MariaDB Server / MDEV-38669

ASAN use-after-poison in Item_func_collect::add


Details

    • Type: Bug
    • Status: Confirmed
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version: 12.2
    • Fix Version: 12.2
    • Component: GIS
    • Labels: None

    Description

      SELECT st_collect('');
      

      Version: '12.2.2-MariaDB-asan-debug-log'  d640758b9478f4da9ac0023b1ac389ffc23aa9bb
      =================================================================
      ==1308714==ERROR: AddressSanitizer: use-after-poison on address 0x52d0001729c8 at pc 0x63094af2168d bp 0x74201e9f4320 sp 0x74201e9f4310
      READ of size 4 at 0x52d0001729c8 thread T11
          #0 0x63094af2168c in Item_func_collect::add() /12.2/src/sql/item_sum.cc:4648
          #1 0x63094af23fab in Aggregator_simple::add() /12.2/src/sql/item_sum.h:736
          #2 0x630949e40d13 in Item_sum::aggregator_add() /12.2/src/sql/item_sum.h:569
          #3 0x630949e40b63 in Item_sum::reset_and_add() /12.2/src/sql/item_sum.h:451
          #4 0x63094a38ee8b in init_sum_functions /12.2/src/sql/sql_select.cc:30151
          #5 0x63094a371cfa in end_send_group(JOIN*, st_join_table*, bool) /12.2/src/sql/sql_select.cc:26160
          #6 0x63094a361a50 in do_select /12.2/src/sql/sql_select.cc:23998
          #7 0x63094a2d884e in JOIN::exec_inner() /12.2/src/sql/sql_select.cc:5130
          #8 0x63094a2d5d5f in JOIN::exec() /12.2/src/sql/sql_select.cc:4918
          #9 0x63094a2da3e6 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /12.2/src/sql/sql_select.cc:5444
          #10 0x63094a2a7039 in handle_select(THD*, LEX*, select_result*, unsigned long long) /12.2/src/sql/sql_select.cc:636
          #11 0x63094a1bf6b1 in execute_sqlcom_select /12.2/src/sql/sql_parse.cc:6210
          #12 0x63094a1aed2e in mysql_execute_command(THD*, bool) /12.2/src/sql/sql_parse.cc:3967
          #13 0x63094a1ca7c8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /12.2/src/sql/sql_parse.cc:7932
          #14 0x63094a1a06e4 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /12.2/src/sql/sql_parse.cc:1896
          #15 0x63094a19d374 in do_command(THD*, bool) /12.2/src/sql/sql_parse.cc:1432
          #16 0x63094a6c6ecd in do_handle_one_connection(CONNECT*, bool) /12.2/src/sql/sql_connect.cc:1503
          #17 0x63094a6c6a20 in handle_one_connection /12.2/src/sql/sql_connect.cc:1415
          #18 0x63094b4a8f6b in pfs_spawn_thread /12.2/src/storage/perfschema/pfs.cc:2198
          #19 0x74203765ea41 in asan_thread_start ../../../../src/libsanitizer/asan/asan_interceptors.cpp:234
          #20 0x74203669caa3 in start_thread nptl/pthread_create.c:447
          #21 0x742036729c6b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
       
      0x52d0001729c8 is located 1480 bytes inside of 32760-byte region [0x52d000172400,0x52d00017a3f8)
      allocated by thread T11 here:
          #0 0x7420376fd9c7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
          #1 0x63094c2fde7c in my_malloc /12.2/src/mysys/my_malloc.c:93
          #2 0x63094c2cedae in root_alloc /12.2/src/mysys/my_alloc.c:66
          #3 0x63094c2cfdcb in reset_root_defaults /12.2/src/mysys/my_alloc.c:247
          #4 0x63094a02dbe8 in THD::init_for_queries() /12.2/src/sql/sql_class.cc:1552
          #5 0x63094a6c62c1 in prepare_new_connection_state(THD*) /12.2/src/sql/sql_connect.cc:1341
          #6 0x63094a6c6aa5 in thd_prepare_connection(THD*) /12.2/src/sql/sql_connect.cc:1436
          #7 0x63094a6c6e91 in do_handle_one_connection(CONNECT*, bool) /12.2/src/sql/sql_connect.cc:1493
          #8 0x63094a6c6a20 in handle_one_connection /12.2/src/sql/sql_connect.cc:1415
          #9 0x63094b4a8f6b in pfs_spawn_thread /12.2/src/storage/perfschema/pfs.cc:2198
          #10 0x74203765ea41 in asan_thread_start ../../../../src/libsanitizer/asan/asan_interceptors.cpp:234
          #11 0x74203669caa3 in start_thread nptl/pthread_create.c:447
       
      Thread T11 created by T0 here:
          #0 0x7420376f51f9 in pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:245
          #1 0x63094b4a4b8f in my_thread_create /12.2/src/storage/perfschema/my_thread.h:38
          #2 0x63094b4a935e in pfs_spawn_thread_v1 /12.2/src/storage/perfschema/pfs.cc:2249
          #3 0x630949d675bb in inline_mysql_thread_create /12.2/src/include/mysql/psi/mysql_thread.h:1139
          #4 0x630949d815c4 in create_thread_to_handle_connection(CONNECT*) /12.2/src/sql/mysqld.cc:6280
          #5 0x630949d81c2f in create_new_thread(CONNECT*) /12.2/src/sql/mysqld.cc:6342
          #6 0x630949d81f5c in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /12.2/src/sql/mysqld.cc:6404
          #7 0x630949d82c6d in handle_connections_sockets() /12.2/src/sql/mysqld.cc:6516
          #8 0x630949d7f5e2 in run_main_loop /12.2/src/sql/mysqld.cc:5758
          #9 0x630949d80dfa in mysqld_main(int, char**) /12.2/src/sql/mysqld.cc:6181
          #10 0x630949d6685c in main /12.2/src/sql/main.cc:34
          #11 0x74203662a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
          #12 0x74203662a28a in __libc_start_main_impl ../csu/libc-start.c:360
          #13 0x630949d66774 in _start (/12.2-bld/sql/mariadbd+0x1c8d774) (BuildId: 17dcae8c926cfc9fa93d9997184236ecff620c76)
       
      SUMMARY: AddressSanitizer: use-after-poison /12.2/src/sql/item_sum.cc:4648 in Item_func_collect::add()
      Shadow bytes around the buggy address:
        0x52d000172700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x52d000172780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x52d000172800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x52d000172880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x52d000172900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x52d000172980: 00 00 00 00 00 f7 00 00 f7[01]f7 00 00 00 00 00
        0x52d000172a00: 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 00
        0x52d000172a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x52d000172b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x52d000172b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 00
        0x52d000172c00: 00 f7 00 00 00 00 00 03 f7 00 00 f7 00 00 00 00
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==1308714==ABORTING
      

      On a non-debug build it returns NULL.
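The report's `=>` shadow line is enough to see why this read is flagged. Each shadow byte covers 8 application bytes, so the tenth byte of the row starting at 0x52d000172980 describes the granule at 0x52d0001729c8, the faulting address (1480 bytes into a MEM_ROOT block allocated through root_alloc, per the allocation stack). That byte is 01: only the first byte of the granule is addressable, and the neighbouring granules are f7, "poisoned by user", i.e. memory the program itself marked off-limits through the sanitizer API. A 4-byte read therefore touches three poisoned bytes. The following C model, added here and not part of the MariaDB report or source tree, reimplements that decoding on the shadow row copied from the report; the classification rules follow AddressSanitizer's own (for a partially addressable granule the next shadow byte names the bug), and `ROW_BASE`, `shadow_row` and `classify_read` are names chosen for this example.

```c
/* Added example, not from the MariaDB report: a miniature model of
 * AddressSanitizer's shadow memory, fed the shadow row printed in the
 * report, to show why a 4-byte read at 0x52d0001729c8 is reported as
 * use-after-poison while a 1-byte read at the same address would pass. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Shadow values, as in the legend at the bottom of the ASAN report. */
#define SHADOW_ADDRESSABLE       0x00
#define SHADOW_POISONED_BY_USER  0xf7
#define SHADOW_HEAP_LEFT_REDZONE 0xfa
#define SHADOW_FREED_HEAP        0xfd

/* One 16-byte shadow row covers 128 application bytes. The row below is
 * the "=>" line of the report; its first application address is
 * 0x52d000172980 (constants named for this example). */
#define ROW_BASE 0x52d000172980ULL
static const uint8_t shadow_row[16] = {
    0x00, 0x00, 0x00, 0x00, 0x00, 0xf7, 0x00, 0x00,
    0xf7, 0x01, 0xf7, 0x00, 0x00, 0x00, 0x00, 0x00 };

/* Map an application address to its shadow byte (one shadow byte per
 * 8 application bytes). Returns -1 if the address is outside the row. */
static int shadow_at(uint64_t addr)
{
    if (addr < ROW_BASE || addr >= ROW_BASE + 128) return -1;
    return shadow_row[(addr - ROW_BASE) >> 3];
}

/* Is the single byte at addr addressable? 00 means the whole granule is,
 * k in 1..7 means only its first k bytes are, 0x80 and above means none. */
static int byte_ok(uint64_t addr)
{
    int s = shadow_at(addr);
    if (s < 0) return 0;
    if (s == SHADOW_ADDRESSABLE) return 1;
    if (s < 8) return (int)(addr & 7) < s;
    return 0;
}

/* Classify a read of `size` bytes at addr the way ASAN does: find the first
 * bad byte, then name the bug from its shadow value; for a partially
 * addressable granule the next shadow byte decides (ASAN's own rule). */
const char *classify_read(uint64_t addr, size_t size)
{
    for (size_t i = 0; i < size; i++) {
        uint64_t a = addr + i;
        if (byte_ok(a)) continue;
        int s = shadow_at(a);
        if (s > 0 && s < 8) s = shadow_at(a + 8);   /* look at next granule */
        switch (s) {
        case SHADOW_POISONED_BY_USER:  return "use-after-poison";
        case SHADOW_HEAP_LEFT_REDZONE: return "heap-buffer-overflow";
        case SHADOW_FREED_HEAP:        return "heap-use-after-free";
        default:                       return "unknown-crash";
        }
    }
    return "ok";
}

int main(void)
{
    /* The access from the report: READ of size 4 at 0x52d0001729c8. */
    printf("4-byte read: %s\n", classify_read(0x52d0001729c8ULL, 4));
    printf("1-byte read: %s\n", classify_read(0x52d0001729c8ULL, 1));
    return 0;
}
```

The 1-byte read passing is the point: the region is not freed (the block is live, 32760 bytes, still owned by the connection's MEM_ROOT), it is memory the allocator has marked as not handed out. That is also why a non-debug build shows no crash and just returns NULL: without the sanitizer there is nothing to trap the read, and whatever happens to be in those bytes is consumed silently.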

People
    • Assignee: Dave Gosselin
    • Reporter: Alice Sherepa