Bug #79402 slave connecting may cause heap-use-after-free on rpl_multi_source_slave_files
Submitted: 25 Nov 2015 5:42    Modified: 24 May 2017 9:54
Reporter: Laurynas Biveinis (OCA)
Status: Closed
Category: MySQL Server: Replication    Severity: S2 (Serious)
Version: 5.7.9    OS: Any
Assigned to:    CPU Architecture: Any
Tags: asan

[25 Nov 2015 5:42] Laurynas Biveinis
Description:
Under ASan, rpl.rpl_multi_source_slave_files fails with the following once in a while:

ERROR: AddressSanitizer: heap-use-after-free on address 0x6080005c7ac0 at pc 0x00010a6689cd bp 0x700000bcc720 sp 0x700000bcbed8
READ of size 56 at 0x6080005c7ac0 thread T402
    #0 0x10a6689cc in wrap_strlen (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/7.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x3d9cc)
    #1 0x106f52feb in my_strdup my_malloc.c:308
    #2 0x106d3f7eb in mysql_options client.c:5371
    #3 0x106ebe582 in connect_to_master(THD*, st_mysql*, Master_info*, bool, bool) rpl_slave.cc:8481
    #4 0x106ea9a4b in safe_connect(THD*, st_mysql*, Master_info*) rpl_slave.cc:8397
    #5 0x106e9cb81 in handle_slave_io rpl_slave.cc:5375
    #6 0x10765f7d0 in pfs_spawn_thread pfs.cc:2192
    #7 0x7fff8f6739b0 in _pthread_body (/usr/lib/system/libsystem_pthread.dylib+0x39b0)
    #8 0x7fff8f67392d in _pthread_start (/usr/lib/system/libsystem_pthread.dylib+0x392d)
    #9 0x7fff8f671384 in thread_start (/usr/lib/system/libsystem_pthread.dylib+0x1384)

0x6080005c7ac0 is located 32 bytes inside of 88-byte region [0x6080005c7aa0,0x6080005c7af8)
freed by thread T399 here:
    #0 0x10a66e799 in wrap_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/7.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x43799)
    #1 0x106f52ef9 in my_raw_free my_malloc.c:290
    #2 0x106d479df in mysql_close_free_options client.c:4878
    #3 0x106d47e90 in mysql_close client.c:5035
    #4 0x106e9cdbb in handle_slave_io rpl_slave.cc:5739
    #5 0x10765f7d0 in pfs_spawn_thread pfs.cc:2192
    #6 0x7fff8f6739b0 in _pthread_body (/usr/lib/system/libsystem_pthread.dylib+0x39b0)
    #7 0x7fff8f67392d in _pthread_start (/usr/lib/system/libsystem_pthread.dylib+0x392d)
    #8 0x7fff8f671384 in thread_start (/usr/lib/system/libsystem_pthread.dylib+0x1384)

How to repeat:
cmake -DBUILD_CONFIG=mysql_release -DWITH_DEBUG=ON -DWITH_ASAN=ON ...
...
./mtr --debug-server rpl_multi_source_slave_files --parallel=7 --repeat=30

Increase --parallel --repeat if necessary
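The two stacks above have the usual shape of a cross-thread lifetime bug: the READ happens in my_strdup() called from mysql_options() while one slave IO thread is in connect_to_master(), and the region was freed by mysql_close_free_options() from mysql_close() on a different slave IO thread. The added example below is not code from this report or from MySQL and does not claim to be the actual root cause; it is a minimal model of that shape, assumed for illustration, with hypothetical names (settings, conn, conn_open, conn_open_from_other). It contrasts a handle that copies its option string from memory owned by another handle (which that handle's close path may free at any time) with a handle that copies from a shared object under a lock, and stress-tests the fixed variant with two threads while a writer keeps freeing and replacing the shared string. The buggy variant is shown for contrast and is not executed.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical shared connection settings (stand-in for per-channel state).
   Readers copy what they need while holding the lock. */
struct settings {
    pthread_mutex_t lock;
    char *host;
};

/* Hypothetical per-connection handle, playing the role of the MYSQL* whose
   option strings mysql_options() strdup()s and mysql_close() frees. */
struct conn {
    char *host;   /* owned copy, released only by conn_close() */
};

/* BUGGY shape (contrast only, never called here): the handle is set up from a
   string owned by ANOTHER handle. Nothing ties src->host's lifetime to this
   call, so if src's thread closes src first, strdup() reads freed memory: an
   ASan report would show the READ stack here and the "freed by" stack in
   conn_close() on the other thread. */
int conn_open_from_other(struct conn *c, const struct conn *src) {
    c->host = strdup(src->host);
    return c->host != NULL;
}

/* FIXED shape: copy from a source whose lifetime covers the whole read (the
   shared settings, under its lock). Other handles closing cannot invalidate
   the bytes being copied, and the handle owns the result outright. */
static int conn_open(struct conn *c, struct settings *s) {
    pthread_mutex_lock(&s->lock);
    c->host = strdup(s->host);
    pthread_mutex_unlock(&s->lock);
    return c->host != NULL;
}

static void conn_close(struct conn *c) {
    free(c->host);
    c->host = NULL;
}

/* Writer: frees and replaces the shared string, but only under the lock. */
static void settings_set_host(struct settings *s, const char *host) {
    pthread_mutex_lock(&s->lock);
    free(s->host);
    s->host = strdup(host);
    pthread_mutex_unlock(&s->lock);
}

#define ITER 2000
struct worker { struct settings *s; int ok; };

/* Each thread opens and closes its own handle repeatedly, like the two IO
   threads in the report. Only the two constructed host names below are ever
   stored, so any other content would mean a torn or dangling copy. */
static void *worker_main(void *p) {
    struct worker *w = p;
    for (int i = 0; i < ITER; i++) {
        struct conn c = { NULL };
        if (!conn_open(&c, w->s)) break;
        if (strcmp(c.host, "master-a.test") == 0 || strcmp(c.host, "master-b.test") == 0)
            w->ok++;
        conn_close(&c);   /* frees only this handle's own copy */
    }
    return NULL;
}

/* Two connection threads race against a writer that keeps freeing and
   replacing the shared host string. Returns the number of iterations that
   saw an intact, self-owned copy; expected value is 2 * ITER. */
int run_owned_copy_test(void) {
    struct settings s;
    pthread_mutex_init(&s.lock, NULL);
    s.host = strdup("master-a.test");   /* constructed sample value */
    struct worker w1 = { &s, 0 }, w2 = { &s, 0 };
    pthread_t t1, t2;
    pthread_create(&t1, NULL, worker_main, &w1);
    pthread_create(&t2, NULL, worker_main, &w2);
    for (int i = 0; i < ITER; i++)
        settings_set_host(&s, (i & 1) ? "master-b.test" : "master-a.test");
    pthread_join(t1, NULL);
    pthread_join(t2, NULL);
    free(s.host);
    pthread_mutex_destroy(&s.lock);
    return w1.ok + w2.ok;
}

int main(void) {
    int ok = run_owned_copy_test();
    printf("%d of %d opens saw an intact owned copy\n", ok, 2 * ITER);
    return ok == 2 * ITER ? 0 : 1;
}
```

Build with `cc -fsanitize=address -pthread` to have ASan watch the run; the fixed path stays silent because every strdup() source is either lock-protected shared state or the handle's own memory. When reviewing a report like the one above, the question to ask of the READ site is exactly this: who owns the bytes being passed to the copying call, and can the thread on the "freed by" stack release them without that owner's consent.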
[25 Nov 2015 10:35] MySQL Verification Team
Thank you for the bug report. Verified as described:

=================================================================
==10613==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070004254f0 at pc 0x00010ea37f8d bp 0x700000bcc720 sp 0x700000bcbed8
READ of size 46 at 0x6070004254f0 thread T130
==10613==atos returned: An admin user name and password is required to enter Developer Mode.
2015-11-25T10:33:28.031433Z 140 [Note] Slave SQL thread for channel 'channel_1' initialized, starting replication in log 'master-bin.000001' at position 154, relay log './relaylog-msr-channel_1.000002' position: 369
    #0 0x10ea37f8c in wrap_strlen (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/7.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x3cf8c)
    #1 0x10b1cd44b in my_strdup (/Users/miguel/mysql-5.7.9/sql/mysqld-debug+0x100f5644b)
    #2 0x10afb9d2b in mysql_options (/Users/miguel/mysql-5.7.9/sql/mysqld-debug+0x100d42d2b)
    #3 0x10b1389e2 in connect_to_master(THD*, st_mysql*, Master_info*, bool, bool) (/Users/miguel/mysql-5.7.9/sql/mysqld-debug+0x100ec19e2)
    #4 0x10b123eab in safe_connect(THD*, st_mysql*, Master_info*) (/Users/miguel/mysql-5.7.9/sql/mysqld-debug+0x100eaceab)
    #5 0x10b116fe1 in handle_slave_io (/Users/miguel/mysql-5.7.9/sql/mysqld-debug+0x100e9ffe1)
    #6 0x10b8d9c30 in pfs_spawn_thread (/Users/miguel/mysql-5.7.9/sql/mysqld-debug+0x101662c30)
    #7 0x7fff933929b0 in _pthread_body (/usr/lib/system/libsystem_pthread.dylib+0x39b0)
    #8 0x7fff9339292d in _pthread_start (/usr/lib/system/libsystem_pthread.dylib+0x392d)
    #9 0x7fff93390384 in thread_start (/usr/lib/system/libsystem_pthread.dylib+0x1384)

0x6070004254f0 is located 32 bytes inside of 78-byte region [0x6070004254d0,0x60700042551e)
freed by thread T128 here:
    #0 0x10ea3dd79 in wrap_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/7.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x42d79)
    #1 0x10b1cd359 in my_raw_free (/Users/miguel/mysql-5.7.9/sql/mysqld-debug+0x100f56359)
    #2 0x10afc1f1f in mysql_close_free_options (/Users/miguel/mysql-5.7.9/sql/mysqld-debug+0x100d4af1f)
    #3 0x10afc23d0 in mysql_close (/Users/miguel/mysql-5.7.9/sql/mysqld-debug+0x100d4b3d0)
    #4 0x10b11721b in handle_slave_io (/Users/miguel/mysql-5.7.9/sql/mysqld-debug+0x100ea021b)
    #5 0x10b8d9c30 in pfs_spawn_thread (/Users/miguel/mysql-5.7.9/sql/mysqld-debug+0x101662c30)
    #6 0x7fff933929b0 in _pthread_body (/usr/lib/system/libsystem_pthread.dylib+0x39b0)
    #7 0x7fff9339292d in _pthread_start (/usr/lib/system/libsystem_pthread.dylib+0x392d)
    #8 0x7fff93390384 in thread_start (/usr/lib/system/libsystem_pthread.dylib+0x1384)
<CUT>
[24 May 2017 9:54] Erlend Dahl
This has been fixed in 8.0.2.