MariaDB Server: MDEV-17065

Crash on SHOW CREATE TABLE with CHECK CONSTRAINT

Details

    Description

      A mysqld instance apparently crashed while generating output for SHOW CREATE TABLE:

      180823 21:00:02 [ERROR] mysqld got signal 11 ;
      This could be because you hit a bug. It is also possible that this binary
      or one of the libraries it was linked against is corrupt, improperly built,
      or misconfigured. This error can also be caused by malfunctioning hardware.
       
      To report this bug, see https://mariadb.com/kb/en/reporting-bugs
       
      We will try our best to scrape up some info that will hopefully help
      diagnose the problem, but since we have already crashed, 
      something is definitely wrong and this may fail.
       
      Server version: 10.2.8-MariaDB-log
      key_buffer_size=67108864
      read_buffer_size=131072
      max_used_connections=598
      max_threads=2502
      thread_count=256
      It is possible that mysqld could use up to 
      key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 5563268 K  bytes of memory
      Hope that's ok; if not, decrease some variables in the equation.
       
      Thread pointer: 0x7f42c816ee18
      Attempting backtrace. You can use the following information to find out
      where mysqld died. If you see no messages after this, something went
      terribly wrong...
      stack_bottom = 0x7f439824bd70 thread_stack 0x40000
      (my_addr_resolve failure: fork)
      /usr/sbin/mysqld(my_print_stacktrace+0x2e) [0x562e51a3b3fe]
      /usr/sbin/mysqld(handle_fatal_signal+0x30d) [0x562e51483e0d]
      /lib64/libpthread.so.0(+0xf5e0) [0x7f615ab605e0]
      /usr/sbin/mysqld(Item_ident::print(String*, enum_query_type)+0x50) [0x562e51498dd0]
      /usr/sbin/mysqld(Item_func::print_op(String*, enum_query_type)+0xaf) [0x562e514ece3f]
      /usr/sbin/mysqld(show_create_table(THD*, TABLE_LIST*, String*, Table_specification_st*, enum_with_db_name)+0xe79) [0x562e51328ad9]
      /usr/sbin/mysqld(mysqld_show_create_get_fields(THD*, TABLE_LIST*, List<Item>*, String*)+0x51c) [0x562e513296dc]
      /usr/sbin/mysqld(mysqld_show_create(THD*, TABLE_LIST*)+0xc3) [0x562e51329b23]
      /usr/sbin/mysqld(mysql_execute_command(THD*)+0x3a90) [0x562e512cd230]
      /usr/sbin/mysqld(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool)+0x372) [0x562e512d28f2]
      /usr/sbin/mysqld(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool)+0x2790) [0x562e512d5fa0]
      /usr/sbin/mysqld(do_command(THD*)+0x15d) [0x562e512d6bcd]
      /usr/sbin/mysqld(do_handle_one_connection(CONNECT*)+0x1aa) [0x562e513993ca]
      /usr/sbin/mysqld(handle_one_connection+0x3d) [0x562e513994ed]
      /lib64/libpthread.so.0(+0x7e25) [0x7f615ab58e25]
      /lib64/libc.so.6(clone+0x6d) [0x7f61591ab34d]
       
      Trying to get some variables.
      Some pointers may be invalid and cause the dump to abort.
      Query (0x7f42c851da80): show create table `bnkpendinguser`
      Connection ID (thread ID): 468047
      Status: NOT_KILLED
       
      Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=on,mrr_cost_based=on,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on
       
      The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains
      information that should help you find out what is causing the crash.
      Writing a core file
      

          Activity

            elenst Elena Stepanova added a comment -

            Note: the test case is similar to MDEV-14750, but no partitions are needed here.

            CREATE TABLE long_enough_name (
            pk int(11) NOT NULL,
            f1 int(11) DEFAULT NULL,
            f2 int(11) NOT NULL,
            f3 int(11) DEFAULT NULL,
            f4 timestamp NOT NULL DEFAULT current_timestamp(),
            f5 varchar(32) COLLATE utf8_bin NOT NULL DEFAULT 'foo',
            f6 smallint(6) NOT NULL DEFAULT 1,
            f7 int(11) DEFAULT NULL,
            PRIMARY KEY (pk),
            KEY idx1 (f7),
            KEY idx2 (f1),
            KEY idx3 (f2),
            KEY idx4 (f3),
            CONSTRAINT constr CHECK (f6 >= 0)
            );
             
            SELECT * FROM long_enough_name AS tbl;
            SHOW CREATE TABLE long_enough_name;
             
            # Cleanup
            DROP TABLE long_enough_name;
            

            10.2 ASAN 55163ba1bd

            ==15569==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00000e030 at pc 0x55f0e7bf45cc bp 0x7f2134dfdc30 sp 0x7f2134dfdc28
            READ of size 1 at 0x60c00000e030 thread T5
                #0 0x55f0e7bf45cb in Item_ident::print(String*, enum_query_type) /data/src/10.2/sql/item.cc:2708
                #1 0x55f0e7c17209 in Item_field::print(String*, enum_query_type) /data/src/10.2/sql/item.cc:7410
                #2 0x55f0e7be4250 in Item::print_parenthesised(String*, enum_query_type, precedence) /data/src/10.2/sql/item.cc:585
                #3 0x55f0e7cc8f72 in Item_func::print_op(String*, enum_query_type) /data/src/10.2/sql/item_func.cc:480
                #4 0x55f0e7c8bda6 in Item_bool_rowready_func2::print(String*, enum_query_type) /data/src/10.2/sql/item_cmpfunc.h:490
                #5 0x55f0e7be4250 in Item::print_parenthesised(String*, enum_query_type, precedence) /data/src/10.2/sql/item.cc:585
                #6 0x55f0e778716d in Item::print_for_table_def(String*) /data/src/10.2/sql/item.h:1319
                #7 0x55f0e77879cf in Virtual_column_info::print(String*) /data/src/10.2/sql/item.h:6052
                #8 0x55f0e773d216 in show_create_table(THD*, TABLE_LIST*, String*, Table_specification_st*, enum_with_db_name) /data/src/10.2/sql/sql_show.cc:2130
                #9 0x55f0e7736b2d in mysqld_show_create_get_fields(THD*, TABLE_LIST*, List<Item>*, String*) /data/src/10.2/sql/sql_show.cc:1251
                #10 0x55f0e77372cd in mysqld_show_create(THD*, TABLE_LIST*) /data/src/10.2/sql/sql_show.cc:1324
                #11 0x55f0e75ce32e in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4242
                #12 0x55f0e75e6875 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:8009
                #13 0x55f0e75c1456 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1824
                #14 0x55f0e75be4fa in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1378
                #15 0x55f0e7901205 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
                #16 0x55f0e7900c1a in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
                #17 0x55f0e83120e9 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
                #18 0x7f2141284493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
                #19 0x7f213f66a93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
             
            0x60c00000e030 is located 112 bytes inside of 124-byte region [0x60c00000dfc0,0x60c00000e03c)
            freed by thread T5 here:
                #0 0x7f21414ee527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
                #1 0x55f0e8c3264d in free_memory /data/src/10.2/mysys/safemalloc.c:279
                #2 0x55f0e8c31c53 in sf_free /data/src/10.2/mysys/safemalloc.c:197
                #3 0x55f0e8c00e4c in my_free /data/src/10.2/mysys/my_malloc.c:217
                #4 0x55f0e73de23f in String::free() /data/src/10.2/sql/sql_string.h:351
                #5 0x55f0e77a19bf in String::real_alloc(unsigned long) /data/src/10.2/sql/sql_string.cc:44
                #6 0x55f0e73fff05 in String::alloc(unsigned long) /data/src/10.2/sql/sql_string.h:361
                #7 0x55f0e77a2990 in String::copy(char const*, unsigned long, charset_info_st const*) /data/src/10.2/sql/sql_string.cc:187
                #8 0x55f0e7860375 in TABLE::init(THD*, TABLE_LIST*) /data/src/10.2/sql/table.cc:4490
                #9 0x55f0e74b6612 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.2/sql/sql_base.cc:1961
                #10 0x55f0e74bc866 in open_and_process_table /data/src/10.2/sql/sql_base.cc:3445
                #11 0x55f0e74bef8e in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:3964
                #12 0x55f0e7566d8b in open_tables(THD*, TABLE_LIST**, unsigned int*, unsigned int) /data/src/10.2/sql/sql_base.h:471
                #13 0x55f0e77367cf in mysqld_show_create_get_fields(THD*, TABLE_LIST*, List<Item>*, String*) /data/src/10.2/sql/sql_show.cc:1229
                #14 0x55f0e77372cd in mysqld_show_create(THD*, TABLE_LIST*) /data/src/10.2/sql/sql_show.cc:1324
                #15 0x55f0e75ce32e in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4242
                #16 0x55f0e75e6875 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:8009
                #17 0x55f0e75c1456 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1824
                #18 0x55f0e75be4fa in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1378
                #19 0x55f0e7901205 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
                #20 0x55f0e7900c1a in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
                #21 0x55f0e83120e9 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
                #22 0x7f2141284493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
             
            previously allocated by thread T5 here:
                #0 0x7f21414ee73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
                #1 0x55f0e8c313c3 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
                #2 0x55f0e8c00584 in my_malloc /data/src/10.2/mysys/my_malloc.c:101
                #3 0x55f0e77a1a1e in String::real_alloc(unsigned long) /data/src/10.2/sql/sql_string.cc:47
                #4 0x55f0e73fff05 in String::alloc(unsigned long) /data/src/10.2/sql/sql_string.h:361
                #5 0x55f0e77a2990 in String::copy(char const*, unsigned long, charset_info_st const*) /data/src/10.2/sql/sql_string.cc:187
                #6 0x55f0e7855333 in open_table_from_share(THD*, TABLE_SHARE*, char const*, unsigned int, unsigned int, unsigned int, TABLE*, bool) /data/src/10.2/sql/table.cc:3035
                #7 0x55f0e74b616d in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.2/sql/sql_base.cc:1900
                #8 0x55f0e74bc866 in open_and_process_table /data/src/10.2/sql/sql_base.cc:3445
                #9 0x55f0e74bef8e in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:3964
                #10 0x55f0e74c2c94 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:4718
                #11 0x55f0e74a493e in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.2/sql/sql_base.h:502
                #12 0x55f0e75dd2be in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6398
                #13 0x55f0e75caa16 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3484
                #14 0x55f0e75e6875 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:8009
                #15 0x55f0e75c1456 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1824
                #16 0x55f0e75be4fa in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1378
                #17 0x55f0e7901205 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
                #18 0x55f0e7900c1a in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
                #19 0x55f0e83120e9 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
                #20 0x7f2141284493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
             
            Thread T5 created by T0 here:
                #0 0x7f21414bdbba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
                #1 0x55f0e83126b1 in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1912
                #2 0x55f0e73bb90e in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1239
                #3 0x55f0e73d086e in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6470
                #4 0x55f0e73d0f73 in create_new_thread /data/src/10.2/sql/mysqld.cc:6540
                #5 0x55f0e73d1f8a in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6815
                #6 0x55f0e73cfdc3 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6089
                #7 0x55f0e73b9caf in main /data/src/10.2/sql/main.cc:25
                #8 0x7f213f5a22b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
             
            SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.2/sql/item.cc:2708 Item_ident::print(String*, enum_query_type)
            Shadow bytes around the buggy address:
              0x0c187fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c187fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c187fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c187fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c187fff9bf0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
            =>0x0c187fff9c00: fd fd fd fd fd fd[fd]fd fa fa fa fa fa fa fa fa
              0x0c187fff9c10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c187fff9c20: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
              0x0c187fff9c30: 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa
              0x0c187fff9c40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c187fff9c50: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable:           00
              Partially addressable: 01 02 03 04 05 06 07 
              Heap left redzone:       fa
              Heap right redzone:      fb
              Freed heap region:       fd
              Stack left redzone:      f1
              Stack mid redzone:       f2
              Stack right redzone:     f3
              Stack partial redzone:   f4
              Stack after return:      f5
              Stack use after scope:   f8
              Global redzone:          f9
              Global init order:       f6
              Poisoned by user:        f7
              Contiguous container OOB:fc
              ASan internal:           fe
            ==15569==ABORTING
            

            Reproducible on current 10.2, 10.3, as well as on an old 10.2.8-based compatibility build (e.g. 15759).
            Reproducible with at least MyISAM and InnoDB.


            monty Michael Widenius added a comment -

            Problem was that the original alias was replaced with a newly allocated string, but the constraint items are still pointing to the original alias.

            Fixed by storing the original alias used when printing the constraint in the table's mem_root.
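            The lifecycle described in the comment above, replayed as an added C model. This is not MariaDB code: String, MemRoot, Table and Item below are simplified stand-ins for the server's String, MEM_ROOT, TABLE and Item_field that keep only the behaviour the ASAN report shows (the alias buffer is allocated by String::copy when the SELECT opens the table, reallocated by String::copy from TABLE::init when SHOW CREATE TABLE reuses the cached TABLE, and then read through the constraint item's stale table_name pointer in Item_ident::print). Freed buffers are quarantined and poisoned rather than returned to the heap so the stale read is detected deterministically without ASan. One point is an inference rather than something the report states: the reallocation, and so the crash, only happens when the new alias does not fit the buffer sized for the old one, because String::alloc only grows; that is presumably why the test case pairs the alias `tbl` with the name `long_enough_name`, and the second scenario in main() checks it.

```c
/* Added model of MDEV-17065, not MariaDB code. String, MemRoot, Table and
 * Item are stand-ins for String, MEM_ROOT, TABLE and Item_field. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Freed buffers are quarantined and poisoned instead of being returned to
 * the heap, so a stale read is detected deterministically (ASan's allocator
 * does the same; 0xfd mirrors its "freed heap" shadow byte). */
#define MAX_QUARANTINE 16
static char *quarantine[MAX_QUARANTINE];
static size_t quarantine_len[MAX_QUARANTINE];
static int n_quarantined;

static void poison_free(char *p, size_t len)
{
    memset(p, 0xfd, len);
    if (n_quarantined < MAX_QUARANTINE) {
        quarantine[n_quarantined] = p;
        quarantine_len[n_quarantined++] = len;
    } else {
        free(p);
    }
}

static bool points_into_quarantine(const char *p)
{
    for (int i = 0; i < n_quarantined; i++)
        if (p >= quarantine[i] && p < quarantine[i] + quarantine_len[i])
            return true;
    return false;
}

static void quarantine_flush(void)
{
    while (n_quarantined > 0)
        free(quarantine[--n_quarantined]);
}

/* String::copy(): like the real String::alloc() it only reallocates when the
 * new value does not fit, and real_alloc() then frees the old buffer. */
typedef struct { char *ptr; size_t alloced; } String;

static void string_copy(String *s, const char *src)
{
    size_t need = strlen(src) + 1;
    if (need > s->alloced) {
        if (s->ptr)
            poison_free(s->ptr, s->alloced);
        s->ptr = malloc(need);
        s->alloced = need;
    }
    memcpy(s->ptr, src, need);
}

/* MEM_ROOT stand-in: a bump arena owned by the Table, so anything stored in
 * it lives exactly as long as the Table does. */
typedef struct { char buf[256]; size_t used; } MemRoot;

static const char *memroot_strdup(MemRoot *r, const char *s)
{
    size_t n = strlen(s) + 1;
    if (r->used + n > sizeof r->buf)
        return NULL;
    char *p = memcpy(r->buf + r->used, s, n);
    r->used += n;
    return p;
}

typedef struct { const char *table_name; const char *field_name; } Item;
typedef struct { String alias; MemRoot mem_root; Item check; } Table;

/* open_table_from_share(): the alias comes from the first statement and the
 * CHECK item is fixed against it. Buggy: the item keeps a raw pointer into
 * the alias buffer. Fixed: the alias is copied into the table's mem_root. */
static void table_open(Table *t, const char *alias, const char *col, bool fixed)
{
    memset(t, 0, sizeof *t);
    string_copy(&t->alias, alias);
    t->check.table_name = fixed ? memroot_strdup(&t->mem_root, t->alias.ptr)
                                : t->alias.ptr;
    t->check.field_name = col;
}

/* TABLE::init(): the cached TABLE is reused by the next statement, which
 * overwrites the alias with its own. */
static void table_init(Table *t, const char *alias) { string_copy(&t->alias, alias); }

/* Item_ident::print(): first reads table_name[0] (the "READ of size 1" in
 * the report) to decide whether the column can be qualified; printing for a
 * table definition then drops the qualifier, but the read already happened.
 * Returns 0 and fills out, or -1 if the read would hit freed memory. */
static int item_print(const Item *it, bool skip_table_names, char *out, size_t outlen)
{
    if (points_into_quarantine(it->table_name))
        return -1;                                   /* heap-use-after-free */
    bool use_table_name = it->table_name && it->table_name[0];
    if (use_table_name && !skip_table_names)
        snprintf(out, outlen, "`%s`.`%s`", it->table_name, it->field_name);
    else
        snprintf(out, outlen, "`%s`", it->field_name);
    return 0;
}

/* Replays SELECT ... AS a1 followed by SHOW CREATE TABLE (alias a2) on one
 * cached TABLE and renders the constraint. Returns item_print()'s result. */
static int reproduce(bool fixed, const char *a1, const char *a2, char *out, size_t outlen)
{
    Table t; char col[64];
    table_open(&t, a1, "f6", fixed);
    table_init(&t, a2);
    int rc = item_print(&t.check, true, col, sizeof col);
    if (rc == 0)
        snprintf(out, outlen, "CONSTRAINT `constr` CHECK (%s >= 0)", col);
    free(t.alias.ptr);
    quarantine_flush();
    return rc;
}

int main(void)
{
    char out[128];
    const char *seq[][2] = { { "tbl", "long_enough_name" }, { "tbl", "t2" } };
    for (int i = 0; i < 2; i++)
        for (int fixed = 0; fixed < 2; fixed++) {
            int rc = reproduce(fixed, seq[i][0], seq[i][1], out, sizeof out);
            printf("%s %s -> %s: %s\n", fixed ? "fixed" : "buggy", seq[i][0],
                   seq[i][1], rc ? "heap-use-after-free in item_print" : out);
        }
    return 0;
}
```

            The buggy variant fails only for the first sequence: `t2` fits in the buffer allocated for `tbl`, so nothing is freed and the stale pointer stays valid, which is the kind of latent bug that survives until a longer name reaches the same code path. Replacing poison_free() with a plain free() and building with -fsanitize=address reproduces a heap-use-after-free report of the same shape as the one above, with the read in item_print() and the free in string_copy() called from table_init().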

            monty Michael Widenius added a comment - Pushed

            People

              monty Michael Widenius
              hholzgra Hartmut Holzgraefe