Details
-
Bug
-
Status: Confirmed (View Workflow)
-
Major
-
Resolution: Unresolved
-
10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL)
-
None
Description
CREATE TABLE t (a INT); |
INSERT INTO t VALUES (1),(2); |
|
|
SET SESSION optimizer_trace = 'enabled=on'; |
|
|
PREPARE stmt FROM 'EXPLAIN EXTENDED WITH cte AS (SELECT CASE a WHEN 2 THEN 0 END AS f FROM t) SELECT * FROM cte'; |
EXECUTE stmt; |
EXECUTE stmt; |
|
|
# Cleanup
|
DROP TABLE t; |
|
10.7 c3ddffe2 |
==1813883==ERROR: AddressSanitizer: use-after-poison on address 0x629000097340 at pc 0x562c3c9225b8 bp 0x7fbc220054c0 sp 0x7fbc220054b8
|
READ of size 8 at 0x629000097340 thread T5
|
#0 0x562c3c9225b7 in st_select_lex::print(THD*, String*, enum_query_type) /data/src/10.7/sql/sql_select.cc:28482
|
#1 0x562c3c71aade in st_select_lex_unit::print(String*, enum_query_type) /data/src/10.7/sql/sql_lex.cc:3729
|
#2 0x562c3cd644e5 in With_element::print(THD*, String*, enum_query_type) /data/src/10.7/sql/sql_cte.cc:1701
|
#3 0x562c3cd64b18 in With_clause::print(THD*, String*, enum_query_type) /data/src/10.7/sql/sql_cte.cc:1657
|
#4 0x562c3c71aa3c in st_select_lex_unit::print(String*, enum_query_type) /data/src/10.7/sql/sql_lex.cc:3704
|
#5 0x562c3c78c7d2 in execute_sqlcom_select /data/src/10.7/sql/sql_parse.cc:6218
|
#6 0x562c3c7b444a in mysql_execute_command(THD*, bool) /data/src/10.7/sql/sql_parse.cc:3943
|
#7 0x562c3c825ad9 in Prepared_statement::execute(String*, bool) /data/src/10.7/sql/sql_prepare.cc:5221
|
#8 0x562c3c82634e in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.7/sql/sql_prepare.cc:4644
|
#9 0x562c3c827071 in mysql_sql_stmt_execute(THD*) /data/src/10.7/sql/sql_prepare.cc:3688
|
#10 0x562c3c7b1475 in mysql_execute_command(THD*, bool) /data/src/10.7/sql/sql_parse.cc:3959
|
#11 0x562c3c7b925a in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.7/sql/sql_parse.cc:8027
|
#12 0x562c3c7be8c4 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/10.7/sql/sql_parse.cc:1894
|
#13 0x562c3c7c42c5 in do_command(THD*, bool) /data/src/10.7/sql/sql_parse.cc:1407
|
#14 0x562c3cb7b0cd in do_handle_one_connection(CONNECT*, bool) /data/src/10.7/sql/sql_connect.cc:1418
|
#15 0x562c3cb7b60c in handle_one_connection /data/src/10.7/sql/sql_connect.cc:1312
|
#16 0x562c3d64ad4b in pfs_spawn_thread /data/src/10.7/storage/perfschema/pfs.cc:2201
|
#17 0x7fbc2b39dea6 in start_thread nptl/pthread_create.c:477
|
#18 0x7fbc2af9cdee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfddee)
|
|
|
0x629000097340 is located 4416 bytes inside of 16400-byte region [0x629000096200,0x62900009a210)
|
allocated by thread T5 here:
|
#0 0x7fbc2b8a3e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
|
#1 0x562c3df3f238 in my_malloc /data/src/10.7/mysys/my_malloc.c:90
|
#2 0x562c3df2bdeb in reset_root_defaults /data/src/10.7/mysys/my_alloc.c:243
|
#3 0x562c3c66e673 in THD::init_for_queries() /data/src/10.7/sql/sql_class.cc:1387
|
#4 0x562c3cb79092 in prepare_new_connection_state(THD*) /data/src/10.7/sql/sql_connect.cc:1240
|
#5 0x562c3cb79947 in thd_prepare_connection(THD*) /data/src/10.7/sql/sql_connect.cc:1333
|
#6 0x562c3cb79947 in thd_prepare_connection(THD*) /data/src/10.7/sql/sql_connect.cc:1322
|
#7 0x562c3cb7b079 in do_handle_one_connection(CONNECT*, bool) /data/src/10.7/sql/sql_connect.cc:1408
|
#8 0x562c3cb7b60c in handle_one_connection /data/src/10.7/sql/sql_connect.cc:1312
|
#9 0x562c3d64ad4b in pfs_spawn_thread /data/src/10.7/storage/perfschema/pfs.cc:2201
|
#10 0x7fbc2b39dea6 in start_thread nptl/pthread_create.c:477
|
|
|
Thread T5 created by T0 here:
|
#0 0x7fbc2b84f2a2 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:214
|
#1 0x562c3d64afc9 in my_thread_create /data/src/10.7/storage/perfschema/my_thread.h:52
|
#2 0x562c3d64afc9 in pfs_spawn_thread_v1 /data/src/10.7/storage/perfschema/pfs.cc:2252
|
#3 0x562c3c48a47d in inline_mysql_thread_create /data/src/10.7/include/mysql/psi/mysql_thread.h:1139
|
#4 0x562c3c48a47d in create_thread_to_handle_connection(CONNECT*) /data/src/10.7/sql/mysqld.cc:6008
|
#5 0x562c3c496227 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.7/sql/mysqld.cc:6129
|
#6 0x562c3c496d9f in handle_connections_sockets() /data/src/10.7/sql/mysqld.cc:6253
|
#7 0x562c3c4986b0 in mysqld_main(int, char**) /data/src/10.7/sql/mysqld.cc:5903
|
#8 0x7fbc2aec5d09 in __libc_start_main ../csu/libc-start.c:308
|
|
|
SUMMARY: AddressSanitizer: use-after-poison /data/src/10.7/sql/sql_select.cc:28482 in st_select_lex::print(THD*, String*, enum_query_type)
|
Shadow bytes around the buggy address:
|
0x0c528000ae10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c528000ae20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c528000ae30: 00 00 00 00 00 f7 00 00 f7 00 00 00 00 f7 00 f7
|
0x0c528000ae40: 00 00 f7 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c528000ae50: 00 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00
|
=>0x0c528000ae60: 00 00 00 00 00 00 00 00[f7]00 00 00 00 00 00 00
|
0x0c528000ae70: 00 00 00 00 00 00 00 00 00 f7 00 00 00 00 00 00
|
0x0c528000ae80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c528000ae90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c528000aea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c528000aeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==1813883==ABORTING
|
The failure started happening on 10.7 after this commit:
commit 401ff6994d842a4072b7b155e5a958e178e6497a
|
Author: Eric Herman
|
Date: Fri Sep 3 06:38:54 2021 +0200
|
|
|
MDEV-26221: DYNAMIC_ARRAY use size_t for sizes
|
Attachments
Issue Links
- is caused by
-
MDEV-26221 my_sys DYNAMIC_ARRAY and DYNAMIC_STRING inconsistancy
-
- Closed
-