  2. MDEV-27603

ASAN heap-use-after-free in Gap_time_tracker::log_time after ER_TOO_BIG_SELECT


Details

    Description

      # Minimal MTR reproducer. MyISAM and max_join_size=2 are only there to keep
      # the data set tiny; the larger variant further down fails the same way.
      CREATE TABLE t1 (a int) ENGINE=MyISAM;
      INSERT INTO t1 VALUES (1),(2);
       
      # t2 carries an index on b, which the HAVING ... IN subquery below selects from.
      CREATE TABLE t2 (b int, key (b)) ENGINE=MyISAM;
      INSERT INTO t2 VALUES (0),(1);
       
      # With the join size limit at 2 the ANALYZE with the subquery must abort
      # with ER_TOO_BIG_SELECT; the error is the expected outcome of this step.
      SET max_join_size= 2;
      --error ER_TOO_BIG_SELECT
      ANALYZE SELECT * FROM t1 HAVING 0 IN ( SELECT b FROM t2 );
       
      # Limit restored, a plain ANALYZE on the same connection is where ASAN
      # reports the heap-use-after-free in Gap_time_tracker::log_time(). Per the
      # trace below, the memory was allocated from the query arena in
      # JOIN::get_best_combination() while optimizing the subquery of the aborted
      # statement and freed with that statement's mem_root in dispatch_command().
      SET max_join_size= DEFAULT;
      ANALYZE SELECT * FROM t1;
       
      DROP TABLE IF EXISTS t1, t2;
      

      10.5 e8e755ea6

      ==1965717==ERROR: AddressSanitizer: heap-use-after-free on address 0x62900029ed00 at pc 0x565127daaa05 bp 0x7fd115c2a820 sp 0x7fd115c2a818
      READ of size 8 at 0x62900029ed00 thread T18
          #0 0x565127daaa04 in Gap_time_tracker::log_time(unsigned long long, unsigned long long) /data/src/10.5-bug/sql/sql_analyze_stmt.h:112
          #1 0x565127daa80a in process_gap_time_tracker(THD*, unsigned long long) /data/src/10.5-bug/sql/sql_analyze_stmt.cc:117
          #2 0x565127a630f4 in Exec_time_tracker::start_tracking(THD*) /data/src/10.5-bug/sql/sql_analyze_stmt.h:79
          #3 0x5651279a8974 in JOIN::exec() /data/src/10.5-bug/sql/sql_select.cc:4317
          #4 0x5651279acc73 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.5-bug/sql/sql_select.cc:4795
          #5 0x56512797e73e in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.5-bug/sql/sql_select.cc:444
          #6 0x5651278ea81f in execute_sqlcom_select /data/src/10.5-bug/sql/sql_parse.cc:6314
          #7 0x5651278d9811 in mysql_execute_command(THD*) /data/src/10.5-bug/sql/sql_parse.cc:4005
          #8 0x5651278f56d6 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.5-bug/sql/sql_parse.cc:8100
          #9 0x5651278cbccf in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5-bug/sql/sql_parse.cc:1891
          #10 0x5651278c86b1 in do_command(THD*) /data/src/10.5-bug/sql/sql_parse.cc:1370
          #11 0x565127cffa89 in do_handle_one_connection(CONNECT*, bool) /data/src/10.5-bug/sql/sql_connect.cc:1418
          #12 0x565127cff2db in handle_one_connection /data/src/10.5-bug/sql/sql_connect.cc:1312
          #13 0x56512891c4e9 in pfs_spawn_thread /data/src/10.5-bug/storage/perfschema/pfs.cc:2201
          #14 0x7fd127b06ea6 in start_thread nptl/pthread_create.c:477
          #15 0x7fd127703dee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfddee)
       
      0x62900029ed00 is located 2816 bytes inside of 16484-byte region [0x62900029e200,0x6290002a2264)
      freed by thread T18 here:
          #0 0x7fd12809ab6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123
          #1 0x565129568a8b in free_memory /data/src/10.5-bug/mysys/safemalloc.c:280
          #2 0x5651295680a8 in sf_free /data/src/10.5-bug/mysys/safemalloc.c:198
          #3 0x5651295378cf in my_free /data/src/10.5-bug/mysys/my_malloc.c:211
          #4 0x5651295146cc in free_root /data/src/10.5-bug/mysys/my_alloc.c:416
          #5 0x5651278cf98c in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5-bug/sql/sql_parse.cc:2515
          #6 0x5651278c86b1 in do_command(THD*) /data/src/10.5-bug/sql/sql_parse.cc:1370
          #7 0x565127cffa89 in do_handle_one_connection(CONNECT*, bool) /data/src/10.5-bug/sql/sql_connect.cc:1418
          #8 0x565127cff2db in handle_one_connection /data/src/10.5-bug/sql/sql_connect.cc:1312
          #9 0x56512891c4e9 in pfs_spawn_thread /data/src/10.5-bug/storage/perfschema/pfs.cc:2201
          #10 0x7fd127b06ea6 in start_thread nptl/pthread_create.c:477
       
      previously allocated by thread T18 here:
          #0 0x7fd12809ae8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
          #1 0x565129567a80 in sf_malloc /data/src/10.5-bug/mysys/safemalloc.c:121
          #2 0x565129536b06 in my_malloc /data/src/10.5-bug/mysys/my_malloc.c:90
          #3 0x56512951369d in alloc_root /data/src/10.5-bug/mysys/my_alloc.c:244
          #4 0x5651275f19af in Query_arena::alloc(unsigned long) /data/src/10.5-bug/sql/sql_class.h:1171
          #5 0x5651279d53ac in JOIN::get_best_combination() /data/src/10.5-bug/sql/sql_select.cc:10516
          #6 0x56512799386c in JOIN::optimize_stage2() /data/src/10.5-bug/sql/sql_select.cc:2358
          #7 0x56512799331e in JOIN::optimize_inner() /data/src/10.5-bug/sql/sql_select.cc:2337
          #8 0x56512798c47d in JOIN::optimize() /data/src/10.5-bug/sql/sql_select.cc:1669
          #9 0x56512786429b in st_select_lex::optimize_unflattened_subqueries(bool) /data/src/10.5-bug/sql/sql_lex.cc:4870
          #10 0x565127e07497 in JOIN::optimize_constant_subqueries() /data/src/10.5-bug/sql/opt_subselect.cc:5609
          #11 0x56512798f2c6 in JOIN::optimize_inner() /data/src/10.5-bug/sql/sql_select.cc:1976
          #12 0x56512798c47d in JOIN::optimize() /data/src/10.5-bug/sql/sql_select.cc:1669
          #13 0x5651279aca7e in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.5-bug/sql/sql_select.cc:4781
          #14 0x56512797e73e in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.5-bug/sql/sql_select.cc:444
          #15 0x5651278ea81f in execute_sqlcom_select /data/src/10.5-bug/sql/sql_parse.cc:6314
          #16 0x5651278d9811 in mysql_execute_command(THD*) /data/src/10.5-bug/sql/sql_parse.cc:4005
          #17 0x5651278f56d6 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.5-bug/sql/sql_parse.cc:8100
          #18 0x5651278cbccf in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5-bug/sql/sql_parse.cc:1891
          #19 0x5651278c86b1 in do_command(THD*) /data/src/10.5-bug/sql/sql_parse.cc:1370
          #20 0x565127cffa89 in do_handle_one_connection(CONNECT*, bool) /data/src/10.5-bug/sql/sql_connect.cc:1418
          #21 0x565127cff2db in handle_one_connection /data/src/10.5-bug/sql/sql_connect.cc:1312
          #22 0x56512891c4e9 in pfs_spawn_thread /data/src/10.5-bug/storage/perfschema/pfs.cc:2201
          #23 0x7fd127b06ea6 in start_thread nptl/pthread_create.c:477
       
      Thread T18 created by T0 here:
          #0 0x7fd1280462a2 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:214
          #1 0x565128918254 in my_thread_create /data/src/10.5-bug/storage/perfschema/my_thread.h:52
          #2 0x56512891c8d8 in pfs_spawn_thread_v1 /data/src/10.5-bug/storage/perfschema/pfs.cc:2252
          #3 0x5651275cdd64 in inline_mysql_thread_create /data/src/10.5-bug/include/mysql/psi/mysql_thread.h:1323
          #4 0x5651275e36e3 in create_thread_to_handle_connection(CONNECT*) /data/src/10.5-bug/sql/mysqld.cc:6013
          #5 0x5651275e3d2c in create_new_thread(CONNECT*) /data/src/10.5-bug/sql/mysqld.cc:6072
          #6 0x5651275e405e in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.5-bug/sql/mysqld.cc:6137
          #7 0x5651275e4c33 in handle_connections_sockets() /data/src/10.5-bug/sql/mysqld.cc:6264
          #8 0x5651275e2f52 in mysqld_main(int, char**) /data/src/10.5-bug/sql/mysqld.cc:5659
          #9 0x5651275cc904 in main /data/src/10.5-bug/sql/main.cc:25
          #10 0x7fd12762cd09 in __libc_start_main ../csu/libc-start.c:308
       
      SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.5-bug/sql/sql_analyze_stmt.h:112 in Gap_time_tracker::log_time(unsigned long long, unsigned long long)
      Shadow bytes around the buggy address:
        0x0c528004bd50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c528004bd60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c528004bd70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c528004bd80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c528004bd90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      =>0x0c528004bda0:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c528004bdb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c528004bdc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c528004bdd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c528004bde0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c528004bdf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==1965717==ABORTING
      

      Reproducible on 10.5+.

      The test case uses max_join_size=2 and MyISAM for minimization, but the issue is well-scalable and is not related to extremely low values. For example, this fails the same way:

      # Same shape as the minimal case above, but with a 100000-row t1 and
      # max_join_size=10000, to show the fault is not tied to tiny limits or MyISAM.
      # have_sequence.inc provides the seq_1_to_100000 table used to fill t1.
      --source include/have_sequence.inc
       
      CREATE TABLE t1 (a int);
      INSERT INTO t1 SELECT seq FROM seq_1_to_100000;
       
      # t2 carries an index on b, which the HAVING ... IN subquery below selects from.
      CREATE TABLE t2 (b int, key (b));
      INSERT INTO t2 VALUES (0),(1);
       
      # The ANALYZE with the subquery is expected to abort with ER_TOO_BIG_SELECT.
      SET max_join_size= 10000;
      --error ER_TOO_BIG_SELECT
      ANALYZE SELECT * FROM t1 HAVING 0 IN ( SELECT b FROM t2 );
       
      # The follow-up ANALYZE on the same connection is the statement that
      # triggers the heap-use-after-free reported above.
      SET max_join_size= DEFAULT;
      ANALYZE SELECT * FROM t1;
       
      DROP TABLE IF EXISTS t1, t2;
      

      Attachments

        Activity

          People

            psergei Sergei Petrunia
            elenst Elena Stepanova

            Dates

              Created:
              Updated:
