handle_fatal_signal (sig=11) in list_delete

Bug #1532635 reported by Roel Van de Paar
This bug affects 1 person
Affects: Percona Server (moved to https://jira.percona.com/projects/PS); status tracked in 5.7
  5.5: Status Invalid, Importance Undecided, Unassigned
  5.6: Status Triaged, Importance High, Unassigned
  5.7: Status Triaged, Importance High, Unassigned

Bug Description

+bt
#0 0x00007fa7b5b8a741 in __pthread_kill (threadid=<optimized out>, signo=11) at ../nptl/sysdeps/unix/sysv/linux/pthread_kill.c:61
#1 0x000000000181182c in my_write_core (sig=11) at /git/PS-5.7_dbg/mysys/stacktrace.c:247
#2 0x0000000000e609e3 in handle_fatal_signal (sig=11) at /git/PS-5.7_dbg/sql/signal_handler.cc:223
#3 <signal handler called>
#4 0x00000000017f1a8c in list_delete (root=0x7fa6d04525d0, element=0x7fa6d0452580) at /git/PS-5.7_dbg/mysys/list.c:51
#5 0x000000000153a275 in plugin_var_memalloc_session_update (thd=0x7fa6d0419000, var=0x2b79820 <mysql_sysvar_ft_user_stopword_table>, dest=0x7fa6d04534d0, value=0x0) at /git/PS-5.7_dbg/sql/sql_plugin.cc:3235
#6 0x000000000153a90a in sys_var_pluginvar::session_update (this=0x7fa7a8faa2d8, thd=0x7fa6d0419000, var=0x7fa6d042bb18) at /git/PS-5.7_dbg/sql/sql_plugin.cc:3398
#7 0x000000000144c73d in sys_var::update (this=0x7fa7a8faa2d8, thd=0x7fa6d0419000, var=0x7fa6d042bb18) at /git/PS-5.7_dbg/sql/set_var.cc:196
#8 0x000000000144cdda in sys_var::set_default (this=0x7fa7a8faa2d8, thd=0x7fa6d0419000, var=0x7fa6d042bb18) at /git/PS-5.7_dbg/sql/set_var.cc:292
#9 0x000000000144ddba in set_var::update (this=0x7fa6d042bb18, thd=0x7fa6d0419000) at /git/PS-5.7_dbg/sql/set_var.cc:812
#10 0x000000000144d662 in sql_set_variables (thd=0x7fa6d0419000, var_list=0x7fa6d041b9a8) at /git/PS-5.7_dbg/sql/set_var.cc:669
#11 0x0000000001509c69 in mysql_execute_command (thd=0x7fa6d0419000, first_level=true) at /git/PS-5.7_dbg/sql/sql_parse.cc:3787
#12 0x000000000150f2ae in mysql_parse (thd=0x7fa6d0419000, parser_state=0x7fa7b6177500) at /git/PS-5.7_dbg/sql/sql_parse.cc:5786
#13 0x00000000015042c5 in dispatch_command (thd=0x7fa6d0419000, com_data=0x7fa7b6177c90, command=COM_QUERY) at /git/PS-5.7_dbg/sql/sql_parse.cc:1445
#14 0x00000000015031df in do_command (thd=0x7fa6d0419000) at /git/PS-5.7_dbg/sql/sql_parse.cc:1008
#15 0x000000000163aabf in handle_connection (arg=0x7fa701ff47f0) at /git/PS-5.7_dbg/sql/conn_handler/connection_handler_per_thread.cc:313
#16 0x0000000001840094 in pfs_spawn_thread (arg=0x7fa701ea8220) at /git/PS-5.7_dbg/storage/perfschema/pfs.cc:2192
#17 0x00007fa7b5b85dc5 in start_thread (arg=0x7fa7b6178700) at pthread_create.c:308
#18 0x00007fa7b3fe421d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

DROP DATABASE test;CREATE DATABASE test;USE test;
create table user_stopword(value varchar(0)) engine=innodb;
set session innodb_ft_user_stopword_table="test/user_stopword";
SET STATEMENT myisam_sort_buffer_size=0,myisam_repair_threads=0,sort_buffer_size=0,binlog_format=row,keep_files_on_create=OFF,max_join_size=0 FOR EXECUTE stmt0;
SET SESSION innodb_ft_user_stopword_table=default;

tags: added: set-statement
Laurynas Biveinis (laurynas-biveinis) wrote:

This is a 5.6 bug too (ASan build):

==23553==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000000510 at pc 0x00010d8aa06c bp 0x7000009351e0 sp 0x7000009351d8
READ of size 8 at 0x604000000510 thread T20
    #0 0x10d8aa06b in list_delete list.c:47
    #1 0x10d586b47 in plugin_var_memalloc_session_update(THD*, st_mysql_sys_var*, char**, char const*) sql_plugin.cc:3071
    #2 0x10d5867ae in sys_var_pluginvar::session_update(THD*, set_var*) sql_plugin.cc:3232
    #3 0x10d355fe9 in sys_var::update(THD*, set_var*) set_var.cc:197
    #4 0x10d356a1b in sys_var::set_default(THD*, set_var*) set_var.cc:258
    #5 0x10d3580d1 in set_var::update(THD*) set_var.cc:679
    #6 0x10d357877 in sql_set_variables(THD*, List<set_var_base>*) set_var.cc:579
    #7 0x10d5264a8 in mysql_execute_command(THD*) sql_parse.cc:4178
    #8 0x10d5203d4 in mysql_parse(THD*, char*, unsigned int, Parser_state*) sql_parse.cc:6973
    #9 0x10d51aaee in dispatch_command(enum_server_command, THD*, char*, unsigned int) sql_parse.cc:1442
    #10 0x10d51ef34 in do_command(THD*) sql_parse.cc:1054
    #11 0x10d45ac39 in do_handle_one_connection(THD*) sql_connect.cc:1541
    #12 0x10d45a79c in handle_one_connection sql_connect.cc:1444
    #13 0x10de07093 in pfs_spawn_thread pfs.cc:1860
    #14 0x7fff920ebc12 in _pthread_body (/usr/lib/system/libsystem_pthread.dylib+0x3c12)
    #15 0x7fff920ebb8f in _pthread_start (/usr/lib/system/libsystem_pthread.dylib+0x3b8f)
    #16 0x7fff920e9374 in thread_start (/usr/lib/system/libsystem_pthread.dylib+0x1374)

0x604000000510 is located 0 bytes inside of 43-byte region [0x604000000510,0x60400000053b)
freed by thread T20 here:
    #0 0x10f82fb49 in wrap_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/7.0.2/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x42b49)
    #1 0x10d8e3a09 in my_free my_malloc.c:140
    #2 0x10d5880ef in plugin_var_memalloc_free(system_variables*) sql_plugin.cc:3094
    #3 0x10d587f83 in free_system_variables(system_variables*, bool) sql_plugin.cc:4059
    #4 0x10d5242b3 in mysql_execute_command(THD*) sql_parse.cc:5554
    #5 0x10d5203d4 in mysql_parse(THD*, char*, unsigned int, Parser_state*) sql_parse.cc:6973
    #6 0x10d51aaee in dispatch_command(enum_server_command, THD*, char*, unsigned int) sql_parse.cc:1442
    #7 0x10d51ef34 in do_command(THD*) sql_parse.cc:1054
    #8 0x10d45ac39 in do_handle_one_connection(THD*) sql_connect.cc:1541
    #9 0x10d45a79c in handle_one_connection sql_connect.cc:1444
    #10 0x10de07093 in pfs_spawn_thread pfs.cc:1860
    #11 0x7fff920ebc12 in _pthread_body (/usr/lib/system/libsystem_pthread.dylib+0x3c12)
    #12 0x7fff920ebb8f in _pthread_start (/usr/lib/system/libsystem_pthread.dylib+0x3b8f)
    #13 0x7fff920e9374 in thread_start (/usr/lib/system/libsystem_pthread.dylib+0x1374)

previously allocated by thread T20 here:
    #0 0x10f82f980 in wrap_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/7.0.2/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x42980)
    #1 0x10d8e3264 in my_malloc my_malloc.c:38
    #2 0x10d5869ed in plugin_var_memalloc_session_update(THD*, st_mysql_sys_...

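The ASan report above shows the shape of the defect: the value blocks are freed through plugin_var_memalloc_free / free_system_variables while the statement-scoped variables are being restored, and the next session update still walks one of those blocks in list_delete. The example below is added here and is not Percona Server code; it models that shape with a toy copy of the mysys-style prev/next/data list and a hypothetical session_vars struct, and its statement_scope_begin/statement_scope_end functions are an assumed reconstruction of the pattern, not the actual root cause or fix. The shallow-copy variant is kept for contrast and never called; the hardened variant moves ownership of the list into the snapshot so the restore frees only what the statement itself allocated.

```c
/* Added illustration (not Percona Server code): shallow-copying a struct that
 * owns a linked list of heap values, then freeing through the copy, leaves the
 * original holding dangling nodes; the next list_delete reads freed memory. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal intrusive list modelled on the mysys LIST layout (prev/next/data). */
typedef struct list_node {
    struct list_node *prev, *next;
    void *data;
} LIST;

/* Count outstanding heap blocks so the checks below can prove nothing leaks. */
static size_t live_blocks;
static void *tracked_malloc(size_t n) { live_blocks++; return malloc(n); }
static void tracked_free(void *p) { if (p) { live_blocks--; free(p); } }
size_t live_heap_blocks(void) { return live_blocks; }

static LIST *list_add(LIST *root, LIST *element) {
    element->prev = NULL;
    element->next = root;
    if (root) root->prev = element;
    return element;
}

/* Dereferences element->prev/next: a use-after-free if element was freed. */
static LIST *list_delete(LIST *root, LIST *element) {
    if (element->prev) element->prev->next = element->next;
    else root = element->next;
    if (element->next) element->next->prev = element->prev;
    return root;
}

/* Hypothetical per-session variables: one string value plus the list of
 * blocks that own such values (stands in for dynamic_variables_allocs). */
typedef struct {
    char *stopword_table;            /* points into one list node's payload */
    LIST *dynamic_variables_allocs;  /* every block owned by this session */
} session_vars;

/* Assign a new value: allocate and register it, then unregister the old one.
 * value == NULL models "SET ... = default" for a variable whose default is NULL. */
void session_update(session_vars *v, const char *value) {
    char *old = v->stopword_table;
    if (value) {
        size_t n = strlen(value) + 1;
        LIST *node = tracked_malloc(sizeof(LIST) + n);   /* payload follows the node */
        node->data = memcpy(node + 1, value, n);
        v->dynamic_variables_allocs = list_add(v->dynamic_variables_allocs, node);
        v->stopword_table = node->data;
    } else {
        v->stopword_table = NULL;
    }
    if (old) {
        LIST *old_node = (LIST *)old - 1;               /* recover the owning node */
        v->dynamic_variables_allocs = list_delete(v->dynamic_variables_allocs, old_node);
        tracked_free(old_node);
    }
}

/* Free every block the struct owns and clear the pointers that referred to them. */
void free_all(session_vars *v) {
    LIST *n = v->dynamic_variables_allocs;
    while (n) { LIST *next = n->next; tracked_free(n); n = next; }
    v->dynamic_variables_allocs = NULL;
    v->stopword_table = NULL;
}

/* Unsafe pattern, shown for contrast and never called: the snapshot shares the
 * list with *live, so free_all(saved) frees nodes *live still references and
 * the next session_update() walks a freed node inside list_delete(). */
void shallow_scope_begin(session_vars *live, session_vars *saved) { *saved = *live; }
void shallow_scope_end(session_vars *live, session_vars *saved) {
    free_all(saved);
    (void)live;   /* live->stopword_table and live->dynamic_variables_allocs now dangle */
}

/* Hardened pattern: the snapshot takes ownership of the existing list, the
 * statement works on a fresh list, and restore frees only the statement's blocks. */
void statement_scope_begin(session_vars *live, session_vars *saved) {
    *saved = *live;
    live->dynamic_variables_allocs = NULL;
    live->stopword_table = NULL;
    if (saved->stopword_table)          /* same value, in a block the statement owns */
        session_update(live, saved->stopword_table);
}
void statement_scope_end(session_vars *live, session_vars *saved) {
    free_all(live);                     /* only the statement-scoped blocks */
    *live = *saved;                     /* original list was never touched */
}

/* Replays the report's SET sequence with the hardened scoping. Copies the value
 * visible after restore into `restored` and returns the outstanding block count. */
size_t replay_report_sequence(char *restored, size_t cap) {
    session_vars live = {0}, saved;
    session_update(&live, "test/user_stopword");    /* set session ... = "test/user_stopword" */
    statement_scope_begin(&live, &saved);           /* SET STATEMENT ... FOR EXECUTE stmt0 */
    session_update(&live, "statement-scoped-value");/* constructed change inside the statement */
    statement_scope_end(&live, &saved);
    snprintf(restored, cap, "%s", live.stopword_table ? live.stopword_table : "");
    session_update(&live, NULL);                    /* SET SESSION ... = default */
    return live_heap_blocks();                      /* 0: every block freed exactly once */
}

int main(void) {
    char buf[64];
    size_t outstanding = replay_report_sequence(buf, sizeof buf);
    printf("restored=%s outstanding_blocks=%zu\n", buf, outstanding);
    return outstanding == 0 ? 0 : 1;
}
```

Built with -fsanitize=address, calling shallow_scope_begin/shallow_scope_end in place of the hardened pair and then session_update(&live, NULL) reproduces the same heap-use-after-free report shape (read inside list_delete, block freed inside free_all); the hardened pair leaves the original list untouched by the restore, so the final default assignment deletes a live node and the block count returns to zero.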

tags: removed: qa57
tags: added: qa qa57
Shahriyar Rzayev (rzayev-sehriyar) wrote:

Percona now uses JIRA for bug reports, so this bug report has been migrated to: https://jira.percona.com/browse/PS-954
