[MDEV-31193] ASAN use-after-poison in base_list_iterator::next_fast / eliminate_item_equal - Jira

XML

Word

Printable

Details

Type: Bug
Status: Confirmed (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.4(EOL), 10.5, 10.6, 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL), 11.1(EOL)
Fix Version/s: 10.5, 10.6, 10.11
Component/s: Optimizer
Labels:
None

Description

CREATE TABLE t1 (a INT PRIMARY KEY) ENGINE=MyISAM;

INSERT INTO t1 VALUES (1);

CREATE TABLE t2 (b INT, c INT);

INSERT INTO t2 VALUES (2,3),(4,5);

CREATE TABLE t3 (d INT);

INSERT INTO t3 VALUES (6),(7);

CREATE TABLE t4 (e INT, f INT);

INSERT INTO t4 VALUES (8,9),(0,1);

SELECT * FROM t1 JOIN t2 LEFT JOIN t3 ON (t2.b = t3.d) ON (t2.c = t1.a) WHERE (1, t2.c) IN (SELECT e, f FROM t4 HAVING e < 0);

# Cleanup

DROP TABLE t1, t2, t3, t4;

10.4 f5dceafd
==30211==ERROR: AddressSanitizer: use-after-poison on address 0x62900024bc70 at pc 0x557160cadae5 bp 0x7f76fde88970 sp 0x7f76fde88968
READ of size 8 at 0x62900024bc70 thread T5
#0 0x557160cadae4 in base_list_iterator::next_fast() /data/src/10.4/sql/sql_list.h:443
#1 0x557160cd50c0 in List_iterator_fast<Item>::operator++(int) /data/src/10.4/sql/sql_list.h:620
#2 0x557160f61313 in Item_equal_iterator<List_iterator_fast, Item>::operator++(int) /data/src/10.4/sql/item_cmpfunc.h:3318
#3 0x55716182d48e in Item_equal::contains(Field*) /data/src/10.4/sql/item_cmpfunc.cc:6738
#4 0x5571617aabe2 in Item_field::find_item_equal(COND_EQUAL*) /data/src/10.4/sql/item.cc:6205
#5 0x5571610af8c7 in eliminate_item_equal(THD, Item, COND_EQUAL, Item_equal) /data/src/10.4/sql/sql_select.cc:15977
#6 0x5571610b101a in substitute_for_best_equal_field /data/src/10.4/sql/sql_select.cc:16284
#7 0x5571610498a1 in JOIN::optimize_stage2() /data/src/10.4/sql/sql_select.cc:2554
#8 0x557161047af2 in JOIN::optimize_inner() /data/src/10.4/sql/sql_select.cc:2394
#9 0x557161040790 in JOIN::optimize() /data/src/10.4/sql/sql_select.cc:1711
#10 0x557161061664 in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/src/10.4/sql/sql_select.cc:4812
#11 0x557161032460 in handle_select(THD, LEX, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:442
#12 0x557160fa228a in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6473
#13 0x557160f8f79f in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3976
#14 0x557160fab462 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8008
#15 0x557160f817a5 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
#16 0x557160f7e314 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378
#17 0x55716137d0b9 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1420
#18 0x55716137c9d0 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324
#19 0x557161fe9aed in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
#20 0x7f7705ca7fd3 in start_thread nptl/pthread_create.c:442
#21 0x7f7705d285bb in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x62900024bc70 is located 10864 bytes inside of 16352-byte region [0x629000249200,0x62900024d1e0)
allocated by thread T5 here:
#0 0x7f77062b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x557162b30d13 in my_malloc /data/src/10.4/mysys/my_malloc.c:101
#2 0x557162b0d739 in alloc_root /data/src/10.4/mysys/my_alloc.c:251
#3 0x557160f57b39 in st_select_lex_node::operator new(unsigned long, st_mem_root*) /data/src/10.4/sql/sql_lex.h:728
#4 0x557160f26da9 in LEX::alloc_unit() /data/src/10.4/sql/sql_lex.cc:5396
#5 0x557160f27793 in LEX::create_unit(st_select_lex*) /data/src/10.4/sql/sql_lex.cc:5442
#6 0x5571615bc875 in MYSQLparse(THD*) /data/src/10.4/sql/sql_yacc.yy:9596
#7 0x557160fb9b1b in parse_sql(THD, Parser_state, Object_creation_ctx*, bool) /data/src/10.4/sql/sql_parse.cc:10358
#8 0x557160faafe7 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7960
#9 0x557160f817a5 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
#10 0x557160f7e314 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378
#11 0x55716137d0b9 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1420
#12 0x55716137c9d0 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324
#13 0x557161fe9aed in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
#14 0x7f7705ca7fd3 in start_thread nptl/pthread_create.c:442

Thread T5 created by T0 here:
#0 0x7f7706249726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
#1 0x557161fe9eda in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919
#2 0x557160c89f28 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275
#3 0x557160ca162e in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6287
#4 0x557160ca1d79 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6357
#5 0x557160ca2247 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6455
#6 0x557160ca30f3 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6613
#7 0x557160ca0d91 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5945
#8 0x557160c880b8 in main /data/src/10.4/sql/main.cc:25
#9 0x7f7705c46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: use-after-poison /data/src/10.4/sql/sql_list.h:443 in base_list_iterator::next_fast()
Shadow bytes around the buggy address:
0x0c5280041730: 00 f7 00 00 f7 00 00 f7 00 00 f7 00 00 00 00 00
0x0c5280041740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5280041750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 00
0x0c5280041760: 00 f7 00 00 f7 00 00 00 00 00 00 00 00 00 00 00
0x0c5280041770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5280041780: 00 00 00 00 00 00 00 00 00 f7 f7 f7 f7 f7[f7]f7
0x0c5280041790: 00 00 f7 00 00 00 00 f7 00 00 00 00 00 00 00 00
0x0c52800417a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c52800417b0: 00 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 f7
0x0c52800417c0: 00 00 f7 00 00 f7 00 00 00 00 f7 00 00 00 00 00
0x0c52800417d0: f7 00 00 f7 00 00 f7 00 00 f7 00 00 f7 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==30211==ABORTING

Reproducible on all existing versions, also earlier minor releases.
The constant table t1 should be MyISAM or Aria (not InnoDB that is), the rest can be anything.

Attachments

Activity

People

Assignee:: Sergei Petrunia

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2023-05-04 22:20

Updated:: 2024-11-22 17:10

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.