  2. MDEV-32401

expression cache? Heap-Use-After-Free at /mariadb-11.3.0/sql/item_sum.cc:2949


Details

    • Bug
    • Status: In Review
    • Major
    • Resolution: Unresolved
    • 10.4, 10.5, 10.6, 10.9, 10.10, 10.11, 11.0, 11.1, 11.2, 11.3.0
    • 10.4, 10.5, 10.6, 10.11, 11.1, 11.2
    • Optimizer, Server
    • None
    • Ubuntu 20.04

    Description

      Run these queries in a debug (ASAN) build:

      CREATE TEMPORARY TABLE t0 ( c33 TEXT NOT NULL , INDEX i0 ( c33 ( 24 ) ) ) ;
      INSERT INTO t0 VALUES ( 71 ) , ( -79 ) ;
      ALTER TABLE t0 ADD COLUMN c23 INT AFTER c33 ;
      INSERT INTO t0 VALUES ( 29 , 102 ) , ( -7962263225263025638 , 82 ) ;
      SELECT t1 . c24 AS c21 FROM ( SELECT c33 AS c24 FROM t0 ) AS t1 JOIN t0 ON ( SELECT ORD ( + EXISTS ( SELECT -52 AS c10 UNION SELECT + BIT_OR( c24 ) | LENGTH ( '#-_ic<JFkjm`vI9%=W/R?Ij]H^LQkfP PUq9' ) AS c44 FROM t0 WHERE c33 < -76 AND c33 < 0 AND c24 < -113 GROUP BY c33 ) ) << VARIANCE( c24 ) AS c16 FROM t0 GROUP BY c24 LIMIT 1 ) * CONVERT ( 115 , CHAR ) % RAND ( ) * RADIANS ( t0 . c33 ) / LTRIM ( -85 ) << RAND ( ) / RAND ( t0 . c23 ) << t0 . c33 & 'g*$\'>N`@R7_N[%m)v:3t<~qv_4oU{ac@' - SUBSTRING( 63 , 'D_Vj76G?l =>;y>w+9RI4_#xLEzC><!"@}:?B;:7ow9xM`' , '4Xl`2eL6&Ky&zY.@(8$nR%+c$FCP\'AH}G$|MI&\'#?4"{:(d-QPco]ZQ' ) - INSTR ( ROUND ( -5073911722588624130 , 61 ) SOUNDS LIKE TRIM( TRAILING FROM -98 ) AND RAND ( ) , -101 < RAND ( ) ) ^ DEGREES ( 3091623748526794021 ) + RAND ( ) = t0 . c23 ;
      

      This triggers a heap-use-after-free: per the ASAN report below, Item_sum_bit::reset_field() reads result_field->ptr after the temporary table holding that Field has already been released by Expression_cache_tmptable::disable_cache() via free_tmp_table().

      ASAN info:
      =================================================================
      ==81176==ERROR: AddressSanitizer: heap-use-after-free on address 0x6190001083c0 at pc 0x000001604c57 bp 0x7fffd1c121e0 sp 0x7fffd1c121d8
      READ of size 8 at 0x6190001083c0 thread T16
          #0 0x1604c56 in Item_sum_bit::reset_field() /home/wx/mariadb-11.3.0/sql/item_sum.cc:2949:3
          #1 0xc98d3f in init_tmptable_sum_functions(Item_sum**) /home/wx/mariadb-11.3.0/sql/sql_select.cc:28763:11
          #2 0xc98d3f in end_unique_update(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:25138:3
          #3 0xc9e283 in evaluate_join_record(JOIN*, st_join_table*, int) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23677:11
          #4 0xbe340e in sub_select(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23481:9
          #5 0xc45120 in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961:14
          #6 0xc45120 in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
          #7 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
          #8 0x15d8105 in subselect_single_select_engine::exec() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:4159:23
          #9 0x15b3edb in Item_subselect::exec() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:812:21
          #10 0x15b9772 in Item_singlerow_subselect::val_int() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:1462:8
          #11 0x1376611 in Item_cache_int::cache_value() /home/wx/mariadb-11.3.0/sql/item.cc:10161:19
          #12 0x136b102 in Item_cache_wrapper::cache() /home/wx/mariadb-11.3.0/sql/item.cc:8915:15
          #13 0x136b102 in Item_cache_wrapper::val_real() /home/wx/mariadb-11.3.0/sql/item.cc:8996:3
          #14 0x14641a3 in Item_func_mul::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1370:26
          #15 0x14682f0 in Item_func_mod::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1700:26
          #16 0x14641a3 in Item_func_mul::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1370:26
          #17 0x1465563 in Item_func_div::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1502:26
          #18 0x145e1d5 in Item_func_hybrid_field_type::val_decimal_from_real_op(my_decimal*) /home/wx/mariadb-11.3.0/sql/item_func.cc:859:27
          #19 0x10b6a7f in VDec::VDec(Item*) /home/wx/mariadb-11.3.0/sql/sql_type.cc:293:16
          #20 0x14c3c28 in Func_handler_shift_left_decimal_to_ulonglong::to_longlong_null(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.cc:2202:12
          #21 0x1413061 in Item_handled_func::Handler_int::val_int(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.h:696:26
          #22 0x14c39f5 in Item::to_longlong_null() /home/wx/mariadb-11.3.0/sql/item.h:1452:18
          #23 0x14c39f5 in Func_handler_shift_left_int_to_ulonglong::to_longlong_null(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.cc:2189:34
          #24 0x1413061 in Item_handled_func::Handler_int::val_int(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.h:696:26
          #25 0x1318ed1 in Item::val_decimal_from_int(my_decimal*) /home/wx/mariadb-11.3.0/sql/item.cc:343:16
          #26 0x10b6a7f in VDec::VDec(Item*) /home/wx/mariadb-11.3.0/sql/sql_type.cc:293:16
          #27 0x1413a98 in Func_handler_bit_and_dec_to_ulonglong::to_longlong_null(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:4846:10
          #28 0x1413061 in Item_handled_func::Handler_int::val_int(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.h:696:26
          #29 0x13ae82e in Arg_comparator::compare_int_unsigned_signed() /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:1015:37
          #30 0x13b5ea1 in Arg_comparator::compare() /home/wx/mariadb-11.3.0/sql/item_cmpfunc.h:104:33
          #31 0x13b5ea1 in Item_func_eq::val_int() /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:1780:18
          #32 0xf99b3f in SQL_SELECT::skip_record(THD*) /home/wx/mariadb-11.3.0/sql/opt_range.h:1914:13
          #33 0xf99b3f in JOIN_CACHE::check_match(unsigned char*) /home/wx/mariadb-11.3.0/sql/sql_join_cache.cc:2560:45
          #34 0xf8f7d8 in JOIN_CACHE::generate_full_extensions(unsigned char*) /home/wx/mariadb-11.3.0/sql/sql_join_cache.cc:2503:7
          #35 0xf8f321 in JOIN_CACHE::join_matching_records(bool) /home/wx/mariadb-11.3.0/sql/sql_join_cache.cc:2403:13
          #36 0xf8e694 in JOIN_CACHE::join_records(bool) /home/wx/mariadb-11.3.0/sql/sql_join_cache.cc:2158:9
          #37 0xc9da16 in sub_select_cache(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23192:16
          #38 0xc4536b in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22963:14
          #39 0xc4536b in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
          #40 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
          #41 0xbe5127 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:5249:21
          #42 0xbe4595 in handle_select(THD*, LEX*, select_result*, unsigned long long) /home/wx/mariadb-11.3.0/sql/sql_select.cc:628:10
          #43 0xb3df17 in execute_sqlcom_select(THD*, TABLE_LIST*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:6013:12
          #44 0xb2cd50 in mysql_execute_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:3912:12
          #45 0xb1fe78 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734:18
          #46 0xb19068 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1893:7
          #47 0xb20b70 in do_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406:17
          #48 0xf03475 in do_handle_one_connection(CONNECT*, bool) /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445:11
          #49 0xf02eb8 in handle_one_connection /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347:5
          #50 0x1a00c1a in pfs_spawn_thread /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201:3
          #51 0x7ffff79f7608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
          #52 0x7ffff770f132 in clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
       
      0x6190001083c0 is located 576 bytes inside of 1040-byte region [0x619000108180,0x619000108590)
      freed by thread T16 here:
          #0 0x7ca37d in free (/usr/local/mysql/bin/mariadbd+0x7ca37d)
          #1 0x2290b64 in root_free /home/wx/mariadb-11.3.0/mysys/my_alloc.c:83:5
          #2 0x2290b64 in free_root /home/wx/mariadb-11.3.0/mysys/my_alloc.c:515:7
          #3 0xc3da3d in free_tmp_table(THD*, TABLE*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22713:3
          #4 0xff1235 in Expression_cache_tmptable::disable_cache() /home/wx/mariadb-11.3.0/sql/sql_expression_cache.cc:62:3
          #5 0xff1235 in Expression_cache_tmptable::init() /home/wx/mariadb-11.3.0/sql/sql_expression_cache.cc:176:3
          #6 0x136b52a in Item_cache_wrapper::init_on_demand() /home/wx/mariadb-11.3.0/sql/item.cc:8775:19
          #7 0x136b52a in Item_cache_wrapper::check_cache() /home/wx/mariadb-11.3.0/sql/item.cc:8899:5
          #8 0x136b52a in Item_cache_wrapper::val_str(String*) /home/wx/mariadb-11.3.0/sql/item.cc:9017:22
          #9 0x1479db3 in Item_func_ord::val_int() /home/wx/mariadb-11.3.0/sql/item_func.cc:3283:24
          #10 0x14c39f5 in Item::to_longlong_null() /home/wx/mariadb-11.3.0/sql/item.h:1452:18
          #11 0x14c39f5 in Func_handler_shift_left_int_to_ulonglong::to_longlong_null(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.cc:2189:34
          #12 0x1413061 in Item_handled_func::Handler_int::val_int(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.h:696:26
          #13 0x13552b7 in Item::save_int_in_field(Field*, bool) /home/wx/mariadb-11.3.0/sql/item.cc:6843:16
          #14 0x13554a8 in Item::save_in_field(Field*, bool) /home/wx/mariadb-11.3.0/sql/item.cc:6853:30
          #15 0xc98fc5 in copy_funcs(Item**, THD const*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:28843:11
          #16 0xc98fc5 in end_unique_update(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:25140:7
          #17 0xc9e283 in evaluate_join_record(JOIN*, st_join_table*, int) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23677:11
          #18 0xbe3395 in sub_select(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23444:9
          #19 0xc45120 in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961:14
          #20 0xc45120 in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
          #21 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
          #22 0x15d8105 in subselect_single_select_engine::exec() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:4159:23
          #23 0x15b3edb in Item_subselect::exec() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:812:21
          #24 0x15b9772 in Item_singlerow_subselect::val_int() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:1462:8
          #25 0x1376611 in Item_cache_int::cache_value() /home/wx/mariadb-11.3.0/sql/item.cc:10161:19
          #26 0x136b102 in Item_cache_wrapper::cache() /home/wx/mariadb-11.3.0/sql/item.cc:8915:15
          #27 0x136b102 in Item_cache_wrapper::val_real() /home/wx/mariadb-11.3.0/sql/item.cc:8996:3
          #28 0x14641a3 in Item_func_mul::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1370:26
          #29 0x14682f0 in Item_func_mod::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1700:26
          #30 0x14641a3 in Item_func_mul::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1370:26
          #31 0x1465563 in Item_func_div::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1502:26
          #32 0x145e1d5 in Item_func_hybrid_field_type::val_decimal_from_real_op(my_decimal*) /home/wx/mariadb-11.3.0/sql/item_func.cc:859:27
          #33 0x10b6a7f in VDec::VDec(Item*) /home/wx/mariadb-11.3.0/sql/sql_type.cc:293:16
          #34 0x14c3c28 in Func_handler_shift_left_decimal_to_ulonglong::to_longlong_null(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.cc:2202:12
          #35 0x1413061 in Item_handled_func::Handler_int::val_int(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.h:696:26
          #36 0x14c39f5 in Item::to_longlong_null() /home/wx/mariadb-11.3.0/sql/item.h:1452:18
          #37 0x14c39f5 in Func_handler_shift_left_int_to_ulonglong::to_longlong_null(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.cc:2189:34
          #38 0x1413061 in Item_handled_func::Handler_int::val_int(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.h:696:26
       
      previously allocated by thread T16 here:
          #0 0x7ca5fd in malloc (/usr/local/mysql/bin/mariadbd+0x7ca5fd)
          #1 0x22a6308 in my_malloc /home/wx/mariadb-11.3.0/mysys/my_malloc.c:89:29
          #2 0x228fff9 in root_alloc /home/wx/mariadb-11.3.0/mysys/my_alloc.c:71:10
          #3 0x228fff9 in alloc_root /home/wx/mariadb-11.3.0/mysys/my_alloc.c:339:29
          #4 0x10f83ec in Field::operator new(unsigned long, st_mem_root*) /home/wx/mariadb-11.3.0/sql/field.h:771:12
          #5 0x10f83ec in Type_handler_long::make_table_field_from_def(TABLE_SHARE*, st_mem_root*, st_mysql_const_lex_string const*, Record_addr const&, Bit_addr const&, Column_definition_attributes const*, unsigned int) const /home/wx/mariadb-11.3.0/sql/sql_type.cc:8134:10
          #6 0x10cac4a in Type_handler_int_result::make_table_field(st_mem_root*, st_mysql_const_lex_string const*, Record_addr const&, Type_all_attributes const&, TABLE_SHARE*) const /home/wx/mariadb-11.3.0/sql/sql_type.cc:3573:10
          #7 0x110c447 in Type_handler::make_and_init_table_field(st_mem_root*, st_mysql_const_lex_string const*, Record_addr const&, Type_all_attributes const&, TABLE*) const /home/wx/mariadb-11.3.0/sql/sql_type.cc:3558:17
          #8 0x110c447 in Item::tmp_table_field_from_field_type(st_mem_root*, TABLE*) /home/wx/mariadb-11.3.0/sql/item.h:914:15
          #9 0x110c447 in Item::create_tmp_field_ex_simple(st_mem_root*, TABLE*, Tmp_field_src*, Tmp_field_param const*) /home/wx/mariadb-11.3.0/sql/item.h:935:12
          #10 0x110c447 in Item_cache::create_tmp_field_ex(st_mem_root*, TABLE*, Tmp_field_src*, Tmp_field_param const*) /home/wx/mariadb-11.3.0/sql/item.h:7119:12
          #11 0xc8940f in create_tmp_field(TABLE*, Item*, Item***, Field**, Field**, bool, bool, bool, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:20823:24
          #12 0xc8c548 in Create_tmp_table::add_fields(THD*, TABLE*, TMP_TABLE_PARAM*, List<Item>&) /home/wx/mariadb-11.3.0/sql/sql_select.cc:21261:9
          #13 0xc36790 in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:21920:13
          #14 0xff0d1e in Expression_cache_tmptable::init() /home/wx/mariadb-11.3.0/sql/sql_expression_cache.cc:121:22
          #15 0x136b52a in Item_cache_wrapper::init_on_demand() /home/wx/mariadb-11.3.0/sql/item.cc:8775:19
          #16 0x136b52a in Item_cache_wrapper::check_cache() /home/wx/mariadb-11.3.0/sql/item.cc:8899:5
          #17 0x136b52a in Item_cache_wrapper::val_str(String*) /home/wx/mariadb-11.3.0/sql/item.cc:9017:22
          #18 0x1479db3 in Item_func_ord::val_int() /home/wx/mariadb-11.3.0/sql/item_func.cc:3283:24
          #19 0x14c39f5 in Item::to_longlong_null() /home/wx/mariadb-11.3.0/sql/item.h:1452:18
          #20 0x14c39f5 in Func_handler_shift_left_int_to_ulonglong::to_longlong_null(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.cc:2189:34
          #21 0x1413061 in Item_handled_func::Handler_int::val_int(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.h:696:26
          #22 0x13552b7 in Item::save_int_in_field(Field*, bool) /home/wx/mariadb-11.3.0/sql/item.cc:6843:16
          #23 0x13554a8 in Item::save_in_field(Field*, bool) /home/wx/mariadb-11.3.0/sql/item.cc:6853:30
          #24 0xc98fc5 in copy_funcs(Item**, THD const*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:28843:11
          #25 0xc98fc5 in end_unique_update(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:25140:7
          #26 0xc9e283 in evaluate_join_record(JOIN*, st_join_table*, int) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23677:11
          #27 0xbe3395 in sub_select(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23444:9
          #28 0xc45120 in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961:14
          #29 0xc45120 in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
          #30 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
          #31 0x15d8105 in subselect_single_select_engine::exec() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:4159:23
          #32 0x15b3edb in Item_subselect::exec() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:812:21
          #33 0x15b9772 in Item_singlerow_subselect::val_int() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:1462:8
          #34 0x1376611 in Item_cache_int::cache_value() /home/wx/mariadb-11.3.0/sql/item.cc:10161:19
          #35 0x136b102 in Item_cache_wrapper::cache() /home/wx/mariadb-11.3.0/sql/item.cc:8915:15
          #36 0x136b102 in Item_cache_wrapper::val_real() /home/wx/mariadb-11.3.0/sql/item.cc:8996:3
          #37 0x14641a3 in Item_func_mul::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1370:26
          #38 0x14682f0 in Item_func_mod::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1700:26
          #39 0x14641a3 in Item_func_mul::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1370:26
          #40 0x1465563 in Item_func_div::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1502:26
       
      Thread T16 created by T0 here:
          #0 0x7b502a in pthread_create (/usr/local/mysql/bin/mariadbd+0x7b502a)
          #1 0x1a00edd in my_thread_create(unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /home/wx/mariadb-11.3.0/storage/perfschema/my_thread.h:52:10
          #2 0x1a00edd in pfs_spawn_thread_v1 /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2252:15
          #3 0x80e649 in inline_mysql_thread_create(unsigned int, unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /home/wx/mariadb-11.3.0/include/mysql/psi/mysql_thread.h:1139:11
          #4 0x80e649 in create_thread_to_handle_connection(CONNECT*) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6150:19
          #5 0x80f608 in create_new_thread(CONNECT*) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6212:3
          #6 0x80f608 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6274:5
          #7 0x80caa8 in handle_connections_sockets() /home/wx/mariadb-11.3.0/sql/mysqld.cc:6398:9
          #8 0x8051de in mysqld_main(int, char**) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6045:3
          #9 0x7ffff7614082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
       
      SUMMARY: AddressSanitizer: heap-use-after-free /home/wx/mariadb-11.3.0/sql/item_sum.cc:2949:3 in Item_sum_bit::reset_field()
      Shadow bytes around the buggy address:
        0x0c3280019020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c3280019030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c3280019040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c3280019050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c3280019060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      =>0x0c3280019070: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
        0x0c3280019080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c3280019090: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c32800190a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c32800190b0: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c32800190c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==81176==ABORTING
      

      In a release build the same queries intermittently trigger a segmentation fault at the same line.
      GDB info:

      Thread 16 "mariadbd" received signal SIGSEGV, Segmentation fault.
      [Switching to Thread 0x7fffe011a700 (LWP 45883)]
      0x00005555560be1d9 in Item_sum_bit::reset_field (this=0x7fff94093470)
          at /home/wx/mariadb-11.3.0/sql/item_sum.cc:2949
      2949	  int8store(result_field->ptr, bits);
       
      #0  0x00005555560be1d9 in Item_sum_bit::reset_field (this=0x7fff94093470)
          at /home/wx/mariadb-11.3.0/sql/item_sum.cc:2949
      #1  0x0000555555dda6ad in init_tmptable_sum_functions (func_ptr=0x7fff94079d50)
          at /home/wx/mariadb-11.3.0/sql/sql_select.cc:28763
      #2  end_unique_update (join=0x7fff94076e60, join_tab=0x7fff94085b88, 
          end_of_records=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:25138
      #3  0x0000555555dad6d4 in evaluate_join_record (join=join@entry=0x7fff94076e60, 
          join_tab=join_tab@entry=0x7fff94085710, error=<optimized out>)
          at /home/wx/mariadb-11.3.0/sql/sql_select.cc:23677
      #4  0x0000555555dbf7fb in sub_select (join=0x7fff94076e60, join_tab=0x7fff94085710, 
          end_of_records=false) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:23444
      #5  0x0000555555df19b2 in do_select (procedure=<optimized out>, join=0x7fff94076e60)
          at /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961
      #6  JOIN::exec_inner (this=this@entry=0x7fff94076e60)
          at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941
      #7  0x0000555555df1d78 in JOIN::exec (this=0x7fff94076e60)
          at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718
      #8  0x00005555560b1422 in subselect_single_select_engine::exec (this=0x7fff940964c0)
          at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:4159
      #9  0x00005555560b040c in Item_subselect::exec (this=0x7fff94096330)
          at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:812
      #10 0x00005555560afd03 in Item_singlerow_subselect::val_int (this=0x7fff94096330)
          at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:1462
      #11 0x0000555555fefb79 in Item_cache_int::cache_value (this=0x7fff9408ae98)
          at /home/wx/mariadb-11.3.0/sql/item.cc:10161
      #12 0x000055555600536c in Item_cache_wrapper::cache (this=0x7fff9408adf0)
          at /home/wx/mariadb-11.3.0/sql/item.cc:8915
      #13 Item_cache_wrapper::val_real (this=0x7fff9408adf0)
          at /home/wx/mariadb-11.3.0/sql/item.cc:8996
      #14 Item_cache_wrapper::val_real (this=0x7fff9408adf0)
          at /home/wx/mariadb-11.3.0/sql/item.cc:8979
      #15 0x000055555604b141 in Item_func_mul::real_op (this=0x7fff94096688)
          at /home/wx/mariadb-11.3.0/sql/item_func.cc:1370
      #16 0x000055555604d0b1 in Item_func_mod::real_op (this=0x7fff94071bb8)
          at /home/wx/mariadb-11.3.0/sql/item_func.cc:1700
      #17 0x000055555604b141 in Item_func_mul::real_op (this=0x7fff94071e90)
          at /home/wx/mariadb-11.3.0/sql/item_func.cc:1370
      #18 0x000055555604cd41 in Item_func_div::real_op (this=0x7fff94072100)
          at /home/wx/mariadb-11.3.0/sql/item_func.cc:1502
      #19 0x000055555604e29a in Item_func_hybrid_field_type::val_decimal_from_real_op (
          this=0x7fff94072100, dec=0x7fffe01180d8) at /home/wx/mariadb-11.3.0/sql/item_func.cc:859
      #20 0x0000555555f2d79f in VDec::VDec (this=0x7fffe01180d0, item=<optimized out>)
          at /home/wx/mariadb-11.3.0/sql/sql_type.cc:293
      #21 0x000055555605a294 in Func_handler_shift_left_decimal_to_ulonglong::to_longlong_null (
          this=<optimized out>, item=0x7fff94072568)
          at /home/wx/mariadb-11.3.0/sql/item_func.cc:2202
      #22 0x0000555556025ab6 in Item_handled_func::Handler_int::val_int (this=<optimized out>, 
          item=0x7fff94072568) at /home/wx/mariadb-11.3.0/sql/item_func.h:696
      #23 0x0000555556056fd8 in Item::to_longlong_null (this=0x7fff94072568)
          at /home/wx/mariadb-11.3.0/sql/item.h:1452
      #24 Func_handler_shift_left_int_to_ulonglong::to_longlong_null (this=<optimized out>, 
          item=0x7fff94072750) at /home/wx/mariadb-11.3.0/sql/item_func.cc:2189
      #25 0x0000555556025ab6 in Item_handled_func::Handler_int::val_int (this=<optimized out>, 
          item=0x7fff94072750) at /home/wx/mariadb-11.3.0/sql/item_func.h:696
      #26 0x0000555555ff7aba in Item::val_decimal_from_int (this=0x7fff94072750, 
          decimal_value=0x7fffe0118208) at /home/wx/mariadb-11.3.0/sql/item.cc:343
      #27 0x0000555555f2d79f in VDec::VDec (this=0x7fffe0118200, item=<optimized out>)
          at /home/wx/mariadb-11.3.0/sql/sql_type.cc:293
      #28 0x0000555556029e48 in Func_handler_bit_and_dec_to_ulonglong::to_longlong_null (
          this=<optimized out>, item=0x7fff94074228)
          at /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:4846
      #29 0x0000555556025ab6 in Item_handled_func::Handler_int::val_int (this=<optimized out>, 
          item=0x7fff94074228) at /home/wx/mariadb-11.3.0/sql/item_func.h:696
      #30 0x00005555560107fd in Arg_comparator::compare_int_unsigned_signed (this=0x7fff940744c8)
          at /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:1015
      #31 0x0000555556010caf in Arg_comparator::compare (this=<optimized out>)
          at /home/wx/mariadb-11.3.0/sql/item_cmpfunc.h:104
      #32 Item_func_eq::val_int (this=<optimized out>)
          at /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:1780
      #33 0x0000555555ec7e3c in SQL_SELECT::skip_record (this=<optimized out>, thd=0x7fff94000c58)
          at /home/wx/mariadb-11.3.0/sql/opt_range.h:1914
      #34 JOIN_CACHE::check_match (rec_ptr=0x7fff9409679c "\003", this=0x7fff9407ca58)
          at /home/wx/mariadb-11.3.0/sql/sql_join_cache.cc:2560
      #35 JOIN_CACHE::generate_full_extensions (this=0x7fff9407ca58, rec_ptr=0x7fff9409679c "\003")
          at /home/wx/mariadb-11.3.0/sql/sql_join_cache.cc:2503
      #36 0x0000555555ec8297 in JOIN_CACHE::join_matching_records (this=0x7fff9407ca58, 
          skip_last=false) at /home/wx/mariadb-11.3.0/sql/sql_join_cache.cc:2403
      #37 0x0000555555ec7bf3 in JOIN_CACHE::join_records (this=this@entry=0x7fff9407ca58, 
          skip_last=skip_last@entry=false) at /home/wx/mariadb-11.3.0/sql/sql_join_cache.cc:2158
      #38 0x0000555555dbfcba in sub_select_cache (join=0x7fff94075b18, join_tab=0x7fff94083b48, 
          end_of_records=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:23192
      #39 0x0000555555df1814 in do_select (procedure=<optimized out>, join=0x7fff94075b18)
          at /home/wx/mariadb-11.3.0/sql/sql_select.cc:22963
      #40 JOIN::exec_inner (this=this@entry=0x7fff94075b18)
          at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941
      #41 0x0000555555df1d78 in JOIN::exec (this=this@entry=0x7fff94075b18)
          at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718
      #42 0x0000555555defe1c in mysql_select (thd=thd@entry=0x7fff94000c58, tables=0x7fff94014ed0, 
          fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, 
          select_options=<optimized out>, result=0x7fff94074ef8, unit=0x7fff94004ee8, 
          select_lex=0x7fff940132d0) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:5249
      #43 0x0000555555df0607 in handle_select (thd=thd@entry=0x7fff94000c58, 
          lex=lex@entry=0x7fff94004e08, result=result@entry=0x7fff94074ef8, 
          setup_tables_done_option=setup_tables_done_option@entry=0)
          at /home/wx/mariadb-11.3.0/sql/sql_select.cc:628
      #44 0x0000555555d6de41 in execute_sqlcom_select (thd=thd@entry=0x7fff94000c58, 
          all_tables=0x7fff94014ed0) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:6013
      #45 0x0000555555d7c2aa in mysql_execute_command (thd=thd@entry=0x7fff94000c58, 
          is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false)
          at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:3912
      #46 0x0000555555d68c27 in mysql_parse (thd=0x7fff94000c58, rawbuf=<optimized out>, 
          length=<optimized out>, parser_state=<optimized out>)
          at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734
      #47 0x0000555555d74fdd in dispatch_command (command=command@entry=COM_QUERY, 
          thd=thd@entry=0x7fff94000c58, packet=packet@entry=0x7fff94008509 "", 
          packet_length=packet_length@entry=792, blocking=blocking@entry=true)
          at /home/wx/mariadb-11.3.0/sql/sql_class.h:251
      #48 0x0000555555d7721e in do_command (thd=0x7fff94000c58, blocking=blocking@entry=true)
          at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406
      #49 0x0000555555e9a617 in do_handle_one_connection (connect=<optimized out>, 
          connect@entry=0x555557e0e4a8, put_in_cache=put_in_cache@entry=true)
          at /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445
      #50 0x0000555555e9a94d in handle_one_connection (arg=arg@entry=0x555557e0e4a8)
          at /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347
      #51 0x00005555561e658d in pfs_spawn_thread (arg=0x555557db7f98)
          at /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201
      #52 0x00007ffff7b48609 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
      #53 0x00007ffff7719133 in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

              sanja Oleksandr Byelkin
              Xin Wen Xin Wen