Details
-
Bug
-
Status: Confirmed (View Workflow)
-
Critical
-
Resolution: Unresolved
-
11.8, 12.3, 13.0
-
Can result in hang or crash
Description
Ref 1st comment for reduced t/c
set sql_mode=''; |
CREATE TABLE t (c FLOAT(2,2) ZEROFILL,c2 SET('') CHARACTER SET'BINARY' COLLATE'BINARY',c3 DATE,KEY(c)); |
ALTER TABLE t MODIFY c2 LONGTEXT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci; |
REPLACE INTO t (c,c2,c3) VALUES ('','r:$u4[Z3y[HmHZ5r{FCU*0#LJOZVb][s;rm7j3N - xca *^ kt-(LE (4UP~IC:%l9/','=DpF=s=G@=d_rqbvtsjhwtgai.N.P7u}3={qDy[Un=LPeqllXoQM % fs=&mXT=e:'); |
RENAME TABLE IF EXISTS t TO t4; |
CREATE TABLE t (c INT KEY,c2 VECTOR (4) NOT NULL,VECTOR INDEX (c2) M=4); |
(SELECT c2 FROM t) INTERSECT ALL (SELECT c2 FROM t4); |
Leads to:
|
CS 13.0.1 2c6903675f1c23363188ac3db039e4ba1cd1a670 (Debug, Clang 18.1.3-11) Build 23/04/2026 |
Core was generated by `/test/MD230426-mariadb-13.0.1-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
|
Program terminated with signal SIGSEGV, Segmentation fault.
|
#0 0x000062e30a54c7ed in collect_indexed_vcols_for_table (table=0x6c249817b020, vcol_fields=0x7425ac0d84b0)at /test/13.0_dbg/sql/opt_vcol_substitution.cc:141
|
141 if (field->vcol_info && vcol_fields->push_back(field))
|
[Current thread is 1 (LWP 582261)]
|
(gdb) bt
|
#0 0x000062e30a54c7ed in collect_indexed_vcols_for_table (table=0x6c249817b020, vcol_fields=0x7425ac0d84b0)at /test/13.0_dbg/sql/opt_vcol_substitution.cc:141
|
#1 0x000062e30a54c0bf in collect_indexed_vcols_for_join (join=0x6c249801ee08, vcol_fields=0x7425ac0d84b0)at /test/13.0_dbg/sql/opt_vcol_substitution.cc:162
|
#2 0x000062e30a54beae in substitute_indexed_vcols_for_join (join=0x6c249801ee08) at /test/13.0_dbg/sql/opt_vcol_substitution.cc:292
|
#3 0x000062e30a738b62 in JOIN::optimize_inner (this=0x6c249801ee08)at /test/13.0_dbg/sql/sql_select.cc:2472
|
#4 0x000062e30a73779d in JOIN::optimize (this=0x6c249801ee08)at /test/13.0_dbg/sql/sql_select.cc:2016
|
#5 0x000062e30a72f388 in mysql_select (thd=0x6c2498000d58, tables=0x6c24980052c0, fields=@0x6c2498005aa8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x6c249801edf8, last = 0x6c249801edf8, elements = 1}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2199023255552, result=0x6c249801d4b8, unit=0x6c2498005270, select_lex=0x6c249801ce68) at /test/13.0_dbg/sql/sql_select.cc:5425
|
#6 0x000062e30a828bf4 in st_select_lex_unit::exec_inner (this=0x6c2498005270)at /test/13.0_dbg/sql/sql_union.cc:2552
|
#7 0x000062e30a8229e1 in st_select_lex_unit::exec (this=0x6c2498005270)at /test/13.0_dbg/sql/sql_union.cc:2351
|
#8 0x000062e30a8202cb in mysql_union (thd=0x6c2498000d58, lex=0x6c2498005190, result=0x6c249801d4b8, unit=0x6c2498005270, setup_tables_done_option=0)at /test/13.0_dbg/sql/sql_union.cc:45
|
#9 0x000062e30a72ee2f in handle_select (thd=0x6c2498000d58, lex=0x6c2498005190, result=0x6c249801d4b8, setup_tables_done_option=0)at /test/13.0_dbg/sql/sql_select.cc:626
|
#10 0x000062e30a6d19f1 in execute_sqlcom_select (thd=0x6c2498000d58, all_tables=0x6c249801a830) at /test/13.0_dbg/sql/sql_parse.cc:6213
|
#11 0x000062e30a6c673c in mysql_execute_command (thd=0x6c2498000d58, is_called_from_prepared_stmt=false) at /test/13.0_dbg/sql/sql_parse.cc:3989
|
#12 0x000062e30a6be8e4 in mysql_parse (thd=0x6c2498000d58, rawbuf=0x6c249801a110 "(SELECT c2 FROM t) INTERSECT ALL (SELECT c2 FROM t4)", length=52, parser_state=0x7425ac0da9f0)at /test/13.0_dbg/sql/sql_parse.cc:7941
|
#13 0x000062e30a6bbc2d in dispatch_command (command=COM_QUERY, thd=0x6c2498000d58, packet=0x6c249800b4b9 "(SELECT c2 FROM t) INTERSECT ALL (SELECT c2 FROM t4)", packet_length=52, blocking=true) at /test/13.0_dbg/sql/sql_parse.cc:1898
|
#14 0x000062e30a6bf493 in do_command (thd=0x6c2498000d58, blocking=true)at /test/13.0_dbg/sql/sql_parse.cc:1432
|
#15 0x000062e30a8bc829 in do_handle_one_connection (connect=0x62e342fe6668, put_in_cache=true) at /test/13.0_dbg/sql/sql_connect.cc:1503
|
#16 0x000062e30a8bc5ce in handle_one_connection (arg=0x62e342f43738)at /test/13.0_dbg/sql/sql_connect.cc:1415
|
#17 0x00007425b009caa4 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
|
#18 0x00007425b0129c6c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
|
Bug Detection Matrix |
Rel o/d Build Commit UniqueID observed
|
CS 10.6 dbg 230426 855ee88362e3664caafccb734b8196a77e4d7e68 No bug found
|
CS 10.6 opt 230426 855ee88362e3664caafccb734b8196a77e4d7e68 No bug found
|
CS 10.11 dbg 230426 c44f9c456f3b1761c8300d237ce6c139756a3fd9 No bug found
|
CS 10.11 opt 230426 c44f9c456f3b1761c8300d237ce6c139756a3fd9 No bug found
|
CS 11.4 dbg 230426 0d9db6bbcc5532e0bde0a63e5991cb5ebee060eb No bug found
|
CS 11.4 opt 230426 0d9db6bbcc5532e0bde0a63e5991cb5ebee060eb No bug found
|
CS 11.8 dbg 230426 d3767f9649a21a6478e8e784805f894497b93eaa SIGSEGV|collect_indexed_vcols_for_table|collect_indexed_vcols_for_join|substitute_indexed_vcols_for_join|JOIN::optimize_inner
|
CS 11.8 opt 230426 d3767f9649a21a6478e8e784805f894497b93eaa SIGSEGV|collect_indexed_vcols_for_table|collect_indexed_vcols_for_join|substitute_indexed_vcols_for_join|JOIN::optimize_inner
|
CS 12.3 dbg 230426 5d234b2aa891ad6be34fcfb2cf607f48efd93272 SIGSEGV|collect_indexed_vcols_for_table|collect_indexed_vcols_for_join|substitute_indexed_vcols_for_join|JOIN::optimize_inner
|
CS 12.3 opt 230426 5d234b2aa891ad6be34fcfb2cf607f48efd93272 SIGSEGV|collect_indexed_vcols_for_table|collect_indexed_vcols_for_join|substitute_indexed_vcols_for_join|JOIN::optimize_inner
|
CS 13.0 dbg 230426 2c6903675f1c23363188ac3db039e4ba1cd1a670 SIGSEGV|collect_indexed_vcols_for_table|collect_indexed_vcols_for_join|substitute_indexed_vcols_for_join|JOIN::optimize_inner
|
CS 13.0 opt 230426 2c6903675f1c23363188ac3db039e4ba1cd1a670 SIGSEGV|collect_indexed_vcols_for_table|collect_indexed_vcols_for_join|substitute_indexed_vcols_for_join|JOIN::optimize_inner
|
ES 10.6 dbg 230426 55cfada6c54d1b08f2372adc1369a5e5e76f472d No bug found
|
ES 10.6 opt 230426 55cfada6c54d1b08f2372adc1369a5e5e76f472d No bug found
|
ES 11.4 dbg 230426 90f707057d44f1b5c013a0c3672fd12f32ea7085 No bug found
|
ES 11.4 opt 230426 90f707057d44f1b5c013a0c3672fd12f32ea7085 No bug found
|
ES 11.8 dbg 230426 1499789de285a8109d68d79347de0281865b28f4 SIGSEGV|collect_indexed_vcols_for_table|collect_indexed_vcols_for_join|substitute_indexed_vcols_for_join|JOIN::optimize_inner
|
ES 11.8 opt 230426 1499789de285a8109d68d79347de0281865b28f4 SIGSEGV|collect_indexed_vcols_for_table|collect_indexed_vcols_for_join|substitute_indexed_vcols_for_join|JOIN::optimize_inner
|
ES 12.3 dbg 230426 613a6253fe9efc12e166f83a97663ba263db8317 SIGSEGV|collect_indexed_vcols_for_table|collect_indexed_vcols_for_join|substitute_indexed_vcols_for_join|JOIN::optimize_inner
|
ES 12.3 opt 230426 613a6253fe9efc12e166f83a97663ba263db8317 SIGSEGV|collect_indexed_vcols_for_table|collect_indexed_vcols_for_join|substitute_indexed_vcols_for_join|JOIN::optimize_inner
|
And on UBASAN builds to:
|
CS 13.0.1 3a2f8e27981b76b99d2b87cc3bcec5ef022b2b23 (Optimized, UBASAN, Clang 21.1.3-20250923) Build 10/04/2026 |
==2025312==ERROR: AddressSanitizer: use-after-poison on address 0x76fcc33939b8 at pc 0x5fbb0799cc3a bp 0x6c2bc3aff8e0 sp 0x6c2bc3aff0a0
|
WRITE of size 55 at 0x76fcc33939b8 thread T14
|
#0 0x5fbb0799cc39 in __asan_memmove (/test/UBASAN_MD100426-mariadb-13.0.1-linux-x86_64-opt/bin/mariadbd+0x37e2c39) (BuildId: 42bcdc55a750676f646e2dd80dc01535a8d1a9ef)
|
#1 0x5fbb0aea916b in memmove /usr/include/x86_64-linux-gnu/bits/string_fortified.h:36:10
|
#2 0x5fbb0aea916b in my_copy_8bit /test/13.0_opt_san/strings/ctype-simple.c:1267:5
|
#3 0x5fbb08fc2164 in charset_info_st::copy_fix(char*, unsigned long, char const*, unsigned long, unsigned long, MY_STRCOPY_STATUS*) const /test/13.0_opt_san/include/m_ctype.h:1119:12
|
#4 0x5fbb08fc2164 in String_copier::well_formed_copy(charset_info_st const*, char*, unsigned long, charset_info_st const*, char const*, unsigned long, unsigned long) /test/13.0_opt_san/sql/sql_string.cc:1132:26
|
#5 0x5fbb07bf343f in Field_longstr::well_formed_copy_with_check(char*, unsigned long, charset_info_st const*, char const*, unsigned long, unsigned long, bool, unsigned int*) /test/13.0_opt_san/sql/field.h:2369:26
|
#6 0x5fbb07bbd34d in Field_varstring::store(char const*, unsigned long, charset_info_st const*) /test/13.0_opt_san/sql/field.cc:8150:7
|
#7 0x5fbb09733e12 in Field_vector::store(char const*, unsigned long, charset_info_st const*) /test/13.0_opt_san/sql/sql_type_vector.cc:345:27
|
#8 0x5fbb07c0adad in Field::save_in_field_str(Field*) /test/13.0_opt_san/sql/field.h:768:16
|
#9 0x5fbb085f8891 in fill_record(THD*, TABLE*, Field**, List<Item>&, bool, bool, bool) /test/13.0_opt_san/sql/sql_base.cc:9536:18
|
#10 0x5fbb090c418e in select_unit::send_data(List<Item>&) /test/13.0_opt_san/sql/sql_union.cc:122:3
|
#11 0x5fbb0865beb1 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/13.0_opt_san/sql/sql_class.cc:3308:11
|
#12 0x5fbb08cf2211 in end_send(JOIN*, st_join_table*, bool) /test/13.0_opt_san/sql/sql_select.cc:26080:9
|
#13 0x5fbb08dc7e97 in evaluate_join_record(JOIN*, st_join_table*, int) /test/13.0_opt_san/sql/sql_select.cc:24953:11
|
#14 0x5fbb08c5a958 in sub_select(JOIN*, st_join_table*, bool) /test/13.0_opt_san/sql/sql_select.cc:24720:9
|
#15 0x5fbb08d0e5e5 in do_select(JOIN*, Procedure*) /test/13.0_opt_san/sql/sql_select.cc:24231:14
|
#16 0x5fbb08d0b755 in JOIN::exec_inner() /test/13.0_opt_san/sql/sql_select.cc:5125:50
|
#17 0x5fbb08d0893a in JOIN::exec() /test/13.0_opt_san/sql/sql_select.cc:4913:8
|
#18 0x5fbb090db3cd in st_select_lex_unit::exec_inner() /test/13.0_opt_san/sql/sql_union.cc:2455:27
|
#19 0x5fbb090b7f9e in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long long) /test/13.0_opt_san/sql/sql_union.cc:45:16
|
#20 0x5fbb08c5dffa in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/13.0_opt_san/sql/sql_select.cc:626:10
|
#21 0x5fbb08b00908 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/13.0_opt_san/sql/sql_parse.cc:6213:12
|
#22 0x5fbb08ae3b3c in mysql_execute_command(THD*, bool) /test/13.0_opt_san/sql/sql_parse.cc:3989:12
|
#23 0x5fbb08ac5d99 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/13.0_opt_san/sql/sql_parse.cc:7941:18
|
#24 0x5fbb08abd317 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/13.0_opt_san/sql/sql_parse.cc:1898:7
|
#25 0x5fbb08ac7f6e in do_command(THD*, bool) /test/13.0_opt_san/sql/sql_parse.cc:1432:17
|
#26 0x5fbb0934341c in do_handle_one_connection(CONNECT*, bool) /test/13.0_opt_san/sql/sql_connect.cc:1503:11
|
#27 0x5fbb09342dfd in handle_one_connection /test/13.0_opt_san/sql/sql_connect.cc:1415:5
|
#28 0x5fbb09df3975 in pfs_spawn_thread /test/13.0_opt_san/storage/perfschema/pfs.cc:2198:3
|
#29 0x5fbb0799c26a in asan_thread_start(void*) crtstuff.c
|
#30 0x782cc449ca93 in start_thread nptl/pthread_create.c:447:8
|
#31 0x782cc4529c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
 |
0x76fcc33939b8 is located 5560 bytes inside of 32760-byte region [0x76fcc3392400,0x76fcc339a3f8)
|
allocated by thread T14 here:
|
#0 0x5fbb0799e9e8 in malloc (/test/UBASAN_MD100426-mariadb-13.0.1-linux-x86_64-opt/bin/mariadbd+0x37e49e8) (BuildId: 42bcdc55a750676f646e2dd80dc01535a8d1a9ef)
|
#1 0x5fbb0ad98c78 in my_malloc /test/13.0_opt_san/mysys/my_malloc.c:93:29
|
#2 0x5fbb0ad6462e in init_alloc_root /test/13.0_opt_san/mysys/my_alloc.c:178:22
|
#3 0x5fbb091f1c69 in init_sql_alloc(unsigned int, st_mem_root*, unsigned int, unsigned int, unsigned long) /test/13.0_opt_san/sql/thr_malloc.cc:64:3
|
#4 0x5fbb08d975c3 in Create_tmp_table::start(THD*, TMP_TABLE_PARAM*, st_mysql_const_lex_string const*) /test/13.0_opt_san/sql/sql_select.cc:22141:3
|
#5 0x5fbb08cf1abd in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool) /test/13.0_opt_san/sql/sql_select.cc:23029:22
|
#6 0x5fbb090c7f00 in select_unit::create_result_table(THD*, List<Item>*, bool, unsigned long long, st_mysql_const_lex_string const*, bool, bool, bool, unsigned int) /test/13.0_opt_san/sql/sql_union.cc:355:17
|
#7 0x5fbb090be386 in st_select_lex_unit::prepare(TABLE_LIST*, select_result*, unsigned long long) /test/13.0_opt_san/sql/sql_union.cc:1900:23
|
#8 0x5fbb090b7f7c in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long long) /test/13.0_opt_san/sql/sql_union.cc:43:20
|
#9 0x5fbb08c5dffa in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/13.0_opt_san/sql/sql_select.cc:626:10
|
#10 0x5fbb08b00908 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/13.0_opt_san/sql/sql_parse.cc:6213:12
|
#11 0x5fbb08ae3b3c in mysql_execute_command(THD*, bool) /test/13.0_opt_san/sql/sql_parse.cc:3989:12
|
#12 0x5fbb08ac5d99 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/13.0_opt_san/sql/sql_parse.cc:7941:18
|
#13 0x5fbb08abd317 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/13.0_opt_san/sql/sql_parse.cc:1898:7
|
#14 0x5fbb08ac7f6e in do_command(THD*, bool) /test/13.0_opt_san/sql/sql_parse.cc:1432:17
|
#15 0x5fbb0934341c in do_handle_one_connection(CONNECT*, bool) /test/13.0_opt_san/sql/sql_connect.cc:1503:11
|
#16 0x5fbb09342dfd in handle_one_connection /test/13.0_opt_san/sql/sql_connect.cc:1415:5
|
#17 0x5fbb09df3975 in pfs_spawn_thread /test/13.0_opt_san/storage/perfschema/pfs.cc:2198:3
|
#18 0x5fbb0799c26a in asan_thread_start(void*) crtstuff.c
|
 |
Thread T14 created by T0 here:
|
#0 0x5fbb07982965 in pthread_create (/test/UBASAN_MD100426-mariadb-13.0.1-linux-x86_64-opt/bin/mariadbd+0x37c8965) (BuildId: 42bcdc55a750676f646e2dd80dc01535a8d1a9ef)
|
#1 0x5fbb09df403c in my_thread_create(unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /test/13.0_opt_san/storage/perfschema/my_thread.h:38:10
|
#2 0x5fbb09df403c in pfs_spawn_thread_v1 /test/13.0_opt_san/storage/perfschema/pfs.cc:2249:15
|
#3 0x5fbb079fb60e in inline_mysql_thread_create(unsigned int, unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /test/13.0_opt_san/include/mysql/psi/mysql_thread.h:1139:11
|
#4 0x5fbb079fb60e in create_thread_to_handle_connection(CONNECT*) /test/13.0_opt_san/sql/mysqld.cc:6466:19
|
#5 0x5fbb079fd0a8 in handle_connections_sockets() /test/13.0_opt_san/sql/mysqld.cc:6702:9
|
#6 0x5fbb079fac7a in run_main_loop() /test/13.0_opt_san/sql/mysqld.cc:5942:3
|
#7 0x5fbb079ed74b in mysqld_main(int, char**) /test/13.0_opt_san/sql/mysqld.cc:6371:3
|
#8 0x782cc442a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
|
#9 0x782cc442a28a in __libc_start_main csu/../csu/libc-start.c:360:3
|
#10 0x5fbb078f9274 in _start (/test/UBASAN_MD100426-mariadb-13.0.1-linux-x86_64-opt/bin/mariadbd+0x373f274) (BuildId: 42bcdc55a750676f646e2dd80dc01535a8d1a9ef)
|
 |
SUMMARY: AddressSanitizer: use-after-poison (/test/UBASAN_MD100426-mariadb-13.0.1-linux-x86_64-opt/bin/mariadbd+0x37e2c39) (BuildId: 42bcdc55a750676f646e2dd80dc01535a8d1a9ef) in __asan_memmove
|
Shadow bytes around the buggy address:
|
0x76fcc3393700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x76fcc3393780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x76fcc3393800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x76fcc3393880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x76fcc3393900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
=>0x76fcc3393980: f7 00 00 00 00 00 00[f7]00 00 00 00 f7 00 f7 00
|
0x76fcc3393a00: 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x76fcc3393a80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x76fcc3393b00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x76fcc3393b80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x76fcc3393c00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
 |
NOTE: the stack trace above identifies the code that *accessed* the poisoned memory.
|
To identify the code that *poisoned* the memory, try the experimental setting ASAN_OPTIONS=poison_history_size=<size>.
|
==2025312==ABORTING
|
|
CS 13.0.1 3a2f8e27981b76b99d2b87cc3bcec5ef022b2b23 (Debug, UBASAN, Clang 21.1.3-20250923) Build 10/04/2026 |
==2022806==ERROR: AddressSanitizer: use-after-poison on address 0x6eed9799dbb0 at pc 0x564192cbd09a bp 0x641c980ff7e0 sp 0x641c980fefa0
|
WRITE of size 55 at 0x6eed9799dbb0 thread T14
|
#0 0x564192cbd099 in __asan_memmove (/test/UBASAN_MD100426-mariadb-13.0.1-linux-x86_64-dbg/bin/mariadbd+0x4138099) (BuildId: 57d40479ece88ee21294f041e3ea8c6902999338)
|
#1 0x5641960e6cbb in my_copy_8bit /test/13.0_dbg_san/strings/ctype-simple.c:1267:5
|
#2 0x564194295720 in charset_info_st::copy_fix(char*, unsigned long, char const*, unsigned long, unsigned long, MY_STRCOPY_STATUS*) const /test/13.0_dbg_san/include/m_ctype.h:1119:12
|
#3 0x564194295720 in String_copier::well_formed_copy(charset_info_st const*, char*, unsigned long, charset_info_st const*, char const*, unsigned long, unsigned long) /test/13.0_dbg_san/sql/sql_string.cc:1132:26
|
#4 0x564192f1cf4f in Field_longstr::well_formed_copy_with_check(char*, unsigned long, charset_info_st const*, char const*, unsigned long, unsigned long, bool, unsigned int*) /test/13.0_dbg_san/sql/field.h:2369:26
|
#5 0x564192ee4560 in Field_varstring::store(char const*, unsigned long, charset_info_st const*) /test/13.0_dbg_san/sql/field.cc:8150:7
|
#6 0x5641949e3814 in Field_vector::store(char const*, unsigned long, charset_info_st const*) /test/13.0_dbg_san/sql/sql_type_vector.cc:345:27
|
#7 0x564192f399d1 in Field::save_in_field_str(Field*) /test/13.0_dbg_san/sql/field.h:768:16
|
#8 0x5641939045b1 in fill_record(THD*, TABLE*, Field**, List<Item>&, bool, bool, bool) /test/13.0_dbg_san/sql/sql_base.cc:9536:18
|
#9 0x56419438f929 in select_unit::send_data(List<Item>&) /test/13.0_dbg_san/sql/sql_union.cc:122:3
|
#10 0x56419396c41b in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/13.0_dbg_san/sql/sql_class.cc:3308:11
|
#11 0x564193fe8c9f in end_send(JOIN*, st_join_table*, bool) /test/13.0_dbg_san/sql/sql_select.cc:26080:9
|
#12 0x5641940b5343 in evaluate_join_record(JOIN*, st_join_table*, int) /test/13.0_dbg_san/sql/sql_select.cc:24953:11
|
#13 0x564193f56d41 in sub_select(JOIN*, st_join_table*, bool) /test/13.0_dbg_san/sql/sql_select.cc:24720:9
|
#14 0x564194005158 in do_select(JOIN*, Procedure*) /test/13.0_dbg_san/sql/sql_select.cc:24231:14
|
#15 0x56419400214f in JOIN::exec_inner() /test/13.0_dbg_san/sql/sql_select.cc:5125:50
|
#16 0x564193fff318 in JOIN::exec() /test/13.0_dbg_san/sql/sql_select.cc:4913:8
|
#17 0x5641943a6a2e in st_select_lex_unit::exec_inner() /test/13.0_dbg_san/sql/sql_union.cc:2455:27
|
#18 0x564194383fd0 in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long long) /test/13.0_dbg_san/sql/sql_union.cc:45:16
|
#19 0x564193f59e16 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/13.0_dbg_san/sql/sql_select.cc:626:10
|
#20 0x564193dff9ed in execute_sqlcom_select(THD*, TABLE_LIST*) /test/13.0_dbg_san/sql/sql_parse.cc:6213:12
|
#21 0x564193dea535 in mysql_execute_command(THD*, bool) /test/13.0_dbg_san/sql/sql_parse.cc:3989:12
|
#22 0x564193dc421d in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/13.0_dbg_san/sql/sql_parse.cc:7941:18
|
#23 0x564193dbbfee in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/13.0_dbg_san/sql/sql_parse.cc:1898:7
|
#24 0x564193dc65c4 in do_command(THD*, bool) /test/13.0_dbg_san/sql/sql_parse.cc:1432:17
|
#25 0x5641945fe84c in do_handle_one_connection(CONNECT*, bool) /test/13.0_dbg_san/sql/sql_connect.cc:1503:11
|
#26 0x5641945fe355 in handle_one_connection /test/13.0_dbg_san/sql/sql_connect.cc:1415:5
|
#27 0x564192cbc6ca in asan_thread_start(void*) crtstuff.c
|
#28 0x701d98a9ca93 in start_thread nptl/pthread_create.c:447:8
|
#29 0x701d98b29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
 |
0x6eed9799dbb0 is located 6064 bytes inside of 32760-byte region [0x6eed9799c400,0x6eed979a43f8)
|
allocated by thread T14 here:
|
#0 0x564192cbee48 in malloc (/test/UBASAN_MD100426-mariadb-13.0.1-linux-x86_64-dbg/bin/mariadbd+0x4139e48) (BuildId: 57d40479ece88ee21294f041e3ea8c6902999338)
|
#1 0x564195fc1196 in my_malloc /test/13.0_dbg_san/mysys/my_malloc.c:93:29
|
#2 0x564195f700c3 in init_alloc_root /test/13.0_dbg_san/mysys/my_alloc.c:178:22
|
#3 0x5641944b6179 in init_sql_alloc(unsigned int, st_mem_root*, unsigned int, unsigned int, unsigned long) /test/13.0_dbg_san/sql/thr_malloc.cc:64:3
|
#4 0x5641940856cc in Create_tmp_table::start(THD*, TMP_TABLE_PARAM*, st_mysql_const_lex_string const*) /test/13.0_dbg_san/sql/sql_select.cc:22141:3
|
#5 0x564193fe84fd in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool) /test/13.0_dbg_san/sql/sql_select.cc:23029:22
|
#6 0x564194394043 in select_unit::create_result_table(THD*, List<Item>*, bool, unsigned long long, st_mysql_const_lex_string const*, bool, bool, bool, unsigned int) /test/13.0_dbg_san/sql/sql_union.cc:355:17
|
#7 0x564194389dda in st_select_lex_unit::prepare(TABLE_LIST*, select_result*, unsigned long long) /test/13.0_dbg_san/sql/sql_union.cc:1900:23
|
#8 0x564194383fbc in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long long) /test/13.0_dbg_san/sql/sql_union.cc:43:20
|
#9 0x564193f59e16 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/13.0_dbg_san/sql/sql_select.cc:626:10
|
#10 0x564193dff9ed in execute_sqlcom_select(THD*, TABLE_LIST*) /test/13.0_dbg_san/sql/sql_parse.cc:6213:12
|
#11 0x564193dea535 in mysql_execute_command(THD*, bool) /test/13.0_dbg_san/sql/sql_parse.cc:3989:12
|
#12 0x564193dc421d in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/13.0_dbg_san/sql/sql_parse.cc:7941:18
|
#13 0x564193dbbfee in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/13.0_dbg_san/sql/sql_parse.cc:1898:7
|
#14 0x564193dc65c4 in do_command(THD*, bool) /test/13.0_dbg_san/sql/sql_parse.cc:1432:17
|
#15 0x5641945fe84c in do_handle_one_connection(CONNECT*, bool) /test/13.0_dbg_san/sql/sql_connect.cc:1503:11
|
#16 0x5641945fe355 in handle_one_connection /test/13.0_dbg_san/sql/sql_connect.cc:1415:5
|
#17 0x564192cbc6ca in asan_thread_start(void*) crtstuff.c
|
 |
Thread T14 created by T0 here:
|
#0 0x564192ca2dc5 in pthread_create (/test/UBASAN_MD100426-mariadb-13.0.1-linux-x86_64-dbg/bin/mariadbd+0x411ddc5) (BuildId: 57d40479ece88ee21294f041e3ea8c6902999338)
|
#1 0x564192d17eac in create_thread_to_handle_connection(CONNECT*) /test/13.0_dbg_san/sql/mysqld.cc:6466:19
|
#2 0x564192d18f35 in handle_connections_sockets() /test/13.0_dbg_san/sql/mysqld.cc:6702:9
|
#3 0x564192d1747a in run_main_loop() /test/13.0_dbg_san/sql/mysqld.cc:5942:3
|
#4 0x564192d0b89c in mysqld_main(int, char**) /test/13.0_dbg_san/sql/mysqld.cc:6371:3
|
#5 0x701d98a2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
|
#6 0x701d98a2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
|
#7 0x564192c196d4 in _start (/test/UBASAN_MD100426-mariadb-13.0.1-linux-x86_64-dbg/bin/mariadbd+0x40946d4) (BuildId: 57d40479ece88ee21294f041e3ea8c6902999338)
|
 |
SUMMARY: AddressSanitizer: use-after-poison (/test/UBASAN_MD100426-mariadb-13.0.1-linux-x86_64-dbg/bin/mariadbd+0x4138099) (BuildId: 57d40479ece88ee21294f041e3ea8c6902999338) in __asan_memmove
|
Shadow bytes around the buggy address:
|
0x6eed9799d900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x6eed9799d980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x6eed9799da00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x6eed9799da80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x6eed9799db00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f7
|
=>0x6eed9799db80: 00 00 00 00 00 00[f7]00 00 00 00 f7 00 f7 00 00
|
0x6eed9799dc00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x6eed9799dc80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x6eed9799dd00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x6eed9799dd80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x6eed9799de00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
 |
NOTE: the stack trace above identifies the code that *accessed* the poisoned memory.
|
To identify the code that *poisoned* the memory, try the experimental setting ASAN_OPTIONS=poison_history_size=<size>.
|
==2022806==ABORTING
|
Setup:
Compiled with a recent version of Clang and LLVM. Ubuntu instructions for Clang/LLVM 18:
|
# Note: It is strongly recommended to uninstall all old Clang & LLVM packages (ref dpkg --list | grep -iE 'clang|llvm' and use apt purge and dpkg --purge to remove the packages), before installing Clang/LLVM 18
|
sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev lld-18
|
Compiled with: "-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DCMAKE_C{,XX}_FLAGS='-march=native -mtune=native'" and:
|
-DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON
|
Set before execution:
|
export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1 # And you may also want to supress UBSAN startup issues using 'suppressions=UBSAN.filter' in UBSAN_OPTIONS. For an example of UBSAN.filter, which includes current startup issues see: https://github.com/mariadb-corporation/mariadb-qa/blob/master/UBSAN.filter
|
export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1
|
|
SAN Bug Detection Matrix |
Rel o/d Build Commit UniqueID observed
|
CS 10.6 dbg 100426 f39b634db715cd9dc1835653d1ce544df2aa1613 No bug found
|
CS 10.6 opt 100426 f39b634db715cd9dc1835653d1ce544df2aa1613 No bug found
|
CS 10.11 dbg 100426 ba774a0a90fac0163babe9d7a964aa36503e1711 No bug found
|
CS 10.11 opt 100426 ba774a0a90fac0163babe9d7a964aa36503e1711 No bug found
|
CS 11.4 dbg 100426 dc89915ad9bf3dcb67e66d2844c77ec0403373de No bug found
|
CS 11.4 opt 100426 dc89915ad9bf3dcb67e66d2844c77ec0403373de No bug found
|
CS 11.8 dbg 100426 e47db94aea7f0d6e0177e948486fc8860331f05f ASAN|use-after-poison|strings/ctype-simple.c|__asan_memmove|my_copy_8bit|charset_info_st::copy_fix|String_copier::well_formed_copy
|
CS 11.8 opt 100426 e47db94aea7f0d6e0177e948486fc8860331f05f ASAN|use-after-poison|include/x86_64-linux-gnu/bits/string_fortified.h|__asan_memmove|memmove|my_copy_8bit|charset_info_st::copy_fix
|
CS 12.3 dbg 100426 f5bb9922107672e88f7b5cbdb3d25151cc5744bb ASAN|use-after-poison|strings/ctype-simple.c|__asan_memmove|my_copy_8bit|charset_info_st::copy_fix|String_copier::well_formed_copy
|
CS 12.3 opt 100426 f5bb9922107672e88f7b5cbdb3d25151cc5744bb ASAN|use-after-poison|include/x86_64-linux-gnu/bits/string_fortified.h|__asan_memmove|memmove|my_copy_8bit|charset_info_st::copy_fix
|
CS 13.0 dbg 100426 3a2f8e27981b76b99d2b87cc3bcec5ef022b2b23 ASAN|use-after-poison|strings/ctype-simple.c|__asan_memmove|my_copy_8bit|charset_info_st::copy_fix|String_copier::well_formed_copy
|
CS 13.0 opt 100426 3a2f8e27981b76b99d2b87cc3bcec5ef022b2b23 ASAN|use-after-poison|include/x86_64-linux-gnu/bits/string_fortified.h|__asan_memmove|memmove|my_copy_8bit|charset_info_st::copy_fix
|
ES 10.6 dbg 100426 84a80c8b38208d362225496da08d86d8d454e453 No bug found
|
ES 10.6 opt 100426 84a80c8b38208d362225496da08d86d8d454e453 No bug found
|
ES 11.4 dbg 100426 8b2bf17b733262409422ce7d039a0c021fc47077 ASAN|use-after-poison|strings/ctype-simple.c|__asan_memmove|my_copy_8bit|charset_info_st::copy_fix|String_copier::well_formed_copy
|
ES 11.4 opt 100426 8b2bf17b733262409422ce7d039a0c021fc47077 ASAN|use-after-poison|include/x86_64-linux-gnu/bits/string_fortified.h|__asan_memmove|memmove|my_copy_8bit|charset_info_st::copy_fix
|
ES 11.8 dbg 100426 854cae81f52e477c7777a51db26ba640d8755b81 ASAN|use-after-poison|strings/ctype-simple.c|__asan_memmove|my_copy_8bit|charset_info_st::copy_fix|String_copier::well_formed_copy
|
ES 11.8 opt 100426 854cae81f52e477c7777a51db26ba640d8755b81 ASAN|use-after-poison|include/x86_64-linux-gnu/bits/string_fortified.h|__asan_memmove|memmove|my_copy_8bit|charset_info_st::copy_fix
|
ES 12.3 dbg 220426 613a6253fe9efc12e166f83a97663ba263db8317 ASAN|use-after-poison|strings/ctype-simple.c|__asan_memmove|my_copy_8bit|charset_info_st::copy_fix|String_copier::well_formed_copy
|
ES 12.3 opt 220426 613a6253fe9efc12e166f83a97663ba263db8317 ASAN|use-after-poison|include/x86_64-linux-gnu/bits/string_fortified.h|__asan_memmove|memmove|my_copy_8bit|charset_info_st::copy_fix
|
Attachments
Issue Links
- relates to
-
-
- Confirmed
-