  2. MDEV-24907

Server crash in Item_field::replace_equal_field, ASAN use-after-poison in base_list::head

    Description

      # Reproduction script for MDEV-24907: the SELECT below crashes the server
      # (Item_field::replace_equal_field, ASAN use-after-poison in base_list::head).
      # Per the report it reproduces on 10.4-10.6 with MyISAM and Aria but not with
      # InnoDB, so the ENGINE clauses below are part of the test case, not a default.
      CREATE TABLE t1 (a INT, b INT) ENGINE=MyISAM;
      INSERT INTO t1 VALUES (0,0);
       
      CREATE TABLE t2 (c INT) ENGINE=MyISAM;
      INSERT INTO t2 VALUES (2),(0);
       
      CREATE TABLE t3 (d INT) ENGINE=MyISAM;
      INSERT INTO t3 VALUES (1),(3);
       
      # Crashing statement. The report notes the query plan differs on 10.3 (where it
      # did not reproduce) and that EXPLAIN crashes the same way, so the statement is
      # kept verbatim rather than normalized (SELECT * etc.): any rewrite may change
      # the plan and mask the bug. The crash is reached from a plain SELECT, i.e. with
      # ordinary read privileges only.
      SELECT * FROM t1 LEFT JOIN (t2 JOIN t3 ON (t3.d = t2.c)) ON (t1.b NOT IN (SELECT d FROM t3)) WHERE (t1.a, t3.d) IN (SELECT c, MAX(c) FROM t2) AND t1.a = t1.b;
       
      # Cleanup
      DROP TABLE t1, t2, t3;
      

      10.4 a5bcec72 debug

      #3  <signal handler called>
      #4  0x00005652cb931a80 in Item_field::replace_equal_field (this=0x7fd3b4015d58, thd=0x7fd3b4000d90, arg=0x7fd3c4a19220 "\240*\a\264\323\177") at /data/src/10.4/sql/item.cc:6204
      #5  0x00005652cb91f335 in Item::transform (this=0x7fd3b4015d58, thd=0x7fd3b4000d90, transformer=&virtual Item::replace_equal_field(THD*, unsigned char*), arg=0x7fd3c4a19220 "\240*\a\264\323\177") at /data/src/10.4/sql/item.cc:601
      #6  0x00005652cb94f2e0 in Item_in_optimizer::transform (this=0x7fd3b406d950, thd=0x7fd3b4000d90, transformer=&virtual table offset 1184, argument=0x7fd3c4a19220 "\240*\a\264\323\177") at /data/src/10.4/sql/item_cmpfunc.cc:1707
      #7  0x00005652cb98f857 in Item_args::transform_args (this=0x7fd3b4017600, thd=0x7fd3b4000d90, transformer=&virtual table offset 1184, arg=0x7fd3c4a19220 "\240*\a\264\323\177") at /data/src/10.4/sql/item_func.cc:462
      #8  0x00005652cb98f981 in Item_func::transform (this=0x7fd3b4017578, thd=0x7fd3b4000d90, transformer=&virtual table offset 1184, argument=0x7fd3c4a19220 "\240*\a\264\323\177") at /data/src/10.4/sql/item_func.cc:498
      #9  0x00005652cb60a1bc in substitute_for_best_equal_field (thd=0x7fd3b4000d90, context_tab=0x1, cond=0x7fd3b4017578, cond_equal=0x7fd3b406ac80, table_join_idx=0x7fd3b407bab0, do_substitution=true) at /data/src/10.4/sql/sql_select.cc:15898
      #10 0x00005652cb609d6a in substitute_for_best_equal_field (thd=0x7fd3b4000d90, context_tab=0x1, cond=0x7fd3b4072748, cond_equal=0x7fd3b4072838, table_join_idx=0x7fd3b407bab0, do_substitution=true) at /data/src/10.4/sql/sql_select.cc:15805
      #11 0x00005652cb5e32cb in JOIN::optimize_stage2 (this=0x7fd3b406b588) at /data/src/10.4/sql/sql_select.cc:2462
      #12 0x00005652cb5e27fb in JOIN::optimize_inner (this=0x7fd3b406b588) at /data/src/10.4/sql/sql_select.cc:2302
      #13 0x00005652cb5e0009 in JOIN::optimize (this=0x7fd3b406b588) at /data/src/10.4/sql/sql_select.cc:1619
      #14 0x00005652cb5eb54f in mysql_select (thd=0x7fd3b4000d90, tables=0x7fd3b4013bb0, wild_num=1, fields=..., conds=0x7fd3b406ab90, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7fd3b406b560, unit=0x7fd3b4004cc0, select_lex=0x7fd3b40135f0) at /data/src/10.4/sql/sql_select.cc:4689
      #15 0x00005652cb5daf67 in handle_select (thd=0x7fd3b4000d90, lex=0x7fd3b4004c00, result=0x7fd3b406b560, setup_tables_done_option=0) at /data/src/10.4/sql/sql_select.cc:410
      #16 0x00005652cb5a0086 in execute_sqlcom_select (thd=0x7fd3b4000d90, all_tables=0x7fd3b4013bb0) at /data/src/10.4/sql/sql_parse.cc:6417
      #17 0x00005652cb596605 in mysql_execute_command (thd=0x7fd3b4000d90) at /data/src/10.4/sql/sql_parse.cc:3936
      #18 0x00005652cb5a40ab in mysql_parse (thd=0x7fd3b4000d90, rawbuf=0x7fd3b4013458 "SELECT * FROM t1 LEFT JOIN (t2 JOIN t3 ON (t3.d = t2.c)) ON (t1.b NOT IN (SELECT d FROM t3)) WHERE (t1.a, t3.d) IN (SELECT c, MAX(c) FROM t2) AND t1.a = t1.b", length=157, parser_state=0x7fd3c4a1a550, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:7958
      #19 0x00005652cb5903d3 in dispatch_command (command=COM_QUERY, thd=0x7fd3b4000d90, packet=0x7fd3b40087b1 "SELECT * FROM t1 LEFT JOIN (t2 JOIN t3 ON (t3.d = t2.c)) ON (t1.b NOT IN (SELECT d FROM t3)) WHERE (t1.a, t3.d) IN (SELECT c, MAX(c) FROM t2) AND t1.a = t1.b", packet_length=157, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1855
      #20 0x00005652cb58ec3b in do_command (thd=0x7fd3b4000d90) at /data/src/10.4/sql/sql_parse.cc:1373
      #21 0x00005652cb71e071 in do_handle_one_connection (connect=0x5652cf5b80d0) at /data/src/10.4/sql/sql_connect.cc:1412
      #22 0x00005652cb71ddba in handle_one_connection (arg=0x5652cf5b80d0) at /data/src/10.4/sql/sql_connect.cc:1316
      #23 0x00005652cc13f70a in pfs_spawn_thread (arg=0x5652cf505a30) at /data/src/10.4/storage/perfschema/pfs.cc:1869
      #24 0x00007fd3cb2cb609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #25 0x00007fd3cab36293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      10.4 a5bcec72 ASAN

      ==3309491==ERROR: AddressSanitizer: use-after-poison on address 0x629000259458 at pc 0x55dc88076499 bp 0x7fde2e3aa570 sp 0x7fde2e3aa560
      READ of size 8 at 0x629000259458 thread T5
          #0 0x55dc88076498 in base_list::head() /data/src/10.4/sql/sql_list.h:300
          #1 0x55dc881505f7 in List<Item>::head() /data/src/10.4/sql/sql_list.h:509
          #2 0x55dc88baa36d in Item_equal::get_first(st_join_table*, Item*) /data/src/10.4/sql/item_cmpfunc.cc:7230
          #3 0x55dc88b2704e in Item_field::replace_equal_field(THD*, unsigned char*) /data/src/10.4/sql/item.cc:6202
          #4 0x55dc88af6ed6 in Item::transform(THD*, Item* (Item::*)(THD*, unsigned char*), unsigned char*) /data/src/10.4/sql/item.cc:601
          #5 0x55dc88b775bb in Item_in_optimizer::transform(THD*, Item* (Item::*)(THD*, unsigned char*), unsigned char*) /data/src/10.4/sql/item_cmpfunc.cc:1707
          #6 0x55dc88bf967e in Item_args::transform_args(THD*, Item* (Item::*)(THD*, unsigned char*), unsigned char*) /data/src/10.4/sql/item_func.cc:462
          #7 0x55dc88bf98fc in Item_func::transform(THD*, Item* (Item::*)(THD*, unsigned char*), unsigned char*) /data/src/10.4/sql/item_func.cc:498
          #8 0x55dc883cbb9c in substitute_for_best_equal_field /data/src/10.4/sql/sql_select.cc:15898
          #9 0x55dc883cb38b in substitute_for_best_equal_field /data/src/10.4/sql/sql_select.cc:15805
          #10 0x55dc8836535e in JOIN::optimize_stage2() /data/src/10.4/sql/sql_select.cc:2462
          #11 0x55dc88363574 in JOIN::optimize_inner() /data/src/10.4/sql/sql_select.cc:2302
          #12 0x55dc8835c15b in JOIN::optimize() /data/src/10.4/sql/sql_select.cc:1619
          #13 0x55dc8837cdbb in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4689
          #14 0x55dc8834e475 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:410
          #15 0x55dc882bdfaa in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6417
          #16 0x55dc882ab741 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3936
          #17 0x55dc882c7442 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7958
          #18 0x55dc8829e033 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1855
          #19 0x55dc8829aae2 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1373
          #20 0x55dc8868cf3d in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412
          #21 0x55dc8868c7e1 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
          #22 0x55dc89d46bde in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
          #23 0x7fde383de608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
          #24 0x7fde37c47292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
       
      0x629000259458 is located 4696 bytes inside of 16460-byte region [0x629000258200,0x62900025c24c)
      allocated by thread T5 here:
          #0 0x7fde385d4bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
          #1 0x55dc89e95308 in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
          #2 0x55dc89e63148 in my_malloc /data/src/10.4/mysys/my_malloc.c:101
          #3 0x55dc89e3ebf6 in alloc_root /data/src/10.4/mysys/my_alloc.c:251
          #4 0x55dc87ff4622 in Item::operator new(unsigned long, st_mem_root*) /data/src/10.4/sql/item.h:738
          #5 0x55dc88ce9d6d in Item_in_subselect::select_in_like_transformer(JOIN*) /data/src/10.4/sql/item_subselect.cc:3270
          #6 0x55dc88ce292e in Item_in_subselect::select_transformer(JOIN*) /data/src/10.4/sql/item_subselect.cc:2588
          #7 0x55dc887653cb in check_and_do_in_subquery_rewrites(JOIN*) /data/src/10.4/sql/opt_subselect.cc:733
          #8 0x55dc883588fe in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.4/sql/sql_select.cc:1342
          #9 0x55dc88cee5d1 in subselect_single_select_engine::prepare(THD*) /data/src/10.4/sql/item_subselect.cc:3740
          #10 0x55dc88cc9122 in Item_subselect::fix_fields(THD*, Item**) /data/src/10.4/sql/item_subselect.cc:283
          #11 0x55dc88ceb3a2 in Item_in_subselect::fix_fields(THD*, Item**) /data/src/10.4/sql/item_subselect.cc:3402
          #12 0x55dc8801357c in Item::fix_fields_if_needed(THD*, Item**) /data/src/10.4/sql/item.h:964
          #13 0x55dc88bf8453 in Item_func::fix_fields(THD*, Item**) /data/src/10.4/sql/item_func.cc:352
          #14 0x55dc88ba4a16 in Item_func_not::fix_fields(THD*, Item**) /data/src/10.4/sql/item_cmpfunc.cc:6370
          #15 0x55dc8801357c in Item::fix_fields_if_needed(THD*, Item**) /data/src/10.4/sql/item.h:964
          #16 0x55dc880135b6 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /data/src/10.4/sql/item.h:968
          #17 0x55dc88145caa in Item::fix_fields_if_needed_for_bool(THD*, Item**) /data/src/10.4/sql/item.h:972
          #18 0x55dc8813be3a in setup_on_expr(THD*, TABLE_LIST*, bool) /data/src/10.4/sql/sql_base.cc:8343
          #19 0x55dc8813c9f1 in setup_conds(THD*, TABLE_LIST*, List<TABLE_LIST>&, Item**) /data/src/10.4/sql/sql_base.cc:8460
          #20 0x55dc88350329 in setup_without_group /data/src/10.4/sql/sql_select.cc:689
          #21 0x55dc883576cd in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.4/sql/sql_select.cc:1259
          #22 0x55dc8837cb2b in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4666
          #23 0x55dc8834e475 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:410
          #24 0x55dc882bdfaa in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6417
          #25 0x55dc882ab741 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3936
          #26 0x55dc882c7442 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7958
          #27 0x55dc8829e033 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1855
          #28 0x55dc8829aae2 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1373
          #29 0x55dc8868cf3d in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412
       
      Thread T5 created by T0 here:
          #0 0x7fde38501805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
          #1 0x55dc89d46fcf in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919
          #2 0x55dc87fa3c78 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275
          #3 0x55dc87fbb851 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6259
          #4 0x55dc87fbbfec in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6329
          #5 0x55dc87fbc4d2 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6427
          #6 0x55dc87fbd36b in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6585
          #7 0x55dc87fbaf56 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5917
          #8 0x55dc87fa1bec in main /data/src/10.4/sql/main.cc:25
          #9 0x7fde37b4c0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
       
      SUMMARY: AddressSanitizer: use-after-poison /data/src/10.4/sql/sql_list.h:300 in base_list::head()
      Shadow bytes around the buggy address:
        0x0c5280043230: 00 f7 00 00 f7 00 00 f7 00 00 00 00 00 00 00 00
        0x0c5280043240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c5280043250: 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 f7 00
        0x0c5280043260: 00 f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c5280043270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0c5280043280: 00 00 00 00 00 00 f7 f7 f7 f7 f7[f7]f7 00 00 f7
        0x0c5280043290: 00 00 00 00 f7 00 00 00 00 00 00 00 00 00 00 00
        0x0c52800432a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c52800432b0: 00 00 00 00 00 00 00 00 00 f7 00 00 f7 00 00 f7
        0x0c52800432c0: 00 00 f7 00 00 00 00 f7 00 00 f7 00 00 f7 00 00
        0x0c52800432d0: f7 00 00 f7 00 00 f7 00 00 00 00 00 00 00 00 00
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==3309491==ABORTING
      

      Reproducible on 10.4-10.6, with MyISAM and Aria. Not reproducible with InnoDB.
      Couldn't reproduce on 10.3, but that is no guarantee the root cause doesn't exist there, as the query plan on 10.3 differs from the one on 10.4.

      The release build doesn't crash on my machine, but given the SIGSEGV and the error on a non-debug ASAN build, that is likely just a matter of luck.
      EXPLAIN crashes wherever the query itself crashes. EXPLAIN output from the release build:

      explain extended SELECT * FROM t1 LEFT JOIN (t2 JOIN t3 ON (t3.d = t2.c)) ON (t1.b NOT IN (SELECT d FROM t3)) WHERE (t1.a, t3.d) IN (SELECT c, MAX(c) FROM t2) AND t1.a = t1.b;
      id	select_type	table	type	possible_keys	key	key_len	ref	rows	filtered	Extra
      1	PRIMARY	t1	system	NULL	NULL	NULL	NULL	1	100.00	
      1	PRIMARY	t2	ALL	NULL	NULL	NULL	NULL	2	100.00	Using where
      1	PRIMARY	t3	ALL	NULL	NULL	NULL	NULL	2	100.00	Using where
      1	PRIMARY	<subquery3>	eq_ref	distinct_key	distinct_key	8	const,test.t3.d	1	100.00	
      3	MATERIALIZED	t2	ALL	NULL	NULL	NULL	NULL	2	100.00	
      2	DEPENDENT SUBQUERY	t3	ALL	NULL	NULL	NULL	NULL	2	100.00	Using where
      Warnings:
      Note	1003	/* select#1 */ select 0 AS `a`,0 AS `b`,`test`.`t2`.`c` AS `c`,`test`.`t3`.`d` AS `d` from  <materialize> (/* select#3 */ select `test`.`t2`.`c`,max(`test`.`t2`.`c`) from `test`.`t2`) left join (`test`.`t2` join `test`.`t3`) on(`test`.`t3`.`d` = `test`.`t2`.`c` and <cache>(!<in_optimizer>(0,<exists>(/* select#2 */ select `test`.`t3`.`d` from `test`.`t3` where trigcond(<cache>(0) = `test`.`t3`.`d` or `test`.`t3`.`d` is null) having trigcond(`test`.`t3`.`d` is null))))) where `<subquery3>`.`c` = 0 and `<subquery3>`.`MAX(c)` = `test`.`t3`.`d`
      DROP TABLE t1, t2, t3;
      

          People

            psergei Sergei Petrunia
            elenst Elena Stepanova