[MDEV-32237] ASAN errors in my_charlen_utf8 / Charset::charpos upon ROLLUP query - Jira

XML

Word

Printable

Details

Type: Bug
Status: Open (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.4(EOL), 10.5, 10.6, 10.10(EOL), 10.11, 11.0(EOL), 11.1(EOL), 11.2(EOL)
Fix Version/s: 10.5, 10.6, 10.11
Component/s: Character Sets
Labels:
None

Description

--source include/have_sequence.inc

CREATE TABLE t (a int, b char(120), c char(60)) CHARACTER SET utf8 COLLATE utf8_spanish2_ci;

INSERT INTO t (a) SELECT seq FROM seq_1_to_3000;

ALTER TABLE t ADD va VARCHAR(1024) GENERATED ALWAYS AS (a);

ANALYZE TABLE t;

SELECT SUBSTR(va, 1) AS f FROM t GROUP BY f WITH ROLLUP HAVING f != 0;

# Cleanup

DROP TABLE t;

10.4 1ee0d09a
==608960==ERROR: AddressSanitizer: unknown-crash on address 0x624000080f4b at pc 0x561cfd35585e bp 0x7f20fd0cfb20 sp 0x7f20fd0cfb18
READ of size 1 at 0x624000080f4b thread T5
#0 0x561cfd35585d in my_charlen_utf8 /data/src/10.4/strings/ctype-utf8.c:5203
#1 0x561cfd2f0c41 in my_ismbchar /data/src/10.4/include/m_ctype.h:1117
#2 0x561cfd2f264e in my_charpos_mb /data/src/10.4/strings/ctype-mb.c:325
#3 0x561cfbe1a9ac in Charset::charpos(char const, char const, unsigned long) const /data/src/10.4/sql/sql_string.h:157
#4 0x561cfbe1aa34 in String::charpos(long long, unsigned int) /data/src/10.4/sql/sql_string.h:1067
#5 0x561cfc03f777 in Item_func_substr::val_str(String*) /data/src/10.4/sql/item_strfunc.cc:1763
#6 0x561cfbf0fe37 in Cached_item_str::cmp() /data/src/10.4/sql/item_buff.cc:84
#7 0x561cfb81aeb8 in test_if_group_changed(List<Cached_item>&) /data/src/10.4/sql/sql_select.cc:25546
#8 0x561cfb803dcc in end_send_group(JOIN, st_join_table, bool) /data/src/10.4/sql/sql_select.cc:22304
#9 0x561cfb7fa192 in evaluate_join_record /data/src/10.4/sql/sql_select.cc:21116
#10 0x561cfb7f8ace in sub_select(JOIN, st_join_table, bool) /data/src/10.4/sql/sql_select.cc:20889
#11 0x561cfb7f691d in do_select /data/src/10.4/sql/sql_select.cc:20412
#12 0x561cfb7857ac in JOIN::exec_inner() /data/src/10.4/sql/sql_select.cc:4605
#13 0x561cfb782db3 in JOIN::exec() /data/src/10.4/sql/sql_select.cc:4387
#14 0x561cfb786e45 in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/src/10.4/sql/sql_select.cc:4826
#15 0x561cfb7579c6 in handle_select(THD, LEX, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:442
#16 0x561cfb6c6eee in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6475
#17 0x561cfb6b4403 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3978
#18 0x561cfb6d013e in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8012
#19 0x561cfb6a63cd in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
#20 0x561cfb6a2f3c in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378
#21 0x561cfbaa27d5 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1420
#22 0x561cfbaa20ec in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324
#23 0x561cfc713287 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
#24 0x7f2104ea7fd3 in start_thread nptl/pthread_create.c:442
#25 0x7f2104f285bb in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x624000080f4b is located 3659 bytes inside of 7288-byte region [0x624000080100,0x624000081d78)
allocated by thread T5 here:
#0 0x7f21054b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x561cfd25cd1c in my_malloc /data/src/10.4/mysys/my_malloc.c:101
#2 0x561cfd239742 in alloc_root /data/src/10.4/mysys/my_alloc.c:258
#3 0x561cfb9cfef4 in open_table_from_share(THD, TABLE_SHARE, st_mysql_const_lex_string const, unsigned int, unsigned int, unsigned int, TABLE, bool, List<String>*) /data/src/10.4/sql/table.cc:3852
#4 0x561cfb521485 in open_table(THD, TABLE_LIST, Open_table_context*) /data/src/10.4/sql/sql_base.cc:2114
#5 0x561cfb52aaa6 in open_and_process_table /data/src/10.4/sql/sql_base.cc:3914
#6 0x561cfb52d562 in open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /data/src/10.4/sql/sql_base.cc:4396
#7 0x561cfb53267e in open_and_lock_tables(THD, DDL_options_st const&, TABLE_LIST, bool, unsigned int, Prelocking_strategy*) /data/src/10.4/sql/sql_base.cc:5343
#8 0x561cfb48c4d1 in open_and_lock_tables(THD, TABLE_LIST, bool, unsigned int) /data/src/10.4/sql/sql_base.h:503
#9 0x561cfb6c646e in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6396
#10 0x561cfb6b4403 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3978
#11 0x561cfb6d013e in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8012
#12 0x561cfb6a63cd in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
#13 0x561cfb6a2f3c in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378
#14 0x561cfbaa27d5 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1420
#15 0x561cfbaa20ec in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324
#16 0x561cfc713287 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
#17 0x7f2104ea7fd3 in start_thread nptl/pthread_create.c:442

Thread T5 created by T0 here:
#0 0x7f2105449726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
#1 0x561cfc713674 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919
#2 0x561cfb3adf89 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275
#3 0x561cfb3c56b6 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6289
#4 0x561cfb3c5e01 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6359
#5 0x561cfb3c62cf in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6457
#6 0x561cfb3c717b in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6615
#7 0x561cfb3c4e19 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5947
#8 0x561cfb3ac0b8 in main /data/src/10.4/sql/main.cc:25
#9 0x7f2104e46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: unknown-crash /data/src/10.4/strings/ctype-utf8.c:5203 in my_charlen_utf8
Shadow bytes around the buggy address:
0x0c4880008190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c48800081a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c48800081b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c48800081c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c48800081d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c48800081e0: 00 00 00 00 00 00 00 00 00[03]00 00 00 00 00 00
0x0c48800081f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4880008200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4880008210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4880008220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4880008230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==608960==ABORTING

11.2 eece7f13
==609513==ERROR: AddressSanitizer: unknown-crash on address 0x6240000aef5b at pc 0x560b23ad14e0 bp 0x7f6e2eb40820 sp 0x7f6e2eb40818
READ of size 1 at 0x6240000aef5b thread T5
#0 0x560b23ad14df in my_charlen_utf8mb3 /data/src/11.2/strings/ctype-utf8.c:927
#1 0x560b23a647c9 in my_ismbchar /data/src/11.2/include/m_ctype.h:1818
#2 0x560b23a661a6 in my_charpos_mb /data/src/11.2/strings/ctype-mb.c:326
#3 0x560b2200de6c in charset_info_st::charpos(char const, char const, unsigned long) const /data/src/11.2/include/m_ctype.h:821
#4 0x560b225de6d5 in Charset::charpos(char const, char const, unsigned long) const /data/src/11.2/sql/sql_string.h:176
#5 0x560b225de73e in String::charpos(long long, unsigned int) /data/src/11.2/sql/sql_string.h:1138
#6 0x560b22807dfb in Item_func_substr::val_str(String*) /data/src/11.2/sql/item_strfunc.cc:2028
#7 0x560b226db3ff in Cached_item_str::cmp() /data/src/11.2/sql/item_buff.cc:84
#8 0x560b21eab669 in test_if_group_changed(List<Cached_item>&) /data/src/11.2/sql/sql_select.cc:28215
#9 0x560b21e94b93 in end_send_group(JOIN, st_join_table, bool) /data/src/11.2/sql/sql_select.cc:24936
#10 0x560b21e8a97a in evaluate_join_record /data/src/11.2/sql/sql_select.cc:23672
#11 0x560b21e891f6 in sub_select(JOIN, st_join_table, bool) /data/src/11.2/sql/sql_select.cc:23439
#12 0x560b21e86b38 in do_select /data/src/11.2/sql/sql_select.cc:22956
#13 0x560b21e06358 in JOIN::exec_inner() /data/src/11.2/sql/sql_select.cc:4935
#14 0x560b21e036e7 in JOIN::exec() /data/src/11.2/sql/sql_select.cc:4712
#15 0x560b21e07df8 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/src/11.2/sql/sql_select.cc:5243
#16 0x560b21dd7566 in handle_select(THD, LEX, select_result*, unsigned long long) /data/src/11.2/sql/sql_select.cc:628
#17 0x560b21cfe5fc in execute_sqlcom_select /data/src/11.2/sql/sql_parse.cc:6065
#18 0x560b21cef03b in mysql_execute_command(THD*, bool) /data/src/11.2/sql/sql_parse.cc:3955
#19 0x560b21d090d6 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/src/11.2/sql/sql_parse.cc:7811
#20 0x560b21ce1490 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/src/11.2/sql/sql_parse.cc:1893
#21 0x560b21cde1cd in do_command(THD*, bool) /data/src/11.2/sql/sql_parse.cc:1406
#22 0x560b221a9fab in do_handle_one_connection(CONNECT*, bool) /data/src/11.2/sql/sql_connect.cc:1445
#23 0x560b221a996c in handle_one_connection /data/src/11.2/sql/sql_connect.cc:1347
#24 0x560b22dd2651 in pfs_spawn_thread /data/src/11.2/storage/perfschema/pfs.cc:2201
#25 0x7f6e362a7fd3 in start_thread nptl/pthread_create.c:442
#26 0x7f6e363285bb in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x6240000aef5b is located 3675 bytes inside of 7304-byte region [0x6240000ae100,0x6240000afd88)
allocated by thread T5 here:
#0 0x7f6e36eb89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x560b239bb189 in my_malloc /data/src/11.2/mysys/my_malloc.c:89
#2 0x560b239966c7 in root_alloc /data/src/11.2/mysys/my_alloc.c:71
#3 0x560b23997f1d in alloc_root /data/src/11.2/mysys/my_alloc.c:339
#4 0x560b220c274b in open_table_from_share(THD, TABLE_SHARE, st_mysql_const_lex_string const, unsigned int, unsigned int, unsigned int, TABLE, bool, List<String>*) /data/src/11.2/sql/table.cc:4323
#5 0x560b21b3a4c8 in open_table(THD, TABLE_LIST, Open_table_context*) /data/src/11.2/sql/sql_base.cc:2225
#6 0x560b21b4562f in open_and_process_table /data/src/11.2/sql/sql_base.cc:4155
#7 0x560b21b4817c in open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /data/src/11.2/sql/sql_base.cc:4640
#8 0x560b21b4d1a7 in open_and_lock_tables(THD, DDL_options_st const&, TABLE_LIST, bool, unsigned int, Prelocking_strategy*) /data/src/11.2/sql/sql_base.cc:5614
#9 0x560b21b70e64 in open_and_lock_tables(THD, TABLE_LIST, bool, unsigned int) /data/src/11.2/sql/sql_base.h:525
#10 0x560b21cfdab8 in execute_sqlcom_select /data/src/11.2/sql/sql_parse.cc:5985
#11 0x560b21cef03b in mysql_execute_command(THD*, bool) /data/src/11.2/sql/sql_parse.cc:3955
#12 0x560b21d090d6 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/src/11.2/sql/sql_parse.cc:7811
#13 0x560b21ce1490 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/src/11.2/sql/sql_parse.cc:1893
#14 0x560b21cde1cd in do_command(THD*, bool) /data/src/11.2/sql/sql_parse.cc:1406
#15 0x560b221a9fab in do_handle_one_connection(CONNECT*, bool) /data/src/11.2/sql/sql_connect.cc:1445
#16 0x560b221a996c in handle_one_connection /data/src/11.2/sql/sql_connect.cc:1347
#17 0x560b22dd2651 in pfs_spawn_thread /data/src/11.2/storage/perfschema/pfs.cc:2201
#18 0x7f6e362a7fd3 in start_thread nptl/pthread_create.c:442

Thread T5 created by T0 here:
#0 0x7f6e36e49726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
#1 0x560b22dce38c in my_thread_create /data/src/11.2/storage/perfschema/my_thread.h:52
#2 0x560b22dd2a40 in pfs_spawn_thread_v1 /data/src/11.2/storage/perfschema/pfs.cc:2252
#3 0x560b2193083b in inline_mysql_thread_create /data/src/11.2/include/mysql/psi/mysql_thread.h:1139
#4 0x560b21948a11 in create_thread_to_handle_connection(CONNECT*) /data/src/11.2/sql/mysqld.cc:6169
#5 0x560b21949036 in create_new_thread(CONNECT*) /data/src/11.2/sql/mysqld.cc:6231
#6 0x560b21949321 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/11.2/sql/mysqld.cc:6293
#7 0x560b21949ca5 in handle_connections_sockets() /data/src/11.2/sql/mysqld.cc:6417
#8 0x560b2194828e in mysqld_main(int, char**) /data/src/11.2/sql/mysqld.cc:6064
#9 0x560b2192f948 in main /data/src/11.2/sql/main.cc:34
#10 0x7f6e36246189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: unknown-crash /data/src/11.2/strings/ctype-utf8.c:927 in my_charlen_utf8mb3
Shadow bytes around the buggy address:
0x0c488000dd90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c488000dda0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c488000ddb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c488000ddc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c488000ddd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c488000dde0: 00 00 00 00 00 00 00 00 00 00 00[03]00 00 00 00
0x0c488000ddf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c488000de00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c488000de10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c488000de20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c488000de30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==609513==ABORTING

Attachments

Activity

People

Assignee:: Alexander Barkov

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2023-09-24 22:36

Updated:: 2024-09-10 15:35

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.