Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects versions: 5.5(EOL), 10.0(EOL), 10.1(EOL), 10.2(EOL), 10.3(EOL)
Description
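--source include/have_innodb.inc

# Reproducer. The final SELECT triggers a heap-buffer-overflow WRITE in the
# optimizer on 5.5 (ASAN: TABLE::create_key_part_by_field <- create_hj_key_for_table
# <- create_ref_for_key), a fatal signal in create_ref_for_key on 10.1, and a
# fatal signal in key_copy <- JOIN_CACHE_BNLH on 10.3 -- see the traces below.
#
# Impact note: the script appears to need no privilege beyond CREATE/INSERT/SELECT
# on the user's own tables plus a session-level SET, so an ordinary authenticated
# user reaches a 1-byte out-of-bounds heap write (7 bytes past an 8252-byte
# allocation per the ASAN report). Treat it as memory corruption, not merely a
# crash/DoS. The root cause is not established by this report; the comments
# below record only what the traces show.

# Required to reproduce: routes the join through the hash-join cache path seen
# in the traces (create_hj_key_for_table / JOIN_CACHE_BNLH). The duplicate
# MDEV-16742 reports the same key_copy crash for join_cache_level > 2.
set join_cache_level=4;

# Single-row driving table, joined to t2 on v1.
CREATE TABLE t1 ( i1 int, v1 varchar(1)) ENGINE=InnoDB;
INSERT INTO t1 VALUES (7,'x');

# t2 carries the composite key (v1,i1) involved in the join: a varchar(1)
# part followed by a nullable int part (one row stores NULL in i1).
CREATE TABLE t2 (i1 int, v1 varchar(1), KEY v1 (v1,i1)) ENGINE=InnoDB;

INSERT INTO t2 VALUES (NULL,'x'),(1,'x'),(3,'x'),(5,'x'),(8,'x'),(48,'x'),(228,'x'),(3,'y'),(1,'z'),(9,'z');

# NB: "temp" is an ordinary persistent table, not a TEMPORARY one; it is
# materialised from the same t2 JOIN t1 that the subquery below repeats.
CREATE TABLE temp
SELECT t1.i1 AS f1, t1.v1 AS f2 FROM (t2 JOIN t1 ON (t1.v1 = t2.v1));

# Crashing statement (the "Query" line in every trace below): row-value IN
# over the same join used to build temp.
SELECT * FROM temp
WHERE (f1,f2) IN (SELECT t1.i1, t1.v1 FROM (t2 JOIN t1 ON (t1.v1 = t2.v1)));

# Cleanup so the case can be re-run or added to a suite once fixed.
DROP TABLE temp, t1, t2;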
Version: '5.5.61-MariaDB-debug' socket: '/home/alice/git/5.5/mysql-test/var/tmp/mysqld.1.sock' port: 16000 Source distribution
|
=================================================================
|
==26480==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500021b943 at pc 0x00000085deca bp 0x7f2cf8aa4910 sp 0x7f2cf8aa4900
|
WRITE of size 1 at 0x62500021b943 thread T15
|
#0 0x85dec9 in TABLE::create_key_part_by_field(st_key_part_info*, Field*, unsigned int) /home/alice/git/5.5/sql/table.cc:5992
|
#1 0x6f8d5c in create_hj_key_for_table /home/alice/git/5.5/sql/sql_select.cc:8065
|
#2 0x6f8d5c in create_ref_for_key /home/alice/git/5.5/sql/sql_select.cc:8130
|
#3 0x6fed1c in get_best_combination(JOIN*) /home/alice/git/5.5/sql/sql_select.cc:7936
|
#4 0x7576ae in make_join_statistics /home/alice/git/5.5/sql/sql_select.cc:3864
|
#5 0x760a64 in JOIN::optimize() /home/alice/git/5.5/sql/sql_select.cc:1255
|
#6 0x76a843 in mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/alice/git/5.5/sql/sql_select.cc:3112
|
#7 0x76b0b5 in handle_select(THD*, LEX*, select_result*, unsigned long) /home/alice/git/5.5/sql/sql_select.cc:323
|
#8 0x66d7dc in execute_sqlcom_select /home/alice/git/5.5/sql/sql_parse.cc:4678
|
#9 0x68351e in mysql_execute_command(THD*) /home/alice/git/5.5/sql/sql_parse.cc:2224
|
#10 0x695202 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/alice/git/5.5/sql/sql_parse.cc:5923
|
#11 0x6985ff in dispatch_command(enum_server_command, THD*, char*, unsigned int) /home/alice/git/5.5/sql/sql_parse.cc:1066
|
#12 0x69c6dd in do_command(THD*) /home/alice/git/5.5/sql/sql_parse.cc:793
|
#13 0x8ce433 in do_handle_one_connection(THD*) /home/alice/git/5.5/sql/sql_connect.cc:1268
|
#14 0x8ce6ac in handle_one_connection /home/alice/git/5.5/sql/sql_connect.cc:1184
|
#15 0x144278f in pfs_spawn_thread /home/alice/git/5.5/storage/perfschema/pfs.cc:1015
|
#16 0x7f2d06de26b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
|
#17 0x7f2d0648d41c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
|
|
0x62500021b943 is located 7 bytes to the right of 8252-byte region [0x625000219900,0x62500021b93c)
|
allocated by thread T15 here:
|
#0 0x7f2d078e8602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
|
#1 0x1508d94 in sf_malloc /home/alice/git/5.5/mysys/safemalloc.c:105
|
|
Thread T15 created by T0 here:
|
#0 0x7f2d07886253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
|
#1 0x1445d59 in spawn_thread_v1 /home/alice/git/5.5/storage/perfschema/pfs.cc:1038
|
|
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/alice/git/5.5/sql/table.cc:5992 TABLE::create_key_part_by_field(st_key_part_info*, Field*, unsigned int)
|
Shadow bytes around the buggy address:
|
0x0c4a8003b6d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c4a8003b6e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c4a8003b6f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c4a8003b700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c4a8003b710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
=>0x0c4a8003b720: 00 00 00 00 00 f7 f7 04[fa]fa fa fa fa fa fa fa
|
0x0c4a8003b730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c4a8003b740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c4a8003b750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c4a8003b760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c4a8003b770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Heap right redzone: fb
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack partial redzone: f4
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Server version: 10.1.35-MariaDB-debug
|
Thread pointer: 0x7f9338741008
|
stack_bottom = 0x7f93436d5230 thread_stack 0x48400
|
mysys/stacktrace.c:267(my_print_stacktrace)[0x564abc0767e9]
|
sql/signal_handler.cc:168(handle_fatal_signal)[0x564abb9b8363]
|
/lib/x86_64-linux-gnu/libpthread.so.0(+0x11390)[0x7f93428db390]
|
sql/sql_select.cc:9132(create_ref_for_key(JOIN*, st_join_table*, keyuse_t*, bool, unsigned long long))[0x564abb7c2240]
|
sql/sql_select.cc:8836(get_best_combination(JOIN*))[0x564abb7c13df]
|
sql/sql_select.cc:4264(make_join_statistics(JOIN*, List<TABLE_LIST>&, st_dynamic_array*))[0x564abb7b629d]
|
sql/sql_select.cc:1388(JOIN::optimize_inner())[0x564abb7abb5e]
|
sql/sql_select.cc:1058(JOIN::optimize())[0x564abb7aa96a]
|
sql/sql_select.cc:3470(mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x564abb7b3303]
|
sql/sql_select.cc:388(handle_select(THD*, LEX*, select_result*, unsigned long))[0x564abb7a8a41]
|
sql/sql_parse.cc:5944(execute_sqlcom_select(THD*, TABLE_LIST*))[0x564abb77785f]
|
sql/sql_parse.cc:2990(mysql_execute_command(THD*))[0x564abb76da07]
|
sql/sql_parse.cc:7449(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x564abb77b397]
|
sql/sql_parse.cc:1494(dispatch_command(enum_server_command, THD*, char*, unsigned int))[0x564abb769aa4]
|
sql/sql_parse.cc:1121(do_command(THD*))[0x564abb768822]
|
sql/sql_connect.cc:1330(do_handle_one_connection(THD*))[0x564abb8a856f]
|
sql/sql_connect.cc:1243(handle_one_connection)[0x564abb8a82be]
|
perfschema/pfs.cc:1863(pfs_spawn_thread)[0x564abc00829c]
|
/lib/x86_64-linux-gnu/libpthread.so.0(+0x76ba)[0x7f93428d16ba]
|
x86_64/clone.S:111(clone)[0x7f9341f7c41d]
|
|
Trying to get some variables.
|
Some pointers may be invalid and cause the dump to abort.
|
Query (0x7f932bdb9420): SELECT * FROM temp WHERE (f1,f2) IN (SELECT t1.i1, t1.v1 FROM (t2 JOIN t1 ON (t1.v1 = t2.v1)))
|
Connection ID (thread ID): 3
|
Status: NOT_KILLED
|
Server version: 10.3.8-MariaDB-debug-log
|
Thread pointer: 0x7f16c8000b00
|
stack_bottom = 0x7f171c31be70 thread_stack 0x49000
|
mysys/stacktrace.c:269(my_print_stacktrace)[0x557e7670d783]
|
sql/signal_handler.cc:168(handle_fatal_signal)[0x557e75f5304e]
|
/lib/x86_64-linux-gnu/libpthread.so.0(+0x11390)[0x7f17222bf390]
|
sql/key.cc:158(key_copy(unsigned char*, unsigned char const*, st_key*, unsigned int, bool))[0x557e7605dc57]
|
sql/sql_join_cache.cc:3656(JOIN_CACHE_BNLH::get_matching_chain_by_join_key())[0x557e75e0ec85]
|
sql/sql_join_cache.cc:3691(JOIN_CACHE_BNLH::prepare_look_for_matches(bool))[0x557e75e0ed16]
|
sql/sql_join_cache.cc:2273(JOIN_CACHE::join_matching_records(bool))[0x557e75e0cc10]
|
sql/sql_join_cache.cc:2088(JOIN_CACHE::join_records(bool))[0x557e75e0c660]
|
sql/sql_select.cc:19039(sub_select_cache(JOIN*, st_join_table*, bool))[0x557e75cdbdfc]
|
sql/sql_select.cc:19210(sub_select(JOIN*, st_join_table*, bool))[0x557e75cdc007]
|
sql/sql_select.cc:18801(do_select(JOIN*, Procedure*))[0x557e75cdb7d1]
|
sql/sql_select.cc:4011(JOIN::exec_inner())[0x557e75cb4bb1]
|
sql/sql_select.cc:3806(JOIN::exec())[0x557e75cb4024]
|
sql/sql_select.cc:4212(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x557e75cb528b]
|
sql/sql_select.cc:382(handle_select(THD*, LEX*, select_result*, unsigned long))[0x557e75ca7436]
|
sql/sql_parse.cc:6541(execute_sqlcom_select(THD*, TABLE_LIST*))[0x557e75c71db6]
|
sql/sql_parse.cc:3764(mysql_execute_command(THD*))[0x557e75c6820f]
|
sql/sql_parse.cc:8076(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x557e75c75cfc]
|
sql/sql_parse.cc:1849(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x557e75c62ce4]
|
sql/sql_parse.cc:1392(do_command(THD*))[0x557e75c61701]
|
sql/sql_connect.cc:1402(do_handle_one_connection(CONNECT*))[0x557e75dc6a4d]
|
sql/sql_connect.cc:1309(handle_one_connection)[0x557e75dc679e]
|
perfschema/pfs.cc:1864(pfs_spawn_thread)[0x557e7669ddf4]
|
/lib/x86_64-linux-gnu/libpthread.so.0(+0x76ba)[0x7f17222b56ba]
|
x86_64/clone.S:111(clone)[0x7f172174a41d]
|
|
Trying to get some variables.
|
Some pointers may be invalid and cause the dump to abort.
|
Query (0x7f16c8014cd8): SELECT * FROM temp WHERE (f1,f2) IN (SELECT t1.i1, t1.v1 FROM (t2 JOIN t1 ON (t1.v1 = t2.v1)))
|
Connection ID (thread ID): 9
|
Status: NOT_KILLED
|
Issue Links
Is duplicated by: MDEV-16742 Server crashes in key_copy with join_cache_level > 2 (Closed) -- the same key_copy crash as the 10.3 trace above.