Details
-
Bug
-
Status: Confirmed
-
Major
-
Resolution: Unresolved
-
10.5.26, 10.6, 10.11, 11.4, 11.8, 12.1(EOL)
-
None
-
None
Description
Running the following code
|
|
-- Setup: five identical three-column MyISAM tables, each loaded with the same three rows.
-- The trailing "|" on each line appears to be a rendering artifact of the issue tracker,
-- not part of the SQL; strip it when reproducing.
create table t1 (t1a int, t1b int, t1c int) engine=myisam; |
insert into t1 values (1, 1, 1), (2, 2, 2), (3, 3, 3); |
|
|
create table t2 (t2a int, t2b int, t2c int) engine=myisam; |
insert into t2 values (1, 1, 1), (2, 2, 2), (3, 3, 3); |
|
|
create table t3 (t3a int, t3b int, t3c int) engine=myisam; |
insert into t3 values (1, 1, 1), (2, 2, 2), (3, 3, 3); |
|
|
create table t4 (t4a int, t4b int, t4c int) engine=myisam; |
insert into t4 values (1, 1, 1), (2, 2, 2), (3, 3, 3); |
|
|
create table t5 (t5a int, t5b int, t5c int) engine=myisam; |
insert into t5 values (1, 1, 1), (2, 2, 2), (3, 3, 3); |
|
|
-- The statement under test: an IN subquery whose first branch uses ">= some" over a
-- UNION of two correlated subqueries, UNIONed with a second branch that selects a
-- scalar subquery over t5 from t4. Columns of the outermost t1 (t1a, t1b, t1c) are
-- referenced from every nesting level, and the innermost t5 subquery references
-- max(t4c), an aggregate belonging to the enclosing "select ... from t4" level.
-- It is PREPAREd rather than run directly because, per the analysis below, the
-- faulty access happens on the second EXECUTE of the same prepared statement.
-- (Lines containing only "|" inside the quoted string are tracker rendering
-- artifacts; the string itself is a single SELECT.)
prepare s from ' |
select t1a from t1
|
where t1a in
|
(
|
select t2c from t2 where t2a >= some
|
(
|
select t3a from t3 where t1b=t3b
|
union
|
select t4a from t4 where t1a=t4b
|
)
|
union
|
select (select t5a from t5 where t1c=t5b and max(t4c)) from t4
|
)'; |
|
|
-- Two executions are required: the report states an Item allocated during the
-- first execution is freed at its end, and the second execution reads it via
-- reinit_stmt_before_use() (frames #1-#2 in the backtrace below).
execute s; |
execute s; |
-- Cleanup.
drop table t1, t2, t3, t4, t5; |
causes a use-after-free error at the following location:
#0 0x00005641a1d65575 in Item_cond::copy_andor_arguments (this=0x7fbf1c019de8, thd=0x7fbf1c003fc8, item=0x7fbf1c0c6dd8) at /home/rex/src/mariadb/server.10.5-head/sql/item_cmpfunc.cc:4933
|
#1 0x00005641a1d654ca in Item_cond_and::copy_andor_structure (this=0x7fbf1c0c6dd8, thd=0x7fbf1c003fc8) at /home/rex/src/mariadb/server.10.5-head/sql/item_cmpfunc.cc:4924
|
#2 0x00005641a198104a in reinit_stmt_before_use (thd=0x7fbf1c003fc8, lex=0x7fbf1c0be1b8) at /home/rex/src/mariadb/server.10.5-head/sql/sql_prepare.cc:3075
|
#3 0x00005641a1986b1a in Prepared_statement::execute (this=0x7fbf1c0cb0a8, expanded_query=0x7fbf11434750, open_cursor=false) at /home/rex/src/mariadb/server.10.5-head/sql/sql_prepare.cc:5109
|
#4 0x00005641a1984cce in Prepared_statement::execute_loop (this=0x7fbf1c0cb0a8, expanded_query=0x7fbf11434750, open_cursor=false, packet=0x0, packet_end=0x0) at /home/rex/src/mariadb/server.10.5-head/sql/sql_prepare.cc:4553
|
#5 0x00005641a19823ce in mysql_sql_stmt_execute (thd=0x7fbf1c003fc8) at /home/rex/src/mariadb/server.10.5-head/sql/sql_prepare.cc:3594
|
#6 0x00005641a19553d8 in mysql_execute_command (thd=0x7fbf1c003fc8) at /home/rex/src/mariadb/server.10.5-head/sql/sql_parse.cc:4046
|
#7 0x00005641a19639d0 in mysql_parse (thd=0x7fbf1c003fc8, rawbuf=0x7fbf1c019d70 "execute s", length=9, parser_state=0x7fbf11434f80, is_com_multi=false, is_next_command=false) at /home/rex/src/mariadb/server.10.5-head/sql/sql_parse.cc:8236
|
#8 0x00005641a194e7c2 in dispatch_command (command=COM_QUERY, thd=0x7fbf1c003fc8, packet=0x7fbf1c00ecd9 "execute s", packet_length=9, is_com_multi=false, is_next_command=false) at /home/rex/src/mariadb/server.10.5-head/sql/sql_parse.cc:1892
|
During the 1st execution, an Item is allocated during JOIN::prepare on the SELECT_LEX
{/* select#5 */ select (subquery#6) from t4}.
An item representing max(`test`.`t4`.`t4c`) is present in select_lex->inner_sum_func_list.
item_sum->split_sum_func2() is called on this item, allocating a new Item in runtime memory.
At the end of this first execution, this new item is freed.
At the start of the 2nd execution, a pointer to this freed Item is dereferenced during reinit_stmt_before_use() (frames #1-#2 of the backtrace above); this is the use-after-free.