[MDEV-16614] signal 7 after calling stored procedure, that uses regexp - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.2(EOL), 10.3(EOL)
Fix Version/s: 10.2.17, 10.3.9
Component/s: Optimizer
Labels:
None

Description

DELIMITER $$;

CREATE PROCEDURE p1(m1 varchar(5), m2 varchar(5))

BEGIN

SELECT a FROM

	(SELECT "aa" a) t

	JOIN (SELECT "aa" b) t1 on t.a=t1.b

WHERE t.a regexp m1 and t1.b regexp m2

GROUP BY a;

END$$

DELIMITER ;$$

CALL p1('a','a');

main.1_my                                [ fail ]  Found warnings/errors in server log file!

        Test ended at 2018-06-28 14:48:30

line

Error: Freeing overrun buffer  mysys/safemalloc.c:194, mysys/my_malloc.c:219, sql/item_cmpfunc.h:2092, sql/item_cmpfunc.h:2113, sql/item.h:1842, sql/sql_class.cc:3457, sql/sql_class.cc:2079, sql/sp_head.cc:1345

Error: Freeing overrun buffer  mysys/safemalloc.c:194, mysys/my_malloc.c:219, sql/item_cmpfunc.h:2092, sql/item_cmpfunc.h:2113, sql/item.h:1842, sql/sql_class.cc:3457, sql/sql_class.cc:2079, sql/sp_head.cc:1345

^ Found warnings in /home/alice/git/10.2/mysql-test/var/log/mysqld.1.err

180628 14:27:36 [ERROR] mysqld got signal 7 ;

Server version: 10.3.7-MariaDB

key_buffer_size=134217728

read_buffer_size=131072

max_used_connections=1

max_threads=153

thread_count=7

It is possible that mysqld could use up to

key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 467389 K  bytes of memory

Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x7f7c600009a8

Attempting backtrace. You can use the following information to find out

where mysqld died. If you see no messages after this, something went

terribly wrong...

stack_bottom = 0x7f7ccc247ec0 thread_stack 0x49000

Attachments

Issue Links

relates to

MDEV-16611 Crash on Stored Procedure calling View in Join

Closed

MDEV-15585 signal 11 in cleanup phase

Closed

Activity

Descending order - Click to sort in ascending order

Alexander Barkov added a comment - 2018-07-25 14:36

The same problem is repeatable in this script:

SELECT a FROM (SELECT "aa" a) t WHERE REGEXP_INSTR(t.a, (SELECT MAX('aa') FROM DUAL LIMIT 1));

Alexander Barkov added a comment - 2018-07-25 14:36 The same problem is repeatable in this script: SELECT a FROM ( SELECT "aa" a) t WHERE REGEXP_INSTR(t.a, ( SELECT MAX ( 'aa' ) FROM DUAL LIMIT 1));

Alexander Barkov added a comment - 2018-07-25 13:39

The same problem is repeatable in this script:

DELIMITER $$;

CREATE OR REPLACE FUNCTION f1(a VARCHAR(10), b VARCHAR(10)) RETURNS INT

BEGIN

  RETURN 1;

END;$$

DELIMITER ;$$

SELECT a FROM (SELECT "aa" a) t WHERE f1(t.a, (SELECT MAX('aa') FROM DUAL LIMIT 1));

Alexander Barkov added a comment - 2018-07-25 13:39 The same problem is repeatable in this script: DELIMITER $$; CREATE OR REPLACE FUNCTION f1(a VARCHAR (10), b VARCHAR (10)) RETURNS INT BEGIN RETURN 1; END ;$$ DELIMITER ;$$ SELECT a FROM ( SELECT "aa" a) t WHERE f1(t.a, ( SELECT MAX ( 'aa' ) FROM DUAL LIMIT 1));

Alexander Barkov added a comment - 2018-07-25 12:53

A similar problem is repeatable if I use a stored function instead of the REGEXP operator:

DELIMITER $$;

CREATE OR REPLACE FUNCTION f1(a VARCHAR(10), b VARCHAR(10)) RETURNS INT

BEGIN

  RETURN 1;

END;$$

CREATE OR REPLACE PROCEDURE p1(m1 varchar(5))

BEGIN

  SELECT a FROM (SELECT "aa" a) t WHERE f1(t.a, m1);

END$$

DELIMITER ;$$

CALL p1('a');

Stack trace:

==19487==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x560c6f43577a bp 0x7f08dda18b40 sp 0x7f08dda18b30 T5)

==19487==The signal is caused by a READ memory access.

==19487==Hint: address points to the zero page.

    #0 0x560c6f435779 in Item_func_sp::cleanup() /home/bar/maria-git/server.10.2.asan/sql/item_func.cc:6502

    #1 0x560c6ebcd245 in Item::delete_self() /home/bar/maria-git/server.10.2.asan/sql/item.h:1841

    #2 0x560c6ebb717f in Query_arena::free_items() /home/bar/maria-git/server.10.2.asan/sql/sql_class.cc:3462

    #3 0x560c6eba9d5a in THD::cleanup_after_query() /home/bar/maria-git/server.10.2.asan/sql/sql_class.cc:2077

    #4 0x560c6f6bcbc8 in sp_head::execute(THD*, bool) /home/bar/maria-git/server.10.2.asan/sql/sp_head.cc:1345

    #5 0x560c6f6c12d8 in sp_head::execute_procedure(THD*, List<Item>*) /home/bar/maria-git/server.10.2.asan/sql/sp_head.cc:2116

    #6 0x560c6ec67825 in do_execute_sp /home/bar/maria-git/server.10.2.asan/sql/sql_parse.cc:2909

    #7 0x560c6ec7d11a in mysql_execute_command(THD*) /home/bar/maria-git/server.10.2.asan/sql/sql_parse.cc:5822

    #8 0x560c6ec8c2ec in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/bar/maria-git/server.10.2.asan/sql/sql_parse.

    #9 0x560c6ec61150 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/bar/maria-git/server.10.2.asan/sql

    #10 0x560c6ec5d924 in do_command(THD*) /home/bar/maria-git/server.10.2.asan/sql/sql_parse.cc:1374

    #11 0x560c6effdc89 in do_handle_one_connection(CONNECT*) /home/bar/maria-git/server.10.2.asan/sql/sql_connect.cc:1335

    #12 0x560c6effd584 in handle_one_connection /home/bar/maria-git/server.10.2.asan/sql/sql_connect.cc:1241

    #13 0x560c70590fed in pfs_spawn_thread /home/bar/maria-git/server.10.2.asan/storage/perfschema/pfs.cc:1862

    #14 0x7f08e915136c in start_thread (/lib64/libpthread.so.0+0x736c)

    #15 0x7f08e7d10b9e in clone (/lib64/libc.so.6+0x110b9e)

Alexander Barkov added a comment - 2018-07-25 12:53 A similar problem is repeatable if I use a stored function instead of the REGEXP operator: DELIMITER $$; CREATE OR REPLACE FUNCTION f1(a VARCHAR (10), b VARCHAR (10)) RETURNS INT BEGIN RETURN 1; END ;$$ CREATE OR REPLACE PROCEDURE p1(m1 varchar (5)) BEGIN SELECT a FROM ( SELECT "aa" a) t WHERE f1(t.a, m1); END $$ DELIMITER ;$$ CALL p1( 'a' ); Stack trace: ==19487==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x560c6f43577a bp 0x7f08dda18b40 sp 0x7f08dda18b30 T5) ==19487==The signal is caused by a READ memory access. ==19487==Hint: address points to the zero page. #0 0x560c6f435779 in Item_func_sp::cleanup() /home/bar/maria-git/server.10.2.asan/sql/item_func.cc:6502 #1 0x560c6ebcd245 in Item::delete_self() /home/bar/maria-git/server.10.2.asan/sql/item.h:1841 #2 0x560c6ebb717f in Query_arena::free_items() /home/bar/maria-git/server.10.2.asan/sql/sql_class.cc:3462 #3 0x560c6eba9d5a in THD::cleanup_after_query() /home/bar/maria-git/server.10.2.asan/sql/sql_class.cc:2077 #4 0x560c6f6bcbc8 in sp_head::execute(THD*, bool) /home/bar/maria-git/server.10.2.asan/sql/sp_head.cc:1345 #5 0x560c6f6c12d8 in sp_head::execute_procedure(THD*, List<Item>*) /home/bar/maria-git/server.10.2.asan/sql/sp_head.cc:2116 #6 0x560c6ec67825 in do_execute_sp /home/bar/maria-git/server.10.2.asan/sql/sql_parse.cc:2909 #7 0x560c6ec7d11a in mysql_execute_command(THD*) /home/bar/maria-git/server.10.2.asan/sql/sql_parse.cc:5822 #8 0x560c6ec8c2ec in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/bar/maria-git/server.10.2.asan/sql/sql_parse. #9 0x560c6ec61150 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/bar/maria-git/server.10.2.asan/sql #10 0x560c6ec5d924 in do_command(THD*) /home/bar/maria-git/server.10.2.asan/sql/sql_parse.cc:1374 #11 0x560c6effdc89 in do_handle_one_connection(CONNECT*) /home/bar/maria-git/server.10.2.asan/sql/sql_connect.cc:1335 #12 0x560c6effd584 in handle_one_connection /home/bar/maria-git/server.10.2.asan/sql/sql_connect.cc:1241 #13 0x560c70590fed in pfs_spawn_thread /home/bar/maria-git/server.10.2.asan/storage/perfschema/pfs.cc:1862 #14 0x7f08e915136c in start_thread (/lib64/libpthread.so.0+0x736c) #15 0x7f08e7d10b9e in clone (/lib64/libc.so.6+0x110b9e)

Alexander Barkov added a comment - 2018-07-25 11:09

The problem is repeatable with a simplified test:

DELIMITER $$;

CREATE PROCEDURE p1(m1 varchar(5))

BEGIN

  SELECT a FROM (SELECT "aa" a) t WHERE t.a regexp m1;

END$$

DELIMITER ;$$

CALL p1('a');

Alexander Barkov added a comment - 2018-07-25 11:09 The problem is repeatable with a simplified test: DELIMITER $$; CREATE PROCEDURE p1(m1 varchar (5)) BEGIN SELECT a FROM ( SELECT "aa" a) t WHERE t.a regexp m1; END $$ DELIMITER ;$$ CALL p1( 'a' );

Holger Rojahn added a comment - 2018-06-28 13:51

Replaced RegEx in 16611 to Likes an it won't crash..

Holger Rojahn added a comment - 2018-06-28 13:51 Replaced RegEx in 16611 to Likes an it won't crash..

Elena Stepanova added a comment - 2018-06-28 13:06

ASAN:

10.2 10d09a57f8
=================================================================
==7542==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100000a598 at pc 0x557b20cef86e bp 0x7fd0fcefc140 sp 0x7fd0fcefc138
READ of size 4 at 0x61100000a598 thread T5
#0 0x557b20cef86d in sf_malloc_usable_size /data/src/10.2/mysys/safemalloc.c:215
#1 0x557b20cbe9dc in my_free /data/src/10.2/mysys/my_malloc.c:215
#2 0x557b1fd4f86a in Regexp_processor_pcre::cleanup() /data/src/10.2/sql/item_cmpfunc.h:2091
#3 0x557b1fd4f9ca in Item_func_regex::cleanup() /data/src/10.2/sql/item_cmpfunc.h:2112
#4 0x557b1f5ffb93 in Item::delete_self() /data/src/10.2/sql/item.h:1835
#5 0x557b1f5ea4fc in Query_arena::free_items() /data/src/10.2/sql/sql_class.cc:3559
#6 0x557b1f5ddb00 in THD::cleanup_after_query() /data/src/10.2/sql/sql_class.cc:2174
#7 0x557b20014302 in sp_head::execute(THD*, bool) /data/src/10.2/sql/sp_head.cc:1344
#8 0x557b20017f65 in sp_head::execute_procedure(THD, List<Item>) /data/src/10.2/sql/sp_head.cc:2115
#9 0x557b1f68b3fc in do_execute_sp /data/src/10.2/sql/sql_parse.cc:2909
#10 0x557b1f69d734 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:5822
#11 0x557b1f6aad4e in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7999
#12 0x557b1f6858be in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1821
#13 0x557b1f682962 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1375
#14 0x557b1f9c348b in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
#15 0x557b1f9c2ea0 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
#16 0x557b203d08ff in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
#17 0x7fd109381493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
#18 0x7fd10776793e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)

0x61100000a598 is located 88 bytes inside of 196-byte region [0x61100000a540,0x61100000a604)
freed by thread T5 here:
#0 0x7fd1095eb527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
#1 0x557b20cf016b in free_memory /data/src/10.2/mysys/safemalloc.c:279
#2 0x557b20cef771 in sf_free /data/src/10.2/mysys/safemalloc.c:197
#3 0x557b20cbea12 in my_free /data/src/10.2/mysys/my_malloc.c:217
#4 0x557b1fd4f86a in Regexp_processor_pcre::cleanup() /data/src/10.2/sql/item_cmpfunc.h:2091
#5 0x557b1fd4f9ca in Item_func_regex::cleanup() /data/src/10.2/sql/item_cmpfunc.h:2112
#6 0x557b1f681255 in cleanup_items(Item*) /data/src/10.2/sql/sql_parse.cc:1132
#7 0x557b2001420d in sp_head::execute(THD*, bool) /data/src/10.2/sql/sp_head.cc:1331
#8 0x557b20017f65 in sp_head::execute_procedure(THD, List<Item>) /data/src/10.2/sql/sp_head.cc:2115
#9 0x557b1f68b3fc in do_execute_sp /data/src/10.2/sql/sql_parse.cc:2909
#10 0x557b1f69d734 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:5822
#11 0x557b1f6aad4e in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7999
#12 0x557b1f6858be in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1821
#13 0x557b1f682962 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1375
#14 0x557b1f9c348b in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
#15 0x557b1f9c2ea0 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
#16 0x557b203d08ff in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
#17 0x7fd109381493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)

previously allocated by thread T5 here:
#0 0x7fd1095eb73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
#1 0x557b20ceeee1 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
#2 0x557b20cbe14a in my_malloc /data/src/10.2/mysys/my_malloc.c:101
#3 0x557b1f48c124 in my_str_malloc_mysqld /data/src/10.2/sql/mysqld.cc:3657
#4 0x557b20df77b9 in pcre_compile2 /data/src/10.2/pcre/pcre_compile.c:9410
#5 0x557b20df5c3b in pcre_compile /data/src/10.2/pcre/pcre_compile.c:9039
#6 0x557b1fd3de89 in Regexp_processor_pcre::compile(String*, bool) /data/src/10.2/sql/item_cmpfunc.cc:5458
#7 0x557b1fd3e19b in Regexp_processor_pcre::compile(Item*, bool) /data/src/10.2/sql/item_cmpfunc.cc:5479
#8 0x557b1fd3efa8 in Regexp_processor_pcre::fix_owner(Item_func, Item, Item*) /data/src/10.2/sql/item_cmpfunc.cc:5657
#9 0x557b1fd3f289 in Item_func_regex::fix_length_and_dec() /data/src/10.2/sql/item_cmpfunc.cc:5684
#10 0x557b1fd86a96 in Item_func::fix_fields(THD, Item*) /data/src/10.2/sql/item_func.cc:240
#11 0x557b1fd3f10c in Item_func_regex::fix_fields(THD, Item*) /data/src/10.2/sql/item_cmpfunc.cc:5673
#12 0x557b1fd36249 in Item_cond::fix_fields(THD, Item*) /data/src/10.2/sql/item_cmpfunc.cc:4588
#13 0x557b1f5993ce in setup_conds(THD, TABLE_LIST, List<TABLE_LIST>&, Item**) /data/src/10.2/sql/sql_base.cc:7827
#14 0x557b1f720c36 in setup_without_group /data/src/10.2/sql/sql_select.cc:640
#15 0x557b1f722c55 in JOIN::prepare(TABLE_LIST, unsigned int, Item, unsigned int, st_order, bool, st_order, Item, st_order, st_select_lex, st_select_lex_unit) /data/src/10.2/sql/sql_select.cc:825
#16 0x557b1f73f629 in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/src/10.2/sql/sql_select.cc:3760
#17 0x557b1f71ef66 in handle_select(THD, LEX, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:376
#18 0x557b1f6a20d5 in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6474
#19 0x557b1f68ee78 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3480
#20 0x557b2001ef2d in sp_instr_stmt::exec_core(THD, unsigned int) /data/src/10.2/sql/sp_head.cc:3244
#21 0x557b2001db78 in sp_lex_keeper::reset_lex_and_exec_core(THD, unsigned int, bool, sp_instr*) /data/src/10.2/sql/sp_head.cc:3007
#22 0x557b2001e7f7 in sp_instr_stmt::execute(THD, unsigned int) /data/src/10.2/sql/sp_head.cc:3160
#23 0x557b20014178 in sp_head::execute(THD*, bool) /data/src/10.2/sql/sp_head.cc:1326
#24 0x557b20017f65 in sp_head::execute_procedure(THD, List<Item>) /data/src/10.2/sql/sp_head.cc:2115
#25 0x557b1f68b3fc in do_execute_sp /data/src/10.2/sql/sql_parse.cc:2909
#26 0x557b1f69d734 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:5822
#27 0x557b1f6aad4e in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7999
#28 0x557b1f6858be in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1821
#29 0x557b1f682962 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1375

Thread T5 created by T0 here:
#0 0x7fd1095babba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
#1 0x557b203d0ec7 in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1912
#2 0x557b1f47f91e in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1239
#3 0x557b1f494809 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6451
#4 0x557b1f494f0e in create_new_thread /data/src/10.2/sql/mysqld.cc:6521
#5 0x557b1f495f1f in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6796
#6 0x557b1f493d5e in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6070
#7 0x557b1f47dcbf in main /data/src/10.2/sql/main.cc:25
#8 0x7fd10769f2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.2/mysys/safemalloc.c:215 sf_malloc_usable_size
Shadow bytes around the buggy address:
0x0c227fff9460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff9470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff9480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff9490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff94a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c227fff94b0: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
0x0c227fff94c0: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff94d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c227fff94e0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
0x0c227fff94f0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c227fff9500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==7542==ABORTING

Elena Stepanova added a comment - 2018-06-28 13:06 ASAN: 10.2 10d09a57f8 ================================================================= ==7542==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100000a598 at pc 0x557b20cef86e bp 0x7fd0fcefc140 sp 0x7fd0fcefc138 READ of size 4 at 0x61100000a598 thread T5 #0 0x557b20cef86d in sf_malloc_usable_size /data/src/10.2/mysys/safemalloc.c:215 #1 0x557b20cbe9dc in my_free /data/src/10.2/mysys/my_malloc.c:215 #2 0x557b1fd4f86a in Regexp_processor_pcre::cleanup() /data/src/10.2/sql/item_cmpfunc.h:2091 #3 0x557b1fd4f9ca in Item_func_regex::cleanup() /data/src/10.2/sql/item_cmpfunc.h:2112 #4 0x557b1f5ffb93 in Item::delete_self() /data/src/10.2/sql/item.h:1835 #5 0x557b1f5ea4fc in Query_arena::free_items() /data/src/10.2/sql/sql_class.cc:3559 #6 0x557b1f5ddb00 in THD::cleanup_after_query() /data/src/10.2/sql/sql_class.cc:2174 #7 0x557b20014302 in sp_head::execute(THD*, bool) /data/src/10.2/sql/sp_head.cc:1344 #8 0x557b20017f65 in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.2/sql/sp_head.cc:2115 #9 0x557b1f68b3fc in do_execute_sp /data/src/10.2/sql/sql_parse.cc:2909 #10 0x557b1f69d734 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:5822 #11 0x557b1f6aad4e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7999 #12 0x557b1f6858be in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1821 #13 0x557b1f682962 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1375 #14 0x557b1f9c348b in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335 #15 0x557b1f9c2ea0 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241 #16 0x557b203d08ff in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862 #17 0x7fd109381493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493) #18 0x7fd10776793e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e) 0x61100000a598 is located 88 bytes inside of 196-byte region [0x61100000a540,0x61100000a604) freed by thread T5 here: #0 0x7fd1095eb527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527) #1 0x557b20cf016b in free_memory /data/src/10.2/mysys/safemalloc.c:279 #2 0x557b20cef771 in sf_free /data/src/10.2/mysys/safemalloc.c:197 #3 0x557b20cbea12 in my_free /data/src/10.2/mysys/my_malloc.c:217 #4 0x557b1fd4f86a in Regexp_processor_pcre::cleanup() /data/src/10.2/sql/item_cmpfunc.h:2091 #5 0x557b1fd4f9ca in Item_func_regex::cleanup() /data/src/10.2/sql/item_cmpfunc.h:2112 #6 0x557b1f681255 in cleanup_items(Item*) /data/src/10.2/sql/sql_parse.cc:1132 #7 0x557b2001420d in sp_head::execute(THD*, bool) /data/src/10.2/sql/sp_head.cc:1331 #8 0x557b20017f65 in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.2/sql/sp_head.cc:2115 #9 0x557b1f68b3fc in do_execute_sp /data/src/10.2/sql/sql_parse.cc:2909 #10 0x557b1f69d734 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:5822 #11 0x557b1f6aad4e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7999 #12 0x557b1f6858be in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1821 #13 0x557b1f682962 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1375 #14 0x557b1f9c348b in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335 #15 0x557b1f9c2ea0 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241 #16 0x557b203d08ff in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862 #17 0x7fd109381493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493) previously allocated by thread T5 here: #0 0x7fd1095eb73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f) #1 0x557b20ceeee1 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118 #2 0x557b20cbe14a in my_malloc /data/src/10.2/mysys/my_malloc.c:101 #3 0x557b1f48c124 in my_str_malloc_mysqld /data/src/10.2/sql/mysqld.cc:3657 #4 0x557b20df77b9 in pcre_compile2 /data/src/10.2/pcre/pcre_compile.c:9410 #5 0x557b20df5c3b in pcre_compile /data/src/10.2/pcre/pcre_compile.c:9039 #6 0x557b1fd3de89 in Regexp_processor_pcre::compile(String*, bool) /data/src/10.2/sql/item_cmpfunc.cc:5458 #7 0x557b1fd3e19b in Regexp_processor_pcre::compile(Item*, bool) /data/src/10.2/sql/item_cmpfunc.cc:5479 #8 0x557b1fd3efa8 in Regexp_processor_pcre::fix_owner(Item_func*, Item*, Item*) /data/src/10.2/sql/item_cmpfunc.cc:5657 #9 0x557b1fd3f289 in Item_func_regex::fix_length_and_dec() /data/src/10.2/sql/item_cmpfunc.cc:5684 #10 0x557b1fd86a96 in Item_func::fix_fields(THD*, Item**) /data/src/10.2/sql/item_func.cc:240 #11 0x557b1fd3f10c in Item_func_regex::fix_fields(THD*, Item**) /data/src/10.2/sql/item_cmpfunc.cc:5673 #12 0x557b1fd36249 in Item_cond::fix_fields(THD*, Item**) /data/src/10.2/sql/item_cmpfunc.cc:4588 #13 0x557b1f5993ce in setup_conds(THD*, TABLE_LIST*, List<TABLE_LIST>&, Item**) /data/src/10.2/sql/sql_base.cc:7827 #14 0x557b1f720c36 in setup_without_group /data/src/10.2/sql/sql_select.cc:640 #15 0x557b1f722c55 in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.2/sql/sql_select.cc:825 #16 0x557b1f73f629 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3760 #17 0x557b1f71ef66 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:376 #18 0x557b1f6a20d5 in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6474 #19 0x557b1f68ee78 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3480 #20 0x557b2001ef2d in sp_instr_stmt::exec_core(THD*, unsigned int*) /data/src/10.2/sql/sp_head.cc:3244 #21 0x557b2001db78 in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) /data/src/10.2/sql/sp_head.cc:3007 #22 0x557b2001e7f7 in sp_instr_stmt::execute(THD*, unsigned int*) /data/src/10.2/sql/sp_head.cc:3160 #23 0x557b20014178 in sp_head::execute(THD*, bool) /data/src/10.2/sql/sp_head.cc:1326 #24 0x557b20017f65 in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.2/sql/sp_head.cc:2115 #25 0x557b1f68b3fc in do_execute_sp /data/src/10.2/sql/sql_parse.cc:2909 #26 0x557b1f69d734 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:5822 #27 0x557b1f6aad4e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7999 #28 0x557b1f6858be in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1821 #29 0x557b1f682962 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1375 Thread T5 created by T0 here: #0 0x7fd1095babba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba) #1 0x557b203d0ec7 in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1912 #2 0x557b1f47f91e in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1239 #3 0x557b1f494809 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6451 #4 0x557b1f494f0e in create_new_thread /data/src/10.2/sql/mysqld.cc:6521 #5 0x557b1f495f1f in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6796 #6 0x557b1f493d5e in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6070 #7 0x557b1f47dcbf in main /data/src/10.2/sql/main.cc:25 #8 0x7fd10769f2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0) SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.2/mysys/safemalloc.c:215 sf_malloc_usable_size Shadow bytes around the buggy address: 0x0c227fff9460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c227fff9470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c227fff9480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c227fff9490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c227fff94a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd =>0x0c227fff94b0: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd 0x0c227fff94c0: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c227fff94d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c227fff94e0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa 0x0c227fff94f0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c227fff9500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Contiguous container OOB:fc ASan internal: fe ==7542==ABORTING

People

Assignee:: Alexander Barkov

Reporter:: Alice Sherepa

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2018-06-28 12:51

Updated:: 2021-06-20 11:15

Resolved:: 2018-07-26 09:10

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server