==822389== ERROR: AddressSanitizer: heap-use-after-free on address 0x601a0000b300 at pc 0x193f58e bp 0x7f37cd573510 sp 0x7f37cd573508
READ of size 4 at 0x601a0000b300 thread T24
#0 0x193f58d in ZN12RDBSE_KEYDEFC1ERKS /data/users/maykov/mysql/5.6/storage/rocksdb/rdb_datadic.cc:121 #1 0x1943bf6 in ZN17Table_ddl_manager4findEj /data/users/maykov/mysql/5.6/storage/rocksdb/rdb_datadic.cc:1322 #2 0x192173d in _Z23compute_optimizer_statsv /data/users/maykov/mysql/5.6/storage/rocksdb/ha_rocksdb.cc:4820 #3 0x19245bb in _Z17background_threadPv /data/users/maykov/mysql/5.6/storage/rocksdb/ha_rocksdb.cc:5289 #4 0x7f37ea58f1e8 in _ZN6__asan10AsanThread11ThreadStartEv ??:0 #5 0x7f37e9f09fa7 in start_thread ??:0 #6 0x7f37e828d5bc in __clone /home/engshare/third-party2/glibc/2.17/src/glibc-2.17/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:113
0x601a0000b300 is located 0 bytes inside of 136-byte region [0x601a0000b300,0x601a0000b388)
freed by thread T0 here:
#0 0x7f37ea58613a in _ZdlPv ??:0 #1 0x193faaa in ~RDBSE_TABLE_DEF /data/users/maykov/mysql/5.6/storage/rocksdb/rdb_datadic.h:470 #2 0x113d78b in my_hash_free_elements /data/users/maykov/mysql/5.6/mysys/hash.c:134 #3 0x1944a26 in _ZN17Table_ddl_manager7cleanupEv /data/users/maykov/mysql/5.6/storage/rocksdb/rdb_datadic.cc:1477 #4 0x190adfc in _ZL17rocksdb_done_funcPv /data/users/maykov/mysql/5.6/storage/rocksdb/ha_rocksdb.cc:1722 #5 0x615fdb in _Z22ha_finalize_handlertonP13st_plugin_int /data/users/maykov/mysql/5.6/sql/handler.cc:627 #6 0xaeda2d in plugin_deinitialize /data/users/maykov/mysql/5.6/sql/sql_plugin.cc:944 #7 0xaf2364 in _Z15plugin_shutdownv /data/users/maykov/mysql/5.6/sql/sql_plugin.cc:1725 #8 0x5ea8a7 in _ZL8clean_upb.part.181 /data/users/maykov/mysql/5.6/sql/mysqld.cc:2031 #9 0x5ef3d9 in clean_up /data/users/maykov/mysql/5.6/sql/mysqld.cc:1903 #10 0x5f0f09 in _ZL22init_server_componentsv /data/users/maykov/mysql/5.6/sql/mysqld.cc:5497 #11 0x5f9986 in _Z11mysqld_mainiPPc /data/users/maykov/mysql/5.6/sql/mysqld.cc:6246 #12 0x7f37e81abefe in __libc_start_main ??:0 #13 0x5d98e8 in _start /home/engshare/third-party2/glibc/2.17/src/glibc-2.17/csu/../sysdeps/x86_64/start.S:123
previously allocated by thread T0 here:
#0 0x7f37ea585f7a in _Znwm ??:0 #1 0x194ad04 in _ZN17Table_ddl_manager4initEP12Dict_managerP21Column_family_manager /data/users/maykov/mysql/5.6/storage/rocksdb/rdb_datadic.cc:1275 #2 0x191e0e4 in _ZL17rocksdb_init_funcPv /data/users/maykov/mysql/5.6/storage/rocksdb/ha_rocksdb.cc:1660 #3 0x6161a9 in _Z24ha_initialize_handlertonP13st_plugin_int /data/users/maykov/mysql/5.6/sql/handler.cc:673 #4 0xade8ac in _ZL17plugin_initializeP13st_plugin_int /data/users/maykov/mysql/5.6/sql/sql_plugin.cc:1137 #5 0xaf599b in _Z11plugin_initPiPPci /data/users/maykov/mysql/5.6/sql/sql_plugin.cc:1431 #6 0x5efec1 in _ZL22init_server_componentsv /data/users/maykov/mysql/5.6/sql/mysqld.cc:5474 #7 0x5f9986 in _Z11mysqld_mainiPPc /data/users/maykov/mysql/5.6/sql/mysqld.cc:6246 #8 0x7f37e81abefe in __libc_start_main ??:0 #9 0x5d98e8 in _start /home/engshare/third-party2/glibc/2.17/src/glibc-2.17/csu/../sysdeps/x86_64/start.S:123
Thread T24 created by T0 here:
#0 0x7f37ea57f21b in pthread_create _asan_rtl #1 0x191e14c in inline_mysql_thread_create /data/users/maykov/mysql/5.6/include/mysql/psi/mysql_thread.h:1252 #2 0x6161a9 in _Z24ha_initialize_handlertonP13st_plugin_int /data/users/maykov/mysql/5.6/sql/handler.cc:673 #3 0xade8ac in _ZL17plugin_initializeP13st_plugin_int /data/users/maykov/mysql/5.6/sql/sql_plugin.cc:1137 #4 0xaf599b in _Z11plugin_initPiPPci /data/users/maykov/mysql/5.6/sql/sql_plugin.cc:1431 #5 0x5efec1 in _ZL22init_server_componentsv /data/users/maykov/mysql/5.6/sql/mysqld.cc:5474 #6 0x5f9986 in _Z11mysqld_mainiPPc /data/users/maykov/mysql/5.6/sql/mysqld.cc:6246 #7 0x7f37e81abefe in __libc_start_main ??:0 #8 0x5d98e8 in _start /home/engshare/third-party2/glibc/2.17/src/glibc-2.17/csu/../sysdeps/x86_64/start.S:123
Shadow bytes around the buggy address:
0x0c03bfff9610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c03bfff9620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c03bfff9630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c03bfff9640: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
0x0c03bfff9650: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
=>0x0c03bfff9660:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c03bfff9670: fd fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
0x0c03bfff9680: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x0c03bfff9690: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c03bfff96a0: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fd fd
0x0c03bfff96b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==822389== ABORTING
Summary:
As I discovered using ASAN and perfschema.bad_option_4 test, in case when mysqld aborts, the rocksdb_done function is called before the background_thread had a chance to start. The background_thread accesses data which has been deleted by the done function. This diff provides a more correct check for whether the background function should be aborted.
#61
Test Plan: ran perfschema.bad_option_4 test in perfschema, asan configuration, it passed
Reviewers: yoshinorim, hermanlee4
Reviewed By: hermanlee4
Differential Revision: https://reviews.facebook.net/D37797
Summary:
As I discovered using ASAN and perfschema.bad_option_4 test, in case when mysqld aborts, the rocksdb_done function is called before the background_thread had a chance to start. The background_thread accesses data which has been deleted by the done function. This diff provides a more correct check for whether the background function should be aborted.
#61
Test Plan: ran perfschema.bad_option_4 test in perfschema, asan configuration, it passed
Reviewers: yoshinorim, hermanlee4
Reviewed By: hermanlee4
Differential Revision: https://reviews.facebook.net/D37797
Summary:
As I discovered using ASAN and perfschema.bad_option_4 test, in case when mysqld aborts, the rocksdb_done function is called before the background_thread had a chance to start. The background_thread accesses data which has been deleted by the done function. This diff provides a more correct check for whether the background function should be aborted.
MySQLOnRocksDB#61
Test Plan: ran perfschema.bad_option_4 test in perfschema, asan configuration, it passed
Reviewers: yoshinorim, hermanlee4
Reviewed By: hermanlee4
Differential Revision: https://reviews.facebook.net/D37797
==822389== ERROR: AddressSanitizer: heap-use-after-free on address 0x601a0000b300 at pc 0x193f58e bp 0x7f37cd573510 sp 0x7f37cd573508
READ of size 4 at 0x601a0000b300 thread T24
#0 0x193f58d in ZN12RDBSE_KEYDEFC1ERKS /data/users/maykov/mysql/5.6/storage/rocksdb/rdb_datadic.cc:121
#1 0x1943bf6 in ZN17Table_ddl_manager4findEj /data/users/maykov/mysql/5.6/storage/rocksdb/rdb_datadic.cc:1322
#2 0x192173d in _Z23compute_optimizer_statsv /data/users/maykov/mysql/5.6/storage/rocksdb/ha_rocksdb.cc:4820
#3 0x19245bb in _Z17background_threadPv /data/users/maykov/mysql/5.6/storage/rocksdb/ha_rocksdb.cc:5289
#4 0x7f37ea58f1e8 in _ZN6__asan10AsanThread11ThreadStartEv ??:0
#5 0x7f37e9f09fa7 in start_thread ??:0
#6 0x7f37e828d5bc in __clone /home/engshare/third-party2/glibc/2.17/src/glibc-2.17/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:113
0x601a0000b300 is located 0 bytes inside of 136-byte region [0x601a0000b300,0x601a0000b388)
freed by thread T0 here:
#0 0x7f37ea58613a in _ZdlPv ??:0
#1 0x193faaa in ~RDBSE_TABLE_DEF /data/users/maykov/mysql/5.6/storage/rocksdb/rdb_datadic.h:470
#2 0x113d78b in my_hash_free_elements /data/users/maykov/mysql/5.6/mysys/hash.c:134
#3 0x1944a26 in _ZN17Table_ddl_manager7cleanupEv /data/users/maykov/mysql/5.6/storage/rocksdb/rdb_datadic.cc:1477
#4 0x190adfc in _ZL17rocksdb_done_funcPv /data/users/maykov/mysql/5.6/storage/rocksdb/ha_rocksdb.cc:1722
#5 0x615fdb in _Z22ha_finalize_handlertonP13st_plugin_int /data/users/maykov/mysql/5.6/sql/handler.cc:627
#6 0xaeda2d in plugin_deinitialize /data/users/maykov/mysql/5.6/sql/sql_plugin.cc:944
#7 0xaf2364 in _Z15plugin_shutdownv /data/users/maykov/mysql/5.6/sql/sql_plugin.cc:1725
#8 0x5ea8a7 in _ZL8clean_upb.part.181 /data/users/maykov/mysql/5.6/sql/mysqld.cc:2031
#9 0x5ef3d9 in clean_up /data/users/maykov/mysql/5.6/sql/mysqld.cc:1903
#10 0x5f0f09 in _ZL22init_server_componentsv /data/users/maykov/mysql/5.6/sql/mysqld.cc:5497
#11 0x5f9986 in _Z11mysqld_mainiPPc /data/users/maykov/mysql/5.6/sql/mysqld.cc:6246
#12 0x7f37e81abefe in __libc_start_main ??:0
#13 0x5d98e8 in _start /home/engshare/third-party2/glibc/2.17/src/glibc-2.17/csu/../sysdeps/x86_64/start.S:123
previously allocated by thread T0 here:
#0 0x7f37ea585f7a in _Znwm ??:0
#1 0x194ad04 in _ZN17Table_ddl_manager4initEP12Dict_managerP21Column_family_manager /data/users/maykov/mysql/5.6/storage/rocksdb/rdb_datadic.cc:1275
#2 0x191e0e4 in _ZL17rocksdb_init_funcPv /data/users/maykov/mysql/5.6/storage/rocksdb/ha_rocksdb.cc:1660
#3 0x6161a9 in _Z24ha_initialize_handlertonP13st_plugin_int /data/users/maykov/mysql/5.6/sql/handler.cc:673
#4 0xade8ac in _ZL17plugin_initializeP13st_plugin_int /data/users/maykov/mysql/5.6/sql/sql_plugin.cc:1137
#5 0xaf599b in _Z11plugin_initPiPPci /data/users/maykov/mysql/5.6/sql/sql_plugin.cc:1431
#6 0x5efec1 in _ZL22init_server_componentsv /data/users/maykov/mysql/5.6/sql/mysqld.cc:5474
#7 0x5f9986 in _Z11mysqld_mainiPPc /data/users/maykov/mysql/5.6/sql/mysqld.cc:6246
#8 0x7f37e81abefe in __libc_start_main ??:0
#9 0x5d98e8 in _start /home/engshare/third-party2/glibc/2.17/src/glibc-2.17/csu/../sysdeps/x86_64/start.S:123
Thread T24 created by T0 here:
#0 0x7f37ea57f21b in pthread_create _asan_rtl
#1 0x191e14c in inline_mysql_thread_create /data/users/maykov/mysql/5.6/include/mysql/psi/mysql_thread.h:1252
#2 0x6161a9 in _Z24ha_initialize_handlertonP13st_plugin_int /data/users/maykov/mysql/5.6/sql/handler.cc:673
#3 0xade8ac in _ZL17plugin_initializeP13st_plugin_int /data/users/maykov/mysql/5.6/sql/sql_plugin.cc:1137
#4 0xaf599b in _Z11plugin_initPiPPci /data/users/maykov/mysql/5.6/sql/sql_plugin.cc:1431
#5 0x5efec1 in _ZL22init_server_componentsv /data/users/maykov/mysql/5.6/sql/mysqld.cc:5474
#6 0x5f9986 in _Z11mysqld_mainiPPc /data/users/maykov/mysql/5.6/sql/mysqld.cc:6246
#7 0x7f37e81abefe in __libc_start_main ??:0
#8 0x5d98e8 in _start /home/engshare/third-party2/glibc/2.17/src/glibc-2.17/csu/../sysdeps/x86_64/start.S:123
Shadow bytes around the buggy address:
0x0c03bfff9610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c03bfff9620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c03bfff9630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c03bfff9640: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
0x0c03bfff9650: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
=>0x0c03bfff9660:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c03bfff9670: fd fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
0x0c03bfff9680: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x0c03bfff9690: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c03bfff96a0: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fd fd
0x0c03bfff96b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==822389== ABORTING