MariaDB Server / MDEV-24349

ASAN use-after-poison in require_quotes or Item::print_item_w_name or Assertion `name.length == strlen(name.str)' failed

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Cannot Reproduce
    • 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL), 11.1(EOL), 11.2(EOL), 11.3(EOL), 11.4
    • 10.11.12
    • Optimizer

    Description

      Note: There is MDEV-22380 about the assertion failure mentioned below, but the situation seems to be different here. First, the failures described here started happening recently (see details below); and secondly, the test cases from MDEV-22380 don't seem to cause ASAN errors, while the one in this report does.

      CREATE TABLE t (f INT);
      INSERT INTO t VALUES (1),(2);
      CREATE VIEW v1 AS SELECT * FROM t WHERE f IS NULL;
      CREATE VIEW v2 AS SELECT * FROM v1 UNION SELECT * FROM t;
      PREPARE stmt FROM "SELECT * FROM v2 WHERE f <= 1 OR f > 9";
      SET optimizer_trace= 'enabled=on';
      EXECUTE stmt;
      EXECUTE stmt;
       
      # Cleanup
      DROP VIEW v2;
      DROP VIEW v1;
      DROP TABLE t;
      

      10.4 a50cb486 non-debug ASAN

      ==2312009==ERROR: AddressSanitizer: use-after-poison on address 0x62b000063a00 at pc 0x5644bc7b5a99 bp 0x7f9d25e52280 sp 0x7f9d25e52270
      READ of size 1 at 0x62b000063a00 thread T5
          #0 0x5644bc7b5a98 in require_quotes /data/src/10.4/sql/sql_show.cc:1616
          #1 0x5644bc7b5a98 in get_quote_char_for_identifier(THD*, char const*, unsigned long) /data/src/10.4/sql/sql_show.cc:1726
          #2 0x5644bc7b5b74 in append_identifier(THD*, String*, char const*, unsigned long) /data/src/10.4/sql/sql_show.cc:1647
          #3 0x5644bc776114 in st_select_lex::print(THD*, String*, enum_query_type) /data/src/10.4/sql/sql_select.cc:27501
          #4 0x5644bcb740d1 in opt_trace_print_expanded_query(THD*, st_select_lex*, Json_writer_object*) /data/src/10.4/sql/opt_trace.cc:115
          #5 0x5644bc7555d4 in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.4/sql/sql_select.cc:1495
          #6 0x5644bc8a4cfc in st_select_lex_unit::prepare_join(THD*, st_select_lex*, select_result*, unsigned long, bool) /data/src/10.4/sql/sql_union.cc:655
          #7 0x5644bc8b2af3 in st_select_lex_unit::prepare(TABLE_LIST*, select_result*, unsigned long) /data/src/10.4/sql/sql_union.cc:1082
          #8 0x5644bc53c98f in mysql_derived_prepare /data/src/10.4/sql/sql_derived.cc:816
          #9 0x5644bc538eef in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /data/src/10.4/sql/sql_derived.cc:206
          #10 0x5644bc59f155 in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /data/src/10.4/sql/sql_lex.h:4339
          #11 0x5644bc59f155 in st_select_lex::handle_derived(LEX*, unsigned int) /data/src/10.4/sql/sql_lex.cc:4275
          #12 0x5644bc7513c6 in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.4/sql/sql_select.cc:1152
          #13 0x5644bc79966f in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4662
          #14 0x5644bc79a554 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:410
          #15 0x5644bc5f9c12 in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6398
          #16 0x5644bc62a062 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3925
          #17 0x5644bc676818 in Prepared_statement::execute(String*, bool) /data/src/10.4/sql/sql_prepare.cc:4970
          #18 0x5644bc6770d7 in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.4/sql/sql_prepare.cc:4439
          #19 0x5644bc677dd6 in mysql_sql_stmt_execute(THD*) /data/src/10.4/sql/sql_prepare.cc:3556
          #20 0x5644bc61db96 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3941
          #21 0x5644bc63460f in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7936
          #22 0x5644bc63d24f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1839
          #23 0x5644bc64306a in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1357
          #24 0x5644bc9ab0a6 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412
          #25 0x5644bc9ab62e in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
          #26 0x5644bde12228 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
          #27 0x7f9d2fcdd608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
          #28 0x7f9d2f546292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
       
      0x62b000063a00 is located 6144 bytes inside of 24608-byte region [0x62b000062200,0x62b000068220)
      allocated by thread T5 here:
          #0 0x7f9d2fed3bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
          #1 0x5644bdee34a6 in my_malloc /data/src/10.4/mysys/my_malloc.c:101
          #2 0x5644bdecec9c in reset_root_defaults /data/src/10.4/mysys/my_alloc.c:152
          #3 0x5644bc4fe699 in THD::init_for_queries() /data/src/10.4/sql/sql_class.cc:1392
          #4 0x5644bc9a95b6 in prepare_new_connection_state(THD*) /data/src/10.4/sql/sql_connect.cc:1247
          #5 0x5644bc9aa097 in thd_prepare_connection(THD*) /data/src/10.4/sql/sql_connect.cc:1331
          #6 0x5644bc9aa097 in thd_prepare_connection(THD*) /data/src/10.4/sql/sql_connect.cc:1320
          #7 0x5644bc9ab056 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1402
          #8 0x5644bc9ab62e in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
          #9 0x5644bde12228 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
          #10 0x7f9d2fcdd608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
       
      Thread T5 created by T0 here:
          #0 0x7f9d2fe00805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
          #1 0x5644bde19d7e in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919
          #2 0x5644bc3968ae in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275
          #3 0x5644bc3968ae in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6259
          #4 0x5644bc3a2c82 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6329
          #5 0x5644bc3a32a2 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6427
          #6 0x5644bc3a43bd in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6585
          #7 0x5644bc3a5e2c in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5917
          #8 0x7f9d2f44b0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
       
      SUMMARY: AddressSanitizer: use-after-poison /data/src/10.4/sql/sql_show.cc:1616 in require_quotes
      Shadow bytes around the buggy address:
        0x0c56800046f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c5680004700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c5680004710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c5680004720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c5680004730: 00 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 f7
      =>0x0c5680004740:[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5680004750: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5680004760: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5680004770: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5680004780: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5680004790: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==2312009==ABORTING
      

      10.4 a50cb486 debug ASAN

      ==2312133==ERROR: AddressSanitizer: use-after-poison on address 0x62b000063a68 at pc 0x7faac7326a6d bp 0x7faabd198d30 sp 0x7faabd1984d8
      READ of size 2 at 0x62b000063a68 thread T5
          #0 0x7faac7326a6c  (/lib/x86_64-linux-gnu/libasan.so.5+0x67a6c)
          #1 0x5633155cf97f in Item::print_item_w_name(String*, enum_query_type) /data/src/10.4/sql/item.cc:505
          #2 0x563314f00684 in st_select_lex::print(THD*, String*, enum_query_type) /data/src/10.4/sql/sql_select.cc:27501
          #3 0x56331534f666 in opt_trace_print_expanded_query(THD*, st_select_lex*, Json_writer_object*) /data/src/10.4/sql/opt_trace.cc:115
          #4 0x563314e35b1a in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.4/sql/sql_select.cc:1495
          #5 0x5633150332eb in st_select_lex_unit::prepare_join(THD*, st_select_lex*, select_result*, unsigned long, bool) /data/src/10.4/sql/sql_union.cc:655
          #6 0x563315037672 in st_select_lex_unit::prepare(TABLE_LIST*, select_result*, unsigned long) /data/src/10.4/sql/sql_union.cc:1082
          #7 0x563314cb07fc in mysql_derived_prepare /data/src/10.4/sql/sql_derived.cc:816
          #8 0x563314caca12 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /data/src/10.4/sql/sql_derived.cc:206
          #9 0x5633150bea04 in TABLE_LIST::handle_derived(LEX*, unsigned int) /data/src/10.4/sql/table.cc:8844
          #10 0x563314cf4023 in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /data/src/10.4/sql/sql_lex.h:4339
          #11 0x563314d15a40 in st_select_lex::handle_derived(LEX*, unsigned int) /data/src/10.4/sql/sql_lex.cc:4275
          #12 0x563314e3143d in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.4/sql/sql_select.cc:1152
          #13 0x563314e57d53 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4662
          #14 0x563314e2978b in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:410
          #15 0x563314d99307 in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6398
          #16 0x563314d86b5f in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3925
          #17 0x563314df5cf6 in Prepared_statement::execute(String*, bool) /data/src/10.4/sql/sql_prepare.cc:4970
          #18 0x563314df11b6 in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.4/sql/sql_prepare.cc:4439
          #19 0x563314deb199 in mysql_sql_stmt_execute(THD*) /data/src/10.4/sql/sql_prepare.cc:3556
          #20 0x563314d86ba4 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3941
          #21 0x563314da2758 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7936
          #22 0x563314d79445 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1839
          #23 0x563314d75ef4 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1357
          #24 0x5633151674ef in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412
          #25 0x563315166d93 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
          #26 0x56331681cb6c in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
          #27 0x7faac71d6608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
          #28 0x7faac6a3f292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
       
      0x62b000063a68 is located 6248 bytes inside of 24716-byte region [0x62b000062200,0x62b00006828c)
      allocated by thread T5 here:
          #0 0x7faac73ccbc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
          #1 0x56331696b256 in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
          #2 0x563316939096 in my_malloc /data/src/10.4/mysys/my_malloc.c:101
          #3 0x5633169142b3 in reset_root_defaults /data/src/10.4/mysys/my_alloc.c:152
          #4 0x563314c60425 in THD::init_for_queries() /data/src/10.4/sql/sql_class.cc:1392
          #5 0x5633151666fd in prepare_new_connection_state(THD*) /data/src/10.4/sql/sql_connect.cc:1247
          #6 0x563315166ddd in thd_prepare_connection(THD*) /data/src/10.4/sql/sql_connect.cc:1331
          #7 0x56331516741a in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1402
          #8 0x563315166d93 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
          #9 0x56331681cb6c in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
          #10 0x7faac71d6608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
       
      Thread T5 created by T0 here:
          #0 0x7faac72f9805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
          #1 0x56331681cf5d in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919
          #2 0x563314a7fc78 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275
          #3 0x563314a9784c in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6259
          #4 0x563314a97fe7 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6329
          #5 0x563314a984cd in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6427
          #6 0x563314a99366 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6585
          #7 0x563314a96f51 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5917
          #8 0x563314a7dbec in main /data/src/10.4/sql/main.cc:25
          #9 0x7faac69440b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
       
      SUMMARY: AddressSanitizer: use-after-poison (/lib/x86_64-linux-gnu/libasan.so.5+0x67a6c) 
      Shadow bytes around the buggy address:
        0x0c56800046f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c5680004700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c5680004710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c5680004720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c5680004730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0c5680004740: 00 00 00 00 00 00 00 00 00 f7 00 00 f7[f7]f7 f7
        0x0c5680004750: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5680004760: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5680004770: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5680004780: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5680004790: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==2312133==ABORTING
      

      10.4 a50cb486 non-ASAN debug

      mysqld: /data/src/10.4/sql/item.cc:505: void Item::print_item_w_name(String*, enum_query_type): Assertion `name.length == strlen(name.str)' failed.
      201204 15:48:04 [ERROR] mysqld got signal 6 ;
       
      #7  0x00007f39c058ef36 in __GI___assert_fail (assertion=0x5624fc826dc0 "name.length == strlen(name.str)", file=0x5624fc826d04 "/data/src/10.4/sql/item.cc", line=505, function=0x5624fc826de0 "void Item::print_item_w_name(String*, enum_query_type)") at assert.c:101
      #8  0x00005624fbd0ad57 in Item::print_item_w_name (this=0x7f39a806b730, str=0x7f39ba55aed0, query_type=1037) at /data/src/10.4/sql/item.cc:505
      #9  0x00005624fba17140 in st_select_lex::print (this=0x7f39a8061870, thd=0x7f39a8000d90, str=0x7f39ba55aed0, query_type=1037) at /data/src/10.4/sql/sql_select.cc:27501
      #10 0x00005624fbbdfdbd in opt_trace_print_expanded_query (thd=0x7f39a8000d90, select_lex=0x7f39a8061870, writer=0x7f39ba55b470) at /data/src/10.4/sql/opt_trace.cc:115
      #11 0x00005624fb9cc365 in JOIN::prepare (this=0x7f39a80145e8, tables_init=0x7f39a8061cc8, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=true, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f39a8061870, unit_arg=0x7f39a80695d8) at /data/src/10.4/sql/sql_select.cc:1495
      #12 0x00005624fba8ee5e in st_select_lex_unit::prepare_join (this=0x7f39a80695d8, thd_arg=0x7f39a8000d90, sl=0x7f39a8061870, tmp_result=0x7f39a8013e10, additional_options=0, is_union_select=true) at /data/src/10.4/sql/sql_union.cc:655
      #13 0x00005624fba90a7c in st_select_lex_unit::prepare (this=0x7f39a80695d8, derived_arg=0x7f39a8067bc0, sel_result=0x7f39a8013d28, additional_options=0) at /data/src/10.4/sql/sql_union.cc:1082
      #14 0x00005624fb92979a in mysql_derived_prepare (thd=0x7f39a8000d90, lex=0x7f39a8065a10, derived=0x7f39a8067bc0) at /data/src/10.4/sql/sql_derived.cc:816
      #15 0x00005624fb927dcc in mysql_handle_single_derived (lex=0x7f39a8065a10, derived=0x7f39a8067bc0, phases=2) at /data/src/10.4/sql/sql_derived.cc:206
      #16 0x00005624fbac4062 in TABLE_LIST::handle_derived (this=0x7f39a8067bc0, lex=0x7f39a8065a10, phases=2) at /data/src/10.4/sql/table.cc:8844
      #17 0x00005624fb943898 in LEX::handle_list_of_derived (this=0x7f39a8065a10, table_list=0x7f39a8067bc0, phases=2) at /data/src/10.4/sql/sql_lex.h:4339
      #18 0x00005624fb950184 in st_select_lex::handle_derived (this=0x7f39a8067600, lex=0x7f39a8065a10, phases=2) at /data/src/10.4/sql/sql_lex.cc:4275
      #19 0x00005624fb9cab6f in JOIN::prepare (this=0x7f39a80137b8, tables_init=0x7f39a8067bc0, wild_num=0, conds_init=0x7f39a8013590, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f39a8067600, unit_arg=0x7f39a8065ad0) at /data/src/10.4/sql/sql_select.cc:1152
      #20 0x00005624fb9d7ead in mysql_select (thd=0x7f39a8000d90, tables=0x7f39a8067bc0, wild_num=0, fields=..., conds=0x7f39a8013590, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2416184064, result=0x7f39a8069390, unit=0x7f39a8065ad0, select_lex=0x7f39a8067600) at /data/src/10.4/sql/sql_select.cc:4662
      #21 0x00005624fb9c7a0d in handle_select (thd=0x7f39a8000d90, lex=0x7f39a8065a10, result=0x7f39a8069390, setup_tables_done_option=0) at /data/src/10.4/sql/sql_select.cc:410
      #22 0x00005624fb98cb46 in execute_sqlcom_select (thd=0x7f39a8000d90, all_tables=0x7f39a8067bc0) at /data/src/10.4/sql/sql_parse.cc:6398
      #23 0x00005624fb983113 in mysql_execute_command (thd=0x7f39a8000d90) at /data/src/10.4/sql/sql_parse.cc:3925
      #24 0x00005624fb9b1a42 in Prepared_statement::execute (this=0x7f39a8064f20, expanded_query=0x7f39ba55db30, open_cursor=false) at /data/src/10.4/sql/sql_prepare.cc:4970
      #25 0x00005624fb9afd4d in Prepared_statement::execute_loop (this=0x7f39a8064f20, expanded_query=0x7f39ba55db30, open_cursor=false, packet=0x0, packet_end=0x0) at /data/src/10.4/sql/sql_prepare.cc:4439
      #26 0x00005624fb9ad760 in mysql_sql_stmt_execute (thd=0x7f39a8000d90) at /data/src/10.4/sql/sql_prepare.cc:3556
      #27 0x00005624fb983158 in mysql_execute_command (thd=0x7f39a8000d90) at /data/src/10.4/sql/sql_parse.cc:3941
      #28 0x00005624fb990b51 in mysql_parse (thd=0x7f39a8000d90, rawbuf=0x7f39a8013458 "EXECUTE stmt", length=12, parser_state=0x7f39ba55e550, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:7936
      #29 0x00005624fb97ced5 in dispatch_command (command=COM_QUERY, thd=0x7f39a8000d90, packet=0x7f39a80087b1 "EXECUTE stmt", packet_length=12, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1839
      #30 0x00005624fb97b73d in do_command (thd=0x7f39a8000d90) at /data/src/10.4/sql/sql_parse.cc:1357
      #31 0x00005624fbb0a631 in do_handle_one_connection (connect=0x5624fdf300b0) at /data/src/10.4/sql/sql_connect.cc:1412
      #32 0x00005624fbb0a37a in handle_one_connection (arg=0x5624fdf300b0) at /data/src/10.4/sql/sql_connect.cc:1316
      #33 0x00005624fc529e30 in pfs_spawn_thread (arg=0x5624fde7d8e0) at /data/src/10.4/storage/perfschema/pfs.cc:1869
      #34 0x00007f39c0e0f609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #35 0x00007f39c067a293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      Reproducible on 10.4+ with at least MyISAM and InnoDB.
      The test case is not applicable to earlier versions due to the use of optimizer trace, and I wasn't able to convert the test case below into a non-optimizer-trace variation the same way as MDEV-22380 suggests. However, the failure started happening in 10.4 after the merge below, so it's possible that the root cause is also present in earlier versions.

      commit 589cf8dbf3accf57673d7e2f7a4435f7eaf33565
      Merge: a3531775b1e e30a05f4540
      Author: Marko Mäkelä <marko.makela@mariadb.com>
      Date:   Tue Dec 1 19:51:14 2020 +0200
       
          Merge 10.3 into 10.4
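
As an added example (not part of the original report and not MariaDB code), the following Python decodes the shadow-memory section of the two 10.4 a50cb486 ASAN reports above: it maps each faulting address to its shadow byte, checks that against the bracketed byte in the dump, and classifies the state using the report's legend. It assumes the default x86_64 Linux ASan mapping, shadow = (addr >> 3) + 0x7fff8000; the function names are hypothetical.

```python
import re

# Default ASan shadow mapping on x86_64 Linux (an assumption for other targets):
#   shadow = (addr >> 3) + 0x7fff8000, one shadow byte per 8 application bytes.
SHADOW_SCALE, SHADOW_OFFSET = 3, 0x7FFF8000

# Subset of the legend printed in the reports.
LEGEND = {0x00: "addressable", 0xFA: "heap left redzone",
          0xFD: "freed heap region", 0xF7: "poisoned by user"}

# Trimmed excerpts of the two 10.4 a50cb486 reports quoted in this issue.
NON_DEBUG = """\
==2312009==ERROR: AddressSanitizer: use-after-poison on address 0x62b000063a00 at pc 0x5644bc7b5a99 bp 0x7f9d25e52280 sp 0x7f9d25e52270
0x62b000063a00 is located 6144 bytes inside of 24608-byte region [0x62b000062200,0x62b000068220)
  0x0c5680004730: 00 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 f7
=>0x0c5680004740:[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5680004750: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
"""
DEBUG = """\
==2312133==ERROR: AddressSanitizer: use-after-poison on address 0x62b000063a68 at pc 0x7faac7326a6d bp 0x7faabd198d30 sp 0x7faabd1984d8
0x62b000063a68 is located 6248 bytes inside of 24716-byte region [0x62b000062200,0x62b00006828c)
  0x0c5680004730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5680004740: 00 00 00 00 00 00 00 00 00 f7 00 00 f7[f7]f7 f7
  0x0c5680004750: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
"""

FAULT_RE = re.compile(r"AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
REGION_RE = re.compile(r"is located (\d+) bytes inside of \d+-byte region "
                       r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
ROW_RE = re.compile(r"^(?:=>|[ \t]*)(0x[0-9a-f]+):(.*)$", re.M)
BYTE_RE = re.compile(r"(\[)?([0-9a-f]{2})\]?")


def shadow_address(addr):
    """Shadow byte address that describes the 8-byte granule holding addr."""
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET


def granule(shadow):
    """Inclusive application address range covered by one shadow byte."""
    start = (shadow - SHADOW_OFFSET) << SHADOW_SCALE
    return start, start + (1 << SHADOW_SCALE) - 1


def analyse(report):
    kind, fault = FAULT_RE.search(report).groups()
    fault = int(fault, 16)
    inside, lo, hi = REGION_RE.search(report).groups()
    lo, hi = int(lo, 16), int(hi, 16)

    shadow, marked = {}, None
    for row_addr, rest in ROW_RE.findall(report):
        base = int(row_addr, 16)
        for i, m in enumerate(BYTE_RE.finditer(rest)):
            shadow[base + i] = int(m.group(2), 16)
            if m.group(1):                     # the [xx] byte ASan highlights
                marked = base + i

    computed = shadow_address(fault)

    # Walk down to the nearest granule that still has addressable bytes
    # (shadow value 0 = all 8 bytes, 1..7 = only the first k bytes).
    below = computed - 1
    while below in shadow and shadow[below] > 7:
        below -= 1
    last_live = None
    if below in shadow:
        last_live = granule(below)[0] + (shadow[below] or 8) - 1

    return {
        "kind": kind,
        "shadow_matches_dump": computed == marked,
        "state": LEGEND.get(shadow.get(computed), "other"),
        "offset_matches": fault - lo == int(inside),
        "in_live_malloc_region": lo <= fault < hi,
        "fault_granule": granule(computed),
        "last_live_byte_below": last_live,
    }


if __name__ == "__main__":
    for name, text in (("non-debug", NON_DEBUG), ("debug", DEBUG)):
        r = analyse(text)
        print(name, {k: (hex(v) if isinstance(v, int) and not isinstance(v, bool)
                         else v) for k, v in r.items()})
```

Both reports resolve to an f7 granule inside a region that is still malloc'ed, which is why ASan reports use-after-poison rather than heap-use-after-free.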
      

          Activity

            A variation of apparently the same problem:

            SET optimizer_trace= 'enabled=on';
             
            PREPARE stmt FROM 'SELECT tbl.x509_subject AS fld FROM mysql.user AS tbl GROUP BY fld HAVING 0 AND fld != 1';
             
            EXECUTE stmt;
            EXECUTE stmt;
            

            10.4 2eae1376

            ==3144494==ERROR: AddressSanitizer: use-after-poison on address 0x62b0000652e0 at pc 0x564cf30f57b0 bp 0x7f085f258a10 sp 0x7f085f258a00
            READ of size 1 at 0x62b0000652e0 thread T5
                #0 0x564cf30f57af in get_hash_symbol /dev/shm/tmp_build/sql/lex_hash.h:7870
                #1 0x564cf30faf2c in is_keyword(char const*, unsigned int) /data/src/10.4/sql/sql_lex.cc:921
                #2 0x564cf332df50 in get_quote_char_for_identifier(THD*, char const*, unsigned long) /data/src/10.4/sql/sql_show.cc:1725
                #3 0x564cf332db0b in append_identifier(THD*, String*, char const*, unsigned long) /data/src/10.4/sql/sql_show.cc:1647
                #4 0x564cf39c6fab in append_identifier /data/src/10.4/sql/sql_show.h:88
                #5 0x564cf3a0b2df in Item_ref::print(String*, enum_query_type) /data/src/10.4/sql/item.cc:8098
                #6 0x564cf39cae46 in Item::print_parenthesised(String*, enum_query_type, precedence) /data/src/10.4/sql/item.cc:487
                #7 0x564cf3ad01b5 in Item_func::print_op(String*, enum_query_type) /data/src/10.4/sql/item_func.cc:619
                #8 0x564cf3a863be in Item_bool_rowready_func2::print(String*, enum_query_type) /data/src/10.4/sql/item_cmpfunc.h:521
                #9 0x564cf39cae46 in Item::print_parenthesised(String*, enum_query_type, precedence) /data/src/10.4/sql/item.cc:487
                #10 0x564cf3a6f41a in Item_cond::print(String*, enum_query_type) /data/src/10.4/sql/item_cmpfunc.cc:5170
                #11 0x564cf32f8aca in st_select_lex::print(THD*, String*, enum_query_type) /data/src/10.4/sql/sql_select.cc:27658
                #12 0x564cf37496b8 in opt_trace_print_expanded_query(THD*, st_select_lex*, Json_writer_object*) /data/src/10.4/sql/opt_trace.cc:115
                #13 0x564cf322d23e in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.4/sql/sql_select.cc:1496
                #14 0x564cf324f5dc in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4670
                #15 0x564cf3220eaf in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:410
                #16 0x564cf3190996 in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6443
                #17 0x564cf317e6a0 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3962
                #18 0x564cf31ed226 in Prepared_statement::execute(String*, bool) /data/src/10.4/sql/sql_prepare.cc:4996
                #19 0x564cf31e86e6 in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.4/sql/sql_prepare.cc:4465
                #20 0x564cf31e25f5 in mysql_sql_stmt_execute(THD*) /data/src/10.4/sql/sql_prepare.cc:3566
                #21 0x564cf317e6e5 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3978
                #22 0x564cf3199e42 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7989
                #23 0x564cf3170a15 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1855
                #24 0x564cf316d4c4 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1373
                #25 0x564cf35605ec in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412
                #26 0x564cf355fe90 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
                #27 0x564cf4c25d74 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
                #28 0x7f086928d608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
                #29 0x7f0868af8292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
             
            0x62b0000652e0 is located 12512 bytes inside of 24716-byte region [0x62b000062200,0x62b00006828c)
            allocated by thread T5 here:
                #0 0x7f08694e7bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
                #1 0x564cf4d74314 in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
                #2 0x564cf4d42178 in my_malloc /data/src/10.4/mysys/my_malloc.c:101
                #3 0x564cf4d1d395 in reset_root_defaults /data/src/10.4/mysys/my_alloc.c:152
                #4 0x564cf3057873 in THD::init_for_queries() /data/src/10.4/sql/sql_class.cc:1395
                #5 0x564cf355f7fa in prepare_new_connection_state(THD*) /data/src/10.4/sql/sql_connect.cc:1247
                #6 0x564cf355feda in thd_prepare_connection(THD*) /data/src/10.4/sql/sql_connect.cc:1331
                #7 0x564cf3560517 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1402
                #8 0x564cf355fe90 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
                #9 0x564cf4c25d74 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
                #10 0x7f086928d608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
             
            Thread T5 created by T0 here:
                #0 0x7f0869414805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
                #1 0x564cf4c26165 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919
                #2 0x564cf2e76b1f in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275
                #3 0x564cf2e8e843 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6243
                #4 0x564cf2e8efde in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6313
                #5 0x564cf2e8f4c4 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6411
                #6 0x564cf2e9035d in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6569
                #7 0x564cf2e8df48 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5901
                #8 0x564cf2e74d6c in main /data/src/10.4/sql/main.cc:25
                #9 0x7f08689fd0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
             
            SUMMARY: AddressSanitizer: use-after-poison /dev/shm/tmp_build/sql/lex_hash.h:7870 in get_hash_symbol
            Shadow bytes around the buggy address:
              0x0c5680004a00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c5680004a10: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c5680004a20: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c5680004a30: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c5680004a40: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
            =>0x0c5680004a50: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7
              0x0c5680004a60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c5680004a70: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c5680004a80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c5680004a90: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c5680004aa0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable:           00
              Partially addressable: 01 02 03 04 05 06 07 
              Heap left redzone:       fa
              Freed heap region:       fd
              Stack left redzone:      f1
              Stack mid redzone:       f2
              Stack right redzone:     f3
              Stack after return:      f5
              Stack use after scope:   f8
              Global redzone:          f9
              Global init order:       f6
              Poisoned by user:        f7
              Container overflow:      fc
              Array cookie:            ac
              Intra object redzone:    bb
              ASan internal:           fe
              Left alloca redzone:     ca
              Right alloca redzone:    cb
              Shadow gap:              cc
            ==3144494==ABORTING
            210325  0:45:13 [ERROR] mysqld got signal 6 ;
            This could be because you hit a bug. It is also possible that this binary
            or one of the libraries it was linked against is corrupt, improperly built,
            or misconfigured. This error can also be caused by malfunctioning hardware.
             
            To report this bug, see https://mariadb.com/kb/en/reporting-bugs
             
            We will try our best to scrape up some info that will hopefully help
            diagnose the problem, but since we have already crashed, 
            something is definitely wrong and this may fail.
             
            Server version: 10.4.19-MariaDB-debug-log
            key_buffer_size=1048576
            read_buffer_size=131072
            max_used_connections=1
            max_threads=153
            thread_count=1
            It is possible that mysqld could use up to 
            key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 63647 K  bytes of memory
            Hope that's ok; if not, decrease some variables in the equation.
             
            Thread pointer: 0x62b00005b270
            Attempting backtrace. You can use the following information to find out
            where mysqld died. If you see no messages after this, something went
            terribly wrong...
            stack_bottom = 0x7f085f25e990 thread_stack 0x5fc00
            /lib/x86_64-linux-gnu/libasan.so.5(+0x6cd30)[0x7f0869446d30]
            mysys/stacktrace.c:174(my_print_stacktrace)[0x564cf4d5201a]
            sql/signal_handler.cc:210(handle_fatal_signal)[0x564cf3978cab]
            sigaction.c:0(__restore_rt)[0x7f08692993c0]
            /lib/x86_64-linux-gnu/libc.so.6(gsignal+0xcb)[0x7f0868a1c18b]
            /lib/x86_64-linux-gnu/libc.so.6(abort+0x12b)[0x7f08689fb859]
            /lib/x86_64-linux-gnu/libasan.so.5(+0x12b6a2)[0x7f08695056a2]
            /lib/x86_64-linux-gnu/libasan.so.5(+0x13624c)[0x7f086951024c]
            /lib/x86_64-linux-gnu/libasan.so.5(+0x1178ec)[0x7f08694f18ec]
            /lib/x86_64-linux-gnu/libasan.so.5(+0x117363)[0x7f08694f1363]
            /lib/x86_64-linux-gnu/libasan.so.5(__asan_report_load1+0x3b)[0x7f08694f1e4b]
            sql/lex_hash.h:7870(get_hash_symbol(char const*, unsigned int, bool))[0x564cf30f57b0]
            sql/sql_lex.cc:921(is_keyword(char const*, unsigned int))[0x564cf30faf2d]
            sql/sql_show.cc:1725(get_quote_char_for_identifier(THD*, char const*, unsigned long))[0x564cf332df51]
            sql/sql_show.cc:1647(append_identifier(THD*, String*, char const*, unsigned long))[0x564cf332db0c]
            sql/sql_show.h:89(append_identifier(THD*, String*, st_mysql_const_lex_string const*))[0x564cf39c6fac]
            sql/item.cc:8105(Item_ref::print(String*, enum_query_type))[0x564cf3a0b2e0]
            sql/item.cc:488(Item::print_parenthesised(String*, enum_query_type, precedence))[0x564cf39cae47]
            sql/item_func.cc:620(Item_func::print_op(String*, enum_query_type))[0x564cf3ad01b6]
            sql/item_cmpfunc.h:522(Item_bool_rowready_func2::print(String*, enum_query_type))[0x564cf3a863bf]
            sql/item.cc:488(Item::print_parenthesised(String*, enum_query_type, precedence))[0x564cf39cae47]
            sql/item_cmpfunc.cc:5165(Item_cond::print(String*, enum_query_type))[0x564cf3a6f41b]
            sql/sql_select.cc:27658(st_select_lex::print(THD*, String*, enum_query_type))[0x564cf32f8acb]
            sql/opt_trace.cc:120(opt_trace_print_expanded_query(THD*, st_select_lex*, Json_writer_object*))[0x564cf37496b9]
            sql/sql_select.cc:1495(JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x564cf322d23f]
            sql/sql_select.cc:4670(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x564cf324f5dd]
            sql/sql_select.cc:410(handle_select(THD*, LEX*, select_result*, unsigned long))[0x564cf3220eb0]
            sql/sql_parse.cc:6443(execute_sqlcom_select(THD*, TABLE_LIST*))[0x564cf3190997]
            sql/sql_parse.cc:3962(mysql_execute_command(THD*))[0x564cf317e6a1]
            sql/sql_prepare.cc:4996(Prepared_statement::execute(String*, bool))[0x564cf31ed227]
            sql/sql_prepare.cc:4465(Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*))[0x564cf31e86e7]
            sql/sql_prepare.cc:3567(mysql_sql_stmt_execute(THD*))[0x564cf31e25f6]
            sql/sql_parse.cc:3979(mysql_execute_command(THD*))[0x564cf317e6e6]
            sql/sql_parse.cc:7989(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x564cf3199e43]
            sql/sql_parse.cc:1858(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x564cf3170a16]
            sql/sql_parse.cc:1373(do_command(THD*))[0x564cf316d4c5]
            sql/sql_connect.cc:1412(do_handle_one_connection(CONNECT*))[0x564cf35605ed]
            sql/sql_connect.cc:1317(handle_one_connection)[0x564cf355fe91]
            perfschema/pfs.cc:1871(pfs_spawn_thread)[0x564cf4c25d75]
            nptl/pthread_create.c:478(start_thread)[0x7f086928d609]
            /lib/x86_64-linux-gnu/libc.so.6(clone+0x43)[0x7f0868af8293]
             
            Trying to get some variables.
            Some pointers may be invalid and cause the dump to abort.
            Query (0x62b000062328): SELECT tbl.x509_subject AS fld FROM mysql.user AS tbl GROUP BY fld HAVING 0 AND fld != 1
             
            Connection ID (thread ID): 4
            Status: NOT_KILLED
             
            Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on
             
            The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains
            information that should help you find out what is causing the crash.
            Writing a core file...
            Working directory at /dev/shm/var_auto_hdYz/mysqld.1/data
            Resource Limits:
            Limit                     Soft Limit           Hard Limit           Units     
            Max cpu time              unlimited            unlimited            seconds   
            Max file size             unlimited            unlimited            bytes     
            Max data size             unlimited            unlimited            bytes     
            Max stack size            8388608              unlimited            bytes     
            Max core file size        unlimited            unlimited            bytes     
            Max resident set          unlimited            unlimited            bytes     
            Max processes             385874               385874               processes 
            Max open files            1024                 1024                 files     
            Max locked memory         67108864             67108864             bytes     
            Max address space         unlimited            unlimited            bytes     
            Max file locks            unlimited            unlimited            locks     
            Max pending signals       385874               385874               signals   
            Max msgqueue size         819200               819200               bytes     
            Max nice priority         0                    0                    
            Max realtime priority     0                    0                    
            Max realtime timeout      unlimited            unlimited            us        
            Core pattern: |/usr/share/apport/apport %p %s %c %d %P %E
             
            ----------SERVER LOG END-------------
             
             
             - found 'core' (0/5)
             
            Trying 'dbx' to get a backtrace
             
            Trying 'gdb' to get a backtrace from coredump /mnt-hd8t/bld/10.4-asan-nightly/mysql-test/var/log/bug.hash2/mysqld.1/data/core
            Core generated by '/mnt-hd8t/bld/10.4-asan-nightly/bin/mysqld'
            Output from gdb follows. The first stack trace is from the failing thread.
            The following stack traces are from all threads (so the failing one is
            duplicated).
            --------------------------
            [New LWP 3144501]
            [New LWP 3144494]
            [New LWP 3144495]
            [New LWP 3144498]
            [New LWP 3144496]
            [New LWP 3144497]
            [Thread debugging using libthread_db enabled]
            Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
            Core was generated by `/mnt-hd8t/bld/10.4-asan-nightly/bin/mysqld --defaults-group-suffix=.1 --default'.
            Program terminated with signal SIGABRT, Aborted.
            #0  __pthread_kill (threadid=<optimized out>, signo=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
            56	../sysdeps/unix/sysv/linux/pthread_kill.c: No such file or directory.
            [Current thread is 1 (Thread 0x7f085f25f300 (LWP 3144501))]
            #0  __pthread_kill (threadid=<optimized out>, signo=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
            #1  0x0000564cf4d5219c in my_write_core (sig=6) at /data/src/10.4/mysys/stacktrace.c:386
            #2  0x0000564cf39792a2 in handle_fatal_signal (sig=6) at /data/src/10.4/sql/signal_handler.cc:344
            #3  <signal handler called>
            #4  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
            #5  0x00007f08689fb859 in __GI_abort () at abort.c:79
            #6  0x00007f08695056a2 in ?? () from /lib/x86_64-linux-gnu/libasan.so.5
            #7  0x00007f086951024c in ?? () from /lib/x86_64-linux-gnu/libasan.so.5
            #8  0x00007f08694f18ec in ?? () from /lib/x86_64-linux-gnu/libasan.so.5
            #9  0x00007f08694f1363 in ?? () from /lib/x86_64-linux-gnu/libasan.so.5
            #10 0x00007f08694f1e4b in __asan_report_load1 () from /lib/x86_64-linux-gnu/libasan.so.5
            #11 0x0000564cf30f57b0 in get_hash_symbol (s=0x62b0000652e0 "fld", len=3, function=false) at /dev/shm/tmp_build/sql/lex_hash.h:7870
            #12 0x0000564cf30faf2d in is_keyword (name=0x62b0000652e0 "fld", len=3) at /data/src/10.4/sql/sql_lex.cc:921
            #13 0x0000564cf332df51 in get_quote_char_for_identifier (thd=0x62b00005b270, name=0x62b0000652e0 "fld", length=3) at /data/src/10.4/sql/sql_show.cc:1725
            #14 0x0000564cf332db0c in append_identifier (thd=0x62b00005b270, packet=0x7f085f258f30, name=0x62b0000652e0 "fld", length=3) at /data/src/10.4/sql/sql_show.cc:1647
            #15 0x0000564cf39c6fac in append_identifier (thd=0x62b00005b270, packet=0x7f085f258f30, name=0x62d0001af670) at /data/src/10.4/sql/sql_show.h:88
            #16 0x0000564cf3a0b2e0 in Item_ref::print (this=0x62b00008eed8, str=0x7f085f258f30, query_type=1037) at /data/src/10.4/sql/item.cc:8098
            #17 0x0000564cf39cae47 in Item::print_parenthesised (this=0x62b00008eed8, str=0x7f085f258f30, query_type=1037, parent_prec=CMP_PRECEDENCE) at /data/src/10.4/sql/item.cc:487
            #18 0x0000564cf3ad01b6 in Item_func::print_op (this=0x62b00008f088, str=0x7f085f258f30, query_type=1037) at /data/src/10.4/sql/item_func.cc:619
            #19 0x0000564cf3a863bf in Item_bool_rowready_func2::print (this=0x62b00008f088, str=0x7f085f258f30, query_type=1037) at /data/src/10.4/sql/item_cmpfunc.h:521
            #20 0x0000564cf39cae47 in Item::print_parenthesised (this=0x62b00008f088, str=0x7f085f258f30, query_type=1037, parent_prec=AND_PRECEDENCE) at /data/src/10.4/sql/item.cc:487
            #21 0x0000564cf3a6f41b in Item_cond::print (this=0x62b0000623e0, str=0x7f085f258f30, query_type=1037) at /data/src/10.4/sql/item_cmpfunc.cc:5170
            #22 0x0000564cf32f8acb in st_select_lex::print (this=0x62b00008df30, thd=0x62b00005b270, str=0x7f085f258f30, query_type=1037) at /data/src/10.4/sql/sql_select.cc:27658
            #23 0x0000564cf37496b9 in opt_trace_print_expanded_query (thd=0x62b00005b270, select_lex=0x62b00008df30, writer=0x7f085f259650) at /data/src/10.4/sql/opt_trace.cc:115
            #24 0x0000564cf322d23f in JOIN::prepare (this=0x62b000062648, tables_init=0x62b00008e5b8, wild_num=0, conds_init=0x0, og_num=1, order_init=0x0, skip_order_by=false, group_init=0x62b00008edc0, having_init=0x62b0000623e0, proc_param_init=0x0, select_lex_arg=0x62b00008df30, unit_arg=0x62b00008c360) at /data/src/10.4/sql/sql_select.cc:1496
            #25 0x0000564cf324f5dd in mysql_select (thd=0x62b00005b270, tables=0x62b00008e5b8, wild_num=0, fields=..., conds=0x0, og_num=1, order=0x0, group=0x62b00008edc0, having=0x62b0000623e0, proc_param=0x0, select_options=2416184064, result=0x62b00008fc48, unit=0x62b00008c360, select_lex=0x62b00008df30) at /data/src/10.4/sql/sql_select.cc:4670
            #26 0x0000564cf3220eb0 in handle_select (thd=0x62b00005b270, lex=0x62b00008c2a0, result=0x62b00008fc48, setup_tables_done_option=0) at /data/src/10.4/sql/sql_select.cc:410
            #27 0x0000564cf3190997 in execute_sqlcom_select (thd=0x62b00005b270, all_tables=0x62b00008e5b8) at /data/src/10.4/sql/sql_parse.cc:6443
            #28 0x0000564cf317e6a1 in mysql_execute_command (thd=0x62b00005b270) at /data/src/10.4/sql/sql_parse.cc:3962
            #29 0x0000564cf31ed227 in Prepared_statement::execute (this=0x61900008a2f0, expanded_query=0x7f085f25bbe0, open_cursor=false) at /data/src/10.4/sql/sql_prepare.cc:4996
            #30 0x0000564cf31e86e7 in Prepared_statement::execute_loop (this=0x61900008a2f0, expanded_query=0x7f085f25bbe0, open_cursor=false, packet=0x0, packet_end=0x0) at /data/src/10.4/sql/sql_prepare.cc:4465
            #31 0x0000564cf31e25f6 in mysql_sql_stmt_execute (thd=0x62b00005b270) at /data/src/10.4/sql/sql_prepare.cc:3566
            #32 0x0000564cf317e6e6 in mysql_execute_command (thd=0x62b00005b270) at /data/src/10.4/sql/sql_parse.cc:3978
            #33 0x0000564cf3199e43 in mysql_parse (thd=0x62b00005b270, rawbuf=0x62b000062290 "EXECUTE stmt", length=12, parser_state=0x7f085f25d810, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:7989
            #34 0x0000564cf3170a16 in dispatch_command (command=COM_QUERY, thd=0x62b00005b270, packet=0x62900023f271 "EXECUTE stmt", packet_length=12, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1855
            #35 0x0000564cf316d4c5 in do_command (thd=0x62b00005b270) at /data/src/10.4/sql/sql_parse.cc:1373
            #36 0x0000564cf35605ed in do_handle_one_connection (connect=0x6110000087b0) at /data/src/10.4/sql/sql_connect.cc:1412
            #37 0x0000564cf355fe91 in handle_one_connection (arg=0x6110000087b0) at /data/src/10.4/sql/sql_connect.cc:1316
            #38 0x0000564cf4c25d75 in pfs_spawn_thread (arg=0x61600000b7f0) at /data/src/10.4/storage/perfschema/pfs.cc:1869
            #39 0x00007f086928d609 in start_thread (arg=<optimized out>) at pthread_create.c:477
            #40 0x00007f0868af8293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
             
            Thread 6 (Thread 0x7f085f36f300 (LWP 3144497)):
            #0  0x00007f0868a1d322 in __GI___sigtimedwait (set=0x7f085f36e930, info=0x7f085f36e760, timeout=0x0) at ../sysdeps/unix/sysv/linux/sigtimedwait.c:29
            #1  0x00007f0869461111 in ?? () from /lib/x86_64-linux-gnu/libasan.so.5
            #2  0x0000564cf2e74e69 in my_sigwait (set=0x7f085f36e930, sig=0x7f085f36e8a0, code=0x7f085f36e8b0) at /data/src/10.4/include/my_pthread.h:196
            #3  0x0000564cf2e84ac8 in signal_hand (arg=0x0) at /data/src/10.4/sql/mysqld.cc:3224
            #4  0x0000564cf4c25d75 in pfs_spawn_thread (arg=0x6160000087f0) at /data/src/10.4/storage/perfschema/pfs.cc:1869
            #5  0x00007f086928d609 in start_thread (arg=<optimized out>) at pthread_create.c:477
            #6  0x00007f0868af8293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
             
            Thread 5 (Thread 0x7f085fb96700 (LWP 3144496)):
            #0  futex_abstimed_wait_cancelable (private=<optimized out>, abstime=0x7f085fb95c80, clockid=<optimized out>, expected=0, futex_word=0x564cf707dac8 <COND_checkpoint+40>) at ../sysdeps/nptl/futex-internal.h:320
            #1  __pthread_cond_wait_common (abstime=0x7f085fb95c80, clockid=<optimized out>, mutex=0x564cf707d9e8 <LOCK_checkpoint+40>, cond=0x564cf707daa0 <COND_checkpoint>) at pthread_cond_wait.c:520
            #2  __pthread_cond_timedwait (cond=0x564cf707daa0 <COND_checkpoint>, mutex=0x564cf707d9e8 <LOCK_checkpoint+40>, abstime=0x7f085fb95c80) at pthread_cond_wait.c:656
            #3  0x0000564cf4d60c9c in safe_cond_timedwait (cond=0x564cf707daa0 <COND_checkpoint>, mp=0x564cf707d9c0 <LOCK_checkpoint>, abstime=0x7f085fb95c80, file=0x564cf5846120 "/data/src/10.4/include/mysql/psi/mysql_thread.h", line=1211) at /data/src/10.4/mysys/thr_mutex.c:546
            #4  0x0000564cf48d0933 in inline_mysql_cond_timedwait (that=0x564cf707daa0 <COND_checkpoint>, mutex=0x564cf707d9c0 <LOCK_checkpoint>, abstime=0x7f085fb95c80, src_file=0x564cf58461a0 "/data/src/10.4/storage/maria/ma_servicethread.c", src_line=115) at /data/src/10.4/include/mysql/psi/mysql_thread.h:1211
            #5  0x0000564cf48d180e in my_service_thread_sleep (control=0x564cf64c2e20 <checkpoint_control>, sleep_time=29000000000) at /data/src/10.4/storage/maria/ma_servicethread.c:115
            #6  0x0000564cf48b32f2 in ma_checkpoint_background (arg=0x1e) at /data/src/10.4/storage/maria/ma_checkpoint.c:707
            #7  0x0000564cf4c25d75 in pfs_spawn_thread (arg=0x6160000066f0) at /data/src/10.4/storage/perfschema/pfs.cc:1869
            #8  0x00007f086928d609 in start_thread (arg=<optimized out>) at pthread_create.c:477
            #9  0x00007f0868af8293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
             
            Thread 4 (Thread 0x7f085f2d7300 (LWP 3144498)):
            #0  futex_wait_cancelable (private=<optimized out>, expected=0, futex_word=0x564cf67ae348 <COND_manager+40>) at ../sysdeps/nptl/futex-internal.h:183
            #1  __pthread_cond_wait_common (abstime=0x0, clockid=0, mutex=0x564cf67ae268 <LOCK_manager+40>, cond=0x564cf67ae320 <COND_manager>) at pthread_cond_wait.c:508
            #2  __pthread_cond_wait (cond=0x564cf67ae320 <COND_manager>, mutex=0x564cf67ae268 <LOCK_manager+40>) at pthread_cond_wait.c:638
            #3  0x0000564cf4d60363 in safe_cond_wait (cond=0x564cf67ae320 <COND_manager>, mp=0x564cf67ae240 <LOCK_manager>, file=0x564cf4fb25a0 "/data/src/10.4/include/mysql/psi/mysql_thread.h", line=1174) at /data/src/10.4/mysys/thr_mutex.c:492
            #4  0x0000564cf3162532 in inline_mysql_cond_wait (that=0x564cf67ae320 <COND_manager>, mutex=0x564cf67ae240 <LOCK_manager>, src_file=0x564cf4fb2fe0 "/data/src/10.4/sql/sql_manager.cc", src_line=102) at /data/src/10.4/include/mysql/psi/mysql_thread.h:1174
            #5  0x0000564cf3163018 in handle_manager (arg=0x0) at /data/src/10.4/sql/sql_manager.cc:102
            #6  0x0000564cf4c25d75 in pfs_spawn_thread (arg=0x616000009ff0) at /data/src/10.4/storage/perfschema/pfs.cc:1869
            #7  0x00007f086928d609 in start_thread (arg=<optimized out>) at pthread_create.c:477
            #8  0x00007f0868af8293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
             
            Thread 3 (Thread 0x7f08612b0700 (LWP 3144495)):
            #0  futex_abstimed_wait_cancelable (private=<optimized out>, abstime=0x7f08612afdd0, clockid=<optimized out>, expected=0, futex_word=0x564cf70a43c8 <COND_timer+40>) at ../sysdeps/nptl/futex-internal.h:320
            #1  __pthread_cond_wait_common (abstime=0x7f08612afdd0, clockid=<optimized out>, mutex=0x564cf70a42e8 <LOCK_timer+40>, cond=0x564cf70a43a0 <COND_timer>) at pthread_cond_wait.c:520
            #2  __pthread_cond_timedwait (cond=0x564cf70a43a0 <COND_timer>, mutex=0x564cf70a42e8 <LOCK_timer+40>, abstime=0x7f08612afdd0) at pthread_cond_wait.c:656
            #3  0x0000564cf4d60c9c in safe_cond_timedwait (cond=0x564cf70a43a0 <COND_timer>, mp=0x564cf70a42c0 <LOCK_timer>, abstime=0x7f08612afdd0, file=0x564cf5940520 "/data/src/10.4/include/mysql/psi/mysql_thread.h", line=1211) at /data/src/10.4/mysys/thr_mutex.c:546
            #4  0x0000564cf4d63ae9 in inline_mysql_cond_timedwait (that=0x564cf70a43a0 <COND_timer>, mutex=0x564cf70a42c0 <LOCK_timer>, abstime=0x7f08612afdd0, src_file=0x564cf59405c0 "/data/src/10.4/mysys/thr_timer.c", src_line=292) at /data/src/10.4/include/mysql/psi/mysql_thread.h:1211
            #5  0x0000564cf4d65a6d in timer_handler (arg=0x0) at /data/src/10.4/mysys/thr_timer.c:292
            #6  0x0000564cf4c25d75 in pfs_spawn_thread (arg=0x616000001ef0) at /data/src/10.4/storage/perfschema/pfs.cc:1869
            #7  0x00007f086928d609 in start_thread (arg=<optimized out>) at pthread_create.c:477
            #8  0x00007f0868af8293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
             
            Thread 2 (Thread 0x7f08689c8480 (LWP 3144494)):
            #0  0x00007f0868aebaff in __GI___poll (fds=0x7ffc109a6030, nfds=2, timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:29
            #1  0x00007f08694165ba in poll () from /lib/x86_64-linux-gnu/libasan.so.5
            #2  0x0000564cf2e8fc1e in handle_connections_sockets () at /data/src/10.4/sql/mysqld.cc:6465
            #3  0x0000564cf2e8df49 in mysqld_main (argc=<error reading variable: Cannot access memory at address 0x3d60>, argv=<error reading variable: Cannot access memory at address 0x3d70>) at /data/src/10.4/sql/mysqld.cc:5901
            #4  0x0000564cf2e74d6d in main (argc=6, argv=0x7ffc109a6478) at /data/src/10.4/sql/main.cc:25
             
            Thread 1 (Thread 0x7f085f25f300 (LWP 3144501)):
            #0  __pthread_kill (threadid=<optimized out>, signo=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
            #1  0x0000564cf4d5219c in my_write_core (sig=6) at /data/src/10.4/mysys/stacktrace.c:386
            #2  0x0000564cf39792a2 in handle_fatal_signal (sig=6) at /data/src/10.4/sql/signal_handler.cc:344
            #3  <signal handler called>
            #4  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
            #5  0x00007f08689fb859 in __GI_abort () at abort.c:79
            #6  0x00007f08695056a2 in ?? () from /lib/x86_64-linux-gnu/libasan.so.5
            #7  0x00007f086951024c in ?? () from /lib/x86_64-linux-gnu/libasan.so.5
            #8  0x00007f08694f18ec in ?? () from /lib/x86_64-linux-gnu/libasan.so.5
            #9  0x00007f08694f1363 in ?? () from /lib/x86_64-linux-gnu/libasan.so.5
            #10 0x00007f08694f1e4b in __asan_report_load1 () from /lib/x86_64-linux-gnu/libasan.so.5
            #11 0x0000564cf30f57b0 in get_hash_symbol (s=0x62b0000652e0 "fld", len=3, function=false) at /dev/shm/tmp_build/sql/lex_hash.h:7870
            #12 0x0000564cf30faf2d in is_keyword (name=0x62b0000652e0 "fld", len=3) at /data/src/10.4/sql/sql_lex.cc:921
            #13 0x0000564cf332df51 in get_quote_char_for_identifier (thd=0x62b00005b270, name=0x62b0000652e0 "fld", length=3) at /data/src/10.4/sql/sql_show.cc:1725
            #14 0x0000564cf332db0c in append_identifier (thd=0x62b00005b270, packet=0x7f085f258f30, name=0x62b0000652e0 "fld", length=3) at /data/src/10.4/sql/sql_show.cc:1647
            #15 0x0000564cf39c6fac in append_identifier (thd=0x62b00005b270, packet=0x7f085f258f30, name=0x62d0001af670) at /data/src/10.4/sql/sql_show.h:88
            #16 0x0000564cf3a0b2e0 in Item_ref::print (this=0x62b00008eed8, str=0x7f085f258f30, query_type=1037) at /data/src/10.4/sql/item.cc:8098
            #17 0x0000564cf39cae47 in Item::print_parenthesised (this=0x62b00008eed8, str=0x7f085f258f30, query_type=1037, parent_prec=CMP_PRECEDENCE) at /data/src/10.4/sql/item.cc:487
            #18 0x0000564cf3ad01b6 in Item_func::print_op (this=0x62b00008f088, str=0x7f085f258f30, query_type=1037) at /data/src/10.4/sql/item_func.cc:619
            #19 0x0000564cf3a863bf in Item_bool_rowready_func2::print (this=0x62b00008f088, str=0x7f085f258f30, query_type=1037) at /data/src/10.4/sql/item_cmpfunc.h:521
            #20 0x0000564cf39cae47 in Item::print_parenthesised (this=0x62b00008f088, str=0x7f085f258f30, query_type=1037, parent_prec=AND_PRECEDENCE) at /data/src/10.4/sql/item.cc:487
            #21 0x0000564cf3a6f41b in Item_cond::print (this=0x62b0000623e0, str=0x7f085f258f30, query_type=1037) at /data/src/10.4/sql/item_cmpfunc.cc:5170
            #22 0x0000564cf32f8acb in st_select_lex::print (this=0x62b00008df30, thd=0x62b00005b270, str=0x7f085f258f30, query_type=1037) at /data/src/10.4/sql/sql_select.cc:27658
            #23 0x0000564cf37496b9 in opt_trace_print_expanded_query (thd=0x62b00005b270, select_lex=0x62b00008df30, writer=0x7f085f259650) at /data/src/10.4/sql/opt_trace.cc:115
            #24 0x0000564cf322d23f in JOIN::prepare (this=0x62b000062648, tables_init=0x62b00008e5b8, wild_num=0, conds_init=0x0, og_num=1, order_init=0x0, skip_order_by=false, group_init=0x62b00008edc0, having_init=0x62b0000623e0, proc_param_init=0x0, select_lex_arg=0x62b00008df30, unit_arg=0x62b00008c360) at /data/src/10.4/sql/sql_select.cc:1496
            #25 0x0000564cf324f5dd in mysql_select (thd=0x62b00005b270, tables=0x62b00008e5b8, wild_num=0, fields=..., conds=0x0, og_num=1, order=0x0, group=0x62b00008edc0, having=0x62b0000623e0, proc_param=0x0, select_options=2416184064, result=0x62b00008fc48, unit=0x62b00008c360, select_lex=0x62b00008df30) at /data/src/10.4/sql/sql_select.cc:4670
            #26 0x0000564cf3220eb0 in handle_select (thd=0x62b00005b270, lex=0x62b00008c2a0, result=0x62b00008fc48, setup_tables_done_option=0) at /data/src/10.4/sql/sql_select.cc:410
            #27 0x0000564cf3190997 in execute_sqlcom_select (thd=0x62b00005b270, all_tables=0x62b00008e5b8) at /data/src/10.4/sql/sql_parse.cc:6443
            #28 0x0000564cf317e6a1 in mysql_execute_command (thd=0x62b00005b270) at /data/src/10.4/sql/sql_parse.cc:3962
            #29 0x0000564cf31ed227 in Prepared_statement::execute (this=0x61900008a2f0, expanded_query=0x7f085f25bbe0, open_cursor=false) at /data/src/10.4/sql/sql_prepare.cc:4996
            #30 0x0000564cf31e86e7 in Prepared_statement::execute_loop (this=0x61900008a2f0, expanded_query=0x7f085f25bbe0, open_cursor=false, packet=0x0, packet_end=0x0) at /data/src/10.4/sql/sql_prepare.cc:4465
            #31 0x0000564cf31e25f6 in mysql_sql_stmt_execute (thd=0x62b00005b270) at /data/src/10.4/sql/sql_prepare.cc:3566
            #32 0x0000564cf317e6e6 in mysql_execute_command (thd=0x62b00005b270) at /data/src/10.4/sql/sql_parse.cc:3978
            #33 0x0000564cf3199e43 in mysql_parse (thd=0x62b00005b270, rawbuf=0x62b000062290 "EXECUTE stmt", length=12, parser_state=0x7f085f25d810, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:7989
            #34 0x0000564cf3170a16 in dispatch_command (command=COM_QUERY, thd=0x62b00005b270, packet=0x62900023f271 "EXECUTE stmt", packet_length=12, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1855
            #35 0x0000564cf316d4c5 in do_command (thd=0x62b00005b270) at /data/src/10.4/sql/sql_parse.cc:1373
            #36 0x0000564cf35605ed in do_handle_one_connection (connect=0x6110000087b0) at /data/src/10.4/sql/sql_connect.cc:1412
            #37 0x0000564cf355fe91 in handle_one_connection (arg=0x6110000087b0) at /data/src/10.4/sql/sql_connect.cc:1316
            #38 0x0000564cf4c25d75 in pfs_spawn_thread (arg=0x61600000b7f0) at /data/src/10.4/storage/perfschema/pfs.cc:1869
            #39 0x00007f086928d609 in start_thread (arg=<optimized out>) at pthread_create.c:477
            #40 0x00007f0868af8293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
            

Thread pointer: 0x62b00005b270 Attempting backtrace. You can use the following information to find out where mysqld died. If you see no messages after this, something went terribly wrong... stack_bottom = 0x7f085f25e990 thread_stack 0x5fc00 /lib/x86_64-linux-gnu/libasan.so.5(+0x6cd30)[0x7f0869446d30] mysys/stacktrace.c:174(my_print_stacktrace)[0x564cf4d5201a] sql/signal_handler.cc:210(handle_fatal_signal)[0x564cf3978cab] sigaction.c:0(__restore_rt)[0x7f08692993c0] /lib/x86_64-linux-gnu/libc.so.6(gsignal+0xcb)[0x7f0868a1c18b] /lib/x86_64-linux-gnu/libc.so.6(abort+0x12b)[0x7f08689fb859] /lib/x86_64-linux-gnu/libasan.so.5(+0x12b6a2)[0x7f08695056a2] /lib/x86_64-linux-gnu/libasan.so.5(+0x13624c)[0x7f086951024c] /lib/x86_64-linux-gnu/libasan.so.5(+0x1178ec)[0x7f08694f18ec] /lib/x86_64-linux-gnu/libasan.so.5(+0x117363)[0x7f08694f1363] /lib/x86_64-linux-gnu/libasan.so.5(__asan_report_load1+0x3b)[0x7f08694f1e4b] sql/lex_hash.h:7870(get_hash_symbol(char const*, unsigned int, bool))[0x564cf30f57b0] sql/sql_lex.cc:921(is_keyword(char const*, unsigned int))[0x564cf30faf2d] sql/sql_show.cc:1725(get_quote_char_for_identifier(THD*, char const*, unsigned long))[0x564cf332df51] sql/sql_show.cc:1647(append_identifier(THD*, String*, char const*, unsigned long))[0x564cf332db0c] sql/sql_show.h:89(append_identifier(THD*, String*, st_mysql_const_lex_string const*))[0x564cf39c6fac] sql/item.cc:8105(Item_ref::print(String*, enum_query_type))[0x564cf3a0b2e0] sql/item.cc:488(Item::print_parenthesised(String*, enum_query_type, precedence))[0x564cf39cae47] sql/item_func.cc:620(Item_func::print_op(String*, enum_query_type))[0x564cf3ad01b6] sql/item_cmpfunc.h:522(Item_bool_rowready_func2::print(String*, enum_query_type))[0x564cf3a863bf] sql/item.cc:488(Item::print_parenthesised(String*, enum_query_type, precedence))[0x564cf39cae47] sql/item_cmpfunc.cc:5165(Item_cond::print(String*, enum_query_type))[0x564cf3a6f41b] sql/sql_select.cc:27658(st_select_lex::print(THD*, String*, 
enum_query_type))[0x564cf32f8acb] sql/opt_trace.cc:120(opt_trace_print_expanded_query(THD*, st_select_lex*, Json_writer_object*))[0x564cf37496b9] sql/sql_select.cc:1495(JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x564cf322d23f] sql/sql_select.cc:4670(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x564cf324f5dd] sql/sql_select.cc:410(handle_select(THD*, LEX*, select_result*, unsigned long))[0x564cf3220eb0] sql/sql_parse.cc:6443(execute_sqlcom_select(THD*, TABLE_LIST*))[0x564cf3190997] sql/sql_parse.cc:3962(mysql_execute_command(THD*))[0x564cf317e6a1] sql/sql_prepare.cc:4996(Prepared_statement::execute(String*, bool))[0x564cf31ed227] sql/sql_prepare.cc:4465(Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*))[0x564cf31e86e7] sql/sql_prepare.cc:3567(mysql_sql_stmt_execute(THD*))[0x564cf31e25f6] sql/sql_parse.cc:3979(mysql_execute_command(THD*))[0x564cf317e6e6] sql/sql_parse.cc:7989(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x564cf3199e43] sql/sql_parse.cc:1858(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x564cf3170a16] sql/sql_parse.cc:1373(do_command(THD*))[0x564cf316d4c5] sql/sql_connect.cc:1412(do_handle_one_connection(CONNECT*))[0x564cf35605ed] sql/sql_connect.cc:1317(handle_one_connection)[0x564cf355fe91] perfschema/pfs.cc:1871(pfs_spawn_thread)[0x564cf4c25d75] nptl/pthread_create.c:478(start_thread)[0x7f086928d609] /lib/x86_64-linux-gnu/libc.so.6(clone+0x43)[0x7f0868af8293]   Trying to get some variables. Some pointers may be invalid and cause the dump to abort. 
Query (0x62b000062328): SELECT tbl.x509_subject AS fld FROM mysql.user AS tbl GROUP BY fld HAVING 0 AND fld != 1   Connection ID (thread ID): 4 Status: NOT_KILLED   Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on   The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains information that should help you find out what is causing the crash. Writing a core file... 
Working directory at /dev/shm/var_auto_hdYz/mysqld.1/data Resource Limits: Limit Soft Limit Hard Limit Units Max cpu time unlimited unlimited seconds Max file size unlimited unlimited bytes Max data size unlimited unlimited bytes Max stack size 8388608 unlimited bytes Max core file size unlimited unlimited bytes Max resident set unlimited unlimited bytes Max processes 385874 385874 processes Max open files 1024 1024 files Max locked memory 67108864 67108864 bytes Max address space unlimited unlimited bytes Max file locks unlimited unlimited locks Max pending signals 385874 385874 signals Max msgqueue size 819200 819200 bytes Max nice priority 0 0 Max realtime priority 0 0 Max realtime timeout unlimited unlimited us Core pattern: |/usr/share/apport/apport %p %s %c %d %P %E   ----------SERVER LOG END-------------     - found 'core' (0/5)   Trying 'dbx' to get a backtrace   Trying 'gdb' to get a backtrace from coredump /mnt-hd8t/bld/10.4-asan-nightly/mysql-test/var/log/bug.hash2/mysqld.1/data/core Core generated by '/mnt-hd8t/bld/10.4-asan-nightly/bin/mysqld' Output from gdb follows. The first stack trace is from the failing thread. The following stack traces are from all threads (so the failing one is duplicated). -------------------------- [New LWP 3144501] [New LWP 3144494] [New LWP 3144495] [New LWP 3144498] [New LWP 3144496] [New LWP 3144497] [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Core was generated by `/mnt-hd8t/bld/10.4-asan-nightly/bin/mysqld --defaults-group-suffix=.1 --default'. Program terminated with signal SIGABRT, Aborted. #0 __pthread_kill (threadid=<optimized out>, signo=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56 56 ../sysdeps/unix/sysv/linux/pthread_kill.c: No such file or directory. 
[Current thread is 1 (Thread 0x7f085f25f300 (LWP 3144501))] #0 __pthread_kill (threadid=<optimized out>, signo=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56 #1 0x0000564cf4d5219c in my_write_core (sig=6) at /data/src/10.4/mysys/stacktrace.c:386 #2 0x0000564cf39792a2 in handle_fatal_signal (sig=6) at /data/src/10.4/sql/signal_handler.cc:344 #3 <signal handler called> #4 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 #5 0x00007f08689fb859 in __GI_abort () at abort.c:79 #6 0x00007f08695056a2 in ?? () from /lib/x86_64-linux-gnu/libasan.so.5 #7 0x00007f086951024c in ?? () from /lib/x86_64-linux-gnu/libasan.so.5 #8 0x00007f08694f18ec in ?? () from /lib/x86_64-linux-gnu/libasan.so.5 #9 0x00007f08694f1363 in ?? () from /lib/x86_64-linux-gnu/libasan.so.5 #10 0x00007f08694f1e4b in __asan_report_load1 () from /lib/x86_64-linux-gnu/libasan.so.5 #11 0x0000564cf30f57b0 in get_hash_symbol (s=0x62b0000652e0 "fld", len=3, function=false) at /dev/shm/tmp_build/sql/lex_hash.h:7870 #12 0x0000564cf30faf2d in is_keyword (name=0x62b0000652e0 "fld", len=3) at /data/src/10.4/sql/sql_lex.cc:921 #13 0x0000564cf332df51 in get_quote_char_for_identifier (thd=0x62b00005b270, name=0x62b0000652e0 "fld", length=3) at /data/src/10.4/sql/sql_show.cc:1725 #14 0x0000564cf332db0c in append_identifier (thd=0x62b00005b270, packet=0x7f085f258f30, name=0x62b0000652e0 "fld", length=3) at /data/src/10.4/sql/sql_show.cc:1647 #15 0x0000564cf39c6fac in append_identifier (thd=0x62b00005b270, packet=0x7f085f258f30, name=0x62d0001af670) at /data/src/10.4/sql/sql_show.h:88 #16 0x0000564cf3a0b2e0 in Item_ref::print (this=0x62b00008eed8, str=0x7f085f258f30, query_type=1037) at /data/src/10.4/sql/item.cc:8098 #17 0x0000564cf39cae47 in Item::print_parenthesised (this=0x62b00008eed8, str=0x7f085f258f30, query_type=1037, parent_prec=CMP_PRECEDENCE) at /data/src/10.4/sql/item.cc:487 #18 0x0000564cf3ad01b6 in Item_func::print_op (this=0x62b00008f088, str=0x7f085f258f30, query_type=1037) at 
/data/src/10.4/sql/item_func.cc:619 #19 0x0000564cf3a863bf in Item_bool_rowready_func2::print (this=0x62b00008f088, str=0x7f085f258f30, query_type=1037) at /data/src/10.4/sql/item_cmpfunc.h:521 #20 0x0000564cf39cae47 in Item::print_parenthesised (this=0x62b00008f088, str=0x7f085f258f30, query_type=1037, parent_prec=AND_PRECEDENCE) at /data/src/10.4/sql/item.cc:487 #21 0x0000564cf3a6f41b in Item_cond::print (this=0x62b0000623e0, str=0x7f085f258f30, query_type=1037) at /data/src/10.4/sql/item_cmpfunc.cc:5170 #22 0x0000564cf32f8acb in st_select_lex::print (this=0x62b00008df30, thd=0x62b00005b270, str=0x7f085f258f30, query_type=1037) at /data/src/10.4/sql/sql_select.cc:27658 #23 0x0000564cf37496b9 in opt_trace_print_expanded_query (thd=0x62b00005b270, select_lex=0x62b00008df30, writer=0x7f085f259650) at /data/src/10.4/sql/opt_trace.cc:115 #24 0x0000564cf322d23f in JOIN::prepare (this=0x62b000062648, tables_init=0x62b00008e5b8, wild_num=0, conds_init=0x0, og_num=1, order_init=0x0, skip_order_by=false, group_init=0x62b00008edc0, having_init=0x62b0000623e0, proc_param_init=0x0, select_lex_arg=0x62b00008df30, unit_arg=0x62b00008c360) at /data/src/10.4/sql/sql_select.cc:1496 #25 0x0000564cf324f5dd in mysql_select (thd=0x62b00005b270, tables=0x62b00008e5b8, wild_num=0, fields=..., conds=0x0, og_num=1, order=0x0, group=0x62b00008edc0, having=0x62b0000623e0, proc_param=0x0, select_options=2416184064, result=0x62b00008fc48, unit=0x62b00008c360, select_lex=0x62b00008df30) at /data/src/10.4/sql/sql_select.cc:4670 #26 0x0000564cf3220eb0 in handle_select (thd=0x62b00005b270, lex=0x62b00008c2a0, result=0x62b00008fc48, setup_tables_done_option=0) at /data/src/10.4/sql/sql_select.cc:410 #27 0x0000564cf3190997 in execute_sqlcom_select (thd=0x62b00005b270, all_tables=0x62b00008e5b8) at /data/src/10.4/sql/sql_parse.cc:6443 #28 0x0000564cf317e6a1 in mysql_execute_command (thd=0x62b00005b270) at /data/src/10.4/sql/sql_parse.cc:3962 #29 0x0000564cf31ed227 in Prepared_statement::execute 
(this=0x61900008a2f0, expanded_query=0x7f085f25bbe0, open_cursor=false) at /data/src/10.4/sql/sql_prepare.cc:4996 #30 0x0000564cf31e86e7 in Prepared_statement::execute_loop (this=0x61900008a2f0, expanded_query=0x7f085f25bbe0, open_cursor=false, packet=0x0, packet_end=0x0) at /data/src/10.4/sql/sql_prepare.cc:4465 #31 0x0000564cf31e25f6 in mysql_sql_stmt_execute (thd=0x62b00005b270) at /data/src/10.4/sql/sql_prepare.cc:3566 #32 0x0000564cf317e6e6 in mysql_execute_command (thd=0x62b00005b270) at /data/src/10.4/sql/sql_parse.cc:3978 #33 0x0000564cf3199e43 in mysql_parse (thd=0x62b00005b270, rawbuf=0x62b000062290 "EXECUTE stmt", length=12, parser_state=0x7f085f25d810, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:7989 #34 0x0000564cf3170a16 in dispatch_command (command=COM_QUERY, thd=0x62b00005b270, packet=0x62900023f271 "EXECUTE stmt", packet_length=12, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1855 #35 0x0000564cf316d4c5 in do_command (thd=0x62b00005b270) at /data/src/10.4/sql/sql_parse.cc:1373 #36 0x0000564cf35605ed in do_handle_one_connection (connect=0x6110000087b0) at /data/src/10.4/sql/sql_connect.cc:1412 #37 0x0000564cf355fe91 in handle_one_connection (arg=0x6110000087b0) at /data/src/10.4/sql/sql_connect.cc:1316 #38 0x0000564cf4c25d75 in pfs_spawn_thread (arg=0x61600000b7f0) at /data/src/10.4/storage/perfschema/pfs.cc:1869 #39 0x00007f086928d609 in start_thread (arg=<optimized out>) at pthread_create.c:477 #40 0x00007f0868af8293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95   Thread 6 (Thread 0x7f085f36f300 (LWP 3144497)): #0 0x00007f0868a1d322 in __GI___sigtimedwait (set=0x7f085f36e930, info=0x7f085f36e760, timeout=0x0) at ../sysdeps/unix/sysv/linux/sigtimedwait.c:29 #1 0x00007f0869461111 in ?? 
() from /lib/x86_64-linux-gnu/libasan.so.5 #2 0x0000564cf2e74e69 in my_sigwait (set=0x7f085f36e930, sig=0x7f085f36e8a0, code=0x7f085f36e8b0) at /data/src/10.4/include/my_pthread.h:196 #3 0x0000564cf2e84ac8 in signal_hand (arg=0x0) at /data/src/10.4/sql/mysqld.cc:3224 #4 0x0000564cf4c25d75 in pfs_spawn_thread (arg=0x6160000087f0) at /data/src/10.4/storage/perfschema/pfs.cc:1869 #5 0x00007f086928d609 in start_thread (arg=<optimized out>) at pthread_create.c:477 #6 0x00007f0868af8293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95   Thread 5 (Thread 0x7f085fb96700 (LWP 3144496)): #0 futex_abstimed_wait_cancelable (private=<optimized out>, abstime=0x7f085fb95c80, clockid=<optimized out>, expected=0, futex_word=0x564cf707dac8 <COND_checkpoint+40>) at ../sysdeps/nptl/futex-internal.h:320 #1 __pthread_cond_wait_common (abstime=0x7f085fb95c80, clockid=<optimized out>, mutex=0x564cf707d9e8 <LOCK_checkpoint+40>, cond=0x564cf707daa0 <COND_checkpoint>) at pthread_cond_wait.c:520 #2 __pthread_cond_timedwait (cond=0x564cf707daa0 <COND_checkpoint>, mutex=0x564cf707d9e8 <LOCK_checkpoint+40>, abstime=0x7f085fb95c80) at pthread_cond_wait.c:656 #3 0x0000564cf4d60c9c in safe_cond_timedwait (cond=0x564cf707daa0 <COND_checkpoint>, mp=0x564cf707d9c0 <LOCK_checkpoint>, abstime=0x7f085fb95c80, file=0x564cf5846120 "/data/src/10.4/include/mysql/psi/mysql_thread.h", line=1211) at /data/src/10.4/mysys/thr_mutex.c:546 #4 0x0000564cf48d0933 in inline_mysql_cond_timedwait (that=0x564cf707daa0 <COND_checkpoint>, mutex=0x564cf707d9c0 <LOCK_checkpoint>, abstime=0x7f085fb95c80, src_file=0x564cf58461a0 "/data/src/10.4/storage/maria/ma_servicethread.c", src_line=115) at /data/src/10.4/include/mysql/psi/mysql_thread.h:1211 #5 0x0000564cf48d180e in my_service_thread_sleep (control=0x564cf64c2e20 <checkpoint_control>, sleep_time=29000000000) at /data/src/10.4/storage/maria/ma_servicethread.c:115 #6 0x0000564cf48b32f2 in ma_checkpoint_background (arg=0x1e) at 
/data/src/10.4/storage/maria/ma_checkpoint.c:707 #7 0x0000564cf4c25d75 in pfs_spawn_thread (arg=0x6160000066f0) at /data/src/10.4/storage/perfschema/pfs.cc:1869 #8 0x00007f086928d609 in start_thread (arg=<optimized out>) at pthread_create.c:477 #9 0x00007f0868af8293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95   Thread 4 (Thread 0x7f085f2d7300 (LWP 3144498)): #0 futex_wait_cancelable (private=<optimized out>, expected=0, futex_word=0x564cf67ae348 <COND_manager+40>) at ../sysdeps/nptl/futex-internal.h:183 #1 __pthread_cond_wait_common (abstime=0x0, clockid=0, mutex=0x564cf67ae268 <LOCK_manager+40>, cond=0x564cf67ae320 <COND_manager>) at pthread_cond_wait.c:508 #2 __pthread_cond_wait (cond=0x564cf67ae320 <COND_manager>, mutex=0x564cf67ae268 <LOCK_manager+40>) at pthread_cond_wait.c:638 #3 0x0000564cf4d60363 in safe_cond_wait (cond=0x564cf67ae320 <COND_manager>, mp=0x564cf67ae240 <LOCK_manager>, file=0x564cf4fb25a0 "/data/src/10.4/include/mysql/psi/mysql_thread.h", line=1174) at /data/src/10.4/mysys/thr_mutex.c:492 #4 0x0000564cf3162532 in inline_mysql_cond_wait (that=0x564cf67ae320 <COND_manager>, mutex=0x564cf67ae240 <LOCK_manager>, src_file=0x564cf4fb2fe0 "/data/src/10.4/sql/sql_manager.cc", src_line=102) at /data/src/10.4/include/mysql/psi/mysql_thread.h:1174 #5 0x0000564cf3163018 in handle_manager (arg=0x0) at /data/src/10.4/sql/sql_manager.cc:102 #6 0x0000564cf4c25d75 in pfs_spawn_thread (arg=0x616000009ff0) at /data/src/10.4/storage/perfschema/pfs.cc:1869 #7 0x00007f086928d609 in start_thread (arg=<optimized out>) at pthread_create.c:477 #8 0x00007f0868af8293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95   Thread 3 (Thread 0x7f08612b0700 (LWP 3144495)): #0 futex_abstimed_wait_cancelable (private=<optimized out>, abstime=0x7f08612afdd0, clockid=<optimized out>, expected=0, futex_word=0x564cf70a43c8 <COND_timer+40>) at ../sysdeps/nptl/futex-internal.h:320 #1 __pthread_cond_wait_common (abstime=0x7f08612afdd0, clockid=<optimized out>, 
mutex=0x564cf70a42e8 <LOCK_timer+40>, cond=0x564cf70a43a0 <COND_timer>) at pthread_cond_wait.c:520 #2 __pthread_cond_timedwait (cond=0x564cf70a43a0 <COND_timer>, mutex=0x564cf70a42e8 <LOCK_timer+40>, abstime=0x7f08612afdd0) at pthread_cond_wait.c:656 #3 0x0000564cf4d60c9c in safe_cond_timedwait (cond=0x564cf70a43a0 <COND_timer>, mp=0x564cf70a42c0 <LOCK_timer>, abstime=0x7f08612afdd0, file=0x564cf5940520 "/data/src/10.4/include/mysql/psi/mysql_thread.h", line=1211) at /data/src/10.4/mysys/thr_mutex.c:546 #4 0x0000564cf4d63ae9 in inline_mysql_cond_timedwait (that=0x564cf70a43a0 <COND_timer>, mutex=0x564cf70a42c0 <LOCK_timer>, abstime=0x7f08612afdd0, src_file=0x564cf59405c0 "/data/src/10.4/mysys/thr_timer.c", src_line=292) at /data/src/10.4/include/mysql/psi/mysql_thread.h:1211 #5 0x0000564cf4d65a6d in timer_handler (arg=0x0) at /data/src/10.4/mysys/thr_timer.c:292 #6 0x0000564cf4c25d75 in pfs_spawn_thread (arg=0x616000001ef0) at /data/src/10.4/storage/perfschema/pfs.cc:1869 #7 0x00007f086928d609 in start_thread (arg=<optimized out>) at pthread_create.c:477 #8 0x00007f0868af8293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95   Thread 2 (Thread 0x7f08689c8480 (LWP 3144494)): #0 0x00007f0868aebaff in __GI___poll (fds=0x7ffc109a6030, nfds=2, timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:29 #1 0x00007f08694165ba in poll () from /lib/x86_64-linux-gnu/libasan.so.5 #2 0x0000564cf2e8fc1e in handle_connections_sockets () at /data/src/10.4/sql/mysqld.cc:6465 #3 0x0000564cf2e8df49 in mysqld_main (argc=<error reading variable: Cannot access memory at address 0x3d60>, argv=<error reading variable: Cannot access memory at address 0x3d70>) at /data/src/10.4/sql/mysqld.cc:5901 #4 0x0000564cf2e74d6d in main (argc=6, argv=0x7ffc109a6478) at /data/src/10.4/sql/main.cc:25   Thread 1 (Thread 0x7f085f25f300 (LWP 3144501)): #0 __pthread_kill (threadid=<optimized out>, signo=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56 #1 0x0000564cf4d5219c in my_write_core (sig=6) at 
/data/src/10.4/mysys/stacktrace.c:386 #2 0x0000564cf39792a2 in handle_fatal_signal (sig=6) at /data/src/10.4/sql/signal_handler.cc:344 #3 <signal handler called> #4 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 #5 0x00007f08689fb859 in __GI_abort () at abort.c:79 #6 0x00007f08695056a2 in ?? () from /lib/x86_64-linux-gnu/libasan.so.5 #7 0x00007f086951024c in ?? () from /lib/x86_64-linux-gnu/libasan.so.5 #8 0x00007f08694f18ec in ?? () from /lib/x86_64-linux-gnu/libasan.so.5 #9 0x00007f08694f1363 in ?? () from /lib/x86_64-linux-gnu/libasan.so.5 #10 0x00007f08694f1e4b in __asan_report_load1 () from /lib/x86_64-linux-gnu/libasan.so.5 #11 0x0000564cf30f57b0 in get_hash_symbol (s=0x62b0000652e0 "fld", len=3, function=false) at /dev/shm/tmp_build/sql/lex_hash.h:7870 #12 0x0000564cf30faf2d in is_keyword (name=0x62b0000652e0 "fld", len=3) at /data/src/10.4/sql/sql_lex.cc:921 #13 0x0000564cf332df51 in get_quote_char_for_identifier (thd=0x62b00005b270, name=0x62b0000652e0 "fld", length=3) at /data/src/10.4/sql/sql_show.cc:1725 #14 0x0000564cf332db0c in append_identifier (thd=0x62b00005b270, packet=0x7f085f258f30, name=0x62b0000652e0 "fld", length=3) at /data/src/10.4/sql/sql_show.cc:1647 #15 0x0000564cf39c6fac in append_identifier (thd=0x62b00005b270, packet=0x7f085f258f30, name=0x62d0001af670) at /data/src/10.4/sql/sql_show.h:88 #16 0x0000564cf3a0b2e0 in Item_ref::print (this=0x62b00008eed8, str=0x7f085f258f30, query_type=1037) at /data/src/10.4/sql/item.cc:8098 #17 0x0000564cf39cae47 in Item::print_parenthesised (this=0x62b00008eed8, str=0x7f085f258f30, query_type=1037, parent_prec=CMP_PRECEDENCE) at /data/src/10.4/sql/item.cc:487 #18 0x0000564cf3ad01b6 in Item_func::print_op (this=0x62b00008f088, str=0x7f085f258f30, query_type=1037) at /data/src/10.4/sql/item_func.cc:619 #19 0x0000564cf3a863bf in Item_bool_rowready_func2::print (this=0x62b00008f088, str=0x7f085f258f30, query_type=1037) at /data/src/10.4/sql/item_cmpfunc.h:521 #20 0x0000564cf39cae47 
in Item::print_parenthesised (this=0x62b00008f088, str=0x7f085f258f30, query_type=1037, parent_prec=AND_PRECEDENCE) at /data/src/10.4/sql/item.cc:487 #21 0x0000564cf3a6f41b in Item_cond::print (this=0x62b0000623e0, str=0x7f085f258f30, query_type=1037) at /data/src/10.4/sql/item_cmpfunc.cc:5170 #22 0x0000564cf32f8acb in st_select_lex::print (this=0x62b00008df30, thd=0x62b00005b270, str=0x7f085f258f30, query_type=1037) at /data/src/10.4/sql/sql_select.cc:27658 #23 0x0000564cf37496b9 in opt_trace_print_expanded_query (thd=0x62b00005b270, select_lex=0x62b00008df30, writer=0x7f085f259650) at /data/src/10.4/sql/opt_trace.cc:115 #24 0x0000564cf322d23f in JOIN::prepare (this=0x62b000062648, tables_init=0x62b00008e5b8, wild_num=0, conds_init=0x0, og_num=1, order_init=0x0, skip_order_by=false, group_init=0x62b00008edc0, having_init=0x62b0000623e0, proc_param_init=0x0, select_lex_arg=0x62b00008df30, unit_arg=0x62b00008c360) at /data/src/10.4/sql/sql_select.cc:1496 #25 0x0000564cf324f5dd in mysql_select (thd=0x62b00005b270, tables=0x62b00008e5b8, wild_num=0, fields=..., conds=0x0, og_num=1, order=0x0, group=0x62b00008edc0, having=0x62b0000623e0, proc_param=0x0, select_options=2416184064, result=0x62b00008fc48, unit=0x62b00008c360, select_lex=0x62b00008df30) at /data/src/10.4/sql/sql_select.cc:4670 #26 0x0000564cf3220eb0 in handle_select (thd=0x62b00005b270, lex=0x62b00008c2a0, result=0x62b00008fc48, setup_tables_done_option=0) at /data/src/10.4/sql/sql_select.cc:410 #27 0x0000564cf3190997 in execute_sqlcom_select (thd=0x62b00005b270, all_tables=0x62b00008e5b8) at /data/src/10.4/sql/sql_parse.cc:6443 #28 0x0000564cf317e6a1 in mysql_execute_command (thd=0x62b00005b270) at /data/src/10.4/sql/sql_parse.cc:3962 #29 0x0000564cf31ed227 in Prepared_statement::execute (this=0x61900008a2f0, expanded_query=0x7f085f25bbe0, open_cursor=false) at /data/src/10.4/sql/sql_prepare.cc:4996 #30 0x0000564cf31e86e7 in Prepared_statement::execute_loop (this=0x61900008a2f0, 
expanded_query=0x7f085f25bbe0, open_cursor=false, packet=0x0, packet_end=0x0) at /data/src/10.4/sql/sql_prepare.cc:4465 #31 0x0000564cf31e25f6 in mysql_sql_stmt_execute (thd=0x62b00005b270) at /data/src/10.4/sql/sql_prepare.cc:3566 #32 0x0000564cf317e6e6 in mysql_execute_command (thd=0x62b00005b270) at /data/src/10.4/sql/sql_parse.cc:3978 #33 0x0000564cf3199e43 in mysql_parse (thd=0x62b00005b270, rawbuf=0x62b000062290 "EXECUTE stmt", length=12, parser_state=0x7f085f25d810, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:7989 #34 0x0000564cf3170a16 in dispatch_command (command=COM_QUERY, thd=0x62b00005b270, packet=0x62900023f271 "EXECUTE stmt", packet_length=12, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1855 #35 0x0000564cf316d4c5 in do_command (thd=0x62b00005b270) at /data/src/10.4/sql/sql_parse.cc:1373 #36 0x0000564cf35605ed in do_handle_one_connection (connect=0x6110000087b0) at /data/src/10.4/sql/sql_connect.cc:1412 #37 0x0000564cf355fe91 in handle_one_connection (arg=0x6110000087b0) at /data/src/10.4/sql/sql_connect.cc:1316 #38 0x0000564cf4c25d75 in pfs_spawn_thread (arg=0x61600000b7f0) at /data/src/10.4/storage/perfschema/pfs.cc:1869 #39 0x00007f086928d609 in start_thread (arg=<optimized out>) at pthread_create.c:477 #40 0x00007f0868af8293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

            Yet another one, started happening recently on 10.5+, before that it looked more like the previous comment

            CREATE TABLE t (f INT);
            SET optimizer_trace = 'enabled=on';
            CREATE ALGORITHM = MERGE VIEW v1 AS SELECT f FROM t;
            CREATE VIEW v2 AS (SELECT f FROM v1) UNION (SELECT f FROM t);
            PREPARE stmt FROM "SELECT f FROM v2 WHERE f <> 'v'";
            EXECUTE stmt;
            EXECUTE stmt;
            

            10.5 a8ded395

            ==1939161==ERROR: AddressSanitizer: use-after-poison on address 0x62b0000399a8 at pc 0x55f56a743604 bp 0x7f845c67a210 sp 0x7f845c67a200
            READ of size 1 at 0x62b0000399a8 thread T5
                #0 0x55f56a743603 in check_column_name(char const*) /data/src/10.5/sql/table.cc:4981
                #1 0x55f56a569f81 in st_select_lex::print(THD*, String*, enum_query_type) /data/src/10.5/sql/sql_select.cc:28007
                #2 0x55f56aa320a5 in opt_trace_print_expanded_query(THD*, st_select_lex*, Json_writer_object*) /data/src/10.5/sql/opt_trace.cc:118
                #3 0x55f56a49b76d in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.5/sql/sql_select.cc:1540
                #4 0x55f56a6d4e2c in st_select_lex_unit::prepare_join(THD*, st_select_lex*, select_result*, unsigned long long, bool) /data/src/10.5/sql/sql_union.cc:1089
                #5 0x55f56a6d9640 in st_select_lex_unit::prepare(TABLE_LIST*, select_result*, unsigned long long) /data/src/10.5/sql/sql_union.cc:1562
                #6 0x55f56a301e6a in mysql_derived_prepare /data/src/10.5/sql/sql_derived.cc:839
                #7 0x55f56a2fdf7a in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /data/src/10.5/sql/sql_derived.cc:200
                #8 0x55f56a764ce8 in TABLE_LIST::handle_derived(LEX*, unsigned int) /data/src/10.5/sql/table.cc:9167
                #9 0x55f56a347ab5 in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /data/src/10.5/sql/sql_lex.h:4440
                #10 0x55f56a36dfa0 in st_select_lex::handle_derived(LEX*, unsigned int) /data/src/10.5/sql/sql_lex.cc:4932
                #11 0x55f56a49705c in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.5/sql/sql_select.cc:1197
                #12 0x55f56a4bd9e8 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.5/sql/sql_select.cc:4749
                #13 0x55f56a48f15e in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.5/sql/sql_select.cc:444
                #14 0x55f56a3f74cc in execute_sqlcom_select /data/src/10.5/sql/sql_parse.cc:6314
                #15 0x55f56a3e646d in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:4005
                #16 0x55f56a45749d in Prepared_statement::execute(String*, bool) /data/src/10.5/sql/sql_prepare.cc:5065
                #17 0x55f56a4527b6 in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.5/sql/sql_prepare.cc:4509
                #18 0x55f56a44c16d in mysql_sql_stmt_execute(THD*) /data/src/10.5/sql/sql_prepare.cc:3580
                #19 0x55f56a3e64b2 in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:4021
                #20 0x55f56a402825 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.5/sql/sql_parse.cc:8100
                #21 0x55f56a3d86e6 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5/sql/sql_parse.cc:1891
                #22 0x55f56a3d5025 in do_command(THD*) /data/src/10.5/sql/sql_parse.cc:1370
                #23 0x55f56a81f526 in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1418
                #24 0x55f56a81ed3f in handle_one_connection /data/src/10.5/sql/sql_connect.cc:1312
                #25 0x55f56b48a3b0 in pfs_spawn_thread /data/src/10.5/storage/perfschema/pfs.cc:2201
                #26 0x7f8465fdd608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
                #27 0x7f8465bb0292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
             
            0x62b0000399a8 is located 6056 bytes inside of 24740-byte region [0x62b000038200,0x62b00003e2a4)
            allocated by thread T5 here:
                #0 0x7f84666a6bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
                #1 0x55f56c14092d in sf_malloc /data/src/10.5/mysys/safemalloc.c:121
                #2 0x55f56c10e13d in my_malloc /data/src/10.5/mysys/my_malloc.c:90
                #3 0x55f56c0e9699 in reset_root_defaults /data/src/10.5/mysys/my_alloc.c:148
                #4 0x55f56a2af118 in THD::init_for_queries() /data/src/10.5/sql/sql_class.cc:1401
                #5 0x55f56a81e674 in prepare_new_connection_state(THD*) /data/src/10.5/sql/sql_connect.cc:1240
                #6 0x55f56a81edbe in thd_prepare_connection(THD*) /data/src/10.5/sql/sql_connect.cc:1333
                #7 0x55f56a81f451 in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1408
                #8 0x55f56a81ed3f in handle_one_connection /data/src/10.5/sql/sql_connect.cc:1312
                #9 0x55f56b48a3b0 in pfs_spawn_thread /data/src/10.5/storage/perfschema/pfs.cc:2201
                #10 0x7f8465fdd608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
             
            Thread T5 created by T0 here:
                #0 0x7f84665d3805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
                #1 0x55f56b48535e in my_thread_create /data/src/10.5/storage/perfschema/my_thread.h:48
                #2 0x55f56b48a7a3 in pfs_spawn_thread_v1 /data/src/10.5/storage/perfschema/pfs.cc:2252
                #3 0x55f56a0c5652 in inline_mysql_thread_create /data/src/10.5/include/mysql/psi/mysql_thread.h:1323
                #4 0x55f56a0db991 in create_thread_to_handle_connection(CONNECT*) /data/src/10.5/sql/mysqld.cc:6010
                #5 0x55f56a0dc010 in create_new_thread(CONNECT*) /data/src/10.5/sql/mysqld.cc:6069
                #6 0x55f56a0dc36d in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.5/sql/mysqld.cc:6134
                #7 0x55f56a0dcfbf in handle_connections_sockets() /data/src/10.5/sql/mysqld.cc:6261
                #8 0x55f56a0db18d in mysqld_main(int, char**) /data/src/10.5/sql/mysqld.cc:5656
                #9 0x55f56a0c411c in main /data/src/10.5/sql/main.cc:25
                #10 0x7f8465ab50b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
             
            SUMMARY: AddressSanitizer: use-after-poison /data/src/10.5/sql/table.cc:4981 in check_column_name(char const*)
            Shadow bytes around the buggy address:
              0x0c567ffff2e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c567ffff2f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c567ffff300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c567ffff310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c567ffff320: 00 00 00 00 00 f7 00 00 f7 f7 f7 f7 f7 f7 f7 f7
            =>0x0c567ffff330: f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c567ffff340: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c567ffff350: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c567ffff360: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c567ffff370: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c567ffff380: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable:           00
              Partially addressable: 01 02 03 04 05 06 07 
              Heap left redzone:       fa
              Freed heap region:       fd
              Stack left redzone:      f1
              Stack mid redzone:       f2
              Stack right redzone:     f3
              Stack after return:      f5
              Stack use after scope:   f8
              Global redzone:          f9
              Global init order:       f6
              Poisoned by user:        f7
              Container overflow:      fc
              Array cookie:            ac
              Intra object redzone:    bb
              ASan internal:           fe
              Left alloca redzone:     ca
              Right alloca redzone:    cb
              Shadow gap:              cc
            ==1939161==ABORTING
            

            elenst Elena Stepanova added a comment -

            One with CTE and corresponding differences in the stack trace:

            CREATE TABLE t (a INT);
            SET SESSION optimizer_trace = 'enabled=on';
            PREPARE stmt FROM 'SELECT STRAIGHT_JOIN * FROM t WHERE a IN (WITH cte AS (SELECT a FROM t) SELECT * FROM cte)';
            EXECUTE stmt;
            EXECUTE stmt;
             
            # Cleanup
            DROP TABLE t;
            

            10.4 9a0cbd31

            ==1133266==ERROR: AddressSanitizer: use-after-poison on address 0x62b000063428 at pc 0x55662c4c2dfe bp 0x7fe5598e7cd0 sp 0x7fe5598e7cc8
            READ of size 1 at 0x62b000063428 thread T5
                #0 0x55662c4c2dfd in st_select_lex::print(THD*, String*, enum_query_type) /data/src/10.4/sql/sql_select.cc:27719
                #1 0x55662c2f79a6 in st_select_lex_unit::print(String*, enum_query_type) /data/src/10.4/sql/sql_lex.cc:3064
                #2 0x55662c88dd16 in With_element::print(String*, enum_query_type) /data/src/10.4/sql/sql_cte.cc:1656
                #3 0x55662c88e855 in With_clause::print(String*, enum_query_type) /data/src/10.4/sql/sql_cte.cc:1618
                #4 0x55662ccd7717 in subselect_single_select_engine::print(String*, enum_query_type) /data/src/10.4/sql/item_subselect.cc:4566
                #5 0x55662ccdc682 in Item_subselect::print(String*, enum_query_type) /data/src/10.4/sql/item_subselect.cc:1057
                #6 0x55662cbb788f in Item_func::print_args(String*, unsigned int, enum_query_type) /data/src/10.4/sql/item_func.cc:610
                #7 0x55662cbb7b51 in Item_func::print(String*, enum_query_type) /data/src/10.4/sql/item_func.cc:599
                #8 0x55662c4c1db4 in st_select_lex::print(THD*, String*, enum_query_type) /data/src/10.4/sql/sql_select.cc:27831
                #9 0x55662c8b314c in opt_trace_print_expanded_query(THD*, st_select_lex*, Json_writer_object*) /data/src/10.4/sql/opt_trace.cc:115
                #10 0x55662c4a3456 in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.4/sql/sql_select.cc:1536
                #11 0x55662c4e448a in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4729
                #12 0x55662c4e5328 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:436
                #13 0x55662c362f5f in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6449
                #14 0x55662c389195 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3963
                #15 0x55662c3d1b48 in Prepared_statement::execute(String*, bool) /data/src/10.4/sql/sql_prepare.cc:5024
                #16 0x55662c3d228e in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.4/sql/sql_prepare.cc:4493
                #17 0x55662c3d2f36 in mysql_sql_stmt_execute(THD*) /data/src/10.4/sql/sql_prepare.cc:3577
                #18 0x55662c383526 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3979
                #19 0x55662c3915ee in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7995
                #20 0x55662c3985ba in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
                #21 0x55662c39d248 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378
                #22 0x55662c6ec918 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1420
                #23 0x55662c6ecdda in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
                #24 0x55662d25bc64 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
                #25 0x7fe5633acea6 in start_thread nptl/pthread_create.c:477
                #26 0x7fe562fa9dee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfddee)
             
            0x62b000063428 is located 4648 bytes inside of 24608-byte region [0x62b000062200,0x62b000068220)
            allocated by thread T5 here:
                #0 0x7fe56391be8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
                #1 0x55662dad9d72 in my_malloc /data/src/10.4/mysys/my_malloc.c:101
                #2 0x55662dac5f1c in reset_root_defaults /data/src/10.4/mysys/my_alloc.c:152
                #3 0x55662c264ce3 in THD::init_for_queries() /data/src/10.4/sql/sql_class.cc:1382
                #4 0x55662c6eaf13 in prepare_new_connection_state(THD*) /data/src/10.4/sql/sql_connect.cc:1247
                #5 0x55662c6eb977 in thd_prepare_connection(THD*) /data/src/10.4/sql/sql_connect.cc:1331
                #6 0x55662c6eb977 in thd_prepare_connection(THD*) /data/src/10.4/sql/sql_connect.cc:1320
                #7 0x55662c6ec8ca in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1410
                #8 0x55662c6ecdda in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
                #9 0x55662d25bc64 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
                #10 0x7fe5633acea6 in start_thread nptl/pthread_create.c:477
             
            Thread T5 created by T0 here:
                #0 0x7fe5638c72a2 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:214
                #1 0x55662d2602ba in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919
                #2 0x55662c10618b in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275
                #3 0x55662c10618b in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6282
                #4 0x55662c1123af in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6352
                #5 0x55662c1129ea in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6450
                #6 0x55662c113af9 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6608
                #7 0x55662c115562 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5940
                #8 0x7fe562ed2d09 in __libc_start_main ../csu/libc-start.c:308
             
            SUMMARY: AddressSanitizer: use-after-poison /data/src/10.4/sql/sql_select.cc:27719 in st_select_lex::print(THD*, String*, enum_query_type)
            Shadow bytes around the buggy address:
              0x0c5680004630: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c5680004640: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c5680004650: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c5680004660: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c5680004670: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
            =>0x0c5680004680: f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c5680004690: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c56800046a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c56800046b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c56800046c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c56800046d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable:           00
              Partially addressable: 01 02 03 04 05 06 07 
              Heap left redzone:       fa
              Freed heap region:       fd
              Stack left redzone:      f1
              Stack mid redzone:       f2
              Stack right redzone:     f3
              Stack after return:      f5
              Stack use after scope:   f8
              Global redzone:          f9
              Global init order:       f6
              Poisoned by user:        f7
              Container overflow:      fc
              Array cookie:            ac
              Intra object redzone:    bb
              ASan internal:           fe
              Left alloca redzone:     ca
              Right alloca redzone:    cb
              Shadow gap:              cc
            ==1133266==ABORTING
            

            Gosselin Dave Gosselin added a comment - - edited

            The condition from the description of this ticket reproduces in 10.4.34 but not in 10.5 (git sha 82fd202fa4c417a0be4f09028dfdc88f8d902130). A simple git bisect should show us where it was fixed and then we can mark this ticket closed as a duplicate.

            The cases in this comment and this comment repro on 10.5. They are distinct from the present ticket and have been filed as MDEV-35815 and MDEV-35816, respectively.
            The case in comment does not repro on 10.5.


            psergei Sergei Petrunia added a comment -

            Note that the problem happens on second execution only.
            The problem is in JOIN::prepare().
            Optimizer trace is only necessary to trigger this as it prints the query.
            Gosselin Dave Gosselin added a comment -

            Cannot reproduce the issue in the 'Description' field on 10.11. As mentioned in an earlier comment, I filed separate tickets for the other related issues captured as comments on this ticket.

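Added example (not part of the ticket and not MariaDB tooling): a Python triage helper for ASAN reports like the ones quoted in the comments above. It decodes the bracketed shadow byte through the report's own legend, buckets each report by its top faulting frames, and lists the frames and allocation origin the reports share; the function names and the bucketing depth are assumptions of this example.

```python
import re

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)")
FRAME_RE = re.compile(r"^#\d+ 0x[0-9a-f]+ in (.+) (\S+)$")
MARKED_RE = re.compile(r"^=>.*\[([0-9a-f]{2})\]")  # faulting shadow byte is bracketed
LEGEND_RE = re.compile(r"^(.+?):\s+([0-9a-f]{2})$")
MALLOC_WRAPPERS = {"malloc", "__interceptor_malloc", "sf_malloc", "my_malloc"}

# Sample input: abridged from the 10.4 and 10.5 reports quoted in the comments
# above (most frames and shadow rows omitted; the kept lines are unchanged).
REPORT_104 = """
==1133266==ERROR: AddressSanitizer: use-after-poison on address 0x62b000063428 at pc 0x55662c4c2dfe bp 0x7fe5598e7cd0 sp 0x7fe5598e7cc8
READ of size 1 at 0x62b000063428 thread T5
    #0 0x55662c4c2dfd in st_select_lex::print(THD*, String*, enum_query_type) /data/src/10.4/sql/sql_select.cc:27719
    #1 0x55662c2f79a6 in st_select_lex_unit::print(String*, enum_query_type) /data/src/10.4/sql/sql_lex.cc:3064
    #9 0x55662c8b314c in opt_trace_print_expanded_query(THD*, st_select_lex*, Json_writer_object*) /data/src/10.4/sql/opt_trace.cc:115
    #15 0x55662c3d1b48 in Prepared_statement::execute(String*, bool) /data/src/10.4/sql/sql_prepare.cc:5024
allocated by thread T5 here:
    #1 0x55662dad9d72 in my_malloc /data/src/10.4/mysys/my_malloc.c:101
    #2 0x55662dac5f1c in reset_root_defaults /data/src/10.4/mysys/my_alloc.c:152
=>0x0c5680004680: f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Poisoned by user:        f7
"""
REPORT_105 = """
==1939161==ERROR: AddressSanitizer: use-after-poison on address 0x62b0000399a8 at pc 0x55f56a743604 bp 0x7f845c67a210 sp 0x7f845c67a200
READ of size 1 at 0x62b0000399a8 thread T5
    #0 0x55f56a743603 in check_column_name(char const*) /data/src/10.5/sql/table.cc:4981
    #1 0x55f56a569f81 in st_select_lex::print(THD*, String*, enum_query_type) /data/src/10.5/sql/sql_select.cc:28007
    #2 0x55f56aa320a5 in opt_trace_print_expanded_query(THD*, st_select_lex*, Json_writer_object*) /data/src/10.5/sql/opt_trace.cc:118
    #16 0x55f56a45749d in Prepared_statement::execute(String*, bool) /data/src/10.5/sql/sql_prepare.cc:5065
allocated by thread T5 here:
    #1 0x55f56c14092d in sf_malloc /data/src/10.5/mysys/safemalloc.c:121
    #3 0x55f56c0e9699 in reset_root_defaults /data/src/10.5/mysys/my_alloc.c:148
=>0x0c567ffff330: f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Poisoned by user:        f7
"""


def parse_report(text):
    """Return error kind, access, both stacks and the decoded shadow byte."""
    rep = {"kind": None, "address": None, "access": None,
           "stack": [], "alloc_stack": [], "shadow_kind": None}
    legend, marked, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.search(line):
            rep["kind"], rep["address"] = m.group(1), m.group(2)
        elif m := ACCESS_RE.match(line):
            rep["access"], section = (m.group(1), int(m.group(2))), "stack"
        elif line.startswith("allocated by thread"):
            section = "alloc_stack"
        elif line.startswith("Thread ") and "created by" in line:
            section = None  # thread-creation stack is not used for bucketing
        elif line.startswith("Shadow byte legend"):
            section = "legend"
        elif m := MARKED_RE.match(line):
            marked = m.group(1)
        elif section in ("stack", "alloc_stack") and (m := FRAME_RE.match(line)):
            func = m.group(1).split("(")[0]  # drop the C++ argument list
            rep[section].append((func, m.group(2)))
        elif section == "legend" and (m := LEGEND_RE.match(line)):
            legend[m.group(2)] = m.group(1)
    rep["shadow_kind"] = legend.get(marked)
    return rep


def bucket_key(rep, depth=2):
    """Crash bucket: error kind plus the top `depth` frames of the faulting stack."""
    return (rep["kind"],) + tuple(f for f, _ in rep["stack"][:depth])


def shared_frames(reports):
    """Functions present in every faulting stack, in the first report's order."""
    common = set.intersection(*({f for f, _ in r["stack"]} for r in reports))
    return list(dict.fromkeys(f for f, _ in reports[0]["stack"] if f in common))


def alloc_origin(rep):
    """First allocation frame that is not a generic malloc wrapper."""
    return next((f for f, _ in rep["alloc_stack"] if f not in MALLOC_WRAPPERS), None)


if __name__ == "__main__":
    reports = [parse_report(REPORT_104), parse_report(REPORT_105)]
    for r in reports:
        print(bucket_key(r), r["shadow_kind"], alloc_origin(r))
    print("shared:", shared_frames(reports))
```

On the two abridged reports the buckets differ, while `st_select_lex::print` under `opt_trace_print_expanded_query` and the `reset_root_defaults` allocation are common to both.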

            People

              Gosselin Dave Gosselin
              elenst Elena Stepanova