Details
-
Bug
-
Status: In Review (View Workflow)
-
Critical
-
Resolution: Unresolved
-
10.5, 10.6, 10.11, 11.1(EOL), 11.2(EOL), 11.3(EOL), 11.4, 11.5(EOL), 11.8, 12.0
Description
--source include/have_innodb.inc
|
--source include/have_query_cache.inc
|
--source include/have_partition.inc
|
SET sql_mode=''; |
SET GLOBAL query_cache_type=DEMAND; |
CREATE TABLE t1 (c1 SMALLINT NULL, c2 BINARY (25) NOT NULL, c3 TINYINT(4) NULL, c4 BINARY (15) NOT NULL PRIMARY KEY, c5 SMALLINT NOT NULL UNIQUE KEY,c6 DECIMAL(10,8) NOT NULL DEFAULT 3.141592) ENGINE=InnoDB; |
SET GLOBAL query_cache_size=81920; |
--error ER_BAD_FIELD_ERROR
|
SELECT * FROM t1 WHERE b=1 AND c=1; |
SET SESSION query_cache_type=1; |
DROP TABLE t1; |
CREATE TABLE t1 (c1 INT NOT NULL, c2 CHAR(5)) ENGINE=InnoDB PARTITION BY LINEAR KEY(c1) PARTITIONS 99; |
SELECT * FROM t1 WHERE c1 <='1998-12-29 00:00:00' ORDER BY c1,c2; |
--error ER_BAD_FIELD_ERROR
|
SELECT GROUP_CONCAT(a SEPARATOR '###') AS NAMES FROM t1 HAVING LEFT(NAMES, 1)='J'; |
SELECT * FROM t1; |
SELECT COUNT(*) FROM t1; |
--error ER_BAD_FIELD_ERROR
|
SELECT C.a, c.a FROM t1 c, t1 C; |
SELECT * FROM t1 WHERE c1 <='1998-12-29 00:00:00' ORDER BY c1,c2; |
CREATE TABLE bug19145a (e ENUM ('a','b','c') DEFAULT 'b', s SET('x', 'y', 'z') DEFAULT 'y') ENGINE=RocksDB; |
--error ER_BAD_FIELD_ERROR
|
SELECT * FROM t1 WHERE c1 <> 0 ORDER BY c1,c6 DESC; |
DROP DATABASE test; |
Leads to a variety of issues, including double free or corruption (!prev), a variety of crashing/asserting stacks and/or a hang.
A non-exhaustive selection of issues seen, one per line:
double free or corruption (!prev)
|
SIGSEGV|__strcmp_avx2|_ma_test_if_reopen|maria_open|ha_maria::open
|
SIGSEGV|my_free|_ma_end_block_record|maria_close|closefrm
|
SIGSEGV|my_free|my_hash_free_elements|my_hash_free|Session_sysvars_tracker::vars_list::free_hash
|
SIGSEGV|open_table|open_and_process_table|open_tables|open_and_lock_tables
|
SIGSEGV|get_lock_data|mysql_lock_tables|lock_tables|open_and_lock_tables
|
SIGSEGV|extra_cb|ha_partition::loop_partitions|ha_partition::extra|close_thread_tables
|
SIGABRT|__libc_message|malloc_printerr|_int_free|__GI___libc_free
|
SIGSEGV|strmake_root|Query_arena::strmake_lex_string|Query_arena::strmake_lex_cstring|Query_arena::strmake_lex_cstring
|
SIGSEGV|TABLE_SHARE::period_info_t::start_field|period_get_condition|st_select_lex::vers_setup_conds|JOIN::prepare
|
SIGSEGV|MDL_lock::hog_lock_types_bitmap|MDL_lock::reschedule_waiters|MDL_lock::remove_ticket|MDL_context::release_lock
|
SIGSEGV|bitmap_fast_test_and_set|TABLE::mark_column_with_deps|insert_fields|setup_wild
|
SIGSEGV|ha_partition::register_query_cache_dependant_tables|Query_cache::register_tables_from_list|Query_cache::register_all_tables|Query_cache::store_query
|
SIGSEGV|handler::ha_external_lock|ha_partition::external_lock|handler::ha_external_lock|handler::ha_external_unlock
|
SIGSEGV|handler::ha_thd|ha_innobase::table_flags|handler::ha_external_lock|ha_partition::external_lock
|
SIGSEGV|open_table|open_and_process_table|open_tables|open_and_lock_tables
|
SIGSEGV|strmake_root|Query_arena::strmake_lex_string|Query_arena::strmake_lex_cstring|Query_arena::strmake_lex_cstring
|
SIGSEGV|query_cache_table_get_key|my_hash_key|hashcmp|my_hash_first_from_hash_value
|
SIGSEGV|__strlen_evex|dict_sys_t::find_tabledict0dict.cc|hash_cell_t::find<dict_table_t,|dict_sys_t::find_table
|
table_block_data->m_cached_query_count == 0|SIGABRT|Query_cache::unlink_table|Query_cache::register_all_tables|Query_cache::store_query|execute_sqlcom_select
|
table_block_data->m_cached_query_count >= 0|SIGABRT|Query_cache::unlink_table|Query_cache::register_all_tables|Query_cache::store_query|execute_sqlcom_select
|
reinterpret_cast<size_t>(ptr) % Alignment == 0|SIGABRT|my_assume_aligned<8, LF_SLIST*>|my_assume_aligned<8, LF_SLIST*>|l_find|l_search
|
ASAN|heap-buffer-overflow|sql/sql_cache.cc|Query_cache_block::init|Query_cache::split_block|Query_cache::allocate_block|Query_cache::write_block_data
|
UBSAN|addition of unsigned offset to 0x5310000495f8 overflowed to Y|strings/ctype-bin.c|my_hash_sort_bin|my_ci_hash_sort|my_hash_sort|rec_hashnr
|
Attachments
Issue Links
- is duplicated by
-
-
- Closed
-
- relates to
-
-
- Closed
-
-
-
- Confirmed
-
Activity
The ASAN stack seen here, as well as the variety of different outcomes (inc double free or corruption), differs from MDEV-23256. It may prove to have the same underlying bug/cause.
ASAN|heap-buffer-overflow|sql/sql_cache.cc|Query_cache_block::init|Query_cache::split_block|Query_cache::allocate_block|Query_cache::write_block_data
|
However, unlike the SIGSEGV/asserting stacks and the double free warnings, which have all proven semi-random (though are regularly repeated), the ASAN stack seen for the MTR testcase in the original description has proven very stable/reliable, so it would likely be a good start for debugging.
This further reduced MTR testcase gives the same ASAN outcome, but may not produce the variety of other outcomes
--source include/have_innodb.inc
|
--source include/have_query_cache.inc
|
--source include/have_partition.inc
|
SET GLOBAL query_cache_type=DEMAND; |
SET GLOBAL query_cache_size= 81920; |
SET SESSION query_cache_type = 1; |
CREATE TABLE t1 (c1 INT NOT NULL, c2 CHAR(5)) ENGINE=InnoDB PARTITION BY LINEAR KEY(c1) PARTITIONS 99; |
SELECT * FROM t1 WHERE c1 <= '1998-12-29 00:00:00' ORDER BY c1,c2; |
--error ER_BAD_FIELD_ERROR
|
SELECT GROUP_CONCAT(a SEPARATOR '###') AS names FROM t1 HAVING LEFT(names, 1) ='J'; |
SELECT * FROM t1 ; |
SELECT COUNT(*) FROM t1 ; |
--error ER_BAD_FIELD_ERROR
|
SELECT C.a, c.a FROM t1 c, t1 C; |
SELECT COUNT(c1) AS value FROM t1 WHERE c1 IS NOT NULL; |
SELECT * FROM t1 WHERE c1 <> 0 ORDER BY c1,c6 DESC; |
|
11.5.0 3f9182126c64bcec359bebe9ebad2a0e559b13e2 (Optimized, UBASAN) |
ASAN|heap-buffer-overflow|sql/sql_cache.cc|Query_cache_block::init|Query_cache::split_block|Query_cache::allocate_block|Query_cache::write_block_data
|
Please test any fixes with the original description testcase also.
Hi sanja! This memory corruption bug continues to be regularly seen during testing. One issue is that it can generate many different stacks, including in InnoDB. A fix would be appreciated.
An additional MTR testcase which will yield a variety of stacks as well as a previously unseen UBSAN stack:
--source include/have_innodb.inc
|
--source include/have_partition.inc
|
SET GLOBAL query_cache_type=DEMAND; |
SET GLOBAL table_open_cache=FALSE; |
SET GLOBAL query_cache_size=81920; |
SET SESSION query_cache_type=1; |
CREATE TABLE t1 (c1 INT NOT NULL, c2 CHAR(5)) ENGINE=InnoDB PARTITION BY LINEAR KEY(c1) PARTITIONS 99; |
SELECT * FROM t1 WHERE c1 <='1'; |
--error ER_BAD_FIELD_ERROR
|
SELECT GROUP_CONCAT(a SEPARATOR '###') AS NAMES FROM t1 HAVING LEFT(NAMES, 1)='J'; |
SELECT * FROM t1; |
SELECT COUNT(*) FROM t1; |
--error ER_BAD_FIELD_ERROR
|
SELECT C.a, c.a FROM t1 c, t1 C; |
SELECT COUNT(c1) AS VALUE FROM t1 WHERE c1 IS NOT NULL; |
SELECT * FROM t1 WHERE c1 <> 0 ORDER BY c1,c6 DESC; |
SELECT * FROM t1 WHERE c1 <> 0 ORDER BY c1,c6 DESC; |
The UBSAN stack is as follows:
|
CS 12.0.0 c92add291e636c797e6d6ddca605905541b2a441 (Optimized, UBASAN, Clang) Build 15/02/2025 |
/test/12.0_opt_san/strings/ctype-bin.c:280:26: runtime error: addition of unsigned offset to 0x5310000495f8 overflowed to 0x531000047c50
|
#0 0x563f46638af4 in my_hash_sort_bin /test/12.0_opt_san/strings/ctype-bin.c:280:26
|
#1 0x563f4654cf42 in my_ci_hash_sort /test/12.0_opt_san/include/m_ctype.h:1440:3
|
#2 0x563f4654cf42 in my_hash_sort /test/12.0_opt_san/mysys/hash.c:48:3
|
#3 0x563f465507b8 in rec_hashnr /test/12.0_opt_san/mysys/hash.c:229:10
|
#4 0x563f465507b8 in my_hash_delete /test/12.0_opt_san/mysys/hash.c:574:28
|
#5 0x563f43ecb335 in Query_cache::store_query(THD*, TABLE_LIST*) /test/12.0_opt_san/sql/sql_cache.cc:1560:4
|
#6 0x563f441566a1 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/12.0_opt_san/sql/sql_parse.cc:6190:7
|
#7 0x563f441377cd in mysql_execute_command(THD*, bool) /test/12.0_opt_san/sql/sql_parse.cc:3979:12
|
#8 0x563f44118600 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/12.0_opt_san/sql/sql_parse.cc:7915:18
|
#9 0x563f4410f8c6 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/12.0_opt_san/sql/sql_parse.cc:1902:7
|
#10 0x563f4411a8c6 in do_command(THD*, bool) /test/12.0_opt_san/sql/sql_parse.cc:1415:17
|
#11 0x563f447a0b4c in do_handle_one_connection(CONNECT*, bool) /test/12.0_opt_san/sql/sql_connect.cc:1415:11
|
#12 0x563f447a03a6 in handle_one_connection /test/12.0_opt_san/sql/sql_connect.cc:1327:5
|
#13 0x563f43b5c99c in asan_thread_start(void*) asan_interceptors.cpp.o
|
#14 0x14dea4e9ca93 in start_thread nptl/pthread_create.c:447:8
|
#15 0x14dea4f29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
|
|
SUMMARY: UndefinedBehaviorSanitizer: pointer-overflow /test/12.0_opt_san/strings/ctype-bin.c:280:26
|
And at the same time, the previously seen ASAN heap-buffer-overflow shows:
|
CS 12.0.0 c92add291e636c797e6d6ddca605905541b2a441 (Optimized, UBASAN, Clang) Build 15/02/2025 |
==1204450==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x53100004c630 at pc 0x563f43ec6f08 bp 0x14de74efffc0 sp 0x14de74efffb8
|
WRITE of size 8 at 0x53100004c630 thread T12
|
#0 0x563f43ec6f07 in Query_cache_block::init(unsigned long) /test/12.0_opt_san/sql/sql_cache.cc:826:10
|
#1 0x563f43ec6f07 in Query_cache::split_block(Query_cache_block*, unsigned long) /test/12.0_opt_san/sql/sql_cache.cc:3786:14
|
#2 0x563f43ecd405 in Query_cache::allocate_block(unsigned long, char, unsigned long) /test/12.0_opt_san/sql/sql_cache.cc:3678:7
|
#3 0x563f43ecd405 in Query_cache::write_block_data(unsigned long, unsigned char*, unsigned long, Query_cache_block::block_type, unsigned int) /test/12.0_opt_san/sql/sql_cache.cc:3034:29
|
#4 0x563f43edea13 in Query_cache::insert_table(THD*, unsigned long, char const*, Query_cache_block_table*, unsigned long, unsigned char, unsigned char, char (*)(THD*, char const*, unsigned int, unsigned long long*), unsigned long long, char) /test/12.0_opt_san/sql/sql_cache.cc:3549:18
|
#5 0x563f45b40450 in ha_partition::reg_query_cache_dependant_table(THD*, char*, unsigned int, char*, unsigned int, unsigned char, Query_cache*, Query_cache_block_table**, handler*, unsigned int*) /test/12.0_opt_san/sql/ha_partition.cc:2630:15
|
#6 0x563f45b414ce in ha_partition::register_query_cache_dependant_tables(THD*, Query_cache*, Query_cache_block_table**, unsigned int*) /test/12.0_opt_san/sql/ha_partition.cc:2721:11
|
#7 0x563f43ede481 in Query_cache::register_tables_from_list(THD*, TABLE_LIST*, unsigned int, Query_cache_block_table**) /test/12.0_opt_san/sql/sql_cache.cc:3442:11
|
#8 0x563f43ecd9a6 in Query_cache::register_all_tables(THD*, Query_cache_block*, TABLE_LIST*, unsigned int) /test/12.0_opt_san/sql/sql_cache.cc:3477:6
|
#9 0x563f43ecb168 in Query_cache::store_query(THD*, TABLE_LIST*) /test/12.0_opt_san/sql/sql_cache.cc:1556:7
|
#10 0x563f441566a1 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/12.0_opt_san/sql/sql_parse.cc:6190:7
|
#11 0x563f441377cd in mysql_execute_command(THD*, bool) /test/12.0_opt_san/sql/sql_parse.cc:3979:12
|
#12 0x563f44118600 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/12.0_opt_san/sql/sql_parse.cc:7915:18
|
#13 0x563f4410f8c6 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/12.0_opt_san/sql/sql_parse.cc:1902:7
|
#14 0x563f4411a8c6 in do_command(THD*, bool) /test/12.0_opt_san/sql/sql_parse.cc:1415:17
|
#15 0x563f447a0b4c in do_handle_one_connection(CONNECT*, bool) /test/12.0_opt_san/sql/sql_connect.cc:1415:11
|
#16 0x563f447a03a6 in handle_one_connection /test/12.0_opt_san/sql/sql_connect.cc:1327:5
|
#17 0x563f43b5c99c in asan_thread_start(void*) asan_interceptors.cpp.o
|
#18 0x14dea4e9ca93 in start_thread nptl/pthread_create.c:447:8
|
#19 0x14dea4f29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
|
|
0x53100004c630 is located 72 bytes after 65000-byte region [0x53100003c800,0x53100004c5e8)
|
allocated by thread T12 here:
|
#0 0x563f43b5eeb3 in malloc (/test/UBASAN_MD150225-mariadb-12.0.0-linux-x86_64-opt/bin/mariadbd+0x1e71eb3) (BuildId: d7a847000a0026d09c454f2e233983cb2b9ffca1)
|
#1 0x563f465af752 in my_malloc /test/12.0_opt_san/mysys/my_malloc.c:93:29
|
#2 0x563f43ec82a7 in Query_cache::init_cache() /test/12.0_opt_san/sql/sql_cache.cc:2658:9
|
#3 0x563f43ec7b44 in Query_cache::resize(unsigned long) /test/12.0_opt_san/sql/sql_cache.cc:1335:25
|
#4 0x563f4480bf24 in fix_query_cache_size(sys_var*, THD*, enum_var_type) /test/12.0_opt_san/sql/sys_vars.cc:3395:38
|
#5 0x563f43d010d4 in sys_var::update(THD*, set_var*) /test/12.0_opt_san/sql/set_var.cc:212:21
|
#6 0x563f43d09746 in set_var::update(THD*) /test/12.0_opt_san/sql/set_var.cc:871:23
|
#7 0x563f43d072bd in sql_set_variables(THD*, List<set_var_base>*, bool) /test/12.0_opt_san/sql/set_var.cc:752:20
|
#8 0x563f4413dc22 in mysql_execute_command(THD*, bool) /test/12.0_opt_san/sql/sql_parse.cc:4884:9
|
#9 0x563f44118600 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/12.0_opt_san/sql/sql_parse.cc:7915:18
|
#10 0x563f4410f8c6 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/12.0_opt_san/sql/sql_parse.cc:1902:7
|
#11 0x563f4411a8c6 in do_command(THD*, bool) /test/12.0_opt_san/sql/sql_parse.cc:1415:17
|
#12 0x563f447a0b4c in do_handle_one_connection(CONNECT*, bool) /test/12.0_opt_san/sql/sql_connect.cc:1415:11
|
#13 0x563f447a03a6 in handle_one_connection /test/12.0_opt_san/sql/sql_connect.cc:1327:5
|
#14 0x563f43b5c99c in asan_thread_start(void*) asan_interceptors.cpp.o
|
|
|
Thread T12 created by T0 here:
|
#0 0x563f43b44825 in pthread_create (/test/UBASAN_MD150225-mariadb-12.0.0-linux-x86_64-opt/bin/mariadbd+0x1e57825) (BuildId: d7a847000a0026d09c454f2e233983cb2b9ffca1)
|
#1 0x563f43baf7b1 in create_thread_to_handle_connection(CONNECT*) /test/12.0_opt_san/sql/mysqld.cc:6261:19
|
#2 0x563f43bb099a in handle_connections_sockets() /test/12.0_opt_san/sql/mysqld.cc:6497:9
|
#3 0x563f43baeb00 in run_main_loop() /test/12.0_opt_san/sql/mysqld.cc:5739:3
|
#4 0x563f43ba5f21 in mysqld_main(int, char**) /test/12.0_opt_san/sql/mysqld.cc:6162:3
|
#5 0x14dea4e2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
|
#6 0x14dea4e2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
|
#7 0x563f43ac4064 in _start (/test/UBASAN_MD150225-mariadb-12.0.0-linux-x86_64-opt/bin/mariadbd+0x1dd7064) (BuildId: d7a847000a0026d09c454f2e233983cb2b9ffca1)
|
|
|
SUMMARY: AddressSanitizer: heap-buffer-overflow /test/12.0_opt_san/sql/sql_cache.cc:826:10 in Query_cache_block::init(unsigned long)
|
Shadow bytes around the buggy address:
|
0x53100004c380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x53100004c400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x53100004c480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x53100004c500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x53100004c580: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa
|
=>0x53100004c600: fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa
|
0x53100004c680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x53100004c700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x53100004c780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x53100004c800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x53100004c880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
==1204450==ABORTING
|
Please review
```
61ba3b4885d (HEAD -> bb-10.5-midenok2, mariadb/bb-10.5-midenok2) MDEV-34075 corruption when query cache cannot allocate block
```
ASAN sees the issue as heap-buffer-overflow in Query_cache_block::init:
11.3.3 2d9f91a9c8692b2532ee2f475ae10a1b66009f73 (Optimized, UBASAN)
==1655558==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63100004c638 at pc 0x5571129dcf0e bp 0x152ccdb291d0 sp 0x152ccdb291c0WRITE of size 8 at 0x63100004c638 thread T11#0 0x5571129dcf0d in Query_cache_block::init(unsigned long) /test/11.3_opt_san/sql/sql_cache.cc:827#1 0x5571129e3587 in Query_cache::split_block(Query_cache_block*, unsigned long) /test/11.3_opt_san/sql/sql_cache.cc:3792#2 0x5571129e5029 in Query_cache::allocate_block(unsigned long, char, unsigned long) /test/11.3_opt_san/sql/sql_cache.cc:3684#3 0x5571129e5141 in Query_cache::write_block_data(unsigned long, unsigned char*, unsigned long, Query_cache_block::block_type, unsigned int) /test/11.3_opt_san/sql/sql_cache.cc:3040#4 0x5571129e7585 in Query_cache::insert_table(THD*, unsigned long, char const*, Query_cache_block_table*, unsigned long, unsigned char, unsigned char, char (*)(THD*, char const*, unsigned int, unsigned long long*), unsigned long long, char) /test/11.3_opt_san/sql/sql_cache.cc:3555#5 0x557115810e6c in ha_partition::reg_query_cache_dependant_table(THD*, char*, unsigned int, char*, unsigned int, unsigned char, Query_cache*, Query_cache_block_table**, handler*, unsigned int*) /test/11.3_opt_san/sql/ha_partition.cc:2621#6 0x5571158122e2 in ha_partition::register_query_cache_dependant_tables(THD*, Query_cache*, Query_cache_block_table**, unsigned int*) /test/11.3_opt_san/sql/ha_partition.cc:2712#7 0x5571129e85fc in Query_cache::register_tables_from_list(THD*, TABLE_LIST*, unsigned int, Query_cache_block_table**) /test/11.3_opt_san/sql/sql_cache.cc:3448#8 0x5571129e901c in Query_cache::register_all_tables(THD*, Query_cache_block*, TABLE_LIST*, unsigned int) /test/11.3_opt_san/sql/sql_cache.cc:3483#9 0x5571129f7b96 in Query_cache::store_query(THD*, TABLE_LIST*) /test/11.3_opt_san/sql/sql_cache.cc:1557#10 0x557112d4f7fa in execute_sqlcom_select /test/11.3_opt_san/sql/sql_parse.cc:6093#11 0x557112db315c in mysql_execute_command(THD*, bool) /test/11.3_opt_san/sql/sql_parse.cc:3943#12 0x557112dc22cd in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.3_opt_san/sql/sql_parse.cc:7815#13 0x557112dcfbd9 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.3_opt_san/sql/sql_parse.cc:1893#14 0x557112dd9f43 in do_command(THD*, bool) /test/11.3_opt_san/sql/sql_parse.cc:1406#15 0x557113746547 in do_handle_one_connection(CONNECT*, bool) /test/11.3_opt_san/sql/sql_connect.cc:1437#16 0x557113748f3c in handle_one_connection /test/11.3_opt_san/sql/sql_connect.cc:1339#17 0x152cef48f189 in start_thread nptl/pthread_create.c:444#18 0x152cef51dbcf in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:810x63100004c638 is located 80 bytes to the right of 65000-byte region [0x63100003c800,0x63100004c5e8)allocated by thread T11 here:#0 0x5571124ef9af in malloc (/test/UBASAN_MD250424-mariadb-11.3.3-linux-x86_64-opt/bin/mariadbd+0x7f3e9af)#1 0x557116ad5ef5 in my_malloc /test/11.3_opt_san/mysys/my_malloc.c:93#2 0x5571129dfcff in Query_cache::init_cache() /test/11.3_opt_san/sql/sql_cache.cc:2664#3 0x5571129e156f in Query_cache::resize(unsigned long) /test/11.3_opt_san/sql/sql_cache.cc:1336#4 0x5571137daffe in fix_query_cache_size /test/11.3_opt_san/sql/sys_vars.cc:3235#5 0x5571127468da in sys_var::update(THD*, set_var*) /test/11.3_opt_san/sql/set_var.cc:208#6 0x55711274a138 in set_var::update(THD*) /test/11.3_opt_san/sql/set_var.cc:851#7 0x557112752619 in sql_set_variables(THD*, List<set_var_base>*, bool) /test/11.3_opt_san/sql/set_var.cc:733#8 0x557112daaca6 in mysql_execute_command(THD*, bool) /test/11.3_opt_san/sql/sql_parse.cc:4805#9 0x557112dc22cd in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.3_opt_san/sql/sql_parse.cc:7815#10 0x557112dcfbd9 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.3_opt_san/sql/sql_parse.cc:1893#11 0x557112dd9f43 in do_command(THD*, bool) /test/11.3_opt_san/sql/sql_parse.cc:1406#12 0x557113746547 in do_handle_one_connection(CONNECT*, bool) /test/11.3_opt_san/sql/sql_connect.cc:1437#13 0x557113748f3c in handle_one_connection /test/11.3_opt_san/sql/sql_connect.cc:1339#14 0x152cef48f189 in start_thread nptl/pthread_create.c:444Thread T11 created by T0 here:#0 0x55711247b035 in pthread_create (/test/UBASAN_MD250424-mariadb-11.3.3-linux-x86_64-opt/bin/mariadbd+0x7eca035)#1 0x55711254f1dd in create_thread_to_handle_connection(CONNECT*) /test/11.3_opt_san/sql/mysqld.cc:6166#2 0x55711256217b in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.3_opt_san/sql/mysqld.cc:6290#3 0x55711256308f in handle_connections_sockets() /test/11.3_opt_san/sql/mysqld.cc:6414#4 0x557112566158 in mysqld_main(int, char**) /test/11.3_opt_san/sql/mysqld.cc:6061#5 0x152cef423a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58SUMMARY: AddressSanitizer: heap-buffer-overflow /test/11.3_opt_san/sql/sql_cache.cc:827 in Query_cache_block::init(unsigned long)Shadow bytes around the buggy address:0x0c6280001870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0c6280001880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0c6280001890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0c62800018a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0c62800018b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa=>0x0c62800018c0: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa0x0c62800018d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c62800018e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c62800018f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c6280001900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c6280001910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa faShadow byte legend (one shadow byte represents 8 application bytes):Addressable: 00Partially addressable: 01 02 03 04 05 06 07Heap left redzone: faFreed heap region: fdStack left redzone: f1Stack mid redzone: f2Stack right redzone: f3Stack after return: f5Stack use after scope: f8Global redzone: f9Global init order: f6Poisoned by user: f7Container overflow: fcArray cookie: acIntra object redzone: bbASan internal: feLeft alloca redzone: caRight alloca redzone: cb==1655558==ABORTING