  1. MariaDB Server
  2. MDEV-38747

ASAN errors in Optimizer_hint_parser::Identifier::to_ident_cli


Details

    • Bug
    • Status: Closed
    • Blocker
    • Resolution: Fixed
    • 12.2
    • 12.2.2
    • Optimizer
    • None
    • Not for Release Notes
    • Q1/2026 Server Development

    Description

      CREATE TABLE t (a INT);
      INSERT INTO t VALUES (1),(2);
      CREATE TEMPORARY TABLE tmp (b INT);
      # Can be SELECT ... old.a, or SELECT ... * FROM sometable, etc.
      CREATE TRIGGER tr AFTER DELETE ON t FOR EACH ROW CREATE OR REPLACE TEMPORARY TABLE tmp AS SELECT /*+ QB_NAME(xxxx) */ 1;
      DELETE FROM t;
       
      DROP TABLE t;
      

      bb-12.2-release d653fcb564b6641ff8ec15531a4cd3255ae51fa9

      ==95028==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100001b254 at pc 0x5565cff81701 bp 0x7ffa56080b10 sp 0x7ffa56080b08
      READ of size 1 at 0x61100001b254 thread T5
          #0 0x5565cff81700 in Optimizer_hint_parser::Identifier::to_ident_cli() const /data/bld/release/bb-12.2-release-asan/sql/opt_hints_parser.h:321
          #1 0x5565cff81b0d in Optimizer_hint_parser::Identifier::to_ident_sys(THD*) const /data/bld/release/bb-12.2-release-asan/sql/opt_hints_parser.h:327
          #2 0x5565cff7c001 in Optimizer_hint_parser::Qb_name_hint::resolve(Parse_context*) const /data/bld/release/bb-12.2-release-asan/sql/opt_hints_parser.cc:782
          #3 0x5565cff7f8aa in Optimizer_hint_parser::Hint_list::resolve(Parse_context*) const /data/bld/release/bb-12.2-release-asan/sql/opt_hints_parser.cc:1301
          #4 0x5565cff90072 in LEX::resolve_optimizer_hints() /data/bld/release/bb-12.2-release-asan/sql/opt_hints.cc:1686
          #5 0x5565cf751f1a in mysql_execute_command(THD*, bool) /data/bld/release/bb-12.2-release-asan/sql/sql_parse.cc:3540
          #6 0x5565cfe67f6c in sp_instr_stmt::exec_core(THD*, unsigned int*) /data/bld/release/bb-12.2-release-asan/sql/sp_instr.cc:1268
          #7 0x5565cfe632df in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*, bool) /data/bld/release/bb-12.2-release-asan/sql/sp_instr.cc:418
          #8 0x5565cfe6454f in sp_lex_keeper::validate_lex_and_exec_core(THD*, unsigned int*, bool, sp_lex_instr*) /data/bld/release/bb-12.2-release-asan/sql/sp_instr.cc:597
          #9 0x5565cfe676e2 in sp_instr_stmt::execute(THD*, unsigned int*) /data/bld/release/bb-12.2-release-asan/sql/sp_instr.cc:1170
          #10 0x5565cf4a9ba2 in sp_head::execute(THD*, bool) /data/bld/release/bb-12.2-release-asan/sql/sp_head.cc:1294
          #11 0x5565cf4acfe0 in sp_head::execute_trigger(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, st_grant_info*) /data/bld/release/bb-12.2-release-asan/sql/sp_head.cc:1807
          #12 0x5565cfac05be in Table_triggers_list::process_triggers(THD*, trg_event_type, trg_action_time_type, bool, bool*, List<Item>*) /data/bld/release/bb-12.2-release-asan/sql/sql_trigger.cc:2833
          #13 0x5565cf63b592 in Sql_cmd_delete::delete_from_single_table(THD*) /data/bld/release/bb-12.2-release-asan/sql/sql_delete.cc:977
          #14 0x5565cf647956 in Sql_cmd_delete::execute_inner(THD*) /data/bld/release/bb-12.2-release-asan/sql/sql_delete.cc:2170
          #15 0x5565cf94b1b2 in Sql_cmd_dml::execute(THD*) /data/bld/release/bb-12.2-release-asan/sql/sql_select.cc:34850
          #16 0x5565cf7575ca in mysql_execute_command(THD*, bool) /data/bld/release/bb-12.2-release-asan/sql/sql_parse.cc:4434
          #17 0x5565cf76face in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/release/bb-12.2-release-asan/sql/sql_parse.cc:7925
          #18 0x5565cf746644 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/release/bb-12.2-release-asan/sql/sql_parse.cc:1896
          #19 0x5565cf743345 in do_command(THD*, bool) /data/bld/release/bb-12.2-release-asan/sql/sql_parse.cc:1432
          #20 0x5565cfc4f69c in do_handle_one_connection(CONNECT*, bool) /data/bld/release/bb-12.2-release-asan/sql/sql_connect.cc:1503
          #21 0x5565cfc4f1fb in handle_one_connection /data/bld/release/bb-12.2-release-asan/sql/sql_connect.cc:1415
          #22 0x5565d09d99cb in pfs_spawn_thread /data/bld/release/bb-12.2-release-asan/storage/perfschema/pfs.cc:2198
          #23 0x7ffa614a81c3 in start_thread nptl/pthread_create.c:442
          #24 0x7ffa6152885b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
       
      0x61100001b254 is located 84 bytes inside of 224-byte region [0x61100001b200,0x61100001b2e0)
      freed by thread T5 here:
          #0 0x7ffa620b76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
          #1 0x5565d17d9395 in my_free /data/bld/release/bb-12.2-release-asan/mysys/my_malloc.c:218
          #2 0x5565cf355e19 in Binary_string::free_buffer() /data/bld/release/bb-12.2-release-asan/sql/sql_string.h:266
          #3 0x5565cf3563a1 in Binary_string::free() /data/bld/release/bb-12.2-release-asan/sql/sql_string.h:721
          #4 0x5565cf356205 in Binary_string::~Binary_string() /data/bld/release/bb-12.2-release-asan/sql/sql_string.h:310
          #5 0x5565cf356611 in String::~String() /data/bld/release/bb-12.2-release-asan/sql/sql_string.h:833
          #6 0x5565cfe66fea in sp_lex_instr::parse_expr(THD*, sp_head*, LEX*) /data/bld/release/bb-12.2-release-asan/sql/sp_instr.cc:1127
          #7 0x5565cfe6429e in sp_lex_keeper::validate_lex_and_exec_core(THD*, unsigned int*, bool, sp_lex_instr*) /data/bld/release/bb-12.2-release-asan/sql/sp_instr.cc:570
          #8 0x5565cfe676e2 in sp_instr_stmt::execute(THD*, unsigned int*) /data/bld/release/bb-12.2-release-asan/sql/sp_instr.cc:1170
          #9 0x5565cf4a9ba2 in sp_head::execute(THD*, bool) /data/bld/release/bb-12.2-release-asan/sql/sp_head.cc:1294
          #10 0x5565cf4acfe0 in sp_head::execute_trigger(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, st_grant_info*) /data/bld/release/bb-12.2-release-asan/sql/sp_head.cc:1807
          #11 0x5565cfac05be in Table_triggers_list::process_triggers(THD*, trg_event_type, trg_action_time_type, bool, bool*, List<Item>*) /data/bld/release/bb-12.2-release-asan/sql/sql_trigger.cc:2833
          #12 0x5565cf63b592 in Sql_cmd_delete::delete_from_single_table(THD*) /data/bld/release/bb-12.2-release-asan/sql/sql_delete.cc:977
          #13 0x5565cf647956 in Sql_cmd_delete::execute_inner(THD*) /data/bld/release/bb-12.2-release-asan/sql/sql_delete.cc:2170
          #14 0x5565cf94b1b2 in Sql_cmd_dml::execute(THD*) /data/bld/release/bb-12.2-release-asan/sql/sql_select.cc:34850
          #15 0x5565cf7575ca in mysql_execute_command(THD*, bool) /data/bld/release/bb-12.2-release-asan/sql/sql_parse.cc:4434
          #16 0x5565cf76face in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/release/bb-12.2-release-asan/sql/sql_parse.cc:7925
          #17 0x5565cf746644 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/release/bb-12.2-release-asan/sql/sql_parse.cc:1896
          #18 0x5565cf743345 in do_command(THD*, bool) /data/bld/release/bb-12.2-release-asan/sql/sql_parse.cc:1432
          #19 0x5565cfc4f69c in do_handle_one_connection(CONNECT*, bool) /data/bld/release/bb-12.2-release-asan/sql/sql_connect.cc:1503
          #20 0x5565cfc4f1fb in handle_one_connection /data/bld/release/bb-12.2-release-asan/sql/sql_connect.cc:1415
          #21 0x5565d09d99cb in pfs_spawn_thread /data/bld/release/bb-12.2-release-asan/storage/perfschema/pfs.cc:2198
          #22 0x7ffa614a81c3 in start_thread nptl/pthread_create.c:442
       
      previously allocated by thread T5 here:
          #0 0x7ffa620b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
          #1 0x5565d17d84f3 in my_malloc /data/bld/release/bb-12.2-release-asan/mysys/my_malloc.c:93
          #2 0x5565cfa2fa38 in Binary_string::realloc_raw(unsigned long) /data/bld/release/bb-12.2-release-asan/sql/sql_string.cc:100
          #3 0x5565cf3f921a in Binary_string::realloc_with_extra(unsigned long) /data/bld/release/bb-12.2-release-asan/sql/sql_string.h:759
          #4 0x5565cf3f936e in Binary_string::realloc_with_extra_if_needed(unsigned long) /data/bld/release/bb-12.2-release-asan/sql/sql_string.h:771
          #5 0x5565cf3f8e03 in Binary_string::append(char const*, unsigned long) /data/bld/release/bb-12.2-release-asan/sql/sql_string.h:609
          #6 0x5565cfa32490 in String::append(char const*, unsigned long) /data/bld/release/bb-12.2-release-asan/sql/sql_string.cc:564
          #7 0x5565cf3f97a8 in String::append(st_mysql_const_lex_string const*) /data/bld/release/bb-12.2-release-asan/sql/sql_string.h:1036
          #8 0x5565cf3f97d2 in String::append(st_mysql_const_lex_string const&) /data/bld/release/bb-12.2-release-asan/sql/sql_string.h:1040
          #9 0x5565cfe747f9 in sp_instr_stmt::get_query(String*) const /data/bld/release/bb-12.2-release-asan/sql/sp_instr.h:599
          #10 0x5565cfe65bd0 in sp_lex_instr::parse_expr(THD*, sp_head*, LEX*) /data/bld/release/bb-12.2-release-asan/sql/sp_instr.cc:904
          #11 0x5565cfe6429e in sp_lex_keeper::validate_lex_and_exec_core(THD*, unsigned int*, bool, sp_lex_instr*) /data/bld/release/bb-12.2-release-asan/sql/sp_instr.cc:570
          #12 0x5565cfe676e2 in sp_instr_stmt::execute(THD*, unsigned int*) /data/bld/release/bb-12.2-release-asan/sql/sp_instr.cc:1170
          #13 0x5565cf4a9ba2 in sp_head::execute(THD*, bool) /data/bld/release/bb-12.2-release-asan/sql/sp_head.cc:1294
          #14 0x5565cf4acfe0 in sp_head::execute_trigger(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, st_grant_info*) /data/bld/release/bb-12.2-release-asan/sql/sp_head.cc:1807
          #15 0x5565cfac05be in Table_triggers_list::process_triggers(THD*, trg_event_type, trg_action_time_type, bool, bool*, List<Item>*) /data/bld/release/bb-12.2-release-asan/sql/sql_trigger.cc:2833
          #16 0x5565cf63b592 in Sql_cmd_delete::delete_from_single_table(THD*) /data/bld/release/bb-12.2-release-asan/sql/sql_delete.cc:977
          #17 0x5565cf647956 in Sql_cmd_delete::execute_inner(THD*) /data/bld/release/bb-12.2-release-asan/sql/sql_delete.cc:2170
          #18 0x5565cf94b1b2 in Sql_cmd_dml::execute(THD*) /data/bld/release/bb-12.2-release-asan/sql/sql_select.cc:34850
          #19 0x5565cf7575ca in mysql_execute_command(THD*, bool) /data/bld/release/bb-12.2-release-asan/sql/sql_parse.cc:4434
          #20 0x5565cf76face in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/release/bb-12.2-release-asan/sql/sql_parse.cc:7925
          #21 0x5565cf746644 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/release/bb-12.2-release-asan/sql/sql_parse.cc:1896
          #22 0x5565cf743345 in do_command(THD*, bool) /data/bld/release/bb-12.2-release-asan/sql/sql_parse.cc:1432
          #23 0x5565cfc4f69c in do_handle_one_connection(CONNECT*, bool) /data/bld/release/bb-12.2-release-asan/sql/sql_connect.cc:1503
          #24 0x5565cfc4f1fb in handle_one_connection /data/bld/release/bb-12.2-release-asan/sql/sql_connect.cc:1415
          #25 0x5565d09d99cb in pfs_spawn_thread /data/bld/release/bb-12.2-release-asan/storage/perfschema/pfs.cc:2198
          #26 0x7ffa614a81c3 in start_thread nptl/pthread_create.c:442
       
      Thread T5 created by T0 here:
          #0 0x7ffa62049726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
          #1 0x5565d09d576d in my_thread_create /data/bld/release/bb-12.2-release-asan/storage/perfschema/my_thread.h:38
          #2 0x5565d09d9dba in pfs_spawn_thread_v1 /data/bld/release/bb-12.2-release-asan/storage/perfschema/pfs.cc:2249
          #3 0x5565cf32dbf0 in inline_mysql_thread_create /data/bld/release/bb-12.2-release-asan/include/mysql/psi/mysql_thread.h:1139
          #4 0x5565cf346a40 in create_thread_to_handle_connection(CONNECT*) /data/bld/release/bb-12.2-release-asan/sql/mysqld.cc:6280
          #5 0x5565cf347065 in create_new_thread(CONNECT*) /data/bld/release/bb-12.2-release-asan/sql/mysqld.cc:6342
          #6 0x5565cf347350 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/release/bb-12.2-release-asan/sql/mysqld.cc:6404
          #7 0x5565cf347fd8 in handle_connections_sockets() /data/bld/release/bb-12.2-release-asan/sql/mysqld.cc:6516
          #8 0x5565cf344bda in run_main_loop /data/bld/release/bb-12.2-release-asan/sql/mysqld.cc:5758
          #9 0x5565cf34630f in mysqld_main(int, char**) /data/bld/release/bb-12.2-release-asan/sql/mysqld.cc:6181
          #10 0x5565cf32ceb8 in main /data/bld/release/bb-12.2-release-asan/sql/main.cc:34
          #11 0x7ffa61446249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
       
      SUMMARY: AddressSanitizer: heap-use-after-free /data/bld/release/bb-12.2-release-asan/sql/opt_hints_parser.h:321 in Optimizer_hint_parser::Identifier::to_ident_cli() const
      ==95028==ABORTING
      

      The failure started happening after this commit in 12.2.1 (even though it refers to an item which is still open, it was in fact in 12.2 RC):

      commit 049ee29e7e28c1c7c3c41638adc54efa2cb10c2a (HEAD)
      Commit:     Dave Gosselin
      CommitDate: Mon Oct 27 10:29:22 2025 -0400
       
          MDEV-37260 Implicitly named query blocks, CREATE VIEW AS supports hints
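
The stacks above place both the allocation (`sp_instr_stmt::get_query` appending to a `String`) and the free (`String::~String`) inside `sp_lex_instr::parse_expr`, while the read happens later under `LEX::resolve_optimizer_hints`. The following added example models that lifetime pattern in C++, with a borrowed identifier next to an owned copy; it is not MariaDB code and not the fix applied for this issue. `Buffer`, `HintIdent`, `parse_qb_name` and `parse_then_resolve` are hypothetical names, and the liveness tag exists only so that the stale access is reported instead of performed.

```cpp
#include <memory>
#include <string>
// Constructed model, not MariaDB code: Buffer stands in for a temporary query string.
struct Buffer {
  std::string text;
  std::shared_ptr<bool> alive = std::make_shared<bool>(true);
  explicit Buffer(const std::string &s) : text(s) {}
  ~Buffer() { *alive = false; }        // models the free when parsing ends
};

struct HintIdent {
  const char *str = nullptr;           // borrowed pointer into Buffer::text
  std::size_t length = 0;
  std::shared_ptr<bool> src_alive;     // liveness tag, only to detect misuse
  std::string owned;                   // copy that lives as long as the hint
  // Resolve the name, refusing rather than reading a destroyed buffer.
  bool resolve(std::string *out) const {
    if (!owned.empty()) { *out = owned; return true; }
    if (!str || !src_alive || !*src_alive) return false;
    out->assign(str, length);
    return true;
  }
};

// Extract the name from "QB_NAME(name)"; copy=true also stores an owned copy.
HintIdent parse_qb_name(const Buffer &buf, bool copy) {
  static const std::string key = "QB_NAME(";
  HintIdent id;
  std::size_t b = buf.text.find(key);
  if (b == std::string::npos) return id;
  b += key.size();
  std::size_t e = buf.text.find(')', b);
  if (e == std::string::npos) return id;
  id.str = buf.text.data() + b; id.length = e - b;
  id.src_alive = buf.alive;
  if (copy) id.owned.assign(id.str, id.length);
  return id;
}

// Parse in one phase and resolve in a later one, after the buffer is gone.
bool parse_then_resolve(bool copy, std::string *out) {
  HintIdent id;
  { Buffer q("SELECT /*+ QB_NAME(xxxx) */ 1"); id = parse_qb_name(q, copy); }
  return id.resolve(out);
}

int main() {                           // exit 0 when both paths behave as described
  std::string name;
  return (!parse_then_resolve(false, &name) && parse_then_resolve(true, &name)) ? 0 : 1;
}
```

In the borrowed form the identifier is only valid while the parse buffer exists; the owned form stays valid for as long as the hint object does.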
      


            People

              Gosselin Dave Gosselin
              elenst Elena Stepanova