Details
Critical Description
CREATE TABLE t5 ( |
i1 smallint(11) unsigned zerofill , |
e1 enum('','a') , |
b1 mediumblob /*!100301 COMPRESSED*/ , |
d2 date NOT NULL DEFAULT '1900-01-01', |
pk bigint(20) unsigned NOT NULL DEFAULT 0, |
d1 timestamp NULL , |
v1 varbinary(3362) ,
|
t1 time NOT NULL DEFAULT '00:00:00' |
);
|
|
|
INSERT INTO t5 VALUES (00000000004,'','ufhjdtv','1992-07-25',1,'2035-06-05 09:02:48','f','13:25:21'),(00000000001,'','jdt','1998-07-03',2,'1994-05-05 19:59:20','','09:09:19'),(00000000000,'','d','2007-12-05',3,'0000-00-00 00:00:00','tvs','02:51:15'); |
|
|
SELECT GROUP_CONCAT(t5.i1, IF(t5.e1, t5.b1, t5.e1), |
IF(t5.d1, t5.t1, t5.d1), t5.v1, |
IF(t5.i1, t5.i1, t5.d2), t5.v1, t5.b1 |
ORDER BY 2,6,1,7,4,3,5 SEPARATOR ';') |
FROM (t5 JOIN t5 AS tt ON (tt.pk != t5.pk)); |
10.3 commit 1748a31ae8d69e49
|
Version: '10.3.9-MariaDB-debug-log' socket: '/home/alice/git/10.3/mysql-test/var/tmp/mysqld.1.sock' port: 16000 Source distribution
|
=================================================================
|
==22714==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00000cd70 at pc 0x7f2a7f953676 bp 0x7f2a73e24900 sp 0x7f2a73e240a8
|
READ of size 2 at 0x60c00000cd70 thread T5
|
#0 0x7f2a7f953675 in memcmp (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x77675)
|
#1 0x55ead621f4e2 in my_strnncoll_binary /home/alice/git/10.3/strings/ctype-bin.c:85
|
#2 0x55ead621f565 in my_strnncollsp_binary /home/alice/git/10.3/strings/ctype-bin.c:124
|
#3 0x55ead50bce36 in Field_blob::cmp(unsigned char const*, unsigned int, unsigned char const*, unsigned int) /home/alice/git/10.3/sql/field.cc:8364
|
#4 0x55ead50bd0de in Field_blob::cmp_max(unsigned char const*, unsigned char const*, unsigned int) /home/alice/git/10.3/sql/field.cc:8377
|
#5 0x55ead50e0c2b in Field_blob::cmp(unsigned char const*, unsigned char const*) /home/alice/git/10.3/sql/field.h:3651
|
#6 0x55ead5340596 in group_concat_key_cmp_with_order /home/alice/git/10.3/sql/item_sum.cc:3525
|
#7 0x55ead61cf79f in tree_insert /home/alice/git/10.3/mysys/tree.c:250
|
#8 0x55ead5344292 in Item_func_group_concat::add() /home/alice/git/10.3/sql/item_sum.cc:3880
|
#9 0x55ead53480c5 in Aggregator_simple::add() /home/alice/git/10.3/sql/item_sum.h:706
|
#10 0x55ead4b92fd7 in Item_sum::aggregator_add() (/home/alice/git/10.3/sql/mysqld+0x10ecfd7)
|
#11 0x55ead4b77c97 in update_sum_func /home/alice/git/10.3/sql/sql_select.cc:24207
|
#12 0x55ead4b60650 in end_send_group(JOIN*, st_join_table*, bool) /home/alice/git/10.3/sql/sql_select.cc:20664
|
#13 0x55ead4e0c908 in JOIN_CACHE::generate_full_extensions(unsigned char*) /home/alice/git/10.3/sql/sql_join_cache.cc:2400
|
#14 0x55ead4e0c223 in JOIN_CACHE::join_matching_records(bool) /home/alice/git/10.3/sql/sql_join_cache.cc:2292
|
#15 0x55ead4e0abb6 in JOIN_CACHE::join_records(bool) /home/alice/git/10.3/sql/sql_join_cache.cc:2088
|
#16 0x55ead4b55295 in sub_select_cache(JOIN*, st_join_table*, bool) /home/alice/git/10.3/sql/sql_select.cc:19051
|
#17 0x55ead4b55772 in sub_select(JOIN*, st_join_table*, bool) /home/alice/git/10.3/sql/sql_select.cc:19222
|
#18 0x55ead4b543e6 in do_select /home/alice/git/10.3/sql/sql_select.cc:18813
|
#19 0x55ead4af3c0c in JOIN::exec_inner() /home/alice/git/10.3/sql/sql_select.cc:4021
|
#20 0x55ead4af1951 in JOIN::exec() /home/alice/git/10.3/sql/sql_select.cc:3815
|
#21 0x55ead4af4d23 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/alice/git/10.3/sql/sql_select.cc:4220
|
#22 0x55ead4ad0568 in handle_select(THD*, LEX*, select_result*, unsigned long) /home/alice/git/10.3/sql/sql_select.cc:382
|
#23 0x55ead4a560b9 in execute_sqlcom_select /home/alice/git/10.3/sql/sql_parse.cc:6542
|
#24 0x55ead4a448cc in mysql_execute_command(THD*) /home/alice/git/10.3/sql/sql_parse.cc:3765
|
#25 0x55ead4a5e9c7 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/alice/git/10.3/sql/sql_parse.cc:8073
|
#26 0x55ead4a396ae in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/alice/git/10.3/sql/sql_parse.cc:1847
|
#27 0x55ead4a36846 in do_command(THD*) /home/alice/git/10.3/sql/sql_parse.cc:1392
|
#28 0x55ead4d85ca1 in do_handle_one_connection(CONNECT*) /home/alice/git/10.3/sql/sql_connect.cc:1402
|
#29 0x55ead4d8567e in handle_one_connection /home/alice/git/10.3/sql/sql_connect.cc:1308
|
#30 0x55ead609d1d4 in pfs_spawn_thread /home/alice/git/10.3/storage/perfschema/pfs.cc:1862
|
#31 0x7f2a7e7886b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
|
#32 0x7f2a7dc1d41c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
|
without ASAN it returns: ZLIB: Input data corrupted
CURRENT_TEST: main.1_my
|
mysqltest: At line 20: query 'SELECT GROUP_CONCAT(t5.i1, IF(t5.e1, t5.b1, t5.e1),
|
IF(t5.d1, t5.t1, t5.d1), t5.v1,
|
IF(t5.i1, t5.i1, t5.d2), t5.v1, t5.b1
|
ORDER BY 2,6,1,7,4,3,5 SEPARATOR ';')
|
FROM (t5 JOIN t5 AS tt ON (tt.pk != t5.pk))' failed: 1259: ZLIB: Input data corrupted
|
Attachments
Issue Links
- relates to
-
MDEV-14391 InnoDB crash, memory corruption
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
-
-
- Confirmed
-
Activity
| Field | Original Value | New Value |
|---|---|---|
| Assignee | Sergey Vojtovich [ svoj ] |
| Link |
This issue relates to |
| Link |
This issue relates to |
| Description |
{code:sql}
CREATE TABLE t5 ( i1 smallint(11) unsigned zerofill , e1 enum('','a') , b1 mediumblob /*!100301 COMPRESSED*/ , d2 date NOT NULL DEFAULT '1900-01-01', pk bigint(20) unsigned NOT NULL DEFAULT 0, d1 timestamp NULL , v1 varbinary(3362) , t1 time NOT NULL DEFAULT '00:00:00' ); INSERT INTO t5 VALUES (00000000004,'','ufhjdtv','1992-07-25',1,'2035-06-05 09:02:48','f','13:25:21'),(00000000001,'','jdt','1998-07-03',2,'1994-05-05 19:59:20','','09:09:19'),(00000000000,'','d','2007-12-05',3,'0000-00-00 00:00:00','tvs','02:51:15'); SELECT GROUP_CONCAT(t5.i1, IF(t5.e1, t5.b1, t5.e1), IF(t5.d1, t5.t1, t5.d1), t5.v1, IF(t5.i1, t5.i1, t5.d2), t5.v1, t5.b1 ORDER BY 2,6,1,7,4,3,5 SEPARATOR ';') FROM (t5 JOIN t5 AS tt ON (tt.pk != t5.pk)); {code} {noformat} Version: '10.3.9-MariaDB-debug-log' socket: '/home/alice/git/10.3/mysql-test/var/tmp/mysqld.1.sock' port: 16000 Source distribution ================================================================= ==22714==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00000cd70 at pc 0x7f2a7f953676 bp 0x7f2a73e24900 sp 0x7f2a73e240a8 READ of size 2 at 0x60c00000cd70 thread T5 #0 0x7f2a7f953675 in memcmp (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x77675) #1 0x55ead621f4e2 in my_strnncoll_binary /home/alice/git/10.3/strings/ctype-bin.c:85 #2 0x55ead621f565 in my_strnncollsp_binary /home/alice/git/10.3/strings/ctype-bin.c:124 #3 0x55ead50bce36 in Field_blob::cmp(unsigned char const*, unsigned int, unsigned char const*, unsigned int) /home/alice/git/10.3/sql/field.cc:8364 #4 0x55ead50bd0de in Field_blob::cmp_max(unsigned char const*, unsigned char const*, unsigned int) /home/alice/git/10.3/sql/field.cc:8377 #5 0x55ead50e0c2b in Field_blob::cmp(unsigned char const*, unsigned char const*) /home/alice/git/10.3/sql/field.h:3651 #6 0x55ead5340596 in group_concat_key_cmp_with_order /home/alice/git/10.3/sql/item_sum.cc:3525 #7 0x55ead61cf79f in tree_insert /home/alice/git/10.3/mysys/tree.c:250 #8 0x55ead5344292 in Item_func_group_concat::add() /home/alice/git/10.3/sql/item_sum.cc:3880 #9 0x55ead53480c5 in Aggregator_simple::add() /home/alice/git/10.3/sql/item_sum.h:706 #10 0x55ead4b92fd7 in Item_sum::aggregator_add() (/home/alice/git/10.3/sql/mysqld+0x10ecfd7) #11 0x55ead4b77c97 in update_sum_func /home/alice/git/10.3/sql/sql_select.cc:24207 #12 0x55ead4b60650 in end_send_group(JOIN*, st_join_table*, bool) /home/alice/git/10.3/sql/sql_select.cc:20664 #13 0x55ead4e0c908 in JOIN_CACHE::generate_full_extensions(unsigned char*) /home/alice/git/10.3/sql/sql_join_cache.cc:2400 #14 0x55ead4e0c223 in JOIN_CACHE::join_matching_records(bool) /home/alice/git/10.3/sql/sql_join_cache.cc:2292 #15 0x55ead4e0abb6 in JOIN_CACHE::join_records(bool) /home/alice/git/10.3/sql/sql_join_cache.cc:2088 #16 0x55ead4b55295 in sub_select_cache(JOIN*, st_join_table*, bool) /home/alice/git/10.3/sql/sql_select.cc:19051 #17 0x55ead4b55772 in sub_select(JOIN*, st_join_table*, bool) /home/alice/git/10.3/sql/sql_select.cc:19222 #18 0x55ead4b543e6 in do_select /home/alice/git/10.3/sql/sql_select.cc:18813 #19 0x55ead4af3c0c in JOIN::exec_inner() /home/alice/git/10.3/sql/sql_select.cc:4021 #20 0x55ead4af1951 in JOIN::exec() /home/alice/git/10.3/sql/sql_select.cc:3815 #21 0x55ead4af4d23 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/alice/git/10.3/sql/sql_select.cc:4220 #22 0x55ead4ad0568 in handle_select(THD*, LEX*, select_result*, unsigned long) /home/alice/git/10.3/sql/sql_select.cc:382 #23 0x55ead4a560b9 in execute_sqlcom_select /home/alice/git/10.3/sql/sql_parse.cc:6542 #24 0x55ead4a448cc in mysql_execute_command(THD*) /home/alice/git/10.3/sql/sql_parse.cc:3765 #25 0x55ead4a5e9c7 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/alice/git/10.3/sql/sql_parse.cc:8073 #26 0x55ead4a396ae in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/alice/git/10.3/sql/sql_parse.cc:1847 #27 0x55ead4a36846 in do_command(THD*) /home/alice/git/10.3/sql/sql_parse.cc:1392 #28 0x55ead4d85ca1 in do_handle_one_connection(CONNECT*) /home/alice/git/10.3/sql/sql_connect.cc:1402 #29 0x55ead4d8567e in handle_one_connection /home/alice/git/10.3/sql/sql_connect.cc:1308 #30 0x55ead609d1d4 in pfs_spawn_thread /home/alice/git/10.3/storage/perfschema/pfs.cc:1862 #31 0x7f2a7e7886b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9) #32 0x7f2a7dc1d41c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c) {noformat} without ASAN it returns: ZLIB: Input data corrupted {noformat} CURRENT_TEST: main.1_my mysqltest: At line 20: query 'SELECT GROUP_CONCAT(t5.i1, IF(t5.e1, t5.b1, t5.e1), IF(t5.d1, t5.t1, t5.d1), t5.v1, IF(t5.i1, t5.i1, t5.d2), t5.v1, t5.b1 ORDER BY 2,6,1,7,4,3,5 SEPARATOR ';') FROM (t5 JOIN t5 AS tt ON (tt.pk != t5.pk))' failed: 1259: ZLIB: Input data corrupted {noformat} |
{code:sql}
CREATE TABLE t5 ( i1 smallint(11) unsigned zerofill , e1 enum('','a') , b1 mediumblob /*!100301 COMPRESSED*/ , d2 date NOT NULL DEFAULT '1900-01-01', pk bigint(20) unsigned NOT NULL DEFAULT 0, d1 timestamp NULL , v1 varbinary(3362) , t1 time NOT NULL DEFAULT '00:00:00' ); INSERT INTO t5 VALUES (00000000004,'','ufhjdtv','1992-07-25',1,'2035-06-05 09:02:48','f','13:25:21'),(00000000001,'','jdt','1998-07-03',2,'1994-05-05 19:59:20','','09:09:19'),(00000000000,'','d','2007-12-05',3,'0000-00-00 00:00:00','tvs','02:51:15'); SELECT GROUP_CONCAT(t5.i1, IF(t5.e1, t5.b1, t5.e1), IF(t5.d1, t5.t1, t5.d1), t5.v1, IF(t5.i1, t5.i1, t5.d2), t5.v1, t5.b1 ORDER BY 2,6,1,7,4,3,5 SEPARATOR ';') FROM (t5 JOIN t5 AS tt ON (tt.pk != t5.pk)); {code} {noformat} 10.3 commit 1748a31ae8d69e49 Version: '10.3.9-MariaDB-debug-log' socket: '/home/alice/git/10.3/mysql-test/var/tmp/mysqld.1.sock' port: 16000 Source distribution ================================================================= ==22714==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00000cd70 at pc 0x7f2a7f953676 bp 0x7f2a73e24900 sp 0x7f2a73e240a8 READ of size 2 at 0x60c00000cd70 thread T5 #0 0x7f2a7f953675 in memcmp (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x77675) #1 0x55ead621f4e2 in my_strnncoll_binary /home/alice/git/10.3/strings/ctype-bin.c:85 #2 0x55ead621f565 in my_strnncollsp_binary /home/alice/git/10.3/strings/ctype-bin.c:124 #3 0x55ead50bce36 in Field_blob::cmp(unsigned char const*, unsigned int, unsigned char const*, unsigned int) /home/alice/git/10.3/sql/field.cc:8364 #4 0x55ead50bd0de in Field_blob::cmp_max(unsigned char const*, unsigned char const*, unsigned int) /home/alice/git/10.3/sql/field.cc:8377 #5 0x55ead50e0c2b in Field_blob::cmp(unsigned char const*, unsigned char const*) /home/alice/git/10.3/sql/field.h:3651 #6 0x55ead5340596 in group_concat_key_cmp_with_order /home/alice/git/10.3/sql/item_sum.cc:3525 #7 0x55ead61cf79f in tree_insert /home/alice/git/10.3/mysys/tree.c:250 #8 0x55ead5344292 in Item_func_group_concat::add() /home/alice/git/10.3/sql/item_sum.cc:3880 #9 0x55ead53480c5 in Aggregator_simple::add() /home/alice/git/10.3/sql/item_sum.h:706 #10 0x55ead4b92fd7 in Item_sum::aggregator_add() (/home/alice/git/10.3/sql/mysqld+0x10ecfd7) #11 0x55ead4b77c97 in update_sum_func /home/alice/git/10.3/sql/sql_select.cc:24207 #12 0x55ead4b60650 in end_send_group(JOIN*, st_join_table*, bool) /home/alice/git/10.3/sql/sql_select.cc:20664 #13 0x55ead4e0c908 in JOIN_CACHE::generate_full_extensions(unsigned char*) /home/alice/git/10.3/sql/sql_join_cache.cc:2400 #14 0x55ead4e0c223 in JOIN_CACHE::join_matching_records(bool) /home/alice/git/10.3/sql/sql_join_cache.cc:2292 #15 0x55ead4e0abb6 in JOIN_CACHE::join_records(bool) /home/alice/git/10.3/sql/sql_join_cache.cc:2088 #16 0x55ead4b55295 in sub_select_cache(JOIN*, st_join_table*, bool) /home/alice/git/10.3/sql/sql_select.cc:19051 #17 0x55ead4b55772 in sub_select(JOIN*, st_join_table*, bool) /home/alice/git/10.3/sql/sql_select.cc:19222 #18 0x55ead4b543e6 in do_select /home/alice/git/10.3/sql/sql_select.cc:18813 #19 0x55ead4af3c0c in JOIN::exec_inner() /home/alice/git/10.3/sql/sql_select.cc:4021 #20 0x55ead4af1951 in JOIN::exec() /home/alice/git/10.3/sql/sql_select.cc:3815 #21 0x55ead4af4d23 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/alice/git/10.3/sql/sql_select.cc:4220 #22 0x55ead4ad0568 in handle_select(THD*, LEX*, select_result*, unsigned long) /home/alice/git/10.3/sql/sql_select.cc:382 #23 0x55ead4a560b9 in execute_sqlcom_select /home/alice/git/10.3/sql/sql_parse.cc:6542 #24 0x55ead4a448cc in mysql_execute_command(THD*) /home/alice/git/10.3/sql/sql_parse.cc:3765 #25 0x55ead4a5e9c7 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/alice/git/10.3/sql/sql_parse.cc:8073 #26 0x55ead4a396ae in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/alice/git/10.3/sql/sql_parse.cc:1847 #27 0x55ead4a36846 in do_command(THD*) /home/alice/git/10.3/sql/sql_parse.cc:1392 #28 0x55ead4d85ca1 in do_handle_one_connection(CONNECT*) /home/alice/git/10.3/sql/sql_connect.cc:1402 #29 0x55ead4d8567e in handle_one_connection /home/alice/git/10.3/sql/sql_connect.cc:1308 #30 0x55ead609d1d4 in pfs_spawn_thread /home/alice/git/10.3/storage/perfschema/pfs.cc:1862 #31 0x7f2a7e7886b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9) #32 0x7f2a7dc1d41c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c) {noformat} without ASAN it returns: ZLIB: Input data corrupted {noformat} CURRENT_TEST: main.1_my mysqltest: At line 20: query 'SELECT GROUP_CONCAT(t5.i1, IF(t5.e1, t5.b1, t5.e1), IF(t5.d1, t5.t1, t5.d1), t5.v1, IF(t5.i1, t5.i1, t5.d2), t5.v1, t5.b1 ORDER BY 2,6,1,7,4,3,5 SEPARATOR ';') FROM (t5 JOIN t5 AS tt ON (tt.pk != t5.pk))' failed: 1259: ZLIB: Input data corrupted {noformat} |
| Status | Open [ 1 ] | Confirmed [ 10101 ] |
| Affects Version/s | 10.4 [ 22408 ] |
| Fix Version/s | 10.4 [ 22408 ] |
| Link |
This issue relates to |
| Summary | ASAN: heap-use-after-free with blob compressed | ASAN: heap-use-after-free in my_strnncoll_binary with blob compressed |
| Assignee | Sergey Vojtovich [ svoj ] | Oleksandr Byelkin [ sanja ] |
Another variation of the stack trace:
CREATE TABLE t1 (f TEXT COMPRESSED); |
INSERT INTO t1 VALUES ('foo'),(REPEAT('a',55000)); |
SELECT GROUP_CONCAT(f ORDER BY 1) FROM t1; |
|
|
# Cleanup
|
DROP TABLE t1; |
|
10.3 6cbbd6bd ASAN |
==2920715==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00000ca70 at pc 0x5568ad2aa05a bp 0x7fbe5811d790 sp 0x7fbe5811d780
|
READ of size 1 at 0x60c00000ca70 thread T5
|
#0 0x5568ad2aa059 in my_strnncollsp_simple /data/src/10.3/strings/ctype-simple.c:182
|
#1 0x5568abd9b7ce in Field_blob::cmp(unsigned char const*, unsigned int, unsigned char const*, unsigned int) /data/src/10.3/sql/field.cc:8523
|
#2 0x5568abd9bad7 in Field_blob::cmp(unsigned char const*, unsigned char const*) /data/src/10.3/sql/field.cc:8534
|
#3 0x5568ac05d242 in group_concat_key_cmp_with_order /data/src/10.3/sql/item_sum.cc:3587
|
#4 0x5568ad237714 in tree_insert /data/src/10.3/mysys/tree.c:249
|
#5 0x5568ac062265 in Item_func_group_concat::add() /data/src/10.3/sql/item_sum.cc:4021
|
#6 0x5568ac066d8b in Aggregator_simple::add() /data/src/10.3/sql/item_sum.h:707
|
#7 0x5568ab7ff789 in Item_sum::aggregator_add() (/data/bld/10.3-asan-nightly/bin/mysqld+0x11db789)
|
#8 0x5568ab7e1522 in update_sum_func /data/src/10.3/sql/sql_select.cc:24752
|
#9 0x5568ab7c6643 in end_send_group(JOIN*, st_join_table*, bool) /data/src/10.3/sql/sql_select.cc:21107
|
#10 0x5568ab7bc90f in evaluate_join_record /data/src/10.3/sql/sql_select.cc:19934
|
#11 0x5568ab7bb945 in sub_select(JOIN*, st_join_table*, bool) /data/src/10.3/sql/sql_select.cc:19753
|
#12 0x5568ab7b9497 in do_select /data/src/10.3/sql/sql_select.cc:19254
|
#13 0x5568ab74d216 in JOIN::exec_inner() /data/src/10.3/sql/sql_select.cc:4116
|
#14 0x5568ab74ab93 in JOIN::exec() /data/src/10.3/sql/sql_select.cc:3910
|
#15 0x5568ab74e5de in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.3/sql/sql_select.cc:4315
|
#16 0x5568ab7253e4 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.3/sql/sql_select.cc:370
|
#17 0x5568ab698180 in execute_sqlcom_select /data/src/10.3/sql/sql_parse.cc:6286
|
#18 0x5568ab685b31 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3812
|
#19 0x5568ab6a1e2c in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7810
|
#20 0x5568ab678e98 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1847
|
#21 0x5568ab6759ec in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1393
|
#22 0x5568aba3b494 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
|
#23 0x5568aba3ad4e in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
|
#24 0x5568ad034578 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
|
#25 0x7fbe62fcf608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
|
#26 0x7fbe62bab292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
|
|
|
0x60c00000ca70 is located 112 bytes inside of 124-byte region [0x60c00000ca00,0x60c00000ca7c)
|
freed by thread T5 here:
|
#0 0x7fbe631cd7cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
|
#1 0x5568ad245de3 in free_memory /data/src/10.3/mysys/safemalloc.c:279
|
#2 0x5568ad2453b0 in sf_free /data/src/10.3/mysys/safemalloc.c:197
|
#3 0x5568ad213aad in my_free /data/src/10.3/mysys/my_malloc.c:223
|
#4 0x5568ab3cab61 in String::free() /data/src/10.3/sql/sql_string.h:351
|
#5 0x5568ab8928ee in String::real_alloc(unsigned long) /data/src/10.3/sql/sql_string.cc:43
|
#6 0x5568ab3f5e41 in String::alloc(unsigned long) /data/src/10.3/sql/sql_string.h:361
|
#7 0x5568abd9ef6e in Field_blob_compressed::store(char const*, unsigned long, charset_info_st const*) /data/src/10.3/sql/field.cc:8872
|
#8 0x5568abdce7b0 in do_save_blob /data/src/10.3/sql/field_conv.cc:359
|
#9 0x5568abdcd734 in do_copy_null /data/src/10.3/sql/field_conv.cc:246
|
#10 0x5568ab7de417 in copy_fields(TMP_TABLE_PARAM*) /data/src/10.3/sql/sql_select.cc:24370
|
#11 0x5568ac0617b1 in Item_func_group_concat::add() /data/src/10.3/sql/item_sum.cc:3977
|
#12 0x5568ac066d8b in Aggregator_simple::add() /data/src/10.3/sql/item_sum.h:707
|
#13 0x5568ab7ff789 in Item_sum::aggregator_add() (/data/bld/10.3-asan-nightly/bin/mysqld+0x11db789)
|
#14 0x5568ab7e1522 in update_sum_func /data/src/10.3/sql/sql_select.cc:24752
|
#15 0x5568ab7c6643 in end_send_group(JOIN*, st_join_table*, bool) /data/src/10.3/sql/sql_select.cc:21107
|
#16 0x5568ab7bc90f in evaluate_join_record /data/src/10.3/sql/sql_select.cc:19934
|
#17 0x5568ab7bb945 in sub_select(JOIN*, st_join_table*, bool) /data/src/10.3/sql/sql_select.cc:19753
|
#18 0x5568ab7b9497 in do_select /data/src/10.3/sql/sql_select.cc:19254
|
#19 0x5568ab74d216 in JOIN::exec_inner() /data/src/10.3/sql/sql_select.cc:4116
|
#20 0x5568ab74ab93 in JOIN::exec() /data/src/10.3/sql/sql_select.cc:3910
|
#21 0x5568ab74e5de in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.3/sql/sql_select.cc:4315
|
#22 0x5568ab7253e4 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.3/sql/sql_select.cc:370
|
#23 0x5568ab698180 in execute_sqlcom_select /data/src/10.3/sql/sql_parse.cc:6286
|
#24 0x5568ab685b31 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3812
|
#25 0x5568ab6a1e2c in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7810
|
#26 0x5568ab678e98 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1847
|
#27 0x5568ab6759ec in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1393
|
#28 0x5568aba3b494 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
|
#29 0x5568aba3ad4e in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
|
|
|
previously allocated by thread T5 here:
|
#0 0x7fbe631cdbc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
|
#1 0x5568ad244d74 in sf_malloc /data/src/10.3/mysys/safemalloc.c:118
|
#2 0x5568ad212fcb in my_malloc /data/src/10.3/mysys/my_malloc.c:101
|
#3 0x5568ab89294d in String::real_alloc(unsigned long) /data/src/10.3/sql/sql_string.cc:44
|
#4 0x5568ab3f5e41 in String::alloc(unsigned long) /data/src/10.3/sql/sql_string.h:361
|
#5 0x5568abd9ef6e in Field_blob_compressed::store(char const*, unsigned long, charset_info_st const*) /data/src/10.3/sql/field.cc:8872
|
#6 0x5568abdce7b0 in do_save_blob /data/src/10.3/sql/field_conv.cc:359
|
#7 0x5568abdcd734 in do_copy_null /data/src/10.3/sql/field_conv.cc:246
|
#8 0x5568ab7de417 in copy_fields(TMP_TABLE_PARAM*) /data/src/10.3/sql/sql_select.cc:24370
|
#9 0x5568ac0617b1 in Item_func_group_concat::add() /data/src/10.3/sql/item_sum.cc:3977
|
#10 0x5568ac066d8b in Aggregator_simple::add() /data/src/10.3/sql/item_sum.h:707
|
#11 0x5568ab7ff789 in Item_sum::aggregator_add() (/data/bld/10.3-asan-nightly/bin/mysqld+0x11db789)
|
#12 0x5568ab7ff3ff in Item_sum::reset_and_add() /data/src/10.3/sql/item_sum.h:441
|
#13 0x5568ab7e1467 in init_sum_functions /data/src/10.3/sql/sql_select.cc:24734
|
#14 0x5568ab7c6463 in end_send_group(JOIN*, st_join_table*, bool) /data/src/10.3/sql/sql_select.cc:21099
|
#15 0x5568ab7bc90f in evaluate_join_record /data/src/10.3/sql/sql_select.cc:19934
|
#16 0x5568ab7bb2c2 in sub_select(JOIN*, st_join_table*, bool) /data/src/10.3/sql/sql_select.cc:19714
|
#17 0x5568ab7b9497 in do_select /data/src/10.3/sql/sql_select.cc:19254
|
#18 0x5568ab74d216 in JOIN::exec_inner() /data/src/10.3/sql/sql_select.cc:4116
|
#19 0x5568ab74ab93 in JOIN::exec() /data/src/10.3/sql/sql_select.cc:3910
|
#20 0x5568ab74e5de in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.3/sql/sql_select.cc:4315
|
#21 0x5568ab7253e4 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.3/sql/sql_select.cc:370
|
#22 0x5568ab698180 in execute_sqlcom_select /data/src/10.3/sql/sql_parse.cc:6286
|
#23 0x5568ab685b31 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3812
|
#24 0x5568ab6a1e2c in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7810
|
#25 0x5568ab678e98 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1847
|
#26 0x5568ab6759ec in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1393
|
#27 0x5568aba3b494 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
|
#28 0x5568aba3ad4e in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
|
#29 0x5568ad034578 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
|
|
|
Thread T5 created by T0 here:
|
#0 0x7fbe630fa805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
|
#1 0x5568ad034969 in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1919
|
#2 0x5568ab3a4252 in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1275
|
#3 0x5568ab3bca32 in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6609
|
#4 0x5568ab3bd1c3 in create_new_thread /data/src/10.3/sql/mysqld.cc:6679
|
#5 0x5568ab3be34e in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6937
|
#6 0x5568ab3bbd44 in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6231
|
#7 0x5568ab3a2a7c in main /data/src/10.3/sql/main.cc:25
|
#8 0x7fbe62ab00b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
|
|
|
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.3/strings/ctype-simple.c:182 in my_strnncollsp_simple
|
Shadow bytes around the buggy address:
|
0x0c187fff98f0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
|
0x0c187fff9900: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
|
0x0c187fff9910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
|
0x0c187fff9920: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
|
0x0c187fff9930: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
|
=>0x0c187fff9940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
|
0x0c187fff9950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c187fff9960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c187fff9970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c187fff9980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c187fff9990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==2920715==ABORTING
|
|
10.3 6cbbd6bd non-ASAN debug |
query 'SELECT GROUP_CONCAT(f ORDER BY 1) FROM t1' failed: 1259: ZLIB: Input data corrupted
|
Reproducible on 10.3-10.5 with at least InnoDB and MyISAM.
Non-debug build doesn't complain.
| Component/s | Server [ 13907 ] |
| Fix Version/s | 10.5 [ 23123 ] | |
| Affects Version/s | 10.5 [ 23123 ] |
Very fancy-looking stack with the exact same test case, different charset/collation:
CREATE TABLE t1 (f TEXT COMPRESSED) CHARACTER SET utf8mb4 COLLATE utf8mb4_hungarian_ci; |
INSERT INTO t1 VALUES ('foo'),(REPEAT('a',55000)); |
SELECT GROUP_CONCAT(f ORDER BY 1) FROM t1; |
|
# Cleanup
|
DROP TABLE t1; |
|
10.4 542d769e |
==1957001==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000042910 at pc 0x55a829faa476 bp 0x7fd62bb9c310 sp 0x7fd62bb9c300
|
READ of size 1 at 0x60d000042910 thread T5
|
#0 0x55a829faa475 in my_uca_scanner_next_no_contractions_utf8mb4 /data/src/10.4/strings/ctype-uca.ic:60
|
#1 0x55a829fab3fa in my_uca_strnncollsp_onelevel_no_contractions_utf8mb4 /data/src/10.4/strings/ctype-uca.ic:306
|
#2 0x55a829fab619 in my_uca_strnncollsp_no_contractions_utf8mb4 /data/src/10.4/strings/ctype-uca.ic:352
|
#3 0x55a828add708 in Field_blob::cmp(unsigned char const*, unsigned int, unsigned char const*, unsigned int) /data/src/10.4/sql/field.cc:8632
|
#4 0x55a828adda11 in Field_blob::cmp(unsigned char const*, unsigned char const*) /data/src/10.4/sql/field.cc:8643
|
#5 0x55a828db9d98 in group_concat_key_cmp_with_order /data/src/10.4/sql/item_sum.cc:3599
|
#6 0x55a829f109a7 in tree_insert /data/src/10.4/mysys/tree.c:249
|
#7 0x55a828dbee48 in Item_func_group_concat::add() /data/src/10.4/sql/item_sum.cc:4034
|
#8 0x55a828dc3fe7 in Aggregator_simple::add() /data/src/10.4/sql/item_sum.h:716
|
#9 0x55a8284bec4d in Item_sum::aggregator_add() /data/src/10.4/sql/item_sum.h:558
|
#10 0x55a82849d3e5 in update_sum_func /data/src/10.4/sql/sql_select.cc:25468
|
#11 0x55a828481e5a in end_send_group(JOIN*, st_join_table*, bool) /data/src/10.4/sql/sql_select.cc:21807
|
#12 0x55a828477f77 in evaluate_join_record /data/src/10.4/sql/sql_select.cc:20625
|
#13 0x55a828476fa3 in sub_select(JOIN*, st_join_table*, bool) /data/src/10.4/sql/sql_select.cc:20444
|
#14 0x55a828474ae7 in do_select /data/src/10.4/sql/sql_select.cc:19943
|
#15 0x55a82840482c in JOIN::exec_inner() /data/src/10.4/sql/sql_select.cc:4486
|
#16 0x55a828401e39 in JOIN::exec() /data/src/10.4/sql/sql_select.cc:4268
|
#17 0x55a828405fac in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4703
|
#18 0x55a8283d7475 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:410
|
#19 0x55a828346faa in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6417
|
#20 0x55a828334741 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3936
|
#21 0x55a828350442 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7958
|
#22 0x55a828327033 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1855
|
#23 0x55a828323ae2 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1373
|
#24 0x55a828715eb1 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412
|
#25 0x55a828715755 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
|
#26 0x55a829dcf9bc in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
|
#27 0x7fd635bdc608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
|
#28 0x7fd635445292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
|
|
|
0x60d000042910 is located 112 bytes inside of 132-byte region [0x60d0000428a0,0x60d000042924)
|
freed by thread T5 here:
|
#0 0x7fd635dd27cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
|
#1 0x55a829f1f176 in free_memory /data/src/10.4/mysys/safemalloc.c:279
|
#2 0x55a829f1e732 in sf_free /data/src/10.4/mysys/safemalloc.c:197
|
#3 0x55a829eeca1d in my_free /data/src/10.4/mysys/my_malloc.c:222
|
#4 0x55a828051933 in Binary_string::free() /data/src/10.4/sql/sql_string.h:610
|
#5 0x55a82855b2a2 in Binary_string::real_alloc(unsigned long) /data/src/10.4/sql/sql_string.cc:43
|
#6 0x55a828076a2b in Binary_string::alloc(unsigned long) /data/src/10.4/sql/sql_string.h:619
|
#7 0x55a828ae0ba1 in Field_blob_compressed::store(char const*, unsigned long, charset_info_st const*) /data/src/10.4/sql/field.cc:9011
|
#8 0x55a828b12346 in do_save_blob /data/src/10.4/sql/field_conv.cc:359
|
#9 0x55a828b112ca in do_copy_null /data/src/10.4/sql/field_conv.cc:246
|
#10 0x55a82849a27b in copy_fields(TMP_TABLE_PARAM*) /data/src/10.4/sql/sql_select.cc:25086
|
#11 0x55a828dbe37d in Item_func_group_concat::add() /data/src/10.4/sql/item_sum.cc:3990
|
#12 0x55a828dc3fe7 in Aggregator_simple::add() /data/src/10.4/sql/item_sum.h:716
|
#13 0x55a8284bec4d in Item_sum::aggregator_add() /data/src/10.4/sql/item_sum.h:558
|
#14 0x55a82849d3e5 in update_sum_func /data/src/10.4/sql/sql_select.cc:25468
|
#15 0x55a828481e5a in end_send_group(JOIN*, st_join_table*, bool) /data/src/10.4/sql/sql_select.cc:21807
|
#16 0x55a828477f77 in evaluate_join_record /data/src/10.4/sql/sql_select.cc:20625
|
#17 0x55a828476fa3 in sub_select(JOIN*, st_join_table*, bool) /data/src/10.4/sql/sql_select.cc:20444
|
#18 0x55a828474ae7 in do_select /data/src/10.4/sql/sql_select.cc:19943
|
#19 0x55a82840482c in JOIN::exec_inner() /data/src/10.4/sql/sql_select.cc:4486
|
#20 0x55a828401e39 in JOIN::exec() /data/src/10.4/sql/sql_select.cc:4268
|
#21 0x55a828405fac in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4703
|
#22 0x55a8283d7475 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:410
|
#23 0x55a828346faa in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6417
|
#24 0x55a828334741 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3936
|
#25 0x55a828350442 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7958
|
#26 0x55a828327033 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1855
|
#27 0x55a828323ae2 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1373
|
#28 0x55a828715eb1 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412
|
#29 0x55a828715755 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
|
|
|
previously allocated by thread T5 here:
|
#0 0x7fd635dd2bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
|
#1 0x55a829f1e0e6 in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
|
#2 0x55a829eebf26 in my_malloc /data/src/10.4/mysys/my_malloc.c:101
|
#3 0x55a82855b301 in Binary_string::real_alloc(unsigned long) /data/src/10.4/sql/sql_string.cc:44
|
#4 0x55a828076a2b in Binary_string::alloc(unsigned long) /data/src/10.4/sql/sql_string.h:619
|
#5 0x55a828ae0ba1 in Field_blob_compressed::store(char const*, unsigned long, charset_info_st const*) /data/src/10.4/sql/field.cc:9011
|
#6 0x55a828b12346 in do_save_blob /data/src/10.4/sql/field_conv.cc:359
|
#7 0x55a828b112ca in do_copy_null /data/src/10.4/sql/field_conv.cc:246
|
#8 0x55a82849a27b in copy_fields(TMP_TABLE_PARAM*) /data/src/10.4/sql/sql_select.cc:25086
|
#9 0x55a828dbe37d in Item_func_group_concat::add() /data/src/10.4/sql/item_sum.cc:3990
|
#10 0x55a828dc3fe7 in Aggregator_simple::add() /data/src/10.4/sql/item_sum.h:716
|
#11 0x55a8284bec4d in Item_sum::aggregator_add() /data/src/10.4/sql/item_sum.h:558
|
#12 0x55a8284be8c3 in Item_sum::reset_and_add() /data/src/10.4/sql/item_sum.h:443
|
#13 0x55a82849d32a in init_sum_functions /data/src/10.4/sql/sql_select.cc:25450
|
#14 0x55a828481c7a in end_send_group(JOIN*, st_join_table*, bool) /data/src/10.4/sql/sql_select.cc:21799
|
#15 0x55a828477f77 in evaluate_join_record /data/src/10.4/sql/sql_select.cc:20625
|
#16 0x55a82847693d in sub_select(JOIN*, st_join_table*, bool) /data/src/10.4/sql/sql_select.cc:20405
|
#17 0x55a828474ae7 in do_select /data/src/10.4/sql/sql_select.cc:19943
|
#18 0x55a82840482c in JOIN::exec_inner() /data/src/10.4/sql/sql_select.cc:4486
|
#19 0x55a828401e39 in JOIN::exec() /data/src/10.4/sql/sql_select.cc:4268
|
#20 0x55a828405fac in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4703
|
#21 0x55a8283d7475 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:410
|
#22 0x55a828346faa in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6417
|
#23 0x55a828334741 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3936
|
#24 0x55a828350442 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7958
|
#25 0x55a828327033 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1855
|
#26 0x55a828323ae2 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1373
|
#27 0x55a828715eb1 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412
|
#28 0x55a828715755 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
|
#29 0x55a829dcf9bc in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
|
|
|
Thread T5 created by T0 here:
|
#0 0x7fd635cff805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
|
#1 0x55a829dcfdad in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919
|
#2 0x55a82802cc78 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275
|
#3 0x55a828044851 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6259
|
#4 0x55a828044fec in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6329
|
#5 0x55a8280454d2 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6427
|
#6 0x55a82804636b in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6585
|
#7 0x55a828043f56 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5917
|
#8 0x55a82802abec in main /data/src/10.4/sql/main.cc:25
|
#9 0x7fd63534a0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
|
|
|
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/strings/ctype-uca.ic:60 in my_uca_scanner_next_no_contractions_utf8mb4
|
Shadow bytes around the buggy address:
|
0x0c1a800004d0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
|
0x0c1a800004e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c1a800004f0: 00 04 fa fa fa fa fa fa fa fa 00 00 00 00 00 00
|
0x0c1a80000500: 00 00 00 00 00 00 00 00 00 00 00 04 fa fa fa fa
|
0x0c1a80000510: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
|
=>0x0c1a80000520: fd fd[fd]fd fd fa fa fa fa fa fa fa fa fa fa fa
|
0x0c1a80000530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c1a80000540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c1a80000550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c1a80000560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c1a80000570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==1957001==ABORTING
|
| Workflow | MariaDB v3 [ 88261 ] | MariaDB v4 [ 144055 ] |
It can also produce wrong results when it doesn't fail with ASAN or ZLIB errors right away.
|
10.8-based development branch |
MariaDB [test]> create or replace table t (a text compressed) engine=MyISAM; |
Query OK, 0 rows affected (0.027 sec) |
|
|
MariaDB [test]> insert into t values ("''"),("'coffee'"); |
Query OK, 2 rows affected (0.000 sec) |
Records: 2 Duplicates: 0 Warnings: 0
|
|
|
MariaDB [test]> select group_concat(a order by 1) from t; |
+----------------------------+ |
| group_concat(a order by 1) | |
+----------------------------+ |
| 'c,'coffee' | |
+----------------------------+ |
1 row in set (0.000 sec) |
| Fix Version/s | 10.6 [ 24028 ] | |
| Fix Version/s | 10.7 [ 24805 ] | |
| Affects Version/s | 10.6 [ 24028 ] | |
| Affects Version/s | 10.7 [ 24805 ] |
Same failure with GIS instead of a compressed blob, I guess it belongs here and doesn't need a separate JIRA item.
CREATE TABLE t (c POLYGON); |
INSERT INTO t VALUES |
(POLYGONFromText('POLYGON((1 2,1 2))')), |
(POLYGONFromText('POLYGON((0 0,1 1,0 0))')); |
|
|
SELECT GROUP_CONCAT(c, c ORDER BY 1,2) FROM t; |
|
|
# Cleanup
|
DROP TABLE t; |
|
10.2 70555454 debug ASAN |
==909916==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f00001c670 at pc 0x00000066d3d6 bp 0x7f311c315a00 sp 0x7f311c3151a8
|
READ of size 49 at 0x60f00001c670 thread T5
|
#0 0x66d3d5 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) (/mnt8t/bld/10.2-asan/bin/mysqld+0x66d3d5)
|
#1 0x66d8ca in memcmp (/mnt8t/bld/10.2-asan/bin/mysqld+0x66d8ca)
|
#2 0x2c044ab in my_strnncoll_binary /data/src/10.2/strings/ctype-bin.c:85:12
|
#3 0x2c04537 in my_strnncollsp_binary /data/src/10.2/strings/ctype-bin.c:124:10
|
#4 0x129f461 in Field_blob::cmp(unsigned char const*, unsigned int, unsigned char const*, unsigned int) /data/src/10.2/sql/field.cc:8422:10
|
#5 0x129f744 in Field_blob::cmp(unsigned char const*, unsigned char const*) /data/src/10.2/sql/field.cc:8433:10
|
#6 0x15f6549 in group_concat_key_cmp_with_order /data/src/10.2/sql/item_sum.cc:3153:21
|
#7 0x2b87fe4 in tree_insert /data/src/10.2/mysys/tree.c:211:9
|
#8 0x15fcf15 in Item_func_group_concat::add() /data/src/10.2/sql/item_sum.cc:3575:9
|
#9 0x160470e in Aggregator_simple::add() /data/src/10.2/sql/item_sum.h:708:33
|
#10 0xc71d0e in Item_sum::aggregator_add() /data/src/10.2/sql/item_sum.h:553:47
|
#11 0xc14c8e in update_sum_func(Item_sum**) /data/src/10.2/sql/sql_select.cc:23957:15
|
#12 0xc088d1 in end_send_group(JOIN*, st_join_table*, bool) /data/src/10.2/sql/sql_select.cc:20301:7
|
#13 0xc0d5ba in evaluate_join_record(JOIN*, st_join_table*, int) /data/src/10.2/sql/sql_select.cc:19137:11
|
#14 0xc0b38d in sub_select(JOIN*, st_join_table*, bool) /data/src/10.2/sql/sql_select.cc:18949:9
|
#15 0xbbffd3 in do_select(JOIN*, Procedure*) /data/src/10.2/sql/sql_select.cc:18453:14
|
#16 0xbbc56e in JOIN::exec_inner() /data/src/10.2/sql/sql_select.cc:3651:10
|
#17 0xbb91fe in JOIN::exec() /data/src/10.2/sql/sql_select.cc:3446:3
|
#18 0xb3b6fd in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3849:9
|
#19 0xb3a384 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361:10
|
#20 0xa7d979 in execute_sqlcom_select(THD*, TABLE_LIST*) /data/src/10.2/sql/sql_parse.cc:6271:12
|
#21 0xa5ea5c in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3582:12
|
#22 0xa5207c in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7793:18
|
#23 0xa447e9 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827:7
|
#24 0xa4d4ea in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381:17
|
#25 0xf3b236 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336:11
|
#26 0xf3a903 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241:3
|
#27 0x2a09c61 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869:3
|
#28 0x7f31274eeea6 in start_thread nptl/pthread_create.c:477:8
|
#29 0x7f3126bf9dee in clone misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
|
|
|
0x60f00001c670 is located 112 bytes inside of 172-byte region [0x60f00001c600,0x60f00001c6ac)
|
freed by thread T5 here:
|
#0 0x6d05ed in free (/mnt8t/bld/10.2-asan/bin/mysqld+0x6d05ed)
|
#1 0x2ba1bad in free_memory /data/src/10.2/mysys/safemalloc.c:279:3
|
#2 0x2ba1bfd in sf_free /data/src/10.2/mysys/safemalloc.c:197:3
|
#3 0x2b54b9f in my_free /data/src/10.2/mysys/my_malloc.c:218:5
|
#4 0x73a47e in String::free() /data/src/10.2/sql/sql_string.h:351:7
|
#5 0xd161a2 in String::real_alloc(unsigned long) /data/src/10.2/sql/sql_string.cc:44:5
|
#6 0x774218 in String::alloc(unsigned long) /data/src/10.2/sql/sql_string.h:361:12
|
#7 0xd17c17 in String::copy(char const*, unsigned long, charset_info_st const*) /data/src/10.2/sql/sql_string.cc:188:7
|
#8 0x12a4b28 in Field_geom::store(char const*, unsigned int, charset_info_st const*) /data/src/10.2/sql/field.cc:8941:13
|
#9 0x12d6364 in do_save_blob(Copy_field*) /data/src/10.2/sql/field_conv.cc:358:36
|
#10 0x12d51a4 in do_copy_null(Copy_field*) /data/src/10.2/sql/field_conv.cc:245:5
|
#11 0xc149dc in copy_fields(TMP_TABLE_PARAM*) /data/src/10.2/sql/sql_select.cc:23584:5
|
#12 0x15fbfb5 in Item_func_group_concat::add() /data/src/10.2/sql/item_sum.cc:3531:3
|
#13 0x160470e in Aggregator_simple::add() /data/src/10.2/sql/item_sum.h:708:33
|
#14 0xc71d0e in Item_sum::aggregator_add() /data/src/10.2/sql/item_sum.h:553:47
|
#15 0xc14c8e in update_sum_func(Item_sum**) /data/src/10.2/sql/sql_select.cc:23957:15
|
#16 0xc088d1 in end_send_group(JOIN*, st_join_table*, bool) /data/src/10.2/sql/sql_select.cc:20301:7
|
#17 0xc0d5ba in evaluate_join_record(JOIN*, st_join_table*, int) /data/src/10.2/sql/sql_select.cc:19137:11
|
#18 0xc0b38d in sub_select(JOIN*, st_join_table*, bool) /data/src/10.2/sql/sql_select.cc:18949:9
|
#19 0xbbffd3 in do_select(JOIN*, Procedure*) /data/src/10.2/sql/sql_select.cc:18453:14
|
#20 0xbbc56e in JOIN::exec_inner() /data/src/10.2/sql/sql_select.cc:3651:10
|
#21 0xbb91fe in JOIN::exec() /data/src/10.2/sql/sql_select.cc:3446:3
|
#22 0xb3b6fd in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3849:9
|
#23 0xb3a384 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361:10
|
#24 0xa7d979 in execute_sqlcom_select(THD*, TABLE_LIST*) /data/src/10.2/sql/sql_parse.cc:6271:12
|
#25 0xa5ea5c in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3582:12
|
#26 0xa5207c in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7793:18
|
#27 0xa447e9 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827:7
|
#28 0xa4d4ea in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381:17
|
#29 0xf3b236 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336:11
|
|
|
previously allocated by thread T5 here:
|
#0 0x6d086d in malloc (/mnt8t/bld/10.2-asan/bin/mysqld+0x6d086d)
|
#1 0x2ba0b30 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118:28
|
#2 0x2b545ef in my_malloc /data/src/10.2/mysys/my_malloc.c:101:10
|
#3 0xd16212 in String::real_alloc(unsigned long) /data/src/10.2/sql/sql_string.cc:45:23
|
#4 0x774218 in String::alloc(unsigned long) /data/src/10.2/sql/sql_string.h:361:12
|
#5 0xd17c17 in String::copy(char const*, unsigned long, charset_info_st const*) /data/src/10.2/sql/sql_string.cc:188:7
|
#6 0x12a4b28 in Field_geom::store(char const*, unsigned int, charset_info_st const*) /data/src/10.2/sql/field.cc:8941:13
|
#7 0x12d6364 in do_save_blob(Copy_field*) /data/src/10.2/sql/field_conv.cc:358:36
|
#8 0x12d51a4 in do_copy_null(Copy_field*) /data/src/10.2/sql/field_conv.cc:245:5
|
#9 0xc149dc in copy_fields(TMP_TABLE_PARAM*) /data/src/10.2/sql/sql_select.cc:23584:5
|
#10 0x15fbfb5 in Item_func_group_concat::add() /data/src/10.2/sql/item_sum.cc:3531:3
|
#11 0x160470e in Aggregator_simple::add() /data/src/10.2/sql/item_sum.h:708:33
|
#12 0xc71d0e in Item_sum::aggregator_add() /data/src/10.2/sql/item_sum.h:553:47
|
#13 0xc71c64 in Item_sum::reset_and_add() /data/src/10.2/sql/item_sum.h:440:12
|
#14 0xc14b5e in init_sum_functions(Item_sum**, Item_sum**) /data/src/10.2/sql/sql_select.cc:23939:22
|
#15 0xc085fd in end_send_group(JOIN*, st_join_table*, bool) /data/src/10.2/sql/sql_select.cc:20293:11
|
#16 0xc0d5ba in evaluate_join_record(JOIN*, st_join_table*, int) /data/src/10.2/sql/sql_select.cc:19137:11
|
#17 0xc0aa76 in sub_select(JOIN*, st_join_table*, bool) /data/src/10.2/sql/sql_select.cc:18910:9
|
#18 0xbbffd3 in do_select(JOIN*, Procedure*) /data/src/10.2/sql/sql_select.cc:18453:14
|
#19 0xbbc56e in JOIN::exec_inner() /data/src/10.2/sql/sql_select.cc:3651:10
|
#20 0xbb91fe in JOIN::exec() /data/src/10.2/sql/sql_select.cc:3446:3
|
#21 0xb3b6fd in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3849:9
|
#22 0xb3a384 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361:10
|
#23 0xa7d979 in execute_sqlcom_select(THD*, TABLE_LIST*) /data/src/10.2/sql/sql_parse.cc:6271:12
|
#24 0xa5ea5c in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3582:12
|
#25 0xa5207c in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7793:18
|
#26 0xa447e9 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827:7
|
#27 0xa4d4ea in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381:17
|
#28 0xf3b236 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336:11
|
#29 0xf3a903 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241:3
|
|
|
Thread T5 created by T0 here:
|
#0 0x6bb29a in pthread_create (/mnt8t/bld/10.2-asan/bin/mysqld+0x6bb29a)
|
#1 0x2a0f119 in spawn_thread_v1(unsigned int, unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /data/src/10.2/storage/perfschema/pfs.cc:1919:15
|
#2 0x70b8ba in inline_mysql_thread_create(unsigned int, unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /data/src/10.2/include/mysql/psi/mysql_thread.h:1246:11
|
#3 0x71cb43 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6580:15
|
#4 0x71e33a in create_new_thread(CONNECT*) /data/src/10.2/sql/mysqld.cc:6650:3
|
#5 0x71c0bd in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6908:9
|
#6 0x70efb7 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6199:3
|
#7 0x702e11 in main /data/src/10.2/sql/main.cc:25:10
|
#8 0x7f3126b22d09 in __libc_start_main csu/../csu/libc-start.c:308:16
|
|
|
SUMMARY: AddressSanitizer: heap-use-after-free (/mnt8t/bld/10.2-asan/bin/mysqld+0x66d3d5) in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long)
|
Shadow bytes around the buggy address:
|
0x0c1e7fffb870: 00 00 00 00 00 00 00 00 00 00 04 fa fa fa fa fa
|
0x0c1e7fffb880: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c1e7fffb890: 00 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa
|
0x0c1e7fffb8a0: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c1e7fffb8b0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
|
=>0x0c1e7fffb8c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
|
0x0c1e7fffb8d0: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fd fd
|
0x0c1e7fffb8e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c1e7fffb8f0: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd
|
0x0c1e7fffb900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c1e7fffb910: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==909916==ABORTING
|
|
10.2 70555454 non-debug ASAN |
==910076==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600000a048 at pc 0x7fa3454a7039 bp 0x7fa33a345450 sp 0x7fa33a344c00
|
READ of size 49 at 0x60600000a048 thread T5
|
#0 0x7fa3454a7038 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:839
|
#1 0x7fa3454a7648 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:871
|
#2 0x7fa3454a7648 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:866
|
#3 0x55d8ee5633a4 in my_strnncoll_binary /data/src/10.2/strings/ctype-bin.c:85
|
#4 0x55d8ee5633a4 in my_strnncollsp_binary /data/src/10.2/strings/ctype-bin.c:124
|
#5 0x55d8ed801937 in group_concat_key_cmp_with_order /data/src/10.2/sql/item_sum.cc:3153
|
#6 0x55d8ee534788 in tree_insert /data/src/10.2/mysys/tree.c:211
|
#7 0x55d8ed820605 in Item_func_group_concat::add() /data/src/10.2/sql/item_sum.cc:3575
|
#8 0x55d8ed04d44b in Aggregator_simple::add() /data/src/10.2/sql/item_sum.h:708
|
#9 0x55d8ed04d44b in Item_sum::aggregator_add() /data/src/10.2/sql/item_sum.h:553
|
#10 0x55d8ed04d44b in update_sum_func /data/src/10.2/sql/sql_select.cc:23957
|
#11 0x55d8ed0e2ace in end_send_group(JOIN*, st_join_table*, bool) /data/src/10.2/sql/sql_select.cc:20301
|
#12 0x55d8ed0618ef in evaluate_join_record /data/src/10.2/sql/sql_select.cc:19137
|
#13 0x55d8ed0806b9 in sub_select(JOIN*, st_join_table*, bool) /data/src/10.2/sql/sql_select.cc:18949
|
#14 0x55d8ed10bd84 in do_select /data/src/10.2/sql/sql_select.cc:18453
|
#15 0x55d8ed10bd84 in JOIN::exec_inner() /data/src/10.2/sql/sql_select.cc:3651
|
#16 0x55d8ed10d179 in JOIN::exec() /data/src/10.2/sql/sql_select.cc:3446
|
#17 0x55d8ed10d573 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3849
|
#18 0x55d8ed10ff7a in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361
|
#19 0x55d8ecfb5ec7 in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6271
|
#20 0x55d8ecfdc401 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3582
|
#21 0x55d8ecfe4c67 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7793
|
#22 0x55d8ecfeb0ae in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
|
#23 0x55d8ecfeef4d in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
|
#24 0x55d8ed2d1f66 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
|
#25 0x55d8ed2d269a in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
|
#26 0x55d8ee463874 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
|
#27 0x7fa344f4eea6 in start_thread nptl/pthread_create.c:477
|
#28 0x7fa344b53dee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfddee)
|
|
|
0x60600000a048 is located 8 bytes inside of 64-byte region [0x60600000a040,0x60600000a080)
|
freed by thread T5 here:
|
#0 0x7fa3454c5b6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123
|
#1 0x55d8ed1873ce in String::free() /data/src/10.2/sql/sql_string.h:351
|
#2 0x55d8ed1873ce in String::real_alloc(unsigned long) /data/src/10.2/sql/sql_string.cc:44
|
#3 0x55d8ed187c1a in String::alloc(unsigned long) /data/src/10.2/sql/sql_string.h:361
|
#4 0x55d8ed187c1a in String::copy(char const*, unsigned long, charset_info_st const*) /data/src/10.2/sql/sql_string.cc:188
|
#5 0x55d8ed5046d4 in Field_geom::store(char const*, unsigned int, charset_info_st const*) /data/src/10.2/sql/field.cc:8941
|
#6 0x55d8ed530f98 in do_save_blob /data/src/10.2/sql/field_conv.cc:358
|
#7 0x55d8ed0cbeb6 in copy_fields(TMP_TABLE_PARAM*) /data/src/10.2/sql/sql_select.cc:23584
|
#8 0x55d8ed81fe1f in Item_func_group_concat::add() /data/src/10.2/sql/item_sum.cc:3531
|
#9 0x55d8ed04d44b in Aggregator_simple::add() /data/src/10.2/sql/item_sum.h:708
|
#10 0x55d8ed04d44b in Item_sum::aggregator_add() /data/src/10.2/sql/item_sum.h:553
|
#11 0x55d8ed04d44b in update_sum_func /data/src/10.2/sql/sql_select.cc:23957
|
#12 0x55d8ed0e2ace in end_send_group(JOIN*, st_join_table*, bool) /data/src/10.2/sql/sql_select.cc:20301
|
#13 0x55d8ed0618ef in evaluate_join_record /data/src/10.2/sql/sql_select.cc:19137
|
#14 0x55d8ed0806b9 in sub_select(JOIN*, st_join_table*, bool) /data/src/10.2/sql/sql_select.cc:18949
|
#15 0x55d8ed10bd84 in do_select /data/src/10.2/sql/sql_select.cc:18453
|
#16 0x55d8ed10bd84 in JOIN::exec_inner() /data/src/10.2/sql/sql_select.cc:3651
|
#17 0x55d8ed10d179 in JOIN::exec() /data/src/10.2/sql/sql_select.cc:3446
|
#18 0x55d8ed10d573 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3849
|
#19 0x55d8ed10ff7a in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361
|
#20 0x55d8ecfb5ec7 in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6271
|
#21 0x55d8ecfdc401 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3582
|
#22 0x55d8ecfe4c67 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7793
|
#23 0x55d8ecfeb0ae in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
|
#24 0x55d8ecfeef4d in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
|
#25 0x55d8ed2d1f66 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
|
#26 0x55d8ed2d269a in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
|
#27 0x55d8ee463874 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
|
#28 0x7fa344f4eea6 in start_thread nptl/pthread_create.c:477
|
|
|
previously allocated by thread T5 here:
|
#0 0x7fa3454c5e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
|
#1 0x55d8ee51bef2 in my_malloc /data/src/10.2/mysys/my_malloc.c:101
|
#2 0x55d8ed187323 in String::real_alloc(unsigned long) /data/src/10.2/sql/sql_string.cc:45
|
#3 0x55d8ed187c1a in String::alloc(unsigned long) /data/src/10.2/sql/sql_string.h:361
|
#4 0x55d8ed187c1a in String::copy(char const*, unsigned long, charset_info_st const*) /data/src/10.2/sql/sql_string.cc:188
|
#5 0x55d8ed5046d4 in Field_geom::store(char const*, unsigned int, charset_info_st const*) /data/src/10.2/sql/field.cc:8941
|
#6 0x55d8ed530f98 in do_save_blob /data/src/10.2/sql/field_conv.cc:358
|
#7 0x55d8ed0cbeb6 in copy_fields(TMP_TABLE_PARAM*) /data/src/10.2/sql/sql_select.cc:23584
|
#8 0x55d8ed81fe1f in Item_func_group_concat::add() /data/src/10.2/sql/item_sum.cc:3531
|
#9 0x55d8ed04d642 in Aggregator_simple::add() /data/src/10.2/sql/item_sum.h:708
|
#10 0x55d8ed04d642 in Item_sum::aggregator_add() /data/src/10.2/sql/item_sum.h:553
|
#11 0x55d8ed04d642 in Item_sum::reset_and_add() /data/src/10.2/sql/item_sum.h:440
|
#12 0x55d8ed04d642 in init_sum_functions /data/src/10.2/sql/sql_select.cc:23939
|
#13 0x55d8ed0e2f5f in end_send_group(JOIN*, st_join_table*, bool) /data/src/10.2/sql/sql_select.cc:20293
|
#14 0x55d8ed0618ef in evaluate_join_record /data/src/10.2/sql/sql_select.cc:19137
|
#15 0x55d8ed08063d in sub_select(JOIN*, st_join_table*, bool) /data/src/10.2/sql/sql_select.cc:18910
|
#16 0x55d8ed10bd84 in do_select /data/src/10.2/sql/sql_select.cc:18453
|
#17 0x55d8ed10bd84 in JOIN::exec_inner() /data/src/10.2/sql/sql_select.cc:3651
|
#18 0x55d8ed10d179 in JOIN::exec() /data/src/10.2/sql/sql_select.cc:3446
|
#19 0x55d8ed10d573 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3849
|
#20 0x55d8ed10ff7a in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361
|
#21 0x55d8ecfb5ec7 in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6271
|
#22 0x55d8ecfdc401 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3582
|
#23 0x55d8ecfe4c67 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7793
|
#24 0x55d8ecfeb0ae in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
|
#25 0x55d8ecfeef4d in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
|
#26 0x55d8ed2d1f66 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
|
#27 0x55d8ed2d269a in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
|
#28 0x55d8ee463874 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
|
#29 0x7fa344f4eea6 in start_thread nptl/pthread_create.c:477
|
|
|
Thread T5 created by T0 here:
|
#0 0x7fa3454712a2 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:214
|
#1 0x55d8ee468afa in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1919
|
#2 0x55d8ecddfeaf in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1246
|
#3 0x55d8ecddfeaf in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6580
|
#4 0x55d8ecdf024c in create_new_thread /data/src/10.2/sql/mysqld.cc:6650
|
#5 0x55d8ecdf024c in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6908
|
#6 0x55d8ecdf277f in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6199
|
#7 0x7fa344a7cd09 in __libc_start_main ../csu/libc-start.c:308
|
|
|
SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:839 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long)
|
Shadow bytes around the buggy address:
|
0x0c0c7fff93b0: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
|
0x0c0c7fff93c0: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00
|
0x0c0c7fff93d0: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
|
0x0c0c7fff93e0: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
|
0x0c0c7fff93f0: 00 00 00 00 00 00 00 fa fa fa fa fa fd fd fd fd
|
=>0x0c0c7fff9400: fd fd fd fd fa fa fa fa fd[fd]fd fd fd fd fd fd
|
0x0c0c7fff9410: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
|
0x0c0c7fff9420: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
|
0x0c0c7fff9430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c0c7fff9440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c0c7fff9450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==910076==ABORTING
|
| Affects Version/s | 10.2 [ 14601 ] | |
| Affects Version/s | 10.8 [ 26121 ] | |
| Summary | ASAN: heap-use-after-free in my_strnncoll_binary with blob compressed | ASAN: heap-use-after-free in my_strnncoll_binary with compressed or GIS columns |
| Comment |
[ The test case from the description still fails on 10.3 c168e16782fc449f61412e5af-10.5, but not on 10.6+
] |
Another one (different stack trace). Reproducible on 10.5-10.11.
CREATE TABLE t (s MULTILINESTRING, c VARBINARY(1) NOT NULL DEFAULT ''); |
|
|
INSERT INTO t VALUES |
(MULTILINESTRINGFromText('MULTILINESTRING((0.05 0.91,0.86 0.99),(0.43 0.94,0.55 0.78),(0.20 0.77,0.97 0.71),(0.67 0.12,0.40 0.43))'),'n'), |
(MULTILINESTRINGFromText('MULTILINESTRING((0.04 0.67,0.29 0.57,0.22 0.91,0.59 0.44,0.45 0.70,0.98 0.30,0.45 0.74),(0.25 0.74,0.80 0.27,0.37 0.54))'),'f'); |
|
|
SELECT GROUP_CONCAT(c,s ORDER BY 1,2) FROM t; |
|
|
# Cleanup
|
DROP TABLE t; |
|
10.5 fa0cada9 |
==3768654==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100002c798 at pc 0x7f1b635b5983 bp 0x7f1b598c78d0 sp 0x7f1b598c7080
|
READ of size 177 at 0x61100002c798 thread T5
|
#0 0x7f1b635b5982 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:806
|
#1 0x55b67981e69b in Static_binary_string::q_append(char const*, unsigned long) /data/src/10.5/sql/sql_string.h:322
|
#2 0x55b6798a8897 in Binary_string::append(char const*, unsigned long) /data/src/10.5/sql/sql_string.h:558
|
#3 0x55b6798a88df in Binary_string::append(Binary_string const&) /data/src/10.5/sql/sql_string.h:567
|
#4 0x55b6798a89ee in String::append(String const&) /data/src/10.5/sql/sql_string.h:889
|
#5 0x55b67a561f78 in dump_leaf_key /data/src/10.5/sql/item_sum.cc:3844
|
#6 0x55b67b7729a8 in tree_walk_left_root_right /data/src/10.5/mysys/tree.c:590
|
#7 0x55b67b77281d in tree_walk /data/src/10.5/mysys/tree.c:576
|
#8 0x55b67a56948c in Item_func_group_concat::val_str(String*) /data/src/10.5/sql/item_sum.cc:4443
|
#9 0x55b67a09c6d7 in Type_handler::Item_send_str(Item*, Protocol*, st_value*) const /data/src/10.5/sql/sql_type.cc:7443
|
#10 0x55b679ecb113 in Type_handler_string_result::Item_send(Item*, Protocol*, st_value*) const /data/src/10.5/sql/sql_type.h:5451
|
#11 0x55b679826c65 in Item::send(Protocol*, st_value*) /data/src/10.5/sql/item.h:1066
|
#12 0x55b67981816d in Protocol::send_result_set_row(List<Item>*) /data/src/10.5/sql/protocol.cc:1087
|
#13 0x55b6799c23ad in select_send::send_data(List<Item>&) /data/src/10.5/sql/sql_class.cc:3128
|
#14 0x55b679c7b5a8 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /data/src/10.5/sql/sql_class.h:5399
|
#15 0x55b679c392cd in end_send_group(JOIN*, st_join_table*, bool) /data/src/10.5/sql/sql_select.cc:22327
|
#16 0x55b679c2de77 in sub_select(JOIN*, st_join_table*, bool) /data/src/10.5/sql/sql_select.cc:20911
|
#17 0x55b679c2c755 in do_select /data/src/10.5/sql/sql_select.cc:20500
|
#18 0x55b679bb967f in JOIN::exec_inner() /data/src/10.5/sql/sql_select.cc:4560
|
#19 0x55b679bb6ca0 in JOIN::exec() /data/src/10.5/sql/sql_select.cc:4340
|
#20 0x55b679bbaf93 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.5/sql/sql_select.cc:4817
|
#21 0x55b679b8c65e in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.5/sql/sql_select.cc:444
|
#22 0x55b679af843c in execute_sqlcom_select /data/src/10.5/sql/sql_parse.cc:6315
|
#23 0x55b679ae7436 in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:4006
|
#24 0x55b679b03201 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.5/sql/sql_parse.cc:8087
|
#25 0x55b679ad98cb in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5/sql/sql_parse.cc:1891
|
#26 0x55b679ad62e8 in do_command(THD*) /data/src/10.5/sql/sql_parse.cc:1375
|
#27 0x55b679f11dcc in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1416
|
#28 0x55b679f11769 in handle_one_connection /data/src/10.5/sql/sql_connect.cc:1318
|
#29 0x55b67ab3662d in pfs_spawn_thread /data/src/10.5/storage/perfschema/pfs.cc:2201
|
#30 0x7f1b63090ea6 in start_thread nptl/pthread_create.c:477
|
#31 0x7f1b62c7daee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfcaee)
|
|
|
0x61100002c798 is located 24 bytes inside of 208-byte region [0x61100002c780,0x61100002c850)
|
freed by thread T5 here:
|
#0 0x7f1b63625b6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123
|
#1 0x55b67b74d821 in my_free /data/src/10.5/mysys/my_malloc.c:211
|
#2 0x55b6797f937f in Binary_string::free() /data/src/10.5/sql/sql_string.h:641
|
#3 0x55b679d3c1c8 in Binary_string::real_alloc(unsigned long) /data/src/10.5/sql/sql_string.cc:43
|
#4 0x55b67981f04d in Binary_string::alloc(unsigned long) /data/src/10.5/sql/sql_string.h:650
|
#5 0x55b679d3d81b in Binary_string::copy(char const*, unsigned long) /data/src/10.5/sql/sql_string.cc:260
|
#6 0x55b6797f952f in String::copy(char const*, unsigned long, charset_info_st const*) /data/src/10.5/sql/sql_string.h:844
|
#7 0x55b67a0d8dad in Field_geom::store(char const*, unsigned long, charset_info_st const*) /data/src/10.5/sql/sql_type_geom.cc:889
|
#8 0x55b67a2aa515 in do_save_blob /data/src/10.5/sql/field_conv.cc:359
|
#9 0x55b67a2a94cf in do_copy_null /data/src/10.5/sql/field_conv.cc:246
|
#10 0x55b679c5187c in copy_fields(TMP_TABLE_PARAM*) /data/src/10.5/sql/sql_select.cc:25690
|
#11 0x55b67a56589f in Item_func_group_concat::add(bool) /data/src/10.5/sql/item_sum.cc:4142
|
#12 0x55b67a5706fe in Item_func_group_concat::add() /data/src/10.5/sql/item_sum.h:1976
|
#13 0x55b67a56b693 in Aggregator_simple::add() /data/src/10.5/sql/item_sum.h:718
|
#14 0x55b679c77865 in Item_sum::aggregator_add() (/mnt8t/bld/10.5-asan-nightly/bin/mariadbd+0x1c0d865)
|
#15 0x55b679c54706 in update_sum_func /data/src/10.5/sql/sql_select.cc:26071
|
#16 0x55b679c39b50 in end_send_group(JOIN*, st_join_table*, bool) /data/src/10.5/sql/sql_select.cc:22394
|
#17 0x55b679c2fd9f in evaluate_join_record /data/src/10.5/sql/sql_select.cc:21196
|
#18 0x55b679c2ed04 in sub_select(JOIN*, st_join_table*, bool) /data/src/10.5/sql/sql_select.cc:21005
|
#19 0x55b679c2c64f in do_select /data/src/10.5/sql/sql_select.cc:20498
|
#20 0x55b679bb967f in JOIN::exec_inner() /data/src/10.5/sql/sql_select.cc:4560
|
#21 0x55b679bb6ca0 in JOIN::exec() /data/src/10.5/sql/sql_select.cc:4340
|
#22 0x55b679bbaf93 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.5/sql/sql_select.cc:4817
|
#23 0x55b679b8c65e in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.5/sql/sql_select.cc:444
|
#24 0x55b679af843c in execute_sqlcom_select /data/src/10.5/sql/sql_parse.cc:6315
|
#25 0x55b679ae7436 in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:4006
|
#26 0x55b679b03201 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.5/sql/sql_parse.cc:8087
|
#27 0x55b679ad98cb in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5/sql/sql_parse.cc:1891
|
#28 0x55b679ad62e8 in do_command(THD*) /data/src/10.5/sql/sql_parse.cc:1375
|
#29 0x55b679f11dcc in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1416
|
|
|
previously allocated by thread T5 here:
|
#0 0x7f1b63625e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
|
#1 0x55b67b74ca46 in my_malloc /data/src/10.5/mysys/my_malloc.c:90
|
#2 0x55b679d3c229 in Binary_string::real_alloc(unsigned long) /data/src/10.5/sql/sql_string.cc:44
|
#3 0x55b67981f04d in Binary_string::alloc(unsigned long) /data/src/10.5/sql/sql_string.h:650
|
#4 0x55b679d3d81b in Binary_string::copy(char const*, unsigned long) /data/src/10.5/sql/sql_string.cc:260
|
#5 0x55b6797f952f in String::copy(char const*, unsigned long, charset_info_st const*) /data/src/10.5/sql/sql_string.h:844
|
#6 0x55b67a0d8dad in Field_geom::store(char const*, unsigned long, charset_info_st const*) /data/src/10.5/sql/sql_type_geom.cc:889
|
#7 0x55b67a2aa515 in do_save_blob /data/src/10.5/sql/field_conv.cc:359
|
#8 0x55b67a2a94cf in do_copy_null /data/src/10.5/sql/field_conv.cc:246
|
#9 0x55b679c5187c in copy_fields(TMP_TABLE_PARAM*) /data/src/10.5/sql/sql_select.cc:25690
|
#10 0x55b67a56589f in Item_func_group_concat::add(bool) /data/src/10.5/sql/item_sum.cc:4142
|
#11 0x55b67a5706fe in Item_func_group_concat::add() /data/src/10.5/sql/item_sum.h:1976
|
#12 0x55b67a56b693 in Aggregator_simple::add() /data/src/10.5/sql/item_sum.h:718
|
#13 0x55b679c77865 in Item_sum::aggregator_add() (/mnt8t/bld/10.5-asan-nightly/bin/mariadbd+0x1c0d865)
|
#14 0x55b679c774f3 in Item_sum::reset_and_add() /data/src/10.5/sql/item_sum.h:445
|
#15 0x55b679c5464f in init_sum_functions /data/src/10.5/sql/sql_select.cc:26053
|
#16 0x55b679c3997c in end_send_group(JOIN*, st_join_table*, bool) /data/src/10.5/sql/sql_select.cc:22386
|
#17 0x55b679c2fd9f in evaluate_join_record /data/src/10.5/sql/sql_select.cc:21196
|
#18 0x55b679c2e694 in sub_select(JOIN*, st_join_table*, bool) /data/src/10.5/sql/sql_select.cc:20966
|
#19 0x55b679c2c64f in do_select /data/src/10.5/sql/sql_select.cc:20498
|
#20 0x55b679bb967f in JOIN::exec_inner() /data/src/10.5/sql/sql_select.cc:4560
|
#21 0x55b679bb6ca0 in JOIN::exec() /data/src/10.5/sql/sql_select.cc:4340
|
#22 0x55b679bbaf93 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.5/sql/sql_select.cc:4817
|
#23 0x55b679b8c65e in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.5/sql/sql_select.cc:444
|
#24 0x55b679af843c in execute_sqlcom_select /data/src/10.5/sql/sql_parse.cc:6315
|
#25 0x55b679ae7436 in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:4006
|
#26 0x55b679b03201 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.5/sql/sql_parse.cc:8087
|
#27 0x55b679ad98cb in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5/sql/sql_parse.cc:1891
|
#28 0x55b679ad62e8 in do_command(THD*) /data/src/10.5/sql/sql_parse.cc:1375
|
#29 0x55b679f11dcc in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1416
|
|
|
Thread T5 created by T0 here:
|
#0 0x7f1b635d12a2 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:214
|
#1 0x55b67ab3238e in my_thread_create /data/src/10.5/storage/perfschema/my_thread.h:52
|
#2 0x55b67ab36a1c in pfs_spawn_thread_v1 /data/src/10.5/storage/perfschema/pfs.cc:2252
|
#3 0x55b6797d6d54 in inline_mysql_thread_create /data/src/10.5/include/mysql/psi/mysql_thread.h:1323
|
#4 0x55b6797ec965 in create_thread_to_handle_connection(CONNECT*) /data/src/10.5/sql/mysqld.cc:6058
|
#5 0x55b6797ecfae in create_new_thread(CONNECT*) /data/src/10.5/sql/mysqld.cc:6117
|
#6 0x55b6797ed2e0 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.5/sql/mysqld.cc:6182
|
#7 0x55b6797edeb5 in handle_connections_sockets() /data/src/10.5/sql/mysqld.cc:6309
|
#8 0x55b6797ec1d4 in mysqld_main(int, char**) /data/src/10.5/sql/mysqld.cc:5704
|
#9 0x55b6797d58f4 in main /data/src/10.5/sql/main.cc:25
|
#10 0x7f1b62ba4d09 in __libc_start_main ../csu/libc-start.c:308
|
|
|
SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:806 in __interceptor_memcpy
|
Shadow bytes around the buggy address:
|
0x0c227fffd8a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c227fffd8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
|
0x0c227fffd8c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
|
0x0c227fffd8d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c227fffd8e0: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
=>0x0c227fffd8f0: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c227fffd900: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
|
0x0c227fffd910: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
|
0x0c227fffd920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c227fffd930: 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c227fffd940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==3768654==ABORTING
|
221008 15:34:41 [ERROR] mysqld got signal 6 ;
|
This could be because you hit a bug. It is also possible that this binary
|
or one of the libraries it was linked against is corrupt, improperly built,
|
or misconfigured. This error can also be caused by malfunctioning hardware.
|
|
|
To report this bug, see https://mariadb.com/kb/en/reporting-bugs
|
|
|
We will try our best to scrape up some info that will hopefully help
|
diagnose the problem, but since we have already crashed,
|
something is definitely wrong and this may fail.
|
|
|
Server version: 10.5.18-MariaDB-debug-log
|
key_buffer_size=1048576
|
read_buffer_size=131072
|
max_used_connections=1
|
max_threads=153
|
thread_count=1
|
It is possible that mysqld could use up to
|
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 63761 K bytes of memory
|
Hope that's ok; if not, decrease some variables in the equation.
|
|
|
Thread pointer: 0x62b000069218
|
Attempting backtrace. You can use the following information to find out
|
where mysqld died. If you see no messages after this, something went
|
terribly wrong...
|
stack_bottom = 0x7f1b598cac70 thread_stack 0x100000
|
sanitizer_common/sanitizer_common_interceptors.inc:4101(__interceptor_backtrace.part.0)[0x7f1b635bfdf1]
|
mysys/stacktrace.c:212(my_print_stacktrace)[0x55b67b75c6c8]
|
sql/signal_handler.cc:235(handle_fatal_signal)[0x55b67a2cce22]
|
sigaction.c:0(__restore_rt)[0x7f1b6309c140]
|
linux/raise.c:51(__GI_raise)[0x7f1b62bb9ce1]
|
stdlib/abort.c:81(__GI_abort)[0x7f1b62ba3537]
|
sanitizer_common/sanitizer_posix_libcdep.cpp:149(__sanitizer::Abort())[0x7f1b6364111b]
|
sanitizer_common/sanitizer_termination.cpp:59(__sanitizer::Die())[0x7f1b6364bce8]
|
asan/asan_report.cpp:186(__asan::ScopedInErrorReport::~ScopedInErrorReport())[0x7f1b6362e44c]
|
asan/asan_report.cpp:474(__asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool))[0x7f1b6362dd47]
|
sanitizer_common/sanitizer_common_interceptors.inc:806(memcpy)[0x7f1b635b59a5]
|
sql/sql_string.h:323(Static_binary_string::q_append(char const*, unsigned long))[0x55b67981e69c]
|
sql/sql_string.h:559(Binary_string::append(char const*, unsigned long))[0x55b6798a8898]
|
sql/sql_string.h:568(Binary_string::append(Binary_string const&))[0x55b6798a88e0]
|
sql/sql_string.h:890(String::append(String const&))[0x55b6798a89ef]
|
sql/item_sum.cc:3816(dump_leaf_key)[0x55b67a561f79]
|
mysys/tree.c:590(tree_walk_left_root_right)[0x55b67b7729a9]
|
mysys/tree.c:576(tree_walk)[0x55b67b77281e]
|
sql/item_sum.cc:4443(Item_func_group_concat::val_str(String*))[0x55b67a56948d]
|
sql/sql_type.cc:7443(Type_handler::Item_send_str(Item*, Protocol*, st_value*) const)[0x55b67a09c6d8]
|
sql/sql_type.h:5452(Type_handler_string_result::Item_send(Item*, Protocol*, st_value*) const)[0x55b679ecb114]
|
sql/item.h:1067(Item::send(Protocol*, st_value*))[0x55b679826c66]
|
sql/protocol.cc:1087(Protocol::send_result_set_row(List<Item>*))[0x55b67981816e]
|
sql/sql_class.cc:3128(select_send::send_data(List<Item>&))[0x55b6799c23ae]
|
sql/sql_class.h:5399(select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long))[0x55b679c7b5a9]
|
sql/sql_select.cc:22327(end_send_group(JOIN*, st_join_table*, bool))[0x55b679c392ce]
|
sql/sql_select.cc:20911(sub_select(JOIN*, st_join_table*, bool))[0x55b679c2de78]
|
sql/sql_select.cc:20500(do_select(JOIN*, Procedure*))[0x55b679c2c756]
|
sql/sql_select.cc:4560(JOIN::exec_inner())[0x55b679bb9680]
|
sql/sql_select.cc:4341(JOIN::exec())[0x55b679bb6ca1]
|
sql/sql_select.cc:4819(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55b679bbaf94]
|
sql/sql_select.cc:444(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55b679b8c65f]
|
sql/sql_parse.cc:6315(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55b679af843d]
|
sql/sql_parse.cc:4006(mysql_execute_command(THD*))[0x55b679ae7437]
|
sql/sql_parse.cc:8087(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55b679b03202]
|
sql/sql_parse.cc:1894(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55b679ad98cc]
|
sql/sql_parse.cc:1375(do_command(THD*))[0x55b679ad62e9]
|
sql/sql_connect.cc:1416(do_handle_one_connection(CONNECT*, bool))[0x55b679f11dcd]
|
sql/sql_connect.cc:1320(handle_one_connection)[0x55b679f1176a]
|
perfschema/pfs.cc:2203(pfs_spawn_thread)[0x55b67ab3662e]
|
nptl/pthread_create.c:478(start_thread)[0x7f1b63090ea7]
|
x86_64/clone.S:97(__GI___clone)[0x7f1b62c7daef]
|
|
|
Trying to get some variables.
|
Some pointers may be invalid and cause the dump to abort.
|
Query (0x62b000038238): SELECT GROUP_CONCAT(c,s ORDER BY 1,2) FROM t
|
|
|
Connection ID (thread ID): 4
|
Status: NOT_KILLED
|
|
|
Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off
|
|
|
The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains
|
information that should help you find out what is causing the crash.
|
Writing a core file...
|
Working directory at /dev/shm/var_auto_Fkm8/mysqld.1/data
|
Resource Limits:
|
Limit Soft Limit Hard Limit Units
|
Max cpu time unlimited unlimited seconds
|
Max file size unlimited unlimited bytes
|
Max data size unlimited unlimited bytes
|
Max stack size 8388608 unlimited bytes
|
Max core file size unlimited unlimited bytes
|
Max resident set unlimited unlimited bytes
|
Max processes 385880 385880 processes
|
Max open files 1024 1024 files
|
Max locked memory 12659543552 12659543552 bytes
|
Max address space unlimited unlimited bytes
|
Max file locks unlimited unlimited locks
|
Max pending signals 385880 385880 signals
|
Max msgqueue size 819200 819200 bytes
|
Max nice priority 0 0
|
Max realtime priority 0 0
|
Max realtime timeout unlimited unlimited us
|
Core pattern: core
|
|
|
Kernel version: Linux version 5.10.0-18-amd64 (debian-kernel@lists.debian.org) (gcc-10 (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2) #1 SMP Debian 5.10.140-1 (2022-09-02)
|
| Fix Version/s | 10.8 [ 26121 ] | |
| Fix Version/s | 10.9 [ 26905 ] | |
| Fix Version/s | 10.10 [ 27530 ] | |
| Affects Version/s | 10.9 [ 26905 ] | |
| Affects Version/s | 10.10 [ 27530 ] |
| Fix Version/s | 10.7 [ 24805 ] |
| Fix Version/s | 10.3 [ 22126 ] |
| Fix Version/s | 10.8 [ 26121 ] |
| Fix Version/s | 10.9 [ 26905 ] | |
| Fix Version/s | 10.10 [ 27530 ] |
| Fix Version/s | 10.11 [ 27614 ] | |
| Fix Version/s | 11.1 [ 28549 ] | |
| Fix Version/s | 11.2 [ 28603 ] | |
| Fix Version/s | 11.3 [ 28565 ] | |
| Fix Version/s | 11.4 [ 29301 ] | |
| Fix Version/s | 11.5 [ 29506 ] | |
| Fix Version/s | 10.4 [ 22408 ] |
| Affects Version/s | 10.11 [ 27614 ] | |
| Affects Version/s | 11.0 [ 28320 ] | |
| Affects Version/s | 11.1 [ 28549 ] | |
| Affects Version/s | 11.2 [ 28603 ] | |
| Affects Version/s | 11.3 [ 28565 ] | |
| Affects Version/s | 11.4 [ 29301 ] | |
| Affects Version/s | 11.5 [ 29506 ] |
| Link | This issue relates to MDEV-31845 [ MDEV-31845 ] |
| Assignee | Oleksandr Byelkin [ sanja ] | Alexander Barkov [ bar ] |
| Fix Version/s | 11.3 [ 28565 ] |
The bug "Input data corrupted" is still present in mariaDB 10.11.9 which makes compressed columns unusable with group_concat
| Assignee | Alexander Barkov [ bar ] | Sergei Golubchik [ serg ] |
| Status | Confirmed [ 10101 ] | In Progress [ 3 ] |
| Summary | ASAN: heap-use-after-free in my_strnncoll_binary with compressed or GIS columns | heap-use-after-free in group_concat with compressed or GIS columns |
| Status | In Progress [ 3 ] | Stalled [ 10000 ] |
| Assignee | Sergei Golubchik [ serg ] | Oleksandr Byelkin [ sanja ] |
| Status | Stalled [ 10000 ] | In Review [ 10002 ] |
| Fix Version/s | 11.1 [ 28549 ] |
| Fix Version/s | 11.5 [ 29506 ] |
| Priority | Major [ 3 ] | Critical [ 2 ] |
OK to push after discussed cheanges of union protection in debug build.
| Assignee | Oleksandr Byelkin [ sanja ] | Sergei Golubchik [ serg ] |
| Status | In Review [ 10002 ] | Stalled [ 10000 ] |
| Fix Version/s | 10.5.27 [ 29902 ] | |
| Fix Version/s | 10.6.20 [ 29903 ] | |
| Fix Version/s | 10.11.10 [ 29904 ] | |
| Fix Version/s | 11.2.6 [ 29906 ] | |
| Fix Version/s | 11.4.4 [ 29907 ] | |
| Fix Version/s | 10.5 [ 23123 ] | |
| Fix Version/s | 10.6 [ 24028 ] | |
| Fix Version/s | 10.11 [ 27614 ] | |
| Fix Version/s | 11.2 [ 28603 ] | |
| Fix Version/s | 11.4 [ 29301 ] | |
| Resolution | Fixed [ 1 ] | |
| Status | Stalled [ 10000 ] | Closed [ 6 ] |
Also on 10.4:
10.4 c568e25379600db8
#0 0x7fae663e8675 in memcmp (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x77675)#1 0x557be63069d8 in my_strnncoll_binary /10.4/strings/ctype-bin.c:85#2 0x557be6306a5b in my_strnncollsp_binary /10.4/strings/ctype-bin.c:124#3 0x557be5196a20 in Field_blob::cmp(unsigned char const*, unsigned int, unsigned char const*, unsigned int) /10.4/sql/field.cc:8385#4 0x557be5196cc8 in Field_blob::cmp_max(unsigned char const*, unsigned char const*, unsigned int) /10.4/sql/field.cc:8398#5 0x557be51bd091 in Field_blob::cmp(unsigned char const*, unsigned char const*) /10.4/sql/field.h:3855#6 0x557be54224bc in group_concat_key_cmp_with_order /10.4/sql/item_sum.cc:3516#7 0x557be62b4dec in tree_insert /10.4/mysys/tree.c:250#8 0x557be54261ca in Item_func_group_concat::add() /10.4/sql/item_sum.cc:3871#9 0x557be542a667 in Aggregator_simple::add() /10.4/sql/item_sum.h:715#10 0x557be4bd7fcb in Item_sum::aggregator_add() /10.4/sql/item_sum.h:558#11 0x557be4bbaffc in update_sum_func /10.4/sql/sql_select.cc:24658#12 0x557be4ba37a6 in end_send_group(JOIN*, st_join_table*, bool) /10.4/sql/sql_select.cc:21096#13 0x557be4b9a2b3 in evaluate_join_record /10.4/sql/sql_select.cc:19919#14 0x557be4bd1fee in AGGR_OP::end_send() /10.4/sql/sql_select.cc:27900#15 0x557be4b98088 in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /10.4/sql/sql_select.cc:19415#16 0x557be4b987e4 in sub_select(JOIN*, st_join_table*, bool) /10.4/sql/sql_select.cc:19650#17 0x557be4b98348 in sub_select_cache(JOIN*, st_join_table*, bool) /10.4/sql/sql_select.cc:19482#18 0x557be4b987e4 in sub_select(JOIN*, st_join_table*, bool) /10.4/sql/sql_select.cc:19650#19 0x557be4b97458 in do_select /10.4/sql/sql_select.cc:19241#20 0x557be4b33fe1 in JOIN::exec_inner() /10.4/sql/sql_select.cc:4169#21 0x557be4b3195b in JOIN::exec() /10.4/sql/sql_select.cc:3951#22 0x557be4b3539d in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.4/sql/sql_select.cc:4383#23 0x557be4b0e8a9 in handle_select(THD*, LEX*, select_result*, unsigned long) /10.4/sql/sql_select.cc:424#24 0x557be4a93820 in execute_sqlcom_select /10.4/sql/sql_parse.cc:6576#25 0x557be4a80617 in mysql_execute_command(THD*) /10.4/sql/sql_parse.cc:3813#26 0x557be4a9bd01 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/sql/sql_parse.cc:8129#27 0x557be4a748d2 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/sql/sql_parse.cc:1808#28 0x557be4a71a60 in do_command(THD*) /10.4/sql/sql_parse.cc:1358#29 0x557be4dd752b in do_handle_one_connection(CONNECT*) /10.4/sql/sql_connect.cc:1399#30 0x557be4dd6ef5 in handle_one_connection /10.4/sql/sql_connect.cc:1302#31 0x7fae651936b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)#32 0x7fae6442441c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)