MariaDB Server
MDEV-16614

signal 7 after calling stored procedure, that uses regexp

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 10.2(EOL), 10.3(EOL)
    • Fix Version/s: 10.2.17, 10.3.9
    • Component/s: Optimizer
    • Labels: None

    Description

      DELIMITER $$;
      CREATE PROCEDURE p1(m1 varchar(5), m2 varchar(5))
      BEGIN
      SELECT a FROM
      	(SELECT "aa" a) t
      	JOIN (SELECT "aa" b) t1 on t.a=t1.b
      WHERE t.a regexp m1 and t1.b regexp m2
      GROUP BY a;
      END$$
      DELIMITER ;$$
       
      CALL p1('a','a');
      

      main.1_my                                [ fail ]  Found warnings/errors in server log file!
              Test ended at 2018-06-28 14:48:30
      line
      Error: Freeing overrun buffer  mysys/safemalloc.c:194, mysys/my_malloc.c:219, sql/item_cmpfunc.h:2092, sql/item_cmpfunc.h:2113, sql/item.h:1842, sql/sql_class.cc:3457, sql/sql_class.cc:2079, sql/sp_head.cc:1345
      Error: Freeing overrun buffer  mysys/safemalloc.c:194, mysys/my_malloc.c:219, sql/item_cmpfunc.h:2092, sql/item_cmpfunc.h:2113, sql/item.h:1842, sql/sql_class.cc:3457, sql/sql_class.cc:2079, sql/sp_head.cc:1345
      ^ Found warnings in /home/alice/git/10.2/mysql-test/var/log/mysqld.1.err
      

      180628 14:27:36 [ERROR] mysqld got signal 7 ;
      Server version: 10.3.7-MariaDB
      key_buffer_size=134217728
      read_buffer_size=131072
      max_used_connections=1
      max_threads=153
      thread_count=7
      It is possible that mysqld could use up to 
      key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 467389 K  bytes of memory
      Hope that's ok; if not, decrease some variables in the equation.
       
      Thread pointer: 0x7f7c600009a8
      Attempting backtrace. You can use the following information to find out
      where mysqld died. If you see no messages after this, something went
      terribly wrong...
      stack_bottom = 0x7f7ccc247ec0 thread_stack 0x49000
      

          Activity

            ASAN:

            10.2 10d09a57f8

            =================================================================
            ==7542==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100000a598 at pc 0x557b20cef86e bp 0x7fd0fcefc140 sp 0x7fd0fcefc138
            READ of size 4 at 0x61100000a598 thread T5
                #0 0x557b20cef86d in sf_malloc_usable_size /data/src/10.2/mysys/safemalloc.c:215
                #1 0x557b20cbe9dc in my_free /data/src/10.2/mysys/my_malloc.c:215
                #2 0x557b1fd4f86a in Regexp_processor_pcre::cleanup() /data/src/10.2/sql/item_cmpfunc.h:2091
                #3 0x557b1fd4f9ca in Item_func_regex::cleanup() /data/src/10.2/sql/item_cmpfunc.h:2112
                #4 0x557b1f5ffb93 in Item::delete_self() /data/src/10.2/sql/item.h:1835
                #5 0x557b1f5ea4fc in Query_arena::free_items() /data/src/10.2/sql/sql_class.cc:3559
                #6 0x557b1f5ddb00 in THD::cleanup_after_query() /data/src/10.2/sql/sql_class.cc:2174
                #7 0x557b20014302 in sp_head::execute(THD*, bool) /data/src/10.2/sql/sp_head.cc:1344
                #8 0x557b20017f65 in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.2/sql/sp_head.cc:2115
                #9 0x557b1f68b3fc in do_execute_sp /data/src/10.2/sql/sql_parse.cc:2909
                #10 0x557b1f69d734 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:5822
                #11 0x557b1f6aad4e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7999
                #12 0x557b1f6858be in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1821
                #13 0x557b1f682962 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1375
                #14 0x557b1f9c348b in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
                #15 0x557b1f9c2ea0 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
                #16 0x557b203d08ff in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
                #17 0x7fd109381493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
                #18 0x7fd10776793e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
             
            0x61100000a598 is located 88 bytes inside of 196-byte region [0x61100000a540,0x61100000a604)
            freed by thread T5 here:
                #0 0x7fd1095eb527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
                #1 0x557b20cf016b in free_memory /data/src/10.2/mysys/safemalloc.c:279
                #2 0x557b20cef771 in sf_free /data/src/10.2/mysys/safemalloc.c:197
                #3 0x557b20cbea12 in my_free /data/src/10.2/mysys/my_malloc.c:217
                #4 0x557b1fd4f86a in Regexp_processor_pcre::cleanup() /data/src/10.2/sql/item_cmpfunc.h:2091
                #5 0x557b1fd4f9ca in Item_func_regex::cleanup() /data/src/10.2/sql/item_cmpfunc.h:2112
                #6 0x557b1f681255 in cleanup_items(Item*) /data/src/10.2/sql/sql_parse.cc:1132
                #7 0x557b2001420d in sp_head::execute(THD*, bool) /data/src/10.2/sql/sp_head.cc:1331
                #8 0x557b20017f65 in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.2/sql/sp_head.cc:2115
                #9 0x557b1f68b3fc in do_execute_sp /data/src/10.2/sql/sql_parse.cc:2909
                #10 0x557b1f69d734 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:5822
                #11 0x557b1f6aad4e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7999
                #12 0x557b1f6858be in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1821
                #13 0x557b1f682962 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1375
                #14 0x557b1f9c348b in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
                #15 0x557b1f9c2ea0 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
                #16 0x557b203d08ff in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
                #17 0x7fd109381493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
             
            previously allocated by thread T5 here:
                #0 0x7fd1095eb73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
                #1 0x557b20ceeee1 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
                #2 0x557b20cbe14a in my_malloc /data/src/10.2/mysys/my_malloc.c:101
                #3 0x557b1f48c124 in my_str_malloc_mysqld /data/src/10.2/sql/mysqld.cc:3657
                #4 0x557b20df77b9 in pcre_compile2 /data/src/10.2/pcre/pcre_compile.c:9410
                #5 0x557b20df5c3b in pcre_compile /data/src/10.2/pcre/pcre_compile.c:9039
                #6 0x557b1fd3de89 in Regexp_processor_pcre::compile(String*, bool) /data/src/10.2/sql/item_cmpfunc.cc:5458
                #7 0x557b1fd3e19b in Regexp_processor_pcre::compile(Item*, bool) /data/src/10.2/sql/item_cmpfunc.cc:5479
                #8 0x557b1fd3efa8 in Regexp_processor_pcre::fix_owner(Item_func*, Item*, Item*) /data/src/10.2/sql/item_cmpfunc.cc:5657
                #9 0x557b1fd3f289 in Item_func_regex::fix_length_and_dec() /data/src/10.2/sql/item_cmpfunc.cc:5684
                #10 0x557b1fd86a96 in Item_func::fix_fields(THD*, Item**) /data/src/10.2/sql/item_func.cc:240
                #11 0x557b1fd3f10c in Item_func_regex::fix_fields(THD*, Item**) /data/src/10.2/sql/item_cmpfunc.cc:5673
                #12 0x557b1fd36249 in Item_cond::fix_fields(THD*, Item**) /data/src/10.2/sql/item_cmpfunc.cc:4588
                #13 0x557b1f5993ce in setup_conds(THD*, TABLE_LIST*, List<TABLE_LIST>&, Item**) /data/src/10.2/sql/sql_base.cc:7827
                #14 0x557b1f720c36 in setup_without_group /data/src/10.2/sql/sql_select.cc:640
                #15 0x557b1f722c55 in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.2/sql/sql_select.cc:825
                #16 0x557b1f73f629 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3760
                #17 0x557b1f71ef66 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:376
                #18 0x557b1f6a20d5 in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6474
                #19 0x557b1f68ee78 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3480
                #20 0x557b2001ef2d in sp_instr_stmt::exec_core(THD*, unsigned int*) /data/src/10.2/sql/sp_head.cc:3244
                #21 0x557b2001db78 in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) /data/src/10.2/sql/sp_head.cc:3007
                #22 0x557b2001e7f7 in sp_instr_stmt::execute(THD*, unsigned int*) /data/src/10.2/sql/sp_head.cc:3160
                #23 0x557b20014178 in sp_head::execute(THD*, bool) /data/src/10.2/sql/sp_head.cc:1326
                #24 0x557b20017f65 in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.2/sql/sp_head.cc:2115
                #25 0x557b1f68b3fc in do_execute_sp /data/src/10.2/sql/sql_parse.cc:2909
                #26 0x557b1f69d734 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:5822
                #27 0x557b1f6aad4e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7999
                #28 0x557b1f6858be in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1821
                #29 0x557b1f682962 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1375
             
            Thread T5 created by T0 here:
                #0 0x7fd1095babba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
                #1 0x557b203d0ec7 in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1912
                #2 0x557b1f47f91e in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1239
                #3 0x557b1f494809 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6451
                #4 0x557b1f494f0e in create_new_thread /data/src/10.2/sql/mysqld.cc:6521
                #5 0x557b1f495f1f in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6796
                #6 0x557b1f493d5e in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6070
                #7 0x557b1f47dcbf in main /data/src/10.2/sql/main.cc:25
                #8 0x7fd10769f2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
             
            SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.2/mysys/safemalloc.c:215 sf_malloc_usable_size
            Shadow bytes around the buggy address:
              0x0c227fff9460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c227fff9470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c227fff9480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c227fff9490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c227fff94a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
            =>0x0c227fff94b0: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c227fff94c0: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c227fff94d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c227fff94e0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
              0x0c227fff94f0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
              0x0c227fff9500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable:           00
              Partially addressable: 01 02 03 04 05 06 07 
              Heap left redzone:       fa
              Heap right redzone:      fb
              Freed heap region:       fd
              Stack left redzone:      f1
              Stack mid redzone:       f2
              Stack right redzone:     f3
              Stack partial redzone:   f4
              Stack after return:      f5
              Stack use after scope:   f8
              Global redzone:          f9
              Global init order:       f6
              Poisoned by user:        f7
              Contiguous container OOB:fc
              ASan internal:           fe
            ==7542==ABORTING
            

            elenst Elena Stepanova added a comment
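The report above shows the compiled pattern (the 196-byte region allocated by pcre_compile) being released by Regexp_processor_pcre::cleanup() twice: first via cleanup_items() after the statement (sp_head.cc:1331) and then again via Query_arena::free_items() and Item::delete_self() at the end of the procedure (sp_head.cc:1344), where my_free() reads the already-freed block. The following C++ model is an added example, not MariaDB code and not the fix that closed this issue: it reproduces that double release under a safemalloc-style tracker that counts invalid frees instead of crashing, and shows the two ownership properties a cleanup routine needs to survive being reached from two paths: the release must be idempotent, and no two live objects may own the same handle. The report does not say which of these two failure shapes the server hit; all class and function names here are constructed for illustration.

```cpp
// Added example, not MariaDB code: models the double release of a compiled
// regex handle shown in the AddressSanitizer report, and the ownership
// properties that prevent it. All names are constructed for illustration.
#include <cstddef>
#include <cstdio>
#include <new>
#include <vector>

// safemalloc-style tracker: releasing a block that is not live is counted
// instead of touching freed memory (in the report the second my_free() reads
// the freed block's header inside sf_malloc_usable_size).
struct Tracker {
    std::vector<void*> live;
    int bad_frees = 0;
    void reset() { for (void* p : live) ::operator delete(p); live.clear(); bad_frees = 0; }
    void* alloc(std::size_t n) { void* p = ::operator new(n); live.push_back(p); return p; }
    void release(void* p) {
        if (p == nullptr) return;                       // freeing NULL is a no-op
        for (std::size_t i = 0; i < live.size(); ++i)
            if (live[i] == p) { live.erase(live.begin() + i); ::operator delete(p); return; }
        ++bad_frees;                                    // double free / use-after-free
    }
};
static Tracker g_heap;

// Variant 1: cleanup() releases the handle but leaves the pointer dangling,
// so a second cleanup() on the same object releases it again.
struct PatternDangling {
    void* compiled = nullptr;
    void compile() { compiled = g_heap.alloc(196); }    // 196-byte region as in the report
    void cleanup() { g_heap.release(compiled); }
};

// Variant 2: idempotent cleanup(); safe to call twice on one object, but a
// shallow copy (default copy constructor) still shares the same handle.
struct PatternIdempotent {
    void* compiled = nullptr;
    void compile() { compiled = g_heap.alloc(196); }
    void cleanup() { g_heap.release(compiled); compiled = nullptr; }
};

// Variant 3: idempotent cleanup() and a copy that compiles its own handle,
// so no two objects ever own the same block.
struct PatternOwning {
    void* compiled = nullptr;
    PatternOwning() = default;
    PatternOwning(const PatternOwning& o) : compiled(nullptr) {
        if (o.compiled) compiled = g_heap.alloc(196);   // deep copy: own handle
    }
    PatternOwning& operator=(const PatternOwning&) = delete;
    void compile() { compiled = g_heap.alloc(196); }
    void cleanup() { g_heap.release(compiled); compiled = nullptr; }
};

// Scenario A: one item is cleaned up twice, like cleanup_items() after the
// statement and Query_arena::free_items() at the end of the procedure.
template <class Pattern> int bad_frees_after_double_cleanup() {
    g_heap.reset();
    Pattern item;
    item.compile();          // fix_fields() -> pcre_compile()
    item.cleanup();          // first cleanup path
    item.cleanup();          // second cleanup path
    return g_heap.bad_frees;
}

// Scenario B: the item is shallow-copied and each copy is cleaned up once.
template <class Pattern> int bad_frees_after_copy_cleanup() {
    g_heap.reset();
    Pattern item;
    item.compile();
    Pattern copy = item;     // a second owner of the same handle unless deep-copied
    item.cleanup();
    copy.cleanup();
    return g_heap.bad_frees;
}

int main() {
    std::printf("double cleanup: dangling=%d idempotent=%d owning=%d\n",
                bad_frees_after_double_cleanup<PatternDangling>(),
                bad_frees_after_double_cleanup<PatternIdempotent>(),
                bad_frees_after_double_cleanup<PatternOwning>());
    std::printf("copy + cleanup: dangling=%d idempotent=%d owning=%d\n",
                bad_frees_after_copy_cleanup<PatternDangling>(),
                bad_frees_after_copy_cleanup<PatternIdempotent>(),
                bad_frees_after_copy_cleanup<PatternOwning>());
    return 0;
}
```

Any C++11 compiler builds it. The tracker turns the crash into a count, so the defective variants run to completion: only the variant that both nulls its pointer after release and refuses to share the handle with a copy comes out clean in both scenarios, which is the property to check in any Item-style object whose cleanup() can be reached from more than one owner or more than one pass.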
            h.rojahn Holger Rojahn added a comment -

            Replaced RegEx in 16611 with LIKEs and it won't crash.


            The problem is repeatable with a simplified test:

            DELIMITER $$;
            CREATE PROCEDURE p1(m1 varchar(5))
            BEGIN
              SELECT a FROM (SELECT "aa" a) t WHERE t.a regexp m1;
            END$$
            DELIMITER ;$$
            CALL p1('a');
            

            bar Alexander Barkov added a comment

            A similar problem is repeatable if I use a stored function instead of the REGEXP operator:

            DELIMITER $$;
            CREATE OR REPLACE FUNCTION f1(a VARCHAR(10), b VARCHAR(10)) RETURNS INT
            BEGIN
              RETURN 1;
            END;$$
            CREATE OR REPLACE PROCEDURE p1(m1 varchar(5))
            BEGIN
              SELECT a FROM (SELECT "aa" a) t WHERE f1(t.a, m1);
            END$$
            DELIMITER ;$$
            CALL p1('a');
            

            Stack trace:

            ==19487==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x560c6f43577a bp 0x7f08dda18b40 sp 0x7f08dda18b30 T5)
            ==19487==The signal is caused by a READ memory access.
            ==19487==Hint: address points to the zero page.
                #0 0x560c6f435779 in Item_func_sp::cleanup() /home/bar/maria-git/server.10.2.asan/sql/item_func.cc:6502
                #1 0x560c6ebcd245 in Item::delete_self() /home/bar/maria-git/server.10.2.asan/sql/item.h:1841
                #2 0x560c6ebb717f in Query_arena::free_items() /home/bar/maria-git/server.10.2.asan/sql/sql_class.cc:3462
                #3 0x560c6eba9d5a in THD::cleanup_after_query() /home/bar/maria-git/server.10.2.asan/sql/sql_class.cc:2077
                #4 0x560c6f6bcbc8 in sp_head::execute(THD*, bool) /home/bar/maria-git/server.10.2.asan/sql/sp_head.cc:1345
                #5 0x560c6f6c12d8 in sp_head::execute_procedure(THD*, List<Item>*) /home/bar/maria-git/server.10.2.asan/sql/sp_head.cc:2116
                #6 0x560c6ec67825 in do_execute_sp /home/bar/maria-git/server.10.2.asan/sql/sql_parse.cc:2909
                #7 0x560c6ec7d11a in mysql_execute_command(THD*) /home/bar/maria-git/server.10.2.asan/sql/sql_parse.cc:5822
                #8 0x560c6ec8c2ec in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/bar/maria-git/server.10.2.asan/sql/sql_parse.
                #9 0x560c6ec61150 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/bar/maria-git/server.10.2.asan/sql
                #10 0x560c6ec5d924 in do_command(THD*) /home/bar/maria-git/server.10.2.asan/sql/sql_parse.cc:1374
                #11 0x560c6effdc89 in do_handle_one_connection(CONNECT*) /home/bar/maria-git/server.10.2.asan/sql/sql_connect.cc:1335
                #12 0x560c6effd584 in handle_one_connection /home/bar/maria-git/server.10.2.asan/sql/sql_connect.cc:1241
                #13 0x560c70590fed in pfs_spawn_thread /home/bar/maria-git/server.10.2.asan/storage/perfschema/pfs.cc:1862
                #14 0x7f08e915136c in start_thread (/lib64/libpthread.so.0+0x736c)
                #15 0x7f08e7d10b9e in clone (/lib64/libc.so.6+0x110b9e)
            

            bar Alexander Barkov added a comment

            The same problem is repeatable in this script:

            DELIMITER $$;
            CREATE OR REPLACE FUNCTION f1(a VARCHAR(10), b VARCHAR(10)) RETURNS INT
            BEGIN
              RETURN 1;
            END;$$
            DELIMITER ;$$
            SELECT a FROM (SELECT "aa" a) t WHERE f1(t.a, (SELECT MAX('aa') FROM DUAL LIMIT 1));
            

            bar Alexander Barkov added a comment

            The same problem is repeatable in this script:

            SELECT a FROM (SELECT "aa" a) t WHERE REGEXP_INSTR(t.a, (SELECT MAX('aa') FROM DUAL LIMIT 1));
            

            bar Alexander Barkov added a comment

            People

              Assignee: bar Alexander Barkov
              Reporter: alice Alice Sherepa