[MDEV-31912] ASAN errors in base_list_iterator::next_fast / JOIN::choose_tableless_subquery_plan on 2nd execution of SP - Jira

XML

Word

Printable

Details

Type: Bug
Status: Open (View Workflow)
Priority: Minor
Resolution: Unresolved
Affects Version/s: 10.4, 10.5
Fix Version/s: 10.4, 10.5
Component/s: Optimizer, Stored routines
Labels:
- not-10.6+

Description

Set to Minor because only 10.4/10.5 are affected.

CREATE TABLE t1 (a INT);

CREATE TABLE t2 (b INT, c VARCHAR(1), KEY(c));

INSERT INTO t2 VALUES (1,'n'),(2, 'e');

CREATE TABLE t3 (d INT);

INSERT INTO t3 VALUES (1),(2);

CREATE PROCEDURE sp() SELECT * FROM t1 WHERE ('x', '0') IN (SELECT MIN(c), COUNT(*) FROM t2, t3 WHERE t3.d >= 0 AND 1 NOT IN (SELECT b FROM t2));

CALL sp;

CALL sp;

# Cleanup

DROP PROCEDURE sp;

DROP TABLE t1, t2, t3;

10.4 b2e312b0
==3472060==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000120468 at pc 0x55f8d79bbb47 bp 0x7f16af4b6b80 sp 0x7f16af4b6b78
READ of size 8 at 0x625000120468 thread T5
#0 0x55f8d79bbb46 in base_list_iterator::next_fast() /data/src/10.4/sql/sql_list.h:443
#1 0x55f8d824efd2 in List_iterator_fast<Item_sum>::operator++(int) /data/src/10.4/sql/sql_list.h:620
#2 0x55f8d867a2fd in Item_in_subselect::inject_in_to_exists_cond(JOIN*) /data/src/10.4/sql/item_subselect.cc:2742
#3 0x55f8d8191d25 in JOIN::choose_tableless_subquery_plan() /data/src/10.4/sql/opt_subselect.cc:6764
#4 0x55f8d7d5e065 in JOIN::optimize_stage2() /data/src/10.4/sql/sql_select.cc:3128
#5 0x55f8d7d5660c in JOIN::optimize_inner() /data/src/10.4/sql/sql_select.cc:2394
#6 0x55f8d7d4f2aa in JOIN::optimize() /data/src/10.4/sql/sql_select.cc:1711
#7 0x55f8d7c2cb0d in st_select_lex::optimize_unflattened_subqueries(bool) /data/src/10.4/sql/sql_lex.cc:4236
#8 0x55f8d818a1bb in JOIN::optimize_constant_subqueries() /data/src/10.4/sql/opt_subselect.cc:5636
#9 0x55f8d7d525f4 in JOIN::optimize_inner() /data/src/10.4/sql/sql_select.cc:2048
#10 0x55f8d7d4f2aa in JOIN::optimize() /data/src/10.4/sql/sql_select.cc:1711
#11 0x55f8d7d7017e in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/src/10.4/sql/sql_select.cc:4812
#12 0x55f8d7d40fae in handle_select(THD, LEX, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:442
#13 0x55f8d7cb04d6 in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6473
#14 0x55f8d7c9d9eb in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3976
#15 0x55f8d7a5e745 in sp_instr_stmt::exec_core(THD, unsigned int) /data/src/10.4/sql/sp_head.cc:3694
#16 0x55f8d7a5ce66 in sp_lex_keeper::reset_lex_and_exec_core(THD, unsigned int, bool, sp_instr*) /data/src/10.4/sql/sp_head.cc:3424
#17 0x55f8d7a5dedc in sp_instr_stmt::execute(THD, unsigned int) /data/src/10.4/sql/sp_head.cc:3600
#18 0x55f8d7a4f502 in sp_head::execute(THD*, bool) /data/src/10.4/sql/sp_head.cc:1365
#19 0x55f8d7a555cf in sp_head::execute_procedure(THD, List<Item>) /data/src/10.4/sql/sp_head.cc:2371
#20 0x55f8d7c96d08 in do_execute_sp /data/src/10.4/sql/sql_parse.cc:3062
#21 0x55f8d7c988a9 in Sql_cmd_call::execute(THD*) /data/src/10.4/sql/sql_parse.cc:3304
#22 0x55f8d7cadeac in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6216
#23 0x55f8d7cb9726 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8010
#24 0x55f8d7c8f9f1 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
#25 0x55f8d7c8c560 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378
#26 0x55f8d808babf in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1420
#27 0x55f8d808b3d6 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324
#28 0x55f8d8cfb3cd in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
#29 0x7f16b72a7fd3 in start_thread nptl/pthread_create.c:442
#30 0x7f16b73285bb in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x625000120468 is located 2920 bytes inside of 8160-byte region [0x62500011f900,0x6250001218e0)
freed by thread T5 here:
#0 0x7f16b78b76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
#1 0x55f8d98455fb in my_free /data/src/10.4/mysys/my_malloc.c:222
#2 0x55f8d9822507 in free_root /data/src/10.4/mysys/my_alloc.c:421
#3 0x55f8d7a4fbd1 in sp_head::execute(THD*, bool) /data/src/10.4/sql/sp_head.cc:1447
#4 0x55f8d7a555cf in sp_head::execute_procedure(THD, List<Item>) /data/src/10.4/sql/sp_head.cc:2371
#5 0x55f8d7c96d08 in do_execute_sp /data/src/10.4/sql/sql_parse.cc:3062
#6 0x55f8d7c988a9 in Sql_cmd_call::execute(THD*) /data/src/10.4/sql/sql_parse.cc:3304
#7 0x55f8d7cadeac in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6216
#8 0x55f8d7cb9726 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8010
#9 0x55f8d7c8f9f1 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
#10 0x55f8d7c8c560 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378
#11 0x55f8d808babf in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1420
#12 0x55f8d808b3d6 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324
#13 0x55f8d8cfb3cd in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
#14 0x7f16b72a7fd3 in start_thread nptl/pthread_create.c:442

previously allocated by thread T5 here:
#0 0x7f16b78b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x55f8d9844a5c in my_malloc /data/src/10.4/mysys/my_malloc.c:101
#2 0x55f8d9821482 in alloc_root /data/src/10.4/mysys/my_alloc.c:251
#3 0x55f8d79bb6ae in Sql_alloc::operator new(unsigned long, st_mem_root*) /data/src/10.4/sql/sql_alloc.h:39
#4 0x55f8d87f2be1 in make_select(TABLE, unsigned long long, unsigned long long, Item, SORT_INFO, bool, int) /data/src/10.4/sql/opt_range.cc:1199
#5 0x55f8d7d579aa in JOIN::optimize_stage2() /data/src/10.4/sql/sql_select.cc:2490
#6 0x55f8d7d5660c in JOIN::optimize_inner() /data/src/10.4/sql/sql_select.cc:2394
#7 0x55f8d7d4f2aa in JOIN::optimize() /data/src/10.4/sql/sql_select.cc:1711
#8 0x55f8d7c2cb0d in st_select_lex::optimize_unflattened_subqueries(bool) /data/src/10.4/sql/sql_lex.cc:4236
#9 0x55f8d818a1bb in JOIN::optimize_constant_subqueries() /data/src/10.4/sql/opt_subselect.cc:5636
#10 0x55f8d7d525f4 in JOIN::optimize_inner() /data/src/10.4/sql/sql_select.cc:2048
#11 0x55f8d7d4f2aa in JOIN::optimize() /data/src/10.4/sql/sql_select.cc:1711
#12 0x55f8d7c2cb0d in st_select_lex::optimize_unflattened_subqueries(bool) /data/src/10.4/sql/sql_lex.cc:4236
#13 0x55f8d818a1bb in JOIN::optimize_constant_subqueries() /data/src/10.4/sql/opt_subselect.cc:5636
#14 0x55f8d7d525f4 in JOIN::optimize_inner() /data/src/10.4/sql/sql_select.cc:2048
#15 0x55f8d7d4f2aa in JOIN::optimize() /data/src/10.4/sql/sql_select.cc:1711
#16 0x55f8d7d7017e in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/src/10.4/sql/sql_select.cc:4812
#17 0x55f8d7d40fae in handle_select(THD, LEX, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:442
#18 0x55f8d7cb04d6 in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6473
#19 0x55f8d7c9d9eb in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3976
#20 0x55f8d7a5e745 in sp_instr_stmt::exec_core(THD, unsigned int) /data/src/10.4/sql/sp_head.cc:3694
#21 0x55f8d7a5ce66 in sp_lex_keeper::reset_lex_and_exec_core(THD, unsigned int, bool, sp_instr*) /data/src/10.4/sql/sp_head.cc:3424
#22 0x55f8d7a5dedc in sp_instr_stmt::execute(THD, unsigned int) /data/src/10.4/sql/sp_head.cc:3600
#23 0x55f8d7a4f502 in sp_head::execute(THD*, bool) /data/src/10.4/sql/sp_head.cc:1365
#24 0x55f8d7a555cf in sp_head::execute_procedure(THD, List<Item>) /data/src/10.4/sql/sp_head.cc:2371
#25 0x55f8d7c96d08 in do_execute_sp /data/src/10.4/sql/sql_parse.cc:3062
#26 0x55f8d7c988a9 in Sql_cmd_call::execute(THD*) /data/src/10.4/sql/sql_parse.cc:3304
#27 0x55f8d7cadeac in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6216
#28 0x55f8d7cb9726 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8010
#29 0x55f8d7c8f9f1 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857

Thread T5 created by T0 here:
#0 0x7f16b7849726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
#1 0x55f8d8cfb7ba in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919
#2 0x55f8d7997f89 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275
#3 0x55f8d79af690 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6287
#4 0x55f8d79afddb in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6357
#5 0x55f8d79b02a9 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6455
#6 0x55f8d79b1155 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6613
#7 0x55f8d79aedf3 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5945
#8 0x55f8d79960b8 in main /data/src/10.4/sql/main.cc:25
#9 0x7f16b7246189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/sql/sql_list.h:443 in base_list_iterator::next_fast()
Shadow bytes around the buggy address:
0x0c4a8001c030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001c040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001c050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001c060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001c070: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c4a8001c080: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
0x0c4a8001c090: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001c0a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001c0b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001c0c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001c0d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3472060==ABORTING

Reproducible on 10.4-10.5 with at least MyISAM and InnoDB.
Not reproducible on 10.6, the plan is different there.

Plans on 10.4
CREATE PROCEDURE sp() EXPLAIN EXTENDED SELECT * FROM t1 WHERE ('x', '0') IN (SELECT MIN(c), COUNT(*) FROM t2, t3 WHERE t3.d >= 0 AND 1 NOT IN (SELECT b FROM t2));
CALL sp;
id select_type table type possible_keys key key_len ref rows filtered Extra
1 PRIMARY NULL NULL NULL NULL NULL NULL NULL NULL Impossible WHERE noticed after reading const tables
2 SUBQUERY t2 index NULL c 4 NULL 2 100.00 Using index
2 SUBQUERY t3 ALL NULL NULL NULL NULL 2 100.00 Using where; Using join buffer (flat, BNL join)
3 SUBQUERY t2 ALL NULL NULL NULL NULL 2 100.00 Using where
Warnings:
Note 1003 /* select#1 */ select NULL AS `a` from `test`.`t1` where 0
CALL sp;
id select_type table type possible_keys key key_len ref rows filtered Extra
1 PRIMARY NULL NULL NULL NULL NULL NULL NULL NULL Impossible WHERE
2 SUBQUERY NULL NULL NULL NULL NULL NULL NULL NULL Impossible WHERE
3 SUBQUERY t2 ALL NULL NULL NULL NULL 2 100.00 Using where
Warnings:
Note 1003 /* select#1 */ select `test`.`t1`.`a` AS `a` from `test`.`t1` where 0

Plans on 10.6
CREATE PROCEDURE sp() EXPLAIN EXTENDED SELECT * FROM t1 WHERE ('x', '0') IN (SELECT MIN(c), COUNT(*) FROM t2, t3 WHERE t3.d >= 0 AND 1 NOT IN (SELECT b FROM t2));
CALL sp;
id select_type table type possible_keys key key_len ref rows filtered Extra
1 PRIMARY NULL NULL NULL NULL NULL NULL NULL NULL Impossible WHERE
2 SUBQUERY NULL NULL NULL NULL NULL NULL NULL NULL Impossible WHERE
3 SUBQUERY t2 ALL NULL NULL NULL NULL 2 100.00 Using where
Warnings:
Note 1003 /* select#1 */ select `test`.`t1`.`a` AS `a` from `test`.`t1` where 0
CALL sp;
id select_type table type possible_keys key key_len ref rows filtered Extra
1 PRIMARY NULL NULL NULL NULL NULL NULL NULL NULL Impossible WHERE
2 SUBQUERY NULL NULL NULL NULL NULL NULL NULL NULL Impossible WHERE
3 SUBQUERY t2 ALL NULL NULL NULL NULL 2 100.00 Using where
Warnings:
Note 1003 /* select#1 */ select `test`.`t1`.`a` AS `a` from `test`.`t1` where 0

Attachments

Activity

People

Assignee:: Sergei Petrunia

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2023-08-13 22:07

Updated:: 2023-08-13 22:09

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.