Details
-
Bug
-
Status: Confirmed (View Workflow)
-
Major
-
Resolution: Unresolved
-
10.6, 10.7, 10.8, 10.9, 10.10, 10.11, 11.0, 11.1, 11.2
Description
SELECT CAST(MD5(NOW()) AS CHAR) AS f, COUNT(*) FROM DUAL GROUP BY f; |
|
10.6 0144d1d2 ASAN |
==1375312==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f0000d8ab8 at pc 0x7f36c80d7f40 bp 0x7f36be0f3c10 sp 0x7f36be0f33b8
|
READ of size 32 at 0x60f0000d8ab8 thread T5
|
#0 0x7f36c80d7f3f in __interceptor_memmove (/lib/x86_64-linux-gnu/libasan.so.5+0xa0f3f)
|
#1 0x55b56c134463 in Binary_string::copy(Binary_string const&) /data/src/10.6/sql/sql_string.cc:250
|
#2 0x55b56bdc88e5 in String::copy(String const&) /data/src/10.6/sql/sql_string.h:880
|
#3 0x55b56c7b092c in Item_copy_string::copy() /data/src/10.6/sql/item.cc:4988
|
#4 0x55b56c046d32 in copy_fields(TMP_TABLE_PARAM*) /data/src/10.6/sql/sql_select.cc:25866
|
#5 0x55b56c02e464 in end_send_group(JOIN*, st_join_table*, bool) /data/src/10.6/sql/sql_select.cc:22515
|
#6 0x55b56c02080a in do_select /data/src/10.6/sql/sql_select.cc:20552
|
#7 0x55b56bfad4fa in JOIN::exec_inner() /data/src/10.6/sql/sql_select.cc:4737
|
#8 0x55b56bfaa9db in JOIN::exec() /data/src/10.6/sql/sql_select.cc:4515
|
#9 0x55b56bfaef36 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.6/sql/sql_select.cc:4993
|
#10 0x55b56bf7f40c in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.6/sql/sql_select.cc:545
|
#11 0x55b56bee4802 in execute_sqlcom_select /data/src/10.6/sql/sql_parse.cc:6256
|
#12 0x55b56bed32be in mysql_execute_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:3946
|
#13 0x55b56beefac5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.6/sql/sql_parse.cc:8030
|
#14 0x55b56bec5b73 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/10.6/sql/sql_parse.cc:1896
|
#15 0x55b56bec2897 in do_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:1404
|
#16 0x55b56c328a8c in do_handle_one_connection(CONNECT*, bool) /data/src/10.6/sql/sql_connect.cc:1418
|
#17 0x55b56c328318 in handle_one_connection /data/src/10.6/sql/sql_connect.cc:1312
|
#18 0x55b56cf95298 in pfs_spawn_thread /data/src/10.6/storage/perfschema/pfs.cc:2201
|
#19 0x7f36c7a5b608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
|
#20 0x7f36c762e292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
|
 |
0x60f0000d8ab8 is located 136 bytes inside of 172-byte region [0x60f0000d8a30,0x60f0000d8adc)
|
freed by thread T5 here:
|
#0 0x7f36c81447cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
|
#1 0x55b56dbe9ed5 in free_memory /data/src/10.6/mysys/safemalloc.c:297
|
#2 0x55b56dbe9312 in sf_free /data/src/10.6/mysys/safemalloc.c:203
|
#3 0x55b56dbb6d1e in my_free /data/src/10.6/mysys/my_malloc.c:211
|
#4 0x55b56bbd4097 in Binary_string::free_buffer() /data/src/10.6/sql/sql_string.h:227
|
#5 0x55b56c132eb3 in Binary_string::real_alloc(unsigned long) /data/src/10.6/sql/sql_string.cc:44
|
#6 0x55b56bbfe414 in Binary_string::alloc(unsigned long) /data/src/10.6/sql/sql_string.h:698
|
#7 0x55b56c134369 in Binary_string::copy(Binary_string const&) /data/src/10.6/sql/sql_string.cc:247
|
#8 0x55b56bdc88e5 in String::copy(String const&) /data/src/10.6/sql/sql_string.h:880
|
#9 0x55b56c7b092c in Item_copy_string::copy() /data/src/10.6/sql/item.cc:4988
|
#10 0x55b56c046d32 in copy_fields(TMP_TABLE_PARAM*) /data/src/10.6/sql/sql_select.cc:25866
|
#11 0x55b56c02e464 in end_send_group(JOIN*, st_join_table*, bool) /data/src/10.6/sql/sql_select.cc:22515
|
#12 0x55b56c02080a in do_select /data/src/10.6/sql/sql_select.cc:20552
|
#13 0x55b56bfad4fa in JOIN::exec_inner() /data/src/10.6/sql/sql_select.cc:4737
|
#14 0x55b56bfaa9db in JOIN::exec() /data/src/10.6/sql/sql_select.cc:4515
|
#15 0x55b56bfaef36 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.6/sql/sql_select.cc:4993
|
#16 0x55b56bf7f40c in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.6/sql/sql_select.cc:545
|
#17 0x55b56bee4802 in execute_sqlcom_select /data/src/10.6/sql/sql_parse.cc:6256
|
#18 0x55b56bed32be in mysql_execute_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:3946
|
#19 0x55b56beefac5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.6/sql/sql_parse.cc:8030
|
#20 0x55b56bec5b73 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/10.6/sql/sql_parse.cc:1896
|
#21 0x55b56bec2897 in do_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:1404
|
#22 0x55b56c328a8c in do_handle_one_connection(CONNECT*, bool) /data/src/10.6/sql/sql_connect.cc:1418
|
#23 0x55b56c328318 in handle_one_connection /data/src/10.6/sql/sql_connect.cc:1312
|
#24 0x55b56cf95298 in pfs_spawn_thread /data/src/10.6/storage/perfschema/pfs.cc:2201
|
#25 0x7f36c7a5b608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
|
 |
previously allocated by thread T5 here:
|
#0 0x7f36c8144bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
|
#1 0x55b56dbe8cc6 in sf_malloc /data/src/10.6/mysys/safemalloc.c:126
|
#2 0x55b56dbb5ef8 in my_malloc /data/src/10.6/mysys/my_malloc.c:90
|
#3 0x55b56c132f57 in Binary_string::real_alloc(unsigned long) /data/src/10.6/sql/sql_string.cc:45
|
#4 0x55b56bbfe414 in Binary_string::alloc(unsigned long) /data/src/10.6/sql/sql_string.h:698
|
#5 0x55b56be90eea in Datetime::to_string(String*, unsigned int) const /data/src/10.6/sql/sql_type.h:2583
|
#6 0x55b56be9993e in Item_datetimefunc::val_str(String*) /data/src/10.6/sql/item_timefunc.h:704
|
#7 0x55b56c91926c in Item_func_md5::val_str_ascii(String*) /data/src/10.6/sql/item_strfunc.cc:163
|
#8 0x55b56c918570 in Item_func::val_str_from_val_str_ascii(String*, String*) /data/src/10.6/sql/item_strfunc.cc:98
|
#9 0x55b56c606127 in Item_str_ascii_func::val_str(String*) /data/src/10.6/sql/item_strfunc.h:94
|
#10 0x55b56c9f665c in Item_char_typecast::val_str_generic(String*) /data/src/10.6/sql/item_timefunc.cc:3172
|
#11 0x55b56ca0e92b in Item_char_typecast_func_handler::val_str(Item_handled_func*, String*) const /data/src/10.6/sql/item_timefunc.cc:3275
|
#12 0x55b56c5094a3 in Item_handled_func::val_str(String*) /data/src/10.6/sql/item_func.h:770
|
#13 0x55b56c7b08fc in Item_copy_string::copy() /data/src/10.6/sql/item.cc:4986
|
#14 0x55b56c046d32 in copy_fields(TMP_TABLE_PARAM*) /data/src/10.6/sql/sql_select.cc:25866
|
#15 0x55b56c02e464 in end_send_group(JOIN*, st_join_table*, bool) /data/src/10.6/sql/sql_select.cc:22515
|
#16 0x55b56c02080a in do_select /data/src/10.6/sql/sql_select.cc:20552
|
#17 0x55b56bfad4fa in JOIN::exec_inner() /data/src/10.6/sql/sql_select.cc:4737
|
#18 0x55b56bfaa9db in JOIN::exec() /data/src/10.6/sql/sql_select.cc:4515
|
#19 0x55b56bfaef36 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.6/sql/sql_select.cc:4993
|
#20 0x55b56bf7f40c in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.6/sql/sql_select.cc:545
|
#21 0x55b56bee4802 in execute_sqlcom_select /data/src/10.6/sql/sql_parse.cc:6256
|
#22 0x55b56bed32be in mysql_execute_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:3946
|
#23 0x55b56beefac5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.6/sql/sql_parse.cc:8030
|
#24 0x55b56bec5b73 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/10.6/sql/sql_parse.cc:1896
|
#25 0x55b56bec2897 in do_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:1404
|
#26 0x55b56c328a8c in do_handle_one_connection(CONNECT*, bool) /data/src/10.6/sql/sql_connect.cc:1418
|
#27 0x55b56c328318 in handle_one_connection /data/src/10.6/sql/sql_connect.cc:1312
|
#28 0x55b56cf95298 in pfs_spawn_thread /data/src/10.6/storage/perfschema/pfs.cc:2201
|
#29 0x7f36c7a5b608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
|
 |
Thread T5 created by T0 here:
|
#0 0x7f36c8071805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
|
#1 0x55b56cf9024e in my_thread_create /data/src/10.6/storage/perfschema/my_thread.h:48
|
#2 0x55b56cf9568b in pfs_spawn_thread_v1 /data/src/10.6/storage/perfschema/pfs.cc:2252
|
#3 0x55b56bbafd98 in inline_mysql_thread_create /data/src/10.6/include/mysql/psi/mysql_thread.h:1139
|
#4 0x55b56bbc767e in create_thread_to_handle_connection(CONNECT*) /data/src/10.6/sql/mysqld.cc:5922
|
#5 0x55b56bbc7cfa in create_new_thread(CONNECT*) /data/src/10.6/sql/mysqld.cc:5981
|
#6 0x55b56bbc8067 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.6/sql/mysqld.cc:6043
|
#7 0x55b56bbc8a65 in handle_connections_sockets() /data/src/10.6/sql/mysqld.cc:6167
|
#8 0x55b56bbc6e7a in mysqld_main(int, char**) /data/src/10.6/sql/mysqld.cc:5817
|
#9 0x55b56bbaf0bc in main /data/src/10.6/sql/main.cc:34
|
#10 0x7f36c75330b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
|
 |
SUMMARY: AddressSanitizer: heap-use-after-free (/lib/x86_64-linux-gnu/libasan.so.5+0xa0f3f) in __interceptor_memmove
|
Shadow bytes around the buggy address:
|
0x0c1e80013100: 00 04 fa fa fa fa fa fa fa fa 00 00 00 00 00 00
|
0x0c1e80013110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 fa
|
0x0c1e80013120: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
|
0x0c1e80013130: 00 00 00 00 00 00 00 00 00 00 00 00 00 04 fa fa
|
0x0c1e80013140: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
|
=>0x0c1e80013150: fd fd fd fd fd fd fd[fd]fd fd fd fd fa fa fa fa
|
0x0c1e80013160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c1e80013170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c1e80013180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c1e80013190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c1e800131a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==1375312==ABORTING
|
211014 1:29:35 [ERROR] mysqld got signal 6 ;
|
This could be because you hit a bug. It is also possible that this binary
|
or one of the libraries it was linked against is corrupt, improperly built,
|
or misconfigured. This error can also be caused by malfunctioning hardware.
|
 |
To report this bug, see https://mariadb.com/kb/en/reporting-bugs
|
 |
We will try our best to scrape up some info that will hopefully help
|
diagnose the problem, but since we have already crashed,
|
something is definitely wrong and this may fail.
|
 |
Server version: 10.6.5-MariaDB-debug-log
|
key_buffer_size=1048576
|
read_buffer_size=131072
|
max_used_connections=1
|
max_threads=153
|
thread_count=1
|
It is possible that mysqld could use up to
|
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 63858 K bytes of memory
|
Hope that's ok; if not, decrease some variables in the equation.
|
 |
Thread pointer: 0x62b00007e288
|
Attempting backtrace. You can use the following information to find out
|
where mysqld died. If you see no messages after this, something went
|
terribly wrong...
|
stack_bottom = 0x7f36be0f6cd0 thread_stack 0x100000
|
??:0(__interceptor_tcgetattr)[0x7f36c80a3d30]
|
/mnt-hd8t/bld/10.6-asan-nightly/bin/mariadbd(my_print_stacktrace+0xec)[0x55b56dbc79b5]
|
/mnt-hd8t/bld/10.6-asan-nightly/bin/mariadbd(handle_fatal_signal+0xa22)[0x55b56c72e44f]
|
sigaction.c:0(__restore_rt)[0x7f36c7a673c0]
|
??:0(gsignal)[0x7f36c755218b]
|
??:0(abort)[0x7f36c7531859]
|
??:0(__sanitizer_set_report_fd)[0x7f36c81626a2]
|
??:0(__sanitizer_get_module_and_offset_for_pc)[0x7f36c816d24c]
|
??:0(__sanitizer_ptr_cmp)[0x7f36c814e8ec]
|
??:0(__asan_on_error)[0x7f36c814e363]
|
??:0(memmove)[0x7f36c80d7f5f]
|
sql/sql_string.cc:251(Binary_string::copy(Binary_string const&))[0x55b56c134464]
|
sql/sql_string.h:881(String::copy(String const&))[0x55b56bdc88e6]
|
sql/item.cc:4989(Item_copy_string::copy())[0x55b56c7b092d]
|
sql/sql_select.cc:25865(copy_fields(TMP_TABLE_PARAM*))[0x55b56c046d33]
|
sql/sql_select.cc:22516(end_send_group(JOIN*, st_join_table*, bool))[0x55b56c02e465]
|
sql/sql_select.cc:20552(do_select(JOIN*, Procedure*))[0x55b56c02080b]
|
sql/sql_select.cc:4737(JOIN::exec_inner())[0x55b56bfad4fb]
|
sql/sql_select.cc:4516(JOIN::exec())[0x55b56bfaa9dc]
|
sql/sql_select.cc:4995(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55b56bfaef37]
|
sql/sql_select.cc:545(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55b56bf7f40d]
|
sql/sql_parse.cc:6256(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55b56bee4803]
|
sql/sql_parse.cc:3946(mysql_execute_command(THD*, bool))[0x55b56bed32bf]
|
sql/sql_parse.cc:8030(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x55b56beefac6]
|
sql/sql_parse.cc:1898(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x55b56bec5b74]
|
sql/sql_parse.cc:1404(do_command(THD*, bool))[0x55b56bec2898]
|
sql/sql_connect.cc:1418(do_handle_one_connection(CONNECT*, bool))[0x55b56c328a8d]
|
sql/sql_connect.cc:1314(handle_one_connection)[0x55b56c328319]
|
perfschema/pfs.cc:2203(pfs_spawn_thread)[0x55b56cf95299]
|
nptl/pthread_create.c:478(start_thread)[0x7f36c7a5b609]
|
??:0(clone)[0x7f36c762e293]
|
 |
Trying to get some variables.
|
Some pointers may be invalid and cause the dump to abort.
|
Query (0x62b0000852a8): SELECT CAST(MD5(NOW()) AS CHAR) AS f, COUNT(*) FROM DUAL GROUP BY f
|
 |
Connection ID (thread ID): 4
|
Status: NOT_KILLED
|
 |
Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off
|
 |
The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains
|
information that should help you find out what is causing the crash.
|
Writing a core file...
|
Working directory at /dev/shm/var_auto_W9Up/mysqld.1/data
|
Resource Limits:
|
Limit Soft Limit Hard Limit Units
|
Max cpu time unlimited unlimited seconds
|
Max file size unlimited unlimited bytes
|
Max data size unlimited unlimited bytes
|
Max stack size 8388608 unlimited bytes
|
Max core file size unlimited unlimited bytes
|
Max resident set unlimited unlimited bytes
|
Max processes 385736 385736 processes
|
Max open files 1024 1024 files
|
Max locked memory 67108864 67108864 bytes
|
Max address space unlimited unlimited bytes
|
Max file locks unlimited unlimited locks
|
Max pending signals 385736 385736 signals
|
Max msgqueue size 819200 819200 bytes
|
Max nice priority 0 0
|
Max realtime priority 0 0
|
Max realtime timeout unlimited unlimited us
|
Core pattern: |/usr/share/apport/apport %p %s %c %d %P %E
|
|
10.6 0144d1d2 Valgrind |
==1375468== Thread 6:
|
==1375468== Invalid read of size 8
|
==1375468== at 0x4842A7C: memmove (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
|
==1375468== by 0xB35B3F: Binary_string::copy(Binary_string const&) (sql_string.cc:250)
|
==1375468== by 0x9D7137: String::copy(String const&) (sql_string.h:880)
|
==1375468== by 0xE2164C: Item_copy_string::copy() (item.cc:4988)
|
==1375468== by 0xADCA81: copy_fields(TMP_TABLE_PARAM*) (sql_select.cc:25866)
|
==1375468== by 0xAD3FCD: end_send_group(JOIN*, st_join_table*, bool) (sql_select.cc:22515)
|
==1375468== by 0xACF3A8: do_select(JOIN*, Procedure*) (sql_select.cc:20552)
|
==1375468== by 0xAA2836: JOIN::exec_inner() (sql_select.cc:4737)
|
==1375468== by 0xAA18AC: JOIN::exec() (sql_select.cc:4515)
|
==1375468== by 0xAA31E6: mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:4993)
|
==1375468== by 0xA923EA: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:545)
|
==1375468== by 0xA522A2: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:6256)
|
==1375468== by 0xA4950A: mysql_execute_command(THD*, bool) (sql_parse.cc:3946)
|
==1375468== by 0xA570F2: mysql_parse(THD*, char*, unsigned int, Parser_state*) (sql_parse.cc:8030)
|
==1375468== by 0xA43522: dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) (sql_parse.cc:1896)
|
==1375468== by 0xA41EBE: do_command(THD*, bool) (sql_parse.cc:1404)
|
==1375468== Address 0xc47f098 is 24 bytes inside a block of size 56 free'd
|
==1375468== at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
|
==1375468== by 0x172BA65: my_free (my_malloc.c:211)
|
==1375468== by 0x8FB670: Binary_string::free_buffer() (sql_string.h:227)
|
==1375468== by 0xB3521B: Binary_string::real_alloc(unsigned long) (sql_string.cc:44)
|
==1375468== by 0x90D1DF: Binary_string::alloc(unsigned long) (sql_string.h:698)
|
==1375468== by 0xB35AF4: Binary_string::copy(Binary_string const&) (sql_string.cc:247)
|
==1375468== by 0x9D7137: String::copy(String const&) (sql_string.h:880)
|
==1375468== by 0xE2164C: Item_copy_string::copy() (item.cc:4988)
|
==1375468== by 0xADCA81: copy_fields(TMP_TABLE_PARAM*) (sql_select.cc:25866)
|
==1375468== by 0xAD3FCD: end_send_group(JOIN*, st_join_table*, bool) (sql_select.cc:22515)
|
==1375468== by 0xACF3A8: do_select(JOIN*, Procedure*) (sql_select.cc:20552)
|
==1375468== by 0xAA2836: JOIN::exec_inner() (sql_select.cc:4737)
|
==1375468== by 0xAA18AC: JOIN::exec() (sql_select.cc:4515)
|
==1375468== by 0xAA31E6: mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:4993)
|
==1375468== by 0xA923EA: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:545)
|
==1375468== by 0xA522A2: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:6256)
|
==1375468== Block was alloc'd at
|
==1375468== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
|
==1375468== by 0x172B276: my_malloc (my_malloc.c:90)
|
==1375468== by 0xB3524A: Binary_string::real_alloc(unsigned long) (sql_string.cc:45)
|
==1375468== by 0x90D1DF: Binary_string::alloc(unsigned long) (sql_string.h:698)
|
==1375468== by 0xA2A702: Datetime::to_string(String*, unsigned int) const (sql_type.h:2583)
|
==1375468== by 0xA2E762: Item_datetimefunc::val_str(String*) (item_timefunc.h:704)
|
==1375468== by 0xEC0648: Item_func_md5::val_str_ascii(String*) (item_strfunc.cc:163)
|
==1375468== by 0xEBFFDF: Item_func::val_str_from_val_str_ascii(String*, String*) (item_strfunc.cc:98)
|
==1375468== by 0xD5FD27: Item_str_ascii_func::val_str(String*) (item_strfunc.h:94)
|
==1375468== by 0xF18BF5: Item_char_typecast::val_str_generic(String*) (item_timefunc.cc:3172)
|
==1375468== by 0xF22D86: Item_char_typecast_func_handler::val_str(Item_handled_func*, String*) const (item_timefunc.cc:3275)
|
==1375468== by 0xCE065C: Item_handled_func::val_str(String*) (item_func.h:770)
|
==1375468== by 0xE2161C: Item_copy_string::copy() (item.cc:4986)
|
==1375468== by 0xADCA81: copy_fields(TMP_TABLE_PARAM*) (sql_select.cc:25866)
|
==1375468== by 0xAD3FCD: end_send_group(JOIN*, st_join_table*, bool) (sql_select.cc:22515)
|
==1375468== by 0xACF3A8: do_select(JOIN*, Procedure*) (sql_select.cc:20552)
|
==1375468== Invalid read of size 8
|
==1375468== at 0x4842A87: memmove (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
|
==1375468== by 0xB35B3F: Binary_string::copy(Binary_string const&) (sql_string.cc:250)
|
==1375468== by 0x9D7137: String::copy(String const&) (sql_string.h:880)
|
==1375468== by 0xE2164C: Item_copy_string::copy() (item.cc:4988)
|
==1375468== by 0xADCA81: copy_fields(TMP_TABLE_PARAM*) (sql_select.cc:25866)
|
==1375468== by 0xAD3FCD: end_send_group(JOIN*, st_join_table*, bool) (sql_select.cc:22515)
|
==1375468== by 0xACF3A8: do_select(JOIN*, Procedure*) (sql_select.cc:20552)
|
==1375468== by 0xAA2836: JOIN::exec_inner() (sql_select.cc:4737)
|
==1375468== by 0xAA18AC: JOIN::exec() (sql_select.cc:4515)
|
==1375468== by 0xAA31E6: mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:4993)
|
==1375468== by 0xA923EA: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:545)
|
==1375468== by 0xA522A2: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:6256)
|
==1375468== by 0xA4950A: mysql_execute_command(THD*, bool) (sql_parse.cc:3946)
|
==1375468== by 0xA570F2: mysql_parse(THD*, char*, unsigned int, Parser_state*) (sql_parse.cc:8030)
|
==1375468== by 0xA43522: dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) (sql_parse.cc:1896)
|
==1375468== by 0xA41EBE: do_command(THD*, bool) (sql_parse.cc:1404)
|
==1375468== Address 0xc47f0a0 is 32 bytes inside a block of size 56 free'd
|
==1375468== at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
|
==1375468== by 0x172BA65: my_free (my_malloc.c:211)
|
==1375468== by 0x8FB670: Binary_string::free_buffer() (sql_string.h:227)
|
==1375468== by 0xB3521B: Binary_string::real_alloc(unsigned long) (sql_string.cc:44)
|
==1375468== by 0x90D1DF: Binary_string::alloc(unsigned long) (sql_string.h:698)
|
==1375468== by 0xB35AF4: Binary_string::copy(Binary_string const&) (sql_string.cc:247)
|
==1375468== by 0x9D7137: String::copy(String const&) (sql_string.h:880)
|
==1375468== by 0xE2164C: Item_copy_string::copy() (item.cc:4988)
|
==1375468== by 0xADCA81: copy_fields(TMP_TABLE_PARAM*) (sql_select.cc:25866)
|
==1375468== by 0xAD3FCD: end_send_group(JOIN*, st_join_table*, bool) (sql_select.cc:22515)
|
==1375468== by 0xACF3A8: do_select(JOIN*, Procedure*) (sql_select.cc:20552)
|
==1375468== by 0xAA2836: JOIN::exec_inner() (sql_select.cc:4737)
|
==1375468== by 0xAA18AC: JOIN::exec() (sql_select.cc:4515)
|
==1375468== by 0xAA31E6: mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:4993)
|
==1375468== by 0xA923EA: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:545)
|
==1375468== by 0xA522A2: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:6256)
|
==1375468== Block was alloc'd at
|
==1375468== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
|
==1375468== by 0x172B276: my_malloc (my_malloc.c:90)
|
==1375468== by 0xB3524A: Binary_string::real_alloc(unsigned long) (sql_string.cc:45)
|
==1375468== by 0x90D1DF: Binary_string::alloc(unsigned long) (sql_string.h:698)
|
==1375468== by 0xA2A702: Datetime::to_string(String*, unsigned int) const (sql_type.h:2583)
|
==1375468== by 0xA2E762: Item_datetimefunc::val_str(String*) (item_timefunc.h:704)
|
==1375468== by 0xEC0648: Item_func_md5::val_str_ascii(String*) (item_strfunc.cc:163)
|
==1375468== by 0xEBFFDF: Item_func::val_str_from_val_str_ascii(String*, String*) (item_strfunc.cc:98)
|
==1375468== by 0xD5FD27: Item_str_ascii_func::val_str(String*) (item_strfunc.h:94)
|
==1375468== by 0xF18BF5: Item_char_typecast::val_str_generic(String*) (item_timefunc.cc:3172)
|
==1375468== by 0xF22D86: Item_char_typecast_func_handler::val_str(Item_handled_func*, String*) const (item_timefunc.cc:3275)
|
==1375468== by 0xCE065C: Item_handled_func::val_str(String*) (item_func.h:770)
|
==1375468== by 0xE2161C: Item_copy_string::copy() (item.cc:4986)
|
==1375468== by 0xADCA81: copy_fields(TMP_TABLE_PARAM*) (sql_select.cc:25866)
|
==1375468== by 0xAD3FCD: end_send_group(JOIN*, st_join_table*, bool) (sql_select.cc:22515)
|
==1375468== by 0xACF3A8: do_select(JOIN*, Procedure*) (sql_select.cc:20552)
|
==1375468== Invalid read of size 8
|
==1375468== at 0x4842A8F: memmove (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
|
==1375468== by 0xB35B3F: Binary_string::copy(Binary_string const&) (sql_string.cc:250)
|
==1375468== by 0x9D7137: String::copy(String const&) (sql_string.h:880)
|
==1375468== by 0xE2164C: Item_copy_string::copy() (item.cc:4988)
|
==1375468== by 0xADCA81: copy_fields(TMP_TABLE_PARAM*) (sql_select.cc:25866)
|
==1375468== by 0xAD3FCD: end_send_group(JOIN*, st_join_table*, bool) (sql_select.cc:22515)
|
==1375468== by 0xACF3A8: do_select(JOIN*, Procedure*) (sql_select.cc:20552)
|
==1375468== by 0xAA2836: JOIN::exec_inner() (sql_select.cc:4737)
|
==1375468== by 0xAA18AC: JOIN::exec() (sql_select.cc:4515)
|
==1375468== by 0xAA31E6: mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:4993)
|
==1375468== by 0xA923EA: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:545)
|
==1375468== by 0xA522A2: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:6256)
|
==1375468== by 0xA4950A: mysql_execute_command(THD*, bool) (sql_parse.cc:3946)
|
==1375468== by 0xA570F2: mysql_parse(THD*, char*, unsigned int, Parser_state*) (sql_parse.cc:8030)
|
==1375468== by 0xA43522: dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) (sql_parse.cc:1896)
|
==1375468== by 0xA41EBE: do_command(THD*, bool) (sql_parse.cc:1404)
|
==1375468== Address 0xc47f0a8 is 40 bytes inside a block of size 56 free'd
|
==1375468== at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
|
==1375468== by 0x172BA65: my_free (my_malloc.c:211)
|
==1375468== by 0x8FB670: Binary_string::free_buffer() (sql_string.h:227)
|
==1375468== by 0xB3521B: Binary_string::real_alloc(unsigned long) (sql_string.cc:44)
|
==1375468== by 0x90D1DF: Binary_string::alloc(unsigned long) (sql_string.h:698)
|
==1375468== by 0xB35AF4: Binary_string::copy(Binary_string const&) (sql_string.cc:247)
|
==1375468== by 0x9D7137: String::copy(String const&) (sql_string.h:880)
|
==1375468== by 0xE2164C: Item_copy_string::copy() (item.cc:4988)
|
==1375468== by 0xADCA81: copy_fields(TMP_TABLE_PARAM*) (sql_select.cc:25866)
|
==1375468== by 0xAD3FCD: end_send_group(JOIN*, st_join_table*, bool) (sql_select.cc:22515)
|
==1375468== by 0xACF3A8: do_select(JOIN*, Procedure*) (sql_select.cc:20552)
|
==1375468== by 0xAA2836: JOIN::exec_inner() (sql_select.cc:4737)
|
==1375468== by 0xAA18AC: JOIN::exec() (sql_select.cc:4515)
|
==1375468== by 0xAA31E6: mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:4993)
|
==1375468== by 0xA923EA: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:545)
|
==1375468== by 0xA522A2: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:6256)
|
==1375468== Block was alloc'd at
|
==1375468== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
|
==1375468== by 0x172B276: my_malloc (my_malloc.c:90)
|
==1375468== by 0xB3524A: Binary_string::real_alloc(unsigned long) (sql_string.cc:45)
|
==1375468== by 0x90D1DF: Binary_string::alloc(unsigned long) (sql_string.h:698)
|
==1375468== by 0xA2A702: Datetime::to_string(String*, unsigned int) const (sql_type.h:2583)
|
==1375468== by 0xA2E762: Item_datetimefunc::val_str(String*) (item_timefunc.h:704)
|
==1375468== by 0xEC0648: Item_func_md5::val_str_ascii(String*) (item_strfunc.cc:163)
|
==1375468== by 0xEBFFDF: Item_func::val_str_from_val_str_ascii(String*, String*) (item_strfunc.cc:98)
|
==1375468== by 0xD5FD27: Item_str_ascii_func::val_str(String*) (item_strfunc.h:94)
|
==1375468== by 0xF18BF5: Item_char_typecast::val_str_generic(String*) (item_timefunc.cc:3172)
|
==1375468== by 0xF22D86: Item_char_typecast_func_handler::val_str(Item_handled_func*, String*) const (item_timefunc.cc:3275)
|
==1375468== by 0xCE065C: Item_handled_func::val_str(String*) (item_func.h:770)
|
==1375468== by 0xE2161C: Item_copy_string::copy() (item.cc:4986)
|
==1375468== by 0xADCA81: copy_fields(TMP_TABLE_PARAM*) (sql_select.cc:25866)
|
==1375468== by 0xAD3FCD: end_send_group(JOIN*, st_join_table*, bool) (sql_select.cc:22515)
|
==1375468== by 0xACF3A8: do_select(JOIN*, Procedure*) (sql_select.cc:20552)
|
==1375468== Invalid read of size 8
|
==1375468== at 0x4842A97: memmove (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
|
==1375468== by 0xB35B3F: Binary_string::copy(Binary_string const&) (sql_string.cc:250)
|
==1375468== by 0x9D7137: String::copy(String const&) (sql_string.h:880)
|
==1375468== by 0xE2164C: Item_copy_string::copy() (item.cc:4988)
|
==1375468== by 0xADCA81: copy_fields(TMP_TABLE_PARAM*) (sql_select.cc:25866)
|
==1375468== by 0xAD3FCD: end_send_group(JOIN*, st_join_table*, bool) (sql_select.cc:22515)
|
==1375468== by 0xACF3A8: do_select(JOIN*, Procedure*) (sql_select.cc:20552)
|
==1375468== by 0xAA2836: JOIN::exec_inner() (sql_select.cc:4737)
|
==1375468== by 0xAA18AC: JOIN::exec() (sql_select.cc:4515)
|
==1375468== by 0xAA31E6: mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:4993)
|
==1375468== by 0xA923EA: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:545)
|
==1375468== by 0xA522A2: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:6256)
|
==1375468== by 0xA4950A: mysql_execute_command(THD*, bool) (sql_parse.cc:3946)
|
==1375468== by 0xA570F2: mysql_parse(THD*, char*, unsigned int, Parser_state*) (sql_parse.cc:8030)
|
==1375468== by 0xA43522: dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) (sql_parse.cc:1896)
|
==1375468== by 0xA41EBE: do_command(THD*, bool) (sql_parse.cc:1404)
|
==1375468== Address 0xc47f0b0 is 48 bytes inside a block of size 56 free'd
|
==1375468== at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
|
==1375468== by 0x172BA65: my_free (my_malloc.c:211)
|
==1375468== by 0x8FB670: Binary_string::free_buffer() (sql_string.h:227)
|
==1375468== by 0xB3521B: Binary_string::real_alloc(unsigned long) (sql_string.cc:44)
|
==1375468== by 0x90D1DF: Binary_string::alloc(unsigned long) (sql_string.h:698)
|
==1375468== by 0xB35AF4: Binary_string::copy(Binary_string const&) (sql_string.cc:247)
|
==1375468== by 0x9D7137: String::copy(String const&) (sql_string.h:880)
|
==1375468== by 0xE2164C: Item_copy_string::copy() (item.cc:4988)
|
==1375468== by 0xADCA81: copy_fields(TMP_TABLE_PARAM*) (sql_select.cc:25866)
|
==1375468== by 0xAD3FCD: end_send_group(JOIN*, st_join_table*, bool) (sql_select.cc:22515)
|
==1375468== by 0xACF3A8: do_select(JOIN*, Procedure*) (sql_select.cc:20552)
|
==1375468== by 0xAA2836: JOIN::exec_inner() (sql_select.cc:4737)
|
==1375468== by 0xAA18AC: JOIN::exec() (sql_select.cc:4515)
|
==1375468== by 0xAA31E6: mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:4993)
|
==1375468== by 0xA923EA: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:545)
|
==1375468== by 0xA522A2: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:6256)
|
==1375468== Block was alloc'd at
|
==1375468== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
|
==1375468== by 0x172B276: my_malloc (my_malloc.c:90)
|
==1375468== by 0xB3524A: Binary_string::real_alloc(unsigned long) (sql_string.cc:45)
|
==1375468== by 0x90D1DF: Binary_string::alloc(unsigned long) (sql_string.h:698)
|
==1375468== by 0xA2A702: Datetime::to_string(String*, unsigned int) const (sql_type.h:2583)
|
==1375468== by 0xA2E762: Item_datetimefunc::val_str(String*) (item_timefunc.h:704)
|
==1375468== by 0xEC0648: Item_func_md5::val_str_ascii(String*) (item_strfunc.cc:163)
|
==1375468== by 0xEBFFDF: Item_func::val_str_from_val_str_ascii(String*, String*) (item_strfunc.cc:98)
|
==1375468== by 0xD5FD27: Item_str_ascii_func::val_str(String*) (item_strfunc.h:94)
|
==1375468== by 0xF18BF5: Item_char_typecast::val_str_generic(String*) (item_timefunc.cc:3172)
|
==1375468== by 0xF22D86: Item_char_typecast_func_handler::val_str(Item_handled_func*, String*) const (item_timefunc.cc:3275)
|
==1375468== by 0xCE065C: Item_handled_func::val_str(String*) (item_func.h:770)
|
==1375468== by 0xE2161C: Item_copy_string::copy() (item.cc:4986)
|
==1375468== by 0xADCA81: copy_fields(TMP_TABLE_PARAM*) (sql_select.cc:25866)
|
==1375468== by 0xAD3FCD: end_send_group(JOIN*, st_join_table*, bool) (sql_select.cc:22515)
|
==1375468== by 0xACF3A8: do_select(JOIN*, Procedure*) (sql_select.cc:20552)
|
Non-instrumented builds don't crash, but a debug build returns garbage:
SELECT CAST(MD5(NOW()) AS CHAR) AS f, COUNT(*) FROM DUAL GROUP BY f;
|
f COUNT(*)
|
������������������������������� 1
|
Reproducible on 10.6-10.7, not reproducible on 10.5.
The failure appeared in 10.6 after this commit:
commit 36cdd5c3cdb06d8538f64c0b312ffe4672a92e75
|
Author: Monty <monty@mariadb.org>
|
Date: Wed Sep 16 11:23:50 2020 +0300
|
 |
Optimize usage of c_ptr(), c_ptr_quick() and String::alloc()
|
|
The problem was that when one used String::alloc() to allocate a string,
|
Attachments
Issue Links
- is duplicated by
-
-
- Closed
-
- relates to
-
-
- Confirmed
-