ADDRESS SANITIZER REPORTS FAILURE IN MAIN.PARTITION_ORDER ON MYSQL-TRUNK

Bug #1588386 reported by Laurynas Biveinis
This bug affects 1 person
Affects          Status        Importance  Assigned to        Milestone
Percona Server   moved to https://jira.percona.com/projects/PS (status tracked in 5.7)
5.5              Fix Released  High        Laurynas Biveinis
5.6              Fix Released  High        Laurynas Biveinis
5.7              Invalid       Undecided   Unassigned

Bug Description

parts.partition_bit_myisam w3 [ fail ]
...
CURRENT_TEST: parts.partition_bit_myisam
mysqltest: In included file "./suite/parts/inc/partition_bit.inc":
included from ./suite/parts/inc/partition_bit.inc at line 48:
At line 48: query 'select hex(a) from t1' failed: 2013: Lost connection to MySQL server during query
...
=================================================================
==18175==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060002c6275 at pc 0x7f322348e676 bp 0x7f3207ed79f0 sp 0x7f3207ed7198
READ of size 64 at 0x6060002c6275 thread T841
    #0 0x7f322348e675 in memcmp (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x77675)
    #1 0x957d8d in Field_bit::cmp_max(unsigned char const*, unsigned char const*, unsigned int) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/field.cc:8761
    #2 0xb5f919 in key_rec_cmp /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/key.cc:598
    #3 0xd4dda2 in _downheap /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/mysys/queues.c:293
    #4 0xd4e122 in queue_fix /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/mysys/queues.c:365
    #5 0x1285d70 in ha_partition::handle_ordered_index_scan(unsigned char*, bool) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/ha_partition.cc:5356
    #6 0x1286e41 in ha_partition::common_first_last(unsigned char*) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/ha_partition.cc:4711
    #7 0x1286f72 in ha_partition::index_first(unsigned char*) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/ha_partition.cc:4660
    #8 0x719732 in join_read_first /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_select.cc:12715
    #9 0x6fe6e8 in sub_select(JOIN*, st_join_table*, bool) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_select.cc:11907
    #10 0x718286 in do_select /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_select.cc:11673
    #11 0x756715 in JOIN::exec() /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_select.cc:2443
    #12 0x7451ad in mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_select.cc:2662
    #13 0x745a0c in handle_select(THD*, LEX*, select_result*, unsigned long) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_select.cc:315
    #14 0x66d883 in execute_sqlcom_select /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_parse.cc:4868
    #15 0x680f1c in mysql_execute_command(THD*) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_parse.cc:2361
    #16 0x693331 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_parse.cc:6058
    #17 0x6970ce in dispatch_command(enum_server_command, THD*, char*, unsigned int) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_parse.cc:1075
    #18 0x69b88d in do_command(THD*) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_parse.cc:789
    #19 0x8956ad in do_handle_one_connection(THD*) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_connect.cc:1418
    #20 0x89594e in handle_one_connection /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_connect.cc:1325
    #21 0xd914dc in pfs_spawn_thread /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/storage/perfschema/pfs.cc:1015
    #22 0x7f3222de56f9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76f9)
    #23 0x7f3221990b5c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x106b5c)

0x6060002c6275 is located 0 bytes to the right of 53-byte region [0x6060002c6240,0x6060002c6275)
allocated by thread T841 here:
    #0 0x7f32234af54a in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9854a)
    #1 0xd41419 in my_malloc /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/mysys/my_malloc.c:38
    #2 0x1281db9 in ha_partition::init_record_priority_queue() /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/ha_partition.cc:4328
    #3 0x128258c in ha_partition::index_init(unsigned int, bool) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/ha_partition.cc:4422
    #4 0x719641 in handler::ha_index_init(unsigned int, bool) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/handler.h:1426
    #5 0x719641 in join_read_first /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_select.cc:12708
    #6 0x6fe6e8 in sub_select(JOIN*, st_join_table*, bool) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_select.cc:11907
    #7 0x718286 in do_select /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_select.cc:11673
    #8 0x756715 in JOIN::exec() /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_select.cc:2443
    #9 0x7451ad in mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_select.cc:2662
    #10 0x745a0c in handle_select(THD*, LEX*, select_result*, unsigned long) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_select.cc:315
    #11 0x66d883 in execute_sqlcom_select /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_parse.cc:4868
    #12 0x680f1c in mysql_execute_command(THD*) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_parse.cc:2361
    #13 0x693331 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_parse.cc:6058
    #14 0x6970ce in dispatch_command(enum_server_command, THD*, char*, unsigned int) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_parse.cc:1075
    #15 0x69b88d in do_command(THD*) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_parse.cc:789
    #16 0x8956ad in do_handle_one_connection(THD*) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_connect.cc:1418
    #17 0x89594e in handle_one_connection /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_connect.cc:1325
    #18 0xd914dc in pfs_spawn_thread /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/storage/perfschema/pfs.cc:1015
    #19 0x7f3222de56f9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76f9)

Thread T841 created by T0 here:
    #0 0x7f322344d253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
    #1 0xd94a99 in spawn_thread_v1 /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/storage/perfschema/pfs.cc:1038
    #2 0x519d5d in inline_mysql_thread_create /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/include/mysql/psi/mysql_thread.h:1049
    #3 0x519d5d in create_thread_to_handle_connection(THD*) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/mysqld.cc:5289
    #4 0x51b4d9 in create_new_thread /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/mysqld.cc:5387
    #5 0x51b4d9 in handle_connections_sockets() /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/mysqld.cc:5647
    #6 0x51e8c0 in mysqld_main(int, char**) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/mysqld.cc:4901
    #7 0x505e3e in main /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/main.cc:25
    #8 0x7f32218aa82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 memcmp
Shadow bytes around the buggy address:
  0x0c0c80050bf0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c80050c00: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0c80050c10: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c80050c20: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c80050c30: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
=>0x0c0c80050c40: fd fd fd fd fa fa fa fa 00 00 00 00 00 00[05]fa
  0x0c0c80050c50: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c80050c60: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c0c80050c70: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c80050c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80050c90: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
==18175==ABORTING

Tags: asan ci upstream
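
Added example (not part of the original report and not Percona Server or MySQL code): a small Python triage of the AddressSanitizer report above. It extracts the access size, the region size, the first project frame of the access and allocation stacks, and checks the marked shadow line against the 53-byte region. The sample embeds key lines of the report with build paths shortened to ".../"; the function names and the WRAPPERS skip list are assumptions of this example.

```python
import re
# Constructed sample: key lines of the report above, build paths shortened to ".../".
REPORT = """\
READ of size 64 at 0x6060002c6275 thread T841
    #0 0x7f322348e675 in memcmp (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x77675)
    #1 0x957d8d in Field_bit::cmp_max(unsigned char const*, unsigned char const*, unsigned int) .../sql/field.cc:8761

0x6060002c6275 is located 0 bytes to the right of 53-byte region [0x6060002c6240,0x6060002c6275)
allocated by thread T841 here:
    #0 0x7f32234af54a in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9854a)
    #1 0xd41419 in my_malloc .../mysys/my_malloc.c:38
    #2 0x1281db9 in ha_partition::init_record_priority_queue() .../sql/ha_partition.cc:4328
=>0x0c0c80050c40: fd fd fd fd fa fa fa fa 00 00 00 00 00 00[05]fa
"""
FRAME = re.compile(r"^ +#\d+ 0x[0-9a-f]+ in (.+) (\S+)$", re.M)
WRAPPERS = {"my_malloc"}  # assumption: allocator wrappers to skip; extend per code base

def first_project_frame(stack):
    # Skip frames without source info (sanitizer runtime, libc) and known wrappers.
    for func, loc in FRAME.findall(stack):
        name = func.split("(")[0]
        if not loc.startswith("(") and name not in WRAPPERS:
            return name, loc
    return None

def shadow_valid_bytes(report):
    # One shadow byte covers 8 application bytes: 00 = all 8 valid, 01..07 = first k valid.
    line = re.search(r"^=>0x[0-9a-f]+: (.*)$", report, re.M).group(1)
    before, k = re.match(r"(.*)\[([0-9a-f]{2})\]", line).groups()
    tokens, full = before.split(), 0
    while full < len(tokens) and tokens[-1 - full] == "00":
        full += 1
    return full * 8 + (int(k, 16) if int(k, 16) < 8 else 0)

def triage(report):
    acc = re.search(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", report, re.M)
    reg = re.search(r"right of (\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", report)
    access_stack, _, alloc_stack = report.partition("allocated by thread")
    lo, hi = int(reg.group(2), 16), int(reg.group(3), 16)
    return {
        "access": (acc.group(1), int(acc.group(2))),
        "region_bytes": int(reg.group(1)),
        "bounds_match_size": hi - lo == int(reg.group(1)),
        # For an intercepted call such as memcmp, ASan reports the first poisoned byte
        "first_bad_byte_is_region_end": int(acc.group(3), 16) == hi,
        "faulting_frame": first_project_frame(access_stack),
        "allocating_frame": first_project_frame(alloc_stack),
        "shadow_valid_bytes": shadow_valid_bytes(report),
    }
```

The result pairs the 64-byte memcmp length requested in Field_bit::cmp_max with the 53-byte buffer allocated in ha_partition::init_record_priority_queue, the two places to compare when reviewing the backported fix.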
Laurynas Biveinis (laurynas-biveinis) wrote :

The fix seems to be backporting

commit f0d7a37c48cd423ea48c32c644d1da3c4d5898e7
Author: Mattias Jonsson <email address hidden>
Date: Thu Feb 13 16:47:31 2014 +0100

    Bug#17957894: ADDRESS SANITIZER REPORTS FAILURE IN MAIN.PARTITION_ORDER ON MYSQL-TRUNK

    Bad length in memcmp in Field_bit::cmp_max().

tags: added: asan ci upstream
Laurynas Biveinis (laurynas-biveinis) wrote :
Shahriyar Rzayev (rzayev-sehriyar) wrote :

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-3456
