Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-29124

ASAN errors in st_select_lex::print / With_element::print with optimizer trace on 2nd execution of PS

    XMLWordPrintable

    Details

      Description

      CREATE TABLE t (a INT);
      INSERT INTO t VALUES (1),(2);
       
      SET SESSION optimizer_trace = 'enabled=on';
       
      PREPARE stmt FROM 'EXPLAIN EXTENDED WITH cte AS (SELECT CASE a WHEN 2 THEN 0 END AS f FROM t) SELECT * FROM cte';
      EXECUTE stmt;
      EXECUTE stmt;
       
      # Cleanup
      DROP TABLE t;
      

      10.7 c3ddffe2

      ==1813883==ERROR: AddressSanitizer: use-after-poison on address 0x629000097340 at pc 0x562c3c9225b8 bp 0x7fbc220054c0 sp 0x7fbc220054b8
      READ of size 8 at 0x629000097340 thread T5
          #0 0x562c3c9225b7 in st_select_lex::print(THD*, String*, enum_query_type) /data/src/10.7/sql/sql_select.cc:28482
          #1 0x562c3c71aade in st_select_lex_unit::print(String*, enum_query_type) /data/src/10.7/sql/sql_lex.cc:3729
          #2 0x562c3cd644e5 in With_element::print(THD*, String*, enum_query_type) /data/src/10.7/sql/sql_cte.cc:1701
          #3 0x562c3cd64b18 in With_clause::print(THD*, String*, enum_query_type) /data/src/10.7/sql/sql_cte.cc:1657
          #4 0x562c3c71aa3c in st_select_lex_unit::print(String*, enum_query_type) /data/src/10.7/sql/sql_lex.cc:3704
          #5 0x562c3c78c7d2 in execute_sqlcom_select /data/src/10.7/sql/sql_parse.cc:6218
          #6 0x562c3c7b444a in mysql_execute_command(THD*, bool) /data/src/10.7/sql/sql_parse.cc:3943
          #7 0x562c3c825ad9 in Prepared_statement::execute(String*, bool) /data/src/10.7/sql/sql_prepare.cc:5221
          #8 0x562c3c82634e in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.7/sql/sql_prepare.cc:4644
          #9 0x562c3c827071 in mysql_sql_stmt_execute(THD*) /data/src/10.7/sql/sql_prepare.cc:3688
          #10 0x562c3c7b1475 in mysql_execute_command(THD*, bool) /data/src/10.7/sql/sql_parse.cc:3959
          #11 0x562c3c7b925a in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.7/sql/sql_parse.cc:8027
          #12 0x562c3c7be8c4 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/10.7/sql/sql_parse.cc:1894
          #13 0x562c3c7c42c5 in do_command(THD*, bool) /data/src/10.7/sql/sql_parse.cc:1407
          #14 0x562c3cb7b0cd in do_handle_one_connection(CONNECT*, bool) /data/src/10.7/sql/sql_connect.cc:1418
          #15 0x562c3cb7b60c in handle_one_connection /data/src/10.7/sql/sql_connect.cc:1312
          #16 0x562c3d64ad4b in pfs_spawn_thread /data/src/10.7/storage/perfschema/pfs.cc:2201
          #17 0x7fbc2b39dea6 in start_thread nptl/pthread_create.c:477
          #18 0x7fbc2af9cdee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfddee)
       
      0x629000097340 is located 4416 bytes inside of 16400-byte region [0x629000096200,0x62900009a210)
      allocated by thread T5 here:
          #0 0x7fbc2b8a3e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
          #1 0x562c3df3f238 in my_malloc /data/src/10.7/mysys/my_malloc.c:90
          #2 0x562c3df2bdeb in reset_root_defaults /data/src/10.7/mysys/my_alloc.c:243
          #3 0x562c3c66e673 in THD::init_for_queries() /data/src/10.7/sql/sql_class.cc:1387
          #4 0x562c3cb79092 in prepare_new_connection_state(THD*) /data/src/10.7/sql/sql_connect.cc:1240
          #5 0x562c3cb79947 in thd_prepare_connection(THD*) /data/src/10.7/sql/sql_connect.cc:1333
          #6 0x562c3cb79947 in thd_prepare_connection(THD*) /data/src/10.7/sql/sql_connect.cc:1322
          #7 0x562c3cb7b079 in do_handle_one_connection(CONNECT*, bool) /data/src/10.7/sql/sql_connect.cc:1408
          #8 0x562c3cb7b60c in handle_one_connection /data/src/10.7/sql/sql_connect.cc:1312
          #9 0x562c3d64ad4b in pfs_spawn_thread /data/src/10.7/storage/perfschema/pfs.cc:2201
          #10 0x7fbc2b39dea6 in start_thread nptl/pthread_create.c:477
       
      Thread T5 created by T0 here:
          #0 0x7fbc2b84f2a2 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:214
          #1 0x562c3d64afc9 in my_thread_create /data/src/10.7/storage/perfschema/my_thread.h:52
          #2 0x562c3d64afc9 in pfs_spawn_thread_v1 /data/src/10.7/storage/perfschema/pfs.cc:2252
          #3 0x562c3c48a47d in inline_mysql_thread_create /data/src/10.7/include/mysql/psi/mysql_thread.h:1139
          #4 0x562c3c48a47d in create_thread_to_handle_connection(CONNECT*) /data/src/10.7/sql/mysqld.cc:6008
          #5 0x562c3c496227 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.7/sql/mysqld.cc:6129
          #6 0x562c3c496d9f in handle_connections_sockets() /data/src/10.7/sql/mysqld.cc:6253
          #7 0x562c3c4986b0 in mysqld_main(int, char**) /data/src/10.7/sql/mysqld.cc:5903
          #8 0x7fbc2aec5d09 in __libc_start_main ../csu/libc-start.c:308
       
      SUMMARY: AddressSanitizer: use-after-poison /data/src/10.7/sql/sql_select.cc:28482 in st_select_lex::print(THD*, String*, enum_query_type)
      Shadow bytes around the buggy address:
        0x0c528000ae10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c528000ae20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c528000ae30: 00 00 00 00 00 f7 00 00 f7 00 00 00 00 f7 00 f7
        0x0c528000ae40: 00 00 f7 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c528000ae50: 00 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00
      =>0x0c528000ae60: 00 00 00 00 00 00 00 00[f7]00 00 00 00 00 00 00
        0x0c528000ae70: 00 00 00 00 00 00 00 00 00 f7 00 00 00 00 00 00
        0x0c528000ae80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c528000ae90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c528000aea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c528000aeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==1813883==ABORTING
      

      The failure started happening on 10.7 after this commit:

      commit 401ff6994d842a4072b7b155e5a958e178e6497a
      Author: Eric Herman
      Date:   Fri Sep 3 06:38:54 2021 +0200
       
          MDEV-26221: DYNAMIC_ARRAY use size_t for sizes
      

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              psergei Sergei Petrunia
              Reporter:
              elenst Elena Stepanova
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:

                  Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.