Details
Major Description
--source include/have_innodb.inc
|
|
|
CREATE TABLE t1 (v1 varchar(1024) CHARACTER SET utf8, KEY v1 (v1)) ENGINE=InnoDB; |
INSERT INTO t1 VALUES ('king'), ('bad'); |
|
|
SELECT MIN(x.v1) FROM (SELECT t1.* FROM t1 WHERE t1.v1 >= 'p') x; |
10.2 abcd09c95a49d02bf136a21d62d38a2, built with -DWITH_ASAN=ON -DCMAKE_BUILD_TYPE=Debug
=================================================================
|
==4403==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f3a57c21060 at pc 0x7f3a70602bec bp 0x7f3a57c1fe30 sp 0x7f3a57c1f5d8
|
WRITE of size 3071 at 0x7f3a57c21060 thread T27
|
#0 0x7f3a70602beb in __asan_memset (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cbeb)
|
#1 0x564bf59ffda9 in Field_varstring::get_key_image(unsigned char*, unsigned int, Field::imagetype) /git/10.2/sql/field.cc:7812
|
#2 0x564bf5daaa2c in matching_cond /git/10.2/sql/opt_sum.cc:828
|
#3 0x564bf5dab6cb in find_key_for_maxmin /git/10.2/sql/opt_sum.cc:947
|
#4 0x564bf5da805b in opt_sum_query(THD*, List<TABLE_LIST>&, List<Item>&, Item*) /git/10.2/sql/opt_sum.cc:395
|
#5 0x564bf5521512 in JOIN::optimize_inner() /git/10.2/sql/sql_select.cc:1495
|
#6 0x564bf551d94e in JOIN::optimize() /git/10.2/sql/sql_select.cc:1115
|
#7 0x564bf5536c24 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /git/10.2/sql/sql_select.cc:3790
|
#8 0x564bf55167e6 in handle_select(THD*, LEX*, select_result*, unsigned long) /git/10.2/sql/sql_select.cc:376
|
#9 0x564bf549d5a1 in execute_sqlcom_select /git/10.2/sql/sql_parse.cc:6477
|
#10 0x564bf548a5b1 in mysql_execute_command(THD*) /git/10.2/sql/sql_parse.cc:3484
|
#11 0x564bf54a5d06 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /git/10.2/sql/sql_parse.cc:8011
|
#12 0x564bf5481255 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /git/10.2/sql/sql_parse.cc:1824
|
#13 0x564bf547e409 in do_command(THD*) /git/10.2/sql/sql_parse.cc:1378
|
#14 0x564bf57a3671 in do_handle_one_connection(CONNECT*) /git/10.2/sql/sql_connect.cc:1335
|
#15 0x564bf57a3079 in handle_one_connection /git/10.2/sql/sql_connect.cc:1241
|
#16 0x564bf694835d in pfs_spawn_thread /git/10.2/storage/perfschema/pfs.cc:1862
|
#17 0x7f3a6f20a6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
|
#18 0x7f3a6e69f41c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
|
|
|
Address 0x7f3a57c21060 is located in stack of thread T27 at offset 3584 in frame
|
#0 0x564bf5da7050 in opt_sum_query(THD*, List<TABLE_LIST>&, List<Item>&, Item*) /git/10.2/sql/opt_sum.cc:243
|
|
|
This frame has 7 object(s):
|
[32, 36) 'range_fl'
|
[96, 100) 'prefix_len'
|
[160, 192) 'it'
|
[224, 256) 'ti'
|
[288, 320) '_db_stack_frame_'
|
[352, 464) 'ref'
|
[512, 3584) 'key_buff' <== Memory access at offset 3584 overflows this variable
|
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
|
(longjmp and C++ exceptions *are* supported)
|
Thread T27 created by T0 here:
|
#0 0x7f3a705ac253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
|
#1 0x564bf694874a in spawn_thread_v1 /git/10.2/storage/perfschema/pfs.cc:1912
|
#2 0x564bf528ddc6 in inline_mysql_thread_create /git/10.2/include/mysql/psi/mysql_thread.h:1239
|
#3 0x564bf52a1fec in create_thread_to_handle_connection(CONNECT*) /git/10.2/sql/mysqld.cc:6454
|
#4 0x564bf52a26ec in create_new_thread /git/10.2/sql/mysqld.cc:6524
|
#5 0x564bf52a372f in handle_connections_sockets() /git/10.2/sql/mysqld.cc:6799
|
#6 0x564bf52a153c in mysqld_main(int, char**) /git/10.2/sql/mysqld.cc:6073
|
#7 0x564bf528c75f in main /git/10.2/sql/main.cc:25
|
#8 0x7f3a6e5b882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
|
|
|
SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 __asan_memset
|
Shadow bytes around the buggy address:
|
0x0fe7caf7c1b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0fe7caf7c1c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0fe7caf7c1d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0fe7caf7c1e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0fe7caf7c1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
=>0x0fe7caf7c200: 00 00 00 00 00 00 00 00 00 00 00 00[f3]f3 f3 f3
|
0x0fe7caf7c210: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0fe7caf7c220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0fe7caf7c230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
|
0x0fe7caf7c240: f1 f1 01 f4 f4 f4 f2 f2 f2 f2 00 00 00 00 f2 f2
|
0x0fe7caf7c250: f2 f2 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Heap right redzone: fb
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack partial redzone: f4
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
==4403==ABORTING
|
----------SERVER LOG END-------------
|
|