Details
-
Bug
-
Status: Closed
-
Minor
-
Resolution: Won't Fix
-
10.2, 10.3
Description
Set to Minor, as it has been fixed in 10.4+ and the test case is not of particular importance.
# Reproducer for the heap-use-after-free reported below (ASAN build, 10.2/10.3).
# Two rows are enough to send the query through the GROUP BY / DISTINCT path,
# which creates a temporary aggregation table (create_tmp_table in the
# "previously allocated" trace); that table is the 1100-byte region later freed
# by free_tmp_table() and then read again.
CREATE TABLE t1 (a INT); |
INSERT INTO t1 VALUES (1),(2); |
# The SELECT combines DISTINCT, a user-variable assignment around UUID(),
# GROUP BY and a HAVING on the select alias.  The ASAN trace shows
# Item_func_uuid::val_str -> String::realloc reading memory that
# free_tmp_table() had already released, so the statement is prepared once and
# executed twice; the re-execution is presumably where the stale pointer is
# dereferenced (the trace does not say which EXECUTE tripped it).
PREPARE stmt FROM "SELECT DISTINCT @x := UUID() AS f FROM t1 GROUP BY a HAVING f != 'foo'"; |
EXECUTE stmt; |
EXECUTE stmt; |
|
# Cleanup
|
DROP TABLE t1; |
10.2 a4d4836f ASAN |
==694087==ERROR: AddressSanitizer: heap-use-after-free on address 0x6190000877c7 at pc 0x7fa9a8500480 bp 0x7fa99d2a4c40 sp 0x7fa99d2a43e8
|
READ of size 36 at 0x6190000877c7 thread T5
|
#0 0x7fa9a850047f (/lib/x86_64-linux-gnu/libasan.so.5+0x9b47f)
|
#1 0x55c17ea3c005 in String::realloc_raw(unsigned long) /data/src/10.2/sql/sql_string.cc:110
|
#2 0x55c17e601498 in String::realloc(unsigned long) /data/src/10.2/sql/sql_string.h:367
|
#3 0x55c17f04f1c5 in Item_func_uuid::val_str(String*) /data/src/10.2/sql/item_strfunc.cc:4287
|
#4 0x55c17efdf717 in Item_func_set_user_var::check(bool) /data/src/10.2/sql/item_func.cc:5089
|
#5 0x55c17efe1680 in Item_func_set_user_var::save_in_field(Field*, bool, bool) /data/src/10.2/sql/item_func.cc:5379
|
#6 0x55c17eff6073 in Item_func_set_user_var::save_in_field(Field*, bool) /data/src/10.2/sql/item_func.h:1988
|
#7 0x55c17e7455b0 in Item_result_field::save_in_result_field(bool) /data/src/10.2/sql/item.h:2546
|
#8 0x55c17e99052c in copy_funcs(Item**, THD const*) /data/src/10.2/sql/sql_select.cc:23907
|
#9 0x55c17e975e74 in end_write /data/src/10.2/sql/sql_select.cc:20262
|
#10 0x55c17e9a6b9e in AGGR_OP::put_record(bool) /data/src/10.2/sql/sql_select.cc:26803
|
#11 0x55c17e9b4f1c in AGGR_OP::put_record() (/data/bld/10.2-asan-nightly/bin/mysqld+0xfb3f1c)
|
#12 0x55c17e969ba9 in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /data/src/10.2/sql/sql_select.cc:18579
|
#13 0x55c17e96c2ca in evaluate_join_record /data/src/10.2/sql/sql_select.cc:19078
|
#14 0x55c17e96ac3c in sub_select(JOIN*, st_join_table*, bool) /data/src/10.2/sql/sql_select.cc:18858
|
#15 0x55c17e968d25 in do_select /data/src/10.2/sql/sql_select.cc:18402
|
#16 0x55c17e902ed4 in JOIN::exec_inner() /data/src/10.2/sql/sql_select.cc:3641
|
#17 0x55c17e9009eb in JOIN::exec() /data/src/10.2/sql/sql_select.cc:3436
|
#18 0x55c17e9041f3 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3836
|
#19 0x55c17e8e0c95 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361
|
#20 0x55c17e857b80 in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6248
|
#21 0x55c17e844b25 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3559
|
#22 0x55c17e8b14cc in Prepared_statement::execute(String*, bool) /data/src/10.2/sql/sql_prepare.cc:5037
|
#23 0x55c17e8aca98 in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.2/sql/sql_prepare.cc:4466
|
#24 0x55c17e8a6f6d in mysql_sql_stmt_execute(THD*) /data/src/10.2/sql/sql_prepare.cc:3574
|
#25 0x55c17e844b6a in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3575
|
#26 0x55c17e8610fd in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
|
#27 0x55c17e83a142 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
|
#28 0x55c17e836f01 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
|
#29 0x55c17ebbf430 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
|
#30 0x55c17ebbecf3 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
|
#31 0x55c17ff5b2bf in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
|
#32 0x7fa9a800b608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
|
#33 0x7fa9a7be5292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
|
|
0x6190000877c7 is located 583 bytes inside of 1100-byte region [0x619000087580,0x6190000879cc)
|
freed by thread T5 here:
|
#0 0x7fa9a85727cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
|
#1 0x55c180078f54 in free_memory /data/src/10.2/mysys/safemalloc.c:279
|
#2 0x55c1800784a0 in sf_free /data/src/10.2/mysys/safemalloc.c:197
|
#3 0x55c1800447e8 in my_free /data/src/10.2/mysys/my_malloc.c:218
|
#4 0x55c18002264c in free_root /data/src/10.2/mysys/my_alloc.c:401
|
#5 0x55c17e967634 in free_tmp_table(THD*, TABLE*) /data/src/10.2/sql/sql_select.cc:18186
|
#6 0x55c17e94087e in JOIN::cleanup(bool) /data/src/10.2/sql/sql_select.cc:12379
|
#7 0x55c17e9032e5 in JOIN::destroy() /data/src/10.2/sql/sql_select.cc:3667
|
#8 0x55c17eac2547 in st_select_lex::cleanup() /data/src/10.2/sql/sql_union.cc:1579
|
#9 0x55c17e9043a8 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3848
|
#10 0x55c17e8e0c95 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361
|
#11 0x55c17e857b80 in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6248
|
#12 0x55c17e844b25 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3559
|
#13 0x55c17e8b14cc in Prepared_statement::execute(String*, bool) /data/src/10.2/sql/sql_prepare.cc:5037
|
#14 0x55c17e8aca98 in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.2/sql/sql_prepare.cc:4466
|
#15 0x55c17e8a6f6d in mysql_sql_stmt_execute(THD*) /data/src/10.2/sql/sql_prepare.cc:3574
|
#16 0x55c17e844b6a in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3575
|
#17 0x55c17e8610fd in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
|
#18 0x55c17e83a142 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
|
#19 0x55c17e836f01 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
|
#20 0x55c17ebbf430 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
|
#21 0x55c17ebbecf3 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
|
#22 0x55c17ff5b2bf in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
|
#23 0x7fa9a800b608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
|
|
previously allocated by thread T5 here:
|
#0 0x7fa9a8572bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
|
#1 0x55c180077e12 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
|
#2 0x55c180043d77 in my_malloc /data/src/10.2/mysys/my_malloc.c:101
|
#3 0x55c1800213e9 in alloc_root /data/src/10.2/mysys/my_alloc.c:243
|
#4 0x55c180022e1f in memdup_root /data/src/10.2/mysys/my_alloc.c:464
|
#5 0x55c17edfb7e3 in Field::make_new_field(st_mem_root*, TABLE*, bool) /data/src/10.2/sql/field.cc:2387
|
#6 0x55c17e95694f in create_tmp_field_from_field(THD*, Field*, char const*, TABLE*, Item_field*) /data/src/10.2/sql/sql_select.cc:16268
|
#7 0x55c17e95848d in create_tmp_field(THD*, TABLE*, Item*, Item::Type, Item***, Field**, Field**, bool, bool, bool, bool) /data/src/10.2/sql/sql_select.cc:16524
|
#8 0x55c17e95b906 in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, char const*, bool, bool) /data/src/10.2/sql/sql_select.cc:16972
|
#9 0x55c17e8fc2e4 in JOIN::create_postjoin_aggr_table(st_join_table*, List<Item>*, st_order*, bool, bool, bool) /data/src/10.2/sql/sql_select.cc:2973
|
#10 0x55c17e8f81d3 in JOIN::make_aggr_tables_info() /data/src/10.2/sql/sql_select.cc:2578
|
#11 0x55c17e8f413b in JOIN::optimize_inner() /data/src/10.2/sql/sql_select.cc:2249
|
#12 0x55c17e8e897b in JOIN::optimize() /data/src/10.2/sql/sql_select.cc:1117
|
#13 0x55c17e904007 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3822
|
#14 0x55c17e8e0c95 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361
|
#15 0x55c17e857b80 in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6248
|
#16 0x55c17e844b25 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3559
|
#17 0x55c17e8b14cc in Prepared_statement::execute(String*, bool) /data/src/10.2/sql/sql_prepare.cc:5037
|
#18 0x55c17e8aca98 in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.2/sql/sql_prepare.cc:4466
|
#19 0x55c17e8a6f6d in mysql_sql_stmt_execute(THD*) /data/src/10.2/sql/sql_prepare.cc:3574
|
#20 0x55c17e844b6a in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3575
|
#21 0x55c17e8610fd in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
|
#22 0x55c17e83a142 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
|
#23 0x55c17e836f01 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
|
#24 0x55c17ebbf430 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
|
#25 0x55c17ebbecf3 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
|
#26 0x55c17ff5b2bf in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
|
#27 0x7fa9a800b608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
|
|
Thread T5 created by T0 here:
|
#0 0x7fa9a849f805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
|
#1 0x55c17ff5b6b0 in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1919
|
#2 0x55c17e5dc083 in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1246
|
#3 0x55c17e5f3c54 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6573
|
#4 0x55c17e5f43ef in create_new_thread /data/src/10.2/sql/mysqld.cc:6643
|
#5 0x55c17e5f5581 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6901
|
#6 0x55c17e5f2fa5 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6192
|
#7 0x55c17e5da93c in main /data/src/10.2/sql/main.cc:25
|
#8 0x7fa9a7aea0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
|
|
SUMMARY: AddressSanitizer: heap-use-after-free (/lib/x86_64-linux-gnu/libasan.so.5+0x9b47f)
|
Shadow bytes around the buggy address:
|
0x0c3280008ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c3280008eb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c3280008ec0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c3280008ed0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c3280008ee0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
=>0x0c3280008ef0: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
|
0x0c3280008f00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c3280008f10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c3280008f20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c3280008f30: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
|
0x0c3280008f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==694087==ABORTING
|
Reproducible on 10.2-10.3.
No obvious immediate failure on a non-ASAN build, although delayed effects are possible.
In 10.4+ the failure stopped happening after this commit:
commit a9ca819897f5c82582bfd3fedb09c78131cf8e00
|
Author: Monty
|
Date: Thu Jul 12 18:12:20 2018 +0300
|
|
Call alloc() instead of realloc()
|