MariaDB Server: MDEV-18624

ASAN heap-use-after-free in mysql_derived_prepare upon attempt to UPDATE view through the 3rd execution of SP


    Details

    • Type: Bug
    • Status: Confirmed
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 10.2, 10.3, 10.4
    • Fix Version/s: 10.2, 10.3, 10.4
    • Component/s: None
    • Labels: None

      Description

      Reproducible on 10.2-10.4 with MyISAM/InnoDB

      CREATE TABLE t1 ( f1 int, f2 int, f3 int, f4 int);
      CREATE TABLE t2 ( f1 int, f2 int, f3 int, f4 int);

      CREATE VIEW v1 AS SELECT dt1.* FROM (SELECT t2.* FROM t2) dt1 WHERE dt1.f3 <9;
      CREATE VIEW v2 AS SELECT dt1.*
          FROM (SELECT t1.f1, t1.f2, v1.f3, v1.f4  FROM (v1 JOIN t1 on(v1.f2 = t1.f1))) dt1;

      CREATE PROCEDURE sp() UPDATE v2 SET f2 = 211, f4 = 1;

      --error ER_NON_UPDATABLE_TABLE
      CALL sp;
      --error ER_NON_UPDATABLE_TABLE
      CALL sp;
      --error ER_NON_UPDATABLE_TABLE
      CALL sp;

      # Cleanup
      DROP PROCEDURE sp;
      DROP VIEW v1,v2;
      DROP TABLE t1, t2;


      10.2 40b4f9c907e58a4b6567

      =================================================================
      ==9915==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000109188 at pc 0x563ce8f9fc3b bp 0x7f4995d34790 sp 0x7f4995d34780
      READ of size 8 at 0x625000109188 thread T27
          #0 0x563ce8f9fc3a in mysql_derived_prepare(THD*, LEX*, TABLE_LIST*) /10.2/sql/sql_derived.cc:843
          #1 0x563ce8f9c1a3 in mysql_handle_derived(LEX*, unsigned int) /10.2/sql/sql_derived.cc:121
          #2 0x563ce9255b57 in mysql_multi_update_prepare(THD*) /10.2/sql/sql_update.cc:1394
          #3 0x563ce9015de3 in mysql_execute_command(THD*) /10.2/sql/sql_parse.cc:4316
          #4 0x563ce996db3b in sp_instr_stmt::exec_core(THD*, unsigned int*) /10.2/sql/sp_head.cc:3246
          #5 0x563ce996c7be in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) /10.2/sql/sp_head.cc:3009
          #6 0x563ce996d418 in sp_instr_stmt::execute(THD*, unsigned int*) /10.2/sql/sp_head.cc:3162
          #7 0x563ce9962db9 in sp_head::execute(THD*, bool) /10.2/sql/sp_head.cc:1327
          #8 0x563ce9966c10 in sp_head::execute_procedure(THD*, List<Item>*) /10.2/sql/sp_head.cc:2116
          #9 0x563ce900e398 in do_execute_sp /10.2/sql/sql_parse.cc:2918
          #10 0x563ce902014d in mysql_execute_command(THD*) /10.2/sql/sql_parse.cc:5831
          #11 0x563ce902d430 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.2/sql/sql_parse.cc:8018
          #12 0x563ce900891c in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.2/sql/sql_parse.cc:1829
          #13 0x563ce9005a4b in do_command(THD*) /10.2/sql/sql_parse.cc:1379
          #14 0x563ce932df36 in do_handle_one_connection(CONNECT*) /10.2/sql/sql_connect.cc:1336
          #15 0x563ce932d93e in handle_one_connection /10.2/sql/sql_connect.cc:1242
          #16 0x563cea4dcf87 in pfs_spawn_thread /10.2/storage/perfschema/pfs.cc:1862
          #17 0x7f49ad30e6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
          #18 0x7f49ac7a341c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
      
      
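As an added illustration (not part of the report or of the MariaDB sources), a small Python triage helper that parses an AddressSanitizer report in the format shown above into its error kind, access and frames, and derives a de-duplication signature from the first frame inside the source tree; the sample input is a constructed, abbreviated copy of the trace above, and the `/10.2/` source root is taken from the frame paths.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: an abbreviated copy of the report in the issue (a few frames kept).
SAMPLE_REPORT = """\
==9915==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000109188 at pc 0x563ce8f9fc3b bp 0x7f4995d34790 sp 0x7f4995d34780
READ of size 8 at 0x625000109188 thread T27
    #0 0x563ce8f9fc3a in mysql_derived_prepare(THD*, LEX*, TABLE_LIST*) /10.2/sql/sql_derived.cc:843
    #1 0x563ce8f9c1a3 in mysql_handle_derived(LEX*, unsigned int) /10.2/sql/sql_derived.cc:121
    #2 0x563ce9255b57 in mysql_multi_update_prepare(THD*) /10.2/sql/sql_update.cc:1394
    #17 0x7f49ad30e6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
"""
HEADER_RE = re.compile(r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+ thread (?P<thread>T\d+)")
# C++ signatures in the function text contain spaces; the location is the final token.
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>.+?) (?P<loc>\S+)$")

# location is file:line for symbolised project code, (library+offset) for system frames
Frame = namedtuple("Frame", "index function location")
@dataclass
class AsanReport:
    pid: int
    kind: str
    address: str
    access: Optional[str] = None
    size: Optional[int] = None
    thread: Optional[str] = None
    frames: List[Frame] = field(default_factory=list)

    def signature(self, source_root: str) -> str:
        # De-dup key: error kind plus function@file:line of the first frame in the project tree
        f = next((fr for fr in self.frames if fr.location.startswith(source_root)), None)
        where = f"{f.function.split('(')[0]}@{f.location}" if f else "unknown"
        return f"{self.kind}:{where}"

def parse_asan_report(text: str) -> AsanReport:
    report: Optional[AsanReport] = None
    for line in text.splitlines():
        if report is None:  # ignore everything before the ERROR header (e.g. the '====' rule)
            if m := HEADER_RE.match(line):
                report = AsanReport(int(m["pid"]), m["kind"], m["addr"])
        elif m := ACCESS_RE.match(line):
            report.access, report.size, report.thread = m["op"], int(m["size"]), m["thread"]
        elif m := FRAME_RE.match(line):
            report.frames.append(Frame(int(m["n"]), m["func"], m["loc"]))
    if report is None:
        raise ValueError("no AddressSanitizer ERROR header found")
    return report
```

Running the same parser over many sanitizer logs and grouping by `signature()` separates distinct bugs from repeated hits of this one, since the address and pid change between runs while kind and first project frame do not.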


              People

              Assignee: Oleksandr Byelkin (sanja)
              Reporter: Alice Sherepa (alice)
