Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Duplicate
Affects Version/s: 10.7.0
Fix Version/s: None
Environment: Linux version 5.13.0-1-MANJARO (builduser@LEGION) (gcc (GCC) 11.1.0, GNU ld (GNU Binutils) 2.36.1) #1 SMP PREEMPT Mon Jun 7 06:16:10 UTC 2021 x86_64
Description
Steps to reproduce:
CREATE TABLE v0 ( v2 BIGINT , v1 BIGINT ) ENGINE = MEMORY ROW_FORMAT = COMPRESSED AS SELECT 59218101.000000 AS v3 UNION SELECT FALSE ;
START TRANSACTION ;
SELECT instr ( v1 , DES_ENCRYPT ( 'x' REGEXP 'x' , 'x' ) ) BETWEEN v3 AND -1 FROM v0 ;
SELECT DISTINCT v2 IN ( COLLATION ( AVG ( 'x' ) ) + -128 , 'x' , 'x' ) FROM v0 WHERE v2 IS NOT NULL ;
UPDATE v0 SET v2 = v3 + 69 ;
INSERT INTO v0 ( ) SELECT v1 , v1 FROM v0 ;
ASan report:
=================================================================
==2933067==ERROR: AddressSanitizer: use-after-poison on address 0x6290000a6080 at pc 0x7fb1687ce7b7 bp 0x7fb1435a5730 sp 0x7fb1435a4ed8
WRITE of size 944 at 0x6290000a6080 thread T14
    #0 0x7fb1687ce7b6 in __interceptor_memset /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:799
    #1 0x55c6bfcc41e9 in JOIN::make_aggr_tables_info() /experiment/mariadb-server/sql/sql_select.cc:3694
    #2 0x55c6bfcf2e71 in JOIN::optimize_stage2() /experiment/mariadb-server/sql/sql_select.cc:3225
    #3 0x55c6bfcfcd06 in JOIN::optimize_inner() /experiment/mariadb-server/sql/sql_select.cc:2479
    #4 0x55c6bfcfe7b0 in JOIN::optimize() /experiment/mariadb-server/sql/sql_select.cc:1809
    #5 0x55c6bfcfea0d in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /experiment/mariadb-server/sql/sql_select.cc:4977
    #6 0x55c6bfd00654 in handle_select(THD*, LEX*, select_result*, unsigned long) /experiment/mariadb-server/sql/sql_select.cc:545
    #7 0x55c6bfb43d7c in execute_sqlcom_select /experiment/mariadb-server/sql/sql_parse.cc:6256
    #8 0x55c6bfb6d420 in mysql_execute_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:3946
    #9 0x55c6bfb725a0 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /experiment/mariadb-server/sql/sql_parse.cc:8030
    #10 0x55c6bfb7860b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /experiment/mariadb-server/sql/sql_parse.cc:1896
    #11 0x55c6bfb7d73c in do_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:1404
    #12 0x55c6bff38e56 in do_handle_one_connection(CONNECT*, bool) /experiment/mariadb-server/sql/sql_connect.cc:1418
    #13 0x55c6bff3933c in handle_one_connection /experiment/mariadb-server/sql/sql_connect.cc:1312
    #14 0x55c6c09c9c2b in pfs_spawn_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201
    #15 0x7fb1681ba258 in start_thread (/usr/lib/libpthread.so.0+0x9258)
    #16 0x7fb167d655e2 in __GI___clone (/usr/lib/libc.so.6+0xfe5e2)

0x6290000a6080 is located 3712 bytes inside of 16400-byte region [0x6290000a5200,0x6290000a9210)
allocated by thread T14 here:
    #0 0x7fb16884c279 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55c6c12fc9a8 in my_malloc /experiment/mariadb-server/mysys/my_malloc.c:90
    #2 0x55c6c12e9414 in alloc_root /experiment/mariadb-server/mysys/my_alloc.c:332
    #3 0x55c6bfc3d047 in Query_arena::alloc(unsigned long) /experiment/mariadb-server/sql/sql_class.h:1206
    #4 0x55c6bfc3d047 in update_ref_and_keys /experiment/mariadb-server/sql/sql_select.cc:7110
    #5 0x55c6bfce537e in make_join_statistics /experiment/mariadb-server/sql/sql_select.cc:5377
    #6 0x55c6bfcfc73b in JOIN::optimize_inner() /experiment/mariadb-server/sql/sql_select.cc:2453
    #7 0x55c6bfcfe7b0 in JOIN::optimize() /experiment/mariadb-server/sql/sql_select.cc:1809
    #8 0x55c6bfcfea0d in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /experiment/mariadb-server/sql/sql_select.cc:4977
    #9 0x55c6bfd00654 in handle_select(THD*, LEX*, select_result*, unsigned long) /experiment/mariadb-server/sql/sql_select.cc:545
    #10 0x55c6bfb43d7c in execute_sqlcom_select /experiment/mariadb-server/sql/sql_parse.cc:6256
    #11 0x55c6bfb6d420 in mysql_execute_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:3946
    #12 0x55c6bfb725a0 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /experiment/mariadb-server/sql/sql_parse.cc:8030
    #13 0x55c6bfb7860b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /experiment/mariadb-server/sql/sql_parse.cc:1896
    #14 0x55c6bfb7d73c in do_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:1404
    #15 0x55c6bff38e56 in do_handle_one_connection(CONNECT*, bool) /experiment/mariadb-server/sql/sql_connect.cc:1418
    #16 0x55c6bff3933c in handle_one_connection /experiment/mariadb-server/sql/sql_connect.cc:1312
    #17 0x55c6c09c9c2b in pfs_spawn_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201
    #18 0x7fb1681ba258 in start_thread (/usr/lib/libpthread.so.0+0x9258)

Thread T14 created by T0 here:
    #0 0x7fb1687edfa7 in __interceptor_pthread_create /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cpp:216
    #1 0x55c6c09c9ea9 in my_thread_create /experiment/mariadb-server/storage/perfschema/my_thread.h:48
    #2 0x55c6c09c9ea9 in pfs_spawn_thread_v1 /experiment/mariadb-server/storage/perfschema/pfs.cc:2252
    #3 0x55c6bf83ab3c in inline_mysql_thread_create /experiment/mariadb-server/include/mysql/psi/mysql_thread.h:1139
    #4 0x55c6bf83ab3c in create_thread_to_handle_connection(CONNECT*) /experiment/mariadb-server/sql/mysqld.cc:5934
    #5 0x55c6bf8467b6 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /experiment/mariadb-server/sql/mysqld.cc:6055
    #6 0x55c6bf84736f in handle_connections_sockets() /experiment/mariadb-server/sql/mysqld.cc:6179
    #7 0x55c6bf84aa52 in mysqld_main(int, char**) /experiment/mariadb-server/sql/mysqld.cc:5829
    #8 0x7fb167c8eb24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)

SUMMARY: AddressSanitizer: use-after-poison /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:799 in __interceptor_memset
Shadow bytes around the buggy address:
  0x0c528000cbc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c528000cbd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c528000cbe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c528000cbf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c528000cc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c528000cc10:[f7]00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c528000cc20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c528000cc30: 00 00 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c528000cc40: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c528000cc50: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c528000cc60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2933067==ABORTING
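Reports like the one above are usually triaged by machine before a human reads them: the bug kind, access size and the top application frames form a crash signature that lets a fuzzing pipeline recognise a duplicate (this issue was closed as a duplicate of MDEV-23809, whose title names the same crashing function, JOIN::make_aggr_tables_info). The following Python is an added example, not part of this bug report or of the MariaDB code base, that parses the key lines of an ASan report into a structured record and derives such a signature. SAMPLE_REPORT is a constructed excerpt of the report above (shadow-byte dump and most outer frames left out); the list of sanitizer-interceptor prefixes to skip and the three-frame signature depth are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt of the ASan report above: header, the first crash frames,
# the allocation-site frames, the thread-creation header and the SUMMARY line.
SAMPLE_REPORT = """\
==2933067==ERROR: AddressSanitizer: use-after-poison on address 0x6290000a6080 at pc 0x7fb1687ce7b7 bp 0x7fb1435a5730 sp 0x7fb1435a4ed8
WRITE of size 944 at 0x6290000a6080 thread T14
    #0 0x7fb1687ce7b6 in __interceptor_memset /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:799
    #1 0x55c6bfcc41e9 in JOIN::make_aggr_tables_info() /experiment/mariadb-server/sql/sql_select.cc:3694
    #2 0x55c6bfcf2e71 in JOIN::optimize_stage2() /experiment/mariadb-server/sql/sql_select.cc:3225
    #3 0x55c6bfcfcd06 in JOIN::optimize_inner() /experiment/mariadb-server/sql/sql_select.cc:2479
    #4 0x55c6bfcfe7b0 in JOIN::optimize() /experiment/mariadb-server/sql/sql_select.cc:1809
    #5 0x55c6bfcfea0d in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /experiment/mariadb-server/sql/sql_select.cc:4977

0x6290000a6080 is located 3712 bytes inside of 16400-byte region [0x6290000a5200,0x6290000a9210)
allocated by thread T14 here:
    #0 0x7fb16884c279 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55c6c12fc9a8 in my_malloc /experiment/mariadb-server/mysys/my_malloc.c:90
    #2 0x55c6c12e9414 in alloc_root /experiment/mariadb-server/mysys/my_alloc.c:332
    #3 0x55c6bfc3d047 in Query_arena::alloc(unsigned long) /experiment/mariadb-server/sql/sql_class.h:1206
    #4 0x55c6bfc3d047 in update_ref_and_keys /experiment/mariadb-server/sql/sql_select.cc:7110

Thread T14 created by T0 here:
    #0 0x7fb1687edfa7 in __interceptor_pthread_create /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cpp:216

SUMMARY: AddressSanitizer: use-after-poison /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:799 in __interceptor_memset
"""


@dataclass
class Frame:
    index: int
    function: str   # symbol as printed, e.g. "JOIN::optimize_inner()"
    location: str   # file:line, or "(module+offset)" when not symbolised


@dataclass
class AsanReport:
    kind: str = ""                    # e.g. "use-after-poison"
    address: str = ""
    access: str = ""                  # READ or WRITE
    size: int = 0
    thread: str = ""
    offset: Optional[int] = None      # bytes into the owning heap region
    region_size: Optional[int] = None
    crash_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)
    free_stack: List[Frame] = field(default_factory=list)


ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
# The symbol may contain spaces (C++ argument lists); the location is the last token.
FRAME_RE = re.compile(r"^#(\d+) 0x[0-9a-f]+ in (.+) (\S+)$")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")

# Assumed skip list: frames inside the sanitizer runtime, not the program under test.
SANITIZER_FRAMES = ("__interceptor_", "__asan_", "__sanitizer_")


def parse_asan_report(text: str) -> AsanReport:
    """Parse the header, access line, region line and the stacks of one ASan report."""
    rep = AsanReport()
    target = rep.crash_stack          # frames accumulate here until a new stack header
    for raw in text.splitlines():
        line = raw.strip()
        if m := ERROR_RE.match(line):
            rep.kind, rep.address = m.group(1), m.group(2)
        elif m := ACCESS_RE.match(line):
            rep.access, rep.size, rep.thread = m.group(1), int(m.group(2)), m.group(3)
        elif m := REGION_RE.search(line):
            rep.offset, rep.region_size = int(m.group(1)), int(m.group(2))
        elif line.startswith("allocated by"):
            target = rep.alloc_stack
        elif line.startswith("freed by"):
            target = rep.free_stack
        elif line.startswith("Thread ") and "created by" in line:
            target = []               # thread-creation stacks are not needed for triage
        elif m := FRAME_RE.match(line):
            target.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    return rep


def crash_signature(rep: AsanReport, depth: int = 3) -> str:
    """Bug kind plus the top `depth` application frames with argument lists stripped,
    so two reports that reach the same code through different libc wrappers collapse
    to one key. (Stripping at "(" is wrong for operator() symbols; adjust if needed.)"""
    names = []
    for fr in rep.crash_stack:
        if fr.function.startswith(SANITIZER_FRAMES):
            continue
        names.append(fr.function.split("(")[0])
        if len(names) == depth:
            break
    return "|".join([rep.kind] + names)


def allocation_site(rep: AsanReport) -> Optional[Frame]:
    """First allocation frame outside the sanitizer interceptors, or None."""
    for fr in rep.alloc_stack:
        if not fr.function.startswith(SANITIZER_FRAMES):
            return fr
    return None


def describe(rep: AsanReport) -> str:
    """One-line triage summary suitable for an issue title or a dedup log."""
    site = allocation_site(rep)
    where = f" allocated via {site.function.split('(')[0]} ({site.location})" if site else ""
    region = (f", {rep.offset} bytes into a {rep.region_size}-byte region"
              if rep.offset is not None else "")
    return f"{rep.kind}: {rep.access} of {rep.size} bytes by thread {rep.thread}{region}{where}"


if __name__ == "__main__":
    report = parse_asan_report(SAMPLE_REPORT)
    print(describe(report))
    print("signature:", crash_signature(report))
```

Run against the embedded excerpt the signature is `use-after-poison|JOIN::make_aggr_tables_info|JOIN::optimize_stage2|JOIN::optimize_inner`; a dedup step would compare that key with the signature of the report attached to MDEV-23809 rather than the raw addresses, which differ on every run.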
|
Issue Links
- duplicates: MDEV-23809 Server crash in JOIN_CACHE::free or in copy_fields, ASAN use-after-poison in JOIN::make_aggr_tables_info (Closed)