Details
Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.4, 10.5
Fix Version/s: None
Description
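# Reproduction for a server crash when a HAVING condition containing a scalar
# subquery is pushed down by the optimizer and the statement is re-executed.
# (Trailing '|' characters from the original page were extraction artefacts
# and have been removed so the script parses.)
CREATE TABLE t1 (a CHAR(8)) ENGINE=MyISAM;

# Both settings are ordinary session variables. The pushdown switch is what
# routes the HAVING condition through and_new_conditions_to_optimized_cond ->
# Item_equal::add_const (frames #9-#12 of the non-debug trace), where the
# subquery gets evaluated during optimization.
SET optimizer_switch='condition_pushdown_from_having=on';
# A connection charset that differs from the column's wraps the subquery in
# Item_func_conv_charset (frame #7 of the non-debug trace); presumably that is
# what forces the early evaluation -- confirm when fixing.
SET character_set_connection= euckr;

# A prepared statement is required: the failure is tied to re-execution
# (debug build asserts `join->select_lex == this` in st_select_lex::cleanup
# called from subselect_single_select_engine::prepare; ASAN reports a
# use-after-poison on the subquery's JOIN in JOIN::destroy).
PREPARE stmt FROM "SELECT a FROM t1 GROUP BY a HAVING a = (SELECT 'baz')";
EXECUTE stmt;
# The second EXECUTE is presumably the one that crashes (the traces only show
# "EXECUTE stmt", so this cannot be confirmed from them).
EXECUTE stmt;

# Cleanup
DEALLOCATE PREPARE stmt;
DROP TABLE t1;
# Restore the session settings changed above (required if this is turned into
# an mtr test; harmless for a manual reproduction).
SET optimizer_switch=DEFAULT;
SET character_set_connection=DEFAULT;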
10.4 fd9ca2a7 non-debug build — crash backtrace (frames #0-#2 not shown; frame #4, subselect_single_select_engine::exec at item_subselect.cc:3851, is the frame the signal was raised in):
#3 <signal handler called>
|
#4 0x000055bbb7e4f3bc in subselect_single_select_engine::exec (this=0x7f11300c6228) at /data/src/10.4/sql/item_subselect.cc:3851
|
#5 0x000055bbb7e4df3d in Item_subselect::exec (this=0x7f11300c60a0) at /data/src/10.4/sql/item_subselect.cc:746
|
#6 0x000055bbb7e4e5cf in Item_singlerow_subselect::val_str (this=0x7f11300c60a0, str=0x7f1130010db8) at /data/src/10.4/sql/item_subselect.cc:1356
|
#7 0x000055bbb7e35a5d in Item_func_conv_charset::val_str (this=0x7f1130010cf0, str=0x7f11412fd9e0) at /data/src/10.4/sql/item_strfunc.cc:3503
|
#8 0x000055bbb7cd7714 in Type_handler_string_result::Item_eq_value (this=<optimized out>, thd=<optimized out>, attr=0x7f11300115b8, a=<optimized out>, b=0x7f1130010cf0) at /data/src/10.4/sql/sql_type.cc:8014
|
#9 0x000055bbb7de624a in Item_equal::add_const (this=0x7f11300114f8, thd=<optimized out>, c=0x7f1130010cf0) at /data/src/10.4/sql/item_cmpfunc.cc:6627
|
#10 0x000055bbb7de655b in Item_equal::merge_with_check (this=this@entry=0x7f11300114f8, thd=thd@entry=0x7f11300009a8, item=0x7f11300114f8, save_merged=save_merged@entry=true) at /data/src/10.4/sql/item_cmpfunc.cc:6752
|
#11 0x000055bbb7bd0bb0 in propagate_new_equalities (thd=thd@entry=0x7f11300009a8, cond=cond@entry=0x7f11300114f8, new_equalities=0x7f11300116e8, inherited=inherited@entry=0x0, is_simplifiable_cond=is_simplifiable_cond@entry=0x7f11412fdcaf) at /data/src/10.4/sql/sql_select.cc:17086
|
#12 0x000055bbb7cb91e6 in and_new_conditions_to_optimized_cond (thd=0x7f11300009a8, cond=0x7f11300114f8, cond_eq=cond_eq@entry=0x7f1130010410, new_conds=..., cond_value=cond_value@entry=0x7f11300102e8) at /data/src/10.4/sql/opt_subselect.cc:5996
|
#13 0x000055bbb7bea7c5 in JOIN::optimize_inner (this=this@entry=0x7f113000ffd8) at /data/src/10.4/sql/sql_select.cc:2038
|
#14 0x000055bbb7bece83 in JOIN::optimize (this=this@entry=0x7f113000ffd8) at /data/src/10.4/sql/sql_select.cc:1610
|
#15 0x000055bbb7bed040 in mysql_select (thd=thd@entry=0x7f11300009a8, tables=0x7f11300c4a30, wild_num=0, fields=..., conds=<optimized out>, og_num=1, order=0x0, group=0x7f11300c5220, having=0x7f11300c6268, proc_param=0x0, select_options=2416184064, result=0x7f11300c6cc0, unit=0x7f11300c2918, select_lex=0x7f11300c4468) at /data/src/10.4/sql/sql_select.cc:4673
|
#16 0x000055bbb7beda36 in handle_select (thd=thd@entry=0x7f11300009a8, lex=lex@entry=0x7f11300c2858, result=result@entry=0x7f11300c6cc0, setup_tables_done_option=setup_tables_done_option@entry=0) at /data/src/10.4/sql/sql_select.cc:422
|
#17 0x000055bbb7a97afa in execute_sqlcom_select (thd=thd@entry=0x7f11300009a8, all_tables=0x7f11300c4a30) at /data/src/10.4/sql/sql_parse.cc:6355
|
#18 0x000055bbb7b91dfd in mysql_execute_command (thd=0x7f11300009a8) at /data/src/10.4/sql/sql_parse.cc:3889
|
#19 0x000055bbb7bad32d in Prepared_statement::execute (this=this@entry=0x7f11300758f8, expanded_query=expanded_query@entry=0x7f1141300680, open_cursor=open_cursor@entry=false) at /data/src/10.4/sql/sql_prepare.cc:4765
|
#20 0x000055bbb7bad432 in Prepared_statement::execute_loop (this=0x7f11300758f8, expanded_query=0x7f1141300680, open_cursor=<optimized out>, packet=<optimized out>, packet_end=<optimized out>) at /data/src/10.4/sql/sql_prepare.cc:4251
|
#21 0x000055bbb7bad6ef in mysql_sql_stmt_execute (thd=thd@entry=0x7f11300009a8) at /data/src/10.4/sql/sql_prepare.cc:3368
|
#22 0x000055bbb7b922fc in mysql_execute_command (thd=thd@entry=0x7f11300009a8) at /data/src/10.4/sql/sql_parse.cc:3905
|
#23 0x000055bbb7b98a8a in mysql_parse (thd=thd@entry=0x7f11300009a8, rawbuf=<optimized out>, length=12, parser_state=parser_state@entry=0x7f1141302580, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /data/src/10.4/sql/sql_parse.cc:7896
|
#24 0x000055bbb7b9ad49 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7f11300009a8, packet=packet@entry=0x7f1130007a19 "EXECUTE stmt", packet_length=packet_length@entry=12, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /data/src/10.4/sql/sql_parse.cc:1835
|
#25 0x000055bbb7b9c506 in do_command (thd=0x7f11300009a8) at /data/src/10.4/sql/sql_parse.cc:1353
|
#26 0x000055bbb7c7a942 in do_handle_one_connection (connect=connect@entry=0x55bbbb7da778) at /data/src/10.4/sql/sql_connect.cc:1412
|
#27 0x000055bbb7c7a9fd in handle_one_connection (arg=arg@entry=0x55bbbb7da778) at /data/src/10.4/sql/sql_connect.cc:1316
|
#28 0x000055bbb82bb8c1 in pfs_spawn_thread (arg=0x55bbbb7da7d8) at /data/src/10.4/storage/perfschema/pfs.cc:1869
|
#29 0x00007f11483b04a4 in start_thread (arg=0x7f1141303700) at pthread_create.c:456
|
#30 0x00007f114742ed0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
|
10.4 fd9ca2a7 debug build — assertion failure (signal 6), backtrace follows:
mysqld: /data/src/10.4/sql/sql_union.cc:2069: bool st_select_lex::cleanup(): Assertion `(st_select_lex*)join->select_lex == this' failed.
|
200728 14:35:31 [ERROR] mysqld got signal 6 ;
|
|
#7 0x00007f6c54ed4f12 in __GI___assert_fail (assertion=0x55e752500698 "(st_select_lex*)join->select_lex == this", file=0x55e7525001d8 "/data/src/10.4/sql/sql_union.cc", line=2069, function=0x55e752501000 <st_select_lex::cleanup()::__PRETTY_FUNCTION__> "bool st_select_lex::cleanup()") at assert.c:101
|
#8 0x000055e7518ebde8 in st_select_lex::cleanup (this=0x7f6c34184e28) at /data/src/10.4/sql/sql_union.cc:2069
|
#9 0x000055e751c21faa in subselect_single_select_engine::prepare (this=0x7f6c34185cd0, thd=0x7f6c34000af0) at /data/src/10.4/sql/item_subselect.cc:3714
|
#10 0x000055e751c14e04 in Item_subselect::fix_fields (this=0x7f6c34185b48, thd_param=0x7f6c34000af0, ref=0x7f6c34185da8) at /data/src/10.4/sql/item_subselect.cc:283
|
#11 0x000055e7516c9897 in Item::fix_fields_if_needed (this=0x7f6c34185b48, thd=0x7f6c34000af0, ref=0x7f6c34185da8) at /data/src/10.4/sql/item.h:960
|
#12 0x000055e751bc0463 in Item_func::fix_fields (this=0x7f6c34185d10, thd=0x7f6c34000af0, ref=0x7f6c34013560) at /data/src/10.4/sql/item_func.cc:352
|
#13 0x000055e7516c9897 in Item::fix_fields_if_needed (this=0x7f6c34185d10, thd=0x7f6c34000af0, ref=0x7f6c34013560) at /data/src/10.4/sql/item.h:960
|
#14 0x000055e7516c98c5 in Item::fix_fields_if_needed_for_scalar (this=0x7f6c34185d10, thd=0x7f6c34000af0, ref=0x7f6c34013560) at /data/src/10.4/sql/item.h:964
|
#15 0x000055e75174e06d in Item::fix_fields_if_needed_for_bool (this=0x7f6c34185d10, thd=0x7f6c34000af0, ref=0x7f6c34013560) at /data/src/10.4/sql/item.h:968
|
#16 0x000055e751825f67 in JOIN::prepare (this=0x7f6c340133b0, tables_init=0x7f6c341844d8, wild_num=0, conds_init=0x0, og_num=1, order_init=0x0, skip_order_by=false, group_init=0x7f6c34184cc8, having_init=0x7f6c34185d10, proc_param_init=0x0, select_lex_arg=0x7f6c34183f10, unit_arg=0x7f6c341823c0) at /data/src/10.4/sql/sql_select.cc:1291
|
#17 0x000055e7518327b5 in mysql_select (thd=0x7f6c34000af0, tables=0x7f6c341844d8, wild_num=0, fields=..., conds=0x0, og_num=1, order=0x0, group=0x7f6c34184cc8, having=0x7f6c34185d10, proc_param=0x0, select_options=2416184064, result=0x7f6c34186768, unit=0x7f6c341823c0, select_lex=0x7f6c34183f10) at /data/src/10.4/sql/sql_select.cc:4650
|
#18 0x000055e75182242c in handle_select (thd=0x7f6c34000af0, lex=0x7f6c34182300, result=0x7f6c34186768, setup_tables_done_option=0) at /data/src/10.4/sql/sql_select.cc:422
|
#19 0x000055e7517e8ca4 in execute_sqlcom_select (thd=0x7f6c34000af0, all_tables=0x7f6c341844d8) at /data/src/10.4/sql/sql_parse.cc:6355
|
#20 0x000055e7517df2db in mysql_execute_command (thd=0x7f6c34000af0) at /data/src/10.4/sql/sql_parse.cc:3889
|
#21 0x000055e75180c9cc in Prepared_statement::execute (this=0x7f6c34132f70, expanded_query=0x7f6c4b057b50, open_cursor=false) at /data/src/10.4/sql/sql_prepare.cc:4765
|
#22 0x000055e75180ae2e in Prepared_statement::execute_loop (this=0x7f6c34132f70, expanded_query=0x7f6c4b057b50, open_cursor=false, packet=0x0, packet_end=0x0) at /data/src/10.4/sql/sql_prepare.cc:4251
|
#23 0x000055e751808902 in mysql_sql_stmt_execute (thd=0x7f6c34000af0) at /data/src/10.4/sql/sql_prepare.cc:3368
|
#24 0x000055e7517df320 in mysql_execute_command (thd=0x7f6c34000af0) at /data/src/10.4/sql/sql_parse.cc:3905
|
#25 0x000055e7517ecc51 in mysql_parse (thd=0x7f6c34000af0, rawbuf=0x7f6c34013198 "EXECUTE stmt", length=12, parser_state=0x7f6c4b058570, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:7896
|
#26 0x000055e7517d9186 in dispatch_command (command=COM_QUERY, thd=0x7f6c34000af0, packet=0x7f6c341364f1 "EXECUTE stmt", packet_length=12, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1835
|
#27 0x000055e7517d7928 in do_command (thd=0x7f6c34000af0) at /data/src/10.4/sql/sql_parse.cc:1353
|
#28 0x000055e751960afe in do_handle_one_connection (connect=0x55e754490ce0) at /data/src/10.4/sql/sql_connect.cc:1412
|
#29 0x000055e75196084d in handle_one_connection (arg=0x55e754490ce0) at /data/src/10.4/sql/sql_connect.cc:1316
|
#30 0x000055e752360a0d in pfs_spawn_thread (arg=0x55e7544ac900) at /data/src/10.4/storage/perfschema/pfs.cc:1869
|
#31 0x00007f6c56e5d4a4 in start_thread (arg=0x7f6c4b059700) at pthread_create.c:456
|
#32 0x00007f6c54f91d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
|
10.4 fd9ca2a7 non-debug ASAN build — use-after-poison report:
==3521==ERROR: AddressSanitizer: use-after-poison on address 0x62b000062d40 at pc 0x55915fe7f22d bp 0x7fd711f10250 sp 0x7fd711f10248
|
READ of size 8 at 0x62b000062d40 thread T5
|
#0 0x55915fe7f22c in JOIN::destroy() /data/src/10.4/sql/sql_select.cc:4494
|
#1 0x55915ff9e6e2 in st_select_lex::cleanup() /data/src/10.4/sql/sql_union.cc:2070
|
#2 0x559160550d50 in subselect_single_select_engine::prepare(THD*) /data/src/10.4/sql/item_subselect.cc:3714
|
#3 0x55916054f71c in Item_subselect::fix_fields(THD*, Item**) /data/src/10.4/sql/item_subselect.cc:283
|
#4 0x559160479cbe in Item::fix_fields_if_needed(THD*, Item**) /data/src/10.4/sql/item.h:960
|
#5 0x559160479cbe in Item_func::fix_fields(THD*, Item**) /data/src/10.4/sql/item_func.cc:352
|
#6 0x55915fdef843 in Item::fix_fields_if_needed(THD*, Item**) /data/src/10.4/sql/item.h:960
|
#7 0x55915fdef843 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /data/src/10.4/sql/item.h:964
|
#8 0x55915fe9d14d in Item::fix_fields_if_needed_for_bool(THD*, Item**) /data/src/10.4/sql/item.h:968
|
#9 0x55915fe9d14d in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.4/sql/sql_select.cc:1291
|
#10 0x55915fed12fc in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4650
|
#11 0x55915fed1b8f in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:422
|
#12 0x55915fb3d0d0 in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6355
|
#13 0x55915fdcf70c in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3889
|
#14 0x55915fe18ce7 in Prepared_statement::execute(String*, bool) /data/src/10.4/sql/sql_prepare.cc:4765
|
#15 0x55915fe192b3 in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.4/sql/sql_prepare.cc:4251
|
#16 0x55915fe19ba3 in mysql_sql_stmt_execute(THD*) /data/src/10.4/sql/sql_prepare.cc:3368
|
#17 0x55915fdd2138 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3905
|
#18 0x55915fde5118 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7896
|
#19 0x55915fdeb2ea in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1835
|
#20 0x55915fdee986 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1353
|
#21 0x5591600606e7 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412
|
#22 0x55916006090a in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
|
#23 0x559161067833 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
|
#24 0x7fd71c9b44a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
|
#25 0x7fd71aae8d0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
|
|
0x62b000062d40 is located 2880 bytes inside of 24608-byte region [0x62b000062200,0x62b000068220)
|
allocated by thread T5 here:
|
#0 0x7fd71cc8bd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
|
#1 0x559161120efc in my_malloc /data/src/10.4/mysys/my_malloc.c:101
|
|
Thread T5 created by T0 here:
|
#0 0x7fd71cbfaf59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
|
#1 0x55916106fab2 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919
|
|
SUMMARY: AddressSanitizer: use-after-poison /data/src/10.4/sql/sql_select.cc:4494 in JOIN::destroy()
|
Shadow bytes around the buggy address:
|
0x0c5680004550: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5680004560: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5680004570: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5680004580: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5680004590: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
=>0x0c56800045a0: f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7
|
0x0c56800045b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c56800045c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c56800045d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c56800045e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c56800045f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Heap right redzone: fb
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack partial redzone: f4
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
==3521==ABORTING
|
Reproducible on 10.4-10.5 in debug, non-debug and ASAN builds, as shown above.
The test case does not apply to earlier versions because the `condition_pushdown_from_having` optimizer switch it relies on does not exist there.

Impact note: the three traces point at the same stale object. The ASAN report is an 8-byte read in JOIN::destroy of memory marked "Poisoned by user" (shadow byte f7) inside a 24608-byte my_malloc block, i.e. memory the server itself has already marked as freed/trashed (presumably a MEM_ROOT arena — confirm). The debug build trips slightly earlier on the `join->select_lex == this` assertion in st_select_lex::cleanup, reached from subselect_single_select_engine::prepare during JOIN::prepare; the non-debug build gets past that point and faults later, in subselect_single_select_engine::exec during JOIN::optimize, presumably on the same stale JOIN. This should therefore be treated as a memory-safety bug (use of freed optimizer state on re-execution of a prepared statement), not merely a debug assertion. Both SET statements are ordinary session variables that appear to need no special privilege, so any authenticated client that can SELECT from a table with a CHAR column and use PREPARE/EXECUTE can likely bring the server down — a remotely triggerable denial of service until fixed.