Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-24988

Server crash, ASAN heap-buffer-overflow in MyCTX::update, or corrupt output upon AES_ENCRYPT(virtual column)

    XMLWordPrintable

    Details

      Description

      Note: Despite the simplicity of the test case below, the ASAN failure /crash is non-deterministic. Run with --repeat=N. It fails for me on 10.2-10.4 within 10-20 attempts, but it can vary on different machines and builds. The corrupt output seems to be produced reliably at the moment, whenever the server doesn't crash, but I'm not sure whether it's always going to be so.

      Test case for 10.2-10.4

      --source include/have_innodb.inc
      --source include/have_sequence.inc
       
      SET @stats.save= @@innodb_stats_persistent;
      SET GLOBAL innodb_stats_persistent= ON;
       
      CREATE  TABLE t1 (id INT PRIMARY KEY, a VARCHAR(3000), b VARCHAR(4000) AS (a) VIRTUAL) ENGINE=InnoDB CHARACTER SET utf8;
      INSERT INTO t1 (id) SELECT seq FROM seq_1_to_1322;
      ANALYZE TABLE t1;
       
      SELECT AES_ENCRYPT(b,'secret') AS f, GROUP_CONCAT(id) FROM t1 GROUP BY f;
       
      # Cleanup
      DROP TABLE t1;
      SET GLOBAL innodb_stats_persistent= @stats.save;
      

      10.2 577c970c

      SELECT AES_ENCRYPT(b,'secret') AS f, GROUP_CONCAT(id) FROM t1 GROUP BY f;
      f	GROUP_CONCAT(id)
      �<�B�,�q�
      l��<�B�,�q�
      l��<�B�,�q�
      <...>
      l�P�jp&uw���SB	256,512,768,1024,1280,1,257,513,769,1025,1281,2,258,514,770,1026,1282,3,259,515,771,1027,1283,4,260,516,772,1028,1284,5,261,517,773,1029,1285,6,262,518,774,1030,1286,7,263,519,775,1031,1287,8,264,520,776,1032,1288,9,265,521,777,1033,1289,10,266,522,778,1034,1290,11,267,523,779,1035,1291,12,268,524,780,1036,1292,13,269,525,781,1037,1293,14,270,526,782,1038,1294,15,271,527,783,1039,1295,16,272,528,784,1040,1296,17,273,529,785,1041,1297,18,274,530,786,1042,1298,19,275,531,787,1043,1299,20,276,532,788,1044,1300,21,277,533,789,1045,1301,22,278,534,790,1046,1302,23,279,535,791,1047,1303,24,280,536,792,1048,1304,25,281,537,793,1049,1305,26,282,538,794,1050,1306,27,283,539,795,1051,1307,28,284,540,796,1052,1308,29,285,541,797,1053,1309,30,286,542,798,1054,1310,31,287,543,799,1055,1311,32,288,544,800,1056,1312,33,289,545,801,1057,1313,34,290,546,802,1058,1314,35,291,547,803,1059,1315,36,292,548,804,1060,1316,37,293,549,805,1061,1317,38,294,550,806,1062,1318,39,295,551,807,1063,1319,40,296,552,808,1064,1320,41,297,553,809,1065,1321,42,298,554,810,1066,1322,43,299,555,811,1067,44,300,556,812,1068,45,301,557,813,1069,46,302,558,814,1070,47,303,559,815,1071,48,304,560,816,1072,49,305,561,817,1073,50,306,562,818,1074,51,307,563,819,1075,52,308,564,820,1076,53,309,565,821,1077,54,310,566,822,1078,55,311,567,823,1079,56,312,568,824,1080,57,313,569,825,1081,58,314,570,826,1082,59,315,571,827,1083,60,316,572,828,1084,61,317,573,829,1085,62,318,574,830,1086,63,319,575,831,1087,64,320,576,832,1088,65,321,577,833,1089,66,322,578,834,1090,67,323,579,835,1091,68,324,580,836,1092,69,325,581,837,1093,70,326,582,838,1094,71,327,583,839,1095,72,328,584,840,1096,73,329,585,841,1097,74,330,586,842,1098,75,331,587,843,1099,76,332,588,844,1100,77,333,589,845,1101,78,334,590,846,1102,79,335,591,847,1103,80,336,592,848,1104,81,337,593,849,1105,82,338,594,850,1106,83,339,595,851,1107,84,340,596,852,1108,85,341,597,853,1109,86,342,598,854,1110,87,343,599,855,1111,88,344,600,856,1112,89,345,601,857,1113,90,346,602,858,1114,91,347,603,859,1115,92,348,604,860,1116,93,349,605,861,1117,94,350,606,862,1118,95,351,607,863,1119,96,352,608,864,1120,97,353,609,865,1121,98,354,610,866,1122,99,355,611,867,1123,100,356,612,868,1124,101,357,613,869,1125,102,358,614,870,1126,103,359,615,871,1127,104,360,616,872,1128,105,361,617,873,1129,106,362,618,874,1130,107,363,619,875,1131,108,364,620,876,1132,109,365,621,877,1133,110,366,622,878,1134,111,367,623,879,1135,112,368,624,880,1136,113,369,625,881,1137,114,370,626,882,1138,115,371,627,883,1139,116,372,628,884,1140,117,373,629,885,1141,118,374,630,886,1142,119,375,631,887,1143,120,376,632,888,1144,121,377,633,889,1145,122,378,634,890,1146,123,379,635,891,1147,124,380,636,892,1148,125,381,637,893,1149,126,382,638,894,1150,127,383,639,895,1151,128,384,640,896,1152,129,385,641,897,1153,130,386,642,898,1154,131,387,643,899,1155,132,388,644,900,1156,133,389,645,901,1157,134,390,646,902,1158,135,391,647,903,1159,136,392,648,904,1160,137,393,649,905,1161,138,394,650,906,1162,139,395,651,907,1163,140,396,652,908,1164,141,397,653,909,1165,142,398,654,910,1166,143,399,655,911,1167,144,400,656,912,1168,145,401,657,913,1169,146,402,658,914,1170,147,403,659,915,1171,148,404,660,916,1172,149,405,661,917,1173,150,406,662,918,1174,151,407,663,919,1175,152,408,664,920,1176,153,409,665,921,1177,154,410,666,922,1178,155,411,667,923,1179,156,412,668,924,1180,157,413,669,925,1181,158,414,670,926,1182,159,415,671,927,1183,160,416,672,928,1184,161,417,673,929,1185,162,418,674,930,1186,163,419,675,931,1187,164,420,676,932,1188,165,421,677,933,1189,166,422,678,934,1190,167,423,679,935,1191,168,424,680,936,1192,169,425,681,937,1193,170,426,682,938,1194,171,427,683,939,1195,172,428,684,940,1196,173,429,685,941,1197,174,430,686,942,1198,175,431,687,943,1199,176,432,688,944,1200,177,433,689,945,1201,178,434,690,946,1202,179,435,691,947,1203,180,436,692,948,1204,181,437,693,949,1205,182,438,694,950,1206,183,439,695,951,1207,184,440,696,952,1208,185,441,697,953,1209,186,442,698,954,1210,187,443,699,955,1211,188,444,700,956,1212,189,445,701,957,1213,190,446,702,958,1214,191,447,703,959,1215,192,448,704,960,1216,193,449,705,961,1217,194,450,706,962,1218,195,451,707,963,1219,196,452,708,964,1220,197,453,709,965,1221,198,454,710,966,1222,199,455,711,967,1223,200,456,712,968,1224,201,457,713,969,1225,202,458,714,970,1226,203,459,715,971,1227,204,460,716,972,1228,205,461,717,973,1229,206,462,718,974,1230,207,463,719,975,1231,208,464,720,976,1232,209,465,721,977,1233,210,466,722,978,1234,211,467,723,979,1235,212,468,724,980,1236,213,469,725,981,1237,214,470,726,982,1238,215,471,727,983,1239,216,472,728,984,1240,217,473,729,985,1241,218,474,730,986,1242,219,475,731,987,1243,220,476,732,988,1244,221,477,733,989,1245,222,478,734,990,1246,223,479,735,991,1247,224,480,736,992,1248,225,481,737,993,1249,226,482,738,994,1250,227,483,739,995,1251,228,484,740,996,1252,229,485,741,997,1253,230,486,742,998,1254,231,487,743,999,1255,232,488,744,1000,1256,233,489,745,1001,1257,234,490,746,1002,1258,235,491,747,1003,1259,236,492,748,1004,1260,237,493,749,1005,1261,238,494,750,1006,1262,239,495,751,1007,1263,240,496,752,1008,1264,241,497,753,1009,1265,242,498,754,1010,1266,243,499,755,1011,1267,244,500,756,1012,1268,245,501,757,1013,1269,246,502,758,1014,1270,247,503,759,1015,1271,248,504,760,1016,1272,249,505,761,1017,1273,250,506,762,1018,1274,251,507,763,1019,1275,252,508,764,1020,1276,253,509,765,1021,1277,254,510,766,1022,1278,255,511,767,1023,1279
      

      ==1314977==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62e0000ccd61 at pc 0x7f3adaea0480 bp 0x7f3ac3e08330 sp 0x7f3ac3e07ad8
      READ of size 5 at 0x62e0000ccd61 thread T27
          #0 0x7f3adaea047f  (/lib/x86_64-linux-gnu/libasan.so.5+0x9b47f)
          #1 0x7f3adab37482  (/lib/x86_64-linux-gnu/libcrypto.so.1.1+0x16c482)
          #2 0x555fe8541f00 in MyCTX::update(unsigned char const*, unsigned int, unsigned char*, unsigned int*) /data/src/10.2/mysys_ssl/my_crypt.cc:67
          #3 0x555fe8541614 in my_aes_crypt_update /data/src/10.2/mysys_ssl/my_crypt.cc:273
          #4 0x555fe8541926 in my_aes_crypt /data/src/10.2/mysys_ssl/my_crypt.cc:292
          #5 0x555fe7597e8b in Item_aes_crypt::val_str(String*) /data/src/10.2/sql/item_strfunc.cc:336
          #6 0x555fe7490342 in Cached_item_str::cmp() /data/src/10.2/sql/item_buff.cc:84
          #7 0x555fe6efab18 in test_if_group_changed(List<Cached_item>&) /data/src/10.2/sql/sql_select.cc:23311
          #8 0x555fe6ee47c0 in end_send_group(JOIN*, st_join_table*, bool) /data/src/10.2/sql/sql_select.cc:20227
          #9 0x555fe6edb352 in evaluate_join_record /data/src/10.2/sql/sql_select.cc:19079
          #10 0x555fe6ed9cc4 in sub_select(JOIN*, st_join_table*, bool) /data/src/10.2/sql/sql_select.cc:18859
          #11 0x555fe6ed7dad in do_select /data/src/10.2/sql/sql_select.cc:18403
          #12 0x555fe6e71f40 in JOIN::exec_inner() /data/src/10.2/sql/sql_select.cc:3642
          #13 0x555fe6e6fa57 in JOIN::exec() /data/src/10.2/sql/sql_select.cc:3437
          #14 0x555fe6e7325f in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3837
          #15 0x555fe6e4fd01 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361
          #16 0x555fe6dc6bec in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6248
          #17 0x555fe6db3b91 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3559
          #18 0x555fe6dd0169 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
          #19 0x555fe6da91ae in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
          #20 0x555fe6da5f6d in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
          #21 0x555fe712e098 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
          #22 0x555fe712d95b in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
          #23 0x555fe84ca613 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
          #24 0x7f3ada9ab608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
          #25 0x7f3ada585292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
       
      Address 0x62e0000ccd61 is a wild pointer.
      SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib/x86_64-linux-gnu/libasan.so.5+0x9b47f) 
      Shadow bytes around the buggy address:
        0x0c5c80011950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c5c80011960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c5c80011970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c5c80011980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c5c80011990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      =>0x0c5c800119a0: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
        0x0c5c800119b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c5c800119c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c5c800119d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c5c800119e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c5c800119f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      Thread T27 created by T0 here:
          #0 0x7f3adae3f805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
          #1 0x555fe84caa04 in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1919
          #2 0x555fe6b4b083 in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1246
          #3 0x555fe6b62c54 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6573
          #4 0x555fe6b633ef in create_new_thread /data/src/10.2/sql/mysqld.cc:6643
          #5 0x555fe6b64581 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6901
          #6 0x555fe6b61fa5 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6192
          #7 0x555fe6b4993c in main /data/src/10.2/sql/main.cc:25
          #8 0x7f3ada48a0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
       
      ==1314977==ABORTING
      

      10.5 does not fail with the test case above; but the problem is present in 10.5-10.6 as well. It can be reproduced using the attached dirty test case. It does the same as the one above, only on a random bigger data set. It fails on all of 10.2-10.6.

      10.5 e0ba68ba

      ==1315507==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62800001cfba at pc 0x7fb43402e480 bp 0x7fb42462e390 sp 0x7fb42462db38
      READ of size 14 at 0x62800001cfba thread T13
          #0 0x7fb43402e47f  (/lib/x86_64-linux-gnu/libasan.so.5+0x9b47f)
          #1 0x7fb433d3a482  (/lib/x86_64-linux-gnu/libcrypto.so.1.1+0x16c482)
          #2 0x561f0201036c in MyCTX::update(unsigned char const*, unsigned int, unsigned char*, unsigned int*) /data/src/10.5/mysys_ssl/my_crypt.cc:87
          #3 0x561f0200f988 in my_aes_crypt_update /data/src/10.5/mysys_ssl/my_crypt.cc:296
          #4 0x561f0200fc9a in my_aes_crypt /data/src/10.5/mysys_ssl/my_crypt.cc:315
          #5 0x561f01928c0c in Item_aes_crypt::val_str(String*) /data/src/10.5/sql/item_strfunc.cc:352
          #6 0x561f017ff8f9 in Cached_item_str::cmp() /data/src/10.5/sql/item_buff.cc:84
          #7 0x561f010a95a9 in test_if_group_changed(List<Cached_item>&) /data/src/10.5/sql/sql_select.cc:25171
          #8 0x561f01092ab4 in end_send_group(JOIN*, st_join_table*, bool) /data/src/10.5/sql/sql_select.cc:22079
          #9 0x561f01088f86 in evaluate_join_record /data/src/10.5/sql/sql_select.cc:20910
          #10 0x561f010878dc in sub_select(JOIN*, st_join_table*, bool) /data/src/10.5/sql/sql_select.cc:20687
          #11 0x561f01085a03 in do_select /data/src/10.5/sql/sql_select.cc:20221
          #12 0x561f010122ba in JOIN::exec_inner() /data/src/10.5/sql/sql_select.cc:4467
          #13 0x561f0100f8a5 in JOIN::exec() /data/src/10.5/sql/sql_select.cc:4247
          #14 0x561f01013c79 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.5/sql/sql_select.cc:4720
          #15 0x561f00fe54b7 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.5/sql/sql_select.cc:417
          #16 0x561f00f4ec25 in execute_sqlcom_select /data/src/10.5/sql/sql_parse.cc:6282
          #17 0x561f00f3db20 in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:3978
          #18 0x561f00f59f1f in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.5/sql/sql_parse.cc:8063
          #19 0x561f00f30118 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5/sql/sql_parse.cc:1889
          #20 0x561f00f2ca41 in do_command(THD*) /data/src/10.5/sql/sql_parse.cc:1370
          #21 0x561f0136f2dd in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1410
          #22 0x561f0136ec41 in handle_one_connection /data/src/10.5/sql/sql_connect.cc:1312
          #23 0x561f0207e59a in pfs_spawn_thread /data/src/10.5/storage/perfschema/pfs.cc:2201
          #24 0x7fb433bb2608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
          #25 0x7fb433788292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
       
      Address 0x62800001cfba is a wild pointer.
      SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib/x86_64-linux-gnu/libasan.so.5+0x9b47f) 
      Shadow bytes around the buggy address:
        0x0c507fffb9a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c507fffb9b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c507fffb9c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c507fffb9d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c507fffb9e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      =>0x0c507fffb9f0: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
        0x0c507fffba00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c507fffba10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c507fffba20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c507fffba30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c507fffba40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      Thread T13 created by T0 here:
          #0 0x7fb433fcd805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
          #1 0x561f0207953e in my_thread_create /data/src/10.5/storage/perfschema/my_thread.h:38
          #2 0x561f0207e98d in pfs_spawn_thread_v1 /data/src/10.5/storage/perfschema/pfs.cc:2252
          #3 0x561f00c212d2 in inline_mysql_thread_create /data/src/10.5/include/mysql/psi/mysql_thread.h:1323
          #4 0x561f00c370c2 in create_thread_to_handle_connection(CONNECT*) /data/src/10.5/sql/mysqld.cc:6012
          #5 0x561f00c37741 in create_new_thread(CONNECT*) /data/src/10.5/sql/mysqld.cc:6071
          #6 0x561f00c37a9e in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.5/sql/mysqld.cc:6136
          #7 0x561f00c386bd in handle_connections_sockets() /data/src/10.5/sql/mysqld.cc:6263
          #8 0x561f00c368cf in mysqld_main(int, char**) /data/src/10.5/sql/mysqld.cc:5658
          #9 0x561f00c1fd9c in main /data/src/10.5/sql/main.cc:25
          #10 0x7fb43368d0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
       
      ==1315507==ABORTING
      210225 20:27:49 [ERROR] mysqld got signal 6 ;
      This could be because you hit a bug. It is also possible that this binary
      or one of the libraries it was linked against is corrupt, improperly built,
      or misconfigured. This error can also be caused by malfunctioning hardware.
       
      To report this bug, see https://mariadb.com/kb/en/reporting-bugs
       
      We will try our best to scrape up some info that will hopefully help
      diagnose the problem, but since we have already crashed, 
      something is definitely wrong and this may fail.
       
      Server version: 10.5.10-MariaDB-debug-log
      key_buffer_size=1048576
      read_buffer_size=131072
      max_used_connections=1
      max_threads=153
      thread_count=1
      It is possible that mysqld could use up to 
      key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 63744 K  bytes of memory
      Hope that's ok; if not, decrease some variables in the equation.
       
      Thread pointer: 0x62b00009a288
      Attempting backtrace. You can use the following information to find out
      where mysqld died. If you see no messages after this, something went
      terribly wrong...
      stack_bottom = 0x7fb424631950 thread_stack 0x5fc00
      ??:0(__interceptor_tcgetattr)[0x7fb433fffd30]
      mysys/stacktrace.c:212(my_print_stacktrace)[0x561f02cfc6e3]
      sql/signal_handler.cc:212(handle_fatal_signal)[0x561f017372f3]
      sigaction.c:0(__restore_rt)[0x7fb433bbe3c0]
      ??:0(gsignal)[0x7fb4336ac18b]
      ??:0(abort)[0x7fb43368b859]
      ??:0(__sanitizer_set_report_fd)[0x7fb4340be6a2]
      ??:0(__sanitizer_get_module_and_offset_for_pc)[0x7fb4340c924c]
      ??:0(__sanitizer_ptr_cmp)[0x7fb4340aa8ec]
      ??:0(__asan_on_error)[0x7fb4340aa363]
      ??:0(__interceptor_getdelim)[0x7fb43402e49f]
      ??:0(EVP_CIPHER_CTX_free)[0x7fb433d3a483]
      mysys_ssl/my_crypt.cc:87(MyCTX::update(unsigned char const*, unsigned int, unsigned char*, unsigned int*))[0x561f0201036d]
      mysys_ssl/my_crypt.cc:297(my_aes_crypt_update)[0x561f0200f989]
      mysys_ssl/my_crypt.cc:315(my_aes_crypt)[0x561f0200fc9b]
      sql/item_strfunc.cc:352(Item_aes_crypt::val_str(String*))[0x561f01928c0d]
      sql/item_buff.cc:84(Cached_item_str::cmp())[0x561f017ff8fa]
      sql/sql_select.cc:25171(test_if_group_changed(List<Cached_item>&))[0x561f010a95aa]
      sql/sql_select.cc:22079(end_send_group(JOIN*, st_join_table*, bool))[0x561f01092ab5]
      sql/sql_select.cc:20910(evaluate_join_record(JOIN*, st_join_table*, int))[0x561f01088f87]
      sql/sql_select.cc:20687(sub_select(JOIN*, st_join_table*, bool))[0x561f010878dd]
      sql/sql_select.cc:20221(do_select(JOIN*, Procedure*))[0x561f01085a04]
      sql/sql_select.cc:4467(JOIN::exec_inner())[0x561f010122bb]
      sql/sql_select.cc:4248(JOIN::exec())[0x561f0100f8a6]
      sql/sql_select.cc:4722(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x561f01013c7a]
      sql/sql_select.cc:417(handle_select(THD*, LEX*, select_result*, unsigned long))[0x561f00fe54b8]
      sql/sql_parse.cc:6282(execute_sqlcom_select(THD*, TABLE_LIST*))[0x561f00f4ec26]
      sql/sql_parse.cc:3978(mysql_execute_command(THD*))[0x561f00f3db21]
      sql/sql_parse.cc:8063(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x561f00f59f20]
      sql/sql_parse.cc:1892(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x561f00f30119]
      sql/sql_parse.cc:1370(do_command(THD*))[0x561f00f2ca42]
      sql/sql_connect.cc:1410(do_handle_one_connection(CONNECT*, bool))[0x561f0136f2de]
      sql/sql_connect.cc:1314(handle_one_connection)[0x561f0136ec42]
      perfschema/pfs.cc:2203(pfs_spawn_thread)[0x561f0207e59b]
      nptl/pthread_create.c:478(start_thread)[0x7fb433bb2609]
      ??:0(clone)[0x7fb433788293]
       
      Trying to get some variables.
      Some pointers may be invalid and cause the dump to abort.
      Query (0x62b0000a12a8): SELECT AES_ENCRYPT( vcol_varchar, 't' ) AS f, GROUP_CONCAT( id ) AS field1 FROM t5 GROUP BY f
       
      Connection ID (thread ID): 4
      Status: NOT_KILLED
       
      Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off
       
      The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains
      information that should help you find out what is causing the crash.
      Writing a core file...
      Working directory at /dev/shm/var_auto_ctmT/mysqld.1/data
      Resource Limits:
      Limit                     Soft Limit           Hard Limit           Units     
      Max cpu time              unlimited            unlimited            seconds   
      Max file size             unlimited            unlimited            bytes     
      Max data size             unlimited            unlimited            bytes     
      Max stack size            8388608              unlimited            bytes     
      Max core file size        0                    0                    bytes     
      Max resident set          unlimited            unlimited            bytes     
      Max processes             385874               385874               processes 
      Max open files            1024                 1024                 files     
      Max locked memory         67108864             67108864             bytes     
      Max address space         unlimited            unlimited            bytes     
      Max file locks            unlimited            unlimited            locks     
      Max pending signals       385874               385874               signals   
      Max msgqueue size         819200               819200               bytes     
      Max nice priority         0                    0                    
      Max realtime priority     0                    0                    
      Max realtime timeout      unlimited            unlimited            us        
      Core pattern: |/usr/share/apport/apport %p %s %c %d %P %E
      

        Attachments

          Activity

            People

            Assignee:
            sanja Oleksandr Byelkin
            Reporter:
            elenst Elena Stepanova
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:

                Git Integration