Details
-
Bug
-
Status: Closed
-
Critical
-
Resolution: Duplicate
-
10.5, 10.6, 10.7(EOL)
-
None
Description
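# Minimal reproducer: a prepared INSERT ... SELECT with an IN-subquery and a
# RETURNING clause. PREPARE succeeds; the server aborts on EXECUTE
# (use-after-poison in base_list_iterator::next() on an ASAN build, assertion
# `sl->join == 0` in reinit_stmt_before_use() on a debug build). Because an
# ordinary client session can trigger this, it is a denial-of-service risk
# until fixed.
CREATE TABLE t1 (a INT);
INSERT INTO t1 (a) VALUES (1),(2); # Optional, fails either way
CREATE TABLE t2 (b INT);
INSERT INTO t2 (b) VALUES (3),(4); # Optional, fails either way

# The statement text is kept exactly as reported (including SELECT *): it is the trigger.
PREPARE stmt FROM "INSERT INTO t1 SELECT * FROM t1 WHERE a IN (SELECT b FROM t2) RETURNING a";
# Crashes here on affected builds.
EXECUTE stmt;

# Cleanup (only reached on a server that no longer crashes)
DEALLOCATE PREPARE stmt;
DROP TABLE t1, t2;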
10.5 8d714db6 ASAN non-debug
==2416627==ERROR: AddressSanitizer: use-after-poison on address 0x62b000039080 at pc 0x55c6982bb9ed bp 0x7f0e4d79e0b0 sp 0x7f0e4d79e0a0
|
READ of size 8 at 0x62b000039080 thread T5
|
#0 0x55c6982bb9ec in base_list_iterator::next() /data/src/10.5/sql/sql_list.h:431
|
#1 0x55c6982bb9ec in List_iterator<TABLE_LIST>::operator++(int) /data/src/10.5/sql/sql_list.h:596
|
#2 0x55c6982bb9ec in st_select_lex::cleanup() /data/src/10.5/sql/sql_union.cc:2748
|
#3 0x55c698a15af0 in subselect_single_select_engine::prepare(THD*) /data/src/10.5/sql/item_subselect.cc:3791
|
#4 0x55c698a13f6b in Item_subselect::fix_fields(THD*, Item**) /data/src/10.5/sql/item_subselect.cc:289
|
#5 0x55c698a14fe9 in Item_in_subselect::fix_fields(THD*, Item**) /data/src/10.5/sql/item_subselect.cc:3462
|
#6 0x55c697eb28dc in Item::fix_fields_if_needed(THD*, Item**) /data/src/10.5/sql/item.h:988
|
#7 0x55c697eb28dc in Item::fix_fields_if_needed(THD*, Item**) /data/src/10.5/sql/item.h:986
|
#8 0x55c697eb28dc in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /data/src/10.5/sql/item.h:992
|
#9 0x55c697eb28dc in Item::fix_fields_if_needed_for_bool(THD*, Item**) /data/src/10.5/sql/item.h:996
|
#10 0x55c697eb28dc in setup_conds(THD*, TABLE_LIST*, List<TABLE_LIST>&, Item**) /data/src/10.5/sql/sql_base.cc:8380
|
#11 0x55c6981480c0 in setup_without_group /data/src/10.5/sql/sql_select.cc:696
|
#12 0x55c6981480c0 in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.5/sql/sql_select.cc:1248
|
#13 0x55c698191739 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.5/sql/sql_select.cc:4696
|
#14 0x55c6981923cf in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.5/sql/sql_select.cc:417
|
#15 0x55c69802c15c in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:4743
|
#16 0x55c69805e824 in Prepared_statement::execute(String*, bool) /data/src/10.5/sql/sql_prepare.cc:5007
|
#17 0x55c69805f077 in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.5/sql/sql_prepare.cc:4470
|
#18 0x55c69805fe11 in mysql_sql_stmt_execute(THD*) /data/src/10.5/sql/sql_prepare.cc:3568
|
#19 0x55c698026749 in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:3994
|
#20 0x55c697fe76ec in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.5/sql/sql_parse.cc:8063
|
#21 0x55c698013268 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5/sql/sql_parse.cc:1889
|
#22 0x55c698019111 in do_command(THD*) /data/src/10.5/sql/sql_parse.cc:1370
|
#23 0x55c6983bbf6c in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1410
|
#24 0x55c6983bcb04 in handle_one_connection /data/src/10.5/sql/sql_connect.cc:1312
|
#25 0x55c698fafb58 in pfs_spawn_thread /data/src/10.5/storage/perfschema/pfs.cc:2201
|
#26 0x7f0e56b9c608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
|
#27 0x7f0e56770292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
|
|
0x62b000039080 is located 3712 bytes inside of 24624-byte region [0x62b000038200,0x62b00003e230)
|
allocated by thread T5 here:
|
#0 0x7f0e570ecbc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
|
#1 0x55c699aa5bdc in my_malloc /data/src/10.5/mysys/my_malloc.c:90
|
#2 0x55c699a915e3 in reset_root_defaults /data/src/10.5/mysys/my_alloc.c:148
|
#3 0x55c697edb6c9 in THD::init_for_queries() /data/src/10.5/sql/sql_class.cc:1411
|
#4 0x55c6983b9c41 in prepare_new_connection_state(THD*) /data/src/10.5/sql/sql_connect.cc:1240
|
#5 0x55c6983ba607 in thd_prepare_connection(THD*) /data/src/10.5/sql/sql_connect.cc:1333
|
#6 0x55c6983ba607 in thd_prepare_connection(THD*) /data/src/10.5/sql/sql_connect.cc:1322
|
#7 0x55c6983bbf17 in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1400
|
#8 0x55c6983bcb04 in handle_one_connection /data/src/10.5/sql/sql_connect.cc:1312
|
#9 0x55c698fafb58 in pfs_spawn_thread /data/src/10.5/storage/perfschema/pfs.cc:2201
|
#10 0x7f0e56b9c608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
|
|
Thread T5 created by T0 here:
|
#0 0x7f0e57019805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
|
#1 0x55c698fafdf6 in my_thread_create /data/src/10.5/storage/perfschema/my_thread.h:38
|
#2 0x55c698fafdf6 in pfs_spawn_thread_v1 /data/src/10.5/storage/perfschema/pfs.cc:2252
|
#3 0x55c697d70d2e in inline_mysql_thread_create /data/src/10.5/include/mysql/psi/mysql_thread.h:1323
|
#4 0x55c697d70d2e in create_thread_to_handle_connection(CONNECT*) /data/src/10.5/sql/mysqld.cc:6012
|
#5 0x55c697d7c884 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.5/sql/mysqld.cc:6136
|
#6 0x55c697d7d2a2 in handle_connections_sockets() /data/src/10.5/sql/mysqld.cc:6263
|
#7 0x55c697d7ef03 in mysqld_main(int, char**) /data/src/10.5/sql/mysqld.cc:5658
|
#8 0x7f0e566750b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
|
|
SUMMARY: AddressSanitizer: use-after-poison /data/src/10.5/sql/sql_list.h:431 in base_list_iterator::next()
|
Shadow bytes around the buggy address:
|
0x0c567ffff1c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c567ffff1d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c567ffff1e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c567ffff1f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c567ffff200: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
=>0x0c567ffff210:[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c567ffff220: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c567ffff230: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c567ffff240: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c567ffff250: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c567ffff260: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==2416627==ABORTING
|
210302 13:17:29 [ERROR] mysqld got signal 6 ;
|
This could be because you hit a bug. It is also possible that this binary
|
or one of the libraries it was linked against is corrupt, improperly built,
|
or misconfigured. This error can also be caused by malfunctioning hardware.
|
|
To report this bug, see https://mariadb.com/kb/en/reporting-bugs
|
|
We will try our best to scrape up some info that will hopefully help
|
diagnose the problem, but since we have already crashed,
|
something is definitely wrong and this may fail.
|
|
Server version: 10.5.10-MariaDB-log
|
key_buffer_size=1048576
|
read_buffer_size=131072
|
max_used_connections=1
|
max_threads=153
|
thread_count=1
|
It is possible that mysqld could use up to
|
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 63640 K bytes of memory
|
Hope that's ok; if not, decrease some variables in the equation.
|
|
Thread pointer: 0x62b000069218
|
Attempting backtrace. You can use the following information to find out
|
where mysqld died. If you see no messages after this, something went
|
terribly wrong...
|
stack_bottom = 0x7f0e4d7a2800 thread_stack 0x5fc00
|
??:0(__interceptor_tcgetattr)[0x7f0e5704bd30]
|
/data/bld/10.5-rel-asan-nightly/bin/mariadbd(my_print_stacktrace+0xf6)[0x55c699aaf146]
|
/data/bld/10.5-rel-asan-nightly/bin/mariadbd(handle_fatal_signal+0xb44)[0x55c698715ec4]
|
sigaction.c:0(__restore_rt)[0x7f0e56ba83c0]
|
??:0(gsignal)[0x7f0e5669418b]
|
??:0(abort)[0x7f0e56673859]
|
??:0(__sanitizer_set_report_fd)[0x7f0e5710a6a2]
|
??:0(__sanitizer_get_module_and_offset_for_pc)[0x7f0e5711524c]
|
??:0(__sanitizer_ptr_cmp)[0x7f0e570f68ec]
|
??:0(__asan_on_error)[0x7f0e570f6363]
|
??:0(__asan_report_load8)[0x7f0e570f71ab]
|
sql/sql_list.h:429(base_list_iterator::next())[0x55c6982bb9ed]
|
sql/item_subselect.cc:3794(subselect_single_select_engine::prepare(THD*))[0x55c698a15af1]
|
sql/item_subselect.cc:289(Item_subselect::fix_fields(THD*, Item**))[0x55c698a13f6c]
|
sql/item_subselect.cc:3462(Item_in_subselect::fix_fields(THD*, Item**))[0x55c698a14fea]
|
sql/item.h:992(Item::fix_fields_if_needed_for_scalar(THD*, Item**))[0x55c697eb28dd]
|
sql/sql_select.cc:697(JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x55c6981480c1]
|
sql/sql_select.cc:4696(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55c69819173a]
|
sql/sql_select.cc:417(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55c6981923d0]
|
sql/sql_parse.cc:4750(mysql_execute_command(THD*))[0x55c69802c15d]
|
sql/sql_prepare.cc:5007(Prepared_statement::execute(String*, bool))[0x55c69805e825]
|
sql/sql_prepare.cc:4470(Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*))[0x55c69805f078]
|
sql/sql_class.h:1474(Item_change_list_savepoint::rollback(Item_change_list*))[0x55c69805fe12]
|
sql/sql_parse.cc:3994(mysql_execute_command(THD*))[0x55c69802674a]
|
sql/sql_parse.cc:8080(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55c697fe76ed]
|
sql/sql_parse.cc:1892(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55c698013269]
|
sql/sql_parse.cc:1370(do_command(THD*))[0x55c698019112]
|
sql/sql_connect.cc:1410(do_handle_one_connection(CONNECT*, bool))[0x55c6983bbf6d]
|
sql/sql_connect.cc:1312(handle_one_connection)[0x55c6983bcb05]
|
perfschema/pfs.cc:2204(pfs_spawn_thread)[0x55c698fafb59]
|
nptl/pthread_create.c:478(start_thread)[0x7f0e56b9c609]
|
??:0(clone)[0x7f0e56770293]
|
|
Trying to get some variables.
|
Some pointers may be invalid and cause the dump to abort.
|
Query (0x62b0000382d0): INSERT INTO t1 SELECT * FROM t1 WHERE a IN (SELECT b FROM t2) RETURNING a
|
|
Connection ID (thread ID): 4
|
Status: NOT_KILLED
|
|
Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off
|
|
The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains
|
information that should help you find out what is causing the crash.
|
Writing a core file...
|
Working directory at /dev/shm/var_auto_QsgJ/mysqld.1/data
|
Resource Limits:
|
Limit Soft Limit Hard Limit Units
|
Max cpu time unlimited unlimited seconds
|
Max file size unlimited unlimited bytes
|
Max data size unlimited unlimited bytes
|
Max stack size 8388608 unlimited bytes
|
Max core file size 0 0 bytes
|
Max resident set unlimited unlimited bytes
|
Max processes 385874 385874 processes
|
Max open files 1024 1024 files
|
Max locked memory 67108864 67108864 bytes
|
Max address space unlimited unlimited bytes
|
Max file locks unlimited unlimited locks
|
Max pending signals 385874 385874 signals
|
Max msgqueue size 819200 819200 bytes
|
Max nice priority 0 0
|
Max realtime priority 0 0
|
Max realtime timeout unlimited unlimited us
|
Core pattern: |/usr/share/apport/apport %p %s %c %d %P %E
|
10.5 8d714db6
mariadbd: /data/src/10.5/sql/sql_prepare.cc:3074: void reinit_stmt_before_use(THD*, LEX*): Assertion `sl->join == 0' failed.
|
210302 13:20:09 [ERROR] mysqld got signal 6 ;
|
|
#7 0x00007fc9722f3f36 in __GI___assert_fail (assertion=0x55671033e590 "sl->join == 0", file=0x55671033dd38 "/data/src/10.5/sql/sql_prepare.cc", line=3074, function=0x55671033e568 "void reinit_stmt_before_use(THD*, LEX*)") at assert.c:101
|
#8 0x000055670f587e32 in reinit_stmt_before_use (thd=0x7fc95c000db8, lex=0x7fc95c05b168) at /data/src/10.5/sql/sql_prepare.cc:3074
|
#9 0x000055670f58d25f in Prepared_statement::execute (this=0x7fc95c05acf8, expanded_query=0x7fc96ccaecb0, open_cursor=false) at /data/src/10.5/sql/sql_prepare.cc:4985
|
#10 0x000055670f58b635 in Prepared_statement::execute_loop (this=0x7fc95c05acf8, expanded_query=0x7fc96ccaecb0, open_cursor=false, packet=0x0, packet_end=0x0) at /data/src/10.5/sql/sql_prepare.cc:4470
|
#11 0x000055670f588fa3 in mysql_sql_stmt_execute (thd=0x7fc95c000db8) at /data/src/10.5/sql/sql_prepare.cc:3568
|
#12 0x000055670f55e306 in mysql_execute_command (thd=0x7fc95c000db8) at /data/src/10.5/sql/sql_parse.cc:3994
|
#13 0x000055670f56c0de in mysql_parse (thd=0x7fc95c000db8, rawbuf=0x7fc95c0152d0 "EXECUTE stmt", length=12, parser_state=0x7fc96ccaf510, is_com_multi=false, is_next_command=false) at /data/src/10.5/sql/sql_parse.cc:8063
|
#14 0x000055670f558043 in dispatch_command (command=COM_QUERY, thd=0x7fc95c000db8, packet=0x7fc95c00b589 "EXECUTE stmt", packet_length=12, is_com_multi=false, is_next_command=false) at /data/src/10.5/sql/sql_parse.cc:1889
|
#15 0x000055670f556837 in do_command (thd=0x7fc95c000db8) at /data/src/10.5/sql/sql_parse.cc:1370
|
#16 0x000055670f704a4d in do_handle_one_connection (connect=0x556713412bc8, put_in_cache=true) at /data/src/10.5/sql/sql_connect.cc:1410
|
#17 0x000055670f7047b0 in handle_one_connection (arg=0x556713319c08) at /data/src/10.5/sql/sql_connect.cc:1312
|
#18 0x000055670fc654e5 in pfs_spawn_thread (arg=0x5567134127f8) at /data/src/10.5/storage/perfschema/pfs.cc:2201
|
#19 0x00007fc97280b609 in start_thread (arg=<optimized out>) at pthread_create.c:477
|
#20 0x00007fc9723df293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
|
Reproducible on 10.5, 10.6.
The test case is not applicable to 10.4 because it uses INSERT ... RETURNING, which 10.4 does not support.
A release build doesn't crash for me, but given the ASAN failure on a non-debug ASAN build, a release build crashing is probably just a matter of luck.
Issue Links
- duplicates
-
MDEV-28740 crash in INSERT RETURNING subquery in prepared statements
- Closed
- relates to
-
MDEV-27165 crash in base_list_iterator::next
- Closed