  2. MDEV-32656

ASAN errors in base_list_iterator::next / setup_table_map upon 2nd execution of PS


Details

    Description

      Set to blocker because it's a regression in the upcoming release.

      # Base table with BIGINT ids; the subquery reads it only through the view v1
      CREATE TABLE t1 (id BIGINT);
      INSERT INTO t1 VALUES (1),(2);
      CREATE VIEW v1 AS SELECT * FROM t1;
       
      # Target table of the UPDATE
      CREATE TABLE t2 (a INT);
      INSERT INTO t2 VALUES (2),(3);
       
      # Second table joined with the view inside the IN subquery
      CREATE TABLE t3 (b INT);
      INSERT INTO t3 VALUES (3),(4);
       
      # Row subquery: ('e','e') compared with (v1.id, v1.id) over a v1 JOIN t3.
      # "--error 0,ER_TRUNCATED_WRONG_VALUE" lets mysqltest accept either success
      # or that error, so the outcome of the comparison itself does not matter here.
      PREPARE stmt FROM "UPDATE t2 SET a = 1 WHERE ('e','e') IN (SELECT v1.id, v1.id FROM v1 JOIN t3)";
      # First execution of the prepared statement
      --error 0,ER_TRUNCATED_WRONG_VALUE
      EXECUTE stmt;
      # Second execution of the same prepared statement is the one that triggers the
      # ASAN use-after-poison in base_list_iterator::next / setup_table_map (see title)
      --error 0,ER_TRUNCATED_WRONG_VALUE
      EXECUTE stmt;
       
      # Cleanup
      DROP VIEW v1;
      DROP TABLE t1, t2, t3;
      

      11.1 9b2a65e4

      ==1784303==ERROR: AddressSanitizer: use-after-poison on address 0x6290000e7b30 at pc 0x55f0d5b510c2 bp 0x7f06265b1a60 sp 0x7f06265b1a58
      READ of size 8 at 0x6290000e7b30 thread T5
          #0 0x55f0d5b510c1 in base_list_iterator::next() /data/src/11.1/sql/sql_list.h:431
          #1 0x55f0d5b7398e in List_iterator<TABLE_LIST>::operator++(int) /data/src/11.1/sql/sql_list.h:596
          #2 0x55f0d62653be in TABLE_LIST::reset_const_table() /data/src/11.1/sql/table.cc:9738
          #3 0x55f0d5ced7f5 in setup_table_map(TABLE*, TABLE_LIST*, unsigned int) /data/src/11.1/sql/sql_base.h:355
          #4 0x55f0d5cda216 in setup_table_attributes(THD*, TABLE_LIST*, TABLE_LIST*, unsigned int&) /data/src/11.1/sql/sql_base.cc:8228
          #5 0x55f0d5cda9d7 in setup_tables(THD*, Name_resolution_context*, List<TABLE_LIST>*, TABLE_LIST*, List<TABLE_LIST>&, bool, bool) /data/src/11.1/sql/sql_base.cc:8324
          #6 0x55f0d5cdba0b in setup_tables_and_check_access(THD*, Name_resolution_context*, List<TABLE_LIST>*, TABLE_LIST*, List<TABLE_LIST>&, bool, privilege_t, privilege_t, bool) /data/src/11.1/sql/sql_base.cc:8446
          #7 0x55f0d5f5eb21 in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/11.1/sql/sql_select.cc:1443
          #8 0x55f0d6a13dc5 in subselect_single_select_engine::prepare(THD*) /data/src/11.1/sql/item_subselect.cc:3943
          #9 0x55f0d69ed69f in Item_subselect::fix_fields(THD*, Item**) /data/src/11.1/sql/item_subselect.cc:296
          #10 0x55f0d6a10bb2 in Item_in_subselect::fix_fields(THD*, Item**) /data/src/11.1/sql/item_subselect.cc:3602
          #11 0x55f0d5bb09f8 in Item::fix_fields_if_needed(THD*, Item**) /data/src/11.1/sql/item.h:1150
          #12 0x55f0d5bb0a2e in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /data/src/11.1/sql/item.h:1159
          #13 0x55f0d5ce7fdc in Item::fix_fields_if_needed_for_bool(THD*, Item**) /data/src/11.1/sql/item.h:1163
          #14 0x55f0d5cdf0f6 in setup_conds(THD*, TABLE_LIST*, List<TABLE_LIST>&, Item**) /data/src/11.1/sql/sql_base.cc:8903
          #15 0x55f0d5f5846e in setup_without_group /data/src/11.1/sql/sql_select.cc:930
          #16 0x55f0d5f6005a in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/11.1/sql/sql_select.cc:1532
          #17 0x55f0d62001eb in Sql_cmd_update::prepare_inner(THD*) /data/src/11.1/sql/sql_update.cc:3006
          #18 0x55f0d604f87f in Sql_cmd_dml::prepare(THD*) /data/src/11.1/sql/sql_select.cc:33347
          #19 0x55f0d604fb4f in Sql_cmd_dml::execute(THD*) /data/src/11.1/sql/sql_select.cc:33400
          #20 0x55f0d5e717b9 in mysql_execute_command(THD*, bool) /data/src/11.1/sql/sql_parse.cc:4405
          #21 0x55f0d5f1a021 in Prepared_statement::execute(String*, bool) /data/src/11.1/sql/sql_prepare.cc:5036
          #22 0x55f0d5f152b8 in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/11.1/sql/sql_prepare.cc:4437
          #23 0x55f0d5f0ea7f in mysql_sql_stmt_execute(THD*) /data/src/11.1/sql/sql_prepare.cc:3466
          #24 0x55f0d5e6ee42 in mysql_execute_command(THD*, bool) /data/src/11.1/sql/sql_parse.cc:3972
          #25 0x55f0d5e88e38 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/11.1/sql/sql_parse.cc:7782
          #26 0x55f0d5e6121d in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/11.1/sql/sql_parse.cc:1892
          #27 0x55f0d5e5df5a in do_command(THD*, bool) /data/src/11.1/sql/sql_parse.cc:1405
          #28 0x55f0d63206cd in do_handle_one_connection(CONNECT*, bool) /data/src/11.1/sql/sql_connect.cc:1416
          #29 0x55f0d632008e in handle_one_connection /data/src/11.1/sql/sql_connect.cc:1318
          #30 0x55f0d6f255a1 in pfs_spawn_thread /data/src/11.1/storage/perfschema/pfs.cc:2201
          #31 0x7f062e0a8043 in start_thread nptl/pthread_create.c:442
          #32 0x7f062e12861b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
       
      0x6290000e7b30 is located 6448 bytes inside of 16400-byte region [0x6290000e6200,0x6290000ea210)
      allocated by thread T5 here:
          #0 0x7f062e8b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
          #1 0x55f0d7b09a4c in my_malloc /data/src/11.1/mysys/my_malloc.c:93
          #2 0x55f0d7ae4d35 in root_alloc /data/src/11.1/mysys/my_alloc.c:71
          #3 0x55f0d7ae5d2a in reset_root_defaults /data/src/11.1/mysys/my_alloc.c:253
          #4 0x55f0d5d21950 in THD::init_for_queries() /data/src/11.1/sql/sql_class.cc:1392
          #5 0x55f0d631f972 in prepare_new_connection_state(THD*) /data/src/11.1/sql/sql_connect.cc:1245
          #6 0x55f0d632010f in thd_prepare_connection(THD*) /data/src/11.1/sql/sql_connect.cc:1339
          #7 0x55f0d6320627 in do_handle_one_connection(CONNECT*, bool) /data/src/11.1/sql/sql_connect.cc:1406
          #8 0x55f0d632008e in handle_one_connection /data/src/11.1/sql/sql_connect.cc:1318
          #9 0x55f0d6f255a1 in pfs_spawn_thread /data/src/11.1/storage/perfschema/pfs.cc:2201
          #10 0x7f062e0a8043 in start_thread nptl/pthread_create.c:442
       
      Thread T5 created by T0 here:
          #0 0x7f062e849726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
          #1 0x55f0d6f212dc in my_thread_create /data/src/11.1/storage/perfschema/my_thread.h:52
          #2 0x55f0d6f25990 in pfs_spawn_thread_v1 /data/src/11.1/storage/perfschema/pfs.cc:2252
          #3 0x55f0d5a9e84b in inline_mysql_thread_create /data/src/11.1/include/mysql/psi/mysql_thread.h:1139
          #4 0x55f0d5ab680e in create_thread_to_handle_connection(CONNECT*) /data/src/11.1/sql/mysqld.cc:6155
          #5 0x55f0d5ab6e33 in create_new_thread(CONNECT*) /data/src/11.1/sql/mysqld.cc:6217
          #6 0x55f0d5ab711e in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/11.1/sql/mysqld.cc:6279
          #7 0x55f0d5ab7aa2 in handle_connections_sockets() /data/src/11.1/sql/mysqld.cc:6403
          #8 0x55f0d5ab608b in mysqld_main(int, char**) /data/src/11.1/sql/mysqld.cc:6050
          #9 0x55f0d5a9d958 in main /data/src/11.1/sql/main.cc:34
          #10 0x7f062e0461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
       
      SUMMARY: AddressSanitizer: use-after-poison /data/src/11.1/sql/sql_list.h:431 in base_list_iterator::next()
      Shadow bytes around the buggy address:
        0x0c5280014f10: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5280014f20: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5280014f30: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5280014f40: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5280014f50: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      =>0x0c5280014f60: f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5280014f70: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5280014f80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5280014f90: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5280014fa0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5280014fb0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==1784303==ABORTING
      231101 23:00:11 [ERROR] mysqld got signal 6 ;
      This could be because you hit a bug. It is also possible that this binary
      or one of the libraries it was linked against is corrupt, improperly built,
      or misconfigured. This error can also be caused by malfunctioning hardware.
       
      To report this bug, see https://mariadb.com/kb/en/reporting-bugs
       
      We will try our best to scrape up some info that will hopefully help
      diagnose the problem, but since we have already crashed, 
      something is definitely wrong and this may fail.
       
      Server version: 11.1.3-MariaDB-debug-log source revision: 9b2a65e41aaa7d00d1fd7030ce168ed66e2fbf2d
      key_buffer_size=1048576
      read_buffer_size=131072
      max_used_connections=1
      max_threads=153
      thread_count=1
      It is possible that mysqld could use up to 
      key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 63960 K  bytes of memory
      Hope that's ok; if not, decrease some variables in the equation.
       
      Thread pointer: 0x62c0000c0218
      Attempting backtrace. You can use the following information to find out
      where mysqld died. If you see no messages after this, something went
      terribly wrong...
      stack_bottom = 0x7f06265b5bd0 thread_stack 0x100000
      sanitizer_common/sanitizer_common_interceptors.inc:4277(__interceptor_backtrace.part.0)[0x7f062e851f31]
      mysys/stacktrace.c:215(my_print_stacktrace)[0x55f0d7b1ab8a]
      sql/signal_handler.cc:241(handle_fatal_signal)[0x55f0d676e377]
      libc_sigaction.c:0(__restore_rt)[0x7f062e05afd0]
      nptl/pthread_kill.c:44(__pthread_kill_implementation)[0x7f062e0a9d3c]
      posix/raise.c:27(__GI_raise)[0x7f062e05af32]
      stdlib/abort.c:81(__GI_abort)[0x7f062e045472]
      sanitizer_common/sanitizer_posix_libcdep.cpp:137(__sanitizer::Abort())[0x7f062e8d650f]
      sanitizer_common/sanitizer_termination.cpp:59(__sanitizer::Die())[0x7f062e8e2ba1]
      asan/asan_report.cpp:190(__asan::ScopedInErrorReport::~ScopedInErrorReport())[0x7f062e8c1f5e]
      asan/asan_report.cpp:479(__asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool))[0x7f062e8c14c6]
      asan/asan_rtl.cpp:123(__asan_report_load8)[0x7f062e8c25ac]
      sql/sql_list.h:431(base_list_iterator::next())[0x55f0d5b510c2]
      sql/sql_list.h:596(List_iterator<TABLE_LIST>::operator++(int))[0x55f0d5b7398f]
      sql/table.cc:9738(TABLE_LIST::reset_const_table())[0x55f0d62653bf]
      sql/sql_base.h:356(setup_table_map(TABLE*, TABLE_LIST*, unsigned int))[0x55f0d5ced7f6]
      sql/sql_base.cc:8230(setup_table_attributes(THD*, TABLE_LIST*, TABLE_LIST*, unsigned int&))[0x55f0d5cda217]
      sql/sql_base.cc:8324(setup_tables(THD*, Name_resolution_context*, List<TABLE_LIST>*, TABLE_LIST*, List<TABLE_LIST>&, bool, bool))[0x55f0d5cda9d8]
      sql/sql_base.cc:8446(setup_tables_and_check_access(THD*, Name_resolution_context*, List<TABLE_LIST>*, TABLE_LIST*, List<TABLE_LIST>&, bool, privilege_t, privilege_t, bool))[0x55f0d5cdba0c]
      sql/sql_select.cc:1443(JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x55f0d5f5eb22]
      sql/item_subselect.cc:3943(subselect_single_select_engine::prepare(THD*))[0x55f0d6a13dc6]
      sql/item_subselect.cc:296(Item_subselect::fix_fields(THD*, Item**))[0x55f0d69ed6a0]
      sql/item_subselect.cc:3602(Item_in_subselect::fix_fields(THD*, Item**))[0x55f0d6a10bb3]
      sql/item.h:1150(Item::fix_fields_if_needed(THD*, Item**))[0x55f0d5bb09f9]
      sql/item.h:1159(Item::fix_fields_if_needed_for_scalar(THD*, Item**))[0x55f0d5bb0a2f]
      sql/item.h:1164(Item::fix_fields_if_needed_for_bool(THD*, Item**))[0x55f0d5ce7fdd]
      sql/sql_base.cc:8903(setup_conds(THD*, TABLE_LIST*, List<TABLE_LIST>&, Item**))[0x55f0d5cdf0f7]
      sql/sql_select.cc:930(setup_without_group(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<TABLE_LIST>&, List<Item>&, List<Item>&, Item**, st_order*, st_order*, List<Window_spec>&, List<Item_window_func>&, bool*))[0x55f0d5f5846f]
      sql/sql_select.cc:1532(JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x55f0d5f6005b]
      sql/sql_update.cc:3006(Sql_cmd_update::prepare_inner(THD*))[0x55f0d62001ec]
      sql/sql_select.cc:33347(Sql_cmd_dml::prepare(THD*))[0x55f0d604f880]
      sql/sql_select.cc:33400(Sql_cmd_dml::execute(THD*))[0x55f0d604fb50]
      sql/sql_parse.cc:4405(mysql_execute_command(THD*, bool))[0x55f0d5e717ba]
      sql/sql_prepare.cc:5036(Prepared_statement::execute(String*, bool))[0x55f0d5f1a022]
      sql/sql_prepare.cc:4437(Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*))[0x55f0d5f152b9]
      sql/sql_prepare.cc:3467(mysql_sql_stmt_execute(THD*))[0x55f0d5f0ea80]
      sql/sql_parse.cc:3973(mysql_execute_command(THD*, bool))[0x55f0d5e6ee43]
      sql/sql_parse.cc:7782(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x55f0d5e88e39]
      sql/sql_parse.cc:1894(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x55f0d5e6121e]
      sql/sql_parse.cc:1405(do_command(THD*, bool))[0x55f0d5e5df5b]
      sql/sql_connect.cc:1416(do_handle_one_connection(CONNECT*, bool))[0x55f0d63206ce]
      sql/sql_connect.cc:1320(handle_one_connection)[0x55f0d632008f]
      perfschema/pfs.cc:2203(pfs_spawn_thread)[0x55f0d6f255a2]
      nptl/pthread_create.c:442(start_thread)[0x7f062e0a8044]
      x86_64/clone3.S:83(clone3)[0x7f062e12861c]
       
      Trying to get some variables.
      Some pointers may be invalid and cause the dump to abort.
      Query (0x6290000e62d0): UPDATE t2 SET a = 1 WHERE ('e','e') IN (SELECT v1.id, v1.id FROM v1 JOIN t3)
       
      Connection ID (thread ID): 4
      Status: NOT_KILLED
       
      Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off,hash_join_cardinality=on
       
      The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains
      information that should help you find out what is causing the crash.
      Writing a core file...
      Working directory at /dev/shm/var_auto_GwXo/mysqld.1/data
      Resource Limits:
      Limit                     Soft Limit           Hard Limit           Units     
      Max cpu time              unlimited            unlimited            seconds   
      Max file size             unlimited            unlimited            bytes     
      Max data size             unlimited            unlimited            bytes     
      Max stack size            8388608              unlimited            bytes     
      Max core file size        unlimited            unlimited            bytes     
      Max resident set          unlimited            unlimited            bytes     
      Max processes             256682               256682               processes 
      Max open files            65536                65536                files     
      Max locked memory         8421060608           8421060608           bytes     
      Max address space         unlimited            unlimited            bytes     
      Max file locks            unlimited            unlimited            locks     
      Max pending signals       256682               256682               signals   
      Max msgqueue size         819200               819200               bytes     
      Max nice priority         0                    0                    
      Max realtime priority     0                    0                    
      Max realtime timeout      unlimited            unlimited            us        
      Core pattern: core
       
      Kernel version: Linux version 6.1.0-13-amd64 (debian-kernel@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29)
      

      The failure started happening on 11.1 after this merge:

      commit f031889ae43e01087266a2ff62cd13038f19ae3c
      Merge: e6ec2b3b527 9880006b5ba
      Author: Sergei Golubchik
      Date:   Sun Sep 24 01:46:43 2023 +0200
       
          Merge branch '11.0' into 11.1
      

      However, I cannot reproduce it on 11.0, so I cannot bisect further.

          People

            sanja Oleksandr Byelkin
            elenst Elena Stepanova