Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-26006

Server crash or ASAN errors in in_vector::find upon SELECT from temptable view

    XMLWordPrintable

Details

    Description

      Given that only 10.2 appears to be affected, chances are the release line will go EOL before it gets fixed

      CREATE TABLE t (id BIGINT);
      		 
      INSERT INTO t VALUES (1),(2);
      		 
      CREATE ALGORITHM=TEMPTABLE VIEW v AS SELECT * FROM t;
      		 
      SELECT id FROM v WHERE id IN (SIN(1),'2');
      		 
       
      		 
      # Cleanup
      		 
      DROP VIEW v;
      		 
      DROP TABLE t;

      10.2 aaaed9ba ASAN

      		 
      READ of size 8 at 0x62b0000045b8 thread T5
      		 
          #0 0x55e93da449c2 in in_vector::find(Item*) /data/src/10.2/sql/item_cmpfunc.cc:3642
      		 
          #1 0x55e93da4b685 in Item_func_in::val_int() /data/src/10.2/sql/item_cmpfunc.cc:4444
      		 
          #2 0x55e93d462f49 in evaluate_join_record /data/src/10.2/sql/sql_select.cc:18963
      		 
          #3 0x55e93d462226 in sub_select(JOIN*, st_join_table*, bool) /data/src/10.2/sql/sql_select.cc:18868
      		 
          #4 0x55e93d46030f in do_select /data/src/10.2/sql/sql_select.cc:18412
      		 
          #5 0x55e93d3fa1c6 in JOIN::exec_inner() /data/src/10.2/sql/sql_select.cc:3651
      		 
          #6 0x55e93d3f7cdd in JOIN::exec() /data/src/10.2/sql/sql_select.cc:3446
      		 
          #7 0x55e93d3fb560 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3849
      		 
          #8 0x55e93d3d7f3b in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361
      		 
          #9 0x55e93d34eda8 in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6271
      		 
          #10 0x55e93d33c131 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3582
      		 
          #11 0x55e93d3582bd in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7793
      		 
          #12 0x55e93d3314c2 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
      		 
          #13 0x55e93d32e28d in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
      		 
          #14 0x55e93d6b8021 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
      		 
          #15 0x55e93d6b78e4 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
      		 
          #16 0x55e93ea5dab3 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
      		 
          #17 0x7fb0e6146608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
      		 
          #18 0x7fb0e5d21292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

      Non-ASAN debug build crashes with a similar stack trace.
      Non-debug build doesn't crash on my machine, but non-debug ASAN build produces errors similar to the above, or sometimes (with the same test case)

      ==3900675==ERROR: AddressSanitizer: use-after-poison on address 0x62b000004c10 at pc 0x56443eacb5b5 bp 0x7f22e60478c0 sp 0x7f22e60478b0
      		 
      READ of size 8 at 0x62b000004c10 thread T5
      		 
          #0 0x56443eacb5b4 in Item_func_in::cleanup() /data/src/10.2/sql/item_cmpfunc.h:1673
      		 
          #1 0x56443e01916b in Item::delete_self() /data/src/10.2/sql/item.h:1963
      		 
          #2 0x56443e01916b in Query_arena::free_items() /data/src/10.2/sql/sql_class.cc:3555
      		 
          #3 0x56443e020b86 in THD::cleanup_after_query() /data/src/10.2/sql/sql_class.cc:2098
      		 
          #4 0x56443e0e90d8 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7815
      		 
          #5 0x56443e0f31a3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
      		 
          #6 0x56443e0f7af5 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
      		 
          #7 0x56443e3f8b66 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
      		 
          #8 0x56443e3f92ae in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
      		 
          #9 0x56443f6cdb38 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
      		 
          #10 0x7f22f0dea608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
      		 
          #11 0x7f22f09c5292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

      Reproducible on debug and non-debug 10.2 builds as described. EXPLAIN also crashes.
      Reproducible with at least MyISAM and InnoDB for the underlying table.
      Not reproducible with MERGE views.
      Not reproducible with the provided test case on 10.3+.

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-26281 ASAN use-after-poison when complex conversion is involved in blob

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed

          Activity

            People

              psergei Sergei Petrunia
              elenst Elena Stepanova
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.