MariaDB Server: MDEV-26822

ASAN heap-use-after-free / Valgrind invalid read in Binary_string::copy and __interceptor_memmove

Details

    Description

      SELECT CAST(MD5(NOW()) AS CHAR) AS f, COUNT(*) FROM DUAL GROUP BY f;
      

      10.6 0144d1d2 ASAN

      ==1375312==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f0000d8ab8 at pc 0x7f36c80d7f40 bp 0x7f36be0f3c10 sp 0x7f36be0f33b8
      READ of size 32 at 0x60f0000d8ab8 thread T5
          #0 0x7f36c80d7f3f in __interceptor_memmove (/lib/x86_64-linux-gnu/libasan.so.5+0xa0f3f)
          #1 0x55b56c134463 in Binary_string::copy(Binary_string const&) /data/src/10.6/sql/sql_string.cc:250
          #2 0x55b56bdc88e5 in String::copy(String const&) /data/src/10.6/sql/sql_string.h:880
          #3 0x55b56c7b092c in Item_copy_string::copy() /data/src/10.6/sql/item.cc:4988
          #4 0x55b56c046d32 in copy_fields(TMP_TABLE_PARAM*) /data/src/10.6/sql/sql_select.cc:25866
          #5 0x55b56c02e464 in end_send_group(JOIN*, st_join_table*, bool) /data/src/10.6/sql/sql_select.cc:22515
          #6 0x55b56c02080a in do_select /data/src/10.6/sql/sql_select.cc:20552
          #7 0x55b56bfad4fa in JOIN::exec_inner() /data/src/10.6/sql/sql_select.cc:4737
          #8 0x55b56bfaa9db in JOIN::exec() /data/src/10.6/sql/sql_select.cc:4515
          #9 0x55b56bfaef36 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.6/sql/sql_select.cc:4993
          #10 0x55b56bf7f40c in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.6/sql/sql_select.cc:545
          #11 0x55b56bee4802 in execute_sqlcom_select /data/src/10.6/sql/sql_parse.cc:6256
          #12 0x55b56bed32be in mysql_execute_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:3946
          #13 0x55b56beefac5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.6/sql/sql_parse.cc:8030
          #14 0x55b56bec5b73 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/10.6/sql/sql_parse.cc:1896
          #15 0x55b56bec2897 in do_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:1404
          #16 0x55b56c328a8c in do_handle_one_connection(CONNECT*, bool) /data/src/10.6/sql/sql_connect.cc:1418
          #17 0x55b56c328318 in handle_one_connection /data/src/10.6/sql/sql_connect.cc:1312
          #18 0x55b56cf95298 in pfs_spawn_thread /data/src/10.6/storage/perfschema/pfs.cc:2201
          #19 0x7f36c7a5b608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
          #20 0x7f36c762e292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
       
      0x60f0000d8ab8 is located 136 bytes inside of 172-byte region [0x60f0000d8a30,0x60f0000d8adc)
      freed by thread T5 here:
          #0 0x7f36c81447cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
          #1 0x55b56dbe9ed5 in free_memory /data/src/10.6/mysys/safemalloc.c:297
          #2 0x55b56dbe9312 in sf_free /data/src/10.6/mysys/safemalloc.c:203
          #3 0x55b56dbb6d1e in my_free /data/src/10.6/mysys/my_malloc.c:211
          #4 0x55b56bbd4097 in Binary_string::free_buffer() /data/src/10.6/sql/sql_string.h:227
          #5 0x55b56c132eb3 in Binary_string::real_alloc(unsigned long) /data/src/10.6/sql/sql_string.cc:44
          #6 0x55b56bbfe414 in Binary_string::alloc(unsigned long) /data/src/10.6/sql/sql_string.h:698
          #7 0x55b56c134369 in Binary_string::copy(Binary_string const&) /data/src/10.6/sql/sql_string.cc:247
          #8 0x55b56bdc88e5 in String::copy(String const&) /data/src/10.6/sql/sql_string.h:880
          #9 0x55b56c7b092c in Item_copy_string::copy() /data/src/10.6/sql/item.cc:4988
          #10 0x55b56c046d32 in copy_fields(TMP_TABLE_PARAM*) /data/src/10.6/sql/sql_select.cc:25866
          #11 0x55b56c02e464 in end_send_group(JOIN*, st_join_table*, bool) /data/src/10.6/sql/sql_select.cc:22515
          #12 0x55b56c02080a in do_select /data/src/10.6/sql/sql_select.cc:20552
          #13 0x55b56bfad4fa in JOIN::exec_inner() /data/src/10.6/sql/sql_select.cc:4737
          #14 0x55b56bfaa9db in JOIN::exec() /data/src/10.6/sql/sql_select.cc:4515
          #15 0x55b56bfaef36 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.6/sql/sql_select.cc:4993
          #16 0x55b56bf7f40c in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.6/sql/sql_select.cc:545
          #17 0x55b56bee4802 in execute_sqlcom_select /data/src/10.6/sql/sql_parse.cc:6256
          #18 0x55b56bed32be in mysql_execute_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:3946
          #19 0x55b56beefac5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.6/sql/sql_parse.cc:8030
          #20 0x55b56bec5b73 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/10.6/sql/sql_parse.cc:1896
          #21 0x55b56bec2897 in do_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:1404
          #22 0x55b56c328a8c in do_handle_one_connection(CONNECT*, bool) /data/src/10.6/sql/sql_connect.cc:1418
          #23 0x55b56c328318 in handle_one_connection /data/src/10.6/sql/sql_connect.cc:1312
          #24 0x55b56cf95298 in pfs_spawn_thread /data/src/10.6/storage/perfschema/pfs.cc:2201
          #25 0x7f36c7a5b608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
       
      previously allocated by thread T5 here:
          #0 0x7f36c8144bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
          #1 0x55b56dbe8cc6 in sf_malloc /data/src/10.6/mysys/safemalloc.c:126
          #2 0x55b56dbb5ef8 in my_malloc /data/src/10.6/mysys/my_malloc.c:90
          #3 0x55b56c132f57 in Binary_string::real_alloc(unsigned long) /data/src/10.6/sql/sql_string.cc:45
          #4 0x55b56bbfe414 in Binary_string::alloc(unsigned long) /data/src/10.6/sql/sql_string.h:698
          #5 0x55b56be90eea in Datetime::to_string(String*, unsigned int) const /data/src/10.6/sql/sql_type.h:2583
          #6 0x55b56be9993e in Item_datetimefunc::val_str(String*) /data/src/10.6/sql/item_timefunc.h:704
          #7 0x55b56c91926c in Item_func_md5::val_str_ascii(String*) /data/src/10.6/sql/item_strfunc.cc:163
          #8 0x55b56c918570 in Item_func::val_str_from_val_str_ascii(String*, String*) /data/src/10.6/sql/item_strfunc.cc:98
          #9 0x55b56c606127 in Item_str_ascii_func::val_str(String*) /data/src/10.6/sql/item_strfunc.h:94
          #10 0x55b56c9f665c in Item_char_typecast::val_str_generic(String*) /data/src/10.6/sql/item_timefunc.cc:3172
          #11 0x55b56ca0e92b in Item_char_typecast_func_handler::val_str(Item_handled_func*, String*) const /data/src/10.6/sql/item_timefunc.cc:3275
          #12 0x55b56c5094a3 in Item_handled_func::val_str(String*) /data/src/10.6/sql/item_func.h:770
          #13 0x55b56c7b08fc in Item_copy_string::copy() /data/src/10.6/sql/item.cc:4986
          #14 0x55b56c046d32 in copy_fields(TMP_TABLE_PARAM*) /data/src/10.6/sql/sql_select.cc:25866
          #15 0x55b56c02e464 in end_send_group(JOIN*, st_join_table*, bool) /data/src/10.6/sql/sql_select.cc:22515
          #16 0x55b56c02080a in do_select /data/src/10.6/sql/sql_select.cc:20552
          #17 0x55b56bfad4fa in JOIN::exec_inner() /data/src/10.6/sql/sql_select.cc:4737
          #18 0x55b56bfaa9db in JOIN::exec() /data/src/10.6/sql/sql_select.cc:4515
          #19 0x55b56bfaef36 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.6/sql/sql_select.cc:4993
          #20 0x55b56bf7f40c in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.6/sql/sql_select.cc:545
          #21 0x55b56bee4802 in execute_sqlcom_select /data/src/10.6/sql/sql_parse.cc:6256
          #22 0x55b56bed32be in mysql_execute_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:3946
          #23 0x55b56beefac5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.6/sql/sql_parse.cc:8030
          #24 0x55b56bec5b73 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/10.6/sql/sql_parse.cc:1896
          #25 0x55b56bec2897 in do_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:1404
          #26 0x55b56c328a8c in do_handle_one_connection(CONNECT*, bool) /data/src/10.6/sql/sql_connect.cc:1418
          #27 0x55b56c328318 in handle_one_connection /data/src/10.6/sql/sql_connect.cc:1312
          #28 0x55b56cf95298 in pfs_spawn_thread /data/src/10.6/storage/perfschema/pfs.cc:2201
          #29 0x7f36c7a5b608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
       
      Thread T5 created by T0 here:
          #0 0x7f36c8071805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
          #1 0x55b56cf9024e in my_thread_create /data/src/10.6/storage/perfschema/my_thread.h:48
          #2 0x55b56cf9568b in pfs_spawn_thread_v1 /data/src/10.6/storage/perfschema/pfs.cc:2252
          #3 0x55b56bbafd98 in inline_mysql_thread_create /data/src/10.6/include/mysql/psi/mysql_thread.h:1139
          #4 0x55b56bbc767e in create_thread_to_handle_connection(CONNECT*) /data/src/10.6/sql/mysqld.cc:5922
          #5 0x55b56bbc7cfa in create_new_thread(CONNECT*) /data/src/10.6/sql/mysqld.cc:5981
          #6 0x55b56bbc8067 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.6/sql/mysqld.cc:6043
          #7 0x55b56bbc8a65 in handle_connections_sockets() /data/src/10.6/sql/mysqld.cc:6167
          #8 0x55b56bbc6e7a in mysqld_main(int, char**) /data/src/10.6/sql/mysqld.cc:5817
          #9 0x55b56bbaf0bc in main /data/src/10.6/sql/main.cc:34
          #10 0x7f36c75330b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
       
      SUMMARY: AddressSanitizer: heap-use-after-free (/lib/x86_64-linux-gnu/libasan.so.5+0xa0f3f) in __interceptor_memmove
      Shadow bytes around the buggy address:
        0x0c1e80013100: 00 04 fa fa fa fa fa fa fa fa 00 00 00 00 00 00
        0x0c1e80013110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 fa
        0x0c1e80013120: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
        0x0c1e80013130: 00 00 00 00 00 00 00 00 00 00 00 00 00 04 fa fa
        0x0c1e80013140: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
      =>0x0c1e80013150: fd fd fd fd fd fd fd[fd]fd fd fd fd fa fa fa fa
        0x0c1e80013160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c1e80013170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c1e80013180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c1e80013190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c1e800131a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==1375312==ABORTING
      211014  1:29:35 [ERROR] mysqld got signal 6 ;
      This could be because you hit a bug. It is also possible that this binary
      or one of the libraries it was linked against is corrupt, improperly built,
      or misconfigured. This error can also be caused by malfunctioning hardware.
       
      To report this bug, see https://mariadb.com/kb/en/reporting-bugs
       
      We will try our best to scrape up some info that will hopefully help
      diagnose the problem, but since we have already crashed, 
      something is definitely wrong and this may fail.
       
      Server version: 10.6.5-MariaDB-debug-log
      key_buffer_size=1048576
      read_buffer_size=131072
      max_used_connections=1
      max_threads=153
      thread_count=1
      It is possible that mysqld could use up to 
      key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 63858 K  bytes of memory
      Hope that's ok; if not, decrease some variables in the equation.
       
      Thread pointer: 0x62b00007e288
      Attempting backtrace. You can use the following information to find out
      where mysqld died. If you see no messages after this, something went
      terribly wrong...
      stack_bottom = 0x7f36be0f6cd0 thread_stack 0x100000
      ??:0(__interceptor_tcgetattr)[0x7f36c80a3d30]
      /mnt-hd8t/bld/10.6-asan-nightly/bin/mariadbd(my_print_stacktrace+0xec)[0x55b56dbc79b5]
      /mnt-hd8t/bld/10.6-asan-nightly/bin/mariadbd(handle_fatal_signal+0xa22)[0x55b56c72e44f]
      sigaction.c:0(__restore_rt)[0x7f36c7a673c0]
      ??:0(gsignal)[0x7f36c755218b]
      ??:0(abort)[0x7f36c7531859]
      ??:0(__sanitizer_set_report_fd)[0x7f36c81626a2]
      ??:0(__sanitizer_get_module_and_offset_for_pc)[0x7f36c816d24c]
      ??:0(__sanitizer_ptr_cmp)[0x7f36c814e8ec]
      ??:0(__asan_on_error)[0x7f36c814e363]
      ??:0(memmove)[0x7f36c80d7f5f]
      sql/sql_string.cc:251(Binary_string::copy(Binary_string const&))[0x55b56c134464]
      sql/sql_string.h:881(String::copy(String const&))[0x55b56bdc88e6]
      sql/item.cc:4989(Item_copy_string::copy())[0x55b56c7b092d]
      sql/sql_select.cc:25865(copy_fields(TMP_TABLE_PARAM*))[0x55b56c046d33]
      sql/sql_select.cc:22516(end_send_group(JOIN*, st_join_table*, bool))[0x55b56c02e465]
      sql/sql_select.cc:20552(do_select(JOIN*, Procedure*))[0x55b56c02080b]
      sql/sql_select.cc:4737(JOIN::exec_inner())[0x55b56bfad4fb]
      sql/sql_select.cc:4516(JOIN::exec())[0x55b56bfaa9dc]
      sql/sql_select.cc:4995(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55b56bfaef37]
      sql/sql_select.cc:545(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55b56bf7f40d]
      sql/sql_parse.cc:6256(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55b56bee4803]
      sql/sql_parse.cc:3946(mysql_execute_command(THD*, bool))[0x55b56bed32bf]
      sql/sql_parse.cc:8030(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x55b56beefac6]
      sql/sql_parse.cc:1898(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x55b56bec5b74]
      sql/sql_parse.cc:1404(do_command(THD*, bool))[0x55b56bec2898]
      sql/sql_connect.cc:1418(do_handle_one_connection(CONNECT*, bool))[0x55b56c328a8d]
      sql/sql_connect.cc:1314(handle_one_connection)[0x55b56c328319]
      perfschema/pfs.cc:2203(pfs_spawn_thread)[0x55b56cf95299]
      nptl/pthread_create.c:478(start_thread)[0x7f36c7a5b609]
      ??:0(clone)[0x7f36c762e293]
       
      Trying to get some variables.
      Some pointers may be invalid and cause the dump to abort.
      Query (0x62b0000852a8): SELECT CAST(MD5(NOW()) AS CHAR) AS f, COUNT(*) FROM DUAL GROUP BY f
       
      Connection ID (thread ID): 4
      Status: NOT_KILLED
       
      Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off
       
      The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains
      information that should help you find out what is causing the crash.
      Writing a core file...
      Working directory at /dev/shm/var_auto_W9Up/mysqld.1/data
      Resource Limits:
      Limit                     Soft Limit           Hard Limit           Units     
      Max cpu time              unlimited            unlimited            seconds   
      Max file size             unlimited            unlimited            bytes     
      Max data size             unlimited            unlimited            bytes     
      Max stack size            8388608              unlimited            bytes     
      Max core file size        unlimited            unlimited            bytes     
      Max resident set          unlimited            unlimited            bytes     
      Max processes             385736               385736               processes 
      Max open files            1024                 1024                 files     
      Max locked memory         67108864             67108864             bytes     
      Max address space         unlimited            unlimited            bytes     
      Max file locks            unlimited            unlimited            locks     
      Max pending signals       385736               385736               signals   
      Max msgqueue size         819200               819200               bytes     
      Max nice priority         0                    0                    
      Max realtime priority     0                    0                    
      Max realtime timeout      unlimited            unlimited            us        
      Core pattern: |/usr/share/apport/apport %p %s %c %d %P %E
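
Reading the three ASAN stacks together: the bytes that memmove reads in Binary_string::copy (sql_string.cc:250) sit inside the block that the same copy() call had just released through alloc() -> real_alloc() -> free_buffer() (sql_string.cc:247 and :44), and that block had been allocated by the val_str() chain (Datetime::to_string -> Item_func_md5 -> Item_char_typecast) invoked from the very same Item_copy_string::copy() two lines earlier (item.cc:4986). That is consistent with copy() being handed a source String whose bytes live in the destination's own buffer: the copy grows the destination first and reads the source second, after the source's storage has already been freed. The stand-alone C++ model below is added here to show that pattern next to a guarded copy; it is not MariaDB's sql_string.cc, and its ToyString class, the quarantining allocator, the buffer sizes and the sample digest are hypothetical choices made for the illustration.

```cpp
// Added model of a copy that reads from its own just-freed buffer.
// Not MariaDB code: ToyString, the quarantine allocator, the sizes and the
// sample digest below are hypothetical choices made for this illustration.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <memory>
#include <utility>
#include <vector>

// Quarantining allocator: a released block is filled with 0xFD (the value ASan
// shows for freed heap in the shadow dump above) and never handed out again,
// so a read-after-free is deterministic here instead of undefined behaviour.
namespace quarantine {
static std::vector<std::unique_ptr<char[]>> blocks;      // keeps every block alive
static std::vector<std::pair<char *, size_t>> freed;     // (ptr, size) of released blocks

static char *alloc(size_t n) {
    blocks.emplace_back(new char[n]);
    return blocks.back().get();
}
static void release(char *p, size_t n) {
    std::memset(p, 0xFD, n);
    freed.emplace_back(p, n);
}
static bool is_freed(const char *p) {
    uintptr_t a = reinterpret_cast<uintptr_t>(p);
    for (const auto &f : freed) {
        uintptr_t b = reinterpret_cast<uintptr_t>(f.first);
        if (a >= b && a < b + f.second) return true;
    }
    return false;
}
}  // namespace quarantine

// Minimal String: pointer, length, and the capacity it owns (cap == 0 means a
// view that borrows someone else's bytes, like String(ptr, len) in the server).
struct ToyString {
    char *ptr = nullptr;
    size_t len = 0;
    size_t cap = 0;

    static size_t align8(size_t n) { return (n + 7) & ~static_cast<size_t>(7); }

    // Same shape as the real_alloc()/free_buffer() pair in the stacks: when the
    // owned buffer is too small, free it and take a fresh one.
    bool real_alloc(size_t n) {
        size_t need = align8(n + 1);
        len = 0;
        if (cap < need) {
            if (cap) quarantine::release(ptr, cap);   // old bytes are gone from here on
            ptr = quarantine::alloc(need);
            cap = need;
        }
        return false;
    }
    bool alloc(size_t n) { return n < cap ? false : real_alloc(n); }

    void set_view(const char *p, size_t n) { ptr = const_cast<char *>(p); len = n; cap = 0; }

    bool overlaps_own_buffer(const ToyString &s) const {
        uintptr_t a = reinterpret_cast<uintptr_t>(s.ptr), b = reinterpret_cast<uintptr_t>(ptr);
        return cap != 0 && a >= b && a + s.len <= b + cap;
    }

    // Unsafe: grow first, read second. If `s` views this object's own buffer
    // and the buffer has to grow, alloc() has just freed the bytes memmove reads.
    bool copy_unsafe(const ToyString &s) {
        if (alloc(s.len)) return true;
        if (s.len) std::memmove(ptr, s.ptr, s.len);
        len = s.len;
        return false;
    }

    // Guarded: if `s` lives in our buffer, save its bytes before reallocating.
    bool copy_safe(const ToyString &s) {
        if (&s == this) return false;
        if (!overlaps_own_buffer(s)) return copy_unsafe(s);
        std::vector<char> keep(s.ptr, s.ptr + s.len);   // copy out before alloc() can free
        if (alloc(keep.size())) return true;
        if (!keep.empty()) std::memmove(ptr, keep.data(), keep.size());
        len = keep.size();
        return false;
    }
};

// Constructed sample result: 32 hex characters, the length of an MD5 digest.
static const char kDigestHex[] = "0cc175b9c0f1b6a831c399e269772661";

// Stand-in for the val_str() chain in the stacks: it allocates into the
// caller's scratch String, writes the result there, and returns a different
// String object that only views those bytes. Sizes are chosen so the later
// copy has to grow the buffer (30 rounds up to 32; 32 bytes then need 40).
static ToyString produce_into(ToyString &scratch) {
    scratch.alloc(30);
    std::memcpy(scratch.ptr, kDigestHex, 32);
    scratch.len = 32;
    ToyString view;
    view.set_view(scratch.ptr, 32);
    return view;
}

// True when the unsafe copy ends up holding quarantine poison, i.e. it read
// from the block it had released a moment earlier.
bool unsafe_copy_reads_freed_bytes() {
    ToyString str_value;
    ToyString res = produce_into(str_value);
    str_value.copy_unsafe(res);
    bool poisoned = str_value.len == 32;
    for (size_t i = 0; i < str_value.len; i++)
        if (static_cast<unsigned char>(str_value.ptr[i]) != 0xFD) poisoned = false;
    return poisoned && quarantine::is_freed(res.ptr);
}

// True when the guarded copy keeps the digest intact in a fresh buffer.
bool safe_copy_keeps_digest() {
    ToyString str_value;
    ToyString res = produce_into(str_value);
    str_value.copy_safe(res);
    return str_value.len == 32 && std::memcmp(str_value.ptr, kDigestHex, 32) == 0 &&
           str_value.ptr != res.ptr && quarantine::is_freed(res.ptr);
}
```

In the model the stale read shows up as 32 bytes of 0xFD, the same marker the shadow dump above labels "Freed heap region"; in the real server the same read is what ASan and Valgrind flag in memmove. The guarded variant does not change what a well-formed copy produces; it only takes the extra copy when the source provably lives inside the destination's own allocation.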
      

      10.6 0144d1d2 Valgrind

      ==1375468== Thread 6:
      ==1375468== Invalid read of size 8
      ==1375468==    at 0x4842A7C: memmove (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==1375468==    by 0xB35B3F: Binary_string::copy(Binary_string const&) (sql_string.cc:250)
      ==1375468==    by 0x9D7137: String::copy(String const&) (sql_string.h:880)
      ==1375468==    by 0xE2164C: Item_copy_string::copy() (item.cc:4988)
      ==1375468==    by 0xADCA81: copy_fields(TMP_TABLE_PARAM*) (sql_select.cc:25866)
      ==1375468==    by 0xAD3FCD: end_send_group(JOIN*, st_join_table*, bool) (sql_select.cc:22515)
      ==1375468==    by 0xACF3A8: do_select(JOIN*, Procedure*) (sql_select.cc:20552)
      ==1375468==    by 0xAA2836: JOIN::exec_inner() (sql_select.cc:4737)
      ==1375468==    by 0xAA18AC: JOIN::exec() (sql_select.cc:4515)
      ==1375468==    by 0xAA31E6: mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:4993)
      ==1375468==    by 0xA923EA: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:545)
      ==1375468==    by 0xA522A2: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:6256)
      ==1375468==    by 0xA4950A: mysql_execute_command(THD*, bool) (sql_parse.cc:3946)
      ==1375468==    by 0xA570F2: mysql_parse(THD*, char*, unsigned int, Parser_state*) (sql_parse.cc:8030)
      ==1375468==    by 0xA43522: dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) (sql_parse.cc:1896)
      ==1375468==    by 0xA41EBE: do_command(THD*, bool) (sql_parse.cc:1404)
      ==1375468==  Address 0xc47f098 is 24 bytes inside a block of size 56 free'd
      ==1375468==    at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==1375468==    by 0x172BA65: my_free (my_malloc.c:211)
      ==1375468==    by 0x8FB670: Binary_string::free_buffer() (sql_string.h:227)
      ==1375468==    by 0xB3521B: Binary_string::real_alloc(unsigned long) (sql_string.cc:44)
      ==1375468==    by 0x90D1DF: Binary_string::alloc(unsigned long) (sql_string.h:698)
      ==1375468==    by 0xB35AF4: Binary_string::copy(Binary_string const&) (sql_string.cc:247)
      ==1375468==    by 0x9D7137: String::copy(String const&) (sql_string.h:880)
      ==1375468==    by 0xE2164C: Item_copy_string::copy() (item.cc:4988)
      ==1375468==    by 0xADCA81: copy_fields(TMP_TABLE_PARAM*) (sql_select.cc:25866)
      ==1375468==    by 0xAD3FCD: end_send_group(JOIN*, st_join_table*, bool) (sql_select.cc:22515)
      ==1375468==    by 0xACF3A8: do_select(JOIN*, Procedure*) (sql_select.cc:20552)
      ==1375468==    by 0xAA2836: JOIN::exec_inner() (sql_select.cc:4737)
      ==1375468==    by 0xAA18AC: JOIN::exec() (sql_select.cc:4515)
      ==1375468==    by 0xAA31E6: mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:4993)
      ==1375468==    by 0xA923EA: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:545)
      ==1375468==    by 0xA522A2: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:6256)
      ==1375468==  Block was alloc'd at
      ==1375468==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==1375468==    by 0x172B276: my_malloc (my_malloc.c:90)
      ==1375468==    by 0xB3524A: Binary_string::real_alloc(unsigned long) (sql_string.cc:45)
      ==1375468==    by 0x90D1DF: Binary_string::alloc(unsigned long) (sql_string.h:698)
      ==1375468==    by 0xA2A702: Datetime::to_string(String*, unsigned int) const (sql_type.h:2583)
      ==1375468==    by 0xA2E762: Item_datetimefunc::val_str(String*) (item_timefunc.h:704)
      ==1375468==    by 0xEC0648: Item_func_md5::val_str_ascii(String*) (item_strfunc.cc:163)
      ==1375468==    by 0xEBFFDF: Item_func::val_str_from_val_str_ascii(String*, String*) (item_strfunc.cc:98)
      ==1375468==    by 0xD5FD27: Item_str_ascii_func::val_str(String*) (item_strfunc.h:94)
      ==1375468==    by 0xF18BF5: Item_char_typecast::val_str_generic(String*) (item_timefunc.cc:3172)
      ==1375468==    by 0xF22D86: Item_char_typecast_func_handler::val_str(Item_handled_func*, String*) const (item_timefunc.cc:3275)
      ==1375468==    by 0xCE065C: Item_handled_func::val_str(String*) (item_func.h:770)
      ==1375468==    by 0xE2161C: Item_copy_string::copy() (item.cc:4986)
      ==1375468==    by 0xADCA81: copy_fields(TMP_TABLE_PARAM*) (sql_select.cc:25866)
      ==1375468==    by 0xAD3FCD: end_send_group(JOIN*, st_join_table*, bool) (sql_select.cc:22515)
      ==1375468==    by 0xACF3A8: do_select(JOIN*, Procedure*) (sql_select.cc:20552)
      ==1375468== Invalid read of size 8
      ==1375468==    at 0x4842A87: memmove (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==1375468==    by 0xB35B3F: Binary_string::copy(Binary_string const&) (sql_string.cc:250)
      ==1375468==    by 0x9D7137: String::copy(String const&) (sql_string.h:880)
      ==1375468==    by 0xE2164C: Item_copy_string::copy() (item.cc:4988)
      ==1375468==    by 0xADCA81: copy_fields(TMP_TABLE_PARAM*) (sql_select.cc:25866)
      ==1375468==    by 0xAD3FCD: end_send_group(JOIN*, st_join_table*, bool) (sql_select.cc:22515)
      ==1375468==    by 0xACF3A8: do_select(JOIN*, Procedure*) (sql_select.cc:20552)
      ==1375468==    by 0xAA2836: JOIN::exec_inner() (sql_select.cc:4737)
      ==1375468==    by 0xAA18AC: JOIN::exec() (sql_select.cc:4515)
      ==1375468==    by 0xAA31E6: mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:4993)
      ==1375468==    by 0xA923EA: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:545)
      ==1375468==    by 0xA522A2: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:6256)
      ==1375468==    by 0xA4950A: mysql_execute_command(THD*, bool) (sql_parse.cc:3946)
      ==1375468==    by 0xA570F2: mysql_parse(THD*, char*, unsigned int, Parser_state*) (sql_parse.cc:8030)
      ==1375468==    by 0xA43522: dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) (sql_parse.cc:1896)
      ==1375468==    by 0xA41EBE: do_command(THD*, bool) (sql_parse.cc:1404)
      ==1375468==  Address 0xc47f0a0 is 32 bytes inside a block of size 56 free'd
      ==1375468==    at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==1375468==    by 0x172BA65: my_free (my_malloc.c:211)
      ==1375468==    by 0x8FB670: Binary_string::free_buffer() (sql_string.h:227)
      ==1375468==    by 0xB3521B: Binary_string::real_alloc(unsigned long) (sql_string.cc:44)
      ==1375468==    by 0x90D1DF: Binary_string::alloc(unsigned long) (sql_string.h:698)
      ==1375468==    by 0xB35AF4: Binary_string::copy(Binary_string const&) (sql_string.cc:247)
      ==1375468==    by 0x9D7137: String::copy(String const&) (sql_string.h:880)
      ==1375468==    by 0xE2164C: Item_copy_string::copy() (item.cc:4988)
      ==1375468==    by 0xADCA81: copy_fields(TMP_TABLE_PARAM*) (sql_select.cc:25866)
      ==1375468==    by 0xAD3FCD: end_send_group(JOIN*, st_join_table*, bool) (sql_select.cc:22515)
      ==1375468==    by 0xACF3A8: do_select(JOIN*, Procedure*) (sql_select.cc:20552)
      ==1375468==    by 0xAA2836: JOIN::exec_inner() (sql_select.cc:4737)
      ==1375468==    by 0xAA18AC: JOIN::exec() (sql_select.cc:4515)
      ==1375468==    by 0xAA31E6: mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:4993)
      ==1375468==    by 0xA923EA: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:545)
      ==1375468==    by 0xA522A2: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:6256)
      ==1375468==  Block was alloc'd at
      ==1375468==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==1375468==    by 0x172B276: my_malloc (my_malloc.c:90)
      ==1375468==    by 0xB3524A: Binary_string::real_alloc(unsigned long) (sql_string.cc:45)
      ==1375468==    by 0x90D1DF: Binary_string::alloc(unsigned long) (sql_string.h:698)
      ==1375468==    by 0xA2A702: Datetime::to_string(String*, unsigned int) const (sql_type.h:2583)
      ==1375468==    by 0xA2E762: Item_datetimefunc::val_str(String*) (item_timefunc.h:704)
      ==1375468==    by 0xEC0648: Item_func_md5::val_str_ascii(String*) (item_strfunc.cc:163)
      ==1375468==    by 0xEBFFDF: Item_func::val_str_from_val_str_ascii(String*, String*) (item_strfunc.cc:98)
      ==1375468==    by 0xD5FD27: Item_str_ascii_func::val_str(String*) (item_strfunc.h:94)
      ==1375468==    by 0xF18BF5: Item_char_typecast::val_str_generic(String*) (item_timefunc.cc:3172)
      ==1375468==    by 0xF22D86: Item_char_typecast_func_handler::val_str(Item_handled_func*, String*) const (item_timefunc.cc:3275)
      ==1375468==    by 0xCE065C: Item_handled_func::val_str(String*) (item_func.h:770)
      ==1375468==    by 0xE2161C: Item_copy_string::copy() (item.cc:4986)
      ==1375468==    by 0xADCA81: copy_fields(TMP_TABLE_PARAM*) (sql_select.cc:25866)
      ==1375468==    by 0xAD3FCD: end_send_group(JOIN*, st_join_table*, bool) (sql_select.cc:22515)
      ==1375468==    by 0xACF3A8: do_select(JOIN*, Procedure*) (sql_select.cc:20552)
      ==1375468== Invalid read of size 8
      ==1375468==    at 0x4842A8F: memmove (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==1375468==    by 0xB35B3F: Binary_string::copy(Binary_string const&) (sql_string.cc:250)
      ==1375468==    by 0x9D7137: String::copy(String const&) (sql_string.h:880)
      ==1375468==    by 0xE2164C: Item_copy_string::copy() (item.cc:4988)
      ==1375468==    by 0xADCA81: copy_fields(TMP_TABLE_PARAM*) (sql_select.cc:25866)
      ==1375468==    by 0xAD3FCD: end_send_group(JOIN*, st_join_table*, bool) (sql_select.cc:22515)
      ==1375468==    by 0xACF3A8: do_select(JOIN*, Procedure*) (sql_select.cc:20552)
      ==1375468==    by 0xAA2836: JOIN::exec_inner() (sql_select.cc:4737)
      ==1375468==    by 0xAA18AC: JOIN::exec() (sql_select.cc:4515)
      ==1375468==    by 0xAA31E6: mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:4993)
      ==1375468==    by 0xA923EA: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:545)
      ==1375468==    by 0xA522A2: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:6256)
      ==1375468==    by 0xA4950A: mysql_execute_command(THD*, bool) (sql_parse.cc:3946)
      ==1375468==    by 0xA570F2: mysql_parse(THD*, char*, unsigned int, Parser_state*) (sql_parse.cc:8030)
      ==1375468==    by 0xA43522: dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) (sql_parse.cc:1896)
      ==1375468==    by 0xA41EBE: do_command(THD*, bool) (sql_parse.cc:1404)
      ==1375468==  Address 0xc47f0a8 is 40 bytes inside a block of size 56 free'd
      ==1375468==    at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==1375468==    by 0x172BA65: my_free (my_malloc.c:211)
      ==1375468==    by 0x8FB670: Binary_string::free_buffer() (sql_string.h:227)
      ==1375468==    by 0xB3521B: Binary_string::real_alloc(unsigned long) (sql_string.cc:44)
      ==1375468==    by 0x90D1DF: Binary_string::alloc(unsigned long) (sql_string.h:698)
      ==1375468==    by 0xB35AF4: Binary_string::copy(Binary_string const&) (sql_string.cc:247)
      ==1375468==    by 0x9D7137: String::copy(String const&) (sql_string.h:880)
      ==1375468==    by 0xE2164C: Item_copy_string::copy() (item.cc:4988)
      ==1375468==    by 0xADCA81: copy_fields(TMP_TABLE_PARAM*) (sql_select.cc:25866)
      ==1375468==    by 0xAD3FCD: end_send_group(JOIN*, st_join_table*, bool) (sql_select.cc:22515)
      ==1375468==    by 0xACF3A8: do_select(JOIN*, Procedure*) (sql_select.cc:20552)
      ==1375468==    by 0xAA2836: JOIN::exec_inner() (sql_select.cc:4737)
      ==1375468==    by 0xAA18AC: JOIN::exec() (sql_select.cc:4515)
      ==1375468==    by 0xAA31E6: mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:4993)
      ==1375468==    by 0xA923EA: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:545)
      ==1375468==    by 0xA522A2: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:6256)
      ==1375468==  Block was alloc'd at
      ==1375468==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==1375468==    by 0x172B276: my_malloc (my_malloc.c:90)
      ==1375468==    by 0xB3524A: Binary_string::real_alloc(unsigned long) (sql_string.cc:45)
      ==1375468==    by 0x90D1DF: Binary_string::alloc(unsigned long) (sql_string.h:698)
      ==1375468==    by 0xA2A702: Datetime::to_string(String*, unsigned int) const (sql_type.h:2583)
      ==1375468==    by 0xA2E762: Item_datetimefunc::val_str(String*) (item_timefunc.h:704)
      ==1375468==    by 0xEC0648: Item_func_md5::val_str_ascii(String*) (item_strfunc.cc:163)
      ==1375468==    by 0xEBFFDF: Item_func::val_str_from_val_str_ascii(String*, String*) (item_strfunc.cc:98)
      ==1375468==    by 0xD5FD27: Item_str_ascii_func::val_str(String*) (item_strfunc.h:94)
      ==1375468==    by 0xF18BF5: Item_char_typecast::val_str_generic(String*) (item_timefunc.cc:3172)
      ==1375468==    by 0xF22D86: Item_char_typecast_func_handler::val_str(Item_handled_func*, String*) const (item_timefunc.cc:3275)
      ==1375468==    by 0xCE065C: Item_handled_func::val_str(String*) (item_func.h:770)
      ==1375468==    by 0xE2161C: Item_copy_string::copy() (item.cc:4986)
      ==1375468==    by 0xADCA81: copy_fields(TMP_TABLE_PARAM*) (sql_select.cc:25866)
      ==1375468==    by 0xAD3FCD: end_send_group(JOIN*, st_join_table*, bool) (sql_select.cc:22515)
      ==1375468==    by 0xACF3A8: do_select(JOIN*, Procedure*) (sql_select.cc:20552)
      ==1375468== Invalid read of size 8
      ==1375468==    at 0x4842A97: memmove (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==1375468==    by 0xB35B3F: Binary_string::copy(Binary_string const&) (sql_string.cc:250)
      ==1375468==    by 0x9D7137: String::copy(String const&) (sql_string.h:880)
      ==1375468==    by 0xE2164C: Item_copy_string::copy() (item.cc:4988)
      ==1375468==    by 0xADCA81: copy_fields(TMP_TABLE_PARAM*) (sql_select.cc:25866)
      ==1375468==    by 0xAD3FCD: end_send_group(JOIN*, st_join_table*, bool) (sql_select.cc:22515)
      ==1375468==    by 0xACF3A8: do_select(JOIN*, Procedure*) (sql_select.cc:20552)
      ==1375468==    by 0xAA2836: JOIN::exec_inner() (sql_select.cc:4737)
      ==1375468==    by 0xAA18AC: JOIN::exec() (sql_select.cc:4515)
      ==1375468==    by 0xAA31E6: mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:4993)
      ==1375468==    by 0xA923EA: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:545)
      ==1375468==    by 0xA522A2: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:6256)
      ==1375468==    by 0xA4950A: mysql_execute_command(THD*, bool) (sql_parse.cc:3946)
      ==1375468==    by 0xA570F2: mysql_parse(THD*, char*, unsigned int, Parser_state*) (sql_parse.cc:8030)
      ==1375468==    by 0xA43522: dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) (sql_parse.cc:1896)
      ==1375468==    by 0xA41EBE: do_command(THD*, bool) (sql_parse.cc:1404)
      ==1375468==  Address 0xc47f0b0 is 48 bytes inside a block of size 56 free'd
      ==1375468==    at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==1375468==    by 0x172BA65: my_free (my_malloc.c:211)
      ==1375468==    by 0x8FB670: Binary_string::free_buffer() (sql_string.h:227)
      ==1375468==    by 0xB3521B: Binary_string::real_alloc(unsigned long) (sql_string.cc:44)
      ==1375468==    by 0x90D1DF: Binary_string::alloc(unsigned long) (sql_string.h:698)
      ==1375468==    by 0xB35AF4: Binary_string::copy(Binary_string const&) (sql_string.cc:247)
      ==1375468==    by 0x9D7137: String::copy(String const&) (sql_string.h:880)
      ==1375468==    by 0xE2164C: Item_copy_string::copy() (item.cc:4988)
      ==1375468==    by 0xADCA81: copy_fields(TMP_TABLE_PARAM*) (sql_select.cc:25866)
      ==1375468==    by 0xAD3FCD: end_send_group(JOIN*, st_join_table*, bool) (sql_select.cc:22515)
      ==1375468==    by 0xACF3A8: do_select(JOIN*, Procedure*) (sql_select.cc:20552)
      ==1375468==    by 0xAA2836: JOIN::exec_inner() (sql_select.cc:4737)
      ==1375468==    by 0xAA18AC: JOIN::exec() (sql_select.cc:4515)
      ==1375468==    by 0xAA31E6: mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:4993)
      ==1375468==    by 0xA923EA: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:545)
      ==1375468==    by 0xA522A2: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:6256)
      ==1375468==  Block was alloc'd at
      ==1375468==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==1375468==    by 0x172B276: my_malloc (my_malloc.c:90)
      ==1375468==    by 0xB3524A: Binary_string::real_alloc(unsigned long) (sql_string.cc:45)
      ==1375468==    by 0x90D1DF: Binary_string::alloc(unsigned long) (sql_string.h:698)
      ==1375468==    by 0xA2A702: Datetime::to_string(String*, unsigned int) const (sql_type.h:2583)
      ==1375468==    by 0xA2E762: Item_datetimefunc::val_str(String*) (item_timefunc.h:704)
      ==1375468==    by 0xEC0648: Item_func_md5::val_str_ascii(String*) (item_strfunc.cc:163)
      ==1375468==    by 0xEBFFDF: Item_func::val_str_from_val_str_ascii(String*, String*) (item_strfunc.cc:98)
      ==1375468==    by 0xD5FD27: Item_str_ascii_func::val_str(String*) (item_strfunc.h:94)
      ==1375468==    by 0xF18BF5: Item_char_typecast::val_str_generic(String*) (item_timefunc.cc:3172)
      ==1375468==    by 0xF22D86: Item_char_typecast_func_handler::val_str(Item_handled_func*, String*) const (item_timefunc.cc:3275)
      ==1375468==    by 0xCE065C: Item_handled_func::val_str(String*) (item_func.h:770)
      ==1375468==    by 0xE2161C: Item_copy_string::copy() (item.cc:4986)
      ==1375468==    by 0xADCA81: copy_fields(TMP_TABLE_PARAM*) (sql_select.cc:25866)
      ==1375468==    by 0xAD3FCD: end_send_group(JOIN*, st_join_table*, bool) (sql_select.cc:22515)
      ==1375468==    by 0xACF3A8: do_select(JOIN*, Procedure*) (sql_select.cc:20552)
      

      Non-instrumented builds don't crash, but a debug build returns garbage:

      SELECT CAST(MD5(NOW()) AS CHAR) AS f, COUNT(*) FROM DUAL GROUP BY f;
      f	COUNT(*)
      �������������������������������	1
      

      Reproducible on 10.6-10.7, not reproducible on 10.5.
      The failure appeared in 10.6 after this commit:

      commit 36cdd5c3cdb06d8538f64c0b312ffe4672a92e75
      Author: Monty <monty@mariadb.org>
      Date:   Wed Sep 16 11:23:50 2020 +0300
       
          Optimize usage of c_ptr(), c_ptr_quick() and String::alloc()
          
          The problem was that when one used String::alloc() to allocate a string,
      
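      The traces above share one shape: Binary_string::copy() calls alloc(), real_alloc() frees the buffer the string already holds, and the memmove() two lines later reads from a source that lived in that freed block (allocated by the val_str() call just before the copy). The toy model below is added here and is not MariaDB's code: a stand-in string class with the same free-then-read copy beside a hardened copy that checks for aliasing before anything is freed. The allocation policy, the exact-fit buffer used to reach the reallocating branch, and the quarantine allocator that trashes "freed" bytes (so the stale read is deterministic rather than undefined) are modelling assumptions, not the server's logic.

```cpp
// Added example, not MariaDB code: toy model of the free-then-read copy
// pattern seen in the MDEV-26822 traces, with a hardened variant beside it.
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <string>
#include <vector>

// Toy "debug allocator" (assumption of this model): freed blocks are filled
// with 0xA5 and parked in a quarantine instead of going back to malloc, so the
// stale read below yields garbage deterministically, like the debug build in
// the report, instead of undefined behaviour.
static std::vector<char*> g_quarantine;

static void toy_free(char* p, size_t n) {
  std::memset(p, 0xA5, n);
  g_quarantine.push_back(p);
}

struct ToyString {
  char* ptr = nullptr;
  size_t len = 0;       // bytes in use
  size_t alloced = 0;   // bytes owned (0 for a non-owning view)
  bool owned = false;

  ToyString() = default;
  ToyString(const ToyString&) = delete;
  ToyString& operator=(const ToyString&) = delete;
  ~ToyString() { if (owned) toy_free(ptr, alloced); }

  // Take ownership of an exactly sized block (len == alloced).
  void adopt(char* block, size_t n) { ptr = block; len = alloced = n; owned = true; }
  // Point at bytes owned by someone else, like a String built from (ptr, len).
  void set_view(char* p, size_t n) { ptr = p; len = n; alloced = 0; owned = false; }

  // Modelled on the trace: real_alloc() frees the old buffer *before* it
  // obtains the new one; alloc() only skips that when spare room exists.
  void real_alloc(size_t n) {
    if (owned) toy_free(ptr, alloced);
    ptr = static_cast<char*>(std::malloc(n + 1));
    alloced = n + 1; len = 0; owned = true;
  }
  void alloc(size_t n) { if (n < alloced) return; real_alloc(n); }

  // Vulnerable shape: if src lives in our own buffer, alloc() frees it and the
  // memmove() reads the freed block.
  void copy_unsafe(const ToyString& src) {
    alloc(src.len);                          // may free src.ptr's block
    std::memmove(ptr, src.ptr, src.len);     // stale read if it did
    len = src.len;
    ptr[len] = '\0';
  }

  // Hardened: detect aliasing first, copy the bytes out while they are alive,
  // and only then release the old buffer.
  void copy_safe(const ToyString& src) {
    const std::uintptr_t s = reinterpret_cast<std::uintptr_t>(src.ptr);
    const std::uintptr_t lo = reinterpret_cast<std::uintptr_t>(ptr);
    const bool aliases = owned && s >= lo && s < lo + alloced;
    if (!aliases) { copy_unsafe(src); return; }
    char* fresh = static_cast<char*>(std::malloc(src.len + 1));
    std::memmove(fresh, src.ptr, src.len);   // source still valid here
    toy_free(ptr, alloced);
    ptr = fresh; alloced = src.len + 1; len = src.len; owned = true;
    ptr[len] = '\0';
  }

  std::string str() const { return std::string(ptr, len); }
};

// Drive both copies through the aliasing precondition. The 32-char value is a
// constructed stand-in for the MD5 hex string in the report; the exact-fit
// buffer is how this toy reaches the reallocating branch (a modelling choice).
static std::string run_copy(bool safe) {
  const char hex[] = "0123456789abcdef0123456789abcdef";
  const size_t n = sizeof(hex) - 1;
  ToyString dest;
  dest.adopt(static_cast<char*>(std::malloc(n)), n);
  std::memcpy(dest.ptr, hex, n);
  ToyString res;                 // the "other String" that points into dest
  res.set_view(dest.ptr, n);
  if (safe) dest.copy_safe(res); else dest.copy_unsafe(res);
  return dest.str();
}

// True when the unsafe copy returned trashed bytes instead of the input.
static bool unsafe_copy_reads_freed_memory() {
  std::string s = run_copy(false);
  return s.size() == 32 && s.find(static_cast<char>(0xA5)) != std::string::npos;
}

static bool safe_copy_preserves_value() {
  return run_copy(true) == "0123456789abcdef0123456789abcdef";
}

int main() {
  return (unsafe_copy_reads_freed_memory() && safe_copy_preserves_value()) ? 0 : 1;
}
```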

          Activity

            Another one, started from the same commit

            CREATE TABLE t (f VARCHAR(512) COMPRESSED);
            INSERT INTO t VALUES (REPEAT('a',357)),(REPEAT('b',360));
            SELECT CASE (BINARY f) WHEN 'foo' THEN 1 END AS x FROM t GROUP BY x;
             
            # Cleanup
            DROP TABLE t;
            

            10.6 7da0f30c

            ==562164==ERROR: AddressSanitizer: heap-use-after-free on address 0x6130000210d8 at pc 0x7f9539576541 bp 0x7f952fc9aa80 sp 0x7f952fc9a230
            READ of size 360 at 0x6130000210d8 thread T5
                #0 0x7f9539576540 in __interceptor_memmove ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789
                #1 0x56302b4ebc03 in Binary_string::copy(Binary_string const&) /data/src/10.6/sql/sql_string.cc:250
                #2 0x56302bb26b2f in String::copy(String const&) /data/src/10.6/sql/sql_string.h:880
                #3 0x56302bb26b2f in cmp_item_sort_string::store_value(Item*) /data/src/10.6/sql/item_cmpfunc.h:1727
                #4 0x56302badb3e1 in Predicant_to_list_comparator::cmp_arg(Item_args*, unsigned int) /data/src/10.6/sql/item_cmpfunc.h:2068
                #5 0x56302badb3e1 in Predicant_to_list_comparator::cmp(Item_args*, unsigned int*, bool*) /data/src/10.6/sql/item_cmpfunc.h:2259
                #6 0x56302badb3e1 in Item_func_case_simple::find_item() /data/src/10.6/sql/item_cmpfunc.cc:3013
                #7 0x56302bacefe5 in Item_func_case::int_op() /data/src/10.6/sql/item_cmpfunc.cc:3051
                #8 0x56302ba9701f in Item::save_int_in_field(Field*, bool) /data/src/10.6/sql/item.cc:6814
                #9 0x56302ba5eec0 in Item::save_in_field(Field*, bool) /data/src/10.6/sql/item.cc:6824
                #10 0x56302b408490 in copy_funcs(Item**, THD const*) /data/src/10.6/sql/sql_select.cc:26315
                #11 0x56302b4087ca in end_write /data/src/10.6/sql/sql_select.cc:22593
                #12 0x56302b378ac6 in evaluate_join_record /data/src/10.6/sql/sql_select.cc:21338
                #13 0x56302b3b621a in sub_select(JOIN*, st_join_table*, bool) /data/src/10.6/sql/sql_select.cc:21147
                #14 0x56302b4578e1 in do_select /data/src/10.6/sql/sql_select.cc:20653
                #15 0x56302b4578e1 in JOIN::exec_inner() /data/src/10.6/sql/sql_select.cc:4755
                #16 0x56302b4593f2 in JOIN::exec() /data/src/10.6/sql/sql_select.cc:4533
                #17 0x56302b451cfb in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.6/sql/sql_select.cc:5012
                #18 0x56302b4537d5 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.6/sql/sql_select.cc:545
                #19 0x56302b2ca5a0 in execute_sqlcom_select /data/src/10.6/sql/sql_parse.cc:6271
                #20 0x56302b2f3137 in mysql_execute_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:3961
                #21 0x56302b2f808a in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.6/sql/sql_parse.cc:8045
                #22 0x56302b2fd6c4 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/10.6/sql/sql_parse.cc:1912
                #23 0x56302b3030c5 in do_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:1409
                #24 0x56302b68807d in do_handle_one_connection(CONNECT*, bool) /data/src/10.6/sql/sql_connect.cc:1418
                #25 0x56302b6885bc in handle_one_connection /data/src/10.6/sql/sql_connect.cc:1312
                #26 0x56302c1c096b in pfs_spawn_thread /data/src/10.6/storage/perfschema/pfs.cc:2201
                #27 0x7f9539052ea6 in start_thread nptl/pthread_create.c:477
                #28 0x7f9538c4fdee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfddee)
             
            0x6130000210d8 is located 24 bytes inside of 384-byte region [0x6130000210c0,0x613000021240)
            freed by thread T5 here:
                #0 0x7f95395e6b6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123
                #1 0x56302b4eb12e in Binary_string::free_buffer() /data/src/10.6/sql/sql_string.h:227
                #2 0x56302b4eb12e in Binary_string::free_buffer() /data/src/10.6/sql/sql_string.h:222
                #3 0x56302b4eb12e in Binary_string::real_alloc(unsigned long) /data/src/10.6/sql/sql_string.cc:44
                #4 0x56302b4ebb46 in Binary_string::alloc(unsigned long) /data/src/10.6/sql/sql_string.h:698
                #5 0x56302b4ebb46 in Binary_string::copy(Binary_string const&) /data/src/10.6/sql/sql_string.cc:247
                #6 0x56302bb26b2f in String::copy(String const&) /data/src/10.6/sql/sql_string.h:880
                #7 0x56302bb26b2f in cmp_item_sort_string::store_value(Item*) /data/src/10.6/sql/item_cmpfunc.h:1727
                #8 0x56302badb3e1 in Predicant_to_list_comparator::cmp_arg(Item_args*, unsigned int) /data/src/10.6/sql/item_cmpfunc.h:2068
                #9 0x56302badb3e1 in Predicant_to_list_comparator::cmp(Item_args*, unsigned int*, bool*) /data/src/10.6/sql/item_cmpfunc.h:2259
                #10 0x56302badb3e1 in Item_func_case_simple::find_item() /data/src/10.6/sql/item_cmpfunc.cc:3013
                #11 0x56302bacefe5 in Item_func_case::int_op() /data/src/10.6/sql/item_cmpfunc.cc:3051
                #12 0x56302ba9701f in Item::save_int_in_field(Field*, bool) /data/src/10.6/sql/item.cc:6814
                #13 0x56302ba5eec0 in Item::save_in_field(Field*, bool) /data/src/10.6/sql/item.cc:6824
                #14 0x56302b408490 in copy_funcs(Item**, THD const*) /data/src/10.6/sql/sql_select.cc:26315
                #15 0x56302b4087ca in end_write /data/src/10.6/sql/sql_select.cc:22593
                #16 0x56302b378ac6 in evaluate_join_record /data/src/10.6/sql/sql_select.cc:21338
                #17 0x56302b3b621a in sub_select(JOIN*, st_join_table*, bool) /data/src/10.6/sql/sql_select.cc:21147
                #18 0x56302b4578e1 in do_select /data/src/10.6/sql/sql_select.cc:20653
                #19 0x56302b4578e1 in JOIN::exec_inner() /data/src/10.6/sql/sql_select.cc:4755
                #20 0x56302b4593f2 in JOIN::exec() /data/src/10.6/sql/sql_select.cc:4533
                #21 0x56302b451cfb in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.6/sql/sql_select.cc:5012
                #22 0x56302b4537d5 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.6/sql/sql_select.cc:545
                #23 0x56302b2ca5a0 in execute_sqlcom_select /data/src/10.6/sql/sql_parse.cc:6271
                #24 0x56302b2f3137 in mysql_execute_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:3961
                #25 0x56302b2f808a in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.6/sql/sql_parse.cc:8045
                #26 0x56302b2fd6c4 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/10.6/sql/sql_parse.cc:1912
                #27 0x56302b3030c5 in do_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:1409
                #28 0x56302b68807d in do_handle_one_connection(CONNECT*, bool) /data/src/10.6/sql/sql_connect.cc:1418
                #29 0x56302b6885bc in handle_one_connection /data/src/10.6/sql/sql_connect.cc:1312
                #30 0x56302c1c096b in pfs_spawn_thread /data/src/10.6/storage/perfschema/pfs.cc:2201
                #31 0x7f9539052ea6 in start_thread nptl/pthread_create.c:477
             
            previously allocated by thread T5 here:
                #0 0x7f95395e6e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
                #1 0x56302caaafa8 in my_malloc /data/src/10.6/mysys/my_malloc.c:90
                #2 0x56302b4eb08c in Binary_string::real_alloc(unsigned long) /data/src/10.6/sql/sql_string.cc:45
                #3 0x56302b9fd41a in Binary_string::alloc(unsigned long) /data/src/10.6/sql/sql_string.h:698
                #4 0x56302b9fd41a in uncompress_zlib /data/src/10.6/sql/field_comp.cc:110
                #5 0x56302b9c13ef in Field_longstr::uncompress(String*, String*, unsigned char const*, unsigned int) const /data/src/10.6/sql/field.cc:8424
                #6 0x56302bd75954 in Item_char_typecast::val_str_generic(String*) /data/src/10.6/sql/item_timefunc.cc:3172
                #7 0x56302bb26a7c in cmp_item_sort_string::store_value(Item*) /data/src/10.6/sql/item_cmpfunc.h:1722
                #8 0x56302badb3e1 in Predicant_to_list_comparator::cmp_arg(Item_args*, unsigned int) /data/src/10.6/sql/item_cmpfunc.h:2068
                #9 0x56302badb3e1 in Predicant_to_list_comparator::cmp(Item_args*, unsigned int*, bool*) /data/src/10.6/sql/item_cmpfunc.h:2259
                #10 0x56302badb3e1 in Item_func_case_simple::find_item() /data/src/10.6/sql/item_cmpfunc.cc:3013
                #11 0x56302bacefe5 in Item_func_case::int_op() /data/src/10.6/sql/item_cmpfunc.cc:3051
                #12 0x56302ba9701f in Item::save_int_in_field(Field*, bool) /data/src/10.6/sql/item.cc:6814
                #13 0x56302ba5eec0 in Item::save_in_field(Field*, bool) /data/src/10.6/sql/item.cc:6824
                #14 0x56302b408490 in copy_funcs(Item**, THD const*) /data/src/10.6/sql/sql_select.cc:26315
                #15 0x56302b4087ca in end_write /data/src/10.6/sql/sql_select.cc:22593
                #16 0x56302b378ac6 in evaluate_join_record /data/src/10.6/sql/sql_select.cc:21338
                #17 0x56302b3b60d4 in sub_select(JOIN*, st_join_table*, bool) /data/src/10.6/sql/sql_select.cc:21108
                #18 0x56302b4578e1 in do_select /data/src/10.6/sql/sql_select.cc:20653
                #19 0x56302b4578e1 in JOIN::exec_inner() /data/src/10.6/sql/sql_select.cc:4755
                #20 0x56302b4593f2 in JOIN::exec() /data/src/10.6/sql/sql_select.cc:4533
                #21 0x56302b451cfb in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.6/sql/sql_select.cc:5012
                #22 0x56302b4537d5 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.6/sql/sql_select.cc:545
                #23 0x56302b2ca5a0 in execute_sqlcom_select /data/src/10.6/sql/sql_parse.cc:6271
                #24 0x56302b2f3137 in mysql_execute_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:3961
                #25 0x56302b2f808a in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.6/sql/sql_parse.cc:8045
                #26 0x56302b2fd6c4 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/10.6/sql/sql_parse.cc:1912
                #27 0x56302b3030c5 in do_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:1409
                #28 0x56302b68807d in do_handle_one_connection(CONNECT*, bool) /data/src/10.6/sql/sql_connect.cc:1418
                #29 0x56302b6885bc in handle_one_connection /data/src/10.6/sql/sql_connect.cc:1312
                #30 0x56302c1c096b in pfs_spawn_thread /data/src/10.6/storage/perfschema/pfs.cc:2201
                #31 0x7f9539052ea6 in start_thread nptl/pthread_create.c:477
             
            Thread T5 created by T0 here:
                #0 0x7f95395922a2 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:214
                #1 0x56302c1c0be9 in my_thread_create /data/src/10.6/storage/perfschema/my_thread.h:52
                #2 0x56302c1c0be9 in pfs_spawn_thread_v1 /data/src/10.6/storage/perfschema/pfs.cc:2252
                #3 0x56302b05dfcd in inline_mysql_thread_create /data/src/10.6/include/mysql/psi/mysql_thread.h:1139
                #4 0x56302b05dfcd in create_thread_to_handle_connection(CONNECT*) /data/src/10.6/sql/mysqld.cc:5970
                #5 0x56302b069747 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.6/sql/mysqld.cc:6091
                #6 0x56302b06a2df in handle_connections_sockets() /data/src/10.6/sql/mysqld.cc:6215
                #7 0x56302b06bb69 in mysqld_main(int, char**) /data/src/10.6/sql/mysqld.cc:5865
                #8 0x7f9538b78d09 in __libc_start_main ../csu/libc-start.c:308
             
            SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789 in __interceptor_memmove
            Shadow bytes around the buggy address:
              0x0c267fffc1c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c267fffc1d0: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
              0x0c267fffc1e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c267fffc1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c267fffc200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
            =>0x0c267fffc210: fa fa fa fa fa fa fa fa fd fd fd[fd]fd fd fd fd
              0x0c267fffc220: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c267fffc230: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c267fffc240: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
              0x0c267fffc250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c267fffc260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable:           00
              Partially addressable: 01 02 03 04 05 06 07 
              Heap left redzone:       fa
              Freed heap region:       fd
              Stack left redzone:      f1
              Stack mid redzone:       f2
              Stack right redzone:     f3
              Stack after return:      f5
              Stack use after scope:   f8
              Global redzone:          f9
              Global init order:       f6
              Poisoned by user:        f7
              Container overflow:      fc
              Array cookie:            ac
              Intra object redzone:    bb
              ASan internal:           fe
              Left alloca redzone:     ca
              Right alloca redzone:    cb
              Shadow gap:              cc
            

            elenst Elena Stepanova added a comment
            Roel Roel Van de Paar added a comment - - edited

            The original testcase

            SELECT CAST(MD5(NOW()) AS CHAR) AS f, COUNT(*) FROM DUAL GROUP BY f;
            

            Does not fail for me in any release.

            The second testcase fails in 10.6 to 10.11.

            ASAN|heap-use-after-free|sql/sql_string.cc|__interceptor_memmove|Binary_string::copy|String::copy|cmp_item_sort_string::store_value
            ASAN|heap-use-after-free|sql/sql_string.cc|memmove|Binary_string::copy|String::copy|cmp_item_sort_string::store_value
            

            Roel Roel Van de Paar added a comment - - edited

            This testcase:

            SET NAMES DEFAULT;
            SELECT CAST(MD5 (NOW()) AS CHAR) AS f,COUNT(*);
            

            Currently (builds as of 1 Aug 23) produces these stacks:

            ASAN|heap-use-after-free|sql/sql_string.cc|__interceptor_memmove|Binary_string::copy|String::copy|Item_copy_string::copy
            ASAN|heap-use-after-free|sql/sql_string.cc|memmove|Binary_string::copy|String::copy|Item_copy_string::copy
            

            Bug confirmed present in:
            MariaDB: 10.6.15 (dbg), 10.6.15 (opt), 10.9.8 (dbg), 10.10.6 (dbg), 10.11.5 (dbg), 11.0.3 (dbg), 11.0.3 (opt), 11.1.2 (dbg), 11.1.2 (opt), 11.2.0 (dbg), 11.2.0 (opt)

            11.1.2 adc13e2c167c90f4b287efa7b1165c68d441be8d (Debug)

            11.1.2-dbg>SET NAMES DEFAULT;
            Query OK, 0 rows affected (0.000 sec)
             
            11.1.2-dbg>SELECT CAST(MD5 (NOW()) AS CHAR) AS f,COUNT(*);
            +----------------------------------+----------+
            | f                                | COUNT(*) |
            +----------------------------------+----------+
            | ��������������������������������                                 |        1 |
            +----------------------------------+----------+
            1 row in set (0.000 sec)
            


            Roel Roel Van de Paar added a comment -

            SELECT CAST(MD5 (NOW()) AS CHAR);
            

            Will give

            1d50fa80cfab2fe8da3b78e9e254d613
            

            However,

            SELECT '1d50fa80cfab2fe8da3b78e9e254d613' AS f,COUNT(*);
            

            Does not produce the same heap-use-after-free.

            Roel Roel Van de Paar added a comment -

            Please also test any fixes with:

            SET NAMES cp1250;
            SELECT CAST(MD5 (NOW()) AS CHAR) AS f,COUNT(*);
            

            Leads to:

            CS 11.8.0 cacaaebf01939d387645fb850ceeec5392496171 (Optimized, UBASAN, Clang)

            ==2028175==ERROR: AddressSanitizer: heap-use-after-free on address 0x506000024278 at pc 0x55e88b405447 bp 0x14b651700010 sp 0x14b6516ff7d0
            READ of size 32 at 0x506000024278 thread T12
                #0 0x55e88b405446 in __asan_memmove (/test/UBASAN_MD170125-mariadb-11.8.0-linux-x86_64-opt/bin/mariadbd+0x24f3446) (BuildId: 46732527bc451b37e9a3dba99b5c507ce7d53cc5)
                #1 0x55e88bded89a in Binary_string::copy(Binary_string const&) /test/11.8_dbg_san/sql/sql_string.cc:257:5
                #2 0x55e88c95bc09 in String::copy(String const&) /test/11.8_dbg_san/sql/sql_string.h:947:27
                #3 0x55e88c95bc09 in Item_copy_string::copy() /test/11.8_dbg_san/sql/item.cc:5340:15
                #4 0x55e88bca52eb in copy_fields(TMP_TABLE_PARAM*) /test/11.8_dbg_san/sql/sql_select.cc:29278:11
                #5 0x55e88bc95dc7 in end_send_group(JOIN*, st_join_table*, bool) /test/11.8_dbg_san/sql/sql_select.cc:25679:7
                #6 0x55e88bbfcd27 in do_select(JOIN*, Procedure*) /test/11.8_dbg_san/sql/sql_select.cc:23549:14
                #7 0x55e88bbf90f1 in JOIN::exec_inner() /test/11.8_dbg_san/sql/sql_select.cc:5040:50
                #8 0x55e88bbf6a12 in JOIN::exec() /test/11.8_dbg_san/sql/sql_select.cc:4823:8
                #9 0x55e88bb70634 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.8_dbg_san/sql/sql_select.cc:5356:21
                #10 0x55e88bb6ef12 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.8_dbg_san/sql/sql_select.cc:633:10
                #11 0x55e88ba44167 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/11.8_dbg_san/sql/sql_parse.cc:6191:12
                #12 0x55e88ba2fd39 in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:3980:12
                #13 0x55e88b9ff588 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_dbg_san/sql/sql_parse.cc:7915:18
                #14 0x55e88b9f364b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1903:7
                #15 0x55e88ba01fad in do_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1416:17
                #16 0x55e88c0c576c in do_handle_one_connection(CONNECT*, bool) /test/11.8_dbg_san/sql/sql_connect.cc:1415:11
                #17 0x55e88c0c5027 in handle_one_connection /test/11.8_dbg_san/sql/sql_connect.cc:1327:5
                #18 0x55e88b404b5c in asan_thread_start(void*) asan_interceptors.cpp.o
                #19 0x14b68189ca93 in start_thread nptl/pthread_create.c:447:8
                #20 0x14b681929c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
             
            0x506000024278 is located 24 bytes inside of 56-byte region [0x506000024260,0x506000024298)
            freed by thread T12 here:
                #0 0x55e88b406dda in free (/test/UBASAN_MD170125-mariadb-11.8.0-linux-x86_64-opt/bin/mariadbd+0x24f4dda) (BuildId: 46732527bc451b37e9a3dba99b5c507ce7d53cc5)
                #1 0x55e88bdeb87b in Binary_string::free_buffer() /test/11.8_dbg_san/sql/sql_string.h:266:7
                #2 0x55e88bdeb87b in Binary_string::real_alloc(unsigned long) /test/11.8_dbg_san/sql/sql_string.cc:40:5
                #3 0x55e88bded7fe in Binary_string::alloc(unsigned long) /test/11.8_dbg_san/sql/sql_string.h:763:12
                #4 0x55e88bded7fe in Binary_string::copy(Binary_string const&) /test/11.8_dbg_san/sql/sql_string.cc:254:7
                #5 0x55e88c95bc09 in String::copy(String const&) /test/11.8_dbg_san/sql/sql_string.h:947:27
                #6 0x55e88c95bc09 in Item_copy_string::copy() /test/11.8_dbg_san/sql/item.cc:5340:15
                #7 0x55e88bca52eb in copy_fields(TMP_TABLE_PARAM*) /test/11.8_dbg_san/sql/sql_select.cc:29278:11
                #8 0x55e88bc95dc7 in end_send_group(JOIN*, st_join_table*, bool) /test/11.8_dbg_san/sql/sql_select.cc:25679:7
                #9 0x55e88bbfcd27 in do_select(JOIN*, Procedure*) /test/11.8_dbg_san/sql/sql_select.cc:23549:14
                #10 0x55e88bbf90f1 in JOIN::exec_inner() /test/11.8_dbg_san/sql/sql_select.cc:5040:50
                #11 0x55e88bbf6a12 in JOIN::exec() /test/11.8_dbg_san/sql/sql_select.cc:4823:8
                #12 0x55e88bb70634 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.8_dbg_san/sql/sql_select.cc:5356:21
                #13 0x55e88bb6ef12 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.8_dbg_san/sql/sql_select.cc:633:10
                #14 0x55e88ba44167 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/11.8_dbg_san/sql/sql_parse.cc:6191:12
                #15 0x55e88ba2fd39 in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:3980:12
                #16 0x55e88b9ff588 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_dbg_san/sql/sql_parse.cc:7915:18
                #17 0x55e88b9f364b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1903:7
                #18 0x55e88ba01fad in do_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1416:17
                #19 0x55e88c0c576c in do_handle_one_connection(CONNECT*, bool) /test/11.8_dbg_san/sql/sql_connect.cc:1415:11
                #20 0x55e88c0c5027 in handle_one_connection /test/11.8_dbg_san/sql/sql_connect.cc:1327:5
                #21 0x55e88b404b5c in asan_thread_start(void*) asan_interceptors.cpp.o
             
            previously allocated by thread T12 here:
                #0 0x55e88b407073 in malloc (/test/UBASAN_MD170125-mariadb-11.8.0-linux-x86_64-opt/bin/mariadbd+0x24f5073) (BuildId: 46732527bc451b37e9a3dba99b5c507ce7d53cc5)
                #1 0x55e88e1cd36d in my_malloc /test/11.8_dbg_san/mysys/my_malloc.c:93:29
                #2 0x55e88bdeb8d3 in Binary_string::real_alloc(unsigned long) /test/11.8_dbg_san/sql/sql_string.cc:41:23
                #3 0x55e88b9c9c8a in Binary_string::alloc(unsigned long) /test/11.8_dbg_san/sql/sql_string.h:763:12
                #4 0x55e88b9c9c8a in Datetime::to_string(String*, unsigned int) const /test/11.8_dbg_san/sql/sql_type.h:2671:15
                #5 0x55e88b9c9c8a in Item_timestampfunc::val_str(String*) /test/11.8_dbg_san/sql/item_timefunc.h:756:15
                #6 0x55e88cc43a66 in Item_func_md5::val_str_ascii(String*) /test/11.8_dbg_san/sql/item_strfunc.cc:177:27
                #7 0x55e88cc41e2a in Item_func::val_str_from_val_str_ascii(String*, String*) /test/11.8_dbg_san/sql/item_strfunc.cc:111:18
                #8 0x55e88ce51f69 in Item_char_typecast::val_str_generic(String*) /test/11.8_dbg_san/sql/item_timefunc.cc:3203:23
                #9 0x55e88c95bb45 in Item_copy_string::copy() /test/11.8_dbg_san/sql/item.cc:5338:21
                #10 0x55e88bca52eb in copy_fields(TMP_TABLE_PARAM*) /test/11.8_dbg_san/sql/sql_select.cc:29278:11
                #11 0x55e88bc95dc7 in end_send_group(JOIN*, st_join_table*, bool) /test/11.8_dbg_san/sql/sql_select.cc:25679:7
                #12 0x55e88bbfcd27 in do_select(JOIN*, Procedure*) /test/11.8_dbg_san/sql/sql_select.cc:23549:14
                #13 0x55e88bbf90f1 in JOIN::exec_inner() /test/11.8_dbg_san/sql/sql_select.cc:5040:50
                #14 0x55e88bbf6a12 in JOIN::exec() /test/11.8_dbg_san/sql/sql_select.cc:4823:8
                #15 0x55e88bb70634 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.8_dbg_san/sql/sql_select.cc:5356:21
                #16 0x55e88bb6ef12 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.8_dbg_san/sql/sql_select.cc:633:10
                #17 0x55e88ba44167 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/11.8_dbg_san/sql/sql_parse.cc:6191:12
                #18 0x55e88ba2fd39 in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:3980:12
                #19 0x55e88b9ff588 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_dbg_san/sql/sql_parse.cc:7915:18
                #20 0x55e88b9f364b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1903:7
                #21 0x55e88ba01fad in do_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1416:17
                #22 0x55e88c0c576c in do_handle_one_connection(CONNECT*, bool) /test/11.8_dbg_san/sql/sql_connect.cc:1415:11
                #23 0x55e88c0c5027 in handle_one_connection /test/11.8_dbg_san/sql/sql_connect.cc:1327:5
                #24 0x55e88b404b5c in asan_thread_start(void*) asan_interceptors.cpp.o
             
            Thread T12 created by T0 here:
                #0 0x55e88b3ec9e5 in pthread_create (/test/UBASAN_MD170125-mariadb-11.8.0-linux-x86_64-opt/bin/mariadbd+0x24da9e5) (BuildId: 46732527bc451b37e9a3dba99b5c507ce7d53cc5)
                #1 0x55e88b458a8a in create_thread_to_handle_connection(CONNECT*) /test/11.8_dbg_san/sql/mysqld.cc:6264:19
                #2 0x55e88b459a55 in handle_connections_sockets() /test/11.8_dbg_san/sql/mysqld.cc:6500:9
                #3 0x55e88b457cea in run_main_loop() /test/11.8_dbg_san/sql/mysqld.cc:5742:3
                #4 0x55e88b44e841 in mysqld_main(int, char**) /test/11.8_dbg_san/sql/mysqld.cc:6165:3
                #5 0x14b68182a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
                #6 0x14b68182a28a in __libc_start_main csu/../csu/libc-start.c:360:3
                #7 0x55e88b36c224 in _start (/test/UBASAN_MD170125-mariadb-11.8.0-linux-x86_64-opt/bin/mariadbd+0x245a224) (BuildId: 46732527bc451b37e9a3dba99b5c507ce7d53cc5)
             
            SUMMARY: AddressSanitizer: heap-use-after-free (/test/UBASAN_MD170125-mariadb-11.8.0-linux-x86_64-opt/bin/mariadbd+0x24f3446) (BuildId: 46732527bc451b37e9a3dba99b5c507ce7d53cc5) in __asan_memmove
            Shadow bytes around the buggy address:
              0x506000023f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x506000024000: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
              0x506000024080: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
              0x506000024100: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
              0x506000024180: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
            =>0x506000024200: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd[fd]
              0x506000024280: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 00
              0x506000024300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x506000024380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x506000024400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x506000024480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable:           00
              Partially addressable: 01 02 03 04 05 06 07 
              Heap left redzone:       fa
              Freed heap region:       fd
              Stack left redzone:      f1
              Stack mid redzone:       f2
              Stack right redzone:     f3
              Stack after return:      f5
              Stack use after scope:   f8
              Global redzone:          f9
              Global init order:       f6
              Poisoned by user:        f7
              Container overflow:      fc
              Array cookie:            ac
              Intra object redzone:    bb
              ASan internal:           fe
              Left alloca redzone:     ca
              Right alloca redzone:    cb
            ==2028175==ABORTING
            

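As an added illustration, not MariaDB's code: a constructed model of the pattern the report above shows, a copy that releases its own storage inside real_alloc() and then has memmove read from a source String that pointed into that same storage, beside the allocation order that avoids reading freed memory. The MiniString class, its function names and the sample NOW() value are assumptions; how the two String objects came to share storage in the real bug is not shown in the report, so here the sharing is constructed directly.

```cpp
// Constructed model of the failure pattern in the report. Not MariaDB code:
// MiniString, roundtrip() and the sample values are hypothetical.
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <string>

struct MiniString {
  char *ptr = nullptr;   // storage; owned only when `alloced` is true
  size_t len = 0;        // bytes in use
  size_t cap = 0;        // bytes allocated (0 for a borrowed view)
  bool alloced = false;

  ~MiniString() { free_buffer(); }

  void free_buffer() {
    if (alloced) free(ptr);
    ptr = nullptr; len = 0; cap = 0; alloced = false;
  }

  // Same order as the report's real_alloc(): the old storage is released
  // first, so anything still pointing at it now dangles.
  bool real_alloc(size_t n) {
    free_buffer();
    ptr = static_cast<char *>(malloc(n + 1));
    if (!ptr) return true;
    cap = n + 1; alloced = true;
    return false;
  }

  bool set_copy(const char *s) {          // own a copy of a C string
    size_t n = strlen(s);
    if (real_alloc(n)) return true;
    memcpy(ptr, s, n + 1); len = n;
    return false;
  }

  // Become a non-owning view over `p`, the way a function-result String
  // can end up pointing at storage that belongs to the caller.
  void set_view(char *p, size_t n) { free_buffer(); ptr = p; len = n; }

  // Does `src` live inside storage this object owns?
  bool aliases(const MiniString &src) const {
    uintptr_t lo = reinterpret_cast<uintptr_t>(ptr), hi = lo + cap;
    uintptr_t s = reinterpret_cast<uintptr_t>(src.ptr);
    return alloced && s >= lo && s + src.len <= hi;
  }

  // Buggy order, as in the report: grow first, then memmove from `src`.
  // This model always reallocates; the real alloc() only does so when the
  // source does not fit, which is the case the report hit. With `src` a view
  // into our own storage, memmove reads memory that was just freed.
  bool copy_unsafe(const MiniString &src) {
    if (real_alloc(src.len)) return true;
    memmove(ptr, src.ptr, src.len);
    len = src.len; ptr[len] = '\0';
    return false;
  }

  // Hardened order: copy into fresh storage while the old storage is
  // still alive, release the old storage only afterwards. Reading `n`
  // before free_buffer() also makes self-copy (src == *this) safe.
  bool copy_safe(const MiniString &src) {
    size_t n = src.len;
    char *fresh = static_cast<char *>(malloc(n + 1));
    if (!fresh) return true;
    memmove(fresh, src.ptr, n);
    fresh[n] = '\0';
    free_buffer();
    ptr = fresh; len = n; cap = n + 1; alloced = true;
    return false;
  }
};

// The report's situation, constructed: `owner` holds the NOW() text,
// `result` is only a view into that storage, and `owner` then copies
// `result` back into itself. Returns the bytes `owner` ends up holding;
// hardened=false is the use-after-free path, left for sanitizer builds.
std::string roundtrip(bool hardened) {
  MiniString owner, result;
  owner.set_copy("2025-01-01 00:00:00");     // sample NOW() value
  result.set_view(owner.ptr, owner.len);     // aliases owner's storage
  bool err = hardened ? owner.copy_safe(result) : owner.copy_unsafe(result);
  return err ? std::string() : std::string(owner.ptr, owner.len);
}

// Alias detection flags a view into our buffer (and ourselves), not others.
bool alias_check_works() {
  MiniString owner, view, other;
  owner.set_copy("abc");
  view.set_view(owner.ptr + 1, 2);
  other.set_copy("xyz");
  return owner.aliases(view) && owner.aliases(owner) && !owner.aliases(other);
}
```

Building this with -fsanitize=address and calling roundtrip(false) produces a report of the same shape as the one above: a free() under real_alloc() followed by a read in memmove().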

            People

              monty Michael Widenius
              elenst Elena Stepanova