[MDEV-18624] ASAN heap-use-after-free in mysql_derived_prepare upon attempt to UPDATE view through the 3rd execution of SP - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Cannot Reproduce
Affects Version/s: 10.2(EOL), 10.3(EOL), 10.4(EOL)
Fix Version/s: N/A
Component/s: N/A
Labels:
None

Description

Reproducible on 10.2-10.4 with MyIsam/Innodb

CREATE TABLE t1 ( f1 int, f2 int, f3 int, f4 int);

CREATE TABLE t2 ( f1 int, f2 int, f3 int, f4 int);

CREATE VIEW v1 AS SELECT dt1.* FROM (SELECT t2.* FROM t2) dt1 WHERE dt1.f3 <9;

CREATE VIEW v2 AS SELECT dt1.*

    FROM (SELECT t1.f1, t1.f2, v1.f3, v1.f4  FROM (v1 JOIN t1 on(v1.f2 = t1.f1))) dt1;

CREATE  PROCEDURE sp() UPDATE v2 SET f2 = 211, f4 = 1;

--error ER_NON_UPDATABLE_TABLE

CALL sp;

--error ER_NON_UPDATABLE_TABLE

CALL sp;

 --error ER_NON_UPDATABLE_TABLE

CALL sp;

# Cleanup

DROP PROCEDURE sp;

DROP VIEW v1,v2;

DROP TABLE t1, t2;

10.2 40b4f9c907e58a4b6567
=================================================================
==9915==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000109188 at pc 0x563ce8f9fc3b bp 0x7f4995d34790 sp 0x7f4995d34780
READ of size 8 at 0x625000109188 thread T27
#0 0x563ce8f9fc3a in mysql_derived_prepare(THD, LEX, TABLE_LIST*) /10.2/sql/sql_derived.cc:843
#1 0x563ce8f9c1a3 in mysql_handle_derived(LEX*, unsigned int) /10.2/sql/sql_derived.cc:121
#2 0x563ce9255b57 in mysql_multi_update_prepare(THD*) /10.2/sql/sql_update.cc:1394
#3 0x563ce9015de3 in mysql_execute_command(THD*) /10.2/sql/sql_parse.cc:4316
#4 0x563ce996db3b in sp_instr_stmt::exec_core(THD, unsigned int) /10.2/sql/sp_head.cc:3246
#5 0x563ce996c7be in sp_lex_keeper::reset_lex_and_exec_core(THD, unsigned int, bool, sp_instr*) /10.2/sql/sp_head.cc:3009
#6 0x563ce996d418 in sp_instr_stmt::execute(THD, unsigned int) /10.2/sql/sp_head.cc:3162
#7 0x563ce9962db9 in sp_head::execute(THD*, bool) /10.2/sql/sp_head.cc:1327
#8 0x563ce9966c10 in sp_head::execute_procedure(THD, List<Item>) /10.2/sql/sp_head.cc:2116
#9 0x563ce900e398 in do_execute_sp /10.2/sql/sql_parse.cc:2918
#10 0x563ce902014d in mysql_execute_command(THD*) /10.2/sql/sql_parse.cc:5831
#11 0x563ce902d430 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /10.2/sql/sql_parse.cc:8018
#12 0x563ce900891c in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /10.2/sql/sql_parse.cc:1829
#13 0x563ce9005a4b in do_command(THD*) /10.2/sql/sql_parse.cc:1379
#14 0x563ce932df36 in do_handle_one_connection(CONNECT*) /10.2/sql/sql_connect.cc:1336
#15 0x563ce932d93e in handle_one_connection /10.2/sql/sql_connect.cc:1242
#16 0x563cea4dcf87 in pfs_spawn_thread /10.2/storage/perfschema/pfs.cc:1862
#17 0x7f49ad30e6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#18 0x7f49ac7a341c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

Attachments

Issue Links

relates to

MDEV-16940 Server crashes in unsafe_key_update upon attempt to update view through 2nd execution of SP

Closed

Activity

People

Assignee:: Dmitry Shulga

Reporter:: Alice Sherepa

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2019-02-18 12:06

Updated:: 2022-11-10 13:14

Resolved:: 2022-11-10 13:14