MariaDB Server / MDEV-28345

ASAN: use-after-poison or unknown-crash in my_strtod_int from charset_info_st::strntod or test_if_number

Details

    Description

      Possibly related to MDEV-18414 or MDEV-25439 though there are significant differences.

      CREATE TABLE t (c BLOB) ENGINE=InnoDB;
      INSERT INTO t VALUES ('0.0e'),('0.0e+0');
      SELECT * FROM t WHERE COALESCE(c)=0.0;
      

      Leads to:

      10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Optimized)

      ==2353529==ERROR: AddressSanitizer: use-after-poison on address 0x6290000a528e at pc 0x557084c2e7f0 bp 0x145fcffbb450 sp 0x145fcffbb440
      SUMMARY: AddressSanitizer: use-after-poison /test/10.9_opt_san/strings/dtoa.c:1476 in my_strtod_int
      

      Full stack from error log:

      10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Debug, UBASAN)

      ==2353506==ERROR: AddressSanitizer: use-after-poison on address 0x6290001272a6 at pc 0x55bd77a308d6 bp 0x14a6d6226560 sp 0x14a6d6226550
      READ of size 1 at 0x6290001272a6 thread T14
          #0 0x55bd77a308d5 in my_strtod_int /test/10.9_dbg_san/strings/dtoa.c:1476
          #1 0x55bd77a308d5 in my_strtod /test/10.9_dbg_san/strings/dtoa.c:469
          #2 0x55bd7792e0b8 in my_strntod_8bit /test/10.9_dbg_san/strings/ctype-simple.c:801
          #3 0x55bd74f792df in charset_info_st::strntod(char*, unsigned long, char**, int*) const /test/10.9_dbg_san/include/m_ctype.h:788
          #4 0x55bd74f792df in Value_source::Converter_strntod::Converter_strntod(charset_info_st const*, char const*, unsigned long) /test/10.9_dbg_san/sql/field.h:210
          #5 0x55bd74f792df in Value_source::Converter_strntod_with_warn::Converter_strntod_with_warn(THD*, Value_source::Warn_filter, charset_info_st const*, char const*, unsigned long) /test/10.9_dbg_san/sql/field.h:281
          #6 0x55bd74f792df in Value_source::double_from_string_with_check(charset_info_st const*, char const*, char const*) const /test/10.9_dbg_san/sql/field.h:350
          #7 0x55bd74f792df in Value_source::double_from_string_with_check(String const*) const /test/10.9_dbg_san/sql/field.h:381
          #8 0x55bd74f792df in Item_func_hybrid_field_type::val_real_from_str_op() /test/10.9_dbg_san/sql/item_func.cc:939
          #9 0x55bd7401b82d in Type_handler_string_result::Item_func_hybrid_field_type_val_real(Item_func_hybrid_field_type*) const /test/10.9_dbg_san/sql/sql_type.cc:5628
          #10 0x55bd72fbf76c in Item_func_hybrid_field_type::val_real() /test/10.9_dbg_san/sql/item_func.h:899
          #11 0x55bd74bd9843 in Arg_comparator::compare_real() /test/10.9_dbg_san/sql/item_cmpfunc.cc:831
          #12 0x55bd74bd30f3 in Arg_comparator::compare() /test/10.9_dbg_san/sql/item_cmpfunc.h:103
          #13 0x55bd74bd30f3 in Item_func_eq::val_int() /test/10.9_dbg_san/sql/item_cmpfunc.cc:1762
          #14 0x55bd73286d23 in evaluate_join_record /test/10.9_dbg_san/sql/sql_select.cc:21193
          #15 0x55bd7332b7dc in sub_select(JOIN*, st_join_table*, bool) /test/10.9_dbg_san/sql/sql_select.cc:21134
          #16 0x55bd734fd362 in do_select /test/10.9_dbg_san/sql/sql_select.cc:20640
          #17 0x55bd734fd362 in JOIN::exec_inner() /test/10.9_dbg_san/sql/sql_select.cc:4749
          #18 0x55bd734fec94 in JOIN::exec() /test/10.9_dbg_san/sql/sql_select.cc:4527
          #19 0x55bd734ee58b in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_dbg_san/sql/sql_select.cc:5007
          #20 0x55bd734efef0 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_dbg_san/sql/sql_select.cc:543
          #21 0x55bd7305cfc2 in execute_sqlcom_select /test/10.9_dbg_san/sql/sql_parse.cc:6268
          #22 0x55bd730c2216 in mysql_execute_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:3959
          #23 0x55bd73024728 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_dbg_san/sql/sql_parse.cc:8043
          #24 0x55bd7309a44e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1910
          #25 0x55bd730b0fa9 in do_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1407
          #26 0x55bd73b7dc4b in do_handle_one_connection(CONNECT*, bool) /test/10.9_dbg_san/sql/sql_connect.cc:1418
          #27 0x55bd73b80ae5 in handle_one_connection /test/10.9_dbg_san/sql/sql_connect.cc:1312
          #28 0x55bd760d9c62 in pfs_spawn_thread /test/10.9_dbg_san/storage/perfschema/pfs.cc:2201
          #29 0x14a6f9450608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
          #30 0x14a6f86c5162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)
       
      0x6290001272a6 is located 166 bytes inside of 16536-byte region [0x629000127200,0x62900012b298)
      allocated by thread T14 here:
          #0 0x55bd72636248 in malloc (/test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/bin/mariadbd+0x849e248)
          #1 0x55bd76995aa8 in ut_allocator<unsigned char, true>::allocate(unsigned long, unsigned char const*, unsigned int, bool, bool) /test/10.9_dbg_san/storage/innobase/include/ut0new.h:375
          #2 0x55bd76995aa8 in mem_heap_create_block_func(mem_block_info_t*, unsigned long, char const*, unsigned int, unsigned long) /test/10.9_dbg_san/storage/innobase/mem/mem0mem.cc:277
          #3 0x55bd76d14f74 in mem_heap_create_func /test/10.9_dbg_san/storage/innobase/include/mem0mem.inl:377
          #4 0x55bd76d2cb8c in row_sel_store_mysql_field /test/10.9_dbg_san/storage/innobase/row/row0sel.cc:3050
          #5 0x55bd76d2e719 in row_sel_store_mysql_rec /test/10.9_dbg_san/storage/innobase/row/row0sel.cc:3196
          #6 0x55bd76d5e20e in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /test/10.9_dbg_san/storage/innobase/row/row0sel.cc:5653
          #7 0x55bd76594ba9 in ha_innobase::general_fetch(unsigned char*, unsigned int, unsigned int) /test/10.9_dbg_san/storage/innobase/handler/ha_innodb.cc:9273
          #8 0x55bd765dede6 in ha_innobase::rnd_next(unsigned char*) /test/10.9_dbg_san/storage/innobase/handler/ha_innodb.cc:9477
          #9 0x55bd7491fa88 in handler::ha_rnd_next(unsigned char*) /test/10.9_dbg_san/sql/handler.cc:3414
          #10 0x55bd7289b95c in rr_sequential(READ_RECORD*) /test/10.9_dbg_san/sql/records.cc:519
          #11 0x55bd7332b8c9 in READ_RECORD::read_record() /test/10.9_dbg_san/sql/records.h:81
          #12 0x55bd7332b8c9 in sub_select(JOIN*, st_join_table*, bool) /test/10.9_dbg_san/sql/sql_select.cc:21114
          #13 0x55bd734fd362 in do_select /test/10.9_dbg_san/sql/sql_select.cc:20640
          #14 0x55bd734fd362 in JOIN::exec_inner() /test/10.9_dbg_san/sql/sql_select.cc:4749
          #15 0x55bd734fec94 in JOIN::exec() /test/10.9_dbg_san/sql/sql_select.cc:4527
          #16 0x55bd734ee58b in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_dbg_san/sql/sql_select.cc:5007
          #17 0x55bd734efef0 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_dbg_san/sql/sql_select.cc:543
          #18 0x55bd7305cfc2 in execute_sqlcom_select /test/10.9_dbg_san/sql/sql_parse.cc:6268
          #19 0x55bd730c2216 in mysql_execute_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:3959
          #20 0x55bd73024728 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_dbg_san/sql/sql_parse.cc:8043
          #21 0x55bd7309a44e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1910
          #22 0x55bd730b0fa9 in do_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1407
          #23 0x55bd73b7dc4b in do_handle_one_connection(CONNECT*, bool) /test/10.9_dbg_san/sql/sql_connect.cc:1418
          #24 0x55bd73b80ae5 in handle_one_connection /test/10.9_dbg_san/sql/sql_connect.cc:1312
          #25 0x55bd760d9c62 in pfs_spawn_thread /test/10.9_dbg_san/storage/perfschema/pfs.cc:2201
          #26 0x14a6f9450608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
       
      Thread T14 created by T0 here:
          #0 0x55bd72563285 in __interceptor_pthread_create (/test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/bin/mariadbd+0x83cb285)
          #1 0x55bd760e918c in my_thread_create /test/10.9_dbg_san/storage/perfschema/my_thread.h:52
          #2 0x55bd760e918c in pfs_spawn_thread_v1 /test/10.9_dbg_san/storage/perfschema/pfs.cc:2252
          #3 0x55bd7268f8ac in inline_mysql_thread_create /test/10.9_dbg_san/include/mysql/psi/mysql_thread.h:1139
          #4 0x55bd7268f8ac in create_thread_to_handle_connection(CONNECT*) /test/10.9_dbg_san/sql/mysqld.cc:5980
          #5 0x55bd726a4d86 in create_new_thread(CONNECT*) /test/10.9_dbg_san/sql/mysqld.cc:6039
          #6 0x55bd726a5561 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/10.9_dbg_san/sql/mysqld.cc:6101
          #7 0x55bd726a7146 in handle_connections_sockets() /test/10.9_dbg_san/sql/mysqld.cc:6225
          #8 0x55bd726ad29c in mysqld_main(int, char**) /test/10.9_dbg_san/sql/mysqld.cc:5875
          #9 0x55bd7267780a in main /test/10.9_dbg_san/sql/main.cc:34
          #10 0x14a6f85ca0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
       
      SUMMARY: AddressSanitizer: use-after-poison /test/10.9_dbg_san/strings/dtoa.c:1476 in my_strtod_int
      Shadow bytes around the buggy address:
        0x0c528001ce00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c528001ce10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c528001ce20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c528001ce30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c528001ce40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0c528001ce50: 00 00 00 f7[06]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c528001ce60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c528001ce70: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c528001ce80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c528001ce90: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c528001cea0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==2353506==ABORTING
      220419 16:09:52 [ERROR] mysqld got signal 6 ;
      This could be because you hit a bug. It is also possible that this binary
      or one of the libraries it was linked against is corrupt, improperly built,
      or misconfigured. This error can also be caused by malfunctioning hardware.
       
      To report this bug, see https://mariadb.com/kb/en/reporting-bugs
       
      We will try our best to scrape up some info that will hopefully help
      diagnose the problem, but since we have already crashed, 
      something is definitely wrong and this may fail.
       
      Server version: 10.9.0-MariaDB-debug
      key_buffer_size=134217728
      read_buffer_size=131072
      max_used_connections=1
      max_threads=153
      thread_count=1
      It is possible that mysqld could use up to 
      key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 468120 K  bytes of memory
      Hope that's ok; if not, decrease some variables in the equation.
       
      Thread pointer: 0x62b00015e288
      Attempting backtrace. You can use the following information to find out
      where mysqld died. If you see no messages after this, something went
      terribly wrong...
      stack_bottom = 0x14a6d622bc90 thread_stack 0x100000
      /test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/bin/mysqld(+0x83fd7b0)[0x55bd725957b0]
      /test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/bin/mysqld(my_print_stacktrace+0xfb)[0x55bd7784d6ee]
      /test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/bin/mysqld(handle_fatal_signal+0xc2d)[0x55bd748e685b]
      sigaction.c:0(__restore_rt)[0x14a6f945c3c0]
      linux/raise.c:51(__GI_raise)[0x14a6f85e903b]
      stdlib/abort.c:81(__GI_abort)[0x14a6f85c8859]
      :0(__sanitizer::Abort())[0x55bd72653d32]
      :0(__sanitizer::Die())[0x55bd7265e8dc]
      :0(__asan::ScopedInErrorReport::~ScopedInErrorReport())[0x55bd7263ff6c]
      :0(__asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool))[0x55bd7263f9e3]
      ??:0(__asan_report_load1)[0x55bd726404cb]
      strings/dtoa.c:1476(my_strtod_int)[0x55bd77a308d6]
      strings/ctype-simple.c:802(my_strntod_8bit)[0x55bd7792e0b9]
      sql/field.h:210(Value_source::Converter_strntod::Converter_strntod(charset_info_st const*, char const*, unsigned long))[0x55bd74f792e0]
      sql/sql_type.cc:5629(Type_handler_string_result::Item_func_hybrid_field_type_val_real(Item_func_hybrid_field_type*) const)[0x55bd7401b82e]
      sql/item_func.h:900(Item_func_hybrid_field_type::val_real())[0x55bd72fbf76d]
      sql/item_cmpfunc.cc:831(Arg_comparator::compare_real())[0x55bd74bd9844]
      sql/item_cmpfunc.cc:1763(Item_func_eq::val_int())[0x55bd74bd30f4]
      sql/sql_select.cc:21193(evaluate_join_record(JOIN*, st_join_table*, int))[0x55bd73286d24]
      sql/sql_select.cc:21103(sub_select(JOIN*, st_join_table*, bool))[0x55bd7332b7dd]
      sql/sql_select.cc:20640(JOIN::exec_inner())[0x55bd734fd363]
      sql/sql_select.cc:4528(JOIN::exec())[0x55bd734fec95]
      sql/sql_select.cc:5007(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55bd734ee58c]
      sql/sql_select.cc:543(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55bd734efef1]
      sql/sql_parse.cc:6268(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55bd7305cfc3]
      sql/sql_parse.cc:3959(mysql_execute_command(THD*, bool))[0x55bd730c2217]
      sql/sql_parse.cc:8043(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x55bd73024729]
      sql/sql_parse.cc:1910(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x55bd7309a44f]
      sql/sql_parse.cc:1407(do_command(THD*, bool))[0x55bd730b0faa]
      sql/sql_connect.cc:1418(do_handle_one_connection(CONNECT*, bool))[0x55bd73b7dc4c]
      sql/sql_connect.cc:1312(handle_one_connection)[0x55bd73b80ae6]
      perfschema/pfs.cc:2204(pfs_spawn_thread)[0x55bd760d9c63]
      nptl/pthread_create.c:478(start_thread)[0x14a6f9450609]
      x86_64/clone.S:97(__GI___clone)[0x14a6f86c5163]
       
      Trying to get some variables.
      Some pointers may be invalid and cause the dump to abort.
      Query (0x6290000e62a8): SELECT * FROM t WHERE COALESCE(c)=0.0
       
      Connection ID (thread ID): 4
      Status: NOT_KILLED
       
      Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off
       
      The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains
      information that should help you find out what is causing the crash.
      Writing a core file...
      Working directory at /test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/data
      Resource Limits:
      Limit                     Soft Limit           Hard Limit           Units     
      Max cpu time              unlimited            unlimited            seconds   
      Max file size             unlimited            unlimited            bytes     
      Max data size             unlimited            unlimited            bytes     
      Max stack size            unlimited            unlimited            bytes     
      Max core file size        0                    0                    bytes     
      Max resident set          unlimited            unlimited            bytes     
      Max processes             unlimited            unlimited            processes 
      Max open files            1048576              1048576              files     
      Max locked memory         unlimited            unlimited            bytes     
      Max address space         unlimited            unlimited            bytes     
      Max file locks            unlimited            unlimited            locks     
      Max pending signals       unlimited            unlimited            signals   
      Max msgqueue size         unlimited            unlimited            bytes     
      Max nice priority         0                    0                    
      Max realtime priority     0                    0                    
      Max realtime timeout      unlimited            unlimited            us        
      Core pattern: core
      

      Setup:

      Compiled with GCC >=7.5.0 (I use GCC 9.4.0) and:
          -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON
      Set before execution:
          export ASAN_OPTIONS=quarantine_size_mb=512:atexit=1:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1
      

      Bug confirmed present in:
      MariaDB: 10.2.44 (dbg), 10.2.44 (opt), 10.3.35 (dbg), 10.3.35 (opt), 10.4.25 (dbg), 10.4.25 (opt), 10.5.16 (dbg), 10.5.16 (opt), 10.6.8 (dbg), 10.6.8 (opt), 10.7.4 (dbg), 10.7.4 (opt), 10.8.3 (dbg), 10.8.3 (opt), 10.9.0 (dbg), 10.9.0 (opt)

      Note, MyISAM is not affected.

      The problem is also repeatable with this script, without COALESCE:

      DROP TABLE t;
      CREATE TABLE t (c BLOB) ENGINE=InnoDB;
      INSERT INTO t VALUES ('0.0e'),('0.0e+0');
      SELECT * FROM t WHERE c=0.0;
      

          Activity

            Roel Van de Paar created issue
            Roel Van de Paar made changes -
            Summary: "AddressSanitizer: use-after-poison in my_strtod_int in strings/dtoa.c" changed to "ASAN: use-after-poison in my_strtod_int in strings/dtoa.c"
            Roel Van de Paar added a comment - edited

            A variety of issues are observed with this testcase run across various server versions. UniqueID's(/stacks):

            ASAN|use-after-poison|strings/dtoa.c|my_strtod_int|my_strtod|Value_source::Converter_strntod::Converter_strntod|Value_source::Converter_strntod_with_warn::Converter_strntod_with_warn
            ASAN|use-after-poison|strings/dtoa.c|my_strtod_int|my_strtod|charset_info_st::strntod|Value_source::Converter_strntod::Converter_strntod
            ASAN|use-after-poison|strings/dtoa.c|my_strtod_int|my_strtod|my_strntod_8bit|Value_source::Converter_strntod::Converter_strntod
            ASAN|use-after-poison|strings/dtoa.c|my_strtod_int|my_strtod|my_strntod_8bit|charset_info_st::strntod
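
The UniqueID lines above combine the ASAN error type, the source file of frame #0 and the first four function names of the faulting stack. The following is an added example, not part of the original issue or of MariaDB's tooling, that rebuilds such an ID from report text and buckets reports by it; the ID layout, the four-frame depth and the `SOURCE_ROOTS` path rule are assumptions inferred from the IDs on this page, and the two sample reports are abridged from the traces on this page.

```python
import re
from dataclasses import dataclass, field

# Assumption: top-level source directories, used to cut the build prefix so
# that /test/10.9_dbg_san/strings/dtoa.c becomes strings/dtoa.c.
SOURCE_ROOTS = ("sql", "strings", "storage", "include", "mysys")

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at ")
FRAME_RE = re.compile(r"^#\d+\s+0x[0-9a-fA-F]+\s+in\s+(.+)\s+(\S+)$")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")

# Sample input: abridged from the debug-build report on this page.
DBG_REPORT = """
==2353506==ERROR: AddressSanitizer: use-after-poison on address 0x6290001272a6 at pc 0x55bd77a308d6 bp 0x14a6d6226560 sp 0x14a6d6226550
READ of size 1 at 0x6290001272a6 thread T14
    #0 0x55bd77a308d5 in my_strtod_int /test/10.9_dbg_san/strings/dtoa.c:1476
    #1 0x55bd77a308d5 in my_strtod /test/10.9_dbg_san/strings/dtoa.c:469
    #2 0x55bd7792e0b8 in my_strntod_8bit /test/10.9_dbg_san/strings/ctype-simple.c:801
    #3 0x55bd74f792df in charset_info_st::strntod(char*, unsigned long, char**, int*) const /test/10.9_dbg_san/include/m_ctype.h:788
    #4 0x55bd74f792df in Value_source::Converter_strntod::Converter_strntod(charset_info_st const*, char const*, unsigned long) /test/10.9_dbg_san/sql/field.h:210

0x6290001272a6 is located 166 bytes inside of 16536-byte region [0x629000127200,0x62900012b298)
"""

# Sample input: abridged from the PROCEDURE ANALYSE() report on this page.
OPT_REPORT = """
==2692135==ERROR: AddressSanitizer: use-after-poison on address 0x6290000a028b at pc 0x56381851de94 bp 0x152b2838ded0 sp 0x152b2838dec0
READ of size 1 at 0x6290000a028b thread T16
    #0 0x56381851de93 in my_strtod_int /test/10.9_opt_san/strings/dtoa.c:1430
    #1 0x56381851de93 in my_strtod /test/10.9_opt_san/strings/dtoa.c:469
    #2 0x563818525a7d in my_atof /test/10.9_opt_san/strings/dtoa.c:478
    #3 0x56381647e49a in test_if_number(st_number_info*, char const*, unsigned int) /test/10.9_opt_san/sql/sql_analyse.cc:261
    #4 0x5638164863fc in field_str::add() /test/10.9_opt_san/sql/sql_analyse.cc:329

0x6290000a028b is located 139 bytes inside of 16512-byte region [0x6290000a0200,0x6290000a4280)
"""


@dataclass
class AsanReport:
    error: str = ""
    access: str = ""
    size: int = 0
    offset: int = -1          # bytes into the heap region
    region_size: int = -1
    frames: list = field(default_factory=list)  # (function, file) of faulting stack


def function_name(signature):
    """Drop the argument list and qualifiers: 'a::b(int) const' -> 'a::b'."""
    return signature.split("(", 1)[0].strip()


def source_file(location):
    """'/test/10.9_dbg_san/strings/dtoa.c:1476' -> 'strings/dtoa.c'."""
    parts = location.rsplit(":", 1)[0].split("/")
    for i, part in enumerate(parts):
        if part in SOURCE_ROOTS:
            return "/".join(parts[i:])
    return "/".join(parts)    # e.g. a libc frame without source information


def parse_report(text):
    """Parse the header, the faulting stack and the region line of one report."""
    report, in_stack, stack_done = AsanReport(), False, False
    for raw in text.splitlines():
        line = raw.strip()
        if not report.error:
            m = ERROR_RE.search(line)
            if m:
                report.error = m.group(1)
            continue
        m = ACCESS_RE.match(line)
        if m and not report.access:
            report.access, report.size = m.group(1), int(m.group(2))
            continue
        m = FRAME_RE.match(line)
        if m and not stack_done:
            report.frames.append((function_name(m.group(1)), source_file(m.group(2))))
            in_stack = True
            continue
        if in_stack:
            stack_done = True  # first non-frame line ends the faulting stack
        m = REGION_RE.search(line)
        if m:
            report.offset, report.region_size = int(m.group(1)), int(m.group(2))
            break              # allocation and thread stacks are not part of the ID
    return report


def unique_id(report, depth=4):
    """ASAN|<error>|<file of frame #0>|<first `depth` function names>."""
    if not report.frames:
        raise ValueError("report has no faulting stack")
    names = [name for name, _ in report.frames[:depth]]
    return "|".join(["ASAN", report.error, report.frames[0][1]] + names)


def triage(reports):
    """Group labelled report texts by UniqueID: {id: [labels]}."""
    buckets = {}
    for label, text in reports.items():
        buckets.setdefault(unique_id(parse_report(text)), []).append(label)
    return buckets
```

Both samples fault in `my_strtod_int` but get different IDs because the callers differ, which is why the summary was later extended to name both `charset_info_st::strntod` and `test_if_number`.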
            

            Roel Van de Paar made changes -
            Summary: "ASAN: use-after-poison in my_strtod_int in strings/dtoa.c" changed to "ASAN: use-after-poison in my_strtod_int in strings/dtoa.c from charset_info_st::strntod"

            Additional testcase with a different stack but similar testcase.

            CREATE TABLE t (c BLOB) ENGINE=InnoDB;
            INSERT INTO t VALUES (1.3),(1.1);
            SELECT * FROM t PROCEDURE ANALYSE();          
            

            Leads to:

            10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Optimized)

            ==2692135==ERROR: AddressSanitizer: use-after-poison on address 0x6290000a028b at pc 0x56381851de94 bp 0x152b2838ded0 sp 0x152b2838dec0
            SUMMARY: AddressSanitizer: use-after-poison /test/10.9_opt_san/strings/dtoa.c:1430 in my_strtod_int
            

            Setup:

            Compiled with GCC >=7.5.0 (I use GCC 9.4.0) and:
                -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON
            Set before execution:
                export ASAN_OPTIONS=quarantine_size_mb=512:atexit=1:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1
            

            Full stack:

            10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Optimized)

            ==2692135==ERROR: AddressSanitizer: use-after-poison on address 0x6290000a028b at pc 0x56381851de94 bp 0x152b2838ded0 sp 0x152b2838dec0
            READ of size 1 at 0x6290000a028b thread T16
                #0 0x56381851de93 in my_strtod_int /test/10.9_opt_san/strings/dtoa.c:1430
                #1 0x56381851de93 in my_strtod /test/10.9_opt_san/strings/dtoa.c:469
                #2 0x563818525a7d in my_atof /test/10.9_opt_san/strings/dtoa.c:478
                #3 0x56381647e49a in test_if_number(st_number_info*, char const*, unsigned int) /test/10.9_opt_san/sql/sql_analyse.cc:261
                #4 0x5638164863fc in field_str::add() /test/10.9_opt_san/sql/sql_analyse.cc:329
                #5 0x56381645d23d in analyse::send_row(List<Item>&) /test/10.9_opt_san/sql/sql_analyse.cc:673
                #6 0x56381439702f in end_send /test/10.9_opt_san/sql/sql_select.cc:22310
                #7 0x5638142a9ca9 in evaluate_join_record /test/10.9_opt_san/sql/sql_select.cc:21325
                #8 0x5638142f6933 in sub_select(JOIN*, st_join_table*, bool) /test/10.9_opt_san/sql/sql_select.cc:21095
                #9 0x5638144a2123 in do_select /test/10.9_opt_san/sql/sql_select.cc:20640
                #10 0x5638144a2123 in JOIN::exec_inner() /test/10.9_opt_san/sql/sql_select.cc:4749
                #11 0x5638144a69f9 in JOIN::exec() /test/10.9_opt_san/sql/sql_select.cc:4527
                #12 0x563814494b61 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_opt_san/sql/sql_select.cc:5007
                #13 0x563814498a73 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_opt_san/sql/sql_select.cc:543
                #14 0x5638140afcdf in execute_sqlcom_select /test/10.9_opt_san/sql/sql_parse.cc:6268
                #15 0x5638140ef88b in mysql_execute_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:3959
                #16 0x56381407f0a8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_opt_san/sql/sql_parse.cc:8043
                #17 0x5638140d5439 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_opt_san/sql/sql_parse.cc:1910
                #18 0x5638140e0c92 in do_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:1407
                #19 0x5638149cbd3d in do_handle_one_connection(CONNECT*, bool) /test/10.9_opt_san/sql/sql_connect.cc:1418
                #20 0x5638149ce834 in handle_one_connection /test/10.9_opt_san/sql/sql_connect.cc:1312
                #21 0x563816acc1f9 in pfs_spawn_thread /test/10.9_opt_san/storage/perfschema/pfs.cc:2201
                #22 0x152b4b6af608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
                #23 0x152b4a924162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)
             
            0x6290000a028b is located 139 bytes inside of 16512-byte region [0x6290000a0200,0x6290000a4280)
            allocated by thread T16 here:
                #0 0x563813842528 in malloc (/test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-opt/bin/mariadbd+0x8062528)
                #1 0x563817330048 in ut_allocator<unsigned char, true>::allocate(unsigned long, unsigned char const*, unsigned int, bool, bool) /test/10.9_opt_san/storage/innobase/include/ut0new.h:375
                #2 0x563817330048 in mem_heap_create_block_func(mem_block_info_t*, unsigned long, unsigned long) /test/10.9_opt_san/storage/innobase/mem/mem0mem.cc:277
                #3 0x56381769bb50 in mem_heap_create_func /test/10.9_opt_san/storage/innobase/include/mem0mem.inl:377
                #4 0x56381769bb50 in row_sel_store_mysql_field /test/10.9_opt_san/storage/innobase/row/row0sel.cc:3050
                #5 0x56381769e22b in row_sel_store_mysql_rec /test/10.9_opt_san/storage/innobase/row/row0sel.cc:3196
                #6 0x5638176bc007 in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /test/10.9_opt_san/storage/innobase/row/row0sel.cc:5653
                #7 0x56381705d198 in ha_innobase::index_read(unsigned char*, unsigned char const*, unsigned int, ha_rkey_function) /test/10.9_opt_san/storage/innobase/handler/ha_innodb.cc:9007
                #8 0x56381705faae in ha_innobase::index_first(unsigned char*) /test/10.9_opt_san/storage/innobase/handler/ha_innodb.cc:9376
                #9 0x56381705faae in ha_innobase::rnd_next(unsigned char*) /test/10.9_opt_san/storage/innobase/handler/ha_innodb.cc:9469
                #10 0x5638155a0b2f in handler::ha_rnd_next(unsigned char*) /test/10.9_opt_san/sql/handler.cc:3414
                #11 0x563813a48858 in rr_sequential(READ_RECORD*) /test/10.9_opt_san/sql/records.cc:519
                #12 0x5638142f67a5 in sub_select(JOIN*, st_join_table*, bool) /test/10.9_opt_san/sql/sql_select.cc:21092
                #13 0x5638144a2123 in do_select /test/10.9_opt_san/sql/sql_select.cc:20640
                #14 0x5638144a2123 in JOIN::exec_inner() /test/10.9_opt_san/sql/sql_select.cc:4749
                #15 0x5638144a69f9 in JOIN::exec() /test/10.9_opt_san/sql/sql_select.cc:4527
                #16 0x563814494b61 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_opt_san/sql/sql_select.cc:5007
                #17 0x563814498a73 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_opt_san/sql/sql_select.cc:543
                #18 0x5638140afcdf in execute_sqlcom_select /test/10.9_opt_san/sql/sql_parse.cc:6268
                #19 0x5638140ef88b in mysql_execute_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:3959
                #20 0x56381407f0a8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_opt_san/sql/sql_parse.cc:8043
                #21 0x5638140d5439 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_opt_san/sql/sql_parse.cc:1910
                #22 0x5638140e0c92 in do_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:1407
                #23 0x5638149cbd3d in do_handle_one_connection(CONNECT*, bool) /test/10.9_opt_san/sql/sql_connect.cc:1418
                #24 0x5638149ce834 in handle_one_connection /test/10.9_opt_san/sql/sql_connect.cc:1312
                #25 0x563816acc1f9 in pfs_spawn_thread /test/10.9_opt_san/storage/perfschema/pfs.cc:2201
                #26 0x152b4b6af608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
             
            Thread T16 created by T0 here:
                #0 0x56381376f565 in __interceptor_pthread_create (/test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-opt/bin/mariadbd+0x7f8f565)
                #1 0x563816ad566a in my_thread_create /test/10.9_opt_san/storage/perfschema/my_thread.h:52
                #2 0x563816ad566a in pfs_spawn_thread_v1 /test/10.9_opt_san/storage/perfschema/pfs.cc:2252
                #3 0x5638138962a5 in inline_mysql_thread_create /test/10.9_opt_san/include/mysql/psi/mysql_thread.h:1139
                #4 0x5638138962a5 in create_thread_to_handle_connection(CONNECT*) /test/10.9_opt_san/sql/mysqld.cc:5980
                #5 0x5638138aa0c0 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/10.9_opt_san/sql/mysqld.cc:6101
                #6 0x5638138ab423 in handle_connections_sockets() /test/10.9_opt_san/sql/mysqld.cc:6225
                #7 0x5638138af069 in mysqld_main(int, char**) /test/10.9_opt_san/sql/mysqld.cc:5875
                #8 0x152b4a8290b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
             
            SUMMARY: AddressSanitizer: use-after-poison /test/10.9_opt_san/strings/dtoa.c:1430 in my_strtod_int
            Shadow bytes around the buggy address:
              0x0c528000c000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c528000c010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c528000c020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c528000c030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c528000c040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            =>0x0c528000c050: f7[03]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c528000c060: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c528000c070: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c528000c080: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c528000c090: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c528000c0a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable:           00
              Partially addressable: 01 02 03 04 05 06 07 
              Heap left redzone:       fa
              Freed heap region:       fd
              Stack left redzone:      f1
              Stack mid redzone:       f2
              Stack right redzone:     f3
              Stack after return:      f5
              Stack use after scope:   f8
              Global redzone:          f9
              Global init order:       f6
              Poisoned by user:        f7
              Container overflow:      fc
              Array cookie:            ac
              Intra object redzone:    bb
              ASan internal:           fe
              Left alloca redzone:     ca
              Right alloca redzone:    cb
              Shadow gap:              cc
            ==2692135==ABORTING
            220419 16:40:04 [ERROR] mysqld got signal 6 ;
            This could be because you hit a bug. It is also possible that this binary
            or one of the libraries it was linked against is corrupt, improperly built,
            or misconfigured. This error can also be caused by malfunctioning hardware.
             
            To report this bug, see https://mariadb.com/kb/en/reporting-bugs
             
            We will try our best to scrape up some info that will hopefully help
            diagnose the problem, but since we have already crashed, 
            something is definitely wrong and this may fail.
             
            Server version: 10.9.0-MariaDB
            key_buffer_size=134217728
            read_buffer_size=131072
            max_used_connections=1
            max_threads=153
            thread_count=1
            It is possible that mysqld could use up to 
            key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 467995 K  bytes of memory
            Hope that's ok; if not, decrease some variables in the equation.
             
            Thread pointer: 0x62b00015e218
            Attempting backtrace. You can use the following information to find out
            where mysqld died. If you see no messages after this, something went
            terribly wrong...
            stack_bottom = 0x152b283928b0 thread_stack 0x5fc00
            asan_interceptors.o:0(__interceptor_backtrace.part.0)[0x5638137a1a90]
            mysys/stacktrace.c:213(my_print_stacktrace)[0x563818280a99]
            sql/signal_handler.cc:226(handle_fatal_signal)[0x563815575a82]
            sigaction.c:0(__restore_rt)[0x152b4b6bb3c0]
            linux/raise.c:51(__GI_raise)[0x152b4a84803b]
            stdlib/abort.c:81(__GI_abort)[0x152b4a827859]
            :0(__sanitizer::Abort())[0x563813860012]
            :0(__sanitizer::Die())[0x56381386abbc]
            :0(__asan::ScopedInErrorReport::~ScopedInErrorReport())[0x56381384c24c]
            :0(__asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool))[0x56381384bcc3]
            ??:0(__asan_report_load1)[0x56381384c7ab]
            strings/dtoa.c:1430(my_strtod_int)[0x56381851de94]
            strings/dtoa.c:475(my_atof)[0x563818525a7e]
            sql/sql_analyse.cc:261(test_if_number(st_number_info*, char const*, unsigned int))[0x56381647e49b]
            sql/sql_analyse.cc:329(field_str::add())[0x5638164863fd]
            sql/sql_analyse.cc:671(analyse::send_row(List<Item>&))[0x56381645d23e]
            sql/sql_select.cc:22310(end_send(JOIN*, st_join_table*, bool))[0x563814397030]
            sql/sql_select.cc:21326(evaluate_join_record(JOIN*, st_join_table*, int))[0x5638142a9caa]
            sql/sql_select.cc:21103(sub_select(JOIN*, st_join_table*, bool))[0x5638142f6934]
            sql/sql_select.cc:20640(JOIN::exec_inner())[0x5638144a2124]
            sql/sql_select.cc:4528(JOIN::exec())[0x5638144a69fa]
            sql/sql_select.cc:5009(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x563814494b62]
            sql/sql_select.cc:543(handle_select(THD*, LEX*, select_result*, unsigned long))[0x563814498a74]
            sql/sql_parse.cc:6268(execute_sqlcom_select(THD*, TABLE_LIST*))[0x5638140afce0]
            sql/sql_parse.cc:3959(mysql_execute_command(THD*, bool))[0x5638140ef88c]
            sql/sql_parse.cc:8060(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x56381407f0a9]
            sql/sql_parse.cc:1912(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x5638140d543a]
            sql/sql_parse.cc:1409(do_command(THD*, bool))[0x5638140e0c93]
            sql/sql_connect.cc:1418(do_handle_one_connection(CONNECT*, bool))[0x5638149cbd3e]
            sql/sql_connect.cc:1312(handle_one_connection)[0x5638149ce835]
            perfschema/pfs.cc:2204(pfs_spawn_thread)[0x563816acc1fa]
            nptl/pthread_create.c:478(start_thread)[0x152b4b6af609]
            x86_64/clone.S:97(__GI___clone)[0x152b4a924163]
             
            Trying to get some variables.
            Some pointers may be invalid and cause the dump to abort.
            Query (0x629000087238): SELECT * FROM t PROCEDURE ANALYSE()
             
            Connection ID (thread ID): 4
            Status: NOT_KILLED
             
            Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off
             
            The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains
            information that should help you find out what is causing the crash.
            Writing a core file...
            Working directory at /test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-opt/data
            Resource Limits:
            Limit                     Soft Limit           Hard Limit           Units     
            Max cpu time              unlimited            unlimited            seconds   
            Max file size             unlimited            unlimited            bytes     
            Max data size             unlimited            unlimited            bytes     
            Max stack size            unlimited            unlimited            bytes     
            Max core file size        0                    0                    bytes     
            Max resident set          unlimited            unlimited            bytes     
            Max processes             unlimited            unlimited            processes 
            Max open files            1048576              1048576              files     
            Max locked memory         unlimited            unlimited            bytes     
            Max address space         unlimited            unlimited            bytes     
            Max file locks            unlimited            unlimited            locks     
            Max pending signals       unlimited            unlimited            signals   
            Max msgqueue size         unlimited            unlimited            bytes     
            Max nice priority         0                    0                    
            Max realtime priority     0                    0                    
            Max realtime timeout      unlimited            unlimited            us        
            Core pattern: core
            

            Bug confirmed present in:
            MariaDB: 10.2.44 (dbg), 10.2.44 (opt), 10.3.35 (dbg), 10.3.35 (opt), 10.4.25 (dbg), 10.4.25 (opt), 10.5.16 (dbg), 10.5.16 (opt), 10.6.8 (dbg), 10.6.8 (opt), 10.7.4 (dbg), 10.7.4 (opt), 10.8.3 (dbg), 10.8.3 (opt), 10.9.0 (dbg), 10.9.0 (opt)

            Roel Van de Paar added a comment (shown in full above).

            On all versions the second testcase (previous comment) produces this UniqueID(/stack):

            ASAN|use-after-poison|strings/dtoa.c|my_strtod_int|my_strtod|my_atof|test_if_number
            

            Roel Van de Paar added a comment (shown in full above).
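The UniqueID quoted above and the marked shadow row in the second testcase's report can both be derived mechanically from the ASAN output. The Python below is an added illustration, not part of the original report or of MariaDB's QA tooling. The signature rule (error kind, top frame's source file relative to a two-component build root, first four function names) is an assumption inferred from the single UniqueID shown, and the shadow mapping assumes ASan's default x86_64 Linux offset 0x7fff8000.

```python
import re

# Excerpt copied from the second testcase's report on this page (10.9.0, optimized):
# header, access line, first four frames and the marked shadow row.
REPORT = """\
==2692135==ERROR: AddressSanitizer: use-after-poison on address 0x6290000a028b at pc 0x56381851de94 bp 0x152b2838ded0 sp 0x152b2838dec0
READ of size 1 at 0x6290000a028b thread T16
    #0 0x56381851de93 in my_strtod_int /test/10.9_opt_san/strings/dtoa.c:1430
    #1 0x56381851de93 in my_strtod /test/10.9_opt_san/strings/dtoa.c:469
    #2 0x563818525a7d in my_atof /test/10.9_opt_san/strings/dtoa.c:478
    #3 0x56381647e49a in test_if_number(st_number_info*, char const*, unsigned int) /test/10.9_opt_san/sql/sql_analyse.cc:261

=>0x0c528000c050: f7[03]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
"""

SHADOW_OFFSET = 0x7FFF8000  # assumption: ASan default for x86_64 Linux
GRANULE = 8                 # "one shadow byte represents 8 application bytes"

HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^\s*(READ|WRITE) of size (\d+)", re.M)
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.+) (/\S+):(\d+)\s*$")
MARKED_ROW = re.compile(r"^\s*=>(0x[0-9a-f]+):(.*)$", re.M)


def parse_header(report):
    """Return (error kind, faulting address, access size in bytes)."""
    h = HEADER.search(report)
    a = ACCESS.search(report)
    if not h or not a:
        raise ValueError("not an ASan memory-access report")
    return h.group(1), int(h.group(2), 16), int(a.group(2))


def first_stack(report):
    """Frames of the first (faulting) stack as (function, path, line)."""
    frames = []
    for line in report.splitlines():
        m = FRAME.match(line)
        if m:
            func = m.group(1).split("(")[0]  # drop the C++ argument list
            frames.append((func, m.group(2), int(m.group(3))))
        elif frames:
            break  # the first stack ends at the first non-frame line
    return frames


def signature(report, build_root_depth=2, depth=4):
    """Build a dedup key in the shape of the UniqueID shown on this page."""
    kind, _, _ = parse_header(report)
    frames = first_stack(report)
    if not frames:
        raise ValueError("no symbolised frames in report")
    # "/test/10.9_opt_san/strings/dtoa.c" -> "strings/dtoa.c"
    rel = "/".join(frames[0][1].split("/")[1 + build_root_depth:])
    return "|".join(["ASAN", kind, rel] + [f[0] for f in frames[:depth]])


def shadow_address(addr):
    """Application address -> address of its shadow byte."""
    return (addr >> 3) + SHADOW_OFFSET


def explain_access(report):
    """Relate the faulting address to the bracketed cell of the '=>' row."""
    _, addr, size = parse_header(report)
    row = MARKED_ROW.search(report)
    if not row:
        raise ValueError("no marked shadow row in report")
    cells = re.findall(r"(\[?)([0-9a-f]{2})", row.group(2))
    marked = [i for i, (bracket, _) in enumerate(cells) if bracket]
    if len(marked) != 1:
        raise ValueError("expected exactly one bracketed shadow byte")
    value = int(cells[marked[0]][1], 16)
    offset = addr % GRANULE
    if value == 0:
        past = 0                                 # whole granule addressable
    elif value < GRANULE:
        past = max(0, offset + size - value)     # only the first `value` bytes are valid
    else:
        past = None                              # whole granule poisoned or redzone
    return {
        "shadow_addr": shadow_address(addr),
        "row_matches": int(row.group(1), 16) + marked[0] == shadow_address(addr),
        "shadow_byte": value,
        "offset": offset,
        "bytes_past_valid": past,
    }


if __name__ == "__main__":
    print(signature(REPORT))
    print(explain_access(REPORT))
```

For this report the marked shadow byte is 03 and the faulting address sits at offset 3 of its 8-byte granule, so the 1-byte read lands on the first byte after the three addressable ones.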
            Roel Roel Van de Paar made changes -
            Summary: "ASAN: use-after-poison in my_strtod_int in strings/dtoa.c from charset_info_st::strntod" → "ASAN: use-after-poison in my_strtod_int in strings/dtoa.c from charset_info_st::strntod or test_if_number"
            Roel Roel Van de Paar made changes -
            Summary: "ASAN: use-after-poison in my_strtod_int in strings/dtoa.c from charset_info_st::strntod or test_if_number" → "ASAN: use-after-poison in my_strtod_int, from charset_info_st::strntod or test_if_number"
            Roel Roel Van de Paar made changes -
            Summary: "ASAN: use-after-poison in my_strtod_int, from charset_info_st::strntod or test_if_number" → "ASAN: use-after-poison in my_strtod_int from charset_info_st::strntod or test_if_number"
            ralf.gebhardt Ralf Gebhardt made changes -
            Fix Version/s 10.2 [ 14601 ]
            julien.fritsch Julien Fritsch made changes -
            Fix Version/s 10.7 [ 24805 ]
            julien.fritsch Julien Fritsch made changes -
            Fix Version/s 10.3 [ 22126 ]
            Roel Roel Van de Paar made changes -
            Summary: "ASAN: use-after-poison in my_strtod_int from charset_info_st::strntod or test_if_number" → "ASAN: use-after-poison or unknown-crash in my_strtod_int from charset_info_st::strntod or test_if_number"
            Roel Roel Van de Paar added a comment - - edited

            The following testcase:

            SET sql_mode='';
            CREATE TABLE t (c CHAR(10) KEY);
            INSERT INTO t VALUES (1.755555555);
            SELECT * FROM t PROCEDURE ANALYSE();
            

            Leads to an ASAN unknown-crash in my_strtod_int:

            11.0.2 8e55d7ea4a2f94ae3f38fdd8785778612d4b1203 (Debug)

            ==1748305==ERROR: AddressSanitizer: unknown-crash on address 0x619000072bd3 at pc 0x55779f73fddb bp 0x153979372090 sp 0x153979372080
            READ of size 1 at 0x619000072bd3 thread T34
                #0 0x55779f73fdda in my_strtod_int /test/11.0_dbg_san/strings/dtoa.c:1430
                #1 0x55779f73fdda in my_strtod /test/11.0_dbg_san/strings/dtoa.c:469
                #2 0x55779f7438a7 in my_atof /test/11.0_dbg_san/strings/dtoa.c:478
                #3 0x55779dee8585 in test_if_number(st_number_info*, char const*, unsigned int) /test/11.0_dbg_san/sql/sql_analyse.cc:261
                #4 0x55779deed819 in field_str::add() /test/11.0_dbg_san/sql/sql_analyse.cc:329
                #5 0x55779dec4ef5 in analyse::send_row(List<Item>&) /test/11.0_dbg_san/sql/sql_analyse.cc:669
                #6 0x55779bb0af80 in end_send /test/11.0_dbg_san/sql/sql_select.cc:24281
                #7 0x55779bc0514e in do_select /test/11.0_dbg_san/sql/sql_select.cc:22496
                #8 0x55779bc0514e in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4895
                #9 0x55779bc07a3c in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4672
                #10 0x55779bbf61fa in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5153
                #11 0x55779bbfa655 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:611
                #12 0x55779b779e35 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6267
                #13 0x55779b7db190 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949
                #14 0x55779b80aaa8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:7999
                #15 0x55779b81a83c in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
                #16 0x55779b828641 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
                #17 0x55779c1ec91b in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
                #18 0x55779c1ede36 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
                #19 0x15399e294b42 in start_thread nptl/pthread_create.c:442
                #20 0x15399e3269ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
             
            0x619000072bd3 is located 83 bytes inside of 1040-byte region [0x619000072b80,0x619000072f90)
            allocated by thread T34 here:
                #0 0x55779ae90337 in __interceptor_malloc (/test/UBASAN_MD070423-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7936337)
                #1 0x55779f579598 in my_malloc /test/11.0_dbg_san/mysys/my_malloc.c:91
                #2 0x55779f557db7 in root_alloc /test/11.0_dbg_san/mysys/my_alloc.c:71
                #3 0x55779f559207 in alloc_root /test/11.0_dbg_san/mysys/my_alloc.c:337
                #4 0x55779f55ac21 in strmake_root /test/11.0_dbg_san/mysys/my_alloc.c:596
                #5 0x55779c030fef in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /test/11.0_dbg_san/sql/table.cc:4265
                #6 0x55779b391f01 in open_table(THD*, TABLE_LIST*, Open_table_context*) /test/11.0_dbg_san/sql/sql_base.cc:2178
                #7 0x55779b3a9a32 in open_and_process_table /test/11.0_dbg_san/sql/sql_base.cc:4108
                #8 0x55779b3a9a32 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /test/11.0_dbg_san/sql/sql_base.cc:4595
                #9 0x55779b3b08dc in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /test/11.0_dbg_san/sql/sql_base.cc:5570
                #10 0x55779b5cd4b6 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /test/11.0_dbg_san/sql/sql_base.h:510
                #11 0x55779b5cd4b6 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /test/11.0_dbg_san/sql/sql_insert.cc:767
                #12 0x55779b7e5286 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:4569
                #13 0x55779b80aaa8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:7999
                #14 0x55779b81a83c in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
                #15 0x55779b828641 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
                #16 0x55779c1ec91b in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
                #17 0x55779c1ede36 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
                #18 0x15399e294b42 in start_thread nptl/pthread_create.c:442
             
            Thread T34 created by T0 here:
                #0 0x55779ae34175 in __interceptor_pthread_create (/test/UBASAN_MD070423-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x78da175)
                #1 0x55779aeea723 in create_thread_to_handle_connection(CONNECT*) /test/11.0_dbg_san/sql/mysqld.cc:6126
                #2 0x55779aef7d3c in create_new_thread(CONNECT*) /test/11.0_dbg_san/sql/mysqld.cc:6188
                #3 0x55779aef85bc in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.0_dbg_san/sql/mysqld.cc:6250
                #4 0x55779aef960d in handle_connections_sockets() /test/11.0_dbg_san/sql/mysqld.cc:6374
                #5 0x55779af00d91 in mysqld_main(int, char**) /test/11.0_dbg_san/sql/mysqld.cc:6021
                #6 0x55779aed5eca in main /test/11.0_dbg_san/sql/main.cc:34
                #7 0x15399e229d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
             
            SUMMARY: AddressSanitizer: unknown-crash /test/11.0_dbg_san/strings/dtoa.c:1430 in my_strtod_int
            Shadow bytes around the buggy address:
              0x0c3280006520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c3280006530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c3280006540: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
              0x0c3280006550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c3280006560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
            =>0x0c3280006570: 00 00 00 00 00 00 f7 02 f7 00[03]00 03 f7 00 00
              0x0c3280006580: f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c3280006590: f7 00 f7 f7 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c32800065a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c32800065b0: f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c32800065c0: 00 00 00 00 00 00 00 00 f7 00 00 00 00 f7 f7 00
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable:           00
              Partially addressable: 01 02 03 04 05 06 07 
              Heap left redzone:       fa
              Freed heap region:       fd
              Stack left redzone:      f1
              Stack mid redzone:       f2
              Stack right redzone:     f3
              Stack after return:      f5
              Stack use after scope:   f8
              Global redzone:          f9
              Global init order:       f6
              Poisoned by user:        f7
              Container overflow:      fc
              Array cookie:            ac
              Intra object redzone:    bb
              ASan internal:           fe
              Left alloca redzone:     ca
              Right alloca redzone:    cb
              Shadow gap:              cc
            ==1748305==ABORTING
            

            Present in all versions 10.4+, in both debug and optimized.

            Roel Roel Van de Paar added a comment - edited
            Roel Roel Van de Paar made changes -
            Labels ASAN ASAN UBSAN
            Roel Roel Van de Paar made changes -
            Affects Version/s 10.10 [ 27530 ]
            Affects Version/s 10.11 [ 27614 ]
            Affects Version/s 11.0 [ 28320 ]
            Affects Version/s 11.1 [ 28549 ]
            Roel Roel Van de Paar made changes -
            Fix Version/s 10.9 [ 26905 ]
            Fix Version/s 10.10 [ 27530 ]
            Fix Version/s 10.11 [ 27614 ]
            Fix Version/s 11.0 [ 28320 ]
            Fix Version/s 11.1 [ 28549 ]
            Roel Roel Van de Paar made changes -
            Status Open [ 1 ] Confirmed [ 10101 ]
            Roel Roel Van de Paar made changes -
            Summary ASAN: use-after-poison or unknown-crash in my_strtod_int from charset_info_st::strntod or test_if_number ASAN: use-after-poison or unknown-crash in my_strtod_int from charset_info_st::strntod or test_if_number, UBSAN: signed integer overflow: X * Y cannot be represented in type 'long long int' in sql/sql_analyse.cc
            Roel Roel Van de Paar made changes -
            Summary ASAN: use-after-poison or unknown-crash in my_strtod_int from charset_info_st::strntod or test_if_number, UBSAN: signed integer overflow: X * Y cannot be represented in type 'long long int' in sql/sql_analyse.cc ASAN: use-after-poison or unknown-crash in my_strtod_int from charset_info_st::strntod or test_if_number, and UBSAN: signed integer overflow: X * Y cannot be represented in type 'long long int' in sql/sql_analyse.cc
            Roel Roel Van de Paar made changes -
            Labels ASAN UBSAN ASAN UBSAN unknown-crash
            Roel Roel Van de Paar made changes -
            Affects Version/s 11.2 [ 28603 ]
            Roel Roel Van de Paar made changes -
            Fix Version/s 11.2 [ 28603 ]
            julien.fritsch Julien Fritsch made changes -
            Fix Version/s 10.9 [ 26905 ]
            julien.fritsch Julien Fritsch made changes -
            Fix Version/s 10.10 [ 27530 ]
            julien.fritsch Julien Fritsch made changes -
            Fix Version/s 11.0 [ 28320 ]

            Another testcase to check

            CREATE TABLE t1 (c1 MEDIUMBLOB NOT NULL);
            INSERT INTO t1 VALUES ('1e+');
            SELECT AVG(c1) AS VALUE FROM t1 WHERE c1 <> 0;
            

            Given the variety of scenarios this is seen in, perhaps the prio needs upgrading?

            Roel Roel Van de Paar added a comment
            Roel Roel Van de Paar made changes -
            Labels ASAN UBSAN unknown-crash ASAN UBSAN affects-tests unknown-crash
            Roel Roel Van de Paar made changes -
            Fix Version/s 11.4 [ 29301 ]
            Fix Version/s 11.5 [ 29506 ]
            Affects Version/s 11.4 [ 29301 ]
            Affects Version/s 11.5 [ 29506 ]
            alice Alice Sherepa made changes -
            Comment [ please check also the test case from MDEV-32759:
            {code:sql}
            CREATE TABLE t0 ( c8 INT , CONSTRAINT cc0 UNIQUE i0 ( c8 ) ) ;
            INSERT INTO t0 VALUES ( ) , ( ) ;
            ALTER TABLE t0 ADD COLUMN c59 TEXT NOT NULL AFTER c8 ;
            INSERT INTO t0 VALUES ( -95 , 86 ) , ( -58 , -36 ) ;
            SELECT t1 . c41 AS c18 FROM ( SELECT c59 AS c41 FROM t0 ) AS t1 JOIN t0 ON c8 IN ( SELECT c8 AS c45 FROM t0 GROUP BY c59 , c8 HAVING c59 = AVG ( ( SELECT c8 AS c30 FROM t0 HAVING ATAN ( ROUND ( -588949354837696189 , IF ( 6068938522839077129 , -1 BETWEEN 79 AND 49 , 21 ) ) , RAND ( ) ) = t0 . c59 LIMIT 1 ) ) ) ;
            {code} ]
            bar Alexander Barkov made changes -
            Summary ASAN: use-after-poison or unknown-crash in my_strtod_int from charset_info_st::strntod or test_if_number, and UBSAN: signed integer overflow: X * Y cannot be represented in type 'long long int' in sql/sql_analyse.cc ASAN: use-after-poison or unknown-crash in my_strtod_int from charset_info_st::strntod or test_if_number
            bar Alexander Barkov made changes -
            Description
            Possibly related to MDEV-18414 or MDEV-25439 though there are significant differences.
            {code:sql}
            CREATE TABLE t (c BLOB) ENGINE=InnoDB;
            INSERT INTO t VALUES ('0.0e'),('0.0e+0');
            SELECT * FROM t WHERE COALESCE(c)=0.0;
            {code}

            Leads to:

            {noformat:title=10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Optimized)}
            ==2353529==ERROR: AddressSanitizer: use-after-poison on address 0x6290000a528e at pc 0x557084c2e7f0 bp 0x145fcffbb450 sp 0x145fcffbb440
            SUMMARY: AddressSanitizer: use-after-poison /test/10.9_opt_san/strings/dtoa.c:1476 in my_strtod_int
            {noformat}

            Setup:

            {noformat}
            Compiled with GCC >=7.5.0 (I use GCC 9.4.0) and:
                -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON
            Set before execution:
                export ASAN_OPTIONS=quarantine_size_mb=512:atexit=1:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1
            {noformat}

            Bug confirmed present in:
            MariaDB: 10.2.44 (dbg), 10.2.44 (opt), 10.3.35 (dbg), 10.3.35 (opt), 10.4.25 (dbg), 10.4.25 (opt), 10.5.16 (dbg), 10.5.16 (opt), 10.6.8 (dbg), 10.6.8 (opt), 10.7.4 (dbg), 10.7.4 (opt), 10.8.3 (dbg), 10.8.3 (opt), 10.9.0 (dbg), 10.9.0 (opt)

            Note, MyISAM is not affected.

            The problem is also repeatable with this script, without COALESCE:
            {code:sql}
            DROP TABLE t;
            CREATE TABLE t (c BLOB) ENGINE=InnoDB;
            INSERT INTO t VALUES ('0.0e'),('0.0e+0');
            SELECT * FROM t WHERE c=0.0;
            {code}
            bar Alexander Barkov made changes -
            Status Confirmed [ 10101 ] In Progress [ 3 ]
            Roel Roel Van de Paar made changes -
            Comment [ [~bar] Please let me know if you think the last testcase above is a separate issue and I will split it off. ]
            Roel Roel Van de Paar made changes -
            Comment [ This similar testcase:
            {code:sql}
            CREATE TABLE t (c BIGINT);
            INSERT INTO t VALUES (1000000000000000);
            SELECT * FROM t PROCEDURE ANALYSE(0,0);
            {code}
            Produces an UBSAN stack:
            {noformat:title=11.0.2 8e55d7ea4a2f94ae3f38fdd8785778612d4b1203 (Debug, UBASAN)}
            /test/11.0_dbg_san/sql/sql_analyse.cc:642:19: runtime error: signed integer overflow: 1000000000000000 * 1000000000000000 cannot be represented in type 'long long int'
            {noformat}
            {noformat:title=11.0.2 8e55d7ea4a2f94ae3f38fdd8785778612d4b1203 (Debug, UBASAN)}
                #0 0x55eca41215df in field_ulonglong::add() /test/11.0_dbg_san/sql/sql_analyse.cc:642
                #1 0x55eca40f9ef5 in analyse::send_row(List<Item>&) /test/11.0_dbg_san/sql/sql_analyse.cc:669
                #2 0x55eca1d3ff80 in end_send /test/11.0_dbg_san/sql/sql_select.cc:24281
                #3 0x55eca1bd1f15 in evaluate_join_record /test/11.0_dbg_san/sql/sql_select.cc:23269
                #4 0x55eca1c78d01 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23036
                #5 0x55eca1e3b2a0 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22568
                #6 0x55eca1e3b2a0 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4895
                #7 0x55eca1e3ca3c in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4672
                #8 0x55eca1e2b1fa in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5153
                #9 0x55eca1e2f655 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:611
                #10 0x55eca19aee35 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6267
                #11 0x55eca1a10190 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949
                #12 0x55eca1a3faa8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:7999
                #13 0x55eca1a4f83c in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
                #14 0x55eca1a5d641 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
                #15 0x55eca242191b in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
                #16 0x55eca2422e36 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
                #17 0x14be34c94b42 in start_thread nptl/pthread_create.c:442
                #18 0x14be34d269ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
            {noformat}
            ]
            Roel Roel Van de Paar made changes -
            Comment [ An additional Spider-based testcase which leads to a similar but not identical {{heap-use-after-free}}.
            {code:sql}
            SET sql_buffer_result=1;
            INSTALL PLUGIN Spider SONAME 'ha_spider.so';
            CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock',DATABASE'',USER'',PASSWORD'');
            CREATE TABLE t (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB;
            CREATE TABLE tm (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB;
            CREATE TABLE t1 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",srv "srv",TABLE "t"';
            CREATE TABLE t2 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",srv "srv",TABLE "tm"';
            INSERT INTO t VALUES (0,1,0),(1,0,0),(2,0,0);
            INSERT INTO tm VALUES (0,1,0),(1,0,0),(2,0,0);
            SELECT * FROM t1 HAVING c1=(SELECT t.c1 AS c FROM t2 t ORDER BY (SELECT MIN(t1.c1+tt.c1) FROM t2 tt));
            {code}
            Leads to:
            {noformat:title=11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Debug, UBASAN)}
            ==2542380==ERROR: AddressSanitizer: heap-use-after-free on address 0x60800000d8e2 at pc 0x55a6791cb837 bp 0x14a2c640c420 sp 0x14a2c640c410
            READ of size 1 at 0x60800000d8e2 thread T34
                #0 0x55a6791cb836 in my_strtod_int /test/11.0_dbg_san/strings/dtoa.c:1378
                #1 0x55a6791cb836 in my_strtod /test/11.0_dbg_san/strings/dtoa.c:469
                #2 0x55a6790d9b3f in my_strntod_8bit /test/11.0_dbg_san/strings/ctype-simple.c:800
                #3 0x55a67683d3fa in charset_info_st::strntod(char*, unsigned long, char**, int*) const /test/11.0_dbg_san/include/m_ctype.h:929
                #4 0x55a67683d3fa in Value_source::Converter_strntod::Converter_strntod(charset_info_st const*, char const*, unsigned long) /test/11.0_dbg_san/sql/field.h:210
                #5 0x55a67683d3fa in Value_source::Converter_strntod_with_warn::Converter_strntod_with_warn(THD*, Value_source::Warn_filter, charset_info_st const*, char const*, unsigned long) /test/11.0_dbg_san/sql/field.h:281
                #6 0x55a67683d3fa in Field_blob::val_real() /test/11.0_dbg_san/sql/field.cc:8743
                #7 0x55a676a17a18 in Item_field::val_real() /test/11.0_dbg_san/sql/item.cc:3354
                #8 0x55a676f35ed8 in Item_func_plus::real_op() /test/11.0_dbg_san/sql/item_func.cc:1103
                #9 0x55a6760d1826 in Item_func_hybrid_field_type::val_real_from_real_op() /test/11.0_dbg_san/sql/item_func.h:853
                #10 0x55a6760d1826 in Type_handler_real_result::Item_func_hybrid_field_type_val_real(Item_func_hybrid_field_type*) const /test/11.0_dbg_san/sql/sql_type.cc:5458
                #11 0x55a67517c7d5 in Item_func_hybrid_field_type::val_real() /test/11.0_dbg_san/sql/item_func.h:899
                #12 0x55a67495e58a in Item::val_result() /test/11.0_dbg_san/sql/item.h:1792
                #13 0x55a6769f2049 in Item_cache_real::cache_value() /test/11.0_dbg_san/sql/item.cc:10396
                #14 0x55a67752d7e9 in Item_sum_min::add() /test/11.0_dbg_san/sql/item_sum.cc:2549
                #15 0x55a6775a1e61 in Aggregator_simple::add() /test/11.0_dbg_san/sql/item_sum.h:727
                #16 0x55a6753d5ac0 in Item_sum::aggregator_add() /test/11.0_dbg_san/sql/item_sum.h:571
                #17 0x55a6753d5ac0 in Item_sum::reset_and_add() /test/11.0_dbg_san/sql/item_sum.h:452
                #18 0x55a6753d5ac0 in init_sum_functions /test/11.0_dbg_san/sql/sql_select.cc:28582
                #19 0x55a6755d34f6 in end_send_group(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:24741
                #20 0x55a6753f83ef in evaluate_join_record /test/11.0_dbg_san/sql/sql_select.cc:23485
                #21 0x55a6754bf299 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23252
                #22 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780
                #23 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900
                #24 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677
                #25 0x55a677453105 in subselect_single_select_engine::exec() /test/11.0_dbg_san/sql/item_subselect.cc:4157
                #26 0x55a677463617 in Item_subselect::exec() /test/11.0_dbg_san/sql/item_subselect.cc:812
                #27 0x55a67743f1ec in Item_singlerow_subselect::val_real() /test/11.0_dbg_san/sql/item_subselect.cc:1441
                #28 0x55a67495e58a in Item::val_result() /test/11.0_dbg_san/sql/item.h:1792
                #29 0x55a6769f2049 in Item_cache_real::cache_value() /test/11.0_dbg_san/sql/item.cc:10396
                #30 0x55a676af47d9 in Item_cache_wrapper::cache() /test/11.0_dbg_san/sql/item.cc:8923
                #31 0x55a676af47d9 in Item_cache_wrapper::save_val(Field*) /test/11.0_dbg_san/sql/item.cc:8949
                #32 0x55a676b10a25 in Item_cache_wrapper::save_in_result_field(bool) /test/11.0_dbg_san/sql/item.h:5951
                #33 0x55a6755a073a in copy_funcs(Item**, THD const*) /test/11.0_dbg_san/sql/sql_select.cc:28630
                #34 0x55a6755a0a2d in end_write /test/11.0_dbg_san/sql/sql_select.cc:24770
                #35 0x55a67560b440 in AGGR_OP::put_record(bool) /test/11.0_dbg_san/sql/sql_select.cc:32019
                #36 0x55a67560da5b in AGGR_OP::put_record() /test/11.0_dbg_san/sql/sql_select.h:1152
                #37 0x55a67560da5b in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:22953
                #38 0x55a6753f83ef in evaluate_join_record /test/11.0_dbg_san/sql/sql_select.cc:23485
                #39 0x55a6754bf299 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23252
                #40 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780
                #41 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900
                #42 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677
                #43 0x55a677453105 in subselect_single_select_engine::exec() /test/11.0_dbg_san/sql/item_subselect.cc:4157
                #44 0x55a677463617 in Item_subselect::exec() /test/11.0_dbg_san/sql/item_subselect.cc:812
                #45 0x55a6774409a4 in Item_singlerow_subselect::val_str(String*) /test/11.0_dbg_san/sql/item_subselect.cc:1484
                #46 0x55a67495e7ba in Item::str_result(String*) /test/11.0_dbg_san/sql/item.h:1794
                #47 0x55a676a26163 in Item_cache_str::cache_value() /test/11.0_dbg_san/sql/item.cc:10520
                #48 0x55a676af7dc7 in Item_cache_wrapper::cache() /test/11.0_dbg_san/sql/item.cc:8923
                #49 0x55a676af7dc7 in Item_cache_wrapper::val_str(String*) /test/11.0_dbg_san/sql/item.cc:9031
                #50 0x55a676bf4ef7 in Arg_comparator::compare_string() /test/11.0_dbg_san/sql/item_cmpfunc.cc:773
                #51 0x55a676c0323e in Arg_comparator::compare() /test/11.0_dbg_san/sql/item_cmpfunc.h:103
                #52 0x55a676c0323e in Item_func_eq::val_int() /test/11.0_dbg_san/sql/item_cmpfunc.cc:1776
                #53 0x55a67559dfa4 in end_send /test/11.0_dbg_san/sql/sql_select.cc:24493
                #54 0x55a6753f83ef in evaluate_join_record /test/11.0_dbg_san/sql/sql_select.cc:23485
                #55 0x55a67560ca45 in AGGR_OP::end_send() /test/11.0_dbg_san/sql/sql_select.cc:32100
                #56 0x55a67560dfa7 in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:22947
                #57 0x55a6754bf352 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23186
                #58 0x55a67566d277 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22782
                #59 0x55a67566d277 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900
                #60 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677
                #61 0x55a67565d0c1 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5158
                #62 0x55a67566151c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616
                #63 0x55a6751d3a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279
                #64 0x55a675234ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949
                #65 0x55a675264973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014
                #66 0x55a675274707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
                #67 0x55a675282542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
                #68 0x55a675c578b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
                #69 0x55a675c58dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
                #70 0x14a2eb294b42 in start_thread nptl/pthread_create.c:442
                #71 0x14a2eb3269ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)

            0x60800000d8e2 is located 66 bytes inside of 96-byte region [0x60800000d8a0,0x60800000d900)
            freed by thread T34 here:
                #0 0x55a6748e8fe7 in __interceptor_free (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7963fe7)
                #1 0x55a679000a61 in my_free /test/11.0_dbg_san/mysys/my_malloc.c:213
                #2 0x14a2c5852150 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.0_dbg_san/storage/spider/spd_malloc.cc:183
                #3 0x14a2c59bcbcb in spider_db_mbase_row::~spider_db_mbase_row() /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:377
                #4 0x14a2c59bccca in spider_db_mbase_row::~spider_db_mbase_row() /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:380
                #5 0x14a2c56cfaf5 in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:2783
                #6 0x14a2c56ec078 in spider_db_seek_next(unsigned char*, ha_spider*, int, TABLE*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:3994
                #7 0x14a2c58e33a9 in ha_spider::rnd_next_internal(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5905
                #8 0x14a2c58e9597 in ha_spider::rnd_next(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5944
                #9 0x55a676957c84 in handler::ha_rnd_next(unsigned char*) /test/11.0_dbg_san/sql/handler.cc:3603
                #10 0x55a674b28a8b in rr_sequential(READ_RECORD*) /test/11.0_dbg_san/sql/records.cc:514
                #11 0x55a6754bff49 in READ_RECORD::read_record() /test/11.0_dbg_san/sql/records.h:81
                #12 0x55a6754bff49 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23269
                #13 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780
                #14 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900
                #15 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677
                #16 0x55a67565d0c1 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5158
                #17 0x55a67566151c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616
                #18 0x55a6751d3a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279
                #19 0x55a675234ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949
                #20 0x55a675264973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014
                #21 0x55a675274707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
                #22 0x55a675282542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
                #23 0x55a675c578b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
                #24 0x55a675c58dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
                #25 0x14a2eb294b42 in start_thread nptl/pthread_create.c:442

            previously allocated by thread T34 here:
                #0 0x55a6748e9337 in __interceptor_malloc (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7964337)
                #1 0x55a679000703 in my_malloc /test/11.0_dbg_san/mysys/my_malloc.c:91
                #2 0x14a2c5852583 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.0_dbg_san/storage/spider/spd_malloc.cc:231
                #3 0x14a2c59d329f in spider_db_mbase_row::clone() /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:547
                #4 0x14a2c56dab12 in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:3378
                #5 0x14a2c58e806f in ha_spider::rnd_next_internal(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5851
                #6 0x14a2c58e9597 in ha_spider::rnd_next(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5944
                #7 0x55a676957c84 in handler::ha_rnd_next(unsigned char*) /test/11.0_dbg_san/sql/handler.cc:3603
                #8 0x55a674b28a8b in rr_sequential(READ_RECORD*) /test/11.0_dbg_san/sql/records.cc:514
                #9 0x55a67558ed77 in READ_RECORD::read_record() /test/11.0_dbg_san/sql/records.h:81
                #10 0x55a67558ed77 in join_init_read_record(st_join_table*) /test/11.0_dbg_san/sql/sql_select.cc:24276
                #11 0x55a6754bf115 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23249
                #12 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780
                #13 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900
                #14 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677
                #15 0x55a67565d0c1 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5158
                #16 0x55a67566151c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616
                #17 0x55a6751d3a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279
                #18 0x55a675234ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949
                #19 0x55a675264973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014
                #20 0x55a675274707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
                #21 0x55a675282542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
                #22 0x55a675c578b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
                #23 0x55a675c58dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
                #24 0x14a2eb294b42 in start_thread nptl/pthread_create.c:442

            Thread T34 created by T0 here:
                #0 0x55a67488d175 in pthread_create (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7908175)
                #1 0x55a67494398b in create_thread_to_handle_connection(CONNECT*) /test/11.0_dbg_san/sql/mysqld.cc:6129
                #2 0x55a674950e67 in create_new_thread(CONNECT*) /test/11.0_dbg_san/sql/mysqld.cc:6191
                #3 0x55a6749516e7 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.0_dbg_san/sql/mysqld.cc:6253
                #4 0x55a674952738 in handle_connections_sockets() /test/11.0_dbg_san/sql/mysqld.cc:6377
                #5 0x55a674959ee7 in mysqld_main(int, char**) /test/11.0_dbg_san/sql/mysqld.cc:6024
                #6 0x55a67492eeca in main /test/11.0_dbg_san/sql/main.cc:34
                #7 0x14a2eb229d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

            SUMMARY: AddressSanitizer: heap-use-after-free /test/11.0_dbg_san/strings/dtoa.c:1378 in my_strtod_int
            Shadow bytes around the buggy address:
              0x0c107fff9ac0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c107fff9ad0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c107fff9ae0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c107fff9af0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c107fff9b00: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
            =>0x0c107fff9b10: fa fa fa fa fd fd fd fd fd fd fd fd[fd]fd fd fd
              0x0c107fff9b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c107fff9b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c107fff9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c107fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c107fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable: 00
              Partially addressable: 01 02 03 04 05 06 07
              Heap left redzone: fa
              Freed heap region: fd
              Stack left redzone: f1
              Stack mid redzone: f2
              Stack right redzone: f3
              Stack after return: f5
              Stack use after scope: f8
              Global redzone: f9
              Global init order: f6
              Poisoned by user: f7
              Container overflow: fc
              Array cookie: ac
              Intra object redzone: bb
              ASan internal: fe
              Left alloca redzone: ca
              Right alloca redzone: cb
              Shadow gap: cc
            ==2542380==ABORTING
            {noformat}
            This testcase produces the following UniqueID's/stacks across versions and build types (all are new):
            {noformat}
            ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|Value_source::Converter_strntod::Converter_strntod|Value_source::Converter_strntod_with_warn::Converter_strntod_with_warn
            ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|charset_info_st::strntod|Value_source::Converter_strntod::Converter_strntod
            ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|my_strntod_8bit|Value_source::Converter_strntod::Converter_strntod
            ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|my_strntod_8bit|charset_info_st::strntod
            {noformat}
            This issue does not readily reproduce in MTR; I can test this testcase against when a patch is ready to see if it is resolved also. ]
            Roel Van de Paar made changes -
            Description
            Possibly related to MDEV-18414 or MDEV-25439 though there are significant differences.
            {code:sql}
            CREATE TABLE t (c BLOB) ENGINE=InnoDB;
            INSERT INTO t VALUES ('0.0e'),('0.0e+0');
            SELECT * FROM t WHERE COALESCE(c)=0.0;
            {code}

            Leads to:

            {noformat:title=10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Optimized)}
            ==2353529==ERROR: AddressSanitizer: use-after-poison on address 0x6290000a528e at pc 0x557084c2e7f0 bp 0x145fcffbb450 sp 0x145fcffbb440
            SUMMARY: AddressSanitizer: use-after-poison /test/10.9_opt_san/strings/dtoa.c:1476 in my_strtod_int
            {noformat}
            Full stack from error log:
            {noformat:title=10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Debug, UBASAN)}
            ==2353506==ERROR: AddressSanitizer: use-after-poison on address 0x6290001272a6 at pc 0x55bd77a308d6 bp 0x14a6d6226560 sp 0x14a6d6226550
            READ of size 1 at 0x6290001272a6 thread T14
                #0 0x55bd77a308d5 in my_strtod_int /test/10.9_dbg_san/strings/dtoa.c:1476
                #1 0x55bd77a308d5 in my_strtod /test/10.9_dbg_san/strings/dtoa.c:469
                #2 0x55bd7792e0b8 in my_strntod_8bit /test/10.9_dbg_san/strings/ctype-simple.c:801
                #3 0x55bd74f792df in charset_info_st::strntod(char*, unsigned long, char**, int*) const /test/10.9_dbg_san/include/m_ctype.h:788
                #4 0x55bd74f792df in Value_source::Converter_strntod::Converter_strntod(charset_info_st const*, char const*, unsigned long) /test/10.9_dbg_san/sql/field.h:210
                #5 0x55bd74f792df in Value_source::Converter_strntod_with_warn::Converter_strntod_with_warn(THD*, Value_source::Warn_filter, charset_info_st const*, char const*, unsigned long) /test/10.9_dbg_san/sql/field.h:281
                #6 0x55bd74f792df in Value_source::double_from_string_with_check(charset_info_st const*, char const*, char const*) const /test/10.9_dbg_san/sql/field.h:350
                #7 0x55bd74f792df in Value_source::double_from_string_with_check(String const*) const /test/10.9_dbg_san/sql/field.h:381
                #8 0x55bd74f792df in Item_func_hybrid_field_type::val_real_from_str_op() /test/10.9_dbg_san/sql/item_func.cc:939
                #9 0x55bd7401b82d in Type_handler_string_result::Item_func_hybrid_field_type_val_real(Item_func_hybrid_field_type*) const /test/10.9_dbg_san/sql/sql_type.cc:5628
                #10 0x55bd72fbf76c in Item_func_hybrid_field_type::val_real() /test/10.9_dbg_san/sql/item_func.h:899
                #11 0x55bd74bd9843 in Arg_comparator::compare_real() /test/10.9_dbg_san/sql/item_cmpfunc.cc:831
                #12 0x55bd74bd30f3 in Arg_comparator::compare() /test/10.9_dbg_san/sql/item_cmpfunc.h:103
                #13 0x55bd74bd30f3 in Item_func_eq::val_int() /test/10.9_dbg_san/sql/item_cmpfunc.cc:1762
                #14 0x55bd73286d23 in evaluate_join_record /test/10.9_dbg_san/sql/sql_select.cc:21193
                #15 0x55bd7332b7dc in sub_select(JOIN*, st_join_table*, bool) /test/10.9_dbg_san/sql/sql_select.cc:21134
                #16 0x55bd734fd362 in do_select /test/10.9_dbg_san/sql/sql_select.cc:20640
                #17 0x55bd734fd362 in JOIN::exec_inner() /test/10.9_dbg_san/sql/sql_select.cc:4749
                #18 0x55bd734fec94 in JOIN::exec() /test/10.9_dbg_san/sql/sql_select.cc:4527
                #19 0x55bd734ee58b in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_dbg_san/sql/sql_select.cc:5007
                #20 0x55bd734efef0 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_dbg_san/sql/sql_select.cc:543
                #21 0x55bd7305cfc2 in execute_sqlcom_select /test/10.9_dbg_san/sql/sql_parse.cc:6268
                #22 0x55bd730c2216 in mysql_execute_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:3959
                #23 0x55bd73024728 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_dbg_san/sql/sql_parse.cc:8043
                #24 0x55bd7309a44e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1910
                #25 0x55bd730b0fa9 in do_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1407
                #26 0x55bd73b7dc4b in do_handle_one_connection(CONNECT*, bool) /test/10.9_dbg_san/sql/sql_connect.cc:1418
                #27 0x55bd73b80ae5 in handle_one_connection /test/10.9_dbg_san/sql/sql_connect.cc:1312
                #28 0x55bd760d9c62 in pfs_spawn_thread /test/10.9_dbg_san/storage/perfschema/pfs.cc:2201
                #29 0x14a6f9450608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
                #30 0x14a6f86c5162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)

            0x6290001272a6 is located 166 bytes inside of 16536-byte region [0x629000127200,0x62900012b298)
            allocated by thread T14 here:
                #0 0x55bd72636248 in malloc (/test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/bin/mariadbd+0x849e248)
                #1 0x55bd76995aa8 in ut_allocator<unsigned char, true>::allocate(unsigned long, unsigned char const*, unsigned int, bool, bool) /test/10.9_dbg_san/storage/innobase/include/ut0new.h:375
                #2 0x55bd76995aa8 in mem_heap_create_block_func(mem_block_info_t*, unsigned long, char const*, unsigned int, unsigned long) /test/10.9_dbg_san/storage/innobase/mem/mem0mem.cc:277
                #3 0x55bd76d14f74 in mem_heap_create_func /test/10.9_dbg_san/storage/innobase/include/mem0mem.inl:377
                #4 0x55bd76d2cb8c in row_sel_store_mysql_field /test/10.9_dbg_san/storage/innobase/row/row0sel.cc:3050
                #5 0x55bd76d2e719 in row_sel_store_mysql_rec /test/10.9_dbg_san/storage/innobase/row/row0sel.cc:3196
                #6 0x55bd76d5e20e in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /test/10.9_dbg_san/storage/innobase/row/row0sel.cc:5653
                #7 0x55bd76594ba9 in ha_innobase::general_fetch(unsigned char*, unsigned int, unsigned int) /test/10.9_dbg_san/storage/innobase/handler/ha_innodb.cc:9273
                #8 0x55bd765dede6 in ha_innobase::rnd_next(unsigned char*) /test/10.9_dbg_san/storage/innobase/handler/ha_innodb.cc:9477
                #9 0x55bd7491fa88 in handler::ha_rnd_next(unsigned char*) /test/10.9_dbg_san/sql/handler.cc:3414
                #10 0x55bd7289b95c in rr_sequential(READ_RECORD*) /test/10.9_dbg_san/sql/records.cc:519
                #11 0x55bd7332b8c9 in READ_RECORD::read_record() /test/10.9_dbg_san/sql/records.h:81
                #12 0x55bd7332b8c9 in sub_select(JOIN*, st_join_table*, bool) /test/10.9_dbg_san/sql/sql_select.cc:21114
                #13 0x55bd734fd362 in do_select /test/10.9_dbg_san/sql/sql_select.cc:20640
                #14 0x55bd734fd362 in JOIN::exec_inner() /test/10.9_dbg_san/sql/sql_select.cc:4749
                #15 0x55bd734fec94 in JOIN::exec() /test/10.9_dbg_san/sql/sql_select.cc:4527
                #16 0x55bd734ee58b in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_dbg_san/sql/sql_select.cc:5007
                #17 0x55bd734efef0 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_dbg_san/sql/sql_select.cc:543
                #18 0x55bd7305cfc2 in execute_sqlcom_select /test/10.9_dbg_san/sql/sql_parse.cc:6268
                #19 0x55bd730c2216 in mysql_execute_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:3959
                #20 0x55bd73024728 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_dbg_san/sql/sql_parse.cc:8043
                #21 0x55bd7309a44e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1910
                #22 0x55bd730b0fa9 in do_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1407
                #23 0x55bd73b7dc4b in do_handle_one_connection(CONNECT*, bool) /test/10.9_dbg_san/sql/sql_connect.cc:1418
                #24 0x55bd73b80ae5 in handle_one_connection /test/10.9_dbg_san/sql/sql_connect.cc:1312
                #25 0x55bd760d9c62 in pfs_spawn_thread /test/10.9_dbg_san/storage/perfschema/pfs.cc:2201
                #26 0x14a6f9450608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477

            Thread T14 created by T0 here:
                #0 0x55bd72563285 in __interceptor_pthread_create (/test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/bin/mariadbd+0x83cb285)
                #1 0x55bd760e918c in my_thread_create /test/10.9_dbg_san/storage/perfschema/my_thread.h:52
                #2 0x55bd760e918c in pfs_spawn_thread_v1 /test/10.9_dbg_san/storage/perfschema/pfs.cc:2252
                #3 0x55bd7268f8ac in inline_mysql_thread_create /test/10.9_dbg_san/include/mysql/psi/mysql_thread.h:1139
                #4 0x55bd7268f8ac in create_thread_to_handle_connection(CONNECT*) /test/10.9_dbg_san/sql/mysqld.cc:5980
                #5 0x55bd726a4d86 in create_new_thread(CONNECT*) /test/10.9_dbg_san/sql/mysqld.cc:6039
                #6 0x55bd726a5561 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/10.9_dbg_san/sql/mysqld.cc:6101
                #7 0x55bd726a7146 in handle_connections_sockets() /test/10.9_dbg_san/sql/mysqld.cc:6225
                #8 0x55bd726ad29c in mysqld_main(int, char**) /test/10.9_dbg_san/sql/mysqld.cc:5875
                #9 0x55bd7267780a in main /test/10.9_dbg_san/sql/main.cc:34
                #10 0x14a6f85ca0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)

            SUMMARY: AddressSanitizer: use-after-poison /test/10.9_dbg_san/strings/dtoa.c:1476 in my_strtod_int
            Shadow bytes around the buggy address:
              0x0c528001ce00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c528001ce10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c528001ce20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c528001ce30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c528001ce40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            =>0x0c528001ce50: 00 00 00 f7[06]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c528001ce60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c528001ce70: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c528001ce80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c528001ce90: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c528001cea0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable: 00
              Partially addressable: 01 02 03 04 05 06 07
              Heap left redzone: fa
              Freed heap region: fd
              Stack left redzone: f1
              Stack mid redzone: f2
              Stack right redzone: f3
              Stack after return: f5
              Stack use after scope: f8
              Global redzone: f9
              Global init order: f6
              Poisoned by user: f7
              Container overflow: fc
              Array cookie: ac
              Intra object redzone: bb
              ASan internal: fe
              Left alloca redzone: ca
              Right alloca redzone: cb
              Shadow gap: cc
            ==2353506==ABORTING
            220419 16:09:52 [ERROR] mysqld got signal 6 ;
            This could be because you hit a bug. It is also possible that this binary
            or one of the libraries it was linked against is corrupt, improperly built,
            or misconfigured. This error can also be caused by malfunctioning hardware.

            To report this bug, see https://mariadb.com/kb/en/reporting-bugs

            We will try our best to scrape up some info that will hopefully help
            diagnose the problem, but since we have already crashed,
            something is definitely wrong and this may fail.

            Server version: 10.9.0-MariaDB-debug
            key_buffer_size=134217728
            read_buffer_size=131072
            max_used_connections=1
            max_threads=153
            thread_count=1
            It is possible that mysqld could use up to
            key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 468120 K bytes of memory
            Hope that's ok; if not, decrease some variables in the equation.

            Thread pointer: 0x62b00015e288
            Attempting backtrace. You can use the following information to find out
            where mysqld died. If you see no messages after this, something went
            terribly wrong...
            stack_bottom = 0x14a6d622bc90 thread_stack 0x100000
            /test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/bin/mysqld(+0x83fd7b0)[0x55bd725957b0]
            /test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/bin/mysqld(my_print_stacktrace+0xfb)[0x55bd7784d6ee]
            /test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/bin/mysqld(handle_fatal_signal+0xc2d)[0x55bd748e685b]
            sigaction.c:0(__restore_rt)[0x14a6f945c3c0]
            linux/raise.c:51(__GI_raise)[0x14a6f85e903b]
            stdlib/abort.c:81(__GI_abort)[0x14a6f85c8859]
            :0(__sanitizer::Abort())[0x55bd72653d32]
            :0(__sanitizer::Die())[0x55bd7265e8dc]
            :0(__asan::ScopedInErrorReport::~ScopedInErrorReport())[0x55bd7263ff6c]
            :0(__asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool))[0x55bd7263f9e3]
            ??:0(__asan_report_load1)[0x55bd726404cb]
            strings/dtoa.c:1476(my_strtod_int)[0x55bd77a308d6]
            strings/ctype-simple.c:802(my_strntod_8bit)[0x55bd7792e0b9]
            sql/field.h:210(Value_source::Converter_strntod::Converter_strntod(charset_info_st const*, char const*, unsigned long))[0x55bd74f792e0]
            sql/sql_type.cc:5629(Type_handler_string_result::Item_func_hybrid_field_type_val_real(Item_func_hybrid_field_type*) const)[0x55bd7401b82e]
            sql/item_func.h:900(Item_func_hybrid_field_type::val_real())[0x55bd72fbf76d]
            sql/item_cmpfunc.cc:831(Arg_comparator::compare_real())[0x55bd74bd9844]
            sql/item_cmpfunc.cc:1763(Item_func_eq::val_int())[0x55bd74bd30f4]
            sql/sql_select.cc:21193(evaluate_join_record(JOIN*, st_join_table*, int))[0x55bd73286d24]
            sql/sql_select.cc:21103(sub_select(JOIN*, st_join_table*, bool))[0x55bd7332b7dd]
            sql/sql_select.cc:20640(JOIN::exec_inner())[0x55bd734fd363]
            sql/sql_select.cc:4528(JOIN::exec())[0x55bd734fec95]
            sql/sql_select.cc:5007(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55bd734ee58c]
            sql/sql_select.cc:543(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55bd734efef1]
            sql/sql_parse.cc:6268(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55bd7305cfc3]
            sql/sql_parse.cc:3959(mysql_execute_command(THD*, bool))[0x55bd730c2217]
            sql/sql_parse.cc:8043(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x55bd73024729]
            sql/sql_parse.cc:1910(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x55bd7309a44f]
            sql/sql_parse.cc:1407(do_command(THD*, bool))[0x55bd730b0faa]
            sql/sql_connect.cc:1418(do_handle_one_connection(CONNECT*, bool))[0x55bd73b7dc4c]
            sql/sql_connect.cc:1312(handle_one_connection)[0x55bd73b80ae6]
            perfschema/pfs.cc:2204(pfs_spawn_thread)[0x55bd760d9c63]
            nptl/pthread_create.c:478(start_thread)[0x14a6f9450609]
            x86_64/clone.S:97(__GI___clone)[0x14a6f86c5163]

            Trying to get some variables.
            Some pointers may be invalid and cause the dump to abort.
            Query (0x6290000e62a8): SELECT * FROM t WHERE COALESCE(c)=0.0

            Connection ID (thread ID): 4
            Status: NOT_KILLED

            Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off

            The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains
            information that should help you find out what is causing the crash.
            Writing a core file...
            Working directory at /test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/data
            Resource Limits:
            Limit Soft Limit Hard Limit Units
            Max cpu time unlimited unlimited seconds
            Max file size unlimited unlimited bytes
            Max data size unlimited unlimited bytes
            Max stack size unlimited unlimited bytes
            Max core file size 0 0 bytes
            Max resident set unlimited unlimited bytes
            Max processes unlimited unlimited processes
            Max open files 1048576 1048576 files
            Max locked memory unlimited unlimited bytes
            Max address space unlimited unlimited bytes
            Max file locks unlimited unlimited locks
            Max pending signals unlimited unlimited signals
            Max msgqueue size unlimited unlimited bytes
            Max nice priority 0 0
            Max realtime priority 0 0
            Max realtime timeout unlimited unlimited us
            Core pattern: core
            {noformat}

            Setup:

            {noformat}
            Compiled with GCC >=7.5.0 (I use GCC 9.4.0) and:
                -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON
            Set before execution:
                export ASAN_OPTIONS=quarantine_size_mb=512:atexit=1:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1
            {noformat}

            Bug confirmed present in:
            MariaDB: 10.2.44 (dbg), 10.2.44 (opt), 10.3.35 (dbg), 10.3.35 (opt), 10.4.25 (dbg), 10.4.25 (opt), 10.5.16 (dbg), 10.5.16 (opt), 10.6.8 (dbg), 10.6.8 (opt), 10.7.4 (dbg), 10.7.4 (opt), 10.8.3 (dbg), 10.8.3 (opt), 10.9.0 (dbg), 10.9.0 (opt)

            Note, MyISAM is not affected.

            The problem is also repeatable with this script, without COALESCE:
            {code:sql}
            DROP TABLE t;
            CREATE TABLE t (c BLOB) ENGINE=InnoDB;
            INSERT INTO t VALUES ('0.0e'),('0.0e+0');
            SELECT * FROM t WHERE c=0.0;
            {code}
            Roel Van de Paar made changes -
            Comment [ Full stack from error log
            {noformat:title=10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Debug, UBASAN)}
            ==2353506==ERROR: AddressSanitizer: use-after-poison on address 0x6290001272a6 at pc 0x55bd77a308d6 bp 0x14a6d6226560 sp 0x14a6d6226550
            READ of size 1 at 0x6290001272a6 thread T14
                #0 0x55bd77a308d5 in my_strtod_int /test/10.9_dbg_san/strings/dtoa.c:1476
                #1 0x55bd77a308d5 in my_strtod /test/10.9_dbg_san/strings/dtoa.c:469
                #2 0x55bd7792e0b8 in my_strntod_8bit /test/10.9_dbg_san/strings/ctype-simple.c:801
                #3 0x55bd74f792df in charset_info_st::strntod(char*, unsigned long, char**, int*) const /test/10.9_dbg_san/include/m_ctype.h:788
                #4 0x55bd74f792df in Value_source::Converter_strntod::Converter_strntod(charset_info_st const*, char const*, unsigned long) /test/10.9_dbg_san/sql/field.h:210
                #5 0x55bd74f792df in Value_source::Converter_strntod_with_warn::Converter_strntod_with_warn(THD*, Value_source::Warn_filter, charset_info_st const*, char const*, unsigned long) /test/10.9_dbg_san/sql/field.h:281
                #6 0x55bd74f792df in Value_source::double_from_string_with_check(charset_info_st const*, char const*, char const*) const /test/10.9_dbg_san/sql/field.h:350
                #7 0x55bd74f792df in Value_source::double_from_string_with_check(String const*) const /test/10.9_dbg_san/sql/field.h:381
                #8 0x55bd74f792df in Item_func_hybrid_field_type::val_real_from_str_op() /test/10.9_dbg_san/sql/item_func.cc:939
                #9 0x55bd7401b82d in Type_handler_string_result::Item_func_hybrid_field_type_val_real(Item_func_hybrid_field_type*) const /test/10.9_dbg_san/sql/sql_type.cc:5628
                #10 0x55bd72fbf76c in Item_func_hybrid_field_type::val_real() /test/10.9_dbg_san/sql/item_func.h:899
                #11 0x55bd74bd9843 in Arg_comparator::compare_real() /test/10.9_dbg_san/sql/item_cmpfunc.cc:831
                #12 0x55bd74bd30f3 in Arg_comparator::compare() /test/10.9_dbg_san/sql/item_cmpfunc.h:103
                #13 0x55bd74bd30f3 in Item_func_eq::val_int() /test/10.9_dbg_san/sql/item_cmpfunc.cc:1762
                #14 0x55bd73286d23 in evaluate_join_record /test/10.9_dbg_san/sql/sql_select.cc:21193
                #15 0x55bd7332b7dc in sub_select(JOIN*, st_join_table*, bool) /test/10.9_dbg_san/sql/sql_select.cc:21134
                #16 0x55bd734fd362 in do_select /test/10.9_dbg_san/sql/sql_select.cc:20640
                #17 0x55bd734fd362 in JOIN::exec_inner() /test/10.9_dbg_san/sql/sql_select.cc:4749
                #18 0x55bd734fec94 in JOIN::exec() /test/10.9_dbg_san/sql/sql_select.cc:4527
                #19 0x55bd734ee58b in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_dbg_san/sql/sql_select.cc:5007
                #20 0x55bd734efef0 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_dbg_san/sql/sql_select.cc:543
                #21 0x55bd7305cfc2 in execute_sqlcom_select /test/10.9_dbg_san/sql/sql_parse.cc:6268
                #22 0x55bd730c2216 in mysql_execute_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:3959
                #23 0x55bd73024728 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_dbg_san/sql/sql_parse.cc:8043
                #24 0x55bd7309a44e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1910
                #25 0x55bd730b0fa9 in do_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1407
                #26 0x55bd73b7dc4b in do_handle_one_connection(CONNECT*, bool) /test/10.9_dbg_san/sql/sql_connect.cc:1418
                #27 0x55bd73b80ae5 in handle_one_connection /test/10.9_dbg_san/sql/sql_connect.cc:1312
                #28 0x55bd760d9c62 in pfs_spawn_thread /test/10.9_dbg_san/storage/perfschema/pfs.cc:2201
                #29 0x14a6f9450608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
                #30 0x14a6f86c5162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)

            0x6290001272a6 is located 166 bytes inside of 16536-byte region [0x629000127200,0x62900012b298)
            allocated by thread T14 here:
                #0 0x55bd72636248 in malloc (/test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/bin/mariadbd+0x849e248)
                #1 0x55bd76995aa8 in ut_allocator<unsigned char, true>::allocate(unsigned long, unsigned char const*, unsigned int, bool, bool) /test/10.9_dbg_san/storage/innobase/include/ut0new.h:375
                #2 0x55bd76995aa8 in mem_heap_create_block_func(mem_block_info_t*, unsigned long, char const*, unsigned int, unsigned long) /test/10.9_dbg_san/storage/innobase/mem/mem0mem.cc:277
                #3 0x55bd76d14f74 in mem_heap_create_func /test/10.9_dbg_san/storage/innobase/include/mem0mem.inl:377
                #4 0x55bd76d2cb8c in row_sel_store_mysql_field /test/10.9_dbg_san/storage/innobase/row/row0sel.cc:3050
                #5 0x55bd76d2e719 in row_sel_store_mysql_rec /test/10.9_dbg_san/storage/innobase/row/row0sel.cc:3196
                #6 0x55bd76d5e20e in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /test/10.9_dbg_san/storage/innobase/row/row0sel.cc:5653
                #7 0x55bd76594ba9 in ha_innobase::general_fetch(unsigned char*, unsigned int, unsigned int) /test/10.9_dbg_san/storage/innobase/handler/ha_innodb.cc:9273
                #8 0x55bd765dede6 in ha_innobase::rnd_next(unsigned char*) /test/10.9_dbg_san/storage/innobase/handler/ha_innodb.cc:9477
                #9 0x55bd7491fa88 in handler::ha_rnd_next(unsigned char*) /test/10.9_dbg_san/sql/handler.cc:3414
                #10 0x55bd7289b95c in rr_sequential(READ_RECORD*) /test/10.9_dbg_san/sql/records.cc:519
                #11 0x55bd7332b8c9 in READ_RECORD::read_record() /test/10.9_dbg_san/sql/records.h:81
                #12 0x55bd7332b8c9 in sub_select(JOIN*, st_join_table*, bool) /test/10.9_dbg_san/sql/sql_select.cc:21114
                #13 0x55bd734fd362 in do_select /test/10.9_dbg_san/sql/sql_select.cc:20640
                #14 0x55bd734fd362 in JOIN::exec_inner() /test/10.9_dbg_san/sql/sql_select.cc:4749
                #15 0x55bd734fec94 in JOIN::exec() /test/10.9_dbg_san/sql/sql_select.cc:4527
                #16 0x55bd734ee58b in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_dbg_san/sql/sql_select.cc:5007
                #17 0x55bd734efef0 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_dbg_san/sql/sql_select.cc:543
                #18 0x55bd7305cfc2 in execute_sqlcom_select /test/10.9_dbg_san/sql/sql_parse.cc:6268
                #19 0x55bd730c2216 in mysql_execute_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:3959
                #20 0x55bd73024728 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_dbg_san/sql/sql_parse.cc:8043
                #21 0x55bd7309a44e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1910
                #22 0x55bd730b0fa9 in do_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1407
                #23 0x55bd73b7dc4b in do_handle_one_connection(CONNECT*, bool) /test/10.9_dbg_san/sql/sql_connect.cc:1418
                #24 0x55bd73b80ae5 in handle_one_connection /test/10.9_dbg_san/sql/sql_connect.cc:1312
                #25 0x55bd760d9c62 in pfs_spawn_thread /test/10.9_dbg_san/storage/perfschema/pfs.cc:2201
                #26 0x14a6f9450608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477

            Thread T14 created by T0 here:
                #0 0x55bd72563285 in __interceptor_pthread_create (/test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/bin/mariadbd+0x83cb285)
                #1 0x55bd760e918c in my_thread_create /test/10.9_dbg_san/storage/perfschema/my_thread.h:52
                #2 0x55bd760e918c in pfs_spawn_thread_v1 /test/10.9_dbg_san/storage/perfschema/pfs.cc:2252
                #3 0x55bd7268f8ac in inline_mysql_thread_create /test/10.9_dbg_san/include/mysql/psi/mysql_thread.h:1139
                #4 0x55bd7268f8ac in create_thread_to_handle_connection(CONNECT*) /test/10.9_dbg_san/sql/mysqld.cc:5980
                #5 0x55bd726a4d86 in create_new_thread(CONNECT*) /test/10.9_dbg_san/sql/mysqld.cc:6039
                #6 0x55bd726a5561 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/10.9_dbg_san/sql/mysqld.cc:6101
                #7 0x55bd726a7146 in handle_connections_sockets() /test/10.9_dbg_san/sql/mysqld.cc:6225
                #8 0x55bd726ad29c in mysqld_main(int, char**) /test/10.9_dbg_san/sql/mysqld.cc:5875
                #9 0x55bd7267780a in main /test/10.9_dbg_san/sql/main.cc:34
                #10 0x14a6f85ca0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)

            SUMMARY: AddressSanitizer: use-after-poison /test/10.9_dbg_san/strings/dtoa.c:1476 in my_strtod_int
            ==2353506==ABORTING
            220419 16:09:52 [ERROR] mysqld got signal 6 ;
            This could be because you hit a bug. It is also possible that this binary
            or one of the libraries it was linked against is corrupt, improperly built,
            or misconfigured. This error can also be caused by malfunctioning hardware.

            To report this bug, see https://mariadb.com/kb/en/reporting-bugs

            We will try our best to scrape up some info that will hopefully help
            diagnose the problem, but since we have already crashed,
            something is definitely wrong and this may fail.

            Server version: 10.9.0-MariaDB-debug
            key_buffer_size=134217728
            read_buffer_size=131072
            max_used_connections=1
            max_threads=153
            thread_count=1
            It is possible that mysqld could use up to
            key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 468120 K bytes of memory
            Hope that's ok; if not, decrease some variables in the equation.

            Thread pointer: 0x62b00015e288
            Attempting backtrace. You can use the following information to find out
            where mysqld died. If you see no messages after this, something went
            terribly wrong...
            stack_bottom = 0x14a6d622bc90 thread_stack 0x100000
            /test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/bin/mysqld(+0x83fd7b0)[0x55bd725957b0]
            /test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/bin/mysqld(my_print_stacktrace+0xfb)[0x55bd7784d6ee]
            /test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/bin/mysqld(handle_fatal_signal+0xc2d)[0x55bd748e685b]
            sigaction.c:0(__restore_rt)[0x14a6f945c3c0]
            linux/raise.c:51(__GI_raise)[0x14a6f85e903b]
            stdlib/abort.c:81(__GI_abort)[0x14a6f85c8859]
            :0(__sanitizer::Abort())[0x55bd72653d32]
            :0(__sanitizer::Die())[0x55bd7265e8dc]
            :0(__asan::ScopedInErrorReport::~ScopedInErrorReport())[0x55bd7263ff6c]
            :0(__asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool))[0x55bd7263f9e3]
            ??:0(__asan_report_load1)[0x55bd726404cb]
            strings/dtoa.c:1476(my_strtod_int)[0x55bd77a308d6]
            strings/ctype-simple.c:802(my_strntod_8bit)[0x55bd7792e0b9]
            sql/field.h:210(Value_source::Converter_strntod::Converter_strntod(charset_info_st const*, char const*, unsigned long))[0x55bd74f792e0]
            sql/sql_type.cc:5629(Type_handler_string_result::Item_func_hybrid_field_type_val_real(Item_func_hybrid_field_type*) const)[0x55bd7401b82e]
            sql/item_func.h:900(Item_func_hybrid_field_type::val_real())[0x55bd72fbf76d]
            sql/item_cmpfunc.cc:831(Arg_comparator::compare_real())[0x55bd74bd9844]
            sql/item_cmpfunc.cc:1763(Item_func_eq::val_int())[0x55bd74bd30f4]
            sql/sql_select.cc:21193(evaluate_join_record(JOIN*, st_join_table*, int))[0x55bd73286d24]
            sql/sql_select.cc:21103(sub_select(JOIN*, st_join_table*, bool))[0x55bd7332b7dd]
            sql/sql_select.cc:20640(JOIN::exec_inner())[0x55bd734fd363]
            sql/sql_select.cc:4528(JOIN::exec())[0x55bd734fec95]
            sql/sql_select.cc:5007(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55bd734ee58c]
            sql/sql_select.cc:543(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55bd734efef1]
            sql/sql_parse.cc:6268(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55bd7305cfc3]
            sql/sql_parse.cc:3959(mysql_execute_command(THD*, bool))[0x55bd730c2217]
            sql/sql_parse.cc:8043(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x55bd73024729]
            sql/sql_parse.cc:1910(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x55bd7309a44f]
            sql/sql_parse.cc:1407(do_command(THD*, bool))[0x55bd730b0faa]
            sql/sql_connect.cc:1418(do_handle_one_connection(CONNECT*, bool))[0x55bd73b7dc4c]
            sql/sql_connect.cc:1312(handle_one_connection)[0x55bd73b80ae6]
            perfschema/pfs.cc:2204(pfs_spawn_thread)[0x55bd760d9c63]
            nptl/pthread_create.c:478(start_thread)[0x14a6f9450609]
            x86_64/clone.S:97(__GI___clone)[0x14a6f86c5163]

            Trying to get some variables.
            Some pointers may be invalid and cause the dump to abort.
            Query (0x6290000e62a8): SELECT * FROM t WHERE COALESCE(c)=0.0

            Connection ID (thread ID): 4
            Status: NOT_KILLED

            Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off

            The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains
            information that should help you find out what is causing the crash.
            Writing a core file...
            Working directory at /test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/data
            Resource Limits:
            Limit Soft Limit Hard Limit Units
            Max cpu time unlimited unlimited seconds
            Max file size unlimited unlimited bytes
            Max data size unlimited unlimited bytes
            Max stack size unlimited unlimited bytes
            Max core file size 0 0 bytes
            Max resident set unlimited unlimited bytes
            Max processes unlimited unlimited processes
            Max open files 1048576 1048576 files
            Max locked memory unlimited unlimited bytes
            Max address space unlimited unlimited bytes
            Max file locks unlimited unlimited locks
            Max pending signals unlimited unlimited signals
            Max msgqueue size unlimited unlimited bytes
            Max nice priority 0 0
            Max realtime priority 0 0
            Max realtime timeout unlimited unlimited us
            Core pattern: core
            {noformat}
            ]
            bar Alexander Barkov made changes -
            issue.field.resolutiondate 2024-07-18 05:39:58.0 2024-07-18 05:39:58.13
            bar Alexander Barkov made changes -
            Component/s Data types [ 13906 ]
            Fix Version/s 10.5.26 [ 29832 ]
            Fix Version/s 10.6.19 [ 29833 ]
            Fix Version/s 10.11.9 [ 29834 ]
            Fix Version/s 11.1.6 [ 29835 ]
            Fix Version/s 11.2.5 [ 29836 ]
            Fix Version/s 11.4.3 [ 29837 ]
            Fix Version/s 11.5.2 [ 29838 ]
            Fix Version/s 11.6.0 [ 29839 ]
            Fix Version/s 10.4 [ 22408 ]
            Fix Version/s 10.5 [ 23123 ]
            Fix Version/s 10.6 [ 24028 ]
            Fix Version/s 10.11 [ 27614 ]
            Fix Version/s 11.1 [ 28549 ]
            Fix Version/s 11.2 [ 28603 ]
            Fix Version/s 11.4 [ 29301 ]
            Fix Version/s 11.5 [ 29506 ]
            Resolution Fixed [ 1 ]
            Status In Progress [ 3 ] Closed [ 6 ]

            People

              bar Alexander Barkov
              Roel Roel Van de Paar