[MDEV-15347] Valgrind or ASAN errors in mysql_make_view on query from information_schema - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.1(EOL), 10.2(EOL), 10.3(EOL)
Fix Version/s: 10.1.34, 10.2.15, 10.3.7
Component/s: Admin statements, Views
Labels:
- affects-tests
- regression

Description

CREATE VIEW v AS SELECT 1;

CREATE FUNCTION f() RETURNS INT RETURN 1;

SELECT * FROM INFORMATION_SCHEMA.TABLES JOIN INFORMATION_SCHEMA.PARAMETERS

UNION

SELECT * FROM INFORMATION_SCHEMA.TABLES JOIN INFORMATION_SCHEMA.PARAMETERS;

10.1 9ea3ad6d754103 valgrind
==15592== Thread 6:
==15592== Invalid read of size 4
==15592== at 0x6C6FB7: mysql_make_view(THD, TABLE_SHARE, TABLE_LIST*, bool) (sql_view.cc:1344)
==15592== by 0x573E94: open_table(THD, TABLE_LIST, Open_table_context*) (sql_base.cc:2467)
==15592== by 0x576A4E: open_and_process_table(THD, LEX, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy, bool, Open_table_context) (sql_base.cc:4068)
==15592== by 0x577AC9: open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) (sql_base.cc:4579)
==15592== by 0x56F4C7: open_tables(THD, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) (sql_base.h:252)
==15592== by 0x579007: open_normal_and_derived_tables(THD, TABLE_LIST, unsigned int, unsigned int) (sql_base.cc:5322)
==15592== by 0x67112A: fill_schema_table_by_open(THD, bool, TABLE, st_schema_table, st_mysql_lex_string, st_mysql_lex_string, Open_tables_backup, bool) (sql_show.cc:4232)
==15592== by 0x672867: get_all_tables(THD, TABLE_LIST, Item*) (sql_show.cc:4870)
==15592== by 0x6817AB: get_schema_tables_result(JOIN*, enum_schema_table_state) (sql_show.cc:8227)
==15592== by 0x620A86: JOIN::exec_inner() (sql_select.cc:2691)
==15592== by 0x620120: JOIN::exec() (sql_select.cc:2539)
==15592== by 0x6B9F32: st_select_lex_unit::exec() (sql_union.cc:847)
==15592== by 0x6B744F: mysql_union(THD, LEX, select_result, st_select_lex_unit, unsigned long) (sql_union.cc:39)
==15592== by 0x618DBA: handle_select(THD, LEX, select_result*, unsigned long) (sql_select.cc:366)
==15592== by 0x5E83F9: execute_sqlcom_select(THD, TABLE_LIST) (sql_parse.cc:5926)
==15592== by 0x5DE8CD: mysql_execute_command(THD*) (sql_parse.cc:2976)
==15592== Address 0xe7a83b0 is 3,440 bytes inside a block of size 5,752 free'd
==15592== at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==15592== by 0xED7A4A: my_free (my_malloc.c:217)
==15592== by 0xEC8C11: free_root (my_alloc.c:392)
==15592== by 0x979849: sp_head::operator delete(void*, unsigned long) (sp_head.cc:589)
==15592== by 0x97A7C8: sp_head::~sp_head() (sp_head.cc:852)
==15592== by 0x67799E: store_schema_params(THD, TABLE, TABLE, char const, bool, char const*) (sql_show.cc:5868)
==15592== by 0x678AF6: fill_schema_proc(THD, TABLE_LIST, Item*) (sql_show.cc:6065)
==15592== by 0x6817AB: get_schema_tables_result(JOIN*, enum_schema_table_state) (sql_show.cc:8227)
==15592== by 0x620A86: JOIN::exec_inner() (sql_select.cc:2691)
==15592== by 0x620120: JOIN::exec() (sql_select.cc:2539)
==15592== by 0x6B9F32: st_select_lex_unit::exec() (sql_union.cc:847)
==15592== by 0x6B744F: mysql_union(THD, LEX, select_result, st_select_lex_unit, unsigned long) (sql_union.cc:39)
==15592== by 0x618DBA: handle_select(THD, LEX, select_result*, unsigned long) (sql_select.cc:366)
==15592== by 0x5E83F9: execute_sqlcom_select(THD, TABLE_LIST) (sql_parse.cc:5926)
==15592== by 0x5DE8CD: mysql_execute_command(THD*) (sql_parse.cc:2976)
==15592== by 0x5EBB4E: mysql_parse(THD, char, unsigned int, Parser_state*) (sql_parse.cc:7352)
==15592== Block was alloc'd at
==15592== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==15592== by 0xED7563: my_malloc (my_malloc.c:101)
==15592== by 0xEC84D7: alloc_root (my_alloc.c:188)
==15592== by 0x518C98: Sql_alloc::operator new(unsigned long, st_mem_root*) (sql_list.h:43)
==15592== by 0x97D7AE: sp_head::reset_lex(THD*) (sp_head.cc:2206)
==15592== by 0x7B7CBD: MYSQLparse(THD*) (sql_yacc.yy:3683)
==15592== by 0x5EFBC3: parse_sql(THD, Parser_state, Object_creation_ctx*, bool) (sql_parse.cc:9327)
==15592== by 0x973599: sp_compile(THD, String, unsigned long long, Stored_program_creation_ctx*) (sp.cc:754)
==15592== by 0x977BE8: sp_load_for_information_schema(THD, TABLE, String, String, unsigned long, stored_procedure_type, char const, char const, bool*) (sp.cc:2347)
==15592== by 0x6770B8: store_schema_params(THD, TABLE, TABLE, char const, bool, char const*) (sql_show.cc:5780)
==15592== by 0x678AF6: fill_schema_proc(THD, TABLE_LIST, Item*) (sql_show.cc:6065)
==15592== by 0x6817AB: get_schema_tables_result(JOIN*, enum_schema_table_state) (sql_show.cc:8227)
==15592== by 0x620A86: JOIN::exec_inner() (sql_select.cc:2691)
==15592== by 0x620120: JOIN::exec() (sql_select.cc:2539)
==15592== by 0x6B9F32: st_select_lex_unit::exec() (sql_union.cc:847)
==15592== by 0x6B744F: mysql_union(THD, LEX, select_result, st_select_lex_unit, unsigned long) (sql_union.cc:39)
==15592== Invalid write of size 4
==15592== at 0x6C6FC0: mysql_make_view(THD, TABLE_SHARE, TABLE_LIST*, bool) (sql_view.cc:1344)
==15592== by 0x573E94: open_table(THD, TABLE_LIST, Open_table_context*) (sql_base.cc:2467)
==15592== by 0x576A4E: open_and_process_table(THD, LEX, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy, bool, Open_table_context) (sql_base.cc:4068)
==15592== by 0x577AC9: open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) (sql_base.cc:4579)
==15592== by 0x56F4C7: open_tables(THD, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) (sql_base.h:252)
==15592== by 0x579007: open_normal_and_derived_tables(THD, TABLE_LIST, unsigned int, unsigned int) (sql_base.cc:5322)
==15592== by 0x67112A: fill_schema_table_by_open(THD, bool, TABLE, st_schema_table, st_mysql_lex_string, st_mysql_lex_string, Open_tables_backup, bool) (sql_show.cc:4232)
==15592== by 0x672867: get_all_tables(THD, TABLE_LIST, Item*) (sql_show.cc:4870)
==15592== by 0x6817AB: get_schema_tables_result(JOIN*, enum_schema_table_state) (sql_show.cc:8227)
==15592== by 0x620A86: JOIN::exec_inner() (sql_select.cc:2691)
==15592== by 0x620120: JOIN::exec() (sql_select.cc:2539)
==15592== by 0x6B9F32: st_select_lex_unit::exec() (sql_union.cc:847)
==15592== by 0x6B744F: mysql_union(THD, LEX, select_result, st_select_lex_unit, unsigned long) (sql_union.cc:39)
==15592== by 0x618DBA: handle_select(THD, LEX, select_result*, unsigned long) (sql_select.cc:366)
==15592== by 0x5E83F9: execute_sqlcom_select(THD, TABLE_LIST) (sql_parse.cc:5926)
==15592== by 0x5DE8CD: mysql_execute_command(THD*) (sql_parse.cc:2976)
==15592== Address 0xe7a83b0 is 3,440 bytes inside a block of size 5,752 free'd
==15592== at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==15592== by 0xED7A4A: my_free (my_malloc.c:217)
==15592== by 0xEC8C11: free_root (my_alloc.c:392)
==15592== by 0x979849: sp_head::operator delete(void*, unsigned long) (sp_head.cc:589)
==15592== by 0x97A7C8: sp_head::~sp_head() (sp_head.cc:852)
==15592== by 0x67799E: store_schema_params(THD, TABLE, TABLE, char const, bool, char const*) (sql_show.cc:5868)
==15592== by 0x678AF6: fill_schema_proc(THD, TABLE_LIST, Item*) (sql_show.cc:6065)
==15592== by 0x6817AB: get_schema_tables_result(JOIN*, enum_schema_table_state) (sql_show.cc:8227)
==15592== by 0x620A86: JOIN::exec_inner() (sql_select.cc:2691)
==15592== by 0x620120: JOIN::exec() (sql_select.cc:2539)
==15592== by 0x6B9F32: st_select_lex_unit::exec() (sql_union.cc:847)
==15592== by 0x6B744F: mysql_union(THD, LEX, select_result, st_select_lex_unit, unsigned long) (sql_union.cc:39)
==15592== by 0x618DBA: handle_select(THD, LEX, select_result*, unsigned long) (sql_select.cc:366)
==15592== by 0x5E83F9: execute_sqlcom_select(THD, TABLE_LIST) (sql_parse.cc:5926)
==15592== by 0x5DE8CD: mysql_execute_command(THD*) (sql_parse.cc:2976)
==15592== by 0x5EBB4E: mysql_parse(THD, char, unsigned int, Parser_state*) (sql_parse.cc:7352)
==15592== Block was alloc'd at
==15592== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==15592== by 0xED7563: my_malloc (my_malloc.c:101)
==15592== by 0xEC84D7: alloc_root (my_alloc.c:188)
==15592== by 0x518C98: Sql_alloc::operator new(unsigned long, st_mem_root*) (sql_list.h:43)
==15592== by 0x97D7AE: sp_head::reset_lex(THD*) (sp_head.cc:2206)
==15592== by 0x7B7CBD: MYSQLparse(THD*) (sql_yacc.yy:3683)
==15592== by 0x5EFBC3: parse_sql(THD, Parser_state, Object_creation_ctx*, bool) (sql_parse.cc:9327)
==15592== by 0x973599: sp_compile(THD, String, unsigned long long, Stored_program_creation_ctx*) (sp.cc:754)
==15592== by 0x977BE8: sp_load_for_information_schema(THD, TABLE, String, String, unsigned long, stored_procedure_type, char const, char const, bool*) (sp.cc:2347)
==15592== by 0x6770B8: store_schema_params(THD, TABLE, TABLE, char const, bool, char const*) (sql_show.cc:5780)
==15592== by 0x678AF6: fill_schema_proc(THD, TABLE_LIST, Item*) (sql_show.cc:6065)
==15592== by 0x6817AB: get_schema_tables_result(JOIN*, enum_schema_table_state) (sql_show.cc:8227)
==15592== by 0x620A86: JOIN::exec_inner() (sql_select.cc:2691)
==15592== by 0x620120: JOIN::exec() (sql_select.cc:2539)
==15592== by 0x6B9F32: st_select_lex_unit::exec() (sql_union.cc:847)
==15592== by 0x6B744F: mysql_union(THD, LEX, select_result, st_select_lex_unit, unsigned long) (sql_union.cc:39)
==15592== Invalid read of size 4
==15592== at 0x6C6FC6: mysql_make_view(THD, TABLE_SHARE, TABLE_LIST*, bool) (sql_view.cc:1344)
==15592== by 0x573E94: open_table(THD, TABLE_LIST, Open_table_context*) (sql_base.cc:2467)
==15592== by 0x576A4E: open_and_process_table(THD, LEX, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy, bool, Open_table_context) (sql_base.cc:4068)
==15592== by 0x577AC9: open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) (sql_base.cc:4579)
==15592== by 0x56F4C7: open_tables(THD, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) (sql_base.h:252)
==15592== by 0x579007: open_normal_and_derived_tables(THD, TABLE_LIST, unsigned int, unsigned int) (sql_base.cc:5322)
==15592== by 0x67112A: fill_schema_table_by_open(THD, bool, TABLE, st_schema_table, st_mysql_lex_string, st_mysql_lex_string, Open_tables_backup, bool) (sql_show.cc:4232)
==15592== by 0x672867: get_all_tables(THD, TABLE_LIST, Item*) (sql_show.cc:4870)
==15592== by 0x6817AB: get_schema_tables_result(JOIN*, enum_schema_table_state) (sql_show.cc:8227)
==15592== by 0x620A86: JOIN::exec_inner() (sql_select.cc:2691)
==15592== by 0x620120: JOIN::exec() (sql_select.cc:2539)
==15592== by 0x6B9F32: st_select_lex_unit::exec() (sql_union.cc:847)
==15592== by 0x6B744F: mysql_union(THD, LEX, select_result, st_select_lex_unit, unsigned long) (sql_union.cc:39)
==15592== by 0x618DBA: handle_select(THD, LEX, select_result*, unsigned long) (sql_select.cc:366)
==15592== by 0x5E83F9: execute_sqlcom_select(THD, TABLE_LIST) (sql_parse.cc:5926)
==15592== by 0x5DE8CD: mysql_execute_command(THD*) (sql_parse.cc:2976)
==15592== Address 0xe7a83b0 is 3,440 bytes inside a block of size 5,752 free'd
==15592== at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==15592== by 0xED7A4A: my_free (my_malloc.c:217)
==15592== by 0xEC8C11: free_root (my_alloc.c:392)
==15592== by 0x979849: sp_head::operator delete(void*, unsigned long) (sp_head.cc:589)
==15592== by 0x97A7C8: sp_head::~sp_head() (sp_head.cc:852)
==15592== by 0x67799E: store_schema_params(THD, TABLE, TABLE, char const, bool, char const*) (sql_show.cc:5868)
==15592== by 0x678AF6: fill_schema_proc(THD, TABLE_LIST, Item*) (sql_show.cc:6065)
==15592== by 0x6817AB: get_schema_tables_result(JOIN*, enum_schema_table_state) (sql_show.cc:8227)
==15592== by 0x620A86: JOIN::exec_inner() (sql_select.cc:2691)
==15592== by 0x620120: JOIN::exec() (sql_select.cc:2539)
==15592== by 0x6B9F32: st_select_lex_unit::exec() (sql_union.cc:847)
==15592== by 0x6B744F: mysql_union(THD, LEX, select_result, st_select_lex_unit, unsigned long) (sql_union.cc:39)
==15592== by 0x618DBA: handle_select(THD, LEX, select_result*, unsigned long) (sql_select.cc:366)
==15592== by 0x5E83F9: execute_sqlcom_select(THD, TABLE_LIST) (sql_parse.cc:5926)
==15592== by 0x5DE8CD: mysql_execute_command(THD*) (sql_parse.cc:2976)
==15592== by 0x5EBB4E: mysql_parse(THD, char, unsigned int, Parser_state*) (sql_parse.cc:7352)
==15592== Block was alloc'd at
==15592== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==15592== by 0xED7563: my_malloc (my_malloc.c:101)
==15592== by 0xEC84D7: alloc_root (my_alloc.c:188)
==15592== by 0x518C98: Sql_alloc::operator new(unsigned long, st_mem_root*) (sql_list.h:43)
==15592== by 0x97D7AE: sp_head::reset_lex(THD*) (sp_head.cc:2206)
==15592== by 0x7B7CBD: MYSQLparse(THD*) (sql_yacc.yy:3683)
==15592== by 0x5EFBC3: parse_sql(THD, Parser_state, Object_creation_ctx*, bool) (sql_parse.cc:9327)
==15592== by 0x973599: sp_compile(THD, String, unsigned long long, Stored_program_creation_ctx*) (sp.cc:754)
==15592== by 0x977BE8: sp_load_for_information_schema(THD, TABLE, String, String, unsigned long, stored_procedure_type, char const, char const, bool*) (sp.cc:2347)
==15592== by 0x6770B8: store_schema_params(THD, TABLE, TABLE, char const, bool, char const*) (sql_show.cc:5780)
==15592== by 0x678AF6: fill_schema_proc(THD, TABLE_LIST, Item*) (sql_show.cc:6065)
==15592== by 0x6817AB: get_schema_tables_result(JOIN*, enum_schema_table_state) (sql_show.cc:8227)
==15592== by 0x620A86: JOIN::exec_inner() (sql_select.cc:2691)
==15592== by 0x620120: JOIN::exec() (sql_select.cc:2539)
==15592== by 0x6B9F32: st_select_lex_unit::exec() (sql_union.cc:847)
==15592== by 0x6B744F: mysql_union(THD, LEX, select_result, st_select_lex_unit, unsigned long) (sql_union.cc:39)

10.1 9ea3ad6d754 ASAN
==15760==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000111648 at pc 0x564741ae41a8 bp 0x7fd07f2187b0 sp 0x7fd07f2187a8
READ of size 4 at 0x625000111648 thread T6
#0 0x564741ae41a7 in mysql_make_view(THD, TABLE_SHARE, TABLE_LIST*, bool) /data/src/10.1/sql/sql_view.cc:1344
#1 0x5647417dceed in open_table(THD, TABLE_LIST, Open_table_context*) /data/src/10.1/sql/sql_base.cc:2467
#2 0x5647417e8f09 in open_and_process_table /data/src/10.1/sql/sql_base.cc:4068
#3 0x5647417e8f09 in open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /data/src/10.1/sql/sql_base.cc:4579
#4 0x5647417eb6b8 in open_tables /data/src/10.1/sql/sql_base.h:252
#5 0x5647417eb6b8 in open_normal_and_derived_tables(THD, TABLE_LIST, unsigned int, unsigned int) /data/src/10.1/sql/sql_base.cc:5322
#6 0x5647419ffa85 in fill_schema_table_by_open /data/src/10.1/sql/sql_show.cc:4232
#7 0x564741a3e914 in get_all_tables(THD, TABLE_LIST, Item*) /data/src/10.1/sql/sql_show.cc:4870
#8 0x564741a42ee3 in get_schema_tables_result(JOIN*, enum_schema_table_state) /data/src/10.1/sql/sql_show.cc:8227
#9 0x5647419e8ced in JOIN::exec_inner() /data/src/10.1/sql/sql_select.cc:2691
#10 0x5647419f133e in JOIN::exec() /data/src/10.1/sql/sql_select.cc:2539
#11 0x564741abf129 in st_select_lex_unit::exec() /data/src/10.1/sql/sql_union.cc:847
#12 0x564741acb584 in mysql_union(THD, LEX, select_result, st_select_lex_unit, unsigned long) /data/src/10.1/sql/sql_union.cc:39
#13 0x5647419e60fa in handle_select(THD, LEX, select_result*, unsigned long) /data/src/10.1/sql/sql_select.cc:366
#14 0x5647418b7f1e in execute_sqlcom_select /data/src/10.1/sql/sql_parse.cc:5926
#15 0x5647418d18f3 in mysql_execute_command(THD*) /data/src/10.1/sql/sql_parse.cc:2976
#16 0x5647418e8e60 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/src/10.1/sql/sql_parse.cc:7352
#17 0x5647418ef661 in dispatch_command(enum_server_command, THD, char, unsigned int) /data/src/10.1/sql/sql_parse.cc:1477
#18 0x5647418f5c14 in do_command(THD*) /data/src/10.1/sql/sql_parse.cc:1106
#19 0x564741b994f0 in do_handle_one_connection(THD*) /data/src/10.1/sql/sql_connect.cc:1330
#20 0x564741b99a01 in handle_one_connection /data/src/10.1/sql/sql_connect.cc:1242
#21 0x5647424658ac in pfs_spawn_thread /data/src/10.1/storage/perfschema/pfs.cc:1861
#22 0x7fd08b96b493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
#23 0x7fd089d2493e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)

The problem appeared in 10.1 with this commit:

commit 80d3eee072025f34984e474ea160651eac9e11e5

Author: Oleksandr Byelkin

Date:   Fri Jan 26 16:59:53 2018 +0100

    MDEV-14857: problem with 10.2.11 server crashing when executing stored procedure

Attachments

Issue Links

relates to

MDEV-14857 problem with 10.2.11 server crashing when executing stored procedure

Closed

Activity

Transition	Time In Source Status	Execution Times

Oleksandr Byelkin made transition - 2018-05-04 08:59

Open

In Progress

74d 8h 17m

Oleksandr Byelkin made transition - 2018-05-09 15:56

In Progress

In Review

5d 6h 56m

Igor Babaev (Inactive) made transition - 2018-05-15 06:14

In Review

Stalled

5d 14h 18m

Oleksandr Byelkin made transition - 2018-05-15 08:53

Stalled

Closed

2h 38m

People

Assignee:: Oleksandr Byelkin

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2018-02-19 00:41

Updated:: 2018-05-15 08:53

Resolved:: 2018-05-15 08:53

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server