
make_aggr_tables_info: Use-After-Poison at /mariadb-11.3.0/sql/item.cc:3042

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Duplicate
    • 11.3.0, 10.4(EOL), 10.5, 10.6, 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL), 11.1(EOL), 11.2(EOL)
    • 10.5.28
    • Server
    • None
    • Ubuntu 20.04

    Description

      Run these queries in a debug (ASAN) build:

      CREATE TABLE t0 ( c31 DOUBLE ( 178 , 27 ) ) ;
      INSERT INTO t0 VALUES ( DEFAULT ) , ( DEFAULT ) ;
      CREATE INDEX i0 ON t0 ( c31 ) ;
      INSERT INTO t0 VALUES ( -114 ) , ( 123 ) ;
      WITH t1 AS ( SELECT BIT_OR( ROUND ( -6977545922884371489 ) IN ( SELECT -47 AS c34 ) ) OVER ( PARTITION BY -7669982219226196112 ) | ORD ( 70 ) AS c27 , COUNT( DISTINCT REVERSE ( RAND ( ) % ASCII ( 78 ) ) >> CONVERT ( -13 , UNSIGNED ) % EXISTS ( SELECT RIGHT ( -102 , 'x6n}|yH-L1mmg' ) AS c51 , 62 AS c21 ) , RAND ( ) % HEX ( 1 ) - -127 = 54 NOT IN ( 51 , 48 , 8 <= -84 , RAND ( ) IS NOT NULL IS NOT TRUE ) ) << RAND ( ) & ( SELECT 80 AS c23 WHERE LOG ( -40 , -109 ) <= 43 HAVING RAND ( ) LIMIT 1 ) AS c3 ) SELECT t1 . c27 AS c58 FROM t1 LEFT OUTER JOIN t0 AS t2 ON TRUE WHERE EXISTS ( SELECT t3 . c17 AS c16 FROM ( SELECT BIN ( -60 ) ^ t1 . c27 AS c17 FROM t1 ) AS t3 JOIN t0 ON t3 . c17 = t1 . c27 WHERE CASE -122 WHEN 91 THEN 91 ELSE -97 END = c27 ) = 70 ;

      This triggers a use-after-poison report.
      ASAN info:
      =================================================================
      ==90407==ERROR: AddressSanitizer: use-after-poison on address 0x619000177e30 at pc 0x00000133140a bp 0x7fffd24293c0 sp 0x7fffd24293b8
      READ of size 8 at 0x619000177e30 thread T15
      #0 0x1331409 in Item_field::Item_field(THD*, Field*) /home/wx/mariadb-11.3.0/sql/item.cc:3042:38
      #1 0x15ef5aa in Item_sum::get_tmp_table_item(THD*) /home/wx/mariadb-11.3.0/sql/item_sum.cc:563:33
      #2 0xc2f1a8 in change_refs_to_tmp_fields(THD*, Bounds_checked_array<Item*>, List<Item>&, List<Item>&, unsigned int, List<Item>&) /home/wx/mariadb-11.3.0/sql/sql_select.cc:28691:29
      #3 0xc2f1a8 in JOIN::make_aggr_tables_info() /home/wx/mariadb-11.3.0/sql/sql_select.cc:3798:11
      #4 0xbfc65f in JOIN::optimize_stage2() /home/wx/mariadb-11.3.0/sql/sql_select.cc:3438:9
      #5 0xc13910 in JOIN::optimize_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:2650:9
      #6 0xbfc155 in JOIN::optimize() /home/wx/mariadb-11.3.0/sql/sql_select.cc:1944:10
      #7 0xa54c75 in mysql_derived_optimize(THD*, LEX*, TABLE_LIST*) /home/wx/mariadb-11.3.0/sql/sql_derived.cc:1037:23
      #8 0xa57cc1 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /home/wx/mariadb-11.3.0/sql/sql_derived.cc:200:15
      #9 0xc1312c in JOIN::optimize_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:2442:6
      #10 0xbfc155 in JOIN::optimize() /home/wx/mariadb-11.3.0/sql/sql_select.cc:1944:10
      #11 0xbe4fde in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:5235:19
      #12 0xbe4595 in handle_select(THD*, LEX*, select_result*, unsigned long long) /home/wx/mariadb-11.3.0/sql/sql_select.cc:628:10
      #13 0xb3df17 in execute_sqlcom_select(THD*, TABLE_LIST*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:6013:12
      #14 0xb2cd50 in mysql_execute_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:3912:12
      #15 0xb1fe78 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734:18
      #16 0xb19068 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1893:7
      #17 0xb20b70 in do_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406:17
      #18 0xf03475 in do_handle_one_connection(CONNECT*, bool) /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445:11
      #19 0xf02eb8 in handle_one_connection /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347:5
      #20 0x1a00c1a in pfs_spawn_thread /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201:3
      #21 0x7ffff79f7608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
      #22 0x7ffff770f132 in clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

      0x619000177e30 is located 944 bytes inside of 1040-byte region [0x619000177a80,0x619000177e90)
      allocated by thread T15 here:
      #0 0x7ca5fd in malloc (/usr/local/mysql/bin/mariadbd+0x7ca5fd)
      #1 0x22a6308 in my_malloc /home/wx/mariadb-11.3.0/mysys/my_malloc.c:89:29
      #2 0x228fff9 in root_alloc /home/wx/mariadb-11.3.0/mysys/my_alloc.c:71:10
      #3 0x228fff9 in alloc_root /home/wx/mariadb-11.3.0/mysys/my_alloc.c:339:29
      #4 0x10f862d in Field::operator new(unsigned long, st_mem_root*) /home/wx/mariadb-11.3.0/sql/field.h:771:12
      #5 0x10f862d in Type_handler_longlong::make_table_field_from_def(TABLE_SHARE*, st_mem_root*, st_mysql_const_lex_string const*, Record_addr const&, Bit_addr const&, Column_definition_attributes const*, unsigned int) const /home/wx/mariadb-11.3.0/sql/sql_type.cc:8156:10
      #6 0x10cac4a in Type_handler_int_result::make_table_field(st_mem_root*, st_mysql_const_lex_string const*, Record_addr const&, Type_all_attributes const&, TABLE_SHARE*) const /home/wx/mariadb-11.3.0/sql/sql_type.cc:3573:10
      #7 0x10caa4e in Type_handler::make_and_init_table_field(st_mem_root*, st_mysql_const_lex_string const*, Record_addr const&, Type_all_attributes const&, TABLE*) const /home/wx/mariadb-11.3.0/sql/sql_type.cc:3558:17
      #8 0xc871ec in Item::tmp_table_field_from_field_type(st_mem_root*, TABLE*) /home/wx/mariadb-11.3.0/sql/item.h:914:15
      #9 0xc871ec in Item::tmp_table_field_from_field_type_maybe_null(st_mem_root*, TABLE*, Tmp_field_src*, Tmp_field_param const*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:20534:16
      #10 0xc8940f in create_tmp_field(TABLE*, Item*, Item**, Field, Field*, bool, bool, bool, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:20823:24
      #11 0xc8c548 in Create_tmp_table::add_fields(THD*, TABLE*, TMP_TABLE_PARAM*, List<Item>&) /home/wx/mariadb-11.3.0/sql/sql_select.cc:21261:9
      #12 0xc36790 in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:21920:13
      #13 0xc38fed in JOIN::create_postjoin_aggr_table(st_join_table*, List<Item>, st_order, bool, bool, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:4215:17
      #14 0xc2eab9 in JOIN::make_aggr_tables_info() /home/wx/mariadb-11.3.0/sql/sql_select.cc:3775:9
      #15 0xbfc65f in JOIN::optimize_stage2() /home/wx/mariadb-11.3.0/sql/sql_select.cc:3438:9
      #16 0xc13910 in JOIN::optimize_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:2650:9
      #17 0xbfc155 in JOIN::optimize() /home/wx/mariadb-11.3.0/sql/sql_select.cc:1944:10
      #18 0xa54c75 in mysql_derived_optimize(THD*, LEX*, TABLE_LIST*) /home/wx/mariadb-11.3.0/sql/sql_derived.cc:1037:23
      #19 0xa57cc1 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /home/wx/mariadb-11.3.0/sql/sql_derived.cc:200:15
      #20 0xc1312c in JOIN::optimize_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:2442:6
      #21 0xbfc155 in JOIN::optimize() /home/wx/mariadb-11.3.0/sql/sql_select.cc:1944:10
      #22 0xbe4fde in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:5235:19
      #23 0xbe4595 in handle_select(THD*, LEX*, select_result*, unsigned long long) /home/wx/mariadb-11.3.0/sql/sql_select.cc:628:10
      #24 0xb3df17 in execute_sqlcom_select(THD*, TABLE_LIST*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:6013:12
      #25 0xb2cd50 in mysql_execute_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:3912:12
      #26 0xb1fe78 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734:18
      #27 0xb19068 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1893:7
      #28 0xb20b70 in do_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406:17
      #29 0xf03475 in do_handle_one_connection(CONNECT*, bool) /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445:11
      #30 0xf02eb8 in handle_one_connection /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347:5
      #31 0x1a00c1a in pfs_spawn_thread /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201:3
      #32 0x7ffff79f7608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8

      Thread T15 created by T0 here:
      #0 0x7b502a in pthread_create (/usr/local/mysql/bin/mariadbd+0x7b502a)
      #1 0x1a00edd in my_thread_create(unsigned long*, pthread_attr_t const*, void* (void*), void*) /home/wx/mariadb-11.3.0/storage/perfschema/my_thread.h:52:10
      #2 0x1a00edd in pfs_spawn_thread_v1 /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2252:15
      #3 0x80e649 in inline_mysql_thread_create(unsigned int, unsigned long*, pthread_attr_t const*, void* (void*), void*) /home/wx/mariadb-11.3.0/include/mysql/psi/mysql_thread.h:1139:11
      #4 0x80e649 in create_thread_to_handle_connection(CONNECT*) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6150:19
      #5 0x80f608 in create_new_thread(CONNECT*) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6212:3
      #6 0x80f608 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6274:5
      #7 0x80caa8 in handle_connections_sockets() /home/wx/mariadb-11.3.0/sql/mysqld.cc:6398:9
      #8 0x8051de in mysqld_main(int, char**) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6045:3
      #9 0x7ffff7614082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

      SUMMARY: AddressSanitizer: use-after-poison /home/wx/mariadb-11.3.0/sql/item.cc:3042:38 in Item_field::Item_field(THD*, Field*)
      Shadow bytes around the buggy address:
      0x0c3280026f70: 00 f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c3280026f80: 00 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 00
      0x0c3280026f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c3280026fa0: 00 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00
      0x0c3280026fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0c3280026fc0: 00 00 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7
      0x0c3280026fd0: f7 f7 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c3280026fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c3280026ff0: 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00
      0x0c3280027000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c3280027010: 00 f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable: 00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone: fa
      Freed heap region: fd
      Stack left redzone: f1
      Stack mid redzone: f2
      Stack right redzone: f3
      Stack after return: f5
      Stack use after scope: f8
      Global redzone: f9
      Global init order: f6
      Poisoned by user: f7
      Container overflow: fc
      Array cookie: ac
      Intra object redzone: bb
      ASan internal: fe
      Left alloca redzone: ca
      Right alloca redzone: cb
      Shadow gap: cc
      ==90407==ABORTING

      And run these queries in a release build:

      CREATE TABLE t0 ( c4 INT , INDEX i0 ( c4 ASC ) ) ;
      INSERT INTO t0 VALUES ( DEFAULT ) , ( DEFAULT ) ;
      UPDATE t0 SET c4 = 77 WHERE c4 = EXISTS ( SELECT 5 = COUNT( DISTINCT CONVERT ( 334126326737020548 , UNSIGNED ) % RAND ( ) - RAND ( 2366243224093960513 ) << + EXISTS ( SELECT 31 AS c43 ) IS NULL , ROUND ( -111 , 6 ) SOUNDS LIKE TRIM( TRAILING FROM -60 ) AND RAND ( ) ) << MAX( DISTINCT SIN ( 127 ) + RAND ( ) << SQRT ( 56 NOT IN ( -54 , -29 , 50 ) ) - -81 ) OVER ( PARTITION BY 109 ) SOUNDS LIKE ~ UNHEX ( -51 ) / REPEAT ( 3 , SIN ( 128 ) IS TRUE ) >> INSTR ( 1431933883031988488 , 'yj/5|&,d]`4,}5dmO;PhHIzvu[F$al-c*PBf<tt_P!cu' ) % SIN ( 8875819709143325833 ) AS c11 , -16 AS c32 ) ORDER BY t0 . c4 ;

      This triggers a segmentation fault; the GDB session below shows the Field's table_name pointer being NULL when it is dereferenced at item.cc:3042.
      GDB info:
      Thread 16 "mariadbd" received signal SIGSEGV, Segmentation fault.
      [Switching to Thread 0x7fffd242e300 (LWP 3328)]
      0x0000000001330ca6 in Item_field::Item_field (this=0x6290000b4360, thd=0x62b00016c218, f=0x61900008a608) at /home/wx/mariadb-11.3.0/sql/item.cc:3042
      3042 Lex_cstring_strlen(*f->table_name), f->field_name),
      (gdb) p *f->table_name
      Cannot access memory at address 0x0

      #0 0x0000000001330ca6 in Item_field::Item_field (this=0x6290000b9490, thd=0x62b00016c218, f=0x619000122e08) at /home/wx/mariadb-11.3.0/sql/item.cc:3042
      #1 0x00000000015ef5ab in Item_sum::get_tmp_table_item (this=<optimized out>, thd=0x62b00016c218) at /home/wx/mariadb-11.3.0/sql/item_sum.cc:563
      #2 0x0000000000c2f1a9 in change_refs_to_tmp_fields (thd=<optimized out>, ref_pointer_array=..., res_selected_fields=..., res_all_fields=..., elements=2, all_fields=...) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:28691
      #3 JOIN::make_aggr_tables_info (this=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:3798
      #4 0x0000000000bfc660 in JOIN::optimize_stage2 (this=0x6290000b2908) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:3438
      #5 0x0000000000c13911 in JOIN::optimize_inner (this=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:2650
      #6 0x0000000000bfc156 in JOIN::optimize (this=0x6290000b2908) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:1944
      #7 0x0000000000ab5421 in st_select_lex::optimize_unflattened_subqueries (this=<optimized out>, const_only=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_lex.cc:4916
      #8 0x0000000000e163fb in Sql_cmd_update::update_single_table (this=0x6290000920f8, thd=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_update.cc:421
      #9 0x0000000000e2cf6a in Sql_cmd_update::execute_inner (this=<optimized out>, thd=0x62b00016c218) at /home/wx/mariadb-11.3.0/sql/sql_update.cc:3065
      #10 0x0000000000cc40b2 in Sql_cmd_dml::execute (this=0x6290000920f8, thd=0x62b00016c218) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:33350
      #11 0x0000000000b2ce82 in mysql_execute_command (thd=0x62b00016c218, is_called_from_prepared_stmt=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:4361
      #12 0x0000000000b1fe79 in mysql_parse (thd=thd@entry=0x62b00016c218, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, parser_state@entry=0x7fffd242ca80) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734
      #13 0x0000000000b19069 in dispatch_command (command=<optimized out>, thd=0x62b00016c218, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1893
      #14 0x0000000000b20b71 in do_command (thd=0x62b00016c218, blocking=true) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406
      #15 0x0000000000f03476 in do_handle_one_connection (connect=<optimized out>, put_in_cache=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445
      #16 0x0000000000f02eb9 in handle_one_connection (arg=arg@entry=0x608001bcedb8) at /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347
      #17 0x0000000001a00c1b in pfs_spawn_thread (arg=0x617000005498) at /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201
      #18 0x00007ffff79f7609 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
      #19 0x00007ffff770f133 in clone () from /lib/x86_64-linux-gnu/libc.so.6

          Activity

            alice Alice Sherepa added a comment -

            Thanks! I reproduced it as described on 10.4-11.2

            =================================================================
            ==1235153==ERROR: AddressSanitizer: use-after-poison on address 0x619000108ab0 at pc 0x560cfe371112 bp 0x7f093406c4e0 sp 0x7f093406c4d0
            READ of size 8 at 0x619000108ab0 thread T27
                #0 0x560cfe371111 in Item_field::Item_field(THD*, Field*) /10.4/src/sql/item.cc:2962
                #1 0x560cfdcdcb26 in Item_temptable_field::Item_temptable_field(THD*, Field*) /10.4/src/sql/item.h:3680
                #2 0x560cfe57ddbc in Item_sum::get_tmp_table_item(THD*) /10.4/src/sql/item_sum.cc:539
                #3 0x560cfdcb9fd3 in change_refs_to_tmp_fields /10.4/src/sql/sql_select.cc:26020
                #4 0x560cfdc129b7 in JOIN::make_aggr_tables_info() /10.4/src/sql/sql_select.cc:3507
                #5 0x560cfdc0e35e in JOIN::optimize_stage2() /10.4/src/sql/sql_select.cc:3150
                #6 0x560cfdc0659d in JOIN::optimize_inner() /10.4/src/sql/sql_select.cc:2394
                #7 0x560cfdbff2a8 in JOIN::optimize() /10.4/src/sql/sql_select.cc:1711
                #8 0x560cfda7338c in mysql_derived_optimize /10.4/src/sql/sql_derived.cc:1029
                #9 0x560cfda6db37 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /10.4/src/sql/sql_derived.cc:200
                #10 0x560cfdc0480d in JOIN::optimize_inner() /10.4/src/sql/sql_select.cc:2201
                #11 0x560cfdbff2a8 in JOIN::optimize() /10.4/src/sql/sql_select.cc:1711
                #12 0x560cfdc20292 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.4/src/sql/sql_select.cc:4812
                #13 0x560cfdbf0f7b in handle_select(THD*, LEX*, select_result*, unsigned long) /10.4/src/sql/sql_select.cc:442
                #14 0x560cfdb5cd7f in execute_sqlcom_select /10.4/src/sql/sql_parse.cc:6475
                #15 0x560cfdb4a4f6 in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:3978
                #16 0x560cfdb6625a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:8012
                #17 0x560cfdb3c680 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857
                #18 0x560cfdb391ab in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378
                #19 0x560cfdf4756c in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1420
                #20 0x560cfdf46e10 in handle_one_connection /10.4/src/sql/sql_connect.cc:1324
                #21 0x560cfebf1d89 in pfs_spawn_thread /10.4/src/storage/perfschema/pfs.cc:1869
                #22 0x7f094ac3a608 in start_thread /build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477
                #23 0x7f094a80b132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
             
            0x619000108ab0 is located 1072 bytes inside of 1100-byte region [0x619000108680,0x619000108acc)
            allocated by thread T27 here:
                #0 0x7f094b238808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
                #1 0x560cff787758 in sf_malloc /10.4/src/mysys/safemalloc.c:118
                #2 0x560cff755cbc in my_malloc /10.4/src/mysys/my_malloc.c:101
                #3 0x560cff731c9b in alloc_root /10.4/src/mysys/my_alloc.c:258
                #4 0x560cfdcd9f66 in Field::operator new(unsigned long, st_mem_root*) /10.4/src/sql/field.h:636
                #5 0x560cfe0c1b1e in Type_handler_longlong::make_table_field(st_mysql_const_lex_string const*, Record_addr const&, Type_all_attributes const&, TABLE*) const /10.4/src/sql/sql_type.cc:3222
                #6 0x560cfe0c1331 in Type_handler::make_and_init_table_field(st_mysql_const_lex_string const*, Record_addr const&, Type_all_attributes const&, TABLE*) const /10.4/src/sql/sql_type.cc:3156
                #7 0x560cfd886f35 in Item::tmp_table_field_from_field_type(TABLE*) /10.4/src/sql/item.h:809
                #8 0x560cfdc7c3e8 in Item::tmp_table_field_from_field_type_maybe_null(TABLE*, Tmp_field_src*, Tmp_field_param const*, bool) /10.4/src/sql/sql_select.cc:18181
                #9 0x560cfd88a9d6 in Item_basic_value::create_tmp_field_ex(TABLE*, Tmp_field_src*, Tmp_field_param const*) /10.4/src/sql/item.h:2833
                #10 0x560cfdc7e9b1 in create_tmp_field(TABLE*, Item*, Item***, Field**, Field**, bool, bool, bool, bool) /10.4/src/sql/sql_select.cc:18490
                #11 0x560cfdc81cb2 in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool) /10.4/src/sql/sql_select.cc:18874
                #12 0x560cfdc16c5d in JOIN::create_postjoin_aggr_table(st_join_table*, List<Item>*, st_order*, bool, bool, bool) /10.4/src/sql/sql_select.cc:3896
                #13 0x560cfdc124b9 in JOIN::make_aggr_tables_info() /10.4/src/sql/sql_select.cc:3484
                #14 0x560cfdc0e35e in JOIN::optimize_stage2() /10.4/src/sql/sql_select.cc:3150
                #15 0x560cfdc0659d in JOIN::optimize_inner() /10.4/src/sql/sql_select.cc:2394
                #16 0x560cfdbff2a8 in JOIN::optimize() /10.4/src/sql/sql_select.cc:1711
                #17 0x560cfda7338c in mysql_derived_optimize /10.4/src/sql/sql_derived.cc:1029
                #18 0x560cfda6db37 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /10.4/src/sql/sql_derived.cc:200
                #19 0x560cfdc0480d in JOIN::optimize_inner() /10.4/src/sql/sql_select.cc:2201
                #20 0x560cfdbff2a8 in JOIN::optimize() /10.4/src/sql/sql_select.cc:1711
                #21 0x560cfdc20292 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.4/src/sql/sql_select.cc:4812
                #22 0x560cfdbf0f7b in handle_select(THD*, LEX*, select_result*, unsigned long) /10.4/src/sql/sql_select.cc:442
                #23 0x560cfdb5cd7f in execute_sqlcom_select /10.4/src/sql/sql_parse.cc:6475
                #24 0x560cfdb4a4f6 in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:3978
                #25 0x560cfdb6625a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:8012
                #26 0x560cfdb3c680 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857
                #27 0x560cfdb391ab in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378
                #28 0x560cfdf4756c in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1420
                #29 0x560cfdf46e10 in handle_one_connection /10.4/src/sql/sql_connect.cc:1324
             
            Thread T27 created by T0 here:
                #0 0x7f094b165815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
                #1 0x560cfebf217a in spawn_thread_v1 /10.4/src/storage/perfschema/pfs.cc:1919
                #2 0x560cfd834f71 in inline_mysql_thread_create /10.4/src/include/mysql/psi/mysql_thread.h:1275
                #3 0x560cfd84d103 in create_thread_to_handle_connection(CONNECT*) /10.4/src/sql/mysqld.cc:6289
                #4 0x560cfd84d89e in create_new_thread(CONNECT*) /10.4/src/sql/mysqld.cc:6359
                #5 0x560cfd84dd84 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.4/src/sql/mysqld.cc:6457
                #6 0x560cfd84ec40 in handle_connections_sockets() /10.4/src/sql/mysqld.cc:6615
                #7 0x560cfd84c808 in mysqld_main(int, char**) /10.4/src/sql/mysqld.cc:5947
                #8 0x560cfd832f3c in main /10.4/src/sql/main.cc:25
                #9 0x7f094a710082 in __libc_start_main ../csu/libc-start.c:308
             
            SUMMARY: AddressSanitizer: use-after-poison /10.4/src/sql/item.cc:2962 in Item_field::Item_field(THD*, Field*)
            Shadow bytes around the buggy address:
              0x0c3280019100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c3280019110: 00 00 00 00 00 00 00 00 00 f7 00 00 00 00 00 00
              0x0c3280019120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c3280019130: 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00 00
              0x0c3280019140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            =>0x0c3280019150: 00 f7 f7 f7 f7 f7[f7]f7 f7 04 fa fa fa fa fa fa
              0x0c3280019160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c3280019170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c3280019180: 00 f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c3280019190: 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 00 00
              0x0c32800191a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable:           00
              Partially addressable: 01 02 03 04 05 06 07 
              Heap left redzone:       fa
              Freed heap region:       fd
              Stack left redzone:      f1
              Stack mid redzone:       f2
              Stack right redzone:     f3
              Stack after return:      f5
              Stack use after scope:   f8
              Global redzone:          f9
              Global init order:       f6
              Poisoned by user:        f7
              Container overflow:      fc
              Array cookie:            ac
              Intra object redzone:    bb
              ASan internal:           fe
              Left alloca redzone:     ca
              Right alloca redzone:    cb
              Shadow gap:              cc
            ==1235153==ABORTING
            ----------SERVER LOG END-------------
            

            alice Alice Sherepa added a comment - Thanks! I repeated as described on 10.4-11.2 ================================================================= ==1235153==ERROR: AddressSanitizer: use-after-poison on address 0x619000108ab0 at pc 0x560cfe371112 bp 0x7f093406c4e0 sp 0x7f093406c4d0 READ of size 8 at 0x619000108ab0 thread T27 #0 0x560cfe371111 in Item_field::Item_field(THD*, Field*) /10.4/src/sql/item.cc:2962 #1 0x560cfdcdcb26 in Item_temptable_field::Item_temptable_field(THD*, Field*) /10.4/src/sql/item.h:3680 #2 0x560cfe57ddbc in Item_sum::get_tmp_table_item(THD*) /10.4/src/sql/item_sum.cc:539 #3 0x560cfdcb9fd3 in change_refs_to_tmp_fields /10.4/src/sql/sql_select.cc:26020 #4 0x560cfdc129b7 in JOIN::make_aggr_tables_info() /10.4/src/sql/sql_select.cc:3507 #5 0x560cfdc0e35e in JOIN::optimize_stage2() /10.4/src/sql/sql_select.cc:3150 #6 0x560cfdc0659d in JOIN::optimize_inner() /10.4/src/sql/sql_select.cc:2394 #7 0x560cfdbff2a8 in JOIN::optimize() /10.4/src/sql/sql_select.cc:1711 #8 0x560cfda7338c in mysql_derived_optimize /10.4/src/sql/sql_derived.cc:1029 #9 0x560cfda6db37 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /10.4/src/sql/sql_derived.cc:200 #10 0x560cfdc0480d in JOIN::optimize_inner() /10.4/src/sql/sql_select.cc:2201 #11 0x560cfdbff2a8 in JOIN::optimize() /10.4/src/sql/sql_select.cc:1711 #12 0x560cfdc20292 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.4/src/sql/sql_select.cc:4812 #13 0x560cfdbf0f7b in handle_select(THD*, LEX*, select_result*, unsigned long) /10.4/src/sql/sql_select.cc:442 #14 0x560cfdb5cd7f in execute_sqlcom_select /10.4/src/sql/sql_parse.cc:6475 #15 0x560cfdb4a4f6 in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:3978 #16 0x560cfdb6625a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:8012 #17 
0x560cfdb3c680 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857 #18 0x560cfdb391ab in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378 #19 0x560cfdf4756c in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1420 #20 0x560cfdf46e10 in handle_one_connection /10.4/src/sql/sql_connect.cc:1324 #21 0x560cfebf1d89 in pfs_spawn_thread /10.4/src/storage/perfschema/pfs.cc:1869 #22 0x7f094ac3a608 in start_thread /build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477 #23 0x7f094a80b132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)   0x619000108ab0 is located 1072 bytes inside of 1100-byte region [0x619000108680,0x619000108acc) allocated by thread T27 here: #0 0x7f094b238808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144 #1 0x560cff787758 in sf_malloc /10.4/src/mysys/safemalloc.c:118 #2 0x560cff755cbc in my_malloc /10.4/src/mysys/my_malloc.c:101 #3 0x560cff731c9b in alloc_root /10.4/src/mysys/my_alloc.c:258 #4 0x560cfdcd9f66 in Field::operator new(unsigned long, st_mem_root*) /10.4/src/sql/field.h:636 #5 0x560cfe0c1b1e in Type_handler_longlong::make_table_field(st_mysql_const_lex_string const*, Record_addr const&, Type_all_attributes const&, TABLE*) const /10.4/src/sql/sql_type.cc:3222 #6 0x560cfe0c1331 in Type_handler::make_and_init_table_field(st_mysql_const_lex_string const*, Record_addr const&, Type_all_attributes const&, TABLE*) const /10.4/src/sql/sql_type.cc:3156 #7 0x560cfd886f35 in Item::tmp_table_field_from_field_type(TABLE*) /10.4/src/sql/item.h:809 #8 0x560cfdc7c3e8 in Item::tmp_table_field_from_field_type_maybe_null(TABLE*, Tmp_field_src*, Tmp_field_param const*, bool) /10.4/src/sql/sql_select.cc:18181 #9 0x560cfd88a9d6 in Item_basic_value::create_tmp_field_ex(TABLE*, Tmp_field_src*, Tmp_field_param const*) /10.4/src/sql/item.h:2833 #10 0x560cfdc7e9b1 in create_tmp_field(TABLE*, Item*, Item***, Field**, Field**, bool, bool, bool, bool) 
/10.4/src/sql/sql_select.cc:18490 #11 0x560cfdc81cb2 in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool) /10.4/src/sql/sql_select.cc:18874 #12 0x560cfdc16c5d in JOIN::create_postjoin_aggr_table(st_join_table*, List<Item>*, st_order*, bool, bool, bool) /10.4/src/sql/sql_select.cc:3896 #13 0x560cfdc124b9 in JOIN::make_aggr_tables_info() /10.4/src/sql/sql_select.cc:3484 #14 0x560cfdc0e35e in JOIN::optimize_stage2() /10.4/src/sql/sql_select.cc:3150 #15 0x560cfdc0659d in JOIN::optimize_inner() /10.4/src/sql/sql_select.cc:2394 #16 0x560cfdbff2a8 in JOIN::optimize() /10.4/src/sql/sql_select.cc:1711 #17 0x560cfda7338c in mysql_derived_optimize /10.4/src/sql/sql_derived.cc:1029 #18 0x560cfda6db37 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /10.4/src/sql/sql_derived.cc:200 #19 0x560cfdc0480d in JOIN::optimize_inner() /10.4/src/sql/sql_select.cc:2201 #20 0x560cfdbff2a8 in JOIN::optimize() /10.4/src/sql/sql_select.cc:1711 #21 0x560cfdc20292 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.4/src/sql/sql_select.cc:4812 #22 0x560cfdbf0f7b in handle_select(THD*, LEX*, select_result*, unsigned long) /10.4/src/sql/sql_select.cc:442 #23 0x560cfdb5cd7f in execute_sqlcom_select /10.4/src/sql/sql_parse.cc:6475 #24 0x560cfdb4a4f6 in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:3978 #25 0x560cfdb6625a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:8012 #26 0x560cfdb3c680 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857 #27 0x560cfdb391ab in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378 #28 0x560cfdf4756c in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1420 #29 
0x560cfdf46e10 in handle_one_connection /10.4/src/sql/sql_connect.cc:1324   Thread T27 created by T0 here: #0 0x7f094b165815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208 #1 0x560cfebf217a in spawn_thread_v1 /10.4/src/storage/perfschema/pfs.cc:1919 #2 0x560cfd834f71 in inline_mysql_thread_create /10.4/src/include/mysql/psi/mysql_thread.h:1275 #3 0x560cfd84d103 in create_thread_to_handle_connection(CONNECT*) /10.4/src/sql/mysqld.cc:6289 #4 0x560cfd84d89e in create_new_thread(CONNECT*) /10.4/src/sql/mysqld.cc:6359 #5 0x560cfd84dd84 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.4/src/sql/mysqld.cc:6457 #6 0x560cfd84ec40 in handle_connections_sockets() /10.4/src/sql/mysqld.cc:6615 #7 0x560cfd84c808 in mysqld_main(int, char**) /10.4/src/sql/mysqld.cc:5947 #8 0x560cfd832f3c in main /10.4/src/sql/main.cc:25 #9 0x7f094a710082 in __libc_start_main ../csu/libc-start.c:308   SUMMARY: AddressSanitizer: use-after-poison /10.4/src/sql/item.cc:2962 in Item_field::Item_field(THD*, Field*) Shadow bytes around the buggy address: 0x0c3280019100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3280019110: 00 00 00 00 00 00 00 00 00 f7 00 00 00 00 00 00 0x0c3280019120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3280019130: 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00 00 0x0c3280019140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c3280019150: 00 f7 f7 f7 f7 f7[f7]f7 f7 04 fa fa fa fa fa fa 0x0c3280019160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3280019170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3280019180: 00 f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3280019190: 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 0x0c32800191a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack 
mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==1235153==ABORTING ----------SERVER LOG END-------------
            oleg.smirnov Oleg Smirnov added a comment -

            The test case given here is covered by the fix for MDEV-32411. Closing this as a duplicate.

            oleg.smirnov Oleg Smirnov added a comment - The test case given is covered by a fix for MDEV-32411 . Closing this as a duplicate.

            People

              oleg.smirnov Oleg Smirnov
              Xin Wen Xin Wen