Details
-
Bug
-
Status: Confirmed (View Workflow)
-
Major
-
Resolution: Unresolved
-
10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 11.2(EOL), 11.4, 11.6(EOL), 11.7(EOL)
Description
CREATE TABLE t1 (a INT, b VARCHAR(1), KEY(b,a)) ENGINE=MyISAM; |
INSERT INTO t1 VALUES (8,'o'),(5,'g'),(8,'f'),(3,'g'),(4,'j'),(NULL,'j'),(0,'i'),(124,'j'),(6,'l'),(5,'f'); |
|
|
SELECT MIN(a), b FROM t1 WHERE a IS NULL GROUP BY b; |
|
|
# Cleanup
|
DROP TABLE t1; |
|
10.2 067465cd |
==3283520==ERROR: AddressSanitizer: unknown-crash on address 0x619000087627 at pc 0x7f150ee52480 bp 0x7f1503bfc9e0 sp 0x7f1503bfc188
|
READ of size 8 at 0x619000087627 thread T5
|
#0 0x7f150ee5247f (/lib/x86_64-linux-gnu/libasan.so.5+0x9b47f)
|
#1 0x56481f1abd7e in QUICK_GROUP_MIN_MAX_SELECT::next_min_in_range() /data/src/10.2/sql/opt_range.cc:14496
|
#2 0x56481f1a9ce3 in QUICK_GROUP_MIN_MAX_SELECT::next_min() /data/src/10.2/sql/opt_range.cc:14172
|
#3 0x56481f1a94fa in QUICK_GROUP_MIN_MAX_SELECT::get_next() /data/src/10.2/sql/opt_range.cc:14105
|
#4 0x56481f1c8397 in rr_quick /data/src/10.2/sql/records.cc:373
|
#5 0x56481e8fc633 in join_init_read_record(st_join_table*) /data/src/10.2/sql/sql_select.cc:19785
|
#6 0x56481e8f5b08 in sub_select(JOIN*, st_join_table*, bool) /data/src/10.2/sql/sql_select.cc:18856
|
#7 0x56481e8f3dad in do_select /data/src/10.2/sql/sql_select.cc:18403
|
#8 0x56481e88df40 in JOIN::exec_inner() /data/src/10.2/sql/sql_select.cc:3642
|
#9 0x56481e88ba57 in JOIN::exec() /data/src/10.2/sql/sql_select.cc:3437
|
#10 0x56481e88f25f in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3837
|
#11 0x56481e86bd01 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361
|
#12 0x56481e7e2bec in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6248
|
#13 0x56481e7cfb91 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3559
|
#14 0x56481e7ec169 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
|
#15 0x56481e7c51ae in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
|
#16 0x56481e7c1f6d in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
|
#17 0x56481eb4a924 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
|
#18 0x56481eb4a1e7 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
|
#19 0x56481fee6aab in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
|
#20 0x7f150e95d608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
|
#21 0x7f150e537292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
|
|
|
0x619000087627 is located 167 bytes inside of 1100-byte region [0x619000087580,0x6190000879cc)
|
allocated by thread T5 here:
|
#0 0x7f150eec4bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
|
#1 0x564820003606 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
|
#2 0x56481ffcf56b in my_malloc /data/src/10.2/mysys/my_malloc.c:101
|
#3 0x56481ffacbdd in alloc_root /data/src/10.2/mysys/my_alloc.c:243
|
#4 0x56481ffae576 in strmake_root /data/src/10.2/mysys/my_alloc.c:451
|
#5 0x56481ea90e57 in open_table_from_share(THD*, TABLE_SHARE*, char const*, unsigned int, unsigned int, unsigned int, TABLE*, bool) /data/src/10.2/sql/table.cc:3103
|
#6 0x56481e6a6cfd in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.2/sql/sql_base.cc:1934
|
#7 0x56481e6aec82 in open_and_process_table /data/src/10.2/sql/sql_base.cc:3614
|
#8 0x56481e6b105c in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:4081
|
#9 0x56481e6b4be2 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:4880
|
#10 0x56481e62bdb1 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.2/sql/sql_base.h:507
|
#11 0x56481e76aabd in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.2/sql/sql_insert.cc:758
|
#12 0x56481e7d350f in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4194
|
#13 0x56481e7ec169 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
|
#14 0x56481e7c51ae in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
|
#15 0x56481e7c1f6d in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
|
#16 0x56481eb4a924 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
|
#17 0x56481eb4a1e7 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
|
#18 0x56481fee6aab in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
|
#19 0x7f150e95d608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
|
|
|
Thread T5 created by T0 here:
|
#0 0x7f150edf1805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
|
#1 0x56481fee6e9c in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1919
|
#2 0x56481e567083 in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1246
|
#3 0x56481e57ec54 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6573
|
#4 0x56481e57f3ef in create_new_thread /data/src/10.2/sql/mysqld.cc:6643
|
#5 0x56481e580581 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6901
|
#6 0x56481e57dfa5 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6192
|
#7 0x56481e56593c in main /data/src/10.2/sql/main.cc:25
|
#8 0x7f150e43c0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
|
|
|
SUMMARY: AddressSanitizer: unknown-crash (/lib/x86_64-linux-gnu/libasan.so.5+0x9b47f)
|
Shadow bytes around the buggy address:
|
0x0c3280008e70: 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00
|
0x0c3280008e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c3280008e90: 00 00 f7 00 02 f7 04 f7 f7 04 fa fa fa fa fa fa
|
0x0c3280008ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c3280008eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
=>0x0c3280008ec0: 00 f7 03 f7[07]07 f7 00 00 00 f7 00 00 00 00 00
|
0x0c3280008ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c3280008ee0: 00 00 00 00 f7 00 00 00 00 00 00 00 00 00 00 00
|
0x0c3280008ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c3280008f00: f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c3280008f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 00
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==3283520==ABORTING
|
Reproducible on 10.2-10.6 with MyISAM and Aria, couldn't reproduce with InnoDB which runs with a different plan.
|
plan with MyISAM (failing) |
id select_type table type possible_keys key key_len ref rows filtered Extra |
1 SIMPLE t1 range NULL b 9 NULL 6 100.00 Using where; Using index for group-by |
Warnings:
|
Note 1003 select min(`test`.`t1`.`a`) AS `MIN(a)`,`test`.`t1`.`b` AS `b` from `test`.`t1` where `test`.`t1`.`a` is null group by `test`.`t1`.`b` |
|
plan with InnoDB (not failing) |
id select_type table type possible_keys key key_len ref rows filtered Extra |
1 SIMPLE t1 index NULL b 9 NULL 10 100.00 Using where; Using index |
Warnings:
|
Note 1003 select min(`test`.`t1`.`a`) AS `MIN(a)`,`test`.`t1`.`b` AS `b` from `test`.`t1` where `test`.`t1`.`a` is null group by `test`.`t1`.`b` |
Non-ASAN build doesn't fail for me, but given that non-debug ASAN crashes the same way, I suppose for release builds it's just the matter of luck.
Attachments
Activity
The following testcase gives a slightly different stack.
It produces lightly sporadically on 11.2+ and more pronounced sporadically (execute it a few times in a row in the same session to trigger the bug) on 10.5 etc.
CREATE TABLE t (c INT,c2 INT,c3 INT,UNIQUE(c,c2,c3)); |
INSERT INTO t(c) VALUES (NULL),(0); |
SELECT MIN(c2) FROM t GROUP BY c; |
# Cleanup
|
DROP TABLE t; |
Leads to:
|
CS 11.2.6 66b8d32b7514f46b1467d404d3f9ad688bbfeb4f (Optimized, UBASAN) |
==2595748==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x1479e54fcd4a at pc 0x56255bbd1b1a bp 0x1479e54fcc70 sp 0x1479e54fcc60
|
READ of size 1 at 0x1479e54fcd4a thread T12
|
#0 0x56255bbd1b19 in key_restore(unsigned char*, unsigned char const*, st_key*, unsigned int) /test/11.2_opt_san/sql/key.cc:199
|
#1 0x562558f5c877 in QUICK_GROUP_MIN_MAX_SELECT::next_min() /test/11.2_opt_san/sql/opt_range.cc:16145
|
#2 0x562558f60ab7 in QUICK_GROUP_MIN_MAX_SELECT::get_next() /test/11.2_opt_san/sql/opt_range.cc:16036
|
#3 0x562558fd4be6 in rr_quick /test/11.2_opt_san/sql/records.cc:402
|
#4 0x56255999a37c in sub_select(JOIN*, st_join_table*, bool) /test/11.2_opt_san/sql/sql_select.cc:24047
|
#5 0x562559b6c29e in do_select /test/11.2_opt_san/sql/sql_select.cc:23561
|
#6 0x562559b6c29e in JOIN::exec_inner() /test/11.2_opt_san/sql/sql_select.cc:5043
|
#7 0x562559b71483 in JOIN::exec() /test/11.2_opt_san/sql/sql_select.cc:4820
|
#8 0x562559b5e94d in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.2_opt_san/sql/sql_select.cc:5358
|
#9 0x562559b62550 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.2_opt_san/sql/sql_select.cc:642
|
#10 0x562559697450 in execute_sqlcom_select /test/11.2_opt_san/sql/sql_parse.cc:6177
|
#11 0x56255970775f in mysql_execute_command(THD*, bool) /test/11.2_opt_san/sql/sql_parse.cc:3984
|
#12 0x562559718482 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.2_opt_san/sql/sql_parse.cc:7938
|
#13 0x56255972a0da in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.2_opt_san/sql/sql_parse.cc:1894
|
#14 0x56255973a486 in do_command(THD*, bool) /test/11.2_opt_san/sql/sql_parse.cc:1407
|
#15 0x56255a10defc in do_handle_one_connection(CONNECT*, bool) /test/11.2_opt_san/sql/sql_connect.cc:1439
|
#16 0x56255a11052c in handle_one_connection /test/11.2_opt_san/sql/sql_connect.cc:1341
|
#17 0x147a09c9ca93 in start_thread nptl/pthread_create.c:447
|
#18 0x147a09d29c3b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
|
|
Address 0x1479e54fcd4a is located in stack of thread T12
|
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow /test/11.2_opt_san/sql/key.cc:199 in key_restore(unsigned char*, unsigned char const*, st_key*, unsigned int)
|
Shadow bytes around the buggy address:
|
0x028fbca97950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x028fbca97960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x028fbca97970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x028fbca97980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x028fbca97990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
=>0x028fbca979a0: 00 00 00 00 ca ca ca ca 00[02]cb cb cb cb cb cb
|
0x028fbca979b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x028fbca979c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x028fbca979d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x028fbca979e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x028fbca979f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
Thread T12 created by T0 here:
|
#0 0x562558d19f35 in pthread_create (/test/UBASAN_MD171024-mariadb-11.2.6-linux-x86_64-opt/bin/mariadbd+0x830df35)
|
#1 0x562558dcf99e in create_thread_to_handle_connection(CONNECT*) /test/11.2_opt_san/sql/mysqld.cc:6241
|
#2 0x562558de352f in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.2_opt_san/sql/mysqld.cc:6365
|
#3 0x562558de4487 in handle_connections_sockets() /test/11.2_opt_san/sql/mysqld.cc:6489
|
#4 0x562558de749c in mysqld_main(int, char**) /test/11.2_opt_san/sql/mysqld.cc:6136
|
#5 0x147a09c2a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
#6 0x147a09c2a28a in __libc_start_main_impl ../csu/libc-start.c:360
|
#7 0x562558ce6cf4 in _start (/test/UBASAN_MD171024-mariadb-11.2.6-linux-x86_64-opt/bin/mariadbd+0x82dacf4)
|
|
|
==2595748==ABORTING
|
241121 7:26:55 [ERROR] mysqld got signal 6 ;
|
|
CS 11.2.6 66b8d32b7514f46b1467d404d3f9ad688bbfeb4f (Debug, UBASAN) |
==1848041==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x148b18efd7aa at pc 0x5647ae73197a bp 0x148b18efd6d0 sp 0x148b18efd6c0
|
READ of size 1 at 0x148b18efd7aa thread T13
|
#0 0x5647ae731979 in key_restore(unsigned char*, unsigned char const*, st_key*, unsigned int) /test/11.2_dbg_san/sql/key.cc:199
|
#1 0x5647ab909f74 in QUICK_GROUP_MIN_MAX_SELECT::next_min() /test/11.2_dbg_san/sql/opt_range.cc:16145
|
#2 0x5647ab90cb1c in QUICK_GROUP_MIN_MAX_SELECT::get_next() /test/11.2_dbg_san/sql/opt_range.cc:16036
|
#3 0x5647ab9c0e07 in rr_quick /test/11.2_dbg_san/sql/records.cc:402
|
#4 0x5647ac424cbf in READ_RECORD::read_record() /test/11.2_dbg_san/sql/records.h:81
|
#5 0x5647ac424cbf in join_init_read_record(st_join_table*) /test/11.2_dbg_san/sql/sql_select.cc:25115
|
#6 0x5647ac3564f6 in sub_select(JOIN*, st_join_table*, bool) /test/11.2_dbg_san/sql/sql_select.cc:24047
|
#7 0x5647ac50b46b in do_select /test/11.2_dbg_san/sql/sql_select.cc:23561
|
#8 0x5647ac50b46b in JOIN::exec_inner() /test/11.2_dbg_san/sql/sql_select.cc:5043
|
#9 0x5647ac50cbd6 in JOIN::exec() /test/11.2_dbg_san/sql/sql_select.cc:4820
|
#10 0x5647ac4fadc3 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.2_dbg_san/sql/sql_select.cc:5358
|
#11 0x5647ac4ff2d4 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.2_dbg_san/sql/sql_select.cc:642
|
#12 0x5647ac052dd9 in execute_sqlcom_select /test/11.2_dbg_san/sql/sql_parse.cc:6177
|
#13 0x5647ac0b78fc in mysql_execute_command(THD*, bool) /test/11.2_dbg_san/sql/sql_parse.cc:3984
|
#14 0x5647ac0e2351 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.2_dbg_san/sql/sql_parse.cc:7938
|
#15 0x5647ac0f229b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.2_dbg_san/sql/sql_parse.cc:1894
|
#16 0x5647ac100b06 in do_command(THD*, bool) /test/11.2_dbg_san/sql/sql_parse.cc:1407
|
#17 0x5647acb28791 in do_handle_one_connection(CONNECT*, bool) /test/11.2_dbg_san/sql/sql_connect.cc:1439
|
#18 0x5647acb29cb3 in handle_one_connection /test/11.2_dbg_san/sql/sql_connect.cc:1341
|
#19 0x148b3dc9ca93 in start_thread nptl/pthread_create.c:447
|
#20 0x148b3dd29c3b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
|
|
Address 0x148b18efd7aa is located in stack of thread T13
|
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow /test/11.2_dbg_san/sql/key.cc:199 in key_restore(unsigned char*, unsigned char const*, st_key*, unsigned int)
|
Shadow bytes around the buggy address:
|
0x0291e31d7aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0291e31d7ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0291e31d7ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0291e31d7ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0291e31d7ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
=>0x0291e31d7af0: ca ca ca ca 00[02]cb cb cb cb cb cb 00 00 00 00
|
0x0291e31d7b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0291e31d7b10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0291e31d7b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0291e31d7b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0291e31d7b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
Thread T13 created by T0 here:
|
#0 0x5647ab6dd915 in __interceptor_pthread_create (/test/UBASAN_MD171024-mariadb-11.2.6-linux-x86_64-dbg/bin/mariadbd+0x8858915)
|
#1 0x5647ab792dd5 in create_thread_to_handle_connection(CONNECT*) /test/11.2_dbg_san/sql/mysqld.cc:6241
|
#2 0x5647ab7a6c6e in create_new_thread(CONNECT*) /test/11.2_dbg_san/sql/mysqld.cc:6303
|
#3 0x5647ab7a74ee in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.2_dbg_san/sql/mysqld.cc:6365
|
#4 0x5647ab7a8535 in handle_connections_sockets() /test/11.2_dbg_san/sql/mysqld.cc:6489
|
#5 0x5647ab7ad053 in mysqld_main(int, char**) /test/11.2_dbg_san/sql/mysqld.cc:6136
|
#6 0x5647ab77f60a in main /test/11.2_dbg_san/sql/main.cc:34
|
#7 0x148b3dc2a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
#8 0x148b3dc2a28a in __libc_start_main_impl ../csu/libc-start.c:360
|
#9 0x5647ab6aa6d4 in _start (/test/UBASAN_MD171024-mariadb-11.2.6-linux-x86_64-dbg/bin/mariadbd+0x88256d4)
|
|
|
==1848041==ABORTING
|
241121 7:03:20 [ERROR] mysqld got signal 6 ;
|
Setup:
Compiled with a recent version of GCC (I used GCC 11.4.0) and:
|
-DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON
|
Set before execution:
|
export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1
|
Bug confirmed present in 10.5-11.7 opt+dbg
A variation with a different ASAN error and a slightly different stack trace:
# Cleanup10.2 545cba13
==2120108==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7fd6461d0c0f at pc 0x55b74f153c16 bp 0x7fd6461d0b40 sp 0x7fd6461d0b30READ of size 1 at 0x7fd6461d0c0f thread T5#0 0x55b74f153c15 in key_restore(unsigned char*, unsigned char const*, st_key*, unsigned int) /data/src/10.2/sql/key.cc:198#1 0x55b74f278d3d in QUICK_GROUP_MIN_MAX_SELECT::next_min() /data/src/10.2/sql/opt_range.cc:14215#2 0x55b74f277ece in QUICK_GROUP_MIN_MAX_SELECT::get_next() /data/src/10.2/sql/opt_range.cc:14105#3 0x55b74f296d6b in rr_quick /data/src/10.2/sql/records.cc:373#4 0x55b74e9cb89f in join_init_read_record(st_join_table*) /data/src/10.2/sql/sql_select.cc:19789#5 0x55b74e9c4d74 in sub_select(JOIN*, st_join_table*, bool) /data/src/10.2/sql/sql_select.cc:18860#6 0x55b74e9c3019 in do_select /data/src/10.2/sql/sql_select.cc:18407#7 0x55b74e95d0c2 in JOIN::exec_inner() /data/src/10.2/sql/sql_select.cc:3642#8 0x55b74e95abd9 in JOIN::exec() /data/src/10.2/sql/sql_select.cc:3437#9 0x55b74e95e45c in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3840#10 0x55b74e93ae83 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361#11 0x55b74e8b1c9b in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6275#12 0x55b74e89f03a in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3586#13 0x55b74e8bb217 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7790#14 0x55b74e89430e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827#15 0x55b74e8910cd in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381#16 0x55b74ec19304 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336#17 0x55b74ec18bc7 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241#18 0x55b74ffb7437 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869#19 0x7fd650f30608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477#20 0x7fd650b0c292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)Address 0x7fd6461d0c0f is located in stack of thread T5SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow /data/src/10.2/sql/key.cc:198 in key_restore(unsigned char*, unsigned char const*, st_key*, unsigned int)Shadow bytes around the buggy address:0x0ffb48c32130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0ffb48c32140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0ffb48c32150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0ffb48c32160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0ffb48c32170: 00 00 00 00 00 00 00 00 00 00 00 00 ca ca ca ca=>0x0ffb48c32180: 00[07]cb cb cb cb cb cb 00 00 00 00 00 00 f1 f10x0ffb48c32190: f1 f1 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 000x0ffb48c321a0: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 000x0ffb48c321b0: 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 000x0ffb48c321c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0ffb48c321d0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00Shadow byte legend (one shadow byte represents 8 application bytes):Addressable: 00Partially addressable: 01 02 03 04 05 06 07Heap left redzone: faFreed heap region: fdStack left redzone: f1Stack mid redzone: f2Stack right redzone: f3Stack after return: f5Stack use after scope: f8Global redzone: f9Global init order: f6Poisoned by user: f7Container overflow: fcArray cookie: acIntra object redzone: bbASan internal: feLeft alloca redzone: caRight alloca redzone: cbShadow gap: ccThread T5 created by T0 here:#0 0x7fd651428805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)#1 0x55b74ffb7828 in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1919#2 0x55b74e6361e3 in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1246#3 0x55b74e64ddb4 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6573#4 0x55b74e64e54f in create_new_thread /data/src/10.2/sql/mysqld.cc:6643#5 0x55b74e64f6e1 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6901#6 0x55b74e64d105 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6192#7 0x55b74e634a9c in main /data/src/10.2/sql/main.cc:25#8 0x7fd650a110b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)==2120108==ABORTING210310 17:55:51 [ERROR] mysqld got signal 6 ;This could be because you hit a bug. It is also possible that this binaryor one of the libraries it was linked against is corrupt, improperly built,or misconfigured. This error can also be caused by malfunctioning hardware.To report this bug, see https://mariadb.com/kb/en/reporting-bugsWe will try our best to scrape up some info that will hopefully helpdiagnose the problem, but since we have already crashed,something is definitely wrong and this may fail.Server version: 10.2.38-MariaDB-debug-logkey_buffer_size=1048576read_buffer_size=131072max_used_connections=1max_threads=153thread_count=1It is possible that mysqld could use up tokey_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 63104 K bytes of memoryHope that's ok; if not, decrease some variables in the equation.Thread pointer: 0x62a000060270Attempting backtrace. You can use the following information to find outwhere mysqld died. If you see no messages after this, something wentterribly wrong...stack_bottom = 0x7fd6461d3d90 thread_stack 0x5b000/lib/x86_64-linux-gnu/libasan.so.5(+0x6cd30)[0x7fd65145ad30]mysys/stacktrace.c:172(my_print_stacktrace)[0x55b7500b1925]sql/signal_handler.cc:209(handle_fatal_signal)[0x55b74eed6917]sigaction.c:0(__restore_rt)[0x7fd650f3c3c0]/lib/x86_64-linux-gnu/libc.so.6(gsignal+0xcb)[0x7fd650a3018b]/lib/x86_64-linux-gnu/libc.so.6(abort+0x12b)[0x7fd650a0f859]/lib/x86_64-linux-gnu/libasan.so.5(+0x12b6a2)[0x7fd6515196a2]/lib/x86_64-linux-gnu/libasan.so.5(+0x13624c)[0x7fd65152424c]/lib/x86_64-linux-gnu/libasan.so.5(+0x1178ec)[0x7fd6515058ec]/lib/x86_64-linux-gnu/libasan.so.5(+0x117363)[0x7fd651505363]/lib/x86_64-linux-gnu/libasan.so.5(__asan_report_load1+0x3b)[0x7fd651505e4b]sql/key.cc:198(key_restore(unsigned char*, unsigned char const*, st_key*, unsigned int))[0x55b74f153c16]sql/opt_range.cc:14215(QUICK_GROUP_MIN_MAX_SELECT::next_min())[0x55b74f278d3e]sql/opt_range.cc:14105(QUICK_GROUP_MIN_MAX_SELECT::get_next())[0x55b74f277ecf]sql/records.cc:373(rr_quick(READ_RECORD*))[0x55b74f296d6c]sql/sql_select.cc:19789(join_init_read_record(st_join_table*))[0x55b74e9cb8a0]sql/sql_select.cc:18860(sub_select(JOIN*, st_join_table*, bool))[0x55b74e9c4d75]sql/sql_select.cc:18407(do_select(JOIN*, Procedure*))[0x55b74e9c301a]sql/sql_select.cc:3642(JOIN::exec_inner())[0x55b74e95d0c3]sql/sql_select.cc:3438(JOIN::exec())[0x55b74e95abda]sql/sql_select.cc:3842(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55b74e95e45d]sql/sql_select.cc:361(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55b74e93ae84]sql/sql_parse.cc:6275(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55b74e8b1c9c]sql/sql_parse.cc:3586(mysql_execute_command(THD*))[0x55b74e89f03b]sql/sql_parse.cc:7790(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55b74e8bb218]sql/sql_parse.cc:1830(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55b74e89430f]sql/sql_parse.cc:1381(do_command(THD*))[0x55b74e8910ce]sql/sql_connect.cc:1336(do_handle_one_connection(CONNECT*))[0x55b74ec19305]sql/sql_connect.cc:1242(handle_one_connection)[0x55b74ec18bc8]perfschema/pfs.cc:1871(pfs_spawn_thread)[0x55b74ffb7438]nptl/pthread_create.c:478(start_thread)[0x7fd650f30609]/lib/x86_64-linux-gnu/libc.so.6(clone+0x43)[0x7fd650b0c293]Trying to get some variables.Some pointers may be invalid and cause the dump to abort.Query (0x62b000000290): SELECT MIN(c), d, a FROM t1 GROUP BY d, aConnection ID (thread ID): 4Status: NOT_KILLEDOptimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=off,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=onThe manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ containsinformation that should help you find out what is causing the crash.Writing a core file...Working directory at /dev/shm/var_auto_EYV6/mysqld.1/dataResource Limits:Limit Soft Limit Hard Limit UnitsMax cpu time unlimited unlimited secondsMax file size unlimited unlimited bytesMax data size unlimited unlimited bytesMax stack size 8388608 unlimited bytesMax core file size unlimited unlimited bytesMax resident set unlimited unlimited bytesMax processes 385874 385874 processesMax open files 1024 1024 filesMax locked memory 67108864 67108864 bytesMax address space unlimited unlimited bytesMax file locks unlimited unlimited locksMax pending signals 385874 385874 signalsMax msgqueue size 819200 819200 bytesMax nice priority 0 0Max realtime priority 0 0Max realtime timeout unlimited unlimited usCore pattern: |/usr/share/apport/apport %p %s %c %d %P %E