  1. MariaDB Server
  2. MDEV-25028

ASAN use-after-poison in base_list_iterator::next or Assertion `sl->join == 0' upon INSERT .. RETURNING via PS



      Description

      # Reproducer: INSERT .. SELECT whose WHERE clause contains an IN subquery,
      # wrapped in a prepared statement and using the RETURNING clause.
      # Table contents are irrelevant; the two INSERTs below can be dropped.
      CREATE TABLE t1 (a INT);
      INSERT INTO t1 VALUES (1),(2); # Optional, fails either way
      CREATE TABLE t2 (b INT);
      INSERT INTO t2 VALUES (3),(4); # Optional, fails either way
       
      # PREPARE itself completes; the failure happens on EXECUTE, inside
      # Prepared_statement::execute. On a non-debug ASAN build the IN subquery is
      # fixed during JOIN::prepare (Item_in_subselect::fix_fields ->
      # subselect_single_select_engine::prepare -> st_select_lex::cleanup) and
      # base_list_iterator::next() reads a MEM_ROOT region already poisoned
      # (ASAN "use-after-poison"). On a build with assertions enabled,
      # reinit_stmt_before_use() fails `sl->join == 0' before that point.
      PREPARE stmt FROM "INSERT INTO t1 SELECT * FROM t1 WHERE a IN (SELECT b FROM t2) RETURNING a";
      EXECUTE stmt;
       
      # Cleanup
      DROP TABLE t1, t2;
      

      10.5 8d714db6, ASAN non-debug build (sanitizer report followed by the server's crash-handler output):

      ==2416627==ERROR: AddressSanitizer: use-after-poison on address 0x62b000039080 at pc 0x55c6982bb9ed bp 0x7f0e4d79e0b0 sp 0x7f0e4d79e0a0
      READ of size 8 at 0x62b000039080 thread T5
          #0 0x55c6982bb9ec in base_list_iterator::next() /data/src/10.5/sql/sql_list.h:431
          #1 0x55c6982bb9ec in List_iterator<TABLE_LIST>::operator++(int) /data/src/10.5/sql/sql_list.h:596
          #2 0x55c6982bb9ec in st_select_lex::cleanup() /data/src/10.5/sql/sql_union.cc:2748
          #3 0x55c698a15af0 in subselect_single_select_engine::prepare(THD*) /data/src/10.5/sql/item_subselect.cc:3791
          #4 0x55c698a13f6b in Item_subselect::fix_fields(THD*, Item**) /data/src/10.5/sql/item_subselect.cc:289
          #5 0x55c698a14fe9 in Item_in_subselect::fix_fields(THD*, Item**) /data/src/10.5/sql/item_subselect.cc:3462
          #6 0x55c697eb28dc in Item::fix_fields_if_needed(THD*, Item**) /data/src/10.5/sql/item.h:988
          #7 0x55c697eb28dc in Item::fix_fields_if_needed(THD*, Item**) /data/src/10.5/sql/item.h:986
          #8 0x55c697eb28dc in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /data/src/10.5/sql/item.h:992
          #9 0x55c697eb28dc in Item::fix_fields_if_needed_for_bool(THD*, Item**) /data/src/10.5/sql/item.h:996
          #10 0x55c697eb28dc in setup_conds(THD*, TABLE_LIST*, List<TABLE_LIST>&, Item**) /data/src/10.5/sql/sql_base.cc:8380
          #11 0x55c6981480c0 in setup_without_group /data/src/10.5/sql/sql_select.cc:696
          #12 0x55c6981480c0 in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.5/sql/sql_select.cc:1248
          #13 0x55c698191739 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.5/sql/sql_select.cc:4696
          #14 0x55c6981923cf in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.5/sql/sql_select.cc:417
          #15 0x55c69802c15c in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:4743
          #16 0x55c69805e824 in Prepared_statement::execute(String*, bool) /data/src/10.5/sql/sql_prepare.cc:5007
          #17 0x55c69805f077 in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.5/sql/sql_prepare.cc:4470
          #18 0x55c69805fe11 in mysql_sql_stmt_execute(THD*) /data/src/10.5/sql/sql_prepare.cc:3568
          #19 0x55c698026749 in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:3994
          #20 0x55c697fe76ec in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.5/sql/sql_parse.cc:8063
          #21 0x55c698013268 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5/sql/sql_parse.cc:1889
          #22 0x55c698019111 in do_command(THD*) /data/src/10.5/sql/sql_parse.cc:1370
          #23 0x55c6983bbf6c in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1410
          #24 0x55c6983bcb04 in handle_one_connection /data/src/10.5/sql/sql_connect.cc:1312
          #25 0x55c698fafb58 in pfs_spawn_thread /data/src/10.5/storage/perfschema/pfs.cc:2201
          #26 0x7f0e56b9c608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
          #27 0x7f0e56770292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
       
      0x62b000039080 is located 3712 bytes inside of 24624-byte region [0x62b000038200,0x62b00003e230)
      allocated by thread T5 here:
          #0 0x7f0e570ecbc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
          #1 0x55c699aa5bdc in my_malloc /data/src/10.5/mysys/my_malloc.c:90
          #2 0x55c699a915e3 in reset_root_defaults /data/src/10.5/mysys/my_alloc.c:148
          #3 0x55c697edb6c9 in THD::init_for_queries() /data/src/10.5/sql/sql_class.cc:1411
          #4 0x55c6983b9c41 in prepare_new_connection_state(THD*) /data/src/10.5/sql/sql_connect.cc:1240
          #5 0x55c6983ba607 in thd_prepare_connection(THD*) /data/src/10.5/sql/sql_connect.cc:1333
          #6 0x55c6983ba607 in thd_prepare_connection(THD*) /data/src/10.5/sql/sql_connect.cc:1322
          #7 0x55c6983bbf17 in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1400
          #8 0x55c6983bcb04 in handle_one_connection /data/src/10.5/sql/sql_connect.cc:1312
          #9 0x55c698fafb58 in pfs_spawn_thread /data/src/10.5/storage/perfschema/pfs.cc:2201
          #10 0x7f0e56b9c608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
       
      Thread T5 created by T0 here:
          #0 0x7f0e57019805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
          #1 0x55c698fafdf6 in my_thread_create /data/src/10.5/storage/perfschema/my_thread.h:38
          #2 0x55c698fafdf6 in pfs_spawn_thread_v1 /data/src/10.5/storage/perfschema/pfs.cc:2252
          #3 0x55c697d70d2e in inline_mysql_thread_create /data/src/10.5/include/mysql/psi/mysql_thread.h:1323
          #4 0x55c697d70d2e in create_thread_to_handle_connection(CONNECT*) /data/src/10.5/sql/mysqld.cc:6012
          #5 0x55c697d7c884 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.5/sql/mysqld.cc:6136
          #6 0x55c697d7d2a2 in handle_connections_sockets() /data/src/10.5/sql/mysqld.cc:6263
          #7 0x55c697d7ef03 in mysqld_main(int, char**) /data/src/10.5/sql/mysqld.cc:5658
          #8 0x7f0e566750b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
       
      SUMMARY: AddressSanitizer: use-after-poison /data/src/10.5/sql/sql_list.h:431 in base_list_iterator::next()
      Shadow bytes around the buggy address:
        0x0c567ffff1c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567ffff1d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567ffff1e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567ffff1f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567ffff200: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      =>0x0c567ffff210:[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567ffff220: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567ffff230: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567ffff240: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567ffff250: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c567ffff260: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==2416627==ABORTING
      210302 13:17:29 [ERROR] mysqld got signal 6 ;
      This could be because you hit a bug. It is also possible that this binary
      or one of the libraries it was linked against is corrupt, improperly built,
      or misconfigured. This error can also be caused by malfunctioning hardware.
       
      To report this bug, see https://mariadb.com/kb/en/reporting-bugs
       
      We will try our best to scrape up some info that will hopefully help
      diagnose the problem, but since we have already crashed, 
      something is definitely wrong and this may fail.
       
      Server version: 10.5.10-MariaDB-log
      key_buffer_size=1048576
      read_buffer_size=131072
      max_used_connections=1
      max_threads=153
      thread_count=1
      It is possible that mysqld could use up to 
      key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 63640 K  bytes of memory
      Hope that's ok; if not, decrease some variables in the equation.
       
      Thread pointer: 0x62b000069218
      Attempting backtrace. You can use the following information to find out
      where mysqld died. If you see no messages after this, something went
      terribly wrong...
      stack_bottom = 0x7f0e4d7a2800 thread_stack 0x5fc00
      ??:0(__interceptor_tcgetattr)[0x7f0e5704bd30]
      /data/bld/10.5-rel-asan-nightly/bin/mariadbd(my_print_stacktrace+0xf6)[0x55c699aaf146]
      /data/bld/10.5-rel-asan-nightly/bin/mariadbd(handle_fatal_signal+0xb44)[0x55c698715ec4]
      sigaction.c:0(__restore_rt)[0x7f0e56ba83c0]
      ??:0(gsignal)[0x7f0e5669418b]
      ??:0(abort)[0x7f0e56673859]
      ??:0(__sanitizer_set_report_fd)[0x7f0e5710a6a2]
      ??:0(__sanitizer_get_module_and_offset_for_pc)[0x7f0e5711524c]
      ??:0(__sanitizer_ptr_cmp)[0x7f0e570f68ec]
      ??:0(__asan_on_error)[0x7f0e570f6363]
      ??:0(__asan_report_load8)[0x7f0e570f71ab]
      sql/sql_list.h:429(base_list_iterator::next())[0x55c6982bb9ed]
      sql/item_subselect.cc:3794(subselect_single_select_engine::prepare(THD*))[0x55c698a15af1]
      sql/item_subselect.cc:289(Item_subselect::fix_fields(THD*, Item**))[0x55c698a13f6c]
      sql/item_subselect.cc:3462(Item_in_subselect::fix_fields(THD*, Item**))[0x55c698a14fea]
      sql/item.h:992(Item::fix_fields_if_needed_for_scalar(THD*, Item**))[0x55c697eb28dd]
      sql/sql_select.cc:697(JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x55c6981480c1]
      sql/sql_select.cc:4696(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55c69819173a]
      sql/sql_select.cc:417(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55c6981923d0]
      sql/sql_parse.cc:4750(mysql_execute_command(THD*))[0x55c69802c15d]
      sql/sql_prepare.cc:5007(Prepared_statement::execute(String*, bool))[0x55c69805e825]
      sql/sql_prepare.cc:4470(Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*))[0x55c69805f078]
      sql/sql_class.h:1474(Item_change_list_savepoint::rollback(Item_change_list*))[0x55c69805fe12]
      sql/sql_parse.cc:3994(mysql_execute_command(THD*))[0x55c69802674a]
      sql/sql_parse.cc:8080(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55c697fe76ed]
      sql/sql_parse.cc:1892(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55c698013269]
      sql/sql_parse.cc:1370(do_command(THD*))[0x55c698019112]
      sql/sql_connect.cc:1410(do_handle_one_connection(CONNECT*, bool))[0x55c6983bbf6d]
      sql/sql_connect.cc:1312(handle_one_connection)[0x55c6983bcb05]
      perfschema/pfs.cc:2204(pfs_spawn_thread)[0x55c698fafb59]
      nptl/pthread_create.c:478(start_thread)[0x7f0e56b9c609]
      ??:0(clone)[0x7f0e56770293]
       
      Trying to get some variables.
      Some pointers may be invalid and cause the dump to abort.
      Query (0x62b0000382d0): INSERT INTO t1 SELECT * FROM t1 WHERE a IN (SELECT b FROM t2) RETURNING a
       
      Connection ID (thread ID): 4
      Status: NOT_KILLED
       
      Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off
       
      The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains
      information that should help you find out what is causing the crash.
      Writing a core file...
      Working directory at /dev/shm/var_auto_QsgJ/mysqld.1/data
      Resource Limits:
      Limit                     Soft Limit           Hard Limit           Units     
      Max cpu time              unlimited            unlimited            seconds   
      Max file size             unlimited            unlimited            bytes     
      Max data size             unlimited            unlimited            bytes     
      Max stack size            8388608              unlimited            bytes     
      Max core file size        0                    0                    bytes     
      Max resident set          unlimited            unlimited            bytes     
      Max processes             385874               385874               processes 
      Max open files            1024                 1024                 files     
      Max locked memory         67108864             67108864             bytes     
      Max address space         unlimited            unlimited            bytes     
      Max file locks            unlimited            unlimited            locks     
      Max pending signals       385874               385874               signals   
      Max msgqueue size         819200               819200               bytes     
      Max nice priority         0                    0                    
      Max realtime priority     0                    0                    
      Max realtime timeout      unlimited            unlimited            us        
      Core pattern: |/usr/share/apport/apport %p %s %c %d %P %E
      

      10.5 8d714db6, build with assertions enabled (debug):

      mariadbd: /data/src/10.5/sql/sql_prepare.cc:3074: void reinit_stmt_before_use(THD*, LEX*): Assertion `sl->join == 0' failed.
      210302 13:20:09 [ERROR] mysqld got signal 6 ;
       
      #7  0x00007fc9722f3f36 in __GI___assert_fail (assertion=0x55671033e590 "sl->join == 0", file=0x55671033dd38 "/data/src/10.5/sql/sql_prepare.cc", line=3074, function=0x55671033e568 "void reinit_stmt_before_use(THD*, LEX*)") at assert.c:101
      #8  0x000055670f587e32 in reinit_stmt_before_use (thd=0x7fc95c000db8, lex=0x7fc95c05b168) at /data/src/10.5/sql/sql_prepare.cc:3074
      #9  0x000055670f58d25f in Prepared_statement::execute (this=0x7fc95c05acf8, expanded_query=0x7fc96ccaecb0, open_cursor=false) at /data/src/10.5/sql/sql_prepare.cc:4985
      #10 0x000055670f58b635 in Prepared_statement::execute_loop (this=0x7fc95c05acf8, expanded_query=0x7fc96ccaecb0, open_cursor=false, packet=0x0, packet_end=0x0) at /data/src/10.5/sql/sql_prepare.cc:4470
      #11 0x000055670f588fa3 in mysql_sql_stmt_execute (thd=0x7fc95c000db8) at /data/src/10.5/sql/sql_prepare.cc:3568
      #12 0x000055670f55e306 in mysql_execute_command (thd=0x7fc95c000db8) at /data/src/10.5/sql/sql_parse.cc:3994
      #13 0x000055670f56c0de in mysql_parse (thd=0x7fc95c000db8, rawbuf=0x7fc95c0152d0 "EXECUTE stmt", length=12, parser_state=0x7fc96ccaf510, is_com_multi=false, is_next_command=false) at /data/src/10.5/sql/sql_parse.cc:8063
      #14 0x000055670f558043 in dispatch_command (command=COM_QUERY, thd=0x7fc95c000db8, packet=0x7fc95c00b589 "EXECUTE stmt", packet_length=12, is_com_multi=false, is_next_command=false) at /data/src/10.5/sql/sql_parse.cc:1889
      #15 0x000055670f556837 in do_command (thd=0x7fc95c000db8) at /data/src/10.5/sql/sql_parse.cc:1370
      #16 0x000055670f704a4d in do_handle_one_connection (connect=0x556713412bc8, put_in_cache=true) at /data/src/10.5/sql/sql_connect.cc:1410
      #17 0x000055670f7047b0 in handle_one_connection (arg=0x556713319c08) at /data/src/10.5/sql/sql_connect.cc:1312
      #18 0x000055670fc654e5 in pfs_spawn_thread (arg=0x5567134127f8) at /data/src/10.5/storage/perfschema/pfs.cc:2201
      #19 0x00007fc97280b609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #20 0x00007fc9723df293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      Reproducible on 10.5 and 10.6.
      The test case is not applicable to 10.4 because it relies on INSERT .. RETURNING, which 10.4 does not support (this does not by itself establish whether 10.4 is affected through some other statement).
      A release build does not crash for me, but that should not be read as "not affected": the non-debug ASAN build reports a use-after-poison on a MEM_ROOT block (shadow byte f7, "Poisoned by user", i.e. memory the server had already marked as released, presumably by a MEM_ROOT free/reset), so a release build is performing the same read without a sanitizer to catch it. Whether that read turns into a visible crash is just a matter of luck, and since the trigger is an ordinary prepared statement, any client allowed to run INSERT on a table can hit it.

              People

              Assignee:
              rucha174 Rucha Deodhar
              Reporter:
              elenst Elena Stepanova