Details
-
Bug
-
Status: Open (View Workflow)
-
Major
-
Resolution: Unresolved
-
10.11, 12.2
-
None
-
Can result in hang or crash
Description
--source include/have_innodb.inc
|
CREATE VIEW v AS SELECT 'a'; |
SELECT * FROM v WHERE a=SFORMAT ('a','a'); |
Leads to:
|
CS 10.11.15 63620ca6d88af5e3e758d768e7818ca1865736e6 (Debug, UBASAN, Clang 18.1.3-11) Build 08/10/2025 |
==1585590==ERROR: AddressSanitizer: use-after-poison on address 0x52d0000a168c at pc 0x5894a65fd660 bp 0x771695119730 sp 0x771695119728
|
READ of size 1 at 0x52d0000a168c thread T11
|
#0 0x5894a65fd65f in Binary_string::free_buffer() /test/10.11_dbg_san/sql/sql_string.h:305:9
|
#1 0x5894a65fd65f in Binary_string::free() /test/10.11_dbg_san/sql/sql_string.h:751:5
|
#2 0x5894a65fd65f in Binary_string::~Binary_string() /test/10.11_dbg_san/sql/sql_string.h:352:5
|
#3 0x5894a65fd65f in String::~String() /test/10.11_dbg_san/sql/sql_string.h:863:7
|
#4 0x5894a65fd65f in Item_func_sformat::~Item_func_sformat() /test/10.11_dbg_san/sql/item_strfunc.h:710:26
|
#5 0x5894a65fd69d in Item_func_sformat::~Item_func_sformat() /test/10.11_dbg_san/sql/item_strfunc.h:710:24
|
#6 0x5894a6dca0b8 in Query_arena::free_items() /test/10.11_dbg_san/sql/sql_class.cc:4023:16
|
#7 0x5894a6dc9375 in THD::cleanup_after_query() /test/10.11_dbg_san/sql/sql_class.cc:2386:3
|
#8 0x5894a718bc9e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.11_dbg_san/sql/sql_parse.cc:1906:7
|
#9 0x5894a719a41d in do_command(THD*, bool) /test/10.11_dbg_san/sql/sql_parse.cc:1419:17
|
#10 0x5894a78f230c in do_handle_one_connection(CONNECT*, bool) /test/10.11_dbg_san/sql/sql_connect.cc:1475:11
|
#11 0x5894a78f1bcb in handle_one_connection /test/10.11_dbg_san/sql/sql_connect.cc:1387:5
|
#12 0x5894a5ff71ac in asan_thread_start(void*) crtstuff.c
|
#13 0x77176749caa3 in start_thread nptl/pthread_create.c:447:8
|
#14 0x771767529c6b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
|
|
0x52d0000a168c is located 4748 bytes inside of 32760-byte region [0x52d0000a0400,0x52d0000a83f8)
|
allocated by thread T11 here:
|
#0 0x5894a5ff96c3 in malloc (/test/UBASAN_MD081025-mariadb-10.11.15-linux-x86_64-dbg/bin/mariadbd+0x312a6c3) (BuildId: 56e6ba49f9c89867)
|
#1 0x5894a8e65e3e in my_malloc /test/10.11_dbg_san/mysys/my_malloc.c:92:29
|
#2 0x5894a8e343c2 in reset_root_defaults /test/10.11_dbg_san/mysys/my_alloc.c:247:30
|
#3 0x5894a6dba8d4 in THD::init_for_queries() /test/10.11_dbg_san/sql/sql_class.cc:1473:3
|
#4 0x5894a78f0b00 in prepare_new_connection_state(THD*) /test/10.11_dbg_san/sql/sql_connect.cc:1314:8
|
#5 0x5894a78f2bef in thd_prepare_connection(THD*) /test/10.11_dbg_san/sql/sql_connect.cc:1408:3
|
#6 0x5894a78f22f3 in do_handle_one_connection(CONNECT*, bool) /test/10.11_dbg_san/sql/sql_connect.cc:1465:9
|
#7 0x5894a78f1bcb in handle_one_connection /test/10.11_dbg_san/sql/sql_connect.cc:1387:5
|
#8 0x5894a5ff71ac in asan_thread_start(void*) crtstuff.c
|
|
|
Thread T11 created by T0 here:
|
#0 0x5894a5fdf035 in pthread_create (/test/UBASAN_MD081025-mariadb-10.11.15-linux-x86_64-dbg/bin/mariadbd+0x3110035) (BuildId: 56e6ba49f9c89867)
|
#1 0x5894a604b66a in create_thread_to_handle_connection(CONNECT*) /test/10.11_dbg_san/sql/mysqld.cc:6139:19
|
#2 0x5894a604c635 in handle_connections_sockets() /test/10.11_dbg_san/sql/mysqld.cc:6383:9
|
#3 0x5894a604a8ca in run_main_loop() /test/10.11_dbg_san/sql/mysqld.cc:5639:3
|
#4 0x5894a6040f62 in mysqld_main(int, char**) /test/10.11_dbg_san/sql/mysqld.cc:6040:3
|
#5 0x77176742a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
|
#6 0x77176742a28a in __libc_start_main csu/../csu/libc-start.c:360:3
|
#7 0x5894a5f5e874 in _start (/test/UBASAN_MD081025-mariadb-10.11.15-linux-x86_64-dbg/bin/mariadbd+0x308f874) (BuildId: 56e6ba49f9c89867)
|
|
|
SUMMARY: AddressSanitizer: use-after-poison /test/10.11_dbg_san/sql/sql_string.h:305:9 in Binary_string::free_buffer()
|
Shadow bytes around the buggy address:
|
0x52d0000a1400: 00 00 00 00 00 00 00 00 00 00 00 00 f7 04 f7 00
|
0x52d0000a1480: 02 f7 00 00 00 f7 00 00 f7 02 f7 00 00 00 00 00
|
0x52d0000a1500: 00 00 00 00 00 00 00 00 00 f7 04 f7 00 02 f7 00
|
0x52d0000a1580: 00 f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x52d0000a1600: 00 00 00 00 00 00 00 00 f7 f7 f7 f7 f7 f7 f7 f7
|
=>0x52d0000a1680: f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x52d0000a1700: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x52d0000a1780: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x52d0000a1800: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x52d0000a1880: f7 f7 f7 f7 f7 f7 f7 f7 f7 00 00 f7 00 00 00 00
|
0x52d0000a1900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
==1585590==ABORTING
|
grep: /test/UBASAN_MD081025-mariadb-10.11.15-linux-x86_64-opt/log/master.err: No such file or directory
grep: /test/UBASAN_MD081025-mariadb-10.11.15-linux-x86_64-opt/log/master.err: No such file or directory
Setup:
Compiled with a recent version of Clang and LLVM. Ubuntu instructions for Clang/LLVM 18:
|
# Note: It is strongly recommended to uninstall all old Clang & LLVM packages (ref dpkg --list | grep -iE 'clang|llvm' and use apt purge and dpkg --purge to remove the packages), before installing Clang/LLVM 18
|
sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev lld-18
|
Compiled with: "-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DCMAKE_C{,XX}_FLAGS='-march=native -mtune=native'" and:
|
-DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON
|
Set before execution:
|
export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1
|
|
SAN Bug Detection Matrix |
Rel o/d Build Commit UniqueID observed
|
CS 10.6 dbg 290925 d891d23ec33fb8432b7cd9bf90b8a5b41fdbab42 No bug found
|
CS 10.6 opt 290925 d891d23ec33fb8432b7cd9bf90b8a5b41fdbab42 No bug found
|
CS 10.11 dbg 081025 63620ca6d88af5e3e758d768e7818ca1865736e6 ASAN|use-after-poison|sql/sql_string.h|Binary_string::free_buffer|Binary_string::free|Binary_string::~Binary_string|String::~String
|
CS 10.11 opt 081025 63620ca6d88af5e3e758d768e7818ca1865736e6 No bug found
|
CS 11.4 dbg 290925 62c70a8ae9f12edca3633c2d415e90e26fe694e8 No bug found
|
CS 11.4 opt 290925 62c70a8ae9f12edca3633c2d415e90e26fe694e8 No bug found
|
CS 11.8 dbg 290925 d203a8a5df95e2c5778a304a885fb7aedfbc095e No bug found
|
CS 11.8 opt 290925 d203a8a5df95e2c5778a304a885fb7aedfbc095e No bug found
|
CS 12.1 dbg 290925 667c5e0b002a24bc595d60955950200a588f4fb7 No bug found
|
CS 12.1 opt 290925 667c5e0b002a24bc595d60955950200a588f4fb7 No bug found
|
CS 12.2 dbg 290925 b8a77289639a3b10ada64cf892f02b5cecdb1603 ASAN|use-after-poison|sql/sql_string.h|Binary_string::free_buffer|Binary_string::free|Binary_string::~Binary_string|String::~String
|
CS 12.2 opt 290925 b8a77289639a3b10ada64cf892f02b5cecdb1603 ASAN|use-after-poison|sql/sql_string.h|Binary_string::free_buffer|Binary_string::free|Binary_string::~Binary_string|String::~String
|
ES 10.6 dbg 290925 ed866636069dda51daa8570497926ae43af8aa24 No bug found
|
ES 10.6 opt 290925 ed866636069dda51daa8570497926ae43af8aa24 No bug found
|
ES 11.4 dbg 290925 9dbe002d95a46a7a92aaedd2a23c1c1cbcf8340c No bug found
|
ES 11.4 opt 290925 9dbe002d95a46a7a92aaedd2a23c1c1cbcf8340c No bug found
|
ES 11.8 dbg 290925 543157202acd67ac9b0bb50e0b35bf7790e5467d No bug found
|
ES 11.8 opt 290925 543157202acd67ac9b0bb50e0b35bf7790e5467d No bug found
|