# mysqltest reproducer for the AddressSanitizer stack-buffer-overflow reported
# below in table_cond_selectivity() (sql/sql_select.cc:7521, 10.0.38-MariaDB-debug):
# a 2-byte WRITE lands at offset 94, i.e. just past the 62-byte local
# 'ref_keyuse_steps' ([32, 94)) in that frame.
--source include/have_innodb.inc
|
# The report runs with both settings; whether each is strictly required is not
# stated. optimizer_use_condition_selectivity=2 is presumably what makes the
# optimizer enter table_cond_selectivity (the faulting frame in the trace);
# join_cache_level controls which join-buffering variants the planner may use.
set join_cache_level=3; |
set optimizer_use_condition_selectivity=2; |
|
# 34 INT columns. The width of the row constructor below is what the overflow
# appears to depend on — NOTE(review): the report does not state the minimum
# column count that still reproduces.
CREATE TABLE t1 (c1 int, c2 int, c3 int, c4 int, c5 int, c6 int, c7 int, c8 int, c9 int, c10 int, c11 int, c12 int, c13 int, c14 int, c15 int, c16 int, c17 int, c18 int, c19 int, c20 int, c21 int, c22 int, c23 int, c24 int, c25 int, c26 int, c27 int, c28 int, c29 int, c30 int, c31 int, c32 int, c33 int, c34 int) ENGINE=InnoDB; |
|
# All 34 columns compared as one row constructor against a subquery on the same
# table. No rows are inserted: per the stack trace the overflow happens while
# the join plan is chosen (JOIN::optimize -> choose_plan ->
# best_extension_by_limited_search -> table_cond_selectivity), before any
# data is read. A plain SELECT that crashes the server is a denial-of-service
# exposure for any session able to create a table and run it (hedged — the
# report does not discuss privileges).
SELECT * FROM t1 WHERE (c1, c2, c3, c4, c5, c6, c7, c8, c9, c10, c11, c12, c13, c14, c15, c16, c17, c18, c19, c20, c21, c22, c23, c24, c25, c26, c27, c28, c29, c30, c31, c32, c33, c34) IN (SELECT * FROM t1) ; |
|
#cleanup
|
drop table t1; |
Built as:
cmake . -DCMAKE_BUILD_TYPE=Debug -DWITHOUT_TOKUDB=1 -DWITH_SSL=bundled -DCONC_WITH_{UNITTEST,SSL}=OFF -DWITH_ASAN=ON
10.0 d0d0f88f2cd4da23c2c
Version: '10.0.38-MariaDB-debug' socket: '/git/10.0/mysql-test/var/tmp/mysqld.1.sock' port: 16000 Source distribution
=================================================================
==25866==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f643c86816e at pc 0x00000072319b bp 0x7f643c868050 sp 0x7f643c868040
WRITE of size 2 at 0x7f643c86816e thread T21
#0 0x72319a in table_cond_selectivity /git/10.0/sql/sql_select.cc:7521
#1 0x73f40c in best_extension_by_limited_search /git/10.0/sql/sql_select.cc:7824
#2 0x73f515 in best_extension_by_limited_search /git/10.0/sql/sql_select.cc:7831
#3 0x7405ee in greedy_search /git/10.0/sql/sql_select.cc:6994
#4 0x7405ee in choose_plan(JOIN*, unsigned long long) /git/10.0/sql/sql_select.cc:6571
#5 0x7a1432 in make_join_statistics /git/10.0/sql/sql_select.cc:4078
#6 0x7a1432 in JOIN::optimize_inner() /git/10.0/sql/sql_select.cc:1372
#7 0x7a7233 in JOIN::optimize() /git/10.0/sql/sql_select.cc:1041
#8 0x7a90b9 in mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /git/10.0/sql/sql_select.cc:3334
#9 0x7a98ad in handle_select(THD*, LEX*, select_result*, unsigned long) /git/10.0/sql/sql_select.cc:377
#10 0x698ae8 in execute_sqlcom_select /git/10.0/sql/sql_parse.cc:5308
#11 0x6afa53 in mysql_execute_command(THD*) /git/10.0/sql/sql_parse.cc:2558
#12 0x6c5317 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /git/10.0/sql/sql_parse.cc:6644
#13 0x6c8998 in dispatch_command(enum_server_command, THD*, char*, unsigned int) /git/10.0/sql/sql_parse.cc:1301
#14 0x6cd1b2 in do_command(THD*) /git/10.0/sql/sql_parse.cc:1003
#15 0x9351c7 in do_handle_one_connection(THD*) /git/10.0/sql/sql_connect.cc:1377
#16 0x935436 in handle_one_connection /git/10.0/sql/sql_connect.cc:1292
#17 0x16945b5 in pfs_spawn_thread /git/10.0/storage/perfschema/pfs.cc:1861
#18 0x7f644f9576b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#19 0x7f644f00241c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
Address 0x7f643c86816e is located in stack of thread T21 at offset 94 in frame
#0 0x72289a in table_cond_selectivity /git/10.0/sql/sql_select.cc:7387
This frame has 1 object(s):
[32, 94) 'ref_keyuse_steps' <== Memory access at offset 94 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
Thread T21 created by T0 here:
#0 0x7f64503fb253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
#1 0x169f01a in spawn_thread_v1 /git/10.0/storage/perfschema/pfs.cc:1911
SUMMARY: AddressSanitizer: stack-buffer-overflow /git/10.0/sql/sql_select.cc:7521 table_cond_selectivity
Shadow bytes around the buggy address:
0x0fed07904fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fed07904fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fed07904ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fed07905000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fed07905010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fed07905020: 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00[06]f3 f3
0x0fed07905030: f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
0x0fed07905040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fed07905050: 00 00 00 00 00 00 f1 f1 f1 f1 00 f4 f4 f4 f2 f2
0x0fed07905060: f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 00 00 00 f2 f2
0x0fed07905070: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==25866==ABORTING
----------SERVER LOG END-------------
Issue Links
- blocks
-
MDEV-23937 SIGSEGV in looped best_extension_by_limited_search from greedy_search on NATURAL JOIN | SIGSEGV in restore_prev_nj_state
- Closed
- relates to
-
MDEV-23707 Fix condition selectivity computation for join prefixes
- Stalled
-
MDEV-25013 SIGSEGV in best_extension_by_limited_search | SIGSEGV in restore_prev_nj_state
- Closed
-
MDEV-26190 Stack smashing SIGSEGV in optimized builds starting in table_cond_selectivity
- Closed
-
MDEV-23937 SIGSEGV in looped best_extension_by_limited_search from greedy_search on NATURAL JOIN | SIGSEGV in restore_prev_nj_state
- Closed