Bug #85678 field-t deletes Fake_TABLE objects through base TABLE pointer w/o virtual dtor
Submitted: 29 Mar 2017 6:50 Modified: 8 Apr 2017 14:38
Reporter: Laurynas Biveinis (OCA) Email Updates:
Status: Closed Impact on me: None
Category:Tests: Server Severity:S3 (Non-critical)
Version:5.6+ OS:Any
Assigned to: CPU Architecture:Any
Tags: asan, undefined behavior, unit tests

[29 Mar 2017 6:50] Laurynas Biveinis
Description:
On Yakkety, running the field-t unit test with ASan gives

./merge_large_tests

# Run 21 FieldTest.CopyFieldSet
=================================================================
==358==ERROR: AddressSanitizer: new-delete-type-mismatch on 0x61f00000ee80 in thread T0:
  object passed to delete has wrong type:
  size of the allocated type:   3400 bytes;
  size of the deallocated type: 2272 bytes.
    #0 0x7f5d7c171bf0 in operator delete(void*, unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc8bf0)
    #1 0x562bac66f6c4 in field_unittests::FieldTest_CopyFieldSet_Test::TestBody() /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/unittest/gunit/field-t.cc:403
    #2 0x562bad87d41d in void testing::internal::HandleSehExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2402
    #3 0x562bad87d41d in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2438
    #4 0x562bad85ffdd in testing::Test::Run() /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2475
    #5 0x562bad860367 in testing::TestInfo::Run() /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2656
    #6 0x562bad86069c in testing::TestCase::Run() /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2774
    #7 0x562bad8621f3 in testing::internal::UnitTestImpl::RunAllTests() /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:4649
    #8 0x562bad862b71 in bool testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2402
    #9 0x562bad862b71 in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2438
    #10 0x562bad862b71 in testing::UnitTest::Run() /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:4257
    #11 0x562bac5cda68 in RUN_ALL_TESTS() /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/include/gtest/gtest.h:2233
    #12 0x562bac5cda68 in main /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/unittest/gunit/gunit_test_main_server.cc:72
    #13 0x7f5d79f243f0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x203f0)
    #14 0x562bac5d4c39 in _start (/mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/build/unittest/gunit/merge_large_tests-t+0x4d6c39)

0x61f00000ee80 is located 0 bytes inside of 3400-byte region [0x61f00000ee80,0x61f00000fbc8)
allocated by thread T0 here:
    #0 0x7f5d7c170ef0 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc7ef0)
    #1 0x562bac66aa3a in field_unittests::FieldTest::create_field_set(st_typelib*) /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/unittest/gunit/field-t.cc:372
    #2 0x562bac66f2b0 in field_unittests::FieldTest_CopyFieldSet_Test::TestBody() /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/unittest/gunit/field-t.cc:386
    #3 0x562bad87d41d in void testing::internal::HandleSehExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2402
    #4 0x562bad87d41d in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2438
    #5 0x562bad85ffdd in testing::Test::Run() /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2475
    #6 0x562bad860367 in testing::TestInfo::Run() /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2656
    #7 0x562bad86069c in testing::TestCase::Run() /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2774
    #8 0x562bad8621f3 in testing::internal::UnitTestImpl::RunAllTests() /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:4649
    #9 0x562bad862b71 in bool testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2402
    #10 0x562bad862b71 in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2438
    #11 0x562bad862b71 in testing::UnitTest::Run() /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:4257
    #12 0x562bac5cda68 in RUN_ALL_TESTS() /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/source_downloads/googletest-release-1.8.0/googletest/include/gtest/gtest.h:2233
    #13 0x562bac5cda68 in main /mnt/workspace/percona-server-5.6-asan-param/BUILD_TYPE/release-asan/Host/yakkety-64-bigram/unittest/gunit/gunit_test_main_server.cc:72
    #14 0x7f5d79f243f0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x203f0)

SUMMARY: AddressSanitizer: new-delete-type-mismatch (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc8bf0) in operator delete(void*, unsigned long)
==358==HINT: if you don't care about these errors you may set ASAN_OPTIONS=new_delete_type_mismatch=0
==358==ABORTING

How to repeat:
-DWITH_ASAN_ON, unittest/gunit/merge_large_tests-t

Suggested fix:
This is caused by Field::table, which is of type TABLE *, being initialized with "new Fake_TABLE", and then deleted. But struct TABLE does not have a virtual destructor, thus deleting a Fake_TABLE object through a TABLE pointer is undefined.

This could be fixed either by declaring a virtual destructor in struct TABLE (and losing its POD'ness, thus quite undesirable), or by casting the delete argument to Fake_TABLE * in the unit test.
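The pattern behind this report, and the two fixes the reporter weighs, as an added stand-alone example (not code from the MySQL source or from the reporter's patch). `Table`, `FakeTable`, `FieldLike`, `PolyTable` and `PolyFakeTable` are hypothetical stand-ins for TABLE, Fake_TABLE, Field and a virtual-destructor variant of TABLE; the member layouts are invented only so that the derived type is larger than the base, which is what makes ASan report two different sizes. The undefined `delete` through the base pointer is shown in a comment rather than executed.

```cpp
// Added example, not MySQL code. Demonstrates why `delete` of a derived
// object through a non-polymorphic base pointer is undefined, and the two
// fixes discussed in the report: cast back to the dynamic type (what the
// unit-test patch does) or give the base a virtual destructor (rejected
// because it costs struct TABLE its POD-ness).
#include <cassert>
#include <cstdio>
#include <type_traits>
#include <vector>

// Counts FakeTable/PolyFakeTable destructors that actually ran, so a test
// can tell whether a delete destroyed the whole object or only the base part.
static int g_fake_table_dtors = 0;

// Hypothetical stand-in for struct TABLE: a plain aggregate, no virtual
// functions, trivially destructible.
struct Table {
  int field_count;
  char pad[64];
};

// Hypothetical stand-in for Fake_TABLE: larger than the base and owning a
// resource that must be released. With sized deallocation, `delete (Table*)p`
// passes sizeof(Table) to operator delete(void*, size_t) although the block
// was allocated with sizeof(FakeTable); that is the new-delete-type-mismatch
// ASan reports. The derived destructor is also never run.
struct FakeTable : Table {
  std::vector<int> fake_fields;
  char more_pad[128];
  FakeTable() : Table{}, fake_fields(8, 0), more_pad{} {}
  ~FakeTable() { ++g_fake_table_dtors; }
};

static_assert(!std::has_virtual_destructor<Table>::value,
              "Table is deliberately non-polymorphic, like struct TABLE");
static_assert(sizeof(FakeTable) > sizeof(Table),
              "derived must be larger for the size mismatch to show");

// Stand-in for the Field::table member: a base pointer that the test
// assigns a `new FakeTable`.
struct FieldLike {
  Table *table = nullptr;
};

// The bug as it appeared in field-t.cc, shown but not executed:
//   FieldLike f; f.table = new FakeTable;
//   delete f.table;   // UB: static type Table, dynamic type FakeTable,
//                     // no virtual destructor ([expr.delete])

// Fix 1, the reporter's suggestion for the unit test: cast back to the
// dynamic type before deleting. Sound only because the caller guarantees
// that `table` really points at a FakeTable.
void release_fake_table(FieldLike &f) {
  delete static_cast<FakeTable *>(f.table);
  f.table = nullptr;
}

// Fix 2, rejected in the report: a virtual destructor in the base makes
// delete through the base pointer well defined, at the cost of the base no
// longer being a POD type.
struct PolyTable {
  virtual ~PolyTable() = default;
  int field_count = 0;
};
struct PolyFakeTable : PolyTable {
  std::vector<int> fake_fields;
  PolyFakeTable() : fake_fields(8, 0) {}
  ~PolyFakeTable() override { ++g_fake_table_dtors; }
};

// Number of derived destructors run for one object released via Fix 1.
int dtors_run_with_cast_fix() {
  int before = g_fake_table_dtors;
  FieldLike f;
  f.table = new FakeTable;
  release_fake_table(f);
  return g_fake_table_dtors - before;
}

// Same check for Fix 2: deleting through the base pointer now reaches the
// derived destructor.
int dtors_run_with_virtual_fix() {
  int before = g_fake_table_dtors;
  PolyTable *t = new PolyFakeTable;
  delete t;  // well defined: PolyTable has a virtual destructor
  return g_fake_table_dtors - before;
}

// What Fix 2 gives up: the plain base stays standard-layout and trivially
// destructible, the polymorphic one is neither.
bool plain_base_is_pod_like() {
  return std::is_standard_layout<Table>::value &&
         std::is_trivially_destructible<Table>::value;
}
bool poly_base_is_pod_like() {
  return std::is_standard_layout<PolyTable>::value &&
         std::is_trivially_destructible<PolyTable>::value;
}

int main() {
  std::printf("cast fix ran %d derived dtor(s)\n", dtors_run_with_cast_fix());
  std::printf("virtual fix ran %d derived dtor(s)\n", dtors_run_with_virtual_fix());
  std::printf("plain base POD-like: %d, polymorphic base POD-like: %d\n",
              plain_base_is_pod_like(), poly_base_is_pod_like());
  return 0;
}
```

Build it with `-fsanitize=address` and uncomment the `delete f.table;` line to reproduce the same new-delete-type-mismatch report as in the description; the cast in `release_fake_table` is exactly the shape of fix the report proposes for field-t.cc, and it stays correct only for as long as every object stored in `table` really is a FakeTable.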
[30 Mar 2017 5:07] MySQL Verification Team
Hello Laurynas,

Thank you for the report and feedback.
Verified as described.

Thanks,
Umesh
[30 Mar 2017 5:07] MySQL Verification Team
I'm not sure whether Bug #85671 fixed this issue as well, which was seen while verifying Bug #85671.
[31 Mar 2017 9:21] Laurynas Biveinis
Bug 85678 fix for 5.6.35 / 5.7.17 / 8.0.0

(*) I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.

Contribution: bug85678-5.6.patch (application/octet-stream, text), 1.36 KiB.

[3 Apr 2017 11:33] Tor Didriksen
Posted by developer:
 
Fixed by the patch for:
    Bug#25795538 SEGFAULT-T FAILING UNDER RECENT ADDRESSSANITIZER
[8 Apr 2017 14:38] Paul DuBois
Posted by developer:
 
Noted in 5.6.37, 5.7.19, 8.0.2 changelogs.

The field-t unit test failed to run with AddressSanitizer enabled.
Thanks to Laurynas Biveinis for the patch.