[MDEV-28346] UBSAN: runtime error: downcast of address X which does not point to an object of type 'Item_row' in Item_func_in::get_func_row_mm_tree and load of value X, which is not a valid value for type 'geometry_type' on SELECT - Jira

Details

Type: Bug
Status: Confirmed (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 10.11
Fix Version/s: 10.5, 10.6
Component/s: Optimizer
Labels:
- range-optimizer
- regression

Description

SET sql_select_limit=1;

CREATE TABLE t (c1 INT,c2 INT,KEY(c2)) ENGINE=InnoDB;

INSERT INTO t VALUES (0,0),(0,1);

SELECT c2 FROM t WHERE (0,c2) in ((0,1),(0,1),(0,2));

Leads to:

10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Optimized)
/test/10.9_opt_san/sql/opt_range.cc:8144:44: runtime error: downcast of address 0x629000096d00 which does not point to an object of type 'Item_row'

Setup:

Compiled with GCC >=7.5.0 (I use GCC 9.4.0) and:

    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON

Set before execution:

    export ASAN_OPTIONS=quarantine_size_mb=512:atexit=1:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1

    export UBSAN_OPTIONS=print_stacktrace=1

Bug confirmed present in:
MariaDB: 10.4.25 (dbg), 10.4.25 (opt), 10.5.16 (dbg), 10.5.16 (opt), 10.6.8 (dbg), 10.6.8 (opt), 10.7.4 (dbg), 10.7.4 (opt), 10.8.3 (dbg), 10.8.3 (opt), 10.9.0 (dbg), 10.9.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.2.44 (dbg), 10.2.44 (opt), 10.3.35 (dbg), 10.3.35 (opt)

Attachments

Issue Links

relates to

MDEV-24066 ASAN unknown-crash in hp_rec_hashnr after replace into partition +invisible columns and runtime error: load of value 25264, which is not a valid value for type 'geometry_type' in make_empty_rec

Closed

MDEV-27259 Query with self join and sets of foreign keys crashes server: SIGSEGV and Assertion `key_col_info.comparator' failed, both in Item_func_in::get_func_row_mm_tree

Confirmed

Activity

Ascending order - Click to sort in descending order

Roel Van de Paar added a comment - 2022-04-19 07:26

Full stack from error log

10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Optimized, UBASAN)
/test/10.9_opt_san/sql/opt_range.cc:8144:44: runtime error: downcast of address 0x629000096d00 which does not point to an object of type 'Item_row'
0x629000096d00: note: object is of type 'Item_cache_row'
be be be be f8 2c 10 5b 5e 55 00 00 00 00 00 00 00 00 00 be 20 ec e1 62 5e 55 00 00 04 00 00 00
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'Item_cache_row'
#0 0x555e554e615b in Item_func_in::get_func_row_mm_tree(RANGE_OPT_PARAM, Item_row) /test/10.9_opt_san/sql/opt_range.cc:8144
#1 0x555e554bd851 in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool, bool) /test/10.9_opt_san/sql/opt_range.cc:2886
#2 0x555e55f111b1 in make_join_select /test/10.9_opt_san/sql/sql_select.cc:12093
#3 0x555e55f6d71a in JOIN::optimize_stage2() /test/10.9_opt_san/sql/sql_select.cc:2755
#4 0x555e55f87b6f in JOIN::optimize_inner() /test/10.9_opt_san/sql/sql_select.cc:2492
#5 0x555e55fa0bbf in JOIN::optimize() /test/10.9_opt_san/sql/sql_select.cc:1808
#6 0x555e55fb188a in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/10.9_opt_san/sql/sql_select.cc:4993
#7 0x555e55fb5a73 in handle_select(THD, LEX, select_result*, unsigned long) /test/10.9_opt_san/sql/sql_select.cc:543
#8 0x555e55bcccdf in execute_sqlcom_select /test/10.9_opt_san/sql/sql_parse.cc:6268
#9 0x555e55c0c88b in mysql_execute_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:3959
#10 0x555e55b9c0a8 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/10.9_opt_san/sql/sql_parse.cc:8043
#11 0x555e55bf2439 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/10.9_opt_san/sql/sql_parse.cc:1910
#12 0x555e55bfdc92 in do_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:1407
#13 0x555e564e8d3d in do_handle_one_connection(CONNECT*, bool) /test/10.9_opt_san/sql/sql_connect.cc:1418
#14 0x555e564eb834 in handle_one_connection /test/10.9_opt_san/sql/sql_connect.cc:1312
#15 0x555e585e91f9 in pfs_spawn_thread /test/10.9_opt_san/storage/perfschema/pfs.cc:2201
#16 0x153cd1e35608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
#17 0x153cd10aa162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)

/test/10.9_opt_san/sql/opt_range.cc:8154:50: runtime error: member call on address 0x629000096d00 which does not point to an object of type 'Item_row'
0x629000096d00: note: object is of type 'Item_cache_row'
be be be be f8 2c 10 5b 5e 55 00 00 00 00 00 00 00 00 00 be 20 ec e1 62 5e 55 00 00 04 00 00 00
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'Item_cache_row'
#0 0x555e554e4e3d in Item_func_in::get_func_row_mm_tree(RANGE_OPT_PARAM, Item_row) /test/10.9_opt_san/sql/opt_range.cc:8154
#1 0x555e554bd851 in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool, bool) /test/10.9_opt_san/sql/opt_range.cc:2886
#2 0x555e55f111b1 in make_join_select /test/10.9_opt_san/sql/sql_select.cc:12093
#3 0x555e55f6d71a in JOIN::optimize_stage2() /test/10.9_opt_san/sql/sql_select.cc:2755
#4 0x555e55f87b6f in JOIN::optimize_inner() /test/10.9_opt_san/sql/sql_select.cc:2492
#5 0x555e55fa0bbf in JOIN::optimize() /test/10.9_opt_san/sql/sql_select.cc:1808
#6 0x555e55fb188a in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/10.9_opt_san/sql/sql_select.cc:4993
#7 0x555e55fb5a73 in handle_select(THD, LEX, select_result*, unsigned long) /test/10.9_opt_san/sql/sql_select.cc:543
#8 0x555e55bcccdf in execute_sqlcom_select /test/10.9_opt_san/sql/sql_parse.cc:6268
#9 0x555e55c0c88b in mysql_execute_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:3959
#10 0x555e55b9c0a8 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/10.9_opt_san/sql/sql_parse.cc:8043
#11 0x555e55bf2439 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/10.9_opt_san/sql/sql_parse.cc:1910
#12 0x555e55bfdc92 in do_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:1407
#13 0x555e564e8d3d in do_handle_one_connection(CONNECT*, bool) /test/10.9_opt_san/sql/sql_connect.cc:1418
#14 0x555e564eb834 in handle_one_connection /test/10.9_opt_san/sql/sql_connect.cc:1312
#15 0x555e585e91f9 in pfs_spawn_thread /test/10.9_opt_san/storage/perfschema/pfs.cc:2201
#16 0x153cd1e35608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
#17 0x153cd10aa162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)

/test/10.9_opt_san/sql/opt_range.cc:8171:40: runtime error: member call on address 0x629000096d00 which does not point to an object of type 'Item_row'
0x629000096d00: note: object is of type 'Item_cache_row'
be be be be f8 2c 10 5b 5e 55 00 00 00 00 00 00 00 00 00 be 20 ec e1 62 5e 55 00 00 04 00 00 00
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'Item_cache_row'
#0 0x555e554e5b58 in Item_func_in::get_func_row_mm_tree(RANGE_OPT_PARAM, Item_row) /test/10.9_opt_san/sql/opt_range.cc:8171
#1 0x555e554bd851 in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool, bool) /test/10.9_opt_san/sql/opt_range.cc:2886
#2 0x555e55f111b1 in make_join_select /test/10.9_opt_san/sql/sql_select.cc:12093
#3 0x555e55f6d71a in JOIN::optimize_stage2() /test/10.9_opt_san/sql/sql_select.cc:2755
#4 0x555e55f87b6f in JOIN::optimize_inner() /test/10.9_opt_san/sql/sql_select.cc:2492
#5 0x555e55fa0bbf in JOIN::optimize() /test/10.9_opt_san/sql/sql_select.cc:1808
#6 0x555e55fb188a in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/10.9_opt_san/sql/sql_select.cc:4993
#7 0x555e55fb5a73 in handle_select(THD, LEX, select_result*, unsigned long) /test/10.9_opt_san/sql/sql_select.cc:543
#8 0x555e55bcccdf in execute_sqlcom_select /test/10.9_opt_san/sql/sql_parse.cc:6268
#9 0x555e55c0c88b in mysql_execute_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:3959
#10 0x555e55b9c0a8 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/10.9_opt_san/sql/sql_parse.cc:8043
#11 0x555e55bf2439 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/10.9_opt_san/sql/sql_parse.cc:1910
#12 0x555e55bfdc92 in do_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:1407
#13 0x555e564e8d3d in do_handle_one_connection(CONNECT*, bool) /test/10.9_opt_san/sql/sql_connect.cc:1418
#14 0x555e564eb834 in handle_one_connection /test/10.9_opt_san/sql/sql_connect.cc:1312
#15 0x555e585e91f9 in pfs_spawn_thread /test/10.9_opt_san/storage/perfschema/pfs.cc:2201
#16 0x153cd1e35608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
#17 0x153cd10aa162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)

2022-04-19 17:00:01 0 [Note] /test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-opt/bin/mysqld (initiated by: root[root] @ localhost []): Normal shutdown
2022-04-19 17:00:01 0 [Note] InnoDB: FTS optimize thread exiting.
2022-04-19 17:00:01 0 [Note] InnoDB: Starting shutdown...
2022-04-19 17:00:01 0 [Note] InnoDB: Dumping buffer pool(s) to /test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-opt/data/ib_buffer_pool
2022-04-19 17:00:01 0 [Note] InnoDB: Buffer pool(s) dump completed at 220419 17:00:01
2022-04-19 17:00:01 0 [Note] InnoDB: Removed temporary tablespace data file: "./ibtmp1"
2022-04-19 17:00:01 0 [Note] InnoDB: Shutdown completed; log sequence number 51522; transaction id 24
2022-04-19 17:00:01 0 [Note] /test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-opt/bin/mysqld: Shutdown complete


=================================================================
==2004915==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 96 byte(s) in 6 object(s) allocated from:
#0 0x555e5535f95e in realloc (/test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-opt/bin/mariadbd+0x806295e)
#1 0x153cd1cf19b2 (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xac9b2)

SUMMARY: AddressSanitizer: 96 byte(s) leaked in 6 allocation(s).
220419 17:00:01 [ERROR] mysqld got signal 6 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.

To report this bug, see https://mariadb.com/kb/en/reporting-bugs

We will try our best to scrape up some info that will hopefully help
diagnose the problem, but since we have already crashed,
something is definitely wrong and this may fail.

Server version: 10.9.0-MariaDB
read_buffer_size=131072
max_used_connections=1
thread_count=0
Thread pointer: 0x0
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0x0 thread_stack 0x5fc00
asan_interceptors.o:0(__interceptor_backtrace.part.0)[0x555e552bea90]
mysys/stacktrace.c:213(my_print_stacktrace)[0x555e59d9da99]
sql/signal_handler.cc:226(handle_fatal_signal)[0x555e57092a82]
sigaction.c:0(__restore_rt)[0x153cd1e413c0]

Roel Van de Paar added a comment - 2022-04-19 07:26 Full stack from error log 10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Optimized, UBASAN) /test/10.9_opt_san/sql/opt_range.cc:8144:44: runtime error: downcast of address 0x629000096d00 which does not point to an object of type 'Item_row' 0x629000096d00: note: object is of type 'Item_cache_row' be be be be f8 2c 10 5b 5e 55 00 00 00 00 00 00 00 00 00 be 20 ec e1 62 5e 55 00 00 04 00 00 00 ^~~~~~~~~~~~~~~~~~~~~~~ vptr for 'Item_cache_row' #0 0x555e554e615b in Item_func_in::get_func_row_mm_tree(RANGE_OPT_PARAM*, Item_row*) /test/10.9_opt_san/sql/opt_range.cc:8144 #1 0x555e554bd851 in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool, bool) /test/10.9_opt_san/sql/opt_range.cc:2886 #2 0x555e55f111b1 in make_join_select /test/10.9_opt_san/sql/sql_select.cc:12093 #3 0x555e55f6d71a in JOIN::optimize_stage2() /test/10.9_opt_san/sql/sql_select.cc:2755 #4 0x555e55f87b6f in JOIN::optimize_inner() /test/10.9_opt_san/sql/sql_select.cc:2492 #5 0x555e55fa0bbf in JOIN::optimize() /test/10.9_opt_san/sql/sql_select.cc:1808 #6 0x555e55fb188a in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_opt_san/sql/sql_select.cc:4993 #7 0x555e55fb5a73 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_opt_san/sql/sql_select.cc:543 #8 0x555e55bcccdf in execute_sqlcom_select /test/10.9_opt_san/sql/sql_parse.cc:6268 #9 0x555e55c0c88b in mysql_execute_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:3959 #10 0x555e55b9c0a8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_opt_san/sql/sql_parse.cc:8043 #11 0x555e55bf2439 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_opt_san/sql/sql_parse.cc:1910 #12 0x555e55bfdc92 in do_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:1407 #13 0x555e564e8d3d in do_handle_one_connection(CONNECT*, bool) /test/10.9_opt_san/sql/sql_connect.cc:1418 #14 0x555e564eb834 in handle_one_connection /test/10.9_opt_san/sql/sql_connect.cc:1312 #15 0x555e585e91f9 in pfs_spawn_thread /test/10.9_opt_san/storage/perfschema/pfs.cc:2201 #16 0x153cd1e35608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477 #17 0x153cd10aa162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162) /test/10.9_opt_san/sql/opt_range.cc:8154:50: runtime error: member call on address 0x629000096d00 which does not point to an object of type 'Item_row' 0x629000096d00: note: object is of type 'Item_cache_row' be be be be f8 2c 10 5b 5e 55 00 00 00 00 00 00 00 00 00 be 20 ec e1 62 5e 55 00 00 04 00 00 00 ^~~~~~~~~~~~~~~~~~~~~~~ vptr for 'Item_cache_row' #0 0x555e554e4e3d in Item_func_in::get_func_row_mm_tree(RANGE_OPT_PARAM*, Item_row*) /test/10.9_opt_san/sql/opt_range.cc:8154 #1 0x555e554bd851 in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool, bool) /test/10.9_opt_san/sql/opt_range.cc:2886 #2 0x555e55f111b1 in make_join_select /test/10.9_opt_san/sql/sql_select.cc:12093 #3 0x555e55f6d71a in JOIN::optimize_stage2() /test/10.9_opt_san/sql/sql_select.cc:2755 #4 0x555e55f87b6f in JOIN::optimize_inner() /test/10.9_opt_san/sql/sql_select.cc:2492 #5 0x555e55fa0bbf in JOIN::optimize() /test/10.9_opt_san/sql/sql_select.cc:1808 #6 0x555e55fb188a in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_opt_san/sql/sql_select.cc:4993 #7 0x555e55fb5a73 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_opt_san/sql/sql_select.cc:543 #8 0x555e55bcccdf in execute_sqlcom_select /test/10.9_opt_san/sql/sql_parse.cc:6268 #9 0x555e55c0c88b in mysql_execute_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:3959 #10 0x555e55b9c0a8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_opt_san/sql/sql_parse.cc:8043 #11 0x555e55bf2439 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_opt_san/sql/sql_parse.cc:1910 #12 0x555e55bfdc92 in do_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:1407 #13 0x555e564e8d3d in do_handle_one_connection(CONNECT*, bool) /test/10.9_opt_san/sql/sql_connect.cc:1418 #14 0x555e564eb834 in handle_one_connection /test/10.9_opt_san/sql/sql_connect.cc:1312 #15 0x555e585e91f9 in pfs_spawn_thread /test/10.9_opt_san/storage/perfschema/pfs.cc:2201 #16 0x153cd1e35608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477 #17 0x153cd10aa162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162) /test/10.9_opt_san/sql/opt_range.cc:8171:40: runtime error: member call on address 0x629000096d00 which does not point to an object of type 'Item_row' 0x629000096d00: note: object is of type 'Item_cache_row' be be be be f8 2c 10 5b 5e 55 00 00 00 00 00 00 00 00 00 be 20 ec e1 62 5e 55 00 00 04 00 00 00 ^~~~~~~~~~~~~~~~~~~~~~~ vptr for 'Item_cache_row' #0 0x555e554e5b58 in Item_func_in::get_func_row_mm_tree(RANGE_OPT_PARAM*, Item_row*) /test/10.9_opt_san/sql/opt_range.cc:8171 #1 0x555e554bd851 in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool, bool) /test/10.9_opt_san/sql/opt_range.cc:2886 #2 0x555e55f111b1 in make_join_select /test/10.9_opt_san/sql/sql_select.cc:12093 #3 0x555e55f6d71a in JOIN::optimize_stage2() /test/10.9_opt_san/sql/sql_select.cc:2755 #4 0x555e55f87b6f in JOIN::optimize_inner() /test/10.9_opt_san/sql/sql_select.cc:2492 #5 0x555e55fa0bbf in JOIN::optimize() /test/10.9_opt_san/sql/sql_select.cc:1808 #6 0x555e55fb188a in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_opt_san/sql/sql_select.cc:4993 #7 0x555e55fb5a73 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_opt_san/sql/sql_select.cc:543 #8 0x555e55bcccdf in execute_sqlcom_select /test/10.9_opt_san/sql/sql_parse.cc:6268 #9 0x555e55c0c88b in mysql_execute_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:3959 #10 0x555e55b9c0a8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_opt_san/sql/sql_parse.cc:8043 #11 0x555e55bf2439 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_opt_san/sql/sql_parse.cc:1910 #12 0x555e55bfdc92 in do_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:1407 #13 0x555e564e8d3d in do_handle_one_connection(CONNECT*, bool) /test/10.9_opt_san/sql/sql_connect.cc:1418 #14 0x555e564eb834 in handle_one_connection /test/10.9_opt_san/sql/sql_connect.cc:1312 #15 0x555e585e91f9 in pfs_spawn_thread /test/10.9_opt_san/storage/perfschema/pfs.cc:2201 #16 0x153cd1e35608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477 #17 0x153cd10aa162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162) 2022-04-19 17:00:01 0 [Note] /test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-opt/bin/mysqld (initiated by: root[root] @ localhost []): Normal shutdown 2022-04-19 17:00:01 0 [Note] InnoDB: FTS optimize thread exiting. 2022-04-19 17:00:01 0 [Note] InnoDB: Starting shutdown... 2022-04-19 17:00:01 0 [Note] InnoDB: Dumping buffer pool(s) to /test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-opt/data/ib_buffer_pool 2022-04-19 17:00:01 0 [Note] InnoDB: Buffer pool(s) dump completed at 220419 17:00:01 2022-04-19 17:00:01 0 [Note] InnoDB: Removed temporary tablespace data file: "./ibtmp1" 2022-04-19 17:00:01 0 [Note] InnoDB: Shutdown completed; log sequence number 51522; transaction id 24 2022-04-19 17:00:01 0 [Note] /test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-opt/bin/mysqld: Shutdown complete ================================================================= ==2004915==ERROR: LeakSanitizer: detected memory leaks Direct leak of 96 byte(s) in 6 object(s) allocated from: #0 0x555e5535f95e in realloc (/test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-opt/bin/mariadbd+0x806295e) #1 0x153cd1cf19b2 (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xac9b2) SUMMARY: AddressSanitizer: 96 byte(s) leaked in 6 allocation(s). 220419 17:00:01 [ERROR] mysqld got signal 6 ; This could be because you hit a bug. It is also possible that this binary or one of the libraries it was linked against is corrupt, improperly built, or misconfigured. This error can also be caused by malfunctioning hardware. To report this bug, see https://mariadb.com/kb/en/reporting-bugs We will try our best to scrape up some info that will hopefully help diagnose the problem, but since we have already crashed, something is definitely wrong and this may fail. Server version: 10.9.0-MariaDB read_buffer_size=131072 max_used_connections=1 thread_count=0 Thread pointer: 0x0 Attempting backtrace. You can use the following information to find out where mysqld died. If you see no messages after this, something went terribly wrong... stack_bottom = 0x0 thread_stack 0x5fc00 asan_interceptors.o:0(__interceptor_backtrace.part.0)[0x555e552bea90] mysys/stacktrace.c:213(my_print_stacktrace)[0x555e59d9da99] sql/signal_handler.cc:226(handle_fatal_signal)[0x555e57092a82] sigaction.c:0(__restore_rt)[0x153cd1e413c0]

Roel Van de Paar added a comment - 2022-04-19 07:32 - edited

Two issues are observed with this testcase run across opt/dbg builds. UniqueID's(/stacks):

UBSAN|downcast of address X which does not point to an object of type 'Item_row'|sql/opt_range.cc|Item_func_in::get_func_row_mm_tree|SQL_SELECT::test_quick_select|make_join_select|JOIN::optimize_stage2

UBSAN|downcast of address X which does not point to an object of type 'Item_row'|sql/opt_range.cc|Item_func_in::get_func_row_mm_tree|Item_func_in::get_mm_tree|SQL_SELECT::test_quick_select|make_join_select

The first one (optimized builds) has it's full stack listed in the comment above. The second one (debug builds) in the comment below this one.

Roel Van de Paar added a comment - 2022-04-19 07:32 - edited Two issues are observed with this testcase run across opt/dbg builds. UniqueID's(/stacks): UBSAN|downcast of address X which does not point to an object of type 'Item_row'|sql/opt_range.cc|Item_func_in::get_func_row_mm_tree|SQL_SELECT::test_quick_select|make_join_select|JOIN::optimize_stage2 UBSAN|downcast of address X which does not point to an object of type 'Item_row'|sql/opt_range.cc|Item_func_in::get_func_row_mm_tree|Item_func_in::get_mm_tree|SQL_SELECT::test_quick_select|make_join_select The first one (optimized builds) has it's full stack listed in the comment above. The second one (debug builds) in the comment below this one.

Roel Van de Paar added a comment - 2022-04-19 07:36

10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Debug, UBASAN)
/test/10.9_dbg_san/sql/opt_range.cc:8144:44: runtime error: downcast of address 0x629000122e70 which does not point to an object of type 'Item_row'
0x629000122e70: note: object is of type 'Item_cache_row'
be be be be 98 b5 d4 ca 2a 56 00 00 00 00 00 00 00 00 00 be e0 61 37 d3 2a 56 00 00 04 00 00 00
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'Item_cache_row'
#0 0x562ac4697329 in Item_func_in::get_func_row_mm_tree(RANGE_OPT_PARAM, Item_row) /test/10.9_dbg_san/sql/opt_range.cc:8144
#1 0x562ac469a679 in Item_func_in::get_mm_tree(RANGE_OPT_PARAM, Item*) /test/10.9_dbg_san/sql/opt_range.cc:8533
#2 0x562ac46c20bd in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool, bool) /test/10.9_dbg_san/sql/opt_range.cc:2886
#3 0x562ac52785f8 in make_join_select /test/10.9_dbg_san/sql/sql_select.cc:12093
#4 0x562ac5382026 in JOIN::optimize_stage2() /test/10.9_dbg_san/sql/sql_select.cc:2755
#5 0x562ac539e083 in JOIN::optimize_inner() /test/10.9_dbg_san/sql/sql_select.cc:2492
#6 0x562ac539fa30 in JOIN::optimize() /test/10.9_dbg_san/sql/sql_select.cc:1808
#7 0x562ac53a3260 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/10.9_dbg_san/sql/sql_select.cc:4993
#8 0x562ac53a4ef0 in handle_select(THD, LEX, select_result*, unsigned long) /test/10.9_dbg_san/sql/sql_select.cc:543
#9 0x562ac4f11fc2 in execute_sqlcom_select /test/10.9_dbg_san/sql/sql_parse.cc:6268
#10 0x562ac4f77216 in mysql_execute_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:3959
#11 0x562ac4ed9728 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/10.9_dbg_san/sql/sql_parse.cc:8043
#12 0x562ac4f4f44e in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1910
#13 0x562ac4f65fa9 in do_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1407
#14 0x562ac5a32c4b in do_handle_one_connection(CONNECT*, bool) /test/10.9_dbg_san/sql/sql_connect.cc:1418
#15 0x562ac5a35ae5 in handle_one_connection /test/10.9_dbg_san/sql/sql_connect.cc:1312
#16 0x562ac7f8ec62 in pfs_spawn_thread /test/10.9_dbg_san/storage/perfschema/pfs.cc:2201
#17 0x14a3ab3f7608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
#18 0x14a3aa66c162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)

/test/10.9_dbg_san/sql/opt_range.cc:8154:50: runtime error: member call on address 0x629000122e70 which does not point to an object of type 'Item_row'
0x629000122e70: note: object is of type 'Item_cache_row'
be be be be 98 b5 d4 ca 2a 56 00 00 00 00 00 00 00 00 00 be e0 61 37 d3 2a 56 00 00 04 00 00 00
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'Item_cache_row'
#0 0x562ac46974dc in Item_func_in::get_func_row_mm_tree(RANGE_OPT_PARAM, Item_row) /test/10.9_dbg_san/sql/opt_range.cc:8154
#1 0x562ac469a679 in Item_func_in::get_mm_tree(RANGE_OPT_PARAM, Item*) /test/10.9_dbg_san/sql/opt_range.cc:8533
#2 0x562ac46c20bd in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool, bool) /test/10.9_dbg_san/sql/opt_range.cc:2886
#3 0x562ac52785f8 in make_join_select /test/10.9_dbg_san/sql/sql_select.cc:12093
#4 0x562ac5382026 in JOIN::optimize_stage2() /test/10.9_dbg_san/sql/sql_select.cc:2755
#5 0x562ac539e083 in JOIN::optimize_inner() /test/10.9_dbg_san/sql/sql_select.cc:2492
#6 0x562ac539fa30 in JOIN::optimize() /test/10.9_dbg_san/sql/sql_select.cc:1808
#7 0x562ac53a3260 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/10.9_dbg_san/sql/sql_select.cc:4993
#8 0x562ac53a4ef0 in handle_select(THD, LEX, select_result*, unsigned long) /test/10.9_dbg_san/sql/sql_select.cc:543
#9 0x562ac4f11fc2 in execute_sqlcom_select /test/10.9_dbg_san/sql/sql_parse.cc:6268
#10 0x562ac4f77216 in mysql_execute_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:3959
#11 0x562ac4ed9728 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/10.9_dbg_san/sql/sql_parse.cc:8043
#12 0x562ac4f4f44e in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1910
#13 0x562ac4f65fa9 in do_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1407
#14 0x562ac5a32c4b in do_handle_one_connection(CONNECT*, bool) /test/10.9_dbg_san/sql/sql_connect.cc:1418
#15 0x562ac5a35ae5 in handle_one_connection /test/10.9_dbg_san/sql/sql_connect.cc:1312
#16 0x562ac7f8ec62 in pfs_spawn_thread /test/10.9_dbg_san/storage/perfschema/pfs.cc:2201
#17 0x14a3ab3f7608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
#18 0x14a3aa66c162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)

/test/10.9_dbg_san/sql/opt_range.cc:8171:40: runtime error: member call on address 0x629000122e70 which does not point to an object of type 'Item_row'
0x629000122e70: note: object is of type 'Item_cache_row'
be be be be 98 b5 d4 ca 2a 56 00 00 00 00 00 00 00 00 00 be e0 61 37 d3 2a 56 00 00 04 00 00 00
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'Item_cache_row'
#0 0x562ac4697bf1 in Item_func_in::get_func_row_mm_tree(RANGE_OPT_PARAM, Item_row) /test/10.9_dbg_san/sql/opt_range.cc:8171
#1 0x562ac469a679 in Item_func_in::get_mm_tree(RANGE_OPT_PARAM, Item*) /test/10.9_dbg_san/sql/opt_range.cc:8533
#2 0x562ac46c20bd in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool, bool) /test/10.9_dbg_san/sql/opt_range.cc:2886
#3 0x562ac52785f8 in make_join_select /test/10.9_dbg_san/sql/sql_select.cc:12093
#4 0x562ac5382026 in JOIN::optimize_stage2() /test/10.9_dbg_san/sql/sql_select.cc:2755
#5 0x562ac539e083 in JOIN::optimize_inner() /test/10.9_dbg_san/sql/sql_select.cc:2492
#6 0x562ac539fa30 in JOIN::optimize() /test/10.9_dbg_san/sql/sql_select.cc:1808
#7 0x562ac53a3260 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/10.9_dbg_san/sql/sql_select.cc:4993
#8 0x562ac53a4ef0 in handle_select(THD, LEX, select_result*, unsigned long) /test/10.9_dbg_san/sql/sql_select.cc:543
#9 0x562ac4f11fc2 in execute_sqlcom_select /test/10.9_dbg_san/sql/sql_parse.cc:6268
#10 0x562ac4f77216 in mysql_execute_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:3959
#11 0x562ac4ed9728 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/10.9_dbg_san/sql/sql_parse.cc:8043
#12 0x562ac4f4f44e in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1910
#13 0x562ac4f65fa9 in do_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1407
#14 0x562ac5a32c4b in do_handle_one_connection(CONNECT*, bool) /test/10.9_dbg_san/sql/sql_connect.cc:1418
#15 0x562ac5a35ae5 in handle_one_connection /test/10.9_dbg_san/sql/sql_connect.cc:1312
#16 0x562ac7f8ec62 in pfs_spawn_thread /test/10.9_dbg_san/storage/perfschema/pfs.cc:2201
#17 0x14a3ab3f7608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
#18 0x14a3aa66c162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)

2022-04-19 17:31:07 0 [Note] /test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/bin/mysqld (initiated by: root[root] @ localhost []): Normal shutdown
2022-04-19 17:31:07 0 [Note] InnoDB: FTS optimize thread exiting.
2022-04-19 17:31:07 0 [Note] InnoDB: Starting shutdown...
2022-04-19 17:31:07 0 [Note] InnoDB: Dumping buffer pool(s) to /test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/data/ib_buffer_pool
2022-04-19 17:31:07 0 [Note] InnoDB: Buffer pool(s) dump completed at 220419 17:31:07
2022-04-19 17:31:07 0 [Note] InnoDB: Removed temporary tablespace data file: "./ibtmp1"
2022-04-19 17:31:07 0 [Note] InnoDB: Shutdown completed; log sequence number 51948; transaction id 24
2022-04-19 17:31:07 0 [Note] /test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/bin/mysqld: Shutdown complete


=================================================================
==1961114==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 96 byte(s) in 6 object(s) allocated from:
#0 0x562ac44eb67e in __interceptor_realloc (/test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/bin/mariadbd+0x849e67e)
#1 0x14a3ab2b39b2 (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xac9b2)

SUMMARY: AddressSanitizer: 96 byte(s) leaked in 6 allocation(s).
220419 17:31:09 [ERROR] mysqld got signal 6 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.

To report this bug, see https://mariadb.com/kb/en/reporting-bugs

We will try our best to scrape up some info that will hopefully help
diagnose the problem, but since we have already crashed,
something is definitely wrong and this may fail.

Server version: 10.9.0-MariaDB-debug
read_buffer_size=131072
max_used_connections=1
thread_count=0
Thread pointer: 0x0
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0x0 thread_stack 0x100000

Roel Van de Paar added a comment - 2022-04-19 07:36 10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Debug, UBASAN) /test/10.9_dbg_san/sql/opt_range.cc:8144:44: runtime error: downcast of address 0x629000122e70 which does not point to an object of type 'Item_row' 0x629000122e70: note: object is of type 'Item_cache_row' be be be be 98 b5 d4 ca 2a 56 00 00 00 00 00 00 00 00 00 be e0 61 37 d3 2a 56 00 00 04 00 00 00 ^~~~~~~~~~~~~~~~~~~~~~~ vptr for 'Item_cache_row' #0 0x562ac4697329 in Item_func_in::get_func_row_mm_tree(RANGE_OPT_PARAM*, Item_row*) /test/10.9_dbg_san/sql/opt_range.cc:8144 #1 0x562ac469a679 in Item_func_in::get_mm_tree(RANGE_OPT_PARAM*, Item**) /test/10.9_dbg_san/sql/opt_range.cc:8533 #2 0x562ac46c20bd in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool, bool) /test/10.9_dbg_san/sql/opt_range.cc:2886 #3 0x562ac52785f8 in make_join_select /test/10.9_dbg_san/sql/sql_select.cc:12093 #4 0x562ac5382026 in JOIN::optimize_stage2() /test/10.9_dbg_san/sql/sql_select.cc:2755 #5 0x562ac539e083 in JOIN::optimize_inner() /test/10.9_dbg_san/sql/sql_select.cc:2492 #6 0x562ac539fa30 in JOIN::optimize() /test/10.9_dbg_san/sql/sql_select.cc:1808 #7 0x562ac53a3260 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_dbg_san/sql/sql_select.cc:4993 #8 0x562ac53a4ef0 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_dbg_san/sql/sql_select.cc:543 #9 0x562ac4f11fc2 in execute_sqlcom_select /test/10.9_dbg_san/sql/sql_parse.cc:6268 #10 0x562ac4f77216 in mysql_execute_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:3959 #11 0x562ac4ed9728 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_dbg_san/sql/sql_parse.cc:8043 #12 0x562ac4f4f44e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1910 #13 0x562ac4f65fa9 in do_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1407 #14 0x562ac5a32c4b in do_handle_one_connection(CONNECT*, bool) /test/10.9_dbg_san/sql/sql_connect.cc:1418 #15 0x562ac5a35ae5 in handle_one_connection /test/10.9_dbg_san/sql/sql_connect.cc:1312 #16 0x562ac7f8ec62 in pfs_spawn_thread /test/10.9_dbg_san/storage/perfschema/pfs.cc:2201 #17 0x14a3ab3f7608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477 #18 0x14a3aa66c162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162) /test/10.9_dbg_san/sql/opt_range.cc:8154:50: runtime error: member call on address 0x629000122e70 which does not point to an object of type 'Item_row' 0x629000122e70: note: object is of type 'Item_cache_row' be be be be 98 b5 d4 ca 2a 56 00 00 00 00 00 00 00 00 00 be e0 61 37 d3 2a 56 00 00 04 00 00 00 ^~~~~~~~~~~~~~~~~~~~~~~ vptr for 'Item_cache_row' #0 0x562ac46974dc in Item_func_in::get_func_row_mm_tree(RANGE_OPT_PARAM*, Item_row*) /test/10.9_dbg_san/sql/opt_range.cc:8154 #1 0x562ac469a679 in Item_func_in::get_mm_tree(RANGE_OPT_PARAM*, Item**) /test/10.9_dbg_san/sql/opt_range.cc:8533 #2 0x562ac46c20bd in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool, bool) /test/10.9_dbg_san/sql/opt_range.cc:2886 #3 0x562ac52785f8 in make_join_select /test/10.9_dbg_san/sql/sql_select.cc:12093 #4 0x562ac5382026 in JOIN::optimize_stage2() /test/10.9_dbg_san/sql/sql_select.cc:2755 #5 0x562ac539e083 in JOIN::optimize_inner() /test/10.9_dbg_san/sql/sql_select.cc:2492 #6 0x562ac539fa30 in JOIN::optimize() /test/10.9_dbg_san/sql/sql_select.cc:1808 #7 0x562ac53a3260 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_dbg_san/sql/sql_select.cc:4993 #8 0x562ac53a4ef0 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_dbg_san/sql/sql_select.cc:543 #9 0x562ac4f11fc2 in execute_sqlcom_select /test/10.9_dbg_san/sql/sql_parse.cc:6268 #10 0x562ac4f77216 in mysql_execute_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:3959 #11 0x562ac4ed9728 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_dbg_san/sql/sql_parse.cc:8043 #12 0x562ac4f4f44e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1910 #13 0x562ac4f65fa9 in do_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1407 #14 0x562ac5a32c4b in do_handle_one_connection(CONNECT*, bool) /test/10.9_dbg_san/sql/sql_connect.cc:1418 #15 0x562ac5a35ae5 in handle_one_connection /test/10.9_dbg_san/sql/sql_connect.cc:1312 #16 0x562ac7f8ec62 in pfs_spawn_thread /test/10.9_dbg_san/storage/perfschema/pfs.cc:2201 #17 0x14a3ab3f7608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477 #18 0x14a3aa66c162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162) /test/10.9_dbg_san/sql/opt_range.cc:8171:40: runtime error: member call on address 0x629000122e70 which does not point to an object of type 'Item_row' 0x629000122e70: note: object is of type 'Item_cache_row' be be be be 98 b5 d4 ca 2a 56 00 00 00 00 00 00 00 00 00 be e0 61 37 d3 2a 56 00 00 04 00 00 00 ^~~~~~~~~~~~~~~~~~~~~~~ vptr for 'Item_cache_row' #0 0x562ac4697bf1 in Item_func_in::get_func_row_mm_tree(RANGE_OPT_PARAM*, Item_row*) /test/10.9_dbg_san/sql/opt_range.cc:8171 #1 0x562ac469a679 in Item_func_in::get_mm_tree(RANGE_OPT_PARAM*, Item**) /test/10.9_dbg_san/sql/opt_range.cc:8533 #2 0x562ac46c20bd in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool, bool) /test/10.9_dbg_san/sql/opt_range.cc:2886 #3 0x562ac52785f8 in make_join_select /test/10.9_dbg_san/sql/sql_select.cc:12093 #4 0x562ac5382026 in JOIN::optimize_stage2() /test/10.9_dbg_san/sql/sql_select.cc:2755 #5 0x562ac539e083 in JOIN::optimize_inner() /test/10.9_dbg_san/sql/sql_select.cc:2492 #6 0x562ac539fa30 in JOIN::optimize() /test/10.9_dbg_san/sql/sql_select.cc:1808 #7 0x562ac53a3260 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_dbg_san/sql/sql_select.cc:4993 #8 0x562ac53a4ef0 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_dbg_san/sql/sql_select.cc:543 #9 0x562ac4f11fc2 in execute_sqlcom_select /test/10.9_dbg_san/sql/sql_parse.cc:6268 #10 0x562ac4f77216 in mysql_execute_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:3959 #11 0x562ac4ed9728 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_dbg_san/sql/sql_parse.cc:8043 #12 0x562ac4f4f44e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1910 #13 0x562ac4f65fa9 in do_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1407 #14 0x562ac5a32c4b in do_handle_one_connection(CONNECT*, bool) /test/10.9_dbg_san/sql/sql_connect.cc:1418 #15 0x562ac5a35ae5 in handle_one_connection /test/10.9_dbg_san/sql/sql_connect.cc:1312 #16 0x562ac7f8ec62 in pfs_spawn_thread /test/10.9_dbg_san/storage/perfschema/pfs.cc:2201 #17 0x14a3ab3f7608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477 #18 0x14a3aa66c162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162) 2022-04-19 17:31:07 0 [Note] /test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/bin/mysqld (initiated by: root[root] @ localhost []): Normal shutdown 2022-04-19 17:31:07 0 [Note] InnoDB: FTS optimize thread exiting. 2022-04-19 17:31:07 0 [Note] InnoDB: Starting shutdown... 2022-04-19 17:31:07 0 [Note] InnoDB: Dumping buffer pool(s) to /test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/data/ib_buffer_pool 2022-04-19 17:31:07 0 [Note] InnoDB: Buffer pool(s) dump completed at 220419 17:31:07 2022-04-19 17:31:07 0 [Note] InnoDB: Removed temporary tablespace data file: "./ibtmp1" 2022-04-19 17:31:07 0 [Note] InnoDB: Shutdown completed; log sequence number 51948; transaction id 24 2022-04-19 17:31:07 0 [Note] /test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/bin/mysqld: Shutdown complete ================================================================= ==1961114==ERROR: LeakSanitizer: detected memory leaks Direct leak of 96 byte(s) in 6 object(s) allocated from: #0 0x562ac44eb67e in __interceptor_realloc (/test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/bin/mariadbd+0x849e67e) #1 0x14a3ab2b39b2 (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xac9b2) SUMMARY: AddressSanitizer: 96 byte(s) leaked in 6 allocation(s). 220419 17:31:09 [ERROR] mysqld got signal 6 ; This could be because you hit a bug. It is also possible that this binary or one of the libraries it was linked against is corrupt, improperly built, or misconfigured. This error can also be caused by malfunctioning hardware. To report this bug, see https://mariadb.com/kb/en/reporting-bugs We will try our best to scrape up some info that will hopefully help diagnose the problem, but since we have already crashed, something is definitely wrong and this may fail. Server version: 10.9.0-MariaDB-debug read_buffer_size=131072 max_used_connections=1 thread_count=0 Thread pointer: 0x0 Attempting backtrace. You can use the following information to find out where mysqld died. If you see no messages after this, something went terribly wrong... stack_bottom = 0x0 thread_stack 0x100000

Roel Van de Paar added a comment - 2022-09-14 05:34 - edited

This testcase:

CREATE TABLE t (a INT PRIMARY KEY, b INT) ENGINE=InnoDB;

INSERT INTO t VALUES (0,0),(1,1),(2,2);

SET SESSION sql_select_limit=2;

ALTER TABLE t CHANGE COLUMN a a BINARY (216);

SELECT * FROM t x WHERE (a, b) IN ((0, 0),(1,0));

Will show the following issues accross versions:

UBSAN|downcast of address X which does not point to an object of type 'Item_row'|sql/opt_range.cc|Item_func_in::get_func_row_mm_tree|Item_func_in::get_mm_tree|SQL_SELECT::test_quick_select|make_join_select

UBSAN|downcast of address X which does not point to an object of type 'Item_row'|sql/opt_range.cc|Item_func_in::get_func_row_mm_tree|SQL_SELECT::test_quick_select|make_join_select|JOIN::optimize_stage2

UBSAN|load of value X, which is not a valid value for type 'geometry_type'|sql/unireg.cc|make_empty_rec|build_frm_image|mysql_create_frm_image|create_table_impl

10.3.37 57739ae94a4af580c62bbc87d364fa002c5dbe04 (Optimized, UBASAN)
2022-09-14 15:31:17 0 [Note] /test/UBASAN_MD010922-mariadb-10.3.37-linux-x86_64-opt/bin/mysqld: ready for connections.
Version: '10.3.37-MariaDB' socket: '/test/UBASAN_MD010922-mariadb-10.3.37-linux-x86_64-opt/socket.sock' port: 10355 MariaDB Server
/test/10.3_opt_san/sql/unireg.cc:1067:32: runtime error: load of value 25264, which is not a valid value for type 'geometry_type'
#0 0x558923e57d43 in make_empty_rec /test/10.3_opt_san/sql/unireg.cc:1067
#1 0x558923e57d43 in build_frm_image(THD, st_mysql_const_lex_string const, HA_CREATE_INFO, List<Create_field>&, unsigned int, st_key, handler*) /test/10.3_opt_san/sql/unireg.cc:394
#2 0x558924944ec5 in mysql_create_frm_image(THD, st_mysql_const_lex_string const, st_mysql_const_lex_string const, HA_CREATE_INFO, Alter_info, int, st_key, unsigned int, st_mysql_const_unsigned_lex_string*) /test/10.3_opt_san/sql/sql_table.cc:4868
#3 0x55892496d185 in create_table_impl /test/10.3_opt_san/sql/sql_table.cc:5110
#4 0x558924981fc7 in mysql_alter_table(THD, st_mysql_const_lex_string const, st_mysql_const_lex_string const, HA_CREATE_INFO, TABLE_LIST, Alter_info, unsigned int, st_order*, bool) /test/10.3_opt_san/sql/sql_table.cc:9982
#5 0x558924b74d77 in Sql_cmd_alter_table::execute(THD*) /test/10.3_opt_san/sql/sql_alter.cc:512
#6 0x5589245cd9b1 in mysql_execute_command(THD*) /test/10.3_opt_san/sql/sql_parse.cc:6076
#7 0x5589245e7984 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /test/10.3_opt_san/sql/sql_parse.cc:7871
#8 0x5589245ee119 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /test/10.3_opt_san/sql/sql_parse.cc:1852
#9 0x5589245f65e3 in do_command(THD*) /test/10.3_opt_san/sql/sql_parse.cc:1398
#10 0x558924b638d6 in do_handle_one_connection(CONNECT*) /test/10.3_opt_san/sql/sql_connect.cc:1403
#11 0x558924b6421c in handle_one_connection /test/10.3_opt_san/sql/sql_connect.cc:1308
#12 0x15511bfdb608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
#13 0x15511b593132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)

Roel Van de Paar added a comment - 2022-09-14 05:34 - edited This testcase: CREATE TABLE t (a INT PRIMARY KEY , b INT ) ENGINE=InnoDB; INSERT INTO t VALUES (0,0),(1,1),(2,2); SET SESSION sql_select_limit=2; ALTER TABLE t CHANGE COLUMN a a BINARY (216); SELECT * FROM t x WHERE (a, b) IN ((0, 0),(1,0)); Will show the following issues accross versions: UBSAN|downcast of address X which does not point to an object of type 'Item_row'|sql/opt_range.cc|Item_func_in::get_func_row_mm_tree|Item_func_in::get_mm_tree|SQL_SELECT::test_quick_select|make_join_select UBSAN|downcast of address X which does not point to an object of type 'Item_row'|sql/opt_range.cc|Item_func_in::get_func_row_mm_tree|SQL_SELECT::test_quick_select|make_join_select|JOIN::optimize_stage2 UBSAN|load of value X, which is not a valid value for type 'geometry_type'|sql/unireg.cc|make_empty_rec|build_frm_image|mysql_create_frm_image|create_table_impl 10.3.37 57739ae94a4af580c62bbc87d364fa002c5dbe04 (Optimized, UBASAN) 2022-09-14 15:31:17 0 [Note] /test/UBASAN_MD010922-mariadb-10.3.37-linux-x86_64-opt/bin/mysqld: ready for connections. Version: '10.3.37-MariaDB' socket: '/test/UBASAN_MD010922-mariadb-10.3.37-linux-x86_64-opt/socket.sock' port: 10355 MariaDB Server /test/10.3_opt_san/sql/unireg.cc:1067:32: runtime error: load of value 25264, which is not a valid value for type 'geometry_type' #0 0x558923e57d43 in make_empty_rec /test/10.3_opt_san/sql/unireg.cc:1067 #1 0x558923e57d43 in build_frm_image(THD*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, List<Create_field>&, unsigned int, st_key*, handler*) /test/10.3_opt_san/sql/unireg.cc:394 #2 0x558924944ec5 in mysql_create_frm_image(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, Alter_info*, int, st_key**, unsigned int*, st_mysql_const_unsigned_lex_string*) /test/10.3_opt_san/sql/sql_table.cc:4868 #3 0x55892496d185 in create_table_impl /test/10.3_opt_san/sql/sql_table.cc:5110 #4 0x558924981fc7 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /test/10.3_opt_san/sql/sql_table.cc:9982 #5 0x558924b74d77 in Sql_cmd_alter_table::execute(THD*) /test/10.3_opt_san/sql/sql_alter.cc:512 #6 0x5589245cd9b1 in mysql_execute_command(THD*) /test/10.3_opt_san/sql/sql_parse.cc:6076 #7 0x5589245e7984 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.3_opt_san/sql/sql_parse.cc:7871 #8 0x5589245ee119 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.3_opt_san/sql/sql_parse.cc:1852 #9 0x5589245f65e3 in do_command(THD*) /test/10.3_opt_san/sql/sql_parse.cc:1398 #10 0x558924b638d6 in do_handle_one_connection(CONNECT*) /test/10.3_opt_san/sql/sql_connect.cc:1403 #11 0x558924b6421c in handle_one_connection /test/10.3_opt_san/sql/sql_connect.cc:1308 #12 0x15511bfdb608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477 #13 0x15511b593132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)

People

Assignee:: Sergei Petrunia

Reporter:: Roel Van de Paar

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2022-04-19 07:04

Updated:: 2024-09-10 14:59

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.