Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Duplicate
-
10.0(EOL), 10.1(EOL), 10.2(EOL), 10.3(EOL)
-
None
Description
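--source include/have_innodb.inc

-- Reproducer (mysql-test/MTR script; the first line is an MTR include, not SQL).
-- Outcome shown in the reports below: on 10.0 (ASan build) a 1-byte heap WRITE
-- in TABLE::create_key_part_by_field(), reached from create_hj_key_for_table()
-- while the optimizer builds the hash-join key, landing 5 bytes BEFORE a 56-byte
-- heap region (left-redzone underflow, not a past-the-end overflow); on 10.2 the
-- same query dies with SIGSEGV in key_copy() called from
-- JOIN_CACHE_BNLH::get_matching_chain_by_join_key().
-- Impact: a plain SELECT over user-created tables takes the server down, i.e. a
-- memory-safety bug reachable from ordinary query traffic.
-- Closed as a duplicate of MDEV-16603 (same crash with join_cache_level=4).

-- The 10.2 trace shows the BNLH (hashed block-nested-loop) join cache in use at
-- this level.
SET SESSION JOIN_CACHE_LEVEL = 3;

-- Secondary key (v1,i1) on the outer table; presumably relevant to how the
-- hash-join key part is derived -- confirm against create_hj_key_for_table().
CREATE TABLE t1 (pk int PRIMARY KEY, i1 int, v1 varchar(1), KEY v1 (v1,i1)) ENGINE=InnoDB ;
INSERT INTO t1 VALUES (14,226,'m'),(3,1,'o'),(15,133,'p');

-- Every t2 row has i2 = 3, which matches exactly one t1.pk, so the outer join
-- produces three rows, two of them identical.
CREATE TABLE t2 (i2 int, v2 varchar(1)) ENGINE=InnoDB ;
INSERT INTO t2 VALUES (3,'v'),(3,'f'),(3,'v');

CREATE TABLE t3 (v2 varchar(1)) ENGINE=InnoDB;
INSERT INTO t3 VALUES ('p');

-- t1 is referenced both in the outer join and inside the IN-subquery; the
-- subquery's own join (t3 JOIN t1) is what the join cache is processing when
-- it crashes. The trailing t1.v1 != 'a' filter is part of the original repro;
-- it is not known from this report whether it is required.
SELECT t1.i1, t1.v1
FROM t1 JOIN t2 ON (t2.i2 = t1.pk)
WHERE (t2.v2 IN (SELECT t1.v1 FROM (t3 JOIN t1 ON (t1.v1 = t3.v2)))) AND (t1.v1 != 'a');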
On 10.0 (ASan build, server log):
|
|
Version: '10.0.36-MariaDB-debug' socket: '/home/alice/git/10.0/mysql-test/var/tmp/mysqld.1.sock' port: 16000 Source distribution
|
=================================================================
|
==581==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060000458bb at pc 0x0000008cb882 bp 0x7f2af68983e0 sp 0x7f2af68983d0
|
WRITE of size 1 at 0x6060000458bb thread T21
|
#0 0x8cb881 in TABLE::create_key_part_by_field(st_key_part_info*, Field*, unsigned int) /home/alice/git/10.0/sql/table.cc:6125
|
#1 0x738d9d in create_hj_key_for_table /home/alice/git/10.0/sql/sql_select.cc:8787
|
#2 0x738d9d in create_ref_for_key /home/alice/git/10.0/sql/sql_select.cc:8852
|
#3 0x73eed3 in get_best_combination(JOIN*) /home/alice/git/10.0/sql/sql_select.cc:8656
|
#4 0x7b10c4 in make_join_statistics /home/alice/git/10.0/sql/sql_select.cc:4103
|
#5 0x7b10c4 in JOIN::optimize_inner() /home/alice/git/10.0/sql/sql_select.cc:1365
|
#6 0x7b163d in JOIN::optimize() /home/alice/git/10.0/sql/sql_select.cc:1041
|
#7 0x7b3848 in mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/alice/git/10.0/sql/sql_select.cc:3327
|
#8 0x7b404d in handle_select(THD*, LEX*, select_result*, unsigned long) /home/alice/git/10.0/sql/sql_select.cc:377
|
#9 0x69d8f4 in execute_sqlcom_select /home/alice/git/10.0/sql/sql_parse.cc:5298
|
#10 0x6b5d28 in mysql_execute_command(THD*) /home/alice/git/10.0/sql/sql_parse.cc:2554
|
#11 0x6cb5f2 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/alice/git/10.0/sql/sql_parse.cc:6634
|
#12 0x6cec7e in dispatch_command(enum_server_command, THD*, char*, unsigned int) /home/alice/git/10.0/sql/sql_parse.cc:1297
|
#13 0x6d34ae in do_command(THD*) /home/alice/git/10.0/sql/sql_parse.cc:1000
|
#14 0x948dc3 in do_handle_one_connection(THD*) /home/alice/git/10.0/sql/sql_connect.cc:1377
|
#15 0x949032 in handle_one_connection /home/alice/git/10.0/sql/sql_connect.cc:1292
|
#16 0x173cb53 in pfs_spawn_thread /home/alice/git/10.0/storage/perfschema/pfs.cc:1861
|
#17 0x7f2b099ea6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
|
#18 0x7f2b0909541c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
|
|
0x6060000458bb is located 5 bytes to the left of 56-byte region [0x6060000458c0,0x6060000458f8)
|
allocated by thread T21 here:
|
#0 0x7f2b0a4f0602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
|
#1 0x17f37fb in my_malloc /home/alice/git/10.0/mysys/my_malloc.c:100
|
#2 0x195782a (/home/alice/git/10.0/sql/mysqld+0x195782a)
|
|
Thread T21 created by T0 here:
|
#0 0x7f2b0a48e253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
|
#1 0x17475b8 in spawn_thread_v1 /home/alice/git/10.0/storage/perfschema/pfs.cc:1911
|
|
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/alice/git/10.0/sql/table.cc:6125 TABLE::create_key_part_by_field(st_key_part_info*, Field*, unsigned int)
|
Shadow bytes around the buggy address:
|
0x0c0c80000ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c0c80000ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c0c80000ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c0c80000af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c0c80000b00: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 00
|
=>0x0c0c80000b10: 00 00 00 00 fa fa fa[fa]00 00 00 00 00 00 00 fa
|
0x0c0c80000b20: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
|
0x0c0c80000b30: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
|
0x0c0c80000b40: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
|
0x0c0c80000b50: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
|
0x0c0c80000b60: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Heap right redzone: fb
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack partial redzone: f4
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
==581==ABORTING
|
----------SERVER LOG END-------------
|
Stack trace on 10.2 at 1cc1d0429da14a04:
|
Thread 1 (Thread 0x7f79300fc700 (LWP 15884)):
|
#0 __pthread_kill (threadid=<optimized out>, signo=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:62
|
#1 0x000055bf23650789 in my_write_core (sig=11) at /home/alice/git/10.2/mysys/stacktrace.c:477
|
#2 0x000055bf22ee8eed in handle_fatal_signal (sig=11) at /home/alice/git/10.2/sql/signal_handler.cc:305
|
#3 <signal handler called>
|
#4 0x000055bf22fe2a7b in key_copy (to_key=0x7f78e004b4b5 "", from_record=0x7f78e0130f58 "\374\003", key_info=0x7f78e0046038, key_length=4, with_zerofill=true) at /home/alice/git/10.2/sql/key.cc:158
|
#5 0x000055bf22e07707 in JOIN_CACHE_BNLH::get_matching_chain_by_join_key (this=0x7f78e004b010) at /home/alice/git/10.2/sql/sql_join_cache.cc:3645
|
#6 0x000055bf22e07798 in JOIN_CACHE_BNLH::prepare_look_for_matches (this=0x7f78e004b010, skip_last=false) at /home/alice/git/10.2/sql/sql_join_cache.cc:3682
|
#7 0x000055bf22e05748 in JOIN_CACHE::join_matching_records (this=0x7f78e004b010, skip_last=false) at /home/alice/git/10.2/sql/sql_join_cache.cc:2273
|
#8 0x000055bf22e051c2 in JOIN_CACHE::join_records (this=0x7f78e004b010, skip_last=false) at /home/alice/git/10.2/sql/sql_join_cache.cc:2087
|
#9 0x000055bf22ce55a3 in sub_select_cache (join=0x7f78e0017210, join_tab=0x7f78e0044c28, end_of_records=true) at /home/alice/git/10.2/sql/sql_select.cc:18502
|
#10 0x000055bf22ce57b3 in sub_select (join=0x7f78e0017210, join_tab=0x7f78e0044878, end_of_records=true) at /home/alice/git/10.2/sql/sql_select.cc:18674
|
#11 0x000055bf22ce55cf in sub_select_cache (join=0x7f78e0017210, join_tab=0x7f78e0044878, end_of_records=true) at /home/alice/git/10.2/sql/sql_select.cc:18505
|
#12 0x000055bf22ce57b3 in sub_select (join=0x7f78e0017210, join_tab=0x7f78e00444c8, end_of_records=true) at /home/alice/git/10.2/sql/sql_select.cc:18674
|
#13 0x000055bf22ce4fcb in do_select (join=0x7f78e0017210, procedure=0x0) at /home/alice/git/10.2/sql/sql_select.cc:18269
|
#14 0x000055bf22cbfae7 in JOIN::exec_inner (this=0x7f78e0017210) at /home/alice/git/10.2/sql/sql_select.cc:3595
|
#15 0x000055bf22cbef96 in JOIN::exec (this=0x7f78e0017210) at /home/alice/git/10.2/sql/sql_select.cc:3390
|
#16 0x000055bf22cc0158 in mysql_select (thd=0x7f78e0000b00, tables=0x7f78e0012870, wild_num=0, fields=..., conds=0x7f78e0016fd8, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f78e00171f0, unit=0x7f78e00046d8, select_lex=0x7f78e0004e10) at /home/alice/git/10.2/sql/sql_select.cc:3790
|
#17 0x000055bf22cb4674 in handle_select (thd=0x7f78e0000b00, lex=0x7f78e0004610, result=0x7f78e00171f0, setup_tables_done_option=0) at /home/alice/git/10.2/sql/sql_select.cc:376
|
#18 0x000055bf22c7fe58 in execute_sqlcom_select (thd=0x7f78e0000b00, all_tables=0x7f78e0012870) at /home/alice/git/10.2/sql/sql_parse.cc:6474
|
#19 0x000055bf22c75b96 in mysql_execute_command (thd=0x7f78e0000b00) at /home/alice/git/10.2/sql/sql_parse.cc:3481
|
#20 0x000055bf22c83bc9 in mysql_parse (thd=0x7f78e0000b00, rawbuf=0x7f78e0012478 "SELECT t1.i1, t1.v1\nFROM t1 JOIN t2 ON (t2.i2 = t1.pk)\nWHERE (t2.v2 IN (SELECT t1.v1 FROM (t3 JOIN t1 ON (t1.v1 = t3.v2)))) AND (t1.v1 != 'a')", length=142, parser_state=0x7f79300fb200, is_com_multi=false, is_next_command=false) at /home/alice/git/10.2/sql/sql_parse.cc:7995
|
#21 0x000055bf22c71409 in dispatch_command (command=COM_QUERY, thd=0x7f78e0000b00, packet=0x7f78e00753d1 "", packet_length=142, is_com_multi=false, is_next_command=false) at /home/alice/git/10.2/sql/sql_parse.cc:1821
|
#22 0x000055bf22c6fd65 in do_command (thd=0x7f78e0000b00) at /home/alice/git/10.2/sql/sql_parse.cc:1375
|
#23 0x000055bf22dc0b77 in do_handle_one_connection (connect=0x55bf262fa800) at /home/alice/git/10.2/sql/sql_connect.cc:1335
|
#24 0x000055bf22dc08f7 in handle_one_connection (arg=0x55bf262fa800) at /home/alice/git/10.2/sql/sql_connect.cc:1241
|
#25 0x000055bf235ede6e in pfs_spawn_thread (arg=0x55bf2625e3c0) at /home/alice/git/10.2/storage/perfschema/pfs.cc:1862
|
#26 0x00007f79386d16ba in start_thread (arg=0x7f79300fc700) at pthread_create.c:333
|
#27 0x00007f7937b6641d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
|
Issue Links
- duplicates
-
MDEV-16603 Crash with set join_cache_level=4
- Closed