Details
Type: Bug
Status: Confirmed
Priority: Major
Resolution: Unresolved
Affects Version/s: 5.5, 10.1, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8
Fix Version/s: None
Description
CREATE TABLE t1 (a INT, b INT NOT NULL, UNIQUE(b));
INSERT INTO t1 VALUES (10, 0);
CREATE TABLE t2 (c INT);
CREATE ALGORITHM=MERGE VIEW v AS SELECT * FROM t1 JOIN t2;
ALTER TABLE t1 ADD d VARCHAR(16);
INSERT INTO v (b) VALUES (0) ON DUPLICATE KEY UPDATE a = NULL;

# Cleanup
DROP VIEW v;
DROP TABLE t1, t2;
10.4 631c5ab4
#3 <signal handler called>
#4 0x00005598efe91c86 in TABLE_LIST::get_tablenr (this=0xffffffffffffffff) at /data/src/10.4/sql/table.h:2178
#5 0x00005598efe7e259 in st_select_lex::save_leaf_tables (this=0x7facd4013a30, thd=0x7facd4000b00) at /data/src/10.4/sql/sql_lex.cc:4914
#6 0x00005598efe63953 in mysql_insert (thd=0x7facd4000b00, table_list=0x7facd4013250, fields=..., values_list=..., update_fields=..., update_values=..., duplic=DUP_UPDATE, ignore=false) at /data/src/10.4/sql/sql_insert.cc:1264
#7 0x00005598efeb1a13 in mysql_execute_command (thd=0x7facd4000b00) at /data/src/10.4/sql/sql_parse.cc:4524
#8 0x00005598efebe331 in mysql_parse (thd=0x7facd4000b00, rawbuf=0x7facd4013128 "INSERT INTO v (b) VALUES (0) ON DUPLICATE KEY UPDATE a = NULL", length=61, parser_state=0x7face5d77170, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:7912
#9 0x00005598efea9284 in dispatch_command (command=COM_QUERY, thd=0x7facd4000b00, packet=0x7facd4008331 "INSERT INTO v (b) VALUES (0) ON DUPLICATE KEY UPDATE a = NULL", packet_length=61, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1841
#10 0x00005598efea78e8 in do_command (thd=0x7facd4000b00) at /data/src/10.4/sql/sql_parse.cc:1359
#11 0x00005598f00318b9 in do_handle_one_connection (connect=0x5598f402b060) at /data/src/10.4/sql/sql_connect.cc:1412
#12 0x00005598f0031608 in handle_one_connection (arg=0x5598f402b060) at /data/src/10.4/sql/sql_connect.cc:1316
#13 0x00005598f0a6935f in pfs_spawn_thread (arg=0x5598f4060450) at /data/src/10.4/storage/perfschema/pfs.cc:1862
#14 0x00007faced71a4a4 in start_thread (arg=0x7face5d78700) at pthread_create.c:456
#15 0x00007facebc62d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
Reproducible on all 10.x, with at least MyISAM, InnoDB, Aria.
10.4 ASAN 631c5ab4
==16627==ERROR: AddressSanitizer: use-after-poison on address 0x62b000068280 at pc 0x7f7069e16d7b bp 0x7f705f396690 sp 0x7f705f395e40
WRITE of size 26 at 0x62b000068280 thread T5
#0 0x7f7069e16d7a (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cd7a)
#1 0x55e2a87b1fee in write_record(THD*, TABLE*, st_copy_info*) /data/src/10.4/sql/sql_insert.cc:1814
#2 0x55e2a87acc9f in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.4/sql/sql_insert.cc:1076
#3 0x55e2a885e76a in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4524
#4 0x55e2a887669a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7912
#5 0x55e2a884ddf1 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1841
#6 0x55e2a884ab40 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1359
#7 0x55e2a8be6745 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412
#8 0x55e2a8be60f9 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
#9 0x55e2aa1cd4db in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
#10 0x7f7069ba44a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
#11 0x7f70680ecd0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)

0x62b00006828c is located 0 bytes to the right of 24716-byte region [0x62b000062200,0x62b00006828c)
allocated by thread T5 here:
#0 0x7f7069e7bd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
#1 0x55e2aa30f68c in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
#2 0x55e2aa2e0330 in my_malloc /data/src/10.4/mysys/my_malloc.c:101
#3 0x55e2aa2beae9 in reset_root_defaults /data/src/10.4/mysys/my_alloc.c:151
#4 0x55e2a874578b in THD::init_for_queries() /data/src/10.4/sql/sql_class.cc:1387
#5 0x55e2a8be5ab6 in prepare_new_connection_state(THD*) /data/src/10.4/sql/sql_connect.cc:1247
#6 0x55e2a8be613f in thd_prepare_connection(THD*) /data/src/10.4/sql/sql_connect.cc:1331
#7 0x55e2a8be66fb in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1402
#8 0x55e2a8be60f9 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
#9 0x55e2aa1cd4db in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
#10 0x7f7069ba44a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)

Thread T5 created by T0 here:
#0 0x7f7069deaf59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
#1 0x55e2aa1cd8c8 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
#2 0x55e2a858da38 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
#3 0x55e2a85a289f in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6240
#4 0x55e2a85a2f82 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6310
#5 0x55e2a85a330d in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6408
#6 0x55e2a85a3f5f in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6566
#7 0x55e2a85a2120 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5898
#8 0x55e2a858b91f in main /data/src/10.4/sql/main.cc:25
#9 0x7f70680242e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: use-after-poison (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cd7a)
Shadow bytes around the buggy address:
0x0c5680005000: 00 00 00 00 00 00 00 00 00 00 f7 00 00 f7 00 00
0x0c5680005010: 00 00 00 00 00 00 00 00 f7 00 00 00 f7 00 00 00
0x0c5680005020: 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 00 00
0x0c5680005030: 00 00 00 00 f7 02 f7 02 f7 02 f7 00 00 f7 00 00
0x0c5680005040: f7 00 00 f7 00 00 f7 00 00 f7 00 00 f7 00 00 00
=>0x0c5680005050:[f7]04 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5680005060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5680005070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5680005080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5680005090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c56800050a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==16627==ABORTING
ASAN variation is reproducible on 10.x and 5.5.
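The ASAN trace above can be read mechanically. The following Python script is an added example, not MariaDB code and not part of the reporter's submission: it parses the header, the faulting access, the heap region ASan matched the address to, the innermost symbolised frame of the access stack and the `=>` shadow line, then works out where each of the 26 written bytes lands. The embedded report is constructed from lines of the 10.4 ASAN trace quoted above (frames the parser does not need are omitted); the regular expressions, the legend subset and the labels are the example's own.

```python
"""Triage helper for an AddressSanitizer report (added example, not MariaDB code).

It parses the header, the faulting access, the heap region ASan matched the
address to, the innermost symbolised frame of the access stack and the '=>'
shadow line, then works out where each byte of the access lands.  ASAN_REPORT
is constructed from lines of the 10.4 ASAN trace in this bug report.
"""
import re

# Constructed input: selected lines of the report above, in ASan's own layout.
ASAN_REPORT = """\
==16627==ERROR: AddressSanitizer: use-after-poison on address 0x62b000068280 at pc 0x7f7069e16d7b bp 0x7f705f396690 sp 0x7f705f395e40
WRITE of size 26 at 0x62b000068280 thread T5
    #0 0x7f7069e16d7a (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cd7a)
    #1 0x55e2a87b1fee in write_record(THD*, TABLE*, st_copy_info*) /data/src/10.4/sql/sql_insert.cc:1814
    #2 0x55e2a87acc9f in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.4/sql/sql_insert.cc:1076
0x62b00006828c is located 0 bytes to the right of 24716-byte region [0x62b000062200,0x62b00006828c)
allocated by thread T5 here:
    #0 0x7f7069e7bd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #3 0x55e2aa2beae9 in reset_root_defaults /data/src/10.4/mysys/my_alloc.c:151
Shadow bytes around the buggy address:
  0x0c5680005040: f7 00 00 f7 00 00 f7 00 00 f7 00 00 f7 00 00 00
=>0x0c5680005050:[f7]04 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5680005060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
"""

# Subset of the shadow byte legend ASan prints at the end of every report.
SHADOW_LEGEND = {
    0x00: "addressable",
    0xf7: "poisoned by user",
    0xfa: "heap left redzone",
    0xfb: "heap right redzone",
    0xfd: "freed heap region",
    0xf1: "stack left redzone",
    0xf2: "stack mid redzone",
    0xf3: "stack right redzone",
    0xf8: "stack use after scope",
    0xf9: "global redzone",
}

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address 0x([0-9a-f]+) at pc 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x([0-9a-f]+) thread (T\d+)", re.M)
REGION_RE = re.compile(r"^0x[0-9a-f]+ is located .*?(\d+)-byte region \[0x([0-9a-f]+),0x([0-9a-f]+)\)", re.M)
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.+) (\S+:\d+)$", re.M)
SHADOW_RE = re.compile(r"^=>0x([0-9a-f]+):(.*)$", re.M)


def parse_report(text):
    """Return the fields a triager needs from one ASan report as a dict."""
    hdr = HEADER_RE.search(text)
    acc = ACCESS_RE.search(text)
    reg = REGION_RE.search(text)
    # Only frames above the "is located" line belong to the faulting access;
    # the allocation and thread-creation stacks come after it.
    frames = FRAME_RE.findall(text[:reg.start()] if reg else text)
    start, size = int(acc.group(3), 16), int(acc.group(2))
    info = {
        "kind": hdr.group(1),
        "bad_addr": int(hdr.group(2), 16),
        "pc": int(hdr.group(3), 16),
        "access": acc.group(1),
        "size": size,
        "start": start,
        "end": start + size,                       # exclusive
        "thread": acc.group(4),
        "culprit": frames[0] if frames else None,  # first symbolised frame
    }
    if reg:
        lo, hi = int(reg.group(2), 16), int(reg.group(3), 16)
        info["region"] = (lo, hi)
        info["region_size_consistent"] = (hi - lo == int(reg.group(1)))
        info["bytes_in_region"] = max(0, min(info["end"], hi) - max(start, lo))
        info["bytes_past_region"] = max(0, info["end"] - hi)
    return info


def classify_access(text, info):
    """Map every byte of the access to the class of its shadow byte.

    One shadow byte covers 8 application bytes; a value 1..7 means only the
    first k bytes of that granule are addressable.  The bracketed byte on the
    '=>' line is the granule holding the address named in the header.
    """
    m = SHADOW_RE.search(text)
    tokens = re.findall(r"\[?[0-9a-f]{2}\]?", m.group(2))
    marked = next(i for i, t in enumerate(tokens) if t.startswith("["))
    values = [int(t.strip("[]"), 16) for t in tokens]
    counts = {}
    for off in range(info["size"]):
        addr = info["start"] + off
        granule = marked + ((addr >> 3) - (info["bad_addr"] >> 3))
        if not 0 <= granule < len(values):
            label = "beyond shadow dump"
        elif 1 <= values[granule] <= 7:
            label = "addressable" if (addr & 7) < values[granule] else "unaddressable tail of partial granule"
        else:
            label = SHADOW_LEGEND.get(values[granule], "0x%02x" % values[granule])
        counts[label] = counts.get(label, 0) + 1
    return counts


def summarize(text):
    """One short triage summary, suitable for pasting into an issue comment."""
    info = parse_report(text)
    func, loc = info["culprit"]
    lines = [
        "%s: %s of %d bytes at 0x%x (thread %s)" % (info["kind"], info["access"], info["size"], info["start"], info["thread"]),
        "innermost project frame: %s at %s" % (func, loc),
        "bytes inside matched region: %d, bytes past its end: %d" % (info["bytes_in_region"], info["bytes_past_region"]),
    ]
    lines += ["  %2d byte(s) %s" % (n, label) for label, n in classify_access(text, info).items()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(ASAN_REPORT))
```

Run on the report above, the script attributes the fault to write_record at sql_insert.cc:1814 and shows that the 26-byte write starts inside the 24716-byte MEM_ROOT block (8 bytes that ASan marks as poisoned by user, then 4 still addressable bytes) and runs 14 bytes past its end into the redzone, which is why the report is classed as use-after-poison rather than a plain heap-buffer-overflow.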
Issue Links
relates to: MDEV-17699 AddressSanitizer: use-after-poison in base_list_iterator::next_fast (Closed)