Bug #89433 NULL dereference in dd::tables::DD_properties:unchecked_get
Submitted: 26 Jan 2018 9:05 Modified: 2 Feb 2018 18:27
Reporter: Laurynas Biveinis (OCA)
Status: Closed
Category: MySQL Server: Data Dictionary Severity: S2 (Serious)
Version: 8.0.4 OS: Any
Assigned to: (none) CPU Architecture: Any
Tags: data dictionary

[26 Jan 2018 9:05] Laurynas Biveinis
Description:
Seen on main.dd_bootstrap_debug, on ASan+debug and regular debug builds.

cmake -DWITH_DEBUG=ON -DWITH_ASAN=ON

 ./mtr --debug-server dd_bootstrap_debug --big-test
...
main.dd_bootstrap_debug                  [ fail ]
        Test ended at 2018-01-26 11:01:05

CURRENT_TEST: main.dd_bootstrap_debug
mysqltest: At line 46: command "$MYSQLD $extra_args --datadir=$DDIR" failed with wrong error: 2

In var/tmp/server.log:

ASAN:DEADLYSIGNAL
=================================================================
==5964==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00010259dc4a bp 0x7000056a3ad0 sp 0x7000056a3aa0 T2)
==5964==The signal is caused by a READ memory access.
==5964==Hint: address points to the zero page.
    #0 0x10259dc49 in dd::tables::DD_properties::unchecked_get(THD*, std::__1::basic_string<char, std::__1::char_traits<char>, Stateless_allocator<char, dd::String_type_alloc, My_free_functor> > const&, std::__1::basic_string<char, std::__1::char_traits<char>, Stateless_allocator<char, dd::String_type_alloc, My_free_functor> >*, bool*) dd_properties.cc:234
    #1 0x10259defc in dd::tables::DD_properties::get(THD*, std::__1::basic_string<char, std::__1::char_traits<char>, Stateless_allocator<char, dd::String_type_alloc, My_free_functor> > const&, unsigned int*, bool*) dd_properties.cc:270
    #2 0x10234352d in (anonymous namespace)::initialize_dd_properties(THD*) bootstrapper.cc:313
    #3 0x10234cb34 in dd::bootstrap::restart(THD*) bootstrapper.cc:2418
    #4 0x1026c8cdd in dd::upgrade_57::restart_dictionary(THD*) upgrade.cc:877
    #5 0x1026c8201 in dd::upgrade_57::do_pre_checks_and_initialize_dd(THD*) upgrade.cc:1050
    #6 0x1018d1bc0 in bootstrap::handle_bootstrap(void*) bootstrap.cc:343
    #7 0x10430cc5a in pfs_spawn_thread(void*) pfs.cc:2994
    #8 0x7fffbf48d93a in _pthread_body (libsystem_pthread.dylib:x86_64+0x393a)
    #9 0x7fffbf48d886 in _pthread_start (libsystem_pthread.dylib:x86_64+0x3886)
    #10 0x7fffbf48d08c in thread_start (libsystem_pthread.dylib:x86_64+0x308c)

==5964==Register values:
rax = 0x0000100000000000  rbx = 0x00001c2e0000013e  rcx = 0x000000000000038c  rdx = 0x000000000000038d  
rdi = 0x0000000000000000  rsi = 0x00007000056a38e0  rbp = 0x00007000056a3ad0  rsp = 0x00007000056a3aa0  
 r8 = 0x0000000000000040   r9 = 0x0000200000000000  r10 = 0x0000000000000000  r11 = 0xffffffffffffffff  
r12 = 0x00007000056a3c50  r13 = 0x0000100000000000  r14 = 0x00006170000009f0  r15 = 0x00007000056a3c60  
AddressSanitizer can not provide additional info.

How to repeat:
See above
[26 Jan 2018 13:12] MySQL Verification Team
Thank you for the bug report.

miguel:mysql-test miguel$ ./mtr --debug-server dd_bootstrap_debug --big-test
Logging: ./mtr  --debug-server dd_bootstrap_debug --big-test
2018-01-26T13:07:34.371156Z 0 [System] [MY-010116] /Users/miguel/Downloads/mysql-8.0.4-rc/runtime_output_directory/mysqld (mysqld 8.0.4-rc-debug-log-asan) starting as process 16006 ...
MySQL Version 8.0.4
Checking supported features...
 - SSL connections supported
 - binaries are debug compiled
Collecting tests...
Removing old var directory...
Creating var directory '/Users/miguel/Downloads/mysql-8.0.4-rc/mysql-test/var'...
Installing system database...
Using parallel: 1

==============================================================================

TEST                                      RESULT   TIME (ms) or COMMENT
--------------------------------------------------------------------------

worker[1] Using MTR_BUILD_THREAD 300, with reserved ports 13000..13009
main.dd_bootstrap_debug                  [ fail ]
        Test ended at 2018-01-26 11:09:27

CURRENT_TEST: main.dd_bootstrap_debug
[1 Feb 2018 14:25] Sivert Sørumgård
Posted by developer:
 
This bug has already been fixed by the following commit (see second bullet in the commit message):

Author: Sivert Sorumgard <sivert.sorumgaard@oracle.com>
Date:   Mon Dec 11 13:34:10 2017 +0100

    WL#9553: Upgrading the transactional data dictionary tables.
    
    Post-push fix:
    
    - There was a small window during InnoDB initialization where the
      DDSE table definitions were initialized, but not yet added
      to the System_tables registry. If there was a failure in this
      window causing server abort, ASAN would report a memory leak.
      This patch closes this window.
    
    - The 'big'-test dd_bootstrap_debug failed due to a bug in the
      handling of the DD properties table in situations where the
      table contained data that could not be parsed. This patch
      implements handling of this situation.
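As an added illustration (not MySQL's code and not the commit referenced above): a small model of the DD properties lookup from the trace, with the buggy shape that uses a failed parse result unchecked beside the checked form. The "key=value;key2=value2" row format, the function names and the return-true-on-error convention are assumptions.

```cpp
#include <map>
#include <memory>
#include <string>

// Illustrative model, not MySQL's code. A DD properties row is assumed to
// hold a raw string like "key=value;key2=value2"; parsing yields a map, or
// nullptr when the row cannot be parsed (here: a pair without '=').
using Properties = std::map<std::string, std::string>;

std::unique_ptr<Properties> parse_properties(const std::string &raw) {
  auto props = std::make_unique<Properties>();
  for (size_t pos = 0; pos < raw.size();) {
    size_t end = raw.find(';', pos);
    if (end == std::string::npos) end = raw.size();
    std::string pair = raw.substr(pos, end - pos);
    size_t eq = pair.find('=');
    if (eq == std::string::npos || eq == 0) return nullptr;  // unparseable
    (*props)[pair.substr(0, eq)] = pair.substr(eq + 1);
    pos = end + 1;
  }
  return props;
}

// Buggy shape matching the report: the parse result is used without a
// check, so an unparseable row becomes a read through a null pointer.
bool unchecked_get_buggy(const std::string &raw, const std::string &key,
                         std::string *value, bool *exists) {
  std::unique_ptr<Properties> p = parse_properties(raw);
  auto it = p->find(key);  // SEGV on address 0 when p is nullptr
  *exists = (it != p->end());
  if (*exists) *value = it->second;
  return false;
}

// Checked shape: a parse failure is reported to the caller (return true,
// assumed here as the failure convention) instead of being dereferenced,
// and *exists is left well-defined so callers cannot act on stale state.
bool unchecked_get(const std::string &raw, const std::string &key,
                   std::string *value, bool *exists) {
  std::unique_ptr<Properties> p = parse_properties(raw);
  if (!p) {
    *exists = false;
    return true;  // unparseable properties row: error, no crash
  }
  auto it = p->find(key);
  *exists = (it != p->end());
  if (*exists) *value = it->second;
  return false;
}
```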
[2 Feb 2018 18:27] Daniel Price
Posted by developer:
 
Fixed as of the upcoming 8.0.5, 9.0.0 release, and here's the changelog entry:

A server exit during InnoDB initialization caused AddressSanitizer (ASan)
to report a memory leak. The patch also implements proper handling of the
data dictionary properties table in cases where the table contains data
that cannot be parsed.