Details
-
Bug
-
Status: Closed (View Workflow)
-
Blocker
-
Resolution: Fixed
-
10.5, 10.6, 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.7(EOL)
-
None
Description
CREATE TABLE t1 (d1 date NOT NULL, d2 date NOT NULL, |
gd text as (concat(d1,if(d1 <> d2, date_format(d2, 'to %Y-%m-%d '), ''))) ); |
|
insert into t1(d1,d2) values |
('2020-09-01','2020-09-01'),('2020-05-01','2020-09-01'); |
|
--exec $MYSQL_DUMP test t1 > "$MYSQLTEST_VARDIR/tmp/1.sql" 2>&1
|
insert into t1 values ('2020-09-01','2020-09-01'); |
10.2 c048053c8af5083d35f764 |
Version: '10.2.36-MariaDB-debug-log' socket: '/git/10.2/mysql-test/var/tmp/mysqld.1.sock' port: 16000 Source distribution
|
=================================================================
|
==43634==ERROR: AddressSanitizer: use-after-poison on address 0x62b000001288 at pc 0x55c9eb51b0d4 bp 0x7febf2c80cd0 sp 0x7febf2c80cc8
|
READ of size 8 at 0x62b000001288 thread T6
|
#0 0x55c9eb51b0d3 in Item::val_temporal_packed(enum_field_types) /git/10.2/sql/item.h:1525
|
#1 0x55c9eb533dd7 in Arg_comparator::compare_temporal(enum_field_types) /git/10.2/sql/item_cmpfunc.cc:792
|
#2 0x55c9eabd087a in Arg_comparator::compare_datetime() /git/10.2/sql/item_cmpfunc.h:105
|
#3 0x55c9eb57279f in Arg_comparator::compare() /git/10.2/sql/item_cmpfunc.h:87
|
#4 0x55c9eb5402d7 in Item_func_ne::val_int() /git/10.2/sql/item_cmpfunc.cc:1824
|
#5 0x55c9eb4bfdc3 in Item::val_bool() /git/10.2/sql/item.cc:112
|
#6 0x55c9eb5496fc in Item_func_if::str_op(String*) /git/10.2/sql/item_cmpfunc.cc:2533
|
#7 0x55c9eb5fa020 in Item_func_hybrid_field_type::str_op_with_null_check(String*) /git/10.2/sql/item_func.h:467
|
#8 0x55c9eb5b7d4d in Item_func_hybrid_field_type::val_str(String*) /git/10.2/sql/item_func.cc:881
|
#9 0x55c9eb632ee3 in Item_func_concat::val_str(String*) /git/10.2/sql/item_strfunc.cc:611
|
#10 0x55c9eb4efc69 in Item::save_in_field(Field*, bool) /git/10.2/sql/item.cc:6387
|
#11 0x55c9eb11e6ce in TABLE::update_virtual_fields(handler*, enum_vcol_update_mode) /git/10.2/sql/table.cc:7759
|
#12 0x55c9eb49940a in handler::ha_rnd_next(unsigned char*) /git/10.2/sql/handler.cc:2674
|
#13 0x55c9eb85ae15 in rr_sequential(READ_RECORD*) /git/10.2/sql/records.cc:492
|
#14 0x55c9eaf59251 in join_init_read_record(st_join_table*) /git/10.2/sql/sql_select.cc:19785
|
#15 0x55c9eaf51e3e in sub_select(JOIN*, st_join_table*, bool) /git/10.2/sql/sql_select.cc:18856
|
#16 0x55c9eaf4fb0c in do_select /git/10.2/sql/sql_select.cc:18403
|
#17 0x55c9eaee6c63 in JOIN::exec_inner() /git/10.2/sql/sql_select.cc:3641
|
#18 0x55c9eaee47d5 in JOIN::exec() /git/10.2/sql/sql_select.cc:3436
|
#19 0x55c9eaee7e35 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /git/10.2/sql/sql_select.cc:3836
|
#20 0x55c9eaec49a9 in handle_select(THD*, LEX*, select_result*, unsigned long) /git/10.2/sql/sql_select.cc:361
|
#21 0x55c9eae38bb6 in execute_sqlcom_select /git/10.2/sql/sql_parse.cc:6249
|
#22 0x55c9eae23ef0 in mysql_execute_command(THD*) /git/10.2/sql/sql_parse.cc:3558
|
#23 0x55c9eae41ee7 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /git/10.2/sql/sql_parse.cc:7761
|
#24 0x55c9eae18cd3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /git/10.2/sql/sql_parse.cc:1827
|
#25 0x55c9eae156f8 in do_command(THD*) /git/10.2/sql/sql_parse.cc:1381
|
#26 0x55c9eb1bc9b2 in do_handle_one_connection(CONNECT*) /git/10.2/sql/sql_connect.cc:1336
|
#27 0x55c9eb1bc273 in handle_one_connection /git/10.2/sql/sql_connect.cc:1241
|
#28 0x55c9ec655d23 in pfs_spawn_thread /git/10.2/storage/perfschema/pfs.cc:1869
|
#29 0x7febfd780fa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
|
#30 0x7febfd1044ce in clone (/lib/x86_64-linux-gnu/libc.so.6+0xf94ce)
|
|
0x62b000001288 is located 4232 bytes inside of 24716-byte region [0x62b000000200,0x62b00000628c)
|
allocated by thread T5 here:
|
#0 0x7febfd883330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
|
#1 0x55c9ec83aac1 in sf_malloc /git/10.2/mysys/safemalloc.c:118
|
#2 0x55c9ec8080a9 in my_malloc /git/10.2/mysys/my_malloc.c:101
|
#3 0x55c9ec7e5c56 in reset_root_defaults /git/10.2/mysys/my_alloc.c:147
|
#4 0x55c9ead5d05b in THD::init_for_queries() /git/10.2/sql/sql_class.cc:1313
|
#5 0x55c9eb1bbbb5 in prepare_new_connection_state(THD*) /git/10.2/sql/sql_connect.cc:1172
|
#6 0x55c9eb1bc2b9 in thd_prepare_connection(THD*) /git/10.2/sql/sql_connect.cc:1256
|
#7 0x55c9eb1bc8dd in do_handle_one_connection(CONNECT*) /git/10.2/sql/sql_connect.cc:1326
|
#8 0x55c9eb1bc273 in handle_one_connection /git/10.2/sql/sql_connect.cc:1241
|
#9 0x55c9ec655d23 in pfs_spawn_thread /git/10.2/storage/perfschema/pfs.cc:1869
|
#10 0x7febfd780fa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
|
|
Thread T6 created by T0 here:
|
#0 0x7febfd7eadb0 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
|
#1 0x55c9ec65615f in spawn_thread_v1 /git/10.2/storage/perfschema/pfs.cc:1919
|
#2 0x55c9eabaa494 in inline_mysql_thread_create /git/10.2/include/mysql/psi/mysql_thread.h:1246
|
#3 0x55c9eabc253e in create_thread_to_handle_connection(CONNECT*) /git/10.2/sql/mysqld.cc:6567
|
#4 0x55c9eabc2c93 in create_new_thread /git/10.2/sql/mysqld.cc:6637
|
#5 0x55c9eabc3e14 in handle_connections_sockets() /git/10.2/sql/mysqld.cc:6895
|
#6 0x55c9eabc1921 in mysqld_main(int, char**) /git/10.2/sql/mysqld.cc:6186
|
#7 0x55c9eaba8de4 in main /git/10.2/sql/main.cc:25
|
#8 0x7febfd02f09a in __libc_start_main ../csu/libc-start.c:308
|
|
Thread T5 created by T0 here:
|
#0 0x7febfd7eadb0 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
|
#1 0x55c9ec65615f in spawn_thread_v1 /git/10.2/storage/perfschema/pfs.cc:1919
|
#2 0x55c9eabaa494 in inline_mysql_thread_create /git/10.2/include/mysql/psi/mysql_thread.h:1246
|
#3 0x55c9eabc253e in create_thread_to_handle_connection(CONNECT*) /git/10.2/sql/mysqld.cc:6567
|
#4 0x55c9eabc2c93 in create_new_thread /git/10.2/sql/mysqld.cc:6637
|
#5 0x55c9eabc3e14 in handle_connections_sockets() /git/10.2/sql/mysqld.cc:6895
|
#6 0x55c9eabc1921 in mysqld_main(int, char**) /git/10.2/sql/mysqld.cc:6186
|
#7 0x55c9eaba8de4 in main /git/10.2/sql/main.cc:25
|
#8 0x7febfd02f09a in __libc_start_main ../csu/libc-start.c:308
|
|
SUMMARY: AddressSanitizer: use-after-poison /git/10.2/sql/item.h:1525 in Item::val_temporal_packed(enum_field_types)
|
Shadow bytes around the buggy address:
|
0x0c567fff8200: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c567fff8210: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c567fff8220: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c567fff8230: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c567fff8240: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
=>0x0c567fff8250: f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c567fff8260: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c567fff8270: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c567fff8280: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c567fff8290: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c567fff82a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
==43634==ABORTING
|
----------SERVER LOG END-------------
|
mysqltest failed but provided no output
|
|
Reproducible with InnoDb/MyIsam, non-debug build crashing similarly
10.5 f424eb974d2cf5fe875 |
201109 17:04:20 [ERROR] mysqld got signal 11 ;
|
|
Server version: 10.5.8-MariaDB-debug-log
|
|
??:0(__restore_rt)[0x7f684602d730]
|
sql/item.h:2584(Item_args::walk_args(bool (Item::*)(void*), bool, void*))[0x55ebabb11c48]
|
sql/item.h:5222(Item_func_or_sum::walk(bool (Item::*)(void*), bool, void*))[0x55ebabb12335]
|
sql/item.h:2584(Item_args::walk_args(bool (Item::*)(void*), bool, void*))[0x55ebabb11c5d]
|
sql/item.h:5222(Item_func_or_sum::walk(bool (Item::*)(void*), bool, void*))[0x55ebabb12335]
|
sql/table.cc:3522(fix_session_vcol_expr(THD*, Virtual_column_info*))[0x55ebabce8e3c]
|
sql/sql_base.cc:5357(TABLE::fix_vcol_exprs(THD*))[0x55ebabb05d97]
|
sql/sql_base.cc:5393(fix_all_session_vcol_exprs(THD*, TABLE_LIST*))[0x55ebabb05fc6]
|
sql/sql_base.cc:5576(lock_tables(THD*, TABLE_LIST*, unsigned int, unsigned int))[0x55ebabb066b7]
|
sql/sql_base.cc:5188(open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*))[0x55ebabb057d2]
|
sql/sql_base.h:507(open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int))[0x55ebababcdf7]
|
sql/sql_insert.cc:756(mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*))[0x55ebabb57a01]
|
sql/sql_parse.cc:4587(mysql_execute_command(THD*))[0x55ebabbaa59e]
|
sql/sql_parse.cc:8044(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55ebabbb601d]
|
sql/sql_parse.cc:1875(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55ebabba22d8]
|
sql/sql_parse.cc:1353(do_command(THD*))[0x55ebabba0a0e]
|
sql/sql_connect.cc:1410(do_handle_one_connection(CONNECT*, bool))[0x55ebabd47441]
|
sql/sql_connect.cc:1314(handle_one_connection)[0x55ebabd471aa]
|
perfschema/pfs.cc:2203(pfs_spawn_thread)[0x55ebac284a4b]
|
nptl/pthread_create.c:487(start_thread)[0x7f6846022fa3]
|
x86_64/clone.S:97(clone)[0x7f684562b4cf]
|
|
Query (0x7f6824013ee0): insert into t1 values ('2020-09-01','2020-09-01')
|
|
A shorter version of the test case, but it is crashing only 10.3-10.5, not 10.2
create table t1 (d1 date, gd text as (if(d1='',date_format(d1,'%y-%m-%d'),''))); |
--exec $MYSQL_DUMP test t1 > "$MYSQLTEST_VARDIR/tmp/1.sql" 2>&1
|
insert into t1 values (); |
Attachments
Issue Links
- blocks
-
MDEV-25794 vcol_info refix during lock_tables() leads to memory leak until table flush
- Open
- causes
-
MDEV-29357 Assertion (fixed) in Item_func_dayname on INSERT
- Closed
- duplicates
-
MDEV-25772 Virtual Column with CURDATE function cause suddenly entire MariaDB crash
- Closed
- is blocked by
-
MDEV-25638 Assertion `!result' failed in convert_const_to_int
- Closed
- is duplicated by
-
MDEV-24160 date_format() mixed with if() in a computed column causes server segfault
- Closed
-
MDEV-26281 ASAN use-after-poison when complex conversion is involved in blob
- Closed
-
MDEV-26407 Server crashes in Item_func_in::cleanup/Item::cleanup_processor
- Closed
-
MDEV-26437 Server crashes in Item_args::walk_args
- Closed
-
MDEV-26619 CURDATE() functions results in lost connection when used in a VIRTUAL column
- Closed
-
MDEV-27897 Serever crash virtual cloum with curdate()
- Closed
-
MDEV-27920 Galera node crashes when inserting rows to a virtual column created with the DAYNAME function
- Closed
-
MDEV-28085 MariaDB SEGV issue
- Closed
-
MDEV-28087 MariaDB SEGV issue
- Closed
-
MDEV-28089 MariaDB SEGV issue
- Closed
-
MDEV-28090 MariaDB SEGV issue
- Closed
-
MDEV-28092 MariaDB SEGV issue
- Closed
-
MDEV-28093 MariaDB UAP issue
- Closed
-
MDEV-28099 MariaDB UAP issue
- Closed
- relates to
-
MDEV-25672 table alias from previous statement interferes later commands
- Closed
-
MDEV-26407 Server crashes in Item_func_in::cleanup/Item::cleanup_processor
- Closed
-
MDEV-27966 Assertion `fixed()' failed and Assertion `fixed == 1' failed, both in Item_func_concat::val_str on SELECT after INSERT with collation utf32_bin on utf8_bin table
- Closed
-
MDEV-28034 SIGSEGV in Item_args::walk_args and libstdc++ __cxa_pure_virtual terminate/SIGABRT in Item::check_type_scalar
- Closed