Details
-
Bug
-
Status: Closed (View Workflow)
-
Critical
-
Resolution: Fixed
-
10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL)
Description
test case from main.view +ps-protocol
|
create table t1 (s1 int); |
prepare stmt from "create view v1 as select 's1', s1, 1 as My_exp_s1 from t1;"; |
execute stmt; |
prepare stmt from "select * from v1;"; |
execute stmt; |
10.3 08b0b70daa43a539d91 |
Version: '10.3.28-MariaDB-debug-log' socket: '/git/10.3/mysql-test/var/tmp/mysqld.1.sock' port: 16000 Source distribution
|
=================================================================
|
==56422==ERROR: AddressSanitizer: use-after-poison on address 0x62b000000b98 at pc 0x7fd1bfe6d550 bp 0x7fd1b54b73f0 sp 0x7fd1b54b6ba0
|
READ of size 10 at 0x62b000000b98 thread T5
|
#0 0x7fd1bfe6d54f (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xa854f)
|
#1 0x561328021f6c in Item_basic_constant::cleanup() /git/10.3/sql/item.h:2493
|
#2 0x5613281dbd9b in Item::delete_self() /git/10.3/sql/item.h:2008
|
#3 0x5613281c1ef6 in Query_arena::free_items() /git/10.3/sql/sql_class.cc:3724
|
#4 0x56132832ae6d in Prepared_statement::~Prepared_statement() /git/10.3/sql/sql_prepare.cc:4038
|
#5 0x56132832b1ed in Prepared_statement::~Prepared_statement() /git/10.3/sql/sql_prepare.cc:4047
|
#6 0x5613281c3500 in delete_statement_as_hash_key /git/10.3/sql/sql_class.cc:3864
|
#7 0x561329f8640e in my_hash_delete /git/10.3/mysys/hash.c:632
|
#8 0x5613281c3ad6 in Statement_map::erase(Statement*) /git/10.3/sql/sql_class.cc:3979
|
#9 0x561328333e5f in Prepared_statement::deallocate() /git/10.3/sql/sql_prepare.cc:5146
|
#10 0x5613283242f0 in mysql_sql_stmt_prepare(THD*) /git/10.3/sql/sql_prepare.cc:2867
|
#11 0x5613282c2792 in mysql_execute_command(THD*) /git/10.3/sql/sql_parse.cc:3858
|
#12 0x5613282ded30 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /git/10.3/sql/sql_parse.cc:7839
|
#13 0x5613282b53cf in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /git/10.3/sql/sql_parse.cc:1852
|
#14 0x5613282b1b0a in do_command(THD*) /git/10.3/sql/sql_parse.cc:1398
|
#15 0x5613286a1c6c in do_handle_one_connection(CONNECT*) /git/10.3/sql/sql_connect.cc:1403
|
#16 0x5613286a1524 in handle_one_connection /git/10.3/sql/sql_connect.cc:1308
|
#17 0x561329e03f92 in pfs_spawn_thread /git/10.3/storage/perfschema/pfs.cc:1869
|
#18 0x7fd1bfdabfa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
|
#19 0x7fd1bf72f4ce in clone (/lib/x86_64-linux-gnu/libc.so.6+0xf94ce)
|
|
0x62b000000b98 is located 2456 bytes inside of 24716-byte region [0x62b000000200,0x62b00000628c)
|
allocated by thread T5 here:
|
#0 0x7fd1bfeae330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
|
#1 0x56132a018396 in sf_malloc /git/10.3/mysys/safemalloc.c:118
|
#2 0x561329fe78d0 in my_malloc /git/10.3/mysys/my_malloc.c:101
|
#3 0x561329fc3e56 in reset_root_defaults /git/10.3/mysys/my_alloc.c:152
|
#4 0x5613281ad619 in THD::init_for_queries() /git/10.3/sql/sql_class.cc:1340
|
#5 0x5613286a0e5d in prepare_new_connection_state(THD*) /git/10.3/sql/sql_connect.cc:1239
|
#6 0x5613286a156a in thd_prepare_connection(THD*) /git/10.3/sql/sql_connect.cc:1323
|
#7 0x5613286a1b97 in do_handle_one_connection(CONNECT*) /git/10.3/sql/sql_connect.cc:1393
|
#8 0x5613286a1524 in handle_one_connection /git/10.3/sql/sql_connect.cc:1308
|
#9 0x561329e03f92 in pfs_spawn_thread /git/10.3/storage/perfschema/pfs.cc:1869
|
#10 0x7fd1bfdabfa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
|
|
Thread T5 created by T0 here:
|
#0 0x7fd1bfe15db0 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
|
#1 0x561329e043ce in spawn_thread_v1 /git/10.3/storage/perfschema/pfs.cc:1919
|
#2 0x561327fc56f4 in inline_mysql_thread_create /git/10.3/include/mysql/psi/mysql_thread.h:1275
|
#3 0x561327fdeba8 in create_thread_to_handle_connection(CONNECT*) /git/10.3/sql/mysqld.cc:6658
|
#4 0x561327fdf2fd in create_new_thread /git/10.3/sql/mysqld.cc:6728
|
#5 0x561327fe047e in handle_connections_sockets() /git/10.3/sql/mysqld.cc:6986
|
#6 0x561327fddf1c in mysqld_main(int, char**) /git/10.3/sql/mysqld.cc:6280
|
#7 0x561327fc3df4 in main /git/10.3/sql/main.cc:25
|
#8 0x7fd1bf65a09a in __libc_start_main ../csu/libc-start.c:308
|
|
SUMMARY: AddressSanitizer: use-after-poison (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xa854f)
|
Shadow bytes around the buggy address:
|
0x0c567fff8120: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c567fff8130: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c567fff8140: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c567fff8150: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c567fff8160: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
=>0x0c567fff8170: f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c567fff8180: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c567fff8190: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c567fff81a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c567fff81b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c567fff81c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
==56422==ABORTING
|
----------SERVER LOG END-------------
|
10.4 7effcb8ed6a9fd75452 |
Version: '10.4.18-MariaDB-debug-log' socket: '/git/10.4/mysql-test/var/tmp/mysqld.1.sock' port: 16000 Source distribution
|
=================================================================
|
==58044==ERROR: AddressSanitizer: use-after-poison on address 0x62b000062b88 at pc 0x7f1151601550 bp 0x7f1147ac4500 sp 0x7f1147ac3cb0
|
READ of size 10 at 0x62b000062b88 thread T5
|
#0 0x7f115160154f (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xa854f)
|
#1 0x5633a668cf3c in Item::cleanup() /git/10.4/sql/item.cc:548
|
#2 0x5633a5d7f381 in Item::delete_self() /git/10.4/sql/item.h:2214
|
#3 0x5633a5d647f8 in Query_arena::free_items() /git/10.4/sql/sql_class.cc:3793
|
#4 0x5633a5ed50e9 in Prepared_statement::~Prepared_statement() /git/10.4/sql/sql_prepare.cc:4061
|
#5 0x5633a5ed5469 in Prepared_statement::~Prepared_statement() /git/10.4/sql/sql_prepare.cc:4070
|
#6 0x5633a5d65e02 in delete_statement_as_hash_key /git/10.4/sql/sql_class.cc:3933
|
#7 0x5633a792e302 in my_hash_delete /git/10.4/mysys/hash.c:632
|
#8 0x5633a5d663d8 in Statement_map::erase(Statement*) /git/10.4/sql/sql_class.cc:4048
|
#9 0x5633a5edd9e5 in Prepared_statement::deallocate() /git/10.4/sql/sql_prepare.cc:5119
|
#10 0x5633a5ece7f5 in mysql_sql_stmt_prepare(THD*) /git/10.4/sql/sql_prepare.cc:2886
|
#11 0x5633a5e6fd8e in mysql_execute_command(THD*) /git/10.4/sql/sql_parse.cc:3936
|
#12 0x5633a5e8b5a0 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /git/10.4/sql/sql_parse.cc:7938
|
#13 0x5633a5e62812 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /git/10.4/sql/sql_parse.cc:1839
|
#14 0x5633a5e5f291 in do_command(THD*) /git/10.4/sql/sql_parse.cc:1357
|
#15 0x5633a623e32a in do_handle_one_connection(CONNECT*) /git/10.4/sql/sql_connect.cc:1412
|
#16 0x5633a623dbcc in handle_one_connection /git/10.4/sql/sql_connect.cc:1316
|
#17 0x5633a787a4d0 in pfs_spawn_thread /git/10.4/storage/perfschema/pfs.cc:1869
|
#18 0x7f115153ffa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
|
#19 0x7f1150b464ce in clone (/lib/x86_64-linux-gnu/libc.so.6+0xf94ce)
|
|
0x62b000062b88 is located 2440 bytes inside of 24716-byte region [0x62b000062200,0x62b00006828c)
|
allocated by thread T5 here:
|
#0 0x7f1151642330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
|
#1 0x5633a79c0ac4 in sf_malloc /git/10.4/mysys/safemalloc.c:118
|
#2 0x5633a798ffd6 in my_malloc /git/10.4/mysys/my_malloc.c:101
|
#3 0x5633a796bfd7 in reset_root_defaults /git/10.4/mysys/my_alloc.c:152
|
#4 0x5633a5d4fdb9 in THD::init_for_queries() /git/10.4/sql/sql_class.cc:1392
|
#5 0x5633a623d56c in prepare_new_connection_state(THD*) /git/10.4/sql/sql_connect.cc:1247
|
#6 0x5633a623dc12 in thd_prepare_connection(THD*) /git/10.4/sql/sql_connect.cc:1331
|
#7 0x5633a623e255 in do_handle_one_connection(CONNECT*) /git/10.4/sql/sql_connect.cc:1402
|
#8 0x5633a623dbcc in handle_one_connection /git/10.4/sql/sql_connect.cc:1316
|
#9 0x5633a787a4d0 in pfs_spawn_thread /git/10.4/storage/perfschema/pfs.cc:1869
|
#10 0x7f115153ffa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
|
|
Thread T5 created by T0 here:
|
#0 0x7f11515a9db0 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
|
#1 0x5633a787a8bd in spawn_thread_v1 /git/10.4/storage/perfschema/pfs.cc:1919
|
#2 0x5633a5b7c7b5 in inline_mysql_thread_create /git/10.4/include/mysql/psi/mysql_thread.h:1275
|
#3 0x5633a5b93b10 in create_thread_to_handle_connection(CONNECT*) /git/10.4/sql/mysqld.cc:6259
|
#4 0x5633a5b94265 in create_new_thread(CONNECT*) /git/10.4/sql/mysqld.cc:6329
|
#5 0x5633a5b9473f in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /git/10.4/sql/mysqld.cc:6427
|
#6 0x5633a5b955ec in handle_connections_sockets() /git/10.4/sql/mysqld.cc:6585
|
#7 0x5633a5b93274 in mysqld_main(int, char**) /git/10.4/sql/mysqld.cc:5917
|
#8 0x5633a5b7a684 in main /git/10.4/sql/main.cc:25
|
#9 0x7f1150a7109a in __libc_start_main ../csu/libc-start.c:308
|
|
SUMMARY: AddressSanitizer: use-after-poison (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xa854f)
|
Shadow bytes around the buggy address:
|
0x0c5680004520: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5680004530: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5680004540: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5680004550: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5680004560: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
=>0x0c5680004570: f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5680004580: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5680004590: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c56800045a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c56800045b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c56800045c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
==58044==ABORTING
|
----------SERVER LOG END-------------
|
|