[MDEV-14041] Server crashes in String::length on queries with functions and ROLLUP - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 5.5(EOL), 10.0(EOL), 10.1(EOL), 10.2(EOL), 10.3(EOL), 10.4(EOL)
Fix Version/s: 10.2.24, 10.1.39, 10.3.15, 10.4.5
Component/s: Server
Labels:
None

Description

Note: This report has two separate test cases, one only fails on 5.5 and another one only fails on 10.2/10.3, don't know if there are cases where 10.0 and 10.1 would fail, so far it hasn't happened in my tests.

Test case for 5.5
CREATE TABLE t1 (i INT);
INSERT INTO t1 VALUES (1),(2);
SELECT GET_LOCK( 'foo', 0 );
SELECT HEX( RELEASE_LOCK( 'foo' ) ) AS f FROM t1 GROUP BY f WITH ROLLUP;

# Cleanup
DROP TABLE t1;

5.5 8539e4b1b609f80
#3 <signal handler called>
#4 0x000000000056443a in String::length (this=0x0) at /data/src/5.5/sql/sql_string.h:114
#5 0x00000000006901f7 in sortcmp (s=0x7fcba0149ed0, t=0x0, cs=0x1403d00 <my_charset_latin1>) at /data/src/5.5/sql/sql_string.cc:736
#6 0x00000000007dd420 in Cached_item_str::cmp (this=0x7fcba0149eb0) at /data/src/5.5/sql/item_buff.cc:94
#7 0x000000000066348c in test_if_group_changed (list=...) at /data/src/5.5/sql/sql_select.cc:21373
#8 0x000000000065c4d6 in end_send_group (join=0x7fcba0148d20, join_tab=0x7fcba0180398, end_of_records=false) at /data/src/5.5/sql/sql_select.cc:18370
#9 0x00000000006599e8 in evaluate_join_record (join=0x7fcba0148d20, join_tab=0x7fcba0180078, error=0) at /data/src/5.5/sql/sql_select.cc:17301
#10 0x000000000065932a in sub_select (join=0x7fcba0148d20, join_tab=0x7fcba0180078, end_of_records=false) at /data/src/5.5/sql/sql_select.cc:17084
#11 0x0000000000658b96 in do_select (join=0x7fcba0148d20, fields=0x7fcba0149100, table=0x0, procedure=0x0) at /data/src/5.5/sql/sql_select.cc:16746
#12 0x000000000063702e in JOIN::exec (this=0x7fcba0148d20) at /data/src/5.5/sql/sql_select.cc:2894
#13 0x000000000063780a in mysql_select (thd=0x7fcba1264060, rref_pointer_array=0x7fcba1267d08, tables=0x7fcba0148528, wild_num=0, fields=..., conds=0x0, og_num=1, order=0x0, group=0x7fcba0148c20, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7fcba0148d00, unit=0x7fcba1267388, select_lex=0x7fcba1267a68) at /data/src/5.5/sql/sql_select.cc:3115
#14 0x000000000062dfc8 in handle_select (thd=0x7fcba1264060, lex=0x7fcba12672d8, result=0x7fcba0148d00, setup_tables_done_option=0) at /data/src/5.5/sql/sql_select.cc:323
#15 0x000000000060745e in execute_sqlcom_select (thd=0x7fcba1264060, all_tables=0x7fcba0148528) at /data/src/5.5/sql/sql_parse.cc:4678
#16 0x00000000006007df in mysql_execute_command (thd=0x7fcba1264060) at /data/src/5.5/sql/sql_parse.cc:2224
#17 0x000000000060a02a in mysql_parse (thd=0x7fcba1264060, rawbuf=0x7fcba0148078 "SELECT HEX( RELEASE_LOCK( 'foo' ) ) AS f FROM t1 GROUP BY f WITH ROLLUP", length=71, parser_state=0x7fcba6f1e640) at /data/src/5.5/sql/sql_parse.cc:5923
#18 0x00000000005fdd3f in dispatch_command (command=COM_QUERY, thd=0x7fcba1264060, packet=0x7fcba4f5b061 "", packet_length=71) at /data/src/5.5/sql/sql_parse.cc:1066
#19 0x00000000005fcf31 in do_command (thd=0x7fcba1264060) at /data/src/5.5/sql/sql_parse.cc:793
#20 0x000000000070003b in do_handle_one_connection (thd_arg=0x7fcba1264060) at /data/src/5.5/sql/sql_connect.cc:1268
#21 0x00000000006ffdc8 in handle_one_connection (arg=0x7fcba1264060) at /data/src/5.5/sql/sql_connect.cc:1184
#22 0x0000000000a0dbbb in pfs_spawn_thread (arg=0x7fcba1f76fc0) at /data/src/5.5/storage/perfschema/pfs.cc:1015
#23 0x00007fcba6b51494 in start_thread (arg=0x7fcba6f1f700) at pthread_create.c:333
#24 0x00007fcba556793f in clone () from /lib/x86_64-linux-gnu/libc.so.6

Test case for 10.2 / 10.3
CREATE TABLE t1 (i INT);
INSERT INTO t1 VALUES (1),(2);

SELECT i FROM t1 GROUP BY i WITH ROLLUP
UNION ALL
SELECT ELT( FOUND_ROWS(), 1 ) f FROM t1 GROUP BY f WITH ROLLUP
;

# Cleanup
DROP TABLE t1;

10.2 95f393394442437eea4
#3 <signal handler called>
#4 0x000055b4381e33a6 in String::length (this=0x0) at /data/src/10.2/sql/sql_string.h:203
#5 0x000055b438368553 in sortcmp (s=0x7f19c80183a0, t=0x0, cs=0x55b439726b00 <my_charset_latin1>) at /data/src/10.2/sql/sql_string.cc:776
#6 0x000055b43855b2ca in Cached_item_str::cmp (this=0x7f19c8018380) at /data/src/10.2/sql/item_buff.cc:95
#7 0x000055b4383280f4 in test_if_group_changed (list=...) at /data/src/10.2/sql/sql_select.cc:23004
#8 0x000055b438320fa1 in end_send_group (join=0x7f19c8014b60, join_tab=0x7f19c8110c38, end_of_records=false) at /data/src/10.2/sql/sql_select.cc:20028
#9 0x000055b43831e154 in evaluate_join_record (join=0x7f19c8014b60, join_tab=0x7f19c8110888, error=0) at /data/src/10.2/sql/sql_select.cc:18884
#10 0x000055b43831da64 in sub_select (join=0x7f19c8014b60, join_tab=0x7f19c8110888, end_of_records=false) at /data/src/10.2/sql/sql_select.cc:18664
#11 0x000055b43831cffd in do_select (join=0x7f19c8014b60, procedure=0x0) at /data/src/10.2/sql/sql_select.cc:18208
#12 0x000055b4382f7703 in JOIN::exec_inner (this=0x7f19c8014b60) at /data/src/10.2/sql/sql_select.cc:3540
#13 0x000055b4382f6bb2 in JOIN::exec (this=0x7f19c8014b60) at /data/src/10.2/sql/sql_select.cc:3335
#14 0x000055b438394e7a in st_select_lex_unit::exec (this=0x7f19c80046a0) at /data/src/10.2/sql/sql_union.cc:1005
#15 0x000055b438391934 in mysql_union (thd=0x7f19c8000b00, lex=0x7f19c80045d8, result=0x7f19c8014240, unit=0x7f19c80046a0, setup_tables_done_option=0) at /data/src/10.2/sql/sql_union.cc:41
#16 0x000055b4382ec436 in handle_select (thd=0x7f19c8000b00, lex=0x7f19c80045d8, result=0x7f19c8014240, setup_tables_done_option=0) at /data/src/10.2/sql/sql_select.cc:351
#17 0x000055b4382b8305 in execute_sqlcom_select (thd=0x7f19c8000b00, all_tables=0x7f19c8012788) at /data/src/10.2/sql/sql_parse.cc:6456
#18 0x000055b4382ae38c in mysql_execute_command (thd=0x7f19c8000b00) at /data/src/10.2/sql/sql_parse.cc:3467
#19 0x000055b4382bbcc3 in mysql_parse (thd=0x7f19c8000b00, rawbuf=0x7f19c80124e8 "SELECT i FROM t1 GROUP BY i WITH ROLLUP\nUNION ALL\nSELECT ELT( FOUND_ROWS(), 1 ) f FROM t1 GROUP BY f WITH ROLLUP", length=112, parser_state=0x7f19daba2200, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7898
#20 0x000055b4382a9c5d in dispatch_command (command=COM_QUERY, thd=0x7f19c8000b00, packet=0x7f19c8170451 "", packet_length=113, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1806
#21 0x000055b4382a85c0 in do_command (thd=0x7f19c8000b00) at /data/src/10.2/sql/sql_parse.cc:1360
#22 0x000055b4383f67b6 in do_handle_one_connection (connect=0x55b43bd6c110) at /data/src/10.2/sql/sql_connect.cc:1335
#23 0x000055b4383f6543 in handle_one_connection (arg=0x55b43bd6c110) at /data/src/10.2/sql/sql_connect.cc:1241
#24 0x000055b438815898 in pfs_spawn_thread (arg=0x55b43bccb000) at /data/src/10.2/storage/perfschema/pfs.cc:1862
#25 0x00007f19e259d494 in start_thread (arg=0x7f19daba3700) at pthread_create.c:333
#26 0x00007f19e098393f in clone () from /lib/x86_64-linux-gnu/libc.so.6

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

master.err.gz
30 kB
2017-10-10 20:18
master.log.gz
4.05 MB
2017-10-10 20:18
threads1
35 kB
2017-10-10 20:17
threads1_full
128 kB
2017-10-10 20:17

Issue Links

relates to

MDEV-19299 ASAN: heap-use-after-free upon LEAST(..CHARSET(..),..)

Confirmed

Activity

Ascending order - Click to sort in descending order

Elena Stepanova added a comment - 2017-12-17 11:48

Fresh occurrence:
http://buildbot.askmonty.org/buildbot/builders/qa-win-debug/builds/938/steps/crash_tests/logs/stdio

Elena Stepanova added a comment - 2017-12-17 11:48 Fresh occurrence: http://buildbot.askmonty.org/buildbot/builders/qa-win-debug/builds/938/steps/crash_tests/logs/stdio

Elena Stepanova added a comment - 2018-07-13 12:03

Test case for 10.0 and 10.1 (and 5.5):

CREATE TABLE t1 (a INT);

INSERT INTO t1 VALUES (1),(2);

SELECT a FROM t1 GROUP BY NULLIF( CONVERT('', DATE), '2015-10-15' ) WITH ROLLUP;

# Cleanup

DROP TABLE t1;

10.0 a2c0376e0
#3 <signal handler called>
#4 0x00000000005a20f8 in String::length (this=0x0) at /data/src/10.0/sql/sql_string.h:130
#5 0x00000000006ef5dd in sortcmp (s=0x7f1ecc7b6bc8, t=0x0, cs=0x16c9fc0 <my_charset_latin1>) at /data/src/10.0/sql/sql_string.cc:762
#6 0x000000000086d56e in Cached_item_str::cmp (this=0x7f1ecc7b6ba8) at /data/src/10.0/sql/item_buff.cc:95
#7 0x00000000006b7ddc in test_if_group_changed (list=...) at /data/src/10.0/sql/sql_select.cc:22223
#8 0x00000000006b0cdc in end_send_group (join=0x7f1ecc4fae40, join_tab=0x7f1ecc7b63b0, end_of_records=false) at /data/src/10.0/sql/sql_select.cc:19294
#9 0x00000000006ae134 in evaluate_join_record (join=0x7f1ecc4fae40, join_tab=0x7f1ecc7b6088, error=0) at /data/src/10.0/sql/sql_select.cc:18204
#10 0x00000000006ada31 in sub_select (join=0x7f1ecc4fae40, join_tab=0x7f1ecc7b6088, end_of_records=false) at /data/src/10.0/sql/sql_select.cc:17984
#11 0x00000000006ad2a4 in do_select (join=0x7f1ecc4fae40, fields=0x7f1ecc4fb228, table=0x0, procedure=0x0) at /data/src/10.0/sql/sql_select.cc:17646
#12 0x000000000068a01d in JOIN::exec_inner (this=0x7f1ecc4fae40) at /data/src/10.0/sql/sql_select.cc:3116
#13 0x00000000006874da in JOIN::exec (this=0x7f1ecc4fae40) at /data/src/10.0/sql/sql_select.cc:2402
#14 0x000000000068a87c in mysql_select (thd=0x7f1ecdea2070, rref_pointer_array=0x7f1ecdea63a0, tables=0x7f1ecc4fa2f0, wild_num=0, fields=..., conds=0x0, og_num=1, order=0x0, group=0x7f1ecc4fad30, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f1ecc4fae20, unit=0x7f1ecdea5a08, select_lex=0x7f1ecdea60f8) at /data/src/10.0/sql/sql_select.cc:3341
#15 0x0000000000680a86 in handle_select (thd=0x7f1ecdea2070, lex=0x7f1ecdea5940, result=0x7f1ecc4fae20, setup_tables_done_option=0) at /data/src/10.0/sql/sql_select.cc:377
#16 0x0000000000654f79 in execute_sqlcom_select (thd=0x7f1ecdea2070, all_tables=0x7f1ecc4fa2f0) at /data/src/10.0/sql/sql_parse.cc:5298
#17 0x000000000064d4cf in mysql_execute_command (thd=0x7f1ecdea2070) at /data/src/10.0/sql/sql_parse.cc:2554
#18 0x0000000000657dd6 in mysql_parse (thd=0x7f1ecdea2070, rawbuf=0x7f1ecc4fa088 "SELECT a FROM t1 GROUP BY NULLIF( CONVERT('', DATE), '2015-10-15' ) WITH ROLLUP", length=79, parser_state=0x7f1ed6033640) at /data/src/10.0/sql/sql_parse.cc:6634
#19 0x000000000064a6f6 in dispatch_command (command=COM_QUERY, thd=0x7f1ecdea2070, packet=0x7f1ecf3e5071 "", packet_length=79) at /data/src/10.0/sql/sql_parse.cc:1297
#20 0x00000000006499f6 in do_command (thd=0x7f1ecdea2070) at /data/src/10.0/sql/sql_parse.cc:1000
#21 0x000000000076a872 in do_handle_one_connection (thd_arg=0x7f1ecdea2070) at /data/src/10.0/sql/sql_connect.cc:1377
#22 0x000000000076a5e4 in handle_one_connection (arg=0x7f1ecdea2070) at /data/src/10.0/sql/sql_connect.cc:1292
#23 0x0000000000acc722 in pfs_spawn_thread (arg=0x7f1ecdda2370) at /data/src/10.0/storage/perfschema/pfs.cc:1861
#24 0x00007f1ed5c67494 in start_thread (arg=0x7f1ed6034700) at pthread_create.c:333
#25 0x00007f1ed402093f in clone () from /lib/x86_64-linux-gnu/libc.so.6

Elena Stepanova added a comment - 2018-07-13 12:03 Test case for 10.0 and 10.1 (and 5.5): CREATE TABLE t1 (a INT ); INSERT INTO t1 VALUES (1),(2); SELECT a FROM t1 GROUP BY NULLIF ( CONVERT ( '' , DATE ), '2015-10-15' ) WITH ROLLUP ; # Cleanup DROP TABLE t1; 10.0 a2c0376e0 #3 <signal handler called> #4 0x00000000005a20f8 in String::length (this=0x0) at /data/src/10.0/sql/sql_string.h:130 #5 0x00000000006ef5dd in sortcmp (s=0x7f1ecc7b6bc8, t=0x0, cs=0x16c9fc0 <my_charset_latin1>) at /data/src/10.0/sql/sql_string.cc:762 #6 0x000000000086d56e in Cached_item_str::cmp (this=0x7f1ecc7b6ba8) at /data/src/10.0/sql/item_buff.cc:95 #7 0x00000000006b7ddc in test_if_group_changed (list=...) at /data/src/10.0/sql/sql_select.cc:22223 #8 0x00000000006b0cdc in end_send_group (join=0x7f1ecc4fae40, join_tab=0x7f1ecc7b63b0, end_of_records=false) at /data/src/10.0/sql/sql_select.cc:19294 #9 0x00000000006ae134 in evaluate_join_record (join=0x7f1ecc4fae40, join_tab=0x7f1ecc7b6088, error=0) at /data/src/10.0/sql/sql_select.cc:18204 #10 0x00000000006ada31 in sub_select (join=0x7f1ecc4fae40, join_tab=0x7f1ecc7b6088, end_of_records=false) at /data/src/10.0/sql/sql_select.cc:17984 #11 0x00000000006ad2a4 in do_select (join=0x7f1ecc4fae40, fields=0x7f1ecc4fb228, table=0x0, procedure=0x0) at /data/src/10.0/sql/sql_select.cc:17646 #12 0x000000000068a01d in JOIN::exec_inner (this=0x7f1ecc4fae40) at /data/src/10.0/sql/sql_select.cc:3116 #13 0x00000000006874da in JOIN::exec (this=0x7f1ecc4fae40) at /data/src/10.0/sql/sql_select.cc:2402 #14 0x000000000068a87c in mysql_select (thd=0x7f1ecdea2070, rref_pointer_array=0x7f1ecdea63a0, tables=0x7f1ecc4fa2f0, wild_num=0, fields=..., conds=0x0, og_num=1, order=0x0, group=0x7f1ecc4fad30, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f1ecc4fae20, unit=0x7f1ecdea5a08, select_lex=0x7f1ecdea60f8) at /data/src/10.0/sql/sql_select.cc:3341 #15 0x0000000000680a86 in handle_select (thd=0x7f1ecdea2070, lex=0x7f1ecdea5940, result=0x7f1ecc4fae20, setup_tables_done_option=0) at /data/src/10.0/sql/sql_select.cc:377 #16 0x0000000000654f79 in execute_sqlcom_select (thd=0x7f1ecdea2070, all_tables=0x7f1ecc4fa2f0) at /data/src/10.0/sql/sql_parse.cc:5298 #17 0x000000000064d4cf in mysql_execute_command (thd=0x7f1ecdea2070) at /data/src/10.0/sql/sql_parse.cc:2554 #18 0x0000000000657dd6 in mysql_parse (thd=0x7f1ecdea2070, rawbuf=0x7f1ecc4fa088 "SELECT a FROM t1 GROUP BY NULLIF( CONVERT('', DATE), '2015-10-15' ) WITH ROLLUP", length=79, parser_state=0x7f1ed6033640) at /data/src/10.0/sql/sql_parse.cc:6634 #19 0x000000000064a6f6 in dispatch_command (command=COM_QUERY, thd=0x7f1ecdea2070, packet=0x7f1ecf3e5071 "", packet_length=79) at /data/src/10.0/sql/sql_parse.cc:1297 #20 0x00000000006499f6 in do_command (thd=0x7f1ecdea2070) at /data/src/10.0/sql/sql_parse.cc:1000 #21 0x000000000076a872 in do_handle_one_connection (thd_arg=0x7f1ecdea2070) at /data/src/10.0/sql/sql_connect.cc:1377 #22 0x000000000076a5e4 in handle_one_connection (arg=0x7f1ecdea2070) at /data/src/10.0/sql/sql_connect.cc:1292 #23 0x0000000000acc722 in pfs_spawn_thread (arg=0x7f1ecdda2370) at /data/src/10.0/storage/perfschema/pfs.cc:1861 #24 0x00007f1ed5c67494 in start_thread (arg=0x7f1ed6034700) at pthread_create.c:333 #25 0x00007f1ed402093f in clone () from /lib/x86_64-linux-gnu/libc.so.6

Elena Stepanova added a comment - 2019-03-15 15:10

Another test case, another stack trace:

CREATE TABLE t1 (a DATE, b TIME);

INSERT INTO t1 VALUES ('2014-04-07','11:35:28');

SELECT * FROM t1 GROUP BY GREATEST( TRIM(LEADING '02:18:28' FROM CHARSET(a)), UPPER(b) ) WITH ROLLUP;

# Cleanup

DROP TABLE t1;

10.4 7b33a6a1 ASAN
==23264==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000047cc0 at pc 0x55df6365aa61 bp 0x7fda286d69f0 sp 0x7fda286d69e8
READ of size 1 at 0x60d000047cc0 thread T5
#0 0x55df6365aa60 in my_scan_weight_utf8_general_ci /data/src/10.4/strings/strcoll.ic:98
#1 0x55df6365b2d6 in my_strnncollsp_utf8_general_ci /data/src/10.4/strings/strcoll.ic:254
#2 0x55df61ead092 in sortcmp(String const, String const, charset_info_st const*) /data/src/10.4/sql/sql_string.cc:803
#3 0x55df6259794a in Item_func_min_max::val_str_native(String*) /data/src/10.4/sql/item_func.cc:2679
#4 0x55df62181568 in Type_handler_string_result::Item_func_min_max_val_str(Item_func_min_max, String) const /data/src/10.4/sql/sql_type.cc:5189
#5 0x55df62560ec4 in Item_func_min_max::val_str(String*) /data/src/10.4/sql/item_func.h:1798
#6 0x55df624ee7b6 in Cached_item_str::cmp() /data/src/10.4/sql/item_buff.cc:84
#7 0x55df61df3a0a in test_if_group_changed(List<Cached_item>&) /data/src/10.4/sql/sql_select.cc:24413
#8 0x55df61ddf82e in end_send_group(JOIN, st_join_table, bool) /data/src/10.4/sql/sql_select.cc:21403
#9 0x55df61dd2562 in do_select /data/src/10.4/sql/sql_select.cc:19513
#10 0x55df61d6be3c in JOIN::exec_inner() /data/src/10.4/sql/sql_select.cc:4371
#11 0x55df61d69737 in JOIN::exec() /data/src/10.4/sql/sql_select.cc:4153
#12 0x55df61d6d214 in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/src/10.4/sql/sql_select.cc:4585
#13 0x55df61d437fa in handle_select(THD, LEX, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:424
#14 0x55df61cc4537 in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6652
#15 0x55df61cb10fe in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3889
#16 0x55df61cccdda in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8205
#17 0x55df61ca4ce5 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
#18 0x55df61ca1b36 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
#19 0x55df620358a5 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
#20 0x55df6203529e in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
#21 0x55df62bfcbe2 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
#22 0x7fda33a86493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
#23 0x7fda31e6c93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)

0x60d000047cc0 is located 112 bytes inside of 140-byte region [0x60d000047c50,0x60d000047cdc)
freed by thread T5 here:
#0 0x7fda33cf0527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
#1 0x55df635ae2e1 in free_memory /data/src/10.4/mysys/safemalloc.c:279
#2 0x55df635ad8e7 in sf_free /data/src/10.4/mysys/safemalloc.c:197
#3 0x55df6357e330 in my_free /data/src/10.4/mysys/my_malloc.c:222
#4 0x55df61a0f733 in Binary_string::free() /data/src/10.4/sql/sql_string.h:604
#5 0x55df61ea7d7a in Binary_string::real_alloc(unsigned long) /data/src/10.4/sql/sql_string.cc:43
#6 0x55df61a2f575 in Binary_string::alloc(unsigned long) /data/src/10.4/sql/sql_string.h:613
#7 0x55df624dfd8b in String::copy(charset_info_st const, charset_info_st const, char const, unsigned long, unsigned long, String_copier) /data/src/10.4/sql/sql_string.h:847
#8 0x55df624bb433 in String_copier_for_item::copy_with_warn(charset_info_st const, String, charset_info_st const, char const, unsigned int, unsigned int) /data/src/10.4/sql/item.cc:6214
#9 0x55df6261816c in Item_func_conv_charset::val_str(String*) /data/src/10.4/sql/item_strfunc.cc:3446
#10 0x55df625978fb in Item_func_min_max::val_str_native(String*) /data/src/10.4/sql/item_func.cc:2676
#11 0x55df62181568 in Type_handler_string_result::Item_func_min_max_val_str(Item_func_min_max, String) const /data/src/10.4/sql/sql_type.cc:5189
#12 0x55df62560ec4 in Item_func_min_max::val_str(String*) /data/src/10.4/sql/item_func.h:1798
#13 0x55df624ee7b6 in Cached_item_str::cmp() /data/src/10.4/sql/item_buff.cc:84
#14 0x55df61df3a0a in test_if_group_changed(List<Cached_item>&) /data/src/10.4/sql/sql_select.cc:24413
#15 0x55df61ddf82e in end_send_group(JOIN, st_join_table, bool) /data/src/10.4/sql/sql_select.cc:21403
#16 0x55df61dd2562 in do_select /data/src/10.4/sql/sql_select.cc:19513
#17 0x55df61d6be3c in JOIN::exec_inner() /data/src/10.4/sql/sql_select.cc:4371
#18 0x55df61d69737 in JOIN::exec() /data/src/10.4/sql/sql_select.cc:4153
#19 0x55df61d6d214 in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/src/10.4/sql/sql_select.cc:4585
#20 0x55df61d437fa in handle_select(THD, LEX, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:424
#21 0x55df61cc4537 in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6652
#22 0x55df61cb10fe in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3889
#23 0x55df61cccdda in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8205
#24 0x55df61ca4ce5 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
#25 0x55df61ca1b36 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
#26 0x55df620358a5 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
#27 0x55df6203529e in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
#28 0x55df62bfcbe2 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
#29 0x7fda33a86493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)

previously allocated by thread T5 here:
#0 0x7fda33cf073f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
#1 0x55df635ad057 in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
#2 0x55df6357d952 in my_malloc /data/src/10.4/mysys/my_malloc.c:101
#3 0x55df61ea7dd9 in Binary_string::real_alloc(unsigned long) /data/src/10.4/sql/sql_string.cc:46
#4 0x55df61a2f575 in Binary_string::alloc(unsigned long) /data/src/10.4/sql/sql_string.h:613
#5 0x55df61eaa299 in String::copy(char const, unsigned long, charset_info_st const, charset_info_st const, unsigned int) /data/src/10.4/sql/sql_string.cc:443
#6 0x55df626190de in Item_func_charset::val_str(String*) /data/src/10.4/sql/item_strfunc.cc:3513
#7 0x55df62608d13 in Item_func_ltrim::val_str(String*) /data/src/10.4/sql/item_strfunc.cc:1938
#8 0x55df62597791 in Item_func_min_max::val_str_native(String*) /data/src/10.4/sql/item_func.cc:2672
#9 0x55df62181568 in Type_handler_string_result::Item_func_min_max_val_str(Item_func_min_max, String) const /data/src/10.4/sql/sql_type.cc:5189
#10 0x55df62560ec4 in Item_func_min_max::val_str(String*) /data/src/10.4/sql/item_func.h:1798
#11 0x55df624ee7b6 in Cached_item_str::cmp() /data/src/10.4/sql/item_buff.cc:84
#12 0x55df61df3a0a in test_if_group_changed(List<Cached_item>&) /data/src/10.4/sql/sql_select.cc:24413
#13 0x55df61ddf82e in end_send_group(JOIN, st_join_table, bool) /data/src/10.4/sql/sql_select.cc:21403
#14 0x55df61dd2562 in do_select /data/src/10.4/sql/sql_select.cc:19513
#15 0x55df61d6be3c in JOIN::exec_inner() /data/src/10.4/sql/sql_select.cc:4371
#16 0x55df61d69737 in JOIN::exec() /data/src/10.4/sql/sql_select.cc:4153
#17 0x55df61d6d214 in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/src/10.4/sql/sql_select.cc:4585
#18 0x55df61d437fa in handle_select(THD, LEX, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:424
#19 0x55df61cc4537 in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6652
#20 0x55df61cb10fe in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3889
#21 0x55df61cccdda in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8205
#22 0x55df61ca4ce5 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
#23 0x55df61ca1b36 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
#24 0x55df620358a5 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
#25 0x55df6203529e in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
#26 0x55df62bfcbe2 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
#27 0x7fda33a86493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)

Thread T5 created by T0 here:
#0 0x7fda33cbfbba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
#1 0x55df62bfd1aa in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
#2 0x55df619ec846 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
#7 0x55df61a01973 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5876
#8 0x55df619ea6cf in main /data/src/10.4/sql/main.cc:25
#9 0x7fda31da42b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/strings/strcoll.ic:98 my_scan_weight_utf8_general_ci
Shadow bytes around the buggy address:
0x0c1a80000f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1a80000f50: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
0x0c1a80000f60: 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa fa
0x0c1a80000f70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1a80000f80: 04 fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
=>0x0c1a80000f90: fd fd fd fd fd fd fd fd[fd]fd fd fd fa fa fa fa
0x0c1a80000fa0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1a80000fb0: 00 00 00 00 04 fa fa fa fa fa fa fa fa fa 00 00
0x0c1a80000fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
0x0c1a80000fd0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c1a80000fe0: 00 00 00 00 00 00 00 00 00 04 fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==23264==ABORTING

5.5 8024f8c6 ASAN
==24172==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000012d60 at pc 0x1697c49 bp 0x7fa810ad8d30 sp 0x7fa810ad8d28
READ of size 1 at 0x60c000012d60 thread T5
#0 0x1697c48 in my_utf8_uni /data/src/5.5/strings/ctype-utf8.c:2316
#1 0x169b915 in my_strnncollsp_utf8 /data/src/5.5/strings/ctype-utf8.c:2761
#2 0x809302 in sortcmp(String const, String const, charset_info_st const*) /data/src/5.5/sql/sql_string.cc:736
#3 0xbc9d8a in Item_func_min_max::val_str(String*) /data/src/5.5/sql/item_func.cc:3000
#4 0xb387ac in Cached_item_str::cmp() /data/src/5.5/sql/item_buff.cc:83
#5 0x70ac75 in test_if_group_changed /data/src/5.5/sql/sql_select.cc:21404
#6 0x788554 in end_send_group(JOIN, st_join_table, bool) /data/src/5.5/sql/sql_select.cc:18401
#7 0x770d89 in do_select /data/src/5.5/sql/sql_select.cc:16742
#8 0x7b0f3d in JOIN::exec() /data/src/5.5/sql/sql_select.cc:2912
#9 0x79d8ac in mysql_select(THD, Item*, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/src/5.5/sql/sql_select.cc:3133
#10 0x79df58 in handle_select(THD, LEX, select_result*, unsigned long) /data/src/5.5/sql/sql_select.cc:323
#11 0x690312 in execute_sqlcom_select /data/src/5.5/sql/sql_parse.cc:4679
#12 0x6a70bb in mysql_execute_command(THD*) /data/src/5.5/sql/sql_parse.cc:2225
#13 0x6bac31 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/src/5.5/sql/sql_parse.cc:5924
#14 0x6be7ac in dispatch_command(enum_server_command, THD, char, unsigned int) /data/src/5.5/sql/sql_parse.cc:1067
#15 0x6c29f4 in do_command(THD*) /data/src/5.5/sql/sql_parse.cc:793
#16 0x91bf7a in do_handle_one_connection(THD*) /data/src/5.5/sql/sql_connect.cc:1268
#17 0x91c1eb in handle_one_connection /data/src/5.5/sql/sql_connect.cc:1184
#18 0x10ab47f in pfs_spawn_thread /data/src/5.5/storage/perfschema/pfs.cc:1015
freed by thread T5 here:
#0 0x7fa81878e527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
#1 0x1658faa in free_memory /data/src/5.5/mysys/safemalloc.c:205

previously allocated by thread T5 here:
#0 0x7fa81878e73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
#1 0x165908f in sf_malloc /data/src/5.5/mysys/safemalloc.c:105

Thread T5 created by T0 here:
#0 0x7fa81875dbba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
#1 0x10aeff4 in spawn_thread_v1 /data/src/5.5/storage/perfschema/pfs.cc:1038

SUMMARY: AddressSanitizer: heap-use-after-free /data/src/5.5/strings/ctype-utf8.c:2316 my_utf8_uni
Shadow bytes around the buggy address:
0x0c187fffa550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fffa560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fffa570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fffa580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fffa590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c187fffa5a0: fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd
0x0c187fffa5b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c187fffa5c0: 00 00 00 00 00 00 07 fa fa fa fa fa fa fa fa fa
0x0c187fffa5d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 fa
0x0c187fffa5e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c187fffa5f0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==24172==ABORTING

Elena Stepanova added a comment - 2019-03-15 15:10 Another test case, another stack trace: CREATE TABLE t1 (a DATE , b TIME ); INSERT INTO t1 VALUES ( '2014-04-07' , '11:35:28' ); SELECT * FROM t1 GROUP BY GREATEST( TRIM(LEADING '02:18:28' FROM CHARSET(a)), UPPER (b) ) WITH ROLLUP ; # Cleanup DROP TABLE t1; 10.4 7b33a6a1 ASAN ==23264==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000047cc0 at pc 0x55df6365aa61 bp 0x7fda286d69f0 sp 0x7fda286d69e8 READ of size 1 at 0x60d000047cc0 thread T5 #0 0x55df6365aa60 in my_scan_weight_utf8_general_ci /data/src/10.4/strings/strcoll.ic:98 #1 0x55df6365b2d6 in my_strnncollsp_utf8_general_ci /data/src/10.4/strings/strcoll.ic:254 #2 0x55df61ead092 in sortcmp(String const*, String const*, charset_info_st const*) /data/src/10.4/sql/sql_string.cc:803 #3 0x55df6259794a in Item_func_min_max::val_str_native(String*) /data/src/10.4/sql/item_func.cc:2679 #4 0x55df62181568 in Type_handler_string_result::Item_func_min_max_val_str(Item_func_min_max*, String*) const /data/src/10.4/sql/sql_type.cc:5189 #5 0x55df62560ec4 in Item_func_min_max::val_str(String*) /data/src/10.4/sql/item_func.h:1798 #6 0x55df624ee7b6 in Cached_item_str::cmp() /data/src/10.4/sql/item_buff.cc:84 #7 0x55df61df3a0a in test_if_group_changed(List<Cached_item>&) /data/src/10.4/sql/sql_select.cc:24413 #8 0x55df61ddf82e in end_send_group(JOIN*, st_join_table*, bool) /data/src/10.4/sql/sql_select.cc:21403 #9 0x55df61dd2562 in do_select /data/src/10.4/sql/sql_select.cc:19513 #10 0x55df61d6be3c in JOIN::exec_inner() /data/src/10.4/sql/sql_select.cc:4371 #11 0x55df61d69737 in JOIN::exec() /data/src/10.4/sql/sql_select.cc:4153 #12 0x55df61d6d214 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4585 #13 0x55df61d437fa in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:424 #14 0x55df61cc4537 in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6652 #15 0x55df61cb10fe in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3889 #16 0x55df61cccdda in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8205 #17 0x55df61ca4ce5 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829 #18 0x55df61ca1b36 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358 #19 0x55df620358a5 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399 #20 0x55df6203529e in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302 #21 0x55df62bfcbe2 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862 #22 0x7fda33a86493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493) #23 0x7fda31e6c93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e) 0x60d000047cc0 is located 112 bytes inside of 140-byte region [0x60d000047c50,0x60d000047cdc) freed by thread T5 here: #0 0x7fda33cf0527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527) #1 0x55df635ae2e1 in free_memory /data/src/10.4/mysys/safemalloc.c:279 #2 0x55df635ad8e7 in sf_free /data/src/10.4/mysys/safemalloc.c:197 #3 0x55df6357e330 in my_free /data/src/10.4/mysys/my_malloc.c:222 #4 0x55df61a0f733 in Binary_string::free() /data/src/10.4/sql/sql_string.h:604 #5 0x55df61ea7d7a in Binary_string::real_alloc(unsigned long) /data/src/10.4/sql/sql_string.cc:43 #6 0x55df61a2f575 in Binary_string::alloc(unsigned long) /data/src/10.4/sql/sql_string.h:613 #7 0x55df624dfd8b in String::copy(charset_info_st const*, charset_info_st const*, char const*, unsigned long, unsigned long, String_copier*) /data/src/10.4/sql/sql_string.h:847 #8 0x55df624bb433 in String_copier_for_item::copy_with_warn(charset_info_st const*, String*, charset_info_st const*, char const*, unsigned int, unsigned int) /data/src/10.4/sql/item.cc:6214 #9 0x55df6261816c in Item_func_conv_charset::val_str(String*) /data/src/10.4/sql/item_strfunc.cc:3446 #10 0x55df625978fb in Item_func_min_max::val_str_native(String*) /data/src/10.4/sql/item_func.cc:2676 #11 0x55df62181568 in Type_handler_string_result::Item_func_min_max_val_str(Item_func_min_max*, String*) const /data/src/10.4/sql/sql_type.cc:5189 #12 0x55df62560ec4 in Item_func_min_max::val_str(String*) /data/src/10.4/sql/item_func.h:1798 #13 0x55df624ee7b6 in Cached_item_str::cmp() /data/src/10.4/sql/item_buff.cc:84 #14 0x55df61df3a0a in test_if_group_changed(List<Cached_item>&) /data/src/10.4/sql/sql_select.cc:24413 #15 0x55df61ddf82e in end_send_group(JOIN*, st_join_table*, bool) /data/src/10.4/sql/sql_select.cc:21403 #16 0x55df61dd2562 in do_select /data/src/10.4/sql/sql_select.cc:19513 #17 0x55df61d6be3c in JOIN::exec_inner() /data/src/10.4/sql/sql_select.cc:4371 #18 0x55df61d69737 in JOIN::exec() /data/src/10.4/sql/sql_select.cc:4153 #19 0x55df61d6d214 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4585 #20 0x55df61d437fa in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:424 #21 0x55df61cc4537 in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6652 #22 0x55df61cb10fe in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3889 #23 0x55df61cccdda in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8205 #24 0x55df61ca4ce5 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829 #25 0x55df61ca1b36 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358 #26 0x55df620358a5 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399 #27 0x55df6203529e in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302 #28 0x55df62bfcbe2 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862 #29 0x7fda33a86493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493) previously allocated by thread T5 here: #0 0x7fda33cf073f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f) #1 0x55df635ad057 in sf_malloc /data/src/10.4/mysys/safemalloc.c:118 #2 0x55df6357d952 in my_malloc /data/src/10.4/mysys/my_malloc.c:101 #3 0x55df61ea7dd9 in Binary_string::real_alloc(unsigned long) /data/src/10.4/sql/sql_string.cc:46 #4 0x55df61a2f575 in Binary_string::alloc(unsigned long) /data/src/10.4/sql/sql_string.h:613 #5 0x55df61eaa299 in String::copy(char const*, unsigned long, charset_info_st const*, charset_info_st const*, unsigned int*) /data/src/10.4/sql/sql_string.cc:443 #6 0x55df626190de in Item_func_charset::val_str(String*) /data/src/10.4/sql/item_strfunc.cc:3513 #7 0x55df62608d13 in Item_func_ltrim::val_str(String*) /data/src/10.4/sql/item_strfunc.cc:1938 #8 0x55df62597791 in Item_func_min_max::val_str_native(String*) /data/src/10.4/sql/item_func.cc:2672 #9 0x55df62181568 in Type_handler_string_result::Item_func_min_max_val_str(Item_func_min_max*, String*) const /data/src/10.4/sql/sql_type.cc:5189 #10 0x55df62560ec4 in Item_func_min_max::val_str(String*) /data/src/10.4/sql/item_func.h:1798 #11 0x55df624ee7b6 in Cached_item_str::cmp() /data/src/10.4/sql/item_buff.cc:84 #12 0x55df61df3a0a in test_if_group_changed(List<Cached_item>&) /data/src/10.4/sql/sql_select.cc:24413 #13 0x55df61ddf82e in end_send_group(JOIN*, st_join_table*, bool) /data/src/10.4/sql/sql_select.cc:21403 #14 0x55df61dd2562 in do_select /data/src/10.4/sql/sql_select.cc:19513 #15 0x55df61d6be3c in JOIN::exec_inner() /data/src/10.4/sql/sql_select.cc:4371 #16 0x55df61d69737 in JOIN::exec() /data/src/10.4/sql/sql_select.cc:4153 #17 0x55df61d6d214 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4585 #18 0x55df61d437fa in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:424 #19 0x55df61cc4537 in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6652 #20 0x55df61cb10fe in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3889 #21 0x55df61cccdda in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8205 #22 0x55df61ca4ce5 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829 #23 0x55df61ca1b36 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358 #24 0x55df620358a5 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399 #25 0x55df6203529e in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302 #26 0x55df62bfcbe2 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862 #27 0x7fda33a86493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493) Thread T5 created by T0 here: #0 0x7fda33cbfbba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba) #1 0x55df62bfd1aa in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912 #2 0x55df619ec846 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268 #7 0x55df61a01973 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5876 #8 0x55df619ea6cf in main /data/src/10.4/sql/main.cc:25 #9 0x7fda31da42b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0) SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/strings/strcoll.ic:98 my_scan_weight_utf8_general_ci Shadow bytes around the buggy address: 0x0c1a80000f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c1a80000f50: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00 0x0c1a80000f60: 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa fa 0x0c1a80000f70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c1a80000f80: 04 fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd =>0x0c1a80000f90: fd fd fd fd fd fd fd fd[fd]fd fd fd fa fa fa fa 0x0c1a80000fa0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00 0x0c1a80000fb0: 00 00 00 00 04 fa fa fa fa fa fa fa fa fa 00 00 0x0c1a80000fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 0x0c1a80000fd0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c1a80000fe0: 00 00 00 00 00 00 00 00 00 04 fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Contiguous container OOB:fc ASan internal: fe ==23264==ABORTING 5.5 8024f8c6 ASAN ==24172==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000012d60 at pc 0x1697c49 bp 0x7fa810ad8d30 sp 0x7fa810ad8d28 READ of size 1 at 0x60c000012d60 thread T5 #0 0x1697c48 in my_utf8_uni /data/src/5.5/strings/ctype-utf8.c:2316 #1 0x169b915 in my_strnncollsp_utf8 /data/src/5.5/strings/ctype-utf8.c:2761 #2 0x809302 in sortcmp(String const*, String const*, charset_info_st const*) /data/src/5.5/sql/sql_string.cc:736 #3 0xbc9d8a in Item_func_min_max::val_str(String*) /data/src/5.5/sql/item_func.cc:3000 #4 0xb387ac in Cached_item_str::cmp() /data/src/5.5/sql/item_buff.cc:83 #5 0x70ac75 in test_if_group_changed /data/src/5.5/sql/sql_select.cc:21404 #6 0x788554 in end_send_group(JOIN*, st_join_table*, bool) /data/src/5.5/sql/sql_select.cc:18401 #7 0x770d89 in do_select /data/src/5.5/sql/sql_select.cc:16742 #8 0x7b0f3d in JOIN::exec() /data/src/5.5/sql/sql_select.cc:2912 #9 0x79d8ac in mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/5.5/sql/sql_select.cc:3133 #10 0x79df58 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/5.5/sql/sql_select.cc:323 #11 0x690312 in execute_sqlcom_select /data/src/5.5/sql/sql_parse.cc:4679 #12 0x6a70bb in mysql_execute_command(THD*) /data/src/5.5/sql/sql_parse.cc:2225 #13 0x6bac31 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/5.5/sql/sql_parse.cc:5924 #14 0x6be7ac in dispatch_command(enum_server_command, THD*, char*, unsigned int) /data/src/5.5/sql/sql_parse.cc:1067 #15 0x6c29f4 in do_command(THD*) /data/src/5.5/sql/sql_parse.cc:793 #16 0x91bf7a in do_handle_one_connection(THD*) /data/src/5.5/sql/sql_connect.cc:1268 #17 0x91c1eb in handle_one_connection /data/src/5.5/sql/sql_connect.cc:1184 #18 0x10ab47f in pfs_spawn_thread /data/src/5.5/storage/perfschema/pfs.cc:1015 freed by thread T5 here: #0 0x7fa81878e527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527) #1 0x1658faa in free_memory /data/src/5.5/mysys/safemalloc.c:205 previously allocated by thread T5 here: #0 0x7fa81878e73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f) #1 0x165908f in sf_malloc /data/src/5.5/mysys/safemalloc.c:105 Thread T5 created by T0 here: #0 0x7fa81875dbba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba) #1 0x10aeff4 in spawn_thread_v1 /data/src/5.5/storage/perfschema/pfs.cc:1038 SUMMARY: AddressSanitizer: heap-use-after-free /data/src/5.5/strings/ctype-utf8.c:2316 my_utf8_uni Shadow bytes around the buggy address: 0x0c187fffa550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c187fffa560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c187fffa570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c187fffa580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c187fffa590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c187fffa5a0: fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd 0x0c187fffa5b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c187fffa5c0: 00 00 00 00 00 00 07 fa fa fa fa fa fa fa fa fa 0x0c187fffa5d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 fa 0x0c187fffa5e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c187fffa5f0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Contiguous container OOB:fc ASan internal: fe ==24172==ABORTING

Alexander Barkov added a comment - 2019-04-22 09:41

The last problem with heap-use-after-free seems to be a different issue than non-ASAN crashes above.
Reported the ASAN problem as a separate issue MDEV-19299.

Alexander Barkov added a comment - 2019-04-22 09:41 The last problem with heap-use-after-free seems to be a different issue than non-ASAN crashes above. Reported the ASAN problem as a separate issue MDEV-19299 .

People

Assignee:: Alexander Barkov

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2017-10-10 20:18

Updated:: 2019-04-22 10:02

Resolved:: 2019-04-22 10:02

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates

Git Integration