MariaDB Server, issue MDEV-35414

purecall in Item_cond::merge_sub_condition

Details

    • Type: Bug
    • Status: Confirmed
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 11.6.1, 10.6, 10.11, 11.2 (EOL), 11.4, 11.6 (EOL)
    • Fix Version/s: 10.6, 10.11, 11.4
    • Component/s: Prepared Statements
    • Labels: None
    • Environment: winx64

    Description

      Version: '11.6.1-MariaDB'  socket: ''  port: 3306  mariadb.org binary distribution
      Server version: 11.6.1-MariaDB source revision: 05fe3f1c186a221c4455b4d83a9d59f09f2dfadb
       
      server.dll!my_parameter_handler()[my_init.c:377]
      ucrtbase.dll!raise()
      ucrtbase.dll!abort()
      server.dll!_purecall()[purevirt.cpp:29]
      server.dll!Item_cond::merge_sub_condition()[item_cmpfunc.cc:5174]
      server.dll!Item_cond::fix_fields()[item_cmpfunc.cc:5090]
      server.dll!setup_fields()[sql_base.cc:8096]
      server.dll!mysql_do()[sql_do.cc:32]
      server.dll!mysql_execute_command()[sql_parse.cc:3983]
      server.dll!Prepared_statement::execute()[sql_prepare.cc:5050]
      server.dll!Prepared_statement::execute_loop()[sql_prepare.cc:4427]
      server.dll!mysql_sql_stmt_execute()[sql_prepare.cc:3447]
      server.dll!mysql_execute_command()[sql_parse.cc:3971]
      server.dll!mysql_parse()[sql_parse.cc:7873]
      server.dll!dispatch_command()[sql_parse.cc:1894]
      server.dll!do_command()[sql_parse.cc:1405]
      server.dll!tp_callback()[threadpool_common.cc:249]
      

      How to repeat:

      prepare s from 'do (((select ((bit_and(1) over()) and (lower(pi()))))) and (year("b")));';
      execute s;
      execute s;
      

        Activity

          Alice Sherepa added a comment (edited)

          Thanks!
          I repeated on 10.6-11.6, not reproducible on 10.5:

          Version: '10.6.21-MariaDB-debug-log'  25be7da2024902dab7f048dd5e6c3418ea3c92f3
          =================================================================
          ==332475==ERROR: AddressSanitizer: use-after-poison on address 0x62b00004db48 at pc 0x55bc81905f8c bp 0x7f0ace9357e0 sp 0x7f0ace9357d0
          READ of size 8 at 0x62b00004db48 thread T11
              #0 0x55bc81905f8b in Item_cond::merge_sub_condition(List_iterator<Item>&) /10.6/src/sql/item_cmpfunc.cc:5134
              #1 0x55bc8190579b in Item_cond::fix_fields(THD*, Item**) /10.6/src/sql/item_cmpfunc.cc:5050
              #2 0x55bc80c6b992 in Item::fix_fields_if_needed(THD*, Item**) /10.6/src/sql/item.h:1173
              #3 0x55bc80c6b9cc in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /10.6/src/sql/item.h:1182
              #4 0x55bc80da1d94 in setup_fields(THD*, Bounds_checked_array<Item*>, List<Item>&, enum_column_usage, List<Item>*, List<Item>*, bool, THD_WHERE) /10.6/src/sql/sql_base.cc:7777
              #5 0x55bc81d0c2d6 in mysql_do(THD*, List<Item>&) /10.6/src/sql/sql_do.cc:32
              #6 0x55bc80f3853b in mysql_execute_command(THD*, bool) /10.6/src/sql/sql_parse.cc:4028
              #7 0x55bc80fb059e in Prepared_statement::execute(String*, bool) /10.6/src/sql/sql_prepare.cc:5265
              #8 0x55bc80fab36c in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /10.6/src/sql/sql_prepare.cc:4671
              #9 0x55bc80fa4699 in mysql_sql_stmt_execute(THD*) /10.6/src/sql/sql_prepare.cc:3697
              #10 0x55bc80f38428 in mysql_execute_command(THD*, bool) /10.6/src/sql/sql_parse.cc:4015
              #11 0x55bc80f5570f in mysql_parse(THD*, char*, unsigned int, Parser_state*) /10.6/src/sql/sql_parse.cc:8194
              #12 0x55bc80f2a29a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /10.6/src/sql/sql_parse.cc:1908
              #13 0x55bc80f26f5d in do_command(THD*, bool) /10.6/src/sql/sql_parse.cc:1421
              #14 0x55bc813c1b40 in do_handle_one_connection(CONNECT*, bool) /10.6/src/sql/sql_connect.cc:1407
              #15 0x55bc813c1693 in handle_one_connection /10.6/src/sql/sql_connect.cc:1319
              #16 0x55bc8209a8bb in pfs_spawn_thread /10.6/src/storage/perfschema/pfs.cc:2201
              #17 0x7f0ae50aa608 in start_thread /build/glibc-LcI20x/glibc-2.31/nptl/pthread_create.c:477
              #18 0x7f0ae4be5352 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f352) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
           
          0x62b00004db48 is located 2376 bytes inside of 24740-byte region [0x62b00004d200,0x62b0000532a4)
          allocated by thread T11 here:
              #0 0x7f0ae56978ff in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
              #1 0x55bc82e95778 in sf_malloc /10.6/src/mysys/safemalloc.c:126
              #2 0x55bc82e627a7 in my_malloc /10.6/src/mysys/my_malloc.c:91
              #3 0x55bc82e35b6b in reset_root_defaults /10.6/src/mysys/my_alloc.c:148
              #4 0x55bc80df0ace in THD::init_for_queries() /10.6/src/sql/sql_class.cc:1473
              #5 0x55bc813c0f43 in prepare_new_connection_state(THD*) /10.6/src/sql/sql_connect.cc:1246
              #6 0x55bc813c1718 in thd_prepare_connection(THD*) /10.6/src/sql/sql_connect.cc:1340
              #7 0x55bc813c1b04 in do_handle_one_connection(CONNECT*, bool) /10.6/src/sql/sql_connect.cc:1397
              #8 0x55bc813c1693 in handle_one_connection /10.6/src/sql/sql_connect.cc:1319
              #9 0x55bc8209a8bb in pfs_spawn_thread /10.6/src/storage/perfschema/pfs.cc:2201
              #10 0x7f0ae50aa608 in start_thread /build/glibc-LcI20x/glibc-2.31/nptl/pthread_create.c:477
           
          Thread T11 created by T0 here:
              #0 0x7f0ae5603175 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:208
              #1 0x55bc82096478 in my_thread_create /10.6/src/storage/perfschema/my_thread.h:52
              #2 0x55bc8209acae in pfs_spawn_thread_v1 /10.6/src/storage/perfschema/pfs.cc:2252
              #3 0x55bc80be0ead in inline_mysql_thread_create /10.6/src/include/mysql/psi/mysql_thread.h:1139
              #4 0x55bc80bf95d8 in create_thread_to_handle_connection(CONNECT*) /10.6/src/sql/mysqld.cc:6060
              #5 0x55bc80bf9c2f in create_new_thread(CONNECT*) /10.6/src/sql/mysqld.cc:6119
              #6 0x55bc80bf9f5c in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.6/src/sql/mysqld.cc:6181
              #7 0x55bc80bfa961 in handle_connections_sockets() /10.6/src/sql/mysqld.cc:6305
              #8 0x55bc80bf77d5 in run_main_loop /10.6/src/sql/mysqld.cc:5563
              #9 0x55bc80bf8e22 in mysqld_main(int, char**) /10.6/src/sql/mysqld.cc:5961
              #10 0x55bc80be00ac in main /10.6/src/sql/main.cc:34
              #11 0x7f0ae4aea082 in __libc_start_main ../csu/libc-start.c:308
           
          SUMMARY: AddressSanitizer: use-after-poison /10.6/src/sql/item_cmpfunc.cc:5134 in Item_cond::merge_sub_condition(List_iterator<Item>&)
          Shadow bytes around the buggy address:
            0x62b00004d880: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
            0x62b00004d900: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
            0x62b00004d980: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
            0x62b00004da00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
            0x62b00004da80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
          =>0x62b00004db00: f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7
            0x62b00004db80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
            0x62b00004dc00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
            0x62b00004dc80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
            0x62b00004dd00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
            0x62b00004dd80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
          Shadow byte legend (one shadow byte represents 8 application bytes):
            Addressable:           00
            Partially addressable: 01 02 03 04 05 06 07 
            Heap left redzone:       fa
            Freed heap region:       fd
            Stack left redzone:      f1
            Stack mid redzone:       f2
            Stack right redzone:     f3
            Stack after return:      f5
            Stack use after scope:   f8
            Global redzone:          f9
            Global init order:       f6
            Poisoned by user:        f7
            Container overflow:      fc
            Array cookie:            ac
            Intra object redzone:    bb
            ASan internal:           fe
            Left alloca redzone:     ca
            Right alloca redzone:    cb
          ==332475==ABORTING
          

          prepare s from 'select ((select (avg(1) over()) and 4 ) and 5);';
          execute s;
          execute s;
          

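The two reproductions on this issue (the DO statement in the description and the SELECT in the comment above) are each a PREPARE followed by two EXECUTEs, with the server aborting on the second EXECUTE. The following is an added example, not part of the Jira issue or of the MariaDB code base: a small crash-regression harness that runs both reproductions on a fresh connection each and tells a plain SQL error apart from a dropped connection and from a server that no longer answers at all. It assumes a DB-API 2.0 driver (pymysql in the `__main__` block, with `DB_HOST`, `DB_PORT`, `DB_USER` and `DB_PASSWORD` as assumed environment variables) whose connection errors carry the MySQL/MariaDB client error code as `args[0]`; 2006 (CR_SERVER_GONE_ERROR) and 2013 (CR_SERVER_LOST) are the real client codes for a lost server connection.

```python
"""Crash-regression harness for the MDEV-35414 prepared-statement reproductions.

Added example, not part of the Jira issue or of the MariaDB code base. It
assumes a DB-API 2.0 driver whose connection errors carry the MySQL/MariaDB
client error code as args[0]; 2006 (CR_SERVER_GONE_ERROR) and 2013
(CR_SERVER_LOST) are the client codes for a dropped server connection.
The `connect` callable is supplied by the caller (pymysql in __main__).
"""
from typing import Any, Callable, Dict, Sequence

# The two reproductions posted on the issue. Each prepares once and executes
# twice; the abort is triggered by the second EXECUTE.
REPROS: Dict[str, Sequence[str]] = {
    "description": (
        "prepare s from 'do (((select ((bit_and(1) over()) and (lower(pi()))))) and (year(\"b\")));'",
        "execute s",
        "execute s",
    ),
    "comment": (
        "prepare s from 'select ((select (avg(1) over()) and 4 ) and 5);'",
        "execute s",
        "execute s",
    ),
}

SERVER_GONE_CODES = {2006, 2013}


def is_server_gone(exc: BaseException) -> bool:
    """True when the exception means the client lost its server connection."""
    code = exc.args[0] if exc.args else None
    if code in SERVER_GONE_CODES:
        return True
    text = str(exc).lower()
    return "lost connection" in text or "gone away" in text


def server_alive(connect: Callable[[], Any]) -> bool:
    """Open a fresh connection and run a trivial query; False if that fails."""
    try:
        conn = connect()
        try:
            cur = conn.cursor()
            cur.execute("select 1")
            cur.fetchall()
        finally:
            conn.close()
        return True
    except Exception:
        return False


def run_case(connect: Callable[[], Any], statements: Sequence[str]) -> str:
    """Run the statements on one fresh connection and classify the outcome.

    Returns one of:
      "ok"              every statement completed
      "error"           the server answered with an SQL error (no crash)
      "connection_lost" the client was disconnected but the server still answers
      "crash"           the client was disconnected and the server is unreachable
    """
    conn = connect()
    try:
        cur = conn.cursor()
        for stmt in statements:
            try:
                cur.execute(stmt)
            except Exception as exc:
                if not is_server_gone(exc):
                    return "error"
                return "connection_lost" if server_alive(connect) else "crash"
        return "ok"
    finally:
        try:
            conn.close()
        except Exception:
            pass  # closing an already-dead connection may itself raise


def check_all(connect: Callable[[], Any]) -> Dict[str, str]:
    """Run every reproduction; a "crash" result means the bug is still present."""
    return {name: run_case(connect, stmts) for name, stmts in REPROS.items()}


if __name__ == "__main__":
    import os
    import pymysql  # assumption: the pymysql driver is installed

    def connect():
        # Assumed environment variables; defaults point at a local test server.
        return pymysql.connect(
            host=os.environ.get("DB_HOST", "127.0.0.1"),
            port=int(os.environ.get("DB_PORT", "3306")),
            user=os.environ.get("DB_USER", "root"),
            password=os.environ.get("DB_PASSWORD", ""),
        )

    for name, result in check_all(connect).items():
        print(f"{name}: {result}")
```

Run it only against a throwaway test server: on an affected build the first reproduction takes the whole server down, so `check_all` reports `crash` for it and the second case will not even connect. Once a fix is in place both cases should report `ok`, which makes the script usable as a post-upgrade check.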

          People

            Assignee: Oleksandr Byelkin
            Reporter: sbester1
            Votes: 0
            Watchers: 4