  2. MDEV-21414

ASAN heap-use-after-free in my_strnncollsp_simple / myrocks::ha_rocksdb::find_icp_matching_index_rec


    Details

      Description

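      -- Reproducer for the heap-use-after-free reported in this issue.
      -- The RocksDB plugin is required: the faulting read is reached from
      -- myrocks::ha_rocksdb::find_icp_matching_index_rec via
      -- handler_index_cond_check -> key_cmp -> Field_blob::key_cmp, i.e. the
      -- index condition pushdown check on the prefix key over f3.
      INSTALL SONAME 'ha_rocksdb';

      CREATE TABLE t1 (
          f1 BLOB,
          f2 CHAR(1) CHARACTER SET latin1 NOT NULL,
          f3 TEXT NOT NULL,
          f4 TIMESTAMP,
          UNIQUE(f2, f4),
          KEY(f3(8))   -- prefix key on a TEXT column; this is the key compared in Field_blob::key_cmp
      ) ENGINE=RocksDB;

      -- Explicit column list keeps the fixture rows aligned with the schema.
      INSERT INTO t1 (f1, f2, f3, f4) VALUES
          ('',    'a', 'foo', '2018-01-01 00:00:00'),
          ('bar', 'b', '',    '2019-01-01 00:00:00');

      -- Same column set as SELECT *, spelled out. The trace shows the range
      -- scan on KEY(f3(8)) is driven from filesort (ORDER BY f1), and the
      -- freed region read by the ICP check was allocated and released inside
      -- SQL_SELECT::test_quick_select (free_root) during optimization.
      SELECT f1, f2, f3, f4
      FROM t1
      WHERE f4 = '2020-01-01 00:00:00' AND f3 < 'qux'
      ORDER BY f1;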
      

      10.2 ASAN 4a012ce2

      ==10332==ERROR: AddressSanitizer: heap-use-after-free on address 0x6210000ade22 at pc 0x5614112d3ea0 bp 0x7f636fc3cb30 sp 0x7f636fc3cb28
      READ of size 1 at 0x6210000ade22 thread T5
          #0 0x5614112d3e9f in my_strnncollsp_simple /data/src/10.2/strings/ctype-simple.c:182
          #1 0x5614101b77e4 in Field_blob::cmp(unsigned char const*, unsigned int, unsigned char const*, unsigned int) /data/src/10.2/sql/field.cc:8365
          #2 0x5614101b8b8d in Field_blob::key_cmp(unsigned char const*, unsigned int) /data/src/10.2/sql/field.cc:8478
          #3 0x56141044e200 in key_cmp(st_key_part_info*, unsigned char const*, unsigned int) /data/src/10.2/sql/key.cc:515
          #4 0x561410216772 in handler::compare_key2(st_key_range*) const /data/src/10.2/sql/handler.cc:5576
          #5 0x5614102168c0 in handler_index_cond_check /data/src/10.2/sql/handler.cc:5597
          #6 0x7f636e949ae1 in myrocks::ha_rocksdb::find_icp_matching_index_rec(bool, unsigned char*) /data/src/10.2/storage/rocksdb/ha_rocksdb.cc:8652
          #7 0x7f636e94d2a4 in myrocks::ha_rocksdb::index_next_with_direction(unsigned char*, bool) /data/src/10.2/storage/rocksdb/ha_rocksdb.cc:9081
          #8 0x7f636e94ddf4 in myrocks::ha_rocksdb::index_first_intern(unsigned char*) /data/src/10.2/storage/rocksdb/ha_rocksdb.cc:9188
          #9 0x7f636e94d5be in myrocks::ha_rocksdb::index_first(unsigned char*) /data/src/10.2/storage/rocksdb/ha_rocksdb.cc:9102
          #10 0x5614102067a3 in handler::ha_index_first(unsigned char*) /data/src/10.2/sql/handler.cc:2802
          #11 0x7f636e9473a8 in myrocks::ha_rocksdb::read_range_first(st_key_range const*, st_key_range const*, bool, bool) /data/src/10.2/storage/rocksdb/ha_rocksdb.cc:8306
          #12 0x56140ffe0222 in handler::multi_range_read_next(void**) /data/src/10.2/sql/multi_range_read.cc:298
          #13 0x561410549e83 in QUICK_RANGE_SELECT::get_next() /data/src/10.2/sql/opt_range.cc:11473
          #14 0x5614101e7ab4 in find_all_keys /data/src/10.2/sql/filesort.cc:782
          #15 0x5614101e452a in filesort(THD*, TABLE*, Filesort*, Filesort_tracker*, JOIN*, unsigned long long) /data/src/10.2/sql/filesort.cc:274
          #16 0x56140fd3a971 in create_sort_index(THD*, JOIN*, st_join_table*, Filesort*) /data/src/10.2/sql/sql_select.cc:22060
          #17 0x56140fd2b70c in st_join_table::sort_table() /data/src/10.2/sql/sql_select.cc:19825
          #18 0x56140fd2ad2f in join_init_read_record(st_join_table*) /data/src/10.2/sql/sql_select.cc:19766
          #19 0x56140fd249dc in sub_select(JOIN*, st_join_table*, bool) /data/src/10.2/sql/sql_select.cc:18857
          #20 0x56140fd22faf in do_select /data/src/10.2/sql/sql_select.cc:18404
          #21 0x56140fcc3950 in JOIN::exec_inner() /data/src/10.2/sql/sql_select.cc:3629
          #22 0x56140fcc171d in JOIN::exec() /data/src/10.2/sql/sql_select.cc:3424
          #23 0x56140fcc4993 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3824
          #24 0x56140fca3c8d in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361
          #25 0x56140fc2946e in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6225
          #26 0x56140fc177c3 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3532
          #27 0x56140fc31ef0 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7740
          #28 0x56140fc0dfae in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1831
          #29 0x56140fc0afc4 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1384
          #30 0x56140ff45f9f in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
          #31 0x56140ff4596f in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
          #32 0x561411175ddc in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
          #33 0x7f637b9354a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
          #34 0x7f6379a69d0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
       
      0x6210000ade22 is located 290 bytes inside of 4172-byte region [0x6210000add00,0x6210000aed4c)
      freed by thread T5 here:
          #0 0x7f637bc0ca10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
          #1 0x56141127bc3f in free_memory /data/src/10.2/mysys/safemalloc.c:279
          #2 0x56141127b2b9 in sf_free /data/src/10.2/mysys/safemalloc.c:197
          #3 0x56141124c0c5 in my_free /data/src/10.2/mysys/my_malloc.c:218
          #4 0x56141122e253 in free_root /data/src/10.2/mysys/my_alloc.c:400
          #5 0x5614105159d2 in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool) /data/src/10.2/sql/opt_range.cc:2692
          #6 0x56140fcc4e89 in get_quick_record_count /data/src/10.2/sql/sql_select.cc:3861
          #7 0x56140fcca77c in make_join_statistics /data/src/10.2/sql/sql_select.cc:4483
          #8 0x56140fcaf86f in JOIN::optimize_inner() /data/src/10.2/sql/sql_select.cc:1584
          #9 0x56140fcab008 in JOIN::optimize() /data/src/10.2/sql/sql_select.cc:1113
          #10 0x56140fcc47ae in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3810
          #11 0x56140fca3c8d in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361
          #12 0x56140fc2946e in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6225
          #13 0x56140fc177c3 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3532
          #14 0x56140fc31ef0 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7740
          #15 0x56140fc0dfae in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1831
          #16 0x56140fc0afc4 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1384
          #17 0x56140ff45f9f in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
          #18 0x56140ff4596f in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
          #19 0x561411175ddc in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
          #20 0x7f637b9354a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
       
      previously allocated by thread T5 here:
          #0 0x7f637bc0cd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
          #1 0x56141127ac90 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
          #2 0x56141124b828 in my_malloc /data/src/10.2/mysys/my_malloc.c:101
          #3 0x56141122d379 in alloc_root /data/src/10.2/mysys/my_alloc.c:242
          #4 0x561410513f93 in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool) /data/src/10.2/sql/opt_range.cc:2462
          #5 0x56140fcc4e89 in get_quick_record_count /data/src/10.2/sql/sql_select.cc:3861
          #6 0x56140fcca77c in make_join_statistics /data/src/10.2/sql/sql_select.cc:4483
          #7 0x56140fcaf86f in JOIN::optimize_inner() /data/src/10.2/sql/sql_select.cc:1584
          #8 0x56140fcab008 in JOIN::optimize() /data/src/10.2/sql/sql_select.cc:1113
          #9 0x56140fcc47ae in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3810
          #10 0x56140fca3c8d in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361
          #11 0x56140fc2946e in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6225
          #12 0x56140fc177c3 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3532
          #13 0x56140fc31ef0 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7740
          #14 0x56140fc0dfae in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1831
          #15 0x56140fc0afc4 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1384
          #16 0x56140ff45f9f in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
          #17 0x56140ff4596f in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
          #18 0x561411175ddc in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
          #19 0x7f637b9354a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
       
      Thread T5 created by T0 here:
          #0 0x7f637bb7bf59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
          #1 0x561411176218 in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1912
          #2 0x56140fa12212 in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1239
          #3 0x56140fa2680c in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6506
          #4 0x56140fa26eef in create_new_thread /data/src/10.2/sql/mysqld.cc:6576
          #5 0x56140fa27f07 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6851
          #6 0x56140fa25d77 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6125
          #7 0x56140fa10b9f in main /data/src/10.2/sql/main.cc:25
          #8 0x7f63799a12e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
       
      SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.2/strings/ctype-simple.c:182 in my_strnncollsp_simple
      Shadow bytes around the buggy address:
        0x0c428000db70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c428000db80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c428000db90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c428000dba0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c428000dbb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      =>0x0c428000dbc0: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
        0x0c428000dbd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c428000dbe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c428000dbf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c428000dc00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c428000dc10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==10332==ABORTING
      

      Reproducible on 10.2-10.5.
      No obvious problem shows up on a non-ASAN build, but that may simply be a matter of luck: the trace is a read of freed heap memory, and a run that happens not to crash has still performed that read.

      The test case above is derived from one that uses system versioning instead of the explicit TIMESTAMP column. That variant (below) looks simpler, but it is not applicable to 10.2.

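      -- System-versioning variant of the reproducer (10.3+ only; the
      -- accompanying trace is from 10.3). The faulting read is the same
      -- path: find_icp_matching_index_rec -> handler_index_cond_check ->
      -- key_cmp -> Field_blob::key_cmp on the prefix key over f3.
      INSTALL SONAME 'ha_rocksdb';

      CREATE TABLE t1 (
          f1 BLOB,
          f2 CHAR(1) CHARACTER SET latin1 NOT NULL,
          f3 TEXT NOT NULL,
          UNIQUE(f2),
          KEY(f3(8))   -- prefix key on a TEXT column compared by Field_blob::key_cmp
      ) ENGINE=RocksDB WITH SYSTEM VERSIONING;

      -- Explicit column list keeps the fixture rows aligned with the schema.
      INSERT INTO t1 (f1, f2, f3) VALUES
          ('',    'a', 'foo'),
          ('bar', 'b', '');

      -- Same column set as SELECT *, spelled out. The range predicate on f3
      -- plus ORDER BY f1 drives the filesort over the KEY(f3(8)) range scan
      -- seen in the trace.
      SELECT f1, f2, f3
      FROM t1
      WHERE f3 < 'qux'
      ORDER BY f1;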
      

      10.3 ASAN 02e30069

      ==10527==ERROR: AddressSanitizer: heap-use-after-free on address 0x6210000b9222 at pc 0x55fca6af9e25 bp 0x7f6c69a67660 sp 0x7f6c69a67658
      READ of size 1 at 0x6210000b9222 thread T5
          #0 0x55fca6af9e24 in my_strnncollsp_simple /data/src/10.3/strings/ctype-simple.c:182
          #1 0x55fca5844e6e in Field_blob::cmp(unsigned char const*, unsigned int, unsigned char const*, unsigned int) /data/src/10.3/sql/field.cc:8474
          #2 0x55fca5846261 in Field_blob::key_cmp(unsigned char const*, unsigned int) /data/src/10.3/sql/field.cc:8587
          #3 0x55fca5b2f558 in key_cmp(st_key_part_info*, unsigned char const*, unsigned int) /data/src/10.3/sql/key.cc:517
          #4 0x55fca58b81d8 in handler::compare_key2(st_key_range*) const /data/src/10.3/sql/handler.cc:5935
          #5 0x55fca58b8326 in handler_index_cond_check /data/src/10.3/sql/handler.cc:5956
          #6 0x7f6c688b9d63 in myrocks::ha_rocksdb::find_icp_matching_index_rec(bool, unsigned char*) /data/src/10.3/storage/rocksdb/ha_rocksdb.cc:8683
          #7 0x7f6c688bd978 in myrocks::ha_rocksdb::index_next_with_direction(unsigned char*, bool) /data/src/10.3/storage/rocksdb/ha_rocksdb.cc:9112
          #8 0x7f6c688be556 in myrocks::ha_rocksdb::index_first_intern(unsigned char*) /data/src/10.3/storage/rocksdb/ha_rocksdb.cc:9219
          #9 0x7f6c688bdc92 in myrocks::ha_rocksdb::index_first(unsigned char*) /data/src/10.3/storage/rocksdb/ha_rocksdb.cc:9133
          #10 0x55fca58a44f9 in handler::ha_index_first(unsigned char*) /data/src/10.3/sql/handler.cc:2989
          #11 0x7f6c688b75f0 in myrocks::ha_rocksdb::read_range_first(st_key_range const*, st_key_range const*, bool, bool) /data/src/10.3/storage/rocksdb/ha_rocksdb.cc:8337
          #12 0x55fca55a495c in handler::multi_range_read_next(void**) /data/src/10.3/sql/multi_range_read.cc:299
          #13 0x55fca5c3ac81 in QUICK_RANGE_SELECT::get_next() /data/src/10.3/sql/opt_range.cc:11498
          #14 0x55fca588205d in find_all_keys /data/src/10.3/sql/filesort.cc:772
          #15 0x55fca587e926 in filesort(THD*, TABLE*, Filesort*, Filesort_tracker*, JOIN*, unsigned long long) /data/src/10.3/sql/filesort.cc:268
          #16 0x55fca52ce9c3 in create_sort_index(THD*, JOIN*, st_join_table*, Filesort*) /data/src/10.3/sql/sql_select.cc:22794
          #17 0x55fca52bf0ea in st_join_table::sort_table() /data/src/10.3/sql/sql_select.cc:20560
          #18 0x55fca52be5f7 in join_init_read_record(st_join_table*) /data/src/10.3/sql/sql_select.cc:20501
          #19 0x55fca52b7e8f in sub_select(JOIN*, st_join_table*, bool) /data/src/10.3/sql/sql_select.cc:19582
          #20 0x55fca52b6392 in do_select /data/src/10.3/sql/sql_select.cc:19125
          #21 0x55fca5251f1c in JOIN::exec_inner() /data/src/10.3/sql/sql_select.cc:4098
          #22 0x55fca524fb4f in JOIN::exec() /data/src/10.3/sql/sql_select.cc:3892
          #23 0x55fca525302e in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.3/sql/sql_select.cc:4297
          #24 0x55fca522d065 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.3/sql/sql_select.cc:370
          #25 0x55fca51aeda4 in execute_sqlcom_select /data/src/10.3/sql/sql_parse.cc:6294
          #26 0x55fca519e5a9 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3821
          #27 0x55fca51b7de0 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7818
          #28 0x55fca5192acc in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1856
          #29 0x55fca518f9ab in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1401
          #30 0x55fca5505ae4 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
          #31 0x55fca55054ab in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
          #32 0x55fca696f1f3 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
          #33 0x7f6c758c34a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
          #34 0x7f6c739f7d0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
       
      0x6210000b9222 is located 290 bytes inside of 4172-byte region [0x6210000b9100,0x6210000ba14c)
      freed by thread T5 here:
          #0 0x7f6c75b9aa10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
          #1 0x55fca6a9fe9a in free_memory /data/src/10.3/mysys/safemalloc.c:279
          #2 0x55fca6a9f583 in sf_free /data/src/10.3/mysys/safemalloc.c:197
          #3 0x55fca6a71715 in my_free /data/src/10.3/mysys/my_malloc.c:223
          #4 0x55fca6a523ca in free_root /data/src/10.3/mysys/my_alloc.c:429
          #5 0x55fca5c061cb in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool) /data/src/10.3/sql/opt_range.cc:2699
          #6 0x55fca5253529 in get_quick_record_count /data/src/10.3/sql/sql_select.cc:4334
          #7 0x55fca525941a in make_join_statistics /data/src/10.3/sql/sql_select.cc:5040
          #8 0x55fca523c7ae in JOIN::optimize_inner() /data/src/10.3/sql/sql_select.cc:1942
          #9 0x55fca523820b in JOIN::optimize() /data/src/10.3/sql/sql_select.cc:1488
          #10 0x55fca5252e44 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.3/sql/sql_select.cc:4283
          #11 0x55fca522d065 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.3/sql/sql_select.cc:370
          #12 0x55fca51aeda4 in execute_sqlcom_select /data/src/10.3/sql/sql_parse.cc:6294
          #13 0x55fca519e5a9 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3821
          #14 0x55fca51b7de0 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7818
          #15 0x55fca5192acc in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1856
          #16 0x55fca518f9ab in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1401
          #17 0x55fca5505ae4 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
          #18 0x55fca55054ab in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
          #19 0x55fca696f1f3 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
          #20 0x7f6c758c34a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
       
      previously allocated by thread T5 here:
          #0 0x7f6c75b9ad28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
          #1 0x55fca6a9ef9b in sf_malloc /data/src/10.3/mysys/safemalloc.c:118
          #2 0x55fca6a70e24 in my_malloc /data/src/10.3/mysys/my_malloc.c:101
          #3 0x55fca6a51555 in alloc_root /data/src/10.3/mysys/my_alloc.c:250
          #4 0x55fca5c0478c in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool) /data/src/10.3/sql/opt_range.cc:2469
          #5 0x55fca5253529 in get_quick_record_count /data/src/10.3/sql/sql_select.cc:4334
          #6 0x55fca525941a in make_join_statistics /data/src/10.3/sql/sql_select.cc:5040
          #7 0x55fca523c7ae in JOIN::optimize_inner() /data/src/10.3/sql/sql_select.cc:1942
          #8 0x55fca523820b in JOIN::optimize() /data/src/10.3/sql/sql_select.cc:1488
          #9 0x55fca5252e44 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.3/sql/sql_select.cc:4283
          #10 0x55fca522d065 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.3/sql/sql_select.cc:370
          #11 0x55fca51aeda4 in execute_sqlcom_select /data/src/10.3/sql/sql_parse.cc:6294
          #12 0x55fca519e5a9 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3821
          #13 0x55fca51b7de0 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7818
          #14 0x55fca5192acc in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1856
          #15 0x55fca518f9ab in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1401
          #16 0x55fca5505ae4 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
          #17 0x55fca55054ab in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
          #18 0x55fca696f1f3 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
          #19 0x7f6c758c34a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
       
      Thread T5 created by T0 here:
          #0 0x7f6c75b09f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
          #1 0x55fca696f62f in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1912
          #2 0x55fca4efcb50 in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1268
          #3 0x55fca4f11e5c in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6600
          #4 0x55fca4f1253f in create_new_thread /data/src/10.3/sql/mysqld.cc:6670
          #5 0x55fca4f13557 in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6945
          #6 0x55fca4f1132c in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6222
          #7 0x55fca4efb26f in main /data/src/10.3/sql/main.cc:25
          #8 0x7f6c7392f2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
       
      SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.3/strings/ctype-simple.c:182 in my_strnncollsp_simple
      Shadow bytes around the buggy address:
        0x0c428000f1f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c428000f200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c428000f210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c428000f220: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c428000f230: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      =>0x0c428000f240: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
        0x0c428000f250: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c428000f260: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c428000f270: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c428000f280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c428000f290: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==10527==ABORTING
      


            People

            Assignee:
            psergey Sergei Petrunia
            Reporter:
            elenst Elena Stepanova
