  1. MariaDB Server
  2. MDEV-38685

Table corruption, Assertion `length <= copy->to_length - 2', ASAN errors with GROUP BY and indexed virtual columns

Details

    • Q2/2026 Server Maintenance

    Description

      CREATE TABLE t (c VARBINARY(1024), vc VARBINARY(1024) AS (c) VIRTUAL, KEY(vc(8)));
      INSERT INTO t (c) VALUES ('0123456789'),('1234567890');
      select c, vc, COUNT(*) cnt FROM t GROUP BY c, vc HAVING cnt > 1;
       
      DROP TABLE t;
      

      main non-debug 5bcc115d773caac07d4afd42252e08f3905452b0

      mysqltest: At line 3: query 'select c, vc, COUNT(*) cnt FROM t GROUP BY c, vc HAVING cnt > 1' failed: HA_ERR_WRONG_IN_RECORD (127): Got error '127 "Table file is corrupted"' for '#sql-temptable-ea2fa-4-f.MAI'
      

      main 5bcc115d773caac07d4afd42252e08f3905452b0

      mariadbd: /data/bld/main-asan-ubsan/sql/field_conv.cc:580: void do_varstring2_no_truncation(const Copy_field*): Assertion `length <= copy->to_length - 2' failed.
      260205 21:05:57 [ERROR] /share8t/bld/main-asan-ubsan/sql/mariadbd got signal 6 ;
       
      #10 0x00007fa2fbc53eb2 in __GI___assert_fail (assertion=0x5593bed459a0 "length <= copy->to_length - 2", file=0x5593bed45780 "/data/bld/main-asan-ubsan/sql/field_conv.cc", line=580, function=0x5593bed45940 "void do_varstring2_no_truncation(const Copy_field*)") at ./assert/assert.c:101
      #11 0x00005593bbfa2b6a in do_varstring2_no_truncation (copy=0x62d0000ff5f8) at /data/bld/main-asan-ubsan/sql/field_conv.cc:580
      #12 0x00005593bbf9e74c in do_copy_null (copy=0x62d0000ff5f8) at /data/bld/main-asan-ubsan/sql/field_conv.cc:248
      #13 0x00005593badaa03c in copy_fields (param=0x62d0000ff540) at /data/bld/main-asan-ubsan/sql/sql_select.cc:29695
      #14 0x00005593badae1f8 in end_unique_update (join=0x62d0000fc778, join_tab=0x62d0000fe7d8, end_of_records=<optimized out>) at /data/bld/main-asan-ubsan/sql/sql_select.cc:26346
      #15 0x00005593badbe3bd in AGGR_OP::put_record (this=this@entry=0x62d0000ff8e8, end_of_records=end_of_records@entry=false) at /data/bld/main-asan-ubsan/sql/sql_select.cc:33706
      #16 0x00005593badc007f in AGGR_OP::put_record (this=0x62d0000ff8e8) at /data/bld/main-asan-ubsan/sql/sql_select.h:1195
      #17 sub_select_postjoin_aggr (join=0x62d0000fc778, join_tab=0x62d0000fe7d8, end_of_records=<optimized out>) at /data/bld/main-asan-ubsan/sql/sql_select.cc:24241
      #18 0x00005593bad259c1 in evaluate_join_record (join=join@entry=0x62d0000fc778, join_tab=join_tab@entry=0x62d0000fe360, error=error@entry=0) at /data/bld/main-asan-ubsan/sql/sql_select.cc:24790
      #19 0x00005593bad58a9f in sub_select (join=<optimized out>, join_tab=<optimized out>, end_of_records=<optimized out>) at /data/bld/main-asan-ubsan/sql/sql_select.cc:24557
      #20 0x00005593badf794f in do_select (join=join@entry=0x62d0000fc778, procedure=<optimized out>) at /data/bld/main-asan-ubsan/sql/sql_select.cc:24068
      #21 0x00005593baecbe6f in JOIN::exec_inner (this=this@entry=0x62d0000fc778) at /data/bld/main-asan-ubsan/sql/sql_select.cc:5125
      #22 0x00005593baecc413 in JOIN::exec (this=this@entry=0x62d0000fc778) at /data/bld/main-asan-ubsan/sql/sql_select.cc:4913
      #23 0x00005593baec311e in mysql_select (thd=thd@entry=0x62c0000b0218, tables=<optimized out>, fields=..., conds=conds@entry=0x0, og_num=og_num@entry=2, order=order@entry=0x0, group=<optimized out>, having=<optimized out>, proc_param=<optimized out>, select_options=<optimized out>, result=<optimized out>, unit=<optimized out>, select_lex=<optimized out>) at /data/bld/main-asan-ubsan/sql/sql_select.cc:5439
      #24 0x00005593baec4266 in handle_select (thd=thd@entry=0x62c0000b0218, lex=lex@entry=0x62c0000b4758, result=result@entry=0x62d0000fc748, setup_tables_done_option=setup_tables_done_option@entry=0) at /data/bld/main-asan-ubsan/sql/sql_select.cc:636
      #25 0x00005593bab35bc8 in execute_sqlcom_select (thd=thd@entry=0x62c0000b0218, all_tables=<optimized out>) at /data/bld/main-asan-ubsan/sql/sql_parse.cc:6217
      #26 0x00005593bab761f0 in mysql_execute_command (thd=thd@entry=0x62c0000b0218, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /data/bld/main-asan-ubsan/sql/sql_parse.cc:3967
      #27 0x00005593bab95571 in mysql_parse (thd=thd@entry=0x62c0000b0218, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x7fa2efb98a10) at /data/bld/main-asan-ubsan/sql/sql_parse.cc:7945
      #28 0x00005593bab9e687 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x62c0000b0218, packet=packet@entry=0x6290002b2219 "", packet_length=packet_length@entry=63, blocking=blocking@entry=true) at /data/bld/main-asan-ubsan/sql/sql_parse.cc:1896
      #29 0x00005593babab63b in do_command (thd=thd@entry=0x62c0000b0218, blocking=blocking@entry=true) at /data/bld/main-asan-ubsan/sql/sql_parse.cc:1432
      #30 0x00005593bb412146 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x6080000082b8, put_in_cache=put_in_cache@entry=true) at /data/bld/main-asan-ubsan/sql/sql_connect.cc:1503
      #31 0x00005593bb4132af in handle_one_connection (arg=0x6080000082b8) at /data/bld/main-asan-ubsan/sql/sql_connect.cc:1415
      #32 0x00005593bd070dc1 in pfs_spawn_thread (arg=0x617000007798) at /data/bld/main-asan-ubsan/storage/perfschema/pfs.cc:2198
      #33 0x00007fa2fbca81c4 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
      #34 0x00007fa2fbd2885c in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
      

      The failure started happening after this commit in 12.1.1:

      commit 8cdee25952763a0401e4c2a4d61e92c13499bdc6
      Author: Yuchen Pei <ycp@mariadb.com>
      Date:   Wed Jun 4 11:43:30 2025 +1000
       
           MDEV-36132 Substitute vcol expressions with indexed vcol fields in ORDER BY and GROUP BY
      

      With a different, non-simplified test case, ASAN errors also occur on a non-debug ASAN build:

      main 5bcc115d773caac07d4afd42252e08f3905452b0

      ==959568==ERROR: AddressSanitizer: use-after-poison on address 0x62d0003852f0 at pc 0x5634d01b780f bp 0x7f0d9e7f9ba0 sp 0x7f0d9e7f9b98
      READ of size 1 at 0x62d0003852f0 thread T5
          #0 0x5634d01b780e in my_hash_sort_bin /data/bld/main-rel-asan/strings/ctype-bin.c:287
          #1 0x5634cf8b9140 in my_ci_hash_sort /data/bld/main-rel-asan/include/m_ctype.h:1478
          #2 0x5634cf8b9140 in hp_hashnr /data/bld/main-rel-asan/storage/heap/hp_hash.c:273
          #3 0x5634cf8b9140 in hp_search /data/bld/main-rel-asan/storage/heap/hp_hash.c:123
          #4 0x5634cf8be30d in heap_rkey /data/bld/main-rel-asan/storage/heap/hp_rkey.c:63
          #5 0x5634cec96a06 in handler::ha_index_read_map(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /data/bld/main-rel-asan/sql/handler.cc:4132
          #6 0x5634ce4827a9 in end_update /data/bld/main-rel-asan/sql/sql_select.cc:26283
          #7 0x5634ce857447 in JOIN_CACHE::generate_full_extensions(unsigned char*) /data/bld/main-rel-asan/sql/sql_join_cache.cc:2538
          #8 0x5634ce859201 in JOIN_CACHE::join_null_complements(bool) /data/bld/main-rel-asan/sql/sql_join_cache.cc:2686
          #9 0x5634ce85617d in JOIN_CACHE::join_records(bool) /data/bld/main-rel-asan/sql/sql_join_cache.cc:2223
          #10 0x5634ce41fec9 in sub_select_cache(JOIN*, st_join_table*, bool) /data/bld/main-rel-asan/sql/sql_select.cc:24300
          #11 0x5634ce50060c in do_select /data/bld/main-rel-asan/sql/sql_select.cc:24070
          #12 0x5634ce50060c in JOIN::exec_inner() /data/bld/main-rel-asan/sql/sql_select.cc:5125
          #13 0x5634ce502039 in JOIN::exec() /data/bld/main-rel-asan/sql/sql_select.cc:4913
          #14 0x5634ce4faf94 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/bld/main-rel-asan/sql/sql_select.cc:5439
          #15 0x5634ce1cfc33 in mysql_derived_fill /data/bld/main-rel-asan/sql/sql_derived.cc:1331
          #16 0x5634ce1ce976 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /data/bld/main-rel-asan/sql/sql_derived.cc:203
          #17 0x5634ce41e13c in st_join_table::preread_init() /data/bld/main-rel-asan/sql/sql_select.cc:17041
          #18 0x5634ce41f0ef in sub_select(JOIN*, st_join_table*, bool) /data/bld/main-rel-asan/sql/sql_select.cc:24504
          #19 0x5634ce3e1c8a in evaluate_join_record /data/bld/main-rel-asan/sql/sql_select.cc:24790
          #20 0x5634ce41eaee in sub_select(JOIN*, st_join_table*, bool) /data/bld/main-rel-asan/sql/sql_select.cc:24557
          #21 0x5634ce500ba3 in do_select /data/bld/main-rel-asan/sql/sql_select.cc:24068
          #22 0x5634ce500ba3 in JOIN::exec_inner() /data/bld/main-rel-asan/sql/sql_select.cc:5125
          #23 0x5634ce502039 in JOIN::exec() /data/bld/main-rel-asan/sql/sql_select.cc:4913
          #24 0x5634ce4faf94 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/bld/main-rel-asan/sql/sql_select.cc:5439
          #25 0x5634ce4fcba8 in handle_select(THD*, LEX*, select_result*, unsigned long long) /data/bld/main-rel-asan/sql/sql_select.cc:636
          #26 0x5634ce2d73c5 in execute_sqlcom_select /data/bld/main-rel-asan/sql/sql_parse.cc:6217
          #27 0x5634ce3102bf in mysql_execute_command(THD*, bool) /data/bld/main-rel-asan/sql/sql_parse.cc:3967
          #28 0x5634ce316471 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/main-rel-asan/sql/sql_parse.cc:7945
          #29 0x5634ce31daf3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/main-rel-asan/sql/sql_parse.cc:1896
          #30 0x5634ce3246de in do_command(THD*, bool) /data/bld/main-rel-asan/sql/sql_parse.cc:1432
          #31 0x5634ce7a5c7c in do_handle_one_connection(CONNECT*, bool) /data/bld/main-rel-asan/sql/sql_connect.cc:1503
          #32 0x5634ce7a6474 in handle_one_connection /data/bld/main-rel-asan/sql/sql_connect.cc:1415
          #33 0x5634cf65f247 in pfs_spawn_thread /data/bld/main-rel-asan/storage/perfschema/pfs.cc:2198
          #34 0x7f0da98a81c3 in start_thread nptl/pthread_create.c:442
          #35 0x7f0da992885b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
       
      0x62d0003852f0 is located 3824 bytes inside of 32760-byte region [0x62d000384400,0x62d00038c3f8)
      allocated by thread T5 here:
          #0 0x7f0da9eb89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
          #1 0x5634d015b803 in my_malloc /data/bld/main-rel-asan/mysys/my_malloc.c:93
          #2 0x5634d0145375 in root_alloc /data/bld/main-rel-asan/mysys/my_alloc.c:66
          #3 0x5634d0145375 in init_alloc_root /data/bld/main-rel-asan/mysys/my_alloc.c:178
          #4 0x5634ce710694 in init_sql_alloc(unsigned int, st_mem_root*, unsigned int, unsigned int, unsigned long) /data/bld/main-rel-asan/sql/thr_malloc.cc:64
          #5 0x5634ce43cb9f in Create_tmp_table::start(THD*, TMP_TABLE_PARAM*, st_mysql_const_lex_string const*) /data/bld/main-rel-asan/sql/sql_select.cc:22137
          #6 0x5634ce455f01 in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool) /data/bld/main-rel-asan/sql/sql_select.cc:23009
          #7 0x5634ce48f1da in JOIN::create_postjoin_aggr_table(st_join_table*, List<Item>*, st_order*, bool, bool, bool) /data/bld/main-rel-asan/sql/sql_select.cc:4408
          #8 0x5634ce491380 in JOIN::make_aggr_tables_info() /data/bld/main-rel-asan/sql/sql_select.cc:3968
          #9 0x5634ce4ee895 in JOIN::optimize_stage2() /data/bld/main-rel-asan/sql/sql_select.cc:3576
          #10 0x5634ce4f8ef9 in JOIN::optimize_inner() /data/bld/main-rel-asan/sql/sql_select.cc:2789
          #11 0x5634ce4fa9fb in JOIN::optimize() /data/bld/main-rel-asan/sql/sql_select.cc:2016
          #12 0x5634ce1d0437 in mysql_derived_optimize /data/bld/main-rel-asan/sql/sql_derived.cc:1048
          #13 0x5634ce1ce976 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /data/bld/main-rel-asan/sql/sql_derived.cc:203
          #14 0x5634ce4f6066 in JOIN::optimize_inner() /data/bld/main-rel-asan/sql/sql_select.cc:2583
          #15 0x5634ce4fa9fb in JOIN::optimize() /data/bld/main-rel-asan/sql/sql_select.cc:2016
          #16 0x5634ce4fae54 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/bld/main-rel-asan/sql/sql_select.cc:5425
          #17 0x5634ce4fcba8 in handle_select(THD*, LEX*, select_result*, unsigned long long) /data/bld/main-rel-asan/sql/sql_select.cc:636
          #18 0x5634ce2d73c5 in execute_sqlcom_select /data/bld/main-rel-asan/sql/sql_parse.cc:6217
          #19 0x5634ce3102bf in mysql_execute_command(THD*, bool) /data/bld/main-rel-asan/sql/sql_parse.cc:3967
          #20 0x5634ce316471 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/main-rel-asan/sql/sql_parse.cc:7945
          #21 0x5634ce31daf3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/main-rel-asan/sql/sql_parse.cc:1896
          #22 0x5634ce3246de in do_command(THD*, bool) /data/bld/main-rel-asan/sql/sql_parse.cc:1432
          #23 0x5634ce7a5c7c in do_handle_one_connection(CONNECT*, bool) /data/bld/main-rel-asan/sql/sql_connect.cc:1503
          #24 0x5634ce7a6474 in handle_one_connection /data/bld/main-rel-asan/sql/sql_connect.cc:1415
          #25 0x5634cf65f247 in pfs_spawn_thread /data/bld/main-rel-asan/storage/perfschema/pfs.cc:2198
          #26 0x7f0da98a81c3 in start_thread nptl/pthread_create.c:442
       
      Thread T5 created by T0 here:
          #0 0x7f0da9e49726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
          #1 0x5634cf65f4bd in my_thread_create /data/bld/main-rel-asan/storage/perfschema/my_thread.h:38
          #2 0x5634cf65f4bd in pfs_spawn_thread_v1 /data/bld/main-rel-asan/storage/perfschema/pfs.cc:2249
          #3 0x5634cdef56f1 in inline_mysql_thread_create /data/bld/main-rel-asan/include/mysql/psi/mysql_thread.h:1139
          #4 0x5634cdef56f1 in create_thread_to_handle_connection(CONNECT*) /data/bld/main-rel-asan/sql/mysqld.cc:6462
          #5 0x5634cdf03fac in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/main-rel-asan/sql/mysqld.cc:6586
          #6 0x5634cdf04bf7 in handle_connections_sockets() /data/bld/main-rel-asan/sql/mysqld.cc:6698
          #7 0x5634cdf0673b in run_main_loop /data/bld/main-rel-asan/sql/mysqld.cc:5940
          #8 0x5634cdf0673b in mysqld_main(int, char**) /data/bld/main-rel-asan/sql/mysqld.cc:6363
          #9 0x7f0da9846249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
       
      SUMMARY: AddressSanitizer: use-after-poison /data/bld/main-rel-asan/strings/ctype-bin.c:287 in my_hash_sort_bin
      Shadow bytes around the buggy address:
        0x0c5a80068a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c5a80068a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c5a80068a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c5a80068a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c5a80068a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0c5a80068a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f7]00
        0x0c5a80068a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c5a80068a70: 00 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 00
        0x0c5a80068a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c5a80068a90: 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 00 00
        0x0c5a80068aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==959568==ABORTING
      

      The test case is attached for re-checking after the fix.

            People

              ycp Yuchen Pei
              elenst Elena Stepanova