Details
-
Bug
-
Status: Confirmed (View Workflow)
-
Major
-
Resolution: Unresolved
-
11.3.0, 10.4(EOL), 10.5, 10.6, 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL), 11.1(EOL), 11.2(EOL)
-
Ubuntu 20.04
Description
Run these queries in debug build:
CREATE TABLE t0 ( c16 TEXT , c42 INT ) ; |
INSERT INTO t0 VALUES ( -57 , 60 ) , ( -5 , -28 ) ; |
CREATE INDEX i0 ON t0 ( c16 ) ; |
INSERT INTO t0 VALUES ( -9174437064508089785 , -87 ) , ( -43 , 41 ) ; |
SELECT t0 . c42 AS c42 FROM ( SELECT DISTINCT c16 AS c16 FROM t0 GROUP BY c42 , c16 HAVING RPAD ( c42 , MIN( EXISTS ( SELECT CONCAT ( -2 , 'Z<B > V]1ZJ0g>Mexwz4' ) = ALL ( SELECT c42 AS c42 FROM t0 HAVING TRIM( TRAILING FROM c16 ) ) AS c28 , ROW_NUMBER ( ) OVER ( PARTITION BY 0 , -42 , -79 , 19 , -33 , NOT COUNT( DISTINCT 3 , ~ UNHEX ( -107 ) / REPEAT ( 23 , SIN ( -40 ) IS TRUE ) >> INSTR ( -33 , '!`tH^uPn1i>3%REeyf:' ) % SIN ( -35 ) ) << RAND ( ) & TRIM( TRAILING FROM -32 ) , -863219839305554182 , -5 ) AS c2 FROM ( SELECT NULL AS c45 FROM t0 ) AS t1 ) ) * + EXISTS ( SELECT NOT t0 . c42 = RAND ( ) / TRIM( c42 FROM 'L9OhrY3btSEK,' ) IS NOT FALSE AS c25 ) , 'nHs|4XQyN%VoZ%@O|"k*1T@]96CjJmG.a%8=|8<{L"[' ) ) AS t2 JOIN t0 ON t0 . c42 = t2 . c16 ; |
Will trigger heap-use-after-free.
ASAN info:
=================================================================
|
==90846==ERROR: AddressSanitizer: heap-use-after-free on address 0x6290000dc28a at pc 0x000001527cb4 bp 0x7fffd24274f0 sp 0x7fffd24274e8
|
READ of size 1 at 0x6290000dc28a thread T15
|
#0 0x1527cb3 in Item_func_rtrim::val_str(String*) /home/wx/mariadb-11.3.0/sql/item_strfunc.cc:2432:27
|
#1 0x150c0d8 in Item_str_func::val_real() /home/wx/mariadb-11.3.0/sql/item_strfunc.cc:156:16
|
#2 0x10d6d80 in Type_handler_string_result::Item_val_bool(Item*) const /home/wx/mariadb-11.3.0/sql/sql_type.cc:5092:16
|
#3 0x13dc287 in Item_cond_and::val_int() /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:5524:16
|
#4 0xc36c7c in end_send(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:24685:37
|
#5 0xc9e283 in evaluate_join_record(JOIN*, st_join_table*, int) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23677:11
|
#6 0xbe3395 in sub_select(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23444:9
|
#7 0xc45120 in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961:14
|
#8 0xc45120 in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
|
#9 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
|
#10 0x15d8105 in subselect_single_select_engine::exec() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:4159:23
|
#11 0x15b4baa in Item_subselect::exec() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:812:21
|
#12 0x15b4baa in Item_in_subselect::exec() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:994:3
|
#13 0x15be5df in Item_in_subselect::val_bool() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:1991:7
|
#14 0x13b4fcb in Item_in_optimizer::val_int() /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:1664:17
|
#15 0x1376611 in Item_cache_int::cache_value() /home/wx/mariadb-11.3.0/sql/item.cc:10161:19
|
#16 0x136cb0b in Item_cache_wrapper::cache() /home/wx/mariadb-11.3.0/sql/item.cc:8915:15
|
#17 0x136cb0b in Item_cache_wrapper::val_bool() /home/wx/mariadb-11.3.0/sql/item.cc:9101:3
|
#18 0x13a5d60 in Item_func_not_all::val_int() /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:222:24
|
#19 0x13552b7 in Item::save_int_in_field(Field*, bool) /home/wx/mariadb-11.3.0/sql/item.cc:6843:16
|
#20 0x13554a8 in Item::save_in_field(Field*, bool) /home/wx/mariadb-11.3.0/sql/item.cc:6853:30
|
#21 0xc9a3e6 in copy_funcs(Item**, THD const*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:28843:11
|
#22 0xc9a3e6 in end_write_group(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:25267:11
|
#23 0xc9e283 in evaluate_join_record(JOIN*, st_join_table*, int) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23677:11
|
#24 0xbe3395 in sub_select(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23444:9
|
#25 0xc45120 in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961:14
|
#26 0xc45120 in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
|
#27 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
|
#28 0x15d8105 in subselect_single_select_engine::exec() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:4159:23
|
#29 0x15b3edb in Item_subselect::exec() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:812:21
|
#30 0x15bda3c in Item_exists_subselect::val_int() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:1840:24
|
#31 0x160307a in Item_sum_min_max::reset_field() /home/wx/mariadb-11.3.0/sql/item_sum.cc:2796:24
|
#32 0xc98d3f in init_tmptable_sum_functions(Item_sum**) /home/wx/mariadb-11.3.0/sql/sql_select.cc:28763:11
|
#33 0xc98d3f in end_unique_update(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:25138:3
|
#34 0xc9e283 in evaluate_join_record(JOIN*, st_join_table*, int) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23677:11
|
#35 0xbe340e in sub_select(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23481:9
|
#36 0xc45120 in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961:14
|
#37 0xc45120 in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
|
#38 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
|
#39 0xbe5127 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:5249:21
|
#40 0xa56eb6 in mysql_derived_fill(THD*, LEX*, TABLE_LIST*) /home/wx/mariadb-11.3.0/sql/sql_derived.cc:1266:10
|
#41 0xa57cc1 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /home/wx/mariadb-11.3.0/sql/sql_derived.cc:200:15
|
#42 0xc71b7f in st_join_table::preread_init() /home/wx/mariadb-11.3.0/sql/sql_select.cc:16029:7
|
#43 0xbe2fe9 in sub_select(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23392:49
|
#44 0xc45120 in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961:14
|
#45 0xc45120 in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
|
#46 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
|
#47 0xbe5127 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:5249:21
|
#48 0xbe4595 in handle_select(THD*, LEX*, select_result*, unsigned long long) /home/wx/mariadb-11.3.0/sql/sql_select.cc:628:10
|
#49 0xb3df17 in execute_sqlcom_select(THD*, TABLE_LIST*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:6013:12
|
#50 0xb2cd50 in mysql_execute_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:3912:12
|
#51 0xb1fe78 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734:18
|
#52 0xb19068 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1893:7
|
#53 0xb20b70 in do_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406:17
|
#54 0xf03475 in do_handle_one_connection(CONNECT*, bool) /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445:11
|
#55 0xf02eb8 in handle_one_connection /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347:5
|
#56 0x1a00c1a in pfs_spawn_thread /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201:3
|
#57 0x7ffff79f7608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
|
#58 0x7ffff770f132 in clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
|
|
|
0x6290000dc28a is located 138 bytes inside of 16512-byte region [0x6290000dc200,0x6290000e0280)
|
freed by thread T15 here:
|
#0 0x7ca37d in free (/usr/local/mysql/bin/mariadbd+0x7ca37d)
|
#1 0x1dd1e62 in mem_heap_free(mem_block_info_t*) /home/wx/mariadb-11.3.0/storage/innobase/include/mem0mem.inl:419:3
|
#2 0x1dd1e62 in row_mysql_prebuilt_free_blob_heap(row_prebuilt_t*) /home/wx/mariadb-11.3.0/storage/innobase/row/row0mysql.cc:101:2
|
#3 0x1e2a5b3 in row_sel_store_mysql_rec(unsigned char*, row_prebuilt_t*, unsigned char const*, dtuple_t const*, bool, dict_index_t const*, unsigned short const*) /home/wx/mariadb-11.3.0/storage/innobase/row/row0sel.cc:3148:3
|
#4 0x1e2513c in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /home/wx/mariadb-11.3.0/storage/innobase/row/row0sel.cc:5689:9
|
#5 0x1bbb5a1 in ha_innobase::general_fetch(unsigned char*, unsigned int, unsigned int) /home/wx/mariadb-11.3.0/storage/innobase/handler/ha_innodb.cc:9289:24
|
#6 0x12e9459 in handler::ha_rnd_next(unsigned char*) /home/wx/mariadb-11.3.0/sql/handler.cc:3615:5
|
#7 0x8b8f83 in rr_sequential(READ_RECORD*) /home/wx/mariadb-11.3.0/sql/records.cc:513:35
|
#8 0xbe355b in READ_RECORD::read_record() /home/wx/mariadb-11.3.0/sql/records.h:81:30
|
#9 0xbe355b in sub_select(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23461:18
|
#10 0xc45120 in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961:14
|
#11 0xc45120 in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
|
#12 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
|
#13 0xbe5127 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:5249:21
|
#14 0xa56eb6 in mysql_derived_fill(THD*, LEX*, TABLE_LIST*) /home/wx/mariadb-11.3.0/sql/sql_derived.cc:1266:10
|
#15 0xa57cc1 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /home/wx/mariadb-11.3.0/sql/sql_derived.cc:200:15
|
#16 0xc71b7f in st_join_table::preread_init() /home/wx/mariadb-11.3.0/sql/sql_select.cc:16029:7
|
#17 0xbe2fe9 in sub_select(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23392:49
|
#18 0xc45120 in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961:14
|
#19 0xc45120 in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
|
#20 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
|
#21 0xbe5127 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:5249:21
|
#22 0xbe4595 in handle_select(THD*, LEX*, select_result*, unsigned long long) /home/wx/mariadb-11.3.0/sql/sql_select.cc:628:10
|
#23 0xb3df17 in execute_sqlcom_select(THD*, TABLE_LIST*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:6013:12
|
#24 0xb2cd50 in mysql_execute_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:3912:12
|
#25 0xb1fe78 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734:18
|
#26 0xb19068 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1893:7
|
#27 0xb20b70 in do_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406:17
|
#28 0xf03475 in do_handle_one_connection(CONNECT*, bool) /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445:11
|
#29 0xf02eb8 in handle_one_connection /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347:5
|
#30 0x1a00c1a in pfs_spawn_thread /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201:3
|
#31 0x7ffff79f7608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
|
|
|
previously allocated by thread T15 here:
|
#0 0x7ca5fd in malloc (/usr/local/mysql/bin/mariadbd+0x7ca5fd)
|
#1 0x1bfa497 in ut_allocator<unsigned char, true>::allocate(unsigned long, unsigned char const*, unsigned int, bool, bool) /home/wx/mariadb-11.3.0/storage/innobase/include/ut0new.h:375:11
|
#2 0x1cdd194 in mem_heap_create_block_func(mem_block_info_t*, unsigned long, unsigned long) /home/wx/mariadb-11.3.0/storage/innobase/mem/mem0mem.cc:277:37
|
#3 0x1e38469 in mem_heap_create_func(unsigned long, unsigned long) /home/wx/mariadb-11.3.0/storage/innobase/include/mem0mem.inl:377:10
|
#4 0x1e38469 in row_sel_store_mysql_field(unsigned char*, row_prebuilt_t*, unsigned char const*, dict_index_t const*, unsigned short const*, unsigned long, mysql_row_templ_t const*) /home/wx/mariadb-11.3.0/storage/innobase/row/row0sel.cc:3089:27
|
#5 0x1e2a2ca in row_sel_store_mysql_rec(unsigned char*, row_prebuilt_t*, unsigned char const*, dtuple_t const*, bool, dict_index_t const*, unsigned short const*) /home/wx/mariadb-11.3.0/storage/innobase/row/row0sel.cc:3235:8
|
#6 0x1e2513c in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /home/wx/mariadb-11.3.0/storage/innobase/row/row0sel.cc:5689:9
|
#7 0x1bbaeb4 in ha_innobase::index_read(unsigned char*, unsigned char const*, unsigned int, ha_rkey_function) /home/wx/mariadb-11.3.0/storage/innobase/handler/ha_innodb.cc:9029:5
|
#8 0x1bbbdc3 in ha_innobase::index_first(unsigned char*) /home/wx/mariadb-11.3.0/storage/innobase/handler/ha_innodb.cc:9385:14
|
#9 0x1bbbdc3 in ha_innobase::rnd_next(unsigned char*) /home/wx/mariadb-11.3.0/storage/innobase/handler/ha_innodb.cc:9477:11
|
#10 0x12e9459 in handler::ha_rnd_next(unsigned char*) /home/wx/mariadb-11.3.0/sql/handler.cc:3615:5
|
#11 0x8b8f83 in rr_sequential(READ_RECORD*) /home/wx/mariadb-11.3.0/sql/records.cc:513:35
|
#12 0xbe32cb in sub_select(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23441:12
|
#13 0xc45120 in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961:14
|
#14 0xc45120 in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
|
#15 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
|
#16 0xbe5127 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:5249:21
|
#17 0xa56eb6 in mysql_derived_fill(THD*, LEX*, TABLE_LIST*) /home/wx/mariadb-11.3.0/sql/sql_derived.cc:1266:10
|
#18 0xa57cc1 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /home/wx/mariadb-11.3.0/sql/sql_derived.cc:200:15
|
#19 0xc71b7f in st_join_table::preread_init() /home/wx/mariadb-11.3.0/sql/sql_select.cc:16029:7
|
#20 0xbe2fe9 in sub_select(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23392:49
|
#21 0xc45120 in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961:14
|
#22 0xc45120 in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
|
#23 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
|
#24 0xbe5127 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:5249:21
|
#25 0xbe4595 in handle_select(THD*, LEX*, select_result*, unsigned long long) /home/wx/mariadb-11.3.0/sql/sql_select.cc:628:10
|
#26 0xb3df17 in execute_sqlcom_select(THD*, TABLE_LIST*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:6013:12
|
#27 0xb2cd50 in mysql_execute_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:3912:12
|
#28 0xb1fe78 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734:18
|
#29 0xb19068 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1893:7
|
#30 0xb20b70 in do_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406:17
|
#31 0xf03475 in do_handle_one_connection(CONNECT*, bool) /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445:11
|
#32 0xf02eb8 in handle_one_connection /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347:5
|
#33 0x1a00c1a in pfs_spawn_thread /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201:3
|
|
|
Thread T15 created by T0 here:
|
#0 0x7b502a in pthread_create (/usr/local/mysql/bin/mariadbd+0x7b502a)
|
#1 0x1a00edd in my_thread_create(unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /home/wx/mariadb-11.3.0/storage/perfschema/my_thread.h:52:10
|
#2 0x1a00edd in pfs_spawn_thread_v1 /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2252:15
|
#3 0x80e649 in inline_mysql_thread_create(unsigned int, unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /home/wx/mariadb-11.3.0/include/mysql/psi/mysql_thread.h:1139:11
|
#4 0x80e649 in create_thread_to_handle_connection(CONNECT*) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6150:19
|
#5 0x80f608 in create_new_thread(CONNECT*) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6212:3
|
#6 0x80f608 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6274:5
|
#7 0x80caa8 in handle_connections_sockets() /home/wx/mariadb-11.3.0/sql/mysqld.cc:6398:9
|
#8 0x8051de in mysqld_main(int, char**) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6045:3
|
#9 0x7ffff7614082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
|
|
|
SUMMARY: AddressSanitizer: heap-use-after-free /home/wx/mariadb-11.3.0/sql/item_strfunc.cc:2432:27 in Item_func_rtrim::val_str(String*)
|
Shadow bytes around the buggy address:
|
0x0c5280013800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c5280013810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c5280013820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c5280013830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c5280013840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
=>0x0c5280013850: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c5280013860: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c5280013870: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c5280013880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c5280013890: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c52800138a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==90846==ABORTING
|
Attachments
Issue Links
- relates to
-
-
- Stalled
-
-
-
- Confirmed
-
Thank you!
I repeated on 10.4-11.2 with InnoDB, not with myisam.
--source include/have_innodb.inc);Version: '10.4.32-MariaDB-debug-log' source revision babd833685e1fd1da4411a0874ba1c98bb0b631d===================================================================680299==ERROR: AddressSanitizer: heap-use-after-free on address 0x6290002c628a at pc 0x55fbba283b36 bp 0x7f5e7b315710 sp 0x7f5e7b315700READ of size 1 at 0x6290002c628a thread T27#0 0x55fbba283b35 in Item_func_rtrim::val_str(String*) /10.4/src/sql/item_strfunc.cc:2051#1 0x55fbba27155b in Item_str_func::val_int() /10.4/src/sql/item_strfunc.cc:159#2 0x55fbb9a1c3f9 in end_send /10.4/src/sql/sql_select.cc:22086#3 0x55fbb9a14a54 in evaluate_join_record /10.4/src/sql/sql_select.cc:21129#4 0x55fbb9a13389 in sub_select(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20902#5 0x55fbb9a1112f in do_select /10.4/src/sql/sql_select.cc:20423#6 0x55fbb999ec77 in JOIN::exec_inner() /10.4/src/sql/sql_select.cc:4605#7 0x55fbb999c2a7 in JOIN::exec() /10.4/src/sql/sql_select.cc:4387#8 0x55fbba2e1a0f in subselect_single_select_engine::exec() /10.4/src/sql/item_subselect.cc:4032#9 0x55fbba2bca77 in Item_subselect::exec() /10.4/src/sql/item_subselect.cc:758#10 0x55fbba2c73ec in Item_exists_subselect::val_int() /10.4/src/sql/item_subselect.cc:1735#11 0x55fbb96080bd in Item::val_int_result() /10.4/src/sql/item.h:1557#12 0x55fbba12e6dc in Item_cache_int::cache_value() /10.4/src/sql/item.cc:10016#13 0x55fbba1472a7 in Item_cache_wrapper::cache() /10.4/src/sql/item.cc:8779#14 0x55fbba124303 in Item_cache_wrapper::val_str(String*) /10.4/src/sql/item.cc:8887#15 0x55fbba101ed2 in Item_copy_string::copy() /10.4/src/sql/item.cc:4997#16 0x55fbb9a37a51 in copy_fields(TMP_TABLE_PARAM*) /10.4/src/sql/sql_select.cc:25761#17 0x55fbb9a1e804 in end_send_group(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:22326#18 0x55fbb9a14a54 in evaluate_join_record /10.4/src/sql/sql_select.cc:21129#19 0x55fbb9a13389 in sub_select(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20902#20 0x55fbb9a1112f in do_select /10.4/src/sql/sql_select.cc:20423#21 0x55fbb999ec77 in JOIN::exec_inner() /10.4/src/sql/sql_select.cc:4605#22 0x55fbb999c2a7 in JOIN::exec() /10.4/src/sql/sql_select.cc:4387#23 0x55fbba2e1a0f in subselect_single_select_engine::exec() /10.4/src/sql/item_subselect.cc:4032#24 0x55fbba2bca77 in Item_subselect::exec() /10.4/src/sql/item_subselect.cc:758#25 0x55fbba2c73ec in Item_exists_subselect::val_int() /10.4/src/sql/item_subselect.cc:1735#26 0x55fbba317bfc in Item_sum_min_max::reset_field() /10.4/src/sql/item_sum.cc:2762#27 0x55fbb9a3a7e4 in init_tmptable_sum_functions /10.4/src/sql/sql_select.cc:26090#28 0x55fbb9a209ec in end_unique_update /10.4/src/sql/sql_select.cc:22510#29 0x55fbb9a551be in AGGR_OP::put_record(bool) /10.4/src/sql/sql_select.cc:29615#30 0x55fbb9a64c6e in AGGR_OP::put_record() (/home/alice/am/_depot/m-branch/m4-10.4-bld/sql/mysqld+0x147cc6e)#31 0x55fbb9a120cc in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20607#32 0x55fbb9a14a54 in evaluate_join_record /10.4/src/sql/sql_select.cc:21129#33 0x55fbb9a139ef in sub_select(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20941#34 0x55fbb9a1112f in do_select /10.4/src/sql/sql_select.cc:20423#35 0x55fbb999ec77 in JOIN::exec_inner() /10.4/src/sql/sql_select.cc:4605#36 0x55fbb999c2a7 in JOIN::exec() /10.4/src/sql/sql_select.cc:4387#37 0x55fbb99a0483 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.4/src/sql/sql_select.cc:4826#38 0x55fbb9970f7b in handle_select(THD*, LEX*, select_result*, unsigned long) /10.4/src/sql/sql_select.cc:442#39 0x55fbb98dcd7f in execute_sqlcom_select /10.4/src/sql/sql_parse.cc:6475#40 0x55fbb98ca4f6 in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:3978#41 0x55fbb98e625a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:8012#42 0x55fbb98bc680 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857#43 0x55fbb98b91ab in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378#44 0x55fbb9cc756c in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1420#45 0x55fbb9cc6e10 in handle_one_connection /10.4/src/sql/sql_connect.cc:1324#46 0x55fbba971d89 in pfs_spawn_thread /10.4/src/storage/perfschema/pfs.cc:1869#47 0x7f5e91ee4608 in start_thread /build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477#48 0x7f5e91ab5132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)0x6290002c628a is located 138 bytes inside of 16512-byte region [0x6290002c6200,0x6290002ca280)freed by thread T27 here:#0 0x7f5e924e240f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122#1 0x55fbbac77634 in mem_heap_block_free(mem_block_info_t*, mem_block_info_t*) /10.4/src/storage/innobase/mem/mem0mem.cc:416#2 0x55fbbade9159 in mem_heap_free /10.4/src/storage/innobase/include/mem0mem.inl:417#3 0x55fbbadf0732 in row_mysql_prebuilt_free_blob_heap(row_prebuilt_t*) /10.4/src/storage/innobase/row/row0mysql.cc:137#4 0x55fbbae8087b in row_sel_store_mysql_rec /10.4/src/storage/innobase/row/row0sel.cc:3106#5 0x55fbbae90c16 in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /10.4/src/storage/innobase/row/row0sel.cc:5589#6 0x55fbbaa89ad2 in ha_innobase::general_fetch(unsigned char*, unsigned int, unsigned int) /10.4/src/storage/innobase/handler/ha_innodb.cc:9678#7 0x55fbbaa8ab01 in ha_innobase::rnd_next(unsigned char*) /10.4/src/storage/innobase/handler/ha_innodb.cc:9888#8 0x55fbba09fd5f in handler::ha_rnd_next(unsigned char*) /10.4/src/sql/handler.cc:2904#9 0x55fbba4d8d48 in rr_sequential(READ_RECORD*) /10.4/src/sql/records.cc:485#10 0x55fbb9711db9 in READ_RECORD::read_record() /10.4/src/sql/records.h:70#11 0x55fbb9a1360c in sub_select(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20921#12 0x55fbb9a1112f in do_select /10.4/src/sql/sql_select.cc:20423#13 0x55fbb999ec77 in JOIN::exec_inner() /10.4/src/sql/sql_select.cc:4605#14 0x55fbb999c2a7 in JOIN::exec() /10.4/src/sql/sql_select.cc:4387#15 0x55fbb99a0483 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.4/src/sql/sql_select.cc:4826#16 0x55fbb9970f7b in handle_select(THD*, LEX*, select_result*, unsigned long) /10.4/src/sql/sql_select.cc:442#17 0x55fbb98dcd7f in execute_sqlcom_select /10.4/src/sql/sql_parse.cc:6475#18 0x55fbb98ca4f6 in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:3978#19 0x55fbb98e625a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:8012#20 0x55fbb98bc680 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857#21 0x55fbb98b91ab in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378#22 0x55fbb9cc756c in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1420#23 0x55fbb9cc6e10 in handle_one_connection /10.4/src/sql/sql_connect.cc:1324#24 0x55fbba971d89 in pfs_spawn_thread /10.4/src/storage/perfschema/pfs.cc:1869#25 0x7f5e91ee4608 in start_thread /build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477previously allocated by thread T27 here:#0 0x7f5e924e2808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144#1 0x55fbbac76a31 in mem_heap_create_block_func(mem_block_info_t*, unsigned long, char const*, unsigned int, unsigned long) /10.4/src/storage/innobase/mem/mem0mem.cc:277#2 0x55fbbae68f52 in mem_heap_create_func /10.4/src/storage/innobase/include/mem0mem.inl:375#3 0x55fbbae8013c in row_sel_store_mysql_field /10.4/src/storage/innobase/row/row0sel.cc:3047#4 0x55fbbae81261 in row_sel_store_mysql_rec /10.4/src/storage/innobase/row/row0sel.cc:3178#5 0x55fbbae90c16 in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /10.4/src/storage/innobase/row/row0sel.cc:5589#6 0x55fbbaa87196 in ha_innobase::index_read(unsigned char*, unsigned char const*, unsigned int, ha_rkey_function) /10.4/src/storage/innobase/handler/ha_innodb.cc:9405#7 0x55fbbaa8a4eb in ha_innobase::index_first(unsigned char*) /10.4/src/storage/innobase/handler/ha_innodb.cc:9787#8 0x55fbbaa8aa7b in ha_innobase::rnd_next(unsigned char*) /10.4/src/storage/innobase/handler/ha_innodb.cc:9880#9 0x55fbba09fd5f in handler::ha_rnd_next(unsigned char*) /10.4/src/sql/handler.cc:2904#10 0x55fbba4d8d48 in rr_sequential(READ_RECORD*) /10.4/src/sql/records.cc:485#11 0x55fbb9711db9 in READ_RECORD::read_record() /10.4/src/sql/records.h:70#12 0x55fbb9a19fbc in join_init_read_record(st_join_table*) /10.4/src/sql/sql_select.cc:21851#13 0x55fbb9a131cd in sub_select(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20899#14 0x55fbb9a1112f in do_select /10.4/src/sql/sql_select.cc:20423#15 0x55fbb999ec77 in JOIN::exec_inner() /10.4/src/sql/sql_select.cc:4605#16 0x55fbb999c2a7 in JOIN::exec() /10.4/src/sql/sql_select.cc:4387#17 0x55fbb99a0483 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.4/src/sql/sql_select.cc:4826#18 0x55fbb9970f7b in handle_select(THD*, LEX*, select_result*, unsigned long) /10.4/src/sql/sql_select.cc:442#19 0x55fbb98dcd7f in execute_sqlcom_select /10.4/src/sql/sql_parse.cc:6475#20 0x55fbb98ca4f6 in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:3978#21 0x55fbb98e625a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:8012#22 0x55fbb98bc680 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857#23 0x55fbb98b91ab in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378#24 0x55fbb9cc756c in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1420#25 0x55fbb9cc6e10 in handle_one_connection /10.4/src/sql/sql_connect.cc:1324#26 0x55fbba971d89 in pfs_spawn_thread /10.4/src/storage/perfschema/pfs.cc:1869#27 0x7f5e91ee4608 in start_thread /build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477Thread T27 created by T0 here:#0 0x7f5e9240f815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208#1 0x55fbba97217a in spawn_thread_v1 /10.4/src/storage/perfschema/pfs.cc:1919#2 0x55fbb95b4f71 in inline_mysql_thread_create /10.4/src/include/mysql/psi/mysql_thread.h:1275#3 0x55fbb95cd103 in create_thread_to_handle_connection(CONNECT*) /10.4/src/sql/mysqld.cc:6289#4 0x55fbb95cd89e in create_new_thread(CONNECT*) /10.4/src/sql/mysqld.cc:6359#5 0x55fbb95cdd84 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.4/src/sql/mysqld.cc:6457#6 0x55fbb95cec40 in handle_connections_sockets() /10.4/src/sql/mysqld.cc:6615#7 0x55fbb95cc808 in mysqld_main(int, char**) /10.4/src/sql/mysqld.cc:5947#8 0x55fbb95b2f3c in main /10.4/src/sql/main.cc:25#9 0x7f5e919ba082 in __libc_start_main ../csu/libc-start.c:308SUMMARY: AddressSanitizer: heap-use-after-free /10.4/src/sql/item_strfunc.cc:2051 in Item_func_rtrim::val_str(String*)Shadow bytes around the buggy address:0x0c5280050c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c5280050c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c5280050c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c5280050c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c5280050c40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd=>0x0c5280050c50: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd0x0c5280050c60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd0x0c5280050c70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd0x0c5280050c80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd0x0c5280050c90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd0x0c5280050ca0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fdShadow byte legend (one shadow byte represents 8 application bytes):Addressable: 00Partially addressable: 01 02 03 04 05 06 07Heap left redzone: faFreed heap region: fdStack left redzone: f1Stack mid redzone: f2Stack right redzone: f3Stack after return: f5Stack use after scope: f8Global redzone: f9Global init order: f6Poisoned by user: f7Container overflow: fcArray cookie: acIntra object redzone: bbASan internal: feLeft alloca redzone: caRight alloca redzone: cbShadow gap: cc==680299==ABORTING----------SERVER LOG END---------------source include/have_innodb.inc);Version: '10.4.32-MariaDB-debug-log'===================================================================679980==ERROR: AddressSanitizer: heap-use-after-free on address 0x6290002c6288 at pc 0x559e81d2dc27 bp 0x7fb259626560 sp 0x7fb259626550READ of size 1 at 0x6290002c6288 thread T27#0 0x559e81d2dc26 in internal_str2dec /10.4/src/strings/decimal.c:801#1 0x559e80b81db4 in str2my_decimal(unsigned int, char const*, unsigned long, charset_info_st const*, my_decimal*, char const**) /10.4/src/sql/my_decimal.cc:256#2 0x559e80791aa3 in Value_source::Converter_str2my_decimal::Converter_str2my_decimal(unsigned int, charset_info_st const*, char const*, unsigned long, my_decimal*) /10.4/src/sql/field.h:224#3 0x559e80791dc5 in Value_source::Converter_str2my_decimal_with_warn::Converter_str2my_decimal_with_warn(THD*, Value_source::Warn_filter, unsigned int, charset_info_st const*, char const*, unsigned long, my_decimal*) /10.4/src/sql/field.h:276#4 0x559e807738ff in Field_blob::val_decimal(my_decimal*) /10.4/src/sql/field.cc:8619#5 0x559e808324d7 in Item_field::val_decimal_result(my_decimal*) /10.4/src/sql/item.cc:3364#6 0x559e8085bf45 in Item_ref::val_decimal(my_decimal*) /10.4/src/sql/item.cc:8448#7 0x559e8056b50f in VDec::VDec(Item*) /10.4/src/sql/sql_type.cc:195#8 0x559e80894c0c in Arg_comparator::compare_decimal() /10.4/src/sql/item_cmpfunc.cc:871#9 0x559e808d836d in Arg_comparator::compare() /10.4/src/sql/item_cmpfunc.h:104#10 0x559e808a0414 in Item_func_ne::val_int() /10.4/src/sql/item_cmpfunc.cc:1813#11 0x559e801593f9 in end_send /10.4/src/sql/sql_select.cc:22086#12 0x559e80151a54 in evaluate_join_record /10.4/src/sql/sql_select.cc:21129#13 0x559e80150389 in sub_select(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20902#14 0x559e8014e12f in do_select /10.4/src/sql/sql_select.cc:20423#15 0x559e800dbc77 in JOIN::exec_inner() /10.4/src/sql/sql_select.cc:4605#16 0x559e800d92a7 in JOIN::exec() /10.4/src/sql/sql_select.cc:4387#17 0x559e80a1ea0f in subselect_single_select_engine::exec() /10.4/src/sql/item_subselect.cc:4032#18 0x559e809f9a77 in Item_subselect::exec() /10.4/src/sql/item_subselect.cc:758#19 0x559e80a043ec in Item_exists_subselect::val_int() /10.4/src/sql/item_subselect.cc:1735#20 0x559e7fd450bd in Item::val_int_result() /10.4/src/sql/item.h:1557#21 0x559e8086b6dc in Item_cache_int::cache_value() /10.4/src/sql/item.cc:10016#22 0x559e808842a7 in Item_cache_wrapper::cache() /10.4/src/sql/item.cc:8779#23 0x559e80861303 in Item_cache_wrapper::val_str(String*) /10.4/src/sql/item.cc:8887#24 0x559e8083eed2 in Item_copy_string::copy() /10.4/src/sql/item.cc:4997#25 0x559e80174a51 in copy_fields(TMP_TABLE_PARAM*) /10.4/src/sql/sql_select.cc:25761#26 0x559e8015b804 in end_send_group(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:22326#27 0x559e80151a54 in evaluate_join_record /10.4/src/sql/sql_select.cc:21129#28 0x559e80150389 in sub_select(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20902#29 0x559e8014e12f in do_select /10.4/src/sql/sql_select.cc:20423#30 0x559e800dbc77 in JOIN::exec_inner() /10.4/src/sql/sql_select.cc:4605#31 0x559e800d92a7 in JOIN::exec() /10.4/src/sql/sql_select.cc:4387#32 0x559e80a1ea0f in subselect_single_select_engine::exec() /10.4/src/sql/item_subselect.cc:4032#33 0x559e809f9a77 in Item_subselect::exec() /10.4/src/sql/item_subselect.cc:758#34 0x559e80a043ec in Item_exists_subselect::val_int() /10.4/src/sql/item_subselect.cc:1735#35 0x559e80a54bfc in Item_sum_min_max::reset_field() /10.4/src/sql/item_sum.cc:2762#36 0x559e801777e4 in init_tmptable_sum_functions /10.4/src/sql/sql_select.cc:26090#37 0x559e8015d9ec in end_unique_update /10.4/src/sql/sql_select.cc:22510#38 0x559e801921be in AGGR_OP::put_record(bool) /10.4/src/sql/sql_select.cc:29615#39 0x559e801a1c6e in AGGR_OP::put_record() (/home/alice/am/_depot/m-branch/m4-10.4-bld/sql/mysqld+0x147cc6e)#40 0x559e8014f0cc in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20607#41 0x559e80151a54 in evaluate_join_record /10.4/src/sql/sql_select.cc:21129#42 0x559e801509ef in sub_select(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20941#43 0x559e8014e12f in do_select /10.4/src/sql/sql_select.cc:20423#44 0x559e800dbc77 in JOIN::exec_inner() /10.4/src/sql/sql_select.cc:4605#45 0x559e800d92a7 in JOIN::exec() /10.4/src/sql/sql_select.cc:4387#46 0x559e800dd483 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.4/src/sql/sql_select.cc:4826#47 0x559e800adf7b in handle_select(THD*, LEX*, select_result*, unsigned long) /10.4/src/sql/sql_select.cc:442#48 0x559e80019d7f in execute_sqlcom_select /10.4/src/sql/sql_parse.cc:6475#49 0x559e800074f6 in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:3978#50 0x559e8002325a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:8012#51 0x559e7fff9680 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857#52 0x559e7fff61ab in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378#53 0x559e8040456c in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1420#54 0x559e80403e10 in handle_one_connection /10.4/src/sql/sql_connect.cc:1324#55 0x559e810aed89 in pfs_spawn_thread /10.4/src/storage/perfschema/pfs.cc:1869#56 0x7fb2701f7608 in start_thread /build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477#57 0x7fb26fdc8132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)0x6290002c6288 is located 136 bytes inside of 16512-byte region [0x6290002c6200,0x6290002ca280)freed by thread T27 here:#0 0x7fb2707f540f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122#1 0x559e813b4634 in mem_heap_block_free(mem_block_info_t*, mem_block_info_t*) /10.4/src/storage/innobase/mem/mem0mem.cc:416#2 0x559e81526159 in mem_heap_free /10.4/src/storage/innobase/include/mem0mem.inl:417#3 0x559e8152d732 in row_mysql_prebuilt_free_blob_heap(row_prebuilt_t*) /10.4/src/storage/innobase/row/row0mysql.cc:137#4 0x559e815bd87b in row_sel_store_mysql_rec /10.4/src/storage/innobase/row/row0sel.cc:3106#5 0x559e815cdc16 in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /10.4/src/storage/innobase/row/row0sel.cc:5589#6 0x559e811c6ad2 in ha_innobase::general_fetch(unsigned char*, unsigned int, unsigned int) /10.4/src/storage/innobase/handler/ha_innodb.cc:9678#7 0x559e811c7b01 in ha_innobase::rnd_next(unsigned char*) /10.4/src/storage/innobase/handler/ha_innodb.cc:9888#8 0x559e807dcd5f in handler::ha_rnd_next(unsigned char*) /10.4/src/sql/handler.cc:2904#9 0x559e80c15d48 in rr_sequential(READ_RECORD*) /10.4/src/sql/records.cc:485#10 0x559e7fe4edb9 in READ_RECORD::read_record() /10.4/src/sql/records.h:70#11 0x559e8015060c in sub_select(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20921#12 0x559e8014e12f in do_select /10.4/src/sql/sql_select.cc:20423#13 0x559e800dbc77 in JOIN::exec_inner() /10.4/src/sql/sql_select.cc:4605#14 0x559e800d92a7 in JOIN::exec() /10.4/src/sql/sql_select.cc:4387#15 0x559e800dd483 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.4/src/sql/sql_select.cc:4826#16 0x559e800adf7b in handle_select(THD*, LEX*, select_result*, unsigned long) /10.4/src/sql/sql_select.cc:442#17 0x559e80019d7f in execute_sqlcom_select /10.4/src/sql/sql_parse.cc:6475#18 0x559e800074f6 in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:3978#19 0x559e8002325a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:8012#20 0x559e7fff9680 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857#21 0x559e7fff61ab in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378#22 0x559e8040456c in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1420#23 0x559e80403e10 in handle_one_connection /10.4/src/sql/sql_connect.cc:1324#24 0x559e810aed89 in pfs_spawn_thread /10.4/src/storage/perfschema/pfs.cc:1869#25 0x7fb2701f7608 in start_thread /build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477previously allocated by thread T27 here:#0 0x7fb2707f5808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144#1 0x559e813b3a31 in mem_heap_create_block_func(mem_block_info_t*, unsigned long, char const*, unsigned int, unsigned long) /10.4/src/storage/innobase/mem/mem0mem.cc:277#2 0x559e815a5f52 in mem_heap_create_func /10.4/src/storage/innobase/include/mem0mem.inl:375#3 0x559e815bd13c in row_sel_store_mysql_field /10.4/src/storage/innobase/row/row0sel.cc:3047#4 0x559e815be261 in row_sel_store_mysql_rec /10.4/src/storage/innobase/row/row0sel.cc:3178#5 0x559e815cdc16 in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /10.4/src/storage/innobase/row/row0sel.cc:5589#6 0x559e811c4196 in ha_innobase::index_read(unsigned char*, unsigned char const*, unsigned int, ha_rkey_function) /10.4/src/storage/innobase/handler/ha_innodb.cc:9405#7 0x559e811c74eb in ha_innobase::index_first(unsigned char*) /10.4/src/storage/innobase/handler/ha_innodb.cc:9787#8 0x559e811c7a7b in ha_innobase::rnd_next(unsigned char*) /10.4/src/storage/innobase/handler/ha_innodb.cc:9880#9 0x559e807dcd5f in handler::ha_rnd_next(unsigned char*) /10.4/src/sql/handler.cc:2904#10 0x559e80c15d48 in rr_sequential(READ_RECORD*) /10.4/src/sql/records.cc:485#11 0x559e7fe4edb9 in READ_RECORD::read_record() /10.4/src/sql/records.h:70#12 0x559e80156fbc in join_init_read_record(st_join_table*) /10.4/src/sql/sql_select.cc:21851#13 0x559e801501cd in sub_select(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20899#14 0x559e8014e12f in do_select /10.4/src/sql/sql_select.cc:20423#15 0x559e800dbc77 in JOIN::exec_inner() /10.4/src/sql/sql_select.cc:4605#16 0x559e800d92a7 in JOIN::exec() /10.4/src/sql/sql_select.cc:4387#17 0x559e800dd483 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.4/src/sql/sql_select.cc:4826#18 0x559e800adf7b in handle_select(THD*, LEX*, select_result*, unsigned long) /10.4/src/sql/sql_select.cc:442#19 0x559e80019d7f in execute_sqlcom_select /10.4/src/sql/sql_parse.cc:6475#20 0x559e800074f6 in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:3978#21 0x559e8002325a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:8012#22 0x559e7fff9680 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857#23 0x559e7fff61ab in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378#24 0x559e8040456c in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1420#25 0x559e80403e10 in handle_one_connection /10.4/src/sql/sql_connect.cc:1324#26 0x559e810aed89 in pfs_spawn_thread /10.4/src/storage/perfschema/pfs.cc:1869#27 0x7fb2701f7608 in start_thread /build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477Thread T27 created by T0 here:#0 0x7fb270722815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208#1 0x559e810af17a in spawn_thread_v1 /10.4/src/storage/perfschema/pfs.cc:1919#2 0x559e7fcf1f71 in inline_mysql_thread_create /10.4/src/include/mysql/psi/mysql_thread.h:1275#3 0x559e7fd0a103 in create_thread_to_handle_connection(CONNECT*) /10.4/src/sql/mysqld.cc:6289#4 0x559e7fd0a89e in create_new_thread(CONNECT*) /10.4/src/sql/mysqld.cc:6359#5 0x559e7fd0ad84 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.4/src/sql/mysqld.cc:6457#6 0x559e7fd0bc40 in handle_connections_sockets() /10.4/src/sql/mysqld.cc:6615#7 0x559e7fd09808 in mysqld_main(int, char**) /10.4/src/sql/mysqld.cc:5947#8 0x559e7fceff3c in main /10.4/src/sql/main.cc:25#9 0x7fb26fccd082 in __libc_start_main ../csu/libc-start.c:308SUMMARY: AddressSanitizer: heap-use-after-free /10.4/src/strings/decimal.c:801 in internal_str2decShadow bytes around the buggy address:0x0c5280050c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c5280050c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c5280050c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c5280050c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c5280050c40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd=>0x0c5280050c50: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd0x0c5280050c60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd0x0c5280050c70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd0x0c5280050c80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd0x0c5280050c90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd0x0c5280050ca0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fdShadow byte legend (one shadow byte represents 8 application bytes):Addressable: 00Partially addressable: 01 02 03 04 05 06 07Heap left redzone: faFreed heap region: fdStack left redzone: f1Stack mid redzone: f2Stack right redzone: f3Stack after return: f5Stack use after scope: f8Global redzone: f9Global init order: f6Poisoned by user: f7Container overflow: fcArray cookie: acIntra object redzone: bbASan internal: feLeft alloca redzone: caRight alloca redzone: cbShadow gap: cc==679980==ABORTING----------SERVER LOG END-------------