Details
-
Bug
-
Status: Confirmed (View Workflow)
-
Major
-
Resolution: Unresolved
-
10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL), 11.1(EOL), 11.2(EOL)
Description
create table t (a char(8), i int); |
insert into t values ('foo',1),('bar',2); |
create view v as select a, sum(i) from t group by a; |
|
SELECT * FROM v WHERE a != SFORMAT('{}', 'qux'); |
|
# Cleanup
|
drop view v; |
drop table t; |
11.0 8e55d7ea |
#3 <signal handler called>
|
#4 0x0000563a4d104360 in Binary_string::free_buffer (this=0xf1f271bed5f35828) at /data/src/11.0/sql/sql_string.h:228
|
#5 0x0000563a4d1044ea in Binary_string::free (this=0xf1f271bed5f35828) at /data/src/11.0/sql/sql_string.h:692
|
#6 0x0000563a4d10446a in Binary_string::~Binary_string (this=0xf1f271bed5f35828, __in_chrg=<optimized out>) at /data/src/11.0/sql/sql_string.h:275
|
#7 0x0000563a4d104640 in String::~String (this=0xf1f271bed5f35820, __in_chrg=<optimized out>) at /data/src/11.0/sql/sql_string.h:804
|
#8 0x0000563a4d76bdd2 in Item_func_sformat::~Item_func_sformat (this=0x7fcce40165a0, __in_chrg=<optimized out>) at /data/src/11.0/sql/item_strfunc.h:640
|
#9 0x0000563a4d76be34 in Item_func_sformat::~Item_func_sformat (this=0x7fcce40165a0, __in_chrg=<optimized out>) at /data/src/11.0/sql/item_strfunc.h:640
|
#10 0x0000563a4d2205db in Item::delete_self (this=0x7fcce40165a0) at /data/src/11.0/sql/item.h:2564
|
#11 0x0000563a4d212d84 in Query_arena::free_items (this=0x7fcce4000de0) at /data/src/11.0/sql/sql_class.cc:3909
|
#12 0x0000563a4d20cdaf in THD::cleanup_after_query (this=0x7fcce4000dc8) at /data/src/11.0/sql/sql_class.cc:2282
|
#13 0x0000563a4d2a664e in mysql_parse (thd=0x7fcce4000dc8, rawbuf=0x7fcce4015500 "SELECT * FROM v WHERE a != SFORMAT('{}', 'qux')", length=47, parser_state=0x7fccfad62370) at /data/src/11.0/sql/sql_parse.cc:8023
|
#14 0x0000563a4d2920c5 in dispatch_command (command=COM_QUERY, thd=0x7fcce4000dc8, packet=0x7fcce400ba69 "", packet_length=47, blocking=true) at /data/src/11.0/sql/sql_parse.cc:1894
|
#15 0x0000563a4d290a2c in do_command (thd=0x7fcce4000dc8, blocking=true) at /data/src/11.0/sql/sql_parse.cc:1407
|
#16 0x0000563a4d481df6 in do_handle_one_connection (connect=0x563a50b6b8a8, put_in_cache=true) at /data/src/11.0/sql/sql_connect.cc:1416
|
#17 0x0000563a4d481b6b in handle_one_connection (arg=0x563a50b5b4b8) at /data/src/11.0/sql/sql_connect.cc:1318
|
#18 0x0000563a4d99fc9e in pfs_spawn_thread (arg=0x563a50b6b418) at /data/src/11.0/storage/perfschema/pfs.cc:2201
|
#19 0x00007fcd042a7fd4 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
|
#20 0x00007fcd0432866c in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
|
Reproducible on 10.7+.
ASAN variation:
11.0 8e55d7ea |
==593774==ERROR: AddressSanitizer: use-after-poison on address 0x6290000e7468 at pc 0x55c9edd8fe5b bp 0x7f4fca282400 sp 0x7f4fca2823f8
|
READ of size 8 at 0x6290000e7468 thread T5
|
#0 0x55c9edd8fe5a in Item_func_sformat::~Item_func_sformat() /data/src/11.0/sql/item_strfunc.h:640
|
#1 0x55c9edd8ff51 in Item_func_sformat::~Item_func_sformat() /data/src/11.0/sql/item_strfunc.h:640
|
#2 0x55c9ed18a8f8 in Item::delete_self() /data/src/11.0/sql/item.h:2564
|
#3 0x55c9ed16bc32 in Query_arena::free_items() /data/src/11.0/sql/sql_class.cc:3909
|
#4 0x55c9ed15c845 in THD::cleanup_after_query() /data/src/11.0/sql/sql_class.cc:2282
|
#5 0x55c9ed2be4c8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/11.0/sql/sql_parse.cc:8023
|
#6 0x55c9ed294294 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/11.0/sql/sql_parse.cc:1894
|
#7 0x55c9ed290fc6 in do_command(THD*, bool) /data/src/11.0/sql/sql_parse.cc:1407
|
#8 0x55c9ed74c5f9 in do_handle_one_connection(CONNECT*, bool) /data/src/11.0/sql/sql_connect.cc:1416
|
#9 0x55c9ed74bfba in handle_one_connection /data/src/11.0/sql/sql_connect.cc:1318
|
#10 0x55c9ee3238af in pfs_spawn_thread /data/src/11.0/storage/perfschema/pfs.cc:2201
|
#11 0x7f4fd1aa7fd3 in start_thread nptl/pthread_create.c:442
|
#12 0x7f4fd1b2866b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
|
|
0x6290000e7468 is located 4712 bytes inside of 16400-byte region [0x6290000e6200,0x6290000ea210)
|
allocated by thread T5 here:
|
#0 0x7f4fd26b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
|
#1 0x55c9eef03fa1 in my_malloc /data/src/11.0/mysys/my_malloc.c:91
|
#2 0x55c9eeedf5b5 in root_alloc /data/src/11.0/mysys/my_alloc.c:71
|
#3 0x55c9eeee04aa in reset_root_defaults /data/src/11.0/mysys/my_alloc.c:248
|
#4 0x55c9ed155ee0 in THD::init_for_queries() /data/src/11.0/sql/sql_class.cc:1386
|
#5 0x55c9ed74b89e in prepare_new_connection_state(THD*) /data/src/11.0/sql/sql_connect.cc:1245
|
#6 0x55c9ed74c03b in thd_prepare_connection(THD*) /data/src/11.0/sql/sql_connect.cc:1339
|
#7 0x55c9ed74c553 in do_handle_one_connection(CONNECT*, bool) /data/src/11.0/sql/sql_connect.cc:1406
|
#8 0x55c9ed74bfba in handle_one_connection /data/src/11.0/sql/sql_connect.cc:1318
|
#9 0x55c9ee3238af in pfs_spawn_thread /data/src/11.0/storage/perfschema/pfs.cc:2201
|
#10 0x7f4fd1aa7fd3 in start_thread nptl/pthread_create.c:442
|
|
Thread T5 created by T0 here:
|
#0 0x7f4fd2649726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
|
#1 0x55c9ee31f5ea in my_thread_create /data/src/11.0/storage/perfschema/my_thread.h:52
|
#2 0x55c9ee323c9e in pfs_spawn_thread_v1 /data/src/11.0/storage/perfschema/pfs.cc:2252
|
#3 0x55c9eced878a in inline_mysql_thread_create /data/src/11.0/include/mysql/psi/mysql_thread.h:1139
|
#4 0x55c9ecef06c6 in create_thread_to_handle_connection(CONNECT*) /data/src/11.0/sql/mysqld.cc:6126
|
#5 0x55c9ecef0ceb in create_new_thread(CONNECT*) /data/src/11.0/sql/mysqld.cc:6188
|
#6 0x55c9ecef0fd6 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/11.0/sql/mysqld.cc:6250
|
#7 0x55c9ecef195a in handle_connections_sockets() /data/src/11.0/sql/mysqld.cc:6374
|
#8 0x55c9eceeff43 in mysqld_main(int, char**) /data/src/11.0/sql/mysqld.cc:6021
|
#9 0x55c9eced78f8 in main /data/src/11.0/sql/main.cc:34
|
#10 0x7f4fd1a46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
|
SUMMARY: AddressSanitizer: use-after-poison /data/src/11.0/sql/item_strfunc.h:640 in Item_func_sformat::~Item_func_sformat()
|
Shadow bytes around the buggy address:
|
0x0c5280014e30: 00 00 00 00 00 00 00 00 00 f7 00 f7 03 f7 00 00
|
0x0c5280014e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 07 f7
|
0x0c5280014e50: 00 05 f7 00 00 00 f7 00 00 f7 04 f7 00 00 00 00
|
0x0c5280014e60: 00 00 00 00 00 00 00 00 00 00 00 f7 00 02 f7 00
|
0x0c5280014e70: 00 f7 00 00 f7 00 00 00 00 00 00 00 00 00 00 00
|
=>0x0c5280014e80: 00 00 00 00 00 00 00 00 00 00 00 00 f7[f7]f7 f7
|
0x0c5280014e90: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5280014ea0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5280014eb0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5280014ec0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5280014ed0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 00 00 f7
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
==593774==ABORTING
|
Attachments
Issue Links
- relates to
-
MDEV-31860 SIGSEGV in Binary_string::free_buffer and ASAN use-after-poison in TMP_TABLE_PARAM::cleanup
- Confirmed
-
MDEV-25015 Custom formatting of strings in MariaDB queries
- Closed