql_parse.cc:6023
    #22 0x558bf6dcb595 in mysql_execute_command(THD*, bool) /test/11.3_opt_san/sql/sql_parse.cc:3923
    #23 0x558bf6d4abd0 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.3_opt_san/sql/sql_parse.cc:7742
    #24 0x558bf6da1cb8 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.3_opt_san/sql/sql_parse.cc:1893
    #25 0x558bf6dad51d in do_command(THD*, bool) /test/11.3_opt_san/sql/sql_parse.cc:1406
    #26 0x558bf76fe47d in do_handle_one_connection(CONNECT*, bool) /test/11.3_opt_san/sql/sql_connect.cc:1418
    #27 0x558bf7700aec in handle_one_connection /test/11.3_opt_san/sql/sql_connect.cc:1320
    #28 0x1473cdf8e608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
    #29 0x1473cd203132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)

Setup:

Compiled with GCC >=7.5.0 (I use GCC 11.4.0) and:
    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON
Set before execution:
    export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1

Bug confirmed present in:
MariaDB: 10.4.32 (dbg), 10.4.32 (opt), 10.5.23 (dbg), 10.5.23 (opt), 10.6.16 (dbg), 10.6.16 (opt), 10.9.8 (dbg), 10.9.8 (opt), 10.10.7 (dbg), 10.10.7 (opt), 10.11.6 (dbg), 10.11.6 (opt), 11.0.4 (dbg), 11.0.4 (opt), 11.1.3 (dbg), 11.1.3 (opt), 11.2.2 (dbg), 11.2.2 (opt), 11.3.0 (dbg), 11.3.0 (opt)
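Every reproducer above stores a COLUMN_CREATE() blob into a 20-character CHAR/VARCHAR column with sql_mode='' (no STRICT_TRANS_TABLES), so an over-long blob is silently truncated on INSERT and the dynamic-column reader is later handed a blob whose internal offsets no longer fit the stored bytes. The SQL below is an added practitioner check, not part of the report or of the MariaDB test suite: it measures the blob against the column width, shows that the truncation only produces a warning, gates COLUMN_GET() on COLUMN_CHECK(), and contrasts the schema with a BLOB column and strict mode. The table names t_ok and t_strict are invented here, the "Data too long" outcome assumes the blob really is longer than 20 bytes (confirm with the first query), and COLUMN_CHECK() itself parses the blob, so on an affected sanitizer build it should be tested before being relied on as a guard.

```sql
-- Added example (not from the MDEV-32647 report): does the dynamic-column
-- blob even fit the column it is being written to?

-- 1. Blob length vs. column width. The exact value is build-dependent;
--    the point is to compare it against 20.
SELECT LENGTH(COLUMN_CREATE('color','black','price',500)) AS blob_len;

-- 2. The reporter's setup: non-strict mode truncates silently.
SET sql_mode='';
CREATE OR REPLACE TABLE t (a VARCHAR(10), b CHAR(20));
INSERT INTO t VALUES ('Laptop', COLUMN_CREATE('color','black','price',500));
SHOW WARNINGS;   -- expect a "Data truncated" note, not an error

-- 3. Inspect and validate the stored value before extracting from it.
--    COLUMN_CHECK() returns 1 for a well-formed blob and 0 otherwise.
SELECT a, LENGTH(b) AS stored_len, COLUMN_CHECK(b) AS is_valid FROM t;

--    Gate the extraction: COLUMN_GET() only runs for rows that pass the check.
SELECT a, COLUMN_GET(b, 'color' AS CHAR) AS color
FROM t
WHERE COLUMN_CHECK(b);

-- 4. Safer schema: a BLOB column neither pads nor truncates the blob,
--    and strict mode turns an over-long value into an error.
SET sql_mode='STRICT_TRANS_TABLES';
CREATE OR REPLACE TABLE t_ok (a VARCHAR(10), b BLOB);
INSERT INTO t_ok VALUES ('Laptop', COLUMN_CREATE('color','black','price',500));
SELECT a, COLUMN_CHECK(b) AS is_valid,
       COLUMN_GET(b, 'color' AS CHAR) AS color
FROM t_ok;

--    With the original CHAR(20) column, strict mode rejects the INSERT
--    (ER_DATA_TOO_LONG) instead of storing a truncated blob, provided
--    blob_len from step 1 exceeds 20.
CREATE OR REPLACE TABLE t_strict (a VARCHAR(10), b CHAR(20));
INSERT INTO t_strict VALUES ('Laptop', COLUMN_CREATE('color','black','price',500));
```

The guard in step 3 is a mitigation for callers, not a fix for the reader in mysys/ma_dyncol.c: the stack traces show the crash inside COLUMN_GET() and COLUMN_LIST() themselves, so the library still needs to bound every offset it reads against the length of the buffer it was given. Step 4 is the durable answer for schemas that store dynamic columns: use a BLOB and run with strict mode so a blob can never be silently cut short.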



 Comments   
Comment by Ramesh Sivaraman [ 2023-11-01 ]

The following test cases crash the ASAN build with a slightly different stack:

SET sql_mode='';
CREATE TABLE t (a CHAR(5),b VARCHAR(20));
INSERT INTO t VALUES ('Shirt',COLUMN_CREATE ('color','blue','size',0));
UPDATE t SET b=COLUMN_DELETE(b,'price') WHERE COLUMN_GET (b,'color' AS char)='blue';

Leads to:

11.3.0 126157061b4376496c034a809ea4943e863d1465 (Optimized, UBASAN)

==774890==ERROR: AddressSanitizer: unknown-crash on address 0x6190000938e3 at pc 0x55ca1232e310 bp 0x14f9f2d81e80 sp 0x14f9f2d81628
READ of size 5 at 0x6190000938e3 thread T12
    #0 0x55ca1232e30f in __interceptor_memcmp.part.0 (/test/UBASAN_MD311023-mariadb-11.3.0-linux-x86_64-opt/bin/mariadbd+0x7d2130f)
    #1 0x55ca168d7449 in find_entry_named /test/11.3_opt_san/mysys/ma_dyncol.c:2054
    #2 0x55ca168d7449 in find_column /test/11.3_opt_san/mysys/ma_dyncol.c:2128
    #3 0x55ca168dd419 in dynamic_column_get_internal /test/11.3_opt_san/mysys/ma_dyncol.c:2304
    #4 0x55ca168dd419 in mariadb_dyncol_get_named /test/11.3_opt_san/mysys/ma_dyncol.c:2227
    #5 0x55ca14a35598 in Item_dyncol_get::get_dyn_value(THD*, st_dynamic_column_value*, String*) /test/11.3_opt_san/sql/item_strfunc.cc:5317
    #6 0x55ca14a36874 in Item_dyncol_get::val_str(String*) /test/11.3_opt_san/sql/item_strfunc.cc:5335
    #7 0x55ca14d83378 in Item_char_typecast::val_str_generic(String*) /test/11.3_opt_san/sql/item_timefunc.cc:3200
    #8 0x55ca14454539 in Arg_comparator::compare_string() /test/11.3_opt_san/sql/item_cmpfunc.cc:820
    #9 0x55ca1443801b in Arg_comparator::compare() /test/11.3_opt_san/sql/item_cmpfunc.h:104
    #10 0x55ca1443801b in Item_func_eq::val_int() /test/11.3_opt_san/sql/item_cmpfunc.cc:1829
    #11 0x55ca13311b96 in SQL_SELECT::skip_record(THD*) /test/11.3_opt_san/sql/opt_range.h:1916
    #12 0x55ca13311b96 in Sql_cmd_update::update_single_table(THD*) /test/11.3_opt_san/sql/sql_update.cc:921
    #13 0x55ca13322c3f in Sql_cmd_update::execute_inner(THD*) /test/11.3_opt_san/sql/sql_update.cc:3078
    #14 0x55ca12d6e430 in Sql_cmd_dml::execute(THD*) /test/11.3_opt_san/sql/sql_select.cc:33426
    #15 0x55ca12bf90e9 in mysql_execute_command(THD*, bool) /test/11.3_opt_san/sql/sql_parse.cc:4372
    #16 0x55ca12b84bd0 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.3_opt_san/sql/sql_parse.cc:7742
    #17 0x55ca12bdbcb8 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.3_opt_san/sql/sql_parse.cc:1893
    #18 0x55ca12be751d in do_command(THD*, bool) /test/11.3_opt_san/sql/sql_parse.cc:1406
    #19 0x55ca1353847d in do_handle_one_connection(CONNECT*, bool) /test/11.3_opt_san/sql/sql_connect.cc:1418
    #20 0x55ca1353aaec in handle_one_connection /test/11.3_opt_san/sql/sql_connect.cc:1320
    #21 0x14fa157f9608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
    #22 0x14fa14a6e132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)

SET sql_mode='';
CREATE TABLE t (a CHAR(20),b CHAR(20));
INSERT INTO t VALUES ('Laptop',COLUMN_CREATE ('color','black','price',0));
SELECT a,column_list (b) FROM t;

Leads to:

11.3.0 126157061b4376496c034a809ea4943e863d1465 (Optimized, UBASAN)

==1819246==ERROR: AddressSanitizer: unknown-crash on address 0x6190000938f1 at pc 0x558057c01a90 bp 0x14a273368890 sp 0x14a273368038
READ of size 5 at 0x6190000938f1 thread T12
    #0 0x558057c01a8f in __interceptor_memcpy.part.0 (/test/UBASAN_MD311023-mariadb-11.3.0-linux-x86_64-opt/bin/mariadbd+0x7ce1a8f)
    #1 0x55805c1f5324 in mariadb_dyncol_list_named /test/11.3_opt_san/mysys/ma_dyncol.c:2548
    #2 0x55805a2cdfc4 in Item_func_dyncol_list::val_str(String*) /test/11.3_opt_san/sql/item_strfunc.cc:5696
    #3 0x5580593c73cd in Type_handler::Item_send_str(Item*, Protocol*, st_value*) const /test/11.3_opt_san/sql/sql_type.cc:7445
    #4 0x558057e70351 in Protocol::send_result_set_row(List<Item>*) /test/11.3_opt_san/sql/protocol.cc:1334
    #5 0x5580581c1f59 in select_send::send_data(List<Item>&) /test/11.3_opt_san/sql/sql_class.cc:3129
    #6 0x5580587d0d4b in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.3_opt_san/sql/sql_class.h:5913
    #7 0x5580587d0d4b in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.3_opt_san/sql/sql_class.h:5903
    #8 0x5580587d0d4b in end_send /test/11.3_opt_san/sql/sql_select.cc:24777
    #9 0x5580586cb007 in evaluate_join_record /test/11.3_opt_san/sql/sql_select.cc:23743
    #10 0x5580587204d1 in sub_select(JOIN*, st_join_table*, bool) /test/11.3_opt_san/sql/sql_select.cc:23510
    #11 0x5580588fba9e in do_select /test/11.3_opt_san/sql/sql_select.cc:23027
    #12 0x5580588fba9e in JOIN::exec_inner() /test/11.3_opt_san/sql/sql_select.cc:4949
    #13 0x558058900889 in JOIN::exec() /test/11.3_opt_san/sql/sql_select.cc:4726
    #14 0x5580588edc6c in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.3_opt_san/sql/sql_select.cc:5257
    #15 0x5580588f1903 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.3_opt_san/sql/sql_select.cc:628
    #16 0x5580584c896f in execute_sqlcom_select /test/11.3_opt_san/sql/sql_parse.cc:6023
    #17 0x558058518595 in mysql_execute_command(THD*, bool) /test/11.3_opt_san/sql/sql_parse.cc:3923
    #18 0x558058497bd0 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.3_opt_san/sql/sql_parse.cc:7742
    #19 0x5580584eecb8 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.3_opt_san/sql/sql_parse.cc:1893
    #20 0x5580584fa51d in do_command(THD*, bool) /test/11.3_opt_san/sql/sql_parse.cc:1406
    #21 0x558058e4b47d in do_handle_one_connection(CONNECT*, bool) /test/11.3_opt_san/sql/sql_connect.cc:1418
    #22 0x558058e4daec in handle_one_connection /test/11.3_opt_san/sql/sql_connect.cc:1320
    #23 0x14a295de0608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
    #24 0x14a295055132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)

Generated at Thu Feb 08 10:32:56 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.