Details
- Bug
- Status: Closed
- Blocker
- Resolution: Fixed
- 10.6
Description
CREATE TABLE t1 (a DECIMAL(15,11) ZEROFILL);
INSERT INTO t1 (a) VALUES (0.1),(0.2);
SELECT ENCRYPT(a) AS f, COUNT(*) FROM t1 GROUP BY f;

# Cleanup
DROP TABLE t1;
'SELECT ENCRYPT(a) AS f, COUNT(*) FROM t1 GROUP BY f' failed: <Unknown> (5): Out of memory (Needed 24 bytes)

10.6 71e1ddda debug
Error: Reallocating overrun buffer 0x60e00002c570 at mysys/safemalloc.c:352, mysys/safemalloc.c:185, mysys/my_malloc.c:151, sql/sql_string.cc:98, sql/sql_string.h:703, sql/sql_string.h:669, sql/item_strfunc.cc:2281, sql/item.cc:6663
Allocated at mysys/my_malloc.c:90, sql/sql_string.cc:104, sql/sql_string.h:703, sql/sql_string.cc:229, sql/sql_string.h:879, sql/item_strfunc.cc:2290, sql/item.cc:6663, sql/sql_type.cc:4324
Error: Freeing overrun buffer 0x60e00002c570 at mysys/safemalloc.c:352, mysys/safemalloc.c:200, mysys/my_malloc.c:212, sql/sql_string.h:228, sql/sql_string.h:459, sql/sql_string.h:467, sql/sql_string.h:819, sql/item_strfunc.cc:2289
Allocated at mysys/my_malloc.c:90, sql/sql_string.cc:104, sql/sql_string.h:703, sql/sql_string.cc:229, sql/sql_string.h:879, sql/item_strfunc.cc:2290, sql/item.cc:6663, sql/sql_type.cc:4324

10.6 71e1ddda valgrind
==1788135== Invalid write of size 1
==1788135== at 0x17C4DFB: decimal2string (decimal.c:395)
==1788135== by 0xF7063B: my_decimal::to_string_native(String*, unsigned int, unsigned int, char, unsigned int) const (my_decimal.cc:120)
==1788135== by 0x9078FE: my_decimal::to_string(String*, unsigned int, unsigned int, char) const (my_decimal.h:218)
==1788135== by 0xBE0280: Field_new_decimal::val_str(String*, String*) (field.h:2403)
==1788135== by 0xDFE677: Item_field::val_str(String*) (item.cc:3277)
==1788135== by 0xEAC112: Item_func_encrypt::val_str(String*) (item_strfunc.cc:2259)
==1788135== by 0xE0907C: Item::save_str_in_field(Field*, bool) (item.cc:6663)
==1788135== by 0xCAA6C9: Type_handler_string_result::Item_save_in_field(Item*, Field*, bool) const (sql_type.cc:4323)
==1788135== by 0xE093CC: Item::save_in_field(Field*, bool) (item.cc:6711)
==1788135== by 0x9A43FD: Item_result_field::save_in_result_field(bool) (item.h:3406)
==1788135== by 0xAD627C: copy_funcs(Item**, THD const*) (sql_select.cc:26168)
==1788135== by 0xACCDA0: end_update(JOIN*, st_join_table*, bool) (sql_select.cc:22562)
==1788135== by 0xADFC6F: AGGR_OP::put_record(bool) (sql_select.cc:29317)
==1788135== by 0xAE7B04: AGGR_OP::put_record() (sql_select.h:1056)
==1788135== by 0xAC841B: sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) (sql_select.cc:20710)
==1788135== by 0xAC9101: evaluate_join_record(JOIN*, st_join_table*, int) (sql_select.cc:21217)
==1788135== Address 0xc3ec408 is 0 bytes after a block of size 40 alloc'd
==1788135== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1788135== by 0x1754683: my_malloc (my_malloc.c:90)
==1788135== by 0xB2D224: Binary_string::realloc_raw(unsigned long) (sql_string.cc:104)
==1788135== by 0x8F55C0: Binary_string::realloc(unsigned long) (sql_string.h:703)
==1788135== by 0xB2D911: Binary_string::copy() (sql_string.cc:229)
==1788135== by 0xCCF261: String::copy() (sql_string.h:878)
==1788135== by 0xEAC395: Item_func_encrypt::val_str(String*) (item_strfunc.cc:2289)
==1788135== by 0xE0907C: Item::save_str_in_field(Field*, bool) (item.cc:6663)
==1788135== by 0xCAA6C9: Type_handler_string_result::Item_save_in_field(Item*, Field*, bool) const (sql_type.cc:4323)
==1788135== by 0xE093CC: Item::save_in_field(Field*, bool) (item.cc:6711)
==1788135== by 0x90AF4B: Item::save_org_in_field(Field*, int (*)(Field*, Field*)) (item.h:1198)
==1788135== by 0xACCC26: end_update(JOIN*, st_join_table*, bool) (sql_select.cc:22540)
==1788135== by 0xADFC6F: AGGR_OP::put_record(bool) (sql_select.cc:29317)
==1788135== by 0xAE7B04: AGGR_OP::put_record() (sql_select.h:1056)
==1788135== by 0xAC841B: sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) (sql_select.cc:20710)
==1788135== by 0xAC9101: evaluate_join_record(JOIN*, st_join_table*, int) (sql_select.cc:21217)

==1788135== Conditional jump or move depends on uninitialised value(s)
==1788135== at 0x483EF58: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1788135== by 0x48794BE: ??? (in /usr/lib/x86_64-linux-gnu/libcrypt.so.1.1.0)
==1788135== by 0x48796E0: crypt_r (in /usr/lib/x86_64-linux-gnu/libcrypt.so.1.1.0)
==1788135== by 0xEAC329: Item_func_encrypt::val_str(String*) (item_strfunc.cc:2281)
==1788135== by 0xE0907C: Item::save_str_in_field(Field*, bool) (item.cc:6663)
==1788135== by 0xCAA6C9: Type_handler_string_result::Item_save_in_field(Item*, Field*, bool) const (sql_type.cc:4323)
==1788135== by 0xE093CC: Item::save_in_field(Field*, bool) (item.cc:6711)
==1788135== by 0x9A43FD: Item_result_field::save_in_result_field(bool) (item.h:3406)
==1788135== by 0xAD627C: copy_funcs(Item**, THD const*) (sql_select.cc:26168)
==1788135== by 0xACCDA0: end_update(JOIN*, st_join_table*, bool) (sql_select.cc:22562)
==1788135== by 0xADFC6F: AGGR_OP::put_record(bool) (sql_select.cc:29317)
==1788135== by 0xAE7B04: AGGR_OP::put_record() (sql_select.h:1056)
==1788135== by 0xAC841B: sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) (sql_select.cc:20710)
==1788135== by 0xAC9101: evaluate_join_record(JOIN*, st_join_table*, int) (sql_select.cc:21217)
==1788135== by 0xAC89B8: sub_select(JOIN*, st_join_table*, bool) (sql_select.cc:20994)
==1788135== by 0xAC7DD9: do_select(JOIN*, Procedure*) (sql_select.cc:20541)

10.6 71e1ddda non-debug
double free or corruption (out)
210526 13:53:09 [ERROR] mysqld got signal 6 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.

To report this bug, see https://mariadb.com/kb/en/reporting-bugs

We will try our best to scrape up some info that will hopefully help
diagnose the problem, but since we have already crashed,
something is definitely wrong and this may fail.

Server version: 10.6.2-MariaDB-log
key_buffer_size=1048576
read_buffer_size=131072
max_used_connections=1
max_threads=153
thread_count=1
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 63732 K bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x7f1c24000c58
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0x7f1c4036fd98 thread_stack 0x49000
(Non-debug server hangs after this).
The failure started happening in 10.6 after this commit:
commit 36cdd5c3cdb06d8538f64c0b312ffe4672a92e75
Author: Monty
Date: Wed Sep 16 11:23:50 2020 +0300

Optimize usage of c_ptr(), c_ptr_quick() and String::alloc()
Issue Links
- relates to: MDEV-25754 ASAN: stack-buffer-overflow in Field_newdate::val_str upon GROUP_WS (Closed)