  1. MariaDB Server
  2. MDEV-15011

Server crash, hang, buffer overrun, memory corruption or ASAN failure upon SELECT with a mix of data types and GROUP BY / ROLLUP


    Details

    • Type: Bug
    • Status: Open (View Workflow)
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 5.5, 10.0, 10.1, 10.2
    • Fix Version/s: 5.5, 10.0, 10.1, 10.2
    • Component/s: Server
    • Labels:
      None

      Description

      Note: I'm pasting all variations of the crashes here so that they are searchable in JIRA.

      # Test case for MDEV-15011. Run it only on a disposable test instance:
      # the traces on this page show memory corruption inside mysqld, not
      # merely a failed statement.
      CREATE TABLE t1 (i INT);
      INSERT INTO t1 VALUES (1),(2);
       
      # The GROUP BY key is a negated LEAST() over two different types: the
      # string returned by UpdateXML() and a TIME value, combined with
      # WITH ROLLUP. In the ASAN and 10.2 debug traces on this page the
      # faulting write is in decimal2bin(), reached from the filesort
      # sort-key code; the 10.2 debug frame shows precision=16777216 with
      # frac=6 being passed down.
      # NOTE(review): the other traces fault elsewhere (test_if_reopen, MDL
      # ticket list, malloc) - presumably later symptoms of the same
      # overrun rather than separate bugs; confirm when triaging.
      SELECT * FROM t1 
      GROUP BY - LEAST( UpdateXML('<a></a>', '/a', '<b></b>'), CAST('12:12:12' AS TIME) ) WITH ROLLUP;
       
      # Cleanup
      # On the 10.0 debug and 10.1 MyISAM builds the crash is reported while
      # this DROP is executing, not during the SELECT above.
      DROP TABLE t1;
      

      5.5 6c60c809bb9 debug with MyISAM

      #3  <signal handler called>
      #4  0x00007f20382a3cba in __memmove_avx_unaligned_erms () from /lib/x86_64-linux-gnu/libc.so.6
      #5  0x0000000000a5c229 in _mi_read_rnd_static_record (info=0x7f2032c59460, buf=0x0, filepos=7, skip_deleted_blocks=1 '\001') at /data/src/5.5/storage/myisam/mi_statrec.c:279
      #6  0x0000000000a56041 in mi_scan (info=0x7f2032c59460, buf=0x0) at /data/src/5.5/storage/myisam/mi_scan.c:45
      #7  0x0000000000a1fb7a in ha_myisam::rnd_next (this=0x7f2032c78078, buf=0x0) at /data/src/5.5/storage/myisam/ha_myisam.cc:1792
      #8  0x000000000059abee in handler::ha_rnd_next (this=0x7f2032c78078, buf=0x0) at /data/src/5.5/sql/sql_class.h:4355
      #9  0x00000000007ab051 in find_all_keys (param=0x7f2039c19240, select=0x7f2032d80d70, sort_keys=0x7f2032d37060, sort_keys_buf=0x7f2032d370d8 "\001", buffpek_pointers=0x7f2039c19450, tempfile=0x7f2039c192c0) at /data/src/5.5/sql/filesort.cc:687
      #10 0x00000000007a9c4e in filesort (thd=0x7f2033e64060, table=0x7f2032dd9460, sortorder=0x7f2032d812d0, s_length=1, select=0x7f2032d80d70, max_rows=18446744073709551615, sort_positions=false, examined_rows=0x7f2039c196d8) at /data/src/5.5/sql/filesort.cc:250
      #11 0x00000000006605bc in create_sort_index (thd=0x7f2033e64060, join=0x7f2032d49290, order=0x7f2032d49190, filesort_limit=18446744073709551615, select_limit=18446744073709551615, is_order_by=false) at /data/src/5.5/sql/sql_select.cc:20039
      #12 0x0000000000636dc6 in JOIN::exec (this=0x7f2032d49290) at /data/src/5.5/sql/sql_select.cc:2855
      #13 0x00000000006377bc in mysql_select (thd=0x7f2033e64060, rref_pointer_array=0x7f2033e67d08, tables=0x7f2032d48320, wild_num=1, fields=..., conds=0x0, og_num=1, order=0x0, group=0x7f2032d49190, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f2032d49270, unit=0x7f2033e67388, select_lex=0x7f2033e67a68) at /data/src/5.5/sql/sql_select.cc:3106
      #14 0x000000000062dfc8 in handle_select (thd=0x7f2033e64060, lex=0x7f2033e672d8, result=0x7f2032d49270, setup_tables_done_option=0) at /data/src/5.5/sql/sql_select.cc:319
      #15 0x000000000060745e in execute_sqlcom_select (thd=0x7f2033e64060, all_tables=0x7f2032d48320) at /data/src/5.5/sql/sql_parse.cc:4678
      #16 0x00000000006007df in mysql_execute_command (thd=0x7f2033e64060) at /data/src/5.5/sql/sql_parse.cc:2224
      #17 0x000000000060a02a in mysql_parse (thd=0x7f2033e64060, rawbuf=0x7f2032d48078 "", length=113, parser_state=0x7f2039c1a640) at /data/src/5.5/sql/sql_parse.cc:5923
      #18 0x00000000005fdd3f in dispatch_command (command=COM_QUERY, thd=0x7f2033e64060, packet=0x7f2037b5b061 "SELECT * FROM t1 \nGROUP BY - LEAST( UpdateXML('<a></a>', '/a', '<b></b>'), CAST('12:12:12' AS TIME) ) WITH ROLLUP", packet_length=113) at /data/src/5.5/sql/sql_parse.cc:1066
      #19 0x00000000005fcf31 in do_command (thd=0x7f2033e64060) at /data/src/5.5/sql/sql_parse.cc:793
      #20 0x0000000000700029 in do_handle_one_connection (thd_arg=0x7f2033e64060) at /data/src/5.5/sql/sql_connect.cc:1268
      #21 0x00000000006ffdb6 in handle_one_connection (arg=0x7f2033e64060) at /data/src/5.5/sql/sql_connect.cc:1184
      #22 0x0000000000a0dba9 in pfs_spawn_thread (arg=0x7f2034b76fc0) at /data/src/5.5/storage/perfschema/pfs.cc:1015
      #23 0x00007f203984d494 in start_thread (arg=0x7f2039c1b700) at pthread_create.c:333
      #24 0x00007f203826393f in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

      5.5 6c60c809bb9 release with MyISAM

      #0  test_if_reopen (filename=filename@entry=0x7fa37ccab120 "/data/bld/5.5-rel/mysql-test/var/tmp/mysqld.1/#sqld63_3_0.MYI") at /data/src/5.5/storage/myisam/mi_open.c:54
      #1  0x0000000000838c93 in mi_create (name=0x7fa37ccac6d0 "/data/bld/5.5-rel/mysql-test/var/tmp/mysqld.1/#sqld63_3_0", keys=<optimized out>, keydefs=0x7fa3758844e0, columns=<optimized out>, recinfo=<optimized out>, uniques=<optimized out>, uniquedefs=0x0, ci=0x7fa37ccac690, flags=6) at /data/src/5.5/storage/myisam/mi_create.c:636
      #2  0x000000000082952f in ha_myisam::create (this=<optimized out>, name=0x7fa37ccadb40 "/data/bld/5.5-rel/mysql-test/var/tmp/mysqld.1/#sqld63_3_0", table_arg=<optimized out>, ha_create_info=<optimized out>) at /data/src/5.5/storage/myisam/ha_myisam.cc:2042
      #3  0x0000000000698dee in handler::ha_create (this=0x7fa375873d18, name=<optimized out>, form=0x7fa37ccacea0, info=0x7fa37ccaf090) at /data/src/5.5/sql/handler.cc:3755
      #4  0x00000000006996ba in ha_create_table (thd=0x0, path=0x7fa37ccab120 "/data/bld/5.5-rel/mysql-test/var/tmp/mysqld.1/#sqld63_3_0.MYI", path@entry=0x7fa37ccadb40 "/data/bld/5.5-rel/mysql-test/var/tmp/mysqld.1/#sqld63_3_0", db=0x7fa37581d7f8 "mtr", table_name=0x7fa37581d1e0 "error_log", create_info=0x7fa37ccaf090, update_create_info=true, update_create_info@entry=false) at /data/src/5.5/sql/handler.cc:4084
      #5  0x00000000006150e7 in rea_create_table (thd=0x7fa376a0f000, path=0x7fa37ccadb40 "/data/bld/5.5-rel/mysql-test/var/tmp/mysqld.1/#sqld63_3_0", db=0x7fa37581d7f8 "mtr", table_name=0x7fa37581d1e0 "error_log", create_info=0x7fa37ccaf090, create_fields=..., keys=1, key_info=0x7fa37581e960, file=0x7fa37581e2a0) at /data/src/5.5/sql/unireg.cc:527
      #6  0x00000000005e99c1 in mysql_create_table_no_lock (thd=0x7fa376a0f000, db=0x7fa37ccab120 "/data/bld/5.5-rel/mysql-test/var/tmp/mysqld.1/#sqld63_3_0.MYI", table_name=0x7fa37581d1e0 "error_log", create_info=0x7fa37ccaf090, alter_info=0x7fa37ccab15e, internal_tmp_table=true, select_field_count=0, is_trans=0x7fa37ccaea4f) at /data/src/5.5/sql/sql_table.cc:4538
      #7  0x00000000005ea211 in mysql_create_table (thd=0x7fa376a0f000, create_table=0x7fa37581d228, create_info=0x7fa37ccaf090, alter_info=0x7fa37ccaeac0) at /data/src/5.5/sql/sql_table.cc:4633
      #8  0x00000000005872cd in mysql_execute_command (thd=0x7fa376a0f000) at /data/src/5.5/sql/sql_parse.cc:2635
      #9  0x0000000000587939 in mysql_parse (thd=0x7fa376a0f000, rawbuf=<optimized out>, length=168, parser_state=0x7fa37ccaf860) at /data/src/5.5/sql/sql_parse.cc:5923
      #10 0x0000000000589343 in dispatch_command (command=COM_QUERY, thd=0x7fa376a0f000, packet=<optimized out>, packet_length=<optimized out>) at /data/src/5.5/sql/sql_parse.cc:1066
      #11 0x0000000000589bba in do_command (thd=<optimized out>) at /data/src/5.5/sql/sql_parse.cc:793
      #12 0x0000000000627644 in do_handle_one_connection (thd_arg=thd_arg@entry=0x7fa376a0f000) at /data/src/5.5/sql/sql_connect.cc:1268
      #13 0x0000000000627692 in handle_one_connection (arg=arg@entry=0x7fa376a0f000) at /data/src/5.5/sql/sql_connect.cc:1184
      #14 0x000000000081f937 in pfs_spawn_thread (arg=0x7fa37a841df0) at /data/src/5.5/storage/perfschema/pfs.cc:1015
      #15 0x00007fa37c974494 in start_thread (arg=0x7fa37ccb0700) at pthread_create.c:333
      #16 0x00007fa37b38a93f in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

      5.5 6c60c809bb9 debug with InnoDB

      Error: Freeing overrun buffer  sql/opt_range.cc:4415, sql/rpl_record.cc:218, 0x7a9f8f, 0x6605bc, 0x636dc6, 0x6377bc, 0x62dfc8, 0x60745e
      Allocated at 0x7a9af2, 0x6605bc, 0x636dc6, 0x6377bc, 0x62dfc8, 0x60745e, 0x6007df, 0x60a02a
      180120 18:05:09 [ERROR] mysqld got signal 11 ;
      

      Both debug and release builds with InnoDB hang/loop until gdb is run on the process, at which point they crash.

      10.0 5e87f49a99 debug with MyISAM

      #3  <signal handler called>
      #4  0x0000000000b0be47 in test_if_reopen (filename=0x7fb968418b00 "/data/bld/10.0/mysql-test/var/mysqld.1/data/mysql/table_stats.MYI") at /data/src/10.0/storage/myisam/mi_open.c:65
      #5  0x0000000000b0c0a1 in mi_open (name=0x7fb95e865788 "./mysql/table_stats", mode=2, open_flags=82) at /data/src/10.0/storage/myisam/mi_open.c:122
      #6  0x0000000000ae2165 in ha_myisam::open (this=0x7fb95e87e888, name=0x7fb95e865788 "./mysql/table_stats", mode=2, test_if_locked=18) at /data/src/10.0/storage/myisam/ha_myisam.cc:755
      #7  0x000000000083ec9a in handler::ha_open (this=0x7fb95e87e888, table_arg=0x7fb95e89f070, name=0x7fb95e865788 "./mysql/table_stats", mode=2, test_if_locked=18) at /data/src/10.0/sql/handler.cc:2550
      #8  0x000000000072b372 in open_table_from_share (thd=0x7fb9602a2070, share=0x7fb95e865188, alias=0xed9dcc "table_stats", db_stat=39, prgflag=44, ha_open_flags=18, outparam=0x7fb95e89f070, is_create_table=false) at /data/src/10.0/sql/table.cc:2865
      #9  0x00000000005ebfb4 in open_table (thd=0x7fb9602a2070, table_list=0x7fb9684199c0, mem_root=0x7fb9684194e0, ot_ctx=0x7fb9684194a0) at /data/src/10.0/sql/sql_base.cc:2516
      #10 0x00000000005ee71a in open_and_process_table (thd=0x7fb9602a2070, lex=0x7fb9602a5940, tables=0x7fb9684199c0, counter=0x7fb9684195e4, flags=2050, prelocking_strategy=0x7fb968419620, has_prelocking_list=false, ot_ctx=0x7fb9684194a0, new_frm_mem=0x7fb9684194e0) at /data/src/10.0/sql/sql_base.cc:4034
      #11 0x00000000005ef7cf in open_tables (thd=0x7fb9602a2070, start=0x7fb9684195a0, counter=0x7fb9684195e4, flags=2050, prelocking_strategy=0x7fb968419620) at /data/src/10.0/sql/sql_base.cc:4568
      #12 0x00000000005f07ef in open_and_lock_tables (thd=0x7fb9602a2070, tables=0x7fb9684199c0, derived=false, flags=2050, prelocking_strategy=0x7fb968419620) at /data/src/10.0/sql/sql_base.cc:5220
      #13 0x00000000005e4c2b in open_and_lock_tables (thd=0x7fb9602a2070, tables=0x7fb9684199c0, derived=false, flags=2050) at /data/src/10.0/sql/sql_base.h:490
      #14 0x00000000005f9735 in open_system_tables_for_read (thd=0x7fb9602a2070, table_list=0x7fb9684199c0, backup=0x7fb9684197f0) at /data/src/10.0/sql/sql_base.cc:9225
      #15 0x00000000006e4979 in open_stat_tables (thd=0x7fb9602a2070, tables=0x7fb9684199c0, backup=0x7fb9684197f0, for_write=true) at /data/src/10.0/sql/sql_statistics.cc:144
      #16 0x00000000006e71ba in delete_statistics_for_table (thd=0x7fb9602a2070, db=0x7fb96841abf0, tab=0x7fb96841abe0) at /data/src/10.0/sql/sql_statistics.cc:3158
      #17 0x00000000006f4216 in mysql_rm_table (thd=0x7fb9602a2070, tables=0x7fb95e8fa150, if_exists=0 '\000', drop_temporary=0 '\000') at /data/src/10.0/sql/sql_table.cc:2053
      #18 0x000000000064fbca in mysql_execute_command (thd=0x7fb9602a2070) at /data/src/10.0/sql/sql_parse.cc:3695
      #19 0x0000000000657476 in mysql_parse (thd=0x7fb9602a2070, rawbuf=0x7fb95e8fa088 "DROP TABLE t1", length=13, parser_state=0x7fb96841b640) at /data/src/10.0/sql/sql_parse.cc:6569
      #20 0x0000000000649fb5 in dispatch_command (command=COM_QUERY, thd=0x7fb9602a2070, packet=0x7fb9617e5071 "DROP TABLE t1", packet_length=13) at /data/src/10.0/sql/sql_parse.cc:1296
      #21 0x00000000006492b5 in do_command (thd=0x7fb9602a2070) at /data/src/10.0/sql/sql_parse.cc:999
      #22 0x0000000000769314 in do_handle_one_connection (thd_arg=0x7fb9602a2070) at /data/src/10.0/sql/sql_connect.cc:1377
      #23 0x0000000000769086 in handle_one_connection (arg=0x7fb9602a2070) at /data/src/10.0/sql/sql_connect.cc:1292
      #24 0x0000000000aca032 in pfs_spawn_thread (arg=0x7fb9601a2370) at /data/src/10.0/storage/perfschema/pfs.cc:1861
      #25 0x00007fb96804f494 in start_thread (arg=0x7fb96841c700) at pthread_create.c:333
      #26 0x00007fb96640893f in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

      10.0 5e87f49a99 debug with InnoDB

      #3  <signal handler called>
      #4  0x0000000000e4517e in _db_enter_ (_func_=0xf6bd27 "handler::ha_rnd_next", _file_=0xf6b071 "/data/src/10.0/sql/handler.cc", _line_=2618, _stack_frame_=0x7f648d804d40) at /data/src/10.0/dbug/dbug.c:1114
      #5  0x000000000083f0c5 in handler::ha_rnd_next (this=0x7f647747e888, buf=0x7f6477428988 "\377\217\217\217\217\245\245\245\377\245\245\245\245\245\245\245\250\211Bwd\177") at /data/src/10.0/sql/handler.cc:2618
      #6  0x0000000000835286 in find_all_keys (param=0x7f648d805000, select=0x7f6477516d00, fs_info=0x7f648d804f90, buffpek_pointers=0x7f648d805220, tempfile=0x7f648d805080, pq=0x0, found_rows=0x7f648d8054c8) at /data/src/10.0/sql/filesort.cc:754
      #7  0x0000000000833e7a in filesort (thd=0x7f648033b070, table=0x7f647749e470, sortorder=0x7f6477517618, s_length=1, select=0x7f6477516d00, max_rows=18446744073709551615, sort_positions=false, examined_rows=0x7f648d8054d0, found_rows=0x7f648d8054c8) at /data/src/10.0/sql/filesort.cc:297
      #8  0x00000000006b43f0 in create_sort_index (thd=0x7f648033b070, join=0x7f64775a52d0, order=0x7f64775a51c0, filesort_limit=18446744073709551615, select_limit=18446744073709551615, is_order_by=false) at /data/src/10.0/sql/sql_select.cc:20957
      #9  0x000000000068931c in JOIN::exec_inner (this=0x7f64775a52d0) at /data/src/10.0/sql/sql_select.cc:3063
      #10 0x00000000006869e6 in JOIN::exec (this=0x7f64775a52d0) at /data/src/10.0/sql/sql_select.cc:2379
      #11 0x0000000000689d88 in mysql_select (thd=0x7f648033b070, rref_pointer_array=0x7f648033f3a0, tables=0x7f64775a4330, wild_num=1, fields=..., conds=0x0, og_num=1, order=0x0, group=0x7f64775a51c0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f64775a52b0, unit=0x7f648033ea08, select_lex=0x7f648033f0f8) at /data/src/10.0/sql/sql_select.cc:3318
      #12 0x0000000000680056 in handle_select (thd=0x7f648033b070, lex=0x7f648033e940, result=0x7f64775a52b0, setup_tables_done_option=0) at /data/src/10.0/sql/sql_select.cc:373
      #13 0x00000000006547f5 in execute_sqlcom_select (thd=0x7f648033b070, all_tables=0x7f64775a4330) at /data/src/10.0/sql/sql_parse.cc:5293
      #14 0x000000000064cd8e in mysql_execute_command (thd=0x7f648033b070) at /data/src/10.0/sql/sql_parse.cc:2553
      #15 0x0000000000657476 in mysql_parse (thd=0x7f648033b070, rawbuf=0x7f64775a4088 "SELECT * FROM t1 \nGROUP BY - LEAST( UpdateXML('<a></a>', '/a', '<b></b>'), CAST('12:12:12' AS TIME) ) WITH ROLLUP", length=113, parser_state=0x7f648d806640) at /data/src/10.0/sql/sql_parse.cc:6569
      #16 0x0000000000649fb5 in dispatch_command (command=COM_QUERY, thd=0x7f648033b070, packet=0x7f648065d071 "SELECT * FROM t1 \nGROUP BY - LEAST( UpdateXML('<a></a>', '/a', '<b></b>'), CAST('12:12:12' AS TIME) ) WITH ROLLUP", packet_length=113) at /data/src/10.0/sql/sql_parse.cc:1296
      #17 0x00000000006492b5 in do_command (thd=0x7f648033b070) at /data/src/10.0/sql/sql_parse.cc:999
      #18 0x0000000000769314 in do_handle_one_connection (thd_arg=0x7f648033b070) at /data/src/10.0/sql/sql_connect.cc:1377
      #19 0x0000000000769086 in handle_one_connection (arg=0x7f648033b070) at /data/src/10.0/sql/sql_connect.cc:1292
      #20 0x0000000000aca032 in pfs_spawn_thread (arg=0x7f64802801f0) at /data/src/10.0/storage/perfschema/pfs.cc:1861
      #21 0x00007f648d444494 in start_thread (arg=0x7f648d807700) at pthread_create.c:333
      #22 0x00007f648b7fd93f in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

      10.0 5e87f49a99 ASAN

      ==6271==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x628000003dec at pc 0x19412c5 bp 0x7f70aeed8aa0 sp 0x7f70aeed8a98
      WRITE of size 1 at 0x628000003dec thread T5
          #0 0x19412c4 in decimal2bin /data/src/10.0/strings/decimal.c:1226
          #1 0xe3473f in my_decimal2binary(unsigned int, my_decimal const*, unsigned char*, int, int) /data/src/10.0/sql/my_decimal.cc:212
          #2 0xb546c1 in make_sortkey /data/src/10.0/sql/filesort.cc:1110
          #3 0xb58718 in find_all_keys /data/src/10.0/sql/filesort.cc:829
          #4 0xb58718 in filesort(THD*, TABLE*, st_sort_field*, unsigned int, SQL_SELECT*, unsigned long long, bool, unsigned long long*, unsigned long long*) /data/src/10.0/sql/filesort.cc:297
          #5 0x79c32d in create_sort_index /data/src/10.0/sql/sql_select.cc:20957
          #6 0x7dc451 in JOIN::exec_inner() /data/src/10.0/sql/sql_select.cc:3063
          #7 0x7ddc47 in JOIN::exec() /data/src/10.0/sql/sql_select.cc:2379
          #8 0x7d2daa in mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.0/sql/sql_select.cc:3318
          #9 0x7d33da in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.0/sql/sql_select.cc:373
          #10 0x6b5f70 in execute_sqlcom_select /data/src/10.0/sql/sql_parse.cc:5293
          #11 0x6cd7ac in mysql_execute_command(THD*) /data/src/10.0/sql/sql_parse.cc:2553
          #12 0x6e22fb in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.0/sql/sql_parse.cc:6569
          #13 0x6e5f1a in dispatch_command(enum_server_command, THD*, char*, unsigned int) /data/src/10.0/sql/sql_parse.cc:1296
          #14 0x6ea813 in do_command(THD*) /data/src/10.0/sql/sql_parse.cc:999
          #15 0x97664b in do_handle_one_connection(THD*) /data/src/10.0/sql/sql_connect.cc:1377
          #16 0x9768b2 in handle_one_connection /data/src/10.0/sql/sql_connect.cc:1292
          #17 0x11aa1a2 in pfs_spawn_thread /data/src/10.0/storage/perfschema/pfs.cc:1861
          #18 0x7f70b94f5493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
          #19 0x7f70b78ae93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
       
      0x628000003dec is located 0 bytes to the right of 15596-byte region [0x628000000100,0x628000003dec)
      allocated by thread T5 here:
          #0 0x7f70b975f73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
          #1 0x18e75f4 in sf_malloc /data/src/10.0/mysys/safemalloc.c:115
          #2 0x19ca28a (/data/bld/10.0-asan/bin/mysqld+0x19ca28a)
       
      Thread T5 created by T0 here:
          #0 0x7f70b972ebba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x11b59f9 in spawn_thread_v1 /data/src/10.0/storage/perfschema/pfs.cc:1911
       
      SUMMARY: AddressSanitizer: heap-buffer-overflow /data/src/10.0/strings/decimal.c:1226 decimal2bin
      Shadow bytes around the buggy address:
        0x0c507fff8760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c507fff8770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c507fff8780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c507fff8790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c507fff87a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0c507fff87b0: 00 00 00 00 00 00 00 00 00 00 00 00 00[04]fa fa
        0x0c507fff87c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c507fff87d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c507fff87e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c507fff87f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c507fff8800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Contiguous container OOB:fc
        ASan internal:           fe
      ==6271==ABORTING
      

      10.0 5e87f49a99 release with MyISAM

      #2  <signal handler called>
      #3  0x00000000005efc49 in JOIN::exec_inner (this=0x7f83cba2e268) at /data/src/10.0/sql/sql_select.cc:3066
      #4  0x00000000005f1779 in JOIN::exec (this=0x7f83cba2e268) at /data/src/10.0/sql/sql_select.cc:2379
      #5  0x00000000005ee59d in mysql_select (thd=thd@entry=0x7f83cdff3008, rref_pointer_array=rref_pointer_array@entry=0x7f83cdff7200, tables=0x7f83cba2d2c8, wild_num=<optimized out>, fields=..., conds=<optimized out>, og_num=1, order=0x0, group=0x7f83cba2e158, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f83cba2e248, unit=0x7f83cdff6868, select_lex=0x7f83cdff6f58) at /data/src/10.0/sql/sql_select.cc:3318
      #6  0x00000000005eef24 in handle_select (thd=thd@entry=0x7f83cdff3008, lex=lex@entry=0x7f83cdff67a0, result=result@entry=0x7f83cba2e248, setup_tables_done_option=setup_tables_done_option@entry=0) at /data/src/10.0/sql/sql_select.cc:373
      #7  0x000000000059dde7 in execute_sqlcom_select (thd=0x7f83cdff3008, all_tables=0x7f83cba2d2c8) at /data/src/10.0/sql/sql_parse.cc:5293
      #8  0x00000000005a90ed in mysql_execute_command (thd=0x7f83cdff3008) at /data/src/10.0/sql/sql_parse.cc:2553
      #9  0x00000000005aae08 in mysql_parse (thd=0x7f83cdff3008, rawbuf=<optimized out>, length=113, parser_state=0x7f83d5140850) at /data/src/10.0/sql/sql_parse.cc:6569
      #10 0x00000000005ac7b4 in dispatch_command (command=<optimized out>, thd=0x7f83cdff3008, packet=<optimized out>, packet_length=<optimized out>) at /data/src/10.0/sql/sql_parse.cc:1296
      #11 0x00000000005ad11f in do_command (thd=<optimized out>) at /data/src/10.0/sql/sql_parse.cc:999
      #12 0x000000000065c6d4 in do_handle_one_connection (thd_arg=thd_arg@entry=0x7f83cdff3008) at /data/src/10.0/sql/sql_connect.cc:1377
      #13 0x000000000065c718 in handle_one_connection (arg=arg@entry=0x7f83cdff3008) at /data/src/10.0/sql/sql_connect.cc:1292
      #14 0x0000000000890cd4 in pfs_spawn_thread (arg=0x7f83d283f608) at /data/src/10.0/storage/perfschema/pfs.cc:1861
      #15 0x00007f83d4d74494 in start_thread (arg=0x7f83d5141700) at pthread_create.c:333
      #16 0x00007f83d312d93f in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

      10.1 4794e5b091 debug with MyISAM

      #3  <signal handler called>
      #4  0x00007f16c450834a in __strcmp_sse2_unaligned () from /lib/x86_64-linux-gnu/libc.so.6
      #5  0x00005646591746a9 in test_if_reopen (filename=0x7f16c65245d0 "/data/bld/10.1/mysql-test/var/mysqld.1/data/mysql/table_stats.MYI") at /data/src/10.1/storage/myisam/mi_open.c:66
      #6  0x00005646591748f5 in mi_open (name=0x7f16bb865370 "./mysql/table_stats", mode=2, open_flags=82) at /data/src/10.1/storage/myisam/mi_open.c:122
      #7  0x0000564659148747 in ha_myisam::open (this=0x7f16bb8b0888, name=0x7f16bb865370 "./mysql/table_stats", mode=2, test_if_locked=18) at /data/src/10.1/storage/myisam/ha_myisam.cc:754
      #8  0x0000564658e83048 in handler::ha_open (this=0x7f16bb8b0888, table_arg=0x7f16bb882a70, name=0x7f16bb865370 "./mysql/table_stats", mode=2, test_if_locked=18) at /data/src/10.1/sql/handler.cc:2531
      #9  0x0000564658d33386 in open_table_from_share (thd=0x7f16bd4d5070, share=0x7f16bb864e88, alias=0x5646595a68d4 "table_stats", db_stat=39, prgflag=44, ha_open_flags=18, outparam=0x7f16bb882a70, is_create_table=false) at /data/src/10.1/sql/table.cc:2966
      #10 0x0000564658bd9016 in open_table (thd=0x7f16bd4d5070, table_list=0x7f16c65267c0, ot_ctx=0x7f16c65262c0) at /data/src/10.1/sql/sql_base.cc:2553
      #11 0x0000564658bdb883 in open_and_process_table (thd=0x7f16bd4d5070, lex=0x7f16bd4d8aa8, tables=0x7f16c65267c0, counter=0x7f16c6526354, flags=2050, prelocking_strategy=0x7f16c65263d0, has_prelocking_list=false, ot_ctx=0x7f16c65262c0) at /data/src/10.1/sql/sql_base.cc:4068
      #12 0x0000564658bdc8fe in open_tables (thd=0x7f16bd4d5070, options=..., start=0x7f16c6526338, counter=0x7f16c6526354, flags=2050, prelocking_strategy=0x7f16c65263d0) at /data/src/10.1/sql/sql_base.cc:4579
      #13 0x0000564658bddc38 in open_and_lock_tables (thd=0x7f16bd4d5070, options=..., tables=0x7f16c65267c0, derived=false, flags=2050, prelocking_strategy=0x7f16c65263d0) at /data/src/10.1/sql/sql_base.cc:5259
      #14 0x0000564658bd167b in open_and_lock_tables (thd=0x7f16bd4d5070, tables=0x7f16c65267c0, derived=false, flags=2050) at /data/src/10.1/sql/sql_base.h:535
      #15 0x0000564658be7535 in open_system_tables_for_read (thd=0x7f16bd4d5070, table_list=0x7f16c65267c0, backup=0x7f16c65265f0) at /data/src/10.1/sql/sql_base.cc:9279
      #16 0x0000564658ce6cac in open_stat_tables (thd=0x7f16bd4d5070, tables=0x7f16c65267c0, backup=0x7f16c65265f0, for_write=true) at /data/src/10.1/sql/sql_statistics.cc:270
      #17 0x0000564658ce983d in delete_statistics_for_table (thd=0x7f16bd4d5070, db=0x7f16c65279f0, tab=0x7f16c6527a00) at /data/src/10.1/sql/sql_statistics.cc:3297
      #18 0x0000564658cf6fa1 in mysql_rm_table (thd=0x7f16bd4d5070, tables=0x7f16bb843150, if_exists=0 '\000', drop_temporary=0 '\000') at /data/src/10.1/sql/sql_table.cc:2031
      #19 0x0000564658c4571b in mysql_execute_command (thd=0x7f16bd4d5070) at /data/src/10.1/sql/sql_parse.cc:4239
      #20 0x0000564658c4ebf1 in mysql_parse (thd=0x7f16bd4d5070, rawbuf=0x7f16bb843088 "DROP TABLE t1", length=13, parser_state=0x7f16c65285e0) at /data/src/10.1/sql/sql_parse.cc:7347
      #21 0x0000564658c3dab6 in dispatch_command (command=COM_QUERY, thd=0x7f16bd4d5070, packet=0x7f16bfff9071 "DROP TABLE t1", packet_length=13) at /data/src/10.1/sql/sql_parse.cc:1477
      #22 0x0000564658c3c83b in do_command (thd=0x7f16bd4d5070) at /data/src/10.1/sql/sql_parse.cc:1106
      #23 0x0000564658d75393 in do_handle_one_connection (thd_arg=0x7f16bd4d5070) at /data/src/10.1/sql/sql_connect.cc:1330
      #24 0x0000564658d750f7 in handle_one_connection (arg=0x7f16bd4d5070) at /data/src/10.1/sql/sql_connect.cc:1242
      #25 0x000056465912fda6 in pfs_spawn_thread (arg=0x7f16c3c39ef0) at /data/src/10.1/storage/perfschema/pfs.cc:1861
      #26 0x00007f16c61a8494 in start_thread (arg=0x7f16c6529b00) at pthread_create.c:333
      #27 0x00007f16c456193f in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

      10.1 4794e5b091c release with MyISAM

      #2  <signal handler called>
      #3  push_back (a=<optimized out>, this=<optimized out>) at /data/src/10.1/sql/sql_plist.h:99
      #4  MDL_lock::Ticket_list::add_ticket (this=0x7f3be61bea28, ticket=0x7f3be60180c0) at /data/src/10.1/sql/mdl.cc:1202
      #5  0x000055b8bf5ec024 in MDL_context::try_acquire_lock_impl (this=this@entry=0x7f3bea7e9100, mdl_request=mdl_request@entry=0x7f3bf105d638, out_ticket=out_ticket@entry=0x7f3bf105c648) at /data/src/10.1/sql/mdl.cc:1912
      #6  0x000055b8bf5ec5b6 in MDL_context::acquire_lock (this=this@entry=0x7f3bea7e9100, mdl_request=mdl_request@entry=0x7f3bf105d638, lock_wait_timeout=31536000) at /data/src/10.1/sql/mdl.cc:2054
      #7  0x000055b8bf4d7f5e in open_table_get_mdl_lock (thd=0x7f3bea7e9008, ot_ctx=0x7f3bf105cf90, mdl_request=0x7f3bf105d638, flags=<optimized out>, mdl_ticket=0x7f3bf105c938) at /data/src/10.1/sql/sql_base.cc:2103
      #8  0x000055b8bf4dbdeb in open_table (thd=0x7f3bea7e9008, table_list=0x7f3bf105d210, ot_ctx=0x7f3bf105cf90) at /data/src/10.1/sql/sql_base.cc:2375
      #9  0x000055b8bf4dfe77 in open_and_process_table (ot_ctx=0x7f3bf105cf90, has_prelocking_list=false, prelocking_strategy=0x7f3bf105d060, flags=2050, counter=0x7f3bf105d02c, tables=0x7f3bf105d210, lex=0x7f3bea7ec880, thd=0x7f3bea7e9008) at /data/src/10.1/sql/sql_base.cc:4068
      #10 open_tables (thd=thd@entry=0x7f3bea7e9008, options=..., start=start@entry=0x7f3bf105d018, counter=counter@entry=0x7f3bf105d02c, flags=flags@entry=2050, prelocking_strategy=prelocking_strategy@entry=0x7f3bf105d060) at /data/src/10.1/sql/sql_base.cc:4579
      #11 0x000055b8bf4e056d in open_and_lock_tables (thd=thd@entry=0x7f3bea7e9008, options=..., tables=tables@entry=0x7f3bf105d210, derived=derived@entry=false, flags=flags@entry=2050, prelocking_strategy=prelocking_strategy@entry=0x7f3bf105d060) at /data/src/10.1/sql/sql_base.cc:5259
      #12 0x000055b8bf4e4ba6 in open_and_lock_tables (flags=2050, derived=false, tables=0x7f3bf105d210, thd=0x7f3bea7e9008) at /data/src/10.1/sql/sql_base.h:535
      #13 open_system_tables_for_read (thd=thd@entry=0x7f3bea7e9008, table_list=table_list@entry=0x7f3bf105d210, backup=backup@entry=0x7f3bf105d1c0) at /data/src/10.1/sql/sql_base.cc:9279
      #14 0x000055b8bf58e46c in open_stat_tables (for_write=true, backup=0x7f3bf105d1c0, tables=0x7f3bf105d210, thd=0x7f3bea7e9008) at /data/src/10.1/sql/sql_statistics.cc:270
      #15 delete_statistics_for_table (thd=0x7f3bea7e9008, db=0x7f3bf105f050, tab=0x7f3bf105f060) at /data/src/10.1/sql/sql_statistics.cc:3297
      #16 0x000055b8bf5990ab in mysql_rm_table (thd=0x7f3bea7e9008, tables=0x7f3be61560e8, if_exists=0 '\000', drop_temporary=0 '\000') at /data/src/10.1/sql/sql_table.cc:2031
      #17 0x000055b8bf51d3f2 in mysql_execute_command (thd=0x7f3bea7e9008) at /data/src/10.1/sql/sql_parse.cc:4239
      #18 0x000055b8bf5236d7 in mysql_parse (thd=0x7f3bea7e9008, rawbuf=<optimized out>, length=<optimized out>, parser_state=0x7f3bf1060620) at /data/src/10.1/sql/sql_parse.cc:7347
      #19 0x000055b8bf526410 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7f3bea7e9008, packet=packet@entry=0x7f3be7f8c009 "DROP TABLE t1", packet_length=packet_length@entry=13) at /data/src/10.1/sql/sql_parse.cc:1477
      #20 0x000055b8bf526bf3 in do_command (thd=0x7f3bea7e9008) at /data/src/10.1/sql/sql_parse.cc:1106
      #21 0x000055b8bf5e3d5c in do_handle_one_connection (thd_arg=thd_arg@entry=0x7f3bea7e9008) at /data/src/10.1/sql/sql_connect.cc:1330
      #22 0x000055b8bf5e3f17 in handle_one_connection (arg=arg@entry=0x7f3bea7e9008) at /data/src/10.1/sql/sql_connect.cc:1242
      #23 0x000055b8bf85cc54 in pfs_spawn_thread (arg=0x7f3bee43ea08) at /data/src/10.1/storage/perfschema/pfs.cc:1861
      #24 0x00007f3bf0ce0494 in start_thread (arg=0x7f3bf1061b00) at pthread_create.c:333
      #25 0x00007f3bef09993f in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

      10.2 30289a2713 debug

      #7  0x000055ace3ce2053 in handle_fatal_signal (sig=11) at /data/src/10.2/sql/signal_handler.cc:166
      #8  <signal handler called>
      #9  0x000055ace449a7aa in decimal2bin (from=0x7f5fae699570, to=0x7f5f9c19d001 <error: Cannot access memory at address 0x7f5f9c19d001>, precision=16777216, frac=6) at /data/src/10.2/strings/decimal.c:1226
      #10 0x000055ace3e28445 in my_decimal2binary (mask=30, d=0x7f5fae699620, bin=0x7f5f9c10f641 "", prec=16777216, scale=6) at /data/src/10.2/sql/my_decimal.cc:215
      #11 0x000055ace3cded76 in Type_handler_decimal_result::make_sort_key (this=0x55ace502a050 <type_handler_newdecimal>, to=0x7f5f9c10f641 "", item=0x7f5f9c013520, sort_field=0x7f5f9c0163b8, param=0x7f5fae6999a0) at /data/src/10.2/sql/filesort.cc:1143
      #12 0x000055ace39adb9d in Item::make_sort_key (this=0x7f5f9c013520, to=0x7f5f9c10f640 "\001", item=0x7f5f9c013520, sort_field=0x7f5f9c0163b8, param=0x7f5fae6999a0) at /data/src/10.2/sql/item.h:881
      #13 0x000055ace3cdeed7 in make_sortkey (param=0x7f5fae6999a0, to=0x7f5f9c10f640 "\001", ref_pos=0x7f5fae699820 "") at /data/src/10.2/sql/filesort.cc:1188
      #14 0x000055ace3cde0db in find_all_keys (thd=0x7f5f9c000b00, param=0x7f5fae6999a0, select=0x7f5f9c015560, fs_info=0x7f5f9c178a10, buffpek_pointers=0x7f5fae699ba0, tempfile=0x7f5fae699a30, pq=0x0, found_rows=0x7f5f9c178bf0) at /data/src/10.2/sql/filesort.cc:862
      #15 0x000055ace3cdc3a1 in filesort (thd=0x7f5f9c000b00, table=0x7f5f9c00a2c0, filesort=0x7f5f9c015b48, tracker=0x7f5f9c016338, join=0x7f5f9c013730, first_table_bit=1) at /data/src/10.2/sql/filesort.cc:279
      #16 0x000055ace3ae8e7c in create_sort_index (thd=0x7f5f9c000b00, join=0x7f5f9c013730, tab=0x7f5f9c014c10, fsort=0x7f5f9c015b48) at /data/src/10.2/sql/sql_select.cc:21780
      #17 0x000055ace3ae3909 in st_join_table::sort_table (this=0x7f5f9c014c10) at /data/src/10.2/sql/sql_select.cc:19615
      #18 0x000055ace3ae3557 in join_init_read_record (tab=0x7f5f9c014c10) at /data/src/10.2/sql/sql_select.cc:19556
      #19 0x000055ace3ae153e in sub_select (join=0x7f5f9c013730, join_tab=0x7f5f9c014c10, end_of_records=false) at /data/src/10.2/sql/sql_select.cc:18651
      #20 0x000055ace3ae0b39 in do_select (join=0x7f5f9c013730, procedure=0x0) at /data/src/10.2/sql/sql_select.cc:18198
      #21 0x000055ace3abb23f in JOIN::exec_inner (this=0x7f5f9c013730) at /data/src/10.2/sql/sql_select.cc:3530
      #22 0x000055ace3aba6ee in JOIN::exec (this=0x7f5f9c013730) at /data/src/10.2/sql/sql_select.cc:3325
      #23 0x000055ace3abb8b7 in mysql_select (thd=0x7f5f9c000b00, tables=0x7f5f9c012780, wild_num=1, fields=..., conds=0x0, og_num=1, order=0x0, group=0x7f5f9c0135f0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f5f9c013710, unit=0x7f5f9c0046a0, select_lex=0x7f5f9c004dd8) at /data/src/10.2/sql/sql_select.cc:3725
      #24 0x000055ace3ab0064 in handle_select (thd=0x7f5f9c000b00, lex=0x7f5f9c0045d8, result=0x7f5f9c013710, setup_tables_done_option=0) at /data/src/10.2/sql/sql_select.cc:373
      #25 0x000055ace3a7c12f in execute_sqlcom_select (thd=0x7f5f9c000b00, all_tables=0x7f5f9c012780) at /data/src/10.2/sql/sql_parse.cc:6449
      #26 0x000055ace3a721b6 in mysql_execute_command (thd=0x7f5f9c000b00) at /data/src/10.2/sql/sql_parse.cc:3460
      #27 0x000055ace3a7faed in mysql_parse (thd=0x7f5f9c000b00, rawbuf=0x7f5f9c0124e8 "SELECT * FROM t1 \nGROUP BY - LEAST( UpdateXML('<a></a>', '/a', '<b></b>'), CAST('12:12:12' AS TIME) ) WITH ROLLUP", length=113, parser_state=0x7f5fae69b200, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7891
      #28 0x000055ace3a6daad in dispatch_command (command=COM_QUERY, thd=0x7f5f9c000b00, packet=0x7f5f9c170451 "", packet_length=113, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1806
      #29 0x000055ace3a6c410 in do_command (thd=0x7f5f9c000b00) at /data/src/10.2/sql/sql_parse.cc:1360
      #30 0x000055ace3bba2aa in do_handle_one_connection (connect=0x55ace65ac110) at /data/src/10.2/sql/sql_connect.cc:1335
      #31 0x000055ace3bba037 in handle_one_connection (arg=0x55ace65ac110) at /data/src/10.2/sql/sql_connect.cc:1241
      #32 0x000055ace3fd92dc in pfs_spawn_thread (arg=0x55ace650b000) at /data/src/10.2/storage/perfschema/pfs.cc:1862
      #33 0x00007f5fb6096494 in start_thread (arg=0x7f5fae69c700) at pthread_create.c:333
      #34 0x00007f5fb447c93f in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

      10.2 30289a2713 release

      *** Error in `/data/bld/10.2-rel/bin/mysqld': malloc(): memory corruption: 0x00007f8f5c042d80 ***
      


              People

              Assignee:
              sanja Oleksandr Byelkin
              Reporter:
              elenst Elena Stepanova