  2. MDEV-39381

MariaDB debug build (ASAN) heap-use-after-free in st_join_table::cleanup


Details

    • Bug
    • Status: Closed (View Workflow)
    • Critical
    • Resolution: Duplicate
    • 12.2.2
    • N/A
    • Optimizer
    • None
    • ubuntu 22.04
    • Can result in hang or crash
    • Q2/2026 Server Maintenance

    Description

      MariaDB debug build with ASAN (12.2.2-MariaDB-asan-debug) detects a heap-use-after-free error when executing a complex query with a CTE, INTERSECT, and multiple nested subqueries. The invalid read occurs in `st_join_table::cleanup()`; per the ASAN report below, the freed region is a temporary table originally allocated by `create_dummy_tmp_table()` inside `execute_degenerate_jtbm_semi_join()`, released through `cleanup_empty_jtbm_semi_joins()` (reached via `st_select_lex_unit::cleanup_stranded_units()`), and then read again on the same thread during the regular cleanup of a nested unit.

      -- Reproducer setup (as posted on the ticket): a fresh schema and one MyISAM table
      -- with a single UNIQUE REAL column holding two rows. The crash is triggered by the
      -- SELECT statement that follows (see execute_sqlcom_select in the ASAN trace), not here.
      DROP DATABASE IF EXISTS sqlcraft;
      CREATE DATABASE sqlcraft;
      USE sqlcraft;
      CREATE TABLE IF NOT EXISTS t0(c0 REAL  UNIQUE) engine=MyISAM;
      INSERT INTO t0 VALUES (-501726699);
      INSERT INTO t0 VALUES (2091727896);
       
      -- Crashing statement. Fuzzer-generated (tomNN / cNN aliases); keep it verbatim when
      -- re-testing -- the heap-use-after-free depends on this exact nesting and may not
      -- reproduce if the query is simplified or reformatted.
      -- Shape: CTE tom38 = derived table tom23 LEFT JOIN derived table tom36 ON true, where
      -- tom36's WHERE clause carries two nested IN (subquery) predicates. The outer
      -- statement INTERSECTs a constant SELECT with a SELECT over tom38 NATURAL JOIN t0.
      -- Per the ASAN trace on this ticket: the freed region is a dummy temporary table
      -- created by execute_degenerate_jtbm_semi_join() (presumably for one of the IN
      -- predicates below -- unconfirmed), freed in cleanup_empty_jtbm_semi_joins() via
      -- st_select_lex_unit::cleanup_stranded_units(), and then read again from
      -- st_join_table::cleanup() during the regular cleanup of a nested unit on the same
      -- thread. Impact as recorded on the ticket is a server crash (availability).
      WITH tom38 AS (SELECT 1 AS c31 FROM (
          ( ( SELECT 1 AS c22 FROM ( t0 AS tom21 CROSS JOIN t0 AS tom22 ) WHERE ( ABS( b'101010' ) ) >> ( tom21.c0 ) GROUP BY tom22.c0 HAVING RAND( )  ) AS tom23  ) 
          LEFT JOIN 
          ( ( SELECT 1 AS c26  FROM ( t0 AS tom28 , t0 AS tom29 ) WHERE  (  SELECT IFNULL(       X'68656C6C6F' , X'68656C6C6F' ) AS c27)IN (  SELECT COALESCE( X'68656C6C6F' ) AS c28 FROM t0 AS tom32 WHERE ( SELECT  IFNULL( '2025' , '2025' ) AS c29 FROM ( t0 AS tom33 , t0 AS tom34 ) LIMIT 1)IN ( SELECT MAX( '2025' ) AS c30 FROM t0 AS tom35  ) ) LIMIT 42 ) AS tom36 )  
          ON true ))
      SELECT 1 AS c39 
      INTERSECT SELECT 1 AS c41 
      FROM (SELECT  RAND( ) AS c40  FROM ( tom38 AS tom51 NATURAL JOIN t0 AS tom52 ) ) AS tom54 
       LIMIT 42;
      

      crash logs:
      =================================================================
      ==14441==ERROR: AddressSanitizer: heap-use-after-free on address 0x52d000424440 at pc 0x5c37875e073f bp 0x733f3a3f51f0 sp 0x733f3a3f51e0
      READ of size 8 at 0x52d000424440 thread T13
          #0 0x5c37875e073e in st_join_table::cleanup() /app/dbms/mariadb-12.2.2/sql/sql_select.cc:16819
          #1 0x5c37875e4cef in JOIN::cleanup(bool) /app/dbms/mariadb-12.2.2/sql/sql_select.cc:17372
          #2 0x5c378758e741 in JOIN::destroy() /app/dbms/mariadb-12.2.2/sql/sql_select.cc:5160
          #3 0x5c378780a246 in st_select_lex::cleanup() /app/dbms/mariadb-12.2.2/sql/sql_union.cc:2975
          #4 0x5c3787808b52 in st_select_lex_unit::cleanup() /app/dbms/mariadb-12.2.2/sql/sql_union.cc:2781
          #5 0x5c378780a41f in st_select_lex::cleanup() /app/dbms/mariadb-12.2.2/sql/sql_union.cc:2986
          #6 0x5c3787808b52 in st_select_lex_unit::cleanup() /app/dbms/mariadb-12.2.2/sql/sql_union.cc:2781
          #7 0x5c378780a41f in st_select_lex::cleanup() /app/dbms/mariadb-12.2.2/sql/sql_union.cc:2986
          #8 0x5c3787808b52 in st_select_lex_unit::cleanup() /app/dbms/mariadb-12.2.2/sql/sql_union.cc:2781
          #9 0x5c378780a41f in st_select_lex::cleanup() /app/dbms/mariadb-12.2.2/sql/sql_union.cc:2986
          #10 0x5c3787808b52 in st_select_lex_unit::cleanup() /app/dbms/mariadb-12.2.2/sql/sql_union.cc:2781
          #11 0x5c37877eec56 in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long long) /app/dbms/mariadb-12.2.2/sql/sql_union.cc:46
          #12 0x5c378755cecd in handle_select(THD*, LEX*, select_result*, unsigned long long) /app/dbms/mariadb-12.2.2/sql/sql_select.cc:626
          #13 0x5c37874746cc in execute_sqlcom_select /app/dbms/mariadb-12.2.2/sql/sql_parse.cc:6203
          #14 0x5c37874642ce in mysql_execute_command(THD*, bool) /app/dbms/mariadb-12.2.2/sql/sql_parse.cc:3985
          #15 0x5c378747f706 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /app/dbms/mariadb-12.2.2/sql/sql_parse.cc:7925
          #16 0x5c3787455c03 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /app/dbms/mariadb-12.2.2/sql/sql_parse.cc:1896
          #17 0x5c378745289b in do_command(THD*, bool) /app/dbms/mariadb-12.2.2/sql/sql_parse.cc:1432
          #18 0x5c378797dad8 in do_handle_one_connection(CONNECT*, bool) /app/dbms/mariadb-12.2.2/sql/sql_connect.cc:1503
          #19 0x5c378797d62b in handle_one_connection /app/dbms/mariadb-12.2.2/sql/sql_connect.cc:1415
          #20 0x5c3788835b09 in pfs_spawn_thread /app/dbms/mariadb-12.2.2/storage/perfschema/pfs.cc:2198
          #21 0x733f61c94ac2 in start_thread nptl/pthread_create.c:442
          #22 0x733f61d268cf  (/lib/x86_64-linux-gnu/libc.so.6+0x1268cf)
       
      0x52d000424440 is located 64 bytes inside of 32760-byte region [0x52d000424400,0x52d00042c3f8)
      freed by thread T13 here:
          #0 0x733f62ab4537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
          #1 0x5c37896912c1 in my_free /app/dbms/mariadb-12.2.2/mysys/my_malloc.c:218
          #2 0x5c3789660f1c in root_free /app/dbms/mariadb-12.2.2/mysys/my_alloc.c:77
          #3 0x5c3789663cb8 in free_root /app/dbms/mariadb-12.2.2/mysys/my_alloc.c:517
          #4 0x5c37876164d0 in free_tmp_table(THD*, TABLE*) /app/dbms/mariadb-12.2.2/sql/sql_select.cc:23840
          #5 0x5c3787abde82 in cleanup_empty_jtbm_semi_joins(JOIN*, List<TABLE_LIST>*) /app/dbms/mariadb-12.2.2/sql/opt_subselect.cc:6716
          #6 0x5c37875e5208 in JOIN::cleanup(bool) /app/dbms/mariadb-12.2.2/sql/sql_select.cc:17409
          #7 0x5c378758e741 in JOIN::destroy() /app/dbms/mariadb-12.2.2/sql/sql_select.cc:5160
          #8 0x5c378780a246 in st_select_lex::cleanup() /app/dbms/mariadb-12.2.2/sql/sql_union.cc:2975
          #9 0x5c3787808b52 in st_select_lex_unit::cleanup() /app/dbms/mariadb-12.2.2/sql/sql_union.cc:2781
          #10 0x5c37873c2228 in st_select_lex_unit::cleanup_stranded_units() /app/dbms/mariadb-12.2.2/sql/sql_lex.cc:3045
          #11 0x5c3787808578 in st_select_lex_unit::cleanup() /app/dbms/mariadb-12.2.2/sql/sql_union.cc:2741
          #12 0x5c37877eec56 in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long long) /app/dbms/mariadb-12.2.2/sql/sql_union.cc:46
          #13 0x5c378755cecd in handle_select(THD*, LEX*, select_result*, unsigned long long) /app/dbms/mariadb-12.2.2/sql/sql_select.cc:626
          #14 0x5c37874746cc in execute_sqlcom_select /app/dbms/mariadb-12.2.2/sql/sql_parse.cc:6203
          #15 0x5c37874642ce in mysql_execute_command(THD*, bool) /app/dbms/mariadb-12.2.2/sql/sql_parse.cc:3985
          #16 0x5c378747f706 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /app/dbms/mariadb-12.2.2/sql/sql_parse.cc:7925
          #17 0x5c3787455c03 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /app/dbms/mariadb-12.2.2/sql/sql_parse.cc:1896
          #18 0x5c378745289b in do_command(THD*, bool) /app/dbms/mariadb-12.2.2/sql/sql_parse.cc:1432
          #19 0x5c378797dad8 in do_handle_one_connection(CONNECT*, bool) /app/dbms/mariadb-12.2.2/sql/sql_connect.cc:1503
          #20 0x5c378797d62b in handle_one_connection /app/dbms/mariadb-12.2.2/sql/sql_connect.cc:1415
          #21 0x5c3788835b09 in pfs_spawn_thread /app/dbms/mariadb-12.2.2/storage/perfschema/pfs.cc:2198
          #22 0x733f61c94ac2 in start_thread nptl/pthread_create.c:442
       
      previously allocated by thread T13 here:
          #0 0x733f62ab4887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
          #1 0x5c37896903c8 in my_malloc /app/dbms/mariadb-12.2.2/mysys/my_malloc.c:93
          #2 0x5c3789660e94 in root_alloc /app/dbms/mariadb-12.2.2/mysys/my_alloc.c:66
          #3 0x5c37896616dd in init_alloc_root /app/dbms/mariadb-12.2.2/mysys/my_alloc.c:178
          #4 0x5c37878c124e in init_sql_alloc(unsigned int, st_mem_root*, unsigned int, unsigned int, unsigned long) /app/dbms/mariadb-12.2.2/sql/thr_malloc.cc:64
          #5 0x5c3787602d62 in Create_tmp_table::start(THD*, TMP_TABLE_PARAM*, st_mysql_const_lex_string const*) /app/dbms/mariadb-12.2.2/sql/sql_select.cc:22143
          #6 0x5c378760eeb8 in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool) /app/dbms/mariadb-12.2.2/sql/sql_select.cc:23031
          #7 0x5c3787ab9363 in create_dummy_tmp_table(THD*) /app/dbms/mariadb-12.2.2/sql/opt_subselect.cc:6055
          #8 0x5c3787abc80e in execute_degenerate_jtbm_semi_join(THD*, TABLE_LIST*, Item_in_subselect*, List<Item>&) /app/dbms/mariadb-12.2.2/sql/opt_subselect.cc:6497
          #9 0x5c3787abd4b0 in setup_jtbm_semi_joins(JOIN*, List<TABLE_LIST>*, List<Item>&) /app/dbms/mariadb-12.2.2/sql/opt_subselect.cc:6651
          #10 0x5c3787abda8a in setup_jtbm_semi_joins(JOIN*, List<TABLE_LIST>*, List<Item>&) /app/dbms/mariadb-12.2.2/sql/opt_subselect.cc:6680
          #11 0x5c3787572050 in JOIN::optimize_inner() /app/dbms/mariadb-12.2.2/sql/sql_select.cc:2543
          #12 0x5c378756c579 in JOIN::optimize() /app/dbms/mariadb-12.2.2/sql/sql_select.cc:2021
          #13 0x5c378735ad98 in mysql_derived_optimize /app/dbms/mariadb-12.2.2/sql/sql_derived.cc:1048
          #14 0x5c378735544e in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /app/dbms/mariadb-12.2.2/sql/sql_derived.cc:203
          #15 0x5c378757274c in JOIN::optimize_inner() /app/dbms/mariadb-12.2.2/sql/sql_select.cc:2588
          #16 0x5c378756c579 in JOIN::optimize() /app/dbms/mariadb-12.2.2/sql/sql_select.cc:2021
          #17 0x5c378735ad98 in mysql_derived_optimize /app/dbms/mariadb-12.2.2/sql/sql_derived.cc:1048
          #18 0x5c378735544e in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /app/dbms/mariadb-12.2.2/sql/sql_derived.cc:203
          #19 0x5c378757274c in JOIN::optimize_inner() /app/dbms/mariadb-12.2.2/sql/sql_select.cc:2588
          #20 0x5c378756c579 in JOIN::optimize() /app/dbms/mariadb-12.2.2/sql/sql_select.cc:2021
          #21 0x5c378735ad98 in mysql_derived_optimize /app/dbms/mariadb-12.2.2/sql/sql_derived.cc:1048
          #22 0x5c378735544e in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /app/dbms/mariadb-12.2.2/sql/sql_derived.cc:203
          #23 0x5c378757274c in JOIN::optimize_inner() /app/dbms/mariadb-12.2.2/sql/sql_select.cc:2588
          #24 0x5c378756c579 in JOIN::optimize() /app/dbms/mariadb-12.2.2/sql/sql_select.cc:2021
          #25 0x5c3787803227 in st_select_lex_unit::optimize() /app/dbms/mariadb-12.2.2/sql/sql_union.cc:2321
          #26 0x5c3787803e43 in st_select_lex_unit::exec_inner() /app/dbms/mariadb-12.2.2/sql/sql_union.cc:2369
          #27 0x5c3787803aba in st_select_lex_unit::exec() /app/dbms/mariadb-12.2.2/sql/sql_union.cc:2351
          #28 0x5c37877eec41 in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long long) /app/dbms/mariadb-12.2.2/sql/sql_union.cc:45
          #29 0x5c378755cecd in handle_select(THD*, LEX*, select_result*, unsigned long long) /app/dbms/mariadb-12.2.2/sql/sql_select.cc:626
       
      Thread T13 created by T0 here:
          #0 0x733f62a58685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
          #1 0x5c37888315fd in my_thread_create /app/dbms/mariadb-12.2.2/storage/perfschema/my_thread.h:38
          #2 0x5c3788835efc in pfs_spawn_thread_v1 /app/dbms/mariadb-12.2.2/storage/perfschema/pfs.cc:2249
          #3 0x5c378701c486 in inline_mysql_thread_create /app/dbms/mariadb-12.2.2/include/mysql/psi/mysql_thread.h:1139
          #4 0x5c3787036111 in create_thread_to_handle_connection(CONNECT*) /app/dbms/mariadb-12.2.2/sql/mysqld.cc:6280
          #5 0x5c37870367ba in create_new_thread(CONNECT*) /app/dbms/mariadb-12.2.2/sql/mysqld.cc:6342
          #6 0x5c3787036b2c in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /app/dbms/mariadb-12.2.2/sql/mysqld.cc:6404
          #7 0x5c3787037806 in handle_connections_sockets() /app/dbms/mariadb-12.2.2/sql/mysqld.cc:6516
          #8 0x5c3787034203 in run_main_loop /app/dbms/mariadb-12.2.2/sql/mysqld.cc:5758
          #9 0x5c378703594b in mysqld_main(int, char**) /app/dbms/mariadb-12.2.2/sql/mysqld.cc:6181
          #10 0x5c378701b70c in main /app/dbms/mariadb-12.2.2/sql/main.cc:34
          #11 0x733f61c29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
       
      SUMMARY: AddressSanitizer: heap-use-after-free /app/dbms/mariadb-12.2.2/sql/sql_select.cc:16819 in st_join_table::cleanup()
      
      

              Gosselin Dave Gosselin
              ammmkilo ammmkilo
