Details
- Type: Bug
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Affects Version/s: 10.5, 10.6, 10.11, 11.1(EOL), 11.2(EOL), 11.4, 11.5(EOL), 11.6(EOL)
Description
Split from MDEV-28345, as bar confirmed that, while this Spider testcase leads to a similar but not identical heap-use-after-free to the one in MDEV-28345, it is a different bug. This issue does not readily reproduce in MTR. See the note on MDEV-32759 below.
```sql
SET sql_buffer_result=1;
INSTALL PLUGIN Spider SONAME 'ha_spider.so';
CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock',DATABASE'',USER'',PASSWORD'');
CREATE TABLE t (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB;
CREATE TABLE tm (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB;
CREATE TABLE t1 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",srv "srv",TABLE "t"';
CREATE TABLE t2 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",srv "srv",TABLE "tm"';
INSERT INTO t VALUES (0,1,0),(1,0,0),(2,0,0);
INSERT INTO tm VALUES (0,1,0),(1,0,0),(2,0,0);
SELECT * FROM t1 HAVING c1=(SELECT t.c1 AS c FROM t2 t ORDER BY (SELECT MIN(t1.c1+tt.c1) FROM t2 tt));
```
Previously led to:
11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Debug, UBASAN)

```text
==2542380==ERROR: AddressSanitizer: heap-use-after-free on address 0x60800000d8e2 at pc 0x55a6791cb837 bp 0x14a2c640c420 sp 0x14a2c640c410
READ of size 1 at 0x60800000d8e2 thread T34
#0 0x55a6791cb836 in my_strtod_int /test/11.0_dbg_san/strings/dtoa.c:1378
#1 0x55a6791cb836 in my_strtod /test/11.0_dbg_san/strings/dtoa.c:469
#2 0x55a6790d9b3f in my_strntod_8bit /test/11.0_dbg_san/strings/ctype-simple.c:800
#3 0x55a67683d3fa in charset_info_st::strntod(char*, unsigned long, char**, int*) const /test/11.0_dbg_san/include/m_ctype.h:929
#4 0x55a67683d3fa in Value_source::Converter_strntod::Converter_strntod(charset_info_st const*, char const*, unsigned long) /test/11.0_dbg_san/sql/field.h:210
#5 0x55a67683d3fa in Value_source::Converter_strntod_with_warn::Converter_strntod_with_warn(THD*, Value_source::Warn_filter, charset_info_st const*, char const*, unsigned long) /test/11.0_dbg_san/sql/field.h:281
#6 0x55a67683d3fa in Field_blob::val_real() /test/11.0_dbg_san/sql/field.cc:8743
#7 0x55a676a17a18 in Item_field::val_real() /test/11.0_dbg_san/sql/item.cc:3354
#8 0x55a676f35ed8 in Item_func_plus::real_op() /test/11.0_dbg_san/sql/item_func.cc:1103
#9 0x55a6760d1826 in Item_func_hybrid_field_type::val_real_from_real_op() /test/11.0_dbg_san/sql/item_func.h:853
#10 0x55a6760d1826 in Type_handler_real_result::Item_func_hybrid_field_type_val_real(Item_func_hybrid_field_type*) const /test/11.0_dbg_san/sql/sql_type.cc:5458
#11 0x55a67517c7d5 in Item_func_hybrid_field_type::val_real() /test/11.0_dbg_san/sql/item_func.h:899
#12 0x55a67495e58a in Item::val_result() /test/11.0_dbg_san/sql/item.h:1792
#13 0x55a6769f2049 in Item_cache_real::cache_value() /test/11.0_dbg_san/sql/item.cc:10396
#14 0x55a67752d7e9 in Item_sum_min::add() /test/11.0_dbg_san/sql/item_sum.cc:2549
#15 0x55a6775a1e61 in Aggregator_simple::add() /test/11.0_dbg_san/sql/item_sum.h:727
#16 0x55a6753d5ac0 in Item_sum::aggregator_add() /test/11.0_dbg_san/sql/item_sum.h:571
#17 0x55a6753d5ac0 in Item_sum::reset_and_add() /test/11.0_dbg_san/sql/item_sum.h:452
#18 0x55a6753d5ac0 in init_sum_functions /test/11.0_dbg_san/sql/sql_select.cc:28582
#19 0x55a6755d34f6 in end_send_group(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:24741
#20 0x55a6753f83ef in evaluate_join_record /test/11.0_dbg_san/sql/sql_select.cc:23485
#21 0x55a6754bf299 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23252
#22 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780
#23 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900
#24 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677
#25 0x55a677453105 in subselect_single_select_engine::exec() /test/11.0_dbg_san/sql/item_subselect.cc:4157
#26 0x55a677463617 in Item_subselect::exec() /test/11.0_dbg_san/sql/item_subselect.cc:812
#27 0x55a67743f1ec in Item_singlerow_subselect::val_real() /test/11.0_dbg_san/sql/item_subselect.cc:1441
#28 0x55a67495e58a in Item::val_result() /test/11.0_dbg_san/sql/item.h:1792
#29 0x55a6769f2049 in Item_cache_real::cache_value() /test/11.0_dbg_san/sql/item.cc:10396
#30 0x55a676af47d9 in Item_cache_wrapper::cache() /test/11.0_dbg_san/sql/item.cc:8923
#31 0x55a676af47d9 in Item_cache_wrapper::save_val(Field*) /test/11.0_dbg_san/sql/item.cc:8949
#32 0x55a676b10a25 in Item_cache_wrapper::save_in_result_field(bool) /test/11.0_dbg_san/sql/item.h:5951
#33 0x55a6755a073a in copy_funcs(Item**, THD const*) /test/11.0_dbg_san/sql/sql_select.cc:28630
#34 0x55a6755a0a2d in end_write /test/11.0_dbg_san/sql/sql_select.cc:24770
#35 0x55a67560b440 in AGGR_OP::put_record(bool) /test/11.0_dbg_san/sql/sql_select.cc:32019
#36 0x55a67560da5b in AGGR_OP::put_record() /test/11.0_dbg_san/sql/sql_select.h:1152
#37 0x55a67560da5b in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:22953
#38 0x55a6753f83ef in evaluate_join_record /test/11.0_dbg_san/sql/sql_select.cc:23485
#39 0x55a6754bf299 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23252
#40 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780
#41 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900
#42 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677
#43 0x55a677453105 in subselect_single_select_engine::exec() /test/11.0_dbg_san/sql/item_subselect.cc:4157
#44 0x55a677463617 in Item_subselect::exec() /test/11.0_dbg_san/sql/item_subselect.cc:812
#45 0x55a6774409a4 in Item_singlerow_subselect::val_str(String*) /test/11.0_dbg_san/sql/item_subselect.cc:1484
#46 0x55a67495e7ba in Item::str_result(String*) /test/11.0_dbg_san/sql/item.h:1794
#47 0x55a676a26163 in Item_cache_str::cache_value() /test/11.0_dbg_san/sql/item.cc:10520
#48 0x55a676af7dc7 in Item_cache_wrapper::cache() /test/11.0_dbg_san/sql/item.cc:8923
#49 0x55a676af7dc7 in Item_cache_wrapper::val_str(String*) /test/11.0_dbg_san/sql/item.cc:9031
#50 0x55a676bf4ef7 in Arg_comparator::compare_string() /test/11.0_dbg_san/sql/item_cmpfunc.cc:773
#51 0x55a676c0323e in Arg_comparator::compare() /test/11.0_dbg_san/sql/item_cmpfunc.h:103
#52 0x55a676c0323e in Item_func_eq::val_int() /test/11.0_dbg_san/sql/item_cmpfunc.cc:1776
#53 0x55a67559dfa4 in end_send /test/11.0_dbg_san/sql/sql_select.cc:24493
#54 0x55a6753f83ef in evaluate_join_record /test/11.0_dbg_san/sql/sql_select.cc:23485
#55 0x55a67560ca45 in AGGR_OP::end_send() /test/11.0_dbg_san/sql/sql_select.cc:32100
#56 0x55a67560dfa7 in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:22947
#57 0x55a6754bf352 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23186
#58 0x55a67566d277 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22782
#59 0x55a67566d277 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900
#60 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677
#61 0x55a67565d0c1 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5158
#62 0x55a67566151c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616
#63 0x55a6751d3a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279
#64 0x55a675234ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949
#65 0x55a675264973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014
#66 0x55a675274707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
#67 0x55a675282542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
#68 0x55a675c578b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
#69 0x55a675c58dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
#70 0x14a2eb294b42 in start_thread nptl/pthread_create.c:442
#71 0x14a2eb3269ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)

0x60800000d8e2 is located 66 bytes inside of 96-byte region [0x60800000d8a0,0x60800000d900)
freed by thread T34 here:
#0 0x55a6748e8fe7 in __interceptor_free (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7963fe7)
#1 0x55a679000a61 in my_free /test/11.0_dbg_san/mysys/my_malloc.c:213
#2 0x14a2c5852150 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.0_dbg_san/storage/spider/spd_malloc.cc:183
#3 0x14a2c59bcbcb in spider_db_mbase_row::~spider_db_mbase_row() /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:377
#4 0x14a2c59bccca in spider_db_mbase_row::~spider_db_mbase_row() /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:380
#5 0x14a2c56cfaf5 in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:2783
#6 0x14a2c56ec078 in spider_db_seek_next(unsigned char*, ha_spider*, int, TABLE*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:3994
#7 0x14a2c58e33a9 in ha_spider::rnd_next_internal(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5905
#8 0x14a2c58e9597 in ha_spider::rnd_next(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5944
#9 0x55a676957c84 in handler::ha_rnd_next(unsigned char*) /test/11.0_dbg_san/sql/handler.cc:3603
#10 0x55a674b28a8b in rr_sequential(READ_RECORD*) /test/11.0_dbg_san/sql/records.cc:514
#11 0x55a6754bff49 in READ_RECORD::read_record() /test/11.0_dbg_san/sql/records.h:81
#12 0x55a6754bff49 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23269
#13 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780
#14 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900
#15 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677
#16 0x55a67565d0c1 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5158
#17 0x55a67566151c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616
#18 0x55a6751d3a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279
#19 0x55a675234ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949
#20 0x55a675264973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014
#21 0x55a675274707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
#22 0x55a675282542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
#23 0x55a675c578b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
#24 0x55a675c58dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
#25 0x14a2eb294b42 in start_thread nptl/pthread_create.c:442

previously allocated by thread T34 here:
#0 0x55a6748e9337 in __interceptor_malloc (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7964337)
#1 0x55a679000703 in my_malloc /test/11.0_dbg_san/mysys/my_malloc.c:91
#2 0x14a2c5852583 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.0_dbg_san/storage/spider/spd_malloc.cc:231
#3 0x14a2c59d329f in spider_db_mbase_row::clone() /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:547
#4 0x14a2c56dab12 in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:3378
#5 0x14a2c58e806f in ha_spider::rnd_next_internal(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5851
#6 0x14a2c58e9597 in ha_spider::rnd_next(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5944
#7 0x55a676957c84 in handler::ha_rnd_next(unsigned char*) /test/11.0_dbg_san/sql/handler.cc:3603
#8 0x55a674b28a8b in rr_sequential(READ_RECORD*) /test/11.0_dbg_san/sql/records.cc:514
#9 0x55a67558ed77 in READ_RECORD::read_record() /test/11.0_dbg_san/sql/records.h:81
#10 0x55a67558ed77 in join_init_read_record(st_join_table*) /test/11.0_dbg_san/sql/sql_select.cc:24276
#11 0x55a6754bf115 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23249
#12 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780
#13 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900
#14 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677
#15 0x55a67565d0c1 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5158
#16 0x55a67566151c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616
#17 0x55a6751d3a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279
#18 0x55a675234ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949
#19 0x55a675264973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014
#20 0x55a675274707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
#21 0x55a675282542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
#22 0x55a675c578b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
#23 0x55a675c58dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
#24 0x14a2eb294b42 in start_thread nptl/pthread_create.c:442

Thread T34 created by T0 here:
#0 0x55a67488d175 in pthread_create (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7908175)
#1 0x55a67494398b in create_thread_to_handle_connection(CONNECT*) /test/11.0_dbg_san/sql/mysqld.cc:6129
#2 0x55a674950e67 in create_new_thread(CONNECT*) /test/11.0_dbg_san/sql/mysqld.cc:6191
#3 0x55a6749516e7 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.0_dbg_san/sql/mysqld.cc:6253
#4 0x55a674952738 in handle_connections_sockets() /test/11.0_dbg_san/sql/mysqld.cc:6377
#5 0x55a674959ee7 in mysqld_main(int, char**) /test/11.0_dbg_san/sql/mysqld.cc:6024
#6 0x55a67492eeca in main /test/11.0_dbg_san/sql/main.cc:34
#7 0x14a2eb229d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-use-after-free /test/11.0_dbg_san/strings/dtoa.c:1378 in my_strtod_int
```
And these UniqueIDs/stacks across versions and build types:

```text
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|Value_source::Converter_strntod::Converter_strntod|Value_source::Converter_strntod_with_warn::Converter_strntod_with_warn
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|my_strntod_8bit|Value_source::Converter_strntod::Converter_strntod
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|charset_info_st::strntod|Value_source::Converter_strntod::Converter_strntod
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|my_strntod_8bit|charset_info_st::strntod
```

However, with newer builds we now (18/7/24) see only these:

```text
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|charset_info_st::strntod|Value_source::Converter_strntod::Converter_strntod
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|my_strntod_8bit|charset_info_st::strntod
```

These look like MDEV-32759; however, no AVG() is used here.
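An added triage helper (not part of the MDEV report or of MariaDB's QA scripts) that parses the report above into the UniqueID format listed here, names the code that freed and allocated the row, and checks which of the cross-build IDs describe the same stack; the signature rule (error kind, frame-0 file, first four frames), the /test/<build>/ build-root layout and the allocator-wrapper list are assumptions.

```python
"""Triage helper for an AddressSanitizer report like the one above.

Added example, not part of the MDEV report or of MariaDB's QA scripts. Assumed
signature rule (it reproduces the last UniqueID listed for the trace above):
ASAN|<kind>|<frame-0 file relative to the build root>|<first 4 frame functions>.
The build root is assumed to be /test/<build>/ (two path components)."""
import re

# Constructed sample: the top frames of the three stacks in the report above.
SAMPLE_REPORT = """\
==2542380==ERROR: AddressSanitizer: heap-use-after-free on address 0x60800000d8e2 at pc 0x55a6791cb837 bp 0x14a2c640c420 sp 0x14a2c640c410
READ of size 1 at 0x60800000d8e2 thread T34
    #0 0x55a6791cb836 in my_strtod_int /test/11.0_dbg_san/strings/dtoa.c:1378
    #1 0x55a6791cb836 in my_strtod /test/11.0_dbg_san/strings/dtoa.c:469
    #2 0x55a6790d9b3f in my_strntod_8bit /test/11.0_dbg_san/strings/ctype-simple.c:800
    #3 0x55a67683d3fa in charset_info_st::strntod(char*, unsigned long, char**, int*) const /test/11.0_dbg_san/include/m_ctype.h:929
    #4 0x55a67683d3fa in Value_source::Converter_strntod::Converter_strntod(charset_info_st const*, char const*, unsigned long) /test/11.0_dbg_san/sql/field.h:210
    #5 0x55a67683d3fa in Value_source::Converter_strntod_with_warn::Converter_strntod_with_warn(THD*, Value_source::Warn_filter, charset_info_st const*, char const*, unsigned long) /test/11.0_dbg_san/sql/field.h:281
freed by thread T34 here:
    #0 0x55a6748e8fe7 in __interceptor_free (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7963fe7)
    #1 0x55a679000a61 in my_free /test/11.0_dbg_san/mysys/my_malloc.c:213
    #2 0x14a2c5852150 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.0_dbg_san/storage/spider/spd_malloc.cc:183
    #3 0x14a2c59bcbcb in spider_db_mbase_row::~spider_db_mbase_row() /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:377
previously allocated by thread T34 here:
    #0 0x55a6748e9337 in __interceptor_malloc (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7964337)
    #1 0x55a679000703 in my_malloc /test/11.0_dbg_san/mysys/my_malloc.c:91
    #2 0x14a2c5852583 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.0_dbg_san/storage/spider/spd_malloc.cc:231
    #3 0x14a2c59d329f in spider_db_mbase_row::clone() /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:547
SUMMARY: AddressSanitizer: heap-use-after-free /test/11.0_dbg_san/strings/dtoa.c:1378 in my_strtod_int
"""

# "#N 0x... in <symbol> <location>" or "#N 0x... (<binary>+<offset>)"
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+(?:in\s+(.*?)\s+)?(\S+)$")
SECTIONS = (("access", r"(READ|WRITE) of size"), ("free", r"freed by thread"),
            ("alloc", r"previously allocated by thread"))
# Wrapper frames skipped when asking who owns a free/allocation (assumed list).
ALLOCATOR_WRAPPERS = ("__interceptor_", "my_free", "my_malloc",
                      "spider_free_mem", "spider_bulk_alloc_mem")

def func_name(symbol):
    """'charset_info_st::strntod(char*, ...) const' -> 'charset_info_st::strntod'."""
    return "??" if symbol is None else symbol.split("(", 1)[0].strip()

def rel_source(location, build_depth=2):
    """'/test/11.0_dbg_san/strings/dtoa.c:1378' -> 'strings/dtoa.c'."""
    path = re.sub(r"(:\d+)+$", "", location)
    return "/".join(path.strip("/").split("/")[build_depth:])

def parse_report(text):
    """Return (error kind, {'access'|'free'|'alloc': [(function, location), ...]})."""
    kind_m = re.search(r"AddressSanitizer: (\S+)", text)
    kind = kind_m.group(1) if kind_m else "unknown"
    stacks = {"access": [], "free": [], "alloc": []}
    current = None
    for line in text.splitlines():
        for name, pattern in SECTIONS:
            if re.match(r"\s*" + pattern, line):
                current = name
                break
        else:
            if re.match(r"\s*(Thread T\d+ created|SUMMARY:)", line):
                current = None          # later sections are not stacks we keep
            elif current is not None and (m := FRAME_RE.match(line)):
                stacks[current].append((func_name(m.group(2)), m.group(3)))
    return kind, stacks

def unique_id(kind, access_frames, depth=4):
    """Signature used to deduplicate the same crash across builds and runs."""
    funcs = [func for func, _ in access_frames[:depth]]
    return "|".join(["ASAN", kind, rel_source(access_frames[0][1])] + funcs)

def matches_stack(uid, kind, access_frames):
    """True if a UniqueID from another build names this stack: its frames must
    appear in order in the full stack (optimised builds inline some frames,
    which is why one bug yields several IDs, as the report notes)."""
    _, id_kind, id_file, *wanted = uid.split("|")
    remaining = iter(func for func, _ in access_frames)
    return (id_kind == kind and id_file == rel_source(access_frames[0][1])
            and all(w in remaining for w in wanted))

def owner_frame(frames):
    """First frame that is not an allocator wrapper: the code owning the memory."""
    return next((f for f, _ in frames if not f.startswith(ALLOCATOR_WRAPPERS)), "??")

def triage(text):
    """Dedup key plus who freed and who allocated the object that was read."""
    kind, stacks = parse_report(text)
    return {"unique_id": unique_id(kind, stacks["access"]),
            "freed_by": owner_frame(stacks["free"]),
            "allocated_by": owner_frame(stacks["alloc"])}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key:13s} {value}")
```

For the sample the free and allocation owners are both spider_db_mbase_row methods, which is the lifetime question a reviewer would take to spd_db_conn.cc.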
Issue Links
- relates to MDEV-28374 UBSAN: runtime error: signed integer overflow: 10000000000000 * 10000000000000 cannot be represented in type 'long long int' in sql/sql_analyse.cc (Confirmed)
- relates to MDEV-32759 Heap-Use-After-Free at /mariadb-11.3.0/strings/dtoa.c:1378 (Stalled)
- split from MDEV-28345 ASAN: use-after-poison or unknown-crash in my_strtod_int from charset_info_st::strntod or test_if_number (Closed)
Activity

| Field | Original Value | New Value |
|---|---|---|
| Link | This issue relates to TODO-3120 | |
Description |
Split from {code:sql} SET sql_buffer_result=1; INSTALL PLUGIN Spider SONAME 'ha_spider.so'; CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock',DATABASE'',USER'',PASSWORD''); CREATE TABLE t (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB; CREATE TABLE tm (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB; CREATE TABLE t1 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",srv "srv",TABLE "t"'; CREATE TABLE t2 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",srv "srv",TABLE "tm"'; INSERT INTO t VALUES (0,1,0),(1,0,0),(2,0,0); INSERT INTO tm VALUES (0,1,0),(1,0,0),(2,0,0); SELECT * FROM t1 HAVING c1=(SELECT t.c1 AS c FROM t2 t ORDER BY (SELECT MIN(t1.c1+tt.c1) FROM t2 tt)); {code} Leads to: {noformat:title=11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Debug, UBASAN)} ==2542380==ERROR: AddressSanitizer: heap-use-after-free on address 0x60800000d8e2 at pc 0x55a6791cb837 bp 0x14a2c640c420 sp 0x14a2c640c410 READ of size 1 at 0x60800000d8e2 thread T34 #0 0x55a6791cb836 in my_strtod_int /test/11.0_dbg_san/strings/dtoa.c:1378 #1 0x55a6791cb836 in my_strtod /test/11.0_dbg_san/strings/dtoa.c:469 #2 0x55a6790d9b3f in my_strntod_8bit /test/11.0_dbg_san/strings/ctype-simple.c:800 #3 0x55a67683d3fa in charset_info_st::strntod(char*, unsigned long, char**, int*) const /test/11.0_dbg_san/include/m_ctype.h:929 #4 0x55a67683d3fa in Value_source::Converter_strntod::Converter_strntod(charset_info_st const*, char const*, unsigned long) /test/11.0_dbg_san/sql/field.h:210 #5 0x55a67683d3fa in Value_source::Converter_strntod_with_warn::Converter_strntod_with_warn(THD*, Value_source::Warn_filter, charset_info_st const*, char const*, unsigned long) /test/11.0_dbg_san/sql/field.h:281 #6 0x55a67683d3fa in Field_blob::val_real() /test/11.0_dbg_san/sql/field.cc:8743 #7 0x55a676a17a18 in Item_field::val_real() /test/11.0_dbg_san/sql/item.cc:3354 #8 0x55a676f35ed8 in Item_func_plus::real_op() /test/11.0_dbg_san/sql/item_func.cc:1103 #9 0x55a6760d1826 
in Item_func_hybrid_field_type::val_real_from_real_op() /test/11.0_dbg_san/sql/item_func.h:853 #10 0x55a6760d1826 in Type_handler_real_result::Item_func_hybrid_field_type_val_real(Item_func_hybrid_field_type*) const /test/11.0_dbg_san/sql/sql_type.cc:5458 #11 0x55a67517c7d5 in Item_func_hybrid_field_type::val_real() /test/11.0_dbg_san/sql/item_func.h:899 #12 0x55a67495e58a in Item::val_result() /test/11.0_dbg_san/sql/item.h:1792 #13 0x55a6769f2049 in Item_cache_real::cache_value() /test/11.0_dbg_san/sql/item.cc:10396 #14 0x55a67752d7e9 in Item_sum_min::add() /test/11.0_dbg_san/sql/item_sum.cc:2549 #15 0x55a6775a1e61 in Aggregator_simple::add() /test/11.0_dbg_san/sql/item_sum.h:727 #16 0x55a6753d5ac0 in Item_sum::aggregator_add() /test/11.0_dbg_san/sql/item_sum.h:571 #17 0x55a6753d5ac0 in Item_sum::reset_and_add() /test/11.0_dbg_san/sql/item_sum.h:452 #18 0x55a6753d5ac0 in init_sum_functions /test/11.0_dbg_san/sql/sql_select.cc:28582 #19 0x55a6755d34f6 in end_send_group(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:24741 #20 0x55a6753f83ef in evaluate_join_record /test/11.0_dbg_san/sql/sql_select.cc:23485 #21 0x55a6754bf299 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23252 #22 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780 #23 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900 #24 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677 #25 0x55a677453105 in subselect_single_select_engine::exec() /test/11.0_dbg_san/sql/item_subselect.cc:4157 #26 0x55a677463617 in Item_subselect::exec() /test/11.0_dbg_san/sql/item_subselect.cc:812 #27 0x55a67743f1ec in Item_singlerow_subselect::val_real() /test/11.0_dbg_san/sql/item_subselect.cc:1441 #28 0x55a67495e58a in Item::val_result() /test/11.0_dbg_san/sql/item.h:1792 #29 0x55a6769f2049 in Item_cache_real::cache_value() /test/11.0_dbg_san/sql/item.cc:10396 #30 0x55a676af47d9 in Item_cache_wrapper::cache() 
/test/11.0_dbg_san/sql/item.cc:8923 #31 0x55a676af47d9 in Item_cache_wrapper::save_val(Field*) /test/11.0_dbg_san/sql/item.cc:8949 #32 0x55a676b10a25 in Item_cache_wrapper::save_in_result_field(bool) /test/11.0_dbg_san/sql/item.h:5951 #33 0x55a6755a073a in copy_funcs(Item**, THD const*) /test/11.0_dbg_san/sql/sql_select.cc:28630 #34 0x55a6755a0a2d in end_write /test/11.0_dbg_san/sql/sql_select.cc:24770 #35 0x55a67560b440 in AGGR_OP::put_record(bool) /test/11.0_dbg_san/sql/sql_select.cc:32019 #36 0x55a67560da5b in AGGR_OP::put_record() /test/11.0_dbg_san/sql/sql_select.h:1152 #37 0x55a67560da5b in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:22953 #38 0x55a6753f83ef in evaluate_join_record /test/11.0_dbg_san/sql/sql_select.cc:23485 #39 0x55a6754bf299 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23252 #40 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780 #41 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900 #42 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677 #43 0x55a677453105 in subselect_single_select_engine::exec() /test/11.0_dbg_san/sql/item_subselect.cc:4157 #44 0x55a677463617 in Item_subselect::exec() /test/11.0_dbg_san/sql/item_subselect.cc:812 #45 0x55a6774409a4 in Item_singlerow_subselect::val_str(String*) /test/11.0_dbg_san/sql/item_subselect.cc:1484 #46 0x55a67495e7ba in Item::str_result(String*) /test/11.0_dbg_san/sql/item.h:1794 #47 0x55a676a26163 in Item_cache_str::cache_value() /test/11.0_dbg_san/sql/item.cc:10520 #48 0x55a676af7dc7 in Item_cache_wrapper::cache() /test/11.0_dbg_san/sql/item.cc:8923 #49 0x55a676af7dc7 in Item_cache_wrapper::val_str(String*) /test/11.0_dbg_san/sql/item.cc:9031 #50 0x55a676bf4ef7 in Arg_comparator::compare_string() /test/11.0_dbg_san/sql/item_cmpfunc.cc:773 #51 0x55a676c0323e in Arg_comparator::compare() /test/11.0_dbg_san/sql/item_cmpfunc.h:103 #52 0x55a676c0323e in 
Item_func_eq::val_int() /test/11.0_dbg_san/sql/item_cmpfunc.cc:1776 #53 0x55a67559dfa4 in end_send /test/11.0_dbg_san/sql/sql_select.cc:24493 #54 0x55a6753f83ef in evaluate_join_record /test/11.0_dbg_san/sql/sql_select.cc:23485 #55 0x55a67560ca45 in AGGR_OP::end_send() /test/11.0_dbg_san/sql/sql_select.cc:32100 #56 0x55a67560dfa7 in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:22947 #57 0x55a6754bf352 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23186 #58 0x55a67566d277 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22782 #59 0x55a67566d277 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900 #60 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677 #61 0x55a67565d0c1 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5158 #62 0x55a67566151c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616 #63 0x55a6751d3a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279 #64 0x55a675234ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949 #65 0x55a675264973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014 #66 0x55a675274707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894 #67 0x55a675282542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407 #68 0x55a675c578b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416 #69 0x55a675c58dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318 #70 0x14a2eb294b42 in start_thread nptl/pthread_create.c:442 #71 0x14a2eb3269ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff) 0x60800000d8e2 is 
located 66 bytes inside of 96-byte region [0x60800000d8a0,0x60800000d900) freed by thread T34 here: #0 0x55a6748e8fe7 in __interceptor_free (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7963fe7) #1 0x55a679000a61 in my_free /test/11.0_dbg_san/mysys/my_malloc.c:213 #2 0x14a2c5852150 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.0_dbg_san/storage/spider/spd_malloc.cc:183 #3 0x14a2c59bcbcb in spider_db_mbase_row::~spider_db_mbase_row() /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:377 #4 0x14a2c59bccca in spider_db_mbase_row::~spider_db_mbase_row() /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:380 #5 0x14a2c56cfaf5 in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:2783 #6 0x14a2c56ec078 in spider_db_seek_next(unsigned char*, ha_spider*, int, TABLE*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:3994 #7 0x14a2c58e33a9 in ha_spider::rnd_next_internal(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5905 #8 0x14a2c58e9597 in ha_spider::rnd_next(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5944 #9 0x55a676957c84 in handler::ha_rnd_next(unsigned char*) /test/11.0_dbg_san/sql/handler.cc:3603 #10 0x55a674b28a8b in rr_sequential(READ_RECORD*) /test/11.0_dbg_san/sql/records.cc:514 #11 0x55a6754bff49 in READ_RECORD::read_record() /test/11.0_dbg_san/sql/records.h:81 #12 0x55a6754bff49 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23269 #13 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780 #14 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900 #15 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677 #16 0x55a67565d0c1 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) 
/test/11.0_dbg_san/sql/sql_select.cc:5158 #17 0x55a67566151c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616 #18 0x55a6751d3a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279 #19 0x55a675234ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949 #20 0x55a675264973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014 #21 0x55a675274707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894 #22 0x55a675282542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407 #23 0x55a675c578b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416 #24 0x55a675c58dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318 #25 0x14a2eb294b42 in start_thread nptl/pthread_create.c:442 previously allocated by thread T34 here: #0 0x55a6748e9337 in __interceptor_malloc (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7964337) #1 0x55a679000703 in my_malloc /test/11.0_dbg_san/mysys/my_malloc.c:91 #2 0x14a2c5852583 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) 
/test/11.0_dbg_san/storage/spider/spd_malloc.cc:231 #3 0x14a2c59d329f in spider_db_mbase_row::clone() /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:547 #4 0x14a2c56dab12 in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:3378 #5 0x14a2c58e806f in ha_spider::rnd_next_internal(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5851 #6 0x14a2c58e9597 in ha_spider::rnd_next(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5944 #7 0x55a676957c84 in handler::ha_rnd_next(unsigned char*) /test/11.0_dbg_san/sql/handler.cc:3603 #8 0x55a674b28a8b in rr_sequential(READ_RECORD*) /test/11.0_dbg_san/sql/records.cc:514 #9 0x55a67558ed77 in READ_RECORD::read_record() /test/11.0_dbg_san/sql/records.h:81 #10 0x55a67558ed77 in join_init_read_record(st_join_table*) /test/11.0_dbg_san/sql/sql_select.cc:24276 #11 0x55a6754bf115 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23249 #12 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780 #13 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900 #14 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677 #15 0x55a67565d0c1 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5158 #16 0x55a67566151c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616 #17 0x55a6751d3a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279 #18 0x55a675234ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949 #19 0x55a675264973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014 #20 0x55a675274707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) 
/test/11.0_dbg_san/sql/sql_parse.cc:1894
    #21 0x55a675282542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
    #22 0x55a675c578b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
    #23 0x55a675c58dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
    #24 0x14a2eb294b42 in start_thread nptl/pthread_create.c:442

Thread T34 created by T0 here:
    #0 0x55a67488d175 in pthread_create (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7908175)
    #1 0x55a67494398b in create_thread_to_handle_connection(CONNECT*) /test/11.0_dbg_san/sql/mysqld.cc:6129
    #2 0x55a674950e67 in create_new_thread(CONNECT*) /test/11.0_dbg_san/sql/mysqld.cc:6191
    #3 0x55a6749516e7 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.0_dbg_san/sql/mysqld.cc:6253
    #4 0x55a674952738 in handle_connections_sockets() /test/11.0_dbg_san/sql/mysqld.cc:6377
    #5 0x55a674959ee7 in mysqld_main(int, char**) /test/11.0_dbg_san/sql/mysqld.cc:6024
    #6 0x55a67492eeca in main /test/11.0_dbg_san/sql/main.cc:34
    #7 0x14a2eb229d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-use-after-free /test/11.0_dbg_san/strings/dtoa.c:1378 in my_strtod_int
Shadow bytes around the buggy address:
  0x0c107fff9ac0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff9ad0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff9ae0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff9af0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff9b00: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c107fff9b10: fa fa fa fa fd fd fd fd fd fd fd fd[fd]fd fd fd
  0x0c107fff9b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2542380==ABORTING
{noformat}
This testcase produces the following UniqueIDs/stacks across versions and build types (all are new):
{noformat}
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|Value_source::Converter_strntod::Converter_strntod|Value_source::Converter_strntod_with_warn::Converter_strntod_with_warn
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|charset_info_st::strntod|Value_source::Converter_strntod::Converter_strntod
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|my_strntod_8bit|Value_source::Converter_strntod::Converter_strntod
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|my_strntod_8bit|charset_info_st::strntod
{noformat}
This issue does not readily reproduce in MTR; I can test this testcase against it when a patch is ready to see if it is resolved also. |
Split from
{code:sql}
SET sql_buffer_result=1;
INSTALL PLUGIN Spider SONAME 'ha_spider.so';
CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock',DATABASE'',USER'',PASSWORD'');
CREATE TABLE t (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB;
CREATE TABLE tm (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB;
CREATE TABLE t1 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",srv "srv",TABLE "t"';
CREATE TABLE t2 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",srv "srv",TABLE "tm"';
INSERT INTO t VALUES (0,1,0),(1,0,0),(2,0,0);
INSERT INTO tm VALUES (0,1,0),(1,0,0),(2,0,0);
SELECT * FROM t1 HAVING c1=(SELECT t.c1 AS c FROM t2 t ORDER BY (SELECT MIN(t1.c1+tt.c1) FROM t2 tt));
{code}
Leads to:
{noformat:title=11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Debug, UBASAN)}
==2542380==ERROR: AddressSanitizer: heap-use-after-free on address 0x60800000d8e2 at pc 0x55a6791cb837 bp 0x14a2c640c420 sp 0x14a2c640c410
READ of size 1 at 0x60800000d8e2 thread T34
    #0 0x55a6791cb836 in my_strtod_int /test/11.0_dbg_san/strings/dtoa.c:1378
    #1 0x55a6791cb836 in my_strtod /test/11.0_dbg_san/strings/dtoa.c:469
    #2 0x55a6790d9b3f in my_strntod_8bit /test/11.0_dbg_san/strings/ctype-simple.c:800
    #3 0x55a67683d3fa in charset_info_st::strntod(char*, unsigned long, char**, int*) const /test/11.0_dbg_san/include/m_ctype.h:929
    #4 0x55a67683d3fa in Value_source::Converter_strntod::Converter_strntod(charset_info_st const*, char const*, unsigned long) /test/11.0_dbg_san/sql/field.h:210
    #5 0x55a67683d3fa in Value_source::Converter_strntod_with_warn::Converter_strntod_with_warn(THD*, Value_source::Warn_filter, charset_info_st const*, char const*, unsigned long) /test/11.0_dbg_san/sql/field.h:281
    #6 0x55a67683d3fa in Field_blob::val_real() /test/11.0_dbg_san/sql/field.cc:8743
    #7 0x55a676a17a18 in Item_field::val_real() /test/11.0_dbg_san/sql/item.cc:3354
    #8 0x55a676f35ed8 in Item_func_plus::real_op() /test/11.0_dbg_san/sql/item_func.cc:1103
    #9 0x55a6760d1826 in Item_func_hybrid_field_type::val_real_from_real_op() /test/11.0_dbg_san/sql/item_func.h:853
    #10 0x55a6760d1826 in Type_handler_real_result::Item_func_hybrid_field_type_val_real(Item_func_hybrid_field_type*) const /test/11.0_dbg_san/sql/sql_type.cc:5458
    #11 0x55a67517c7d5 in Item_func_hybrid_field_type::val_real() /test/11.0_dbg_san/sql/item_func.h:899
    #12 0x55a67495e58a in Item::val_result() /test/11.0_dbg_san/sql/item.h:1792
    #13 0x55a6769f2049 in Item_cache_real::cache_value() /test/11.0_dbg_san/sql/item.cc:10396
    #14 0x55a67752d7e9 in Item_sum_min::add() /test/11.0_dbg_san/sql/item_sum.cc:2549
    #15 0x55a6775a1e61 in Aggregator_simple::add() /test/11.0_dbg_san/sql/item_sum.h:727
    #16 0x55a6753d5ac0 in Item_sum::aggregator_add() /test/11.0_dbg_san/sql/item_sum.h:571
    #17 0x55a6753d5ac0 in Item_sum::reset_and_add() /test/11.0_dbg_san/sql/item_sum.h:452
    #18 0x55a6753d5ac0 in init_sum_functions /test/11.0_dbg_san/sql/sql_select.cc:28582
    #19 0x55a6755d34f6 in end_send_group(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:24741
    #20 0x55a6753f83ef in evaluate_join_record /test/11.0_dbg_san/sql/sql_select.cc:23485
    #21 0x55a6754bf299 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23252
    #22 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780
    #23 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900
    #24 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677
    #25 0x55a677453105 in subselect_single_select_engine::exec() /test/11.0_dbg_san/sql/item_subselect.cc:4157
    #26 0x55a677463617 in Item_subselect::exec() /test/11.0_dbg_san/sql/item_subselect.cc:812
    #27 0x55a67743f1ec in Item_singlerow_subselect::val_real() /test/11.0_dbg_san/sql/item_subselect.cc:1441
    #28 0x55a67495e58a in Item::val_result() /test/11.0_dbg_san/sql/item.h:1792
    #29 0x55a6769f2049 in Item_cache_real::cache_value() /test/11.0_dbg_san/sql/item.cc:10396
    #30 0x55a676af47d9 in Item_cache_wrapper::cache() /test/11.0_dbg_san/sql/item.cc:8923
    #31 0x55a676af47d9 in Item_cache_wrapper::save_val(Field*) /test/11.0_dbg_san/sql/item.cc:8949
    #32 0x55a676b10a25 in Item_cache_wrapper::save_in_result_field(bool) /test/11.0_dbg_san/sql/item.h:5951
    #33 0x55a6755a073a in copy_funcs(Item**, THD const*) /test/11.0_dbg_san/sql/sql_select.cc:28630
    #34 0x55a6755a0a2d in end_write /test/11.0_dbg_san/sql/sql_select.cc:24770
    #35 0x55a67560b440 in AGGR_OP::put_record(bool) /test/11.0_dbg_san/sql/sql_select.cc:32019
    #36 0x55a67560da5b in AGGR_OP::put_record() /test/11.0_dbg_san/sql/sql_select.h:1152
    #37 0x55a67560da5b in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:22953
    #38 0x55a6753f83ef in evaluate_join_record /test/11.0_dbg_san/sql/sql_select.cc:23485
    #39 0x55a6754bf299 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23252
    #40 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780
    #41 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900
    #42 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677
    #43 0x55a677453105 in subselect_single_select_engine::exec() /test/11.0_dbg_san/sql/item_subselect.cc:4157
    #44 0x55a677463617 in Item_subselect::exec() /test/11.0_dbg_san/sql/item_subselect.cc:812
    #45 0x55a6774409a4 in Item_singlerow_subselect::val_str(String*) /test/11.0_dbg_san/sql/item_subselect.cc:1484
    #46 0x55a67495e7ba in Item::str_result(String*) /test/11.0_dbg_san/sql/item.h:1794
    #47 0x55a676a26163 in Item_cache_str::cache_value() /test/11.0_dbg_san/sql/item.cc:10520
    #48 0x55a676af7dc7 in Item_cache_wrapper::cache() /test/11.0_dbg_san/sql/item.cc:8923
    #49 0x55a676af7dc7 in Item_cache_wrapper::val_str(String*) /test/11.0_dbg_san/sql/item.cc:9031
    #50 0x55a676bf4ef7 in Arg_comparator::compare_string() /test/11.0_dbg_san/sql/item_cmpfunc.cc:773
    #51 0x55a676c0323e in Arg_comparator::compare() /test/11.0_dbg_san/sql/item_cmpfunc.h:103
    #52 0x55a676c0323e in Item_func_eq::val_int() /test/11.0_dbg_san/sql/item_cmpfunc.cc:1776
    #53 0x55a67559dfa4 in end_send /test/11.0_dbg_san/sql/sql_select.cc:24493
    #54 0x55a6753f83ef in evaluate_join_record /test/11.0_dbg_san/sql/sql_select.cc:23485
    #55 0x55a67560ca45 in AGGR_OP::end_send() /test/11.0_dbg_san/sql/sql_select.cc:32100
    #56 0x55a67560dfa7 in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:22947
    #57 0x55a6754bf352 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23186
    #58 0x55a67566d277 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22782
    #59 0x55a67566d277 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900
    #60 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677
    #61 0x55a67565d0c1 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5158
    #62 0x55a67566151c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616
    #63 0x55a6751d3a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279
    #64 0x55a675234ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949
    #65 0x55a675264973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014
    #66 0x55a675274707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
    #67 0x55a675282542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
    #68 0x55a675c578b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
    #69 0x55a675c58dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
    #70 0x14a2eb294b42 in start_thread nptl/pthread_create.c:442
    #71 0x14a2eb3269ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)

0x60800000d8e2 is located 66 bytes inside of 96-byte region [0x60800000d8a0,0x60800000d900)
freed by thread T34 here:
    #0 0x55a6748e8fe7 in __interceptor_free (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7963fe7)
    #1 0x55a679000a61 in my_free /test/11.0_dbg_san/mysys/my_malloc.c:213
    #2 0x14a2c5852150 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.0_dbg_san/storage/spider/spd_malloc.cc:183
    #3 0x14a2c59bcbcb in spider_db_mbase_row::~spider_db_mbase_row() /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:377
    #4 0x14a2c59bccca in spider_db_mbase_row::~spider_db_mbase_row() /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:380
    #5 0x14a2c56cfaf5 in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:2783
    #6 0x14a2c56ec078 in spider_db_seek_next(unsigned char*, ha_spider*, int, TABLE*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:3994
    #7 0x14a2c58e33a9 in ha_spider::rnd_next_internal(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5905
    #8 0x14a2c58e9597 in ha_spider::rnd_next(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5944
    #9 0x55a676957c84 in handler::ha_rnd_next(unsigned char*) /test/11.0_dbg_san/sql/handler.cc:3603
    #10 0x55a674b28a8b in rr_sequential(READ_RECORD*) /test/11.0_dbg_san/sql/records.cc:514
    #11 0x55a6754bff49 in READ_RECORD::read_record() /test/11.0_dbg_san/sql/records.h:81
    #12 0x55a6754bff49 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23269
    #13 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780
    #14 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900
    #15 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677
    #16 0x55a67565d0c1 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5158
    #17 0x55a67566151c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616
    #18 0x55a6751d3a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279
    #19 0x55a675234ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949
    #20 0x55a675264973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014
    #21 0x55a675274707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
    #22 0x55a675282542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
    #23 0x55a675c578b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
    #24 0x55a675c58dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
    #25 0x14a2eb294b42 in start_thread nptl/pthread_create.c:442

previously allocated by thread T34 here:
    #0 0x55a6748e9337 in __interceptor_malloc (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7964337)
    #1 0x55a679000703 in my_malloc /test/11.0_dbg_san/mysys/my_malloc.c:91
    #2 0x14a2c5852583 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.0_dbg_san/storage/spider/spd_malloc.cc:231
    #3 0x14a2c59d329f in spider_db_mbase_row::clone() /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:547
    #4 0x14a2c56dab12 in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:3378
    #5 0x14a2c58e806f in ha_spider::rnd_next_internal(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5851
    #6 0x14a2c58e9597 in ha_spider::rnd_next(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5944
    #7 0x55a676957c84 in handler::ha_rnd_next(unsigned char*) /test/11.0_dbg_san/sql/handler.cc:3603
    #8 0x55a674b28a8b in rr_sequential(READ_RECORD*) /test/11.0_dbg_san/sql/records.cc:514
    #9 0x55a67558ed77 in READ_RECORD::read_record() /test/11.0_dbg_san/sql/records.h:81
    #10 0x55a67558ed77 in join_init_read_record(st_join_table*) /test/11.0_dbg_san/sql/sql_select.cc:24276
    #11 0x55a6754bf115 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23249
    #12 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780
    #13 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900
    #14 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677
    #15 0x55a67565d0c1 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5158
    #16 0x55a67566151c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616
    #17 0x55a6751d3a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279
    #18 0x55a675234ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949
    #19 0x55a675264973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014
    #20 0x55a675274707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
    #21 0x55a675282542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
    #22 0x55a675c578b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
    #23 0x55a675c58dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
    #24 0x14a2eb294b42 in start_thread nptl/pthread_create.c:442

Thread T34 created by T0 here:
    #0 0x55a67488d175 in pthread_create (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7908175)
    #1 0x55a67494398b in create_thread_to_handle_connection(CONNECT*) /test/11.0_dbg_san/sql/mysqld.cc:6129
    #2 0x55a674950e67 in create_new_thread(CONNECT*) /test/11.0_dbg_san/sql/mysqld.cc:6191
    #3 0x55a6749516e7 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.0_dbg_san/sql/mysqld.cc:6253
    #4 0x55a674952738 in handle_connections_sockets() /test/11.0_dbg_san/sql/mysqld.cc:6377
    #5 0x55a674959ee7 in mysqld_main(int, char**) /test/11.0_dbg_san/sql/mysqld.cc:6024
    #6 0x55a67492eeca in main /test/11.0_dbg_san/sql/main.cc:34
    #7 0x14a2eb229d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-use-after-free /test/11.0_dbg_san/strings/dtoa.c:1378 in my_strtod_int
Shadow bytes around the buggy address:
  0x0c107fff9ac0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff9ad0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff9ae0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff9af0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff9b00: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c107fff9b10: fa fa fa fa fd fd fd fd fd fd fd fd[fd]fd fd fd
  0x0c107fff9b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2542380==ABORTING
{noformat}
This testcase produces the following UniqueIDs/stacks across versions and build types (all are new):
{noformat}
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|Value_source::Converter_strntod::Converter_strntod|Value_source::Converter_strntod_with_warn::Converter_strntod_with_warn
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|charset_info_st::strntod|Value_source::Converter_strntod::Converter_strntod
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|my_strntod_8bit|Value_source::Converter_strntod::Converter_strntod
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|my_strntod_8bit|charset_info_st::strntod
{noformat}
This issue does not readily reproduce in MTR. |
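The report above carries the three stacks a use-after-free triage needs (the bad read in my_strtod_int, the free in spider_db_mbase_row's destructor under spider_db_seek_next, and the allocation in spider_db_mbase_row::clone under spider_db_store_result), and the UniqueID list shows how such reports are bucketed by file plus top frames. The script below is an added example, not code from this ticket, MariaDB, Spider or the fuzzing harness: it parses a report of this shape into those three stacks, rebuilds the signature, names the first frame of each stack that is not an allocator wrapper, and cross-checks ASan's "N bytes inside of M-byte region" arithmetic against the printed bounds. Assumptions not stated on the page: four function names per signature, paths made relative to the /test/11.0_dbg_san/ build root, and my_malloc/my_free plus the spider_*_mem wrappers treated as non-owning. The embedded report is a constructed excerpt of the trace above, laid out one frame per line as ASan prints it.

```python
"""ASan heap-use-after-free triage: an added example for this ticket, not MariaDB,
Spider or fuzzer-harness code. It derives a signature of the shape the ticket calls
a "UniqueID" (ASAN|bug type|file of frame #0|top functions) and names the frames
that own the access, the free and the allocation. Assumed rather than taken from
the page: four functions per signature, paths relative to the build root, and the
my_malloc/my_free and spider_*_mem wrappers skipped when naming an owning frame."""
import re

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size \d+ at 0x[0-9a-f]+")
REGION_RE = re.compile(r"(?P<addr>0x[0-9a-f]+) is located (?P<off>\d+) bytes inside of "
                       r"(?P<size>\d+)-byte region \[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<rest>.+)$")
WRAPPERS = {"my_malloc", "my_free", "spider_bulk_alloc_mem", "spider_free_mem"}  # assumed

def parse_frame(line, source_root):
    """Return (function, location) for one '#n 0x... in func loc' line, else None."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    func, loc = m.group("rest").strip(), ""
    parts = func.rsplit(None, 1)  # location is the last token: path:line or (module+off)
    if len(parts) == 2 and (re.fullmatch(r"\S+:\d+", parts[1]) or parts[1].startswith("(")):
        func, loc = parts
    func = func.split("(", 1)[0].strip()  # drop the C++ parameter list and qualifiers
    if loc.startswith(source_root):
        loc = loc[len(source_root):]
    return func, loc

def parse_report(text, source_root):
    """Split the report into the access, free and allocation stacks plus the region."""
    kind = HEADER_RE.search(text).group("kind")
    stacks = {"access": [], "freed": [], "allocated": []}
    region = current = None
    for line in text.splitlines():
        m = REGION_RE.search(line)
        if m:
            region = {k: int(v, 0) for k, v in m.groupdict().items()}
        if ACCESS_RE.match(line):
            current = "access"
        elif "freed by thread" in line:
            current = "freed"
        elif "previously allocated by thread" in line:
            current = "allocated"
        elif line.startswith(("Thread ", "SUMMARY:")):
            current = None  # the thread-creation stack is not part of the triage
        elif current:
            frame = parse_frame(line, source_root)
            if frame:
                stacks[current].append(frame)
    return kind, stacks, region

def unique_id(kind, access_stack, depth=4):
    """tool|kind|file of frame #0|first `depth` function names, as the ticket lists them."""
    _, top_loc = access_stack[0]
    return "|".join(["ASAN", kind, top_loc.rsplit(":", 1)[0]]
                    + [func for func, _ in access_stack[:depth]])

def owning_frame(stack):
    """First frame that is neither an ASan interceptor nor an allocator wrapper."""
    for func, loc in stack:
        if not func.startswith("__interceptor_") and func not in WRAPPERS:
            return func, loc
    return None

def triage(text, source_root="/test/11.0_dbg_san/"):
    kind, stacks, region = parse_report(text, source_root)
    result = {"unique_id": unique_id(kind, stacks["access"]),
              "read_at": owning_frame(stacks["access"]),
              "freed_at": owning_frame(stacks["freed"]),
              "allocated_at": owning_frame(stacks["allocated"])}
    if region:  # cross-check ASan's own arithmetic before trusting the offset
        result["region"] = (region["off"], region["size"])
        result["region_consistent"] = (region["lo"] <= region["addr"] < region["hi"]
                                       and region["addr"] - region["lo"] == region["off"]
                                       and region["hi"] - region["lo"] == region["size"])
    return result

# Constructed sample input: the top frames of each stack in the report above, laid
# out one frame per line as ASan prints them.
REPORT = """\
==2542380==ERROR: AddressSanitizer: heap-use-after-free on address 0x60800000d8e2 at pc 0x55a6791cb837 bp 0x14a2c640c420 sp 0x14a2c640c410
READ of size 1 at 0x60800000d8e2 thread T34
    #0 0x55a6791cb836 in my_strtod_int /test/11.0_dbg_san/strings/dtoa.c:1378
    #1 0x55a6791cb836 in my_strtod /test/11.0_dbg_san/strings/dtoa.c:469
    #2 0x55a6790d9b3f in my_strntod_8bit /test/11.0_dbg_san/strings/ctype-simple.c:800
    #3 0x55a67683d3fa in charset_info_st::strntod(char*, unsigned long, char**, int*) const /test/11.0_dbg_san/include/m_ctype.h:929
0x60800000d8e2 is located 66 bytes inside of 96-byte region [0x60800000d8a0,0x60800000d900)
freed by thread T34 here:
    #0 0x55a6748e8fe7 in __interceptor_free (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7963fe7)
    #1 0x55a679000a61 in my_free /test/11.0_dbg_san/mysys/my_malloc.c:213
    #2 0x14a2c5852150 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.0_dbg_san/storage/spider/spd_malloc.cc:183
    #3 0x14a2c59bcbcb in spider_db_mbase_row::~spider_db_mbase_row() /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:377
previously allocated by thread T34 here:
    #0 0x55a6748e9337 in __interceptor_malloc (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7964337)
    #1 0x55a679000703 in my_malloc /test/11.0_dbg_san/mysys/my_malloc.c:91
    #2 0x14a2c5852583 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.0_dbg_san/storage/spider/spd_malloc.cc:231
    #3 0x14a2c59d329f in spider_db_mbase_row::clone() /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:547
SUMMARY: AddressSanitizer: heap-use-after-free /test/11.0_dbg_san/strings/dtoa.c:1378 in my_strtod_int
"""
```

Running `triage(REPORT)` on the excerpt yields the last of the four UniqueIDs listed above, with the free attributed to spider_db_mbase_row::~spider_db_mbase_row (spd_db_mysql.cc:377) and the allocation to spider_db_mbase_row::clone (spd_db_mysql.cc:547). The other three IDs differ only in which of the frames sharing pc 0x55a67683d3fa (#3 to #6, i.e. inlined callees) the symbolizer reports, which is consistent with build-to-build inlining differences; a bucketing scheme keyed on function names alone therefore needs some tolerance for that, or a few more frames, before it can be trusted to deduplicate across debug and release builds.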
Link |
This issue split from |
Fix Version/s | 10.5 [ 23123 ], 10.6 [ 24028 ], 10.11 [ 27614 ], 11.1 [ 28549 ], 11.2 [ 28603 ], 11.4 [ 29301 ], 11.5 [ 29506 ], 11.0 [ 28320 ] |
Affects Version/s | 10.5 [ 23123 ], 10.6 [ 24028 ], 10.11 [ 27614 ], 11.1 [ 28549 ], 11.2 [ 28603 ], 11.4 [ 29301 ], 11.5 [ 29506 ], 11.6 [ 29515 ], 11.0 [ 28320 ] |
Description |
Split from {code:sql} SET sql_buffer_result=1; INSTALL PLUGIN Spider SONAME 'ha_spider.so'; CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock',DATABASE'',USER'',PASSWORD''); CREATE TABLE t (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB; CREATE TABLE tm (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB; CREATE TABLE t1 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",srv "srv",TABLE "t"'; CREATE TABLE t2 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",srv "srv",TABLE "tm"'; INSERT INTO t VALUES (0,1,0),(1,0,0),(2,0,0); INSERT INTO tm VALUES (0,1,0),(1,0,0),(2,0,0); SELECT * FROM t1 HAVING c1=(SELECT t.c1 AS c FROM t2 t ORDER BY (SELECT MIN(t1.c1+tt.c1) FROM t2 tt)); {code} Leads to: {noformat:title=11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Debug, UBASAN)} ==2542380==ERROR: AddressSanitizer: heap-use-after-free on address 0x60800000d8e2 at pc 0x55a6791cb837 bp 0x14a2c640c420 sp 0x14a2c640c410 READ of size 1 at 0x60800000d8e2 thread T34 #0 0x55a6791cb836 in my_strtod_int /test/11.0_dbg_san/strings/dtoa.c:1378 #1 0x55a6791cb836 in my_strtod /test/11.0_dbg_san/strings/dtoa.c:469 #2 0x55a6790d9b3f in my_strntod_8bit /test/11.0_dbg_san/strings/ctype-simple.c:800 #3 0x55a67683d3fa in charset_info_st::strntod(char*, unsigned long, char**, int*) const /test/11.0_dbg_san/include/m_ctype.h:929 #4 0x55a67683d3fa in Value_source::Converter_strntod::Converter_strntod(charset_info_st const*, char const*, unsigned long) /test/11.0_dbg_san/sql/field.h:210 #5 0x55a67683d3fa in Value_source::Converter_strntod_with_warn::Converter_strntod_with_warn(THD*, Value_source::Warn_filter, charset_info_st const*, char const*, unsigned long) /test/11.0_dbg_san/sql/field.h:281 #6 0x55a67683d3fa in Field_blob::val_real() /test/11.0_dbg_san/sql/field.cc:8743 #7 0x55a676a17a18 in Item_field::val_real() /test/11.0_dbg_san/sql/item.cc:3354 #8 0x55a676f35ed8 in Item_func_plus::real_op() /test/11.0_dbg_san/sql/item_func.cc:1103 #9 0x55a6760d1826 
in Item_func_hybrid_field_type::val_real_from_real_op() /test/11.0_dbg_san/sql/item_func.h:853 #10 0x55a6760d1826 in Type_handler_real_result::Item_func_hybrid_field_type_val_real(Item_func_hybrid_field_type*) const /test/11.0_dbg_san/sql/sql_type.cc:5458 #11 0x55a67517c7d5 in Item_func_hybrid_field_type::val_real() /test/11.0_dbg_san/sql/item_func.h:899 #12 0x55a67495e58a in Item::val_result() /test/11.0_dbg_san/sql/item.h:1792 #13 0x55a6769f2049 in Item_cache_real::cache_value() /test/11.0_dbg_san/sql/item.cc:10396 #14 0x55a67752d7e9 in Item_sum_min::add() /test/11.0_dbg_san/sql/item_sum.cc:2549 #15 0x55a6775a1e61 in Aggregator_simple::add() /test/11.0_dbg_san/sql/item_sum.h:727 #16 0x55a6753d5ac0 in Item_sum::aggregator_add() /test/11.0_dbg_san/sql/item_sum.h:571 #17 0x55a6753d5ac0 in Item_sum::reset_and_add() /test/11.0_dbg_san/sql/item_sum.h:452 #18 0x55a6753d5ac0 in init_sum_functions /test/11.0_dbg_san/sql/sql_select.cc:28582 #19 0x55a6755d34f6 in end_send_group(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:24741 #20 0x55a6753f83ef in evaluate_join_record /test/11.0_dbg_san/sql/sql_select.cc:23485 #21 0x55a6754bf299 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23252 #22 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780 #23 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900 #24 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677 #25 0x55a677453105 in subselect_single_select_engine::exec() /test/11.0_dbg_san/sql/item_subselect.cc:4157 #26 0x55a677463617 in Item_subselect::exec() /test/11.0_dbg_san/sql/item_subselect.cc:812 #27 0x55a67743f1ec in Item_singlerow_subselect::val_real() /test/11.0_dbg_san/sql/item_subselect.cc:1441 #28 0x55a67495e58a in Item::val_result() /test/11.0_dbg_san/sql/item.h:1792 #29 0x55a6769f2049 in Item_cache_real::cache_value() /test/11.0_dbg_san/sql/item.cc:10396 #30 0x55a676af47d9 in Item_cache_wrapper::cache() 
/test/11.0_dbg_san/sql/item.cc:8923 #31 0x55a676af47d9 in Item_cache_wrapper::save_val(Field*) /test/11.0_dbg_san/sql/item.cc:8949 #32 0x55a676b10a25 in Item_cache_wrapper::save_in_result_field(bool) /test/11.0_dbg_san/sql/item.h:5951 #33 0x55a6755a073a in copy_funcs(Item**, THD const*) /test/11.0_dbg_san/sql/sql_select.cc:28630 #34 0x55a6755a0a2d in end_write /test/11.0_dbg_san/sql/sql_select.cc:24770 #35 0x55a67560b440 in AGGR_OP::put_record(bool) /test/11.0_dbg_san/sql/sql_select.cc:32019 #36 0x55a67560da5b in AGGR_OP::put_record() /test/11.0_dbg_san/sql/sql_select.h:1152 #37 0x55a67560da5b in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:22953 #38 0x55a6753f83ef in evaluate_join_record /test/11.0_dbg_san/sql/sql_select.cc:23485 #39 0x55a6754bf299 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23252 #40 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780 #41 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900 #42 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677 #43 0x55a677453105 in subselect_single_select_engine::exec() /test/11.0_dbg_san/sql/item_subselect.cc:4157 #44 0x55a677463617 in Item_subselect::exec() /test/11.0_dbg_san/sql/item_subselect.cc:812 #45 0x55a6774409a4 in Item_singlerow_subselect::val_str(String*) /test/11.0_dbg_san/sql/item_subselect.cc:1484 #46 0x55a67495e7ba in Item::str_result(String*) /test/11.0_dbg_san/sql/item.h:1794 #47 0x55a676a26163 in Item_cache_str::cache_value() /test/11.0_dbg_san/sql/item.cc:10520 #48 0x55a676af7dc7 in Item_cache_wrapper::cache() /test/11.0_dbg_san/sql/item.cc:8923 #49 0x55a676af7dc7 in Item_cache_wrapper::val_str(String*) /test/11.0_dbg_san/sql/item.cc:9031 #50 0x55a676bf4ef7 in Arg_comparator::compare_string() /test/11.0_dbg_san/sql/item_cmpfunc.cc:773 #51 0x55a676c0323e in Arg_comparator::compare() /test/11.0_dbg_san/sql/item_cmpfunc.h:103 #52 0x55a676c0323e in 
Item_func_eq::val_int() /test/11.0_dbg_san/sql/item_cmpfunc.cc:1776 #53 0x55a67559dfa4 in end_send /test/11.0_dbg_san/sql/sql_select.cc:24493 #54 0x55a6753f83ef in evaluate_join_record /test/11.0_dbg_san/sql/sql_select.cc:23485 #55 0x55a67560ca45 in AGGR_OP::end_send() /test/11.0_dbg_san/sql/sql_select.cc:32100 #56 0x55a67560dfa7 in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:22947 #57 0x55a6754bf352 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23186 #58 0x55a67566d277 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22782 #59 0x55a67566d277 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900 #60 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677 #61 0x55a67565d0c1 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5158 #62 0x55a67566151c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616 #63 0x55a6751d3a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279 #64 0x55a675234ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949 #65 0x55a675264973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014 #66 0x55a675274707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894 #67 0x55a675282542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407 #68 0x55a675c578b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416 #69 0x55a675c58dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318 #70 0x14a2eb294b42 in start_thread nptl/pthread_create.c:442 #71 0x14a2eb3269ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff) 0x60800000d8e2 is 
located 66 bytes inside of 96-byte region [0x60800000d8a0,0x60800000d900) freed by thread T34 here: #0 0x55a6748e8fe7 in __interceptor_free (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7963fe7) #1 0x55a679000a61 in my_free /test/11.0_dbg_san/mysys/my_malloc.c:213 #2 0x14a2c5852150 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.0_dbg_san/storage/spider/spd_malloc.cc:183 #3 0x14a2c59bcbcb in spider_db_mbase_row::~spider_db_mbase_row() /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:377 #4 0x14a2c59bccca in spider_db_mbase_row::~spider_db_mbase_row() /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:380 #5 0x14a2c56cfaf5 in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:2783 #6 0x14a2c56ec078 in spider_db_seek_next(unsigned char*, ha_spider*, int, TABLE*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:3994 #7 0x14a2c58e33a9 in ha_spider::rnd_next_internal(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5905 #8 0x14a2c58e9597 in ha_spider::rnd_next(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5944 #9 0x55a676957c84 in handler::ha_rnd_next(unsigned char*) /test/11.0_dbg_san/sql/handler.cc:3603 #10 0x55a674b28a8b in rr_sequential(READ_RECORD*) /test/11.0_dbg_san/sql/records.cc:514 #11 0x55a6754bff49 in READ_RECORD::read_record() /test/11.0_dbg_san/sql/records.h:81 #12 0x55a6754bff49 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23269 #13 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780 #14 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900 #15 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677 #16 0x55a67565d0c1 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) 
/test/11.0_dbg_san/sql/sql_select.cc:5158 #17 0x55a67566151c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616 #18 0x55a6751d3a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279 #19 0x55a675234ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949 #20 0x55a675264973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014 #21 0x55a675274707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894 #22 0x55a675282542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407 #23 0x55a675c578b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416 #24 0x55a675c58dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318 #25 0x14a2eb294b42 in start_thread nptl/pthread_create.c:442 previously allocated by thread T34 here: #0 0x55a6748e9337 in __interceptor_malloc (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7964337) #1 0x55a679000703 in my_malloc /test/11.0_dbg_san/mysys/my_malloc.c:91 #2 0x14a2c5852583 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) 
/test/11.0_dbg_san/storage/spider/spd_malloc.cc:231 #3 0x14a2c59d329f in spider_db_mbase_row::clone() /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:547 #4 0x14a2c56dab12 in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:3378 #5 0x14a2c58e806f in ha_spider::rnd_next_internal(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5851 #6 0x14a2c58e9597 in ha_spider::rnd_next(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5944 #7 0x55a676957c84 in handler::ha_rnd_next(unsigned char*) /test/11.0_dbg_san/sql/handler.cc:3603 #8 0x55a674b28a8b in rr_sequential(READ_RECORD*) /test/11.0_dbg_san/sql/records.cc:514 #9 0x55a67558ed77 in READ_RECORD::read_record() /test/11.0_dbg_san/sql/records.h:81 #10 0x55a67558ed77 in join_init_read_record(st_join_table*) /test/11.0_dbg_san/sql/sql_select.cc:24276 #11 0x55a6754bf115 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23249 #12 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780 #13 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900 #14 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677 #15 0x55a67565d0c1 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5158 #16 0x55a67566151c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616 #17 0x55a6751d3a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279 #18 0x55a675234ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949 #19 0x55a675264973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014 #20 0x55a675274707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) 
/test/11.0_dbg_san/sql/sql_parse.cc:1894
    #21 0x55a675282542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
    #22 0x55a675c578b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
    #23 0x55a675c58dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
    #24 0x14a2eb294b42 in start_thread nptl/pthread_create.c:442

Thread T34 created by T0 here:
    #0 0x55a67488d175 in pthread_create (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7908175)
    #1 0x55a67494398b in create_thread_to_handle_connection(CONNECT*) /test/11.0_dbg_san/sql/mysqld.cc:6129
    #2 0x55a674950e67 in create_new_thread(CONNECT*) /test/11.0_dbg_san/sql/mysqld.cc:6191
    #3 0x55a6749516e7 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.0_dbg_san/sql/mysqld.cc:6253
    #4 0x55a674952738 in handle_connections_sockets() /test/11.0_dbg_san/sql/mysqld.cc:6377
    #5 0x55a674959ee7 in mysqld_main(int, char**) /test/11.0_dbg_san/sql/mysqld.cc:6024
    #6 0x55a67492eeca in main /test/11.0_dbg_san/sql/main.cc:34
    #7 0x14a2eb229d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-use-after-free /test/11.0_dbg_san/strings/dtoa.c:1378 in my_strtod_int
Shadow bytes around the buggy address:
  0x0c107fff9ac0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff9ad0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff9ae0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff9af0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff9b00: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c107fff9b10: fa fa fa fa fd fd fd fd fd fd fd fd[fd]fd fd fd
  0x0c107fff9b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2542380==ABORTING
{noformat}
This testcase produces the following UniqueID's/stacks across versions and build types (all are new):
{noformat}
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|Value_source::Converter_strntod::Converter_strntod|Value_source::Converter_strntod_with_warn::Converter_strntod_with_warn
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|charset_info_st::strntod|Value_source::Converter_strntod::Converter_strntod
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|my_strntod_8bit|Value_source::Converter_strntod::Converter_strntod
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|my_strntod_8bit|charset_info_st::strntod
{noformat}
This issue does not readily reproduce in MTR.
Split from {code:sql}
SET sql_buffer_result=1;
INSTALL PLUGIN Spider SONAME 'ha_spider.so';
CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock',DATABASE'',USER'',PASSWORD'');
CREATE TABLE t (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB;
CREATE TABLE tm (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB;
CREATE TABLE t1 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",srv "srv",TABLE "t"';
CREATE TABLE t2 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",srv "srv",TABLE "tm"';
INSERT INTO t VALUES (0,1,0),(1,0,0),(2,0,0);
INSERT INTO tm VALUES (0,1,0),(1,0,0),(2,0,0);
SELECT * FROM t1 HAVING c1=(SELECT t.c1 AS c FROM t2 t ORDER BY (SELECT MIN(t1.c1+tt.c1) FROM t2 tt));
{code}
Previously led to:
{noformat:title=11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Debug, UBASAN)}
==2542380==ERROR: AddressSanitizer: heap-use-after-free on address 0x60800000d8e2 at pc 0x55a6791cb837 bp 0x14a2c640c420 sp 0x14a2c640c410
READ of size 1 at 0x60800000d8e2 thread T34
    #0 0x55a6791cb836 in my_strtod_int /test/11.0_dbg_san/strings/dtoa.c:1378
    #1 0x55a6791cb836 in my_strtod /test/11.0_dbg_san/strings/dtoa.c:469
    #2 0x55a6790d9b3f in my_strntod_8bit /test/11.0_dbg_san/strings/ctype-simple.c:800
    #3 0x55a67683d3fa in charset_info_st::strntod(char*, unsigned long, char**, int*) const /test/11.0_dbg_san/include/m_ctype.h:929
    #4 0x55a67683d3fa in Value_source::Converter_strntod::Converter_strntod(charset_info_st const*, char const*, unsigned long) /test/11.0_dbg_san/sql/field.h:210
    #5 0x55a67683d3fa in Value_source::Converter_strntod_with_warn::Converter_strntod_with_warn(THD*, Value_source::Warn_filter, charset_info_st const*, char const*, unsigned long) /test/11.0_dbg_san/sql/field.h:281
    #6 0x55a67683d3fa in Field_blob::val_real() /test/11.0_dbg_san/sql/field.cc:8743
    #7 0x55a676a17a18 in Item_field::val_real() /test/11.0_dbg_san/sql/item.cc:3354
    #8 0x55a676f35ed8 in Item_func_plus::real_op() /test/11.0_dbg_san/sql/item_func.cc:1103
    #9 0x55a6760d1826 in Item_func_hybrid_field_type::val_real_from_real_op() /test/11.0_dbg_san/sql/item_func.h:853
    #10 0x55a6760d1826 in Type_handler_real_result::Item_func_hybrid_field_type_val_real(Item_func_hybrid_field_type*) const /test/11.0_dbg_san/sql/sql_type.cc:5458
    #11 0x55a67517c7d5 in Item_func_hybrid_field_type::val_real() /test/11.0_dbg_san/sql/item_func.h:899
    #12 0x55a67495e58a in Item::val_result() /test/11.0_dbg_san/sql/item.h:1792
    #13 0x55a6769f2049 in Item_cache_real::cache_value() /test/11.0_dbg_san/sql/item.cc:10396
    #14 0x55a67752d7e9 in Item_sum_min::add() /test/11.0_dbg_san/sql/item_sum.cc:2549
    #15 0x55a6775a1e61 in Aggregator_simple::add() /test/11.0_dbg_san/sql/item_sum.h:727
    #16 0x55a6753d5ac0 in Item_sum::aggregator_add() /test/11.0_dbg_san/sql/item_sum.h:571
    #17 0x55a6753d5ac0 in Item_sum::reset_and_add() /test/11.0_dbg_san/sql/item_sum.h:452
    #18 0x55a6753d5ac0 in init_sum_functions /test/11.0_dbg_san/sql/sql_select.cc:28582
    #19 0x55a6755d34f6 in end_send_group(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:24741
    #20 0x55a6753f83ef in evaluate_join_record /test/11.0_dbg_san/sql/sql_select.cc:23485
    #21 0x55a6754bf299 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23252
    #22 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780
    #23 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900
    #24 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677
    #25 0x55a677453105 in subselect_single_select_engine::exec() /test/11.0_dbg_san/sql/item_subselect.cc:4157
    #26 0x55a677463617 in Item_subselect::exec() /test/11.0_dbg_san/sql/item_subselect.cc:812
    #27 0x55a67743f1ec in Item_singlerow_subselect::val_real() /test/11.0_dbg_san/sql/item_subselect.cc:1441
    #28 0x55a67495e58a in Item::val_result() /test/11.0_dbg_san/sql/item.h:1792
    #29 0x55a6769f2049 in Item_cache_real::cache_value() /test/11.0_dbg_san/sql/item.cc:10396
    #30 0x55a676af47d9 in Item_cache_wrapper::cache() /test/11.0_dbg_san/sql/item.cc:8923
    #31 0x55a676af47d9 in Item_cache_wrapper::save_val(Field*) /test/11.0_dbg_san/sql/item.cc:8949
    #32 0x55a676b10a25 in Item_cache_wrapper::save_in_result_field(bool) /test/11.0_dbg_san/sql/item.h:5951
    #33 0x55a6755a073a in copy_funcs(Item**, THD const*) /test/11.0_dbg_san/sql/sql_select.cc:28630
    #34 0x55a6755a0a2d in end_write /test/11.0_dbg_san/sql/sql_select.cc:24770
    #35 0x55a67560b440 in AGGR_OP::put_record(bool) /test/11.0_dbg_san/sql/sql_select.cc:32019
    #36 0x55a67560da5b in AGGR_OP::put_record() /test/11.0_dbg_san/sql/sql_select.h:1152
    #37 0x55a67560da5b in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:22953
    #38 0x55a6753f83ef in evaluate_join_record /test/11.0_dbg_san/sql/sql_select.cc:23485
    #39 0x55a6754bf299 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23252
    #40 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780
    #41 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900
    #42 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677
    #43 0x55a677453105 in subselect_single_select_engine::exec() /test/11.0_dbg_san/sql/item_subselect.cc:4157
    #44 0x55a677463617 in Item_subselect::exec() /test/11.0_dbg_san/sql/item_subselect.cc:812
    #45 0x55a6774409a4 in Item_singlerow_subselect::val_str(String*) /test/11.0_dbg_san/sql/item_subselect.cc:1484
    #46 0x55a67495e7ba in Item::str_result(String*) /test/11.0_dbg_san/sql/item.h:1794
    #47 0x55a676a26163 in Item_cache_str::cache_value() /test/11.0_dbg_san/sql/item.cc:10520
    #48 0x55a676af7dc7 in Item_cache_wrapper::cache() /test/11.0_dbg_san/sql/item.cc:8923
    #49 0x55a676af7dc7 in Item_cache_wrapper::val_str(String*) /test/11.0_dbg_san/sql/item.cc:9031
    #50 0x55a676bf4ef7 in Arg_comparator::compare_string() /test/11.0_dbg_san/sql/item_cmpfunc.cc:773
    #51 0x55a676c0323e in Arg_comparator::compare() /test/11.0_dbg_san/sql/item_cmpfunc.h:103
    #52 0x55a676c0323e in Item_func_eq::val_int() /test/11.0_dbg_san/sql/item_cmpfunc.cc:1776
    #53 0x55a67559dfa4 in end_send /test/11.0_dbg_san/sql/sql_select.cc:24493
    #54 0x55a6753f83ef in evaluate_join_record /test/11.0_dbg_san/sql/sql_select.cc:23485
    #55 0x55a67560ca45 in AGGR_OP::end_send() /test/11.0_dbg_san/sql/sql_select.cc:32100
    #56 0x55a67560dfa7 in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:22947
    #57 0x55a6754bf352 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23186
    #58 0x55a67566d277 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22782
    #59 0x55a67566d277 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900
    #60 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677
    #61 0x55a67565d0c1 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5158
    #62 0x55a67566151c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616
    #63 0x55a6751d3a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279
    #64 0x55a675234ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949
    #65 0x55a675264973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014
    #66 0x55a675274707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
    #67 0x55a675282542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
    #68 0x55a675c578b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
    #69 0x55a675c58dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
    #70 0x14a2eb294b42 in start_thread nptl/pthread_create.c:442
    #71 0x14a2eb3269ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)

0x60800000d8e2 is located 66 bytes inside of 96-byte region [0x60800000d8a0,0x60800000d900)
freed by thread T34 here:
    #0 0x55a6748e8fe7 in __interceptor_free (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7963fe7)
    #1 0x55a679000a61 in my_free /test/11.0_dbg_san/mysys/my_malloc.c:213
    #2 0x14a2c5852150 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.0_dbg_san/storage/spider/spd_malloc.cc:183
    #3 0x14a2c59bcbcb in spider_db_mbase_row::~spider_db_mbase_row() /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:377
    #4 0x14a2c59bccca in spider_db_mbase_row::~spider_db_mbase_row() /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:380
    #5 0x14a2c56cfaf5 in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:2783
    #6 0x14a2c56ec078 in spider_db_seek_next(unsigned char*, ha_spider*, int, TABLE*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:3994
    #7 0x14a2c58e33a9 in ha_spider::rnd_next_internal(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5905
    #8 0x14a2c58e9597 in ha_spider::rnd_next(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5944
    #9 0x55a676957c84 in handler::ha_rnd_next(unsigned char*) /test/11.0_dbg_san/sql/handler.cc:3603
    #10 0x55a674b28a8b in rr_sequential(READ_RECORD*) /test/11.0_dbg_san/sql/records.cc:514
    #11 0x55a6754bff49 in READ_RECORD::read_record() /test/11.0_dbg_san/sql/records.h:81
    #12 0x55a6754bff49 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23269
    #13 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780
    #14 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900
    #15 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677
    #16 0x55a67565d0c1 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5158
    #17 0x55a67566151c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616
    #18 0x55a6751d3a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279
    #19 0x55a675234ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949
    #20 0x55a675264973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014
    #21 0x55a675274707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
    #22 0x55a675282542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
    #23 0x55a675c578b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
    #24 0x55a675c58dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
    #25 0x14a2eb294b42 in start_thread nptl/pthread_create.c:442

previously allocated by thread T34 here:
    #0 0x55a6748e9337 in __interceptor_malloc (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7964337)
    #1 0x55a679000703 in my_malloc /test/11.0_dbg_san/mysys/my_malloc.c:91
    #2 0x14a2c5852583 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.0_dbg_san/storage/spider/spd_malloc.cc:231
    #3 0x14a2c59d329f in spider_db_mbase_row::clone() /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:547
    #4 0x14a2c56dab12 in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:3378
    #5 0x14a2c58e806f in ha_spider::rnd_next_internal(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5851
    #6 0x14a2c58e9597 in ha_spider::rnd_next(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5944
    #7 0x55a676957c84 in handler::ha_rnd_next(unsigned char*) /test/11.0_dbg_san/sql/handler.cc:3603
    #8 0x55a674b28a8b in rr_sequential(READ_RECORD*) /test/11.0_dbg_san/sql/records.cc:514
    #9 0x55a67558ed77 in READ_RECORD::read_record() /test/11.0_dbg_san/sql/records.h:81
    #10 0x55a67558ed77 in join_init_read_record(st_join_table*) /test/11.0_dbg_san/sql/sql_select.cc:24276
    #11 0x55a6754bf115 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23249
    #12 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780
    #13 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900
    #14 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677
    #15 0x55a67565d0c1 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5158
    #16 0x55a67566151c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616
    #17 0x55a6751d3a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279
    #18 0x55a675234ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949
    #19 0x55a675264973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014
    #20 0x55a675274707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
    #21 0x55a675282542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
    #22 0x55a675c578b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
    #23 0x55a675c58dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
    #24 0x14a2eb294b42 in start_thread nptl/pthread_create.c:442

Thread T34 created by T0 here:
    #0 0x55a67488d175 in pthread_create (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7908175)
    #1 0x55a67494398b in create_thread_to_handle_connection(CONNECT*) /test/11.0_dbg_san/sql/mysqld.cc:6129
    #2 0x55a674950e67 in create_new_thread(CONNECT*) /test/11.0_dbg_san/sql/mysqld.cc:6191
    #3 0x55a6749516e7 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.0_dbg_san/sql/mysqld.cc:6253
    #4 0x55a674952738 in handle_connections_sockets() /test/11.0_dbg_san/sql/mysqld.cc:6377
    #5 0x55a674959ee7 in mysqld_main(int, char**) /test/11.0_dbg_san/sql/mysqld.cc:6024
    #6 0x55a67492eeca in main /test/11.0_dbg_san/sql/main.cc:34
    #7 0x14a2eb229d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-use-after-free /test/11.0_dbg_san/strings/dtoa.c:1378 in my_strtod_int
Shadow bytes around the buggy address:
  0x0c107fff9ac0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff9ad0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff9ae0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff9af0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff9b00: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c107fff9b10: fa fa fa fa fd fd fd fd fd fd fd fd[fd]fd fd fd
  0x0c107fff9b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2542380==ABORTING
{noformat}
And these UniqueID's/stacks across versions and build types:
{noformat}
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|Value_source::Converter_strntod::Converter_strntod|Value_source::Converter_strntod_with_warn::Converter_strntod_with_warn
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|charset_info_st::strntod|Value_source::Converter_strntod::Converter_strntod
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|my_strntod_8bit|Value_source::Converter_strntod::Converter_strntod
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|my_strntod_8bit|charset_info_st::strntod
{noformat}
However, with newer builds we now (18/7/24) see:
{noformat}
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|charset_info_st::strntod|Value_source::Converter_strntod::Converter_strntod
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|my_strntod_8bit|charset_info_st::strntod
{noformat}
Which look like MDEV-32759.
Link | This issue relates to MDEV-32759 [ MDEV-32759 ] |
Description |
Split from {code:sql} SET sql_buffer_result=1; INSTALL PLUGIN Spider SONAME 'ha_spider.so'; CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock',DATABASE'',USER'',PASSWORD''); CREATE TABLE t (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB; CREATE TABLE tm (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB; CREATE TABLE t1 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",srv "srv",TABLE "t"'; CREATE TABLE t2 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",srv "srv",TABLE "tm"'; INSERT INTO t VALUES (0,1,0),(1,0,0),(2,0,0); INSERT INTO tm VALUES (0,1,0),(1,0,0),(2,0,0); SELECT * FROM t1 HAVING c1=(SELECT t.c1 AS c FROM t2 t ORDER BY (SELECT MIN(t1.c1+tt.c1) FROM t2 tt)); {code} Previously led to: {noformat:title=11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Debug, UBASAN)} ==2542380==ERROR: AddressSanitizer: heap-use-after-free on address 0x60800000d8e2 at pc 0x55a6791cb837 bp 0x14a2c640c420 sp 0x14a2c640c410 READ of size 1 at 0x60800000d8e2 thread T34 #0 0x55a6791cb836 in my_strtod_int /test/11.0_dbg_san/strings/dtoa.c:1378 #1 0x55a6791cb836 in my_strtod /test/11.0_dbg_san/strings/dtoa.c:469 #2 0x55a6790d9b3f in my_strntod_8bit /test/11.0_dbg_san/strings/ctype-simple.c:800 #3 0x55a67683d3fa in charset_info_st::strntod(char*, unsigned long, char**, int*) const /test/11.0_dbg_san/include/m_ctype.h:929 #4 0x55a67683d3fa in Value_source::Converter_strntod::Converter_strntod(charset_info_st const*, char const*, unsigned long) /test/11.0_dbg_san/sql/field.h:210 #5 0x55a67683d3fa in Value_source::Converter_strntod_with_warn::Converter_strntod_with_warn(THD*, Value_source::Warn_filter, charset_info_st const*, char const*, unsigned long) /test/11.0_dbg_san/sql/field.h:281 #6 0x55a67683d3fa in Field_blob::val_real() /test/11.0_dbg_san/sql/field.cc:8743 #7 0x55a676a17a18 in Item_field::val_real() /test/11.0_dbg_san/sql/item.cc:3354 #8 0x55a676f35ed8 in Item_func_plus::real_op() /test/11.0_dbg_san/sql/item_func.cc:1103 #9 
0x55a6760d1826 in Item_func_hybrid_field_type::val_real_from_real_op() /test/11.0_dbg_san/sql/item_func.h:853 #10 0x55a6760d1826 in Type_handler_real_result::Item_func_hybrid_field_type_val_real(Item_func_hybrid_field_type*) const /test/11.0_dbg_san/sql/sql_type.cc:5458 #11 0x55a67517c7d5 in Item_func_hybrid_field_type::val_real() /test/11.0_dbg_san/sql/item_func.h:899 #12 0x55a67495e58a in Item::val_result() /test/11.0_dbg_san/sql/item.h:1792 #13 0x55a6769f2049 in Item_cache_real::cache_value() /test/11.0_dbg_san/sql/item.cc:10396 #14 0x55a67752d7e9 in Item_sum_min::add() /test/11.0_dbg_san/sql/item_sum.cc:2549 #15 0x55a6775a1e61 in Aggregator_simple::add() /test/11.0_dbg_san/sql/item_sum.h:727 #16 0x55a6753d5ac0 in Item_sum::aggregator_add() /test/11.0_dbg_san/sql/item_sum.h:571 #17 0x55a6753d5ac0 in Item_sum::reset_and_add() /test/11.0_dbg_san/sql/item_sum.h:452 #18 0x55a6753d5ac0 in init_sum_functions /test/11.0_dbg_san/sql/sql_select.cc:28582 #19 0x55a6755d34f6 in end_send_group(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:24741 #20 0x55a6753f83ef in evaluate_join_record /test/11.0_dbg_san/sql/sql_select.cc:23485 #21 0x55a6754bf299 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23252 #22 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780 #23 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900 #24 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677 #25 0x55a677453105 in subselect_single_select_engine::exec() /test/11.0_dbg_san/sql/item_subselect.cc:4157 #26 0x55a677463617 in Item_subselect::exec() /test/11.0_dbg_san/sql/item_subselect.cc:812 #27 0x55a67743f1ec in Item_singlerow_subselect::val_real() /test/11.0_dbg_san/sql/item_subselect.cc:1441 #28 0x55a67495e58a in Item::val_result() /test/11.0_dbg_san/sql/item.h:1792 #29 0x55a6769f2049 in Item_cache_real::cache_value() /test/11.0_dbg_san/sql/item.cc:10396 #30 0x55a676af47d9 in 
Item_cache_wrapper::cache() /test/11.0_dbg_san/sql/item.cc:8923 #31 0x55a676af47d9 in Item_cache_wrapper::save_val(Field*) /test/11.0_dbg_san/sql/item.cc:8949 #32 0x55a676b10a25 in Item_cache_wrapper::save_in_result_field(bool) /test/11.0_dbg_san/sql/item.h:5951 #33 0x55a6755a073a in copy_funcs(Item**, THD const*) /test/11.0_dbg_san/sql/sql_select.cc:28630 #34 0x55a6755a0a2d in end_write /test/11.0_dbg_san/sql/sql_select.cc:24770 #35 0x55a67560b440 in AGGR_OP::put_record(bool) /test/11.0_dbg_san/sql/sql_select.cc:32019 #36 0x55a67560da5b in AGGR_OP::put_record() /test/11.0_dbg_san/sql/sql_select.h:1152 #37 0x55a67560da5b in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:22953 #38 0x55a6753f83ef in evaluate_join_record /test/11.0_dbg_san/sql/sql_select.cc:23485 #39 0x55a6754bf299 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23252 #40 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780 #41 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900 #42 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677 #43 0x55a677453105 in subselect_single_select_engine::exec() /test/11.0_dbg_san/sql/item_subselect.cc:4157 #44 0x55a677463617 in Item_subselect::exec() /test/11.0_dbg_san/sql/item_subselect.cc:812 #45 0x55a6774409a4 in Item_singlerow_subselect::val_str(String*) /test/11.0_dbg_san/sql/item_subselect.cc:1484 #46 0x55a67495e7ba in Item::str_result(String*) /test/11.0_dbg_san/sql/item.h:1794 #47 0x55a676a26163 in Item_cache_str::cache_value() /test/11.0_dbg_san/sql/item.cc:10520 #48 0x55a676af7dc7 in Item_cache_wrapper::cache() /test/11.0_dbg_san/sql/item.cc:8923 #49 0x55a676af7dc7 in Item_cache_wrapper::val_str(String*) /test/11.0_dbg_san/sql/item.cc:9031 #50 0x55a676bf4ef7 in Arg_comparator::compare_string() /test/11.0_dbg_san/sql/item_cmpfunc.cc:773 #51 0x55a676c0323e in Arg_comparator::compare() 
/test/11.0_dbg_san/sql/item_cmpfunc.h:103 #52 0x55a676c0323e in Item_func_eq::val_int() /test/11.0_dbg_san/sql/item_cmpfunc.cc:1776 #53 0x55a67559dfa4 in end_send /test/11.0_dbg_san/sql/sql_select.cc:24493 #54 0x55a6753f83ef in evaluate_join_record /test/11.0_dbg_san/sql/sql_select.cc:23485 #55 0x55a67560ca45 in AGGR_OP::end_send() /test/11.0_dbg_san/sql/sql_select.cc:32100 #56 0x55a67560dfa7 in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:22947 #57 0x55a6754bf352 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23186 #58 0x55a67566d277 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22782 #59 0x55a67566d277 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900 #60 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677 #61 0x55a67565d0c1 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5158 #62 0x55a67566151c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616 #63 0x55a6751d3a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279 #64 0x55a675234ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949 #65 0x55a675264973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014 #66 0x55a675274707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894 #67 0x55a675282542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407 #68 0x55a675c578b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416 #69 0x55a675c58dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318 #70 0x14a2eb294b42 in start_thread nptl/pthread_create.c:442 #71 0x14a2eb3269ff 
(/lib/x86_64-linux-gnu/libc.so.6+0x1269ff) 0x60800000d8e2 is located 66 bytes inside of 96-byte region [0x60800000d8a0,0x60800000d900) freed by thread T34 here: #0 0x55a6748e8fe7 in __interceptor_free (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7963fe7) #1 0x55a679000a61 in my_free /test/11.0_dbg_san/mysys/my_malloc.c:213 #2 0x14a2c5852150 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.0_dbg_san/storage/spider/spd_malloc.cc:183 #3 0x14a2c59bcbcb in spider_db_mbase_row::~spider_db_mbase_row() /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:377 #4 0x14a2c59bccca in spider_db_mbase_row::~spider_db_mbase_row() /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:380 #5 0x14a2c56cfaf5 in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:2783 #6 0x14a2c56ec078 in spider_db_seek_next(unsigned char*, ha_spider*, int, TABLE*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:3994 #7 0x14a2c58e33a9 in ha_spider::rnd_next_internal(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5905 #8 0x14a2c58e9597 in ha_spider::rnd_next(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5944 #9 0x55a676957c84 in handler::ha_rnd_next(unsigned char*) /test/11.0_dbg_san/sql/handler.cc:3603 #10 0x55a674b28a8b in rr_sequential(READ_RECORD*) /test/11.0_dbg_san/sql/records.cc:514 #11 0x55a6754bff49 in READ_RECORD::read_record() /test/11.0_dbg_san/sql/records.h:81 #12 0x55a6754bff49 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23269 #13 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780 #14 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900 #15 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677 #16 0x55a67565d0c1 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, 
select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5158 #17 0x55a67566151c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616 #18 0x55a6751d3a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279 #19 0x55a675234ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949 #20 0x55a675264973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014 #21 0x55a675274707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894 #22 0x55a675282542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407 #23 0x55a675c578b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416 #24 0x55a675c58dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318 #25 0x14a2eb294b42 in start_thread nptl/pthread_create.c:442 previously allocated by thread T34 here: #0 0x55a6748e9337 in __interceptor_malloc (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7964337) #1 0x55a679000703 in my_malloc /test/11.0_dbg_san/mysys/my_malloc.c:91 #2 0x14a2c5852583 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) 
/test/11.0_dbg_san/storage/spider/spd_malloc.cc:231 #3 0x14a2c59d329f in spider_db_mbase_row::clone() /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:547 #4 0x14a2c56dab12 in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:3378 #5 0x14a2c58e806f in ha_spider::rnd_next_internal(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5851 #6 0x14a2c58e9597 in ha_spider::rnd_next(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5944 #7 0x55a676957c84 in handler::ha_rnd_next(unsigned char*) /test/11.0_dbg_san/sql/handler.cc:3603 #8 0x55a674b28a8b in rr_sequential(READ_RECORD*) /test/11.0_dbg_san/sql/records.cc:514 #9 0x55a67558ed77 in READ_RECORD::read_record() /test/11.0_dbg_san/sql/records.h:81 #10 0x55a67558ed77 in join_init_read_record(st_join_table*) /test/11.0_dbg_san/sql/sql_select.cc:24276 #11 0x55a6754bf115 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23249 #12 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780 #13 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900 #14 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677 #15 0x55a67565d0c1 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5158 #16 0x55a67566151c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616 #17 0x55a6751d3a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279 #18 0x55a675234ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949 #19 0x55a675264973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014 #20 0x55a675274707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) 
/test/11.0_dbg_san/sql/sql_parse.cc:1894
#21 0x55a675282542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
#22 0x55a675c578b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
#23 0x55a675c58dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
#24 0x14a2eb294b42 in start_thread nptl/pthread_create.c:442

Thread T34 created by T0 here:
#0 0x55a67488d175 in pthread_create (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7908175)
#1 0x55a67494398b in create_thread_to_handle_connection(CONNECT*) /test/11.0_dbg_san/sql/mysqld.cc:6129
#2 0x55a674950e67 in create_new_thread(CONNECT*) /test/11.0_dbg_san/sql/mysqld.cc:6191
#3 0x55a6749516e7 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.0_dbg_san/sql/mysqld.cc:6253
#4 0x55a674952738 in handle_connections_sockets() /test/11.0_dbg_san/sql/mysqld.cc:6377
#5 0x55a674959ee7 in mysqld_main(int, char**) /test/11.0_dbg_san/sql/mysqld.cc:6024
#6 0x55a67492eeca in main /test/11.0_dbg_san/sql/main.cc:34
#7 0x14a2eb229d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-use-after-free /test/11.0_dbg_san/strings/dtoa.c:1378 in my_strtod_int
Shadow bytes around the buggy address:
  0x0c107fff9ac0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff9ad0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff9ae0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff9af0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff9b00: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c107fff9b10: fa fa fa fa fd fd fd fd fd fd fd fd[fd]fd fd fd
  0x0c107fff9b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2542380==ABORTING
{noformat}
And these UniqueIDs/stacks across versions and build types:
{noformat}
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|Value_source::Converter_strntod::Converter_strntod|Value_source::Converter_strntod_with_warn::Converter_strntod_with_warn
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|charset_info_st::strntod|Value_source::Converter_strntod::Converter_strntod
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|my_strntod_8bit|Value_source::Converter_strntod::Converter_strntod
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|my_strntod_8bit|charset_info_st::strntod
{noformat}
However, with newer builds we now (18/7/24) see:
{noformat}
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|charset_info_st::strntod|Value_source::Converter_strntod::Converter_strntod
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|my_strntod_8bit|charset_info_st::strntod
{noformat}
These look like MDEV-32759.
Split from
{code:sql}
SET sql_buffer_result=1;
INSTALL PLUGIN Spider SONAME 'ha_spider.so';
CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock',DATABASE'',USER'',PASSWORD'');
CREATE TABLE t (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB;
CREATE TABLE tm (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB;
CREATE TABLE t1 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",srv "srv",TABLE "t"';
CREATE TABLE t2 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",srv "srv",TABLE "tm"';
INSERT INTO t VALUES (0,1,0),(1,0,0),(2,0,0);
INSERT INTO tm VALUES (0,1,0),(1,0,0),(2,0,0);
SELECT * FROM t1 HAVING c1=(SELECT t.c1 AS c FROM t2 t ORDER BY (SELECT MIN(t1.c1+tt.c1) FROM t2 tt));
{code}
Previously led to:
{noformat:title=11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Debug, UBASAN)}
==2542380==ERROR: AddressSanitizer: heap-use-after-free on address 0x60800000d8e2 at pc 0x55a6791cb837 bp 0x14a2c640c420 sp 0x14a2c640c410
READ of size 1 at 0x60800000d8e2 thread T34
#0 0x55a6791cb836 in my_strtod_int /test/11.0_dbg_san/strings/dtoa.c:1378
#1 0x55a6791cb836 in my_strtod /test/11.0_dbg_san/strings/dtoa.c:469
#2 0x55a6790d9b3f in my_strntod_8bit /test/11.0_dbg_san/strings/ctype-simple.c:800
#3 0x55a67683d3fa in charset_info_st::strntod(char*, unsigned long, char**, int*) const /test/11.0_dbg_san/include/m_ctype.h:929
#4 0x55a67683d3fa in Value_source::Converter_strntod::Converter_strntod(charset_info_st const*, char const*, unsigned long) /test/11.0_dbg_san/sql/field.h:210
#5 0x55a67683d3fa in Value_source::Converter_strntod_with_warn::Converter_strntod_with_warn(THD*, Value_source::Warn_filter, charset_info_st const*, char const*, unsigned long) /test/11.0_dbg_san/sql/field.h:281
#6 0x55a67683d3fa in Field_blob::val_real() /test/11.0_dbg_san/sql/field.cc:8743
#7 0x55a676a17a18 in Item_field::val_real() /test/11.0_dbg_san/sql/item.cc:3354
#8 0x55a676f35ed8 in Item_func_plus::real_op() /test/11.0_dbg_san/sql/item_func.cc:1103
#9 0x55a6760d1826 in Item_func_hybrid_field_type::val_real_from_real_op() /test/11.0_dbg_san/sql/item_func.h:853
#10 0x55a6760d1826 in Type_handler_real_result::Item_func_hybrid_field_type_val_real(Item_func_hybrid_field_type*) const /test/11.0_dbg_san/sql/sql_type.cc:5458
#11 0x55a67517c7d5 in Item_func_hybrid_field_type::val_real() /test/11.0_dbg_san/sql/item_func.h:899
#12 0x55a67495e58a in Item::val_result() /test/11.0_dbg_san/sql/item.h:1792
#13 0x55a6769f2049 in Item_cache_real::cache_value() /test/11.0_dbg_san/sql/item.cc:10396
#14 0x55a67752d7e9 in Item_sum_min::add() /test/11.0_dbg_san/sql/item_sum.cc:2549
#15 0x55a6775a1e61 in Aggregator_simple::add() /test/11.0_dbg_san/sql/item_sum.h:727
#16 0x55a6753d5ac0 in Item_sum::aggregator_add() /test/11.0_dbg_san/sql/item_sum.h:571
#17 0x55a6753d5ac0 in Item_sum::reset_and_add() /test/11.0_dbg_san/sql/item_sum.h:452
#18 0x55a6753d5ac0 in init_sum_functions /test/11.0_dbg_san/sql/sql_select.cc:28582
#19 0x55a6755d34f6 in end_send_group(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:24741
#20 0x55a6753f83ef in evaluate_join_record /test/11.0_dbg_san/sql/sql_select.cc:23485
#21 0x55a6754bf299 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23252
#22 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780
#23 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900
#24 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677
#25 0x55a677453105 in subselect_single_select_engine::exec() /test/11.0_dbg_san/sql/item_subselect.cc:4157
#26 0x55a677463617 in Item_subselect::exec() /test/11.0_dbg_san/sql/item_subselect.cc:812
#27 0x55a67743f1ec in Item_singlerow_subselect::val_real() /test/11.0_dbg_san/sql/item_subselect.cc:1441
#28 0x55a67495e58a in Item::val_result() /test/11.0_dbg_san/sql/item.h:1792
#29 0x55a6769f2049 in Item_cache_real::cache_value() /test/11.0_dbg_san/sql/item.cc:10396
#30 0x55a676af47d9 in Item_cache_wrapper::cache() /test/11.0_dbg_san/sql/item.cc:8923
#31 0x55a676af47d9 in Item_cache_wrapper::save_val(Field*) /test/11.0_dbg_san/sql/item.cc:8949
#32 0x55a676b10a25 in Item_cache_wrapper::save_in_result_field(bool) /test/11.0_dbg_san/sql/item.h:5951
#33 0x55a6755a073a in copy_funcs(Item**, THD const*) /test/11.0_dbg_san/sql/sql_select.cc:28630
#34 0x55a6755a0a2d in end_write /test/11.0_dbg_san/sql/sql_select.cc:24770
#35 0x55a67560b440 in AGGR_OP::put_record(bool) /test/11.0_dbg_san/sql/sql_select.cc:32019
#36 0x55a67560da5b in AGGR_OP::put_record() /test/11.0_dbg_san/sql/sql_select.h:1152
#37 0x55a67560da5b in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:22953
#38 0x55a6753f83ef in evaluate_join_record /test/11.0_dbg_san/sql/sql_select.cc:23485
#39 0x55a6754bf299 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23252
#40 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780
#41 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900
#42 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677
#43 0x55a677453105 in subselect_single_select_engine::exec() /test/11.0_dbg_san/sql/item_subselect.cc:4157
#44 0x55a677463617 in Item_subselect::exec() /test/11.0_dbg_san/sql/item_subselect.cc:812
#45 0x55a6774409a4 in Item_singlerow_subselect::val_str(String*) /test/11.0_dbg_san/sql/item_subselect.cc:1484
#46 0x55a67495e7ba in Item::str_result(String*) /test/11.0_dbg_san/sql/item.h:1794
#47 0x55a676a26163 in Item_cache_str::cache_value() /test/11.0_dbg_san/sql/item.cc:10520
#48 0x55a676af7dc7 in Item_cache_wrapper::cache() /test/11.0_dbg_san/sql/item.cc:8923
#49 0x55a676af7dc7 in Item_cache_wrapper::val_str(String*) /test/11.0_dbg_san/sql/item.cc:9031
#50 0x55a676bf4ef7 in Arg_comparator::compare_string() /test/11.0_dbg_san/sql/item_cmpfunc.cc:773
#51 0x55a676c0323e in Arg_comparator::compare() /test/11.0_dbg_san/sql/item_cmpfunc.h:103
#52 0x55a676c0323e in Item_func_eq::val_int() /test/11.0_dbg_san/sql/item_cmpfunc.cc:1776
#53 0x55a67559dfa4 in end_send /test/11.0_dbg_san/sql/sql_select.cc:24493
#54 0x55a6753f83ef in evaluate_join_record /test/11.0_dbg_san/sql/sql_select.cc:23485
#55 0x55a67560ca45 in AGGR_OP::end_send() /test/11.0_dbg_san/sql/sql_select.cc:32100
#56 0x55a67560dfa7 in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:22947
#57 0x55a6754bf352 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23186
#58 0x55a67566d277 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22782
#59 0x55a67566d277 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900
#60 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677
#61 0x55a67565d0c1 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5158
#62 0x55a67566151c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616
#63 0x55a6751d3a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279
#64 0x55a675234ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949
#65 0x55a675264973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014
#66 0x55a675274707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
#67 0x55a675282542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
#68 0x55a675c578b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
#69 0x55a675c58dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
#70 0x14a2eb294b42 in start_thread nptl/pthread_create.c:442
#71 0x14a2eb3269ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)

0x60800000d8e2 is located 66 bytes inside of 96-byte region [0x60800000d8a0,0x60800000d900)
freed by thread T34 here:
#0 0x55a6748e8fe7 in __interceptor_free (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7963fe7)
#1 0x55a679000a61 in my_free /test/11.0_dbg_san/mysys/my_malloc.c:213
#2 0x14a2c5852150 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.0_dbg_san/storage/spider/spd_malloc.cc:183
#3 0x14a2c59bcbcb in spider_db_mbase_row::~spider_db_mbase_row() /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:377
#4 0x14a2c59bccca in spider_db_mbase_row::~spider_db_mbase_row() /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:380
#5 0x14a2c56cfaf5 in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:2783
#6 0x14a2c56ec078 in spider_db_seek_next(unsigned char*, ha_spider*, int, TABLE*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:3994
#7 0x14a2c58e33a9 in ha_spider::rnd_next_internal(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5905
#8 0x14a2c58e9597 in ha_spider::rnd_next(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5944
#9 0x55a676957c84 in handler::ha_rnd_next(unsigned char*) /test/11.0_dbg_san/sql/handler.cc:3603
#10 0x55a674b28a8b in rr_sequential(READ_RECORD*) /test/11.0_dbg_san/sql/records.cc:514
#11 0x55a6754bff49 in READ_RECORD::read_record() /test/11.0_dbg_san/sql/records.h:81
#12 0x55a6754bff49 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23269
#13 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780
#14 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900
#15 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677
#16 0x55a67565d0c1 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5158
#17 0x55a67566151c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616
#18 0x55a6751d3a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279
#19 0x55a675234ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949
#20 0x55a675264973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014
#21 0x55a675274707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
#22 0x55a675282542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
#23 0x55a675c578b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
#24 0x55a675c58dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
#25 0x14a2eb294b42 in start_thread nptl/pthread_create.c:442

previously allocated by thread T34 here:
#0 0x55a6748e9337 in __interceptor_malloc (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7964337)
#1 0x55a679000703 in my_malloc /test/11.0_dbg_san/mysys/my_malloc.c:91
#2 0x14a2c5852583 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.0_dbg_san/storage/spider/spd_malloc.cc:231
#3 0x14a2c59d329f in spider_db_mbase_row::clone() /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:547
#4 0x14a2c56dab12 in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:3378
#5 0x14a2c58e806f in ha_spider::rnd_next_internal(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5851
#6 0x14a2c58e9597 in ha_spider::rnd_next(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5944
#7 0x55a676957c84 in handler::ha_rnd_next(unsigned char*) /test/11.0_dbg_san/sql/handler.cc:3603
#8 0x55a674b28a8b in rr_sequential(READ_RECORD*) /test/11.0_dbg_san/sql/records.cc:514
#9 0x55a67558ed77 in READ_RECORD::read_record() /test/11.0_dbg_san/sql/records.h:81
#10 0x55a67558ed77 in join_init_read_record(st_join_table*) /test/11.0_dbg_san/sql/sql_select.cc:24276
#11 0x55a6754bf115 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23249
#12 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780
#13 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900
#14 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677
#15 0x55a67565d0c1 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5158
#16 0x55a67566151c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616
#17 0x55a6751d3a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279
#18 0x55a675234ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949
#19 0x55a675264973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014
#20 0x55a675274707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
#21 0x55a675282542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
#22 0x55a675c578b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
#23 0x55a675c58dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
#24 0x14a2eb294b42 in start_thread nptl/pthread_create.c:442

Thread T34 created by T0 here:
#0 0x55a67488d175 in pthread_create (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7908175)
#1 0x55a67494398b in create_thread_to_handle_connection(CONNECT*) /test/11.0_dbg_san/sql/mysqld.cc:6129
#2 0x55a674950e67 in create_new_thread(CONNECT*) /test/11.0_dbg_san/sql/mysqld.cc:6191
#3 0x55a6749516e7 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.0_dbg_san/sql/mysqld.cc:6253
#4 0x55a674952738 in handle_connections_sockets() /test/11.0_dbg_san/sql/mysqld.cc:6377
#5 0x55a674959ee7 in mysqld_main(int, char**) /test/11.0_dbg_san/sql/mysqld.cc:6024
#6 0x55a67492eeca in main /test/11.0_dbg_san/sql/main.cc:34
#7 0x14a2eb229d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-use-after-free /test/11.0_dbg_san/strings/dtoa.c:1378 in my_strtod_int
Shadow bytes around the buggy address:
  0x0c107fff9ac0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff9ad0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff9ae0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff9af0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff9b00: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c107fff9b10: fa fa fa fa fd fd fd fd fd fd fd fd[fd]fd fd fd
  0x0c107fff9b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2542380==ABORTING
{noformat}
And these UniqueIDs/stacks across versions and build types:
{noformat}
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|Value_source::Converter_strntod::Converter_strntod|Value_source::Converter_strntod_with_warn::Converter_strntod_with_warn
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|charset_info_st::strntod|Value_source::Converter_strntod::Converter_strntod
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|my_strntod_8bit|Value_source::Converter_strntod::Converter_strntod
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|my_strntod_8bit|charset_info_st::strntod
{noformat}
However, with newer builds we now (18/7/24) see:
{noformat}
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|charset_info_st::strntod|Value_source::Converter_strntod::Converter_strntod
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|my_strntod_8bit|charset_info_st::strntod
{noformat}
These look like MDEV-32759; however, no AVG() is used here.
Description |
Split from {code:sql} SET sql_buffer_result=1; INSTALL PLUGIN Spider SONAME 'ha_spider.so'; CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock',DATABASE'',USER'',PASSWORD''); CREATE TABLE t (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB; CREATE TABLE tm (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB; CREATE TABLE t1 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",srv "srv",TABLE "t"'; CREATE TABLE t2 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",srv "srv",TABLE "tm"'; INSERT INTO t VALUES (0,1,0),(1,0,0),(2,0,0); INSERT INTO tm VALUES (0,1,0),(1,0,0),(2,0,0); SELECT * FROM t1 HAVING c1=(SELECT t.c1 AS c FROM t2 t ORDER BY (SELECT MIN(t1.c1+tt.c1) FROM t2 tt)); {code} Previously led to: {noformat:title=11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Debug, UBASAN)} ==2542380==ERROR: AddressSanitizer: heap-use-after-free on address 0x60800000d8e2 at pc 0x55a6791cb837 bp 0x14a2c640c420 sp 0x14a2c640c410 READ of size 1 at 0x60800000d8e2 thread T34 #0 0x55a6791cb836 in my_strtod_int /test/11.0_dbg_san/strings/dtoa.c:1378 #1 0x55a6791cb836 in my_strtod /test/11.0_dbg_san/strings/dtoa.c:469 #2 0x55a6790d9b3f in my_strntod_8bit /test/11.0_dbg_san/strings/ctype-simple.c:800 #3 0x55a67683d3fa in charset_info_st::strntod(char*, unsigned long, char**, int*) const /test/11.0_dbg_san/include/m_ctype.h:929 #4 0x55a67683d3fa in Value_source::Converter_strntod::Converter_strntod(charset_info_st const*, char const*, unsigned long) /test/11.0_dbg_san/sql/field.h:210 #5 0x55a67683d3fa in Value_source::Converter_strntod_with_warn::Converter_strntod_with_warn(THD*, Value_source::Warn_filter, charset_info_st const*, char const*, unsigned long) /test/11.0_dbg_san/sql/field.h:281 #6 0x55a67683d3fa in Field_blob::val_real() /test/11.0_dbg_san/sql/field.cc:8743 #7 0x55a676a17a18 in Item_field::val_real() /test/11.0_dbg_san/sql/item.cc:3354 #8 0x55a676f35ed8 in Item_func_plus::real_op() /test/11.0_dbg_san/sql/item_func.cc:1103 #9 
0x55a6760d1826 in Item_func_hybrid_field_type::val_real_from_real_op() /test/11.0_dbg_san/sql/item_func.h:853 #10 0x55a6760d1826 in Type_handler_real_result::Item_func_hybrid_field_type_val_real(Item_func_hybrid_field_type*) const /test/11.0_dbg_san/sql/sql_type.cc:5458 #11 0x55a67517c7d5 in Item_func_hybrid_field_type::val_real() /test/11.0_dbg_san/sql/item_func.h:899 #12 0x55a67495e58a in Item::val_result() /test/11.0_dbg_san/sql/item.h:1792 #13 0x55a6769f2049 in Item_cache_real::cache_value() /test/11.0_dbg_san/sql/item.cc:10396 #14 0x55a67752d7e9 in Item_sum_min::add() /test/11.0_dbg_san/sql/item_sum.cc:2549 #15 0x55a6775a1e61 in Aggregator_simple::add() /test/11.0_dbg_san/sql/item_sum.h:727 #16 0x55a6753d5ac0 in Item_sum::aggregator_add() /test/11.0_dbg_san/sql/item_sum.h:571 #17 0x55a6753d5ac0 in Item_sum::reset_and_add() /test/11.0_dbg_san/sql/item_sum.h:452 #18 0x55a6753d5ac0 in init_sum_functions /test/11.0_dbg_san/sql/sql_select.cc:28582 #19 0x55a6755d34f6 in end_send_group(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:24741 #20 0x55a6753f83ef in evaluate_join_record /test/11.0_dbg_san/sql/sql_select.cc:23485 #21 0x55a6754bf299 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23252 #22 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780 #23 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900 #24 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677 #25 0x55a677453105 in subselect_single_select_engine::exec() /test/11.0_dbg_san/sql/item_subselect.cc:4157 #26 0x55a677463617 in Item_subselect::exec() /test/11.0_dbg_san/sql/item_subselect.cc:812 #27 0x55a67743f1ec in Item_singlerow_subselect::val_real() /test/11.0_dbg_san/sql/item_subselect.cc:1441 #28 0x55a67495e58a in Item::val_result() /test/11.0_dbg_san/sql/item.h:1792 #29 0x55a6769f2049 in Item_cache_real::cache_value() /test/11.0_dbg_san/sql/item.cc:10396 #30 0x55a676af47d9 in 
Item_cache_wrapper::cache() /test/11.0_dbg_san/sql/item.cc:8923 #31 0x55a676af47d9 in Item_cache_wrapper::save_val(Field*) /test/11.0_dbg_san/sql/item.cc:8949 #32 0x55a676b10a25 in Item_cache_wrapper::save_in_result_field(bool) /test/11.0_dbg_san/sql/item.h:5951 #33 0x55a6755a073a in copy_funcs(Item**, THD const*) /test/11.0_dbg_san/sql/sql_select.cc:28630 #34 0x55a6755a0a2d in end_write /test/11.0_dbg_san/sql/sql_select.cc:24770 #35 0x55a67560b440 in AGGR_OP::put_record(bool) /test/11.0_dbg_san/sql/sql_select.cc:32019 #36 0x55a67560da5b in AGGR_OP::put_record() /test/11.0_dbg_san/sql/sql_select.h:1152 #37 0x55a67560da5b in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:22953 #38 0x55a6753f83ef in evaluate_join_record /test/11.0_dbg_san/sql/sql_select.cc:23485 #39 0x55a6754bf299 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23252 #40 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780 #41 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900 #42 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677 #43 0x55a677453105 in subselect_single_select_engine::exec() /test/11.0_dbg_san/sql/item_subselect.cc:4157 #44 0x55a677463617 in Item_subselect::exec() /test/11.0_dbg_san/sql/item_subselect.cc:812 #45 0x55a6774409a4 in Item_singlerow_subselect::val_str(String*) /test/11.0_dbg_san/sql/item_subselect.cc:1484 #46 0x55a67495e7ba in Item::str_result(String*) /test/11.0_dbg_san/sql/item.h:1794 #47 0x55a676a26163 in Item_cache_str::cache_value() /test/11.0_dbg_san/sql/item.cc:10520 #48 0x55a676af7dc7 in Item_cache_wrapper::cache() /test/11.0_dbg_san/sql/item.cc:8923 #49 0x55a676af7dc7 in Item_cache_wrapper::val_str(String*) /test/11.0_dbg_san/sql/item.cc:9031 #50 0x55a676bf4ef7 in Arg_comparator::compare_string() /test/11.0_dbg_san/sql/item_cmpfunc.cc:773 #51 0x55a676c0323e in Arg_comparator::compare() 
/test/11.0_dbg_san/sql/item_cmpfunc.h:103 #52 0x55a676c0323e in Item_func_eq::val_int() /test/11.0_dbg_san/sql/item_cmpfunc.cc:1776 #53 0x55a67559dfa4 in end_send /test/11.0_dbg_san/sql/sql_select.cc:24493 #54 0x55a6753f83ef in evaluate_join_record /test/11.0_dbg_san/sql/sql_select.cc:23485 #55 0x55a67560ca45 in AGGR_OP::end_send() /test/11.0_dbg_san/sql/sql_select.cc:32100 #56 0x55a67560dfa7 in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:22947 #57 0x55a6754bf352 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23186 #58 0x55a67566d277 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22782 #59 0x55a67566d277 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900 #60 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677 #61 0x55a67565d0c1 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5158 #62 0x55a67566151c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616 #63 0x55a6751d3a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279 #64 0x55a675234ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949 #65 0x55a675264973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014 #66 0x55a675274707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894 #67 0x55a675282542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407 #68 0x55a675c578b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416 #69 0x55a675c58dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318 #70 0x14a2eb294b42 in start_thread nptl/pthread_create.c:442 #71 0x14a2eb3269ff 
(/lib/x86_64-linux-gnu/libc.so.6+0x1269ff) 0x60800000d8e2 is located 66 bytes inside of 96-byte region [0x60800000d8a0,0x60800000d900) freed by thread T34 here: #0 0x55a6748e8fe7 in __interceptor_free (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7963fe7) #1 0x55a679000a61 in my_free /test/11.0_dbg_san/mysys/my_malloc.c:213 #2 0x14a2c5852150 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.0_dbg_san/storage/spider/spd_malloc.cc:183 #3 0x14a2c59bcbcb in spider_db_mbase_row::~spider_db_mbase_row() /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:377 #4 0x14a2c59bccca in spider_db_mbase_row::~spider_db_mbase_row() /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:380 #5 0x14a2c56cfaf5 in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:2783 #6 0x14a2c56ec078 in spider_db_seek_next(unsigned char*, ha_spider*, int, TABLE*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:3994 #7 0x14a2c58e33a9 in ha_spider::rnd_next_internal(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5905 #8 0x14a2c58e9597 in ha_spider::rnd_next(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5944 #9 0x55a676957c84 in handler::ha_rnd_next(unsigned char*) /test/11.0_dbg_san/sql/handler.cc:3603 #10 0x55a674b28a8b in rr_sequential(READ_RECORD*) /test/11.0_dbg_san/sql/records.cc:514 #11 0x55a6754bff49 in READ_RECORD::read_record() /test/11.0_dbg_san/sql/records.h:81 #12 0x55a6754bff49 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23269 #13 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780 #14 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900 #15 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677 #16 0x55a67565d0c1 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, 
select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5158 #17 0x55a67566151c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616 #18 0x55a6751d3a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279 #19 0x55a675234ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949 #20 0x55a675264973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014 #21 0x55a675274707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894 #22 0x55a675282542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407 #23 0x55a675c578b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416 #24 0x55a675c58dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318 #25 0x14a2eb294b42 in start_thread nptl/pthread_create.c:442 previously allocated by thread T34 here: #0 0x55a6748e9337 in __interceptor_malloc (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7964337) #1 0x55a679000703 in my_malloc /test/11.0_dbg_san/mysys/my_malloc.c:91 #2 0x14a2c5852583 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) 
/test/11.0_dbg_san/storage/spider/spd_malloc.cc:231 #3 0x14a2c59d329f in spider_db_mbase_row::clone() /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:547 #4 0x14a2c56dab12 in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:3378 #5 0x14a2c58e806f in ha_spider::rnd_next_internal(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5851 #6 0x14a2c58e9597 in ha_spider::rnd_next(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5944 #7 0x55a676957c84 in handler::ha_rnd_next(unsigned char*) /test/11.0_dbg_san/sql/handler.cc:3603 #8 0x55a674b28a8b in rr_sequential(READ_RECORD*) /test/11.0_dbg_san/sql/records.cc:514 #9 0x55a67558ed77 in READ_RECORD::read_record() /test/11.0_dbg_san/sql/records.h:81 #10 0x55a67558ed77 in join_init_read_record(st_join_table*) /test/11.0_dbg_san/sql/sql_select.cc:24276 #11 0x55a6754bf115 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23249 #12 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780 #13 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900 #14 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677 #15 0x55a67565d0c1 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5158 #16 0x55a67566151c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616 #17 0x55a6751d3a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279 #18 0x55a675234ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949 #19 0x55a675264973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014 #20 0x55a675274707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) 
/test/11.0_dbg_san/sql/sql_parse.cc:1894
#21 0x55a675282542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
#22 0x55a675c578b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
#23 0x55a675c58dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
#24 0x14a2eb294b42 in start_thread nptl/pthread_create.c:442

Thread T34 created by T0 here:
#0 0x55a67488d175 in pthread_create (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7908175)
#1 0x55a67494398b in create_thread_to_handle_connection(CONNECT*) /test/11.0_dbg_san/sql/mysqld.cc:6129
#2 0x55a674950e67 in create_new_thread(CONNECT*) /test/11.0_dbg_san/sql/mysqld.cc:6191
#3 0x55a6749516e7 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.0_dbg_san/sql/mysqld.cc:6253
#4 0x55a674952738 in handle_connections_sockets() /test/11.0_dbg_san/sql/mysqld.cc:6377
#5 0x55a674959ee7 in mysqld_main(int, char**) /test/11.0_dbg_san/sql/mysqld.cc:6024
#6 0x55a67492eeca in main /test/11.0_dbg_san/sql/main.cc:34
#7 0x14a2eb229d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-use-after-free /test/11.0_dbg_san/strings/dtoa.c:1378 in my_strtod_int
Shadow bytes around the buggy address:
  0x0c107fff9ac0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff9ad0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff9ae0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff9af0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff9b00: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c107fff9b10: fa fa fa fa fd fd fd fd fd fd fd fd[fd]fd fd fd
  0x0c107fff9b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2542380==ABORTING
{noformat}
And these UniqueID's/stacks across versions and build types:
{noformat}
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|Value_source::Converter_strntod::Converter_strntod|Value_source::Converter_strntod_with_warn::Converter_strntod_with_warn
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|my_strntod_8bit|Value_source::Converter_strntod::Converter_strntod
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|charset_info_st::strntod|Value_source::Converter_strntod::Converter_strntod
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|my_strntod_8bit|charset_info_st::strntod
{noformat}
However, with newer builds we now (18/7/24) see:
{noformat}
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|charset_info_st::strntod|Value_source::Converter_strntod::Converter_strntod
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|my_strntod_8bit|charset_info_st::strntod
{noformat}
Which look like MDEV-32759, however no AVG() is used here. |
Split from
{code:sql}
SET sql_buffer_result=1;
INSTALL PLUGIN Spider SONAME 'ha_spider.so';
CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock',DATABASE'',USER'',PASSWORD'');
CREATE TABLE t (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB;
CREATE TABLE tm (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB;
CREATE TABLE t1 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",srv "srv",TABLE "t"';
CREATE TABLE t2 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",srv "srv",TABLE "tm"';
INSERT INTO t VALUES (0,1,0),(1,0,0),(2,0,0);
INSERT INTO tm VALUES (0,1,0),(1,0,0),(2,0,0);
SELECT * FROM t1 HAVING c1=(SELECT t.c1 AS c FROM t2 t ORDER BY (SELECT MIN(t1.c1+tt.c1) FROM t2 tt));
{code}
Previously led to:
{noformat:title=11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Debug, UBASAN)}
==2542380==ERROR: AddressSanitizer: heap-use-after-free on address 0x60800000d8e2 at pc 0x55a6791cb837 bp 0x14a2c640c420 sp 0x14a2c640c410
READ of size 1 at 0x60800000d8e2 thread T34
#0 0x55a6791cb836 in my_strtod_int /test/11.0_dbg_san/strings/dtoa.c:1378
#1 0x55a6791cb836 in my_strtod /test/11.0_dbg_san/strings/dtoa.c:469
#2 0x55a6790d9b3f in my_strntod_8bit /test/11.0_dbg_san/strings/ctype-simple.c:800
#3 0x55a67683d3fa in charset_info_st::strntod(char*, unsigned long, char**, int*) const /test/11.0_dbg_san/include/m_ctype.h:929
#4 0x55a67683d3fa in Value_source::Converter_strntod::Converter_strntod(charset_info_st const*, char const*, unsigned long) /test/11.0_dbg_san/sql/field.h:210
#5 0x55a67683d3fa in Value_source::Converter_strntod_with_warn::Converter_strntod_with_warn(THD*, Value_source::Warn_filter, charset_info_st const*, char const*, unsigned long) /test/11.0_dbg_san/sql/field.h:281
#6 0x55a67683d3fa in Field_blob::val_real() /test/11.0_dbg_san/sql/field.cc:8743
#7 0x55a676a17a18 in Item_field::val_real() /test/11.0_dbg_san/sql/item.cc:3354
#8 0x55a676f35ed8 in Item_func_plus::real_op() /test/11.0_dbg_san/sql/item_func.cc:1103
#9 0x55a6760d1826 in Item_func_hybrid_field_type::val_real_from_real_op() /test/11.0_dbg_san/sql/item_func.h:853
#10 0x55a6760d1826 in Type_handler_real_result::Item_func_hybrid_field_type_val_real(Item_func_hybrid_field_type*) const /test/11.0_dbg_san/sql/sql_type.cc:5458
#11 0x55a67517c7d5 in Item_func_hybrid_field_type::val_real() /test/11.0_dbg_san/sql/item_func.h:899
#12 0x55a67495e58a in Item::val_result() /test/11.0_dbg_san/sql/item.h:1792
#13 0x55a6769f2049 in Item_cache_real::cache_value() /test/11.0_dbg_san/sql/item.cc:10396
#14 0x55a67752d7e9 in Item_sum_min::add() /test/11.0_dbg_san/sql/item_sum.cc:2549
#15 0x55a6775a1e61 in Aggregator_simple::add() /test/11.0_dbg_san/sql/item_sum.h:727
#16 0x55a6753d5ac0 in Item_sum::aggregator_add() /test/11.0_dbg_san/sql/item_sum.h:571
#17 0x55a6753d5ac0 in Item_sum::reset_and_add() /test/11.0_dbg_san/sql/item_sum.h:452
#18 0x55a6753d5ac0 in init_sum_functions /test/11.0_dbg_san/sql/sql_select.cc:28582
#19 0x55a6755d34f6 in end_send_group(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:24741
#20 0x55a6753f83ef in evaluate_join_record /test/11.0_dbg_san/sql/sql_select.cc:23485
#21 0x55a6754bf299 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23252
#22 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780
#23 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900
#24 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677
#25 0x55a677453105 in subselect_single_select_engine::exec() /test/11.0_dbg_san/sql/item_subselect.cc:4157
#26 0x55a677463617 in Item_subselect::exec() /test/11.0_dbg_san/sql/item_subselect.cc:812
#27 0x55a67743f1ec in Item_singlerow_subselect::val_real() /test/11.0_dbg_san/sql/item_subselect.cc:1441
#28 0x55a67495e58a in Item::val_result() /test/11.0_dbg_san/sql/item.h:1792
#29 0x55a6769f2049 in Item_cache_real::cache_value() /test/11.0_dbg_san/sql/item.cc:10396
#30 0x55a676af47d9 in Item_cache_wrapper::cache() /test/11.0_dbg_san/sql/item.cc:8923
#31 0x55a676af47d9 in Item_cache_wrapper::save_val(Field*) /test/11.0_dbg_san/sql/item.cc:8949
#32 0x55a676b10a25 in Item_cache_wrapper::save_in_result_field(bool) /test/11.0_dbg_san/sql/item.h:5951
#33 0x55a6755a073a in copy_funcs(Item**, THD const*) /test/11.0_dbg_san/sql/sql_select.cc:28630
#34 0x55a6755a0a2d in end_write /test/11.0_dbg_san/sql/sql_select.cc:24770
#35 0x55a67560b440 in AGGR_OP::put_record(bool) /test/11.0_dbg_san/sql/sql_select.cc:32019
#36 0x55a67560da5b in AGGR_OP::put_record() /test/11.0_dbg_san/sql/sql_select.h:1152
#37 0x55a67560da5b in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:22953
#38 0x55a6753f83ef in evaluate_join_record /test/11.0_dbg_san/sql/sql_select.cc:23485
#39 0x55a6754bf299 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23252
#40 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780
#41 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900
#42 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677
#43 0x55a677453105 in subselect_single_select_engine::exec() /test/11.0_dbg_san/sql/item_subselect.cc:4157
#44 0x55a677463617 in Item_subselect::exec() /test/11.0_dbg_san/sql/item_subselect.cc:812
#45 0x55a6774409a4 in Item_singlerow_subselect::val_str(String*) /test/11.0_dbg_san/sql/item_subselect.cc:1484
#46 0x55a67495e7ba in Item::str_result(String*) /test/11.0_dbg_san/sql/item.h:1794
#47 0x55a676a26163 in Item_cache_str::cache_value() /test/11.0_dbg_san/sql/item.cc:10520
#48 0x55a676af7dc7 in Item_cache_wrapper::cache() /test/11.0_dbg_san/sql/item.cc:8923
#49 0x55a676af7dc7 in Item_cache_wrapper::val_str(String*) /test/11.0_dbg_san/sql/item.cc:9031
#50 0x55a676bf4ef7 in Arg_comparator::compare_string() /test/11.0_dbg_san/sql/item_cmpfunc.cc:773
#51 0x55a676c0323e in Arg_comparator::compare() /test/11.0_dbg_san/sql/item_cmpfunc.h:103
#52 0x55a676c0323e in Item_func_eq::val_int() /test/11.0_dbg_san/sql/item_cmpfunc.cc:1776
#53 0x55a67559dfa4 in end_send /test/11.0_dbg_san/sql/sql_select.cc:24493
#54 0x55a6753f83ef in evaluate_join_record /test/11.0_dbg_san/sql/sql_select.cc:23485
#55 0x55a67560ca45 in AGGR_OP::end_send() /test/11.0_dbg_san/sql/sql_select.cc:32100
#56 0x55a67560dfa7 in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:22947
#57 0x55a6754bf352 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23186
#58 0x55a67566d277 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22782
#59 0x55a67566d277 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900
#60 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677
#61 0x55a67565d0c1 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5158
#62 0x55a67566151c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616
#63 0x55a6751d3a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279
#64 0x55a675234ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949
#65 0x55a675264973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014
#66 0x55a675274707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
#67 0x55a675282542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
#68 0x55a675c578b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
#69 0x55a675c58dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
#70 0x14a2eb294b42 in start_thread nptl/pthread_create.c:442
#71 0x14a2eb3269ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)

0x60800000d8e2 is located 66 bytes inside of 96-byte region [0x60800000d8a0,0x60800000d900)
freed by thread T34 here:
#0 0x55a6748e8fe7 in __interceptor_free (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7963fe7)
#1 0x55a679000a61 in my_free /test/11.0_dbg_san/mysys/my_malloc.c:213
#2 0x14a2c5852150 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.0_dbg_san/storage/spider/spd_malloc.cc:183
#3 0x14a2c59bcbcb in spider_db_mbase_row::~spider_db_mbase_row() /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:377
#4 0x14a2c59bccca in spider_db_mbase_row::~spider_db_mbase_row() /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:380
#5 0x14a2c56cfaf5 in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:2783
#6 0x14a2c56ec078 in spider_db_seek_next(unsigned char*, ha_spider*, int, TABLE*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:3994
#7 0x14a2c58e33a9 in ha_spider::rnd_next_internal(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5905
#8 0x14a2c58e9597 in ha_spider::rnd_next(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5944
#9 0x55a676957c84 in handler::ha_rnd_next(unsigned char*) /test/11.0_dbg_san/sql/handler.cc:3603
#10 0x55a674b28a8b in rr_sequential(READ_RECORD*) /test/11.0_dbg_san/sql/records.cc:514
#11 0x55a6754bff49 in READ_RECORD::read_record() /test/11.0_dbg_san/sql/records.h:81
#12 0x55a6754bff49 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23269
#13 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780
#14 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900
#15 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677
#16 0x55a67565d0c1 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5158
#17 0x55a67566151c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616
#18 0x55a6751d3a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279
#19 0x55a675234ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949
#20 0x55a675264973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014
#21 0x55a675274707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
#22 0x55a675282542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
#23 0x55a675c578b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
#24 0x55a675c58dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
#25 0x14a2eb294b42 in start_thread nptl/pthread_create.c:442

previously allocated by thread T34 here:
#0 0x55a6748e9337 in __interceptor_malloc (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7964337)
#1 0x55a679000703 in my_malloc /test/11.0_dbg_san/mysys/my_malloc.c:91
#2 0x14a2c5852583 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.0_dbg_san/storage/spider/spd_malloc.cc:231
#3 0x14a2c59d329f in spider_db_mbase_row::clone() /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:547
#4 0x14a2c56dab12 in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:3378
#5 0x14a2c58e806f in ha_spider::rnd_next_internal(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5851
#6 0x14a2c58e9597 in ha_spider::rnd_next(unsigned char*) /test/11.0_dbg_san/storage/spider/ha_spider.cc:5944
#7 0x55a676957c84 in handler::ha_rnd_next(unsigned char*) /test/11.0_dbg_san/sql/handler.cc:3603
#8 0x55a674b28a8b in rr_sequential(READ_RECORD*) /test/11.0_dbg_san/sql/records.cc:514
#9 0x55a67558ed77 in READ_RECORD::read_record() /test/11.0_dbg_san/sql/records.h:81
#10 0x55a67558ed77 in join_init_read_record(st_join_table*) /test/11.0_dbg_san/sql/sql_select.cc:24276
#11 0x55a6754bf115 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23249
#12 0x55a67566d164 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22780
#13 0x55a67566d164 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900
#14 0x55a67566e916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677
#15 0x55a67565d0c1 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5158
#16 0x55a67566151c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616
#17 0x55a6751d3a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279
#18 0x55a675234ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949
#19 0x55a675264973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014
#20 0x55a675274707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
#21 0x55a675282542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
#22 0x55a675c578b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
#23 0x55a675c58dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
#24 0x14a2eb294b42 in start_thread nptl/pthread_create.c:442

Thread T34 created by T0 here:
#0 0x55a67488d175 in pthread_create (/test/UBASAN_MD120523-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7908175)
#1 0x55a67494398b in create_thread_to_handle_connection(CONNECT*) /test/11.0_dbg_san/sql/mysqld.cc:6129
#2 0x55a674950e67 in create_new_thread(CONNECT*) /test/11.0_dbg_san/sql/mysqld.cc:6191
#3 0x55a6749516e7 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.0_dbg_san/sql/mysqld.cc:6253
#4 0x55a674952738 in handle_connections_sockets() /test/11.0_dbg_san/sql/mysqld.cc:6377
#5 0x55a674959ee7 in mysqld_main(int, char**) /test/11.0_dbg_san/sql/mysqld.cc:6024
#6 0x55a67492eeca in main /test/11.0_dbg_san/sql/main.cc:34
#7 0x14a2eb229d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-use-after-free /test/11.0_dbg_san/strings/dtoa.c:1378 in my_strtod_int
Shadow bytes around the buggy address:
  0x0c107fff9ac0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff9ad0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff9ae0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff9af0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff9b00: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c107fff9b10: fa fa fa fa fd fd fd fd fd fd fd fd[fd]fd fd fd
  0x0c107fff9b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2542380==ABORTING
{noformat}
And these UniqueID's/stacks across versions and build types:
{noformat}
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|Value_source::Converter_strntod::Converter_strntod|Value_source::Converter_strntod_with_warn::Converter_strntod_with_warn
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|my_strntod_8bit|Value_source::Converter_strntod::Converter_strntod
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|charset_info_st::strntod|Value_source::Converter_strntod::Converter_strntod
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|my_strntod_8bit|charset_info_st::strntod
{noformat}
However, with newer builds we now (18/7/24) see only these:
{noformat}
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|charset_info_st::strntod|Value_source::Converter_strntod::Converter_strntod
ASAN|heap-use-after-free|strings/dtoa.c|my_strtod_int|my_strtod|my_strntod_8bit|charset_info_st::strntod
{noformat}
Which look like MDEV-32759, however no AVG() is used here. |
Link | This issue relates to MDEV-28374 [ MDEV-28374 ] |
Fix Version/s | 11.1 [ 28549 ] |
Fix Version/s | 11.5 [ 29506 ] |
Fix Version/s | 11.2(EOL) [ 28603 ] |
Assignee | Alexander Barkov [ bar ] | Yuchen Pei [ JIRAUSER52627 ] |