[MDEV-39449] Memory corruption (heap-buffer-overflow) in uint4korr and Gcalc_function::count_internal, apparent partial stack looping in Gcalc_function::count_internal and Assertion `(0)' failed in Item_func_spatial_precise_rel::val_bool - Jira

SELECT ST_COVEREDBY (ST_GEOMFROMTEXT ('POINT(0 0)'),ST_GEOMFROMTEXT ('POLYGON ((0 0,0 0,0 0,0 0,0 0))'));

CS 13.0.1 3a2f8e27981b76b99d2b87cc3bcec5ef022b2b23 (Optimized, UBASAN, Clang 21.1.3-20250923) Build 10/04/2026
==1542499==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7710162607a0 at pc 0x5f00bece07fd bp 0x6daf16af9e70 sp 0x6daf16af9e68
READ of size 4 at 0x7710162607a0 thread T14
#0 0x5f00bece07fc in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29:10
#1 0x5f00bece07fc in uint4korr(void const*) /test/13.0_opt_san/include/my_byteorder.h:121:3
#2 0x5f00bece07fc in Gcalc_function::count_internal(char const, unsigned int, char const*) /test/13.0_opt_san/sql/gcalc_tools.cc:128:14
#3 0x5f00bece03c9 in Gcalc_function::count_internal(char const, unsigned int, char const*) /test/13.0_opt_san/sql/gcalc_tools.cc:177:11
#4 0x5f00bece03c9 in Gcalc_function::count_internal(char const, unsigned int, char const*) /test/13.0_opt_san/sql/gcalc_tools.cc:177:11
#5 0x5f00bece0429 in Gcalc_function::count_internal(char const, unsigned int, char const*) /test/13.0_opt_san/sql/gcalc_tools.cc:186:19
#6 0x5f00bece03c9 in Gcalc_function::count_internal(char const, unsigned int, char const*) /test/13.0_opt_san/sql/gcalc_tools.cc:177:11
#7 0x5f00bece03c9 in Gcalc_function::count_internal(char const, unsigned int, char const*) /test/13.0_opt_san/sql/gcalc_tools.cc:177:11
#8 0x5f00bece03c9 in Gcalc_function::count_internal(char const, unsigned int, char const*) /test/13.0_opt_san/sql/gcalc_tools.cc:177:11
#9 0x5f00bece03c9 in Gcalc_function::count_internal(char const, unsigned int, char const*) /test/13.0_opt_san/sql/gcalc_tools.cc:177:11
#10 0x5f00bece03c9 in Gcalc_function::count_internal(char const, unsigned int, char const*) /test/13.0_opt_san/sql/gcalc_tools.cc:177:11
#11 0x5f00bece03c9 in Gcalc_function::count_internal(char const, unsigned int, char const*) /test/13.0_opt_san/sql/gcalc_tools.cc:177:11
#12 0x5f00bece03c9 in Gcalc_function::count_internal(char const, unsigned int, char const*) /test/13.0_opt_san/sql/gcalc_tools.cc:177:11
#13 0x5f00bece03c9 in Gcalc_function::count_internal(char const, unsigned int, char const*) /test/13.0_opt_san/sql/gcalc_tools.cc:177:11
...
...
...
#130 0x5f00bece03c9 in Gcalc_function::count_internal(char const, unsigned int, char const*) /test/13.0_opt_san/sql/gcalc_tools.cc:177:11
#131 0x5f00bece03c9 in Gcalc_function::count_internal(char const, unsigned int, char const*) /test/13.0_opt_san/sql/gcalc_tools.cc:177:11
#132 0x5f00bd9158ff in Item_func_spatial_precise_rel::val_bool() /test/13.0_opt_san/sql/item_geofunc.cc:1586:16
#133 0x5f00bd50f43d in Item_bool_func::val_int() /test/13.0_opt_san/sql/item_cmpfunc.h:245:12
#134 0x5f00bee9a729 in Type_handler::Item_send_long(Item, Protocol, st_value*) const /test/13.0_opt_san/sql/sql_type.cc:7697:22
#135 0x5f00bdb22218 in Protocol::send_result_set_row(List<Item>*) /test/13.0_opt_san/sql/protocol.cc:1358:15
#136 0x5f00bddff01b in select_send::send_data(List<Item>&) /test/13.0_opt_san/sql/sql_class.cc:3410:17
#137 0x5f00bddfdeb1 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/13.0_opt_san/sql/sql_class.cc:3308:11
#138 0x5f00be4ac3aa in JOIN::exec_inner() /test/13.0_opt_san/sql/sql_select.cc:4996:22
#139 0x5f00be4aa93a in JOIN::exec() /test/13.0_opt_san/sql/sql_select.cc:4913:8
#140 0x5f00be40206d in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/13.0_opt_san/sql/sql_select.cc:5439:21
#141 0x5f00be400535 in handle_select(THD, LEX, select_result*, unsigned long long) /test/13.0_opt_san/sql/sql_select.cc:636:10
#142 0x5f00be2a2908 in execute_sqlcom_select(THD, TABLE_LIST) /test/13.0_opt_san/sql/sql_parse.cc:6213:12
#143 0x5f00be285b3c in mysql_execute_command(THD*, bool) /test/13.0_opt_san/sql/sql_parse.cc:3989:12
#144 0x5f00be267d99 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/13.0_opt_san/sql/sql_parse.cc:7941:18
#145 0x5f00be25f317 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/13.0_opt_san/sql/sql_parse.cc:1898:7
#146 0x5f00be269f6e in do_command(THD*, bool) /test/13.0_opt_san/sql/sql_parse.cc:1432:17
#147 0x5f00beae541c in do_handle_one_connection(CONNECT*, bool) /test/13.0_opt_san/sql/sql_connect.cc:1503:11
#148 0x5f00beae4dfd in handle_one_connection /test/13.0_opt_san/sql/sql_connect.cc:1415:5
#149 0x5f00bf595975 in pfs_spawn_thread /test/13.0_opt_san/storage/perfschema/pfs.cc:2198:3
#150 0x5f00bd13e26a in asan_thread_start(void*) crtstuff.c
#151 0x79b01729ca93 in start_thread nptl/pthread_create.c:447:8
#152 0x79b017329c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

0x7710162607a0 is located 0 bytes after 544-byte region [0x771016260580,0x7710162607a0)
allocated by thread T14 here:
#0 0x5f00bd1409e8 in malloc (/test/UBASAN_MD100426-mariadb-13.0.1-linux-x86_64-opt/bin/mariadbd+0x37e49e8) (BuildId: 42bcdc55a750676f646e2dd80dc01535a8d1a9ef)
#1 0x5f00c053ac78 in my_malloc /test/13.0_opt_san/mysys/my_malloc.c:93:29
#2 0x5f00be75a6dc in Binary_string::realloc_raw(unsigned long) /test/13.0_opt_san/sql/sql_string.cc:100:32
#3 0x5f00be7613fa in Binary_string::realloc(unsigned long) /test/13.0_opt_san/sql/sql_string.h:750:9
#4 0x5f00be7613fa in Binary_string::reserve(unsigned long, unsigned long) /test/13.0_opt_san/sql/sql_string.cc:757:9
#5 0x5f00bd914c21 in Item_func_spatial_precise_rel::val_bool() /test/13.0_opt_san/sql/item_geofunc.cc:1476:26
#6 0x5f00bd50f43d in Item_bool_func::val_int() /test/13.0_opt_san/sql/item_cmpfunc.h:245:12
#7 0x5f00bee9a729 in Type_handler::Item_send_long(Item, Protocol, st_value*) const /test/13.0_opt_san/sql/sql_type.cc:7697:22
#8 0x5f00bdb22218 in Protocol::send_result_set_row(List<Item>*) /test/13.0_opt_san/sql/protocol.cc:1358:15
#9 0x5f00bddff01b in select_send::send_data(List<Item>&) /test/13.0_opt_san/sql/sql_class.cc:3410:17
#10 0x5f00bddfdeb1 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/13.0_opt_san/sql/sql_class.cc:3308:11
#11 0x5f00be4ac3aa in JOIN::exec_inner() /test/13.0_opt_san/sql/sql_select.cc:4996:22
#12 0x5f00be4aa93a in JOIN::exec() /test/13.0_opt_san/sql/sql_select.cc:4913:8
#13 0x5f00be40206d in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/13.0_opt_san/sql/sql_select.cc:5439:21
#14 0x5f00be400535 in handle_select(THD, LEX, select_result*, unsigned long long) /test/13.0_opt_san/sql/sql_select.cc:636:10
#15 0x5f00be2a2908 in execute_sqlcom_select(THD, TABLE_LIST) /test/13.0_opt_san/sql/sql_parse.cc:6213:12
#16 0x5f00be285b3c in mysql_execute_command(THD*, bool) /test/13.0_opt_san/sql/sql_parse.cc:3989:12
#17 0x5f00be267d99 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/13.0_opt_san/sql/sql_parse.cc:7941:18
#18 0x5f00be25f317 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/13.0_opt_san/sql/sql_parse.cc:1898:7
#19 0x5f00be269f6e in do_command(THD*, bool) /test/13.0_opt_san/sql/sql_parse.cc:1432:17
#20 0x5f00beae541c in do_handle_one_connection(CONNECT*, bool) /test/13.0_opt_san/sql/sql_connect.cc:1503:11
#21 0x5f00beae4dfd in handle_one_connection /test/13.0_opt_san/sql/sql_connect.cc:1415:5
#22 0x5f00bf595975 in pfs_spawn_thread /test/13.0_opt_san/storage/perfschema/pfs.cc:2198:3
#23 0x5f00bd13e26a in asan_thread_start(void*) crtstuff.c

Thread T14 created by T0 here:
#0 0x5f00bd124965 in pthread_create (/test/UBASAN_MD100426-mariadb-13.0.1-linux-x86_64-opt/bin/mariadbd+0x37c8965) (BuildId: 42bcdc55a750676f646e2dd80dc01535a8d1a9ef)
#1 0x5f00bf59603c in my_thread_create(unsigned long, pthread_attr_t const, void* ()(void), void*) /test/13.0_opt_san/storage/perfschema/my_thread.h:38:10
#2 0x5f00bf59603c in pfs_spawn_thread_v1 /test/13.0_opt_san/storage/perfschema/pfs.cc:2249:15
#3 0x5f00bd19d60e in inline_mysql_thread_create(unsigned int, unsigned long, pthread_attr_t const, void* ()(void), void*) /test/13.0_opt_san/include/mysql/psi/mysql_thread.h:1139:11
#4 0x5f00bd19d60e in create_thread_to_handle_connection(CONNECT*) /test/13.0_opt_san/sql/mysqld.cc:6466:19
#5 0x5f00bd19f0a8 in handle_connections_sockets() /test/13.0_opt_san/sql/mysqld.cc:6702:9
#6 0x5f00bd19cc7a in run_main_loop() /test/13.0_opt_san/sql/mysqld.cc:5942:3
#7 0x5f00bd18f74b in mysqld_main(int, char**) /test/13.0_opt_san/sql/mysqld.cc:6371:3
#8 0x79b01722a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#9 0x79b01722a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#10 0x5f00bd09b274 in _start (/test/UBASAN_MD100426-mariadb-13.0.1-linux-x86_64-opt/bin/mariadbd+0x373f274) (BuildId: 42bcdc55a750676f646e2dd80dc01535a8d1a9ef)

SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29:10 in memcpy
Shadow bytes around the buggy address:
0x771016260500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x771016260580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x771016260600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x771016260680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x771016260700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x771016260780: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa
0x771016260800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x771016260880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x771016260900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x771016260980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x771016260a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1542499==ABORTING

Compiled with a recent version of Clang and LLVM. Ubuntu instructions for Clang/LLVM 18:

  # Note: It is strongly recommended to uninstall all old Clang & LLVM packages (ref  dpkg --list | grep -iE 'clang|llvm'  and use  apt purge  and  dpkg --purge  to remove the packages), before installing Clang/LLVM 18

     sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev lld-18

Compiled with: "-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DCMAKE_C{,XX}_FLAGS='-march=native -mtune=native'" and:

    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON

Set before execution:

    export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1

SAN Bug Detection Matrix
Rel o/d Build Commit UniqueID observed
CS 10.6 dbg 100426 f39b634db715cd9dc1835653d1ce544df2aa1613 No bug found
CS 10.6 opt 100426 f39b634db715cd9dc1835653d1ce544df2aa1613 No bug found
CS 10.11 dbg 100426 ba774a0a90fac0163babe9d7a964aa36503e1711 No bug found
CS 10.11 opt 100426 ba774a0a90fac0163babe9d7a964aa36503e1711 No bug found
CS 11.4 dbg 100426 dc89915ad9bf3dcb67e66d2844c77ec0403373de No bug found
CS 11.4 opt 100426 dc89915ad9bf3dcb67e66d2844c77ec0403373de No bug found
CS 11.8 dbg 100426 e47db94aea7f0d6e0177e948486fc8860331f05f No bug found
CS 11.8 opt 100426 e47db94aea7f0d6e0177e948486fc8860331f05f No bug found
CS 12.3 dbg 100426 f5bb9922107672e88f7b5cbdb3d25151cc5744bb (0)\|SIGABRT\|Item_func_spatial_precise_rel::val_bool\|Item_bool_func::val_int\|Type_handler::Item_send_long\|Protocol::send_result_set_row
CS 12.3 opt 100426 f5bb9922107672e88f7b5cbdb3d25151cc5744bb ASAN\|heap-buffer-overflow\|include/x86_64-linux-gnu/bits/string_fortified.h\|memcpy\|uint4korr\|Gcalc_function::count_internal\|Gcalc_function::count_internal
CS 13.0 dbg 100426 3a2f8e27981b76b99d2b87cc3bcec5ef022b2b23 (0)\|SIGABRT\|Item_func_spatial_precise_rel::val_bool\|Item_bool_func::val_int\|Type_handler::Item_send_long\|Protocol::send_result_set_row
CS 13.0 opt 100426 3a2f8e27981b76b99d2b87cc3bcec5ef022b2b23 ASAN\|heap-buffer-overflow\|include/x86_64-linux-gnu/bits/string_fortified.h\|memcpy\|uint4korr\|Gcalc_function::count_internal\|Gcalc_function::count_internal
ES 10.6 dbg 100426 84a80c8b38208d362225496da08d86d8d454e453 No bug found
ES 10.6 opt 100426 84a80c8b38208d362225496da08d86d8d454e453 No bug found
ES 11.4 dbg 100426 8b2bf17b733262409422ce7d039a0c021fc47077 No bug found
ES 11.4 opt 100426 8b2bf17b733262409422ce7d039a0c021fc47077 No bug found
ES 11.8 dbg 100426 854cae81f52e477c7777a51db26ba640d8755b81 No bug found
ES 11.8 opt 100426 854cae81f52e477c7777a51db26ba640d8755b81 No bug found
ES 12.3 dbg 220426 613a6253fe9efc12e166f83a97663ba263db8317 (0)\|SIGABRT\|Item_func_spatial_precise_rel::val_bool\|Item_bool_func::val_int\|Type_handler::Item_send_long\|Protocol::send_result_set_row
ES 12.3 opt 220426 613a6253fe9efc12e166f83a97663ba263db8317 ASAN\|heap-buffer-overflow\|sql/gcalc_tools.cc\|Gcalc_function::count_internal\|Gcalc_function::count_internal\|Gcalc_function::count_internal\|Gcalc_function::count_internal

CS 13.0.1 3a2f8e27981b76b99d2b87cc3bcec5ef022b2b23 (Debug, Clang 21.1.3-20250923) Build 10/04/2026
mariadbd: /test/13.0_dbg/sql/item_geofunc.cc:1572: virtual bool Item_func_spatial_precise_rel::val_bool(): Assertion `(0)' failed.

CS 13.0.1 3a2f8e27981b76b99d2b87cc3bcec5ef022b2b23 (Debug, Clang 21.1.3-20250923) Build 10/04/2026
Core was generated by `/test/MD100426-mariadb-13.0.1-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
Program terminated with signal SIGABRT, Aborted.
Download failed: Invalid argument. Continuing without source file ./nptl/./nptl/pthread_kill.c.
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44

[Current thread is 1 (LWP 3362176)]
(gdb) bt
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6)at ./nptl/pthread_kill.c:89
#3 0x00007b60c8e4526e in __GI_raise (sig=sig@entry=6)at ../sysdeps/posix/raise.c:26
#4 0x00007b60c8e288ff in __GI_abort () at ./stdlib/abort.c:79
#5 0x00007b60c8e2881b in __assert_fail_base (fmt=0x7b60c8fd01e8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x651f3c8286a7 "(0)", file=file@entry=0x651f3c84713c "/test/13.0_dbg/sql/item_geofunc.cc", line=line@entry=1572, function=function@entry=0x651f3c79b247 "virtual bool Item_func_spatial_precise_rel::val_bool()") at ./assert/assert.c:94
#6 0x00007b60c8e3b507 in __assert_fail (assertion=0x651f3c8286a7 "(0)", file=0x651f3c84713c "/test/13.0_dbg/sql/item_geofunc.cc", line=1572, function=0x651f3c79b247 "virtual bool Item_func_spatial_precise_rel::val_bool()") at ./assert/assert.c:103
#7 0x0000651f3d1d1ad3 in Item_func_spatial_precise_rel::val_bool (this=0x735fe001ae60) at /test/13.0_dbg/sql/item_geofunc.cc:1572
#8 0x0000651f3d08b4aa in Item_bool_func::val_int (this=0x735fe001ae60)at /test/13.0_dbg/sql/item_cmpfunc.h:245
#9 0x0000651f3d75d975 in Type_handler::Item_send_long (this=0x651f3e551e48 <type_handler_bool>, item=0x735fe001ae60, protocol=0x735fe0001430, buf=0x7b60bd921240)at /test/13.0_dbg/sql/sql_type.cc:7697
#10 0x0000651f3d76e85d in Type_handler_long::Item_send (this=0x651f3e551e48 <type_handler_bool>, item=0x735fe001ae60, protocol=0x735fe0001430, buf=0x7b60bd921240)at /test/13.0_dbg/sql/sql_type.h:5953
#11 0x0000651f3cf857ed in Item::send (this=0x735fe001ae60, protocol=0x735fe0001430, buffer=0x7b60bd921240)at /test/13.0_dbg/sql/item.h:1243
#12 0x0000651f3d24259c in Protocol::send_result_set_row (this=0x735fe0001430, row_items=0x735fe001a680) at /test/13.0_dbg/sql/protocol.cc:1358
#13 0x0000651f3d30db5e in select_send::send_data (this=0x735fe001bad8, items=@0x735fe001a680: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x735fe001b0a0, last = 0x735fe001b0a0, elements = 1}, <No data fields>})at /test/13.0_dbg/sql/sql_class.cc:3410
#14 0x0000651f3d30d84f in select_result_sink::send_data_with_check (this=0x735fe001bad8, items=@0x735fe001a680: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x735fe001b0a0, last = 0x735fe001b0a0, elements = 1}, <No data fields>}, u=0x735fe0005270, sent=0) at /test/13.0_dbg/sql/sql_class.cc:3308
#15 0x0000651f3d4d6d12 in JOIN::exec_inner (this=0x735fe001bb00)at /test/13.0_dbg/sql/sql_select.cc:4996
#16 0x0000651f3d4d67b3 in JOIN::exec (this=0x735fe001bb00)at /test/13.0_dbg/sql/sql_select.cc:4913
#17 0x0000651f3d4b48bb in mysql_select (thd=0x735fe0000d58, tables=0x0, fields=@0x735fe001a680: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x735fe001b0a0, last = 0x735fe001b0a0, elements = 1}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2164525824, result=0x735fe001bad8, unit=0x735fe0005270, select_lex=0x735fe001a3c8) at /test/13.0_dbg/sql/sql_select.cc:5439
#18 0x0000651f3d4b441d in handle_select (thd=0x735fe0000d58, lex=0x735fe0005190, result=0x735fe001bad8, setup_tables_done_option=0)at /test/13.0_dbg/sql/sql_select.cc:636
#19 0x0000651f3d45b6fa in execute_sqlcom_select (thd=0x735fe0000d58, all_tables=0x0) at /test/13.0_dbg/sql/sql_parse.cc:6213
#20 0x0000651f3d451b63 in mysql_execute_command (thd=0x735fe0000d58, is_called_from_prepared_stmt=false) at /test/13.0_dbg/sql/sql_parse.cc:3989
#21 0x0000651f3d44a9c8 in mysql_parse (thd=0x735fe0000d58, rawbuf=0x735fe001a298 "SELECT ST_COVEREDBY (ST_GEOMFROMTEXT ('POINT(0 0)'),ST_GEOMFROMTEXT ('POLYGON ((0 0,0 0,0 0,0 0,0 0))'))", length=104, parser_state=0x7b60bd9239f0) at /test/13.0_dbg/sql/sql_parse.cc:7941
#22 0x0000651f3d44811e in dispatch_command (command=COM_QUERY, thd=0x735fe0000d58, packet=0x735fe000b4b9 "", packet_length=104, blocking=true) at /test/13.0_dbg/sql/sql_parse.cc:1898
#23 0x0000651f3d44b44a in do_command (thd=0x735fe0000d58, blocking=true)at /test/13.0_dbg/sql/sql_parse.cc:1432
#24 0x0000651f3d64e70e in do_handle_one_connection (connect=0x651f3f84a698, put_in_cache=true) at /test/13.0_dbg/sql/sql_connect.cc:1503
#25 0x0000651f3d64e4f1 in handle_one_connection (arg=0x651f3f80e9c8)at /test/13.0_dbg/sql/sql_connect.cc:1415
#26 0x00007b60c8e9ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
#27 0x00007b60c8f29c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

Bug Detection Matrix
Rel o/d Build Commit UniqueID observed
CS 10.6 dbg 100426 f39b634db715cd9dc1835653d1ce544df2aa1613 No bug found
CS 10.6 opt 100426 f39b634db715cd9dc1835653d1ce544df2aa1613 No bug found
CS 10.11 dbg 100426 ba774a0a90fac0163babe9d7a964aa36503e1711 No bug found
CS 10.11 opt 100426 ba774a0a90fac0163babe9d7a964aa36503e1711 No bug found
CS 11.4 dbg 100426 dc89915ad9bf3dcb67e66d2844c77ec0403373de No bug found
CS 11.4 opt 100426 dc89915ad9bf3dcb67e66d2844c77ec0403373de No bug found
CS 11.8 dbg 100426 e47db94aea7f0d6e0177e948486fc8860331f05f No bug found
CS 11.8 opt 100426 e47db94aea7f0d6e0177e948486fc8860331f05f No bug found
CS 12.3 dbg 100426 f5bb9922107672e88f7b5cbdb3d25151cc5744bb (0)\|SIGABRT\|Item_func_spatial_precise_rel::val_bool\|Item_bool_func::val_int\|Type_handler::Item_send_long\|Type_handler_long::Item_send
CS 12.3 opt 100426 f5bb9922107672e88f7b5cbdb3d25151cc5744bb No bug found
CS 13.0 dbg 100426 3a2f8e27981b76b99d2b87cc3bcec5ef022b2b23 (0)\|SIGABRT\|Item_func_spatial_precise_rel::val_bool\|Item_bool_func::val_int\|Type_handler::Item_send_long\|Type_handler_long::Item_send
CS 13.0 opt 100426 3a2f8e27981b76b99d2b87cc3bcec5ef022b2b23 No bug found
ES 10.6 dbg 100426 84a80c8b38208d362225496da08d86d8d454e453 No bug found
ES 10.6 opt 100426 84a80c8b38208d362225496da08d86d8d454e453 No bug found
ES 11.4 dbg 100426 8b2bf17b733262409422ce7d039a0c021fc47077 No bug found
ES 11.4 opt 100426 8b2bf17b733262409422ce7d039a0c021fc47077 No bug found
ES 11.8 dbg 100426 854cae81f52e477c7777a51db26ba640d8755b81 No bug found
ES 11.8 opt 100426 854cae81f52e477c7777a51db26ba640d8755b81 No bug found
ES 12.3 dbg 220426 613a6253fe9efc12e166f83a97663ba263db8317 (0)\|SIGABRT\|Item_func_spatial_precise_rel::val_bool\|Item_bool_func::val_int\|Type_handler::Item_send_long\|Type_handler_long::Item_send
ES 12.3 opt 220426 613a6253fe9efc12e166f83a97663ba263db8317 No bug found
MS 5.5 dbg 070123 bac287c315b1792e7ae33f91add6a60292f9bae8 No bug found
MS 5.5 opt 070123 bac287c315b1792e7ae33f91add6a60292f9bae8 No bug found
MS 5.6 dbg 070123 dab95781a1244104d6b87020ac2fc4d190ba2946 No bug found
MS 5.6 opt 070123 dab95781a1244104d6b87020ac2fc4d190ba2946 No bug found
MS 5.7 dbg 070525 f7680e98b6bbe3500399fbad465d08a6b75d7a5c No bug found
MS 5.7 opt 070525 f7680e98b6bbe3500399fbad465d08a6b75d7a5c No bug found
MS 8.0 dbg 060224 49ef33f7edadef3ae04665e73d1babd40179a4f1 No bug found
MS 8.0 opt 060224 49ef33f7edadef3ae04665e73d1babd40179a4f1 No bug found
MS 9.1 dbg 211024 61a3a1d8ef15512396b4c2af46e922a19bf2b174 No bug found
MS 9.1 opt 211024 61a3a1d8ef15512396b4c2af46e922a19bf2b174 No bug found

Memory corruption (heap-buffer-overflow) in uint4korr and Gcalc_function::count_internal, apparent partial stack looping in Gcalc_function::count_internal and Assertion `(0)' failed in Item_func_spatial_precise_rel::val_bool

Details

Description

Attachments

Activity

People

Dates

Git Integration