Details
Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 11.8, 12.2, 12.3
Can result in hang or crash
Description
The stack trace is similar to MDEV-22832, but here the server crashes without changing the use_stat_tables value, and the issue only appears in 11.8+ builds.
--source include/have_innodb.inc

CREATE TABLE t (a INT,b CHAR(8),KEY(a,b)) ENGINE=INNODB;
SELECT MIN(b) FROM t WHERE b IS NULL GROUP BY a;

# cleanup
DROP TABLE t;
Leads to:
CS 12.3.0 5879c85f505d3a11d4b8f479f2437416d8a1d724 (Optimized, UBASAN, Clang 18.1.3-11) Build 15/12/2025
==185344==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5c7fc9d05fb4 at pc 0x5c7fc6458d56 bp 0x7d90f61f4be0 sp 0x7d90f61f43a0
READ of size 34 at 0x5c7fc9d05fb4 thread T10
    #0 0x5c7fc6458d55 in __asan_memcpy (/test/UBASAN_MD151225-mariadb-12.3.0-linux-x86_64-opt/bin/mariadbd+0x291ed55) (BuildId: 24478d3c56907987)
    #1 0x5c7fc9115ecf in memdup_root /test/12.3_opt_san/mysys/my_alloc.c:691:5
    #2 0x5c7fc6edef30 in Query_arena::memdup(void const*, unsigned long) const /test/12.3_opt_san/sql/sql_class.h:1364:12
    #3 0x5c7fc6edef30 in QUICK_RANGE::QUICK_RANGE(THD*, unsigned char const*, unsigned int, unsigned long, unsigned char const*, unsigned int, unsigned long, unsigned int) /test/12.3_opt_san/sql/opt_range.h:975:29
    #4 0x5c7fc6eb54f0 in QUICK_GROUP_MIN_MAX_SELECT::add_range(SEL_ARG*) /test/12.3_opt_san/sql/opt_range.cc:16266:14
    #5 0x5c7fc6eb4668 in TRP_GROUP_MIN_MAX::make_quick(PARAM*, bool, st_mem_root*) /test/12.3_opt_san/sql/opt_range.cc:15976:20
    #6 0x5c7fc6e4af78 in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool, bool, Item_func::Bitmap) /test/12.3_opt_san/sql/opt_range.cc:3205:34
    #7 0x5c7fc78cb698 in get_quick_record_count(THD*, SQL_SELECT*, TABLE*, Bitmap<64u> const*, unsigned long long, unsigned long long*) /test/12.3_opt_san/sql/sql_select.cc:5514:20
    #8 0x5c7fc77a815c in make_join_statistics(JOIN*, List<TABLE_LIST>&, st_dynamic_array*) /test/12.3_opt_san/sql/sql_select.cc:6248:15
    #9 0x5c7fc778b63b in JOIN::optimize_inner() /test/12.3_opt_san/sql/sql_select.cc:2772:7
    #10 0x5c7fc77854e8 in JOIN::optimize() /test/12.3_opt_san/sql/sql_select.cc:2025:10
    #11 0x5c7fc77668d7 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/12.3_opt_san/sql/sql_select.cc:5436:19
    #12 0x5c7fc7765270 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/12.3_opt_san/sql/sql_select.cc:636:10
    #13 0x5c7fc76420c7 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/12.3_opt_san/sql/sql_parse.cc:6172:12
    #14 0x5c7fc7622ca0 in mysql_execute_command(THD*, bool) /test/12.3_opt_san/sql/sql_parse.cc:3951:12
    #15 0x5c7fc7604c30 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/12.3_opt_san/sql/sql_parse.cc:7895:18
    #16 0x5c7fc75fbf84 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/12.3_opt_san/sql/sql_parse.cc:1878:7
    #17 0x5c7fc7606ef6 in do_command(THD*, bool) /test/12.3_opt_san/sql/sql_parse.cc:1417:17
    #18 0x5c7fc7d697ec in do_handle_one_connection(CONNECT*, bool) /test/12.3_opt_san/sql/sql_connect.cc:1503:11
    #19 0x5c7fc7d69046 in handle_one_connection /test/12.3_opt_san/sql/sql_connect.cc:1415:5
    #20 0x5c7fc645898c in asan_thread_start(void*) crtstuff.c
    #21 0x7d91afa9caa3 in start_thread nptl/pthread_create.c:447:8
    #22 0x7d91afb29c6b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

0x5c7fc9d05fb4 is located 0 bytes after global variable 'is_null_string' defined in '/test/12.3_opt_san/sql/opt_range.cc:137' (0x5c7fc9d05fa0) of size 20
SUMMARY: AddressSanitizer: global-buffer-overflow (/test/UBASAN_MD151225-mariadb-12.3.0-linux-x86_64-opt/bin/mariadbd+0x291ed55) (BuildId: 24478d3c56907987) in __asan_memcpy
[..]
Thread T10 created by T0 here:
    #0 0x5c7fc6440815 in pthread_create (/test/UBASAN_MD151225-mariadb-12.3.0-linux-x86_64-opt/bin/mariadbd+0x2906815) (BuildId: 24478d3c56907987)
    #1 0x5c7fc64ab371 in create_thread_to_handle_connection(CONNECT*) /test/12.3_opt_san/sql/mysqld.cc:6273:19
    #2 0x5c7fc64ac55a in handle_connections_sockets() /test/12.3_opt_san/sql/mysqld.cc:6509:9
    #3 0x5c7fc64aa6c0 in run_main_loop() /test/12.3_opt_san/sql/mysqld.cc:5751:3
    #4 0x5c7fc64a20d2 in mysqld_main(int, char**) /test/12.3_opt_san/sql/mysqld.cc:6174:3
    #5 0x7d91afa2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #6 0x7d91afa2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #7 0x5c7fc63c0054 in _start (/test/UBASAN_MD151225-mariadb-12.3.0-linux-x86_64-opt/bin/mariadbd+0x2886054) (BuildId: 24478d3c56907987)

==185344==ABORTING
Setup:
Compiled with a recent version of Clang and LLVM. Ubuntu instructions for Clang/LLVM 18:

# Note: It is strongly recommended to uninstall all old Clang & LLVM packages (ref dpkg --list | grep -iE 'clang|llvm' and use apt purge and dpkg --purge to remove the packages), before installing Clang/LLVM 18
sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev lld-18

Compiled with: "-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DCMAKE_C{,XX}_FLAGS='-march=native -mtune=native'" and:
-DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON

Set before execution:
export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1

SAN Bug Detection Matrix
Rel      o/d (opt/dbg)  Build (ddmmyy)  Commit                                    UniqueID observed
CS 10.6  dbg            050126          b64db51ad89d78e6a6f8bc238dd2e208b5f7aa92  No bug found
CS 10.6  opt            050126          b64db51ad89d78e6a6f8bc238dd2e208b5f7aa92  No bug found
CS 10.11 opt            050126          0ac1c08b1a72c0265fced2a1a2d0ca54c0846f0d  No bug found
CS 11.4  dbg            171225          4cff562f3f89d4df03e09233d835d0451bc37cc4  No bug found
CS 11.4  opt            171225          4cff562f3f89d4df03e09233d835d0451bc37cc4  No bug found
CS 11.8  dbg            171225          a7528a6190807281d3224e4e67a9b76083a202a6  ASAN|global-buffer-overflow|mysys/my_alloc.c|__asan_memcpy|memdup_root|Query_arena::memdup|QUICK_RANGE::QUICK_RANGE
CS 11.8  opt            171225          a7528a6190807281d3224e4e67a9b76083a202a6  ASAN|global-buffer-overflow|mysys/my_alloc.c|__asan_memcpy|memdup_root|Query_arena::memdup|QUICK_RANGE::QUICK_RANGE
CS 12.2  dbg            171225          997d0c4dfc551ea54faa1e9b7d56f3a0ff2ca849  ASAN|global-buffer-overflow|mysys/my_alloc.c|__asan_memcpy|memdup_root|Query_arena::memdup|QUICK_RANGE::QUICK_RANGE
CS 12.2  opt            171225          997d0c4dfc551ea54faa1e9b7d56f3a0ff2ca849  ASAN|global-buffer-overflow|mysys/my_alloc.c|__asan_memcpy|memdup_root|Query_arena::memdup|QUICK_RANGE::QUICK_RANGE
CS 12.3  dbg            151225          5879c85f505d3a11d4b8f479f2437416d8a1d724  ASAN|global-buffer-overflow|mysys/my_alloc.c|__asan_memcpy|memdup_root|Query_arena::memdup|QUICK_RANGE::QUICK_RANGE
CS 12.3  opt            151225          5879c85f505d3a11d4b8f479f2437416d8a1d724  ASAN|global-buffer-overflow|mysys/my_alloc.c|__asan_memcpy|memdup_root|Query_arena::memdup|QUICK_RANGE::QUICK_RANGE
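The UniqueID column above is a deduplication key derived from the sanitizer report, and the trace also states the two numbers that make this a real overflow rather than a benign read (a 34-byte READ against a 20-byte global). The following Python script is an added example, not the reporter's tooling; the key format (sanitizer tag, error kind, source file of the first in-tree frame, then the top four function names with C++ argument lists stripped) is inferred from the strings in this matrix, and the sample report is a constructed, abbreviated copy of the trace quoted in this report.

```python
import os
import re

# Constructed sample input: the AddressSanitizer report quoted in this bug,
# abbreviated to the lines the signature builder needs. The tail of the
# "Thread T10 created by" stack is kept to show the parser stops at the first stack.
SAMPLE_REPORT = """\
==185344==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5c7fc9d05fb4 at pc 0x5c7fc6458d56 bp 0x7d90f61f4be0 sp 0x7d90f61f43a0
READ of size 34 at 0x5c7fc9d05fb4 thread T10
    #0 0x5c7fc6458d55 in __asan_memcpy (/test/UBASAN_MD151225-mariadb-12.3.0-linux-x86_64-opt/bin/mariadbd+0x291ed55) (BuildId: 24478d3c56907987)
    #1 0x5c7fc9115ecf in memdup_root /test/12.3_opt_san/mysys/my_alloc.c:691:5
    #2 0x5c7fc6edef30 in Query_arena::memdup(void const*, unsigned long) const /test/12.3_opt_san/sql/sql_class.h:1364:12
    #3 0x5c7fc6edef30 in QUICK_RANGE::QUICK_RANGE(THD*, unsigned char const*, unsigned int, unsigned long, unsigned char const*, unsigned int, unsigned long, unsigned int) /test/12.3_opt_san/sql/opt_range.h:975:29
    #4 0x5c7fc6eb54f0 in QUICK_GROUP_MIN_MAX_SELECT::add_range(SEL_ARG*) /test/12.3_opt_san/sql/opt_range.cc:16266:14
0x5c7fc9d05fb4 is located 0 bytes after global variable 'is_null_string' defined in '/test/12.3_opt_san/sql/opt_range.cc:137' (0x5c7fc9d05fa0) of size 20
SUMMARY: AddressSanitizer: global-buffer-overflow (/test/UBASAN_MD151225-mariadb-12.3.0-linux-x86_64-opt/bin/mariadbd+0x291ed55) (BuildId: 24478d3c56907987) in __asan_memcpy
Thread T10 created by T0 here:
    #0 0x5c7fc6440815 in pthread_create (/test/UBASAN_MD151225-mariadb-12.3.0-linux-x86_64-opt/bin/mariadbd+0x2906815) (BuildId: 24478d3c56907987)
    #1 0x5c7fc64ab371 in create_thread_to_handle_connection(CONNECT*) /test/12.3_opt_san/sql/mysqld.cc:6273:19
"""

ERROR_RE = re.compile(r"^==\d+==ERROR:\s+(\w+Sanitizer):\s+(\S+)")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.*?)\s*$")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at")
GLOBAL_RE = re.compile(r"is located (\d+) bytes after global variable '([^']+)' .* of size (\d+)")
SANITIZER_TAGS = {"AddressSanitizer": "ASAN", "UndefinedBehaviorSanitizer": "UBSAN",
                  "MemorySanitizer": "MSAN", "ThreadSanitizer": "TSAN"}


def parse_frame(rest):
    """Split the text after '#N 0x... in' into (function, source_path_or_None)."""
    rest = re.sub(r"\s*\(BuildId: [0-9a-fA-F]+\)\s*$", "", rest)
    # The location is the last token: /path/file.c:line:col, or (module+0xoffset)
    # for frames without debug info such as the interceptor __asan_memcpy.
    head, _, loc = rest.rpartition(" ")
    if not head:
        return loc, None
    m = re.match(r"(/\S+?):\d+(?::\d+)?$", loc)
    src = m.group(1) if m else None
    func = head.split("(", 1)[0].strip()  # drop the C++ argument list and 'const'
    return func, src


def parse_report(text):
    """Return ((sanitizer, error_kind), [(function, source), ...]) for the first stack."""
    error, frames = None, []
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m and error is None:
            error = (m.group(1), m.group(2))
            continue
        m = FRAME_RE.match(line)
        if m and error is not None:
            if int(m.group(1)) == 0 and frames:
                break  # a second stack (allocation site, thread creation) begins here
            frames.append(parse_frame(m.group(2)))
    if error is None or not frames:
        raise ValueError("no sanitizer error with a stack found")
    return error, frames


def source_relative(path, all_sources):
    """Strip the checkout prefix shared by all source frames (assumed layout:
    <build root>/<subdir>/<file>), so the key does not depend on where the tree lives."""
    root = os.path.commonpath([os.path.dirname(p) for p in all_sources])
    return os.path.relpath(path, root)


def signature(text, depth=4):
    """Build the dedup key: TAG|kind|first in-tree file|top `depth` function names."""
    (sanitizer, kind), frames = parse_report(text)
    sources = [src for _, src in frames if src]
    first_src = source_relative(sources[0], sources) if sources else "?"
    funcs = [func for func, _ in frames[:depth]]
    return "|".join([SANITIZER_TAGS.get(sanitizer, sanitizer), kind, first_src, *funcs])


def overflow_details(text):
    """Extract access size and the overrun global's size so the overrun is quantified."""
    d = {}
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            d["access"], d["access_size"] = m.group(1), int(m.group(2))
        m = GLOBAL_RE.search(line)
        if m:
            d["offset"], d["variable"], d["variable_size"] = int(m.group(1)), m.group(2), int(m.group(3))
    return d


if __name__ == "__main__":
    print(signature(SAMPLE_REPORT))
    print(overflow_details(SAMPLE_REPORT))
```

Run against the sample, `signature()` reproduces the matrix string for the 11.8/12.2/12.3 rows, and `overflow_details()` reports a 34-byte READ at offset 0 past `is_null_string`, which is 20 bytes, i.e. 14 bytes read beyond the global. Keying on four frames with argument lists removed is what makes the same defect match across opt and dbg builds and across inlining differences; keying on frame addresses or the BuildId would not.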