Details

    Description

If I execute this function 2 or 3 times (manually), the server crashes.

      The idea of the function is to check whether a column exists in 2 different tables.

      CREATE FUNCTION if_column_exists_normal_and_backup(tableNameToSearch TINYTEXT,
                                                         columnNameToSearch TINYTEXT)
          RETURNS BOOLEAN
          LANGUAGE SQL
      BEGIN
          SET @original = tableNameToSearch;
          SET @backup = CONCAT(tableNameToSearch, '_backup');
       
          RETURN (
                  exists(SELECT COLUMN_NAME
                         FROM INFORMATION_SCHEMA.COLUMNS
                         WHERE TABLE_NAME = @original
                           AND COLUMN_NAME = `columnnametosearch`
                      )
                  AND
                  exists(SELECT COLUMN_NAME
                         FROM INFORMATION_SCHEMA.COLUMNS
                         WHERE TABLE_NAME = @backup
                           AND COLUMN_NAME = `columnnametosearch`
                      )
              );
      END
      

          Activity

            francogp Franco Gastón Pellegrini created issue -

            Thanks for the report.

            Same test case, only formatted for MTR:

            --delimiter $
             
            CREATE FUNCTION if_column_exists_normal_and_backup(tableNameToSearch TINYTEXT,
                                                               columnNameToSearch TINYTEXT)
                RETURNS BOOLEAN
                LANGUAGE SQL
            BEGIN
                SET @original = tableNameToSearch;
                SET @backup = CONCAT(tableNameToSearch, '_backup');
             
                RETURN (
                        exists(SELECT COLUMN_NAME
                               FROM INFORMATION_SCHEMA.COLUMNS
                               WHERE TABLE_NAME = @original
                                 AND COLUMN_NAME = `columnnametosearch`
                            )
                        AND
                        exists(SELECT COLUMN_NAME
                               FROM INFORMATION_SCHEMA.COLUMNS
                               WHERE TABLE_NAME = @backup
                                 AND COLUMN_NAME = `columnnametosearch`
                            )
                    );
            END $
             
            --delimiter ;
             
            select if_column_exists_normal_and_backup('t1','c');
            select if_column_exists_normal_and_backup('t1','c');
             
            # Cleanup
            DROP FUNCTION if_column_exists_normal_and_backup;
            

            10.4 debug 9afbb106

            mysqld: /data/src/10.4/sql/sql_prepare.cc:2998: void reinit_stmt_before_use(THD*, LEX*): Assertion `sl->join == 0' failed.
            191028 19:06:44 [ERROR] mysqld got signal 6 ;
             
            #7  0x00007fa0865def12 in __GI___assert_fail (assertion=0x560b1226b456 "sl->join == 0", file=0x560b1226ad70 "/data/src/10.4/sql/sql_prepare.cc", line=2998, function=0x560b1226c2a0 <reinit_stmt_before_use(THD*, LEX*)::__PRETTY_FUNCTION__> "void reinit_stmt_before_use(THD*, LEX*)") at assert.c:101
            #8  0x0000560b1159672f in reinit_stmt_before_use (thd=0x7fa070000b00, lex=0x7fa070183e38) at /data/src/10.4/sql/sql_prepare.cc:2998
            #9  0x0000560b1147e632 in sp_lex_keeper::reset_lex_and_exec_core (this=0x7fa07013f818, thd=0x7fa070000b00, nextp=0x7fa0807adcf4, open_tables=true, instr=0x7fa07013f7d0) at /data/src/10.4/sql/sp_head.cc:3371
            #10 0x0000560b1148079d in sp_instr_freturn::execute (this=0x7fa07013f7d0, thd=0x7fa070000b00, nextp=0x7fa0807adcf4) at /data/src/10.4/sql/sp_head.cc:4040
            #11 0x0000560b114786b9 in sp_head::execute (this=0x7fa070132268, thd=0x7fa070000b00, merge_da_on_success=true) at /data/src/10.4/sql/sp_head.cc:1346
            #12 0x0000560b1147a612 in sp_head::execute_function (this=0x7fa070132268, thd=0x7fa070000b00, argp=0x7fa070013ac0, argcount=2, return_value_fld=0x7fa070015ec0, func_ctx=0x7fa070013b50, call_arena=0x7fa070014f08) at /data/src/10.4/sql/sp_head.cc:2068
            #13 0x0000560b118ed517 in Item_sp::execute_impl (this=0x7fa070013af0, thd=0x7fa070000b00, args=0x7fa070013ac0, arg_count=2) at /data/src/10.4/sql/item.cc:2780
            #14 0x0000560b118ed0c9 in Item_sp::execute (this=0x7fa070013af0, thd=0x7fa070000b00, null_value=0x7fa070013aa6, args=0x7fa070013ac0, arg_count=2) at /data/src/10.4/sql/item.cc:2693
            #15 0x0000560b11968334 in Item_func_sp::execute (this=0x7fa070013a30) at /data/src/10.4/sql/item_func.cc:6331
            #16 0x0000560b1196f05e in Item_func_sp::val_int (this=0x7fa070013a30) at /data/src/10.4/sql/item_func.h:3210
            #17 0x0000560b1178fdf1 in Type_handler::Item_send_tiny (this=0x560b12d08b78 <type_handler_tiny>, item=0x7fa070013a30, protocol=0x7fa0700010c8, buf=0x7fa0807aead0) at /data/src/10.4/sql/sql_type.cc:6729
            #18 0x0000560b1179c854 in Type_handler_tiny::Item_send (this=0x560b12d08b78 <type_handler_tiny>, item=0x7fa070013a30, protocol=0x7fa0700010c8, buf=0x7fa0807aead0) at /data/src/10.4/sql/sql_type.h:4786
            #19 0x0000560b1144aa3a in Item::send (this=0x7fa070013a30, protocol=0x7fa0700010c8, buffer=0x7fa0807aead0) at /data/src/10.4/sql/item.h:1034
            #20 0x0000560b11444b85 in Protocol::send_result_set_row (this=0x7fa0700010c8, row_items=0x7fa070013360) at /data/src/10.4/sql/protocol.cc:1035
            #21 0x0000560b114f97a4 in select_send::send_data (this=0x7fa070015878, items=...) at /data/src/10.4/sql/sql_class.cc:3002
            #22 0x0000560b115c00a7 in JOIN::exec_inner (this=0x7fa0700158a0) at /data/src/10.4/sql/sql_select.cc:4254
            #23 0x0000560b115bf952 in JOIN::exec (this=0x7fa0700158a0) at /data/src/10.4/sql/sql_select.cc:4168
            #24 0x0000560b115c1067 in mysql_select (thd=0x7fa070000b00, tables=0x0, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7fa070015878, unit=0x7fa070004a30, select_lex=0x7fa070013218) at /data/src/10.4/sql/sql_select.cc:4600
            #25 0x0000560b115b0fd8 in handle_select (thd=0x7fa070000b00, lex=0x7fa070004968, result=0x7fa070015878, setup_tables_done_option=0) at /data/src/10.4/sql/sql_select.cc:420
            #26 0x0000560b115779a7 in execute_sqlcom_select (thd=0x7fa070000b00, all_tables=0x0) at /data/src/10.4/sql/sql_parse.cc:6352
            #27 0x0000560b1156d08e in mysql_execute_command (thd=0x7fa070000b00) at /data/src/10.4/sql/sql_parse.cc:3894
            #28 0x0000560b1157bac5 in mysql_parse (thd=0x7fa070000b00, rawbuf=0x7fa070013148 "select if_column_exists_normal_and_backup('t1','c')", length=51, parser_state=0x7fa0807b0170, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:7912
            #29 0x0000560b11566d58 in dispatch_command (command=COM_QUERY, thd=0x7fa070000b00, packet=0x7fa070008351 "", packet_length=51, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1841
            #30 0x0000560b115653e5 in do_command (thd=0x7fa070000b00) at /data/src/10.4/sql/sql_parse.cc:1359
            #31 0x0000560b116ece17 in do_handle_one_connection (connect=0x560b149a2e60) at /data/src/10.4/sql/sql_connect.cc:1412
            #32 0x0000560b116ecb66 in handle_one_connection (arg=0x560b149a2e60) at /data/src/10.4/sql/sql_connect.cc:1316
            #33 0x0000560b120efaa5 in pfs_spawn_thread (arg=0x560b148c76c0) at /data/src/10.4/storage/perfschema/pfs.cc:1862
            #34 0x00007fa0881544a4 in start_thread (arg=0x7fa0807b1700) at pthread_create.c:456
            #35 0x00007fa08669bd0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
            

            It doesn't crash for me on a non-debug build, but it's just a matter of luck, because it fails on a non-debug build with ASAN:

            10.4 non-debug ASAN 9afbb106

            ==6201==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000172460 at pc 0x561b4c9d996d bp 0x7f2086d21770 sp 0x7f2086d21768
            READ of size 8 at 0x625000172460 thread T5
                #0 0x561b4c9d996c in JOIN::destroy() /data/src/10.4/sql/sql_select.cc:4407
                #1 0x561b4caf6ac2 in st_select_lex::cleanup() /data/src/10.4/sql/sql_union.cc:2058
                #2 0x561b4d0a6830 in subselect_single_select_engine::prepare(THD*) /data/src/10.4/sql/item_subselect.cc:3711
                #3 0x561b4d0a51fc in Item_subselect::fix_fields(THD*, Item**) /data/src/10.4/sql/item_subselect.cc:283
                #4 0x561b4cf482fc in Item::fix_fields_if_needed(THD*, Item**) /data/src/10.4/sql/item.h:956
                #5 0x561b4cf482fc in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /data/src/10.4/sql/item.h:960
                #6 0x561b4cf482fc in Item::fix_fields_if_needed_for_bool(THD*, Item**) /data/src/10.4/sql/item.h:964
                #7 0x561b4cf482fc in Item_cond::fix_fields(THD*, Item**) /data/src/10.4/sql/item_cmpfunc.cc:4845
                #8 0x561b4c7857bd in Item::fix_fields_if_needed(THD*, Item**) /data/src/10.4/sql/item.h:956
                #9 0x561b4c7857bd in THD::sp_fix_func_item(Item**) /data/src/10.4/sql/sp_head.cc:356
                #10 0x561b4c78583c in THD::sp_prepare_func_item(Item**, unsigned int) /data/src/10.4/sql/sp_head.cc:342
                #11 0x561b4ce3d3ff in Field::sp_prepare_and_store_item(THD*, Item**) /data/src/10.4/sql/field.cc:1353
                #12 0x561b4c785af8 in THD::sp_eval_expr(Field*, Item**) /data/src/10.4/sql/sp_head.cc:390
                #13 0x561b4c780949 in sp_instr_freturn::exec_core(THD*, unsigned int*) /data/src/10.4/sql/sp_head.cc:4083
                #14 0x561b4c796912 in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) /data/src/10.4/sql/sp_head.cc:3398
                #15 0x561b4c78a9ff in sp_head::execute(THD*, bool) /data/src/10.4/sql/sp_head.cc:1346
                #16 0x561b4c78f2f6 in sp_head::execute_function(THD*, Item**, unsigned int, Field*, sp_rcontext**, Query_arena*) /data/src/10.4/sql/sp_head.cc:2068
                #17 0x561b4cef5443 in Item_sp::execute_impl(THD*, Item**, unsigned int) /data/src/10.4/sql/item.cc:2780
                #18 0x561b4cef59ca in Item_sp::execute(THD*, bool*, Item**, unsigned int) /data/src/10.4/sql/item.cc:2693
                #19 0x561b4d0045c8 in Item_func_sp::val_int() /data/src/10.4/sql/item_func.h:3210
                #20 0x561b4ccd1206 in Type_handler::Item_send_tiny(Item*, Protocol*, st_value*) const /data/src/10.4/sql/sql_type.cc:6729
                #21 0x561b4c7410b4 in Protocol::send_result_set_row(List<Item>*) /data/src/10.4/sql/protocol.cc:1035
                #22 0x561b4c84f35a in select_send::send_data(List<Item>&) /data/src/10.4/sql/sql_class.cc:3002
                #23 0x561b4ca2ea50 in JOIN::exec_inner() /data/src/10.4/sql/sql_select.cc:4254
                #24 0x561b4ca2fb9f in JOIN::exec() /data/src/10.4/sql/sql_select.cc:4168
                #25 0x561b4ca294a2 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4600
                #26 0x561b4ca2ba2f in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:420
                #27 0x561b4c69f500 in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6352
                #28 0x561b4c92df33 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3894
                #29 0x561b4c940678 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7912
                #30 0x561b4c945f14 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1841
                #31 0x561b4c949e17 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1359
                #32 0x561b4cbb7bd7 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412
                #33 0x561b4cbb7dfa in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
                #34 0x561b4dbb94a3 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
                #35 0x7f209137f4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
                #36 0x7f208f8c6d0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
             
            0x625000172460 is located 864 bytes inside of 8160-byte region [0x625000172100,0x6250001740e0)
            freed by thread T5 here:
                #0 0x7f2091656a10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
                #1 0x561b4dc5f8f4 in free_root /data/src/10.4/mysys/my_alloc.c:420
             
            previously allocated by thread T5 here:
                #0 0x7f2091656d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
                #1 0x561b4dc7151c in my_malloc /data/src/10.4/mysys/my_malloc.c:101
             
            Thread T5 created by T0 here:
                #0 0x7f20915c5f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
                #1 0x561b4dbc1722 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
             
            SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/sql/sql_select.cc:4407 in JOIN::destroy()
            Shadow bytes around the buggy address:
              0x0c4a80026430: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c4a80026440: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c4a80026450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c4a80026460: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c4a80026470: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
            =>0x0c4a80026480: fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd
              0x0c4a80026490: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c4a800264a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c4a800264b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c4a800264c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c4a800264d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable:           00
              Partially addressable: 01 02 03 04 05 06 07 
              Heap left redzone:       fa
              Heap right redzone:      fb
              Freed heap region:       fd
              Stack left redzone:      f1
              Stack mid redzone:       f2
              Stack right redzone:     f3
              Stack partial redzone:   f4
              Stack after return:      f5
              Stack use after scope:   f8
              Global redzone:          f9
              Global init order:       f6
              Poisoned by user:        f7
              Container overflow:      fc
              Array cookie:            ac
              Intra object redzone:    bb
              ASan internal:           fe
              Left alloca redzone:     ca
              Right alloca redzone:    cb
            ==6201==ABORTING
            

            So, it is the same failure as MDEV-20803, which, in turn, is apparently the same problem as MDEV-20290. I will link them all together, and will leave it to sanja to close all as fixed or duplicate, but only after he checks that all variations have been fixed by the same patch.
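The ASan output above is long, but triage only needs a few facts from it: the bug class, the faulting access (READ/WRITE, size, thread), the first project frame at the fault, and the first project frames of the "freed by" and "previously allocated by" stacks. The following parser is an added example and is not MariaDB code; it embeds an abridged copy of the report from this comment as constructed sample input (frames trimmed), and it assumes the source-tree prefix `/data/src/` seen in the report to separate project frames from the allocator and libasan frames that sit on top of every stack.

```python
import re
from dataclasses import dataclass, field

# Abridged from the AddressSanitizer report in the comment above; frames were
# trimmed so the sample stays short. Embedded so the script runs offline.
SAMPLE_REPORT = """\
==6201==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000172460 at pc 0x561b4c9d996d bp 0x7f2086d21770 sp 0x7f2086d21768
READ of size 8 at 0x625000172460 thread T5
    #0 0x561b4c9d996c in JOIN::destroy() /data/src/10.4/sql/sql_select.cc:4407
    #1 0x561b4caf6ac2 in st_select_lex::cleanup() /data/src/10.4/sql/sql_union.cc:2058
    #2 0x561b4d0a6830 in subselect_single_select_engine::prepare(THD*) /data/src/10.4/sql/item_subselect.cc:3711

0x625000172460 is located 864 bytes inside of 8160-byte region [0x625000172100,0x6250001740e0)
freed by thread T5 here:
    #0 0x7f2091656a10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
    #1 0x561b4dc5f8f4 in free_root /data/src/10.4/mysys/my_alloc.c:420

previously allocated by thread T5 here:
    #0 0x7f2091656d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x561b4dc7151c in my_malloc /data/src/10.4/mysys/my_malloc.c:101

SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/sql/sql_select.cc:4407 in JOIN::destroy()
==6201==ABORTING
"""

HEADER_RE = re.compile(r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+) thread (?P<thread>T\d+)")
REGION_RE = re.compile(r"is located (?P<off>\d+) bytes inside of (?P<size>\d+)-byte region")
# Function name is non-greedy so that "f(A*, B*) const /path:line" keeps the
# whole signature in func and only the final token becomes the location.
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>.+?) (?P<loc>\S+)$")


@dataclass
class Frame:
    index: int
    func: str
    location: str


@dataclass
class AsanReport:
    pid: int
    kind: str
    address: str
    access: str = ""
    size: int = 0
    thread: str = ""
    offset: int = -1          # byte offset of the access inside the freed region
    region_size: int = -1
    access_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)
    alloc_stack: list = field(default_factory=list)


def parse_asan_report(text):
    """Walk the report line by line, switching which stack frames are appended to."""
    report = None
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER_RE.match(line)
        if m:
            report = AsanReport(int(m["pid"]), m["kind"], m["addr"])
            continue
        if report is None:
            continue  # ignore anything before the ERROR header
        m = ACCESS_RE.match(line)
        if m:
            report.access, report.size, report.thread = m["op"], int(m["size"]), m["thread"]
            current = report.access_stack
            continue
        m = REGION_RE.search(line)
        if m:
            report.offset, report.region_size = int(m["off"]), int(m["size"])
            continue
        if line.startswith("freed by thread"):
            current = report.free_stack
            continue
        if line.startswith("previously allocated by thread"):
            current = report.alloc_stack
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            current.append(Frame(int(m["n"]), m["func"], m["loc"]))
    return report


def first_project_frame(stack, src_root="/data/src/"):
    """Skip free()/malloc()/libasan frames and return the first frame inside the source tree."""
    return next((f for f in stack if f.location.startswith(src_root)), None)


def triage_summary(report, src_root="/data/src/"):
    """Condense the parsed report into the fields a bug tracker comment needs."""
    def fmt(frame):
        return f"{frame.func} at {frame.location}" if frame else "unknown"
    return {
        "kind": report.kind,
        "access": f"{report.access} of {report.size} bytes in thread {report.thread}",
        "fault_site": fmt(first_project_frame(report.access_stack, src_root)),
        "freed_at": fmt(first_project_frame(report.free_stack, src_root)),
        "allocated_at": fmt(first_project_frame(report.alloc_stack, src_root)),
        "offset_in_region": f"{report.offset}/{report.region_size}",
    }


if __name__ == "__main__":
    for key, value in triage_summary(parse_asan_report(SAMPLE_REPORT)).items():
        print(f"{key:17}{value}")
```

The `offset_in_region` field is the quick sanity check that this is a genuine use-after-free of a still-live pointer into a MEM_ROOT block (864 bytes into an 8160-byte region freed by `free_root`) rather than a redzone overflow; comparing `fault_site` and `freed_at` between two reports is how one decides whether they are the same failure, as is done above for MDEV-20803.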

            elenst Elena Stepanova added a comment -
            elenst Elena Stepanova made changes -
            Field Original Value New Value
            Component/s Server [ 13907 ]
            Component/s Stored routines [ 13905 ]
            Fix Version/s 10.4 [ 22408 ]
            Assignee Oleksandr Byelkin [ sanja ]
            elenst Elena Stepanova made changes -
            Status Open [ 1 ] Confirmed [ 10101 ]
            sanja Oleksandr Byelkin made changes -
            Status Confirmed [ 10101 ] In Progress [ 3 ]
            sanja Oleksandr Byelkin made changes -
            Status In Progress [ 3 ] Stalled [ 10000 ]

            Duplicate of MDEV-23094

            sanja Oleksandr Byelkin added a comment -
            sanja Oleksandr Byelkin made changes -
            Fix Version/s 10.5.4 [ 24264 ]
            Fix Version/s 10.4.13 [ 24223 ]
            Fix Version/s 10.4 [ 22408 ]
            Resolution Duplicate [ 3 ]
            Status Stalled [ 10000 ] Closed [ 6 ]
            serg Sergei Golubchik made changes -
            Workflow MariaDB v3 [ 100513 ] MariaDB v4 [ 156881 ]

            People

              sanja Oleksandr Byelkin
              francogp Franco Gastón Pellegrini