Details
-
Bug
-
Status: Closed (View Workflow)
-
Blocker
-
Resolution: Fixed
-
10.2, 10.3
Description
The test case can hardly count as critical, but it being a recent regression in the last 10.2 release before EOL raise the stakes. Still, if you find out that the problem is really limited to this, feel free to demote.
CREATE TABLE t (a INT, KEY (a)); |
INSERT INTO t VALUES (1),(2); |
SELECT DISTINCT DEFAULT(a), CASE a WHEN 0 THEN 1 ELSE 2 END FROM t GROUP BY a WITH ROLLUP; |
|
|
# Cleanup
|
DROP TABLE t; |
|
10.2 a7923b37 ASAN RelWithDebInfo |
==3035773==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000085eb9 at pc 0x7f38d3398983 bp 0x7f38c8285ac0 sp 0x7f38c8285270
|
READ of size 4 at 0x619000085eb9 thread T5
|
#0 0x7f38d3398982 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:806
|
#1 0x562a29386243 in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, char const*, bool, bool) /data/src/10.2/sql/sql_select.cc:17263
|
#2 0x562a293b70b8 in JOIN::create_postjoin_aggr_table(st_join_table*, List<Item>*, st_order*, bool, bool, bool) /data/src/10.2/sql/sql_select.cc:2983
|
#3 0x562a293bd0c7 in JOIN::make_aggr_tables_info() /data/src/10.2/sql/sql_select.cc:2709
|
#4 0x562a293e38ea in JOIN::optimize_inner() /data/src/10.2/sql/sql_select.cc:2259
|
#5 0x562a293e5b25 in JOIN::optimize() /data/src/10.2/sql/sql_select.cc:1127
|
#6 0x562a293e5b25 in JOIN::optimize() /data/src/10.2/sql/sql_select.cc:1119
|
#7 0x562a293edd0f in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3835
|
#8 0x562a293eea7a in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361
|
#9 0x562a292949a7 in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6271
|
#10 0x562a292baee1 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3582
|
#11 0x562a292c3747 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7793
|
#12 0x562a292c9b8e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
|
#13 0x562a292cda2d in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
|
#14 0x562a295b09f6 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
|
#15 0x562a295b112a in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
|
#16 0x562a2a742324 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
|
#17 0x7f38d2e91ea6 in start_thread nptl/pthread_create.c:477
|
#18 0x7f38d2a96dee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfddee)
|
|
|
0x619000085eb9 is located 569 bytes inside of 936-byte region [0x619000085c80,0x619000086028)
|
freed by thread T5 here:
|
#0 0x7f38d3408b6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123
|
#1 0x562a2951fd83 in open_table_def(THD*, TABLE_SHARE*, unsigned int) /data/src/10.2/sql/table.cc:675
|
#2 0x562a29729390 in tdc_acquire_share(THD*, TABLE_LIST*, unsigned int, TABLE**) /data/src/10.2/sql/table_cache.cc:826
|
#3 0x562a291b2fc6 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.2/sql/sql_base.cc:1797
|
#4 0x562a291bdf11 in open_and_process_table /data/src/10.2/sql/sql_base.cc:3589
|
#5 0x562a291bdf11 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:4062
|
#6 0x562a291bf3ee in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:4862
|
#7 0x562a2925d373 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.2/sql/sql_base.h:508
|
#8 0x562a2925d373 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.2/sql/sql_insert.cc:758
|
#9 0x562a292b364c in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4217
|
#10 0x562a292c3747 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7793
|
#11 0x562a292c9b8e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
|
#12 0x562a292cda2d in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
|
#13 0x562a295b09f6 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
|
#14 0x562a295b112a in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
|
#15 0x562a2a742324 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
|
#16 0x7f38d2e91ea6 in start_thread nptl/pthread_create.c:477
|
|
|
previously allocated by thread T5 here:
|
#0 0x7f38d3408e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
|
#1 0x562a2a7fa9a2 in my_malloc /data/src/10.2/mysys/my_malloc.c:101
|
#2 0x562a2951f914 in open_table_def(THD*, TABLE_SHARE*, unsigned int) /data/src/10.2/sql/table.cc:656
|
#3 0x562a29729390 in tdc_acquire_share(THD*, TABLE_LIST*, unsigned int, TABLE**) /data/src/10.2/sql/table_cache.cc:826
|
#4 0x562a291b2fc6 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.2/sql/sql_base.cc:1797
|
#5 0x562a291bdf11 in open_and_process_table /data/src/10.2/sql/sql_base.cc:3589
|
#6 0x562a291bdf11 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:4062
|
#7 0x562a291bf3ee in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:4862
|
#8 0x562a2925d373 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.2/sql/sql_base.h:508
|
#9 0x562a2925d373 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.2/sql/sql_insert.cc:758
|
#10 0x562a292b364c in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4217
|
#11 0x562a292c3747 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7793
|
#12 0x562a292c9b8e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
|
#13 0x562a292cda2d in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
|
#14 0x562a295b09f6 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
|
#15 0x562a295b112a in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
|
#16 0x562a2a742324 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
|
#17 0x7f38d2e91ea6 in start_thread nptl/pthread_create.c:477
|
|
|
Thread T5 created by T0 here:
|
#0 0x7f38d33b42a2 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:214
|
#1 0x562a2a7475aa in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1919
|
#2 0x562a290beecf in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1246
|
#3 0x562a290beecf in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6580
|
#4 0x562a290cf26c in create_new_thread /data/src/10.2/sql/mysqld.cc:6650
|
#5 0x562a290cf26c in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6908
|
#6 0x562a290d179f in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6199
|
#7 0x7f38d29bfd09 in __libc_start_main ../csu/libc-start.c:308
|
|
|
SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:806 in __interceptor_memcpy
|
Shadow bytes around the buggy address:
|
0x0c3280008b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c3280008b90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c3280008ba0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c3280008bb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c3280008bc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
=>0x0c3280008bd0: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
|
0x0c3280008be0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c3280008bf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c3280008c00: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa
|
0x0c3280008c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c3280008c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==3035773==ABORTING
|
|
10.2 a7923b37 ASAN debug |
mysqld: /data/src/10.2/sql/field.h:976: const uchar *Field::ptr_in_record(const uchar *) const: Assertion `l_offset >= 0 && table->s->rec_buff_length - l_offset > 0' failed.
|
220424 2:59:18 [ERROR] mysqld got signal 6 ;
|
|
|
#7 0x00007f9a4bc83662 in __GI___assert_fail (assertion=0x2da6f60 <str> "l_offset >= 0 && table->s->rec_buff_length - l_offset > 0", file=0x2da6c60 <str> "/data/src/10.2/sql/field.h", line=976, function=0x2da6fc0 <__PRETTY_FUNCTION__._ZNK5Field13ptr_in_recordEPKh> "const uchar *Field::ptr_in_record(const uchar *) const") at assert.c:101
|
#8 0x0000000000c60c01 in Field::ptr_in_record (this=0x62b000001cc0, record=0x619000087220 "\377") at /data/src/10.2/sql/field.h:976
|
#9 0x0000000000b9fa84 in create_tmp_table (thd=0x62a000060270, param=0x62b000004238, fields=..., group=0x0, distinct=false, save_sum_fields=true, select_options=2147748609, rows_limit=18446744073709551615, table_alias=0x2d9f420 <str> "", do_not_open=true, keep_row_order=false) at /data/src/10.2/sql/sql_select.cc:17264
|
#10 0x0000000000baad2c in JOIN::create_postjoin_aggr_table (this=0x62b0000014e8, tab=0x62b0000034f0, table_fields=0x62b000001820, table_group=0x0, save_sum_fields=true, distinct=false, keep_row_order=false) at /data/src/10.2/sql/sql_select.cc:2983
|
#11 0x0000000000b93183 in JOIN::make_aggr_tables_info (this=0x62b0000014e8) at /data/src/10.2/sql/sql_select.cc:2709
|
#12 0x0000000000b5b517 in JOIN::optimize_inner (this=0x62b0000014e8) at /data/src/10.2/sql/sql_select.cc:2259
|
#13 0x0000000000b4ae8d in JOIN::optimize (this=0x62b0000014e8) at /data/src/10.2/sql/sql_select.cc:1127
|
#14 0x0000000000b39f22 in mysql_select (thd=0x62a000060270, tables=0x62b000000c18, wild_num=0, fields=..., conds=0x0, og_num=1, order=0x0, group=0x62b000001380, having=0x0, proc_param=0x0, select_options=2147748609, result=0x62b0000014c0, unit=0x62a000063e68, select_lex=0x62a0000645b8) at /data/src/10.2/sql/sql_select.cc:3835
|
#15 0x0000000000b38e65 in handle_select (thd=0x62a000060270, lex=0x62a000063da8, result=0x62b0000014c0, setup_tables_done_option=0) at /data/src/10.2/sql/sql_select.cc:361
|
#16 0x0000000000a7c45a in execute_sqlcom_select (thd=0x62a000060270, all_tables=0x62b000000c18) at /data/src/10.2/sql/sql_parse.cc:6271
|
#17 0x0000000000a5d53d in mysql_execute_command (thd=0x62a000060270) at /data/src/10.2/sql/sql_parse.cc:3582
|
#18 0x0000000000a50b5d in mysql_parse (thd=0x62a000060270, rawbuf=0x62b000000290 "SELECT DISTINCT DEFAULT(a), CASE a WHEN 0 THEN 1 ELSE 2 END FROM t GROUP BY a WITH ROLLUP", length=89, parser_state=0x7f9a41471d00, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7793
|
#19 0x0000000000a432ca in dispatch_command (command=COM_QUERY, thd=0x62a000060270, packet=0x6290000eb271 "SELECT DISTINCT DEFAULT(a), CASE a WHEN 0 THEN 1 ELSE 2 END FROM t GROUP BY a WITH ROLLUP", packet_length=89, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1827
|
#20 0x0000000000a4bfcb in do_command (thd=0x62a000060270) at /data/src/10.2/sql/sql_parse.cc:1381
|
#21 0x0000000000f39c97 in do_handle_one_connection (connect=0x6110000050b0) at /data/src/10.2/sql/sql_connect.cc:1336
|
#22 0x0000000000f39364 in handle_one_connection (arg=0x6110000050b0) at /data/src/10.2/sql/sql_connect.cc:1241
|
#23 0x0000000002a08ce2 in pfs_spawn_thread (arg=0x616000009ff0) at /data/src/10.2/storage/perfschema/pfs.cc:1869
|
#24 0x00007f9a4c641ea7 in start_thread (arg=<optimized out>) at pthread_create.c:477
|
#25 0x00007f9a4bd4cdef in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
|
|
10.3 9286c9e6 non-debug ASAN |
==3036791==ERROR: AddressSanitizer: heap-use-after-free on address 0x6190000827b9 at pc 0x7f230392b983 bp 0x7f22f86d85e0 sp 0x7f22f86d7d90
|
READ of size 4 at 0x6190000827b9 thread T5
|
#0 0x7f230392b982 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:806
|
#1 0x55d79f5f2fca in field_conv_memcpy /data/src/10.3/sql/field_conv.cc:818
|
#2 0x55d79f5f2fca in field_conv(Field*, Field*) /data/src/10.3/sql/field_conv.cc:848
|
#3 0x55d79f0a1ddf in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool) /data/src/10.3/sql/sql_select.cc:18127
|
#4 0x55d79f0d15c4 in JOIN::create_postjoin_aggr_table(st_join_table*, List<Item>*, st_order*, bool, bool, bool) /data/src/10.3/sql/sql_select.cc:3458
|
#5 0x55d79f0d60a9 in JOIN::make_aggr_tables_info() /data/src/10.3/sql/sql_select.cc:3179
|
#6 0x55d79f0f6191 in JOIN::optimize_stage2() /data/src/10.3/sql/sql_select.cc:2697
|
#7 0x55d79f0ffffa in JOIN::optimize_inner() /data/src/10.3/sql/sql_select.cc:2003
|
#8 0x55d79f106f61 in JOIN::optimize() /data/src/10.3/sql/sql_select.cc:1519
|
#9 0x55d79f10f378 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.3/sql/sql_select.cc:4340
|
#10 0x55d79f10fe1f in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.3/sql/sql_select.cc:372
|
#11 0x55d79efa07cf in execute_sqlcom_select /data/src/10.3/sql/sql_parse.cc:6339
|
#12 0x55d79efc5898 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3870
|
#13 0x55d79efcdd37 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7870
|
#14 0x55d79efd2879 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852
|
#15 0x55d79efd861d in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398
|
#16 0x55d79f2f5af6 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
|
#17 0x55d79f2f635a in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
|
#18 0x55d7a053b5d4 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
|
#19 0x7f23030f9ea6 in start_thread nptl/pthread_create.c:477
|
#20 0x7f2303029dee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfddee)
|
|
|
0x6190000827b9 is located 569 bytes inside of 936-byte region [0x619000082580,0x619000082928)
|
freed by thread T5 here:
|
#0 0x7f230399bb6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123
|
#1 0x55d79f254f88 in open_table_def(THD*, TABLE_SHARE*, unsigned int) /data/src/10.3/sql/table.cc:680
|
#2 0x55d79f4b7f7a in tdc_acquire_share(THD*, TABLE_LIST*, unsigned int, TABLE**) /data/src/10.3/sql/table_cache.cc:840
|
#3 0x55d79ee752f6 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.3/sql/sql_base.cc:1852
|
#4 0x55d79ee7f979 in open_and_process_table /data/src/10.3/sql/sql_base.cc:3724
|
#5 0x55d79ee7f979 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:4199
|
#6 0x55d79ee8165e in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:5139
|
#7 0x55d79ef24f72 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.3/sql/sql_base.h:503
|
#8 0x55d79ef24f72 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.3/sql/sql_insert.cc:760
|
#9 0x55d79efbe94e in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4504
|
#10 0x55d79efcdd37 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7870
|
#11 0x55d79efd2879 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852
|
#12 0x55d79efd861d in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398
|
#13 0x55d79f2f5af6 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
|
#14 0x55d79f2f635a in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
|
#15 0x55d7a053b5d4 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
|
#16 0x7f23030f9ea6 in start_thread nptl/pthread_create.c:477
|
|
|
previously allocated by thread T5 here:
|
#0 0x7f230399be8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
|
#1 0x55d7a060c4b2 in my_malloc /data/src/10.3/mysys/my_malloc.c:101
|
#2 0x55d79f254b0c in open_table_def(THD*, TABLE_SHARE*, unsigned int) /data/src/10.3/sql/table.cc:657
|
#3 0x55d79f4b7f7a in tdc_acquire_share(THD*, TABLE_LIST*, unsigned int, TABLE**) /data/src/10.3/sql/table_cache.cc:840
|
#4 0x55d79ee752f6 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.3/sql/sql_base.cc:1852
|
#5 0x55d79ee7f979 in open_and_process_table /data/src/10.3/sql/sql_base.cc:3724
|
#6 0x55d79ee7f979 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:4199
|
#7 0x55d79ee8165e in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:5139
|
#8 0x55d79ef24f72 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.3/sql/sql_base.h:503
|
#9 0x55d79ef24f72 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.3/sql/sql_insert.cc:760
|
#10 0x55d79efbe94e in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4504
|
#11 0x55d79efcdd37 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7870
|
#12 0x55d79efd2879 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852
|
#13 0x55d79efd861d in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398
|
#14 0x55d79f2f5af6 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
|
#15 0x55d79f2f635a in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
|
#16 0x55d7a053b5d4 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
|
#17 0x7f23030f9ea6 in start_thread nptl/pthread_create.c:477
|
|
|
Thread T5 created by T0 here:
|
#0 0x7f23039472a2 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:214
|
#1 0x55d7a053fc2a in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1919
|
#2 0x55d79ed65f9b in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1275
|
#3 0x55d79ed65f9b in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6668
|
#4 0x55d79ed762ad in create_new_thread /data/src/10.3/sql/mysqld.cc:6738
|
#5 0x55d79ed762ad in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6996
|
#6 0x55d79ed78255 in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6290
|
#7 0x7f2302f52d09 in __libc_start_main ../csu/libc-start.c:308
|
|
|
SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:806 in __interceptor_memcpy
|
Shadow bytes around the buggy address:
|
0x0c32800084a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c32800084b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c32800084c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c32800084d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c32800084e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
=>0x0c32800084f0: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
|
0x0c3280008500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c3280008510: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c3280008520: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa
|
0x0c3280008530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c3280008540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==3036791==ABORTING
|
CREATE TABLE t (a INT, KEY (a)); |
INSERT INTO t VALUES (1),(2); |
CREATE ALGORITHM=TEMPTABLE VIEW v AS SELECT * FROM t; |
SELECT DISTINCT DEFAULT(a), CASE a WHEN 0 THEN 1 ELSE 2 END FROM v GROUP BY a WITH ROLLUP; |
|
10.2 a7923b37 |
==4036181==ERROR: AddressSanitizer: use-after-poison on address 0x6190000876b8 at pc 0x55ed74db2399 bp 0x7fe73f9f2ac0 sp 0x7fe73f9f2ab8
|
READ of size 1 at 0x6190000876b8 thread T5
|
#0 0x55ed74db2398 in Field::is_null_in_record(unsigned char const*) const /data/src/10.2/sql/field.h:1146
|
#1 0x55ed74db2398 in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, char const*, bool, bool) /data/src/10.2/sql/sql_select.cc:17258
|
#2 0x55ed74de00b8 in JOIN::create_postjoin_aggr_table(st_join_table*, List<Item>*, st_order*, bool, bool, bool) /data/src/10.2/sql/sql_select.cc:2983
|
#3 0x55ed74de60c7 in JOIN::make_aggr_tables_info() /data/src/10.2/sql/sql_select.cc:2709
|
#4 0x55ed74e0c8ea in JOIN::optimize_inner() /data/src/10.2/sql/sql_select.cc:2259
|
#5 0x55ed74e0eb25 in JOIN::optimize() /data/src/10.2/sql/sql_select.cc:1127
|
#6 0x55ed74e0eb25 in JOIN::optimize() /data/src/10.2/sql/sql_select.cc:1119
|
#7 0x55ed74e16d0f in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3835
|
#8 0x55ed74e17a7a in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361
|
#9 0x55ed74cbd9a7 in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6271
|
#10 0x55ed74ce3ee1 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3582
|
#11 0x55ed74cec747 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7793
|
#12 0x55ed74cf2b8e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
|
#13 0x55ed74cf6a2d in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
|
#14 0x55ed74fd99f6 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
|
#15 0x55ed74fda12a in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
|
#16 0x55ed7616b324 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
|
#17 0x7fe74a5fdea6 in start_thread nptl/pthread_create.c:477
|
#18 0x7fe74a202dee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfddee)
|
|
|
0x6190000876b8 is located 312 bytes inside of 992-byte region [0x619000087580,0x619000087960)
|
allocated by thread T5 here:
|
#0 0x7fe74ab74e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
|
#1 0x55ed762239a2 in my_malloc /data/src/10.2/mysys/my_malloc.c:101
|
#2 0x55ed7620f823 in alloc_root /data/src/10.2/mysys/my_alloc.c:243
|
#3 0x55ed76210645 in memdup_root /data/src/10.2/mysys/my_alloc.c:464
|
#4 0x55ed751ec3bd in Field::make_new_field(st_mem_root*, TABLE*, bool) /data/src/10.2/sql/field.cc:2387
|
#5 0x55ed74d9d70e in create_tmp_field_from_field(THD*, Field*, char const*, TABLE*, Item_field*) /data/src/10.2/sql/sql_select.cc:16318
|
#6 0x55ed74d9e938 in create_tmp_field(THD*, TABLE*, Item*, Item::Type, Item***, Field**, Field**, bool, bool, bool, bool) /data/src/10.2/sql/sql_select.cc:16575
|
#7 0x55ed74dad797 in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, char const*, bool, bool) /data/src/10.2/sql/sql_select.cc:17023
|
#8 0x55ed74eface3 in select_union::create_result_table(THD*, List<Item>*, bool, unsigned long long, char const*, bool, bool, bool) /data/src/10.2/sql/sql_union.cc:181
|
#9 0x55ed74c53689 in mysql_derived_prepare(THD*, LEX*, TABLE_LIST*) /data/src/10.2/sql/sql_derived.cc:793
|
#10 0x55ed74c5455b in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /data/src/10.2/sql/sql_derived.cc:192
|
#11 0x55ed74cad0a5 in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /data/src/10.2/sql/sql_lex.h:3223
|
#12 0x55ed74cad0a5 in st_select_lex::handle_derived(LEX*, unsigned int) /data/src/10.2/sql/sql_lex.cc:3940
|
#13 0x55ed74dd8b8d in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.2/sql/sql_select.cc:725
|
#14 0x55ed74e16cf8 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3827
|
#15 0x55ed74e17a7a in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361
|
#16 0x55ed74cbd9a7 in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6271
|
#17 0x55ed74ce3ee1 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3582
|
#18 0x55ed74cec747 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7793
|
#19 0x55ed74cf2b8e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
|
#20 0x55ed74cf6a2d in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
|
#21 0x55ed74fd99f6 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
|
#22 0x55ed74fda12a in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
|
#23 0x55ed7616b324 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
|
#24 0x7fe74a5fdea6 in start_thread nptl/pthread_create.c:477
|
|
|
Thread T5 created by T0 here:
|
#0 0x7fe74ab202a2 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:214
|
#1 0x55ed761705aa in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1919
|
#2 0x55ed74ae7ecf in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1246
|
#3 0x55ed74ae7ecf in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6580
|
#4 0x55ed74af826c in create_new_thread /data/src/10.2/sql/mysqld.cc:6650
|
#5 0x55ed74af826c in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6908
|
#6 0x55ed74afa79f in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6199
|
#7 0x7fe74a12bd09 in __libc_start_main ../csu/libc-start.c:308
|
|
|
SUMMARY: AddressSanitizer: use-after-poison /data/src/10.2/sql/field.h:1146 in Field::is_null_in_record(unsigned char const*) const
|
Shadow bytes around the buggy address:
|
0x0c3280008e80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 fa fa fa fa
|
0x0c3280008e90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c3280008ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c3280008eb0: 00 00 00 00 f7 00 00 00 00 00 00 00 00 00 00 00
|
0x0c3280008ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 00
|
=>0x0c3280008ed0: 00 00 00 00 00 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c3280008ee0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c3280008ef0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c3280008f00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c3280008f10: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c3280008f20: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 fa fa fa fa
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==4036181==ABORTING
|
The failures started happening on 10.2 after this commit:
commit e4e25d2bacc067417c35750f5f6c44cad10c81de
|
Author: Oleksandr Byelkin
|
Date: Thu Apr 14 13:51:46 2022 +0200
|
|
|
MDEV-26423 MariaDB server crash in Create_tmp_table::finalize
|
Currently reproducible on 10.2-10.3, the patch hasn't been merged up into 10.4+ yet.