[MDEV-28618] Server crash in /sql/item_cmpfunc.cc:6847 in Item_equal::val_int() - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Won't Fix
Affects Version/s: 10.3.35, 10.3(EOL)
Fix Version/s: N/A
Component/s: Optimizer
Labels:
- fuzzer
- not-10.4
Environment:
ubuntu 18.04

Description

poc:

CREATE TABLE v917 ( v918 TEXT ( 1 ) NOT NULL ) ;

 INSERT INTO v917 ( v918 ) VALUES ( 72 ) ;

 UPDATE v917 SET v918 = 11 WHERE v918 = 52 ;

 INSERT INTO v917 ( v918 ) VALUES ( 99 ) , ( 127 ) ;

 WITH v920 AS ( SELECT v918 FROM ( SELECT v918 FROM v917 GROUP BY 'x' ) AS v919 ) SELECT v918 NOT LIKE 'x' FROM v920 WHERE v918 IN ( SELECT DISTINCT 'x' FROM ( SELECT DISTINCT v918 , ( ( TRUE , v918 ) NOT IN ( SELECT ( v918 % ( SELECT v918 FROM v917 WHERE 61243097.000000 = v918 ) <= v918 ) , -1 FROM v917 ) OR v918 > 'x' ) FROM ( SELECT v918 FROM v917 UNION SELECT v918 FROM v917 AS v921 WHERE v918 ^ v918 % -1 AND ( v918 = -2147483648 OR v918 = TRUE OR v918 = 68 ) GROUP BY v918 HAVING v918 > v918 ) AS v922 NATURAL JOIN ( SELECT DISTINCT v918 , ( v918 = 255 OR v918 > 'x' ) FROM v917 ) AS v923 NATURAL JOIN v917 GROUP BY ( v918 % v918 ) NOT LIKE 'x' ) AS v924 NATURAL JOIN v917 WHERE - 'x' >= v918 IS NOT NULL = ( 0 < v918 AND v918 < 'x' ) ) ;

output:
SUMMARY: AddressSanitizer: SEGV /sql/item_cmpfunc.cc:6847 in Item_equal::val_int()

The full error log is in the attachment.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

95_stack
7 kB
2022-05-19 02:59

Issue Links

relates to

MDEV-23983 Crash caused by query containing constant having clause

Closed

Activity

Descending order - Click to sort in ascending order

Sergei Golubchik added a comment - 2023-12-11 17:32

10.3 is EOL and 10.4 is not affected

Sergei Golubchik added a comment - 2023-12-11 17:32 10.3 is EOL and 10.4 is not affected

Alice Sherepa added a comment - 2022-05-25 13:29 - edited

reproducible on 10.3, not on 10.4+

CREATE TABLE t1 ( a text) ;

INSERT INTO t1 VALUES (1),(2),(3);

SELECT 1 FROM ( SELECT a FROM ( SELECT a FROM t1 GROUP BY 'x' ) dt2 )dt

WHERE a IN (SELECT  'x') ;

10.3 7d3d3838c1b8af98a9704
220525 15:25:55 [ERROR] mysqld got signal 11 ;

Server version: 10.3.36-MariaDB-debug-log

sql/signal_handler.cc:221(handle_fatal_signal)[0x55e9f92c3742]
sigaction.c:0(__restore_rt)[0x7f4be28c4420]
sql/item_cmpfunc.cc:6847(Item_equal::val_int())[0x55e9f93bfda2]
sql/sql_select.cc:21213(end_send_group(JOIN, st_join_table, bool))[0x55e9f8c8d9ef]
sql/sql_select.cc:19836(sub_select(JOIN, st_join_table, bool))[0x55e9f8c82746]
sql/sql_select.cc:19425(do_select(JOIN, Procedure))[0x55e9f8c80f8e]
sql/sql_select.cc:4151(JOIN::exec_inner())[0x55e9f8c13a6d]
sql/sql_select.cc:3946(JOIN::exec())[0x55e9f8c113ea]
sql/sql_select.cc:4356(mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex))[0x55e9f8c14ee8]
sql/sql_derived.cc:1179(mysql_derived_fill(THD, LEX, TABLE_LIST*))[0x55e9f8a8aab8]
sql/sql_derived.cc:193(mysql_handle_single_derived(LEX, TABLE_LIST, unsigned int))[0x55e9f8a8428d]
sql/sql_select.cc:12913(st_join_table::preread_init())[0x55e9f8c52eb6]
sql/sql_select.cc:19853(sub_select(JOIN, st_join_table, bool))[0x55e9f8c8290f]
sql/sql_select.cc:19423(do_select(JOIN, Procedure))[0x55e9f8c80e88]
sql/sql_select.cc:4151(JOIN::exec_inner())[0x55e9f8c13a6d]
sql/sql_select.cc:3946(JOIN::exec())[0x55e9f8c113ea]
sql/sql_select.cc:4356(mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex))[0x55e9f8c14ee8]
sql/sql_select.cc:372(handle_select(THD, LEX, select_result*, unsigned long))[0x55e9f8beb449]
sql/sql_parse.cc:6339(execute_sqlcom_select(THD, TABLE_LIST))[0x55e9f8b5c191]
sql/sql_parse.cc:3870(mysql_execute_command(THD*))[0x55e9f8b4a1cc]
sql/sql_parse.cc:7870(mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool))[0x55e9f8b65eee]
sql/sql_parse.cc:1855(dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool))[0x55e9f8b3cdcb]
sql/sql_parse.cc:1398(do_command(THD*))[0x55e9f8b3990e]
sql/sql_connect.cc:1403(do_handle_one_connection(CONNECT*))[0x55e9f8f0cef1]
sql/sql_connect.cc:1309(handle_one_connection)[0x55e9f8f0c7ab]
perfschema/pfs.cc:1871(pfs_spawn_thread)[0x55e9fa53c209]
nptl/pthread_create.c:478(start_thread)[0x7f4be28b8609]

Query (0x62b000000290): SELECT 1 FROM ( SELECT a FROM ( SELECT a FROM t1 GROUP BY 'x' ) dt2 )dt
WHERE a IN (SELECT 'x')

10.3 7d3d3838c1b8af98a9704
=================================================================
==2762572==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d0001b6440 at pc 0x5566d81915a1 bp 0x7fdfd35167c0 sp 0x7fdfd35167b0
READ of size 8 at 0x62d0001b6440 thread T27
#0 0x5566d81915a0 in Item_equal_iterator<List_iterator_fast, Item>::get_curr_field() (/10.3/sql/mysqld+0x11e85a0)
#1 0x5566d8874d6b in Item_equal::val_int() /10.3/src/sql/item_cmpfunc.cc:6845
#2 0x5566d81429ee in end_send_group(JOIN, st_join_table, bool) /10.3/src/sql/sql_select.cc:21213
#3 0x5566d8137745 in sub_select(JOIN, st_join_table, bool) /10.3/src/sql/sql_select.cc:19836
#4 0x5566d8135f8d in do_select /10.3/src/sql/sql_select.cc:19425
#5 0x5566d80c8a6c in JOIN::exec_inner() /10.3/src/sql/sql_select.cc:4151
#6 0x5566d80c63e9 in JOIN::exec() /10.3/src/sql/sql_select.cc:3945
#7 0x5566d80c9ee7 in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /10.3/src/sql/sql_select.cc:4354
#8 0x5566d7f3fab7 in mysql_derived_fill(THD, LEX, TABLE_LIST*) /10.3/src/sql/sql_derived.cc:1179
#9 0x5566d7f3928c in mysql_handle_single_derived(LEX, TABLE_LIST, unsigned int) /10.3/src/sql/sql_derived.cc:193
#10 0x5566d8107eb5 in st_join_table::preread_init() /10.3/src/sql/sql_select.cc:12914
#11 0x5566d813790e in sub_select(JOIN, st_join_table, bool) /10.3/src/sql/sql_select.cc:19853
#12 0x5566d8135e87 in do_select /10.3/src/sql/sql_select.cc:19423
#13 0x5566d80c8a6c in JOIN::exec_inner() /10.3/src/sql/sql_select.cc:4151
#14 0x5566d80c63e9 in JOIN::exec() /10.3/src/sql/sql_select.cc:3945
#15 0x5566d80c9ee7 in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /10.3/src/sql/sql_select.cc:4354
#16 0x5566d80a0448 in handle_select(THD, LEX, select_result*, unsigned long) /10.3/src/sql/sql_select.cc:372
#17 0x5566d8011190 in execute_sqlcom_select /10.3/src/sql/sql_parse.cc:6339
#18 0x5566d7fff1cb in mysql_execute_command(THD*) /10.3/src/sql/sql_parse.cc:3870
#19 0x5566d801aeed in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /10.3/src/sql/sql_parse.cc:7870
#20 0x5566d7ff1dca in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /10.3/src/sql/sql_parse.cc:1852
#21 0x5566d7fee90d in do_command(THD*) /10.3/src/sql/sql_parse.cc:1398
#22 0x5566d83c1ef0 in do_handle_one_connection(CONNECT*) /10.3/src/sql/sql_connect.cc:1403
#23 0x5566d83c17aa in handle_one_connection /10.3/src/sql/sql_connect.cc:1308
#24 0x5566d99f1208 in pfs_spawn_thread /10.3/src/storage/perfschema/pfs.cc:1869
#25 0x7fdfe9cd8608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
#26 0x7fdfe9bfb132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)

0x62d0001b6440 is located 28 bytes to the right of 32804-byte region [0x62d0001ae400,0x62d0001b6424)
allocated by thread T27 here:
#0 0x7fdfea5b5808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x5566d9b3ddf7 in sf_malloc /10.3/src/mysys/safemalloc.c:118
#2 0x5566d9b0bc77 in my_malloc /10.3/src/mysys/my_malloc.c:101
#3 0x5566d9ae7ce4 in alloc_root /10.3/src/mysys/my_alloc.c:251
#4 0x5566d7d3c707 in Query_arena::alloc(unsigned long) /10.3/src/sql/sql_class.h:1033
#5 0x5566d7eeb022 in thd_alloc /10.3/src/sql/sql_class.cc:1082
#6 0x5566d7dc132b in Sql_alloc::operator new(unsigned long) /10.3/src/sql/sql_alloc.h:30
#7 0x5566d82965f1 in st_select_lex_unit::prepare_join(THD, st_select_lex, select_result*, unsigned long, bool) /10.3/src/sql/sql_union.cc:639
#8 0x5566d829a6a2 in st_select_lex_unit::prepare(TABLE_LIST, select_result, unsigned long) /10.3/src/sql/sql_union.cc:1033
#9 0x5566d7f3c907 in mysql_derived_prepare(THD, LEX, TABLE_LIST*) /10.3/src/sql/sql_derived.cc:793
#10 0x5566d7f3928c in mysql_handle_single_derived(LEX, TABLE_LIST, unsigned int) /10.3/src/sql/sql_derived.cc:193
#11 0x5566d831c602 in TABLE_LIST::handle_derived(LEX*, unsigned int) /10.3/src/sql/table.cc:8535
#12 0x5566d7f7e9e7 in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /10.3/src/sql/sql_lex.h:4041
#13 0x5566d7f9f920 in st_select_lex::handle_derived(LEX*, unsigned int) /10.3/src/sql/sql_lex.cc:4197
#14 0x5566d831c574 in TABLE_LIST::handle_derived(LEX*, unsigned int) /10.3/src/sql/table.cc:8532
#15 0x5566d7f7e9e7 in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /10.3/src/sql/sql_lex.h:4041
#16 0x5566d7f9f920 in st_select_lex::handle_derived(LEX*, unsigned int) /10.3/src/sql/sql_lex.cc:4197
#17 0x5566d80a6fa1 in JOIN::prepare(TABLE_LIST, unsigned int, Item, unsigned int, st_order, bool, st_order, Item, st_order, st_select_lex, st_select_lex_unit) /10.3/src/sql/sql_select.cc:1066
#18 0x5566d89b33d7 in subselect_single_select_engine::prepare(THD*) /10.3/src/sql/item_subselect.cc:3808
#19 0x5566d898d202 in Item_subselect::fix_fields(THD, Item*) /10.3/src/sql/item_subselect.cc:282
#20 0x5566d89b01ac in Item_in_subselect::fix_fields(THD, Item*) /10.3/src/sql/item_subselect.cc:3471
#21 0x5566d7d8a75a in Item::fix_fields_if_needed(THD, Item*) /10.3/src/sql/item.h:829
#22 0x5566d7d8a794 in Item::fix_fields_if_needed_for_scalar(THD, Item*) (/10.3/sql/mysqld+0xde1794)
#23 0x5566d7eb0598 in Item::fix_fields_if_needed_for_bool(THD, Item*) /10.3/src/sql/item.h:837
#24 0x5566d7ea7d6d in setup_conds(THD, TABLE_LIST, List<TABLE_LIST>&, Item**) /10.3/src/sql/sql_base.cc:8274
#25 0x5566d80a2343 in setup_without_group /10.3/src/sql/sql_select.cc:660
#26 0x5566d80a8393 in JOIN::prepare(TABLE_LIST, unsigned int, Item, unsigned int, st_order, bool, st_order, Item, st_order, st_select_lex, st_select_lex_unit) /10.3/src/sql/sql_select.cc:1157
#27 0x5566d80c9ccb in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /10.3/src/sql/sql_select.cc:4332
#28 0x5566d80a0448 in handle_select(THD, LEX, select_result*, unsigned long) /10.3/src/sql/sql_select.cc:372
#29 0x5566d8011190 in execute_sqlcom_select /10.3/src/sql/sql_parse.cc:6339

Thread T27 created by T0 here:
#0 0x7fdfea4e2815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
#1 0x5566d99f15f9 in spawn_thread_v1 /10.3/src/storage/perfschema/pfs.cc:1919
#2 0x5566d7d1436e in inline_mysql_thread_create /10.3/src/include/mysql/psi/mysql_thread.h:1275
#3 0x5566d7d2d128 in create_thread_to_handle_connection(CONNECT*) /10.3/src/sql/mysqld.cc:6668
#4 0x5566d7d2d8c3 in create_new_thread /10.3/src/sql/mysqld.cc:6738
#5 0x5566d7d2ea55 in handle_connections_sockets() /10.3/src/sql/mysqld.cc:6996
#6 0x5566d7d2c419 in mysqld_main(int, char**) /10.3/src/sql/mysqld.cc:6290
#7 0x5566d7d12b6c in main /10.3/src/sql/main.cc:25
#8 0x7fdfe9b00082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow (/10.3/sql/mysqld+0x11e85a0) in Item_equal_iterator<List_iterator_fast, Item>::get_curr_field()
Shadow bytes around the buggy address:
0x0c5a8002ec30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5a8002ec40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5a8002ec50: 00 00 00 00 f7 00 00 00 00 00 00 00 00 00 00 00
0x0c5a8002ec60: 00 00 00 00 00 f7 00 00 f7 00 00 00 00 00 00 00
0x0c5a8002ec70: 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 f7 00
=>0x0c5a8002ec80: 00 f7 f7 f7 04 fa fa fa[fa]fa fa fa fa fa fa fa
0x0c5a8002ec90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5a8002eca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5a8002ecb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5a8002ecc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5a8002ecd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2762572==ABORTING
----------SERVER LOG END-------------

Alice Sherepa added a comment - 2022-05-25 13:29 - edited reproducible on 10.3, not on 10.4+ CREATE TABLE t1 ( a text) ; INSERT INTO t1 VALUES (1),(2),(3); SELECT 1 FROM ( SELECT a FROM ( SELECT a FROM t1 GROUP BY 'x' ) dt2 )dt WHERE a IN ( SELECT 'x' ) ; 10.3 7d3d3838c1b8af98a9704 220525 15:25:55 [ERROR] mysqld got signal 11 ; Server version: 10.3.36-MariaDB-debug-log sql/signal_handler.cc:221(handle_fatal_signal)[0x55e9f92c3742] sigaction.c:0(__restore_rt)[0x7f4be28c4420] sql/item_cmpfunc.cc:6847(Item_equal::val_int())[0x55e9f93bfda2] sql/sql_select.cc:21213(end_send_group(JOIN*, st_join_table*, bool))[0x55e9f8c8d9ef] sql/sql_select.cc:19836(sub_select(JOIN*, st_join_table*, bool))[0x55e9f8c82746] sql/sql_select.cc:19425(do_select(JOIN*, Procedure*))[0x55e9f8c80f8e] sql/sql_select.cc:4151(JOIN::exec_inner())[0x55e9f8c13a6d] sql/sql_select.cc:3946(JOIN::exec())[0x55e9f8c113ea] sql/sql_select.cc:4356(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55e9f8c14ee8] sql/sql_derived.cc:1179(mysql_derived_fill(THD*, LEX*, TABLE_LIST*))[0x55e9f8a8aab8] sql/sql_derived.cc:193(mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int))[0x55e9f8a8428d] sql/sql_select.cc:12913(st_join_table::preread_init())[0x55e9f8c52eb6] sql/sql_select.cc:19853(sub_select(JOIN*, st_join_table*, bool))[0x55e9f8c8290f] sql/sql_select.cc:19423(do_select(JOIN*, Procedure*))[0x55e9f8c80e88] sql/sql_select.cc:4151(JOIN::exec_inner())[0x55e9f8c13a6d] sql/sql_select.cc:3946(JOIN::exec())[0x55e9f8c113ea] sql/sql_select.cc:4356(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55e9f8c14ee8] sql/sql_select.cc:372(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55e9f8beb449] sql/sql_parse.cc:6339(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55e9f8b5c191] sql/sql_parse.cc:3870(mysql_execute_command(THD*))[0x55e9f8b4a1cc] sql/sql_parse.cc:7870(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55e9f8b65eee] sql/sql_parse.cc:1855(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55e9f8b3cdcb] sql/sql_parse.cc:1398(do_command(THD*))[0x55e9f8b3990e] sql/sql_connect.cc:1403(do_handle_one_connection(CONNECT*))[0x55e9f8f0cef1] sql/sql_connect.cc:1309(handle_one_connection)[0x55e9f8f0c7ab] perfschema/pfs.cc:1871(pfs_spawn_thread)[0x55e9fa53c209] nptl/pthread_create.c:478(start_thread)[0x7f4be28b8609] Query (0x62b000000290): SELECT 1 FROM ( SELECT a FROM ( SELECT a FROM t1 GROUP BY 'x' ) dt2 )dt WHERE a IN (SELECT 'x') 10.3 7d3d3838c1b8af98a9704 ================================================================= ==2762572==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d0001b6440 at pc 0x5566d81915a1 bp 0x7fdfd35167c0 sp 0x7fdfd35167b0 READ of size 8 at 0x62d0001b6440 thread T27 #0 0x5566d81915a0 in Item_equal_iterator<List_iterator_fast, Item>::get_curr_field() (/10.3/sql/mysqld+0x11e85a0) #1 0x5566d8874d6b in Item_equal::val_int() /10.3/src/sql/item_cmpfunc.cc:6845 #2 0x5566d81429ee in end_send_group(JOIN*, st_join_table*, bool) /10.3/src/sql/sql_select.cc:21213 #3 0x5566d8137745 in sub_select(JOIN*, st_join_table*, bool) /10.3/src/sql/sql_select.cc:19836 #4 0x5566d8135f8d in do_select /10.3/src/sql/sql_select.cc:19425 #5 0x5566d80c8a6c in JOIN::exec_inner() /10.3/src/sql/sql_select.cc:4151 #6 0x5566d80c63e9 in JOIN::exec() /10.3/src/sql/sql_select.cc:3945 #7 0x5566d80c9ee7 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.3/src/sql/sql_select.cc:4354 #8 0x5566d7f3fab7 in mysql_derived_fill(THD*, LEX*, TABLE_LIST*) /10.3/src/sql/sql_derived.cc:1179 #9 0x5566d7f3928c in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /10.3/src/sql/sql_derived.cc:193 #10 0x5566d8107eb5 in st_join_table::preread_init() /10.3/src/sql/sql_select.cc:12914 #11 0x5566d813790e in sub_select(JOIN*, st_join_table*, bool) /10.3/src/sql/sql_select.cc:19853 #12 0x5566d8135e87 in do_select /10.3/src/sql/sql_select.cc:19423 #13 0x5566d80c8a6c in JOIN::exec_inner() /10.3/src/sql/sql_select.cc:4151 #14 0x5566d80c63e9 in JOIN::exec() /10.3/src/sql/sql_select.cc:3945 #15 0x5566d80c9ee7 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.3/src/sql/sql_select.cc:4354 #16 0x5566d80a0448 in handle_select(THD*, LEX*, select_result*, unsigned long) /10.3/src/sql/sql_select.cc:372 #17 0x5566d8011190 in execute_sqlcom_select /10.3/src/sql/sql_parse.cc:6339 #18 0x5566d7fff1cb in mysql_execute_command(THD*) /10.3/src/sql/sql_parse.cc:3870 #19 0x5566d801aeed in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.3/src/sql/sql_parse.cc:7870 #20 0x5566d7ff1dca in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.3/src/sql/sql_parse.cc:1852 #21 0x5566d7fee90d in do_command(THD*) /10.3/src/sql/sql_parse.cc:1398 #22 0x5566d83c1ef0 in do_handle_one_connection(CONNECT*) /10.3/src/sql/sql_connect.cc:1403 #23 0x5566d83c17aa in handle_one_connection /10.3/src/sql/sql_connect.cc:1308 #24 0x5566d99f1208 in pfs_spawn_thread /10.3/src/storage/perfschema/pfs.cc:1869 #25 0x7fdfe9cd8608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477 #26 0x7fdfe9bfb132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132) 0x62d0001b6440 is located 28 bytes to the right of 32804-byte region [0x62d0001ae400,0x62d0001b6424) allocated by thread T27 here: #0 0x7fdfea5b5808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144 #1 0x5566d9b3ddf7 in sf_malloc /10.3/src/mysys/safemalloc.c:118 #2 0x5566d9b0bc77 in my_malloc /10.3/src/mysys/my_malloc.c:101 #3 0x5566d9ae7ce4 in alloc_root /10.3/src/mysys/my_alloc.c:251 #4 0x5566d7d3c707 in Query_arena::alloc(unsigned long) /10.3/src/sql/sql_class.h:1033 #5 0x5566d7eeb022 in thd_alloc /10.3/src/sql/sql_class.cc:1082 #6 0x5566d7dc132b in Sql_alloc::operator new(unsigned long) /10.3/src/sql/sql_alloc.h:30 #7 0x5566d82965f1 in st_select_lex_unit::prepare_join(THD*, st_select_lex*, select_result*, unsigned long, bool) /10.3/src/sql/sql_union.cc:639 #8 0x5566d829a6a2 in st_select_lex_unit::prepare(TABLE_LIST*, select_result*, unsigned long) /10.3/src/sql/sql_union.cc:1033 #9 0x5566d7f3c907 in mysql_derived_prepare(THD*, LEX*, TABLE_LIST*) /10.3/src/sql/sql_derived.cc:793 #10 0x5566d7f3928c in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /10.3/src/sql/sql_derived.cc:193 #11 0x5566d831c602 in TABLE_LIST::handle_derived(LEX*, unsigned int) /10.3/src/sql/table.cc:8535 #12 0x5566d7f7e9e7 in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /10.3/src/sql/sql_lex.h:4041 #13 0x5566d7f9f920 in st_select_lex::handle_derived(LEX*, unsigned int) /10.3/src/sql/sql_lex.cc:4197 #14 0x5566d831c574 in TABLE_LIST::handle_derived(LEX*, unsigned int) /10.3/src/sql/table.cc:8532 #15 0x5566d7f7e9e7 in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /10.3/src/sql/sql_lex.h:4041 #16 0x5566d7f9f920 in st_select_lex::handle_derived(LEX*, unsigned int) /10.3/src/sql/sql_lex.cc:4197 #17 0x5566d80a6fa1 in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /10.3/src/sql/sql_select.cc:1066 #18 0x5566d89b33d7 in subselect_single_select_engine::prepare(THD*) /10.3/src/sql/item_subselect.cc:3808 #19 0x5566d898d202 in Item_subselect::fix_fields(THD*, Item**) /10.3/src/sql/item_subselect.cc:282 #20 0x5566d89b01ac in Item_in_subselect::fix_fields(THD*, Item**) /10.3/src/sql/item_subselect.cc:3471 #21 0x5566d7d8a75a in Item::fix_fields_if_needed(THD*, Item**) /10.3/src/sql/item.h:829 #22 0x5566d7d8a794 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) (/10.3/sql/mysqld+0xde1794) #23 0x5566d7eb0598 in Item::fix_fields_if_needed_for_bool(THD*, Item**) /10.3/src/sql/item.h:837 #24 0x5566d7ea7d6d in setup_conds(THD*, TABLE_LIST*, List<TABLE_LIST>&, Item**) /10.3/src/sql/sql_base.cc:8274 #25 0x5566d80a2343 in setup_without_group /10.3/src/sql/sql_select.cc:660 #26 0x5566d80a8393 in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /10.3/src/sql/sql_select.cc:1157 #27 0x5566d80c9ccb in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.3/src/sql/sql_select.cc:4332 #28 0x5566d80a0448 in handle_select(THD*, LEX*, select_result*, unsigned long) /10.3/src/sql/sql_select.cc:372 #29 0x5566d8011190 in execute_sqlcom_select /10.3/src/sql/sql_parse.cc:6339 Thread T27 created by T0 here: #0 0x7fdfea4e2815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208 #1 0x5566d99f15f9 in spawn_thread_v1 /10.3/src/storage/perfschema/pfs.cc:1919 #2 0x5566d7d1436e in inline_mysql_thread_create /10.3/src/include/mysql/psi/mysql_thread.h:1275 #3 0x5566d7d2d128 in create_thread_to_handle_connection(CONNECT*) /10.3/src/sql/mysqld.cc:6668 #4 0x5566d7d2d8c3 in create_new_thread /10.3/src/sql/mysqld.cc:6738 #5 0x5566d7d2ea55 in handle_connections_sockets() /10.3/src/sql/mysqld.cc:6996 #6 0x5566d7d2c419 in mysqld_main(int, char**) /10.3/src/sql/mysqld.cc:6290 #7 0x5566d7d12b6c in main /10.3/src/sql/main.cc:25 #8 0x7fdfe9b00082 in __libc_start_main ../csu/libc-start.c:308 SUMMARY: AddressSanitizer: heap-buffer-overflow (/10.3/sql/mysqld+0x11e85a0) in Item_equal_iterator<List_iterator_fast, Item>::get_curr_field() Shadow bytes around the buggy address: 0x0c5a8002ec30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c5a8002ec40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c5a8002ec50: 00 00 00 00 f7 00 00 00 00 00 00 00 00 00 00 00 0x0c5a8002ec60: 00 00 00 00 00 f7 00 00 f7 00 00 00 00 00 00 00 0x0c5a8002ec70: 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 f7 00 =>0x0c5a8002ec80: 00 f7 f7 f7 04 fa fa fa[fa]fa fa fa fa fa fa fa 0x0c5a8002ec90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c5a8002eca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c5a8002ecb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c5a8002ecc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c5a8002ecd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==2762572==ABORTING ----------SERVER LOG END-------------

Daniel Black added a comment - 2022-05-19 07:18

Confirmed on 10.3.35+c9b5a05341d7342db5f369493ea200b5fb9db243 for the CTE

Daniel Black added a comment - 2022-05-19 07:18 Confirmed on 10.3.35+c9b5a05341d7342db5f369493ea200b5fb9db243 for the CTE

MariaDB Server

Server crash in /sql/item_cmpfunc.cc:6847 in Item_equal::val_int()

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates

Git Integration