Details
-
Bug
-
Status: Open (View Workflow)
-
Major
-
Resolution: Unresolved
-
10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL)
-
None
Description
Not sure whom it should belong as it's a mix of binary logging, temporary tables, stored functions and prepared statements. Feel free to reassign as needed.
--source include/have_log_bin.inc
|
|
|
CREATE TEMPORARY TABLE t (a INT); |
--delimiter $
|
CREATE FUNCTION f() RETURNS INT NOT DETERMINISTIC BEGIN INSERT INTO t VALUES (1); RETURN 0; END $ |
--delimiter ;
|
EXECUTE IMMEDIATE "CREATE OR REPLACE TEMPORARY TABLE t AS SELECT f()"; |
|
|
# Cleanup
|
DROP FUNCTION f; |
|
10.4 956d6c4a ASAN |
==1159316==ERROR: AddressSanitizer: heap-use-after-free on address 0x62000003c088 at pc 0x559e1110f88d bp 0x7ff8d5c188b0 sp 0x7ff8d5c188a8
|
READ of size 8 at 0x62000003c088 thread T6
|
#0 0x559e1110f88c in THD::decide_logging_format(TABLE_LIST*) /data/src/10.4/sql/sql_class.cc:6075
|
#1 0x559e111791f3 in do_postlock /data/src/10.4/sql/sql_insert.cc:4549
|
#2 0x559e1117ef15 in TABLEOP_HOOKS::postlock(TABLE**, unsigned int) /data/src/10.4/sql/handler.h:2503
|
#3 0x559e11178b9a in select_create::create_table_from_items(THD*, List<Item>*, st_mysql_lock**, TABLEOP_HOOKS*) /data/src/10.4/sql/sql_insert.cc:4478
|
#4 0x559e1117973b in select_create::prepare(List<Item>&, st_select_lex_unit*) /data/src/10.4/sql/sql_insert.cc:4588
|
#5 0x559e112c298a in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.4/sql/sql_select.cc:1590
|
#6 0x559e112e4c85 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4789
|
#7 0x559e112b5cf4 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:442
|
#8 0x559e1149d141 in Sql_cmd_create_table_like::execute(THD*) /data/src/10.4/sql/sql_table.cc:11768
|
#9 0x559e11223234 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6216
|
#10 0x559e112825da in Prepared_statement::execute(String*, bool) /data/src/10.4/sql/sql_prepare.cc:5024
|
#11 0x559e1127dc1a in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.4/sql/sql_prepare.cc:4493
|
#12 0x559e112836ed in Prepared_statement::execute_immediate(char const*, unsigned int) /data/src/10.4/sql/sql_prepare.cc:5148
|
#13 0x559e11274ac0 in mysql_sql_stmt_execute_immediate(THD*) /data/src/10.4/sql/sql_prepare.cc:3012
|
#14 0x559e11212d90 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3982
|
#15 0x559e1122ea36 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8008
|
#16 0x559e11204d79 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
|
#17 0x559e112018f2 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378
|
#18 0x559e11600899 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1420
|
#19 0x559e116001b0 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324
|
#20 0x559e1226cb83 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
|
#21 0x7ff8ddaa7fd3 in start_thread nptl/pthread_create.c:442
|
#22 0x7ff8ddb285bb in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
|
|
|
0x62000003c088 is located 8 bytes inside of 3576-byte region [0x62000003c080,0x62000003ce78)
|
freed by thread T6 here:
|
#0 0x7ff8de0b76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
|
#1 0x559e12db3328 in my_free /data/src/10.4/mysys/my_malloc.c:222
|
#2 0x559e118092ac in THD::close_temporary_table(TABLE*) /data/src/10.4/sql/temporary_tables.cc:1242
|
#3 0x559e1180ac33 in THD::free_temporary_table(TABLE*) /data/src/10.4/sql/temporary_tables.cc:1491
|
#4 0x559e11805761 in THD::drop_temporary_table(TABLE*, bool*, bool) /data/src/10.4/sql/temporary_tables.cc:655
|
#5 0x559e1146caca in create_table_impl /data/src/10.4/sql/sql_table.cc:5038
|
#6 0x559e1146e22d in mysql_create_table_no_lock(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /data/src/10.4/sql/sql_table.cc:5267
|
#7 0x559e1117814c in select_create::create_table_from_items(THD*, List<Item>*, st_mysql_lock**, TABLEOP_HOOKS*) /data/src/10.4/sql/sql_insert.cc:4398
|
#8 0x559e1117973b in select_create::prepare(List<Item>&, st_select_lex_unit*) /data/src/10.4/sql/sql_insert.cc:4588
|
#9 0x559e112c298a in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.4/sql/sql_select.cc:1590
|
#10 0x559e112e4c85 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4789
|
#11 0x559e112b5cf4 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:442
|
#12 0x559e1149d141 in Sql_cmd_create_table_like::execute(THD*) /data/src/10.4/sql/sql_table.cc:11768
|
#13 0x559e11223234 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6216
|
#14 0x559e112825da in Prepared_statement::execute(String*, bool) /data/src/10.4/sql/sql_prepare.cc:5024
|
#15 0x559e1127dc1a in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.4/sql/sql_prepare.cc:4493
|
#16 0x559e112836ed in Prepared_statement::execute_immediate(char const*, unsigned int) /data/src/10.4/sql/sql_prepare.cc:5148
|
#17 0x559e11274ac0 in mysql_sql_stmt_execute_immediate(THD*) /data/src/10.4/sql/sql_prepare.cc:3012
|
#18 0x559e11212d90 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3982
|
#19 0x559e1122ea36 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8008
|
#20 0x559e11204d79 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
|
#21 0x559e112018f2 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378
|
#22 0x559e11600899 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1420
|
#23 0x559e116001b0 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324
|
#24 0x559e1226cb83 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
|
#25 0x7ff8ddaa7fd3 in start_thread nptl/pthread_create.c:442
|
|
|
previously allocated by thread T6 here:
|
#0 0x7ff8de0b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
|
#1 0x559e12db2789 in my_malloc /data/src/10.4/mysys/my_malloc.c:101
|
#2 0x559e11808589 in THD::open_temporary_table(TMP_TABLE_SHARE*, char const*) /data/src/10.4/sql/temporary_tables.cc:1113
|
#3 0x559e118020fe in THD::create_and_open_tmp_table(st_mysql_const_unsigned_lex_string*, char const*, char const*, char const*, bool) /data/src/10.4/sql/temporary_tables.cc:74
|
#4 0x559e1146da34 in create_table_impl /data/src/10.4/sql/sql_table.cc:5195
|
#5 0x559e1146e22d in mysql_create_table_no_lock(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /data/src/10.4/sql/sql_table.cc:5267
|
#6 0x559e1146f0d0 in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /data/src/10.4/sql/sql_table.cc:5416
|
#7 0x559e1149d7dc in Sql_cmd_create_table_like::execute(THD*) /data/src/10.4/sql/sql_table.cc:11823
|
#8 0x559e11223234 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6216
|
#9 0x559e1122ea36 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8008
|
#10 0x559e11204d79 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
|
#11 0x559e112018f2 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378
|
#12 0x559e11600899 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1420
|
#13 0x559e116001b0 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324
|
#14 0x559e1226cb83 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
|
#15 0x7ff8ddaa7fd3 in start_thread nptl/pthread_create.c:442
|
|
|
Thread T6 created by T0 here:
|
#0 0x7ff8de049726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
|
#1 0x559e1226cf70 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919
|
#2 0x559e10f0df28 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275
|
#3 0x559e10f2562e in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6287
|
#4 0x559e10f25d79 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6357
|
#5 0x559e10f26247 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6455
|
#6 0x559e10f270f3 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6613
|
#7 0x559e10f24d91 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5945
|
#8 0x559e10f0c0b8 in main /data/src/10.4/sql/main.cc:25
|
#9 0x7ff8dda46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
|
|
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/sql/sql_class.cc:6075 in THD::decide_logging_format(TABLE_LIST*)
|
Shadow bytes around the buggy address:
|
0x0c407ffff7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
|
0x0c407ffff7d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c407ffff7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c407ffff7f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c407ffff800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
=>0x0c407ffff810: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c407ffff820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c407ffff830: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c407ffff840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c407ffff850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c407ffff860: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
==1159316==ABORTING
|
|
10.4 956d6c4a non-debug, non-ASAN |
#2 <signal handler called>
|
#3 0x0000555b0b9035c6 in handler::ha_table_flags (this=<optimized out>) at /data/src/10.4/sql/handler.h:3244
|
#4 THD::decide_logging_format (this=this@entry=0x7fb1c4000c58, tables=0x7fb1c40bb2b0) at /data/src/10.4/sql/sql_class.cc:6076
|
#5 0x0000555b0b91d26e in MY_HOOKS::do_postlock (this=0x7fb1e19c6a70, tables=0x7fb1e19c5728, count=1) at /data/src/10.4/sql/sql_insert.cc:4549
|
#6 0x0000555b0b91c8bc in TABLEOP_HOOKS::postlock (count=1, tables=0x7fb1e19c5728, this=0x7fb1e19c6a70) at /data/src/10.4/sql/handler.h:2503
|
#7 select_create::create_table_from_items (this=this@entry=0x7fb1c4010d50, thd=0x7fb1c4000c58, items=items@entry=0x7fb1e19c6a50, lock=lock@entry=0x7fb1e19c6a48, hooks=hooks@entry=0x7fb1e19c6a70) at /data/src/10.4/sql/sql_insert.cc:4478
|
#8 0x0000555b0b91cc09 in select_create::prepare (this=0x7fb1c4010d50, _values=..., u=0x7fb1c40b96b0) at /data/src/10.4/sql/sql_insert.cc:4588
|
#9 0x0000555b0b9a940e in JOIN::prepare (this=this@entry=0x7fb1c4010e48, tables_init=tables_init@entry=0x0, wild_num=wild_num@entry=0, conds_init=conds_init@entry=0x0, og_num=og_num@entry=0, order_init=order_init@entry=0x0, skip_order_by=<optimized out>, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /data/src/10.4/sql/sql_select.cc:1590
|
#10 0x0000555b0b9bc099 in mysql_select (thd=thd@entry=0x7fb1c4000c58, tables=<optimized out>, wild_num=<optimized out>, fields=..., conds=<optimized out>, og_num=<optimized out>, order=<optimized out>, group=<optimized out>, having=<optimized out>, proc_param=<optimized out>, select_options=<optimized out>, result=<optimized out>, unit=<optimized out>, select_lex=<optimized out>) at /data/src/10.4/sql/sql_select.cc:4789
|
#11 0x0000555b0b9bc414 in handle_select (thd=thd@entry=0x7fb1c4000c58, lex=lex@entry=0x7fb1c40b95f0, result=result@entry=0x7fb1c4010d50, setup_tables_done_option=setup_tables_done_option@entry=0) at /data/src/10.4/sql/sql_select.cc:442
|
#12 0x0000555b0b9f83b4 in Sql_cmd_create_table_like::execute (this=<optimized out>, thd=0x7fb1c4000c58) at /data/src/10.4/sql/sql_table.cc:11768
|
#13 0x0000555b0b94e980 in mysql_execute_command (thd=0x7fb1c4000c58) at /data/src/10.4/sql/sql_parse.cc:6216
|
#14 0x0000555b0b96a3d6 in Prepared_statement::execute (this=this@entry=0x7fb1c40c8fa8, expanded_query=expanded_query@entry=0x7fb1e19c81e0, open_cursor=open_cursor@entry=false) at /data/src/10.4/sql/sql_prepare.cc:5024
|
#15 0x0000555b0b96a555 in Prepared_statement::execute_loop (packet=<optimized out>, packet_end=<optimized out>, open_cursor=<optimized out>, expanded_query=0x7fb1e19c81e0, this=0x7fb1c40c8fa8) at /data/src/10.4/sql/sql_prepare.cc:4493
|
#16 Prepared_statement::execute_loop (this=0x7fb1c40c8fa8, expanded_query=0x7fb1e19c81e0, open_cursor=<optimized out>, packet=<optimized out>, packet_end=<optimized out>) at /data/src/10.4/sql/sql_prepare.cc:4442
|
#17 0x0000555b0b96aa23 in Prepared_statement::execute_immediate (this=this@entry=0x7fb1c40c8fa8, query=<optimized out>, query_len=49) at /data/src/10.4/sql/sql_prepare.cc:5148
|
#18 0x0000555b0b96ac37 in mysql_sql_stmt_execute_immediate (thd=thd@entry=0x7fb1c4000c58) at /data/src/10.4/sql/sql_prepare.cc:3012
|
#19 0x0000555b0b94f83b in mysql_execute_command (thd=thd@entry=0x7fb1c4000c58) at /data/src/10.4/sql/sql_parse.cc:3982
|
#20 0x0000555b0b954ae1 in mysql_parse (thd=0x7fb1c4000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /data/src/10.4/sql/sql_parse.cc:8008
|
#21 0x0000555b0b957485 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7fb1c4000c58, packet=packet@entry=0x7fb1c4007de9 "EXECUTE IMMEDIATE \"CREATE OR REPLACE TEMPORARY TABLE t AS SELECT f()\"", packet_length=packet_length@entry=69, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /data/src/10.4/sql/sql_parse.cc:1958
|
#22 0x0000555b0b95932f in do_command (thd=0x7fb1c4000c58) at /data/src/10.4/sql/sql_parse.cc:1378
|
#23 0x0000555b0ba528ce in do_handle_one_connection (connect=connect@entry=0x555b0e0c8748) at /data/src/10.4/sql/sql_connect.cc:1420
|
#24 0x0000555b0ba529ed in handle_one_connection (arg=arg@entry=0x555b0e0c8748) at /data/src/10.4/sql/sql_connect.cc:1324
|
#25 0x0000555b0bde4b6b in pfs_spawn_thread (arg=0x555b0e01e128) at /data/src/10.4/storage/perfschema/pfs.cc:1869
|
#26 0x00007fb1e7aa7fd4 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
|
#27 0x00007fb1e7b285bc in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
|
Reproducible on all existing versions, also earlier minor releases.
Attachments
Activity
It still throws ASAN errors for me on the current 10.4 (9b5275b8).
Please make sure you have copied the very first line of the test case in the description, include/have_log_bin.inc. Without it it would fail exactly like it did for you.
CREATE TEMPORARY TABLE t (a INT);CREATE FUNCTION f() RETURNS INT NOT DETERMINISTIC BEGIN INSERT INTO t VALUES (1); RETURN 0; END $EXECUTE IMMEDIATE "CREATE OR REPLACE TEMPORARY TABLE t AS SELECT f()";main.test [ fail ]Test ended at 2023-09-26 11:55:33CURRENT_TEST: main.testmysqltest: At line 7: query 'EXECUTE IMMEDIATE "CREATE OR REPLACE TEMPORARY TABLE t AS SELECT f()"' failed: 1146: Table 'test.t' doesn't exist