main.group_min_max fails under ASan on 5.5 only

Bug #1588169 reported by Laurynas Biveinis
Affects: Percona Server (moved to https://jira.percona.com/projects/PS), status tracked in 5.7
  5.5: Fix Released, importance High, assigned to Laurynas Biveinis
  5.6: Invalid, importance Undecided, Unassigned
  5.7: Invalid, importance Undecided, Unassigned

Bug Description

main.group_min_max w1 [ fail ]
...
mysqltest: At line 348: query 'explain select a1,a2,b, max(c) from t2 where (c < 'a0') group by a1,a2,b' failed: 2013: Lost connection to MySQL server during query
...
=================================================================
==30982==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000001c659e2 at pc 0x7fc3d1eb4676 bp 0x7fc3b914d6b0 sp 0x7fc3b914ce58
READ of size 17 at 0x000001c659e2 thread T494
    #0 0x7fc3d1eb4675 in memcmp (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x77675)
    #1 0xc21f3a in QUICK_GROUP_MIN_MAX_SELECT::add_range(SEL_ARG*) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/opt_range.cc:10905
    #2 0xc22fd5 in TRP_GROUP_MIN_MAX::make_quick(PARAM*, bool, st_mem_root*) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/opt_range.cc:10670
    #3 0xc19b20 in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/opt_range.cc:2450
    #4 0x72cdfa in get_quick_record_count /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_select.cc:2697
    #5 0x72cdfa in make_join_statistics /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_select.cc:3143
    #6 0x735bab in JOIN::optimize() /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_select.cc:1115
    #7 0x745464 in mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_select.cc:2648
    #8 0x7462c9 in mysql_explain_union(THD*, st_select_lex_unit*, select_result*) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_select.cc:17474
    #9 0x66d5b5 in execute_sqlcom_select /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_parse.cc:4838
    #10 0x680f1c in mysql_execute_command(THD*) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_parse.cc:2361
    #11 0x693331 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_parse.cc:6058
    #12 0x6970ce in dispatch_command(enum_server_command, THD*, char*, unsigned int) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_parse.cc:1075
    #13 0x69b88d in do_command(THD*) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_parse.cc:789
    #14 0x8956ad in do_handle_one_connection(THD*) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_connect.cc:1418
    #15 0x89594e in handle_one_connection /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/sql_connect.cc:1325
    #16 0xd914dc in pfs_spawn_thread /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/storage/perfschema/pfs.cc:1015
    #17 0x7fc3d180b6f9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76f9)
    #18 0x7fc3d03b6b5c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x106b5c)

0x000001c659e2 is located 0 bytes to the right of global variable 'is_null_string' defined in '/mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/opt_range.cc:93:14' (0x1c659e0) of size 2
  'is_null_string' is ascii string ''
SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 memcmp
Shadow bytes around the buggy address:
  0x000080384ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080384af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080384b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080384b10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080384b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x000080384b30: 00 00 00 00 00 00 00 00 00 00 00 00[02]f9 f9 f9
  0x000080384b40: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080384b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080384b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080384b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080384b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
Thread T494 created by T0 here:
    #0 0x7fc3d1e73253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
    #1 0xd94a99 in spawn_thread_v1 /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/storage/perfschema/pfs.cc:1038
    #2 0x519d5d in inline_mysql_thread_create /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/include/mysql/psi/mysql_thread.h:1049
    #3 0x519d5d in create_thread_to_handle_connection(THD*) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/mysqld.cc:5289
    #4 0x51b4d9 in create_new_thread /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/mysqld.cc:5387
    #5 0x51b4d9 in handle_connections_sockets() /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/mysqld.cc:5647
    #6 0x51e8c0 in mysqld_main(int, char**) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/mysqld.cc:4901
    #7 0x505e3e in main /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-64bit/sql/main.cc:25
    #8 0x7fc3d02d082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

==30982==ABORTING
----------SERVER LOG END-------------

This is probably upstream bug 67244 "OUT-OF-BOUND READS IN LOOSE INDEX SCAN", which was fixed in 5.6+ only, and the fix would be to backport

commit 2129981969a9ad2f929fb888659078af383cdf11
Author: Tor Didriksen <email address hidden>
Date: Wed Oct 31 12:07:25 2012 +0100

    Bug#14771291 OUT-OF-BOUND READS IN LOOSE INDEX SCAN

    Prevent reading past-the-end of is_null_string

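The trace above shows memcmp reading 17 bytes (the full key length) starting at a 2-byte global, because a range endpoint can point at the short sentinel instead of at a full key image. The following C program is an added illustration of that bug class and is not code from the Percona Server or MySQL source: the sentinel, the struct modelling a range endpoint, the 17-byte sample key and the function names are all constructed for this example, and the hardened variant is one reasonable shape of a fix (decide the NULL case from pointer identity before any memcmp), not the upstream commit's actual change.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the 2-byte global 'is_null_string' in opt_range.cc:
   one "this key part is NULL" flag byte plus a terminator. A range endpoint
   may reference this object instead of a full-length key buffer. */
static const unsigned char is_null_sentinel[2] = { 1, 0 };

/* Constructed 17-byte key image; 17 is the "READ of size 17" from the report. */
static const unsigned char sample_key[17] = "a0_a0_a0_a0_a0_a";

/* Hypothetical model of a range endpoint pair (not the server's SEL_ARG):
   min_value/max_value point either at a key_len-byte key or at the sentinel. */
struct range_ep {
    const unsigned char *min_value;
    const unsigned char *max_value;
    size_t key_len;
};

/* How many bytes a memcmp over key_len would read beyond the sentinel when an
   endpoint aliases it. 0 means no over-read would occur. */
size_t sentinel_overread(const struct range_ep *r) {
    bool aliases = r->min_value == is_null_sentinel ||
                   r->max_value == is_null_sentinel;
    if (!aliases || r->key_len <= sizeof is_null_sentinel)
        return 0;
    return r->key_len - sizeof is_null_sentinel;   /* 17 - 2 = 15 in the report */
}

/* Buggy shape (assumed): compare key_len bytes regardless of what the
   pointers reference. With a sentinel endpoint this is the global-buffer-
   overflow ASan flagged; it is shown for contrast and never called below. */
bool endpoints_equal_unsafe(const struct range_ep *r) {
    return memcmp(r->min_value, r->max_value, r->key_len) == 0;
}

enum range_kind { RANGE_OTHER, RANGE_IS_NULL, RANGE_EQ };

/* Hardened shape: classify the NULL case by sentinel identity first, so that
   memcmp only ever runs over two full-length key buffers. */
enum range_kind classify_range_safe(const struct range_ep *r) {
    bool min_null = r->min_value == is_null_sentinel;
    bool max_null = r->max_value == is_null_sentinel;
    if (min_null && max_null)
        return RANGE_IS_NULL;          /* IS NULL condition */
    if (min_null || max_null)
        return RANGE_OTHER;            /* mixed endpoints: never memcmp them */
    return memcmp(r->min_value, r->max_value, r->key_len) == 0
               ? RANGE_EQ : RANGE_OTHER;
}

int main(void) {
    struct range_ep null_range = { is_null_sentinel, is_null_sentinel, sizeof sample_key };
    struct range_ep eq_range   = { sample_key, sample_key, sizeof sample_key };
    printf("IS NULL range: over-read of %zu bytes if compared with key length; kind=%d\n",
           sentinel_overread(&null_range), classify_range_safe(&null_range));
    printf("equality range: over-read of %zu bytes; kind=%d\n",
           sentinel_overread(&eq_range), classify_range_safe(&eq_range));
    return 0;
}
```

Under ASan the unsafe variant reports exactly the shape seen in the log: a READ of key_len bytes located 0 bytes to the right of a size-2 global. The safe variant never passes the sentinel to memcmp, so the length argument can no longer exceed the object behind either pointer.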
Tags: asan ci upstream
Shahriyar Rzayev (rzayev-sehriyar) wrote :

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-3452
