Details
Description
Run these queries in debug build:
CREATE TEMPORARY TABLE t0 ( c33 TEXT NOT NULL , INDEX i0 ( c33 ( 24 ) ) ) ; |
INSERT INTO t0 VALUES ( 71 ) , ( -79 ) ; |
ALTER TABLE t0 ADD COLUMN c23 INT AFTER c33 ; |
INSERT INTO t0 VALUES ( 29 , 102 ) , ( -7962263225263025638 , 82 ) ; |
SELECT t1 . c24 AS c21 FROM ( SELECT c33 AS c24 FROM t0 ) AS t1 JOIN t0 ON ( SELECT ORD ( + EXISTS ( SELECT -52 AS c10 UNION SELECT + BIT_OR( c24 ) | LENGTH ( '#-_ic<JFkjm`vI9%=W/R?Ij]H^LQkfP PUq9' ) AS c44 FROM t0 WHERE c33 < -76 AND c33 < 0 AND c24 < -113 GROUP BY c33 ) ) << VARIANCE( c24 ) AS c16 FROM t0 GROUP BY c24 LIMIT 1 ) * CONVERT ( 115 , CHAR ) % RAND ( ) * RADIANS ( t0 . c33 ) / LTRIM ( -85 ) << RAND ( ) / RAND ( t0 . c23 ) << t0 . c33 & 'g*$\'>N`@R7_N[%m)v:3t<~qv_4oU{ac@' - SUBSTRING( 63 , 'D_Vj76G?l =>;y>w+9RI4_#xLEzC><!"@}:?B;:7ow9xM`' , '4Xl`2eL6&Ky&zY.@(8$nR%+c$FCP\'AH}G$|MI&\'#?4"{:(d-QPco]ZQ' ) - INSTR ( ROUND ( -5073911722588624130 , 61 ) SOUNDS LIKE TRIM( TRAILING FROM -98 ) AND RAND ( ) , -101 < RAND ( ) ) ^ DEGREES ( 3091623748526794021 ) + RAND ( ) = t0 . c23 ; |
Will trigger heap-use-after-free.
ASAN info:
|
=================================================================
|
==81176==ERROR: AddressSanitizer: heap-use-after-free on address 0x6190001083c0 at pc 0x000001604c57 bp 0x7fffd1c121e0 sp 0x7fffd1c121d8
|
READ of size 8 at 0x6190001083c0 thread T16
|
#0 0x1604c56 in Item_sum_bit::reset_field() /home/wx/mariadb-11.3.0/sql/item_sum.cc:2949:3
|
#1 0xc98d3f in init_tmptable_sum_functions(Item_sum**) /home/wx/mariadb-11.3.0/sql/sql_select.cc:28763:11
|
#2 0xc98d3f in end_unique_update(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:25138:3
|
#3 0xc9e283 in evaluate_join_record(JOIN*, st_join_table*, int) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23677:11
|
#4 0xbe340e in sub_select(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23481:9
|
#5 0xc45120 in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961:14
|
#6 0xc45120 in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
|
#7 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
|
#8 0x15d8105 in subselect_single_select_engine::exec() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:4159:23
|
#9 0x15b3edb in Item_subselect::exec() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:812:21
|
#10 0x15b9772 in Item_singlerow_subselect::val_int() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:1462:8
|
#11 0x1376611 in Item_cache_int::cache_value() /home/wx/mariadb-11.3.0/sql/item.cc:10161:19
|
#12 0x136b102 in Item_cache_wrapper::cache() /home/wx/mariadb-11.3.0/sql/item.cc:8915:15
|
#13 0x136b102 in Item_cache_wrapper::val_real() /home/wx/mariadb-11.3.0/sql/item.cc:8996:3
|
#14 0x14641a3 in Item_func_mul::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1370:26
|
#15 0x14682f0 in Item_func_mod::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1700:26
|
#16 0x14641a3 in Item_func_mul::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1370:26
|
#17 0x1465563 in Item_func_div::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1502:26
|
#18 0x145e1d5 in Item_func_hybrid_field_type::val_decimal_from_real_op(my_decimal*) /home/wx/mariadb-11.3.0/sql/item_func.cc:859:27
|
#19 0x10b6a7f in VDec::VDec(Item*) /home/wx/mariadb-11.3.0/sql/sql_type.cc:293:16
|
#20 0x14c3c28 in Func_handler_shift_left_decimal_to_ulonglong::to_longlong_null(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.cc:2202:12
|
#21 0x1413061 in Item_handled_func::Handler_int::val_int(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.h:696:26
|
#22 0x14c39f5 in Item::to_longlong_null() /home/wx/mariadb-11.3.0/sql/item.h:1452:18
|
#23 0x14c39f5 in Func_handler_shift_left_int_to_ulonglong::to_longlong_null(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.cc:2189:34
|
#24 0x1413061 in Item_handled_func::Handler_int::val_int(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.h:696:26
|
#25 0x1318ed1 in Item::val_decimal_from_int(my_decimal*) /home/wx/mariadb-11.3.0/sql/item.cc:343:16
|
#26 0x10b6a7f in VDec::VDec(Item*) /home/wx/mariadb-11.3.0/sql/sql_type.cc:293:16
|
#27 0x1413a98 in Func_handler_bit_and_dec_to_ulonglong::to_longlong_null(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:4846:10
|
#28 0x1413061 in Item_handled_func::Handler_int::val_int(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.h:696:26
|
#29 0x13ae82e in Arg_comparator::compare_int_unsigned_signed() /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:1015:37
|
#30 0x13b5ea1 in Arg_comparator::compare() /home/wx/mariadb-11.3.0/sql/item_cmpfunc.h:104:33
|
#31 0x13b5ea1 in Item_func_eq::val_int() /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:1780:18
|
#32 0xf99b3f in SQL_SELECT::skip_record(THD*) /home/wx/mariadb-11.3.0/sql/opt_range.h:1914:13
|
#33 0xf99b3f in JOIN_CACHE::check_match(unsigned char*) /home/wx/mariadb-11.3.0/sql/sql_join_cache.cc:2560:45
|
#34 0xf8f7d8 in JOIN_CACHE::generate_full_extensions(unsigned char*) /home/wx/mariadb-11.3.0/sql/sql_join_cache.cc:2503:7
|
#35 0xf8f321 in JOIN_CACHE::join_matching_records(bool) /home/wx/mariadb-11.3.0/sql/sql_join_cache.cc:2403:13
|
#36 0xf8e694 in JOIN_CACHE::join_records(bool) /home/wx/mariadb-11.3.0/sql/sql_join_cache.cc:2158:9
|
#37 0xc9da16 in sub_select_cache(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23192:16
|
#38 0xc4536b in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22963:14
|
#39 0xc4536b in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
|
#40 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
|
#41 0xbe5127 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:5249:21
|
#42 0xbe4595 in handle_select(THD*, LEX*, select_result*, unsigned long long) /home/wx/mariadb-11.3.0/sql/sql_select.cc:628:10
|
#43 0xb3df17 in execute_sqlcom_select(THD*, TABLE_LIST*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:6013:12
|
#44 0xb2cd50 in mysql_execute_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:3912:12
|
#45 0xb1fe78 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734:18
|
#46 0xb19068 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1893:7
|
#47 0xb20b70 in do_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406:17
|
#48 0xf03475 in do_handle_one_connection(CONNECT*, bool) /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445:11
|
#49 0xf02eb8 in handle_one_connection /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347:5
|
#50 0x1a00c1a in pfs_spawn_thread /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201:3
|
#51 0x7ffff79f7608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
|
#52 0x7ffff770f132 in clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
|
 |
0x6190001083c0 is located 576 bytes inside of 1040-byte region [0x619000108180,0x619000108590)
|
freed by thread T16 here:
|
#0 0x7ca37d in free (/usr/local/mysql/bin/mariadbd+0x7ca37d)
|
#1 0x2290b64 in root_free /home/wx/mariadb-11.3.0/mysys/my_alloc.c:83:5
|
#2 0x2290b64 in free_root /home/wx/mariadb-11.3.0/mysys/my_alloc.c:515:7
|
#3 0xc3da3d in free_tmp_table(THD*, TABLE*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22713:3
|
#4 0xff1235 in Expression_cache_tmptable::disable_cache() /home/wx/mariadb-11.3.0/sql/sql_expression_cache.cc:62:3
|
#5 0xff1235 in Expression_cache_tmptable::init() /home/wx/mariadb-11.3.0/sql/sql_expression_cache.cc:176:3
|
#6 0x136b52a in Item_cache_wrapper::init_on_demand() /home/wx/mariadb-11.3.0/sql/item.cc:8775:19
|
#7 0x136b52a in Item_cache_wrapper::check_cache() /home/wx/mariadb-11.3.0/sql/item.cc:8899:5
|
#8 0x136b52a in Item_cache_wrapper::val_str(String*) /home/wx/mariadb-11.3.0/sql/item.cc:9017:22
|
#9 0x1479db3 in Item_func_ord::val_int() /home/wx/mariadb-11.3.0/sql/item_func.cc:3283:24
|
#10 0x14c39f5 in Item::to_longlong_null() /home/wx/mariadb-11.3.0/sql/item.h:1452:18
|
#11 0x14c39f5 in Func_handler_shift_left_int_to_ulonglong::to_longlong_null(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.cc:2189:34
|
#12 0x1413061 in Item_handled_func::Handler_int::val_int(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.h:696:26
|
#13 0x13552b7 in Item::save_int_in_field(Field*, bool) /home/wx/mariadb-11.3.0/sql/item.cc:6843:16
|
#14 0x13554a8 in Item::save_in_field(Field*, bool) /home/wx/mariadb-11.3.0/sql/item.cc:6853:30
|
#15 0xc98fc5 in copy_funcs(Item**, THD const*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:28843:11
|
#16 0xc98fc5 in end_unique_update(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:25140:7
|
#17 0xc9e283 in evaluate_join_record(JOIN*, st_join_table*, int) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23677:11
|
#18 0xbe3395 in sub_select(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23444:9
|
#19 0xc45120 in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961:14
|
#20 0xc45120 in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
|
#21 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
|
#22 0x15d8105 in subselect_single_select_engine::exec() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:4159:23
|
#23 0x15b3edb in Item_subselect::exec() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:812:21
|
#24 0x15b9772 in Item_singlerow_subselect::val_int() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:1462:8
|
#25 0x1376611 in Item_cache_int::cache_value() /home/wx/mariadb-11.3.0/sql/item.cc:10161:19
|
#26 0x136b102 in Item_cache_wrapper::cache() /home/wx/mariadb-11.3.0/sql/item.cc:8915:15
|
#27 0x136b102 in Item_cache_wrapper::val_real() /home/wx/mariadb-11.3.0/sql/item.cc:8996:3
|
#28 0x14641a3 in Item_func_mul::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1370:26
|
#29 0x14682f0 in Item_func_mod::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1700:26
|
#30 0x14641a3 in Item_func_mul::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1370:26
|
#31 0x1465563 in Item_func_div::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1502:26
|
#32 0x145e1d5 in Item_func_hybrid_field_type::val_decimal_from_real_op(my_decimal*) /home/wx/mariadb-11.3.0/sql/item_func.cc:859:27
|
#33 0x10b6a7f in VDec::VDec(Item*) /home/wx/mariadb-11.3.0/sql/sql_type.cc:293:16
|
#34 0x14c3c28 in Func_handler_shift_left_decimal_to_ulonglong::to_longlong_null(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.cc:2202:12
|
#35 0x1413061 in Item_handled_func::Handler_int::val_int(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.h:696:26
|
#36 0x14c39f5 in Item::to_longlong_null() /home/wx/mariadb-11.3.0/sql/item.h:1452:18
|
#37 0x14c39f5 in Func_handler_shift_left_int_to_ulonglong::to_longlong_null(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.cc:2189:34
|
#38 0x1413061 in Item_handled_func::Handler_int::val_int(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.h:696:26
|
 |
previously allocated by thread T16 here:
|
#0 0x7ca5fd in malloc (/usr/local/mysql/bin/mariadbd+0x7ca5fd)
|
#1 0x22a6308 in my_malloc /home/wx/mariadb-11.3.0/mysys/my_malloc.c:89:29
|
#2 0x228fff9 in root_alloc /home/wx/mariadb-11.3.0/mysys/my_alloc.c:71:10
|
#3 0x228fff9 in alloc_root /home/wx/mariadb-11.3.0/mysys/my_alloc.c:339:29
|
#4 0x10f83ec in Field::operator new(unsigned long, st_mem_root*) /home/wx/mariadb-11.3.0/sql/field.h:771:12
|
#5 0x10f83ec in Type_handler_long::make_table_field_from_def(TABLE_SHARE*, st_mem_root*, st_mysql_const_lex_string const*, Record_addr const&, Bit_addr const&, Column_definition_attributes const*, unsigned int) const /home/wx/mariadb-11.3.0/sql/sql_type.cc:8134:10
|
#6 0x10cac4a in Type_handler_int_result::make_table_field(st_mem_root*, st_mysql_const_lex_string const*, Record_addr const&, Type_all_attributes const&, TABLE_SHARE*) const /home/wx/mariadb-11.3.0/sql/sql_type.cc:3573:10
|
#7 0x110c447 in Type_handler::make_and_init_table_field(st_mem_root*, st_mysql_const_lex_string const*, Record_addr const&, Type_all_attributes const&, TABLE*) const /home/wx/mariadb-11.3.0/sql/sql_type.cc:3558:17
|
#8 0x110c447 in Item::tmp_table_field_from_field_type(st_mem_root*, TABLE*) /home/wx/mariadb-11.3.0/sql/item.h:914:15
|
#9 0x110c447 in Item::create_tmp_field_ex_simple(st_mem_root*, TABLE*, Tmp_field_src*, Tmp_field_param const*) /home/wx/mariadb-11.3.0/sql/item.h:935:12
|
#10 0x110c447 in Item_cache::create_tmp_field_ex(st_mem_root*, TABLE*, Tmp_field_src*, Tmp_field_param const*) /home/wx/mariadb-11.3.0/sql/item.h:7119:12
|
#11 0xc8940f in create_tmp_field(TABLE*, Item*, Item***, Field**, Field**, bool, bool, bool, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:20823:24
|
#12 0xc8c548 in Create_tmp_table::add_fields(THD*, TABLE*, TMP_TABLE_PARAM*, List<Item>&) /home/wx/mariadb-11.3.0/sql/sql_select.cc:21261:9
|
#13 0xc36790 in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:21920:13
|
#14 0xff0d1e in Expression_cache_tmptable::init() /home/wx/mariadb-11.3.0/sql/sql_expression_cache.cc:121:22
|
#15 0x136b52a in Item_cache_wrapper::init_on_demand() /home/wx/mariadb-11.3.0/sql/item.cc:8775:19
|
#16 0x136b52a in Item_cache_wrapper::check_cache() /home/wx/mariadb-11.3.0/sql/item.cc:8899:5
|
#17 0x136b52a in Item_cache_wrapper::val_str(String*) /home/wx/mariadb-11.3.0/sql/item.cc:9017:22
|
#18 0x1479db3 in Item_func_ord::val_int() /home/wx/mariadb-11.3.0/sql/item_func.cc:3283:24
|
#19 0x14c39f5 in Item::to_longlong_null() /home/wx/mariadb-11.3.0/sql/item.h:1452:18
|
#20 0x14c39f5 in Func_handler_shift_left_int_to_ulonglong::to_longlong_null(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.cc:2189:34
|
#21 0x1413061 in Item_handled_func::Handler_int::val_int(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.h:696:26
|
#22 0x13552b7 in Item::save_int_in_field(Field*, bool) /home/wx/mariadb-11.3.0/sql/item.cc:6843:16
|
#23 0x13554a8 in Item::save_in_field(Field*, bool) /home/wx/mariadb-11.3.0/sql/item.cc:6853:30
|
#24 0xc98fc5 in copy_funcs(Item**, THD const*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:28843:11
|
#25 0xc98fc5 in end_unique_update(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:25140:7
|
#26 0xc9e283 in evaluate_join_record(JOIN*, st_join_table*, int) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23677:11
|
#27 0xbe3395 in sub_select(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23444:9
|
#28 0xc45120 in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961:14
|
#29 0xc45120 in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
|
#30 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
|
#31 0x15d8105 in subselect_single_select_engine::exec() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:4159:23
|
#32 0x15b3edb in Item_subselect::exec() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:812:21
|
#33 0x15b9772 in Item_singlerow_subselect::val_int() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:1462:8
|
#34 0x1376611 in Item_cache_int::cache_value() /home/wx/mariadb-11.3.0/sql/item.cc:10161:19
|
#35 0x136b102 in Item_cache_wrapper::cache() /home/wx/mariadb-11.3.0/sql/item.cc:8915:15
|
#36 0x136b102 in Item_cache_wrapper::val_real() /home/wx/mariadb-11.3.0/sql/item.cc:8996:3
|
#37 0x14641a3 in Item_func_mul::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1370:26
|
#38 0x14682f0 in Item_func_mod::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1700:26
|
#39 0x14641a3 in Item_func_mul::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1370:26
|
#40 0x1465563 in Item_func_div::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1502:26
|
 |
Thread T16 created by T0 here:
|
#0 0x7b502a in pthread_create (/usr/local/mysql/bin/mariadbd+0x7b502a)
|
#1 0x1a00edd in my_thread_create(unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /home/wx/mariadb-11.3.0/storage/perfschema/my_thread.h:52:10
|
#2 0x1a00edd in pfs_spawn_thread_v1 /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2252:15
|
#3 0x80e649 in inline_mysql_thread_create(unsigned int, unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /home/wx/mariadb-11.3.0/include/mysql/psi/mysql_thread.h:1139:11
|
#4 0x80e649 in create_thread_to_handle_connection(CONNECT*) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6150:19
|
#5 0x80f608 in create_new_thread(CONNECT*) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6212:3
|
#6 0x80f608 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6274:5
|
#7 0x80caa8 in handle_connections_sockets() /home/wx/mariadb-11.3.0/sql/mysqld.cc:6398:9
|
#8 0x8051de in mysqld_main(int, char**) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6045:3
|
#9 0x7ffff7614082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
|
 |
SUMMARY: AddressSanitizer: heap-use-after-free /home/wx/mariadb-11.3.0/sql/item_sum.cc:2949:3 in Item_sum_bit::reset_field()
|
Shadow bytes around the buggy address:
|
0x0c3280019020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c3280019030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c3280019040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c3280019050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c3280019060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
=>0x0c3280019070: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
|
0x0c3280019080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c3280019090: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c32800190a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c32800190b0: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c32800190c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==81176==ABORTING
|
And will randomly trigger Segmentation fault in release build.
GDB info:
Thread 16 "mariadbd" received signal SIGSEGV, Segmentation fault.
|
[Switching to Thread 0x7fffe011a700 (LWP 45883)]
|
0x00005555560be1d9 in Item_sum_bit::reset_field (this=0x7fff94093470)
|
at /home/wx/mariadb-11.3.0/sql/item_sum.cc:2949
|
2949 int8store(result_field->ptr, bits);
|
 |
#0 0x00005555560be1d9 in Item_sum_bit::reset_field (this=0x7fff94093470)
|
at /home/wx/mariadb-11.3.0/sql/item_sum.cc:2949
|
#1 0x0000555555dda6ad in init_tmptable_sum_functions (func_ptr=0x7fff94079d50)
|
at /home/wx/mariadb-11.3.0/sql/sql_select.cc:28763
|
#2 end_unique_update (join=0x7fff94076e60, join_tab=0x7fff94085b88,
|
end_of_records=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:25138
|
#3 0x0000555555dad6d4 in evaluate_join_record (join=join@entry=0x7fff94076e60,
|
join_tab=join_tab@entry=0x7fff94085710, error=<optimized out>)
|
at /home/wx/mariadb-11.3.0/sql/sql_select.cc:23677
|
#4 0x0000555555dbf7fb in sub_select (join=0x7fff94076e60, join_tab=0x7fff94085710,
|
end_of_records=false) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:23444
|
#5 0x0000555555df19b2 in do_select (procedure=<optimized out>, join=0x7fff94076e60)
|
at /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961
|
#6 JOIN::exec_inner (this=this@entry=0x7fff94076e60)
|
at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941
|
#7 0x0000555555df1d78 in JOIN::exec (this=0x7fff94076e60)
|
at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718
|
#8 0x00005555560b1422 in subselect_single_select_engine::exec (this=0x7fff940964c0)
|
at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:4159
|
#9 0x00005555560b040c in Item_subselect::exec (this=0x7fff94096330)
|
at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:812
|
#10 0x00005555560afd03 in Item_singlerow_subselect::val_int (this=0x7fff94096330)
|
at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:1462
|
#11 0x0000555555fefb79 in Item_cache_int::cache_value (this=0x7fff9408ae98)
|
at /home/wx/mariadb-11.3.0/sql/item.cc:10161
|
#12 0x000055555600536c in Item_cache_wrapper::cache (this=0x7fff9408adf0)
|
at /home/wx/mariadb-11.3.0/sql/item.cc:8915
|
#13 Item_cache_wrapper::val_real (this=0x7fff9408adf0)
|
at /home/wx/mariadb-11.3.0/sql/item.cc:8996
|
#14 Item_cache_wrapper::val_real (this=0x7fff9408adf0)
|
at /home/wx/mariadb-11.3.0/sql/item.cc:8979
|
#15 0x000055555604b141 in Item_func_mul::real_op (this=0x7fff94096688)
|
at /home/wx/mariadb-11.3.0/sql/item_func.cc:1370
|
#16 0x000055555604d0b1 in Item_func_mod::real_op (this=0x7fff94071bb8)
|
at /home/wx/mariadb-11.3.0/sql/item_func.cc:1700
|
#17 0x000055555604b141 in Item_func_mul::real_op (this=0x7fff94071e90)
|
at /home/wx/mariadb-11.3.0/sql/item_func.cc:1370
|
c#18 0x000055555604cd41 in Item_func_div::real_op (this=0x7fff94072100)
|
at /home/wx/mariadb-11.3.0/sql/item_func.cc:1502
|
#19 0x000055555604e29a in Item_func_hybrid_field_type::val_decimal_from_real_op (
|
this=0x7fff94072100, dec=0x7fffe01180d8) at /home/wx/mariadb-11.3.0/sql/item_func.cc:859
|
#20 0x0000555555f2d79f in VDec::VDec (this=0x7fffe01180d0, item=<optimized out>)
|
at /home/wx/mariadb-11.3.0/sql/sql_type.cc:293
|
#21 0x000055555605a294 in Func_handler_shift_left_decimal_to_ulonglong::to_longlong_null (
|
this=<optimized out>, item=0x7fff94072568)
|
at /home/wx/mariadb-11.3.0/sql/item_func.cc:2202
|
#22 0x0000555556025ab6 in Item_handled_func::Handler_int::val_int (this=<optimized out>,
|
item=0x7fff94072568) at /home/wx/mariadb-11.3.0/sql/item_func.h:696
|
#23 0x0000555556056fd8 in Item::to_longlong_null (this=0x7fff94072568)
|
at /home/wx/mariadb-11.3.0/sql/item.h:1452
|
#24 Func_handler_shift_left_int_to_ulonglong::to_longlong_null (this=<optimized out>,
|
item=0x7fff94072750) at /home/wx/mariadb-11.3.0/sql/item_func.cc:2189
|
#25 0x0000555556025ab6 in Item_handled_func::Handler_int::val_int (this=<optimized out>,
|
item=0x7fff94072750) at /home/wx/mariadb-11.3.0/sql/item_func.h:696
|
#26 0x0000555555ff7aba in Item::val_decimal_from_int (this=0x7fff94072750,
|
decimal_value=0x7fffe0118208) at /home/wx/mariadb-11.3.0/sql/item.cc:343
|
#27 0x0000555555f2d79f in VDec::VDec (this=0x7fffe0118200, item=<optimized out>)
|
at /home/wx/mariadb-11.3.0/sql/sql_type.cc:293
|
#28 0x0000555556029e48 in Func_handler_bit_and_dec_to_ulonglong::to_longlong_null (
|
this=<optimized out>, item=0x7fff94074228)
|
at /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:4846
|
#29 0x0000555556025ab6 in Item_handled_func::Handler_int::val_int (this=<optimized out>,
|
item=0x7fff94074228) at /home/wx/mariadb-11.3.0/sql/item_func.h:696
|
#30 0x00005555560107fd in Arg_comparator::compare_int_unsigned_signed (this=0x7fff940744c8)
|
at /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:1015
|
#31 0x0000555556010caf in Arg_comparator::compare (this=<optimized out>)
|
at /home/wx/mariadb-11.3.0/sql/item_cmpfunc.h:104
|
#32 Item_func_eq::val_int (this=<optimized out>)
|
at /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:1780
|
#33 0x0000555555ec7e3c in SQL_SELECT::skip_record (this=<optimized out>, thd=0x7fff94000c58)
|
at /home/wx/mariadb-11.3.0/sql/opt_range.h:1914
|
#34 JOIN_CACHE::check_match (rec_ptr=0x7fff9409679c "\003", this=0x7fff9407ca58)
|
at /home/wx/mariadb-11.3.0/sql/sql_join_cache.cc:2560
|
#35 JOIN_CACHE::generate_full_extensions (this=0x7fff9407ca58, rec_ptr=0x7fff9409679c "\003")
|
at /home/wx/mariadb-11.3.0/sql/sql_join_cache.cc:2503
|
#36 0x0000555555ec8297 in JOIN_CACHE::join_matching_records (this=0x7fff9407ca58,
|
skip_last=false) at /home/wx/mariadb-11.3.0/sql/sql_join_cache.cc:2403
|
#37 0x0000555555ec7bf3 in JOIN_CACHE::join_records (this=this@entry=0x7fff9407ca58,
|
skip_last=skip_last@entry=false) at /home/wx/mariadb-11.3.0/sql/sql_join_cache.cc:2158
|
#38 0x0000555555dbfcba in sub_select_cache (join=0x7fff94075b18, join_tab=0x7fff94083b48,
|
end_of_records=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:23192
|
#39 0x0000555555df1814 in do_select (procedure=<optimized out>, join=0x7fff94075b18)
|
at /home/wx/mariadb-11.3.0/sql/sql_select.cc:22963
|
#40 JOIN::exec_inner (this=this@entry=0x7fff94075b18)
|
at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941
|
#41 0x0000555555df1d78 in JOIN::exec (this=this@entry=0x7fff94075b18)
|
at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718
|
#42 0x0000555555defe1c in mysql_select (thd=thd@entry=0x7fff94000c58, tables=0x7fff94014ed0,
|
fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0,
|
select_options=<optimized out>, result=0x7fff94074ef8, unit=0x7fff94004ee8,
|
select_lex=0x7fff940132d0) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:5249
|
#43 0x0000555555df0607 in handle_select (thd=thd@entry=0x7fff94000c58,
|
lex=lex@entry=0x7fff94004e08, result=result@entry=0x7fff94074ef8,
|
setup_tables_done_option=setup_tables_done_option@entry=0)
|
at /home/wx/mariadb-11.3.0/sql/sql_select.cc:628
|
#44 0x0000555555d6de41 in execute_sqlcom_select (thd=thd@entry=0x7fff94000c58,
|
all_tables=0x7fff94014ed0) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:6013
|
#45 0x0000555555d7c2aa in mysql_execute_command (thd=thd@entry=0x7fff94000c58,
|
is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false)
|
at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:3912
|
#46 0x0000555555d68c27 in mysql_parse (thd=0x7fff94000c58, rawbuf=<optimized out>,
|
length=<optimized out>, parser_state=<optimized out>)
|
at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734
|
#47 0x0000555555d74fdd in dispatch_command (command=command@entry=COM_QUERY,
|
thd=thd@entry=0x7fff94000c58, packet=packet@entry=0x7fff94008509 "",
|
packet_length=packet_length@entry=792, blocking=blocking@entry=true)
|
at /home/wx/mariadb-11.3.0/sql/sql_class.h:251
|
#48 0x0000555555d7721e in do_command (thd=0x7fff94000c58, blocking=blocking@entry=true)
|
at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406
|
#49 0x0000555555e9a617 in do_handle_one_connection (connect=<optimized out>,
|
connect@entry=0x555557e0e4a8, put_in_cache=put_in_cache@entry=true)
|
at /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445
|
#50 0x0000555555e9a94d in handle_one_connection (arg=arg@entry=0x555557e0e4a8)
|
at /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347
|
#51 0x00005555561e658d in pfs_spawn_thread (arg=0x555557db7f98)
|
at /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201
|
#52 0x00007ffff7b48609 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
|
#53 0x00007ffff7719133 in clone () from /lib/x86_64-linux-gnu/libc.so.6
|
Attachments
Issue Links
- is duplicated by
-
MDEV-32402 Heap-Use-Sfter-Free at /mariadb-11.3.0/sql/item_sum.cc:2958
-
- Closed
-