
Double free or corruption, ASAN errors in st_join_table::cleanup


Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Duplicate
    • Affects Version/s: 10.11, 11.4, 11.8, 12.3
    • Fix Version/s: N/A
    • Component/s: Optimizer
    • Labels: None
    • Not for Release Notes

    Description

      CREATE TABLE t1 (a INT);
      CREATE TABLE t2 (b INT);
      CREATE TABLE t3 (c INT);
       
      # Inserts are optional, fails with and without data
      INSERT INTO t1 VALUES (1),(2);
      INSERT INTO t2 VALUES (3),(4);
      INSERT INTO t3 VALUES (5),(6);
       
      EXPLAIN SELECT * FROM t1 WHERE a IN (SELECT b FROM t2 WHERE a IN ((SELECT c FROM t3 WHERE FALSE HAVING c < 0)));
       
      DROP TABLE t1, t2, t3;
      

      10.11 (ASAN build), commit 09657805d04dfe6dfe33fb4b3003e06b29c835bd:

      ==4034058==ERROR: AddressSanitizer: heap-use-after-free on address 0x62d000276440 at pc 0x562178cf71ab bp 0x7f2713f738e0 sp 0x7f2713f738d8
      READ of size 8 at 0x62d000276440 thread T5
          #0 0x562178cf71aa in st_join_table::cleanup() /data/bld/10.11-asan-ubsan/sql/sql_select.cc:15522
          #1 0x562178d63e23 in JOIN::cleanup(bool) /data/bld/10.11-asan-ubsan/sql/sql_select.cc:15998
          #2 0x562178d64fc5 in JOIN::destroy() /data/bld/10.11-asan-ubsan/sql/sql_select.cc:5052
          #3 0x56217909f2c0 in st_select_lex::cleanup() /data/bld/10.11-asan-ubsan/sql/sql_union.cc:2835
          #4 0x5621790a0300 in st_select_lex_unit::cleanup() /data/bld/10.11-asan-ubsan/sql/sql_union.cc:2641
          #5 0x562178b0c16a in mysql_execute_command(THD*, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:6230
          #6 0x562178b10069 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:8223
          #7 0x562178b19416 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:1924
          #8 0x562178b2611b in do_command(THD*, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:1434
          #9 0x56217932285d in do_handle_one_connection(CONNECT*, bool) /data/bld/10.11-asan-ubsan/sql/sql_connect.cc:1475
          #10 0x5621793239ba in handle_one_connection /data/bld/10.11-asan-ubsan/sql/sql_connect.cc:1387
          #11 0x56217aca8458 in pfs_spawn_thread /data/bld/10.11-asan-ubsan/storage/perfschema/pfs.cc:2201
          #12 0x7f271e0a81c3 in start_thread nptl/pthread_create.c:442
          #13 0x7f271e12885b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
       
      0x62d000276440 is located 64 bytes inside of 32760-byte region [0x62d000276400,0x62d00027e3f8)
      freed by thread T5 here:
          #0 0x7f271f4b76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
          #1 0x56217bf6322f in my_free /data/bld/10.11-asan-ubsan/mysys/my_malloc.c:217
          #2 0x56217bf36b67 in root_free /data/bld/10.11-asan-ubsan/mysys/my_alloc.c:77
          #3 0x56217bf38c43 in free_root /data/bld/10.11-asan-ubsan/mysys/my_alloc.c:517
          #4 0x562178cf6388 in free_tmp_table(THD*, TABLE*) /data/bld/10.11-asan-ubsan/sql/sql_select.cc:22363
          #5 0x562179543717 in cleanup_empty_jtbm_semi_joins(JOIN*, List<TABLE_LIST>*) /data/bld/10.11-asan-ubsan/sql/opt_subselect.cc:6487
          #6 0x562178d64380 in JOIN::cleanup(bool) /data/bld/10.11-asan-ubsan/sql/sql_select.cc:16035
          #7 0x562178d64fc5 in JOIN::destroy() /data/bld/10.11-asan-ubsan/sql/sql_select.cc:5052
          #8 0x56217909f2c0 in st_select_lex::cleanup() /data/bld/10.11-asan-ubsan/sql/sql_union.cc:2835
          #9 0x5621790a0300 in st_select_lex_unit::cleanup() /data/bld/10.11-asan-ubsan/sql/sql_union.cc:2641
          #10 0x56217899ac3f in st_select_lex_unit::cleanup_stranded_units() /data/bld/10.11-asan-ubsan/sql/sql_lex.cc:2998
          #11 0x56217909fa83 in st_select_lex_unit::cleanup() /data/bld/10.11-asan-ubsan/sql/sql_union.cc:2601
          #12 0x562178b0c16a in mysql_execute_command(THD*, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:6230
          #13 0x562178b10069 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:8223
          #14 0x562178b19416 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:1924
          #15 0x562178b2611b in do_command(THD*, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:1434
          #16 0x56217932285d in do_handle_one_connection(CONNECT*, bool) /data/bld/10.11-asan-ubsan/sql/sql_connect.cc:1475
          #17 0x5621793239ba in handle_one_connection /data/bld/10.11-asan-ubsan/sql/sql_connect.cc:1387
          #18 0x56217aca8458 in pfs_spawn_thread /data/bld/10.11-asan-ubsan/storage/perfschema/pfs.cc:2201
          #19 0x7f271e0a81c3 in start_thread nptl/pthread_create.c:442
       
      previously allocated by thread T5 here:
          #0 0x7f271f4b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
          #1 0x56217bf62ad5 in my_malloc /data/bld/10.11-asan-ubsan/mysys/my_malloc.c:92
          #2 0x56217bf369f3 in root_alloc /data/bld/10.11-asan-ubsan/mysys/my_alloc.c:66
          #3 0x56217bf36fa6 in init_alloc_root /data/bld/10.11-asan-ubsan/mysys/my_alloc.c:178
          #4 0x5621791e6c8c in init_sql_alloc(unsigned int, st_mem_root*, unsigned int, unsigned int, unsigned long) /data/bld/10.11-asan-ubsan/sql/thr_malloc.cc:64
          #5 0x562178ce5dcd in Create_tmp_table::start(THD*, TMP_TABLE_PARAM*, st_mysql_const_lex_string const*) /data/bld/10.11-asan-ubsan/sql/sql_select.cc:20737
          #6 0x562178d8678f in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool) /data/bld/10.11-asan-ubsan/sql/sql_select.cc:21598
          #7 0x562179539250 in create_dummy_tmp_table(THD*) /data/bld/10.11-asan-ubsan/sql/opt_subselect.cc:5826
          #8 0x562179540d84 in execute_degenerate_jtbm_semi_join(THD*, TABLE_LIST*, Item_in_subselect*, List<Item>&) /data/bld/10.11-asan-ubsan/sql/opt_subselect.cc:6268
          #9 0x5621795424cf in setup_jtbm_semi_joins(JOIN*, List<TABLE_LIST>*, List<Item>&) /data/bld/10.11-asan-ubsan/sql/opt_subselect.cc:6422
          #10 0x56217954321c in setup_jtbm_semi_joins(JOIN*, List<TABLE_LIST>*, List<Item>&) /data/bld/10.11-asan-ubsan/sql/opt_subselect.cc:6451
          #11 0x562178e155b9 in JOIN::optimize_inner() /data/bld/10.11-asan-ubsan/sql/sql_select.cc:2456
          #12 0x562178e1939d in JOIN::optimize() /data/bld/10.11-asan-ubsan/sql/sql_select.cc:1967
          #13 0x562178e1a748 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/bld/10.11-asan-ubsan/sql/sql_select.cc:5271
          #14 0x562178e1d83b in mysql_explain_union(THD*, st_select_lex_unit*, select_result*) /data/bld/10.11-asan-ubsan/sql/sql_select.cc:30248
          #15 0x562178aa8c03 in execute_sqlcom_select /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:6402
          #16 0x562178aee00a in mysql_execute_command(THD*, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:4042
          #17 0x562178b10069 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:8223
          #18 0x562178b19416 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:1924
          #19 0x562178b2611b in do_command(THD*, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:1434
          #20 0x56217932285d in do_handle_one_connection(CONNECT*, bool) /data/bld/10.11-asan-ubsan/sql/sql_connect.cc:1475
          #21 0x5621793239ba in handle_one_connection /data/bld/10.11-asan-ubsan/sql/sql_connect.cc:1387
          #22 0x56217aca8458 in pfs_spawn_thread /data/bld/10.11-asan-ubsan/storage/perfschema/pfs.cc:2201
          #23 0x7f271e0a81c3 in start_thread nptl/pthread_create.c:442
       
      Thread T5 created by T0 here:
          #0 0x7f271f449726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
          #1 0x56217ac9dd24 in my_thread_create /data/bld/10.11-asan-ubsan/storage/perfschema/my_thread.h:52
          #2 0x56217aca564c in pfs_spawn_thread_v1 /data/bld/10.11-asan-ubsan/storage/perfschema/pfs.cc:2252
          #3 0x562178370118 in inline_mysql_thread_create /data/bld/10.11-asan-ubsan/include/mysql/psi/mysql_thread.h:1139
          #4 0x562178370118 in create_thread_to_handle_connection(CONNECT*) /data/bld/10.11-asan-ubsan/sql/mysqld.cc:6146
          #5 0x562178381fa2 in create_new_thread(CONNECT*) /data/bld/10.11-asan-ubsan/sql/mysqld.cc:6205
          #6 0x5621783821c0 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/10.11-asan-ubsan/sql/mysqld.cc:6267
          #7 0x562178382e01 in handle_connections_sockets() /data/bld/10.11-asan-ubsan/sql/mysqld.cc:6390
          #8 0x5621783832ad in run_main_loop /data/bld/10.11-asan-ubsan/sql/mysqld.cc:5646
          #9 0x562178384673 in mysqld_main(int, char**) /data/bld/10.11-asan-ubsan/sql/mysqld.cc:6047
          #10 0x562178357931 in main /data/bld/10.11-asan-ubsan/sql/main.cc:34
          #11 0x7f271e046249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
       
      SUMMARY: AddressSanitizer: heap-use-after-free /data/bld/10.11-asan-ubsan/sql/sql_select.cc:15522 in st_join_table::cleanup()
      Shadow bytes around the buggy address:
        0x0c5a80046c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c5a80046c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c5a80046c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c5a80046c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c5a80046c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      =>0x0c5a80046c80: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
        0x0c5a80046c90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c5a80046ca0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c5a80046cb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c5a80046cc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c5a80046cd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==4034058==ABORTING
      

      10.11 (non-ASAN build), commit 09657805d04dfe6dfe33fb4b3003e06b29c835bd:

      double free or corruption (out)
      260218 10:55:37 [ERROR] /share8t/bld/10.11-rel/sql/mariadbd got signal 6 ;
      

    People

      Assignee: Dave Gosselin (Gosselin)
      Reporter: Elena Stepanova (elenst)