Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
-
10.3
-
None
Description
CREATE OR REPLACE TABLE t1 (i INT) WITH SYSTEM VERSIONING; |
CREATE OR REPLACE PROCEDURE p() SELECT * FROM t1; |
|
|
--connect (con1,localhost,root,,)
|
CALL p;
|
--connection default
|
FLUSH TABLES;
|
|
|
--connection con1
|
CALL p;
|
|
|
# Cleanup
|
--disconnect con1
|
--connection default
|
DROP PROCEDURE p; |
DROP TABLE t1; |
|
10.3 non-debug or standard debug d71a8855ee |
mysqltest: At line 10: query 'CALL p' failed: 1054: Unknown column 'test.t1.' in 'where clause'
|
|
10.3 ASAN d71a8855eef3 |
==4504==ERROR: AddressSanitizer: heap-use-after-free on address 0x6190000ad3a5 at pc 0x55fc54eeae03 bp 0x7fa79c6f36c0 sp 0x7fa79c6f36b8
|
READ of size 1 at 0x6190000ad3a5 thread T6
|
#0 0x55fc54eeae02 in Item_ident::print(String*, enum_query_type) /data/src/10.3/sql/item.cc:3371
|
#1 0x55fc54f0cc05 in Item_field::print(String*, enum_query_type) /data/src/10.3/sql/item.cc:7821
|
#2 0x55fc54ed4538 in Item::print_parenthesised(String*, enum_query_type, precedence) /data/src/10.3/sql/item.cc:568
|
#3 0x55fc54fc0400 in Item_func::print_op(String*, enum_query_type) /data/src/10.3/sql/item_func.cc:619
|
#4 0x55fc54f7aefe in Item_bool_rowready_func2::print(String*, enum_query_type) /data/src/10.3/sql/item_cmpfunc.h:510
|
#5 0x55fc54f27578 in dbug_print_item(Item*) /data/src/10.3/sql/item.cc:10690
|
#6 0x55fc54848536 in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.3/sql/sql_select.cc:990
|
#7 0x55fc54867319 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.3/sql/sql_select.cc:4130
|
#8 0x55fc54842a9d in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.3/sql/sql_select.cc:382
|
#9 0x55fc547c5894 in execute_sqlcom_select /data/src/10.3/sql/sql_parse.cc:6539
|
#10 0x55fc547b3d0a in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3768
|
#11 0x55fc545ceb77 in sp_instr_stmt::exec_core(THD*, unsigned int*) /data/src/10.3/sql/sp_head.cc:3595
|
#12 0x55fc545cd3b7 in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) /data/src/10.3/sql/sp_head.cc:3311
|
#13 0x55fc545ce2c4 in sp_instr_stmt::execute(THD*, unsigned int*) /data/src/10.3/sql/sp_head.cc:3498
|
#14 0x55fc545c1525 in sp_head::execute(THD*, bool) /data/src/10.3/sql/sp_head.cc:1349
|
#15 0x55fc545c67dd in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.3/sql/sp_head.cc:2287
|
#16 0x55fc547ae4ab in do_execute_sp /data/src/10.3/sql/sql_parse.cc:2944
|
#17 0x55fc547aff01 in Sql_cmd_call::execute(THD*) /data/src/10.3/sql/sql_parse.cc:3186
|
#18 0x55fc547c38b3 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:6282
|
#19 0x55fc547cde22 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8001
|
#20 0x55fc547a86c8 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1846
|
#21 0x55fc547a575f in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1391
|
#22 0x55fc54b0e18a in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
|
#23 0x55fc54b0db9f in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
|
#24 0x55fc55611d8d in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
|
#25 0x7fa7a919b493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
|
#26 0x7fa7a758193e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
|
Variation of the test case which causes a different ASAN stack trace (same non-debug error, though):
CREATE TABLE t1 (i INT) WITH SYSTEM VERSIONING; |
CREATE PROCEDURE p() SELECT i FROM t1 GROUP BY unknown_column; |
|
|
--connect (con1,localhost,root,,test)
|
--error ER_BAD_FIELD_ERROR
|
CALL p;
|
|
|
--connection default
|
SELECT * FROM t1; |
FLUSH TABLES;
|
|
|
--connection con1
|
CALL p;
|
|
|
# Cleanup
|
--disconnect con1
|
--connection default
|
DROP PROCEDURE p; |
DROP TABLE t1; |
|
10.3 ASAN d71a8855eef |
==8568==ERROR: AddressSanitizer: heap-use-after-free on address 0x6190000ad3a5 at pc 0x56522d830dff bp 0x7f0569098bb0 sp 0x7f0569098ba8
|
READ of size 1 at 0x6190000ad3a5 thread T6
|
#0 0x56522d830dfe in my_strcasecmp_utf8 /data/src/10.3/strings/ctype-utf8.c:5302
|
#1 0x56522be3cb5c in find_field_in_table(THD*, TABLE*, char const*, unsigned long, bool, unsigned int*) /data/src/10.3/sql/sql_base.cc:5666
|
#2 0x56522be3eb65 in find_field_in_tables(THD*, Item_ident*, TABLE_LIST*, TABLE_LIST*, Item**, find_item_error_report_type, bool, bool) /data/src/10.3/sql/sql_base.cc:6040
|
#3 0x56522c6c677a in Item_field::fix_fields(THD*, Item**) /data/src/10.3/sql/item.cc:6180
|
#4 0x56522c784431 in Item_func::fix_fields(THD*, Item**) /data/src/10.3/sql/item_func.cc:362
|
#5 0x56522be4a0c8 in setup_on_expr(THD*, TABLE_LIST*, bool) /data/src/10.3/sql/sql_base.cc:7951
|
#6 0x56522be4af1f in setup_conds(THD*, TABLE_LIST*, List<TABLE_LIST>&, Item**) /data/src/10.3/sql/sql_base.cc:8069
|
#7 0x56522c00a80d in setup_without_group /data/src/10.3/sql/sql_select.cc:646
|
#8 0x56522c00f7eb in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.3/sql/sql_select.cc:1103
|
#9 0x56522c02d319 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.3/sql/sql_select.cc:4130
|
#10 0x56522c008a9d in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.3/sql/sql_select.cc:382
|
#11 0x56522bf8b894 in execute_sqlcom_select /data/src/10.3/sql/sql_parse.cc:6539
|
#12 0x56522bf79d0a in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3768
|
#13 0x56522bd94b77 in sp_instr_stmt::exec_core(THD*, unsigned int*) /data/src/10.3/sql/sp_head.cc:3595
|
#14 0x56522bd933b7 in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) /data/src/10.3/sql/sp_head.cc:3311
|
#15 0x56522bd942c4 in sp_instr_stmt::execute(THD*, unsigned int*) /data/src/10.3/sql/sp_head.cc:3498
|
#16 0x56522bd87525 in sp_head::execute(THD*, bool) /data/src/10.3/sql/sp_head.cc:1349
|
#17 0x56522bd8c7dd in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.3/sql/sp_head.cc:2287
|
#18 0x56522bf744ab in do_execute_sp /data/src/10.3/sql/sql_parse.cc:2944
|
#19 0x56522bf75f01 in Sql_cmd_call::execute(THD*) /data/src/10.3/sql/sql_parse.cc:3186
|
#20 0x56522bf898b3 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:6282
|
#21 0x56522bf93e22 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8001
|
#22 0x56522bf6e6c8 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1846
|
#23 0x56522bf6b75f in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1391
|
#24 0x56522c2d418a in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
|
#25 0x56522c2d3b9f in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
|
#26 0x56522cdd7d8d in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
|
#27 0x7f0575b41493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
|
#28 0x7f0573f2793e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
|
Under unfortunate circumstances, test cases based on these cause different buffer errors:
Error: Freeing overrun buffer 0x7f48bc200e80 at mysys/safemalloc.c:194, mysys/my_malloc.c:224, mysys/my_alloc.c:412, sql/sp_head.cc:1375, sql/sp_head.cc:2287, sql/sql_parse.cc:2944, sql/sql_parse.cc:3186, sql/sql_parse.cc:6282
|
Allocated at mysys/my_alloc.c:249, sql/sql_class.h:1028, sql/sql_parse.cc:2678, sql/sp_head.cc:3485, sql/sp_head.cc:1349, sql/sp_head.cc:2287, sql/sql_parse.cc:2944, sql/sql_parse.cc:3186
|
180420 4:01:16 [ERROR] mysqld got signal 7 ;
|
Error: Freeing overrun buffer 0x7fb94c0a4d40 at 2018-04-20 12:23:53 13 [Warning] Aborted connection 13 to db: 'test' user: 'rqg' host: 'localhost' (Got an error writing communication packets)
|
mysys/safemalloc.c:194, mysys/my_malloc.c:224, mysys/my_alloc.c:421, sql/sp_head.cc:1375, sql/sp_head.cc:2287, sql/sql_parse.cc:2944, sql/sql_parse.cc:3186, sql/sql_parse.cc:6282
|
Allocated at mysys/my_alloc.c:249, sql/sql_class.h:1028, sql/sql_parse.cc:2678, sql/sp_head.cc:3485, sql/sp_head.cc:1349, sql/sp_head.cc:2287, sql/sql_parse.cc:2944, sql/sql_parse.cc:3186
|
2018-04-20 12:23:53 12 [Warning] Aborted connection 12 to db: 'test' user: 'rqg' host: 'localhost' (Unknown column 'test.DD.' in 'where clause')
|
Error: <8F><8F><8F><8F><8F><8F><8F><8F><8F><8F><C1> unallocated data or underrun buffer 0x56090c42300d at mysys/safemalloc.c:194, mysys/my_malloc.c:224, mysys/array.c:304, sql/sql_array.h:241, sql/sp_pcontext.cc:116, sql/sp_head.cc:824, sql/sp_head.cc:848, sql/sp_cache.cc:287
|
180420 12:23:53 [ERROR] mysqld got signal 6 ;
|