[MDEV-38474] Double free or corruption, ASAN heap-use-after-free in st_join_table::cleanup - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.11, 11.4, 11.8, 12.2, 12.3
Fix Version/s: 12.3.2, 11.4.11, 11.8.7
Component/s: Optimizer
Labels:
- regression

Bug Category:
Can result in hang or crash

Description

Note that there are two test cases in the code block below, make sure they both pass before closing. I also recommend adding both to the regression suite.

# Test case 1, fails on 10.11+

CREATE TABLE t1 (a INT);

CREATE TABLE t2 (b INT);

CREATE TABLE t3 (c INT);

# Inserts are optional, fails with and without data

INSERT INTO t1 VALUES (1),(2);

INSERT INTO t2 VALUES (3),(4);

INSERT INTO t3 VALUES (5),(6);

EXPLAIN SELECT * FROM t1 WHERE a IN (SELECT b FROM t2 WHERE a IN ((SELECT c FROM t3 WHERE FALSE HAVING c < 0)));

DROP TABLE t1, t2, t3;

# Test case 2, fails on 11.4 but not on 10.11

CREATE TABLE t1 (a INT);

CREATE TABLE t2 (b INT);

CREATE TABLE t3 (c INT);

CREATE TABLE t4 (d INT PRIMARY KEY);

SET SQL_SAFE_UPDATES=1;

--error ER_UPDATE_WITHOUT_KEY_IN_SAFE_MODE

UPDATE t1 STRAIGHT_JOIN t2 SET a = 89 WHERE 9 IN (SELECT c FROM t3 WHERE c IN (SELECT MAX(d) FROM t4));

DROP TABLE t1, t2, t3, t4;

Stack trace from the 1st test case, with EXPLAIN SELECT:

10.11 09657805d04dfe6dfe33fb4b3003e06b29c835bd
==4034058==ERROR: AddressSanitizer: heap-use-after-free on address 0x62d000276440 at pc 0x562178cf71ab bp 0x7f2713f738e0 sp 0x7f2713f738d8
READ of size 8 at 0x62d000276440 thread T5
#0 0x562178cf71aa in st_join_table::cleanup() /data/bld/10.11-asan-ubsan/sql/sql_select.cc:15522
#1 0x562178d63e23 in JOIN::cleanup(bool) /data/bld/10.11-asan-ubsan/sql/sql_select.cc:15998
#2 0x562178d64fc5 in JOIN::destroy() /data/bld/10.11-asan-ubsan/sql/sql_select.cc:5052
#3 0x56217909f2c0 in st_select_lex::cleanup() /data/bld/10.11-asan-ubsan/sql/sql_union.cc:2835
#4 0x5621790a0300 in st_select_lex_unit::cleanup() /data/bld/10.11-asan-ubsan/sql/sql_union.cc:2641
#5 0x562178b0c16a in mysql_execute_command(THD*, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:6230
#6 0x562178b10069 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:8223
#7 0x562178b19416 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:1924
#8 0x562178b2611b in do_command(THD*, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:1434
#9 0x56217932285d in do_handle_one_connection(CONNECT*, bool) /data/bld/10.11-asan-ubsan/sql/sql_connect.cc:1475
#10 0x5621793239ba in handle_one_connection /data/bld/10.11-asan-ubsan/sql/sql_connect.cc:1387
#11 0x56217aca8458 in pfs_spawn_thread /data/bld/10.11-asan-ubsan/storage/perfschema/pfs.cc:2201
#12 0x7f271e0a81c3 in start_thread nptl/pthread_create.c:442
#13 0x7f271e12885b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x62d000276440 is located 64 bytes inside of 32760-byte region [0x62d000276400,0x62d00027e3f8)
freed by thread T5 here:
#0 0x7f271f4b76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
#1 0x56217bf6322f in my_free /data/bld/10.11-asan-ubsan/mysys/my_malloc.c:217
#2 0x56217bf36b67 in root_free /data/bld/10.11-asan-ubsan/mysys/my_alloc.c:77
#3 0x56217bf38c43 in free_root /data/bld/10.11-asan-ubsan/mysys/my_alloc.c:517
#4 0x562178cf6388 in free_tmp_table(THD, TABLE) /data/bld/10.11-asan-ubsan/sql/sql_select.cc:22363
#5 0x562179543717 in cleanup_empty_jtbm_semi_joins(JOIN, List<TABLE_LIST>) /data/bld/10.11-asan-ubsan/sql/opt_subselect.cc:6487
#6 0x562178d64380 in JOIN::cleanup(bool) /data/bld/10.11-asan-ubsan/sql/sql_select.cc:16035
#7 0x562178d64fc5 in JOIN::destroy() /data/bld/10.11-asan-ubsan/sql/sql_select.cc:5052
#8 0x56217909f2c0 in st_select_lex::cleanup() /data/bld/10.11-asan-ubsan/sql/sql_union.cc:2835
#9 0x5621790a0300 in st_select_lex_unit::cleanup() /data/bld/10.11-asan-ubsan/sql/sql_union.cc:2641
#10 0x56217899ac3f in st_select_lex_unit::cleanup_stranded_units() /data/bld/10.11-asan-ubsan/sql/sql_lex.cc:2998
#11 0x56217909fa83 in st_select_lex_unit::cleanup() /data/bld/10.11-asan-ubsan/sql/sql_union.cc:2601
#12 0x562178b0c16a in mysql_execute_command(THD*, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:6230
#13 0x562178b10069 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:8223
#14 0x562178b19416 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:1924
#15 0x562178b2611b in do_command(THD*, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:1434
#16 0x56217932285d in do_handle_one_connection(CONNECT*, bool) /data/bld/10.11-asan-ubsan/sql/sql_connect.cc:1475
#17 0x5621793239ba in handle_one_connection /data/bld/10.11-asan-ubsan/sql/sql_connect.cc:1387
#18 0x56217aca8458 in pfs_spawn_thread /data/bld/10.11-asan-ubsan/storage/perfschema/pfs.cc:2201
#19 0x7f271e0a81c3 in start_thread nptl/pthread_create.c:442

previously allocated by thread T5 here:
#0 0x7f271f4b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x56217bf62ad5 in my_malloc /data/bld/10.11-asan-ubsan/mysys/my_malloc.c:92
#2 0x56217bf369f3 in root_alloc /data/bld/10.11-asan-ubsan/mysys/my_alloc.c:66
#3 0x56217bf36fa6 in init_alloc_root /data/bld/10.11-asan-ubsan/mysys/my_alloc.c:178
#4 0x5621791e6c8c in init_sql_alloc(unsigned int, st_mem_root*, unsigned int, unsigned int, unsigned long) /data/bld/10.11-asan-ubsan/sql/thr_malloc.cc:64
#5 0x562178ce5dcd in Create_tmp_table::start(THD, TMP_TABLE_PARAM, st_mysql_const_lex_string const*) /data/bld/10.11-asan-ubsan/sql/sql_select.cc:20737
#6 0x562178d8678f in create_tmp_table(THD, TMP_TABLE_PARAM, List<Item>&, st_order, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const, bool, bool) /data/bld/10.11-asan-ubsan/sql/sql_select.cc:21598
#7 0x562179539250 in create_dummy_tmp_table(THD*) /data/bld/10.11-asan-ubsan/sql/opt_subselect.cc:5826
#8 0x562179540d84 in execute_degenerate_jtbm_semi_join(THD, TABLE_LIST, Item_in_subselect*, List<Item>&) /data/bld/10.11-asan-ubsan/sql/opt_subselect.cc:6268
#9 0x5621795424cf in setup_jtbm_semi_joins(JOIN, List<TABLE_LIST>, List<Item>&) /data/bld/10.11-asan-ubsan/sql/opt_subselect.cc:6422
#10 0x56217954321c in setup_jtbm_semi_joins(JOIN, List<TABLE_LIST>, List<Item>&) /data/bld/10.11-asan-ubsan/sql/opt_subselect.cc:6451
#11 0x562178e155b9 in JOIN::optimize_inner() /data/bld/10.11-asan-ubsan/sql/sql_select.cc:2456
#12 0x562178e1939d in JOIN::optimize() /data/bld/10.11-asan-ubsan/sql/sql_select.cc:1967
#13 0x562178e1a748 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/bld/10.11-asan-ubsan/sql/sql_select.cc:5271
#14 0x562178e1d83b in mysql_explain_union(THD, st_select_lex_unit, select_result*) /data/bld/10.11-asan-ubsan/sql/sql_select.cc:30248
#15 0x562178aa8c03 in execute_sqlcom_select /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:6402
#16 0x562178aee00a in mysql_execute_command(THD*, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:4042
#17 0x562178b10069 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:8223
#18 0x562178b19416 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:1924
#19 0x562178b2611b in do_command(THD*, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:1434
#20 0x56217932285d in do_handle_one_connection(CONNECT*, bool) /data/bld/10.11-asan-ubsan/sql/sql_connect.cc:1475
#21 0x5621793239ba in handle_one_connection /data/bld/10.11-asan-ubsan/sql/sql_connect.cc:1387
#22 0x56217aca8458 in pfs_spawn_thread /data/bld/10.11-asan-ubsan/storage/perfschema/pfs.cc:2201
#23 0x7f271e0a81c3 in start_thread nptl/pthread_create.c:442

Thread T5 created by T0 here:
#0 0x7f271f449726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
#1 0x56217ac9dd24 in my_thread_create /data/bld/10.11-asan-ubsan/storage/perfschema/my_thread.h:52
#2 0x56217aca564c in pfs_spawn_thread_v1 /data/bld/10.11-asan-ubsan/storage/perfschema/pfs.cc:2252
#3 0x562178370118 in inline_mysql_thread_create /data/bld/10.11-asan-ubsan/include/mysql/psi/mysql_thread.h:1139
#4 0x562178370118 in create_thread_to_handle_connection(CONNECT*) /data/bld/10.11-asan-ubsan/sql/mysqld.cc:6146
#5 0x562178381fa2 in create_new_thread(CONNECT*) /data/bld/10.11-asan-ubsan/sql/mysqld.cc:6205
#6 0x5621783821c0 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/10.11-asan-ubsan/sql/mysqld.cc:6267
#7 0x562178382e01 in handle_connections_sockets() /data/bld/10.11-asan-ubsan/sql/mysqld.cc:6390
#8 0x5621783832ad in run_main_loop /data/bld/10.11-asan-ubsan/sql/mysqld.cc:5646
#9 0x562178384673 in mysqld_main(int, char**) /data/bld/10.11-asan-ubsan/sql/mysqld.cc:6047
#10 0x562178357931 in main /data/bld/10.11-asan-ubsan/sql/main.cc:34
#11 0x7f271e046249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-use-after-free /data/bld/10.11-asan-ubsan/sql/sql_select.cc:15522 in st_join_table::cleanup()
Shadow bytes around the buggy address:
0x0c5a80046c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5a80046c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5a80046c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5a80046c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5a80046c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c5a80046c80: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
0x0c5a80046c90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c5a80046ca0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c5a80046cb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c5a80046cc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c5a80046cd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==4034058==ABORTING

Stack trace from the second test case, with UPDATE:

11.4 ASAN 678ff03ee7fca139454ce469aa448795f525cc00
==3499718==ERROR: AddressSanitizer: heap-use-after-free on address 0x62d000276440 at pc 0x55fb80934969 bp 0x7ff4835f42f0 sp 0x7ff4835f42e8
READ of size 8 at 0x62d000276440 thread T5
#0 0x55fb80934968 in st_join_table::cleanup() /data/bld/11.4-asan-ubsan/sql/sql_select.cc:16600
#1 0x55fb809a1191 in JOIN::cleanup(bool) /data/bld/11.4-asan-ubsan/sql/sql_select.cc:17155
#2 0x55fb809a22d9 in JOIN::destroy() /data/bld/11.4-asan-ubsan/sql/sql_select.cc:5132
#3 0x55fb80cfe286 in st_select_lex::cleanup() /data/bld/11.4-asan-ubsan/sql/sql_union.cc:2925
#4 0x55fb80cff44b in st_select_lex_unit::cleanup() /data/bld/11.4-asan-ubsan/sql/sql_union.cc:2731
#5 0x55fb808bc041 in Sql_cmd_dml::execute(THD*) /data/bld/11.4-asan-ubsan/sql/sql_select.cc:34575
#6 0x55fb8072cba7 in mysql_execute_command(THD*, bool) /data/bld/11.4-asan-ubsan/sql/sql_parse.cc:4436
#7 0x55fb80747270 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/bld/11.4-asan-ubsan/sql/sql_parse.cc:7945
#8 0x55fb80750660 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/bld/11.4-asan-ubsan/sql/sql_parse.cc:1923
#9 0x55fb8075d369 in do_command(THD*, bool) /data/bld/11.4-asan-ubsan/sql/sql_parse.cc:1433
#10 0x55fb80f85f69 in do_handle_one_connection(CONNECT*, bool) /data/bld/11.4-asan-ubsan/sql/sql_connect.cc:1497
#11 0x55fb80f870c6 in handle_one_connection /data/bld/11.4-asan-ubsan/sql/sql_connect.cc:1409
#12 0x55fb829d72ac in pfs_spawn_thread /data/bld/11.4-asan-ubsan/storage/perfschema/pfs.cc:2201
#13 0x7ff48eaa81c3 in start_thread nptl/pthread_create.c:442
#14 0x7ff48eb2885b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x62d000276440 is located 64 bytes inside of 32760-byte region [0x62d000276400,0x62d00027e3f8)
freed by thread T5 here:
#0 0x7ff48feb76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
#1 0x55fb83c91843 in my_free /data/bld/11.4-asan-ubsan/mysys/my_malloc.c:218
#2 0x55fb83c64bc4 in root_free /data/bld/11.4-asan-ubsan/mysys/my_alloc.c:77
#3 0x55fb83c66ca0 in free_root /data/bld/11.4-asan-ubsan/mysys/my_alloc.c:517
#4 0x55fb80933c88 in free_tmp_table(THD, TABLE) /data/bld/11.4-asan-ubsan/sql/sql_select.cc:23596
#5 0x55fb811b3225 in cleanup_empty_jtbm_semi_joins(JOIN, List<TABLE_LIST>) /data/bld/11.4-asan-ubsan/sql/opt_subselect.cc:6677
#6 0x55fb809a16ee in JOIN::cleanup(bool) /data/bld/11.4-asan-ubsan/sql/sql_select.cc:17192
#7 0x55fb809a22d9 in JOIN::destroy() /data/bld/11.4-asan-ubsan/sql/sql_select.cc:5132
#8 0x55fb80cfe286 in st_select_lex::cleanup() /data/bld/11.4-asan-ubsan/sql/sql_union.cc:2925
#9 0x55fb80cff44b in st_select_lex_unit::cleanup() /data/bld/11.4-asan-ubsan/sql/sql_union.cc:2731
#10 0x55fb805d485d in st_select_lex_unit::cleanup_stranded_units() /data/bld/11.4-asan-ubsan/sql/sql_lex.cc:3027
#11 0x55fb80cfebb1 in st_select_lex_unit::cleanup() /data/bld/11.4-asan-ubsan/sql/sql_union.cc:2691
#12 0x55fb808bc041 in Sql_cmd_dml::execute(THD*) /data/bld/11.4-asan-ubsan/sql/sql_select.cc:34575
#13 0x55fb8072cba7 in mysql_execute_command(THD*, bool) /data/bld/11.4-asan-ubsan/sql/sql_parse.cc:4436
#14 0x55fb80747270 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/bld/11.4-asan-ubsan/sql/sql_parse.cc:7945
#15 0x55fb80750660 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/bld/11.4-asan-ubsan/sql/sql_parse.cc:1923
#16 0x55fb8075d369 in do_command(THD*, bool) /data/bld/11.4-asan-ubsan/sql/sql_parse.cc:1433
#17 0x55fb80f85f69 in do_handle_one_connection(CONNECT*, bool) /data/bld/11.4-asan-ubsan/sql/sql_connect.cc:1497
#18 0x55fb80f870c6 in handle_one_connection /data/bld/11.4-asan-ubsan/sql/sql_connect.cc:1409
#19 0x55fb829d72ac in pfs_spawn_thread /data/bld/11.4-asan-ubsan/storage/perfschema/pfs.cc:2201
#20 0x7ff48eaa81c3 in start_thread nptl/pthread_create.c:442

previously allocated by thread T5 here:
#0 0x7ff48feb89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x55fb83c910e9 in my_malloc /data/bld/11.4-asan-ubsan/mysys/my_malloc.c:93
#2 0x55fb83c64a50 in root_alloc /data/bld/11.4-asan-ubsan/mysys/my_alloc.c:66
#3 0x55fb83c65003 in init_alloc_root /data/bld/11.4-asan-ubsan/mysys/my_alloc.c:178
#4 0x55fb80e48bde in init_sql_alloc(unsigned int, st_mem_root*, unsigned int, unsigned int, unsigned long) /data/bld/11.4-asan-ubsan/sql/thr_malloc.cc:64
#5 0x55fb80922d26 in Create_tmp_table::start(THD, TMP_TABLE_PARAM, st_mysql_const_lex_string const*) /data/bld/11.4-asan-ubsan/sql/sql_select.cc:21928
#6 0x55fb809c43a4 in create_tmp_table(THD, TMP_TABLE_PARAM, List<Item>&, st_order, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const, bool, bool) /data/bld/11.4-asan-ubsan/sql/sql_select.cc:22802
#7 0x55fb811a8d4e in create_dummy_tmp_table(THD*) /data/bld/11.4-asan-ubsan/sql/opt_subselect.cc:6016
#8 0x55fb811b0892 in execute_degenerate_jtbm_semi_join(THD, TABLE_LIST, Item_in_subselect*, List<Item>&) /data/bld/11.4-asan-ubsan/sql/opt_subselect.cc:6458
#9 0x55fb811b1fdd in setup_jtbm_semi_joins(JOIN, List<TABLE_LIST>, List<Item>&) /data/bld/11.4-asan-ubsan/sql/opt_subselect.cc:6612
#10 0x55fb811b2d2a in setup_jtbm_semi_joins(JOIN, List<TABLE_LIST>, List<Item>&) /data/bld/11.4-asan-ubsan/sql/opt_subselect.cc:6641
#11 0x55fb80a5d01f in JOIN::optimize_inner() /data/bld/11.4-asan-ubsan/sql/sql_select.cc:2521
#12 0x55fb80a61030 in JOIN::optimize() /data/bld/11.4-asan-ubsan/sql/sql_select.cc:2016
#13 0x55fb80a6c6c1 in Sql_cmd_dml::execute_inner(THD*) /data/bld/11.4-asan-ubsan/sql/sql_select.cc:34624
#14 0x55fb80d81349 in Sql_cmd_update::execute_inner(THD*) /data/bld/11.4-asan-ubsan/sql/sql_update.cc:3129
#15 0x55fb808bc01d in Sql_cmd_dml::execute(THD*) /data/bld/11.4-asan-ubsan/sql/sql_select.cc:34568
#16 0x55fb8072cba7 in mysql_execute_command(THD*, bool) /data/bld/11.4-asan-ubsan/sql/sql_parse.cc:4436
#17 0x55fb80747270 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/bld/11.4-asan-ubsan/sql/sql_parse.cc:7945
#18 0x55fb80750660 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/bld/11.4-asan-ubsan/sql/sql_parse.cc:1923
#19 0x55fb8075d369 in do_command(THD*, bool) /data/bld/11.4-asan-ubsan/sql/sql_parse.cc:1433
#20 0x55fb80f85f69 in do_handle_one_connection(CONNECT*, bool) /data/bld/11.4-asan-ubsan/sql/sql_connect.cc:1497
#21 0x55fb80f870c6 in handle_one_connection /data/bld/11.4-asan-ubsan/sql/sql_connect.cc:1409
#22 0x55fb829d72ac in pfs_spawn_thread /data/bld/11.4-asan-ubsan/storage/perfschema/pfs.cc:2201
#23 0x7ff48eaa81c3 in start_thread nptl/pthread_create.c:442

Thread T5 created by T0 here:
#0 0x7ff48fe49726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
#1 0x55fb829ccb78 in my_thread_create /data/bld/11.4-asan-ubsan/storage/perfschema/my_thread.h:52
#2 0x55fb829d44a0 in pfs_spawn_thread_v1 /data/bld/11.4-asan-ubsan/storage/perfschema/pfs.cc:2252
#3 0x55fb7ffc3912 in inline_mysql_thread_create /data/bld/11.4-asan-ubsan/include/mysql/psi/mysql_thread.h:1139
#4 0x55fb7ffc3912 in create_thread_to_handle_connection(CONNECT*) /data/bld/11.4-asan-ubsan/sql/mysqld.cc:6177
#5 0x55fb7ffd5a19 in create_new_thread(CONNECT*) /data/bld/11.4-asan-ubsan/sql/mysqld.cc:6239
#6 0x55fb7ffd5c37 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/11.4-asan-ubsan/sql/mysqld.cc:6301
#7 0x55fb7ffd6878 in handle_connections_sockets() /data/bld/11.4-asan-ubsan/sql/mysqld.cc:6413
#8 0x55fb7ffd6d24 in run_main_loop /data/bld/11.4-asan-ubsan/sql/mysqld.cc:5656
#9 0x55fb7ffd82c7 in mysqld_main(int, char**) /data/bld/11.4-asan-ubsan/sql/mysqld.cc:6078
#10 0x55fb7ffaaad1 in main /data/bld/11.4-asan-ubsan/sql/main.cc:34
#11 0x7ff48ea46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-use-after-free /data/bld/11.4-asan-ubsan/sql/sql_select.cc:16600 in st_join_table::cleanup()
Shadow bytes around the buggy address:
0x0c5a80046c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5a80046c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5a80046c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5a80046c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5a80046c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c5a80046c80: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
0x0c5a80046c90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c5a80046ca0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c5a80046cb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c5a80046cc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c5a80046cd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3499718==ABORTING

11.4 678ff03ee7fca139454ce469aa448795f525cc00 RelWithDebInfo
double free or corruption (out)
260103 20:19:38 [ERROR] /share8t/bld/11.4-rel/sql/mariadbd got signal 6 ;

The failures started happening after this commit in 10.11.15:

commit 34a8209d66579d71d2a6fb6d154473693152117d

Author: Dave Gosselin

Date:   Fri Sep 19 13:17:06 2025 -0400

    MDEV-35816 ASAN use-after-poison in st_select_lex::print

Since the UPDATE variation is only reproducible on 11.4, it started happening after the corresponding merge in 11.4.

Attachments

Issue Links

is caused by

MDEV-35816 ASAN: use-after-poison in st_select_lex::print

Closed

is duplicated by

MDEV-38706 Double free or corruption, ASAN errors in st_join_table::cleanup

Closed

Activity

People

Assignee:: Dave Gosselin

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2026-01-03 18:26

Updated:: 2026-03-09 15:38

Resolved:: 2026-03-09 15:37

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.