[MDEV-20410] Pure virtual method called in Item_ref::set_properties, SIGSEGV or ASAN heap-use-after-free in create_view_field - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Cannot Reproduce
Affects Version/s: 10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9
Fix Version/s: N/A
Component/s: Locking, Stored routines, Views
Labels:
- ASAN
- memory_not_freed

Description

Unlike MDEV-14557 or MDEV-19178, this one doesn't have an (obvious) invalidation.

CREATE FUNCTION f (i INT) RETURNS INT RETURN 3;

CREATE TABLE t1 (a INT);

CREATE TABLE t2 (b INT);

CREATE VIEW v AS WITH cte AS ( SELECT * FROM t1 ) SELECT * FROM cte;

CREATE PROCEDURE p () SELECT 1 FROM v WHERE f(a) < 9;

LOCK TABLE t2 WRITE;

--error ER_TABLE_NOT_LOCKED

CALL p();

UNLOCK TABLES;

CALL p();

CALL p();

# Cleanup

DROP PROCEDURE p;

DROP FUNCTION f;

DROP VIEW v;

DROP TABLE t1, t2;

10.4 release c5bc0ced
pure virtual method called
terminate called without an active exception
190823 2:36:53 [ERROR] mysqld got signal 6 ;

#5 0x00007fa82534542a in __GI_abort () at abort.c:89
#6 0x00007fa825c5c0ad in __gnu_cxx::__verbose_terminate_handler() () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#7 0x00007fa825c5a066 in ?? () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#8 0x00007fa825c5a0b1 in std::terminate() () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#9 0x00007fa825c5ab8f in __cxa_pure_virtual () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#10 0x0000561392ee1891 in Item_ref::set_properties (this=this@entry=0x7fa8040d4b10) at /data/src/10.4/sql/item.cc:7928
#11 0x0000561392ee1937 in Item_ref::Item_ref (this=0x7fa8040d4b10, thd=<optimized out>, context_arg=<optimized out>, item=0x7fa804035768, table_name_arg=<optimized out>, field_name_arg=<optimized out>, alias_name_used_arg=false) at /data/src/10.4/sql/item.cc:7567
#12 0x0000561392d7bac9 in Item_direct_ref::Item_direct_ref (alias_name_used_arg=false, field_name_arg=0x7fa804035770, table_name_arg=<optimized out>, item=0x7fa804035768, context_arg=0x7fa804036718, thd=0x7fa8040009a8, this=0x7fa8040d4b10) at /data/src/10.4/sql/item.h:5377
#13 Item_direct_view_ref::Item_direct_view_ref (view_arg=0x7fa8040d7710, field_name_arg=0x7fa804035770, table_name_arg=<optimized out>, item=0x7fa804035768, context_arg=0x7fa804036718, thd=0x7fa8040009a8, this=0x7fa8040d4b10) at /data/src/10.4/sql/item.h:5619
#14 create_view_field (thd=thd@entry=0x7fa8040009a8, view=0x7fa8040d7710, field_ref=0x7fa804035768, name=0x7fa804035770) at /data/src/10.4/sql/table.cc:6405
#15 0x0000561392d7bd17 in Field_iterator_view::create_item (this=this@entry=0x7fa81b4f59a0, thd=thd@entry=0x7fa8040009a8) at /data/src/10.4/sql/table.cc:6363
#16 0x0000561392c73b15 in find_field_in_view (length=1, item_name=<optimized out>, register_tree_change=true, ref=0x7fa8040d81b0, name=0x7fa8040d7de8 "a", table_list=0x7fa8040d7710, thd=0x7fa8040009a8) at /data/src/10.4/sql/sql_base.cc:5779
#17 find_field_in_table_ref (thd=thd@entry=0x7fa8040009a8, table_list=table_list@entry=0x7fa8040d7710, name=name@entry=0x7fa8040d7de8 "a", length=length@entry=1, item_name=<optimized out>, db_name=<optimized out>, db_name@entry=0x0, table_name=0x0, ref=0x7fa8040d81b0, check_privileges=true, allow_rowid=true, cached_field_index_ptr=0x7fa8040d7ec4, register_tree_change=true, actual_table=0x7fa81b4f5ac8) at /data/src/10.4/sql/sql_base.cc:6118
#18 0x0000561392c74323 in find_field_in_tables (thd=thd@entry=0x7fa8040009a8, item=item@entry=0x7fa8040d7df0, first_table=0x7fa8040d7710, last_table=0x0, ref=ref@entry=0x7fa8040d81b0, report_error=IGNORE_EXCEPT_NON_UNIQUE, check_privileges=true, register_tree_change=true) at /data/src/10.4/sql/sql_base.cc:6356
#19 0x0000561392ee2c00 in Item_field::fix_fields (this=0x7fa8040d7df0, thd=0x7fa8040009a8, reference=0x7fa8040d81b0) at /data/src/10.4/sql/item.cc:5718
#20 0x0000561392f1bae3 in Item::fix_fields_if_needed (ref=0x7fa8040d81b0, thd=0x7fa8040009a8, this=0x7fa8040d7df0) at /data/src/10.4/sql/item.h:956
#21 Item_func::fix_fields (this=0x7fa8040d8120, thd=0x7fa8040009a8, ref=<optimized out>) at /data/src/10.4/sql/item_func.cc:351
#22 0x0000561392f26752 in Item_func_sp::fix_fields (this=0x7fa8040d8120, thd=0x7fa8040009a8, ref=0x7fa8040da4d8) at /data/src/10.4/sql/item_func.cc:6397
#23 0x0000561392f1bae3 in Item::fix_fields_if_needed (ref=0x7fa8040da4d8, thd=0x7fa8040009a8, this=0x7fa8040d8120) at /data/src/10.4/sql/item.h:956
#24 Item_func::fix_fields (this=0x7fa8040da448, thd=0x7fa8040009a8, ref=<optimized out>) at /data/src/10.4/sql/item_func.cc:351
#25 0x0000561392c7696f in Item::fix_fields_if_needed (ref=0x7fa8040d48b8, thd=0x7fa8040009a8, this=0x7fa8040da448) at /data/src/10.4/sql/item.h:956
#26 Item::fix_fields_if_needed_for_scalar (ref=0x7fa8040d48b8, thd=0x7fa8040009a8, this=0x7fa8040da448) at /data/src/10.4/sql/item.h:960
#27 Item::fix_fields_if_needed_for_bool (ref=0x7fa8040d48b8, thd=0x7fa8040009a8, this=0x7fa8040da448) at /data/src/10.4/sql/item.h:964
#28 setup_conds (thd=thd@entry=0x7fa8040009a8, tables=tables@entry=0x7fa8040d7710, leaves=..., conds=conds@entry=0x7fa8040d48b8) at /data/src/10.4/sql/sql_base.cc:8372
#29 0x0000561392d12b23 in setup_without_group (reserved=0x7fa8040d74c4, hidden_group_fields=0x7fa8040d4797, win_funcs=..., win_specs=..., group=0x0, order=0x0, conds=0x7fa8040d48b8, all_fields=..., fields=..., leaves=..., tables=0x7fa8040d7710, ref_pointer_array=..., thd=0x7fa8040009a8) at /data/src/10.4/sql/sql_select.cc:689
#30 JOIN::prepare (this=this@entry=0x7fa8040d44b0, tables_init=tables_init@entry=0x7fa8040d7710, wild_num=wild_num@entry=0, conds_init=conds_init@entry=0x7fa8040da448, og_num=og_num@entry=0, order_init=order_init@entry=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7fa8040d71c0, unit_arg=0x7fa8040d89f8) at /data/src/10.4/sql/sql_select.cc:1231
#31 0x0000561392d21df2 in mysql_select (thd=thd@entry=0x7fa8040009a8, tables=0x7fa8040d7710, wild_num=0, fields=..., conds=0x7fa8040da448, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147749632, result=0x7fa8040d4488, unit=0x7fa8040d89f8, select_lex=0x7fa8040d71c0) at /data/src/10.4/sql/sql_select.cc:4596
#32 0x0000561392d21f4e in handle_select (thd=thd@entry=0x7fa8040009a8, lex=lex@entry=0x7fa8040d8930, result=result@entry=0x7fa8040d4488, setup_tables_done_option=setup_tables_done_option@entry=0) at /data/src/10.4/sql/sql_select.cc:425
#33 0x0000561392be4bb2 in execute_sqlcom_select (thd=thd@entry=0x7fa8040009a8, all_tables=0x7fa8040d7710) at /data/src/10.4/sql/sql_parse.cc:6356
#34 0x0000561392ccbc70 in mysql_execute_command (thd=thd@entry=0x7fa8040009a8) at /data/src/10.4/sql/sql_parse.cc:3898
#35 0x0000561392c3ec33 in sp_instr_stmt::exec_core (this=0x7fa8040d8360, thd=0x7fa8040009a8, nextp=0x7fa81b4f9cc4) at /data/src/10.4/sql/sp_head.cc:3607
#36 0x0000561392c451c8 in sp_lex_keeper::reset_lex_and_exec_core (this=this@entry=0x7fa8040d83a8, thd=thd@entry=0x7fa8040009a8, nextp=nextp@entry=0x7fa81b4f9cc4, open_tables=open_tables@entry=false, instr=instr@entry=0x7fa8040d8360) at /data/src/10.4/sql/sp_head.cc:3335
#37 0x0000561392c45be4 in sp_instr_stmt::execute (this=0x7fa8040d8360, thd=0x7fa8040009a8, nextp=0x7fa81b4f9cc4) at /data/src/10.4/sql/sp_head.cc:3513
#38 0x0000561392c413e2 in sp_head::execute (this=this@entry=0x7fa8040d6540, thd=thd@entry=0x7fa8040009a8, merge_da_on_success=merge_da_on_success@entry=true) at /data/src/10.4/sql/sp_head.cc:1346
#39 0x0000561392c4258c in sp_head::execute_procedure (this=0x7fa8040d6540, thd=thd@entry=0x7fa8040009a8, args=0x7fa8040055d0) at /data/src/10.4/sql/sp_head.cc:2288
#40 0x0000561392cc357f in do_execute_sp (thd=0x7fa8040009a8, sp=<optimized out>) at /data/src/10.4/sql/sql_parse.cc:3019
#41 0x0000561392cc4956 in Sql_cmd_call::execute (this=this@entry=0x7fa80400fdf0, thd=thd@entry=0x7fa8040009a8) at /data/src/10.4/sql/sql_parse.cc:3261
#42 0x0000561392cc51fa in Sql_cmd_call::execute (this=0x7fa80400fdf0, thd=0x7fa8040009a8) at /data/src/10.4/sql/sql_parse.cc:3215
#43 0x0000561392ccbcd0 in mysql_execute_command (thd=thd@entry=0x7fa8040009a8) at /data/src/10.4/sql/sql_parse.cc:6098
#44 0x0000561392cd2e79 in mysql_parse (thd=thd@entry=0x7fa8040009a8, rawbuf=<optimized out>, length=8, parser_state=parser_state@entry=0x7fa81b4fd1b0, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /data/src/10.4/sql/sql_parse.cc:7908
#45 0x0000561392cd5208 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7fa8040009a8, packet=packet@entry=0x7fa804007999 "CALL p()", packet_length=packet_length@entry=8, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /data/src/10.4/sql/sql_parse.cc:1843
#46 0x0000561392cd6959 in do_command (thd=0x7fa8040009a8) at /data/src/10.4/sql/sql_parse.cc:1360
#47 0x0000561392da523e in do_handle_one_connection (connect=connect@entry=0x5613958fbe98) at /data/src/10.4/sql/sql_connect.cc:1404
#48 0x0000561392da5354 in handle_one_connection (arg=arg@entry=0x5613958fbe98) at /data/src/10.4/sql/sql_connect.cc:1306
#49 0x000056139334e3f4 in pfs_spawn_thread (arg=0x5613958926b8) at /data/src/10.4/storage/perfschema/pfs.cc:1862
#50 0x00007fa826eb14a4 in start_thread (arg=0x7fa81b4fe700) at pthread_create.c:456
#51 0x00007fa8253f9d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

10.4 debug c5bc0ced
#3 <signal handler called>
#4 0x00005618aef14269 in create_view_field (thd=0x7fc664000b00, view=0x7fc664145748, field_ref=0x7fc6640523b0, name=0x7fc6640523b8) at /data/src/10.4/sql/table.cc:6386
#5 0x00005618aef14117 in Field_iterator_view::create_item (this=0x7fc6742b7030, thd=0x7fc664000b00) at /data/src/10.4/sql/table.cc:6363
#6 0x00005618aed53b47 in find_field_in_view (thd=0x7fc664000b00, table_list=0x7fc664145748, name=0x7fc664145e20 "a", length=1, item_name=0x7fc664145e20 "a", ref=0x7fc6641461e8, register_tree_change=true) at /data/src/10.4/sql/sql_base.cc:5779
#7 0x00005618aed549bc in find_field_in_table_ref (thd=0x7fc664000b00, table_list=0x7fc664145748, name=0x7fc664145e20 "a", length=1, item_name=0x7fc664145e20 "a", db_name=0x0, table_name=0x0, ref=0x7fc6641461e8, check_privileges=true, allow_rowid=true, cached_field_index_ptr=0x7fc664145efc, register_tree_change=true, actual_table=0x7fc6742b7220) at /data/src/10.4/sql/sql_base.cc:6118
#8 0x00005618aed552d6 in find_field_in_tables (thd=0x7fc664000b00, item=0x7fc664145e28, first_table=0x7fc664145748, last_table=0x0, ref=0x7fc6641461e8, report_error=IGNORE_EXCEPT_NON_UNIQUE, check_privileges=true, register_tree_change=true) at /data/src/10.4/sql/sql_base.cc:6356
#9 0x00005618af15143a in Item_field::fix_fields (this=0x7fc664145e28, thd=0x7fc664000b00, reference=0x7fc6641461e8) at /data/src/10.4/sql/item.cc:5718
#10 0x00005618aecdf057 in Item::fix_fields_if_needed (this=0x7fc664145e28, thd=0x7fc664000b00, ref=0x7fc6641461e8) at /data/src/10.4/sql/item.h:956
#11 0x00005618af1a8e80 in Item_func::fix_fields (this=0x7fc664146158, thd=0x7fc664000b00, ref=0x7fc664042c30) at /data/src/10.4/sql/item_func.cc:351
#12 0x00005618af1be3c3 in Item_func_sp::fix_fields (this=0x7fc664146158, thd=0x7fc664000b00, ref=0x7fc664042c30) at /data/src/10.4/sql/item_func.cc:6397
#13 0x00005618aecdf057 in Item::fix_fields_if_needed (this=0x7fc664146158, thd=0x7fc664000b00, ref=0x7fc664042c30) at /data/src/10.4/sql/item.h:956
#14 0x00005618af1a8e80 in Item_func::fix_fields (this=0x7fc664042ba0, thd=0x7fc664000b00, ref=0x7fc66404c0c0) at /data/src/10.4/sql/item_func.cc:351
#15 0x00005618aecdf057 in Item::fix_fields_if_needed (this=0x7fc664042ba0, thd=0x7fc664000b00, ref=0x7fc66404c0c0) at /data/src/10.4/sql/item.h:956
#16 0x00005618aecdf085 in Item::fix_fields_if_needed_for_scalar (this=0x7fc664042ba0, thd=0x7fc664000b00, ref=0x7fc66404c0c0) at /data/src/10.4/sql/item.h:960
#17 0x00005618aed5debf in Item::fix_fields_if_needed_for_bool (this=0x7fc664042ba0, thd=0x7fc664000b00, ref=0x7fc66404c0c0) at /data/src/10.4/sql/item.h:964
#18 0x00005618aed5a707 in setup_conds (thd=0x7fc664000b00, tables=0x7fc664145748, leaves=..., conds=0x7fc66404c0c0) at /data/src/10.4/sql/sql_base.cc:8372
#19 0x00005618aee2b8df in setup_without_group (thd=0x7fc664000b00, ref_pointer_array=..., tables=0x7fc664145748, leaves=..., fields=..., all_fields=..., conds=0x7fc66404c0c0, order=0x0, group=0x0, win_specs=..., win_funcs=..., hidden_group_fields=0x7fc66404bf9f, reserved=0x7fc6641454fc) at /data/src/10.4/sql/sql_select.cc:689
#20 0x00005618aee2e507 in JOIN::prepare (this=0x7fc66404bcb8, tables_init=0x7fc664145748, wild_num=0, conds_init=0x7fc664042ba0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7fc6641451f8, unit_arg=0x7fc664041150) at /data/src/10.4/sql/sql_select.cc:1231
#21 0x00005618aee3a9a5 in mysql_select (thd=0x7fc664000b00, tables=0x7fc664145748, wild_num=0, fields=..., conds=0x7fc664042ba0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147749632, result=0x7fc66404bc90, unit=0x7fc664041150, select_lex=0x7fc6641451f8) at /data/src/10.4/sql/sql_select.cc:4596
#22 0x00005618aee2af2a in handle_select (thd=0x7fc664000b00, lex=0x7fc664041088, result=0x7fc66404bc90, setup_tables_done_option=0) at /data/src/10.4/sql/sql_select.cc:425
#23 0x00005618aedf4549 in execute_sqlcom_select (thd=0x7fc664000b00, all_tables=0x7fc664145748) at /data/src/10.4/sql/sql_parse.cc:6356
#24 0x00005618aedea390 in mysql_execute_command (thd=0x7fc664000b00) at /data/src/10.4/sql/sql_parse.cc:3898
#25 0x00005618aed053d5 in sp_instr_stmt::exec_core (this=0x7fc664146398, thd=0x7fc664000b00, nextp=0x7fc6742b96b4) at /data/src/10.4/sql/sp_head.cc:3607
#26 0x00005618aed04732 in sp_lex_keeper::reset_lex_and_exec_core (this=0x7fc6641463e0, thd=0x7fc664000b00, nextp=0x7fc6742b96b4, open_tables=false, instr=0x7fc664146398) at /data/src/10.4/sql/sp_head.cc:3335
#27 0x00005618aed04f7a in sp_instr_stmt::execute (this=0x7fc664146398, thd=0x7fc664000b00, nextp=0x7fc6742b96b4) at /data/src/10.4/sql/sp_head.cc:3513
#28 0x00005618aecfeb9a in sp_head::execute (this=0x7fc664144578, thd=0x7fc664000b00, merge_da_on_success=true) at /data/src/10.4/sql/sp_head.cc:1346
#29 0x00005618aed01511 in sp_head::execute_procedure (this=0x7fc664144578, thd=0x7fc664000b00, args=0x7fc6640058e8) at /data/src/10.4/sql/sp_head.cc:2288
#30 0x00005618aede798b in do_execute_sp (thd=0x7fc664000b00, sp=0x7fc664144578) at /data/src/10.4/sql/sql_parse.cc:3019
#31 0x00005618aede857e in Sql_cmd_call::execute (this=0x7fc6640131d8, thd=0x7fc664000b00) at /data/src/10.4/sql/sql_parse.cc:3261
#32 0x00005618aedf306d in mysql_execute_command (thd=0x7fc664000b00) at /data/src/10.4/sql/sql_parse.cc:6098
#33 0x00005618aedf82dd in mysql_parse (thd=0x7fc664000b00, rawbuf=0x7fc664013128 "CALL p()", length=8, parser_state=0x7fc6742bb170, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:7908
#34 0x00005618aede4586 in dispatch_command (command=COM_QUERY, thd=0x7fc664000b00, packet=0x7fc664008331 "CALL p()", packet_length=8, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1843
#35 0x00005618aede2ccc in do_command (thd=0x7fc664000b00) at /data/src/10.4/sql/sql_parse.cc:1360
#36 0x00005618aef5ce00 in do_handle_one_connection (connect=0x5618b2d38040) at /data/src/10.4/sql/sql_connect.cc:1404
#37 0x00005618aef5cb4f in handle_one_connection (arg=0x5618b2d38040) at /data/src/10.4/sql/sql_connect.cc:1306
#38 0x00005618af888f65 in pfs_spawn_thread (arg=0x5618b2d6d430) at /data/src/10.4/storage/perfschema/pfs.cc:1862
#39 0x00007fc67bc5e4a4 in start_thread (arg=0x7fc6742bc700) at pthread_create.c:456
#40 0x00007fc67a1a6d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

10.4 ASAN c5bc0ced
==18836==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000117218 at pc 0x55650977f22e bp 0x7fd5632b8e90 sp 0x7fd5632b8e88
READ of size 8 at 0x625000117218 thread T5
#0 0x55650977f22d in create_view_field(THD, TABLE_LIST, Item*, st_mysql_const_lex_string) /data/src/10.4/sql/table.cc:6386
#1 0x55650977ee3b in Field_iterator_view::create_item(THD*) /data/src/10.4/sql/table.cc:6363
#2 0x556509366c44 in find_field_in_view /data/src/10.4/sql/sql_base.cc:5779
#3 0x556509368f59 in find_field_in_table_ref(THD, TABLE_LIST, char const, unsigned long, char const, char const, char const, Item*, bool, bool, unsigned int, bool, TABLE_LIST**) /data/src/10.4/sql/sql_base.cc:6118
#4 0x55650936a238 in find_field_in_tables(THD, Item_ident, TABLE_LIST, TABLE_LIST, Item**, find_item_error_report_type, bool, bool) /data/src/10.4/sql/sql_base.cc:6356
#5 0x556509c61fc5 in Item_field::fix_fields(THD, Item*) /data/src/10.4/sql/item.cc:5718
#6 0x556509272840 in Item::fix_fields_if_needed(THD, Item*) /data/src/10.4/sql/item.h:956
#7 0x556509d229e4 in Item_func::fix_fields(THD, Item*) /data/src/10.4/sql/item_func.cc:351
#8 0x556509d5f4a6 in Item_func_sp::fix_fields(THD, Item*) /data/src/10.4/sql/item_func.cc:6397
#9 0x556509272840 in Item::fix_fields_if_needed(THD, Item*) /data/src/10.4/sql/item.h:956
#10 0x556509d229e4 in Item_func::fix_fields(THD, Item*) /data/src/10.4/sql/item_func.cc:351
#11 0x556509272840 in Item::fix_fields_if_needed(THD, Item*) /data/src/10.4/sql/item.h:956
#12 0x55650927286e in Item::fix_fields_if_needed_for_scalar(THD, Item*) /data/src/10.4/sql/item.h:960
#13 0x55650937dcf4 in Item::fix_fields_if_needed_for_bool(THD, Item*) /data/src/10.4/sql/item.h:964
#14 0x556509375c47 in setup_conds(THD, TABLE_LIST, List<TABLE_LIST>&, Item**) /data/src/10.4/sql/sql_base.cc:8372
#15 0x55650954a040 in setup_without_group /data/src/10.4/sql/sql_select.cc:689
#16 0x556509550744 in JOIN::prepare(TABLE_LIST, unsigned int, Item, unsigned int, st_order, bool, st_order, Item, st_order, st_select_lex, st_select_lex_unit) /data/src/10.4/sql/sql_select.cc:1231
#17 0x5565095719c0 in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/src/10.4/sql/sql_select.cc:4596
#18 0x556509548490 in handle_select(THD, LEX, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:425
#19 0x5565094ce0b5 in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6356
#20 0x5565094bc5ea in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3898
#21 0x5565092bcf91 in sp_instr_stmt::exec_core(THD, unsigned int) /data/src/10.4/sql/sp_head.cc:3607
#22 0x5565092bb776 in sp_lex_keeper::reset_lex_and_exec_core(THD, unsigned int, bool, sp_instr*) /data/src/10.4/sql/sp_head.cc:3335
#23 0x5565092bc6d9 in sp_instr_stmt::execute(THD, unsigned int) /data/src/10.4/sql/sp_head.cc:3513
#24 0x5565092af958 in sp_head::execute(THD*, bool) /data/src/10.4/sql/sp_head.cc:1346
#25 0x5565092b4b5e in sp_head::execute_procedure(THD, List<Item>) /data/src/10.4/sql/sp_head.cc:2288
#26 0x5565094b6bad in do_execute_sp /data/src/10.4/sql/sql_parse.cc:3019
#27 0x5565094b84ee in Sql_cmd_call::execute(THD*) /data/src/10.4/sql/sql_parse.cc:3261
#28 0x5565094cbde4 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6098
#29 0x5565094d6269 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7908
#30 0x5565094b079d in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1843
#31 0x5565094ad6ab in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1360
#32 0x55650982298e in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1404
#33 0x556509822342 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1306
#34 0x55650aba2a7d in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
#35 0x7fd56dac24a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
#36 0x7fd56c00ad0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)

0x625000117218 is located 6424 bytes inside of 8268-byte region [0x625000115900,0x62500011794c)
freed by thread T5 here:
#0 0x7fd56dd99a10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
#1 0x55650acccc00 in free_memory /data/src/10.4/mysys/safemalloc.c:279
#2 0x55650accc2e9 in sf_free /data/src/10.4/mysys/safemalloc.c:197
#3 0x55650ac9e8b5 in my_free /data/src/10.4/mysys/my_malloc.c:222
#4 0x55650ac7f7fa in free_root /data/src/10.4/mysys/my_alloc.c:429
#5 0x5565092afae6 in sp_head::execute(THD*, bool) /data/src/10.4/sql/sp_head.cc:1365
#6 0x5565092b4b5e in sp_head::execute_procedure(THD, List<Item>) /data/src/10.4/sql/sp_head.cc:2288
#7 0x5565094b6bad in do_execute_sp /data/src/10.4/sql/sql_parse.cc:3019
#8 0x5565094b84ee in Sql_cmd_call::execute(THD*) /data/src/10.4/sql/sql_parse.cc:3261
#9 0x5565094cbde4 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6098
#10 0x5565094d6269 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7908
#11 0x5565094b079d in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1843
#12 0x5565094ad6ab in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1360
#13 0x55650982298e in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1404
#14 0x556509822342 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1306
#15 0x55650aba2a7d in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
#16 0x7fd56dac24a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)

previously allocated by thread T5 here:
#0 0x7fd56dd99d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
#1 0x55650accbd01 in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
#2 0x55650ac9e014 in my_malloc /data/src/10.4/mysys/my_malloc.c:101
#3 0x55650ac7e985 in alloc_root /data/src/10.4/mysys/my_alloc.c:250
#4 0x5565094e5371 in Query_arena::memdup_w_gap(void const*, unsigned long, unsigned long) /data/src/10.4/sql/sql_class.h:1065
#5 0x5565094b54fd in alloc_query(THD, char const, unsigned long) /data/src/10.4/sql/sql_parse.cc:2754
#6 0x5565092bc5b6 in sp_instr_stmt::execute(THD, unsigned int) /data/src/10.4/sql/sp_head.cc:3500
#7 0x5565092af958 in sp_head::execute(THD*, bool) /data/src/10.4/sql/sp_head.cc:1346
#8 0x5565092b4b5e in sp_head::execute_procedure(THD, List<Item>) /data/src/10.4/sql/sp_head.cc:2288
#9 0x5565094b6bad in do_execute_sp /data/src/10.4/sql/sql_parse.cc:3019
#10 0x5565094b84ee in Sql_cmd_call::execute(THD*) /data/src/10.4/sql/sql_parse.cc:3261
#11 0x5565094cbde4 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6098
#12 0x5565094d6269 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7908
#13 0x5565094b079d in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1843
#14 0x5565094ad6ab in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1360
#15 0x55650982298e in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1404
#16 0x556509822342 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1306
#17 0x55650aba2a7d in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
#18 0x7fd56dac24a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)

Thread T5 created by T0 here:
#0 0x7fd56dd08f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
#1 0x55650aba2e6a in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
#2 0x556509214d88 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
#3 0x556509228eba in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6238
#4 0x55650922959d in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6308
#5 0x556509229928 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6406
#6 0x55650922a57a in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6564
#7 0x55650922873b in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5896
#8 0x556509212c6f in main /data/src/10.4/sql/main.cc:25
#9 0x7fd56bf422e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/sql/table.cc:6386 in create_view_field(THD, TABLE_LIST, Item*, st_mysql_const_lex_string)
Shadow bytes around the buggy address:
0x0c4a8001adf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001ae00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001ae10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001ae20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001ae30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c4a8001ae40: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001ae50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001ae60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001ae70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001ae80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001ae90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==18836==ABORTING

Attachments

Issue Links

relates to

MDEV-14557 Assertion `m_sp == __null' failed in Item_func_sp::init_result_field upon 2nd execution of SP

Stalled

MDEV-19014 pure virtual method called, SIGSEGV, ASAN heap-use-after-free in Item_direct_view_ref::fix_fields

Closed

MDEV-19178 Server crash in create_view_field or Assertion `m_sp == __null' failed in Item_func_sp::fix_fields after invalidating view by dropping function

Confirmed

MDEV-21630 Server crashes in mysql_derived_prepare on 2nd execution of SP with views, ASAN: heap-use-after-free in mysql_derived_prepare

Confirmed

Activity

People

Assignee:: Oleksandr Byelkin

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2019-08-22 23:38

Updated:: 2023-07-28 13:14

Resolved:: 2023-07-28 13:14

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.