Details
-
Bug
-
Status: Stalled (View Workflow)
-
Critical
-
Resolution: Unresolved
-
10.4(EOL), 10.5, 10.6, 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL), 11.1(EOL), 11.4, 11.8, 12.0
Description
MTR testcase to reprod:
|
11.1 4e5b771e980edfdad5c5414aa62c81d409d585a4 |
set optimizer_switch=default; |
CREATE TABLE t1 (a INT); |
CREATE TABLE t2 (b INT); |
PREPARE st FROM " |
SELECT * FROM t2
|
HAVING 0 IN (
|
SELECT a FROM t1
|
WHERE EXISTS (
|
SELECT a FROM t1
|
WHERE b = a
|
)
|
)
|
"; |
EXECUTE st; |
EXECUTE st; |
drop table t1, t2; |
Possibly caused by attempted reuse of items freed in query arena after the first execution. If we replace the first line with set optimizer_switch='exists_to_in=off'; then the test passes. The test also passes if we replace HAVING by WHERE.
trace:
mysys/stacktrace.c:215(my_print_stacktrace)[0x561ec390cefa]
|
sql/signal_handler.cc:238(handle_fatal_signal)[0x561ec30a10cb]
|
??:0(__restore_rt)[0x7fb3f1a26140]
|
sql/item.cc:495(Item::print_parenthesised(String*, enum_query_type, precedence))[0x561ec30c57f7]
|
sql/item_func.cc:634(Item_func::print_op(String*, enum_query_type))[0x561ec312d43e]
|
sql/item_cmpfunc.h:551(Item_bool_rowready_func2::print(String*, enum_query_type))[0x561ec2b7dc3d]
|
sql/item.cc:499(Item::print_parenthesised(String*, enum_query_type, precedence))[0x561ec30c584b]
|
sql/item_cmpfunc.cc:5385(Item_cond::print(String*, enum_query_type))[0x561ec310338e]
|
sql/item.cc:10894(dbug_print_item(Item*))[0x561ec30e6f31]
|
sql/sql_select.cc:1382(JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x561ec2d2fc40]
|
sql/item_subselect.cc:3943(subselect_single_select_engine::prepare(THD*))[0x561ec31b74e7]
|
sql/item_subselect.cc:296(Item_subselect::fix_fields(THD*, Item**))[0x561ec31a941c]
|
sql/item_subselect.cc:3602(Item_in_subselect::fix_fields(THD*, Item**))[0x561ec31b63a2]
|
sql/item.h:1147(Item::fix_fields_if_needed(THD*, Item**))[0x561ec2ba1620]
|
sql/item_cmpfunc.cc:1379(Item_in_optimizer::fix_fields(THD*, Item**))[0x561ec30f59d7]
|
sql/item.h:1147(Item::fix_fields_if_needed(THD*, Item**))[0x561ec2ba1620]
|
sql/item.h:1156(Item::fix_fields_if_needed_for_scalar(THD*, Item**))[0x561ec2ba1655]
|
sql/item.h:1161(Item::fix_fields_if_needed_for_bool(THD*, Item**))[0x561ec2c2a2cb]
|
sql/sql_select.cc:1552(JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x561ec2d3085d]
|
sql/sql_select.cc:5132(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x561ec2d3da56]
|
sql/sql_select.cc:611(handle_select(THD*, LEX*, select_result*, unsigned long long))[0x561ec2d2ca67]
|
sql/sql_parse.cc:6024(execute_sqlcom_select(THD*, TABLE_LIST*))[0x561ec2cd4abd]
|
sql/sql_parse.cc:3944(mysql_execute_command(THD*, bool))[0x561ec2cccd4b]
|
sql/sql_prepare.cc:4992(Prepared_statement::execute(String*, bool))[0x561ec2d12dcd]
|
sql/sql_prepare.cc:4415(Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*))[0x561ec2d10f84]
|
sql/sql_prepare.cc:3457(mysql_sql_stmt_execute(THD*))[0x561ec2d0e647]
|
sql/sql_parse.cc:3961(mysql_execute_command(THD*, bool))[0x561ec2cccd90]
|
sql/sql_parse.cc:7760(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x561ec2cd96fa]
|
sql/sql_parse.cc:1894(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x561ec2cc6db0]
|
sql/sql_parse.cc:1405(do_command(THD*, bool))[0x561ec2cc5789]
|
sql/sql_connect.cc:1416(do_handle_one_connection(CONNECT*, bool))[0x561ec2ea4fda]
|
sql/sql_connect.cc:1320(handle_one_connection)[0x561ec2ea4d45]
|
perfschema/pfs.cc:2203(pfs_spawn_thread)[0x561ec33a8fc4]
|
??:0(start_thread)[0x7fb3f1a1aea7]
|
??:0(clone)[0x7fb3f1216a2f]
|
Attachments
Issue Links
- duplicates
-
-
- In Progress
-
Activity
We see use-after-poison in Item_func::fix_fields (opt) and in Item_func::print_op (dbg) in ASAN:
|
11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Optimized, UBASAN) |
=================================================================
|
==183036==ERROR: AddressSanitizer: use-after-poison on address 0x6290000799a8 at pc 0x55d3f6003905 bp 0x14e34ed40ac0 sp 0x14e34ed40ab0
|
READ of size 8 at 0x6290000799a8 thread T35
|
#0 0x55d3f6003904 in Item_func::fix_fields(THD*, Item**) /test/11.0_opt_san/sql/item_func.cc:350
|
#1 0x55d3f5e19149 in Item::fix_fields_if_needed(THD*, Item**) /test/11.0_opt_san/sql/item.h:1147
|
#2 0x55d3f5e19149 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.0_opt_san/sql/item.h:1156
|
#3 0x55d3f5e19149 in Item::fix_fields_if_needed_for_bool(THD*, Item**) /test/11.0_opt_san/sql/item.h:1160
|
#4 0x55d3f5e19149 in Item_cond::fix_fields(THD*, Item**) /test/11.0_opt_san/sql/item_cmpfunc.cc:4937
|
#5 0x55d3f4255bcf in Item::fix_fields_if_needed(THD*, Item**) /test/11.0_opt_san/sql/item.h:1147
|
#6 0x55d3f4255bcf in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.0_opt_san/sql/item.h:1156
|
#7 0x55d3f4255bcf in Item::fix_fields_if_needed_for_bool(THD*, Item**) /test/11.0_opt_san/sql/item.h:1160
|
#8 0x55d3f4255bcf in setup_conds(THD*, TABLE_LIST*, List<TABLE_LIST>&, Item**) /test/11.0_opt_san/sql/sql_base.cc:8827
|
#9 0x55d3f496618a in setup_without_group /test/11.0_opt_san/sql/sql_select.cc:919
|
#10 0x55d3f496618a in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.0_opt_san/sql/sql_select.cc:1499
|
#11 0x55d3f651e3ef in subselect_single_select_engine::prepare(THD*) /test/11.0_opt_san/sql/item_subselect.cc:3941
|
#12 0x55d3f65170f2 in Item_subselect::fix_fields(THD*, Item**) /test/11.0_opt_san/sql/item_subselect.cc:296
|
#13 0x55d3f651a104 in Item_in_subselect::fix_fields(THD*, Item**) /test/11.0_opt_san/sql/item_subselect.cc:3600
|
#14 0x55d3f5de858e in Item::fix_fields_if_needed(THD*, Item**) /test/11.0_opt_san/sql/item.h:1147
|
#15 0x55d3f5de858e in Item_in_optimizer::fix_fields(THD*, Item**) /test/11.0_opt_san/sql/item_cmpfunc.cc:1379
|
#16 0x55d3f49684c1 in Item::fix_fields_if_needed(THD*, Item**) /test/11.0_opt_san/sql/item.h:1147
|
#17 0x55d3f49684c1 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.0_opt_san/sql/item.h:1156
|
#18 0x55d3f49684c1 in Item::fix_fields_if_needed_for_bool(THD*, Item**) /test/11.0_opt_san/sql/item.h:1160
|
#19 0x55d3f49684c1 in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.0_opt_san/sql/sql_select.cc:1557
|
#20 0x55d3f4a53cb8 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_opt_san/sql/sql_select.cc:5133
|
#21 0x55d3f4a55d80 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_opt_san/sql/sql_select.cc:616
|
#22 0x55d3f45d6b80 in execute_sqlcom_select /test/11.0_opt_san/sql/sql_parse.cc:6279
|
#23 0x55d3f463c5f6 in mysql_execute_command(THD*, bool) /test/11.0_opt_san/sql/sql_parse.cc:3949
|
#24 0x55d3f4742f67 in Prepared_statement::execute(String*, bool) /test/11.0_opt_san/sql/sql_prepare.cc:5223
|
#25 0x55d3f4745835 in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /test/11.0_opt_san/sql/sql_prepare.cc:4646
|
#26 0x55d3f4747994 in mysql_sql_stmt_execute(THD*) /test/11.0_opt_san/sql/sql_prepare.cc:3690
|
#27 0x55d3f463a095 in mysql_execute_command(THD*, bool) /test/11.0_opt_san/sql/sql_parse.cc:3965
|
#28 0x55d3f464d4d2 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_opt_san/sql/sql_parse.cc:8014
|
#29 0x55d3f465af5d in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_opt_san/sql/sql_parse.cc:1894
|
#30 0x55d3f4664728 in do_command(THD*, bool) /test/11.0_opt_san/sql/sql_parse.cc:1407
|
#31 0x55d3f4f7380c in do_handle_one_connection(CONNECT*, bool) /test/11.0_opt_san/sql/sql_connect.cc:1416
|
#32 0x55d3f4f75e0c in handle_one_connection /test/11.0_opt_san/sql/sql_connect.cc:1318
|
#33 0x14e373a94b42 in start_thread nptl/pthread_create.c:442
|
#34 0x14e373b269ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
|
|
|
0x6290000799a8 is located 6056 bytes inside of 16400-byte region [0x629000078200,0x62900007c210)
|
allocated by thread T35 here:
|
#0 0x55d3f3d73b17 in malloc (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-opt/bin/mariadbd+0x7a1eb17)
|
#1 0x55d3f817d394 in my_malloc /test/11.0_opt_san/mysys/my_malloc.c:91
|
#2 0x55d3f815826b in root_alloc /test/11.0_opt_san/mysys/my_alloc.c:71
|
#3 0x55d3f815826b in reset_root_defaults /test/11.0_opt_san/mysys/my_alloc.c:248
|
#4 0x55d3f42b8b9e in THD::init_for_queries() /test/11.0_opt_san/sql/sql_class.cc:1386
|
#5 0x55d3f4f6e33e in prepare_new_connection_state(THD*) /test/11.0_opt_san/sql/sql_connect.cc:1245
|
#6 0x55d3f4f6fc27 in thd_prepare_connection(THD*) /test/11.0_opt_san/sql/sql_connect.cc:1339
|
#7 0x55d3f4f6fc27 in thd_prepare_connection(THD*) /test/11.0_opt_san/sql/sql_connect.cc:1328
|
#8 0x55d3f4f728a7 in do_handle_one_connection(CONNECT*, bool) /test/11.0_opt_san/sql/sql_connect.cc:1406
|
#9 0x55d3f4f75e0c in handle_one_connection /test/11.0_opt_san/sql/sql_connect.cc:1318
|
#10 0x14e373a94b42 in start_thread nptl/pthread_create.c:442
|
|
|
Thread T35 created by T0 here:
|
#0 0x55d3f3d17955 in pthread_create (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-opt/bin/mariadbd+0x79c2955)
|
#1 0x55d3f3dcc5ee in create_thread_to_handle_connection(CONNECT*) /test/11.0_opt_san/sql/mysqld.cc:6129
|
#2 0x55d3f3ddea9f in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.0_opt_san/sql/mysqld.cc:6253
|
#3 0x55d3f3ddfa27 in handle_connections_sockets() /test/11.0_opt_san/sql/mysqld.cc:6377
|
#4 0x55d3f3de2a8d in mysqld_main(int, char**) /test/11.0_opt_san/sql/mysqld.cc:6024
|
#5 0x14e373a29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
|
|
SUMMARY: AddressSanitizer: use-after-poison /test/11.0_opt_san/sql/item_func.cc:350 in Item_func::fix_fields(THD*, Item**)
|
Shadow bytes around the buggy address:
|
0x0c52800072e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c52800072f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5280007300: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5280007310: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5280007320: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
=>0x0c5280007330: f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5280007340: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5280007350: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5280007360: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5280007370: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5280007380: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==183036==ABORTING
|
230515 11:16:08 [ERROR] mysqld got signal 6 ;
|
|
11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Debug, UBASAN) |
==3605682==ERROR: AddressSanitizer: use-after-poison on address 0x6290000d89c8 at pc 0x5571104feb00 bp 0x1503ad205f30 sp 0x1503ad205f20
|
READ of size 8 at 0x6290000d89c8 thread T13
|
#0 0x5571104feaff in Item_func::print_op(String*, enum_query_type) /test/11.0_dbg_san/sql/item_func.cc:633
|
#1 0x55710e06391a in Item_bool_rowready_func2::print(String*, enum_query_type) /test/11.0_dbg_san/sql/item_cmpfunc.h:549
|
#2 0x5571100128c3 in Item::print_parenthesised(String*, enum_query_type, precedence) /test/11.0_dbg_san/sql/item.cc:498
|
#3 0x5571101c6dd4 in Item_cond::print(String*, enum_query_type) /test/11.0_dbg_san/sql/item_cmpfunc.cc:5390
|
#4 0x5571100bd724 in dbug_print_item(Item*) /test/11.0_dbg_san/sql/item.cc:10884
|
#5 0x55710eb64fca in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.0_dbg_san/sql/sql_select.cc:1384
|
#6 0x557110a4a0d1 in subselect_single_select_engine::prepare(THD*) /test/11.0_dbg_san/sql/item_subselect.cc:3941
|
#7 0x557110a41b5d in Item_subselect::fix_fields(THD*, Item**) /test/11.0_dbg_san/sql/item_subselect.cc:296
|
#8 0x557110a46939 in Item_in_subselect::fix_fields(THD*, Item**) /test/11.0_dbg_san/sql/item_subselect.cc:3600
|
#9 0x5571102362c3 in Item::fix_fields_if_needed(THD*, Item**) /test/11.0_dbg_san/sql/item.h:1147
|
#10 0x5571102362c3 in Item_in_optimizer::fix_fields(THD*, Item**) /test/11.0_dbg_san/sql/item_cmpfunc.cc:1379
|
#11 0x55710eb6cd7a in Item::fix_fields_if_needed(THD*, Item**) /test/11.0_dbg_san/sql/item.h:1147
|
#12 0x55710eb6cd7a in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.0_dbg_san/sql/item.h:1156
|
#13 0x55710eb6cd7a in Item::fix_fields_if_needed_for_bool(THD*, Item**) /test/11.0_dbg_san/sql/item.h:1160
|
#14 0x55710eb6cd7a in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.0_dbg_san/sql/sql_select.cc:1557
|
#15 0x55710ec14cfc in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5133
|
#16 0x55710ec1651c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616
|
#17 0x55710e788a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279
|
#18 0x55710e7e9ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949
|
#19 0x55710e915f20 in Prepared_statement::execute(String*, bool) /test/11.0_dbg_san/sql/sql_prepare.cc:5223
|
#20 0x55710e919a1f in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /test/11.0_dbg_san/sql/sql_prepare.cc:4646
|
#21 0x55710e91cc7f in mysql_sql_stmt_execute(THD*) /test/11.0_dbg_san/sql/sql_prepare.cc:3690
|
#22 0x55710e7e9f90 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3965
|
#23 0x55710e819973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014
|
#24 0x55710e829707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
|
#25 0x55710e837542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
|
#26 0x55710f20c8b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
|
#27 0x55710f20ddd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
|
#28 0x1503cf494b42 in start_thread nptl/pthread_create.c:442
|
#29 0x1503cf5269ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
|
|
|
0x6290000d89c8 is located 6088 bytes inside of 16400-byte region [0x6290000d7200,0x6290000db210)
|
allocated by thread T13 here:
|
#0 0x55710de9e337 in __interceptor_malloc (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7964337)
|
#1 0x5571125b5703 in my_malloc /test/11.0_dbg_san/mysys/my_malloc.c:91
|
#2 0x557112593f22 in root_alloc /test/11.0_dbg_san/mysys/my_alloc.c:71
|
#3 0x557112594dec in reset_root_defaults /test/11.0_dbg_san/mysys/my_alloc.c:248
|
#4 0x55710e449ec1 in THD::init_for_queries() /test/11.0_dbg_san/sql/sql_class.cc:1386
|
#5 0x55710f2085cc in prepare_new_connection_state(THD*) /test/11.0_dbg_san/sql/sql_connect.cc:1245
|
#6 0x55710f209d7a in thd_prepare_connection(THD*) /test/11.0_dbg_san/sql/sql_connect.cc:1339
|
#7 0x55710f20d134 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1406
|
#8 0x55710f20ddd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
|
#9 0x1503cf494b42 in start_thread nptl/pthread_create.c:442
|
|
|
Thread T13 created by T0 here:
|
#0 0x55710de42175 in pthread_create (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7908175)
|
#1 0x55710def898b in create_thread_to_handle_connection(CONNECT*) /test/11.0_dbg_san/sql/mysqld.cc:6129
|
#2 0x55710df05e67 in create_new_thread(CONNECT*) /test/11.0_dbg_san/sql/mysqld.cc:6191
|
#3 0x55710df066e7 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.0_dbg_san/sql/mysqld.cc:6253
|
#4 0x55710df07738 in handle_connections_sockets() /test/11.0_dbg_san/sql/mysqld.cc:6377
|
#5 0x55710df0eee7 in mysqld_main(int, char**) /test/11.0_dbg_san/sql/mysqld.cc:6024
|
#6 0x55710dee3eca in main /test/11.0_dbg_san/sql/main.cc:34
|
#7 0x1503cf429d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
|
|
SUMMARY: AddressSanitizer: use-after-poison /test/11.0_dbg_san/sql/item_func.cc:633 in Item_func::print_op(String*, enum_query_type)
|
Shadow bytes around the buggy address:
|
0x0c52800130e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c52800130f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5280013100: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5280013110: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5280013120: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
=>0x0c5280013130: f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7
|
0x0c5280013140: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5280013150: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5280013160: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5280013170: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5280013180: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==3605682==ABORTING
|
230515 11:10:45 [ERROR] mysqld got signal 6 ;
|
There's also MDEV-16128 but I'm not sure if it is related e.g. whether it had a similar cause.
The time logged in that ticket and MDEV-30073 makes me wonder how long MDEV-22534 will take, as my draft patch for that ticket exhibits similar symptoms (one needs to replace EXISTS by a IN in the testcase) which I've been trying to fix for a while now. I have not looked into the issue in the present ticket so I don't know whether the MDEV-22534 problem has the same cause as this one
I have done some debugging of the issue in the present ticket and it seems the MDEV-22534 problem has the same cause as this one, see my comment in that ticket[1]. So I'm stealing this ticket - let me know if there are any problems sanja.
A PoC patch that fixes MDEV-22534 (IN subquery) version of the issue: https://github.com/MariaDB/server/commit/fe2b867b499. Will adapt it to this ticket (EXISTS subquery) later
Indeed, the above patch can be adapted to fix this bug, but with two caveats, both caused by the use of fields related to perfschema instrumentation for detection of being inside a ps execution:
1. It only works for 10.5+, as the commit introducing the field PSI_statement_locker_state_v1::m_parent_prepared_stmt (0ea717f51a152afdb3791195c4a25ee0baa2faac) is included in 10.5+ only
2. It only works for non-embedded builds, as embedded implies DISABLE_ALL_PSI which causes THD::m_statement_state to be undefined
Here's the patch:
Updated patch after discussion with sanja - now it works with 10.4 and embedded.
Simplified problem description
The problem is the interplay between Name Resolution and Permanent Transformations.
The failure scenario is:
- Name Resolution creates "transient" Items (and may other objects)
- Permanent query transformations are done.
This creates data structures that should survive until the end of statement life but alas they also contain "transient" Items. - Cleanup is performed. Transient items are cleaned/freed. Permanent rewrites remain in effect. We get invalid data structures.
Description of steps in greater detail
1. Name Resolution creates transient items.
When name resolution is performed, "transient" item objects are created: Item_ref, Item_direct_[view_]ref, etc.
(TODO: are there other transient data structures besides items? Like select lists?)
2. Permanent transformations are done
Permanent Transformation modifies query data structures.
The modification is typically hard to undo and so it should remain in force for the duration of the statement.
Examples of such transformations are:
- Merging of mergeable VIEWs
- Conversion of Item_in_subselect predicates into semi-join join operations (TABLE_LISTs in the parent select)
- Conversion of Item_exists_subselect into Item_in_subselect.
- ...
one thing these transformations do is to move Items from one expression to another.
Note that they operate on Item trees which include "transient" items.
As a result, the query data structure is spaghetti of "permanent" and "transient" items.
3. Cleanup is performed
A cleanup operation frees the transient items and attempts to undo all the changes
that were made to the query data structures by Name Resolution.
(my speculation: why can't transient items be permanent? Because we can't do name resolution for them? Need to elaborate on this)
Thanks for the notes psergei, it is a higher level description and corroborates well with my analysis in [1].
Moving on to fixing it for the purpose this ticket, i.e. for exists2in and decorrelate-in transformations, with the risk of duplicating the work on MDEV-30073, I can think of two ways:
1. At the beginning of the transformation, detect whether transient items will cause problems, and skip the transformation if so. My patch for this ticket follows this idea, but the implementation is deemed inefficient, and it is not clear whether people want this as a temporary measure before MDEV-30073 is fixed.
2. During JOIN::prepare(), create permanent Item_refs etc. instead of transient ones. I don't know whether this would be a valid idea, because in the first place I don't know why they were created as transient.
I can confirm that bb-10.4-mdev-30073
34083cf34bc26a5cd95e56feffd01466f9f4917f passes the test in the
description.
igor Can you rebase your patch on 11.3 so that we can test
MDEV-22534 patches on top?
Additional testcase:
CREATE TABLE t1 (a INT,b INT,PRIMARY KEY(a)); |
CREATE TABLE t2 (a1 INT); |
PREPARE s FROM 'SELECT * FROM t1 HAVING 0 IN (SELECT a FROM t2 WHERE a IN (SELECT a FROM t2 WHERE b=a))'; |
EXECUTE s; |
SELECT a FROM t1; |
EXECUTE s; |
Leads to:
|
CS 11.8.1 33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d (Optimized) Build 15/02/2025 |
Core was generated by `/test/MD150225-mariadb-11.8.1-linux-x86_64-opt/bin/mariadbd --no-defaults --max'.
|
Program terminated with signal SIGSEGV, Segmentation fault.
|
#0 0x0000000000000006 in ?? ()
|
[Current thread is 1 (LWP 1521327)]
|
(gdb) bt
|
#0 0x0000000000000006 in ?? ()
|
#1 0x000055e5593ea1ef in Item::fix_fields_if_needed (this=0x14a674018ec8, thd=0x14a674000c68, ref=0x14a6740319b0) at /test/11.8_opt/sql/item.h:1168
|
#2 Item_func::fix_fields (this=0x14a674031928, thd=0x14a674000c68, ref=<optimized out>) at /test/11.8_opt/sql/item_func.cc:348
|
#3 0x000055e5593c1ede in Item::fix_fields_if_needed (this=0x14a674031928, thd=0x14a674000c68, ref=0x14a6740176d0) at /test/11.8_opt/sql/item.h:1168
|
#4 Item::fix_fields_if_needed_for_scalar (this=0x14a674031928, thd=0x14a674000c68, ref=0x14a6740176d0) at /test/11.8_opt/sql/item.h:1177
|
#5 Item::fix_fields_if_needed_for_bool (this=0x14a674031928, thd=0x14a674000c68, ref=0x14a6740176d0) at /test/11.8_opt/sql/item.h:1181
|
#6 Item_cond::fix_fields (this=0x14a6740175a8, thd=0x14a674000c68, ref=<optimized out>) at /test/11.8_opt/sql/item_cmpfunc.cc:5138
|
#7 0x000055e5590a4d84 in Item::fix_fields_if_needed (this=0x14a6740175a8, thd=0x14a674000c68, ref=0x14a674018448) at /test/11.8_opt/sql/item.h:1168
|
#8 Item::fix_fields_if_needed_for_scalar (this=0x14a6740175a8, thd=0x14a674000c68, ref=0x14a674018448) at /test/11.8_opt/sql/item.h:1177
|
#9 Item::fix_fields_if_needed_for_bool (this=0x14a6740175a8, thd=0x14a674000c68, ref=0x14a674018448) at /test/11.8_opt/sql/item.h:1181
|
#10 setup_conds (thd=0x14a674000c68, tables=tables@entry=0x14a67402cea8, leaves=<optimized out>, conds=0x14a674018448)at /test/11.8_opt/sql/sql_base.cc:8885
|
#11 0x000055e55914bc89 in setup_without_group (thd=0x14a674018ec8, ref_pointer_array={m_array = 0x14a674030c18, m_size = 9}, tables=0x14a67402cea8, leaves=<error reading variable: Cannot access memory at address 0x1>, fields=@0x14a67402cb20: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14a67402ce58, last = 0x14a67402ce58, elements = 1}, <No data fields>}, all_fields=@0x14a674018360: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14a67402ce58, last = 0x14a67402ce58, elements = 1}, <No data fields>}, conds=0x14a674018448, order=0x0, group=0x0, win_specs=@0x14a67402cce8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55e55a34b340 <end_of_list>, last = 0x14a67402cce8, elements = 0}, <No data fields>}, win_funcs=@0x14a67402cd08: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55e55a34b340 <end_of_list>, last = 0x14a67402cd08, elements = 0}, <No data fields>}, hidden_group_fields=0x14a67401830f)at /test/11.8_opt/sql/sql_select.cc:955
|
#12 0x000055e55914b0cb in JOIN::prepare (this=0x14a674017fc0, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x14a67402c868, unit_arg=0x14a67402f3e8)at /test/11.8_opt/sql/sql_select.cc:1577
|
#13 0x000055e559458b01 in subselect_single_select_engine::prepare (this=0x14a67402fe70, thd=0x14a674000c68)at /test/11.8_opt/sql/item_subselect.cc:3981
|
#14 0x000055e55944fd5c in Item_subselect::fix_fields (this=this@entry=0x14a67402fc38, thd_param=thd_param@entry=0x14a674000c68, ref=ref@entry=0x14a674030f50) at /test/11.8_opt/sql/item_subselect.cc:294
|
#15 0x000055e55945803c in Item_in_subselect::fix_fields (this=0x14a67402fc38, thd_arg=0x14a674000c68, ref=0x14a674030f50)at /test/11.8_opt/sql/item_subselect.cc:3620
|
#16 0x000055e5593b8792 in Item::fix_fields_if_needed (this=0x14a674018ec8, thd=0x14a674000c68, ref=0x14a6740319b0) at /test/11.8_opt/sql/item.h:1168
|
#17 Item_in_optimizer::fix_fields (this=0x14a674030ec8, thd=0x14a674000c68, ref=<optimized out>) at /test/11.8_opt/sql/item_cmpfunc.cc:1507
|
#18 0x000055e55914b34d in Item::fix_fields_if_needed (this=0x14a674030ec8, thd=0x14a674000c68, ref=0x14a674017a00) at /test/11.8_opt/sql/item.h:1168
|
#19 Item::fix_fields_if_needed_for_scalar (this=0x14a674030ec8, thd=0x14a674000c68, ref=0x14a674017a00) at /test/11.8_opt/sql/item.h:1177
|
#20 Item::fix_fields_if_needed_for_bool (this=0x14a674030ec8, thd=0x14a674000c68, ref=0x14a674017a00) at /test/11.8_opt/sql/item.h:1181
|
#21 JOIN::prepare (this=this@entry=0x14a6740177f8, tables_init=tables_init@entry=0x14a67402c0a8, conds_init=conds_init@entry=0x0, og_num=og_num@entry=0, order_init=order_init@entry=0x0, skip_order_by=false, group_init=0x0, having_init=0x14a674030ec8, proc_param_init=0x0, select_lex_arg=0x14a67402ba70, unit_arg=0x14a674029cc8)at /test/11.8_opt/sql/sql_select.cc:1634
|
#22 0x000055e559147261 in mysql_select (thd=thd@entry=0x14a674000c68, tables=0x14a67402c0a8, fields=@0x14a67402bd28: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14a67402c058, last = 0x14a6740309b8, elements = 2}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x14a674030ec8, proc_param=0x0, select_options=<optimized out>, result=0x14a674030720, unit=0x14a674029cc8, select_lex=0x14a67402ba70)at /test/11.8_opt/sql/sql_select.cc:5350
|
#23 0x000055e559147019 in handle_select (thd=thd@entry=0x14a674000c68, lex=lex@entry=0x14a674029be8, result=result@entry=0x14a674030720, setup_tables_done_option=setup_tables_done_option@entry=0)at /test/11.8_opt/sql/sql_select.cc:633
|
#24 0x000055e5591145ee in execute_sqlcom_select (thd=thd@entry=0x14a674000c68, all_tables=0x14a67402c0a8) at /test/11.8_opt/sql/sql_parse.cc:6191
|
#25 0x000055e559112ae0 in mysql_execute_command (thd=0x14a674000c68, is_called_from_prepared_stmt=true) at /test/11.8_opt/sql/sql_parse.cc:3979
|
#26 0x000055e5591378d6 in Prepared_statement::execute (this=this@entry=0x14a674021a18, expanded_query=expanded_query@entry=0x14a6c21b2d88, open_cursor=false)at /test/11.8_opt/sql/sql_prepare.cc:5084
|
#27 0x000055e5591359a2 in Prepared_statement::execute_loop (this=this@entry=0x14a674021a18, expanded_query=expanded_query@entry=0x14a6c21b2d88, open_cursor=<optimized out>, packet=packet@entry=0x0, packet_end=packet_end@entry=0x0) at /test/11.8_opt/sql/sql_prepare.cc:4448
|
#28 0x000055e5591357e0 in mysql_sql_stmt_execute (thd=thd@entry=0x14a674000c68)at /test/11.8_opt/sql/sql_prepare.cc:3460
|
#29 0x000055e5591100fc in mysql_execute_command (thd=thd@entry=0x14a674000c68, is_called_from_prepared_stmt=false) at /test/11.8_opt/sql/sql_parse.cc:3995
|
#30 0x000055e55910b341 in mysql_parse (thd=thd@entry=0x14a674000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14a6c21b3430)at /test/11.8_opt/sql/sql_parse.cc:7915
|
#31 0x000055e5591097d0 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14a674000c68, packet=packet@entry=0x14a6740088a9 "EXECUTE s", packet_length=packet_length@entry=9, blocking=true)at /test/11.8_opt/sql/sql_parse.cc:1902
|
#32 0x000055e55910b751 in do_command (thd=thd@entry=0x14a674000c68, blocking=true) at /test/11.8_opt/sql/sql_parse.cc:1415
|
#33 0x000055e559236f8d in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55e55c563e28, put_in_cache=true)at /test/11.8_opt/sql/sql_connect.cc:1415
|
#34 0x000055e559236d4f in handle_one_connection (arg=arg@entry=0x55e55c563e28)at /test/11.8_opt/sql/sql_connect.cc:1327
|
#35 0x000055e5595bbe29 in pfs_spawn_thread (arg=0x55e55c510718)at /test/11.8_opt/storage/perfschema/pfs.cc:2198
|
#36 0x000014a6ce29ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
|
#37 0x000014a6ce329c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
As well as a variety of other stacks. All stacks seen:
SIGABRT|__gnu_cxx::__verbose_terminate_handler|__cxxabiv1::__terminate|std::terminate|__cxxabiv1::__cxa_pure_virtual
|
SIGSEGV|Item::fix_fields_if_needed|Item_func::fix_fields|Item::fix_fields_if_needed|Item::fix_fields_if_needed_for_scalar
|
SIGSEGV|Item::print_parenthesised|Item_func::print_op|Item_bool_rowready_func2::print|Item::print_parenthesised
|
SIGSEGV|Item_func::fix_func_arg|Item_func::fix_fields|Item_cond::fix_fields|st_select_lex::setup_conds
|
As well as various UBSAN and ASAN issues (scroll down in each log to see details):
|
CS 11.8.1 33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d (Optimized, UBASAN, Clang) Build 15/02/2025 |
/test/11.8_opt_san/sql/item_func.cc:348:19: runtime error: member call on address 0x52d0003c1f20 which does not point to an object of type 'Item'
|
0x52d0003c1f20: note: object has a possibly invalid vptr: abs(offset to top) too big
|
b0 52 00 00 c8 04 3c 00 d0 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00 37 56 00 00 00 00 00 00
|
^~~~~~~~~~~~~~~~~~~~~~~
|
possibly invalid vptr
|
#0 0x563742b1b477 in Item_func::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_func.cc:348:19
|
#1 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.8_opt_san/sql/item.h:1177:12
|
#2 0x563742a6754d in Item::fix_fields_if_needed_for_bool(THD*, Item**) /test/11.8_opt_san/sql/item.h:1181:12
|
#3 0x563742a6754d in Item_cond::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_cmpfunc.cc:5138:15
|
#4 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.8_opt_san/sql/item.h:1177:12
|
#5 0x5637418472c2 in Item::fix_fields_if_needed_for_bool(THD*, Item**) /test/11.8_opt_san/sql/item.h:1181:12
|
#6 0x5637418472c2 in setup_conds(THD*, TABLE_LIST*, List<TABLE_LIST>&, Item**) /test/11.8_opt_san/sql/sql_base.cc:8885:19
|
#7 0x563741c1f912 in setup_without_group(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<TABLE_LIST>&, List<Item>&, List<Item>&, Item**, st_order*, st_order*, List<Window_spec>&, List<Item_window_func>&, bool*) /test/11.8_opt_san/sql/sql_select.cc:955:8
|
#8 0x563741c18e27 in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.8_opt_san/sql/sql_select.cc:1577:7
|
#9 0x563742d54e60 in subselect_single_select_engine::prepare(THD*) /test/11.8_opt_san/sql/item_subselect.cc:3981:13
|
#10 0x563742d1140a in Item_subselect::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_subselect.cc:294:22
|
#11 0x563742d4e297 in Item_in_subselect::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_subselect.cc:3620:23
|
#12 0x563742a293b8 in Item_in_optimizer::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_cmpfunc.cc:1507:16
|
#13 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.8_opt_san/sql/item.h:1177:12
|
#14 0x563741c19cc3 in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.8_opt_san/sql/sql_select.cc:1634:33
|
#15 0x563741c0bd4c in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.8_opt_san/sql/sql_select.cc:5350:21
|
#16 0x563741c0ad90 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.8_opt_san/sql/sql_select.cc:633:10
|
#17 0x563741af66b1 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/11.8_opt_san/sql/sql_parse.cc:6191:12
|
#18 0x563741ad77cd in mysql_execute_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:3979:12
|
#19 0x563741bb4809 in Prepared_statement::execute(String*, bool) /test/11.8_opt_san/sql/sql_prepare.cc:5084:14
|
#20 0x563741b9ff1f in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /test/11.8_opt_san/sql/sql_prepare.cc:4448:10
|
#21 0x563741b9f157 in mysql_sql_stmt_execute(THD*) /test/11.8_opt_san/sql/sql_prepare.cc:3460:16
|
#22 0x563741ad9d47 in mysql_execute_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:3995:5
|
#23 0x563741ab8600 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_opt_san/sql/sql_parse.cc:7915:18
|
#24 0x563741aaf8c6 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_opt_san/sql/sql_parse.cc:1902:7
|
#25 0x563741aba8c6 in do_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:1415:17
|
#26 0x563742140f5c in do_handle_one_connection(CONNECT*, bool) /test/11.8_opt_san/sql/sql_connect.cc:1415:11
|
#27 0x5637421407b6 in handle_one_connection /test/11.8_opt_san/sql/sql_connect.cc:1327:5
|
#28 0x5637414fc99c in asan_thread_start(void*) asan_interceptors.cpp.o
|
#29 0x14888429ca93 in start_thread nptl/pthread_create.c:447:8
|
#30 0x148884329c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
|
|
SUMMARY: UndefinedBehaviorSanitizer: dynamic-type-mismatch /test/11.8_opt_san/sql/item_func.cc:348:19
|
/test/11.8_opt_san/sql/item.h:1168:12: runtime error: member call on address 0x52d0003c1f20 which does not point to an object of type 'Item'
|
0x52d0003c1f20: note: object has a possibly invalid vptr: abs(offset to top) too big
|
b0 52 00 00 c8 04 3c 00 d0 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00 37 56 00 00 00 00 00 00
|
^~~~~~~~~~~~~~~~~~~~~~~
|
possibly invalid vptr
|
#0 0x5637416b3fa6 in Item::fix_fields_if_needed(THD*, Item**) /test/11.8_opt_san/sql/item.h:1168:12
|
#1 0x563742b1b0f7 in Item_func::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_func.cc:348:19
|
#2 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.8_opt_san/sql/item.h:1177:12
|
#3 0x563742a6754d in Item::fix_fields_if_needed_for_bool(THD*, Item**) /test/11.8_opt_san/sql/item.h:1181:12
|
#4 0x563742a6754d in Item_cond::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_cmpfunc.cc:5138:15
|
#5 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.8_opt_san/sql/item.h:1177:12
|
#6 0x5637418472c2 in Item::fix_fields_if_needed_for_bool(THD*, Item**) /test/11.8_opt_san/sql/item.h:1181:12
|
#7 0x5637418472c2 in setup_conds(THD*, TABLE_LIST*, List<TABLE_LIST>&, Item**) /test/11.8_opt_san/sql/sql_base.cc:8885:19
|
#8 0x563741c1f912 in setup_without_group(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<TABLE_LIST>&, List<Item>&, List<Item>&, Item**, st_order*, st_order*, List<Window_spec>&, List<Item_window_func>&, bool*) /test/11.8_opt_san/sql/sql_select.cc:955:8
|
#9 0x563741c18e27 in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.8_opt_san/sql/sql_select.cc:1577:7
|
#10 0x563742d54e60 in subselect_single_select_engine::prepare(THD*) /test/11.8_opt_san/sql/item_subselect.cc:3981:13
|
#11 0x563742d1140a in Item_subselect::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_subselect.cc:294:22
|
#12 0x563742d4e297 in Item_in_subselect::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_subselect.cc:3620:23
|
#13 0x563742a293b8 in Item_in_optimizer::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_cmpfunc.cc:1507:16
|
#14 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.8_opt_san/sql/item.h:1177:12
|
#15 0x563741c19cc3 in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.8_opt_san/sql/sql_select.cc:1634:33
|
#16 0x563741c0bd4c in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.8_opt_san/sql/sql_select.cc:5350:21
|
#17 0x563741c0ad90 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.8_opt_san/sql/sql_select.cc:633:10
|
#18 0x563741af66b1 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/11.8_opt_san/sql/sql_parse.cc:6191:12
|
#19 0x563741ad77cd in mysql_execute_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:3979:12
|
#20 0x563741bb4809 in Prepared_statement::execute(String*, bool) /test/11.8_opt_san/sql/sql_prepare.cc:5084:14
|
#21 0x563741b9ff1f in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /test/11.8_opt_san/sql/sql_prepare.cc:4448:10
|
#22 0x563741b9f157 in mysql_sql_stmt_execute(THD*) /test/11.8_opt_san/sql/sql_prepare.cc:3460:16
|
#23 0x563741ad9d47 in mysql_execute_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:3995:5
|
#24 0x563741ab8600 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_opt_san/sql/sql_parse.cc:7915:18
|
#25 0x563741aaf8c6 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_opt_san/sql/sql_parse.cc:1902:7
|
#26 0x563741aba8c6 in do_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:1415:17
|
#27 0x563742140f5c in do_handle_one_connection(CONNECT*, bool) /test/11.8_opt_san/sql/sql_connect.cc:1415:11
|
#28 0x5637421407b6 in handle_one_connection /test/11.8_opt_san/sql/sql_connect.cc:1327:5
|
#29 0x5637414fc99c in asan_thread_start(void*) asan_interceptors.cpp.o
|
#30 0x14888429ca93 in start_thread nptl/pthread_create.c:447:8
|
#31 0x148884329c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
|
|
SUMMARY: UndefinedBehaviorSanitizer: dynamic-type-mismatch /test/11.8_opt_san/sql/item.h:1168:12
|
/test/11.8_opt_san/sql/item.h:1089:20: runtime error: member access within address 0x52d0003c1f20 which does not point to an object of type 'const Item'
|
0x52d0003c1f20: note: object has a possibly invalid vptr: abs(offset to top) too big
|
b0 52 00 00 c8 04 3c 00 d0 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00 37 56 00 00 00 00 00 00
|
^~~~~~~~~~~~~~~~~~~~~~~
|
possibly invalid vptr
|
#0 0x5637416b3fd4 in Item::fixed() const /test/11.8_opt_san/sql/item.h:1089:20
|
#1 0x5637416b3fd4 in Item::fix_fields_if_needed(THD*, Item**) /test/11.8_opt_san/sql/item.h:1168:12
|
#2 0x563742b1b0f7 in Item_func::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_func.cc:348:19
|
#3 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.8_opt_san/sql/item.h:1177:12
|
#4 0x563742a6754d in Item::fix_fields_if_needed_for_bool(THD*, Item**) /test/11.8_opt_san/sql/item.h:1181:12
|
#5 0x563742a6754d in Item_cond::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_cmpfunc.cc:5138:15
|
#6 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.8_opt_san/sql/item.h:1177:12
|
#7 0x5637418472c2 in Item::fix_fields_if_needed_for_bool(THD*, Item**) /test/11.8_opt_san/sql/item.h:1181:12
|
#8 0x5637418472c2 in setup_conds(THD*, TABLE_LIST*, List<TABLE_LIST>&, Item**) /test/11.8_opt_san/sql/sql_base.cc:8885:19
|
#9 0x563741c1f912 in setup_without_group(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<TABLE_LIST>&, List<Item>&, List<Item>&, Item**, st_order*, st_order*, List<Window_spec>&, List<Item_window_func>&, bool*) /test/11.8_opt_san/sql/sql_select.cc:955:8
|
#10 0x563741c18e27 in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.8_opt_san/sql/sql_select.cc:1577:7
|
#11 0x563742d54e60 in subselect_single_select_engine::prepare(THD*) /test/11.8_opt_san/sql/item_subselect.cc:3981:13
|
#12 0x563742d1140a in Item_subselect::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_subselect.cc:294:22
|
#13 0x563742d4e297 in Item_in_subselect::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_subselect.cc:3620:23
|
#14 0x563742a293b8 in Item_in_optimizer::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_cmpfunc.cc:1507:16
|
#15 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.8_opt_san/sql/item.h:1177:12
|
#16 0x563741c19cc3 in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.8_opt_san/sql/sql_select.cc:1634:33
|
#17 0x563741c0bd4c in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.8_opt_san/sql/sql_select.cc:5350:21
|
#18 0x563741c0ad90 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.8_opt_san/sql/sql_select.cc:633:10
|
#19 0x563741af66b1 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/11.8_opt_san/sql/sql_parse.cc:6191:12
|
#20 0x563741ad77cd in mysql_execute_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:3979:12
|
#21 0x563741bb4809 in Prepared_statement::execute(String*, bool) /test/11.8_opt_san/sql/sql_prepare.cc:5084:14
|
#22 0x563741b9ff1f in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /test/11.8_opt_san/sql/sql_prepare.cc:4448:10
|
#23 0x563741b9f157 in mysql_sql_stmt_execute(THD*) /test/11.8_opt_san/sql/sql_prepare.cc:3460:16
|
#24 0x563741ad9d47 in mysql_execute_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:3995:5
|
#25 0x563741ab8600 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_opt_san/sql/sql_parse.cc:7915:18
|
#26 0x563741aaf8c6 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_opt_san/sql/sql_parse.cc:1902:7
|
#27 0x563741aba8c6 in do_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:1415:17
|
#28 0x563742140f5c in do_handle_one_connection(CONNECT*, bool) /test/11.8_opt_san/sql/sql_connect.cc:1415:11
|
#29 0x5637421407b6 in handle_one_connection /test/11.8_opt_san/sql/sql_connect.cc:1327:5
|
#30 0x5637414fc99c in asan_thread_start(void*) asan_interceptors.cpp.o
|
#31 0x14888429ca93 in start_thread nptl/pthread_create.c:447:8
|
#32 0x148884329c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
|
|
SUMMARY: UndefinedBehaviorSanitizer: dynamic-type-mismatch /test/11.8_opt_san/sql/item.h:1089:20
|
=================================================================
|
==1604938==ERROR: AddressSanitizer: use-after-poison on address 0x52d0003c1f88 at pc 0x5637416b3f88 bp 0x1488572ff5d0 sp 0x1488572ff5c8
|
READ of size 1 at 0x52d0003c1f88 thread T9
|
#0 0x5637416b3f87 in Item::fixed() const /test/11.8_opt_san/sql/item.h:1089:20
|
#1 0x5637416b3f87 in Item::fix_fields_if_needed(THD*, Item**) /test/11.8_opt_san/sql/item.h:1168:12
|
#2 0x563742b1b0f7 in Item_func::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_func.cc:348:19
|
#3 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.8_opt_san/sql/item.h:1177:12
|
#4 0x563742a6754d in Item::fix_fields_if_needed_for_bool(THD*, Item**) /test/11.8_opt_san/sql/item.h:1181:12
|
#5 0x563742a6754d in Item_cond::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_cmpfunc.cc:5138:15
|
#6 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.8_opt_san/sql/item.h:1177:12
|
#7 0x5637418472c2 in Item::fix_fields_if_needed_for_bool(THD*, Item**) /test/11.8_opt_san/sql/item.h:1181:12
|
#8 0x5637418472c2 in setup_conds(THD*, TABLE_LIST*, List<TABLE_LIST>&, Item**) /test/11.8_opt_san/sql/sql_base.cc:8885:19
|
#9 0x563741c1f912 in setup_without_group(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<TABLE_LIST>&, List<Item>&, List<Item>&, Item**, st_order*, st_order*, List<Window_spec>&, List<Item_window_func>&, bool*) /test/11.8_opt_san/sql/sql_select.cc:955:8
|
#10 0x563741c18e27 in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.8_opt_san/sql/sql_select.cc:1577:7
|
#11 0x563742d54e60 in subselect_single_select_engine::prepare(THD*) /test/11.8_opt_san/sql/item_subselect.cc:3981:13
|
#12 0x563742d1140a in Item_subselect::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_subselect.cc:294:22
|
#13 0x563742d4e297 in Item_in_subselect::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_subselect.cc:3620:23
|
#14 0x563742a293b8 in Item_in_optimizer::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_cmpfunc.cc:1507:16
|
#15 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.8_opt_san/sql/item.h:1177:12
|
#16 0x563741c19cc3 in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.8_opt_san/sql/sql_select.cc:1634:33
|
#17 0x563741c0bd4c in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.8_opt_san/sql/sql_select.cc:5350:21
|
#18 0x563741c0ad90 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.8_opt_san/sql/sql_select.cc:633:10
|
#19 0x563741af66b1 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/11.8_opt_san/sql/sql_parse.cc:6191:12
|
#20 0x563741ad77cd in mysql_execute_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:3979:12
|
#21 0x563741bb4809 in Prepared_statement::execute(String*, bool) /test/11.8_opt_san/sql/sql_prepare.cc:5084:14
|
#22 0x563741b9ff1f in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /test/11.8_opt_san/sql/sql_prepare.cc:4448:10
|
#23 0x563741b9f157 in mysql_sql_stmt_execute(THD*) /test/11.8_opt_san/sql/sql_prepare.cc:3460:16
|
#24 0x563741ad9d47 in mysql_execute_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:3995:5
|
#25 0x563741ab8600 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_opt_san/sql/sql_parse.cc:7915:18
|
#26 0x563741aaf8c6 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_opt_san/sql/sql_parse.cc:1902:7
|
#27 0x563741aba8c6 in do_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:1415:17
|
#28 0x563742140f5c in do_handle_one_connection(CONNECT*, bool) /test/11.8_opt_san/sql/sql_connect.cc:1415:11
|
#29 0x5637421407b6 in handle_one_connection /test/11.8_opt_san/sql/sql_connect.cc:1327:5
|
#30 0x5637414fc99c in asan_thread_start(void*) asan_interceptors.cpp.o
|
#31 0x14888429ca93 in start_thread nptl/pthread_create.c:447:8
|
#32 0x148884329c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
|
|
0x52d0003c1f88 is located 7048 bytes inside of 32760-byte region [0x52d0003c0400,0x52d0003c83f8)
|
allocated by thread T9 here:
|
#0 0x5637414feeb3 in malloc (/test/UBASAN_MD150225-mariadb-11.8.1-linux-x86_64-opt/bin/mariadbd+0x1e71eb3) (BuildId: f3e199ef88d6788e4e27c5ca38da7ab62bc11a54)
|
#1 0x563743f4fb62 in my_malloc /test/11.8_opt_san/mysys/my_malloc.c:93:29
|
#2 0x563743f2b913 in reset_root_defaults /test/11.8_opt_san/mysys/my_alloc.c:247:30
|
#3 0x56374189b834 in THD::init_for_queries() /test/11.8_opt_san/sql/sql_class.cc:1526:3
|
#4 0x56374213f790 in prepare_new_connection_state(THD*) /test/11.8_opt_san/sql/sql_connect.cc:1253:8
|
#5 0x563742142fa7 in thd_prepare_connection(THD*) /test/11.8_opt_san/sql/sql_connect.cc:1348:3
|
#6 0x563742140f41 in do_handle_one_connection(CONNECT*, bool) /test/11.8_opt_san/sql/sql_connect.cc:1405:9
|
#7 0x5637421407b6 in handle_one_connection /test/11.8_opt_san/sql/sql_connect.cc:1327:5
|
#8 0x5637414fc99c in asan_thread_start(void*) asan_interceptors.cpp.o
|
|
|
Thread T9 created by T0 here:
|
#0 0x5637414e4825 in pthread_create (/test/UBASAN_MD150225-mariadb-11.8.1-linux-x86_64-opt/bin/mariadbd+0x1e57825) (BuildId: f3e199ef88d6788e4e27c5ca38da7ab62bc11a54)
|
#1 0x56374154f7b1 in create_thread_to_handle_connection(CONNECT*) /test/11.8_opt_san/sql/mysqld.cc:6261:19
|
#2 0x56374155099a in handle_connections_sockets() /test/11.8_opt_san/sql/mysqld.cc:6497:9
|
#3 0x56374154eb00 in run_main_loop() /test/11.8_opt_san/sql/mysqld.cc:5739:3
|
#4 0x563741545f21 in mysqld_main(int, char**) /test/11.8_opt_san/sql/mysqld.cc:6162:3
|
#5 0x14888422a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
|
#6 0x14888422a28a in __libc_start_main csu/../csu/libc-start.c:360:3
|
#7 0x563741464064 in _start (/test/UBASAN_MD150225-mariadb-11.8.1-linux-x86_64-opt/bin/mariadbd+0x1dd7064) (BuildId: f3e199ef88d6788e4e27c5ca38da7ab62bc11a54)
|
|
|
SUMMARY: AddressSanitizer: use-after-poison /test/11.8_opt_san/sql/item.h:1089:20 in Item::fixed() const
|
Shadow bytes around the buggy address:
|
0x52d0003c1d00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x52d0003c1d80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x52d0003c1e00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x52d0003c1e80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x52d0003c1f00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
=>0x52d0003c1f80: f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x52d0003c2000: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x52d0003c2080: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x52d0003c2100: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x52d0003c2180: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x52d0003c2200: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
==1604938==ABORTING
|
250219 14:09:58 [ERROR] /test/UBASAN_MD150225-mariadb-11.8.1-linux-x86_64-opt/bin/mariadbd got signal 6 ;
|
|
CS 11.8.1 33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d (Debug, UBASAN, Clang) Build 15/02/2025 |
/test/11.8_dbg_san/sql/item_func.cc:645:22: runtime error: member call on address 0x52d0003c1f40 which does not point to an object of type 'Item'
|
0x52d0003c1f40: note: object has invalid vptr
|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 ba fc a3 1a 56 00 00 07 00 00 00
|
^~~~~~~~~~~~~~~~~~~~~~~
|
invalid vptr
|
#0 0x561aa0346c1d in Item_func::print_op(String*, enum_query_type) /test/11.8_dbg_san/sql/item_func.cc:645:22
|
#1 0x561aa012949d in Item::print_parenthesised(String*, enum_query_type, precedence) /test/11.8_dbg_san/sql/item.cc:518:5
|
#2 0x561aa02915fa in Item_cond::print(String*, enum_query_type) /test/11.8_dbg_san/sql/item_cmpfunc.cc:5573:11
|
#3 0x561aa01eb2ec in dbug_print_item(Item*) /test/11.8_dbg_san/sql/item.cc:11296:9
|
#4 0x561a9f39671d in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.8_dbg_san/sql/sql_select.cc:1442:3
|
#5 0x561aa059c848 in subselect_single_select_engine::prepare(THD*) /test/11.8_dbg_san/sql/item_subselect.cc:3981:13
|
#6 0x561aa054cdd6 in Item_subselect::fix_fields(THD*, Item**) /test/11.8_dbg_san/sql/item_subselect.cc:294:22
|
#7 0x561aa0594244 in Item_in_subselect::fix_fields(THD*, Item**) /test/11.8_dbg_san/sql/item_subselect.cc:3620:23
|
#8 0x561aa0246c25 in Item_in_optimizer::fix_fields(THD*, Item**) /test/11.8_dbg_san/sql/item_cmpfunc.cc:1507:16
|
#9 0x561a9edddcfb in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.8_dbg_san/sql/item.h:1177:12
|
#10 0x561a9f39a1bb in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.8_dbg_san/sql/sql_select.cc:1634:33
|
#11 0x561a9f38b6b2 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.8_dbg_san/sql/sql_select.cc:5350:21
|
#12 0x561a9f38a102 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.8_dbg_san/sql/sql_select.cc:633:10
|
#13 0x561a9f25f107 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/11.8_dbg_san/sql/sql_parse.cc:6191:12
|
#14 0x561a9f24ae05 in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:3979:12
|
#15 0x561a9f3245be in Prepared_statement::execute(String*, bool) /test/11.8_dbg_san/sql/sql_prepare.cc:5084:14
|
#16 0x561a9f30f6b7 in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /test/11.8_dbg_san/sql/sql_prepare.cc:4448:10
|
#17 0x561a9f30e77c in mysql_sql_stmt_execute(THD*) /test/11.8_dbg_san/sql/sql_prepare.cc:3460:16
|
#18 0x561a9f2425d4 in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:3995:5
|
#19 0x561a9f21a628 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_dbg_san/sql/sql_parse.cc:7915:18
|
#20 0x561a9f20e6eb in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1902:7
|
#21 0x561a9f21d04d in do_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1415:17
|
#22 0x561a9f8e5cfc in do_handle_one_connection(CONNECT*, bool) /test/11.8_dbg_san/sql/sql_connect.cc:1415:11
|
#23 0x561a9f8e55b7 in handle_one_connection /test/11.8_dbg_san/sql/sql_connect.cc:1327:5
|
#24 0x561a9ec11d9c in asan_thread_start(void*) asan_interceptors.cpp.o
|
#25 0x14c2e909ca93 in start_thread nptl/pthread_create.c:447:8
|
#26 0x14c2e9129c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
|
|
SUMMARY: UndefinedBehaviorSanitizer: dynamic-type-mismatch /test/11.8_dbg_san/sql/item_func.cc:645:22
|
/test/11.8_dbg_san/sql/item.cc:512:21: runtime error: member call on address 0x52d0003c1f40 which does not point to an object of type 'Item'
|
0x52d0003c1f40: note: object has invalid vptr
|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 ba fc a3 1a 56 00 00 07 00 00 00
|
^~~~~~~~~~~~~~~~~~~~~~~
|
invalid vptr
|
#0 0x561aa01294c5 in Item::print_parenthesised(String*, enum_query_type, precedence) /test/11.8_dbg_san/sql/item.cc:512:21
|
#1 0x561aa0346ac8 in Item_func::print_op(String*, enum_query_type) /test/11.8_dbg_san/sql/item_func.cc:645:22
|
#2 0x561aa012949d in Item::print_parenthesised(String*, enum_query_type, precedence) /test/11.8_dbg_san/sql/item.cc:518:5
|
#3 0x561aa02915fa in Item_cond::print(String*, enum_query_type) /test/11.8_dbg_san/sql/item_cmpfunc.cc:5573:11
|
#4 0x561aa01eb2ec in dbug_print_item(Item*) /test/11.8_dbg_san/sql/item.cc:11296:9
|
#5 0x561a9f39671d in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.8_dbg_san/sql/sql_select.cc:1442:3
|
#6 0x561aa059c848 in subselect_single_select_engine::prepare(THD*) /test/11.8_dbg_san/sql/item_subselect.cc:3981:13
|
#7 0x561aa054cdd6 in Item_subselect::fix_fields(THD*, Item**) /test/11.8_dbg_san/sql/item_subselect.cc:294:22
|
#8 0x561aa0594244 in Item_in_subselect::fix_fields(THD*, Item**) /test/11.8_dbg_san/sql/item_subselect.cc:3620:23
|
#9 0x561aa0246c25 in Item_in_optimizer::fix_fields(THD*, Item**) /test/11.8_dbg_san/sql/item_cmpfunc.cc:1507:16
|
#10 0x561a9edddcfb in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.8_dbg_san/sql/item.h:1177:12
|
#11 0x561a9f39a1bb in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.8_dbg_san/sql/sql_select.cc:1634:33
|
#12 0x561a9f38b6b2 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.8_dbg_san/sql/sql_select.cc:5350:21
|
#13 0x561a9f38a102 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.8_dbg_san/sql/sql_select.cc:633:10
|
#14 0x561a9f25f107 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/11.8_dbg_san/sql/sql_parse.cc:6191:12
|
#15 0x561a9f24ae05 in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:3979:12
|
#16 0x561a9f3245be in Prepared_statement::execute(String*, bool) /test/11.8_dbg_san/sql/sql_prepare.cc:5084:14
|
#17 0x561a9f30f6b7 in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /test/11.8_dbg_san/sql/sql_prepare.cc:4448:10
|
#18 0x561a9f30e77c in mysql_sql_stmt_execute(THD*) /test/11.8_dbg_san/sql/sql_prepare.cc:3460:16
|
#19 0x561a9f2425d4 in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:3995:5
|
#20 0x561a9f21a628 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_dbg_san/sql/sql_parse.cc:7915:18
|
#21 0x561a9f20e6eb in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1902:7
|
#22 0x561a9f21d04d in do_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1415:17
|
#23 0x561a9f8e5cfc in do_handle_one_connection(CONNECT*, bool) /test/11.8_dbg_san/sql/sql_connect.cc:1415:11
|
#24 0x561a9f8e55b7 in handle_one_connection /test/11.8_dbg_san/sql/sql_connect.cc:1327:5
|
#25 0x561a9ec11d9c in asan_thread_start(void*) asan_interceptors.cpp.o
|
#26 0x14c2e909ca93 in start_thread nptl/pthread_create.c:447:8
|
#27 0x14c2e9129c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
|
|
SUMMARY: UndefinedBehaviorSanitizer: dynamic-type-mismatch /test/11.8_dbg_san/sql/item.cc:512:21
|
=================================================================
|
==1617400==ERROR: AddressSanitizer: use-after-poison on address 0x52d0003c1f40 at pc 0x561aa012956d bp 0x14c2b90ff670 sp 0x14c2b90ff668
|
READ of size 8 at 0x52d0003c1f40 thread T12
|
#0 0x561aa012956c in Item::print_parenthesised(String*, enum_query_type, precedence) /test/11.8_dbg_san/sql/item.cc:512:21
|
#1 0x561aa0346ac8 in Item_func::print_op(String*, enum_query_type) /test/11.8_dbg_san/sql/item_func.cc:645:22
|
#2 0x561aa012949d in Item::print_parenthesised(String*, enum_query_type, precedence) /test/11.8_dbg_san/sql/item.cc:518:5
|
#3 0x561aa02915fa in Item_cond::print(String*, enum_query_type) /test/11.8_dbg_san/sql/item_cmpfunc.cc:5573:11
|
#4 0x561aa01eb2ec in dbug_print_item(Item*) /test/11.8_dbg_san/sql/item.cc:11296:9
|
#5 0x561a9f39671d in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.8_dbg_san/sql/sql_select.cc:1442:3
|
#6 0x561aa059c848 in subselect_single_select_engine::prepare(THD*) /test/11.8_dbg_san/sql/item_subselect.cc:3981:13
|
#7 0x561aa054cdd6 in Item_subselect::fix_fields(THD*, Item**) /test/11.8_dbg_san/sql/item_subselect.cc:294:22
|
#8 0x561aa0594244 in Item_in_subselect::fix_fields(THD*, Item**) /test/11.8_dbg_san/sql/item_subselect.cc:3620:23
|
#9 0x561aa0246c25 in Item_in_optimizer::fix_fields(THD*, Item**) /test/11.8_dbg_san/sql/item_cmpfunc.cc:1507:16
|
#10 0x561a9edddcfb in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.8_dbg_san/sql/item.h:1177:12
|
#11 0x561a9f39a1bb in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.8_dbg_san/sql/sql_select.cc:1634:33
|
#12 0x561a9f38b6b2 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.8_dbg_san/sql/sql_select.cc:5350:21
|
#13 0x561a9f38a102 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.8_dbg_san/sql/sql_select.cc:633:10
|
#14 0x561a9f25f107 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/11.8_dbg_san/sql/sql_parse.cc:6191:12
|
#15 0x561a9f24ae05 in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:3979:12
|
#16 0x561a9f3245be in Prepared_statement::execute(String*, bool) /test/11.8_dbg_san/sql/sql_prepare.cc:5084:14
|
#17 0x561a9f30f6b7 in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /test/11.8_dbg_san/sql/sql_prepare.cc:4448:10
|
#18 0x561a9f30e77c in mysql_sql_stmt_execute(THD*) /test/11.8_dbg_san/sql/sql_prepare.cc:3460:16
|
#19 0x561a9f2425d4 in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:3995:5
|
#20 0x561a9f21a628 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_dbg_san/sql/sql_parse.cc:7915:18
|
#21 0x561a9f20e6eb in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1902:7
|
#22 0x561a9f21d04d in do_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1415:17
|
#23 0x561a9f8e5cfc in do_handle_one_connection(CONNECT*, bool) /test/11.8_dbg_san/sql/sql_connect.cc:1415:11
|
#24 0x561a9f8e55b7 in handle_one_connection /test/11.8_dbg_san/sql/sql_connect.cc:1327:5
|
#25 0x561a9ec11d9c in asan_thread_start(void*) asan_interceptors.cpp.o
|
#26 0x14c2e909ca93 in start_thread nptl/pthread_create.c:447:8
|
#27 0x14c2e9129c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
|
|
0x52d0003c1f40 is located 6976 bytes inside of 32760-byte region [0x52d0003c0400,0x52d0003c83f8)
|
allocated by thread T12 here:
|
#0 0x561a9ec142b3 in malloc (/test/UBASAN_MD150225-mariadb-11.8.1-linux-x86_64-dbg/bin/mariadbd+0x24fa2b3) (BuildId: f23c726b1ad19a347fd8a9533b96424ce4c3dcb5)
|
#1 0x561aa19fa7cd in my_malloc /test/11.8_dbg_san/mysys/my_malloc.c:93:29
|
#2 0x561aa19c7d62 in reset_root_defaults /test/11.8_dbg_san/mysys/my_alloc.c:247:30
|
#3 0x561a9efeeeb4 in THD::init_for_queries() /test/11.8_dbg_san/sql/sql_class.cc:1526:3
|
#4 0x561a9f8e4593 in prepare_new_connection_state(THD*) /test/11.8_dbg_san/sql/sql_connect.cc:1253:8
|
#5 0x561a9f8e7fcb in thd_prepare_connection(THD*) /test/11.8_dbg_san/sql/sql_connect.cc:1348:3
|
#6 0x561a9f8e5ce3 in do_handle_one_connection(CONNECT*, bool) /test/11.8_dbg_san/sql/sql_connect.cc:1405:9
|
#7 0x561a9f8e55b7 in handle_one_connection /test/11.8_dbg_san/sql/sql_connect.cc:1327:5
|
#8 0x561a9ec11d9c in asan_thread_start(void*) asan_interceptors.cpp.o
|
|
|
Thread T12 created by T0 here:
|
#0 0x561a9ebf9c25 in pthread_create (/test/UBASAN_MD150225-mariadb-11.8.1-linux-x86_64-dbg/bin/mariadbd+0x24dfc25) (BuildId: f23c726b1ad19a347fd8a9533b96424ce4c3dcb5)
|
#1 0x561a9ec65e9a in create_thread_to_handle_connection(CONNECT*) /test/11.8_dbg_san/sql/mysqld.cc:6261:19
|
#2 0x561a9ec66e65 in handle_connections_sockets() /test/11.8_dbg_san/sql/mysqld.cc:6497:9
|
#3 0x561a9ec650fa in run_main_loop() /test/11.8_dbg_san/sql/mysqld.cc:5739:3
|
#4 0x561a9ec5bc51 in mysqld_main(int, char**) /test/11.8_dbg_san/sql/mysqld.cc:6162:3
|
#5 0x14c2e902a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
|
#6 0x14c2e902a28a in __libc_start_main csu/../csu/libc-start.c:360:3
|
#7 0x561a9eb79464 in _start (/test/UBASAN_MD150225-mariadb-11.8.1-linux-x86_64-dbg/bin/mariadbd+0x245f464) (BuildId: f23c726b1ad19a347fd8a9533b96424ce4c3dcb5)
|
|
|
SUMMARY: AddressSanitizer: use-after-poison /test/11.8_dbg_san/sql/item.cc:512:21 in Item::print_parenthesised(String*, enum_query_type, precedence)
|
Shadow bytes around the buggy address:
|
0x52d0003c1c80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x52d0003c1d00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x52d0003c1d80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x52d0003c1e00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x52d0003c1e80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
=>0x52d0003c1f00: f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7
|
0x52d0003c1f80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x52d0003c2000: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x52d0003c2080: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x52d0003c2100: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x52d0003c2180: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
==1617400==ABORTING
|
250219 14:10:14 [ERROR] /test/UBASAN_MD150225-mariadb-11.8.1-linux-x86_64-dbg/bin/mariadbd got signal 6 ;
|
All *SAN bugs seen:
SIGABRT|__sanitizer::Abort|__sanitizer::Die|__asan::ScopedInErrorReport::~ScopedInErrorReport|__asan::ReportGenericError
|
ASAN|use-after-poison|sql/item.h|Item::fixed|Item::fix_fields_if_needed|Item_func::fix_fields|Item::fix_fields_if_needed_for_scalar
|
ASAN|use-after-poison|sql/item.cc|Item::print_parenthesised|Item::print_parenthesised|Item_cond::print|dbug_print_item
|
ASAN|use-after-poison|sql/item.h|Item::fix_fields_if_needed|Item_func::fix_fields|Item::fix_fields_if_needed_for_scalar|Item::fix_fields_if_needed_for_bool
|
ASAN|use-after-poison|sql/item.cc|Item::print_parenthesised|Item_func::print_op|Item::print_parenthesised|Item_cond::print
|
UBSAN|member call on address X which does not point to an object of type 'Item'|sql/item.h|Item::fix_fields_if_needed|Item_func::fix_fields|Item::fix_fields_if_needed_for_scalar|Item::fix_fields_if_needed_for_bool
|
UBSAN|member call on address X which does not point to an object of type 'Item'|sql/item.cc|Item::print_parenthesised|Item::print_parenthesised|Item_cond::print|dbug_print_item
|
UBSAN|member call on address X which does not point to an object of type 'Item'|sql/item.cc|Item::print_parenthesised|Item_func::print_op|Item::print_parenthesised|Item_cond::print
|
UBSAN|member call on address X which does not point to an object of type 'Item'|sql/item_func.cc|Item_func::fix_fields|Item::fix_fields_if_needed_for_scalar|Item::fix_fields_if_needed_for_bool|Item_cond::fix_fields
|
UBSAN|member call on address X which does not point to an object of type 'Item'|sql/item_func.cc|Item_func::print_op|Item::print_parenthesised|Item_cond::print|dbug_print_item
|
UBSAN|member access within address X which does not point to an object of type 'const Item'|sql/item.h|Item::fixed|Item::fix_fields_if_needed|Item_func::fix_fields|Item::fix_fields_if_needed_for_scalar
|
I can provide full stacks for each issue if needed.
Bug confirmed present in:
MariaDB: 10.5.29 (dbg), 10.5.29 (opt), 10.6.22 (dbg), 10.6.22 (opt), 10.11.12 (dbg), 10.11.12 (opt), 11.4.6 (dbg), 11.4.6 (opt), 11.8.1 (dbg), 11.8.1 (opt), 12.0.0 (dbg), 12.0.0 (opt)
MySQL: 5.7.44 (dbg), 5.7.44 (opt)
Bug (or feature/syntax) confirmed not present in:
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 8.0.36 (dbg), 8.0.36 (opt), 9.1.0 (dbg), 9.1.0 (opt)
Note the bug was present in MySQL 5.7.
Clang Setup:
Compiled with a recent version of Clang (I used Clang 18.1.3) with LLVM 18. Ubuntu instructions:
|
# Note: It is strongly recommended to uninstall all old Clang & LLVM packages (ref dpkg --list | grep -iE 'clang|llvm' and use apt purge and dpkg --purge to remove the packages), before following these steps
|
# Note: llvm-17-linker-tools installs /usr/lib/llvm-17/lib/LLVMgold.so, which is needed for compilation, and LLVMgold.so is no longer included in LLVM 18
|
sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev llvm-17-linker-tools
|
sudo ln -s /usr/lib/llvm-17/lib/LLVMgold.so /usr/lib/llvm-18/lib/LLVMgold.so
|
Compiled with: "-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DCMAKE_C{,XX}_FLAGS='-march=native -mtune=native'" and:
|
-DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON
|
Set before execution:
|
export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1 # And you may also want to supress UBSAN startup issues using 'suppressions=UBSAN.filter' in UBSAN_OPTIONS. For an example of UBSAN.filter, which includes current startup issues see: https://github.com/mariadb-corporation/mariadb-qa/blob/master/UBSAN.filter
|
export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1
|
Confirmed in 10.4+
Leads to:
11.1.0 4e5b771e980edfdad5c5414aa62c81d409d585a4 (Optimized)
Core was generated by `/test/MD120523-mariadb-11.1.0-linux-x86_64-opt/bin/mariadbd --no-defaults --cor'.Program terminated with signal SIGABRT, Aborted.#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=23341469865536)at ./nptl/pthread_kill.c:44[Current thread is 1 (Thread 0x153a9c051640 (LWP 3081877))](gdb) bt#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=23341469865536) at ./nptl/pthread_kill.c:44#1 __pthread_kill_internal (signo=6, threadid=23341469865536) at ./nptl/pthread_kill.c:78#2 __GI___pthread_kill (threadid=23341469865536, signo=signo@entry=6) at ./nptl/pthread_kill.c:89#3 0x0000153ab4042476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26#4 0x0000153ab40287f3 in __GI_abort () at ./stdlib/abort.c:79#5 0x0000153ab44a2bbe in ?? () from /lib/x86_64-linux-gnu/libstdc++.so.6#6 0x0000153ab44ae24c in ?? () from /lib/x86_64-linux-gnu/libstdc++.so.6#7 0x0000153ab44ae2b7 in std::terminate() () from /lib/x86_64-linux-gnu/libstdc++.so.6#8 0x0000153ab44aefe5 in __cxa_pure_virtual () from /lib/x86_64-linux-gnu/libstdc++.so.6#9 0x00005634a4a42cf9 in Item_func::check_argument_types_like_args0 (this=0x153a30029378) at /test/11.1_opt/sql/item_func.cc:148#10 0x00005634a4a3dc11 in Item_func::fix_fields (ref=<optimized out>, thd=0x153a30000c68, this=0x153a30029378) at /test/11.1_opt/sql/item_func.cc:359#11 Item_func::fix_fields (this=0x153a30029378, thd=0x153a30000c68, ref=<optimized out>) at /test/11.1_opt/sql/item_func.cc:316#12 0x00005634a4a16b29 in Item::fix_fields_if_needed (ref=<optimized out>, thd=0x153a30000c68, this=0x153a30029378) at /test/11.1_opt/sql/item.h:1147#13 Item::fix_fields_if_needed (ref=<optimized out>, thd=0x153a30000c68, this=0x153a30029378) at /test/11.1_opt/sql/item.h:1145#14 Item::fix_fields_if_needed_for_scalar (ref=<optimized out>, thd=0x153a30000c68, this=0x153a30029378) at /test/11.1_opt/sql/item.h:1156#15 Item::fix_fields_if_needed_for_bool (ref=<optimized out>, thd=0x153a30000c68, this=0x153a30029378) at /test/11.1_opt/sql/item.h:1160#16 Item_cond::fix_fields (this=0x153a30010810, thd=0x153a30000c68, ref=<optimized out>) at /test/11.1_opt/sql/item_cmpfunc.cc:4937#17 0x00005634a470bae7 in Item::fix_fields_if_needed (ref=0x153a300116b8, thd=0x153a30000c68, this=0x153a30010810) at /test/11.1_opt/sql/item.h:1145#18 Item::fix_fields_if_needed (ref=0x153a300116b8, thd=0x153a30000c68, this=0x153a30010810) at /test/11.1_opt/sql/item.h:1145#19 Item::fix_fields_if_needed_for_scalar (ref=0x153a300116b8, thd=0x153a30000c68, this=0x153a30010810) at /test/11.1_opt/sql/item.h:1156#20 Item::fix_fields_if_needed_for_bool (ref=0x153a300116b8, thd=0x153a30000c68, this=0x153a30010810) at /test/11.1_opt/sql/item.h:1160#21 setup_conds (thd=thd@entry=0x153a30000c68, tables=tables@entry=0x153a30024c68, leaves=@0x153a30024860: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x153a30011820, last = 0x153a30011830, elements = 2}, <No data fields>}, conds=conds@entry=0x153a300116b8) at /test/11.1_opt/sql/sql_base.cc:8861#22 0x00005634a47dd5af in setup_without_group (reserved=0x153a30024a34, hidden_group_fields=0x153a3001157f, win_funcs=@0x153a30024ad0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x5634a59228d0 <end_of_list>, last = 0x153a30024ad0, elements = 0}, <No data fields>}, win_specs=@0x153a30024ab8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x5634a59228d0 <end_of_list>, last = 0x153a30024ab8, elements = 0}, <No data fields>}, group=0x0, order=0x0, conds=0x153a300116b8, all_fields=@0x153a300115d0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x153a30024c20, last = 0x153a30024c20, elements = 1}, <No data fields>}, fields=@0x153a30024900: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x153a30024c20, last = 0x153a30024c20, elements = 1}, <No data fields>}, leaves=@0x153a30024860: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x153a30011820, last = 0x153a30011830, elements = 2}, <No data fields>}, tables=0x153a30024c68, ref_pointer_array=<optimized out>, thd=0x153a30000c68) at /test/11.1_opt/sql/sql_select.cc:914#23 JOIN::prepare (this=0x153a30011228, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=skip_order_by@entry=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x153a30024640, unit_arg=0x153a30026fc0) at /test/11.1_opt/sql/sql_select.cc:1494#24 0x00005634a4ab3878 in subselect_single_select_engine::prepare (this=0x153a30027a28, thd=0x153a30000c68) at /test/11.1_opt/sql/sql_lex.h:1379#25 0x00005634a4ab2f3d in Item_subselect::fix_fields (this=this@entry=0x153a300277f8, thd_param=thd_param@entry=0x153a30000c68, ref=ref@entry=0x153a30028ab8) at /test/11.1_opt/sql/item_subselect.cc:296#26 0x00005634a4ab3245 in Item_in_subselect::fix_fields (this=0x153a300277f8, thd_arg=0x153a30000c68, ref=0x153a30028ab8) at /test/11.1_opt/sql/item_subselect.cc:3602#27 0x00005634a4a126bd in Item::fix_fields_if_needed (ref=<optimized out>, thd=0x153a30000c68, this=<optimized out>) at /test/11.1_opt/sql/item.h:1147#28 Item::fix_fields_if_needed (ref=<optimized out>, thd=0x153a30000c68, this=<optimized out>) at /test/11.1_opt/sql/item.h:1145#29 Item_in_optimizer::fix_fields (this=0x153a30028a30, thd=0x153a30000c68, ref=<optimized out>) at /test/11.1_opt/sql/item_cmpfunc.cc:1379#30 0x00005634a47ddb66 in Item::fix_fields_if_needed (ref=0x153a30010c70, thd=0x153a30000c68, this=0x153a30028a30) at /test/11.1_opt/sql/item.h:1147#31 Item::fix_fields_if_needed (ref=0x153a30010c70, thd=0x153a30000c68, this=0x153a30028a30) at /test/11.1_opt/sql/item.h:1145#32 Item::fix_fields_if_needed_for_scalar (ref=0x153a30010c70, thd=0x153a30000c68, this=0x153a30028a30) at /test/11.1_opt/sql/item.h:1156#33 Item::fix_fields_if_needed_for_bool (ref=0x153a30010c70, thd=0x153a30000c68, this=0x153a30028a30) at /test/11.1_opt/sql/item.h:1160#34 JOIN::prepare (this=0x153a30010a60, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=<optimized out>, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /test/11.1_opt/sql/sql_select.cc:1552#35 0x00005634a47f04ea in mysql_select (thd=0x153a30000c68, tables=0x153a30023e80, fields=<optimized out>, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x153a30028a30, proc_param=0x0, select_options=<optimized out>, result=0x153a300282c0, unit=0x153a30021bb8, select_lex=0x153a30023860) at /test/11.1_opt/sql/sql_select.cc:5132#36 0x00005634a47f07a4 in handle_select (thd=thd@entry=0x153a30000c68, lex=lex@entry=0x153a30021ad8, result=result@entry=0x153a300282c0, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/11.1_opt/sql/sql_select.cc:611#37 0x00005634a476a485 in execute_sqlcom_select (thd=0x153a30000c68, all_tables=0x153a30023e80) at /test/11.1_opt/sql/sql_parse.cc:6024#38 0x00005634a4778ed4 in mysql_execute_command (thd=0x153a30000c68, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=true) at /test/11.1_opt/sql/sql_parse.cc:3944#39 0x00005634a479b32a in Prepared_statement::execute (this=0x153a30016b98, expanded_query=0x153a9c04f650, open_cursor=<optimized out>) at /test/11.1_opt/sql/sql_prepare.cc:4992#40 0x00005634a479b541 in Prepared_statement::execute_loop (packet=<optimized out>, packet_end=<optimized out>, open_cursor=<optimized out>, expanded_query=0x153a9c04f650, this=0x153a30016b98) at /test/11.1_opt/sql/sql_prepare.cc:4415#41 Prepared_statement::execute_loop (this=0x153a30016b98, expanded_query=0x153a9c04f650, open_cursor=<optimized out>, packet=<optimized out>, packet_end=<optimized out>) at /test/11.1_opt/sql/sql_prepare.cc:4364#42 0x00005634a479b85b in mysql_sql_stmt_execute (thd=thd@entry=0x153a30000c68) at /test/11.1_opt/sql/sql_prepare.cc:3456#43 0x00005634a47783a0 in mysql_execute_command (thd=0x153a30000c68, is_called_from_prepared_stmt=<optimized out>) at /test/11.1_opt/sql/sql_parse.cc:3960#44 0x00005634a477a424 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x153a30000c68) at /test/11.1_opt/sql/sql_parse.cc:7760#45 mysql_parse (thd=0x153a30000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/11.1_opt/sql/sql_parse.cc:7682#46 0x00005634a477ca02 in dispatch_command (command=COM_QUERY, thd=0x153a30000c68, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/11.1_opt/sql/sql_parse.cc:1989#47 0x00005634a477e1a0 in do_command (thd=0x153a30000c68, blocking=blocking@entry=true) at /test/11.1_opt/sql/sql_parse.cc:1405#48 0x00005634a4897787 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5634a81f47c8, put_in_cache=put_in_cache@entry=true) at /test/11.1_opt/sql/sql_connect.cc:1416#49 0x00005634a4897a5d in handle_one_connection (arg=0x5634a81f47c8) at /test/11.1_opt/sql/sql_connect.cc:1318#50 0x0000153ab4094b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442#51 0x0000153ab4126a00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:8111.1.0 4e5b771e980edfdad5c5414aa62c81d409d585a4 (Debug)
Core was generated by `/test/MD120523-mariadb-11.1.0-linux-x86_64-dbg/bin/mariadbd --no-defaults --cor'.Program terminated with signal SIGSEGV, Segmentation fault.#0 0x0000560c415a3ff2 in Item::print_parenthesised (this=this@entry=0x14d3ec014868, str=str@entry=0x14d48404fbb0,query_type=query_type@entry=QT_EXPLAIN, parent_prec=CMP_PRECEDENCE)at /test/11.1_dbg/sql/item.cc:495[Current thread is 1 (Thread 0x14d484052640 (LWP 3106785))](gdb) bt#0 0x0000560c415a3ff2 in Item::print_parenthesised (this=this@entry=0x14d3ec014868, str=str@entry=0x14d48404fbb0, query_type=query_type@entry=QT_EXPLAIN, parent_prec=CMP_PRECEDENCE) at /test/11.1_dbg/sql/item.cc:495#1 0x0000560c4160f839 in Item_func::print_op (this=0x14d3ec030b38, str=0x14d48404fbb0, query_type=QT_EXPLAIN) at /test/11.1_dbg/sql/item_func.cc:633#2 0x0000560c411bae97 in Item_bool_rowready_func2::print (this=<optimized out>, str=<optimized out>, query_type=<optimized out>) at /test/11.1_dbg/sql/item_cmpfunc.h:550#3 0x0000560c415a4010 in Item::print_parenthesised (this=this@entry=0x14d3ec030b38, str=str@entry=0x14d48404fbb0, query_type=query_type@entry=QT_EXPLAIN, parent_prec=AND_PRECEDENCE) at /test/11.1_dbg/sql/item.cc:498#4 0x0000560c415c81ec in Item_cond::print (this=0x14d3ec013200, str=0x14d48404fbb0, query_type=QT_EXPLAIN) at /test/11.1_dbg/sql/item_cmpfunc.cc:5390#5 0x0000560c415b4e35 in dbug_print_item (item=0x14d3ec013200) at /test/11.1_dbg/sql/item.cc:10892#6 0x0000560c4132100c in JOIN::prepare (this=0x14d3ec013c28, tables_init=<optimized out>, conds_init=<optimized out>, og_num=0, order_init=<optimized out>, skip_order_by=skip_order_by@entry=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x14d3ec02be00, unit_arg=0x14d3ec02e780) at /test/11.1_dbg/sql/sql_select.cc:1379#7 0x0000560c4168a6f5 in subselect_single_select_engine::prepare (this=0x14d3ec02f1e8, thd=0x14d3ec000d58) at /test/11.1_dbg/sql/sql_lex.h:1379#8 0x0000560c41689bb1 in Item_subselect::fix_fields (this=this@entry=0x14d3ec02efb8, thd_param=thd_param@entry=0x14d3ec000d58, ref=ref@entry=0x14d3ec030278) at /test/11.1_dbg/sql/item_subselect.cc:296#9 0x0000560c4168a223 in Item_in_subselect::fix_fields (this=0x14d3ec02efb8, thd_arg=0x14d3ec000d58, ref=0x14d3ec030278) at /test/11.1_dbg/sql/item_subselect.cc:3602#10 0x0000560c415d1a0d in Item::fix_fields_if_needed (ref=<optimized out>, thd=0x14d3ec000d58, this=<optimized out>) at /test/11.1_dbg/sql/item.h:1147#11 Item_in_optimizer::fix_fields (this=0x14d3ec0301f0, thd=0x14d3ec000d58, ref=<optimized out>) at /test/11.1_dbg/sql/item_cmpfunc.cc:1379#12 0x0000560c413202a0 in Item::fix_fields_if_needed (ref=0x14d3ec013668, thd=<optimized out>, this=0x14d3ec0301f0) at /test/11.1_dbg/sql/item.h:1147#13 Item::fix_fields_if_needed_for_scalar (ref=0x14d3ec013668, thd=<optimized out>, this=0x14d3ec0301f0) at /test/11.1_dbg/sql/item.h:1156#14 Item::fix_fields_if_needed_for_bool (ref=0x14d3ec013668, thd=<optimized out>, this=0x14d3ec0301f0) at /test/11.1_dbg/sql/item.h:1160#15 JOIN::prepare (this=this@entry=0x14d3ec013450, tables_init=tables_init@entry=0x14d3ec02b640, conds_init=conds_init@entry=0x0, og_num=og_num@entry=0, order_init=order_init@entry=0x0, skip_order_by=skip_order_by@entry=false, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /test/11.1_dbg/sql/sql_select.cc:1552#16 0x0000560c41336f01 in mysql_select (thd=thd@entry=0x14d3ec000d58, tables=0x14d3ec02b640, fields=@0x14d3ec02b2e0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14d3ec02b5f8, last = 0x14d3ec02b5f8, elements = 1}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x14d3ec0301f0, proc_param=0x0, select_options=2201187781376, result=0x14d3ec02fa80, unit=0x14d3ec029378, select_lex=0x14d3ec02b020) at /test/11.1_dbg/sql/sql_select.cc:5132#17 0x0000560c41337102 in handle_select (thd=thd@entry=0x14d3ec000d58, lex=lex@entry=0x14d3ec029298, result=result@entry=0x14d3ec02fa80, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/11.1_dbg/sql/sql_select.cc:611#18 0x0000560c4129d3bc in execute_sqlcom_select (thd=thd@entry=0x14d3ec000d58, all_tables=0x14d3ec02b640) at /test/11.1_dbg/sql/sql_parse.cc:6024#19 0x0000560c412a8a1c in mysql_execute_command (thd=0x14d3ec000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=true) at /test/11.1_dbg/sql/sql_parse.cc:3944#20 0x0000560c412d4f60 in Prepared_statement::execute (this=this@entry=0x14d3ec024d08, expanded_query=expanded_query@entry=0x14d484050c90, open_cursor=open_cursor@entry=false) at /test/11.1_dbg/sql/sql_prepare.cc:4992#21 0x0000560c412d52fc in Prepared_statement::execute_loop (this=this@entry=0x14d3ec024d08, expanded_query=expanded_query@entry=0x14d484050c90, open_cursor=open_cursor@entry=false, packet=packet@entry=0x0, packet_end=packet_end@entry=0x0) at /test/11.1_dbg/sql/sql_prepare.cc:4415#22 0x0000560c412d5939 in mysql_sql_stmt_execute (thd=thd@entry=0x14d3ec000d58) at /test/11.1_dbg/sql/sql_prepare.cc:3456#23 0x0000560c412a8a79 in mysql_execute_command (thd=thd@entry=0x14d3ec000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/11.1_dbg/sql/sql_parse.cc:3960#24 0x0000560c412aefad in mysql_parse (thd=thd@entry=0x14d3ec000d58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14d484051230) at /test/11.1_dbg/sql/sql_parse.cc:7760#25 0x0000560c412b1141 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14d3ec000d58, packet=packet@entry=0x14d3ec00ae49 "EXECUTE st", packet_length=packet_length@entry=10, blocking=blocking@entry=true) at /test/11.1_dbg/sql/sql_class.h:242#26 0x0000560c412b2f9d in do_command (thd=0x14d3ec000d58, blocking=blocking@entry=true) at /test/11.1_dbg/sql/sql_parse.cc:1405#27 0x0000560c41404e5a in do_handle_one_connection (connect=<optimized out>, connect@entry=0x560c44cdb1f8, put_in_cache=put_in_cache@entry=true) at /test/11.1_dbg/sql/sql_connect.cc:1416#28 0x0000560c414050b9 in handle_one_connection (arg=0x560c44cdb1f8) at /test/11.1_dbg/sql/sql_connect.cc:1318#29 0x000014d49ba94b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442#30 0x000014d49bb26a00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81Bug confirmed present in:
MariaDB: 10.4.30 (dbg), 10.4.30 (opt), 10.5.21 (dbg), 10.5.21 (opt), 10.6.14 (dbg), 10.6.14 (opt), 10.9.7 (dbg), 10.9.7 (opt), 10.10.5 (dbg), 10.10.5 (opt), 10.11.4 (dbg), 10.11.4 (opt), 11.0.2 (dbg), 11.0.2 (opt), 11.1.0 (dbg), 11.1.0 (opt)
Bug (or feature/syntax) confirmed not present in:
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.40 (dbg), 8.0.33 (dbg), 8.0.33 (opt)