Details
Blocker Description
On one hand, it's a non-debug crash of a bad kind (usually when similar stack traces come from the real world, they are poorly resolved and the failures are not easily reproducible). On the other hand, the test case is very unrealistic. So, I don't expect it to be fixed soon, but it's good to have it filed, so that we can match similar observations with it.
UPD: The test case in the description is for 10.2 only. See comments for a test case for higher versions.
CREATE TABLE t1 (a INT); |
INSERT INTO t1 VALUES (1),(2); |
SELECT DISTINCT CASE CONVERT(EXPORT_SET(0, COLLATION(BENCHMARK(1, BIT_OR(0))),0),TIME) WHEN a THEN 1 END AS f FROM t1; |
 |
# Cleanup
|
DROP TABLE t1; |
|
10.2 debug 7c5519c1 |
#3 <signal handler called>
|
#4 0x0000563edc4a97a2 in JOIN_CACHE::free (this=0x8f8f8f8f8f8f8f8f) at /data/src/10.2/sql/sql_join_cache.h:673
|
#5 0x0000563edc47dd4c in st_join_table::cleanup (this=0x7f14100159a8) at /data/src/10.2/sql/sql_select.cc:11943
|
#6 0x0000563edc47ed5a in JOIN::cleanup (this=0x7f1410013d28, full=true) at /data/src/10.2/sql/sql_select.cc:12364
|
#7 0x0000563edc467c2d in JOIN::destroy (this=0x7f1410013d28) at /data/src/10.2/sql/sql_select.cc:3664
|
#8 0x0000563edc50ec7e in st_select_lex::cleanup (this=0x7f14100050c8) at /data/src/10.2/sql/sql_union.cc:1558
|
#9 0x0000563edc468201 in mysql_select (thd=0x7f1410000d90, tables=0x7f1410013610, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748609, result=0x7f1410013d08, unit=0x7f1410004988, select_lex=0x7f14100050c8) at /data/src/10.2/sql/sql_select.cc:3845
|
#10 0x0000563edc45c31a in handle_select (thd=0x7f1410000d90, lex=0x7f14100048c8, result=0x7f1410013d08, setup_tables_done_option=0) at /data/src/10.2/sql/sql_select.cc:361
|
#11 0x0000563edc426eb8 in execute_sqlcom_select (thd=0x7f1410000d90, all_tables=0x7f1410013610) at /data/src/10.2/sql/sql_parse.cc:6218
|
#12 0x0000563edc41d77a in mysql_execute_command (thd=0x7f1410000d90) at /data/src/10.2/sql/sql_parse.cc:3524
|
#13 0x0000563edc42ac47 in mysql_parse (thd=0x7f1410000d90, rawbuf=0x7f14100126f8 "SELECT DISTINCT CASE CONVERT(EXPORT_SET(0, COLLATION(BENCHMARK(1, BIT_OR(0))),0),TIME) WHEN a THEN 1 END AS f FROM t1", length=117, parser_state=0x7f1421eb75f0, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7733
|
#14 0x0000563edc418f56 in dispatch_command (command=COM_QUERY, thd=0x7f1410000d90, packet=0x7f1410008b51 "", packet_length=117, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1823
|
#15 0x0000563edc417a51 in do_command (thd=0x7f1410000d90) at /data/src/10.2/sql/sql_parse.cc:1377
|
#16 0x0000563edc571695 in do_handle_one_connection (connect=0x563edfffc9d0) at /data/src/10.2/sql/sql_connect.cc:1336
|
#17 0x0000563edc5713fa in handle_one_connection (arg=0x563edfffc9d0) at /data/src/10.2/sql/sql_connect.cc:1241
|
#18 0x0000563edcd95a6c in pfs_spawn_thread (arg=0x563ee00055a0) at /data/src/10.2/storage/perfschema/pfs.cc:1869
|
#19 0x00007f142826e609 in start_thread (arg=<optimized out>) at pthread_create.c:477
|
#20 0x00007f1427e48103 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
|
|
10.2 ASAN 7c5519c1 |
==1843582==ERROR: AddressSanitizer: use-after-poison on address 0x62b000003760 at pc 0x7f0f4aba4f2d bp 0x7f0f3fce6b80 sp 0x7f0f3fce6328
|
WRITE of size 944 at 0x62b000003760 thread T5
|
#0 0x7f0f4aba4f2c (/lib/x86_64-linux-gnu/libasan.so.5+0x67f2c)
|
#1 0x5644d9edf101 in JOIN::make_aggr_tables_info() /data/src/10.2/sql/sql_select.cc:2680
|
#2 0x5644d9ed9e5b in JOIN::optimize_inner() /data/src/10.2/sql/sql_select.cc:2246
|
#3 0x5644d9ece69b in JOIN::optimize() /data/src/10.2/sql/sql_select.cc:1114
|
#4 0x5644d9ee9cb1 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3819
|
#5 0x5644d9ec6aa1 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361
|
#6 0x5644d9e3ecaf in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6218
|
#7 0x5644d9e2bab7 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3524
|
#8 0x5644d9e48165 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7733
|
#9 0x5644d9e21460 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1823
|
#10 0x5644d9e1e23c in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1377
|
#11 0x5644da1a1e99 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
|
#12 0x5644da1a175c in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
|
#13 0x5644db521b3b in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
|
#14 0x7f0f4aa4c608 in start_thread /build/glibc-YYA7BZ/glibc-2.31/nptl/pthread_create.c:477
|
#15 0x7f0f4a628102 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122102)
|
 |
0x62b000003760 is located 13664 bytes inside of 24716-byte region [0x62b000000200,0x62b00000628c)
|
allocated by thread T5 here:
|
#0 0x7f0f4ac4abc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
|
#1 0x5644db704ce9 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
|
#2 0x5644db6d109e in my_malloc /data/src/10.2/mysys/my_malloc.c:101
|
#3 0x5644db6ae139 in reset_root_defaults /data/src/10.2/mysys/my_alloc.c:147
|
#4 0x5644d9d68c27 in THD::init_for_queries() /data/src/10.2/sql/sql_class.cc:1313
|
#5 0x5644da1a10da in prepare_new_connection_state(THD*) /data/src/10.2/sql/sql_connect.cc:1172
|
#6 0x5644da1a17a6 in thd_prepare_connection(THD*) /data/src/10.2/sql/sql_connect.cc:1256
|
#7 0x5644da1a1dc4 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1326
|
#8 0x5644da1a175c in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
|
#9 0x5644db521b3b in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
|
#10 0x7f0f4aa4c608 in start_thread /build/glibc-YYA7BZ/glibc-2.31/nptl/pthread_create.c:477
|
 |
Thread T5 created by T0 here:
|
#0 0x7f0f4ab77805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
|
#1 0x5644db521f2c in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1919
|
#2 0x5644d9bc6177 in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1246
|
#3 0x5644d9bddb07 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6518
|
#4 0x5644d9bde298 in create_new_thread /data/src/10.2/sql/mysqld.cc:6588
|
#5 0x5644d9bdf423 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6846
|
#6 0x5644d9bdce79 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6137
|
#7 0x5644d9bc4a5c in main /data/src/10.2/sql/main.cc:25
|
#8 0x7f0f4a52d0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
|
 |
SUMMARY: AddressSanitizer: use-after-poison (/lib/x86_64-linux-gnu/libasan.so.5+0x67f2c)
|
Shadow bytes around the buggy address:
|
0x0c567fff8690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c567fff86a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c567fff86b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c567fff86c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c567fff86d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
=>0x0c567fff86e0: 00 00 00 00 00 00 00 00 00 00 00 00[f7]00 00 f7
|
0x0c567fff86f0: 00 00 f7 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c567fff8700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c567fff8710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c567fff8720: 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 00 00
|
0x0c567fff8730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==1843582==ABORTING
|
|
10.2 rel 7c5519c1 |
#5 <signal handler called>
|
#6 0x0000000000000002 in ?? ()
|
#7 0x00005653f7c1cf0e in copy_fields (param=0x7f90080128c0) at /data/src/10.2/sql/sql_select.cc:23502
|
#8 0x00005653f7c1d492 in end_write (join=0x7f9008010980, join_tab=0x7f9008012250, end_of_records=<optimized out>) at /data/src/10.2/sql/sql_select.cc:20259
|
#9 0x00005653f7c2b59a in AGGR_OP::put_record (this=<optimized out>) at /data/src/10.2/sql/sql_select.h:973
|
#10 sub_select_postjoin_aggr (join=0x7f9008010980, join_tab=<optimized out>, end_of_records=<optimized out>) at /data/src/10.2/sql/sql_select.cc:18577
|
#11 0x00005653f7bfddaf in evaluate_join_record (join=join@entry=0x7f9008010980, join_tab=join_tab@entry=0x7f9008011ea0, error=<optimized out>) at /data/src/10.2/sql/sql_select.cc:19076
|
#12 0x00005653f7c07b23 in sub_select (end_of_records=false, join_tab=0x7f9008011ea0, join=0x7f9008010980) at /data/src/10.2/sql/sql_select.cc:18856
|
#13 sub_select (join=0x7f9008010980, join_tab=0x7f9008011ea0, end_of_records=<optimized out>) at /data/src/10.2/sql/sql_select.cc:18791
|
#14 0x00005653f7c30757 in do_select (procedure=<optimized out>, join=0x7f9008010980) at /data/src/10.2/sql/sql_select.cc:18400
|
#15 JOIN::exec_inner (this=this@entry=0x7f9008010980) at /data/src/10.2/sql/sql_select.cc:3638
|
#16 0x00005653f7c309f7 in JOIN::exec (this=this@entry=0x7f9008010980) at /data/src/10.2/sql/sql_select.cc:3433
|
#17 0x00005653f7c30b3a in mysql_select (thd=0x7f9008000c48, tables=0x7f9008010268, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748609, result=0x7f9008010960, unit=0x7f9008004680, select_lex=0x7f9008004dc0) at /data/src/10.2/sql/sql_select.cc:3833
|
#18 0x00005653f7c314af in handle_select (thd=thd@entry=0x7f9008000c48, lex=lex@entry=0x7f90080045c0, result=result@entry=0x7f9008010960, setup_tables_done_option=setup_tables_done_option@entry=0) at /data/src/10.2/sql/sql_select.cc:361
|
#19 0x00005653f7bc6b91 in execute_sqlcom_select (thd=0x7f9008000c48, all_tables=0x7f9008010268) at /data/src/10.2/sql/sql_parse.cc:6218
|
#20 0x00005653f7bd41f2 in mysql_execute_command (thd=0x7f9008000c48) at /data/src/10.2/sql/sql_parse.cc:3524
|
#21 0x00005653f7bd70eb in mysql_parse (thd=thd@entry=0x7f9008000c48, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x7f9019ffb5b0, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /data/src/10.2/sql/sql_parse.cc:7733
|
#22 0x00005653f7bda39d in dispatch_command (command=COM_QUERY, thd=0x7f9008000c48, packet=<optimized out>, packet_length=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /data/src/10.2/sql/sql_class.h:1095
|
#23 0x00005653f7bdb527 in do_command (thd=0x7f9008000c48) at /data/src/10.2/sql/sql_parse.cc:1377
|
#24 0x00005653f7cb3876 in do_handle_one_connection (connect=connect@entry=0x5653f96996f8) at /data/src/10.2/sql/sql_connect.cc:1336
|
#25 0x00005653f7cb39ef in handle_one_connection (arg=arg@entry=0x5653f96996f8) at /data/src/10.2/sql/sql_connect.cc:1241
|
#26 0x00005653f824a9b6 in pfs_spawn_thread (arg=0x5653f96a4e38) at /data/src/10.2/storage/perfschema/pfs.cc:1869
|
#27 0x00007f90203b3609 in start_thread (arg=<optimized out>) at pthread_create.c:477
|
#28 0x00007f901ffa8103 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
|
Reproducible with at least MyISAM, InnoDB, Aria, on release, debug and ASAN builds as shown above.
Not reproducible on 10.1 or 10.3+.
Attachments
Issue Links
- is duplicated by
-
MDEV-26431 MariaDB Server use-after-poison
-
- Closed
-
- relates to
-
-
- Closed
-
-
-
- Open
-
-
-
- Open
-