
ASAN use-after-poison in create_tmp_table upon SELECT from view with subquery and left join


Details

    Description

      # Reproducer for the ASAN use-after-poison reported below. Keep the
      # statements and their order as-is: the allocation stack shows the
      # poisoned region belongs to the TABLE_SHARE allocated while CREATE VIEW
      # opens t1, and the bad read happens in create_tmp_table while the SELECT
      # prepares its derived table. Engine-dependent: MyISAM and Aria reproduce,
      # InnoDB did not.
      CREATE TABLE t1 (a BIGINT, b BIT(1) NOT NULL) ENGINE=MyISAM;
      # The derived table in the SELECT reads the view, not t1 directly.
      CREATE VIEW v1 AS SELECT * FROM t1;
      # Row data is optional; the report reproduces with empty tables as well.
      INSERT INTO t1 VALUES (1,b'0'),(2,b'0');
       
      CREATE TABLE t2 (c INT) ENGINE=MyISAM;
      INSERT INTO t2 VALUES (3),(4);
       
      # Trigger: LEFT JOIN onto a derived table (subquery) over the view.
      SELECT * FROM t2 LEFT JOIN ( SELECT * FROM v1 ) sq ON (c = a);
       
      # Cleanup
      DROP VIEW v1;
      DROP TABLE t1, t2;
      

      Reproduced on 10.3, ASAN build, commit e5e58777:

      ==18554==ERROR: AddressSanitizer: use-after-poison on address 0x61900008ad51 at pc 0x7f8bc12c7f7f bp 0x7f8bb561e060 sp 0x7f8bb561d810
      READ of size 1 at 0x61900008ad51 thread T5
          #0 0x7f8bc12c7f7e  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cf7e)
          #1 0x560146b7f5ff in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool) /data/src/10.3/sql/sql_select.cc:17852
          #2 0x560146cc66c3 in select_unit::create_result_table(THD*, List<Item>*, bool, unsigned long long, st_mysql_const_lex_string const*, bool, bool, bool, unsigned int) /data/src/10.3/sql/sql_union.cc:372
          #3 0x5601469bf93a in mysql_derived_prepare(THD*, LEX*, TABLE_LIST*) /data/src/10.3/sql/sql_derived.cc:799
          #4 0x5601469bc5e2 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /data/src/10.3/sql/sql_derived.cc:199
          #5 0x560146d42ca8 in TABLE_LIST::handle_derived(LEX*, unsigned int) /data/src/10.3/sql/table.cc:8287
          #6 0x5601469fc10f in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /data/src/10.3/sql/sql_lex.h:4019
          #7 0x560146a1bb62 in st_select_lex::handle_derived(LEX*, unsigned int) /data/src/10.3/sql/sql_lex.cc:4132
          #8 0x560146b073a4 in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.3/sql/sql_select.cc:1036
          #9 0x560146b27153 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.3/sql/sql_select.cc:4269
          #10 0x560146b013f7 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.3/sql/sql_select.cc:370
          #11 0x560146a83136 in execute_sqlcom_select /data/src/10.3/sql/sql_parse.cc:6294
          #12 0x560146a7293b in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3821
          #13 0x560146a8c172 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7818
          #14 0x560146a66e5e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1856
          #15 0x560146a63d3d in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1401
          #16 0x560146dd99fa in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
          #17 0x560146dd93c1 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
          #18 0x56014823e5ff in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
          #19 0x7f8bc10554a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
          #20 0x7f8bbf59cd0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
       
      0x61900008ad51 is located 209 bytes inside of 1100-byte region [0x61900008ac80,0x61900008b0cc)
      allocated by thread T5 here:
          #0 0x7f8bc132cd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
          #1 0x56014836e3a7 in sf_malloc /data/src/10.3/mysys/safemalloc.c:118
          #2 0x560148340230 in my_malloc /data/src/10.3/mysys/my_malloc.c:101
          #3 0x560148320961 in alloc_root /data/src/10.3/mysys/my_alloc.c:250
          #4 0x560148321dcf in memdup_root /data/src/10.3/mysys/my_alloc.c:492
          #5 0x560146d0c22e in TABLE_SHARE::init_from_binary_frm_image(THD*, bool, unsigned char const*, unsigned long) /data/src/10.3/sql/table.cc:1286
          #6 0x560146d07648 in open_table_def(THD*, TABLE_SHARE*, unsigned int) /data/src/10.3/sql/table.cc:677
          #7 0x560146f8f59c in tdc_acquire_share(THD*, TABLE_LIST*, unsigned int, TABLE**) /data/src/10.3/sql/table_cache.cc:840
          #8 0x560146917100 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.3/sql/sql_base.cc:1839
          #9 0x56014691fc7f in open_and_process_table /data/src/10.3/sql/sql_base.cc:3675
          #10 0x560146921f0a in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:4144
          #11 0x560146926ce9 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:5032
          #12 0x560146898a4d in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.3/sql/sql_base.h:505
          #13 0x560146cf4297 in mysql_create_view(THD*, TABLE_LIST*, enum_view_create_mode) /data/src/10.3/sql/sql_view.cc:450
          #14 0x560146a7ff01 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:5852
          #15 0x560146a8c172 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7818
          #16 0x560146a66e5e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1856
          #17 0x560146a63d3d in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1401
          #18 0x560146dd99fa in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
          #19 0x560146dd93c1 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
          #20 0x56014823e5ff in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
          #21 0x7f8bc10554a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
       
      Thread T5 created by T0 here:
          #0 0x7f8bc129bf59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
          #1 0x56014823ea3b in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1912
          #2 0x5601467d0bb0 in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1268
          #3 0x5601467e5ebc in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6600
          #4 0x5601467e659f in create_new_thread /data/src/10.3/sql/mysqld.cc:6670
          #5 0x5601467e75b7 in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6945
          #6 0x5601467e538c in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6222
          #7 0x5601467cf2cf in main /data/src/10.3/sql/main.cc:25
          #8 0x7f8bbf4d42e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
       
      SUMMARY: AddressSanitizer: use-after-poison (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cf7e) 
      Shadow bytes around the buggy address:
        0x0c3280009550: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c3280009560: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c3280009570: f7 f7 f7 f7 f7 f7 f7 f7 f7 04 fa fa fa fa fa fa
        0x0c3280009580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c3280009590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0c32800095a0: 00 f7 00 00 f7 01 f7 02 f7 00[01]f7 01 f7 00 00
        0x0c32800095b0: 00 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00
        0x0c32800095c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c32800095d0: 00 00 00 f7 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c32800095e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c32800095f0: 00 f7 04 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==18554==ABORTING
      

      Couldn't reproduce on 10.2 or 10.4.
      No obvious immediate effect on a non-ASAN build. Note that this does not mean the read is harmless: the faulting address lies inside a still-allocated 1100-byte MEM_ROOT region, and the surrounding shadow bytes are f7 ("Poisoned by user"), i.e. memory the server itself marked as not-in-use (presumably MEM_ROOT/TRASH poisoning) rather than unmapped memory, so without ASAN the read simply returns a stale or indeterminate byte. Whether that byte influences the result or is reachable with other inputs has not been assessed here.
      Reproducible with MyISAM and Aria, couldn't reproduce with InnoDB.
      Data in the test case is optional, reproducible with empty tables as well.

            elenst Elena Stepanova