Details
-
Bug
-
Status: Closed (View Workflow)
-
Critical
-
Resolution: Fixed
-
10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL)
Description
CREATE TABLE t1 ( pk int, v1 varchar(1)) ENGINE=MyISAM; |
INSERT INTO t1 VALUES (1,'v'),(2,'v'),(3,'c'); |
|
|
CREATE TABLE t2 ( pk int, v1 varchar(1)) ENGINE=MyISAM; |
INSERT INTO t2 VALUES (1,'x'); |
|
|
CREATE TABLE t3 ( pk int, i1 int, v1 varchar(1)) ENGINE=MyISAM; |
INSERT INTO t3 VALUES (10,8,9); |
|
|
execute immediate 'SELECT STRAIGHT_JOIN 1 FROM (t1 JOIN t2 ON (t1.v1 = t2.v1)) |
WHERE (3, 6) IN (SELECT tC.pk, t3.i1 FROM (t3 JOIN t1 AS tC ON (tC.v1 = t3.v1)) HAVING tC.pk > 1 );'; |
built as cmake . -DPLUGIN_TOKUDB=NO -DCMAKE_BUILD_TYPE=Debug -DWITH_ASAN=ON :
|
10.4 17e371fffe3d0a2593 |
==2451==ERROR: AddressSanitizer: use-after-poison on address 0x62b000082e88 at pc 0x55c8f38b19d5 bp 0x7fb0a6f24090 sp 0x7fb0a6f24080
|
WRITE of size 8 at 0x62b000082e88 thread T27
|
#0 0x55c8f38b19d4 in Item_change_list::rollback_item_tree_changes() /git/10.4/sql/sql_class.cc:2824
|
#1 0x55c8f39fb580 in Prepared_statement::cleanup_stmt() /git/10.4/sql/sql_prepare.cc:3854
|
#2 0x55c8f3a02360 in Prepared_statement::execute(String*, bool) /git/10.4/sql/sql_prepare.cc:4818
|
#3 0x55c8f39fd82a in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /git/10.4/sql/sql_prepare.cc:4218
|
#4 0x55c8f3a03014 in Prepared_statement::execute_immediate(char const*, unsigned int) /git/10.4/sql/sql_prepare.cc:4914
|
#5 0x55c8f39f5c1f in mysql_sql_stmt_execute_immediate(THD*) /git/10.4/sql/sql_prepare.cc:2894
|
#6 0x55c8f39a1b50 in mysql_execute_command(THD*) /git/10.4/sql/sql_parse.cc:3780
|
#7 0x55c8f39bb97e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /git/10.4/sql/sql_parse.cc:8092
|
#8 0x55c8f399682a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /git/10.4/sql/sql_parse.cc:1851
|
#9 0x55c8f39939c2 in do_command(THD*) /git/10.4/sql/sql_parse.cc:1396
|
#10 0x55c8f3ceb128 in do_handle_one_connection(CONNECT*) /git/10.4/sql/sql_connect.cc:1402
|
#11 0x55c8f3ceab05 in handle_one_connection /git/10.4/sql/sql_connect.cc:1308
|
#12 0x55c8f5029ca5 in pfs_spawn_thread /git/10.4/storage/perfschema/pfs.cc:1862
|
#13 0x7fb0be4726b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
|
#14 0x7fb0bd90741c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
|
|
|
0x62b000082e88 is located 19592 bytes inside of 24716-byte region [0x62b00007e200,0x62b00008428c)
|
allocated by thread T27 here:
|
#0 0x7fb0bf6d1602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
|
#1 0x55c8f5169fe5 in sf_malloc /git/10.4/mysys/safemalloc.c:118
|
#2 0x55c8f513c188 in my_malloc /git/10.4/mysys/my_malloc.c:101
|
#3 0x55c8f511c3e3 in reset_root_defaults /git/10.4/mysys/my_alloc.c:151
|
#4 0x55c8f38a6f83 in THD::init_for_queries() /git/10.4/sql/sql_class.cc:1337
|
#5 0x55c8f3cea4c2 in prepare_new_connection_state(THD*) /git/10.4/sql/sql_connect.cc:1239
|
#6 0x55c8f3ceab4b in thd_prepare_connection(THD*) /git/10.4/sql/sql_connect.cc:1323
|
#7 0x55c8f3ceb0f0 in do_handle_one_connection(CONNECT*) /git/10.4/sql/sql_connect.cc:1393
|
#8 0x55c8f3ceab05 in handle_one_connection /git/10.4/sql/sql_connect.cc:1308
|
#9 0x55c8f5029ca5 in pfs_spawn_thread /git/10.4/storage/perfschema/pfs.cc:1862
|
#10 0x7fb0be4726b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
|
|
|
Thread T27 created by T0 here:
|
#0 0x7fb0bf66f253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
|
#1 0x55c8f502a092 in spawn_thread_v1 /git/10.4/storage/perfschema/pfs.cc:1912
|
#2 0x55c8f370ab14 in inline_mysql_thread_create /git/10.4/include/mysql/psi/mysql_thread.h:1268
|
#3 0x55c8f371fcf7 in create_thread_to_handle_connection(CONNECT*) /git/10.4/sql/mysqld.cc:6330
|
#4 0x55c8f37203f7 in create_new_thread(CONNECT*) /git/10.4/sql/mysqld.cc:6400
|
#5 0x55c8f3720782 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /git/10.4/sql/mysqld.cc:6517
|
#6 0x55c8f37213ff in handle_connections_sockets() /git/10.4/sql/mysqld.cc:6682
|
#7 0x55c8f371f1b7 in mysqld_main(int, char**) /git/10.4/sql/mysqld.cc:5952
|
#8 0x55c8f370923f in main /git/10.4/sql/main.cc:25
|
#9 0x7fb0bd82082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
|
|
|
SUMMARY: AddressSanitizer: use-after-poison /git/10.4/sql/sql_class.cc:2824 Item_change_list::rollback_item_tree_changes()
|
Shadow bytes around the buggy address:
|
0x0c5680008580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c5680008590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c56800085a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c56800085b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c56800085c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
=>0x0c56800085d0: f7[f7]00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c56800085e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c56800085f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c5680008600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c5680008610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c5680008620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Heap right redzone: fb
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack partial redzone: f4
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
==2451==ABORTING
|
----------SERVER LOG END-------------
|
Attachments
Issue Links
- duplicates
-
-
- Closed
-
- relates to
-
-
- Closed
-
-
-
- Confirmed
-
-
-
- Closed
-
Activity
The test case from MDEV-18744 (only fails on 10.4):
CREATE TABLE t1 (a INT) ENGINE=MyISAM; |
INSERT INTO t1 VALUES (1),(2); |
|
CREATE TABLE t2 (b INT) ENGINE=MyISAM; |
INSERT INTO t2 VALUES (3); |
|
PREPARE stmt FROM "SELECT * FROM t1 JOIN t2 HAVING NOT (t1.a IS NULL AND t2.b <> 1)"; |
EXECUTE stmt; |
|
# Cleanup
|
DEALLOCATE PREPARE stmt; |
DROP TABLE t1, t2; |
./mtr main.opt_tvc --ps-protocol
|
10.5 |
|
|
CURRENT_TEST: main.opt_tvc
|
mysqltest: At line 77: query '$query' failed: 2013: Lost connection to MySQL server during query
|
|
|
The result from queries just before the failure was:
|
< snip >
|
3 DERIVED NULL NULL NULL NULL NULL NULL NULL NULL No tables used
|
Warnings:
|
Note 1003 /* select#1 */ select `test`.`t1`.`a` AS `a`,`test`.`t1`.`b` AS `b` from `test`.`t1` semi join ((values (1),(2)) `tvc_0`) where 1
|
explain extended select * from t1
|
where a in
|
(
|
select *
|
from (values (1),(2)) as tvc_0
|
);
|
id select_type table type possible_keys key key_len ref rows filtered Extra
|
1 PRIMARY t1 ALL NULL NULL NULL NULL 6 100.00
|
1 PRIMARY <subquery2> eq_ref distinct_key distinct_key 4 func 1 100.00
|
2 MATERIALIZED <derived3> ALL NULL NULL NULL NULL 2 100.00
|
3 DERIVED NULL NULL NULL NULL NULL NULL NULL NULL No tables used
|
Warnings:
|
Note 1003 /* select#1 */ select `test`.`t1`.`a` AS `a`,`test`.`t1`.`b` AS `b` from `test`.`t1` semi join ((values (1),(2)) `tvc_0`) where 1
|
# AND-condition with IN-predicates in WHERE-part
|
select * from t1
|
where a in (1,2) and
|
b in (1,5);
|
|
|
More results from queries before failure can be found in /mysql-test/var/log/opt_tvc.log
|
|
|
|
|
Server [mysqld.1 - pid: 266702, winpid: 266702, exit: 256] failed during test run
|
Server log from this test:
|
----------SERVER LOG START-----------
|
2020-11-25 14:35:29 0 [Note] /sql/mariadbd (mysqld 10.5.9-MariaDB-debug-log) starting as process 266703 ...
|
2020-11-25 14:35:29 0 [Warning] Could not increase number of max_open_files to more than 1024 (request: 32186)
|
2020-11-25 14:35:29 0 [Warning] Changed limits: max_open_files: 1024 max_connections: 151 (was 151) table_cache: 421 (was 2000)
|
2020-11-25 14:35:29 0 [Warning] setrlimit could not change the size of core files to 'infinity'; We may not be able to generate a core file on signals
|
2020-11-25 14:35:29 0 [Note] Plugin 'partition' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'CONNECT' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'InnoDB' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'INNODB_SYS_DATAFILES' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'INNODB_SYS_TABLESTATS' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'INNODB_BUFFER_PAGE' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'INNODB_TRX' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'INNODB_CMP_PER_INDEX' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'INNODB_METRICS' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'INNODB_LOCK_WAITS' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'INNODB_CMP' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'THREAD_POOL_WAITS' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'INNODB_CMP_RESET' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'THREAD_POOL_QUEUES' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'INNODB_SYS_FIELDS' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'INNODB_BUFFER_PAGE_LRU' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'FEEDBACK' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'INNODB_LOCKS' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'INNODB_FT_INDEX_TABLE' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'INNODB_CMPMEM' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'THREAD_POOL_GROUPS' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'INNODB_CMP_PER_INDEX_RESET' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'INNODB_SYS_FOREIGN_COLS' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'INNODB_FT_INDEX_CACHE' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'INNODB_BUFFER_POOL_STATS' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'INNODB_FT_BEING_DELETED' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'INNODB_SYS_FOREIGN' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'INNODB_CMPMEM_RESET' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'INNODB_FT_DEFAULT_STOPWORD' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'INNODB_SYS_TABLES' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'INNODB_SYS_COLUMNS' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'INNODB_FT_CONFIG' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'INNODB_SYS_TABLESPACES' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'INNODB_SYS_VIRTUAL' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'INNODB_SYS_INDEXES' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'INNODB_SYS_SEMAPHORE_WAITS' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'INNODB_MUTEXES' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'user_variables' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'INNODB_TABLESPACES_ENCRYPTION' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'INNODB_FT_DELETED' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'THREAD_POOL_STATS' is disabled.
|
2020-11-25 14:35:29 0 [Note] Plugin 'unix_socket' is disabled.
|
2020-11-25 14:35:29 0 [Warning] /sql/mariadbd: unknown option '--loose-pam-debug'
|
2020-11-25 14:35:29 0 [Warning] /sql/mariadbd: unknown option '--loose-aria'
|
2020-11-25 14:35:29 0 [Note] Server socket created on IP: '127.0.0.1'.
|
2020-11-25 14:35:29 0 [Note] Reading of all Master_info entries succeeded
|
2020-11-25 14:35:29 0 [Note] Added new Master_info '' to hash table
|
2020-11-25 14:35:29 0 [Note] /sql/mariadbd: ready for connections.
|
Version: '10.5.9-MariaDB-debug-log' socket: '/mysql-test/var/tmp/mysqld.1.sock' port: 16000 Source distribution
|
=================================================================
|
==266703==ERROR: AddressSanitizer: use-after-poison on address 0x62b0000383f0 at pc 0x562cfd62d214 bp 0x7f7535510c40 sp 0x7f7535510c30
|
WRITE of size 8 at 0x62b0000383f0 thread T5
|
#0 0x562cfd62d213 in Item_change_list::rollback_item_tree_changes() /src/sql/sql_class.cc:2921
|
#1 0x562cfd7be31a in Prepared_statement::cleanup_stmt() /src/sql/sql_prepare.cc:4090
|
#2 0x562cfd7c5ac7 in Prepared_statement::execute(String*, bool) /src/sql/sql_prepare.cc:5024
|
#3 0x562cfd7c0caa in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /src/sql/sql_prepare.cc:4460
|
#4 0x562cfd7ba02e in mysql_stmt_execute_common /src/sql/sql_prepare.cc:3448
|
#5 0x562cfd7b921d in mysqld_stmt_execute(THD*, char*, unsigned int) /src/sql/sql_prepare.cc:3229
|
#6 0x562cfd746fd2 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /src/sql/sql_parse.cc:1796
|
#7 0x562cfd744071 in do_command(THD*) /src/sql/sql_parse.cc:1353
|
#8 0x562cfdb8559d in do_handle_one_connection(CONNECT*, bool) /src/sql/sql_connect.cc:1410
|
#9 0x562cfdb84f01 in handle_one_connection /src/sql/sql_connect.cc:1312
|
#10 0x562cfe88fbc0 in pfs_spawn_thread /src/storage/perfschema/pfs.cc:2201
|
#11 0x7f7540ab1608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
|
#12 0x7f7540687292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
|
|
|
0x62b0000383f0 is located 496 bytes inside of 24740-byte region [0x62b000038200,0x62b00003e2a4)
|
allocated by thread T5 here:
|
#0 0x7f75415cdbc8 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
|
#1 0x562cff856f97 in sf_malloc /src/mysys/safemalloc.c:118
|
#2 0x562cff82440b in my_malloc /src/mysys/my_malloc.c:88
|
#3 0x562cff7ff9b0 in reset_root_defaults /src/mysys/my_alloc.c:148
|
#4 0x562cfd620f62 in THD::init_for_queries() /src/sql/sql_class.cc:1409
|
#5 0x562cfdb84836 in prepare_new_connection_state(THD*) /src/sql/sql_connect.cc:1240
|
#6 0x562cfdb84f80 in thd_prepare_connection(THD*) /src/sql/sql_connect.cc:1333
|
#7 0x562cfdb854c8 in do_handle_one_connection(CONNECT*, bool) /src/sql/sql_connect.cc:1400
|
#8 0x562cfdb84f01 in handle_one_connection /src/sql/sql_connect.cc:1312
|
#9 0x562cfe88fbc0 in pfs_spawn_thread /src/storage/perfschema/pfs.cc:2201
|
#10 0x7f7540ab1608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
|
|
|
Thread T5 created by T0 here:
|
#0 0x7f75414fa805 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
|
#1 0x562cfe88ab64 in my_thread_create /src/storage/perfschema/my_thread.h:38
|
#2 0x562cfe88ffb3 in pfs_spawn_thread_v1 /src/storage/perfschema/pfs.cc:2252
|
#3 0x562cfd4393ce in inline_mysql_thread_create /src/include/mysql/psi/mysql_thread.h:1323
|
#4 0x562cfd44f3c1 in create_thread_to_handle_connection(CONNECT*) /src/sql/mysqld.cc:6022
|
#5 0x562cfd44fa40 in create_new_thread(CONNECT*) /src/sql/mysqld.cc:6081
|
#6 0x562cfd44fd9d in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /src/sql/mysqld.cc:6146
|
#7 0x562cfd4509cd in handle_connections_sockets() /src/sql/mysqld.cc:6273
|
#8 0x562cfd44ebbd in mysqld_main(int, char**) /src/sql/mysqld.cc:5668
|
#9 0x562cfd437c6c in main /src/sql/main.cc:25
|
#10 0x7f754058c0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
|
|
|
SUMMARY: AddressSanitizer: use-after-poison /src/sql/sql_class.cc:2921 in Item_change_list::rollback_item_tree_changes()
|
Shadow bytes around the buggy address:
|
0x0c567ffff020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c567ffff030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c567ffff040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c567ffff050: 00 00 00 00 f7 00 00 00 00 00 00 00 00 00 00 00
|
0x0c567ffff060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
=>0x0c567ffff070: 00 00 00 00 00 00 00 00 00 f7 00 00 f7 f7[f7]f7
|
0x0c567ffff080: 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00 00
|
0x0c567ffff090: 00 00 00 00 00 00 00 00 00 f7 00 f7 00 00 00 00
|
0x0c567ffff0a0: 00 00 00 f7 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c567ffff0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c567ffff0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==266703==ABORTING
|
main.having_cond_pushdown +ps-protocol:
main.having_cond_pushdown [ fail ]
|
Test ended at 2020-11-25 14:00:36
|
|
|
CURRENT_TEST: main.having_cond_pushdown
|
mysqltest: At line 557: query '$query' failed: 2013: Lost connection to MySQL server during query
|
|
|
The result from queries just before the failure was:
|
< snip >
|
"rows": 5,
|
"filtered": 100,
|
"attached_condition": "(t1.a = 1 or t1.b > 10) and (t1.b < 14 or t1.b > 15)"
|
}
|
}
|
}
|
}
|
}
|
# extracted AND formula : equality in the inner AND formula
|
set statement optimizer_switch='condition_pushdown_from_having=off' for SELECT t1.a,t1.b,MAX(t1.c)
|
FROM t1
|
GROUP BY t1.a,t1.b
|
HAVING (t1.a = 1 OR t1.b > 10) AND (t1.b < 14 OR (t1.b > 15 AND t1.a = 2));
|
a b MAX(t1.c)
|
2 13 2
|
3 13 4
|
SELECT t1.a,t1.b,MAX(t1.c)
|
FROM t1
|
GROUP BY t1.a,t1.b
|
HAVING (t1.a = 1 OR t1.b > 10) AND (t1.b < 14 OR (t1.b > 15 AND t1.a = 2));
|
|
|
More results from queries before failure can be found in /git/10.5/mysql-test/var/31/log/having_cond_pushdown.log
|
|
|
|
|
Server [mysqld.1 - pid: 19135, winpid: 19135, exit: 256] failed during test run
|
Server log from this test:
|
----------SERVER LOG START-----------
|
=================================================================
|
==19140==ERROR: AddressSanitizer: use-after-poison on address 0x62b000039638 at pc 0x563b1816b31b bp 0x7f77b3d12d70 sp 0x7f77b3d12d68
|
WRITE of size 8 at 0x62b000039638 thread T5
|
#0 0x563b1816b31a in Item_change_list::rollback_item_tree_changes() /git/10.5/sql/sql_class.cc:2921
|
#1 0x563b182f3cbc in Prepared_statement::cleanup_stmt() /git/10.5/sql/sql_prepare.cc:4090
|
#2 0x563b182fb21e in Prepared_statement::execute(String*, bool) /git/10.5/sql/sql_prepare.cc:5024
|
#3 0x563b182f656b in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /git/10.5/sql/sql_prepare.cc:4460
|
#4 0x563b182efc4c in mysql_stmt_execute_common /git/10.5/sql/sql_prepare.cc:3448
|
#5 0x563b182eeeb3 in mysqld_stmt_execute(THD*, char*, unsigned int) /git/10.5/sql/sql_prepare.cc:3229
|
#6 0x563b1827f28b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /git/10.5/sql/sql_parse.cc:1796
|
#7 0x563b1827c309 in do_command(THD*) /git/10.5/sql/sql_parse.cc:1353
|
#8 0x563b186a99d9 in do_handle_one_connection(CONNECT*, bool) /git/10.5/sql/sql_connect.cc:1410
|
#9 0x563b186a9336 in handle_one_connection /git/10.5/sql/sql_connect.cc:1312
|
#10 0x563b1936b48d in pfs_spawn_thread /git/10.5/storage/perfschema/pfs.cc:2201
|
#11 0x7f77bd193fa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
|
#12 0x7f77bc79a4ce in clone (/lib/x86_64-linux-gnu/libc.so.6+0xf94ce)
|
|
|
0x62b000039638 is located 5176 bytes inside of 24740-byte region [0x62b000038200,0x62b00003e2a4)
|
allocated by thread T5 here:
|
#0 0x7f77bd296330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
|
#1 0x563b19fc4ec3 in sf_malloc /git/10.5/mysys/safemalloc.c:118
|
#2 0x563b19f93a8b in my_malloc /git/10.5/mysys/my_malloc.c:88
|
#3 0x563b19f6fdc6 in reset_root_defaults /git/10.5/mysys/my_alloc.c:148
|
#4 0x563b1815f60e in THD::init_for_queries() /git/10.5/sql/sql_class.cc:1409
|
#5 0x563b186a8ca1 in prepare_new_connection_state(THD*) /git/10.5/sql/sql_connect.cc:1240
|
#6 0x563b186a93b1 in thd_prepare_connection(THD*) /git/10.5/sql/sql_connect.cc:1333
|
#7 0x563b186a9904 in do_handle_one_connection(CONNECT*, bool) /git/10.5/sql/sql_connect.cc:1400
|
#8 0x563b186a9336 in handle_one_connection /git/10.5/sql/sql_connect.cc:1312
|
#9 0x563b1936b48d in pfs_spawn_thread /git/10.5/storage/perfschema/pfs.cc:2201
|
#10 0x7f77bd193fa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
|
|
|
Thread T5 created by T0 here:
|
#0 0x7f77bd1fddb0 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
|
#1 0x563b19366384 in my_thread_create /git/10.5/storage/perfschema/my_thread.h:38
|
#2 0x563b1936b87c in pfs_spawn_thread_v1 /git/10.5/storage/perfschema/pfs.cc:2252
|
#3 0x563b17f84f94 in inline_mysql_thread_create /git/10.5/include/mysql/psi/mysql_thread.h:1323
|
#4 0x563b17f9a6a8 in create_thread_to_handle_connection(CONNECT*) /git/10.5/sql/mysqld.cc:6022
|
#5 0x563b17f9ad16 in create_new_thread(CONNECT*) /git/10.5/sql/mysqld.cc:6081
|
#6 0x563b17f9b07a in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /git/10.5/sql/mysqld.cc:6146
|
#7 0x563b17f9bcb9 in handle_connections_sockets() /git/10.5/sql/mysqld.cc:6273
|
#8 0x563b17f99f0f in mysqld_main(int, char**) /git/10.5/sql/mysqld.cc:5668
|
#9 0x563b17f83774 in main /git/10.5/sql/main.cc:25
|
#10 0x7f77bc6c509a in __libc_start_main ../csu/libc-start.c:308
|
|
Execution in PS mode of the original query listed in the bug report
SELECT STRAIGHT_JOIN 1 FROM (t1 JOIN t2 ON (t1.v1 = t2.v1)) WHERE (3, 6) IN (SELECT tC.pk, t3.i1 FROM (t3 JOIN t1 AS tC ON (tC.v1 = t3.v1)) HAVING tC.pk > 1 ) |
results in ASAN error report regardless whether the query was run using the statement
EXECUTE IMMEDIATE or as a pair of statements PREPARE FROM / EXECUTE
On executing the prepared statement, constant expressions in WHERE, HAVING, ON clauses
is cached by invoking the method JOIN::cache_const_exprs(). This method compiles items
corresponding to constant condition expressions. On compilation of Item_cond the method
THD::change_item_tree is invoked to substitute old item by a new one if requested
st_select_lex::optimize_unflattened_subqueries
|
JOIN::optimize
|
JOIN::optimize_inner <== at line ~1792
|
JOIN::cache_const_exprs
|
Item_cond::compile
|
THD::change_item_tree
|
Item_change_list::nocheck_register_item_tree_change
|
Reference to the substituted item is stored as pointer to a pointer into the class
Item_change_list. Later the method JOIN::optimize_inner invokes
Item_cond::remove_eq_conds that iterates along an arguments list, calls
item->remove_eq_conds() for every argument and remove the item in case
item->remove_eq_conds() returns nullptr. For every instance of Item class that is removed the operator delete of the class Sql_alloc is called. Implementation of the method Sql_alloc::operator delete(void *, size)
calls the macros TRASH_FREE(ptr, size) that fills the deallocated memory region with
the pattern 0x8F and calls the macros MEM_NOACCESS, that for the case when MariaDB
server built with ASAN, results in invocation of the macros ASAN_POISON_MEMORY_REGION (that is translated to the function __asan_poison_memory_region) to mark the deallocated memory as unaddressable.
st_select_lex::optimize_unflattened_subqueries
|
JOIN::optimize (sql_select.cc:1127)
|
JOIN::optimize_inner <== at line ~2078
|
Item_cond::remove_eq_conds (sql_select.cc:15800)
|
List_iterator<Item>::remove (sql_list.h:585)
|
base_list_iterator::remove (sql_list.h:511)
|
base_list::remove (sql_list.h:263)
|
Sql_alloc::operator delete (sql_list.h:46)
|
On the other hand, the pointer to a deallocated item still does exist in Item_change_list
and later when the statement
EXECUTE stmt; |
is run the second time the method Prepared_statement::cleanup_stmt() is called that invokes
the thd->rollback_item_tree_changes() and for every Item stored in the internal list
the statement
*change->place= change->old_value;
|
is executed including the item that has just been deallocated that leads to crash.
So, the main question here is who should remove a reference on the deallocated Item
from the Item_change_list.
It looks like this can fix the problem:
diff --git a/sql/item.h b/sql/item.h
|
index a6de33c0c3a..9b7551e8399 100644
|
--- a/sql/item.h
|
+++ b/sql/item.h
|
@@ -6904,6 +6904,7 @@ class Item_cache: public Item_fixed_hybrid,
|
{
|
clear();
|
Item_fixed_hybrid::cleanup();
|
+ example= 0;
|
}
|
/**
|
Check if saved item has a non-NULL value.
|
Also with sp:
call sp();10.2 945c748adc5475e59e5d224
#0 0x55ad3bf6f69c in Item_change_list::rollback_item_tree_changes() /10.2/sql/sql_class.cc:2597#1 0x55ad3c972ce1 in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) /10.2/sql/sp_head.cc:3063#2 0x55ad3c9734d8 in sp_instr_stmt::execute(THD*, unsigned int*) /10.2/sql/sp_head.cc:3162#3 0x55ad3c968e79 in sp_head::execute(THD*, bool) /10.2/sql/sp_head.cc:1327#4 0x55ad3c96ccd0 in sp_head::execute_procedure(THD*, List<Item>*) /10.2/sql/sp_head.cc:2116#5 0x55ad3c014458 in do_execute_sp /10.2/sql/sql_parse.cc:2918#6 0x55ad3c02620d in mysql_execute_command(THD*) /10.2/sql/sql_parse.cc:5831#7 0x55ad3c0334f0 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.2/sql/sql_parse.cc:8018#8 0x55ad3c00e9dc in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.2/sql/sql_parse.cc:1829#9 0x55ad3c00bb0b in do_command(THD*) /10.2/sql/sql_parse.cc:1379#10 0x55ad3c333ff6 in do_handle_one_connection(CONNECT*) /10.2/sql/sql_connect.cc:1336#11 0x55ad3c3339fe in handle_one_connection /10.2/sql/sql_connect.cc:1242#12 0x55ad3d4e2dbd in pfs_spawn_thread /10.2/storage/perfschema/pfs.cc:1862#13 0x7f20a44bf6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)#14 0x7f20a395441c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)