field-t deletes Fake_TABLE objects through base TABLE pointer w/o virtual dtor

Bug #1677130 reported by Laurynas Biveinis on 2017-03-29
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| MySQL Server | Unknown | Unknown | | |
| Percona Server moved to https://jira.percona.com/projects/PS | Status tracked in 5.7 | | | |
| 5.5 | Invalid | Undecided | Unassigned | |
| 5.6 | Fix Released | Low | Laurynas Biveinis | |
| 5.7 | Fix Released | Low | Laurynas Biveinis | |

Bug Description

Copy of https://bugs.mysql.com/bug.php?id=85678:

[29 Mar 6:50] Laurynas Biveinis
Description:
On Yakkety, running field-t unit test with ASan gives

./merge_large_tests

# Run 21 FieldTest.CopyFieldSet
=================================================================
==358==ERROR: AddressSanitizer: new-delete-type-mismatch on 0x61f00000ee80 in thread T0:
  object passed to delete has wrong type:
  size of the allocated type: 3400 bytes;
  size of the deallocated type: 2272 bytes.
    #0 0x7f5d7c171bf0 in operator delete(void*, unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc8bf0)
    #1 0x562bac66f6c4 in field_unittests::FieldTest_CopyFieldSet_Test::TestBody() /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/unittest/gunit/field-t.cc:403
    #2 0x562bad87d41d in void testing::internal::HandleSehExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2402
    #3 0x562bad87d41d in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2438
    #4 0x562bad85ffdd in testing::Test::Run() /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2475
    #5 0x562bad860367 in testing::TestInfo::Run() /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2656
    #6 0x562bad86069c in testing::TestCase::Run() /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2774
    #7 0x562bad8621f3 in testing::internal::UnitTestImpl::RunAllTests() /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:4649
    #8 0x562bad862b71 in bool testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2402
    #9 0x562bad862b71 in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2438
    #10 0x562bad862b71 in testing::UnitTest::Run() /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:4257
    #11 0x562bac5cda68 in RUN_ALL_TESTS() /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/include/gtest/gtest.h:2233
    #12 0x562bac5cda68 in main /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/unittest/gunit/gunit_test_main_server.cc:72
    #13 0x7f5d79f243f0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x203f0)
    #14 0x562bac5d4c39 in _start (/mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/build/unittest/gunit/merge_large_tests-t+0x4d6c39)

0x61f00000ee80 is located 0 bytes inside of 3400-byte region [0x61f00000ee80,0x61f00000fbc8)
allocated by thread T0 here:
    #0 0x7f5d7c170ef0 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc7ef0)
    #1 0x562bac66aa3a in field_unittests::FieldTest::create_field_set(st_typelib*) /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/unittest/gunit/field-t.cc:372
    #2 0x562bac66f2b0 in field_unittests::FieldTest_CopyFieldSet_Test::TestBody() /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/unittest/gunit/field-t.cc:386
    #3 0x562bad87d41d in void testing::internal::HandleSehExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2402
    #4 0x562bad87d41d in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2438
    #5 0x562bad85ffdd in testing::Test::Run() /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2475
    #6 0x562bad860367 in testing::TestInfo::Run() /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2656
    #7 0x562bad86069c in testing::TestCase::Run() /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2774
    #8 0x562bad8621f3 in testing::internal::UnitTestImpl::RunAllTests() /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:4649
    #9 0x562bad862b71 in bool testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2402
    #10 0x562bad862b71 in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2438
    #11 0x562bad862b71 in testing::UnitTest::Run() /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:4257
    #12 0x562bac5cda68 in RUN_ALL_TESTS() /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/include/gtest/gtest.h:2233
    #13 0x562bac5cda68 in main /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/unittest/gunit/gunit_test_main_server.cc:72
    #14 0x7f5d79f243f0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x203f0)

SUMMARY: AddressSanitizer: new-delete-type-mismatch (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc8bf0) in operator delete(void*, unsigned long)
==358==HINT: if you don't care about these errors you may set ASAN_OPTIONS=new_delete_type_mismatch=0
==358==ABORTING

How to repeat:
-DWITH_ASAN_ON, unittest/gunit/merge_large_tests-t

Suggested fix:
This is caused by Field::table, which is of type TABLE *, being initialized with "new Fake_TABLE", and then deleted. But struct TABLE does not have a virtual destructor, thus deleting Fake_TABLE object through a TABLE pointer is undefined.

This could be fixed either by declaring a virtual destructor in struct TABLE (and losing its POD'ness, thus quite undesirable), or by casting the delete arg to Fake_TABLE * in the unit test.
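
The two fixes suggested above, as an added C++ example that is not code from MySQL or Percona Server. `Table`, `FakeTable`, `VirtualTable` and the helper functions are constructed stand-ins for `TABLE` and `Fake_TABLE`; the example shows the cast-based delete running the derived destructor and the POD property that a virtual destructor would remove.

```cpp
#include <cstdio>
#include <type_traits>

// Constructed stand-ins for the server's TABLE and the unit test's Fake_TABLE.
struct Table { int fields; char record[64]; };   // plain struct, no virtual dtor
struct FakeTable : Table {
  static int destroyed;
  char extra[128];
  ~FakeTable() { ++destroyed; }
};
int FakeTable::destroyed = 0;

// Option 1 from the report: a virtual destructor in the base costs POD-ness.
struct VirtualTable { int fields; char record[64]; virtual ~VirtualTable() {} };

template <class T> constexpr bool is_pod_like() {
  return std::is_trivial<T>::value && std::is_standard_layout<T>::value;
}

// Option 2: delete through the dynamic type. The static_assert rejects
// unrelated types; the caller must know the object really is a Dynamic.
template <class Dynamic, class Static> void delete_as(Static *p) {
  static_assert(std::is_base_of<Static, Dynamic>::value, "Dynamic must derive from Static");
  delete static_cast<Dynamic *>(p);
}

// Guard for generic code: `delete p` through T* is only well defined for a
// derived object when T has a virtual destructor.
template <class T> void delete_polymorphic(T *p) {
  static_assert(std::has_virtual_destructor<T>::value, "base lacks a virtual destructor");
  delete p;
}

// Allocates as the unit test does (derived object held in a base pointer) and
// releases it with the cast; returns how many FakeTable destructors ran.
int release_with_cast() {
  FakeTable::destroyed = 0;
  Table *table = new FakeTable();   // like Field::table = new Fake_TABLE
  // `delete table;` here would be undefined: with sized deallocation it hands
  // sizeof(Table) to operator delete for a block of sizeof(FakeTable) bytes.
  delete_as<FakeTable>(table);
  return FakeTable::destroyed;
}

int main() {
  std::printf("sizeof(Table)=%zu sizeof(FakeTable)=%zu dtor runs=%d\n",
              sizeof(Table), sizeof(FakeTable), release_with_cast());
  delete_polymorphic(new VirtualTable());   // compiles; a Table* would not
}
```

Passing a `Table *` to `delete_polymorphic` fails at compile time, which is the check that would have caught the pattern ASan reported at run time.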

tags: added: asan ci upstream

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-2253
