Details
Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL)
Description
Possibly (though likely not) related to MDEV-11464.
SELECT JSON_VALID ('{"开源数据库":"MariaDB"}');
Leads to:
10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized)
/test/10.7_opt_san/strings/json_lib.c:844:25: runtime error: index 24320 out of bounds for type 'json_string_char_classes [128]'
10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized)
#0 0x56352c145f0e in skip_key /test/10.7_opt_san/strings/json_lib.c:844
#1 0x56352c146c1a in json_scan_next /test/10.7_opt_san/strings/json_lib.c:974
#2 0x56352c151ae7 in json_valid /test/10.7_opt_san/strings/json_lib.c:2041
#3 0x563528966d9f in Item_func_json_valid::val_int() /test/10.7_opt_san/sql/item_jsonfunc.cc:392
#4 0x563528b2f280 in Type_handler::Item_send_long(Item*, Protocol*, st_value*) const /test/10.7_opt_san/sql/sql_type.cc:7488
#5 0x5635277a5791 in Protocol::send_result_set_row(List<Item>*) /test/10.7_opt_san/sql/protocol.cc:1327
#6 0x563527b0d839 in select_send::send_data(List<Item>&) /test/10.7_opt_san/sql/sql_class.cc:3072
#7 0x5635281d3b77 in JOIN::exec_inner() /test/10.7_opt_san/sql/sql_select.cc:4601
#8 0x5635281d7b99 in JOIN::exec() /test/10.7_opt_san/sql/sql_select.cc:4513
#9 0x5635281c7705 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.7_opt_san/sql/sql_select.cc:4991
#10 0x5635281cb5b3 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.7_opt_san/sql/sql_select.cc:545
#11 0x563527e07f4f in execute_sqlcom_select /test/10.7_opt_san/sql/sql_parse.cc:6253
#12 0x563527e47a53 in mysql_execute_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:3944
#13 0x563527dd7fe8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_opt_san/sql/sql_parse.cc:8028
#14 0x563527e2d655 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_opt_san/sql/sql_parse.cc:1894
#15 0x563527e38e52 in do_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:1402
#16 0x5635286e47bd in do_handle_one_connection(CONNECT*, bool) /test/10.7_opt_san/sql/sql_connect.cc:1418
#17 0x5635286e72b4 in handle_one_connection /test/10.7_opt_san/sql/sql_connect.cc:1312
#18 0x56352a6afce1 in pfs_spawn_thread /test/10.7_opt_san/storage/perfschema/pfs.cc:2201
#19 0x1508e5149608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
#20 0x1508e43bf292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
/test/10.7_opt_san/strings/json_lib.c:844:25: runtime error: load of address 0x563534f2bca0 with insufficient space for an object of type 'json_string_char_classes'
0x563534f2bca0: note: pointer points here
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
#0 0x56352c146021 in skip_key /test/10.7_opt_san/strings/json_lib.c:844
#1 0x56352c146c1a in json_scan_next /test/10.7_opt_san/strings/json_lib.c:974
#2 0x56352c151ae7 in json_valid /test/10.7_opt_san/strings/json_lib.c:2041
#3 0x563528966d9f in Item_func_json_valid::val_int() /test/10.7_opt_san/sql/item_jsonfunc.cc:392
#4 0x563528b2f280 in Type_handler::Item_send_long(Item*, Protocol*, st_value*) const /test/10.7_opt_san/sql/sql_type.cc:7488
#5 0x5635277a5791 in Protocol::send_result_set_row(List<Item>*) /test/10.7_opt_san/sql/protocol.cc:1327
#6 0x563527b0d839 in select_send::send_data(List<Item>&) /test/10.7_opt_san/sql/sql_class.cc:3072
#7 0x5635281d3b77 in JOIN::exec_inner() /test/10.7_opt_san/sql/sql_select.cc:4601
#8 0x5635281d7b99 in JOIN::exec() /test/10.7_opt_san/sql/sql_select.cc:4513
#9 0x5635281c7705 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.7_opt_san/sql/sql_select.cc:4991
#10 0x5635281cb5b3 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.7_opt_san/sql/sql_select.cc:545
#11 0x563527e07f4f in execute_sqlcom_select /test/10.7_opt_san/sql/sql_parse.cc:6253
#12 0x563527e47a53 in mysql_execute_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:3944
#13 0x563527dd7fe8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_opt_san/sql/sql_parse.cc:8028
#14 0x563527e2d655 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_opt_san/sql/sql_parse.cc:1894
#15 0x563527e38e52 in do_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:1402
#16 0x5635286e47bd in do_handle_one_connection(CONNECT*, bool) /test/10.7_opt_san/sql/sql_connect.cc:1418
#17 0x5635286e72b4 in handle_one_connection /test/10.7_opt_san/sql/sql_connect.cc:1312
#18 0x56352a6afce1 in pfs_spawn_thread /test/10.7_opt_san/storage/perfschema/pfs.cc:2201
#19 0x1508e5149608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
#20 0x1508e43bf292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Debug)
#0 0x56436f81f8bb in skip_key /test/10.7_dbg_san/strings/json_lib.c:844
#1 0x56436f82019f in json_scan_next /test/10.7_dbg_san/strings/json_lib.c:974
#2 0x56436f8273ae in json_valid /test/10.7_dbg_san/strings/json_lib.c:2041
#3 0x56436bde7c82 in Item_func_json_valid::val_int() /test/10.7_dbg_san/sql/item_jsonfunc.cc:392
#4 0x56436bfee4a6 in Type_handler::Item_send_long(Item*, Protocol*, st_value*) const /test/10.7_dbg_san/sql/sql_type.cc:7488
#5 0x56436c05de78 in Type_handler_long::Item_send(Item*, Protocol*, st_value*) const /test/10.7_dbg_san/sql/sql_type.h:5681
#6 0x56436a69e35f in Item::send(Protocol*, st_value*) /test/10.7_dbg_san/sql/item.h:1227
#7 0x56436a8439a5 in Protocol::send_result_set_row(List<Item>*) /test/10.7_dbg_san/sql/protocol.cc:1327
#8 0x56436ac8d4c3 in select_send::send_data(List<Item>&) /test/10.7_dbg_san/sql/sql_class.cc:3072
#9 0x56436b46ef9a in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/10.7_dbg_san/sql/sql_class.h:5631
#10 0x56436b46ef9a in JOIN::exec_inner() /test/10.7_dbg_san/sql/sql_select.cc:4601
#11 0x56436b4767a8 in JOIN::exec() /test/10.7_dbg_san/sql/sql_select.cc:4513
#12 0x56436b4670fa in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.7_dbg_san/sql/sql_select.cc:4991
#13 0x56436b468a82 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.7_dbg_san/sql/sql_select.cc:545
#14 0x56436b002590 in execute_sqlcom_select /test/10.7_dbg_san/sql/sql_parse.cc:6253
#15 0x56436b0664ec in mysql_execute_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:3944
#16 0x56436afcac94 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_dbg_san/sql/sql_parse.cc:8028
#17 0x56436b03f67a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1894
#18 0x56436b0560c2 in do_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1402
#19 0x56436bae12aa in do_handle_one_connection(CONNECT*, bool) /test/10.7_dbg_san/sql/sql_connect.cc:1418
#20 0x56436bae4143 in handle_one_connection /test/10.7_dbg_san/sql/sql_connect.cc:1312
#21 0x56436df044ee in pfs_spawn_thread /test/10.7_dbg_san/storage/perfschema/pfs.cc:2201
#22 0x1553641f5608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
#23 0x15536346b292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
/test/10.7_dbg_san/strings/json_lib.c:844:25: runtime error: load of address 0x564379283dc0 with insufficient space for an object of type 'json_string_char_classes'
0x564379283dc0: note: pointer points here
00 00 00 00 00 11 28 79 43 56 00 00 20 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 60 67 28 70
^
#0 0x56436f81f8d5 in skip_key /test/10.7_dbg_san/strings/json_lib.c:844
#1 0x56436f82019f in json_scan_next /test/10.7_dbg_san/strings/json_lib.c:974
#2 0x56436f8273ae in json_valid /test/10.7_dbg_san/strings/json_lib.c:2041
#3 0x56436bde7c82 in Item_func_json_valid::val_int() /test/10.7_dbg_san/sql/item_jsonfunc.cc:392
#4 0x56436bfee4a6 in Type_handler::Item_send_long(Item*, Protocol*, st_value*) const /test/10.7_dbg_san/sql/sql_type.cc:7488
#5 0x56436c05de78 in Type_handler_long::Item_send(Item*, Protocol*, st_value*) const /test/10.7_dbg_san/sql/sql_type.h:5681
#6 0x56436a69e35f in Item::send(Protocol*, st_value*) /test/10.7_dbg_san/sql/item.h:1227
#7 0x56436a8439a5 in Protocol::send_result_set_row(List<Item>*) /test/10.7_dbg_san/sql/protocol.cc:1327
#8 0x56436ac8d4c3 in select_send::send_data(List<Item>&) /test/10.7_dbg_san/sql/sql_class.cc:3072
#9 0x56436b46ef9a in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/10.7_dbg_san/sql/sql_class.h:5631
#10 0x56436b46ef9a in JOIN::exec_inner() /test/10.7_dbg_san/sql/sql_select.cc:4601
#11 0x56436b4767a8 in JOIN::exec() /test/10.7_dbg_san/sql/sql_select.cc:4513
#12 0x56436b4670fa in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.7_dbg_san/sql/sql_select.cc:4991
#13 0x56436b468a82 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.7_dbg_san/sql/sql_select.cc:545
#14 0x56436b002590 in execute_sqlcom_select /test/10.7_dbg_san/sql/sql_parse.cc:6253
#15 0x56436b0664ec in mysql_execute_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:3944
#16 0x56436afcac94 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_dbg_san/sql/sql_parse.cc:8028
#17 0x56436b03f67a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1894
#18 0x56436b0560c2 in do_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1402
#19 0x56436bae12aa in do_handle_one_connection(CONNECT*, bool) /test/10.7_dbg_san/sql/sql_connect.cc:1418
#20 0x56436bae4143 in handle_one_connection /test/10.7_dbg_san/sql/sql_connect.cc:1312
#21 0x56436df044ee in pfs_spawn_thread /test/10.7_dbg_san/storage/perfschema/pfs.cc:2201
#22 0x1553641f5608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
#23 0x15536346b292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
Setup:
Compiled with GCC >=7.5.0 (I use GCC 9.3.0) and:
-DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON
Set before execution:
export ASAN_OPTIONS=quarantine_size_mb=512:atexit=1:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1
export UBSAN_OPTIONS=print_stacktrace=1
Bug confirmed present in:
MariaDB: 10.3.32 (dbg), 10.3.32 (opt), 10.4.22 (dbg), 10.4.22 (opt), 10.5.13 (dbg), 10.5.13 (opt), 10.6.5 (dbg), 10.6.5 (opt), 10.7.1 (dbg), 10.7.1 (opt)
Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.2.41 (dbg), 10.2.41 (opt)
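The UBSAN message above names the fault precisely: a 128-entry character-class table (json_string_char_classes [128]) is indexed with a decoded code point, and 24320 is U+5F00, the first character of the key. The following is an added, constructed C model of that fault class and of a checked lookup that confines table indexing to the ASCII range; it is not MariaDB's json_lib.c, and the names kc_table, utf8_next, key_char_class and scan_key are assumptions for this illustration.

```c
/* Constructed model of the fault class in this report, not MariaDB's json_lib.c:
 * a 128-entry ASCII character-class table indexed by a decoded code point.
 * Names (kc_table, utf8_next, key_char_class, scan_key) are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef enum { KC_OTHER = 0, KC_QUOTE, KC_BACKSLASH, KC_CTRL } char_class_t;

#define KC_TABLE_SIZE 128   /* same size as json_string_char_classes[128] */
static char_class_t kc_table[KC_TABLE_SIZE];   /* filled by kc_table_init() */
static int kc_table_ready;

static void kc_table_init(void)
{
    for (int i = 0; i < 32; i++) kc_table[i] = KC_CTRL;  /* raw control chars: invalid in a key */
    kc_table['"'] = KC_QUOTE;
    kc_table['\\'] = KC_BACKSLASH;
    kc_table_ready = 1;
}

/* Decode one UTF-8 sequence (1- to 3-byte forms cover the report's input);
 * advances *p and returns the code point, or -1 if truncated/malformed. */
static int32_t utf8_next(const unsigned char **p, const unsigned char *end)
{
    const unsigned char *s = *p;
    if (s >= end) return -1;
    if (s[0] < 0x80) { *p = s + 1; return s[0]; }
    if ((s[0] & 0xE0) == 0xC0 && end - s >= 2 && (s[1] & 0xC0) == 0x80) {
        *p = s + 2; return ((s[0] & 0x1F) << 6) | (s[1] & 0x3F);
    }
    if ((s[0] & 0xF0) == 0xE0 && end - s >= 3 && (s[1] & 0xC0) == 0x80 && (s[2] & 0xC0) == 0x80) {
        *p = s + 3; return ((s[0] & 0x0F) << 12) | ((s[1] & 0x3F) << 6) | (s[2] & 0x3F);
    }
    return -1;
}

/* Checked lookup: only ASCII may index the table; every other code point is an
 * ordinary key character. The unchecked form kc_table[cp] is the read UBSAN
 * reports as "index 24320 out of bounds" (24320 == U+5F00, the key's first char). */
static char_class_t key_char_class(int32_t cp)
{
    if (!kc_table_ready) kc_table_init();
    if (cp < 0 || cp >= KC_TABLE_SIZE) return KC_OTHER;
    return kc_table[cp];
}

/* Scan a key body (bytes after the opening quote) with the checked lookup.
 * Returns bytes consumed through the closing quote, or -1 if the key is malformed,
 * unterminated or holds a raw control char. *first_oob_cp receives the first code
 * point >= KC_TABLE_SIZE (-1 if none): the index an unchecked lookup would use. */
static long scan_key(const char *key, size_t len, int32_t *first_oob_cp)
{
    const unsigned char *p = (const unsigned char *)key, *end = p + len;
    *first_oob_cp = -1;
    for (;;) {
        int32_t cp = utf8_next(&p, end);
        if (cp < 0) return -1;
        if (cp >= KC_TABLE_SIZE && *first_oob_cp < 0) *first_oob_cp = cp;
        switch (key_char_class(cp)) {
        case KC_QUOTE:     return (long)(p - (const unsigned char *)key);
        case KC_CTRL:      return -1;
        case KC_BACKSLASH: if (utf8_next(&p, end) < 0) return -1; break; /* escaped char kept as-is */
        default:           break;
        }
    }
}
```

Fed the report's key (constructed here as the UTF-8 bytes of 开源数据库), scan_key consumes 16 bytes through the closing quote and reports 24320 as the first code point that an unchecked table index would have used.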
Issue Links
relates to MDEV-25454 Make MariaDB server UBSAN safe (Confirmed)
Additionally, directly related ASAN errors are observed:
10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized)
==3909401==ERROR: AddressSanitizer: global-buffer-overflow on address 0x563534f2bca0 at pc 0x56352c145e72 bp 0x1508c1e64030 sp 0x1508c1e64020
READ of size 4 at 0x563534f2bca0 thread T16
#0 0x56352c145e71 in skip_key /test/10.7_opt_san/strings/json_lib.c:844
#1 0x56352c146c1a in json_scan_next /test/10.7_opt_san/strings/json_lib.c:974
#2 0x56352c151ae7 in json_valid /test/10.7_opt_san/strings/json_lib.c:2041
#3 0x563528966d9f in Item_func_json_valid::val_int() /test/10.7_opt_san/sql/item_jsonfunc.cc:392
#4 0x563528b2f280 in Type_handler::Item_send_long(Item*, Protocol*, st_value*) const /test/10.7_opt_san/sql/sql_type.cc:7488
#5 0x5635277a5791 in Protocol::send_result_set_row(List<Item>*) /test/10.7_opt_san/sql/protocol.cc:1327
#6 0x563527b0d839 in select_send::send_data(List<Item>&) /test/10.7_opt_san/sql/sql_class.cc:3072
#7 0x5635281d3b77 in JOIN::exec_inner() /test/10.7_opt_san/sql/sql_select.cc:4601
#8 0x5635281d7b99 in JOIN::exec() /test/10.7_opt_san/sql/sql_select.cc:4513
#9 0x5635281c7705 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.7_opt_san/sql/sql_select.cc:4991
#10 0x5635281cb5b3 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.7_opt_san/sql/sql_select.cc:545
#11 0x563527e07f4f in execute_sqlcom_select /test/10.7_opt_san/sql/sql_parse.cc:6253
#12 0x563527e47a53 in mysql_execute_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:3944
#13 0x563527dd7fe8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_opt_san/sql/sql_parse.cc:8028
#14 0x563527e2d655 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_opt_san/sql/sql_parse.cc:1894
#15 0x563527e38e52 in do_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:1402
#16 0x5635286e47bd in do_handle_one_connection(CONNECT*, bool) /test/10.7_opt_san/sql/sql_connect.cc:1418
#17 0x5635286e72b4 in handle_one_connection /test/10.7_opt_san/sql/sql_connect.cc:1312
#18 0x56352a6afce1 in pfs_spawn_thread /test/10.7_opt_san/storage/perfschema/pfs.cc:2201
#19 0x1508e5149608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
#20 0x1508e43bf292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
0x563534f2bca0 is located 32 bytes to the left of global variable '*.Lubsan_data42' defined in '/test/10.7_opt_san/strings/json_normalize.c' (0x563534f2bcc0) of size 16
0x563534f2bca0 is located 16 bytes to the right of global variable '*.Lubsan_data43' defined in '/test/10.7_opt_san/strings/json_normalize.c' (0x563534f2bc80) of size 16
SUMMARY: AddressSanitizer: global-buffer-overflow /test/10.7_opt_san/strings/json_lib.c:844 in skip_key
Shadow bytes around the buggy address:
0x0ac7269dd740: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
0x0ac7269dd750: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
0x0ac7269dd760: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
0x0ac7269dd770: 00 00 00 00 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
0x0ac7269dd780: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
=>0x0ac7269dd790: 00 00 f9 f9[f9]f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
0x0ac7269dd7a0: 00 00 00 00 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
0x0ac7269dd7b0: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
0x0ac7269dd7c0: 00 00 f9 f9 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
0x0ac7269dd7d0: 00 00 00 00 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
0x0ac7269dd7e0: 00 00 00 00 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
Thread T16 created by T0 here:
#0 0x5635274f6725 in __interceptor_pthread_create (/test/UBASAN_MD300921-mariadb-10.7.1-linux-x86_64-opt/bin/mariadbd+0x7a8d725)
#1 0x56352a6c80cf in my_thread_create /test/10.7_opt_san/storage/perfschema/my_thread.h:48
#2 0x56352a6c80cf in pfs_spawn_thread_v1 /test/10.7_opt_san/storage/perfschema/pfs.cc:2252
#3 0x56352761d805 in inline_mysql_thread_create /test/10.7_opt_san/include/mysql/psi/mysql_thread.h:1139
#4 0x56352761d805 in create_thread_to_handle_connection(CONNECT*) /test/10.7_opt_san/sql/mysqld.cc:5952
#5 0x563527631510 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/10.7_opt_san/sql/mysqld.cc:6073
#6 0x56352763278b in handle_connections_sockets() /test/10.7_opt_san/sql/mysqld.cc:6197
#7 0x563527636409 in mysqld_main(int, char**) /test/10.7_opt_san/sql/mysqld.cc:5847
#8 0x1508e42c40b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Debug)
==3918152==ERROR: AddressSanitizer: global-buffer-overflow on address 0x564379283dc0 at pc 0x56436f81f9b4 bp 0x15533fb5b0f0 sp 0x15533fb5b0e0
READ of size 4 at 0x564379283dc0 thread T24
#0 0x56436f81f9b3 in skip_key /test/10.7_dbg_san/strings/json_lib.c:844
#1 0x56436f82019f in json_scan_next /test/10.7_dbg_san/strings/json_lib.c:974
#2 0x56436f8273ae in json_valid /test/10.7_dbg_san/strings/json_lib.c:2041
#3 0x56436bde7c82 in Item_func_json_valid::val_int() /test/10.7_dbg_san/sql/item_jsonfunc.cc:392
#4 0x56436bfee4a6 in Type_handler::Item_send_long(Item*, Protocol*, st_value*) const /test/10.7_dbg_san/sql/sql_type.cc:7488
#5 0x56436c05de78 in Type_handler_long::Item_send(Item*, Protocol*, st_value*) const /test/10.7_dbg_san/sql/sql_type.h:5681
#6 0x56436a69e35f in Item::send(Protocol*, st_value*) /test/10.7_dbg_san/sql/item.h:1227
#7 0x56436a8439a5 in Protocol::send_result_set_row(List<Item>*) /test/10.7_dbg_san/sql/protocol.cc:1327
#8 0x56436ac8d4c3 in select_send::send_data(List<Item>&) /test/10.7_dbg_san/sql/sql_class.cc:3072
#9 0x56436b46ef9a in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/10.7_dbg_san/sql/sql_class.h:5631
#10 0x56436b46ef9a in JOIN::exec_inner() /test/10.7_dbg_san/sql/sql_select.cc:4601
#11 0x56436b4767a8 in JOIN::exec() /test/10.7_dbg_san/sql/sql_select.cc:4513
#12 0x56436b4670fa in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.7_dbg_san/sql/sql_select.cc:4991
#13 0x56436b468a82 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.7_dbg_san/sql/sql_select.cc:545
#14 0x56436b002590 in execute_sqlcom_select /test/10.7_dbg_san/sql/sql_parse.cc:6253
#15 0x56436b0664ec in mysql_execute_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:3944
#16 0x56436afcac94 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_dbg_san/sql/sql_parse.cc:8028
#17 0x56436b03f67a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1894
#18 0x56436b0560c2 in do_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1402
#19 0x56436bae12aa in do_handle_one_connection(CONNECT*, bool) /test/10.7_dbg_san/sql/sql_connect.cc:1418
#20 0x56436bae4143 in handle_one_connection /test/10.7_dbg_san/sql/sql_connect.cc:1312
#21 0x56436df044ee in pfs_spawn_thread /test/10.7_dbg_san/storage/perfschema/pfs.cc:2201
#22 0x1553641f5608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
#23 0x15536346b292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
Address 0x564379283dc0 is a wild pointer.
SUMMARY: AddressSanitizer: global-buffer-overflow /test/10.7_dbg_san/strings/json_lib.c:844 in skip_key
Shadow bytes around the buggy address:
0x0ac8ef248760: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0ac8ef248770: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0ac8ef248780: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0ac8ef248790: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0ac8ef2487a0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
=>0x0ac8ef2487b0: f9 f9 f9 f9 f9 f9 f9 f9[f9]f9 f9 f9 f9 f9 f9 f9
0x0ac8ef2487c0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0ac8ef2487d0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0ac8ef2487e0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0ac8ef2487f0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0ac8ef248800: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
Thread T24 created by T0 here:
#0 0x56436a54f235 in pthread_create (/test/UBASAN_MD300921-mariadb-10.7.1-linux-x86_64-dbg/bin/mariadbd+0x7ea8235)
#1 0x56436df1500a in my_thread_create /test/10.7_dbg_san/storage/perfschema/my_thread.h:48
#2 0x56436df1500a in pfs_spawn_thread_v1 /test/10.7_dbg_san/storage/perfschema/pfs.cc:2252
#3 0x56436a67b5e9 in inline_mysql_thread_create /test/10.7_dbg_san/include/mysql/psi/mysql_thread.h:1139
#4 0x56436a67b5e9 in create_thread_to_handle_connection(CONNECT*) /test/10.7_dbg_san/sql/mysqld.cc:5952
#5 0x56436a69097a in create_new_thread(CONNECT*) /test/10.7_dbg_san/sql/mysqld.cc:6011
#6 0x56436a691155 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/10.7_dbg_san/sql/mysqld.cc:6073
#7 0x56436a692d72 in handle_connections_sockets() /test/10.7_dbg_san/sql/mysqld.cc:6197
#8 0x56436a698e82 in mysqld_main(int, char**) /test/10.7_dbg_san/sql/mysqld.cc:5847
#9 0x56436a663b7a in main /test/10.7_dbg_san/sql/main.cc:34
#10 0x1553633700b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)