Details
-
Bug
-
Status: Closed (View Workflow)
-
Critical
-
Resolution: Fixed
-
10.3(EOL), 10.4(EOL)
Description
SIGSEGV / ASAN unknown-crash in row_sel_field_store_in_mysql_format_func or create_tmp_table or my_timestamp_from_binary or Field::cmp_binary or calc_row_difference upon action on system-versioned table with SIMULTANEOUS_ASSIGNMENT.
|
With MyISAM or Aria |
CREATE TABLE t1 (a INT, s TIMESTAMP(6) AS ROW START, e TIMESTAMP(6) AS ROW END, PERIOD FOR SYSTEM_TIME(s,e)) ENGINE=MyISAM WITH SYSTEM VERSIONING; |
REPLACE INTO t1 () VALUES (),(); |
SET SQL_MODE= CONCAT(@@sql_mode,',SIMULTANEOUS_ASSIGNMENT'); |
UPDATE IGNORE t1 SET e = 1; |
ALTER TABLE t1 FORCE; |
|
|
# Cleanup
|
DROP TABLE t1; |
|
10.3 ASAN 765ae6e8 |
==31680==ERROR: AddressSanitizer: unknown-crash on address 0x61900009e7b7 at pc 0x55b4ad0ff184 bp 0x7f6245a018a0 sp 0x7f6245a01898
|
READ of size 1 at 0x61900009e7b7 thread T5
|
#0 0x55b4ad0ff183 in my_timestamp_from_binary(timeval*, unsigned char const*, unsigned int) /data/src/10.3/sql/compat56.cc:394
|
#1 0x55b4ad144336 in Field_timestampf::get_timestamp(unsigned char const*, unsigned long*) const /data/src/10.3/sql/field.cc:5574
|
#2 0x55b4ad18ecd6 in Field_timestamp::get_timestamp(unsigned long*) const /data/src/10.3/sql/field.h:2678
|
#3 0x55b4ad14068c in Field_timestamp::get_date(st_mysql_time*, unsigned long long) /data/src/10.3/sql/field.cc:5307
|
#4 0x55b4ad13f85f in Field_timestamp::val_str(String*, String*) /data/src/10.3/sql/field.cc:5232
|
#5 0x55b4ac8463ed in Field::val_str(String*) /data/src/10.3/sql/field.h:840
|
#6 0x55b4ad18a023 in Field::val_str(String*, unsigned char const*) /data/src/10.3/sql/field.h:1328
|
#7 0x55b4ad183d7b in Column_definition::Column_definition(THD*, Field*, Field*) /data/src/10.3/sql/field.cc:11018
|
#8 0x55b4aca29c43 in Create_field::Create_field(THD*, Field*, Field*) /data/src/10.3/sql/field.h:4754
|
#9 0x55b4accbe91c in mysql_prepare_alter_table(THD*, TABLE*, HA_CREATE_INFO*, Alter_info*, Alter_table_ctx*) /data/src/10.3/sql/sql_table.cc:8023
|
#10 0x55b4accc73bc in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.3/sql/sql_table.cc:9440
|
#11 0x55b4ace1441d in Sql_cmd_alter_table::execute(THD*) /data/src/10.3/sql/sql_alter.cc:494
|
#12 0x55b4acaaf84e in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:6285
|
#13 0x55b4acaba6dd in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8091
|
#14 0x55b4aca94805 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1857
|
#15 0x55b4aca9185b in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1403
|
#16 0x55b4ace054cf in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
|
#17 0x55b4ace04edb in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
|
#18 0x55b4ad731269 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
|
#19 0x7f6252414493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
|
#20 0x7f62503dc93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
|
|
|
0x61900009e7b7 is located 55 bytes inside of 992-byte region [0x61900009e780,0x61900009eb60)
|
allocated by thread T5 here:
|
#0 0x7f625267e73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
|
#1 0x55b4ae2c0046 in my_malloc /data/src/10.3/mysys/my_malloc.c:101
|
#2 0x55b4ae29f89e in alloc_root /data/src/10.3/mysys/my_alloc.c:250
|
#3 0x55b4ae2a1410 in memdup_root /data/src/10.3/mysys/my_alloc.c:491
|
#4 0x55b4acd37568 in TABLE_SHARE::init_from_binary_frm_image(THD*, bool, unsigned char const*, unsigned long) /data/src/10.3/sql/table.cc:1273
|
#5 0x55b4acd32d15 in open_table_def(THD*, TABLE_SHARE*, unsigned int) /data/src/10.3/sql/table.cc:677
|
#6 0x55b4acfb7578 in tdc_acquire_share(THD*, TABLE_LIST*, unsigned int, TABLE**) /data/src/10.3/sql/table_cache.cc:840
|
#7 0x55b4ac946ea2 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.3/sql/sql_base.cc:1831
|
#8 0x55b4ac94f2a8 in open_and_process_table /data/src/10.3/sql/sql_base.cc:3619
|
#9 0x55b4ac951c8a in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:4144
|
#10 0x55b4ac9564a3 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:5019
|
#11 0x55b4ac8c74d6 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.3/sql/sql_base.h:502
|
#12 0x55b4aca07e2d in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.3/sql/sql_insert.cc:760
|
#13 0x55b4acaa48e9 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4730
|
#14 0x55b4acaba6dd in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8091
|
#15 0x55b4aca94805 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1857
|
#16 0x55b4aca9185b in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1403
|
#17 0x55b4ace054cf in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
|
#18 0x55b4ace04edb in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
|
#19 0x55b4ad731269 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
|
#20 0x7f6252414493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
|
|
|
Thread T5 created by T0 here:
|
#0 0x7f625264dbba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
|
#1 0x55b4ad731831 in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1912
|
#2 0x55b4ac7fcf48 in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1268
|
#3 0x55b4ac812801 in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6589
|
#4 0x55b4ac812f06 in create_new_thread /data/src/10.3/sql/mysqld.cc:6659
|
#5 0x55b4ac813f1d in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6934
|
#6 0x55b4ac811cbe in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6211
|
#7 0x55b4ac7fafcf in main /data/src/10.3/sql/main.cc:25
|
#8 0x7f62503142b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
|
|
|
SUMMARY: AddressSanitizer: unknown-crash /data/src/10.3/sql/compat56.cc:394 my_timestamp_from_binary(timeval*, unsigned char const*, unsigned int)
|
Shadow bytes around the buggy address:
|
0x0c328000bca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c328000bcb0: 00 00 00 00 00 00 00 00 00 04 00 00 f7 f7 f7 f7
|
0x0c328000bcc0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 fa fa fa fa
|
0x0c328000bcd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c328000bce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
=>0x0c328000bcf0: 00 00 00 00 00 00[01]02 00 00 03 01 00 00 00 00
|
0x0c328000bd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c328000bd10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c328000bd20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c328000bd30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c328000bd40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Heap right redzone: fb
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack partial redzone: f4
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Contiguous container OOB:fc
|
ASan internal: fe
|
==31680==ABORTING
|
|
With InnoDB |
--source include/have_innodb.inc
|
|
|
CREATE TABLE t1 (a INT, s TIMESTAMP(6) AS ROW START, e TIMESTAMP(6) AS ROW END, PERIOD FOR SYSTEM_TIME(s,e)) ENGINE=InnoDB WITH SYSTEM VERSIONING; |
REPLACE INTO t1 () VALUES (),(); |
SET SQL_MODE= CONCAT(@@sql_mode,',SIMULTANEOUS_ASSIGNMENT'); |
UPDATE IGNORE t1 SET e = 1; |
ALTER TABLE t1 FORCE; |
|
|
# Cleanup
|
DROP TABLE t1; |
|
10.3 ASAN 765ae6e8 |
==31919==ERROR: AddressSanitizer: SEGV on unknown address 0x61910010b8b4 (pc 0x7f3cc9c53a20 sp 0x7f3caf85de08 bp 0x7f3caf85de50 T27)
|
#0 0x7f3cc9c53a1f (/lib/x86_64-linux-gnu/libc.so.6+0x144a1f)
|
#1 0x7f3ccbe7f23e in memcmp (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x3a23e)
|
#2 0x55dac54f2eab in calc_row_difference /data/src/10.3/storage/innobase/handler/ha_innodb.cc:8491
|
#3 0x55dac54f4ff7 in ha_innobase::update_row(unsigned char const*, unsigned char const*) /data/src/10.3/storage/innobase/handler/ha_innodb.cc:8838
|
#4 0x55dac4f56533 in handler::ha_update_row(unsigned char const*, unsigned char const*) /data/src/10.3/sql/handler.cc:6351
|
#5 0x55dac4a8168e in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*) /data/src/10.3/sql/sql_update.cc:946
|
#6 0x55dac4819d61 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4584
|
#7 0x55dac48306dd in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8091
|
#8 0x55dac480a805 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1857
|
#9 0x55dac480785b in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1403
|
#10 0x55dac4b7b4cf in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
|
#11 0x55dac4b7aedb in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
|
#12 0x55dac54a7269 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
|
#13 0x7f3ccbc2f493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
|
#14 0x7f3cc9bf793e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
|
|
|
AddressSanitizer can not provide additional info.
|
SUMMARY: AddressSanitizer: SEGV ??:0 ??
|
Thread T27 created by T0 here:
|
#0 0x7f3ccbe68bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
|
#1 0x55dac54a7831 in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1912
|
#2 0x55dac4572f48 in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1268
|
#3 0x55dac4588801 in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6589
|
#4 0x55dac4588f06 in create_new_thread /data/src/10.3/sql/mysqld.cc:6659
|
#5 0x55dac4589f1d in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6934
|
#6 0x55dac4587cbe in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6211
|
#7 0x55dac4570fcf in main /data/src/10.3/sql/main.cc:25
|
#8 0x7f3cc9b2f2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
|
|
Another one with InnoDB, DOUBLE instead of INT, different stack trace |
--source include/have_innodb.inc
|
|
|
CREATE TABLE t1 (a DOUBLE, s TIMESTAMP(6) AS ROW START, e TIMESTAMP(6) AS ROW END, PERIOD FOR SYSTEM_TIME(s,e)) ENGINE=InnoDB WITH SYSTEM VERSIONING; |
REPLACE INTO t1 () VALUES (),(); |
SET SQL_MODE= CONCAT(@@sql_mode,',SIMULTANEOUS_ASSIGNMENT'); |
UPDATE IGNORE t1 SET e = 1; |
ALTER TABLE t1 FORCE; |
|
|
# Cleanup
|
DROP TABLE t1; |
|
10.3 ASAN 765ae6e8 |
==32361==ERROR: AddressSanitizer: unknown-crash on address 0x6190000fbea0 at pc 0x560a21e0e168 bp 0x7f0fc34f2420 sp 0x7f0fc34f2418
|
READ of size 7 at 0x6190000fbea0 thread T27
|
#0 0x560a21e0e167 in Field::cmp_binary(unsigned char const*, unsigned char const*, unsigned int) /data/src/10.3/sql/field.h:1083
|
#1 0x560a21e0e347 in Field::cmp_binary_offset(unsigned int) /data/src/10.3/sql/field.h:1087
|
#2 0x560a2198aeb5 in compare_record(TABLE const*) /data/src/10.3/sql/sql_update.cc:92
|
#3 0x560a219903e3 in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*) /data/src/10.3/sql/sql_update.cc:888
|
#4 0x560a21728d61 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4584
|
#5 0x560a2173f6dd in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8091
|
#6 0x560a21719805 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1857
|
#7 0x560a2171685b in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1403
|
#8 0x560a21a8a4cf in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
|
#9 0x560a21a89edb in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
|
#10 0x560a223b6269 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
|
#11 0x7f0fdf8c3493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
|
#12 0x7f0fdd88b93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
|
|
|
0x6190000fbea0 is located 32 bytes inside of 992-byte region [0x6190000fbe80,0x6190000fc260)
|
allocated by thread T27 here:
|
#0 0x7f0fdfb2d73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
|
#1 0x560a22f45046 in my_malloc /data/src/10.3/mysys/my_malloc.c:101
|
#2 0x560a22f2489e in alloc_root /data/src/10.3/mysys/my_alloc.c:250
|
#3 0x560a22f2629a in strmake_root /data/src/10.3/mysys/my_alloc.c:479
|
#4 0x560a219ccaa0 in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /data/src/10.3/sql/table.cc:3173
|
#5 0x560a215cc98e in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.3/sql/sql_base.cc:1975
|
#6 0x560a215d42a8 in open_and_process_table /data/src/10.3/sql/sql_base.cc:3619
|
#7 0x560a215d6c8a in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:4144
|
#8 0x560a215db4a3 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:5019
|
#9 0x560a2154c4d6 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.3/sql/sql_base.h:502
|
#10 0x560a2168ce2d in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.3/sql/sql_insert.cc:760
|
#11 0x560a217298e9 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4730
|
#12 0x560a2173f6dd in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8091
|
#13 0x560a21719805 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1857
|
#14 0x560a2171685b in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1403
|
#15 0x560a21a8a4cf in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
|
#16 0x560a21a89edb in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
|
#17 0x560a223b6269 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
|
#18 0x7f0fdf8c3493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
|
|
|
Thread T27 created by T0 here:
|
#0 0x7f0fdfafcbba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
|
#1 0x560a223b6831 in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1912
|
#2 0x560a21481f48 in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1268
|
#3 0x560a21497801 in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6589
|
#4 0x560a21497f06 in create_new_thread /data/src/10.3/sql/mysqld.cc:6659
|
#5 0x560a21498f1d in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6934
|
#6 0x560a21496cbe in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6211
|
#7 0x560a2147ffcf in main /data/src/10.3/sql/main.cc:25
|
#8 0x7f0fdd7c32b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
|
|
|
SUMMARY: AddressSanitizer: unknown-crash /data/src/10.3/sql/field.h:1083 Field::cmp_binary(unsigned char const*, unsigned char const*, unsigned int)
|
Shadow bytes around the buggy address:
|
0x0c3280017780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c3280017790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c32800177a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c32800177b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c32800177c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
=>0x0c32800177d0: 00 00 00 00[03]00 00 07 00 00 07 00 00 07 00 00
|
0x0c32800177e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c32800177f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c3280017800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c3280017810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c3280017820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Heap right redzone: fb
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack partial redzone: f4
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Contiguous container OOB:fc
|
ASan internal: fe
|
==32361==ABORTING
|
InnoDB variations also crash on debug and release:
|
10.3 debug 765ae6e8 |
Thread 1 (Thread 0x7fae4c58c700 (LWP 32502)):
|
#0 __pthread_kill (threadid=<optimized out>, signo=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
|
#1 0x00005613e2b0127b in my_write_core (sig=11) at /data/src/10.3/mysys/stacktrace.c:481
|
#2 0x00005613e235bca0 in handle_fatal_signal (sig=11) at /data/src/10.3/sql/signal_handler.cc:305
|
#3 <signal handler called>
|
#4 0x00007fae5cee1a20 in __memcmp_sse4_1 () from /lib/x86_64-linux-gnu/libc.so.6
|
#5 0x00005613e25bd66f in calc_row_difference (uvect=0x7fae000a87b0, old_row=0x7fae0000cba8 "\377", new_row=0x7fae0000cb90 "\377", table=0x7fae000a6770, upd_buff=0x7fae000ab340 '\245' <repeats 120 times>, "h4z\025", '\217' <repeats 12 times>, "\025\001", buff_len=119, prebuilt=0x7fae000a7b58, auto_inc=@0x7fae4c589ea8: 0) at /data/src/10.3/storage/innobase/handler/ha_innodb.cc:8491
|
#6 0x00005613e25be613 in ha_innobase::update_row (this=0x7fae000a73b8, old_row=0x7fae0000cba8 "\377", new_row=0x7fae0000cb90 "\377") at /data/src/10.3/storage/innobase/handler/ha_innodb.cc:8838
|
#7 0x00005613e236cd57 in handler::ha_update_row (this=0x7fae000a73b8, old_data=0x7fae0000cba8 "\377", new_data=0x7fae0000cb90 "\377") at /data/src/10.3/sql/handler.cc:6351
|
#8 0x00005613e215e23c in mysql_update (thd=0x7fae00000b00, table_list=0x7fae00014dd0, fields=..., values=..., conds=0x0, order_num=0, order=0x0, limit=18446744073709551615, ignore=true, found_return=0x7fae4c58a700, updated_return=0x7fae4c58a7c0) at /data/src/10.3/sql/sql_update.cc:946
|
#9 0x00005613e2065480 in mysql_execute_command (thd=0x7fae00000b00) at /data/src/10.3/sql/sql_parse.cc:4584
|
#10 0x00005613e207084b in mysql_parse (thd=0x7fae00000b00, rawbuf=0x7fae00014ce8 "UPDATE IGNORE t1 SET e = 1", length=26, parser_state=0x7fae4c58b5f0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:8091
|
#11 0x00005613e205db1a in dispatch_command (command=COM_QUERY, thd=0x7fae00000b00, packet=0x7fae001624e1 "UPDATE IGNORE t1 SET e = 1", packet_length=26, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1857
|
#12 0x00005613e205c504 in do_command (thd=0x7fae00000b00) at /data/src/10.3/sql/sql_parse.cc:1403
|
#13 0x00005613e21c515b in do_handle_one_connection (connect=0x5613e64cdfd0) at /data/src/10.3/sql/sql_connect.cc:1402
|
#14 0x00005613e21c4edf in handle_one_connection (arg=0x5613e64cdfd0) at /data/src/10.3/sql/sql_connect.cc:1308
|
#15 0x00005613e259c04d in pfs_spawn_thread (arg=0x5613e64d66c0) at /data/src/10.3/storage/perfschema/pfs.cc:1862
|
#16 0x00007fae5eebd494 in start_thread (arg=0x7fae4c58c700) at pthread_create.c:333
|
#17 0x00007fae5ce8593f in clone () from /lib/x86_64-linux-gnu/libc.so.6
|
MyISAM version doesn't crash without ASAN for me, but on a debug build ALTER produces a strange failure:
mysqltest: At line 5: query 'ALTER TABLE t1 FORCE' failed: 1292: Incorrect datetime value: '2046-04-28 20:44:47.486223' for column ``.``.`e` at row 1 |
Attachments
Issue Links
- duplicates
-
-
- Closed
-
- is caused by
-
-
- Closed
-
- is duplicated by
-
-
- Closed
-
-
-
- Closed
-
- relates to
-
-
- Closed
-
-
-
- Closed
-
-
MDEV-19597 Refactor TABLE::vers_update_fields() via stored virtual columns
-
- Stalled
-
-
-
- Closed
-
-
-
- Closed
-
(4 relates to)
Activity
More variations:
CREATE TABLE t1 (f INT, s TIMESTAMP(6) AS ROW START, e TIMESTAMP(6) AS ROW END, PERIOD FOR SYSTEM_TIME(s,e)) WITH SYSTEM VERSIONING; |
CREATE TABLE t2 (f INT); |
CREATE OR REPLACE ALGORITHM=MERGE VIEW v AS SELECT * FROM t1 NATURAL JOIN t2; |
|
|
SET SQL_MODE= CONCAT(@@sql_mode,',SIMULTANEOUS_ASSIGNMENT'); |
INSERT INTO t1 (f) VALUES (0),(1); |
|
|
--error ER_WARNING_NON_DEFAULT_VALUE_FOR_GENERATED_COLUMN
|
UPDATE t1 SET e = 5; |
|
|
--error ER_VIEW_DELETE_MERGE_VIEW
|
DELETE FROM v; |
|
|
# Cleanup
|
DROP VIEW v; |
DROP TABLE t1, t2; |
|
10.3 ASAN 765ae6e8 |
==29087==ERROR: AddressSanitizer: unknown-crash on address 0x61900009ddb4 at pc 0x557625f69b37 bp 0x7f5cb89cd700 sp 0x7f5cb89cd6f8
|
READ of size 7 at 0x61900009ddb4 thread T5
|
#0 0x557625f69b36 in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool) /data/src/10.3/sql/sql_select.cc:17670
|
#1 0x5576260b12fb in select_unit::create_result_table(THD*, List<Item>*, bool, unsigned long long, st_mysql_const_lex_string const*, bool, bool, bool, unsigned int) /data/src/10.3/sql/sql_union.cc:375
|
#2 0x557625dae2eb in mysql_derived_prepare(THD*, LEX*, TABLE_LIST*) /data/src/10.3/sql/sql_derived.cc:773
|
#3 0x557625dab3ff in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /data/src/10.3/sql/sql_derived.cc:199
|
#4 0x55762612c5ce in TABLE_LIST::handle_derived(LEX*, unsigned int) /data/src/10.3/sql/table.cc:8189
|
#5 0x557625de95c0 in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /data/src/10.3/sql/sql_lex.h:3970
|
#6 0x557626974680 in mysql_delete(THD*, TABLE_LIST*, Item*, SQL_I_List<st_order>*, unsigned long long, unsigned long long, select_result*) /data/src/10.3/sql/sql_delete.cc:339
|
#7 0x557625e6533e in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4927
|
#8 0x557625e796dd in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8091
|
#9 0x557625e53805 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1857
|
#10 0x557625e5085b in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1403
|
#11 0x5576261c44cf in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
|
#12 0x5576261c3edb in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
|
#13 0x557626af0269 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
|
#14 0x7f5cc53de493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
|
#15 0x7f5cc33a693e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
|
|
|
0x61900009ddb4 is located 52 bytes inside of 992-byte region [0x61900009dd80,0x61900009e160)
|
allocated by thread T5 here:
|
#0 0x7f5cc564873f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
|
#1 0x55762767f046 in my_malloc /data/src/10.3/mysys/my_malloc.c:101
|
#2 0x55762765e89e in alloc_root /data/src/10.3/mysys/my_alloc.c:250
|
#3 0x557627660410 in memdup_root /data/src/10.3/mysys/my_alloc.c:491
|
#4 0x5576260f6568 in TABLE_SHARE::init_from_binary_frm_image(THD*, bool, unsigned char const*, unsigned long) /data/src/10.3/sql/table.cc:1273
|
#5 0x5576260f1d15 in open_table_def(THD*, TABLE_SHARE*, unsigned int) /data/src/10.3/sql/table.cc:677
|
#6 0x557626376578 in tdc_acquire_share(THD*, TABLE_LIST*, unsigned int, TABLE**) /data/src/10.3/sql/table_cache.cc:840
|
#7 0x557625d05ea2 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.3/sql/sql_base.cc:1831
|
#8 0x557625d0e2a8 in open_and_process_table /data/src/10.3/sql/sql_base.cc:3619
|
#9 0x557625d10c8a in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:4144
|
#10 0x557625d154a3 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:5019
|
#11 0x557625c864d6 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.3/sql/sql_base.h:502
|
#12 0x5576260de9bd in mysql_create_view(THD*, TABLE_LIST*, enum_view_create_mode) /data/src/10.3/sql/sql_view.cc:450
|
#13 0x557625e6d932 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:6108
|
#14 0x557625e796dd in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8091
|
#15 0x557625e53805 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1857
|
#16 0x557625e5085b in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1403
|
#17 0x5576261c44cf in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
|
#18 0x5576261c3edb in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
|
#19 0x557626af0269 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
|
#20 0x7f5cc53de493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
|
|
|
Thread T5 created by T0 here:
|
#0 0x7f5cc5617bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
|
#1 0x557626af0831 in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1912
|
#2 0x557625bbbf48 in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1268
|
#3 0x557625bd1801 in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6589
|
#4 0x557625bd1f06 in create_new_thread /data/src/10.3/sql/mysqld.cc:6659
|
#5 0x557625bd2f1d in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6934
|
#6 0x557625bd0cbe in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6211
|
#7 0x557625bb9fcf in main /data/src/10.3/sql/main.cc:25
|
#8 0x7f5cc32de2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
|
|
|
SUMMARY: AddressSanitizer: unknown-crash /data/src/10.3/sql/sql_select.cc:17670 create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool)
|
Shadow bytes around the buggy address:
|
0x0c328000bb60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c328000bb70: 00 00 00 00 00 00 00 00 00 04 00 00 f7 f7 f7 f7
|
0x0c328000bb80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 fa fa fa fa
|
0x0c328000bb90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c328000bba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
=>0x0c328000bbb0: 00 00 00 00 00 00[01]02 00 00 03 01 00 00 00 00
|
0x0c328000bbc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c328000bbd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c328000bbe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c328000bbf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c328000bc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Heap right redzone: fb
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack partial redzone: f4
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Contiguous container OOB:fc
|
ASan internal: fe
|
==29087==ABORTING
|
PR commit:
https://github.com/MariaDB/server/pull/1289/commits/2a51b50db41cf09cb9b06f324637c37464635a39
More variations:
--source include/have_innodb.inc--error ER_WARNING_NON_DEFAULT_VALUE_FOR_GENERATED_COLUMN# Cleanup10.3 765ae6e8
#3 <signal handler called>#4 0x00007fa34eaffdc5 in __memmove_sse2_unaligned_erms () from /lib/x86_64-linux-gnu/libc.so.6#5 0x00005563ed07266e in row_sel_field_store_in_mysql_format_func (dest=0x7fa3f000ec8d <error: Cannot access memory at address 0x7fa3f000ec8d>, templ=0x7fa2f0038010, index=0x7fa2f0072568, field_no=4, data=0x7fa33c4e4091 "\\\275\356\315\005X\245\177\377\377\377\017B?\001", len=7) at /data/src/10.3/storage/innobase/row/row0sel.cc:2907#6 0x00005563ed072ce3 in row_sel_store_mysql_field (mysql_rec=0x7fa2f000eca0 "\377", prebuilt=0x7fa2f00a6d78, rec=0x7fa33c4e407e "", index=0x7fa2f0072568, offsets=0x7fa3495ca160, field_no=4, templ=0x7fa2f0038010) at /data/src/10.3/storage/innobase/row/row0sel.cc:3047#7 0x00005563ed0732ab in row_sel_store_mysql_rec (mysql_rec=0x7fa2f000eca0 "\377", prebuilt=0x7fa2f00a6d78, rec=0x7fa33c4e407e "", vrow=0x0, rec_clust=false, index=0x7fa2f0072568, offsets=0x7fa3495ca160) at /data/src/10.3/storage/innobase/row/row0sel.cc:3184#8 0x00005563ed078f11 in row_search_mvcc (buf=0x7fa2f000eca0 "\377", mode=PAGE_CUR_G, prebuilt=0x7fa2f00a6d78, match_mode=0, direction=0) at /data/src/10.3/storage/innobase/row/row0sel.cc:5466#9 0x00005563ecee55a5 in ha_innobase::index_read (this=0x7fa2f000d408, buf=0x7fa2f000eca0 "\377", key_ptr=0x0, key_len=0, find_flag=HA_READ_AFTER_KEY) at /data/src/10.3/storage/innobase/handler/ha_innodb.cc:9332#10 0x00005563ecee63c8 in ha_innobase::index_first (this=0x7fa2f000d408, buf=0x7fa2f000eca0 "\377") at /data/src/10.3/storage/innobase/handler/ha_innodb.cc:9706#11 0x00005563ecee65d3 in ha_innobase::rnd_next (this=0x7fa2f000d408, buf=0x7fa2f000eca0 "\377") at /data/src/10.3/storage/innobase/handler/ha_innodb.cc:9799#12 0x00005563ecc8924d in handler::ha_rnd_next (this=0x7fa2f000d408, buf=0x7fa2f000eca0 "\377") at /data/src/10.3/sql/handler.cc:2813#13 0x00005563ece0aaf3 in rr_sequential (info=0x7fa3495cad60) at /data/src/10.3/sql/records.cc:481#14 0x00005563ec8ef6ab in READ_RECORD::read_record (this=0x7fa3495cad60) at /data/src/10.3/sql/records.h:73#15 0x00005563ece28438 in mysql_delete (thd=0x7fa2f0000b00, table_list=0x7fa2f0014db0, conds=0x0, order_list=0x7fa2f00053b0, limit=18446744073709551615, options=0, result=0x0) at /data/src/10.3/sql/sql_delete.cc:730#16 0x00005563ec98c79c in mysql_execute_command (thd=0x7fa2f0000b00) at /data/src/10.3/sql/sql_parse.cc:4927#17 0x00005563ec99684b in mysql_parse (thd=0x7fa2f0000b00, rawbuf=0x7fa2f0014ce8 "DELETE FROM t1", length=14, parser_state=0x7fa3495cc5f0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:8091#18 0x00005563ec983b1a in dispatch_command (command=COM_QUERY, thd=0x7fa2f0000b00, packet=0x7fa2f01622c1 "DELETE FROM t1", packet_length=14, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1857#19 0x00005563ec982504 in do_command (thd=0x7fa2f0000b00) at /data/src/10.3/sql/sql_parse.cc:1403#20 0x00005563ecaeb15b in do_handle_one_connection (connect=0x5563efdc43f0) at /data/src/10.3/sql/sql_connect.cc:1402#21 0x00005563ecaeaedf in handle_one_connection (arg=0x5563efdc43f0) at /data/src/10.3/sql/sql_connect.cc:1308#22 0x00005563ecec204d in pfs_spawn_thread (arg=0x5563efdccae0) at /data/src/10.3/storage/perfschema/pfs.cc:1862#23 0x00007fa350b9c494 in start_thread (arg=0x7fa3495cd700) at pthread_create.c:333#24 0x00007fa34eb6493f in clone () from /lib/x86_64-linux-gnu/libc.so.6All of debug, ASAN and release fail.