  1. MariaDB Server
  2. MDEV-24176

Server crashes after insert in the table with virtual column generated using date_format() and if()

Details

    Description

      # Reproducer from the report. `gd` is a virtual (generated) column whose
      # expression compares two DATE columns inside if() and formats one of them
      # with date_format().
      # Only ordinary DDL/DML is used, so the crash path is reachable by any account
      # that may create tables. NOTE(review): treat this as a server-availability
      # risk on the builds listed below until the fix is deployed.
      CREATE TABLE t1 (d1 date NOT NULL, d2 date NOT NULL,
      gd text as (concat(d1,if(d1 <> d2, date_format(d2, 'to %Y-%m-%d '), ''))) );
       
      # Two rows: one with d1 = d2 and one with d1 <> d2, so both branches of the
      # if() are taken when gd is computed.
      insert into t1(d1,d2) values 
        ('2020-09-01','2020-09-01'),('2020-05-01','2020-09-01');
       
      # mysqltest command: runs mysqldump on test.t1 and sends stdout and stderr to a
      # temp file. mysqldump connects as a separate client.
      # NOTE(review): the 10.2 ASan report below shows the bad read on connection
      # thread T6 under execute_sqlcom_select, in memory allocated by connection
      # thread T5. Presumably this is the dump's SELECT evaluating gd; confirm.
      --exec $MYSQL_DUMP test t1 > "$MYSQLTEST_VARDIR/tmp/1.sql" 2>&1
      # Insert issued after the dump. The 10.5 log below records this statement as the
      # query running at the crash (signal 11 under lock_tables -> fix_session_vcol_expr).
      insert  into t1 values ('2020-09-01','2020-09-01');
      

      10.2 c048053c8af5083d35f764

      Version: '10.2.36-MariaDB-debug-log'  socket: '/git/10.2/mysql-test/var/tmp/mysqld.1.sock'  port: 16000  Source distribution
      =================================================================
      ==43634==ERROR: AddressSanitizer: use-after-poison on address 0x62b000001288 at pc 0x55c9eb51b0d4 bp 0x7febf2c80cd0 sp 0x7febf2c80cc8
      READ of size 8 at 0x62b000001288 thread T6
          #0 0x55c9eb51b0d3 in Item::val_temporal_packed(enum_field_types) /git/10.2/sql/item.h:1525
          #1 0x55c9eb533dd7 in Arg_comparator::compare_temporal(enum_field_types) /git/10.2/sql/item_cmpfunc.cc:792
          #2 0x55c9eabd087a in Arg_comparator::compare_datetime() /git/10.2/sql/item_cmpfunc.h:105
          #3 0x55c9eb57279f in Arg_comparator::compare() /git/10.2/sql/item_cmpfunc.h:87
          #4 0x55c9eb5402d7 in Item_func_ne::val_int() /git/10.2/sql/item_cmpfunc.cc:1824
          #5 0x55c9eb4bfdc3 in Item::val_bool() /git/10.2/sql/item.cc:112
          #6 0x55c9eb5496fc in Item_func_if::str_op(String*) /git/10.2/sql/item_cmpfunc.cc:2533
          #7 0x55c9eb5fa020 in Item_func_hybrid_field_type::str_op_with_null_check(String*) /git/10.2/sql/item_func.h:467
          #8 0x55c9eb5b7d4d in Item_func_hybrid_field_type::val_str(String*) /git/10.2/sql/item_func.cc:881
          #9 0x55c9eb632ee3 in Item_func_concat::val_str(String*) /git/10.2/sql/item_strfunc.cc:611
          #10 0x55c9eb4efc69 in Item::save_in_field(Field*, bool) /git/10.2/sql/item.cc:6387
          #11 0x55c9eb11e6ce in TABLE::update_virtual_fields(handler*, enum_vcol_update_mode) /git/10.2/sql/table.cc:7759
          #12 0x55c9eb49940a in handler::ha_rnd_next(unsigned char*) /git/10.2/sql/handler.cc:2674
          #13 0x55c9eb85ae15 in rr_sequential(READ_RECORD*) /git/10.2/sql/records.cc:492
          #14 0x55c9eaf59251 in join_init_read_record(st_join_table*) /git/10.2/sql/sql_select.cc:19785
          #15 0x55c9eaf51e3e in sub_select(JOIN*, st_join_table*, bool) /git/10.2/sql/sql_select.cc:18856
          #16 0x55c9eaf4fb0c in do_select /git/10.2/sql/sql_select.cc:18403
          #17 0x55c9eaee6c63 in JOIN::exec_inner() /git/10.2/sql/sql_select.cc:3641
          #18 0x55c9eaee47d5 in JOIN::exec() /git/10.2/sql/sql_select.cc:3436
          #19 0x55c9eaee7e35 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /git/10.2/sql/sql_select.cc:3836
          #20 0x55c9eaec49a9 in handle_select(THD*, LEX*, select_result*, unsigned long) /git/10.2/sql/sql_select.cc:361
          #21 0x55c9eae38bb6 in execute_sqlcom_select /git/10.2/sql/sql_parse.cc:6249
          #22 0x55c9eae23ef0 in mysql_execute_command(THD*) /git/10.2/sql/sql_parse.cc:3558
          #23 0x55c9eae41ee7 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /git/10.2/sql/sql_parse.cc:7761
          #24 0x55c9eae18cd3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /git/10.2/sql/sql_parse.cc:1827
          #25 0x55c9eae156f8 in do_command(THD*) /git/10.2/sql/sql_parse.cc:1381
          #26 0x55c9eb1bc9b2 in do_handle_one_connection(CONNECT*) /git/10.2/sql/sql_connect.cc:1336
          #27 0x55c9eb1bc273 in handle_one_connection /git/10.2/sql/sql_connect.cc:1241
          #28 0x55c9ec655d23 in pfs_spawn_thread /git/10.2/storage/perfschema/pfs.cc:1869
          #29 0x7febfd780fa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
          #30 0x7febfd1044ce in clone (/lib/x86_64-linux-gnu/libc.so.6+0xf94ce)
       
      0x62b000001288 is located 4232 bytes inside of 24716-byte region [0x62b000000200,0x62b00000628c)
      allocated by thread T5 here:
          #0 0x7febfd883330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
          #1 0x55c9ec83aac1 in sf_malloc /git/10.2/mysys/safemalloc.c:118
          #2 0x55c9ec8080a9 in my_malloc /git/10.2/mysys/my_malloc.c:101
          #3 0x55c9ec7e5c56 in reset_root_defaults /git/10.2/mysys/my_alloc.c:147
          #4 0x55c9ead5d05b in THD::init_for_queries() /git/10.2/sql/sql_class.cc:1313
          #5 0x55c9eb1bbbb5 in prepare_new_connection_state(THD*) /git/10.2/sql/sql_connect.cc:1172
          #6 0x55c9eb1bc2b9 in thd_prepare_connection(THD*) /git/10.2/sql/sql_connect.cc:1256
          #7 0x55c9eb1bc8dd in do_handle_one_connection(CONNECT*) /git/10.2/sql/sql_connect.cc:1326
          #8 0x55c9eb1bc273 in handle_one_connection /git/10.2/sql/sql_connect.cc:1241
          #9 0x55c9ec655d23 in pfs_spawn_thread /git/10.2/storage/perfschema/pfs.cc:1869
          #10 0x7febfd780fa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
       
      Thread T6 created by T0 here:
          #0 0x7febfd7eadb0 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
          #1 0x55c9ec65615f in spawn_thread_v1 /git/10.2/storage/perfschema/pfs.cc:1919
          #2 0x55c9eabaa494 in inline_mysql_thread_create /git/10.2/include/mysql/psi/mysql_thread.h:1246
          #3 0x55c9eabc253e in create_thread_to_handle_connection(CONNECT*) /git/10.2/sql/mysqld.cc:6567
          #4 0x55c9eabc2c93 in create_new_thread /git/10.2/sql/mysqld.cc:6637
          #5 0x55c9eabc3e14 in handle_connections_sockets() /git/10.2/sql/mysqld.cc:6895
          #6 0x55c9eabc1921 in mysqld_main(int, char**) /git/10.2/sql/mysqld.cc:6186
          #7 0x55c9eaba8de4 in main /git/10.2/sql/main.cc:25
          #8 0x7febfd02f09a in __libc_start_main ../csu/libc-start.c:308
       
      Thread T5 created by T0 here:
          #0 0x7febfd7eadb0 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
          #1 0x55c9ec65615f in spawn_thread_v1 /git/10.2/storage/perfschema/pfs.cc:1919
          #2 0x55c9eabaa494 in inline_mysql_thread_create /git/10.2/include/mysql/psi/mysql_thread.h:1246
          #3 0x55c9eabc253e in create_thread_to_handle_connection(CONNECT*) /git/10.2/sql/mysqld.cc:6567
          #4 0x55c9eabc2c93 in create_new_thread /git/10.2/sql/mysqld.cc:6637
          #5 0x55c9eabc3e14 in handle_connections_sockets() /git/10.2/sql/mysqld.cc:6895
          #6 0x55c9eabc1921 in mysqld_main(int, char**) /git/10.2/sql/mysqld.cc:6186
          #7 0x55c9eaba8de4 in main /git/10.2/sql/main.cc:25
          #8 0x7febfd02f09a in __libc_start_main ../csu/libc-start.c:308
       
      SUMMARY: AddressSanitizer: use-after-poison /git/10.2/sql/item.h:1525 in Item::val_temporal_packed(enum_field_types)
      Shadow bytes around the buggy address:
        0x0c567fff8200: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fff8210: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fff8220: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fff8230: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fff8240: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      =>0x0c567fff8250: f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fff8260: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fff8270: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fff8280: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fff8290: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567fff82a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==43634==ABORTING
      ----------SERVER LOG END-------------
      mysqltest failed but provided no output
      
      

      Reproducible with both InnoDB and MyISAM; a non-debug build crashes similarly.

      10.5 f424eb974d2cf5fe875

      201109 17:04:20 [ERROR] mysqld got signal 11 ;
       
      Server version: 10.5.8-MariaDB-debug-log
       
      ??:0(__restore_rt)[0x7f684602d730]
      sql/item.h:2584(Item_args::walk_args(bool (Item::*)(void*), bool, void*))[0x55ebabb11c48]
      sql/item.h:5222(Item_func_or_sum::walk(bool (Item::*)(void*), bool, void*))[0x55ebabb12335]
      sql/item.h:2584(Item_args::walk_args(bool (Item::*)(void*), bool, void*))[0x55ebabb11c5d]
      sql/item.h:5222(Item_func_or_sum::walk(bool (Item::*)(void*), bool, void*))[0x55ebabb12335]
      sql/table.cc:3522(fix_session_vcol_expr(THD*, Virtual_column_info*))[0x55ebabce8e3c]
      sql/sql_base.cc:5357(TABLE::fix_vcol_exprs(THD*))[0x55ebabb05d97]
      sql/sql_base.cc:5393(fix_all_session_vcol_exprs(THD*, TABLE_LIST*))[0x55ebabb05fc6]
      sql/sql_base.cc:5576(lock_tables(THD*, TABLE_LIST*, unsigned int, unsigned int))[0x55ebabb066b7]
      sql/sql_base.cc:5188(open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*))[0x55ebabb057d2]
      sql/sql_base.h:507(open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int))[0x55ebababcdf7]
      sql/sql_insert.cc:756(mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*))[0x55ebabb57a01]
      sql/sql_parse.cc:4587(mysql_execute_command(THD*))[0x55ebabbaa59e]
      sql/sql_parse.cc:8044(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55ebabbb601d]
      sql/sql_parse.cc:1875(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55ebabba22d8]
      sql/sql_parse.cc:1353(do_command(THD*))[0x55ebabba0a0e]
      sql/sql_connect.cc:1410(do_handle_one_connection(CONNECT*, bool))[0x55ebabd47441]
      sql/sql_connect.cc:1314(handle_one_connection)[0x55ebabd471aa]
      perfschema/pfs.cc:2203(pfs_spawn_thread)[0x55ebac284a4b]
      nptl/pthread_create.c:487(start_thread)[0x7f6846022fa3]
      x86_64/clone.S:97(clone)[0x7f684562b4cf]
       
      Query (0x7f6824013ee0): insert  into t1 values ('2020-09-01','2020-09-01')
      
      

      A shorter version of the test case; it crashes only on 10.3-10.5, not on 10.2.

      # Reduced reproducer: the virtual column gd wraps date_format(d1, ...) in if().
      create table t1 (d1 date, gd text as (if(d1='',date_format(d1,'%y-%m-%d'),'')));
      # mysqltest command: dump test.t1 with mysqldump (a separate client); stdout and
      # stderr go to a temp file.
      --exec $MYSQL_DUMP test t1 > "$MYSQLTEST_VARDIR/tmp/1.sql" 2>&1
      # Insert of an all-defaults row after the dump. The reporter states this variant
      # crashes 10.3-10.5 but not 10.2; no separate trace is shown for it.
      insert into t1 values ();
      


          Activity

            nikitamalyavin Nikita Malyavin added a comment - - edited

            Raising to blocker, since MDEV-25772, a duplicate of this issue, is itself a blocker.

            nikitamalyavin Nikita Malyavin added a comment - - edited

            midenok I have collected the meaningfully distinguishable tests, so you can add them to your patch:

            # Regression cases collected from issues marked as duplicates of this one.
            # Each defines a virtual column whose expression calls a function whose value
            # depends on the session or statement (curdate(), user(), current_user()),
            # then runs more than one statement against the table.
            # NOTE(review): no expected output or per-case trace is shown on this page;
            # which statement fails in each case should be confirmed against the linked issues.
            --echo # MDEV-25772 (duplicate)
             
            # v_d1 compares the DATETIME column with curdate().
            create table t1 (d1 datetime , v_d1 tinyint(1) as (d1 < curdate()));
            insert into t1 (d1) values ('2021-09-11 08:38:23'), ('2021-09-01 08:38:23');
             
            # Two reads in a row: first filtering on the virtual column, then a full select.
            select * from t1 where v_d1=1;
            select * from t1;
             
            drop table t1;
             
            --echo # MDEV-26432 (duplicate)
             
            # v1 depends on user(); no rows are inserted before the selects.
            create table t1 (v2 int, v1 int as ((user() like 'x'))) ;
            select 1 from t1 where v1=1 ;
            select * from t1;
             
            drop table t1;
             
            # Same user()-based expression, followed by ORDER BY on the virtual column and
            # an ALTER TABLE on the same table.
            create table t1 (v2 int as ( user () like 'x'));
            select 1 from t1 order by v2 ;
            alter table t1 add i int;
            drop table t1;
             
            --echo # MDEV-26437 (duplicate)
             
            # v1 is a CASE expression that compares against current_user().
            create table v0 (v2 int not null,
                             v1 bigint as (case 'x' when current_user() then v2 end));
             
            # A select filtering on the virtual column, then an insert into the base column.
            select v2 as v3 from v0 where v1 like 'x' escape 'x';
            insert into v0 (v2) values (-128);
             
            drop table v0;
             
            # Same CASE/current_user() definition; second statement is SHOW CREATE TABLE.
            create table t1 (vi int as (case 'x' when current_user() then 1 end));
            select 1 from t1 where vi=1;
            show create table t1;
             
            drop table t1;
             
            # Same definition again; here the identical select is simply repeated.
            create table t1 (vi int as (case 'x' when current_user() then 1 end));
            select 1 from t1 where vi=1;
            select 1 from t1 where vi=1;
             
            drop table t1;
            


            nikitamalyavin Thanks! I have added them.

            midenok Aleksey Midenkov added a comment - nikitamalyavin Thanks! I have added them.

            Please review bb-10.2-midenok

            midenok Aleksey Midenkov added a comment - Please review bb-10.2-midenok
            alice Alice Sherepa added a comment -

            test from MDEV-28092:

            # Virtual column `a` is built from a BETWEEN over the TIMESTAMP column b whose
            # upper bound is CURRENT_USER.
            CREATE TABLE t1 (b TIMESTAMP, a int AS (1 IN (dayofmonth (b BETWEEN 'x' AND CURRENT_USER) = b)));
            INSERT INTO t1(b) VALUES ('2022-03-17 14:55:37');
             
            # t1 joined to itself (first instance aliased x) with NATURAL JOIN, so the same
            # table, including its virtual column, is opened twice in one statement.
            # NOTE(review): no trace for this case is attached on this page; see MDEV-28092.
            SELECT 1 FROM t1 x NATURAL JOIN t1;
            

            alice Alice Sherepa added a comment - - edited

            test from MDEV-28089:

            # Test from MDEV-28089: v1 is a generated DATE column whose expression includes
            # DATABASE(), i.e. a value taken from the current session.
            CREATE TABLE v0 ( v3 DATE , v2 INT , v1 DATE GENERATED ALWAYS AS ( UNIX_TIMESTAMP ( INET_ATON ( 87 ) ) IN ( 'x' , ASCII ( DATABASE ( ) = 'x' IS NULL ) ) ) ) engine=innodb;
            # INTO OUTFILE writes a file named 'x' on the server host; run this only on a
            # disposable test instance.
             SELECT v1 , '' , v2 FROM v0 INTO OUTFILE 'x' ;
            # The 10.7 log below records this statement as the query running at the crash
            # (signal 11; the stack passes through fix_session_vcol_expr_for_read).
             SELECT v2 FROM v0 ORDER BY 'x' = ( SELECT v1 WHERE v2 ) ;
            

            10.7 bf8dc0be9e4bc26a57223ea1

            Version: '10.7.4-MariaDB-debug-log'  
            220321 15:24:19 [ERROR] mysqld got signal 11 ;
             
            Server version: 10.7.4-MariaDB-debug-log
             
            sql/signal_handler.cc:226(handle_fatal_signal)[0x556378121e5f]
            sigaction.c:0(__restore_rt)[0x7ff4f3dfe3c0]
            mysys/my_malloc.c:198(my_free)[0x5563795dc9fc]
            sql/keycaches.cc:52(NAMED_ILINK::~NAMED_ILINK())[0x5563774f1ff4]
            sql/item.h:5311(Used_tables_and_const_cache::used_tables_and_const_cache_join(Item const*))[0x55637756cf66]
            sql/item_func.cc:354(Item_func::fix_fields(THD*, Item**))[0x556378275310]
            sql/item.h:1144(Item::fix_fields_if_needed(THD*, Item**))[0x5563775c57c1]
            sql/item_func.cc:347(Item_func::fix_fields(THD*, Item**))[0x5563782751ee]
            sql/item.h:1144(Item::fix_fields_if_needed(THD*, Item**))[0x5563775c57c1]
            sql/item_func.cc:347(Item_func::fix_fields(THD*, Item**))[0x5563782751ee]
            sql/item.h:1144(Item::fix_fields_if_needed(THD*, Item**))[0x5563775c57c1]
            sql/item_func.cc:347(Item_func::fix_fields(THD*, Item**))[0x5563782751ee]
            sql/item_cmpfunc.cc:4328(Item_func_in::fix_fields(THD*, Item**))[0x556378217ebd]
            sql/table.cc:3596(fix_vcol_expr(THD*, Virtual_column_info*))[0x556377c29fc6]
            sql/table.cc:3624(fix_session_vcol_expr(THD*, Virtual_column_info*))[0x556377c2a5e7]
            sql/table.cc:3643(fix_session_vcol_expr_for_read(THD*, Field*, Virtual_column_info*))[0x556377c2a913]
            sql/item.cc:6175(Item_field::fix_fields(THD*, Item**))[0x5563781ad897]
            sql/item.h:1144(Item::fix_fields_if_needed(THD*, Item**))[0x5563775c57c1]
            sql/item.h:1148(Item::fix_fields_if_needed_for_scalar(THD*, Item**))[0x5563775c57fb]
            sql/sql_base.cc:7722(setup_fields(THD*, Bounds_checked_array<Item*>, List<Item>&, enum_column_usage, List<Item>*, List<Item>*, bool))[0x5563776eb9a6]
            sql/sql_select.cc:1397(JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x5563779730dd]
            sql/item_subselect.cc:3900(subselect_single_select_engine::prepare(THD*))[0x5563783cfc74]
            sql/item_subselect.cc:295(Item_subselect::fix_fields(THD*, Item**))[0x5563783aa316]
            sql/item.h:1144(Item::fix_fields_if_needed(THD*, Item**))[0x5563775c57c1]
            sql/item_func.cc:347(Item_func::fix_fields(THD*, Item**))[0x5563782751ee]
            sql/item.h:1144(Item::fix_fields_if_needed(THD*, Item**))[0x5563775c57c1]
            sql/item.h:1148(Item::fix_fields_if_needed_for_scalar(THD*, Item**))[0x5563775c57fb]
            sql/item.h:1157(Item::fix_fields_if_needed_for_order_by(THD*, Item**))[0x556377a5726d]
            sql/sql_select.cc:25013(find_order_in_list(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, st_order*, List<Item>&, List<Item>&, bool, bool, bool))[0x556377a2b363]
            sql/sql_select.cc:25060(setup_order(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<Item>&, List<Item>&, st_order*, bool))[0x556377a2b923]
            sql/sql_select.cc:849(setup_without_group(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<TABLE_LIST>&, List<Item>&, List<Item>&, Item**, st_order*, st_order*, List<Window_spec>&, List<Item_window_func>&, bool*, unsigned int*))[0x55637796c1fd]
            sql/sql_select.cc:1403(JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x5563779734b2]
            sql/sql_select.cc:4984(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x5563779999b3]
            sql/sql_select.cc:545(handle_select(THD*, LEX*, select_result*, unsigned long))[0x556377969ef5]
            sql/sql_parse.cc:6252(execute_sqlcom_select(THD*, TABLE_LIST*))[0x556377890990]
            sql/sql_parse.cc:3943(mysql_execute_command(THD*, bool))[0x55637787f55f]
            sql/sql_parse.cc:8027(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x55637789bc2f]
            sql/sql_parse.cc:1896(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x556377871e66]
            sql/sql_parse.cc:1402(do_command(THD*, bool))[0x55637786eb8a]
            sql/sql_connect.cc:1418(do_handle_one_connection(CONNECT*, bool))[0x556377d10b07]
            sql/sql_connect.cc:1314(handle_one_connection)[0x556377d10393]
            perfschema/pfs.cc:2203(pfs_spawn_thread)[0x5563789badfc]
            nptl/pthread_create.c:478(start_thread)[0x7ff4f3df2609]
            ??:0(clone)[0x7ff4f39c3163]
             
            Query (0x6290001092a8): SELECT v2 FROM v0 ORDER BY 'x' = ( SELECT v1 WHERE v2 )
            

            # Reduced variant: virtual column b depends on DATABASE(); no rows are inserted.
            CREATE TABLE t1 (a INT , b DATE AS (1 IN ('x' ,(DATABASE () = 'x' IS NULL) ))) ;
            # First read of the virtual column.
             SELECT b FROM t1;
            # Second statement, referencing b in ORDER BY. The logs below record it as the
            # query running at the crash: signal 11 on 10.2.44, and the assertion
            # `!vcol->expr->fixed()' in fix_session_vcol_expr on 10.6.8.
             SELECT a FROM t1 ORDER BY 'x' = b ;
            

            10.2 421153848f0002c9e9b5e204d4c6

            Version: '10.2.44-MariaDB-debug-log'  
            220321 15:09:43 [ERROR] mysqld got signal 11 ;
             
             
            Server version: 10.2.44-MariaDB-debug-log
             
            sigaction.c:0(__restore_rt)[0x7fde57ed53c0]
            sql/item.h:4134(Item_args::walk_args(bool (Item::*)(void*), bool, void*))[0x5561a73b5ff3]
            sql/item.h:4420(Item_func_or_sum::walk(bool (Item::*)(void*), bool, void*))[0x5561a73b6b7c]
            sql/item.h:4134(Item_args::walk_args(bool (Item::*)(void*), bool, void*))[0x5561a73b6021]
            sql/item.h:4420(Item_func_or_sum::walk(bool (Item::*)(void*), bool, void*))[0x5561a73b6b7c]
            sql/table.cc:6843(TABLE::mark_virtual_col(Field*))[0x5561a7797e97]
            sql/sql_base.cc:5315(update_field_dependencies(THD*, Field*, TABLE*))[0x5561a739ca42]
            sql/sql_base.cc:5652(find_field_in_table(THD*, TABLE*, char const*, unsigned int, bool, unsigned int*))[0x5561a739f56b]
            sql/sql_base.cc:5765(find_field_in_table_ref(THD*, TABLE_LIST*, char const*, unsigned int, char const*, char const*, char const*, Item**, bool, bool, unsigned int*, bool, TABLE_LIST**))[0x5561a739ffc8]
            sql/sql_base.cc:6058(find_field_in_tables(THD*, Item_ident*, TABLE_LIST*, TABLE_LIST*, Item**, find_item_error_report_type, bool, bool))[0x5561a73a18b1]
            sql/item.cc:5505(Item_field::fix_fields(THD*, Item**))[0x5561a7b5aa51]
            sql/item_func.cc:201(Item_func::fix_fields(THD*, Item**))[0x5561a7c24103]
            sql/sql_select.cc:22736(find_order_in_list(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, st_order*, List<Item>&, List<Item>&, bool, bool, bool))[0x5561a75fa69b]
            sql/sql_select.cc:22784(setup_order(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<Item>&, List<Item>&, st_order*, bool))[0x5561a75facc8]
            sql/sql_select.cc:665(setup_without_group(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<TABLE_LIST>&, List<Item>&, List<Item>&, Item**, st_order*, st_order*, List<Window_spec>&, List<Item_window_func>&, bool*, unsigned int*))[0x5561a7556519]
            sql/sql_select.cc:812(JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x5561a75581ab]
            sql/sql_select.cc:3827(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x5561a7577592]
            sql/sql_select.cc:361(handle_select(THD*, LEX*, select_result*, unsigned long))[0x5561a7554184]
            sql/sql_parse.cc:6271(execute_sqlcom_select(THD*, TABLE_LIST*))[0x5561a74ca7ef]
            sql/sql_parse.cc:3582(mysql_execute_command(THD*))[0x5561a74b7b78]
            sql/sql_parse.cc:7793(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x5561a74d3d04]
            sql/sql_parse.cc:1830(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x5561a74acf09]
            sql/sql_parse.cc:1381(do_command(THD*))[0x5561a74a9cd4]
            sql/sql_connect.cc:1336(do_handle_one_connection(CONNECT*))[0x5561a783640a]
            sql/sql_connect.cc:1242(handle_one_connection)[0x5561a7835ccd]
            perfschema/pfs.cc:1871(pfs_spawn_thread)[0x5561a8bd6b6a]
            nptl/pthread_create.c:478(start_thread)[0x7fde57ec9609]
            /lib/x86_64-linux-gnu/libc.so.6(clone+0x43)[0x7fde57637163]
             
            Query (0x62b000000290): SELECT a FROM t1 ORDER BY 'x'= b
            
            

            on 10.6+

            Version: '10.6.8-MariaDB-debug-log'  
            mariadbd: 10.6/src/sql/table.cc:3608: bool fix_session_vcol_expr(THD*, Virtual_column_info*): Assertion `!vcol->expr->fixed()' failed.
            220321 15:07:00 [ERROR] mysqld got signal 6 ;
             
            Server version: 10.6.8-MariaDB-debug-log
             
            ??:0(__assert_fail)[0x7f219147a006]
            sql/table.cc:3609(fix_session_vcol_expr(THD*, Virtual_column_info*))[0x55c13ce0ed75]
            sql/table.cc:3628(fix_session_vcol_expr_for_read(THD*, Field*, Virtual_column_info*))[0x55c13ce0f0ff]
            sql/item.cc:6175(Item_field::fix_fields(THD*, Item**))[0x55c13d39246d]
            sql/item.h:1144(Item::fix_fields_if_needed(THD*, Item**))[0x55c13c7ee1f9]
            sql/item_func.cc:347(Item_func::fix_fields(THD*, Item**))[0x55c13d45cbda]
            sql/item.h:1144(Item::fix_fields_if_needed(THD*, Item**))[0x55c13c7ee1f9]
            sql/item.h:1148(Item::fix_fields_if_needed_for_scalar(THD*, Item**))[0x55c13c7ee233]
            sql/item.h:1157(Item::fix_fields_if_needed_for_order_by(THD*, Item**))[0x55c13cc39855]
            sql/sql_select.cc:25015(find_order_in_list(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, st_order*, List<Item>&, List<Item>&, bool, bool, bool))[0x55c13cc0c677]
            sql/sql_select.cc:25062(setup_order(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<Item>&, List<Item>&, st_order*, bool))[0x55c13cc0cc37]
            sql/sql_select.cc:849(setup_without_group(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<TABLE_LIST>&, List<Item>&, List<Item>&, Item**, st_order*, st_order*, List<Window_spec>&, List<Item_window_func>&, bool*, unsigned int*))[0x55c13cb4d5cd]
            sql/sql_select.cc:1403(JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x55c13cb54882]
            sql/sql_select.cc:4986(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55c13cb7ad0f]
            sql/sql_select.cc:545(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55c13cb4b2c5]
            sql/sql_parse.cc:6255(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55c13cab02d1]
            sql/sql_parse.cc:3945(mysql_execute_command(THD*, bool))[0x55c13ca9ee77]
            sql/sql_parse.cc:8029(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x55c13cabb594]
            sql/sql_parse.cc:1898(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x55c13ca9177d]
            sql/sql_parse.cc:1404(do_command(THD*, bool))[0x55c13ca8e4a1]
            sql/sql_connect.cc:1418(do_handle_one_connection(CONNECT*, bool))[0x55c13cef629d]
            sql/sql_connect.cc:1314(handle_one_connection)[0x55c13cef5b29]
            perfschema/pfs.cc:2203(pfs_spawn_thread)[0x55c13dc1bfc2]
            nptl/pthread_create.c:478(start_thread)[0x7f2191994609]
            ??:0(clone)[0x7f2191565163]
             
            Query (0x62b0000c42a8): SELECT a FROM t1 ORDER BY 'x'= b
            

            # Further variant: the expression is reduced to 1 IN ('x', DATABASE()).
            CREATE TABLE t1 (a INT , b DATE AS (1 IN ('x' ,(DATABASE ()) ))) ;
            # First read of the virtual column.
             SELECT b FROM t1;
            # NOTE(review): the 10.6.8 ASan report that follows shows a use-after-poison
            # WRITE in base_list::empty() called from JOIN::cleanup(). It does not print
            # the query; presumably it is this statement. Confirm.
             SELECT a FROM t1 ORDER BY 'x' = b ;
             

            Version: '10.6.8-MariaDB-debug-log' 
            =================================================================
            ==216379==ERROR: AddressSanitizer: use-after-poison on address 0x62b0000c60a0 at pc 0x5577a2c31f8b bp 0x7ff1edfafcd0 sp 0x7ff1edfafcc0
            WRITE of size 4 at 0x62b0000c60a0 thread T11
                #0 0x5577a2c31f8a in base_list::empty() 10.6/src/sql/sql_list.h:159
                #1 0x5577a30539a1 in JOIN::cleanup(bool) 10.6/src/sql/sql_select.cc:14318
                #2 0x5577a305298a in JOIN::join_free() 10.6/src/sql/sql_select.cc:14172
                #3 0x5577a30571cb in return_zero_rows 10.6/src/sql/sql_select.cc:14839
                #4 0x5577a300d83a in JOIN::exec_inner() 10.6/src/sql/sql_select.cc:4674
                #5 0x5577a300ba29 in JOIN::exec() 10.6/src/sql/sql_select.cc:4531
                #6 0x5577a300ff7c in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) 10.6/src/sql/sql_select.cc:5010
                #7 0x5577a2fe02c4 in handle_select(THD*, LEX*, select_result*, unsigned long) 10.6/src/sql/sql_select.cc:545
                #8 0x5577a2f452d0 in execute_sqlcom_select 10.6/src/sql/sql_parse.cc:6255
                #9 0x5577a2f33e76 in mysql_execute_command(THD*, bool) 10.6/src/sql/sql_parse.cc:3945
                #10 0x5577a2f50593 in mysql_parse(THD*, char*, unsigned int, Parser_state*) 10.6/src/sql/sql_parse.cc:8029
                #11 0x5577a2f2677c in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) 10.6/src/sql/sql_parse.cc:1896
                #12 0x5577a2f234a0 in do_command(THD*, bool) 10.6/src/sql/sql_parse.cc:1404
                #13 0x5577a338b29c in do_handle_one_connection(CONNECT*, bool) 10.6/src/sql/sql_connect.cc:1418
                #14 0x5577a338ab28 in handle_one_connection 10.6/src/sql/sql_connect.cc:1312
                #15 0x5577a40b0fc1 in pfs_spawn_thread 10.6/src/storage/perfschema/pfs.cc:2201
                #16 0x7ff1fce3c608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
                #17 0x7ff1fca0d162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)
             
            0x62b0000c60a0 is located 7840 bytes inside of 24740-byte region [0x62b0000c4200,0x62b0000ca2a4)
            allocated by thread T11 here:
                #0 0x7ff1fd3c7808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
                #1 0x5577a4cfa827 in sf_malloc 10.6/src/mysys/safemalloc.c:126
                #2 0x5577a4cc7a4e in my_malloc 10.6/src/mysys/my_malloc.c:90
                #3 0x5577a4ca30fb in reset_root_defaults 10.6/src/mysys/my_alloc.c:148
                #4 0x5577a2df8b38 in THD::init_for_queries() 10.6/src/sql/sql_class.cc:1406
                #5 0x5577a338a45d in prepare_new_connection_state(THD*) 10.6/src/sql/sql_connect.cc:1240
                #6 0x5577a338aba7 in thd_prepare_connection(THD*) 10.6/src/sql/sql_connect.cc:1333
                #7 0x5577a338b1c2 in do_handle_one_connection(CONNECT*, bool) 10.6/src/sql/sql_connect.cc:1408
                #8 0x5577a338ab28 in handle_one_connection 10.6/src/sql/sql_connect.cc:1312
                #9 0x5577a40b0fc1 in pfs_spawn_thread 10.6/src/storage/perfschema/pfs.cc:2201
                #10 0x7ff1fce3c608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
             
            Thread T11 created by T0 here:
                #0 0x7ff1fd2f4815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
                #1 0x5577a40acba8 in my_thread_create 10.6/src/storage/perfschema/my_thread.h:52
                #2 0x5577a40b13b4 in pfs_spawn_thread_v1 10.6/src/storage/perfschema/pfs.cc:2252
                #3 0x5577a2c0ec18 in inline_mysql_thread_create 10.6/src/include/mysql/psi/mysql_thread.h:1139
                #4 0x5577a2c264c9 in create_thread_to_handle_connection(CONNECT*) 10.6/src/sql/mysqld.cc:5934
                #5 0x5577a2c26b45 in create_new_thread(CONNECT*) 10.6/src/sql/mysqld.cc:5993
                #6 0x5577a2c26eb2 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) 10.6/src/sql/mysqld.cc:6055
                #7 0x5577a2c2789f in handle_connections_sockets() 10.6/src/sql/mysqld.cc:6179
                #8 0x5577a2c25cd6 in mysqld_main(int, char**) 10.6/src/sql/mysqld.cc:5829
                #9 0x5577a2c0df3c in main 10.6/src/sql/main.cc:34
                #10 0x7ff1fc9120b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
             
            SUMMARY: AddressSanitizer: use-after-poison 10.6/src/sql/sql_list.h:159 in base_list::empty()
            Shadow bytes around the buggy address:
              0x0c5680010bc0: 00 00 00 00 00 00 f7 00 00 00 00 00 f7 00 00 00
              0x0c5680010bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c5680010be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c5680010bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c5680010c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            =>0x0c5680010c10: 00 f7 f7 f7[f7]f7 f7 f7 00 00 00 00 00 00 00 00
              0x0c5680010c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c5680010c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c5680010c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c5680010c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c5680010c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable:           00
              Partially addressable: 01 02 03 04 05 06 07 
              Heap left redzone:       fa
              Freed heap region:       fd
              Stack left redzone:      f1
              Stack mid redzone:       f2
              Stack right redzone:     f3
              Stack after return:      f5
              Stack use after scope:   f8
              Global redzone:          f9
              Global init order:       f6
              Poisoned by user:        f7
              Container overflow:      fc
              Array cookie:            ac
              Intra object redzone:    bb
              ASan internal:           fe
              Left alloca redzone:     ca
              Right alloca redzone:    cb
              Shadow gap:              cc
            ==216379==ABORTING
            

            alice Alice Sherepa added a comment - - edited test from MDEV-28089 :

            CREATE TABLE v0 ( v3 DATE , v2 INT , v1 DATE GENERATED ALWAYS AS ( UNIX_TIMESTAMP ( INET_ATON ( 87 ) ) IN ( 'x' , ASCII ( DATABASE ( ) = 'x' IS NULL ) ) ) ) engine=innodb;
            SELECT v1 , '' , v2 FROM v0 INTO OUTFILE 'x' ;
            SELECT v2 FROM v0 ORDER BY 'x' = ( SELECT v1 WHERE v2 ) ;

            10.7 bf8dc0be9e4bc26a57223ea1

            Version: '10.7.4-MariaDB-debug-log'
            220321 15:24:19 [ERROR] mysqld got signal 11 ;

            Server version: 10.7.4-MariaDB-debug-log

            sql/signal_handler.cc:226(handle_fatal_signal)[0x556378121e5f]
            sigaction.c:0(__restore_rt)[0x7ff4f3dfe3c0]
            mysys/my_malloc.c:198(my_free)[0x5563795dc9fc]
            sql/keycaches.cc:52(NAMED_ILINK::~NAMED_ILINK())[0x5563774f1ff4]
            sql/item.h:5311(Used_tables_and_const_cache::used_tables_and_const_cache_join(Item const*))[0x55637756cf66]
            sql/item_func.cc:354(Item_func::fix_fields(THD*, Item**))[0x556378275310]
            sql/item.h:1144(Item::fix_fields_if_needed(THD*, Item**))[0x5563775c57c1]
            sql/item_func.cc:347(Item_func::fix_fields(THD*, Item**))[0x5563782751ee]
            sql/item.h:1144(Item::fix_fields_if_needed(THD*, Item**))[0x5563775c57c1]
            sql/item_func.cc:347(Item_func::fix_fields(THD*, Item**))[0x5563782751ee]
            sql/item.h:1144(Item::fix_fields_if_needed(THD*, Item**))[0x5563775c57c1]
            sql/item_func.cc:347(Item_func::fix_fields(THD*, Item**))[0x5563782751ee]
            sql/item_cmpfunc.cc:4328(Item_func_in::fix_fields(THD*, Item**))[0x556378217ebd]
            sql/table.cc:3596(fix_vcol_expr(THD*, Virtual_column_info*))[0x556377c29fc6]
            sql/table.cc:3624(fix_session_vcol_expr(THD*, Virtual_column_info*))[0x556377c2a5e7]
            sql/table.cc:3643(fix_session_vcol_expr_for_read(THD*, Field*, Virtual_column_info*))[0x556377c2a913]
            sql/item.cc:6175(Item_field::fix_fields(THD*, Item**))[0x5563781ad897]
            sql/item.h:1144(Item::fix_fields_if_needed(THD*, Item**))[0x5563775c57c1]
            sql/item.h:1148(Item::fix_fields_if_needed_for_scalar(THD*, Item**))[0x5563775c57fb]
            sql/sql_base.cc:7722(setup_fields(THD*, Bounds_checked_array<Item*>, List<Item>&, enum_column_usage, List<Item>*, List<Item>*, bool))[0x5563776eb9a6]
            sql/sql_select.cc:1397(JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x5563779730dd]
            sql/item_subselect.cc:3900(subselect_single_select_engine::prepare(THD*))[0x5563783cfc74]
            sql/item_subselect.cc:295(Item_subselect::fix_fields(THD*, Item**))[0x5563783aa316]
            sql/item.h:1144(Item::fix_fields_if_needed(THD*, Item**))[0x5563775c57c1]
            sql/item_func.cc:347(Item_func::fix_fields(THD*, Item**))[0x5563782751ee]
            sql/item.h:1144(Item::fix_fields_if_needed(THD*, Item**))[0x5563775c57c1]
            sql/item.h:1148(Item::fix_fields_if_needed_for_scalar(THD*, Item**))[0x5563775c57fb]
            sql/item.h:1157(Item::fix_fields_if_needed_for_order_by(THD*, Item**))[0x556377a5726d]
            sql/sql_select.cc:25013(find_order_in_list(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, st_order*, List<Item>&, List<Item>&, bool, bool, bool))[0x556377a2b363]
            sql/sql_select.cc:25060(setup_order(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<Item>&, List<Item>&, st_order*, bool))[0x556377a2b923]
            sql/sql_select.cc:849(setup_without_group(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<TABLE_LIST>&, List<Item>&, List<Item>&, Item**, st_order*, st_order*, List<Window_spec>&, List<Item_window_func>&, bool*, unsigned int*))[0x55637796c1fd]
            sql/sql_select.cc:1403(JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x5563779734b2]
            sql/sql_select.cc:4984(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x5563779999b3]
            sql/sql_select.cc:545(handle_select(THD*, LEX*, select_result*, unsigned long))[0x556377969ef5]
            sql/sql_parse.cc:6252(execute_sqlcom_select(THD*, TABLE_LIST*))[0x556377890990]
            sql/sql_parse.cc:3943(mysql_execute_command(THD*, bool))[0x55637787f55f]
            sql/sql_parse.cc:8027(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x55637789bc2f]
            sql/sql_parse.cc:1896(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x556377871e66]
            sql/sql_parse.cc:1402(do_command(THD*, bool))[0x55637786eb8a]
            sql/sql_connect.cc:1418(do_handle_one_connection(CONNECT*, bool))[0x556377d10b07]
            sql/sql_connect.cc:1314(handle_one_connection)[0x556377d10393]
            perfschema/pfs.cc:2203(pfs_spawn_thread)[0x5563789badfc]
            nptl/pthread_create.c:478(start_thread)[0x7ff4f3df2609]
            ??:0(clone)[0x7ff4f39c3163]

            Query (0x6290001092a8): SELECT v2 FROM v0 ORDER BY 'x' = ( SELECT v1 WHERE v2 )

            CREATE TABLE t1 (a INT , b DATE AS (1 IN ( 'x' ,( DATABASE () = 'x' IS NULL ) ))) ;
            SELECT b FROM t1;
            SELECT a FROM t1 ORDER BY 'x' = b ;

            10.2 421153848f0002c9e9b5e204d4c6

            Version: '10.2.44-MariaDB-debug-log'
            220321 15:09:43 [ERROR] mysqld got signal 11 ;

            Server version: 10.2.44-MariaDB-debug-log

            sigaction.c:0(__restore_rt)[0x7fde57ed53c0]
            sql/item.h:4134(Item_args::walk_args(bool (Item::*)(void*), bool, void*))[0x5561a73b5ff3]
            sql/item.h:4420(Item_func_or_sum::walk(bool (Item::*)(void*), bool, void*))[0x5561a73b6b7c]
            sql/item.h:4134(Item_args::walk_args(bool (Item::*)(void*), bool, void*))[0x5561a73b6021]
            sql/item.h:4420(Item_func_or_sum::walk(bool (Item::*)(void*), bool, void*))[0x5561a73b6b7c]
            sql/table.cc:6843(TABLE::mark_virtual_col(Field*))[0x5561a7797e97]
            sql/sql_base.cc:5315(update_field_dependencies(THD*, Field*, TABLE*))[0x5561a739ca42]
            sql/sql_base.cc:5652(find_field_in_table(THD*, TABLE*, char const*, unsigned int, bool, unsigned int*))[0x5561a739f56b]
            sql/sql_base.cc:5765(find_field_in_table_ref(THD*, TABLE_LIST*, char const*, unsigned int, char const*, char const*, char const*, Item**, bool, bool, unsigned int*, bool, TABLE_LIST**))[0x5561a739ffc8]
            sql/sql_base.cc:6058(find_field_in_tables(THD*, Item_ident*, TABLE_LIST*, TABLE_LIST*, Item**, find_item_error_report_type, bool, bool))[0x5561a73a18b1]
            sql/item.cc:5505(Item_field::fix_fields(THD*, Item**))[0x5561a7b5aa51]
            sql/item_func.cc:201(Item_func::fix_fields(THD*, Item**))[0x5561a7c24103]
            sql/sql_select.cc:22736(find_order_in_list(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, st_order*, List<Item>&, List<Item>&, bool, bool, bool))[0x5561a75fa69b]
            sql/sql_select.cc:22784(setup_order(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<Item>&, List<Item>&, st_order*, bool))[0x5561a75facc8]
            sql/sql_select.cc:665(setup_without_group(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<TABLE_LIST>&, List<Item>&, List<Item>&, Item**, st_order*, st_order*, List<Window_spec>&, List<Item_window_func>&, bool*, unsigned int*))[0x5561a7556519]
            sql/sql_select.cc:812(JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x5561a75581ab]
            sql/sql_select.cc:3827(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x5561a7577592]
            sql/sql_select.cc:361(handle_select(THD*, LEX*, select_result*, unsigned long))[0x5561a7554184]
            sql/sql_parse.cc:6271(execute_sqlcom_select(THD*, TABLE_LIST*))[0x5561a74ca7ef]
            sql/sql_parse.cc:3582(mysql_execute_command(THD*))[0x5561a74b7b78]
            sql/sql_parse.cc:7793(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x5561a74d3d04]
            sql/sql_parse.cc:1830(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x5561a74acf09]
            sql/sql_parse.cc:1381(do_command(THD*))[0x5561a74a9cd4]
            sql/sql_connect.cc:1336(do_handle_one_connection(CONNECT*))[0x5561a783640a]
            sql/sql_connect.cc:1242(handle_one_connection)[0x5561a7835ccd]
            perfschema/pfs.cc:1871(pfs_spawn_thread)[0x5561a8bd6b6a]
            nptl/pthread_create.c:478(start_thread)[0x7fde57ec9609]
            /lib/x86_64-linux-gnu/libc.so.6(clone+0x43)[0x7fde57637163]

            Query (0x62b000000290): SELECT a FROM t1 ORDER BY 'x'= b

            on 10.6+

            Version: '10.6.8-MariaDB-debug-log'
            mariadbd: 10.6/src/sql/table.cc:3608: bool fix_session_vcol_expr(THD*, Virtual_column_info*): Assertion `!vcol->expr->fixed()' failed.
            220321 15:07:00 [ERROR] mysqld got signal 6 ;

            Server version: 10.6.8-MariaDB-debug-log

            ??:0(__assert_fail)[0x7f219147a006]
            sql/table.cc:3609(fix_session_vcol_expr(THD*, Virtual_column_info*))[0x55c13ce0ed75]
            sql/table.cc:3628(fix_session_vcol_expr_for_read(THD*, Field*, Virtual_column_info*))[0x55c13ce0f0ff]
            sql/item.cc:6175(Item_field::fix_fields(THD*, Item**))[0x55c13d39246d]
            sql/item.h:1144(Item::fix_fields_if_needed(THD*, Item**))[0x55c13c7ee1f9]
            sql/item_func.cc:347(Item_func::fix_fields(THD*, Item**))[0x55c13d45cbda]
            sql/item.h:1144(Item::fix_fields_if_needed(THD*, Item**))[0x55c13c7ee1f9]
            sql/item.h:1148(Item::fix_fields_if_needed_for_scalar(THD*, Item**))[0x55c13c7ee233]
            sql/item.h:1157(Item::fix_fields_if_needed_for_order_by(THD*, Item**))[0x55c13cc39855]
            sql/sql_select.cc:25015(find_order_in_list(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, st_order*, List<Item>&, List<Item>&, bool, bool, bool))[0x55c13cc0c677]
            sql/sql_select.cc:25062(setup_order(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<Item>&, List<Item>&, st_order*, bool))[0x55c13cc0cc37]
            sql/sql_select.cc:849(setup_without_group(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<TABLE_LIST>&, List<Item>&, List<Item>&, Item**, st_order*, st_order*, List<Window_spec>&, List<Item_window_func>&, bool*, unsigned int*))[0x55c13cb4d5cd]
            sql/sql_select.cc:1403(JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x55c13cb54882]
            sql/sql_select.cc:4986(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55c13cb7ad0f]
            sql/sql_select.cc:545(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55c13cb4b2c5]
            sql/sql_parse.cc:6255(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55c13cab02d1]
            sql/sql_parse.cc:3945(mysql_execute_command(THD*, bool))[0x55c13ca9ee77]
            sql/sql_parse.cc:8029(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x55c13cabb594]
            sql/sql_parse.cc:1898(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x55c13ca9177d]
            sql/sql_parse.cc:1404(do_command(THD*, bool))[0x55c13ca8e4a1]
            sql/sql_connect.cc:1418(do_handle_one_connection(CONNECT*, bool))[0x55c13cef629d]
            sql/sql_connect.cc:1314(handle_one_connection)[0x55c13cef5b29]
            perfschema/pfs.cc:2203(pfs_spawn_thread)[0x55c13dc1bfc2]
            nptl/pthread_create.c:478(start_thread)[0x7f2191994609]
            ??:0(clone)[0x7f2191565163]

            Query (0x62b0000c42a8): SELECT a FROM t1 ORDER BY 'x'= b

            CREATE TABLE t1 (a INT , b DATE AS (1 IN ( 'x' ,( DATABASE ()) ))) ;
            SELECT b FROM t1;
            SELECT a FROM t1 ORDER BY 'x' = b ;

            Version: '10.6.8-MariaDB-debug-log'
            =================================================================
            ==216379==ERROR: AddressSanitizer: use-after-poison on address 0x62b0000c60a0 at pc 0x5577a2c31f8b bp 0x7ff1edfafcd0 sp 0x7ff1edfafcc0
            WRITE of size 4 at 0x62b0000c60a0 thread T11
                #0 0x5577a2c31f8a in base_list::empty() 10.6/src/sql/sql_list.h:159
                #1 0x5577a30539a1 in JOIN::cleanup(bool) 10.6/src/sql/sql_select.cc:14318
                #2 0x5577a305298a in JOIN::join_free() 10.6/src/sql/sql_select.cc:14172
                #3 0x5577a30571cb in return_zero_rows 10.6/src/sql/sql_select.cc:14839
                #4 0x5577a300d83a in JOIN::exec_inner() 10.6/src/sql/sql_select.cc:4674
                #5 0x5577a300ba29 in JOIN::exec() 10.6/src/sql/sql_select.cc:4531
                #6 0x5577a300ff7c in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) 10.6/src/sql/sql_select.cc:5010
                #7 0x5577a2fe02c4 in handle_select(THD*, LEX*, select_result*, unsigned long) 10.6/src/sql/sql_select.cc:545
                #8 0x5577a2f452d0 in execute_sqlcom_select 10.6/src/sql/sql_parse.cc:6255
                #9 0x5577a2f33e76 in mysql_execute_command(THD*, bool) 10.6/src/sql/sql_parse.cc:3945
                #10 0x5577a2f50593 in mysql_parse(THD*, char*, unsigned int, Parser_state*) 10.6/src/sql/sql_parse.cc:8029
                #11 0x5577a2f2677c in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) 10.6/src/sql/sql_parse.cc:1896
                #12 0x5577a2f234a0 in do_command(THD*, bool) 10.6/src/sql/sql_parse.cc:1404
                #13 0x5577a338b29c in do_handle_one_connection(CONNECT*, bool) 10.6/src/sql/sql_connect.cc:1418
                #14 0x5577a338ab28 in handle_one_connection 10.6/src/sql/sql_connect.cc:1312
                #15 0x5577a40b0fc1 in pfs_spawn_thread 10.6/src/storage/perfschema/pfs.cc:2201
                #16 0x7ff1fce3c608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
                #17 0x7ff1fca0d162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)

            0x62b0000c60a0 is located 7840 bytes inside of 24740-byte region [0x62b0000c4200,0x62b0000ca2a4)
            allocated by thread T11 here:
                #0 0x7ff1fd3c7808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
                #1 0x5577a4cfa827 in sf_malloc 10.6/src/mysys/safemalloc.c:126
                #2 0x5577a4cc7a4e in my_malloc 10.6/src/mysys/my_malloc.c:90
                #3 0x5577a4ca30fb in reset_root_defaults 10.6/src/mysys/my_alloc.c:148
                #4 0x5577a2df8b38 in THD::init_for_queries() 10.6/src/sql/sql_class.cc:1406
                #5 0x5577a338a45d in prepare_new_connection_state(THD*) 10.6/src/sql/sql_connect.cc:1240
                #6 0x5577a338aba7 in thd_prepare_connection(THD*) 10.6/src/sql/sql_connect.cc:1333
                #7 0x5577a338b1c2 in do_handle_one_connection(CONNECT*, bool) 10.6/src/sql/sql_connect.cc:1408
                #8 0x5577a338ab28 in handle_one_connection 10.6/src/sql/sql_connect.cc:1312
                #9 0x5577a40b0fc1 in pfs_spawn_thread 10.6/src/storage/perfschema/pfs.cc:2201
                #10 0x7ff1fce3c608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477

            Thread T11 created by T0 here:
                #0 0x7ff1fd2f4815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
                #1 0x5577a40acba8 in my_thread_create 10.6/src/storage/perfschema/my_thread.h:52
                #2 0x5577a40b13b4 in pfs_spawn_thread_v1 10.6/src/storage/perfschema/pfs.cc:2252
                #3 0x5577a2c0ec18 in inline_mysql_thread_create 10.6/src/include/mysql/psi/mysql_thread.h:1139
                #4 0x5577a2c264c9 in create_thread_to_handle_connection(CONNECT*) 10.6/src/sql/mysqld.cc:5934
                #5 0x5577a2c26b45 in create_new_thread(CONNECT*) 10.6/src/sql/mysqld.cc:5993
                #6 0x5577a2c26eb2 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) 10.6/src/sql/mysqld.cc:6055
                #7 0x5577a2c2789f in handle_connections_sockets() 10.6/src/sql/mysqld.cc:6179
                #8 0x5577a2c25cd6 in mysqld_main(int, char**) 10.6/src/sql/mysqld.cc:5829
                #9 0x5577a2c0df3c in main 10.6/src/sql/main.cc:34
                #10 0x7ff1fc9120b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)

            SUMMARY: AddressSanitizer: use-after-poison 10.6/src/sql/sql_list.h:159 in base_list::empty()
            Shadow bytes around the buggy address:
              0x0c5680010bc0: 00 00 00 00 00 00 f7 00 00 00 00 00 f7 00 00 00
              0x0c5680010bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c5680010be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c5680010bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c5680010c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            =>0x0c5680010c10: 00 f7 f7 f7[f7]f7 f7 f7 00 00 00 00 00 00 00 00
              0x0c5680010c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c5680010c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c5680010c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c5680010c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c5680010c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable:           00
              Partially addressable: 01 02 03 04 05 06 07
              Heap left redzone:       fa
              Freed heap region:       fd
              Stack left redzone:      f1
              Stack mid redzone:       f2
              Stack right redzone:     f3
              Stack after return:      f5
              Stack use after scope:   f8
              Global redzone:          f9
              Global init order:       f6
              Poisoned by user:        f7
              Container overflow:      fc
              Array cookie:            ac
              Intra object redzone:    bb
              ASan internal:           fe
              Left alloca redzone:     ca
              Right alloca redzone:    cb
              Shadow gap:              cc
            ==216379==ABORTING
            midenok Aleksey Midenkov added a comment - Please review bb-10.3-midenok-MDEV-24176

            People

              midenok Aleksey Midenkov
              alice Alice Sherepa