Details
-
Bug
-
Status: Open
-
Critical
-
Resolution: Unresolved
-
11.8, 12.1
Description
# Reproducer in mysqltest format. f() is declared RETURNS INT but its body
# returns a ROW value, so storing the result into the INT return field fails
# the type-assignability check on every call.
CREATE FUNCTION f() RETURNS INT RETURN (1,2);
# The statement is prepared once and executed twice: f() is loaded during
# PREPARE (see "previously allocated" stack: sp_compile <- mysql_test_create_table)
# and called through REPEAT() in a CREATE ... SELECT.
PREPARE stmt FROM ' CREATE OR REPLACE TEMPORARY TABLE tmp AS SELECT REPEAT(f(),f()) AS x';
# First execution: the type error is raised while sp_instr_freturn assigns
# the ROW value to the INT return field (error text names `f`).
--error ER_ILLEGAL_PARAMETER_DATA_TYPES2_FOR_OPERATION
EXECUTE stmt;
# Second execution of the same prepared statement: the same error is expected,
# but the ASAN build reports a heap-use-after-free inside my_printf_error while
# formatting the message. Per the "freed by" stack the sp_head's mem_root was
# released by sp_cache::clear() between the two commands, so the name in the
# message apparently points into freed memory; the release build prints a
# garbled name instead of `f`.
--error ER_ILLEGAL_PARAMETER_DATA_TYPES2_FOR_OPERATION
EXECUTE stmt;
DROP FUNCTION f;
|
11.8 76d257e883119cb0eba7ca4a189fd0a76bbbb4b3 |
==1773797==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000238710 at pc 0x7fbbb6a62571 bp 0x7fbba982bcd0 sp 0x7fbba982b480
|
READ of size 2 at 0x625000238710 thread T5
|
#0 0x7fbbb6a62570 in __interceptor_strnlen ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:403
|
#1 0x55959790649d in process_str_arg /data/bld/11.8-asan-ubsan/strings/my_vsnprintf.c:248
|
#2 0x55959790c091 in my_vsnprintf_ex /data/bld/11.8-asan-ubsan/strings/my_vsnprintf.c:718
|
#3 0x559597753859 in my_printf_error /data/bld/11.8-asan-ubsan/mysys/my_error.c:150
|
#4 0x559595437fd6 in Field::check_assignability_from(Type_handler const*, bool) const /data/bld/11.8-asan-ubsan/sql/field.cc:997
|
#5 0x5595939f2f8e in Item::check_assignability_to(Field const*, bool) const /data/bld/11.8-asan-ubsan/sql/item.h:1905
|
#6 0x559593c45406 in THD::sp_fix_func_item_for_assignment(Field const*, Item**) /data/bld/11.8-asan-ubsan/sql/sp_head.cc:420
|
#7 0x55959541890a in Field::sp_prepare_and_store_item(THD*, Item**) /data/bld/11.8-asan-ubsan/sql/field.cc:1513
|
#8 0x559593c4574a in THD::sp_eval_expr(Field*, Item**) /data/bld/11.8-asan-ubsan/sql/sp_head.cc:444
|
#9 0x559593ca9c52 in sp_rcontext::set_return_value(THD*, Item**) /data/bld/11.8-asan-ubsan/sql/sp_rcontext.cc:405
|
#10 0x559594dceacf in sp_instr_freturn::exec_core(THD*, unsigned int*) /data/bld/11.8-asan-ubsan/sql/sp_instr.cc:1670
|
#11 0x559594de17a8 in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*, bool) /data/bld/11.8-asan-ubsan/sql/sp_instr.cc:350
|
#12 0x559594deed5b in sp_lex_keeper::validate_lex_and_exec_core(THD*, unsigned int*, bool, sp_lex_instr*) /data/bld/11.8-asan-ubsan/sql/sp_instr.cc:529
|
#13 0x559594df3aac in sp_instr_freturn::execute(THD*, unsigned int*) /data/bld/11.8-asan-ubsan/sql/sp_instr.cc:1627
|
#14 0x559593c70bbd in sp_head::execute(THD*, bool) /data/bld/11.8-asan-ubsan/sql/sp_head.cc:1290
|
#15 0x559593c7de4e in sp_head::execute_function(THD*, Item**, unsigned int, Field*, sp_rcontext**, Query_arena*) /data/bld/11.8-asan-ubsan/sql/sp_head.cc:2058
|
#16 0x55959565c994 in Item_sp::execute_impl(THD*, Item**, unsigned int) /data/bld/11.8-asan-ubsan/sql/item.cc:3034
|
#17 0x55959565db79 in Item_sp::execute(THD*, bool*, Item**, unsigned int) /data/bld/11.8-asan-ubsan/sql/item.cc:2948
|
#18 0x55959597c8c7 in Item_func_sp::execute() /data/bld/11.8-asan-ubsan/sql/item_func.cc:6725
|
#19 0x5595959d1a0a in Item_func_sp::val_int() (/share8t/bld/11.8-asan-ubsan/sql/mariadbd+0x9deca0a)
|
#20 0x559595af7886 in Item_func_repeat::val_str(String*) /data/bld/11.8-asan-ubsan/sql/item_strfunc.cc:3515
|
#21 0x5595956856d3 in Item::save_str_in_field(Field*, bool) /data/bld/11.8-asan-ubsan/sql/item.cc:7148
|
#22 0x559594e1cafb in Type_handler_string_result::Item_save_in_field(Item*, Field*, bool) const /data/bld/11.8-asan-ubsan/sql/sql_type.cc:4406
|
#23 0x559595612147 in Item::save_in_field(Field*, bool) /data/bld/11.8-asan-ubsan/sql/item.cc:7206
|
#24 0x559593dba5f7 in fill_record(THD*, TABLE*, Field**, List<Item>&, bool, bool, bool) /data/bld/11.8-asan-ubsan/sql/sql_base.cc:9506
|
#25 0x559593dbb322 in fill_record_n_invoke_before_triggers(THD*, TABLE*, Field**, List<Item>&, bool, trg_event_type, bool*) /data/bld/11.8-asan-ubsan/sql/sql_base.cc:9565
|
#26 0x559593f755f0 in select_create::store_values(List<Item>&, bool*) /data/bld/11.8-asan-ubsan/sql/sql_insert.cc:5359
|
#27 0x559593f9b4dc in select_insert::send_data(List<Item>&) /data/bld/11.8-asan-ubsan/sql/sql_insert.cc:4483
|
#28 0x5595944cb674 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /data/bld/11.8-asan-ubsan/sql/sql_class.h:6284
|
#29 0x5595944aeb06 in JOIN::exec_inner() /data/bld/11.8-asan-ubsan/sql/sql_select.cc:4945
|
#30 0x5595944b14f3 in JOIN::exec() /data/bld/11.8-asan-ubsan/sql/sql_select.cc:4862
|
#31 0x5595944a7c0b in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/bld/11.8-asan-ubsan/sql/sql_select.cc:5390
|
#32 0x5595944a8dfb in handle_select(THD*, LEX*, select_result*, unsigned long long) /data/bld/11.8-asan-ubsan/sql/sql_select.cc:633
|
#33 0x5595946b7cbf in Sql_cmd_create_table_like::execute(THD*) /data/bld/11.8-asan-ubsan/sql/sql_table.cc:13675
|
#34 0x55959418444f in mysql_execute_command(THD*, bool) /data/bld/11.8-asan-ubsan/sql/sql_parse.cc:5885
|
#35 0x5595942731b9 in Prepared_statement::execute(String*, bool) /data/bld/11.8-asan-ubsan/sql/sql_prepare.cc:5093
|
#36 0x55959428561e in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/bld/11.8-asan-ubsan/sql/sql_prepare.cc:4457
|
#37 0x559594287a25 in mysql_sql_stmt_execute(THD*) /data/bld/11.8-asan-ubsan/sql/sql_prepare.cc:3464
|
#38 0x55959416a6d6 in mysql_execute_command(THD*, bool) /data/bld/11.8-asan-ubsan/sql/sql_parse.cc:3991
|
#39 0x559594189080 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/11.8-asan-ubsan/sql/sql_parse.cc:7908
|
#40 0x55959419244d in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/11.8-asan-ubsan/sql/sql_parse.cc:1903
|
#41 0x55959419f358 in do_command(THD*, bool) /data/bld/11.8-asan-ubsan/sql/sql_parse.cc:1416
|
#42 0x5595949e8fff in do_handle_one_connection(CONNECT*, bool) /data/bld/11.8-asan-ubsan/sql/sql_connect.cc:1504
|
#43 0x5595949ea168 in handle_one_connection /data/bld/11.8-asan-ubsan/sql/sql_connect.cc:1416
|
#44 0x559596496a93 in pfs_spawn_thread /data/bld/11.8-asan-ubsan/storage/perfschema/pfs.cc:2198
|
#45 0x7fbbb56a81c3 in start_thread nptl/pthread_create.c:442
|
#46 0x7fbbb572885b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
|
|
|
0x625000238710 is located 3600 bytes inside of 8184-byte region [0x625000237900,0x6250002398f8)
|
freed by thread T5 here:
|
#0 0x7fbbb6ab76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
|
#1 0x55959776e566 in my_free /data/bld/11.8-asan-ubsan/mysys/my_malloc.c:218
|
#2 0x55959774109e in root_free /data/bld/11.8-asan-ubsan/mysys/my_alloc.c:77
|
#3 0x55959774317a in free_root /data/bld/11.8-asan-ubsan/mysys/my_alloc.c:517
|
#4 0x559593c4635e in sp_head::destroy(sp_head*) /data/bld/11.8-asan-ubsan/sql/sp_head.cc:535
|
#5 0x559593c3bce6 in hash_free_sp_head /data/bld/11.8-asan-ubsan/sql/sp_cache.cc:286
|
#6 0x5595976fe4c3 in my_hash_free_elements /data/bld/11.8-asan-ubsan/mysys/hash.c:135
|
#7 0x5595976ff2f9 in my_hash_reset /data/bld/11.8-asan-ubsan/mysys/hash.c:178
|
#8 0x559593c3d6e6 in sp_cache::clear() /data/bld/11.8-asan-ubsan/sql/sp_cache.cc:318
|
#9 0x559593c3d817 in Sp_caches::sp_caches_empty() /data/bld/11.8-asan-ubsan/sql/sp_cache.cc:334
|
#10 0x55959419a5de in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/11.8-asan-ubsan/sql/sql_parse.cc:2439
|
#11 0x55959419f358 in do_command(THD*, bool) /data/bld/11.8-asan-ubsan/sql/sql_parse.cc:1416
|
#12 0x5595949e8fff in do_handle_one_connection(CONNECT*, bool) /data/bld/11.8-asan-ubsan/sql/sql_connect.cc:1504
|
#13 0x5595949ea168 in handle_one_connection /data/bld/11.8-asan-ubsan/sql/sql_connect.cc:1416
|
#14 0x559596496a93 in pfs_spawn_thread /data/bld/11.8-asan-ubsan/storage/perfschema/pfs.cc:2198
|
#15 0x7fbbb56a81c3 in start_thread nptl/pthread_create.c:442
|
|
|
previously allocated by thread T5 here:
|
#0 0x7fbbb6ab89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
|
#1 0x55959776de0c in my_malloc /data/bld/11.8-asan-ubsan/mysys/my_malloc.c:93
|
#2 0x559597740f2a in root_alloc /data/bld/11.8-asan-ubsan/mysys/my_alloc.c:66
|
#3 0x5595977414dd in init_alloc_root /data/bld/11.8-asan-ubsan/mysys/my_alloc.c:178
|
#4 0x5595948a226f in init_sql_alloc(unsigned int, st_mem_root*, unsigned int, unsigned int, unsigned long) /data/bld/11.8-asan-ubsan/sql/thr_malloc.cc:64
|
#5 0x559595f9ae53 in sp_compile /data/bld/11.8-asan-ubsan/sql/sp.cc:872
|
#6 0x559595fa1152 in Sp_handler::db_load_routine(THD*, Database_qualified_name const*, sp_head**, unsigned long long, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, st_sp_chistics const&, AUTHID const&, long long, long long, sp_package*, Stored_program_creation_ctx*) const /data/bld/11.8-asan-ubsan/sql/sp.cc:1025
|
#7 0x559595fa49d7 in Sp_handler::db_find_routine(THD*, Database_qualified_name const*, sp_head**) const /data/bld/11.8-asan-ubsan/sql/sp.cc:766
|
#8 0x559595fa4f28 in Sp_handler::db_find_and_cache_routine(THD*, Database_qualified_name const*, sp_head**) const /data/bld/11.8-asan-ubsan/sql/sp.cc:789
|
#9 0x559595fa563a in Sp_handler::sp_cache_routine(THD*, Database_qualified_name const*, sp_head**) const /data/bld/11.8-asan-ubsan/sql/sp.cc:2912
|
#10 0x559595fbe26b in Sroutine_hash_entry::sp_cache_routine(THD*, sp_head**) const /data/bld/11.8-asan-ubsan/sql/sp.cc:2872
|
#11 0x559593d9bf2e in open_and_process_routine /data/bld/11.8-asan-ubsan/sql/sql_base.cc:3887
|
#12 0x559593df4f92 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/bld/11.8-asan-ubsan/sql/sql_base.cc:4816
|
#13 0x559593df9e09 in open_tables /data/bld/11.8-asan-ubsan/sql/sql_base.h:275
|
#14 0x559593df9e09 in open_normal_and_derived_tables(THD*, TABLE_LIST*, unsigned int, unsigned int) /data/bld/11.8-asan-ubsan/sql/sql_base.cc:5848
|
#15 0x559594242208 in mysql_test_create_table /data/bld/11.8-asan-ubsan/sql/sql_prepare.cc:1732
|
#16 0x5595942779d9 in check_prepared_statement /data/bld/11.8-asan-ubsan/sql/sql_prepare.cc:2300
|
#17 0x55959427db51 in Prepared_statement::prepare(char const*, unsigned int) /data/bld/11.8-asan-ubsan/sql/sql_prepare.cc:4225
|
#18 0x55959428209e in mysql_sql_stmt_prepare(THD*) /data/bld/11.8-asan-ubsan/sql/sql_prepare.cc:2794
|
#19 0x55959416a6c9 in mysql_execute_command(THD*, bool) /data/bld/11.8-asan-ubsan/sql/sql_parse.cc:3986
|
#20 0x559594189080 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/11.8-asan-ubsan/sql/sql_parse.cc:7908
|
#21 0x55959419244d in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/11.8-asan-ubsan/sql/sql_parse.cc:1903
|
#22 0x55959419f358 in do_command(THD*, bool) /data/bld/11.8-asan-ubsan/sql/sql_parse.cc:1416
|
#23 0x5595949e8fff in do_handle_one_connection(CONNECT*, bool) /data/bld/11.8-asan-ubsan/sql/sql_connect.cc:1504
|
#24 0x5595949ea168 in handle_one_connection /data/bld/11.8-asan-ubsan/sql/sql_connect.cc:1416
|
#25 0x559596496a93 in pfs_spawn_thread /data/bld/11.8-asan-ubsan/storage/perfschema/pfs.cc:2198
|
#26 0x7fbbb56a81c3 in start_thread nptl/pthread_create.c:442
|
|
|
Thread T5 created by T0 here:
|
#0 0x7fbbb6a49726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
|
#1 0x559596492a4f in my_thread_create /data/bld/11.8-asan-ubsan/storage/perfschema/my_thread.h:38
|
#2 0x559596496f10 in pfs_spawn_thread_v1 /data/bld/11.8-asan-ubsan/storage/perfschema/pfs.cc:2249
|
#3 0x5595939d8b2b in inline_mysql_thread_create /data/bld/11.8-asan-ubsan/include/mysql/psi/mysql_thread.h:1139
|
#4 0x5595939d8b2b in create_thread_to_handle_connection(CONNECT*) /data/bld/11.8-asan-ubsan/sql/mysqld.cc:6265
|
#5 0x5595939eb63f in create_new_thread(CONNECT*) /data/bld/11.8-asan-ubsan/sql/mysqld.cc:6327
|
#6 0x5595939eb867 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/11.8-asan-ubsan/sql/mysqld.cc:6389
|
#7 0x5595939ec4a8 in handle_connections_sockets() /data/bld/11.8-asan-ubsan/sql/mysqld.cc:6501
|
#8 0x5595939ec954 in run_main_loop /data/bld/11.8-asan-ubsan/sql/mysqld.cc:5743
|
#9 0x5595939edf08 in mysqld_main(int, char**) /data/bld/11.8-asan-ubsan/sql/mysqld.cc:6166
|
#10 0x5595939bed41 in main /data/bld/11.8-asan-ubsan/sql/main.cc:34
|
#11 0x7fbbb5646249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
|
|
SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:403 in __interceptor_strnlen
|
Shadow bytes around the buggy address:
|
0x0c4a8003f090: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c4a8003f0a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c4a8003f0b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c4a8003f0c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c4a8003f0d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
=>0x0c4a8003f0e0: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c4a8003f0f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c4a8003f100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c4a8003f110: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c4a8003f120: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c4a8003f130: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
==1773797==ABORTING
|
The release build does not crash for me, but the error message sporadically looks corrupted (the name in the second message is garbled):
|
11.8 76d257e883119cb0eba7ca4a189fd0a76bbbb4b3 |
EXECUTE stmt;
|
ERROR HY000: Cannot cast 'row' as 'int' in assignment of `f`
|
EXECUTE stmt;
|
ERROR HY000: Cannot cast 'row' as 'int' in assignment of `p\007F`
|
The ASAN failure started happening in 11.8 after the following commit (between 11.8.3 and 11.8.4):
commit 21868be177fd5015bafb25dbb070d9aab25adfdf
|
Commit: Alexander Barkov
|
CommitDate: Tue Sep 9 11:43:57 2025 +0400
|
|
|
MDEV-26115 Crash when calling stored function in FOR loop argument
|
Issue Links
- is caused by
-
MDEV-26115 Crash when calling stored function in FOR loop argument
-
- Closed
-