[MDEV-31269] Various SIGSEGV crashes, UBSAN issues and memory corruption on 2nd PS execution caused by exists-to-in - Jira

Details

Type: Bug
Status: Stalled (View Workflow)
Priority: Critical
Resolution: Unresolved
Affects Version/s: 10.4(EOL), 10.5, 10.6, 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL), 11.1(EOL), 11.4, 11.8, 12.0
Fix Version/s: 10.5, 10.6, 10.11, 11.4, 11.8
Component/s: Optimizer, Prepared Statements
Labels:

Description

MTR testcase to reprod:

11.1 4e5b771e980edfdad5c5414aa62c81d409d585a4
set optimizer_switch=default;
CREATE TABLE t1 (a INT);
CREATE TABLE t2 (b INT);
PREPARE st FROM "
SELECT * FROM t2
HAVING 0 IN (
SELECT a FROM t1
WHERE EXISTS (
SELECT a FROM t1
WHERE b = a
)
)
";
EXECUTE st;
EXECUTE st;
drop table t1, t2;

Possibly caused by attempted reuse of items freed in query arena after the first execution. If we replace the first line with set optimizer_switch='exists_to_in=off'; then the test passes. The test also passes if we replace HAVING by WHERE.

trace:

mysys/stacktrace.c:215(my_print_stacktrace)[0x561ec390cefa]

sql/signal_handler.cc:238(handle_fatal_signal)[0x561ec30a10cb]

??:0(__restore_rt)[0x7fb3f1a26140]

sql/item.cc:495(Item::print_parenthesised(String*, enum_query_type, precedence))[0x561ec30c57f7]

sql/item_func.cc:634(Item_func::print_op(String*, enum_query_type))[0x561ec312d43e]

sql/item_cmpfunc.h:551(Item_bool_rowready_func2::print(String*, enum_query_type))[0x561ec2b7dc3d]

sql/item.cc:499(Item::print_parenthesised(String*, enum_query_type, precedence))[0x561ec30c584b]

sql/item_cmpfunc.cc:5385(Item_cond::print(String*, enum_query_type))[0x561ec310338e]

sql/item.cc:10894(dbug_print_item(Item*))[0x561ec30e6f31]

sql/sql_select.cc:1382(JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x561ec2d2fc40]

sql/item_subselect.cc:3943(subselect_single_select_engine::prepare(THD*))[0x561ec31b74e7]

sql/item_subselect.cc:296(Item_subselect::fix_fields(THD*, Item**))[0x561ec31a941c]

sql/item_subselect.cc:3602(Item_in_subselect::fix_fields(THD*, Item**))[0x561ec31b63a2]

sql/item.h:1147(Item::fix_fields_if_needed(THD*, Item**))[0x561ec2ba1620]

sql/item_cmpfunc.cc:1379(Item_in_optimizer::fix_fields(THD*, Item**))[0x561ec30f59d7]

sql/item.h:1147(Item::fix_fields_if_needed(THD*, Item**))[0x561ec2ba1620]

sql/item.h:1156(Item::fix_fields_if_needed_for_scalar(THD*, Item**))[0x561ec2ba1655]

sql/item.h:1161(Item::fix_fields_if_needed_for_bool(THD*, Item**))[0x561ec2c2a2cb]

sql/sql_select.cc:1552(JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x561ec2d3085d]

sql/sql_select.cc:5132(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x561ec2d3da56]

sql/sql_select.cc:611(handle_select(THD*, LEX*, select_result*, unsigned long long))[0x561ec2d2ca67]

sql/sql_parse.cc:6024(execute_sqlcom_select(THD*, TABLE_LIST*))[0x561ec2cd4abd]

sql/sql_parse.cc:3944(mysql_execute_command(THD*, bool))[0x561ec2cccd4b]

sql/sql_prepare.cc:4992(Prepared_statement::execute(String*, bool))[0x561ec2d12dcd]

sql/sql_prepare.cc:4415(Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*))[0x561ec2d10f84]

sql/sql_prepare.cc:3457(mysql_sql_stmt_execute(THD*))[0x561ec2d0e647]

sql/sql_parse.cc:3961(mysql_execute_command(THD*, bool))[0x561ec2cccd90]

sql/sql_parse.cc:7760(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x561ec2cd96fa]

sql/sql_parse.cc:1894(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x561ec2cc6db0]

sql/sql_parse.cc:1405(do_command(THD*, bool))[0x561ec2cc5789]

sql/sql_connect.cc:1416(do_handle_one_connection(CONNECT*, bool))[0x561ec2ea4fda]

sql/sql_connect.cc:1320(handle_one_connection)[0x561ec2ea4d45]

perfschema/pfs.cc:2203(pfs_spawn_thread)[0x561ec33a8fc4]

??:0(start_thread)[0x7fb3f1a1aea7]

??:0(clone)[0x7fb3f1216a2f]

Attachments

Issue Links

duplicates

MDEV-30073 Wrong result on 2nd execution of PS for query with NOT EXISTS

In Progress

Activity

Ascending order - Click to sort in descending order

View 8 older comments

Yuchen Pei added a comment - 2023-05-24 05:49

Updated patch after discussion with sanja - now it works with 10.4 and embedded.

https://github.com/MariaDB/server/commit/ffba2a85948

Yuchen Pei added a comment - 2023-05-24 05:49 Updated patch after discussion with sanja - now it works with 10.4 and embedded. https://github.com/MariaDB/server/commit/ffba2a85948

Sergei Petrunia added a comment - 2023-06-14 08:16

Simplified problem description

The problem is the interplay between Name Resolution and Permanent Transformations.

The failure scenario is:

Name Resolution creates "transient" Items (and may other objects)
Permanent query transformations are done.
This creates data structures that should survive until the end of statement life but alas they also contain "transient" Items.
Cleanup is performed. Transient items are cleaned/freed. Permanent rewrites remain in effect. We get invalid data structures.

Description of steps in greater detail

1. Name Resolution creates transient items.

When name resolution is performed, "transient" item objects are created: Item_ref, Item_direct_[view_]ref, etc.
(TODO: are there other transient data structures besides items? Like select lists?)

2. Permanent transformations are done

Permanent Transformation modifies query data structures.
The modification is typically hard to undo and so it should remain in force for the duration of the statement.
Examples of such transformations are:

Merging of mergeable VIEWs
Conversion of Item_in_subselect predicates into semi-join join operations (TABLE_LISTs in the parent select)
Conversion of Item_exists_subselect into Item_in_subselect.
...

one thing these transformations do is to move Items from one expression to another.
Note that they operate on Item trees which include "transient" items.

As a result, the query data structure is spaghetti of "permanent" and "transient" items.

3. Cleanup is performed

A cleanup operation frees the transient items and attempts to undo all the changes
that were made to the query data structures by Name Resolution.

(my speculation: why can't transient items be permanent? Because we can't do name resolution for them? Need to elaborate on this)

Sergei Petrunia added a comment - 2023-06-14 08:16 Simplified problem description The problem is the interplay between Name Resolution and Permanent Transformations. The failure scenario is: Name Resolution creates "transient" Items (and may other objects) Permanent query transformations are done. This creates data structures that should survive until the end of statement life but alas they also contain "transient" Items. Cleanup is performed. Transient items are cleaned/freed. Permanent rewrites remain in effect. We get invalid data structures. Description of steps in greater detail 1. Name Resolution creates transient items. When name resolution is performed, "transient" item objects are created: Item_ref, Item_direct_[view_]ref, etc. (TODO: are there other transient data structures besides items? Like select lists?) 2. Permanent transformations are done Permanent Transformation modifies query data structures. The modification is typically hard to undo and so it should remain in force for the duration of the statement. Examples of such transformations are: Merging of mergeable VIEWs Conversion of Item_in_subselect predicates into semi-join join operations (TABLE_LISTs in the parent select) Conversion of Item_exists_subselect into Item_in_subselect. ... one thing these transformations do is to move Items from one expression to another. Note that they operate on Item trees which include "transient" items. As a result, the query data structure is spaghetti of "permanent" and "transient" items. 3. Cleanup is performed A cleanup operation frees the transient items and attempts to undo all the changes that were made to the query data structures by Name Resolution. (my speculation: why can't transient items be permanent? Because we can't do name resolution for them? Need to elaborate on this)

Yuchen Pei added a comment - 2023-06-15 01:11

Thanks for the notes psergei, it is a higher level description and corroborates well with my analysis in [1].

[1] https://jira.mariadb.org/browse/MDEV-22534?focusedCommentId=258728&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-258728

Moving on to fixing it for the purpose this ticket, i.e. for exists2in and decorrelate-in transformations, with the risk of duplicating the work on MDEV-30073, I can think of two ways:

1. At the beginning of the transformation, detect whether transient items will cause problems, and skip the transformation if so. My patch for this ticket follows this idea, but the implementation is deemed inefficient, and it is not clear whether people want this as a temporary measure before MDEV-30073 is fixed.

2. During JOIN::prepare(), create permanent Item_refs etc. instead of transient ones. I don't know whether this would be a valid idea, because in the first place I don't know why they were created as transient.

Yuchen Pei added a comment - 2023-06-15 01:11 Thanks for the notes psergei , it is a higher level description and corroborates well with my analysis in [1] . [1] https://jira.mariadb.org/browse/MDEV-22534?focusedCommentId=258728&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-258728 Moving on to fixing it for the purpose this ticket, i.e. for exists2in and decorrelate-in transformations, with the risk of duplicating the work on MDEV-30073 , I can think of two ways: 1. At the beginning of the transformation, detect whether transient items will cause problems, and skip the transformation if so. My patch for this ticket follows this idea, but the implementation is deemed inefficient, and it is not clear whether people want this as a temporary measure before MDEV-30073 is fixed. 2. During JOIN::prepare(), create permanent Item_refs etc. instead of transient ones. I don't know whether this would be a valid idea, because in the first place I don't know why they were created as transient.

Yuchen Pei added a comment - 2023-09-11 06:57

I can confirm that bb-10.4-mdev-30073
34083cf34bc26a5cd95e56feffd01466f9f4917f passes the test in the
description.

igor Can you rebase your patch on 11.3 so that we can test
MDEV-22534 patches on top?

Yuchen Pei added a comment - 2023-09-11 06:57 I can confirm that bb-10.4-mdev-30073 34083cf34bc26a5cd95e56feffd01466f9f4917f passes the test in the description. igor Can you rebase your patch on 11.3 so that we can test MDEV-22534 patches on top?

Roel Van de Paar added a comment - 2025-02-19 03:15 - edited

Additional testcase:

CREATE TABLE t1 (a INT,b INT,PRIMARY KEY(a));

CREATE TABLE t2 (a1 INT);

PREPARE s FROM 'SELECT * FROM t1 HAVING 0 IN (SELECT a FROM t2 WHERE a IN (SELECT a FROM t2 WHERE b=a))';

EXECUTE s;

SELECT a FROM t1;

EXECUTE s;

Leads to:

CS 11.8.1 33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d (Optimized) Build 15/02/2025
Core was generated by `/test/MD150225-mariadb-11.8.1-linux-x86_64-opt/bin/mariadbd --no-defaults --max'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000000000000006 in ?? ()
[Current thread is 1 (LWP 1521327)]
(gdb) bt
#0 0x0000000000000006 in ?? ()
#1 0x000055e5593ea1ef in Item::fix_fields_if_needed (this=0x14a674018ec8, thd=0x14a674000c68, ref=0x14a6740319b0) at /test/11.8_opt/sql/item.h:1168
#2 Item_func::fix_fields (this=0x14a674031928, thd=0x14a674000c68, ref=<optimized out>) at /test/11.8_opt/sql/item_func.cc:348
#3 0x000055e5593c1ede in Item::fix_fields_if_needed (this=0x14a674031928, thd=0x14a674000c68, ref=0x14a6740176d0) at /test/11.8_opt/sql/item.h:1168
#4 Item::fix_fields_if_needed_for_scalar (this=0x14a674031928, thd=0x14a674000c68, ref=0x14a6740176d0) at /test/11.8_opt/sql/item.h:1177
#5 Item::fix_fields_if_needed_for_bool (this=0x14a674031928, thd=0x14a674000c68, ref=0x14a6740176d0) at /test/11.8_opt/sql/item.h:1181
#6 Item_cond::fix_fields (this=0x14a6740175a8, thd=0x14a674000c68, ref=<optimized out>) at /test/11.8_opt/sql/item_cmpfunc.cc:5138
#7 0x000055e5590a4d84 in Item::fix_fields_if_needed (this=0x14a6740175a8, thd=0x14a674000c68, ref=0x14a674018448) at /test/11.8_opt/sql/item.h:1168
#8 Item::fix_fields_if_needed_for_scalar (this=0x14a6740175a8, thd=0x14a674000c68, ref=0x14a674018448) at /test/11.8_opt/sql/item.h:1177
#9 Item::fix_fields_if_needed_for_bool (this=0x14a6740175a8, thd=0x14a674000c68, ref=0x14a674018448) at /test/11.8_opt/sql/item.h:1181
#10 setup_conds (thd=0x14a674000c68, tables=tables@entry=0x14a67402cea8, leaves=<optimized out>, conds=0x14a674018448)at /test/11.8_opt/sql/sql_base.cc:8885
#11 0x000055e55914bc89 in setup_without_group (thd=0x14a674018ec8, ref_pointer_array={m_array = 0x14a674030c18, m_size = 9}, tables=0x14a67402cea8, leaves=<error reading variable: Cannot access memory at address 0x1>, fields=@0x14a67402cb20: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14a67402ce58, last = 0x14a67402ce58, elements = 1}, <No data fields>}, all_fields=@0x14a674018360: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14a67402ce58, last = 0x14a67402ce58, elements = 1}, <No data fields>}, conds=0x14a674018448, order=0x0, group=0x0, win_specs=@0x14a67402cce8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55e55a34b340 <end_of_list>, last = 0x14a67402cce8, elements = 0}, <No data fields>}, win_funcs=@0x14a67402cd08: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55e55a34b340 <end_of_list>, last = 0x14a67402cd08, elements = 0}, <No data fields>}, hidden_group_fields=0x14a67401830f)at /test/11.8_opt/sql/sql_select.cc:955
#12 0x000055e55914b0cb in JOIN::prepare (this=0x14a674017fc0, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x14a67402c868, unit_arg=0x14a67402f3e8)at /test/11.8_opt/sql/sql_select.cc:1577
#13 0x000055e559458b01 in subselect_single_select_engine::prepare (this=0x14a67402fe70, thd=0x14a674000c68)at /test/11.8_opt/sql/item_subselect.cc:3981
#14 0x000055e55944fd5c in Item_subselect::fix_fields (this=this@entry=0x14a67402fc38, thd_param=thd_param@entry=0x14a674000c68, ref=ref@entry=0x14a674030f50) at /test/11.8_opt/sql/item_subselect.cc:294
#15 0x000055e55945803c in Item_in_subselect::fix_fields (this=0x14a67402fc38, thd_arg=0x14a674000c68, ref=0x14a674030f50)at /test/11.8_opt/sql/item_subselect.cc:3620
#16 0x000055e5593b8792 in Item::fix_fields_if_needed (this=0x14a674018ec8, thd=0x14a674000c68, ref=0x14a6740319b0) at /test/11.8_opt/sql/item.h:1168
#17 Item_in_optimizer::fix_fields (this=0x14a674030ec8, thd=0x14a674000c68, ref=<optimized out>) at /test/11.8_opt/sql/item_cmpfunc.cc:1507
#18 0x000055e55914b34d in Item::fix_fields_if_needed (this=0x14a674030ec8, thd=0x14a674000c68, ref=0x14a674017a00) at /test/11.8_opt/sql/item.h:1168
#19 Item::fix_fields_if_needed_for_scalar (this=0x14a674030ec8, thd=0x14a674000c68, ref=0x14a674017a00) at /test/11.8_opt/sql/item.h:1177
#20 Item::fix_fields_if_needed_for_bool (this=0x14a674030ec8, thd=0x14a674000c68, ref=0x14a674017a00) at /test/11.8_opt/sql/item.h:1181
#21 JOIN::prepare (this=this@entry=0x14a6740177f8, tables_init=tables_init@entry=0x14a67402c0a8, conds_init=conds_init@entry=0x0, og_num=og_num@entry=0, order_init=order_init@entry=0x0, skip_order_by=false, group_init=0x0, having_init=0x14a674030ec8, proc_param_init=0x0, select_lex_arg=0x14a67402ba70, unit_arg=0x14a674029cc8)at /test/11.8_opt/sql/sql_select.cc:1634
#22 0x000055e559147261 in mysql_select (thd=thd@entry=0x14a674000c68, tables=0x14a67402c0a8, fields=@0x14a67402bd28: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14a67402c058, last = 0x14a6740309b8, elements = 2}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x14a674030ec8, proc_param=0x0, select_options=<optimized out>, result=0x14a674030720, unit=0x14a674029cc8, select_lex=0x14a67402ba70)at /test/11.8_opt/sql/sql_select.cc:5350
#23 0x000055e559147019 in handle_select (thd=thd@entry=0x14a674000c68, lex=lex@entry=0x14a674029be8, result=result@entry=0x14a674030720, setup_tables_done_option=setup_tables_done_option@entry=0)at /test/11.8_opt/sql/sql_select.cc:633
#24 0x000055e5591145ee in execute_sqlcom_select (thd=thd@entry=0x14a674000c68, all_tables=0x14a67402c0a8) at /test/11.8_opt/sql/sql_parse.cc:6191
#25 0x000055e559112ae0 in mysql_execute_command (thd=0x14a674000c68, is_called_from_prepared_stmt=true) at /test/11.8_opt/sql/sql_parse.cc:3979
#26 0x000055e5591378d6 in Prepared_statement::execute (this=this@entry=0x14a674021a18, expanded_query=expanded_query@entry=0x14a6c21b2d88, open_cursor=false)at /test/11.8_opt/sql/sql_prepare.cc:5084
#27 0x000055e5591359a2 in Prepared_statement::execute_loop (this=this@entry=0x14a674021a18, expanded_query=expanded_query@entry=0x14a6c21b2d88, open_cursor=<optimized out>, packet=packet@entry=0x0, packet_end=packet_end@entry=0x0) at /test/11.8_opt/sql/sql_prepare.cc:4448
#28 0x000055e5591357e0 in mysql_sql_stmt_execute (thd=thd@entry=0x14a674000c68)at /test/11.8_opt/sql/sql_prepare.cc:3460
#29 0x000055e5591100fc in mysql_execute_command (thd=thd@entry=0x14a674000c68, is_called_from_prepared_stmt=false) at /test/11.8_opt/sql/sql_parse.cc:3995
#30 0x000055e55910b341 in mysql_parse (thd=thd@entry=0x14a674000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14a6c21b3430)at /test/11.8_opt/sql/sql_parse.cc:7915
#31 0x000055e5591097d0 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14a674000c68, packet=packet@entry=0x14a6740088a9 "EXECUTE s", packet_length=packet_length@entry=9, blocking=true)at /test/11.8_opt/sql/sql_parse.cc:1902
#32 0x000055e55910b751 in do_command (thd=thd@entry=0x14a674000c68, blocking=true) at /test/11.8_opt/sql/sql_parse.cc:1415
#33 0x000055e559236f8d in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55e55c563e28, put_in_cache=true)at /test/11.8_opt/sql/sql_connect.cc:1415
#34 0x000055e559236d4f in handle_one_connection (arg=arg@entry=0x55e55c563e28)at /test/11.8_opt/sql/sql_connect.cc:1327
#35 0x000055e5595bbe29 in pfs_spawn_thread (arg=0x55e55c510718)at /test/11.8_opt/storage/perfschema/pfs.cc:2198
#36 0x000014a6ce29ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
#37 0x000014a6ce329c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

As well as a variety of other stacks. All stacks seen:

SIGABRT|__gnu_cxx::__verbose_terminate_handler|__cxxabiv1::__terminate|std::terminate|__cxxabiv1::__cxa_pure_virtual

SIGSEGV|Item::fix_fields_if_needed|Item_func::fix_fields|Item::fix_fields_if_needed|Item::fix_fields_if_needed_for_scalar

SIGSEGV|Item::print_parenthesised|Item_func::print_op|Item_bool_rowready_func2::print|Item::print_parenthesised

SIGSEGV|Item_func::fix_func_arg|Item_func::fix_fields|Item_cond::fix_fields|st_select_lex::setup_conds

As well as various UBSAN and ASAN issues (scroll down in each log to see details):

CS 11.8.1 33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d (Optimized, UBASAN, Clang) Build 15/02/2025
/test/11.8_opt_san/sql/item_func.cc:348:19: runtime error: member call on address 0x52d0003c1f20 which does not point to an object of type 'Item'
0x52d0003c1f20: note: object has a possibly invalid vptr: abs(offset to top) too big
b0 52 00 00 c8 04 3c 00 d0 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00 37 56 00 00 00 00 00 00
^~~~~~~~~~~~~~~~~~~~~~~
possibly invalid vptr
#0 0x563742b1b477 in Item_func::fix_fields(THD, Item*) /test/11.8_opt_san/sql/item_func.cc:348:19
#1 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD, Item*) /test/11.8_opt_san/sql/item.h:1177:12
#2 0x563742a6754d in Item::fix_fields_if_needed_for_bool(THD, Item*) /test/11.8_opt_san/sql/item.h:1181:12
#3 0x563742a6754d in Item_cond::fix_fields(THD, Item*) /test/11.8_opt_san/sql/item_cmpfunc.cc:5138:15
#4 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD, Item*) /test/11.8_opt_san/sql/item.h:1177:12
#5 0x5637418472c2 in Item::fix_fields_if_needed_for_bool(THD, Item*) /test/11.8_opt_san/sql/item.h:1181:12
#6 0x5637418472c2 in setup_conds(THD, TABLE_LIST, List<TABLE_LIST>&, Item**) /test/11.8_opt_san/sql/sql_base.cc:8885:19
#7 0x563741c1f912 in setup_without_group(THD, Bounds_checked_array<Item>, TABLE_LIST, List<TABLE_LIST>&, List<Item>&, List<Item>&, Item, st_order, st_order, List<Window_spec>&, List<Item_window_func>&, bool) /test/11.8_opt_san/sql/sql_select.cc:955:8
#8 0x563741c18e27 in JOIN::prepare(TABLE_LIST, Item, unsigned int, st_order, bool, st_order, Item, st_order, st_select_lex, st_select_lex_unit) /test/11.8_opt_san/sql/sql_select.cc:1577:7
#9 0x563742d54e60 in subselect_single_select_engine::prepare(THD*) /test/11.8_opt_san/sql/item_subselect.cc:3981:13
#10 0x563742d1140a in Item_subselect::fix_fields(THD, Item*) /test/11.8_opt_san/sql/item_subselect.cc:294:22
#11 0x563742d4e297 in Item_in_subselect::fix_fields(THD, Item*) /test/11.8_opt_san/sql/item_subselect.cc:3620:23
#12 0x563742a293b8 in Item_in_optimizer::fix_fields(THD, Item*) /test/11.8_opt_san/sql/item_cmpfunc.cc:1507:16
#13 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD, Item*) /test/11.8_opt_san/sql/item.h:1177:12
#14 0x563741c19cc3 in JOIN::prepare(TABLE_LIST, Item, unsigned int, st_order, bool, st_order, Item, st_order, st_select_lex, st_select_lex_unit) /test/11.8_opt_san/sql/sql_select.cc:1634:33
#15 0x563741c0bd4c in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/11.8_opt_san/sql/sql_select.cc:5350:21
#16 0x563741c0ad90 in handle_select(THD, LEX, select_result*, unsigned long long) /test/11.8_opt_san/sql/sql_select.cc:633:10
#17 0x563741af66b1 in execute_sqlcom_select(THD, TABLE_LIST) /test/11.8_opt_san/sql/sql_parse.cc:6191:12
#18 0x563741ad77cd in mysql_execute_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:3979:12
#19 0x563741bb4809 in Prepared_statement::execute(String*, bool) /test/11.8_opt_san/sql/sql_prepare.cc:5084:14
#20 0x563741b9ff1f in Prepared_statement::execute_loop(String, bool, unsigned char, unsigned char*) /test/11.8_opt_san/sql/sql_prepare.cc:4448:10
#21 0x563741b9f157 in mysql_sql_stmt_execute(THD*) /test/11.8_opt_san/sql/sql_prepare.cc:3460:16
#22 0x563741ad9d47 in mysql_execute_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:3995:5
#23 0x563741ab8600 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.8_opt_san/sql/sql_parse.cc:7915:18
#24 0x563741aaf8c6 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.8_opt_san/sql/sql_parse.cc:1902:7
#25 0x563741aba8c6 in do_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:1415:17
#26 0x563742140f5c in do_handle_one_connection(CONNECT*, bool) /test/11.8_opt_san/sql/sql_connect.cc:1415:11
#27 0x5637421407b6 in handle_one_connection /test/11.8_opt_san/sql/sql_connect.cc:1327:5
#28 0x5637414fc99c in asan_thread_start(void*) asan_interceptors.cpp.o
#29 0x14888429ca93 in start_thread nptl/pthread_create.c:447:8
#30 0x148884329c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

SUMMARY: UndefinedBehaviorSanitizer: dynamic-type-mismatch /test/11.8_opt_san/sql/item_func.cc:348:19
/test/11.8_opt_san/sql/item.h:1168:12: runtime error: member call on address 0x52d0003c1f20 which does not point to an object of type 'Item'
0x52d0003c1f20: note: object has a possibly invalid vptr: abs(offset to top) too big
b0 52 00 00 c8 04 3c 00 d0 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00 37 56 00 00 00 00 00 00
^~~~~~~~~~~~~~~~~~~~~~~
possibly invalid vptr
#0 0x5637416b3fa6 in Item::fix_fields_if_needed(THD, Item*) /test/11.8_opt_san/sql/item.h:1168:12
#1 0x563742b1b0f7 in Item_func::fix_fields(THD, Item*) /test/11.8_opt_san/sql/item_func.cc:348:19
#2 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD, Item*) /test/11.8_opt_san/sql/item.h:1177:12
#3 0x563742a6754d in Item::fix_fields_if_needed_for_bool(THD, Item*) /test/11.8_opt_san/sql/item.h:1181:12
#4 0x563742a6754d in Item_cond::fix_fields(THD, Item*) /test/11.8_opt_san/sql/item_cmpfunc.cc:5138:15
#5 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD, Item*) /test/11.8_opt_san/sql/item.h:1177:12
#6 0x5637418472c2 in Item::fix_fields_if_needed_for_bool(THD, Item*) /test/11.8_opt_san/sql/item.h:1181:12
#7 0x5637418472c2 in setup_conds(THD, TABLE_LIST, List<TABLE_LIST>&, Item**) /test/11.8_opt_san/sql/sql_base.cc:8885:19
#8 0x563741c1f912 in setup_without_group(THD, Bounds_checked_array<Item>, TABLE_LIST, List<TABLE_LIST>&, List<Item>&, List<Item>&, Item, st_order, st_order, List<Window_spec>&, List<Item_window_func>&, bool) /test/11.8_opt_san/sql/sql_select.cc:955:8
#9 0x563741c18e27 in JOIN::prepare(TABLE_LIST, Item, unsigned int, st_order, bool, st_order, Item, st_order, st_select_lex, st_select_lex_unit) /test/11.8_opt_san/sql/sql_select.cc:1577:7
#10 0x563742d54e60 in subselect_single_select_engine::prepare(THD*) /test/11.8_opt_san/sql/item_subselect.cc:3981:13
#11 0x563742d1140a in Item_subselect::fix_fields(THD, Item*) /test/11.8_opt_san/sql/item_subselect.cc:294:22
#12 0x563742d4e297 in Item_in_subselect::fix_fields(THD, Item*) /test/11.8_opt_san/sql/item_subselect.cc:3620:23
#13 0x563742a293b8 in Item_in_optimizer::fix_fields(THD, Item*) /test/11.8_opt_san/sql/item_cmpfunc.cc:1507:16
#14 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD, Item*) /test/11.8_opt_san/sql/item.h:1177:12
#15 0x563741c19cc3 in JOIN::prepare(TABLE_LIST, Item, unsigned int, st_order, bool, st_order, Item, st_order, st_select_lex, st_select_lex_unit) /test/11.8_opt_san/sql/sql_select.cc:1634:33
#16 0x563741c0bd4c in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/11.8_opt_san/sql/sql_select.cc:5350:21
#17 0x563741c0ad90 in handle_select(THD, LEX, select_result*, unsigned long long) /test/11.8_opt_san/sql/sql_select.cc:633:10
#18 0x563741af66b1 in execute_sqlcom_select(THD, TABLE_LIST) /test/11.8_opt_san/sql/sql_parse.cc:6191:12
#19 0x563741ad77cd in mysql_execute_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:3979:12
#20 0x563741bb4809 in Prepared_statement::execute(String*, bool) /test/11.8_opt_san/sql/sql_prepare.cc:5084:14
#21 0x563741b9ff1f in Prepared_statement::execute_loop(String, bool, unsigned char, unsigned char*) /test/11.8_opt_san/sql/sql_prepare.cc:4448:10
#22 0x563741b9f157 in mysql_sql_stmt_execute(THD*) /test/11.8_opt_san/sql/sql_prepare.cc:3460:16
#23 0x563741ad9d47 in mysql_execute_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:3995:5
#24 0x563741ab8600 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.8_opt_san/sql/sql_parse.cc:7915:18
#25 0x563741aaf8c6 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.8_opt_san/sql/sql_parse.cc:1902:7
#26 0x563741aba8c6 in do_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:1415:17
#27 0x563742140f5c in do_handle_one_connection(CONNECT*, bool) /test/11.8_opt_san/sql/sql_connect.cc:1415:11
#28 0x5637421407b6 in handle_one_connection /test/11.8_opt_san/sql/sql_connect.cc:1327:5
#29 0x5637414fc99c in asan_thread_start(void*) asan_interceptors.cpp.o
#30 0x14888429ca93 in start_thread nptl/pthread_create.c:447:8
#31 0x148884329c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

SUMMARY: UndefinedBehaviorSanitizer: dynamic-type-mismatch /test/11.8_opt_san/sql/item.h:1168:12
/test/11.8_opt_san/sql/item.h:1089:20: runtime error: member access within address 0x52d0003c1f20 which does not point to an object of type 'const Item'
0x52d0003c1f20: note: object has a possibly invalid vptr: abs(offset to top) too big
b0 52 00 00 c8 04 3c 00 d0 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00 37 56 00 00 00 00 00 00
^~~~~~~~~~~~~~~~~~~~~~~
possibly invalid vptr
#0 0x5637416b3fd4 in Item::fixed() const /test/11.8_opt_san/sql/item.h:1089:20
#1 0x5637416b3fd4 in Item::fix_fields_if_needed(THD, Item*) /test/11.8_opt_san/sql/item.h:1168:12
#2 0x563742b1b0f7 in Item_func::fix_fields(THD, Item*) /test/11.8_opt_san/sql/item_func.cc:348:19
#3 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD, Item*) /test/11.8_opt_san/sql/item.h:1177:12
#4 0x563742a6754d in Item::fix_fields_if_needed_for_bool(THD, Item*) /test/11.8_opt_san/sql/item.h:1181:12
#5 0x563742a6754d in Item_cond::fix_fields(THD, Item*) /test/11.8_opt_san/sql/item_cmpfunc.cc:5138:15
#6 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD, Item*) /test/11.8_opt_san/sql/item.h:1177:12
#7 0x5637418472c2 in Item::fix_fields_if_needed_for_bool(THD, Item*) /test/11.8_opt_san/sql/item.h:1181:12
#8 0x5637418472c2 in setup_conds(THD, TABLE_LIST, List<TABLE_LIST>&, Item**) /test/11.8_opt_san/sql/sql_base.cc:8885:19
#9 0x563741c1f912 in setup_without_group(THD, Bounds_checked_array<Item>, TABLE_LIST, List<TABLE_LIST>&, List<Item>&, List<Item>&, Item, st_order, st_order, List<Window_spec>&, List<Item_window_func>&, bool) /test/11.8_opt_san/sql/sql_select.cc:955:8
#10 0x563741c18e27 in JOIN::prepare(TABLE_LIST, Item, unsigned int, st_order, bool, st_order, Item, st_order, st_select_lex, st_select_lex_unit) /test/11.8_opt_san/sql/sql_select.cc:1577:7
#11 0x563742d54e60 in subselect_single_select_engine::prepare(THD*) /test/11.8_opt_san/sql/item_subselect.cc:3981:13
#12 0x563742d1140a in Item_subselect::fix_fields(THD, Item*) /test/11.8_opt_san/sql/item_subselect.cc:294:22
#13 0x563742d4e297 in Item_in_subselect::fix_fields(THD, Item*) /test/11.8_opt_san/sql/item_subselect.cc:3620:23
#14 0x563742a293b8 in Item_in_optimizer::fix_fields(THD, Item*) /test/11.8_opt_san/sql/item_cmpfunc.cc:1507:16
#15 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD, Item*) /test/11.8_opt_san/sql/item.h:1177:12
#16 0x563741c19cc3 in JOIN::prepare(TABLE_LIST, Item, unsigned int, st_order, bool, st_order, Item, st_order, st_select_lex, st_select_lex_unit) /test/11.8_opt_san/sql/sql_select.cc:1634:33
#17 0x563741c0bd4c in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/11.8_opt_san/sql/sql_select.cc:5350:21
#18 0x563741c0ad90 in handle_select(THD, LEX, select_result*, unsigned long long) /test/11.8_opt_san/sql/sql_select.cc:633:10
#19 0x563741af66b1 in execute_sqlcom_select(THD, TABLE_LIST) /test/11.8_opt_san/sql/sql_parse.cc:6191:12
#20 0x563741ad77cd in mysql_execute_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:3979:12
#21 0x563741bb4809 in Prepared_statement::execute(String*, bool) /test/11.8_opt_san/sql/sql_prepare.cc:5084:14
#22 0x563741b9ff1f in Prepared_statement::execute_loop(String, bool, unsigned char, unsigned char*) /test/11.8_opt_san/sql/sql_prepare.cc:4448:10
#23 0x563741b9f157 in mysql_sql_stmt_execute(THD*) /test/11.8_opt_san/sql/sql_prepare.cc:3460:16
#24 0x563741ad9d47 in mysql_execute_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:3995:5
#25 0x563741ab8600 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.8_opt_san/sql/sql_parse.cc:7915:18
#26 0x563741aaf8c6 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.8_opt_san/sql/sql_parse.cc:1902:7
#27 0x563741aba8c6 in do_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:1415:17
#28 0x563742140f5c in do_handle_one_connection(CONNECT*, bool) /test/11.8_opt_san/sql/sql_connect.cc:1415:11
#29 0x5637421407b6 in handle_one_connection /test/11.8_opt_san/sql/sql_connect.cc:1327:5
#30 0x5637414fc99c in asan_thread_start(void*) asan_interceptors.cpp.o
#31 0x14888429ca93 in start_thread nptl/pthread_create.c:447:8
#32 0x148884329c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

SUMMARY: UndefinedBehaviorSanitizer: dynamic-type-mismatch /test/11.8_opt_san/sql/item.h:1089:20
=================================================================
==1604938==ERROR: AddressSanitizer: use-after-poison on address 0x52d0003c1f88 at pc 0x5637416b3f88 bp 0x1488572ff5d0 sp 0x1488572ff5c8
READ of size 1 at 0x52d0003c1f88 thread T9
#0 0x5637416b3f87 in Item::fixed() const /test/11.8_opt_san/sql/item.h:1089:20
#1 0x5637416b3f87 in Item::fix_fields_if_needed(THD, Item*) /test/11.8_opt_san/sql/item.h:1168:12
#2 0x563742b1b0f7 in Item_func::fix_fields(THD, Item*) /test/11.8_opt_san/sql/item_func.cc:348:19
#3 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD, Item*) /test/11.8_opt_san/sql/item.h:1177:12
#4 0x563742a6754d in Item::fix_fields_if_needed_for_bool(THD, Item*) /test/11.8_opt_san/sql/item.h:1181:12
#5 0x563742a6754d in Item_cond::fix_fields(THD, Item*) /test/11.8_opt_san/sql/item_cmpfunc.cc:5138:15
#6 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD, Item*) /test/11.8_opt_san/sql/item.h:1177:12
#7 0x5637418472c2 in Item::fix_fields_if_needed_for_bool(THD, Item*) /test/11.8_opt_san/sql/item.h:1181:12
#8 0x5637418472c2 in setup_conds(THD, TABLE_LIST, List<TABLE_LIST>&, Item**) /test/11.8_opt_san/sql/sql_base.cc:8885:19
#9 0x563741c1f912 in setup_without_group(THD, Bounds_checked_array<Item>, TABLE_LIST, List<TABLE_LIST>&, List<Item>&, List<Item>&, Item, st_order, st_order, List<Window_spec>&, List<Item_window_func>&, bool) /test/11.8_opt_san/sql/sql_select.cc:955:8
#10 0x563741c18e27 in JOIN::prepare(TABLE_LIST, Item, unsigned int, st_order, bool, st_order, Item, st_order, st_select_lex, st_select_lex_unit) /test/11.8_opt_san/sql/sql_select.cc:1577:7
#11 0x563742d54e60 in subselect_single_select_engine::prepare(THD*) /test/11.8_opt_san/sql/item_subselect.cc:3981:13
#12 0x563742d1140a in Item_subselect::fix_fields(THD, Item*) /test/11.8_opt_san/sql/item_subselect.cc:294:22
#13 0x563742d4e297 in Item_in_subselect::fix_fields(THD, Item*) /test/11.8_opt_san/sql/item_subselect.cc:3620:23
#14 0x563742a293b8 in Item_in_optimizer::fix_fields(THD, Item*) /test/11.8_opt_san/sql/item_cmpfunc.cc:1507:16
#15 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD, Item*) /test/11.8_opt_san/sql/item.h:1177:12
#16 0x563741c19cc3 in JOIN::prepare(TABLE_LIST, Item, unsigned int, st_order, bool, st_order, Item, st_order, st_select_lex, st_select_lex_unit) /test/11.8_opt_san/sql/sql_select.cc:1634:33
#17 0x563741c0bd4c in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/11.8_opt_san/sql/sql_select.cc:5350:21
#18 0x563741c0ad90 in handle_select(THD, LEX, select_result*, unsigned long long) /test/11.8_opt_san/sql/sql_select.cc:633:10
#19 0x563741af66b1 in execute_sqlcom_select(THD, TABLE_LIST) /test/11.8_opt_san/sql/sql_parse.cc:6191:12
#20 0x563741ad77cd in mysql_execute_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:3979:12
#21 0x563741bb4809 in Prepared_statement::execute(String*, bool) /test/11.8_opt_san/sql/sql_prepare.cc:5084:14
#22 0x563741b9ff1f in Prepared_statement::execute_loop(String, bool, unsigned char, unsigned char*) /test/11.8_opt_san/sql/sql_prepare.cc:4448:10
#23 0x563741b9f157 in mysql_sql_stmt_execute(THD*) /test/11.8_opt_san/sql/sql_prepare.cc:3460:16
#24 0x563741ad9d47 in mysql_execute_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:3995:5
#25 0x563741ab8600 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.8_opt_san/sql/sql_parse.cc:7915:18
#26 0x563741aaf8c6 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.8_opt_san/sql/sql_parse.cc:1902:7
#27 0x563741aba8c6 in do_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:1415:17
#28 0x563742140f5c in do_handle_one_connection(CONNECT*, bool) /test/11.8_opt_san/sql/sql_connect.cc:1415:11
#29 0x5637421407b6 in handle_one_connection /test/11.8_opt_san/sql/sql_connect.cc:1327:5
#30 0x5637414fc99c in asan_thread_start(void*) asan_interceptors.cpp.o
#31 0x14888429ca93 in start_thread nptl/pthread_create.c:447:8
#32 0x148884329c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

0x52d0003c1f88 is located 7048 bytes inside of 32760-byte region [0x52d0003c0400,0x52d0003c83f8)
allocated by thread T9 here:
#0 0x5637414feeb3 in malloc (/test/UBASAN_MD150225-mariadb-11.8.1-linux-x86_64-opt/bin/mariadbd+0x1e71eb3) (BuildId: f3e199ef88d6788e4e27c5ca38da7ab62bc11a54)
#1 0x563743f4fb62 in my_malloc /test/11.8_opt_san/mysys/my_malloc.c:93:29
#2 0x563743f2b913 in reset_root_defaults /test/11.8_opt_san/mysys/my_alloc.c:247:30
#3 0x56374189b834 in THD::init_for_queries() /test/11.8_opt_san/sql/sql_class.cc:1526:3
#4 0x56374213f790 in prepare_new_connection_state(THD*) /test/11.8_opt_san/sql/sql_connect.cc:1253:8
#5 0x563742142fa7 in thd_prepare_connection(THD*) /test/11.8_opt_san/sql/sql_connect.cc:1348:3
#6 0x563742140f41 in do_handle_one_connection(CONNECT*, bool) /test/11.8_opt_san/sql/sql_connect.cc:1405:9
#7 0x5637421407b6 in handle_one_connection /test/11.8_opt_san/sql/sql_connect.cc:1327:5
#8 0x5637414fc99c in asan_thread_start(void*) asan_interceptors.cpp.o

Thread T9 created by T0 here:
#0 0x5637414e4825 in pthread_create (/test/UBASAN_MD150225-mariadb-11.8.1-linux-x86_64-opt/bin/mariadbd+0x1e57825) (BuildId: f3e199ef88d6788e4e27c5ca38da7ab62bc11a54)
#1 0x56374154f7b1 in create_thread_to_handle_connection(CONNECT*) /test/11.8_opt_san/sql/mysqld.cc:6261:19
#2 0x56374155099a in handle_connections_sockets() /test/11.8_opt_san/sql/mysqld.cc:6497:9
#3 0x56374154eb00 in run_main_loop() /test/11.8_opt_san/sql/mysqld.cc:5739:3
#4 0x563741545f21 in mysqld_main(int, char**) /test/11.8_opt_san/sql/mysqld.cc:6162:3
#5 0x14888422a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#6 0x14888422a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#7 0x563741464064 in _start (/test/UBASAN_MD150225-mariadb-11.8.1-linux-x86_64-opt/bin/mariadbd+0x1dd7064) (BuildId: f3e199ef88d6788e4e27c5ca38da7ab62bc11a54)

SUMMARY: AddressSanitizer: use-after-poison /test/11.8_opt_san/sql/item.h:1089:20 in Item::fixed() const
Shadow bytes around the buggy address:
0x52d0003c1d00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x52d0003c1d80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x52d0003c1e00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x52d0003c1e80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x52d0003c1f00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x52d0003c1f80: f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x52d0003c2000: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x52d0003c2080: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x52d0003c2100: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x52d0003c2180: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x52d0003c2200: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1604938==ABORTING
250219 14:09:58 [ERROR] /test/UBASAN_MD150225-mariadb-11.8.1-linux-x86_64-opt/bin/mariadbd got signal 6 ;

CS 11.8.1 33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d (Debug, UBASAN, Clang) Build 15/02/2025
/test/11.8_dbg_san/sql/item_func.cc:645:22: runtime error: member call on address 0x52d0003c1f40 which does not point to an object of type 'Item'
0x52d0003c1f40: note: object has invalid vptr
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 ba fc a3 1a 56 00 00 07 00 00 00
^~~~~~~~~~~~~~~~~~~~~~~
invalid vptr
#0 0x561aa0346c1d in Item_func::print_op(String*, enum_query_type) /test/11.8_dbg_san/sql/item_func.cc:645:22
#1 0x561aa012949d in Item::print_parenthesised(String*, enum_query_type, precedence) /test/11.8_dbg_san/sql/item.cc:518:5
#2 0x561aa02915fa in Item_cond::print(String*, enum_query_type) /test/11.8_dbg_san/sql/item_cmpfunc.cc:5573:11
#3 0x561aa01eb2ec in dbug_print_item(Item*) /test/11.8_dbg_san/sql/item.cc:11296:9
#4 0x561a9f39671d in JOIN::prepare(TABLE_LIST, Item, unsigned int, st_order, bool, st_order, Item, st_order, st_select_lex, st_select_lex_unit) /test/11.8_dbg_san/sql/sql_select.cc:1442:3
#5 0x561aa059c848 in subselect_single_select_engine::prepare(THD*) /test/11.8_dbg_san/sql/item_subselect.cc:3981:13
#6 0x561aa054cdd6 in Item_subselect::fix_fields(THD, Item*) /test/11.8_dbg_san/sql/item_subselect.cc:294:22
#7 0x561aa0594244 in Item_in_subselect::fix_fields(THD, Item*) /test/11.8_dbg_san/sql/item_subselect.cc:3620:23
#8 0x561aa0246c25 in Item_in_optimizer::fix_fields(THD, Item*) /test/11.8_dbg_san/sql/item_cmpfunc.cc:1507:16
#9 0x561a9edddcfb in Item::fix_fields_if_needed_for_scalar(THD, Item*) /test/11.8_dbg_san/sql/item.h:1177:12
#10 0x561a9f39a1bb in JOIN::prepare(TABLE_LIST, Item, unsigned int, st_order, bool, st_order, Item, st_order, st_select_lex, st_select_lex_unit) /test/11.8_dbg_san/sql/sql_select.cc:1634:33
#11 0x561a9f38b6b2 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/11.8_dbg_san/sql/sql_select.cc:5350:21
#12 0x561a9f38a102 in handle_select(THD, LEX, select_result*, unsigned long long) /test/11.8_dbg_san/sql/sql_select.cc:633:10
#13 0x561a9f25f107 in execute_sqlcom_select(THD, TABLE_LIST) /test/11.8_dbg_san/sql/sql_parse.cc:6191:12
#14 0x561a9f24ae05 in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:3979:12
#15 0x561a9f3245be in Prepared_statement::execute(String*, bool) /test/11.8_dbg_san/sql/sql_prepare.cc:5084:14
#16 0x561a9f30f6b7 in Prepared_statement::execute_loop(String, bool, unsigned char, unsigned char*) /test/11.8_dbg_san/sql/sql_prepare.cc:4448:10
#17 0x561a9f30e77c in mysql_sql_stmt_execute(THD*) /test/11.8_dbg_san/sql/sql_prepare.cc:3460:16
#18 0x561a9f2425d4 in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:3995:5
#19 0x561a9f21a628 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.8_dbg_san/sql/sql_parse.cc:7915:18
#20 0x561a9f20e6eb in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1902:7
#21 0x561a9f21d04d in do_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1415:17
#22 0x561a9f8e5cfc in do_handle_one_connection(CONNECT*, bool) /test/11.8_dbg_san/sql/sql_connect.cc:1415:11
#23 0x561a9f8e55b7 in handle_one_connection /test/11.8_dbg_san/sql/sql_connect.cc:1327:5
#24 0x561a9ec11d9c in asan_thread_start(void*) asan_interceptors.cpp.o
#25 0x14c2e909ca93 in start_thread nptl/pthread_create.c:447:8
#26 0x14c2e9129c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

SUMMARY: UndefinedBehaviorSanitizer: dynamic-type-mismatch /test/11.8_dbg_san/sql/item_func.cc:645:22
/test/11.8_dbg_san/sql/item.cc:512:21: runtime error: member call on address 0x52d0003c1f40 which does not point to an object of type 'Item'
0x52d0003c1f40: note: object has invalid vptr
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 ba fc a3 1a 56 00 00 07 00 00 00
^~~~~~~~~~~~~~~~~~~~~~~
invalid vptr
#0 0x561aa01294c5 in Item::print_parenthesised(String*, enum_query_type, precedence) /test/11.8_dbg_san/sql/item.cc:512:21
#1 0x561aa0346ac8 in Item_func::print_op(String*, enum_query_type) /test/11.8_dbg_san/sql/item_func.cc:645:22
#2 0x561aa012949d in Item::print_parenthesised(String*, enum_query_type, precedence) /test/11.8_dbg_san/sql/item.cc:518:5
#3 0x561aa02915fa in Item_cond::print(String*, enum_query_type) /test/11.8_dbg_san/sql/item_cmpfunc.cc:5573:11
#4 0x561aa01eb2ec in dbug_print_item(Item*) /test/11.8_dbg_san/sql/item.cc:11296:9
#5 0x561a9f39671d in JOIN::prepare(TABLE_LIST, Item, unsigned int, st_order, bool, st_order, Item, st_order, st_select_lex, st_select_lex_unit) /test/11.8_dbg_san/sql/sql_select.cc:1442:3
#6 0x561aa059c848 in subselect_single_select_engine::prepare(THD*) /test/11.8_dbg_san/sql/item_subselect.cc:3981:13
#7 0x561aa054cdd6 in Item_subselect::fix_fields(THD, Item*) /test/11.8_dbg_san/sql/item_subselect.cc:294:22
#8 0x561aa0594244 in Item_in_subselect::fix_fields(THD, Item*) /test/11.8_dbg_san/sql/item_subselect.cc:3620:23
#9 0x561aa0246c25 in Item_in_optimizer::fix_fields(THD, Item*) /test/11.8_dbg_san/sql/item_cmpfunc.cc:1507:16
#10 0x561a9edddcfb in Item::fix_fields_if_needed_for_scalar(THD, Item*) /test/11.8_dbg_san/sql/item.h:1177:12
#11 0x561a9f39a1bb in JOIN::prepare(TABLE_LIST, Item, unsigned int, st_order, bool, st_order, Item, st_order, st_select_lex, st_select_lex_unit) /test/11.8_dbg_san/sql/sql_select.cc:1634:33
#12 0x561a9f38b6b2 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/11.8_dbg_san/sql/sql_select.cc:5350:21
#13 0x561a9f38a102 in handle_select(THD, LEX, select_result*, unsigned long long) /test/11.8_dbg_san/sql/sql_select.cc:633:10
#14 0x561a9f25f107 in execute_sqlcom_select(THD, TABLE_LIST) /test/11.8_dbg_san/sql/sql_parse.cc:6191:12
#15 0x561a9f24ae05 in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:3979:12
#16 0x561a9f3245be in Prepared_statement::execute(String*, bool) /test/11.8_dbg_san/sql/sql_prepare.cc:5084:14
#17 0x561a9f30f6b7 in Prepared_statement::execute_loop(String, bool, unsigned char, unsigned char*) /test/11.8_dbg_san/sql/sql_prepare.cc:4448:10
#18 0x561a9f30e77c in mysql_sql_stmt_execute(THD*) /test/11.8_dbg_san/sql/sql_prepare.cc:3460:16
#19 0x561a9f2425d4 in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:3995:5
#20 0x561a9f21a628 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.8_dbg_san/sql/sql_parse.cc:7915:18
#21 0x561a9f20e6eb in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1902:7
#22 0x561a9f21d04d in do_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1415:17
#23 0x561a9f8e5cfc in do_handle_one_connection(CONNECT*, bool) /test/11.8_dbg_san/sql/sql_connect.cc:1415:11
#24 0x561a9f8e55b7 in handle_one_connection /test/11.8_dbg_san/sql/sql_connect.cc:1327:5
#25 0x561a9ec11d9c in asan_thread_start(void*) asan_interceptors.cpp.o
#26 0x14c2e909ca93 in start_thread nptl/pthread_create.c:447:8
#27 0x14c2e9129c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

SUMMARY: UndefinedBehaviorSanitizer: dynamic-type-mismatch /test/11.8_dbg_san/sql/item.cc:512:21
=================================================================
==1617400==ERROR: AddressSanitizer: use-after-poison on address 0x52d0003c1f40 at pc 0x561aa012956d bp 0x14c2b90ff670 sp 0x14c2b90ff668
READ of size 8 at 0x52d0003c1f40 thread T12
#0 0x561aa012956c in Item::print_parenthesised(String*, enum_query_type, precedence) /test/11.8_dbg_san/sql/item.cc:512:21
#1 0x561aa0346ac8 in Item_func::print_op(String*, enum_query_type) /test/11.8_dbg_san/sql/item_func.cc:645:22
#2 0x561aa012949d in Item::print_parenthesised(String*, enum_query_type, precedence) /test/11.8_dbg_san/sql/item.cc:518:5
#3 0x561aa02915fa in Item_cond::print(String*, enum_query_type) /test/11.8_dbg_san/sql/item_cmpfunc.cc:5573:11
#4 0x561aa01eb2ec in dbug_print_item(Item*) /test/11.8_dbg_san/sql/item.cc:11296:9
#5 0x561a9f39671d in JOIN::prepare(TABLE_LIST, Item, unsigned int, st_order, bool, st_order, Item, st_order, st_select_lex, st_select_lex_unit) /test/11.8_dbg_san/sql/sql_select.cc:1442:3
#6 0x561aa059c848 in subselect_single_select_engine::prepare(THD*) /test/11.8_dbg_san/sql/item_subselect.cc:3981:13
#7 0x561aa054cdd6 in Item_subselect::fix_fields(THD, Item*) /test/11.8_dbg_san/sql/item_subselect.cc:294:22
#8 0x561aa0594244 in Item_in_subselect::fix_fields(THD, Item*) /test/11.8_dbg_san/sql/item_subselect.cc:3620:23
#9 0x561aa0246c25 in Item_in_optimizer::fix_fields(THD, Item*) /test/11.8_dbg_san/sql/item_cmpfunc.cc:1507:16
#10 0x561a9edddcfb in Item::fix_fields_if_needed_for_scalar(THD, Item*) /test/11.8_dbg_san/sql/item.h:1177:12
#11 0x561a9f39a1bb in JOIN::prepare(TABLE_LIST, Item, unsigned int, st_order, bool, st_order, Item, st_order, st_select_lex, st_select_lex_unit) /test/11.8_dbg_san/sql/sql_select.cc:1634:33
#12 0x561a9f38b6b2 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/11.8_dbg_san/sql/sql_select.cc:5350:21
#13 0x561a9f38a102 in handle_select(THD, LEX, select_result*, unsigned long long) /test/11.8_dbg_san/sql/sql_select.cc:633:10
#14 0x561a9f25f107 in execute_sqlcom_select(THD, TABLE_LIST) /test/11.8_dbg_san/sql/sql_parse.cc:6191:12
#15 0x561a9f24ae05 in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:3979:12
#16 0x561a9f3245be in Prepared_statement::execute(String*, bool) /test/11.8_dbg_san/sql/sql_prepare.cc:5084:14
#17 0x561a9f30f6b7 in Prepared_statement::execute_loop(String, bool, unsigned char, unsigned char*) /test/11.8_dbg_san/sql/sql_prepare.cc:4448:10
#18 0x561a9f30e77c in mysql_sql_stmt_execute(THD*) /test/11.8_dbg_san/sql/sql_prepare.cc:3460:16
#19 0x561a9f2425d4 in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:3995:5
#20 0x561a9f21a628 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.8_dbg_san/sql/sql_parse.cc:7915:18
#21 0x561a9f20e6eb in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1902:7
#22 0x561a9f21d04d in do_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1415:17
#23 0x561a9f8e5cfc in do_handle_one_connection(CONNECT*, bool) /test/11.8_dbg_san/sql/sql_connect.cc:1415:11
#24 0x561a9f8e55b7 in handle_one_connection /test/11.8_dbg_san/sql/sql_connect.cc:1327:5
#25 0x561a9ec11d9c in asan_thread_start(void*) asan_interceptors.cpp.o
#26 0x14c2e909ca93 in start_thread nptl/pthread_create.c:447:8
#27 0x14c2e9129c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

0x52d0003c1f40 is located 6976 bytes inside of 32760-byte region [0x52d0003c0400,0x52d0003c83f8)
allocated by thread T12 here:
#0 0x561a9ec142b3 in malloc (/test/UBASAN_MD150225-mariadb-11.8.1-linux-x86_64-dbg/bin/mariadbd+0x24fa2b3) (BuildId: f23c726b1ad19a347fd8a9533b96424ce4c3dcb5)
#1 0x561aa19fa7cd in my_malloc /test/11.8_dbg_san/mysys/my_malloc.c:93:29
#2 0x561aa19c7d62 in reset_root_defaults /test/11.8_dbg_san/mysys/my_alloc.c:247:30
#3 0x561a9efeeeb4 in THD::init_for_queries() /test/11.8_dbg_san/sql/sql_class.cc:1526:3
#4 0x561a9f8e4593 in prepare_new_connection_state(THD*) /test/11.8_dbg_san/sql/sql_connect.cc:1253:8
#5 0x561a9f8e7fcb in thd_prepare_connection(THD*) /test/11.8_dbg_san/sql/sql_connect.cc:1348:3
#6 0x561a9f8e5ce3 in do_handle_one_connection(CONNECT*, bool) /test/11.8_dbg_san/sql/sql_connect.cc:1405:9
#7 0x561a9f8e55b7 in handle_one_connection /test/11.8_dbg_san/sql/sql_connect.cc:1327:5
#8 0x561a9ec11d9c in asan_thread_start(void*) asan_interceptors.cpp.o

Thread T12 created by T0 here:
#0 0x561a9ebf9c25 in pthread_create (/test/UBASAN_MD150225-mariadb-11.8.1-linux-x86_64-dbg/bin/mariadbd+0x24dfc25) (BuildId: f23c726b1ad19a347fd8a9533b96424ce4c3dcb5)
#1 0x561a9ec65e9a in create_thread_to_handle_connection(CONNECT*) /test/11.8_dbg_san/sql/mysqld.cc:6261:19
#2 0x561a9ec66e65 in handle_connections_sockets() /test/11.8_dbg_san/sql/mysqld.cc:6497:9
#3 0x561a9ec650fa in run_main_loop() /test/11.8_dbg_san/sql/mysqld.cc:5739:3
#4 0x561a9ec5bc51 in mysqld_main(int, char**) /test/11.8_dbg_san/sql/mysqld.cc:6162:3
#5 0x14c2e902a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#6 0x14c2e902a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#7 0x561a9eb79464 in _start (/test/UBASAN_MD150225-mariadb-11.8.1-linux-x86_64-dbg/bin/mariadbd+0x245f464) (BuildId: f23c726b1ad19a347fd8a9533b96424ce4c3dcb5)

SUMMARY: AddressSanitizer: use-after-poison /test/11.8_dbg_san/sql/item.cc:512:21 in Item::print_parenthesised(String*, enum_query_type, precedence)
Shadow bytes around the buggy address:
0x52d0003c1c80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x52d0003c1d00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x52d0003c1d80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x52d0003c1e00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x52d0003c1e80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x52d0003c1f00: f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7
0x52d0003c1f80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x52d0003c2000: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x52d0003c2080: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x52d0003c2100: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x52d0003c2180: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1617400==ABORTING
250219 14:10:14 [ERROR] /test/UBASAN_MD150225-mariadb-11.8.1-linux-x86_64-dbg/bin/mariadbd got signal 6 ;

All *SAN bugs seen:

SIGABRT|__sanitizer::Abort|__sanitizer::Die|__asan::ScopedInErrorReport::~ScopedInErrorReport|__asan::ReportGenericError

ASAN|use-after-poison|sql/item.h|Item::fixed|Item::fix_fields_if_needed|Item_func::fix_fields|Item::fix_fields_if_needed_for_scalar

ASAN|use-after-poison|sql/item.cc|Item::print_parenthesised|Item::print_parenthesised|Item_cond::print|dbug_print_item

ASAN|use-after-poison|sql/item.h|Item::fix_fields_if_needed|Item_func::fix_fields|Item::fix_fields_if_needed_for_scalar|Item::fix_fields_if_needed_for_bool

ASAN|use-after-poison|sql/item.cc|Item::print_parenthesised|Item_func::print_op|Item::print_parenthesised|Item_cond::print

UBSAN|member call on address X which does not point to an object of type 'Item'|sql/item.h|Item::fix_fields_if_needed|Item_func::fix_fields|Item::fix_fields_if_needed_for_scalar|Item::fix_fields_if_needed_for_bool

UBSAN|member call on address X which does not point to an object of type 'Item'|sql/item.cc|Item::print_parenthesised|Item::print_parenthesised|Item_cond::print|dbug_print_item

UBSAN|member call on address X which does not point to an object of type 'Item'|sql/item.cc|Item::print_parenthesised|Item_func::print_op|Item::print_parenthesised|Item_cond::print

UBSAN|member call on address X which does not point to an object of type 'Item'|sql/item_func.cc|Item_func::fix_fields|Item::fix_fields_if_needed_for_scalar|Item::fix_fields_if_needed_for_bool|Item_cond::fix_fields

UBSAN|member call on address X which does not point to an object of type 'Item'|sql/item_func.cc|Item_func::print_op|Item::print_parenthesised|Item_cond::print|dbug_print_item

UBSAN|member access within address X which does not point to an object of type 'const Item'|sql/item.h|Item::fixed|Item::fix_fields_if_needed|Item_func::fix_fields|Item::fix_fields_if_needed_for_scalar

I can provide full stacks for each issue if needed.

Bug confirmed present in:
MariaDB: 10.5.29 (dbg), 10.5.29 (opt), 10.6.22 (dbg), 10.6.22 (opt), 10.11.12 (dbg), 10.11.12 (opt), 11.4.6 (dbg), 11.4.6 (opt), 11.8.1 (dbg), 11.8.1 (opt), 12.0.0 (dbg), 12.0.0 (opt)
MySQL: 5.7.44 (dbg), 5.7.44 (opt)

Bug (or feature/syntax) confirmed not present in:
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 8.0.36 (dbg), 8.0.36 (opt), 9.1.0 (dbg), 9.1.0 (opt)

Note the bug was present in MySQL 5.7.

Clang Setup:

Compiled with a recent version of Clang (I used Clang 18.1.3) with LLVM 18. Ubuntu instructions:

  # Note: It is strongly recommended to uninstall all old Clang & LLVM packages (ref  dpkg --list | grep -iE 'clang|llvm'  and use  apt purge  and  dpkg --purge  to remove the packages), before following these steps

     # Note: llvm-17-linker-tools installs /usr/lib/llvm-17/lib/LLVMgold.so, which is needed for compilation, and LLVMgold.so is no longer included in LLVM 18

     sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev llvm-17-linker-tools

     sudo ln -s /usr/lib/llvm-17/lib/LLVMgold.so /usr/lib/llvm-18/lib/LLVMgold.so

Compiled with: "-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DCMAKE_C{,XX}_FLAGS='-march=native -mtune=native'" and:

    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON

Set before execution:

    export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1   # And you may also want to supress UBSAN startup issues using 'suppressions=UBSAN.filter' in UBSAN_OPTIONS. For an example of UBSAN.filter, which includes current startup issues see: https://github.com/mariadb-corporation/mariadb-qa/blob/master/UBSAN.filter

    export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1

Roel Van de Paar added a comment - 2025-02-19 03:15 - edited Additional testcase: CREATE TABLE t1 (a INT ,b INT , PRIMARY KEY (a)); CREATE TABLE t2 (a1 INT ); PREPARE s FROM 'SELECT * FROM t1 HAVING 0 IN (SELECT a FROM t2 WHERE a IN (SELECT a FROM t2 WHERE b=a))' ; EXECUTE s; SELECT a FROM t1; EXECUTE s; Leads to: CS 11.8.1 33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d (Optimized) Build 15/02/2025 Core was generated by `/test/MD150225-mariadb-11.8.1-linux-x86_64-opt/bin/mariadbd --no-defaults --max'. Program terminated with signal SIGSEGV, Segmentation fault. #0 0x0000000000000006 in ?? () [Current thread is 1 (LWP 1521327)] (gdb) bt #0 0x0000000000000006 in ?? () #1 0x000055e5593ea1ef in Item::fix_fields_if_needed (this=0x14a674018ec8, thd=0x14a674000c68, ref=0x14a6740319b0) at /test/11.8_opt/sql/item.h:1168 #2 Item_func::fix_fields (this=0x14a674031928, thd=0x14a674000c68, ref=<optimized out>) at /test/11.8_opt/sql/item_func.cc:348 #3 0x000055e5593c1ede in Item::fix_fields_if_needed (this=0x14a674031928, thd=0x14a674000c68, ref=0x14a6740176d0) at /test/11.8_opt/sql/item.h:1168 #4 Item::fix_fields_if_needed_for_scalar (this=0x14a674031928, thd=0x14a674000c68, ref=0x14a6740176d0) at /test/11.8_opt/sql/item.h:1177 #5 Item::fix_fields_if_needed_for_bool (this=0x14a674031928, thd=0x14a674000c68, ref=0x14a6740176d0) at /test/11.8_opt/sql/item.h:1181 #6 Item_cond::fix_fields (this=0x14a6740175a8, thd=0x14a674000c68, ref=<optimized out>) at /test/11.8_opt/sql/item_cmpfunc.cc:5138 #7 0x000055e5590a4d84 in Item::fix_fields_if_needed (this=0x14a6740175a8, thd=0x14a674000c68, ref=0x14a674018448) at /test/11.8_opt/sql/item.h:1168 #8 Item::fix_fields_if_needed_for_scalar (this=0x14a6740175a8, thd=0x14a674000c68, ref=0x14a674018448) at /test/11.8_opt/sql/item.h:1177 #9 Item::fix_fields_if_needed_for_bool (this=0x14a6740175a8, thd=0x14a674000c68, ref=0x14a674018448) at /test/11.8_opt/sql/item.h:1181 #10 setup_conds (thd=0x14a674000c68, tables=tables@entry=0x14a67402cea8, leaves=<optimized out>, conds=0x14a674018448)at /test/11.8_opt/sql/sql_base.cc:8885 #11 0x000055e55914bc89 in setup_without_group (thd=0x14a674018ec8, ref_pointer_array={m_array = 0x14a674030c18, m_size = 9}, tables=0x14a67402cea8, leaves=<error reading variable: Cannot access memory at address 0x1>, fields=@0x14a67402cb20: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14a67402ce58, last = 0x14a67402ce58, elements = 1}, <No data fields>}, all_fields=@0x14a674018360: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14a67402ce58, last = 0x14a67402ce58, elements = 1}, <No data fields>}, conds=0x14a674018448, order=0x0, group=0x0, win_specs=@0x14a67402cce8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55e55a34b340 <end_of_list>, last = 0x14a67402cce8, elements = 0}, <No data fields>}, win_funcs=@0x14a67402cd08: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55e55a34b340 <end_of_list>, last = 0x14a67402cd08, elements = 0}, <No data fields>}, hidden_group_fields=0x14a67401830f)at /test/11.8_opt/sql/sql_select.cc:955 #12 0x000055e55914b0cb in JOIN::prepare (this=0x14a674017fc0, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x14a67402c868, unit_arg=0x14a67402f3e8)at /test/11.8_opt/sql/sql_select.cc:1577 #13 0x000055e559458b01 in subselect_single_select_engine::prepare (this=0x14a67402fe70, thd=0x14a674000c68)at /test/11.8_opt/sql/item_subselect.cc:3981 #14 0x000055e55944fd5c in Item_subselect::fix_fields (this=this@entry=0x14a67402fc38, thd_param=thd_param@entry=0x14a674000c68, ref=ref@entry=0x14a674030f50) at /test/11.8_opt/sql/item_subselect.cc:294 #15 0x000055e55945803c in Item_in_subselect::fix_fields (this=0x14a67402fc38, thd_arg=0x14a674000c68, ref=0x14a674030f50)at /test/11.8_opt/sql/item_subselect.cc:3620 #16 0x000055e5593b8792 in Item::fix_fields_if_needed (this=0x14a674018ec8, thd=0x14a674000c68, ref=0x14a6740319b0) at /test/11.8_opt/sql/item.h:1168 #17 Item_in_optimizer::fix_fields (this=0x14a674030ec8, thd=0x14a674000c68, ref=<optimized out>) at /test/11.8_opt/sql/item_cmpfunc.cc:1507 #18 0x000055e55914b34d in Item::fix_fields_if_needed (this=0x14a674030ec8, thd=0x14a674000c68, ref=0x14a674017a00) at /test/11.8_opt/sql/item.h:1168 #19 Item::fix_fields_if_needed_for_scalar (this=0x14a674030ec8, thd=0x14a674000c68, ref=0x14a674017a00) at /test/11.8_opt/sql/item.h:1177 #20 Item::fix_fields_if_needed_for_bool (this=0x14a674030ec8, thd=0x14a674000c68, ref=0x14a674017a00) at /test/11.8_opt/sql/item.h:1181 #21 JOIN::prepare (this=this@entry=0x14a6740177f8, tables_init=tables_init@entry=0x14a67402c0a8, conds_init=conds_init@entry=0x0, og_num=og_num@entry=0, order_init=order_init@entry=0x0, skip_order_by=false, group_init=0x0, having_init=0x14a674030ec8, proc_param_init=0x0, select_lex_arg=0x14a67402ba70, unit_arg=0x14a674029cc8)at /test/11.8_opt/sql/sql_select.cc:1634 #22 0x000055e559147261 in mysql_select (thd=thd@entry=0x14a674000c68, tables=0x14a67402c0a8, fields=@0x14a67402bd28: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14a67402c058, last = 0x14a6740309b8, elements = 2}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x14a674030ec8, proc_param=0x0, select_options=<optimized out>, result=0x14a674030720, unit=0x14a674029cc8, select_lex=0x14a67402ba70)at /test/11.8_opt/sql/sql_select.cc:5350 #23 0x000055e559147019 in handle_select (thd=thd@entry=0x14a674000c68, lex=lex@entry=0x14a674029be8, result=result@entry=0x14a674030720, setup_tables_done_option=setup_tables_done_option@entry=0)at /test/11.8_opt/sql/sql_select.cc:633 #24 0x000055e5591145ee in execute_sqlcom_select (thd=thd@entry=0x14a674000c68, all_tables=0x14a67402c0a8) at /test/11.8_opt/sql/sql_parse.cc:6191 #25 0x000055e559112ae0 in mysql_execute_command (thd=0x14a674000c68, is_called_from_prepared_stmt=true) at /test/11.8_opt/sql/sql_parse.cc:3979 #26 0x000055e5591378d6 in Prepared_statement::execute (this=this@entry=0x14a674021a18, expanded_query=expanded_query@entry=0x14a6c21b2d88, open_cursor=false)at /test/11.8_opt/sql/sql_prepare.cc:5084 #27 0x000055e5591359a2 in Prepared_statement::execute_loop (this=this@entry=0x14a674021a18, expanded_query=expanded_query@entry=0x14a6c21b2d88, open_cursor=<optimized out>, packet=packet@entry=0x0, packet_end=packet_end@entry=0x0) at /test/11.8_opt/sql/sql_prepare.cc:4448 #28 0x000055e5591357e0 in mysql_sql_stmt_execute (thd=thd@entry=0x14a674000c68)at /test/11.8_opt/sql/sql_prepare.cc:3460 #29 0x000055e5591100fc in mysql_execute_command (thd=thd@entry=0x14a674000c68, is_called_from_prepared_stmt=false) at /test/11.8_opt/sql/sql_parse.cc:3995 #30 0x000055e55910b341 in mysql_parse (thd=thd@entry=0x14a674000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14a6c21b3430)at /test/11.8_opt/sql/sql_parse.cc:7915 #31 0x000055e5591097d0 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14a674000c68, packet=packet@entry=0x14a6740088a9 "EXECUTE s", packet_length=packet_length@entry=9, blocking=true)at /test/11.8_opt/sql/sql_parse.cc:1902 #32 0x000055e55910b751 in do_command (thd=thd@entry=0x14a674000c68, blocking=true) at /test/11.8_opt/sql/sql_parse.cc:1415 #33 0x000055e559236f8d in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55e55c563e28, put_in_cache=true)at /test/11.8_opt/sql/sql_connect.cc:1415 #34 0x000055e559236d4f in handle_one_connection (arg=arg@entry=0x55e55c563e28)at /test/11.8_opt/sql/sql_connect.cc:1327 #35 0x000055e5595bbe29 in pfs_spawn_thread (arg=0x55e55c510718)at /test/11.8_opt/storage/perfschema/pfs.cc:2198 #36 0x000014a6ce29ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447 #37 0x000014a6ce329c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78 As well as a variety of other stacks. All stacks seen: SIGABRT|__gnu_cxx::__verbose_terminate_handler|__cxxabiv1::__terminate|std::terminate|__cxxabiv1::__cxa_pure_virtual SIGSEGV|Item::fix_fields_if_needed|Item_func::fix_fields|Item::fix_fields_if_needed|Item::fix_fields_if_needed_for_scalar SIGSEGV|Item::print_parenthesised|Item_func::print_op|Item_bool_rowready_func2::print|Item::print_parenthesised SIGSEGV|Item_func::fix_func_arg|Item_func::fix_fields|Item_cond::fix_fields|st_select_lex::setup_conds As well as various UBSAN and ASAN issues (scroll down in each log to see details): CS 11.8.1 33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d (Optimized, UBASAN, Clang) Build 15/02/2025 /test/11.8_opt_san/sql/item_func.cc:348:19: runtime error: member call on address 0x52d0003c1f20 which does not point to an object of type 'Item' 0x52d0003c1f20: note: object has a possibly invalid vptr: abs(offset to top) too big b0 52 00 00 c8 04 3c 00 d0 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00 37 56 00 00 00 00 00 00 ^~~~~~~~~~~~~~~~~~~~~~~ possibly invalid vptr #0 0x563742b1b477 in Item_func::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_func.cc:348:19 #1 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.8_opt_san/sql/item.h:1177:12 #2 0x563742a6754d in Item::fix_fields_if_needed_for_bool(THD*, Item**) /test/11.8_opt_san/sql/item.h:1181:12 #3 0x563742a6754d in Item_cond::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_cmpfunc.cc:5138:15 #4 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.8_opt_san/sql/item.h:1177:12 #5 0x5637418472c2 in Item::fix_fields_if_needed_for_bool(THD*, Item**) /test/11.8_opt_san/sql/item.h:1181:12 #6 0x5637418472c2 in setup_conds(THD*, TABLE_LIST*, List<TABLE_LIST>&, Item**) /test/11.8_opt_san/sql/sql_base.cc:8885:19 #7 0x563741c1f912 in setup_without_group(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<TABLE_LIST>&, List<Item>&, List<Item>&, Item**, st_order*, st_order*, List<Window_spec>&, List<Item_window_func>&, bool*) /test/11.8_opt_san/sql/sql_select.cc:955:8 #8 0x563741c18e27 in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.8_opt_san/sql/sql_select.cc:1577:7 #9 0x563742d54e60 in subselect_single_select_engine::prepare(THD*) /test/11.8_opt_san/sql/item_subselect.cc:3981:13 #10 0x563742d1140a in Item_subselect::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_subselect.cc:294:22 #11 0x563742d4e297 in Item_in_subselect::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_subselect.cc:3620:23 #12 0x563742a293b8 in Item_in_optimizer::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_cmpfunc.cc:1507:16 #13 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.8_opt_san/sql/item.h:1177:12 #14 0x563741c19cc3 in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.8_opt_san/sql/sql_select.cc:1634:33 #15 0x563741c0bd4c in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.8_opt_san/sql/sql_select.cc:5350:21 #16 0x563741c0ad90 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.8_opt_san/sql/sql_select.cc:633:10 #17 0x563741af66b1 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/11.8_opt_san/sql/sql_parse.cc:6191:12 #18 0x563741ad77cd in mysql_execute_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:3979:12 #19 0x563741bb4809 in Prepared_statement::execute(String*, bool) /test/11.8_opt_san/sql/sql_prepare.cc:5084:14 #20 0x563741b9ff1f in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /test/11.8_opt_san/sql/sql_prepare.cc:4448:10 #21 0x563741b9f157 in mysql_sql_stmt_execute(THD*) /test/11.8_opt_san/sql/sql_prepare.cc:3460:16 #22 0x563741ad9d47 in mysql_execute_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:3995:5 #23 0x563741ab8600 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_opt_san/sql/sql_parse.cc:7915:18 #24 0x563741aaf8c6 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_opt_san/sql/sql_parse.cc:1902:7 #25 0x563741aba8c6 in do_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:1415:17 #26 0x563742140f5c in do_handle_one_connection(CONNECT*, bool) /test/11.8_opt_san/sql/sql_connect.cc:1415:11 #27 0x5637421407b6 in handle_one_connection /test/11.8_opt_san/sql/sql_connect.cc:1327:5 #28 0x5637414fc99c in asan_thread_start(void*) asan_interceptors.cpp.o #29 0x14888429ca93 in start_thread nptl/pthread_create.c:447:8 #30 0x148884329c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78 SUMMARY: UndefinedBehaviorSanitizer: dynamic-type-mismatch /test/11.8_opt_san/sql/item_func.cc:348:19 /test/11.8_opt_san/sql/item.h:1168:12: runtime error: member call on address 0x52d0003c1f20 which does not point to an object of type 'Item' 0x52d0003c1f20: note: object has a possibly invalid vptr: abs(offset to top) too big b0 52 00 00 c8 04 3c 00 d0 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00 37 56 00 00 00 00 00 00 ^~~~~~~~~~~~~~~~~~~~~~~ possibly invalid vptr #0 0x5637416b3fa6 in Item::fix_fields_if_needed(THD*, Item**) /test/11.8_opt_san/sql/item.h:1168:12 #1 0x563742b1b0f7 in Item_func::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_func.cc:348:19 #2 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.8_opt_san/sql/item.h:1177:12 #3 0x563742a6754d in Item::fix_fields_if_needed_for_bool(THD*, Item**) /test/11.8_opt_san/sql/item.h:1181:12 #4 0x563742a6754d in Item_cond::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_cmpfunc.cc:5138:15 #5 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.8_opt_san/sql/item.h:1177:12 #6 0x5637418472c2 in Item::fix_fields_if_needed_for_bool(THD*, Item**) /test/11.8_opt_san/sql/item.h:1181:12 #7 0x5637418472c2 in setup_conds(THD*, TABLE_LIST*, List<TABLE_LIST>&, Item**) /test/11.8_opt_san/sql/sql_base.cc:8885:19 #8 0x563741c1f912 in setup_without_group(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<TABLE_LIST>&, List<Item>&, List<Item>&, Item**, st_order*, st_order*, List<Window_spec>&, List<Item_window_func>&, bool*) /test/11.8_opt_san/sql/sql_select.cc:955:8 #9 0x563741c18e27 in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.8_opt_san/sql/sql_select.cc:1577:7 #10 0x563742d54e60 in subselect_single_select_engine::prepare(THD*) /test/11.8_opt_san/sql/item_subselect.cc:3981:13 #11 0x563742d1140a in Item_subselect::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_subselect.cc:294:22 #12 0x563742d4e297 in Item_in_subselect::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_subselect.cc:3620:23 #13 0x563742a293b8 in Item_in_optimizer::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_cmpfunc.cc:1507:16 #14 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.8_opt_san/sql/item.h:1177:12 #15 0x563741c19cc3 in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.8_opt_san/sql/sql_select.cc:1634:33 #16 0x563741c0bd4c in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.8_opt_san/sql/sql_select.cc:5350:21 #17 0x563741c0ad90 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.8_opt_san/sql/sql_select.cc:633:10 #18 0x563741af66b1 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/11.8_opt_san/sql/sql_parse.cc:6191:12 #19 0x563741ad77cd in mysql_execute_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:3979:12 #20 0x563741bb4809 in Prepared_statement::execute(String*, bool) /test/11.8_opt_san/sql/sql_prepare.cc:5084:14 #21 0x563741b9ff1f in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /test/11.8_opt_san/sql/sql_prepare.cc:4448:10 #22 0x563741b9f157 in mysql_sql_stmt_execute(THD*) /test/11.8_opt_san/sql/sql_prepare.cc:3460:16 #23 0x563741ad9d47 in mysql_execute_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:3995:5 #24 0x563741ab8600 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_opt_san/sql/sql_parse.cc:7915:18 #25 0x563741aaf8c6 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_opt_san/sql/sql_parse.cc:1902:7 #26 0x563741aba8c6 in do_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:1415:17 #27 0x563742140f5c in do_handle_one_connection(CONNECT*, bool) /test/11.8_opt_san/sql/sql_connect.cc:1415:11 #28 0x5637421407b6 in handle_one_connection /test/11.8_opt_san/sql/sql_connect.cc:1327:5 #29 0x5637414fc99c in asan_thread_start(void*) asan_interceptors.cpp.o #30 0x14888429ca93 in start_thread nptl/pthread_create.c:447:8 #31 0x148884329c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78 SUMMARY: UndefinedBehaviorSanitizer: dynamic-type-mismatch /test/11.8_opt_san/sql/item.h:1168:12 /test/11.8_opt_san/sql/item.h:1089:20: runtime error: member access within address 0x52d0003c1f20 which does not point to an object of type 'const Item' 0x52d0003c1f20: note: object has a possibly invalid vptr: abs(offset to top) too big b0 52 00 00 c8 04 3c 00 d0 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00 37 56 00 00 00 00 00 00 ^~~~~~~~~~~~~~~~~~~~~~~ possibly invalid vptr #0 0x5637416b3fd4 in Item::fixed() const /test/11.8_opt_san/sql/item.h:1089:20 #1 0x5637416b3fd4 in Item::fix_fields_if_needed(THD*, Item**) /test/11.8_opt_san/sql/item.h:1168:12 #2 0x563742b1b0f7 in Item_func::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_func.cc:348:19 #3 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.8_opt_san/sql/item.h:1177:12 #4 0x563742a6754d in Item::fix_fields_if_needed_for_bool(THD*, Item**) /test/11.8_opt_san/sql/item.h:1181:12 #5 0x563742a6754d in Item_cond::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_cmpfunc.cc:5138:15 #6 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.8_opt_san/sql/item.h:1177:12 #7 0x5637418472c2 in Item::fix_fields_if_needed_for_bool(THD*, Item**) /test/11.8_opt_san/sql/item.h:1181:12 #8 0x5637418472c2 in setup_conds(THD*, TABLE_LIST*, List<TABLE_LIST>&, Item**) /test/11.8_opt_san/sql/sql_base.cc:8885:19 #9 0x563741c1f912 in setup_without_group(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<TABLE_LIST>&, List<Item>&, List<Item>&, Item**, st_order*, st_order*, List<Window_spec>&, List<Item_window_func>&, bool*) /test/11.8_opt_san/sql/sql_select.cc:955:8 #10 0x563741c18e27 in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.8_opt_san/sql/sql_select.cc:1577:7 #11 0x563742d54e60 in subselect_single_select_engine::prepare(THD*) /test/11.8_opt_san/sql/item_subselect.cc:3981:13 #12 0x563742d1140a in Item_subselect::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_subselect.cc:294:22 #13 0x563742d4e297 in Item_in_subselect::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_subselect.cc:3620:23 #14 0x563742a293b8 in Item_in_optimizer::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_cmpfunc.cc:1507:16 #15 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.8_opt_san/sql/item.h:1177:12 #16 0x563741c19cc3 in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.8_opt_san/sql/sql_select.cc:1634:33 #17 0x563741c0bd4c in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.8_opt_san/sql/sql_select.cc:5350:21 #18 0x563741c0ad90 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.8_opt_san/sql/sql_select.cc:633:10 #19 0x563741af66b1 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/11.8_opt_san/sql/sql_parse.cc:6191:12 #20 0x563741ad77cd in mysql_execute_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:3979:12 #21 0x563741bb4809 in Prepared_statement::execute(String*, bool) /test/11.8_opt_san/sql/sql_prepare.cc:5084:14 #22 0x563741b9ff1f in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /test/11.8_opt_san/sql/sql_prepare.cc:4448:10 #23 0x563741b9f157 in mysql_sql_stmt_execute(THD*) /test/11.8_opt_san/sql/sql_prepare.cc:3460:16 #24 0x563741ad9d47 in mysql_execute_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:3995:5 #25 0x563741ab8600 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_opt_san/sql/sql_parse.cc:7915:18 #26 0x563741aaf8c6 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_opt_san/sql/sql_parse.cc:1902:7 #27 0x563741aba8c6 in do_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:1415:17 #28 0x563742140f5c in do_handle_one_connection(CONNECT*, bool) /test/11.8_opt_san/sql/sql_connect.cc:1415:11 #29 0x5637421407b6 in handle_one_connection /test/11.8_opt_san/sql/sql_connect.cc:1327:5 #30 0x5637414fc99c in asan_thread_start(void*) asan_interceptors.cpp.o #31 0x14888429ca93 in start_thread nptl/pthread_create.c:447:8 #32 0x148884329c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78 SUMMARY: UndefinedBehaviorSanitizer: dynamic-type-mismatch /test/11.8_opt_san/sql/item.h:1089:20 ================================================================= ==1604938==ERROR: AddressSanitizer: use-after-poison on address 0x52d0003c1f88 at pc 0x5637416b3f88 bp 0x1488572ff5d0 sp 0x1488572ff5c8 READ of size 1 at 0x52d0003c1f88 thread T9 #0 0x5637416b3f87 in Item::fixed() const /test/11.8_opt_san/sql/item.h:1089:20 #1 0x5637416b3f87 in Item::fix_fields_if_needed(THD*, Item**) /test/11.8_opt_san/sql/item.h:1168:12 #2 0x563742b1b0f7 in Item_func::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_func.cc:348:19 #3 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.8_opt_san/sql/item.h:1177:12 #4 0x563742a6754d in Item::fix_fields_if_needed_for_bool(THD*, Item**) /test/11.8_opt_san/sql/item.h:1181:12 #5 0x563742a6754d in Item_cond::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_cmpfunc.cc:5138:15 #6 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.8_opt_san/sql/item.h:1177:12 #7 0x5637418472c2 in Item::fix_fields_if_needed_for_bool(THD*, Item**) /test/11.8_opt_san/sql/item.h:1181:12 #8 0x5637418472c2 in setup_conds(THD*, TABLE_LIST*, List<TABLE_LIST>&, Item**) /test/11.8_opt_san/sql/sql_base.cc:8885:19 #9 0x563741c1f912 in setup_without_group(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<TABLE_LIST>&, List<Item>&, List<Item>&, Item**, st_order*, st_order*, List<Window_spec>&, List<Item_window_func>&, bool*) /test/11.8_opt_san/sql/sql_select.cc:955:8 #10 0x563741c18e27 in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.8_opt_san/sql/sql_select.cc:1577:7 #11 0x563742d54e60 in subselect_single_select_engine::prepare(THD*) /test/11.8_opt_san/sql/item_subselect.cc:3981:13 #12 0x563742d1140a in Item_subselect::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_subselect.cc:294:22 #13 0x563742d4e297 in Item_in_subselect::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_subselect.cc:3620:23 #14 0x563742a293b8 in Item_in_optimizer::fix_fields(THD*, Item**) /test/11.8_opt_san/sql/item_cmpfunc.cc:1507:16 #15 0x5637416b2a67 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.8_opt_san/sql/item.h:1177:12 #16 0x563741c19cc3 in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.8_opt_san/sql/sql_select.cc:1634:33 #17 0x563741c0bd4c in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.8_opt_san/sql/sql_select.cc:5350:21 #18 0x563741c0ad90 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.8_opt_san/sql/sql_select.cc:633:10 #19 0x563741af66b1 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/11.8_opt_san/sql/sql_parse.cc:6191:12 #20 0x563741ad77cd in mysql_execute_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:3979:12 #21 0x563741bb4809 in Prepared_statement::execute(String*, bool) /test/11.8_opt_san/sql/sql_prepare.cc:5084:14 #22 0x563741b9ff1f in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /test/11.8_opt_san/sql/sql_prepare.cc:4448:10 #23 0x563741b9f157 in mysql_sql_stmt_execute(THD*) /test/11.8_opt_san/sql/sql_prepare.cc:3460:16 #24 0x563741ad9d47 in mysql_execute_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:3995:5 #25 0x563741ab8600 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_opt_san/sql/sql_parse.cc:7915:18 #26 0x563741aaf8c6 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_opt_san/sql/sql_parse.cc:1902:7 #27 0x563741aba8c6 in do_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:1415:17 #28 0x563742140f5c in do_handle_one_connection(CONNECT*, bool) /test/11.8_opt_san/sql/sql_connect.cc:1415:11 #29 0x5637421407b6 in handle_one_connection /test/11.8_opt_san/sql/sql_connect.cc:1327:5 #30 0x5637414fc99c in asan_thread_start(void*) asan_interceptors.cpp.o #31 0x14888429ca93 in start_thread nptl/pthread_create.c:447:8 #32 0x148884329c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78 0x52d0003c1f88 is located 7048 bytes inside of 32760-byte region [0x52d0003c0400,0x52d0003c83f8) allocated by thread T9 here: #0 0x5637414feeb3 in malloc (/test/UBASAN_MD150225-mariadb-11.8.1-linux-x86_64-opt/bin/mariadbd+0x1e71eb3) (BuildId: f3e199ef88d6788e4e27c5ca38da7ab62bc11a54) #1 0x563743f4fb62 in my_malloc /test/11.8_opt_san/mysys/my_malloc.c:93:29 #2 0x563743f2b913 in reset_root_defaults /test/11.8_opt_san/mysys/my_alloc.c:247:30 #3 0x56374189b834 in THD::init_for_queries() /test/11.8_opt_san/sql/sql_class.cc:1526:3 #4 0x56374213f790 in prepare_new_connection_state(THD*) /test/11.8_opt_san/sql/sql_connect.cc:1253:8 #5 0x563742142fa7 in thd_prepare_connection(THD*) /test/11.8_opt_san/sql/sql_connect.cc:1348:3 #6 0x563742140f41 in do_handle_one_connection(CONNECT*, bool) /test/11.8_opt_san/sql/sql_connect.cc:1405:9 #7 0x5637421407b6 in handle_one_connection /test/11.8_opt_san/sql/sql_connect.cc:1327:5 #8 0x5637414fc99c in asan_thread_start(void*) asan_interceptors.cpp.o Thread T9 created by T0 here: #0 0x5637414e4825 in pthread_create (/test/UBASAN_MD150225-mariadb-11.8.1-linux-x86_64-opt/bin/mariadbd+0x1e57825) (BuildId: f3e199ef88d6788e4e27c5ca38da7ab62bc11a54) #1 0x56374154f7b1 in create_thread_to_handle_connection(CONNECT*) /test/11.8_opt_san/sql/mysqld.cc:6261:19 #2 0x56374155099a in handle_connections_sockets() /test/11.8_opt_san/sql/mysqld.cc:6497:9 #3 0x56374154eb00 in run_main_loop() /test/11.8_opt_san/sql/mysqld.cc:5739:3 #4 0x563741545f21 in mysqld_main(int, char**) /test/11.8_opt_san/sql/mysqld.cc:6162:3 #5 0x14888422a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 #6 0x14888422a28a in __libc_start_main csu/../csu/libc-start.c:360:3 #7 0x563741464064 in _start (/test/UBASAN_MD150225-mariadb-11.8.1-linux-x86_64-opt/bin/mariadbd+0x1dd7064) (BuildId: f3e199ef88d6788e4e27c5ca38da7ab62bc11a54) SUMMARY: AddressSanitizer: use-after-poison /test/11.8_opt_san/sql/item.h:1089:20 in Item::fixed() const Shadow bytes around the buggy address: 0x52d0003c1d00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x52d0003c1d80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x52d0003c1e00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x52d0003c1e80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x52d0003c1f00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 =>0x52d0003c1f80: f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x52d0003c2000: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x52d0003c2080: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x52d0003c2100: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x52d0003c2180: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x52d0003c2200: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==1604938==ABORTING 250219 14:09:58 [ERROR] /test/UBASAN_MD150225-mariadb-11.8.1-linux-x86_64-opt/bin/mariadbd got signal 6 ; CS 11.8.1 33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d (Debug, UBASAN, Clang) Build 15/02/2025 /test/11.8_dbg_san/sql/item_func.cc:645:22: runtime error: member call on address 0x52d0003c1f40 which does not point to an object of type 'Item' 0x52d0003c1f40: note: object has invalid vptr 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 ba fc a3 1a 56 00 00 07 00 00 00 ^~~~~~~~~~~~~~~~~~~~~~~ invalid vptr #0 0x561aa0346c1d in Item_func::print_op(String*, enum_query_type) /test/11.8_dbg_san/sql/item_func.cc:645:22 #1 0x561aa012949d in Item::print_parenthesised(String*, enum_query_type, precedence) /test/11.8_dbg_san/sql/item.cc:518:5 #2 0x561aa02915fa in Item_cond::print(String*, enum_query_type) /test/11.8_dbg_san/sql/item_cmpfunc.cc:5573:11 #3 0x561aa01eb2ec in dbug_print_item(Item*) /test/11.8_dbg_san/sql/item.cc:11296:9 #4 0x561a9f39671d in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.8_dbg_san/sql/sql_select.cc:1442:3 #5 0x561aa059c848 in subselect_single_select_engine::prepare(THD*) /test/11.8_dbg_san/sql/item_subselect.cc:3981:13 #6 0x561aa054cdd6 in Item_subselect::fix_fields(THD*, Item**) /test/11.8_dbg_san/sql/item_subselect.cc:294:22 #7 0x561aa0594244 in Item_in_subselect::fix_fields(THD*, Item**) /test/11.8_dbg_san/sql/item_subselect.cc:3620:23 #8 0x561aa0246c25 in Item_in_optimizer::fix_fields(THD*, Item**) /test/11.8_dbg_san/sql/item_cmpfunc.cc:1507:16 #9 0x561a9edddcfb in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.8_dbg_san/sql/item.h:1177:12 #10 0x561a9f39a1bb in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.8_dbg_san/sql/sql_select.cc:1634:33 #11 0x561a9f38b6b2 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.8_dbg_san/sql/sql_select.cc:5350:21 #12 0x561a9f38a102 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.8_dbg_san/sql/sql_select.cc:633:10 #13 0x561a9f25f107 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/11.8_dbg_san/sql/sql_parse.cc:6191:12 #14 0x561a9f24ae05 in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:3979:12 #15 0x561a9f3245be in Prepared_statement::execute(String*, bool) /test/11.8_dbg_san/sql/sql_prepare.cc:5084:14 #16 0x561a9f30f6b7 in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /test/11.8_dbg_san/sql/sql_prepare.cc:4448:10 #17 0x561a9f30e77c in mysql_sql_stmt_execute(THD*) /test/11.8_dbg_san/sql/sql_prepare.cc:3460:16 #18 0x561a9f2425d4 in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:3995:5 #19 0x561a9f21a628 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_dbg_san/sql/sql_parse.cc:7915:18 #20 0x561a9f20e6eb in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1902:7 #21 0x561a9f21d04d in do_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1415:17 #22 0x561a9f8e5cfc in do_handle_one_connection(CONNECT*, bool) /test/11.8_dbg_san/sql/sql_connect.cc:1415:11 #23 0x561a9f8e55b7 in handle_one_connection /test/11.8_dbg_san/sql/sql_connect.cc:1327:5 #24 0x561a9ec11d9c in asan_thread_start(void*) asan_interceptors.cpp.o #25 0x14c2e909ca93 in start_thread nptl/pthread_create.c:447:8 #26 0x14c2e9129c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78 SUMMARY: UndefinedBehaviorSanitizer: dynamic-type-mismatch /test/11.8_dbg_san/sql/item_func.cc:645:22 /test/11.8_dbg_san/sql/item.cc:512:21: runtime error: member call on address 0x52d0003c1f40 which does not point to an object of type 'Item' 0x52d0003c1f40: note: object has invalid vptr 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 ba fc a3 1a 56 00 00 07 00 00 00 ^~~~~~~~~~~~~~~~~~~~~~~ invalid vptr #0 0x561aa01294c5 in Item::print_parenthesised(String*, enum_query_type, precedence) /test/11.8_dbg_san/sql/item.cc:512:21 #1 0x561aa0346ac8 in Item_func::print_op(String*, enum_query_type) /test/11.8_dbg_san/sql/item_func.cc:645:22 #2 0x561aa012949d in Item::print_parenthesised(String*, enum_query_type, precedence) /test/11.8_dbg_san/sql/item.cc:518:5 #3 0x561aa02915fa in Item_cond::print(String*, enum_query_type) /test/11.8_dbg_san/sql/item_cmpfunc.cc:5573:11 #4 0x561aa01eb2ec in dbug_print_item(Item*) /test/11.8_dbg_san/sql/item.cc:11296:9 #5 0x561a9f39671d in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.8_dbg_san/sql/sql_select.cc:1442:3 #6 0x561aa059c848 in subselect_single_select_engine::prepare(THD*) /test/11.8_dbg_san/sql/item_subselect.cc:3981:13 #7 0x561aa054cdd6 in Item_subselect::fix_fields(THD*, Item**) /test/11.8_dbg_san/sql/item_subselect.cc:294:22 #8 0x561aa0594244 in Item_in_subselect::fix_fields(THD*, Item**) /test/11.8_dbg_san/sql/item_subselect.cc:3620:23 #9 0x561aa0246c25 in Item_in_optimizer::fix_fields(THD*, Item**) /test/11.8_dbg_san/sql/item_cmpfunc.cc:1507:16 #10 0x561a9edddcfb in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.8_dbg_san/sql/item.h:1177:12 #11 0x561a9f39a1bb in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.8_dbg_san/sql/sql_select.cc:1634:33 #12 0x561a9f38b6b2 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.8_dbg_san/sql/sql_select.cc:5350:21 #13 0x561a9f38a102 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.8_dbg_san/sql/sql_select.cc:633:10 #14 0x561a9f25f107 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/11.8_dbg_san/sql/sql_parse.cc:6191:12 #15 0x561a9f24ae05 in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:3979:12 #16 0x561a9f3245be in Prepared_statement::execute(String*, bool) /test/11.8_dbg_san/sql/sql_prepare.cc:5084:14 #17 0x561a9f30f6b7 in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /test/11.8_dbg_san/sql/sql_prepare.cc:4448:10 #18 0x561a9f30e77c in mysql_sql_stmt_execute(THD*) /test/11.8_dbg_san/sql/sql_prepare.cc:3460:16 #19 0x561a9f2425d4 in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:3995:5 #20 0x561a9f21a628 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_dbg_san/sql/sql_parse.cc:7915:18 #21 0x561a9f20e6eb in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1902:7 #22 0x561a9f21d04d in do_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1415:17 #23 0x561a9f8e5cfc in do_handle_one_connection(CONNECT*, bool) /test/11.8_dbg_san/sql/sql_connect.cc:1415:11 #24 0x561a9f8e55b7 in handle_one_connection /test/11.8_dbg_san/sql/sql_connect.cc:1327:5 #25 0x561a9ec11d9c in asan_thread_start(void*) asan_interceptors.cpp.o #26 0x14c2e909ca93 in start_thread nptl/pthread_create.c:447:8 #27 0x14c2e9129c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78 SUMMARY: UndefinedBehaviorSanitizer: dynamic-type-mismatch /test/11.8_dbg_san/sql/item.cc:512:21 ================================================================= ==1617400==ERROR: AddressSanitizer: use-after-poison on address 0x52d0003c1f40 at pc 0x561aa012956d bp 0x14c2b90ff670 sp 0x14c2b90ff668 READ of size 8 at 0x52d0003c1f40 thread T12 #0 0x561aa012956c in Item::print_parenthesised(String*, enum_query_type, precedence) /test/11.8_dbg_san/sql/item.cc:512:21 #1 0x561aa0346ac8 in Item_func::print_op(String*, enum_query_type) /test/11.8_dbg_san/sql/item_func.cc:645:22 #2 0x561aa012949d in Item::print_parenthesised(String*, enum_query_type, precedence) /test/11.8_dbg_san/sql/item.cc:518:5 #3 0x561aa02915fa in Item_cond::print(String*, enum_query_type) /test/11.8_dbg_san/sql/item_cmpfunc.cc:5573:11 #4 0x561aa01eb2ec in dbug_print_item(Item*) /test/11.8_dbg_san/sql/item.cc:11296:9 #5 0x561a9f39671d in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.8_dbg_san/sql/sql_select.cc:1442:3 #6 0x561aa059c848 in subselect_single_select_engine::prepare(THD*) /test/11.8_dbg_san/sql/item_subselect.cc:3981:13 #7 0x561aa054cdd6 in Item_subselect::fix_fields(THD*, Item**) /test/11.8_dbg_san/sql/item_subselect.cc:294:22 #8 0x561aa0594244 in Item_in_subselect::fix_fields(THD*, Item**) /test/11.8_dbg_san/sql/item_subselect.cc:3620:23 #9 0x561aa0246c25 in Item_in_optimizer::fix_fields(THD*, Item**) /test/11.8_dbg_san/sql/item_cmpfunc.cc:1507:16 #10 0x561a9edddcfb in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/11.8_dbg_san/sql/item.h:1177:12 #11 0x561a9f39a1bb in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/11.8_dbg_san/sql/sql_select.cc:1634:33 #12 0x561a9f38b6b2 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.8_dbg_san/sql/sql_select.cc:5350:21 #13 0x561a9f38a102 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.8_dbg_san/sql/sql_select.cc:633:10 #14 0x561a9f25f107 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/11.8_dbg_san/sql/sql_parse.cc:6191:12 #15 0x561a9f24ae05 in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:3979:12 #16 0x561a9f3245be in Prepared_statement::execute(String*, bool) /test/11.8_dbg_san/sql/sql_prepare.cc:5084:14 #17 0x561a9f30f6b7 in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /test/11.8_dbg_san/sql/sql_prepare.cc:4448:10 #18 0x561a9f30e77c in mysql_sql_stmt_execute(THD*) /test/11.8_dbg_san/sql/sql_prepare.cc:3460:16 #19 0x561a9f2425d4 in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:3995:5 #20 0x561a9f21a628 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_dbg_san/sql/sql_parse.cc:7915:18 #21 0x561a9f20e6eb in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1902:7 #22 0x561a9f21d04d in do_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1415:17 #23 0x561a9f8e5cfc in do_handle_one_connection(CONNECT*, bool) /test/11.8_dbg_san/sql/sql_connect.cc:1415:11 #24 0x561a9f8e55b7 in handle_one_connection /test/11.8_dbg_san/sql/sql_connect.cc:1327:5 #25 0x561a9ec11d9c in asan_thread_start(void*) asan_interceptors.cpp.o #26 0x14c2e909ca93 in start_thread nptl/pthread_create.c:447:8 #27 0x14c2e9129c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78 0x52d0003c1f40 is located 6976 bytes inside of 32760-byte region [0x52d0003c0400,0x52d0003c83f8) allocated by thread T12 here: #0 0x561a9ec142b3 in malloc (/test/UBASAN_MD150225-mariadb-11.8.1-linux-x86_64-dbg/bin/mariadbd+0x24fa2b3) (BuildId: f23c726b1ad19a347fd8a9533b96424ce4c3dcb5) #1 0x561aa19fa7cd in my_malloc /test/11.8_dbg_san/mysys/my_malloc.c:93:29 #2 0x561aa19c7d62 in reset_root_defaults /test/11.8_dbg_san/mysys/my_alloc.c:247:30 #3 0x561a9efeeeb4 in THD::init_for_queries() /test/11.8_dbg_san/sql/sql_class.cc:1526:3 #4 0x561a9f8e4593 in prepare_new_connection_state(THD*) /test/11.8_dbg_san/sql/sql_connect.cc:1253:8 #5 0x561a9f8e7fcb in thd_prepare_connection(THD*) /test/11.8_dbg_san/sql/sql_connect.cc:1348:3 #6 0x561a9f8e5ce3 in do_handle_one_connection(CONNECT*, bool) /test/11.8_dbg_san/sql/sql_connect.cc:1405:9 #7 0x561a9f8e55b7 in handle_one_connection /test/11.8_dbg_san/sql/sql_connect.cc:1327:5 #8 0x561a9ec11d9c in asan_thread_start(void*) asan_interceptors.cpp.o Thread T12 created by T0 here: #0 0x561a9ebf9c25 in pthread_create (/test/UBASAN_MD150225-mariadb-11.8.1-linux-x86_64-dbg/bin/mariadbd+0x24dfc25) (BuildId: f23c726b1ad19a347fd8a9533b96424ce4c3dcb5) #1 0x561a9ec65e9a in create_thread_to_handle_connection(CONNECT*) /test/11.8_dbg_san/sql/mysqld.cc:6261:19 #2 0x561a9ec66e65 in handle_connections_sockets() /test/11.8_dbg_san/sql/mysqld.cc:6497:9 #3 0x561a9ec650fa in run_main_loop() /test/11.8_dbg_san/sql/mysqld.cc:5739:3 #4 0x561a9ec5bc51 in mysqld_main(int, char**) /test/11.8_dbg_san/sql/mysqld.cc:6162:3 #5 0x14c2e902a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 #6 0x14c2e902a28a in __libc_start_main csu/../csu/libc-start.c:360:3 #7 0x561a9eb79464 in _start (/test/UBASAN_MD150225-mariadb-11.8.1-linux-x86_64-dbg/bin/mariadbd+0x245f464) (BuildId: f23c726b1ad19a347fd8a9533b96424ce4c3dcb5) SUMMARY: AddressSanitizer: use-after-poison /test/11.8_dbg_san/sql/item.cc:512:21 in Item::print_parenthesised(String*, enum_query_type, precedence) Shadow bytes around the buggy address: 0x52d0003c1c80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x52d0003c1d00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x52d0003c1d80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x52d0003c1e00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x52d0003c1e80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 =>0x52d0003c1f00: f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 0x52d0003c1f80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x52d0003c2000: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x52d0003c2080: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x52d0003c2100: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x52d0003c2180: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==1617400==ABORTING 250219 14:10:14 [ERROR] /test/UBASAN_MD150225-mariadb-11.8.1-linux-x86_64-dbg/bin/mariadbd got signal 6 ; All *SAN bugs seen: SIGABRT|__sanitizer::Abort|__sanitizer::Die|__asan::ScopedInErrorReport::~ScopedInErrorReport|__asan::ReportGenericError ASAN|use-after-poison|sql/item.h|Item::fixed|Item::fix_fields_if_needed|Item_func::fix_fields|Item::fix_fields_if_needed_for_scalar ASAN|use-after-poison|sql/item.cc|Item::print_parenthesised|Item::print_parenthesised|Item_cond::print|dbug_print_item ASAN|use-after-poison|sql/item.h|Item::fix_fields_if_needed|Item_func::fix_fields|Item::fix_fields_if_needed_for_scalar|Item::fix_fields_if_needed_for_bool ASAN|use-after-poison|sql/item.cc|Item::print_parenthesised|Item_func::print_op|Item::print_parenthesised|Item_cond::print UBSAN|member call on address X which does not point to an object of type 'Item'|sql/item.h|Item::fix_fields_if_needed|Item_func::fix_fields|Item::fix_fields_if_needed_for_scalar|Item::fix_fields_if_needed_for_bool UBSAN|member call on address X which does not point to an object of type 'Item'|sql/item.cc|Item::print_parenthesised|Item::print_parenthesised|Item_cond::print|dbug_print_item UBSAN|member call on address X which does not point to an object of type 'Item'|sql/item.cc|Item::print_parenthesised|Item_func::print_op|Item::print_parenthesised|Item_cond::print UBSAN|member call on address X which does not point to an object of type 'Item'|sql/item_func.cc|Item_func::fix_fields|Item::fix_fields_if_needed_for_scalar|Item::fix_fields_if_needed_for_bool|Item_cond::fix_fields UBSAN|member call on address X which does not point to an object of type 'Item'|sql/item_func.cc|Item_func::print_op|Item::print_parenthesised|Item_cond::print|dbug_print_item UBSAN|member access within address X which does not point to an object of type 'const Item'|sql/item.h|Item::fixed|Item::fix_fields_if_needed|Item_func::fix_fields|Item::fix_fields_if_needed_for_scalar I can provide full stacks for each issue if needed. Bug confirmed present in: MariaDB: 10.5.29 (dbg), 10.5.29 (opt), 10.6.22 (dbg), 10.6.22 (opt), 10.11.12 (dbg), 10.11.12 (opt), 11.4.6 (dbg), 11.4.6 (opt), 11.8.1 (dbg), 11.8.1 (opt), 12.0.0 (dbg), 12.0.0 (opt) MySQL: 5.7.44 (dbg), 5.7.44 (opt) Bug (or feature/syntax) confirmed not present in: MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 8.0.36 (dbg), 8.0.36 (opt), 9.1.0 (dbg), 9.1.0 (opt) Note the bug was present in MySQL 5.7. Clang Setup: Compiled with a recent version of Clang (I used Clang 18.1.3) with LLVM 18. Ubuntu instructions: # Note: It is strongly recommended to uninstall all old Clang & LLVM packages (ref dpkg --list | grep -iE 'clang|llvm' and use apt purge and dpkg --purge to remove the packages), before following these steps # Note: llvm-17-linker-tools installs /usr/lib/llvm-17/lib/LLVMgold.so, which is needed for compilation, and LLVMgold.so is no longer included in LLVM 18 sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev llvm-17-linker-tools sudo ln -s /usr/lib/llvm-17/lib/LLVMgold.so /usr/lib/llvm-18/lib/LLVMgold.so Compiled with: "-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DCMAKE_C{,XX}_FLAGS='-march=native -mtune=native'" and: -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON Set before execution: export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1 # And you may also want to supress UBSAN startup issues using 'suppressions=UBSAN.filter' in UBSAN_OPTIONS. For an example of UBSAN.filter, which includes current startup issues see: https://github.com/mariadb-corporation/mariadb-qa/blob/master/UBSAN.filter export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1

People

Assignee:: Rex Johnston

Reporter:: Yuchen Pei

Votes:: 1 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: 2023-05-15 00:19

Updated:: 2025-04-28 10:33

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server