Details
-
Bug
-
Status: Open
-
Major
-
Resolution: Unresolved
-
10.11, 11.4
-
None
Description
Reproducible, needs cleaning.
This was a regression between 10.11.14 and 10.11.15.
Possibly already filed, need to double-check.
# Remaining options: --mysqld=--character-set-server=utf8 --mysqld=--lower-case-table-names=1 |
# Basedir: /share8t/bld/release/bb-11.4-release-debug
# Search pattern(s): (?^s:handler::keyread_enabled)
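# Reproducer in mysqltest syntax: `#` lines are comments, `--` lines are test
# directives, everything else is sent to the server as-is.
# It depends on the server options listed in the header: the final query refers
# to view_a_aria / view_t1_innodb / p in lowercase although they are created
# with mixed case, which only resolves with --lower-case-table-names=1, and the
# run used --character-set-server=utf8.
--disable_abort_on_error
# Fixture 1: an InnoDB table (mixed column types) exposed through a view.
CREATE DATABASE IF NOT EXISTS advanced_db;
CREATE TABLE advanced_db.t1_InnoDB (col_timestamp TIMESTAMP(3) NULL, col_varchar VARCHAR(1620) NULL, col_char BINARY(40) NOT NULL DEFAULT '', id BIGINT, col_int BIGINT(2) UNSIGNED NULL);
CREATE VIEW advanced_db.view_t1_InnoDB AS SELECT * FROM advanced_db.t1_InnoDB;
# Fixture 2: a keyed table exposed through a view; the outer query reads it.
CREATE DATABASE IF NOT EXISTS simple_db;
CREATE TABLE simple_db.A_Aria (pk INTEGER AUTO_INCREMENT,
col_int_nokey INTEGER,
col_int_key INTEGER,
col_date_key DATE,
col_varchar_key VARCHAR(1),
PRIMARY KEY (pk ASC),
KEY (col_varchar_key ASC, col_int_key)) AUTO_INCREMENT=30;
CREATE VIEW simple_db.view_A_Aria AS SELECT * FROM simple_db.A_Aria;
# Fixture 3: the table read by the innermost subquery.
CREATE DATABASE IF NOT EXISTS outer_join_db;
USE outer_join_db;
CREATE TABLE P (pk integer auto_increment,
col_varchar_10_latin1_key varchar(10) CHARACTER SET latin1,
primary key (pk ASC),
key (col_varchar_10_latin1_key));
# The crashing statement. All tables are empty, and the innermost subquery's
# predicate `pk <> pk` can never hold, so that IN-subquery yields no rows.
# The ASAN report below shows the temporary table for this empty semi-join
# being created in execute_degenerate_jtbm_semi_join(), freed from
# cleanup_empty_jtbm_semi_joins() during JOIN::cleanup(), and then read again
# in st_join_table::cleanup() (heap-use-after-free). On the non-debug build the
# same statement ends in glibc's "double free or corruption (out)" abort, i.e.
# a server crash rather than an error: a memory-safety / denial-of-service bug
# reachable through an ordinary EXPLAIN SELECT.
EXPLAIN SELECT alias1.col_date_key AS field1 FROM simple_db.view_a_aria AS alias1 WHERE (alias1.col_varchar_key IN (SELECT DISTINCT SQ1_alias1.col_varchar AS SQ1_cfield1 FROM advanced_db.view_t1_innodb AS SQ1_alias1 WHERE alias1.col_int_key IN ((SELECT C_SQ1_alias1.pk AS C_SQ1_ifield1 FROM outer_join_db.p AS C_SQ1_alias1 WHERE C_SQ1_alias1.pk <> C_SQ1_alias1.pk HAVING C_SQ1_ifield1 <= 'k')))) AND alias1.col_int_nokey <= alias1.col_int_key GROUP BY field1;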
10.11 ca39e66060d4735f91fd46d9784b4c91ed6746aa non-debug
Version: '10.11.16-MariaDB-log' socket: '/share8t/bld/10.11-rel/mysql-test/var/tmp/mysqld.1.sock' port: 19000 MariaDB Server
double free or corruption (out)
10.11 b29d3779e42f1cf65b1bbe84876767122dcc76c8 ASAN
==2552273==ERROR: AddressSanitizer: heap-use-after-free on address 0x62d000294440 at pc 0x56211db60f81 bp 0x7f983f1c98e0 sp 0x7f983f1c98d8
READ of size 8 at 0x62d000294440 thread T5
#0 0x56211db60f80 in st_join_table::cleanup() /data/bld/10.11-asan-ubsan/sql/sql_select.cc:15522
|
#1 0x56211dbcdbf9 in JOIN::cleanup(bool) /data/bld/10.11-asan-ubsan/sql/sql_select.cc:15998
|
#2 0x56211dbced9b in JOIN::destroy() /data/bld/10.11-asan-ubsan/sql/sql_select.cc:5052
|
#3 0x56211df09096 in st_select_lex::cleanup() /data/bld/10.11-asan-ubsan/sql/sql_union.cc:2835
|
#4 0x56211df0a0d6 in st_select_lex_unit::cleanup() /data/bld/10.11-asan-ubsan/sql/sql_union.cc:2641
|
#5 0x56211d975f40 in mysql_execute_command(THD*, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:6230
|
#6 0x56211d979e3f in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:8223
|
#7 0x56211d9831ec in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:1924
|
#8 0x56211d98fef1 in do_command(THD*, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:1434
|
#9 0x56211e18c607 in do_handle_one_connection(CONNECT*, bool) /data/bld/10.11-asan-ubsan/sql/sql_connect.cc:1475
|
#10 0x56211e18d764 in handle_one_connection /data/bld/10.11-asan-ubsan/sql/sql_connect.cc:1387
|
#11 0x56211fb107a8 in pfs_spawn_thread /data/bld/10.11-asan-ubsan/storage/perfschema/pfs.cc:2201
|
#12 0x7f98492a81c3 in start_thread nptl/pthread_create.c:442
|
#13 0x7f984932885b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
0x62d000294440 is located 64 bytes inside of 32760-byte region [0x62d000294400,0x62d00029c3f8)
freed by thread T5 here:
|
#0 0x7f984a6b76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
|
#1 0x562120dcb6d1 in my_free /data/bld/10.11-asan-ubsan/mysys/my_malloc.c:217
|
#2 0x562120d9f009 in root_free /data/bld/10.11-asan-ubsan/mysys/my_alloc.c:77
|
#3 0x562120da10e5 in free_root /data/bld/10.11-asan-ubsan/mysys/my_alloc.c:517
|
#4 0x56211db6015e in free_tmp_table(THD*, TABLE*) /data/bld/10.11-asan-ubsan/sql/sql_select.cc:22363
|
#5 0x56211e3ad4bb in cleanup_empty_jtbm_semi_joins(JOIN*, List<TABLE_LIST>*) /data/bld/10.11-asan-ubsan/sql/opt_subselect.cc:6487
|
#6 0x56211dbce156 in JOIN::cleanup(bool) /data/bld/10.11-asan-ubsan/sql/sql_select.cc:16035
|
#7 0x56211dbced9b in JOIN::destroy() /data/bld/10.11-asan-ubsan/sql/sql_select.cc:5052
|
#8 0x56211df09096 in st_select_lex::cleanup() /data/bld/10.11-asan-ubsan/sql/sql_union.cc:2835
|
#9 0x56211df0a0d6 in st_select_lex_unit::cleanup() /data/bld/10.11-asan-ubsan/sql/sql_union.cc:2641
|
#10 0x56211d8053cb in st_select_lex_unit::cleanup_stranded_units() /data/bld/10.11-asan-ubsan/sql/sql_lex.cc:2998
|
#11 0x56211df09859 in st_select_lex_unit::cleanup() /data/bld/10.11-asan-ubsan/sql/sql_union.cc:2601
|
#12 0x56211d975f40 in mysql_execute_command(THD*, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:6230
|
#13 0x56211d979e3f in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:8223
|
#14 0x56211d9831ec in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:1924
|
#15 0x56211d98fef1 in do_command(THD*, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:1434
|
#16 0x56211e18c607 in do_handle_one_connection(CONNECT*, bool) /data/bld/10.11-asan-ubsan/sql/sql_connect.cc:1475
|
#17 0x56211e18d764 in handle_one_connection /data/bld/10.11-asan-ubsan/sql/sql_connect.cc:1387
|
#18 0x56211fb107a8 in pfs_spawn_thread /data/bld/10.11-asan-ubsan/storage/perfschema/pfs.cc:2201
|
#19 0x7f98492a81c3 in start_thread nptl/pthread_create.c:442
|
previously allocated by thread T5 here:
#0 0x7f984a6b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
|
#1 0x562120dcaf77 in my_malloc /data/bld/10.11-asan-ubsan/mysys/my_malloc.c:92
|
#2 0x562120d9ee95 in root_alloc /data/bld/10.11-asan-ubsan/mysys/my_alloc.c:66
|
#3 0x562120d9f448 in init_alloc_root /data/bld/10.11-asan-ubsan/mysys/my_alloc.c:178
|
#4 0x56211e050a42 in init_sql_alloc(unsigned int, st_mem_root*, unsigned int, unsigned int, unsigned long) /data/bld/10.11-asan-ubsan/sql/thr_malloc.cc:64
|
#5 0x56211db4fba3 in Create_tmp_table::start(THD*, TMP_TABLE_PARAM*, st_mysql_const_lex_string const*) /data/bld/10.11-asan-ubsan/sql/sql_select.cc:20737
|
#6 0x56211dbf0565 in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool) /data/bld/10.11-asan-ubsan/sql/sql_select.cc:21598
|
#7 0x56211e3a2ff4 in create_dummy_tmp_table(THD*) /data/bld/10.11-asan-ubsan/sql/opt_subselect.cc:5826
|
#8 0x56211e3aab28 in execute_degenerate_jtbm_semi_join(THD*, TABLE_LIST*, Item_in_subselect*, List<Item>&) /data/bld/10.11-asan-ubsan/sql/opt_subselect.cc:6268
|
#9 0x56211e3ac273 in setup_jtbm_semi_joins(JOIN*, List<TABLE_LIST>*, List<Item>&) /data/bld/10.11-asan-ubsan/sql/opt_subselect.cc:6422
|
#10 0x56211e3acfc0 in setup_jtbm_semi_joins(JOIN*, List<TABLE_LIST>*, List<Item>&) /data/bld/10.11-asan-ubsan/sql/opt_subselect.cc:6451
|
#11 0x56211dc7f38f in JOIN::optimize_inner() /data/bld/10.11-asan-ubsan/sql/sql_select.cc:2456
|
#12 0x56211dc83173 in JOIN::optimize() /data/bld/10.11-asan-ubsan/sql/sql_select.cc:1967
|
#13 0x56211dc8451e in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/bld/10.11-asan-ubsan/sql/sql_select.cc:5271
|
#14 0x56211dc87611 in mysql_explain_union(THD*, st_select_lex_unit*, select_result*) /data/bld/10.11-asan-ubsan/sql/sql_select.cc:30248
|
#15 0x56211d9129d9 in execute_sqlcom_select /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:6402
|
#16 0x56211d957de0 in mysql_execute_command(THD*, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:4042
|
#17 0x56211d979e3f in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:8223
|
#18 0x56211d9831ec in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:1924
|
#19 0x56211d98fef1 in do_command(THD*, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:1434
|
#20 0x56211e18c607 in do_handle_one_connection(CONNECT*, bool) /data/bld/10.11-asan-ubsan/sql/sql_connect.cc:1475
|
#21 0x56211e18d764 in handle_one_connection /data/bld/10.11-asan-ubsan/sql/sql_connect.cc:1387
|
#22 0x56211fb107a8 in pfs_spawn_thread /data/bld/10.11-asan-ubsan/storage/perfschema/pfs.cc:2201
|
#23 0x7f98492a81c3 in start_thread nptl/pthread_create.c:442
|
Thread T5 created by T0 here:
#0 0x7f984a649726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
|
#1 0x56211fb06074 in my_thread_create /data/bld/10.11-asan-ubsan/storage/perfschema/my_thread.h:52
|
#2 0x56211fb0d99c in pfs_spawn_thread_v1 /data/bld/10.11-asan-ubsan/storage/perfschema/pfs.cc:2252
|
#3 0x56211d1da118 in inline_mysql_thread_create /data/bld/10.11-asan-ubsan/include/mysql/psi/mysql_thread.h:1139
|
#4 0x56211d1da118 in create_thread_to_handle_connection(CONNECT*) /data/bld/10.11-asan-ubsan/sql/mysqld.cc:6146
|
#5 0x56211d1ebfa2 in create_new_thread(CONNECT*) /data/bld/10.11-asan-ubsan/sql/mysqld.cc:6205
|
#6 0x56211d1ec1c0 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/10.11-asan-ubsan/sql/mysqld.cc:6267
|
#7 0x56211d1ece01 in handle_connections_sockets() /data/bld/10.11-asan-ubsan/sql/mysqld.cc:6390
|
#8 0x56211d1ed2ad in run_main_loop /data/bld/10.11-asan-ubsan/sql/mysqld.cc:5646
|
#9 0x56211d1ee673 in mysqld_main(int, char**) /data/bld/10.11-asan-ubsan/sql/mysqld.cc:6047
|
#10 0x56211d1c1931 in main /data/bld/10.11-asan-ubsan/sql/main.cc:34
|
#11 0x7f9849246249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
|
SUMMARY: AddressSanitizer: heap-use-after-free /data/bld/10.11-asan-ubsan/sql/sql_select.cc:15522 in st_join_table::cleanup()
Shadow bytes around the buggy address:
|
0x0c5a8004a830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c5a8004a840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c5a8004a850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c5a8004a860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c5a8004a870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
=>0x0c5a8004a880: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
|
0x0c5a8004a890: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c5a8004a8a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c5a8004a8b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c5a8004a8c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c5a8004a8d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
==2552273==ABORTING
The failure started happening after the following commit, which is included in 10.11.15:
commit 34a8209d66579d71d2a6fb6d154473693152117d
Author: Dave Gosselin
Date: Fri Sep 19 13:17:06 2025 -0400
MDEV-35816 ASAN use-after-poison in st_select_lex::print
For prepared statements with derived tables defined by CTEs, and