Bug
Status: Closed
Major
Resolution: Fixed
10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5
Description
--source include/have_innodb.inc
|
|
# Reproducer for the ASAN heap-use-after-free reported below (mysqltest syntax).
# The POINT column carries an expression DEFAULT, so DEFAULT(h) must be
# materialised through Field_geom::store() (frame #6 of the allocation stack).
CREATE TEMPORARY TABLE t1 (h POINT DEFAULT ST_GEOMFROMTEXT('Point(1 1)')) ENGINE=InnoDB; |
# Two rows that take the column default.
INSERT INTO t1 () VALUES (),(); |
# Force a table rebuild between the initial inserts and the DEFAULT() read;
# the report does not state whether this step is essential, only that the
# case does not apply to 10.1.
ALTER TABLE t1 FORCE; |
# Item_default_value::calculate() stores the default into a String buffer
# (allocation stack). At the end of this statement THD::cleanup_after_query()
# frees that buffer via Item_default_value::cleanup() -> ~Field_geom -> ~String
# (free stack), leaving a dangling pointer behind.
SELECT DEFAULT(h) FROM t1; |
# The next statement still dereferences that pointer: rec_convert_dtuple_to_rec_comp
# reads 25 bytes from the freed region while building the InnoDB record (READ
# stack), which is why the follow-up comment warns that garbage may be inserted.
INSERT INTO t1 () VALUES (); |
10.2 3f12a596 ASAN |
==14343==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e000096c30 at pc 0x7f70cfd98f7f bp 0x7f70b7eb51e0 sp 0x7f70b7eb4990
|
READ of size 25 at 0x60e000096c30 thread T27
|
#0 0x7f70cfd98f7e (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cf7e)
|
#1 0x55bfa65879d9 in rec_convert_dtuple_to_rec_comp /data/src/10.2/storage/innobase/rem/rem0rec.cc:1310
|
#2 0x55bfa6587c52 in rec_convert_dtuple_to_rec_new /data/src/10.2/storage/innobase/rem/rem0rec.cc:1339
|
#3 0x55bfa6587ee0 in rec_convert_dtuple_to_rec(unsigned char*, dict_index_t const*, dtuple_t const*, unsigned long) /data/src/10.2/storage/innobase/rem/rem0rec.cc:1370
|
#4 0x55bfa67dd250 in page_cur_tuple_insert /data/src/10.2/storage/innobase/include/page0cur.ic:280
|
#5 0x55bfa67ebf90 in btr_cur_optimistic_insert(unsigned long, btr_cur_t*, unsigned short**, mem_block_info_t**, dtuple_t*, unsigned char**, big_rec_t**, unsigned long, que_thr_t*, mtr_t*) /data/src/10.2/storage/innobase/btr/btr0cur.cc:3211
|
#6 0x55bfa65d0592 in row_ins_clust_index_entry_low(unsigned long, unsigned long, dict_index_t*, unsigned long, dtuple_t*, unsigned long, que_thr_t*) /data/src/10.2/storage/innobase/row/row0ins.cc:2703
|
#7 0x55bfa65d239d in row_ins_clust_index_entry(dict_index_t*, dtuple_t*, que_thr_t*, unsigned long) /data/src/10.2/storage/innobase/row/row0ins.cc:3155
|
#8 0x55bfa65d2bcb in row_ins_index_entry /data/src/10.2/storage/innobase/row/row0ins.cc:3274
|
#9 0x55bfa65d37d6 in row_ins_index_entry_step /data/src/10.2/storage/innobase/row/row0ins.cc:3425
|
#10 0x55bfa65d406d in row_ins /data/src/10.2/storage/innobase/row/row0ins.cc:3562
|
#11 0x55bfa65d49c4 in row_ins_step(que_thr_t*) /data/src/10.2/storage/innobase/row/row0ins.cc:3682
|
#12 0x55bfa660efd5 in row_insert_for_mysql(unsigned char const*, row_prebuilt_t*) /data/src/10.2/storage/innobase/row/row0mysql.cc:1414
|
#13 0x55bfa63944f8 in ha_innobase::write_row(unsigned char*) /data/src/10.2/storage/innobase/handler/ha_innodb.cc:8177
|
#14 0x55bfa5ede0d3 in handler::ha_write_row(unsigned char*) /data/src/10.2/sql/handler.cc:6095
|
#15 0x55bfa588e3ea in write_record(THD*, TABLE*, st_copy_info*) /data/src/10.2/sql/sql_insert.cc:1941
|
#16 0x55bfa5888816 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.2/sql/sql_insert.cc:1066
|
#17 0x55bfa58e846f in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4167
|
#18 0x55bfa58ff9af in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7740
|
#19 0x55bfa58dbb08 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1832
|
#20 0x55bfa58d8bad in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1385
|
#21 0x55bfa5c11e31 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
|
#22 0x55bfa5c11801 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
|
#23 0x55bfa6e17aec in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
|
#24 0x7f70cfb264a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
|
#25 0x7f70cdc5ad0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
|
|
0x60e000096c30 is located 112 bytes inside of 148-byte region [0x60e000096bc0,0x60e000096c54)
|
freed by thread T27 here:
|
#0 0x7f70cfdfda10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
|
#1 0x55bfa6f1dc4f in free_memory /data/src/10.2/mysys/safemalloc.c:279
|
#2 0x55bfa6f1d2c9 in sf_free /data/src/10.2/mysys/safemalloc.c:197
|
#3 0x55bfa6eedde3 in my_free /data/src/10.2/mysys/my_malloc.c:218
|
#4 0x55bfa56d8c87 in String::free() /data/src/10.2/sql/sql_string.h:351
|
#5 0x55bfa56d8a6f in String::~String() /data/src/10.2/sql/sql_string.h:187
|
#6 0x55bfa5e99ee2 in Field_blob::~Field_blob() /data/src/10.2/sql/field.h:3299
|
#7 0x55bfa5e9d786 in Field_geom::~Field_geom() /data/src/10.2/sql/field.h:3523
|
#8 0x55bfa5e9d7a1 in Field_geom::~Field_geom() /data/src/10.2/sql/field.h:3523
|
#9 0x55bfa5f2fe7b in Item_default_value::cleanup() /data/src/10.2/sql/item.cc:9004
|
#10 0x55bfa58563f7 in Item::delete_self() /data/src/10.2/sql/item.h:1931
|
#11 0x55bfa58411a9 in Query_arena::free_items() /data/src/10.2/sql/sql_class.cc:3499
|
#12 0x55bfa5834e30 in THD::cleanup_after_query() /data/src/10.2/sql/sql_class.cc:2095
|
#13 0x55bfa58ffc66 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7761
|
#14 0x55bfa58dbb08 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1832
|
#15 0x55bfa58d8bad in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1385
|
#16 0x55bfa5c11e31 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
|
#17 0x55bfa5c11801 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
|
#18 0x55bfa6e17aec in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
|
#19 0x7f70cfb264a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
|
|
previously allocated by thread T27 here:
|
#0 0x7f70cfdfdd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
|
#1 0x55bfa6f1cca0 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
|
#2 0x55bfa6eed546 in my_malloc /data/src/10.2/mysys/my_malloc.c:101
|
#3 0x55bfa5ab53dc in String::real_alloc(unsigned long) /data/src/10.2/sql/sql_string.cc:45
|
#4 0x55bfa56f9dbb in String::alloc(unsigned long) /data/src/10.2/sql/sql_string.h:361
|
#5 0x55bfa5ab6123 in String::copy(char const*, unsigned long, charset_info_st const*) /data/src/10.2/sql/sql_string.cc:188
|
#6 0x55bfa5e7f9dd in Field_geom::store(char const*, unsigned int, charset_info_st const*) /data/src/10.2/sql/field.cc:8880
|
#7 0x55bfa5f18bc6 in Item::save_in_field(Field*, bool) /data/src/10.2/sql/item.cc:6420
|
#8 0x55bfa5e3abf7 in Field::set_default() /data/src/10.2/sql/field.cc:2457
|
#9 0x55bfa5f300c6 in Item_default_value::calculate() /data/src/10.2/sql/item.cc:9030
|
#10 0x55bfa5f302b1 in Item_default_value::send(Protocol*, String*) /data/src/10.2/sql/item.cc:9066
|
#11 0x55bfa56f3a52 in Protocol::send_result_set_row(List<Item>*) /data/src/10.2/sql/protocol.cc:990
|
#12 0x55bfa58397b9 in select_send::send_data(List<Item>&) /data/src/10.2/sql/sql_class.cc:2731
|
#13 0x55bfa59f9c42 in end_send /data/src/10.2/sql/sql_select.cc:20039
|
#14 0x55bfa59f2a16 in evaluate_join_record /data/src/10.2/sql/sql_select.cc:19087
|
#15 0x55bfa59f15bd in sub_select(JOIN*, st_join_table*, bool) /data/src/10.2/sql/sql_select.cc:18867
|
#16 0x55bfa59ef9d7 in do_select /data/src/10.2/sql/sql_select.cc:18411
|
#17 0x55bfa5990368 in JOIN::exec_inner() /data/src/10.2/sql/sql_select.cc:3633
|
#18 0x55bfa598e135 in JOIN::exec() /data/src/10.2/sql/sql_select.cc:3428
|
#19 0x55bfa59913ab in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3828
|
#20 0x55bfa597061b in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361
|
#21 0x55bfa58f7055 in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6225
|
#22 0x55bfa58e5337 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3532
|
#23 0x55bfa58ff9af in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7740
|
#24 0x55bfa58dbb08 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1832
|
#25 0x55bfa58d8bad in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1385
|
#26 0x55bfa5c11e31 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
|
#27 0x55bfa5c11801 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
|
#28 0x55bfa6e17aec in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
|
#29 0x7f70cfb264a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
|
|
Thread T27 created by T0 here:
|
#0 0x7f70cfd6cf59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
|
#1 0x55bfa6e17f28 in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1919
|
#2 0x55bfa56b7492 in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1246
|
#3 0x55bfa56cbc78 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6515
|
#4 0x55bfa56cc35b in create_new_thread /data/src/10.2/sql/mysqld.cc:6585
|
#5 0x55bfa56cd373 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6860
|
#6 0x55bfa56cb1b7 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6134
|
#7 0x55bfa56b5e1f in main /data/src/10.2/sql/main.cc:25
|
#8 0x7f70cdb922e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
|
|
SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cf7e)
|
Shadow bytes around the buggy address:
|
0x0c1c8000ad30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c1c8000ad40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c1c8000ad50: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 00
|
0x0c1c8000ad60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
|
0x0c1c8000ad70: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
|
=>0x0c1c8000ad80: fd fd fd fd fd fd[fd]fd fd fd fd fa fa fa fa fa
|
0x0c1c8000ad90: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c1c8000ada0: 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa
|
0x0c1c8000adb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c1c8000adc0: 00 00 04 fa fa fa fa fa fa fa fa fa 00 00 00 00
|
0x0c1c8000add0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 fa
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Heap right redzone: fb
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack partial redzone: f4
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
==14343==ABORTING
|
or a variation with ROW_FORMAT=REDUNDANT:
--source include/have_innodb.inc
|
|
# Same reproducer as above, but with ROW_FORMAT=REDUNDANT: the use-after-free
# is then hit in rec_convert_dtuple_to_rec_old (frame #1 of the READ stack)
# instead of rec_convert_dtuple_to_rec_comp.
CREATE TEMPORARY TABLE t1 (h POINT DEFAULT ST_GEOMFROMTEXT('Point(1 1)')) ENGINE=InnoDB ROW_FORMAT=REDUNDANT; |
# Two rows that take the column default.
INSERT INTO t1 () VALUES (),(); |
# Force a table rebuild before the DEFAULT() read.
ALTER TABLE t1 FORCE; |
# Allocates the default's String buffer in Field_geom::store() and frees it in
# THD::cleanup_after_query() -> Item_default_value::cleanup() (see both stacks).
SELECT DEFAULT(h) FROM t1; |
# Reads 25 bytes from the freed buffer while building the InnoDB record.
INSERT INTO t1 () VALUES (); |
==14461==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e000097090 at pc 0x7fd3c5517f7f bp 0x7fd3ad634350 sp 0x7fd3ad633b00
|
READ of size 25 at 0x60e000097090 thread T27
|
#0 0x7fd3c5517f7e (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cf7e)
|
#1 0x5630c6ea0870 in rec_convert_dtuple_to_rec_old /data/src/10.2/storage/innobase/rem/rem0rec.cc:1107
|
#2 0x5630c6ea1f06 in rec_convert_dtuple_to_rec(unsigned char*, dict_index_t const*, dtuple_t const*, unsigned long) /data/src/10.2/storage/innobase/rem/rem0rec.cc:1372
|
#3 0x5630c70f7250 in page_cur_tuple_insert /data/src/10.2/storage/innobase/include/page0cur.ic:280
|
#4 0x5630c7105f90 in btr_cur_optimistic_insert(unsigned long, btr_cur_t*, unsigned short**, mem_block_info_t**, dtuple_t*, unsigned char**, big_rec_t**, unsigned long, que_thr_t*, mtr_t*) /data/src/10.2/storage/innobase/btr/btr0cur.cc:3211
|
#5 0x5630c6eea592 in row_ins_clust_index_entry_low(unsigned long, unsigned long, dict_index_t*, unsigned long, dtuple_t*, unsigned long, que_thr_t*) /data/src/10.2/storage/innobase/row/row0ins.cc:2703
|
#6 0x5630c6eec39d in row_ins_clust_index_entry(dict_index_t*, dtuple_t*, que_thr_t*, unsigned long) /data/src/10.2/storage/innobase/row/row0ins.cc:3155
|
#7 0x5630c6eecbcb in row_ins_index_entry /data/src/10.2/storage/innobase/row/row0ins.cc:3274
|
#8 0x5630c6eed7d6 in row_ins_index_entry_step /data/src/10.2/storage/innobase/row/row0ins.cc:3425
|
#9 0x5630c6eee06d in row_ins /data/src/10.2/storage/innobase/row/row0ins.cc:3562
|
#10 0x5630c6eee9c4 in row_ins_step(que_thr_t*) /data/src/10.2/storage/innobase/row/row0ins.cc:3682
|
#11 0x5630c6f28fd5 in row_insert_for_mysql(unsigned char const*, row_prebuilt_t*) /data/src/10.2/storage/innobase/row/row0mysql.cc:1414
|
#12 0x5630c6cae4f8 in ha_innobase::write_row(unsigned char*) /data/src/10.2/storage/innobase/handler/ha_innodb.cc:8177
|
#13 0x5630c67f80d3 in handler::ha_write_row(unsigned char*) /data/src/10.2/sql/handler.cc:6095
|
#14 0x5630c61a83ea in write_record(THD*, TABLE*, st_copy_info*) /data/src/10.2/sql/sql_insert.cc:1941
|
#15 0x5630c61a2816 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.2/sql/sql_insert.cc:1066
|
#16 0x5630c620246f in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4167
|
#17 0x5630c62199af in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7740
|
#18 0x5630c61f5b08 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1832
|
#19 0x5630c61f2bad in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1385
|
#20 0x5630c652be31 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
|
#21 0x5630c652b801 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
|
#22 0x5630c7731aec in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
|
#23 0x7fd3c52a54a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
|
#24 0x7fd3c33d9d0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
|
|
0x60e000097090 is located 112 bytes inside of 148-byte region [0x60e000097020,0x60e0000970b4)
|
freed by thread T27 here:
|
#0 0x7fd3c557ca10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
|
#1 0x5630c7837c4f in free_memory /data/src/10.2/mysys/safemalloc.c:279
|
#2 0x5630c78372c9 in sf_free /data/src/10.2/mysys/safemalloc.c:197
|
#3 0x5630c7807de3 in my_free /data/src/10.2/mysys/my_malloc.c:218
|
#4 0x5630c5ff2c87 in String::free() /data/src/10.2/sql/sql_string.h:351
|
#5 0x5630c5ff2a6f in String::~String() /data/src/10.2/sql/sql_string.h:187
|
#6 0x5630c67b3ee2 in Field_blob::~Field_blob() /data/src/10.2/sql/field.h:3299
|
#7 0x5630c67b7786 in Field_geom::~Field_geom() /data/src/10.2/sql/field.h:3523
|
#8 0x5630c67b77a1 in Field_geom::~Field_geom() /data/src/10.2/sql/field.h:3523
|
#9 0x5630c6849e7b in Item_default_value::cleanup() /data/src/10.2/sql/item.cc:9004
|
#10 0x5630c61703f7 in Item::delete_self() /data/src/10.2/sql/item.h:1931
|
#11 0x5630c615b1a9 in Query_arena::free_items() /data/src/10.2/sql/sql_class.cc:3499
|
#12 0x5630c614ee30 in THD::cleanup_after_query() /data/src/10.2/sql/sql_class.cc:2095
|
#13 0x5630c6219c66 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7761
|
#14 0x5630c61f5b08 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1832
|
#15 0x5630c61f2bad in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1385
|
#16 0x5630c652be31 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
|
#17 0x5630c652b801 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
|
#18 0x5630c7731aec in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
|
#19 0x7fd3c52a54a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
|
|
previously allocated by thread T27 here:
|
#0 0x7fd3c557cd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
|
#1 0x5630c7836ca0 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
|
#2 0x5630c7807546 in my_malloc /data/src/10.2/mysys/my_malloc.c:101
|
#3 0x5630c63cf3dc in String::real_alloc(unsigned long) /data/src/10.2/sql/sql_string.cc:45
|
#4 0x5630c6013dbb in String::alloc(unsigned long) /data/src/10.2/sql/sql_string.h:361
|
#5 0x5630c63d0123 in String::copy(char const*, unsigned long, charset_info_st const*) /data/src/10.2/sql/sql_string.cc:188
|
#6 0x5630c67999dd in Field_geom::store(char const*, unsigned int, charset_info_st const*) /data/src/10.2/sql/field.cc:8880
|
#7 0x5630c6832bc6 in Item::save_in_field(Field*, bool) /data/src/10.2/sql/item.cc:6420
|
#8 0x5630c6754bf7 in Field::set_default() /data/src/10.2/sql/field.cc:2457
|
#9 0x5630c684a0c6 in Item_default_value::calculate() /data/src/10.2/sql/item.cc:9030
|
#10 0x5630c684a2b1 in Item_default_value::send(Protocol*, String*) /data/src/10.2/sql/item.cc:9066
|
#11 0x5630c600da52 in Protocol::send_result_set_row(List<Item>*) /data/src/10.2/sql/protocol.cc:990
|
#12 0x5630c61537b9 in select_send::send_data(List<Item>&) /data/src/10.2/sql/sql_class.cc:2731
|
#13 0x5630c6313c42 in end_send /data/src/10.2/sql/sql_select.cc:20039
|
#14 0x5630c630ca16 in evaluate_join_record /data/src/10.2/sql/sql_select.cc:19087
|
#15 0x5630c630b5bd in sub_select(JOIN*, st_join_table*, bool) /data/src/10.2/sql/sql_select.cc:18867
|
#16 0x5630c63099d7 in do_select /data/src/10.2/sql/sql_select.cc:18411
|
#17 0x5630c62aa368 in JOIN::exec_inner() /data/src/10.2/sql/sql_select.cc:3633
|
#18 0x5630c62a8135 in JOIN::exec() /data/src/10.2/sql/sql_select.cc:3428
|
#19 0x5630c62ab3ab in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3828
|
#20 0x5630c628a61b in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361
|
#21 0x5630c6211055 in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6225
|
#22 0x5630c61ff337 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3532
|
#23 0x5630c62199af in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7740
|
#24 0x5630c61f5b08 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1832
|
#25 0x5630c61f2bad in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1385
|
#26 0x5630c652be31 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
|
#27 0x5630c652b801 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
|
#28 0x5630c7731aec in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
|
#29 0x7fd3c52a54a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
|
|
Thread T27 created by T0 here:
|
#0 0x7fd3c54ebf59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
|
#1 0x5630c7731f28 in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1919
|
#2 0x5630c5fd1492 in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1246
|
#3 0x5630c5fe5c78 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6515
|
#4 0x5630c5fe635b in create_new_thread /data/src/10.2/sql/mysqld.cc:6585
|
#5 0x5630c5fe7373 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6860
|
#6 0x5630c5fe51b7 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6134
|
#7 0x5630c5fcfe1f in main /data/src/10.2/sql/main.cc:25
|
#8 0x7fd3c33112e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
|
|
SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cf7e)
|
Shadow bytes around the buggy address:
|
0x0c1c8000adc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c1c8000add0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c1c8000ade0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
|
0x0c1c8000adf0: 00 00 00 00 00 00 00 00 00 00 00 04 fa fa fa fa
|
0x0c1c8000ae00: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
|
=>0x0c1c8000ae10: fd fd[fd]fd fd fd fd fa fa fa fa fa fa fa fa fa
|
0x0c1c8000ae20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c1c8000ae30: 00 00 00 04 fa fa fa fa fa fa fa fa 00 00 00 00
|
0x0c1c8000ae40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 fa
|
0x0c1c8000ae50: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
|
0x0c1c8000ae60: 00 00 00 00 00 00 00 00 00 00 04 fa fa fa fa fa
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Heap right redzone: fb
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack partial redzone: f4
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
==14461==ABORTING
|
Reproducible on 10.2-10.5.
Reproducible both on debug+ASAN and release+ASAN.
The test case is not applicable to 10.1.
No obvious problem on a non-ASAN build.
Issue Links
- relates to
MDEV-24942 Server crashes in _ma_rec_pack / _ma_write_blob_record with DEFAULT() on BLOB
- Closed
MDEV-24958 Server crashes in my_strtod / Value_source::Converter_strntod::Converter_strntod with DEFAULT(blob)
- Closed
MDEV-25627 Unexpected warning ER_TRUNCATED_WRONG_VALUE or server crash in get_prefix upon using DEFAULT() on blob
- Open
The memory was freed in the SQL layer during the execution of the penultimate statement (the SELECT), and the pointer to the freed memory is subsequently passed to the final statement (the INSERT).
sanja, please reassign this to the appropriate developer. I think that this should affect all storage engines and could result in garbage being inserted:
10.2 f3160ee44f8f3ae4e5eeea768e289ec40253f35e
==40602==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400002b2d8 at pc 0x000000632e9a bp 0x7fbe38e76490 sp 0x7fbe38e75c58
READ of size 25 at 0x60400002b2d8 thread T27
#0 0x632e99 in __asan_memcpy (/dev/shm/10.2o/sql/mysqld+0x632e99)
…
SUMMARY: AddressSanitizer: heap-use-after-free (/dev/shm/10.2o/sql/mysqld+0x632e99) in __asan_memcpy
Shadow bytes around the buggy address:
…
=>0x0c087fffd650: fa fa 00 00 00 00 00 00 fa fa fd[fd]fd fd fd fa
…
Thread 3 hit Hardware access (read/write) watchpoint 1: *(char*)0x0c087fffd65b
Old value = 0 '\000'
New value = -3 '\375'
__memset_avx2_unaligned_erms () at ../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:273
273 in ../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S
(rr) when
Current event: 119649
(rr) bt
#0 __memset_avx2_unaligned_erms () at ../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:273
#1 0x00000000005c0ea2 in __asan::Allocator::QuarantineChunk(__asan::AsanChunk*, void*, __sanitizer::BufferedStackTrace*) ()
#2 0x0000000000633852 in free ()
#3 0x000000000228be81 in my_free (ptr=<optimized out>) at /mariadb/10.2o/mysys/my_malloc.c:218
#4 0x0000000000ead1d2 in String::free (this=0x62b000001408) at /mariadb/10.2o/sql/sql_string.h:351
#5 String::~String (this=0x62b000001408) at /mariadb/10.2o/sql/sql_string.h:187
#6 Field_blob::~Field_blob (this=0x62b000001330) at /mariadb/10.2o/sql/field.h:3307
#7 Field_geom::~Field_geom (this=0x62b000001330) at /mariadb/10.2o/sql/field.h:3530
#8 0x0000000000f5760c in Item_default_value::cleanup (this=0x62b000000400) at /mariadb/10.2o/sql/item.cc:8983
#9 0x000000000080af48 in Item::delete_self (this=0x62b000000400) at /mariadb/10.2o/sql/item.h:1938
#10 Query_arena::free_items (this=<optimized out>) at /mariadb/10.2o/sql/sql_class.cc:3498
#11 0x000000000080a95b in THD::cleanup_after_query (this=<optimized out>) at /mariadb/10.2o/sql/sql_class.cc:2095
#12 0x00000000008c4b88 in mysql_parse (thd=<optimized out>, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>)
at /mariadb/10.2o/sql/sql_parse.cc:7755
#13 0x00000000008b72eb in dispatch_command (command=<optimized out>, thd=0x62a0000ba208, packet=<optimized out>, packet_length=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>)
at /mariadb/10.2o/sql/sql_parse.cc:1823
#14 0x00000000008bfb8d in do_command (thd=0x62a0000ba208) at /mariadb/10.2o/sql/sql_parse.cc:1377
#15 0x0000000000c1d584 in do_handle_one_connection (connect=0x802c18 <THD::cleanup()+1704>) at /mariadb/10.2o/sql/sql_connect.cc:1336
#16 0x0000000000c1ccc4 in handle_one_connection (arg=0x608000001128) at /mariadb/10.2o/sql/sql_connect.cc:1241
#17 0x000000000217a5e6 in pfs_spawn_thread (arg=0x615000008008) at /mariadb/10.2o/storage/perfschema/pfs.cc:1869
#18 0x00007fbe54cceea7 in start_thread (arg=<optimized out>) at pthread_create.c:477
#19 0x00007fbe5431feaf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
(rr) frame 14
#14 0x00000000008bfb8d in do_command (thd=0x62a0000ba208) at /mariadb/10.2o/sql/sql_parse.cc:1377
1377 return_value= dispatch_command(command, thd, packet+1,
(rr) p thd->query_string
$2 = {string = {str = 0x62b000000228 "SELECT DEFAULT(h) FROM t1", length = 25}, cs = 0x366a740 <my_charset_latin1>}
(rr) c
…
(rr) c
Continuing.
Thread 3 hit Hardware access (read/write) watchpoint 1: *(char*)0x0c087fffd65b
Value = -3 '\375'
0x0000000000636159 in __asan_region_is_poisoned ()
(rr) bt
#0 0x0000000000636159 in __asan_region_is_poisoned ()
#1 0x0000000000632e8d in __asan_memcpy ()
#2 0x000000000174eb72 in rec_convert_dtuple_to_rec_comp (rec=0x61100005b622 '\276' <repeats 54 times>, index=<optimized out>, fields=0x616000054a40, n_fields=4, status=<optimized out>, temp=<optimized out>)
at /mariadb/10.2o/storage/innobase/rem/rem0rec.cc:1310
#3 0x000000000174c9ba in rec_convert_dtuple_to_rec_new (buf=0x61100005b608 "\031", index=0x617000043388, dtuple=<optimized out>) at /mariadb/10.2o/storage/innobase/rem/rem0rec.cc:1338
#4 rec_convert_dtuple_to_rec (buf=<optimized out>, index=<optimized out>, dtuple=<optimized out>, n_ext=<optimized out>) at /mariadb/10.2o/storage/innobase/rem/rem0rec.cc:1370
#5 0x0000000001ab7391 in page_cur_tuple_insert (cursor=0x7fbe38e77a08, tuple=<optimized out>, index=0x617000043388, offsets=0x7fbe38e783b0, heap=0x7fbe38e780b0, n_ext=0, mtr=0x7fbe38e77b60,
use_cache=<optimized out>) at /mariadb/10.2o/storage/innobase/include/page0cur.ic:280
#6 0x0000000001ab368a in btr_cur_optimistic_insert (flags=<optimized out>, cursor=<optimized out>, offsets=<optimized out>, heap=<optimized out>, entry=<optimized out>, rec=<optimized out>,
big_rec=<optimized out>, n_ext=0, thr=<optimized out>, mtr=<optimized out>) at /mariadb/10.2o/storage/innobase/btr/btr0cur.cc:3237
#7 0x000000000179c4a2 in row_ins_clust_index_entry_low (flags=<optimized out>, mode=2, index=<optimized out>, n_uniq=<optimized out>, entry=<optimized out>, n_ext=<optimized out>, thr=<optimized out>)
at /mariadb/10.2o/storage/innobase/row/row0ins.cc:2692
#8 0x00000000017a6d20 in row_ins_clust_index_entry (index=<optimized out>, entry=<optimized out>, thr=<optimized out>, n_ext=<optimized out>) at /mariadb/10.2o/storage/innobase/row/row0ins.cc:3144
#9 0x00000000017aa32c in row_ins_index_entry (index=0x617000043388, entry=0x616000054a08, thr=0x620000012888) at /mariadb/10.2o/storage/innobase/row/row0ins.cc:3263
#10 row_ins_index_entry_step (node=0x620000012628, thr=0x620000012888) at /mariadb/10.2o/storage/innobase/row/row0ins.cc:3414
#11 row_ins (node=0x620000012628, thr=0x620000012888) at /mariadb/10.2o/storage/innobase/row/row0ins.cc:3551
#12 row_ins_step (thr=0x620000012888) at /mariadb/10.2o/storage/innobase/row/row0ins.cc:3671
#13 0x00000000017ed0a2 in row_insert_for_mysql (mysql_rec=<optimized out>, prebuilt=<optimized out>) at /mariadb/10.2o/storage/innobase/row/row0mysql.cc:1411
#14 0x00000000014e5f05 in ha_innobase::write_row (this=<optimized out>, record=<optimized out>) at /mariadb/10.2o/storage/innobase/handler/ha_innodb.cc:8161
#15 0x0000000000ef6ad6 in handler::ha_write_row (this=0x61c0000610a8, buf=<optimized out>) at /mariadb/10.2o/sql/handler.cc:6108
#16 0x000000000086a337 in write_record (thd=<optimized out>, table=0x61e00003cc88, info=<optimized out>) at /mariadb/10.2o/sql/sql_insert.cc:1941
#17 0x00000000008613fa in mysql_insert (thd=<optimized out>, table_list=0x62b000000340, fields=<optimized out>, values_list=<optimized out>, update_fields=<optimized out>, update_values=<optimized out>,
duplic=<optimized out>, ignore=<optimized out>) at /mariadb/10.2o/sql/sql_insert.cc:1066
#18 0x00000000008d00b3 in mysql_execute_command (thd=0x62a0000ba208) at /mariadb/10.2o/sql/sql_parse.cc:4159
#19 0x00000000008c49c6 in mysql_parse (thd=<optimized out>, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>)
at /mariadb/10.2o/sql/sql_parse.cc:7733
#20 0x00000000008b72eb in dispatch_command (command=<optimized out>, thd=0x62a0000ba208, packet=<optimized out>, packet_length=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>)
at /mariadb/10.2o/sql/sql_parse.cc:1823
#21 0x00000000008bfb8d in do_command (thd=0x62a0000ba208) at /mariadb/10.2o/sql/sql_parse.cc:1377
#22 0x0000000000c1d584 in do_handle_one_connection (connect=0x802c18 <THD::cleanup()+1704>) at /mariadb/10.2o/sql/sql_connect.cc:1336
#23 0x0000000000c1ccc4 in handle_one_connection (arg=0x608000001128) at /mariadb/10.2o/sql/sql_connect.cc:1241
#24 0x000000000217a5e6 in pfs_spawn_thread (arg=0x615000008008) at /mariadb/10.2o/storage/perfschema/pfs.cc:1869
#25 0x00007fbe54cceea7 in start_thread (arg=<optimized out>) at pthread_create.c:477
#26 0x00007fbe5431feaf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
(rr) frame 18
#18 0x00000000008d00b3 in mysql_execute_command (thd=0x62a0000ba208) at /mariadb/10.2o/sql/sql_parse.cc:4159
4159 res= mysql_insert(thd, all_tables, lex->field_list, lex->many_values,
(rr) p thd->query_string
$3 = {string = {str = 0x62b000000228 "INSERT INTO t1 () VALUES ()", length = 27}, cs = 0x366a740 <my_charset_latin1>}