Description
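--source include/have_innodb.inc

# Repro for the AddressSanitizer stack-buffer-overflow reported in
# table_cond_selectivity() (sql/sql_select.cc), reached from
# best_extension_by_limited_search() during JOIN::optimize().
#
# Save the two session variables so the test can restore them on exit
# (mtr check-testcase style: leave the session as it was found).
SET @save_join_cache_level = @@join_cache_level;
SET @save_optimizer_use_condition_selectivity = @@optimizer_use_condition_selectivity;

# Both settings are part of the reported repro. NOTE(review): the report
# does not say which of the two is essential; presumably
# optimizer_use_condition_selectivity=2 is what routes the optimizer
# through table_cond_selectivity(), and join_cache_level=3 selects the
# plan shape in which it overflows -- verify before trimming either.
SET join_cache_level = 3;
SET optimizer_use_condition_selectivity = 2;

# 34 INT columns. ASAN reports a 2-byte write at offset 94 of the
# 62-byte stack object 'ref_keyuse_steps' [32, 94), i.e. one element past
# a 31-entry array of 2-byte values. The column count therefore has to be
# large enough that the row-IN predicate below yields more key parts than
# that array holds. NOTE(review): the exact threshold is inferred from the
# ASAN frame layout, not measured; fewer columns may still reproduce.
CREATE TABLE t1 (
  c1 INT,  c2 INT,  c3 INT,  c4 INT,  c5 INT,  c6 INT,  c7 INT,  c8 INT,
  c9 INT,  c10 INT, c11 INT, c12 INT, c13 INT, c14 INT, c15 INT, c16 INT,
  c17 INT, c18 INT, c19 INT, c20 INT, c21 INT, c22 INT, c23 INT, c24 INT,
  c25 INT, c26 INT, c27 INT, c28 INT, c29 INT, c30 INT, c31 INT, c32 INT,
  c33 INT, c34 INT
) ENGINE=InnoDB;

# No rows are inserted on purpose: the failure is in the optimizer
# (JOIN::optimize_inner -> make_join_statistics -> choose_plan -> ...),
# so it is hit before any row would be read. The full-width row
# comparison against "SELECT *" of the same table is the trigger;
# keep the column list and the "SELECT *" as they are.
SELECT * FROM t1
WHERE (c1, c2, c3, c4, c5, c6, c7, c8, c9, c10, c11, c12, c13, c14, c15,
       c16, c17, c18, c19, c20, c21, c22, c23, c24, c25, c26, c27, c28,
       c29, c30, c31, c32, c33, c34)
      IN (SELECT * FROM t1);

# cleanup
DROP TABLE t1;
SET join_cache_level = @save_join_cache_level;
SET optimizer_use_condition_selectivity = @save_optimizer_use_condition_selectivity;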
Built as:
cmake . -DCMAKE_BUILD_TYPE=Debug -DWITHOUT_TOKUDB=1 -DWITH_SSL=bundled -DCONC_WITH_{UNITTEST,SSL}=OFF -DWITH_ASAN=ON
|
10.0 d0d0f88f2cd4da23c2c |
Version: '10.0.38-MariaDB-debug' socket: '/git/10.0/mysql-test/var/tmp/mysqld.1.sock' port: 16000 Source distribution
|
=================================================================
|
==25866==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f643c86816e at pc 0x00000072319b bp 0x7f643c868050 sp 0x7f643c868040
|
WRITE of size 2 at 0x7f643c86816e thread T21
|
#0 0x72319a in table_cond_selectivity /git/10.0/sql/sql_select.cc:7521
|
#1 0x73f40c in best_extension_by_limited_search /git/10.0/sql/sql_select.cc:7824
|
#2 0x73f515 in best_extension_by_limited_search /git/10.0/sql/sql_select.cc:7831
|
#3 0x7405ee in greedy_search /git/10.0/sql/sql_select.cc:6994
|
#4 0x7405ee in choose_plan(JOIN*, unsigned long long) /git/10.0/sql/sql_select.cc:6571
|
#5 0x7a1432 in make_join_statistics /git/10.0/sql/sql_select.cc:4078
|
#6 0x7a1432 in JOIN::optimize_inner() /git/10.0/sql/sql_select.cc:1372
|
#7 0x7a7233 in JOIN::optimize() /git/10.0/sql/sql_select.cc:1041
|
#8 0x7a90b9 in mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /git/10.0/sql/sql_select.cc:3334
|
#9 0x7a98ad in handle_select(THD*, LEX*, select_result*, unsigned long) /git/10.0/sql/sql_select.cc:377
|
#10 0x698ae8 in execute_sqlcom_select /git/10.0/sql/sql_parse.cc:5308
|
#11 0x6afa53 in mysql_execute_command(THD*) /git/10.0/sql/sql_parse.cc:2558
|
#12 0x6c5317 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /git/10.0/sql/sql_parse.cc:6644
|
#13 0x6c8998 in dispatch_command(enum_server_command, THD*, char*, unsigned int) /git/10.0/sql/sql_parse.cc:1301
|
#14 0x6cd1b2 in do_command(THD*) /git/10.0/sql/sql_parse.cc:1003
|
#15 0x9351c7 in do_handle_one_connection(THD*) /git/10.0/sql/sql_connect.cc:1377
|
#16 0x935436 in handle_one_connection /git/10.0/sql/sql_connect.cc:1292
|
#17 0x16945b5 in pfs_spawn_thread /git/10.0/storage/perfschema/pfs.cc:1861
|
#18 0x7f644f9576b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
|
#19 0x7f644f00241c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
|
|
Address 0x7f643c86816e is located in stack of thread T21 at offset 94 in frame
|
#0 0x72289a in table_cond_selectivity /git/10.0/sql/sql_select.cc:7387
|
|
This frame has 1 object(s):
|
[32, 94) 'ref_keyuse_steps' <== Memory access at offset 94 overflows this variable
|
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
|
(longjmp and C++ exceptions *are* supported)
|
Thread T21 created by T0 here:
|
#0 0x7f64503fb253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
|
#1 0x169f01a in spawn_thread_v1 /git/10.0/storage/perfschema/pfs.cc:1911
|
|
SUMMARY: AddressSanitizer: stack-buffer-overflow /git/10.0/sql/sql_select.cc:7521 table_cond_selectivity
|
Shadow bytes around the buggy address:
|
0x0fed07904fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0fed07904fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0fed07904ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0fed07905000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0fed07905010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
=>0x0fed07905020: 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00[06]f3 f3
|
0x0fed07905030: f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
|
0x0fed07905040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0fed07905050: 00 00 00 00 00 00 f1 f1 f1 f1 00 f4 f4 f4 f2 f2
|
0x0fed07905060: f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 00 00 00 f2 f2
|
0x0fed07905070: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Heap right redzone: fb
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack partial redzone: f4
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
==25866==ABORTING
|
----------SERVER LOG END-------------
|
Issue Links
- blocks
-
MDEV-23937 SIGSEGV in looped best_extension_by_limited_search from greedy_search on NATURAL JOIN | SIGSEGV in restore_prev_nj_state
-
- Closed
-
- relates to
-
MDEV-23707 Fix condition selectivity computation for join prefixes
-
- Stalled
-
-
MDEV-25013 SIGSEGV in best_extension_by_limited_search | SIGSEGV in restore_prev_nj_state
-
- Closed
-
-
MDEV-26190 Stack smashing SIGSEGV in optimized builds starting in table_cond_selectivity
-
- Closed
-
-
MDEV-23937 SIGSEGV in looped best_extension_by_limited_search from greedy_search on NATURAL JOIN | SIGSEGV in restore_prev_nj_state
-
- Closed
-
Here is another test case which causes the same ASAN failure on 10.4+, and a very different but equally ugly stack trace on a non-ASAN debug build. (Note: in this copy of the report only the column lists of the two CREATE TABLE statements survived below — the CREATE TABLE headers and the statement that actually triggers the crash are missing, and each list ends in a stray trailing comma — so the second test case is not runnable as shown.)
f1 tinytext,
f2 mediumint,
f4 tinytext,
f8 mediumtext,
f9 mediumtext,
f12 datetime,
f15 mediumint unsigned,
f16 mediumtext,
f18 longtext,
f22 longtext,
f24 tinytext,
f25 longtext,
f26 tinyint,
f31 text,
f39 text,
) ENGINE=MyISAM;
f1 tinytext,
f2 mediumint,
f4 tinytext,
f8 mediumtext,
f9 mediumtext,
f12 datetime,
f15 mediumint unsigned,
f16 mediumtext,
f18 longtext,
f22 longtext,
f24 tinytext,
f25 longtext,
f26 tinyint,
f31 text,
f39 text,
) ENGINE=MyISAM;
10.4 de208723
#5 <signal handler called>
#6 0x0000562c0fa3133e in table_cond_selectivity (join=0x7f4fd4015698, idx=1, s=0x0, rem_tables=0) at /data/src/10.4/sql/sql_select.cc:9306
#7 0x0001000100010001 in ?? ()
#8 0x0001000100010001 in ?? ()
#9 0x4000000000000000 in ?? ()
#10 0x0000000100000004 in ?? ()
#11 0x4003573333333333 in ?? ()
#12 0x4000000000000000 in ?? ()
#13 0x000000010000003d in ?? ()
#14 0x0000000000000002 in ?? ()
#15 0x00007f4fd4015698 in ?? ()
#16 0x00000000d41b9e98 in ?? ()
#17 0x4010000000000000 in ?? ()
#18 0x4014f0cccccccccc in ?? ()
#19 0x4010000000000000 in ?? ()
#20 0x4014f0cccccccccc in ?? ()
#21 0xffffffffffffffff in ?? ()
#22 0x00007f4fd41bb8f0 in ?? ()
#23 0x3ff0000000000000 in ?? ()
#24 0x00007f4fd4000af0 in ?? ()
#25 0x00007f4fd41bb358 in ?? ()
#26 0x0000000000000002 in ?? ()
#27 0x00007f4fd41bba50 in ?? ()
#28 0x0000000000000000 in ?? ()