MariaDB Server
MDEV-29124

ASAN errors in st_select_lex::print / With_element::print with optimizer trace on 2nd execution of PS

    Description

      CREATE TABLE t (a INT);
      INSERT INTO t VALUES (1),(2);
       
      SET SESSION optimizer_trace = 'enabled=on';
       
      PREPARE stmt FROM 'EXPLAIN EXTENDED WITH cte AS (SELECT CASE a WHEN 2 THEN 0 END AS f FROM t) SELECT * FROM cte';
      EXECUTE stmt;
      EXECUTE stmt;
       
      # Cleanup
      DROP TABLE t;
      

      10.7 c3ddffe2

      ==1813883==ERROR: AddressSanitizer: use-after-poison on address 0x629000097340 at pc 0x562c3c9225b8 bp 0x7fbc220054c0 sp 0x7fbc220054b8
      READ of size 8 at 0x629000097340 thread T5
          #0 0x562c3c9225b7 in st_select_lex::print(THD*, String*, enum_query_type) /data/src/10.7/sql/sql_select.cc:28482
          #1 0x562c3c71aade in st_select_lex_unit::print(String*, enum_query_type) /data/src/10.7/sql/sql_lex.cc:3729
          #2 0x562c3cd644e5 in With_element::print(THD*, String*, enum_query_type) /data/src/10.7/sql/sql_cte.cc:1701
          #3 0x562c3cd64b18 in With_clause::print(THD*, String*, enum_query_type) /data/src/10.7/sql/sql_cte.cc:1657
          #4 0x562c3c71aa3c in st_select_lex_unit::print(String*, enum_query_type) /data/src/10.7/sql/sql_lex.cc:3704
          #5 0x562c3c78c7d2 in execute_sqlcom_select /data/src/10.7/sql/sql_parse.cc:6218
          #6 0x562c3c7b444a in mysql_execute_command(THD*, bool) /data/src/10.7/sql/sql_parse.cc:3943
          #7 0x562c3c825ad9 in Prepared_statement::execute(String*, bool) /data/src/10.7/sql/sql_prepare.cc:5221
          #8 0x562c3c82634e in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.7/sql/sql_prepare.cc:4644
          #9 0x562c3c827071 in mysql_sql_stmt_execute(THD*) /data/src/10.7/sql/sql_prepare.cc:3688
          #10 0x562c3c7b1475 in mysql_execute_command(THD*, bool) /data/src/10.7/sql/sql_parse.cc:3959
          #11 0x562c3c7b925a in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.7/sql/sql_parse.cc:8027
          #12 0x562c3c7be8c4 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/10.7/sql/sql_parse.cc:1894
          #13 0x562c3c7c42c5 in do_command(THD*, bool) /data/src/10.7/sql/sql_parse.cc:1407
          #14 0x562c3cb7b0cd in do_handle_one_connection(CONNECT*, bool) /data/src/10.7/sql/sql_connect.cc:1418
          #15 0x562c3cb7b60c in handle_one_connection /data/src/10.7/sql/sql_connect.cc:1312
          #16 0x562c3d64ad4b in pfs_spawn_thread /data/src/10.7/storage/perfschema/pfs.cc:2201
          #17 0x7fbc2b39dea6 in start_thread nptl/pthread_create.c:477
          #18 0x7fbc2af9cdee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfddee)
       
      0x629000097340 is located 4416 bytes inside of 16400-byte region [0x629000096200,0x62900009a210)
      allocated by thread T5 here:
          #0 0x7fbc2b8a3e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
          #1 0x562c3df3f238 in my_malloc /data/src/10.7/mysys/my_malloc.c:90
          #2 0x562c3df2bdeb in reset_root_defaults /data/src/10.7/mysys/my_alloc.c:243
          #3 0x562c3c66e673 in THD::init_for_queries() /data/src/10.7/sql/sql_class.cc:1387
          #4 0x562c3cb79092 in prepare_new_connection_state(THD*) /data/src/10.7/sql/sql_connect.cc:1240
          #5 0x562c3cb79947 in thd_prepare_connection(THD*) /data/src/10.7/sql/sql_connect.cc:1333
          #6 0x562c3cb79947 in thd_prepare_connection(THD*) /data/src/10.7/sql/sql_connect.cc:1322
          #7 0x562c3cb7b079 in do_handle_one_connection(CONNECT*, bool) /data/src/10.7/sql/sql_connect.cc:1408
          #8 0x562c3cb7b60c in handle_one_connection /data/src/10.7/sql/sql_connect.cc:1312
          #9 0x562c3d64ad4b in pfs_spawn_thread /data/src/10.7/storage/perfschema/pfs.cc:2201
          #10 0x7fbc2b39dea6 in start_thread nptl/pthread_create.c:477
       
      Thread T5 created by T0 here:
          #0 0x7fbc2b84f2a2 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:214
          #1 0x562c3d64afc9 in my_thread_create /data/src/10.7/storage/perfschema/my_thread.h:52
          #2 0x562c3d64afc9 in pfs_spawn_thread_v1 /data/src/10.7/storage/perfschema/pfs.cc:2252
          #3 0x562c3c48a47d in inline_mysql_thread_create /data/src/10.7/include/mysql/psi/mysql_thread.h:1139
          #4 0x562c3c48a47d in create_thread_to_handle_connection(CONNECT*) /data/src/10.7/sql/mysqld.cc:6008
          #5 0x562c3c496227 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.7/sql/mysqld.cc:6129
          #6 0x562c3c496d9f in handle_connections_sockets() /data/src/10.7/sql/mysqld.cc:6253
          #7 0x562c3c4986b0 in mysqld_main(int, char**) /data/src/10.7/sql/mysqld.cc:5903
          #8 0x7fbc2aec5d09 in __libc_start_main ../csu/libc-start.c:308
       
      SUMMARY: AddressSanitizer: use-after-poison /data/src/10.7/sql/sql_select.cc:28482 in st_select_lex::print(THD*, String*, enum_query_type)
      Shadow bytes around the buggy address:
        0x0c528000ae10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c528000ae20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c528000ae30: 00 00 00 00 00 f7 00 00 f7 00 00 00 00 f7 00 f7
        0x0c528000ae40: 00 00 f7 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c528000ae50: 00 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00
      =>0x0c528000ae60: 00 00 00 00 00 00 00 00[f7]00 00 00 00 00 00 00
        0x0c528000ae70: 00 00 00 00 00 00 00 00 00 f7 00 00 00 00 00 00
        0x0c528000ae80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c528000ae90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c528000aea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c528000aeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==1813883==ABORTING
      

      The failure started happening on 10.7 after this commit:

      commit 401ff6994d842a4072b7b155e5a958e178e6497a
      Author: Eric Herman
      Date:   Fri Sep 3 06:38:54 2021 +0200
       
          MDEV-26221: DYNAMIC_ARRAY use size_t for sizes
      

          Activity

            The test case in the description fails on 10.7+ and does not fail on 10.3-10.6.
            Below is a counterpart of it, which fails on 10.3-10.6 and doesn't fail on 10.7+.
            It is the same test case, but it uses QUERY_PREALLOC_SIZE (and doesn't need optimizer trace). I didn't check whether it's scalable in regard to QUERY_PREALLOC_SIZE or whether it is limited to extremely low values – anyway, the scenario in the description, the one about 10.7+, is in no way a corner case, so whether this one is or not doesn't matter much.

            SET QUERY_PREALLOC_SIZE= 1024;
             
            CREATE TABLE t (a INT);
            INSERT INTO t VALUES (1),(2);
             
            PREPARE stmt FROM 'EXPLAIN EXTENDED WITH cte AS (SELECT CASE a WHEN 2 THEN 0 END AS f FROM t) SELECT * FROM cte';
            EXECUTE stmt;
            EXECUTE stmt;
             
            # Cleanup
            DROP TABLE t;
            

            10.3 25219920

            ==1730727==ERROR: AddressSanitizer: heap-use-after-free on address 0x6290000e7168 at pc 0x55ab82fd4402 bp 0x7f12ed116250 sp 0x7f12ed116248
            READ of size 1 at 0x6290000e7168 thread T5
                #0 0x55ab82fd4401 in st_select_lex::print(THD*, String*, enum_query_type) /data/src/10.3/sql/sql_select.cc:26891
                #1 0x55ab82e2c396 in st_select_lex_unit::print(String*, enum_query_type) /data/src/10.3/sql/sql_lex.cc:2978
                #2 0x55ab8333e28a in With_element::print(String*, enum_query_type) /data/src/10.3/sql/sql_cte.cc:1646
                #3 0x55ab8333eda5 in With_clause::print(String*, enum_query_type) /data/src/10.3/sql/sql_cte.cc:1608
                #4 0x55ab82e2c2dd in st_select_lex_unit::print(String*, enum_query_type) /data/src/10.3/sql/sql_lex.cc:2951
                #5 0x55ab82e89259 in execute_sqlcom_select /data/src/10.3/sql/sql_parse.cc:6306
                #6 0x55ab82ead688 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3871
                #7 0x55ab82ef3fc8 in Prepared_statement::execute(String*, bool) /data/src/10.3/sql/sql_prepare.cc:5027
                #8 0x55ab82ef46a4 in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.3/sql/sql_prepare.cc:4455
                #9 0x55ab82ef57c0 in mysql_sql_stmt_execute(THD*) /data/src/10.3/sql/sql_prepare.cc:3545
                #10 0x55ab82ea6e46 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3887
                #11 0x55ab82eb5b37 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7871
                #12 0x55ab82eba679 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852
                #13 0x55ab82ec041d in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398
                #14 0x55ab831de506 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
                #15 0x55ab831ded6a in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
                #16 0x55ab844257a4 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
                #17 0x7f12f7b3aea6 in start_thread nptl/pthread_create.c:477
                #18 0x7f12f7a6adee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfddee)
             
            0x6290000e7168 is located 3944 bytes inside of 16352-byte region [0x6290000e6200,0x6290000ea1e0)
            freed by thread T5 here:
                #0 0x7f12f83dcb6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123
                #1 0x55ab844e382d in free_root /data/src/10.3/mysys/my_alloc.c:430
                #2 0x55ab82eb9fc7 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:2449
                #3 0x55ab82ec041d in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398
                #4 0x55ab831de506 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
                #5 0x55ab831ded6a in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
                #6 0x55ab844257a4 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
                #7 0x7f12f7b3aea6 in start_thread nptl/pthread_create.c:477
             
            previously allocated by thread T5 here:
                #0 0x7f12f83dce8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
                #1 0x55ab844f6b12 in my_malloc /data/src/10.3/mysys/my_malloc.c:101
                #2 0x55ab844e304b in alloc_root /data/src/10.3/mysys/my_alloc.c:251
                #3 0x55ab82c7f657 in Item::operator new(unsigned long, st_mem_root*) /data/src/10.3/sql/item.h:649
                #4 0x55ab82da4bb6 in THD::make_explain_field_list(List<Item>&, unsigned char, bool) /data/src/10.3/sql/sql_class.cc:2704
                #5 0x55ab82da5be0 in THD::prepare_explain_fields(select_result*, List<Item>*, unsigned char, bool) /data/src/10.3/sql/sql_class.cc:2654
                #6 0x55ab82da5cfa in THD::send_explain_fields(select_result*, unsigned char, bool) /data/src/10.3/sql/sql_class.cc:2666
                #7 0x55ab82e88be1 in execute_sqlcom_select /data/src/10.3/sql/sql_parse.cc:6273
                #8 0x55ab82ead688 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3871
                #9 0x55ab82ef3fc8 in Prepared_statement::execute(String*, bool) /data/src/10.3/sql/sql_prepare.cc:5027
                #10 0x55ab82ef46a4 in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.3/sql/sql_prepare.cc:4455
                #11 0x55ab82ef57c0 in mysql_sql_stmt_execute(THD*) /data/src/10.3/sql/sql_prepare.cc:3545
                #12 0x55ab82ea6e46 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3887
                #13 0x55ab82eb5b37 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7871
                #14 0x55ab82eba679 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852
                #15 0x55ab82ec041d in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398
                #16 0x55ab831de506 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
                #17 0x55ab831ded6a in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
                #18 0x55ab844257a4 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
                #19 0x7f12f7b3aea6 in start_thread nptl/pthread_create.c:477
             
            Thread T5 created by T0 here:
                #0 0x7f12f83882a2 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:214
                #1 0x55ab84429dfa in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1919
                #2 0x55ab82c4cf1b in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1275
                #3 0x55ab82c4cf1b in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6668
                #4 0x55ab82c5d22d in create_new_thread /data/src/10.3/sql/mysqld.cc:6738
                #5 0x55ab82c5d22d in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6996
                #6 0x55ab82c5f1d5 in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6290
                #7 0x7f12f7993d09 in __libc_start_main ../csu/libc-start.c:308
             
            SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.3/sql/sql_select.cc:26891 in st_select_lex::print(THD*, String*, enum_query_type)
            Shadow bytes around the buggy address:
              0x0c5280014dd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c5280014de0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c5280014df0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c5280014e00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c5280014e10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
            =>0x0c5280014e20: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
              0x0c5280014e30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c5280014e40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c5280014e50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c5280014e60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c5280014e70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable:           00
              Partially addressable: 01 02 03 04 05 06 07 
              Heap left redzone:       fa
              Freed heap region:       fd
              Stack left redzone:      f1
              Stack mid redzone:       f2
              Stack right redzone:     f3
              Stack after return:      f5
              Stack use after scope:   f8
              Global redzone:          f9
              Global init order:       f6
              Poisoned by user:        f7
              Container overflow:      fc
              Array cookie:            ac
              Intra object redzone:    bb
              ASan internal:           fe
              Left alloca redzone:     ca
              Right alloca redzone:    cb
              Shadow gap:              cc
            ==1730727==ABORTING
            

            elenst Elena Stepanova added a comment
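Read together, the 10.7 and 10.3 reports above are the same stale reference landing in different memory: in 10.7 the read hits the pre-allocated block that reset_root_defaults created and free_root kept but poisoned (shadow byte f7), while with QUERY_PREALLOC_SIZE=1024 the Item from make_explain_field_list lives in a block that free_root actually frees (shadow byte fd). The C program below is an added model of that pattern, written for this page and not MariaDB code: arena_t, checked_read and the 0x8F fill byte are simplified stand-ins for MEM_ROOT, ASan's shadow check and the debug-build trash pattern, and the 16400 and 1024 sizes are borrowed from the traces above.

```c
/* Model of the MDEV-29124 pattern, added for this page (not MariaDB code): a
 * prepared statement keeps a pointer into the per-execution memory root and
 * uses it on the 2nd EXECUTE after that root was reset. arena_t stands in for
 * MEM_ROOT: its pre-allocated block survives a reset but is trash-filled and
 * poisoned (debug build); an overflow block is freed. The bookkeeping plays
 * ASan's shadow bytes: f7 "poisoned by user" (10.7) vs fd "freed" (10.3). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __SANITIZE_ADDRESS__   /* real poisoning when built with -fsanitize=address */
#include <sanitizer/asan_interface.h>
#else
#define ASAN_POISON_MEMORY_REGION(p, n)   ((void)(p), (void)(n))
#define ASAN_UNPOISON_MEMORY_REGION(p, n) ((void)(p), (void)(n))
#endif
#define TRASH_FREE_BYTE 0x8F  /* assumption: fill byte debug builds write on free */
enum { READ_POISONED = -1, READ_FREED = -2 };
typedef struct {
    unsigned char *pre;            /* pre-allocated block, kept across resets */
    size_t pre_size, pre_used;     /* bump allocator: [0, pre_used) is live */
    bool pre_was_reset;            /* after a reset, bytes >= pre_used are poisoned */
    unsigned char *extra;          /* overflow block, freed on reset */
    size_t extra_size;
    uintptr_t freed_lo, freed_hi;  /* address range of the last freed overflow block */
} arena_t;

/* Bump-allocate from the pre-allocated block, spill to a fresh block otherwise. */
static unsigned char *arena_alloc(arena_t *a, size_t n)
{
    if (a->pre_used + n <= a->pre_size) {
        unsigned char *p = a->pre + a->pre_used;
        a->pre_used += n;
        ASAN_UNPOISON_MEMORY_REGION(p, n);
        return p;
    }
    a->extra = malloc(n);
    a->extra_size = n;
    a->freed_lo = a->freed_hi = 0;   /* that address range may be live again */
    return a->extra;
}

/* End of statement: free the overflow block; keep the pre-allocated one but
 * trash-fill and poison it, as free_root(MY_KEEP_PREALLOC) does in debug. */
static void arena_reset(arena_t *a)
{
    if (a->extra) {
        a->freed_lo = (uintptr_t)a->extra;
        a->freed_hi = a->freed_lo + a->extra_size;
        free(a->extra);
        a->extra = NULL;
    }
    ASAN_UNPOISON_MEMORY_REGION(a->pre, a->pre_size);
    memset(a->pre, TRASH_FREE_BYTE, a->pre_size);
    ASAN_POISON_MEMORY_REGION(a->pre, a->pre_size);
    a->pre_used = 0;
    a->pre_was_reset = true;
}

/* Read one byte through p, consulting the bookkeeping first the way ASan
 * consults shadow memory, so the check itself never touches bad memory. */
static int checked_read(const arena_t *a, const unsigned char *p)
{
    uintptr_t u = (uintptr_t)p;
    if (u >= a->freed_lo && u < a->freed_hi)
        return READ_FREED;
    if (p >= a->pre && p < a->pre + a->pre_size && a->pre_was_reset &&
        (size_t)(p - a->pre) >= a->pre_used)
        return READ_POISONED;
    return *p;
}

/* PREPARE once, EXECUTE twice with a root reset in between. Buggy: the Item built
 * by the first execution is reused; fixed: it is rebuilt in the new root.
 * Returns what the 2nd execution reads: 'B' (66), READ_POISONED or READ_FREED. */
static int execute_twice(size_t prealloc, size_t item_size, bool buggy)
{
    arena_t root = {0};
    unsigned char *item;
    root.pre = malloc(prealloc);
    root.pre_size = prealloc;
    item = arena_alloc(&root, item_size);     /* EXECUTE stmt; builds the Item */
    memset(item, 'B', item_size);             /* constructed payload byte */
    arena_reset(&root);                       /* statement done: root reset */
    if (!buggy) {
        item = arena_alloc(&root, item_size); /* EXECUTE stmt; rebuilds the Item */
        memset(item, 'B', item_size);
    }
    int r = checked_read(&root, item);        /* ... and prints it */
    ASAN_UNPOISON_MEMORY_REGION(root.pre, root.pre_size);
    free(root.pre);
    free(root.extra);
    return r;
}

int main(void)
{
    printf("buggy, kept block : %d (use-after-poison)\n", execute_twice(16400, 64, true));
    printf("buggy, freed block: %d (heap-use-after-free)\n", execute_twice(1024, 4000, true));
    printf("fixed: %d %d\n", execute_twice(16400, 64, false), execute_twice(1024, 4000, false));
}
```

Built with -fsanitize=address the macros become real, so dropping the bookkeeping check and dereferencing the cached pointer directly reproduces the two report kinds shown above.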
            alice Alice Sherepa added a comment (edited)

            The test case below fails with SEGV on 11.2,11.4,11.6.

            --source include/have_innodb.inc
             
            CREATE TABLE t1 (a int, b int) engine=innodb;
            CREATE TABLE t2 ( c int);
             
            SET SESSION optimizer_trace = 'enabled=on';
             
            PREPARE stmt FROM 'UPDATE (t1 LEFT JOIN t2  on t2.c <= 5)
            SET t1.b = 2 where t1.a NOT in (WITH cte AS (SELECT t21.c from (t2 t21  JOIN t2 t22 on t22.c = 7 )) SELECT * FROM cte)';
             
            EXECUTE stmt;
            EXECUTE stmt;
             
            # Cleanup
            DROP TABLE t1,t2;
            

            Version: '11.5.0-MariaDB-debug-log' 
            240927 12:27:37 [ERROR] mysqld got signal 11 ;
             
            Server version: 11.5.0-MariaDB-debug-log source revision: 08bd74e8860f473896b49ad7b42f4343de8dfc82
             
            mysys/stacktrace.c:215(my_print_stacktrace)[0x564302c3e4bf]
            sql/signal_handler.cc:238(handle_fatal_signal)[0x56430182b632]
            sigaction.c:0(__restore_rt)[0x7fbfd4077420]
            sql/sql_select.cc:31418(st_select_lex::print(THD*, String*, enum_query_type))[0x5643010904ae]
            sql/sql_lex.cc:3779(st_select_lex_unit::print(String*, enum_query_type))[0x564300e2b455]
            sql/sql_cte.cc:1697(With_element::print(THD*, String*, enum_query_type))[0x564301635261]
            sql/sql_cte.cc:1648(With_clause::print(THD*, String*, enum_query_type))[0x564301634e74]
            sql/item_subselect.cc:4683(subselect_single_select_engine::print(String*, enum_query_type))[0x564301af3c60]
            sql/item_subselect.cc:1082(Item_subselect::print(String*, enum_query_type))[0x564301acd4f5]
            sql/item_subselect.cc:3544(Item_in_subselect::print(String*, enum_query_type))[0x564301ae96a8]
            sql/item_func.cc:638(Item_func::print_args(String*, unsigned int, enum_query_type) const)[0x56430198deac]
            sql/item_func.h:245(Item_func::print_args_parenthesized(String*, enum_query_type) const)[0x5643015a0dce]
            sql/item_func.cc:632(Item_func::print(String*, enum_query_type))[0x56430198dcb8]
            sql/item_cmpfunc.cc:1339(Item_in_optimizer::print(String*, enum_query_type))[0x56430190b8ee]
            sql/item.cc:499(Item::print_parenthesised(String*, enum_query_type, precedence))[0x56430188a509]
            sql/item_cmpfunc.cc:212(Item_func_not::print(String*, enum_query_type))[0x5643018fe00b]
            sql/opt_trace.cc:747(Json_writer::add_str(Item*))[0x564301663fc3]
            sql/my_json_writer.h:336(Json_value_helper::add_str(Item*))[0x564300ba2d21]
            sql/my_json_writer.h:548(Json_writer_object::add(char const*, Item*))[0x564300ba2e6d]
            sql/opt_trace.cc:620(trace_condition(THD*, char const*, char const*, Item*, char const*))[0x564301662ae1]
            sql/sql_select.cc:2820(JOIN::optimize_stage2())[0x564300fb88fe]
            sql/sql_select.cc:2683(JOIN::optimize_inner())[0x564300fb701f]
            sql/sql_select.cc:1966(JOIN::optimize())[0x564300fafb6a]
            sql/sql_select.cc:33637(Sql_cmd_dml::execute_inner(THD*))[0x56430109e303]
            sql/sql_update.cc:3081(Sql_cmd_update::execute_inner(THD*))[0x5643012656df]
            sql/sql_select.cc:33586(Sql_cmd_dml::execute(THD*))[0x56430109dfbd]
            sql/sql_parse.cc:4392(mysql_execute_command(THD*, bool))[0x564300eb2e93]
            sql/sql_prepare.cc:5076(Prepared_statement::execute(String*, bool))[0x564300f61343]
            sql/sql_prepare.cc:4461(Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*))[0x564300f5c504]
            sql/sql_prepare.cc:3481(mysql_sql_stmt_execute(THD*))[0x564300f556e6]
            sql/sql_parse.cc:3960(mysql_execute_command(THD*, bool))[0x564300eb05c5]
            sql/sql_parse.cc:7815(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x564300ecb29b]
            sql/sql_parse.cc:1895(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x564300ea26b1]
            sql/sql_parse.cc:1406(do_command(THD*, bool))[0x564300e9f3de]
            sql/sql_connect.cc:1437(do_handle_one_connection(CONNECT*, bool))[0x56430138c02e]
            sql/sql_connect.cc:1341(handle_one_connection)[0x56430138b98b]
            perfschema/pfs.cc:2203(pfs_spawn_thread)[0x564302013688]
             
            Query (0x629000109340): UPDATE (t1 LEFT JOIN t2  on t2.c <= 5)
            SET t1.b = 2 where t1.a NOT in (WITH cte AS (SELECT t21.c from (t2 t21  JOIN t2 t22 on t22.c = 7 )) SELECT * FROM cte)
            

            If I simplify the test, then AddressSanitizer reports global-buffer-overflow:

            --source include/have_innodb.inc
             
            CREATE TABLE t1 (a int, b int) engine=innodb;
            CREATE TABLE t2 ( c int);
             
            SET SESSION optimizer_trace = 'enabled=on';
             
            PREPARE stmt FROM 'UPDATE (t1 LEFT JOIN t2  on t2.c <= 5)
            SET t1.b = 2 where t1.a NOT in (WITH cte AS (SELECT t21.c from (t2 t21  )) SELECT * FROM cte)';
             
            EXECUTE stmt;
            EXECUTE stmt;
             
            # Cleanup
            DROP TABLE t1,t2;
            

            ==626241==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5600ce19b780 at pc 0x5600c9d3be1f bp 0x7fdcf2783990 sp 0x7fdcf2783980
            READ of size 8 at 0x5600ce19b780 thread T10
                #0 0x5600c9d3be1e in st_select_lex::print(THD*, String*, enum_query_type) 11.2/src/sql/sql_select.cc:32028
                #1 0x5600c9ad68de in st_select_lex_unit::print(String*, enum_query_type) 11.2/src/sql/sql_lex.cc:3779
                #2 0x5600ca2d4592 in With_element::print(THD*, String*, enum_query_type) 11.2/src/sql/sql_cte.cc:1696
                #3 0x5600ca2d41a5 in With_clause::print(THD*, String*, enum_query_type) 11.2/src/sql/sql_cte.cc:1652
                #4 0x5600ca7a13a1 in subselect_single_select_engine::print(String*, enum_query_type) 11.2/src/sql/item_subselect.cc:4711
                #5 0x5600ca77a7e6 in Item_subselect::print(String*, enum_query_type) 11.2/src/sql/item_subselect.cc:1086
                #6 0x5600ca796a45 in Item_in_subselect::print(String*, enum_query_type) 11.2/src/sql/item_subselect.cc:3550
                #7 0x5600ca6277a5 in Item_func::print_args(String*, unsigned int, enum_query_type) const 11.2/src/sql/item_func.cc:645
                #8 0x5600ca24057f in Item_func::print_args_parenthesized(String*, enum_query_type) const 11.2/src/sql/item_func.h:242
                #9 0x5600ca6275b1 in Item_func::print(String*, enum_query_type) 11.2/src/sql/item_func.cc:634
                #10 0x5600ca5a48b3 in Item_in_optimizer::print(String*, enum_query_type) 11.2/src/sql/item_cmpfunc.cc:1297
                #11 0x5600ca522240 in Item::print_parenthesised(String*, enum_query_type, precedence) 11.2/src/sql/item.cc:502
                #12 0x5600ca597514 in Item_func_not::print(String*, enum_query_type) 11.2/src/sql/item_cmpfunc.cc:211
                #13 0x5600c9d3bab3 in st_select_lex::print(THD*, String*, enum_query_type) 11.2/src/sql/sql_select.cc:31996
                #14 0x5600ca2fab77 in opt_trace_print_expanded_query(THD*, st_select_lex*, Json_writer_object*) 11.2/src/sql/opt_trace.cc:119
                #15 0x5600c9c5606f in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) 11.2/src/sql/sql_select.cc:1863
                #16 0x5600c9f0ba5f in Sql_cmd_update::prepare_inner(THD*) 11.2/src/sql/sql_update.cc:3036
                #17 0x5600c9d495da in Sql_cmd_dml::prepare(THD*) 11.2/src/sql/sql_select.cc:34150
                #18 0x5600c9d49899 in Sql_cmd_dml::execute(THD*) 11.2/src/sql/sql_select.cc:34203
                #19 0x5600c9b5d05e in mysql_execute_command(THD*, bool) 11.2/src/sql/sql_parse.cc:4433
                #20 0x5600c9c0a9ba in Prepared_statement::execute(String*, bool) 11.2/src/sql/sql_prepare.cc:5077
                #21 0x5600c9c053ea in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) 11.2/src/sql/sql_prepare.cc:4461
                #22 0x5600c9bfe473 in mysql_sql_stmt_execute(THD*) 11.2/src/sql/sql_prepare.cc:3480
                #23 0x5600c9b5a790 in mysql_execute_command(THD*, bool) 11.2/src/sql/sql_parse.cc:4000
                #24 0x5600c9b74db3 in mysql_parse(THD*, char*, unsigned int, Parser_state*) 11.2/src/sql/sql_parse.cc:7938
                #25 0x5600c9b4c911 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) 11.2/src/sql/sql_parse.cc:1894
                #26 0x5600c9b4965b in do_command(THD*, bool) 11.2/src/sql/sql_parse.cc:1407
                #27 0x5600ca034484 in do_handle_one_connection(CONNECT*, bool) 11.2/src/sql/sql_connect.cc:1439
                #28 0x5600ca033de1 in handle_one_connection 11.2/src/sql/sql_connect.cc:1341
                #29 0x5600cacc2cc9 in pfs_spawn_thread 11.2/src/storage/perfschema/pfs.cc:2201
                #30 0x7fdd02cdd608 in start_thread /build/glibc-LcI20x/glibc-2.31/nptl/pthread_create.c:477
                #31 0x7fdd028ae352 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f352)
             
            0x5600ce19b780 is located 28 bytes to the right of global variable 'TIME_INVALID_DATES' defined in '11.2/src/sql/sql_basic_types.h:320:3' (0x5600ce19b760) of size 4
            0x5600ce19b780 is located 32 bytes to the left of global variable 'TIME_NO_ZEROS' defined in '11.2/src/sql/sql_basic_types.h:324:3' (0x5600ce19b7a0) of size 4
            

            The weird thing: the test from the description fails on 11.2, but does not reproduce the problem on 10.5, 10.6, 10.11, 11.4, 11.6

            MariaDB 11.2.6-MariaDB-debug-log source revision f1b4d36cc39981a2abd211993fcb5cce003e6940 
            AddressSanitizer:DEADLYSIGNAL
            =================================================================
            ==645913==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x55d966d23df6 bp 0x7eff29659580 sp 0x7eff296593f0 T5)
            ==645913==The signal is caused by a READ memory access.
            ==645913==Hint: address points to the zero page.
                #0 0x55d966d23df5 in st_select_lex::print(THD*, String*, enum_query_type) /11.2/src/sql/sql_select.cc:32028
                #1 0x55d966abe8de in st_select_lex_unit::print(String*, enum_query_type) /11.2/src/sql/sql_lex.cc:3779
                #2 0x55d9672bc592 in With_element::print(THD*, String*, enum_query_type) /11.2/src/sql/sql_cte.cc:1696
                #3 0x55d9672bc1a5 in With_clause::print(THD*, String*, enum_query_type) /11.2/src/sql/sql_cte.cc:1652
                #4 0x55d966abe68e in st_select_lex_unit::print(String*, enum_query_type) /11.2/src/sql/sql_lex.cc:3754
                #5 0x55d966b51b2c in execute_sqlcom_select /11.2/src/sql/sql_parse.cc:6143
                #6 0x55d966b4274b in mysql_execute_command(THD*, bool) /11.2/src/sql/sql_parse.cc:3984
                #7 0x55d966bf29ba in Prepared_statement::execute(String*, bool) /11.2/src/sql/sql_prepare.cc:5077
                #8 0x55d966bed3ea in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /11.2/src/sql/sql_prepare.cc:4461
                #9 0x55d966be6473 in mysql_sql_stmt_execute(THD*) /11.2/src/sql/sql_prepare.cc:3480
                #10 0x55d966b42790 in mysql_execute_command(THD*, bool) /11.2/src/sql/sql_parse.cc:4000
                #11 0x55d966b5cdb3 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /11.2/src/sql/sql_parse.cc:7938
                #12 0x55d966b34911 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /11.2/src/sql/sql_parse.cc:1894
                #13 0x55d966b3165b in do_command(THD*, bool) /11.2/src/sql/sql_parse.cc:1407
                #14 0x55d96701c484 in do_handle_one_connection(CONNECT*, bool) /11.2/src/sql/sql_connect.cc:1439
                #15 0x55d96701bde1 in handle_one_connection /11.2/src/sql/sql_connect.cc:1341
                #16 0x55d967caacc9 in pfs_spawn_thread /11.2/src/storage/perfschema/pfs.cc:2201
                #17 0x7eff36b84608 in start_thread /build/glibc-LcI20x/glibc-2.31/nptl/pthread_create.c:477
                #18 0x7eff36755352 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f352)
             
            AddressSanitizer can not provide additional info.
            SUMMARY: AddressSanitizer: SEGV /11.2/src/sql/sql_select.cc:32028 in st_select_lex::print(THD*, String*, enum_query_type)
            Thread T5 created by T0 here:
                #0 0x7eff37050815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
                #1 0x55d967ca68a6 in my_thread_create /11.2/src/storage/perfschema/my_thread.h:52
                #2 0x55d967cab0bc in pfs_spawn_thread_v1 /11.2/src/storage/perfschema/pfs.cc:2252
                #3 0x55d966764183 in inline_mysql_thread_create /11.2/src/include/mysql/psi/mysql_thread.h:1139
                #4 0x55d96677d09e in create_thread_to_handle_connection(CONNECT*) /11.2/src/sql/mysqld.cc:6241
                #5 0x55d96677d72e in create_new_thread(CONNECT*) /11.2/src/sql/mysqld.cc:6303
                #6 0x55d96677da9b in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /11.2/src/sql/mysqld.cc:6365
                #7 0x55d96677e491 in handle_connections_sockets() /11.2/src/sql/mysqld.cc:6489
                #8 0x55d96677c8ab in mysqld_main(int, char**) /11.2/src/sql/mysqld.cc:6136
                #9 0x55d9667631ac in main /11.2/src/sql/main.cc:34
                #10 0x7eff3665a082 in __libc_start_main ../csu/libc-start.c:308
             
            ==645913==ABORTING
            ----------SERVER LOG END-------------
            

            The test from Elena's comment now fails on 10.5 (10.5.27-MariaDB-debug-log, source revision ad5b9c207c60d78a55ab0514432ef0421d017c1a) and 10.6, but not on 10.11+

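The reports in this ticket come from several branches and show up as three different sanitizer verdicts (use-after-poison, global-buffer-overflow, SEGV on a near-null address) with different line numbers in st_select_lex::print, yet they share the same leading frames (st_select_lex::print <- st_select_lex_unit::print <- With_element::print <- With_clause::print) under Prepared_statement::execute. The helper below is an added example, not code from the ticket or from the MariaDB tree: it parses ASAN report text, extracts the error kind, the faulting access and the crash stack (stopping before the "Thread created by" stack), and groups reports by a signature built from function names plus file basenames, deliberately without line numbers, so that the same crash on two branches lands in one bucket. The two sample reports are constructed input, abridged from the ones quoted in the comment above with frames elided; the rule that "in-tree" means a path under sql/ or storage/ and the default signature depth of 4 are assumptions of this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from posixpath import basename

# Constructed sample input: the two reports quoted in the comment above, abridged
# (frames elided, original frame numbers kept) so the block runs stand-alone.
REPORT_GLOBAL_OVERFLOW = """\
==626241==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5600ce19b780 at pc 0x5600c9d3be1f bp 0x7fdcf2783990 sp 0x7fdcf2783980
READ of size 8 at 0x5600ce19b780 thread T10
    #0 0x5600c9d3be1e in st_select_lex::print(THD*, String*, enum_query_type) 11.2/src/sql/sql_select.cc:32028
    #1 0x5600c9ad68de in st_select_lex_unit::print(String*, enum_query_type) 11.2/src/sql/sql_lex.cc:3779
    #2 0x5600ca2d4592 in With_element::print(THD*, String*, enum_query_type) 11.2/src/sql/sql_cte.cc:1696
    #3 0x5600ca2d41a5 in With_clause::print(THD*, String*, enum_query_type) 11.2/src/sql/sql_cte.cc:1652
    #4 0x5600ca7a13a1 in subselect_single_select_engine::print(String*, enum_query_type) 11.2/src/sql/item_subselect.cc:4711
    #14 0x5600ca2fab77 in opt_trace_print_expanded_query(THD*, st_select_lex*, Json_writer_object*) 11.2/src/sql/opt_trace.cc:119
    #20 0x5600c9c0a9ba in Prepared_statement::execute(String*, bool) 11.2/src/sql/sql_prepare.cc:5077
    #31 0x7fdd028ae352 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f352)
"""
REPORT_SEGV = """\
==645913==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x55d966d23df6 bp 0x7eff29659580 sp 0x7eff296593f0 T5)
==645913==The signal is caused by a READ memory access.
    #0 0x55d966d23df5 in st_select_lex::print(THD*, String*, enum_query_type) /11.2/src/sql/sql_select.cc:32028
    #1 0x55d966abe8de in st_select_lex_unit::print(String*, enum_query_type) /11.2/src/sql/sql_lex.cc:3779
    #2 0x55d9672bc592 in With_element::print(THD*, String*, enum_query_type) /11.2/src/sql/sql_cte.cc:1696
    #3 0x55d9672bc1a5 in With_clause::print(THD*, String*, enum_query_type) /11.2/src/sql/sql_cte.cc:1652
    #4 0x55d966abe68e in st_select_lex_unit::print(String*, enum_query_type) /11.2/src/sql/sql_lex.cc:3754
    #5 0x55d966b51b2c in execute_sqlcom_select /11.2/src/sql/sql_parse.cc:6143
    #7 0x55d966bf29ba in Prepared_statement::execute(String*, bool) /11.2/src/sql/sql_prepare.cc:5077
    #18 0x7eff36755352 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f352)
Thread T5 created by T0 here:
    #0 0x7eff37050815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
"""

HEADER_RE = re.compile(r"==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>\S+)")
ADDR_RE = re.compile(r"address (?P<addr>0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"\b(?P<access>READ|WRITE)\b(?: of size (?P<size>\d+))?")
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+)\s+0x[0-9a-fA-F]+\s+in\s+(?P<func>.+?)\s+(?P<loc>\S+)\s*$")
LOC_RE = re.compile(r"^(?P<file>.+?):(?P<line>\d+)(?::\d+)?$")
# Assumption of this example: server code is whatever sits under a sql/ or
# storage/ directory; glibc and sanitizer-runtime frames stay out of the signature.
IN_TREE_RE = re.compile(r"(^|/)(sql|storage)/")

@dataclass(frozen=True)
class Frame:
    func: str         # symbol with its parameter list stripped
    file: str         # path as printed, or the module string for unsymbolised frames
    line: int | None  # None when the frame carries no file:line

    @property
    def in_tree(self) -> bool:
        return IN_TREE_RE.search(self.file) is not None

@dataclass
class AsanReport:
    pid: int
    kind: str           # use-after-poison, global-buffer-overflow, SEGV, ...
    address: str | None
    access: str | None  # READ / WRITE
    size: int | None    # None for SEGV, which reports no access size
    frames: list[Frame]

    def signature(self, depth: int = 4) -> tuple[tuple[str, str], ...]:
        # (function, file basename) for the first `depth` in-tree frames; line numbers
        # are left out on purpose, since the same crash sits at a different
        # sql_select.cc line on every branch quoted in this ticket.
        return tuple((f.func, basename(f.file)) for f in self.frames if f.in_tree)[:depth]

    @property
    def via_prepared_statement(self) -> bool:
        return any(f.func.startswith("Prepared_statement::execute") for f in self.frames)

def parse_asan_report(text: str) -> AsanReport:
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("no 'ERROR: AddressSanitizer:' header in input")
    addr, access = ADDR_RE.search(text), ACCESS_RE.search(text)
    frames: list[Frame] = []
    for m in filter(None, map(FRAME_RE.match, text.splitlines())):
        if m.group("n") == "0" and frames:
            break  # a second "#0" begins another stack (thread creation, allocation)
        loc = LOC_RE.match(m.group("loc"))
        frames.append(Frame(func=m.group("func").split("(")[0].strip(),
                            file=loc.group("file") if loc else m.group("loc"),
                            line=int(loc.group("line")) if loc else None))
    return AsanReport(pid=int(header.group("pid")), kind=header.group("kind"),
                      address=addr.group("addr") if addr else None,
                      access=access.group("access") if access else None,
                      size=int(access.group("size")) if access and access.group("size") else None,
                      frames=frames)

def group_by_signature(reports: list[AsanReport], depth: int = 4) -> dict[tuple, list[AsanReport]]:
    # Reports sharing the same leading in-tree frames are most likely one bug.
    groups: dict[tuple, list[AsanReport]] = {}
    for r in reports:
        groups.setdefault(r.signature(depth), []).append(r)
    return groups
```

Feeding the two sample reports to group_by_signature puts them in a single bucket at the default depth of 4 (the four print frames they share), while depth 5 separates them, because the global-buffer-overflow report reaches the CTE through subselect_single_select_engine::print and the SEGV report through a second st_select_lex_unit::print; that is the knob to turn when deciding whether two sanitizer reports from different branches should be filed under the same ticket.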

            People

              psergei Sergei Petrunia
              elenst Elena Stepanova