Details
Bug
Status: Open
Major
Resolution: Unresolved
10.6, 10.11, 11.4, 11.8
Can result in unexpected behaviour
Q3/2026 Server Maintenance
Description
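# Reproducer in mysqltest format. The trailing "|" cell markers and the bare
# "|" lines from the issue-tracker rendering have been stripped so the script
# can be fed to the client as-is; the statements are otherwise unchanged.
#
# With the session default engine set to CSV, t2 -- created below without an
# explicit ENGINE clause -- is a temporary CSV table, while t1 is MyISAM.
SET SESSION storage_engine=CSV;
CREATE TEMPORARY TABLE t1 (c INT) ENGINE=MYISAM;
CREATE TEMPORARY TABLE t2 AS VALUES (1);
# As recorded by the reporter, each --ERROR line names the error the statement
# just above it is expected to raise. NOTE(review): in a .test file the --error
# directive precedes the statement it applies to; confirm the ordering before
# converting this into a test case.
CHECK TABLE t2;
--ERROR ER_CRASHED_ON_USAGE
INSERT INTO t2 SELECT * FROM t2 ;
--ERROR ER_ILLEGAL_HA
TRUNCATE t2;
# The ASAN report below places the use-after-free in ha_tina::rnd_init reached
# via handle_select -> init_read_record, i.e. during a table scan of the CSV
# table; the share was freed earlier by ha_tina::close -> free_share.
# Presumably the scan of t2 in this statement is the faulting read and one of
# the failed statements above closed t2 -- verify against the server.
REPLACE INTO t1 SELECT * FROM t2;

# Cleanup (terminating ";" added; the original listing lacked it).
DROP TABLE t1,t2;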
Leads to:
|
CS 10.11.18 6f1204ad849b72a997fd34ce44a522d76716c24d (Debug, UBASAN, Clang 18.1.3-11) Build 22/05/2026
==2057308==ERROR: AddressSanitizer: heap-use-after-free on address 0x51a0000406d4 at pc 0x5b44d7ade1c6 bp 0x6bb7f8289060 sp 0x6bb7f8289058
|
READ of size 1 at 0x51a0000406d4 thread T12
|
#0 0x5b44d7ade1c5 in ha_tina::rnd_init(bool) /test/10.11_dbg_san/storage/csv/ha_tina.cc:1219:14
|
#1 0x5b44d5aa55f3 in handler::ha_rnd_init(bool) /test/10.11_dbg_san/sql/handler.h:3445:22
|
#2 0x5b44d5a5dcc9 in handler::ha_rnd_init_with_error(bool) /test/10.11_dbg_san/sql/handler.cc:3831:7
|
#3 0x5b44d63da8e7 in init_read_record(READ_RECORD*, THD*, TABLE*, SQL_SELECT*, SORT_INFO*, int, bool, bool) /test/10.11_dbg_san/sql/records.cc:328:9
|
#4 0x5b44d6c5fffd in join_init_read_record(st_join_table*) /test/10.11_dbg_san/sql/sql_select.cc:24103:7
|
#5 0x5b44d6bde32f in sub_select(JOIN*, st_join_table*, bool) /test/10.11_dbg_san/sql/sql_select.cc:23074:12
|
#6 0x5b44d6c6bfa6 in do_select(JOIN*, Procedure*) /test/10.11_dbg_san/sql/sql_select.cc:22600:14
|
#7 0x5b44d6c6892a in JOIN::exec_inner() /test/10.11_dbg_san/sql/sql_select.cc:5023:50
|
#8 0x5b44d6c66422 in JOIN::exec() /test/10.11_dbg_san/sql/sql_select.cc:4807:3
|
#9 0x5b44d6be1f3f in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.11_dbg_san/sql/sql_select.cc:5285:9
|
#10 0x5b44d6be0a51 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/10.11_dbg_san/sql/sql_select.cc:601:10
|
#11 0x5b44d6aa4ebe in mysql_execute_command(THD*, bool) /test/10.11_dbg_san/sql/sql_parse.cc:4858:16
|
#12 0x5b44d6a64fb4 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.11_dbg_san/sql/sql_parse.cc:8221:18
|
#13 0x5b44d6a5e4cd in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.11_dbg_san/sql/sql_parse.cc:1924:7
|
#14 0x5b44d6a66748 in do_command(THD*, bool) /test/10.11_dbg_san/sql/sql_parse.cc:1434:17
|
#15 0x5b44d71b3b5c in do_handle_one_connection(CONNECT*, bool) /test/10.11_dbg_san/sql/sql_connect.cc:1475:11
|
#16 0x5b44d71b3431 in handle_one_connection /test/10.11_dbg_san/sql/sql_connect.cc:1387:5
|
#17 0x5b44d592000c in asan_thread_start(void*) crtstuff.c
|
#18 0x73d2ccc9caa3 in start_thread nptl/pthread_create.c:447:8
|
#19 0x73d2ccd29c6b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
|
|
0x51a0000406d4 is located 1108 bytes inside of 1232-byte region [0x51a000040280,0x51a000040750)
|
freed by thread T12 here:
|
#0 0x5b44d592228a in free (/test/UBASAN_MD220526-mariadb-10.11.18-linux-x86_64-dbg/bin/mariadbd+0x315928a) (BuildId: dea89182d263a18c)
|
#1 0x5b44d7adb875 in free_share(st_tina_share*) /test/10.11_dbg_san/storage/csv/ha_tina.cc:465:5
|
#2 0x5b44d7adbb1b in ha_tina::close() /test/10.11_dbg_san/storage/csv/ha_tina.cc:1018:3
|
|
|
previously allocated by thread T12 here:
|
#0 0x5b44d5922523 in malloc (/test/UBASAN_MD220526-mariadb-10.11.18-linux-x86_64-dbg/bin/mariadbd+0x3159523) (BuildId: dea89182d263a18c)
|
#1 0x5b44d86655cb in my_malloc /test/10.11_dbg_san/mysys/my_malloc.c:92:29
|
#2 0x5b44d7ad9eb8 in get_share(char const*, TABLE*) /test/10.11_dbg_san/storage/csv/ha_tina.cc:230:10
|
#3 0x5b44d7ad9eb8 in ha_tina::open(char const*, int, unsigned int) /test/10.11_dbg_san/storage/csv/ha_tina.cc:972:16
|
#4 0x5b44d5a4fe3a in handler::ha_open(TABLE*, char const*, int, unsigned int, st_mem_root*, List<String>*) /test/10.11_dbg_san/sql/handler.cc:3531:7
|
|
|
Thread T12 created by T0 here:
|
#0 0x5b44d5907e95 in pthread_create (/test/UBASAN_MD220526-mariadb-10.11.18-linux-x86_64-dbg/bin/mariadbd+0x313ee95) (BuildId: dea89182d263a18c)
|
#1 0x5b44d59746fa in create_thread_to_handle_connection(CONNECT*) /test/10.11_dbg_san/sql/mysqld.cc:6214:19
|
#2 0x5b44d5975685 in handle_connections_sockets() /test/10.11_dbg_san/sql/mysqld.cc:6458:9
|
#3 0x5b44d5973967 in run_main_loop() /test/10.11_dbg_san/sql/mysqld.cc:5712:3
|
#4 0x73d2ccc2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
|
#5 0x73d2ccc2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
|
#6 0x5b44d58876d4 in _start (/test/UBASAN_MD220526-mariadb-10.11.18-linux-x86_64-dbg/bin/mariadbd+0x30be6d4) (BuildId: dea89182d263a18c)
|
|
|
SUMMARY: AddressSanitizer: heap-use-after-free /test/10.11_dbg_san/storage/csv/ha_tina.cc:1219:14 in ha_tina::rnd_init(bool)
|
Shadow bytes around the buggy address:
|
0x51a000040400: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x51a000040480: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x51a000040500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x51a000040580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x51a000040600: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
=>0x51a000040680: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
|
0x51a000040700: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
|
0x51a000040780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x51a000040800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x51a000040880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x51a000040900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
==2057308==ABORTING
|
Setup:
Compiled with a recent version of Clang and LLVM. Ubuntu instructions for Clang/LLVM 18:
|
# Note: It is strongly recommended to uninstall all old Clang & LLVM packages before installing Clang/LLVM 18 (list them with `dpkg --list | grep -iE 'clang|llvm'`, then remove them with `apt purge` and `dpkg --purge`).
|
sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev lld-18
|
Compiled with: "-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DCMAKE_C{,XX}_FLAGS='-march=native -mtune=native'" and:
|
-DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON
|
Set before execution:
|
export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1
|
|
SAN Bug Detection Matrix
Rel | opt/dbg | Build | Commit | UniqueID observed
|
CS 10.6 opt 060426 6ffb219883725fabda83d77d68df88e16b3760ad ASAN|heap-use-after-free|storage/csv/ha_tina.cc|ha_tina::rnd_init|handler::ha_rnd_init|handler::ha_rnd_init_with_error|init_read_record
|
CS 10.11 dbg 220526 6f1204ad849b72a997fd34ce44a522d76716c24d ASAN|heap-use-after-free|storage/csv/ha_tina.cc|ha_tina::rnd_init|handler::ha_rnd_init|handler::ha_rnd_init_with_error|init_read_record
|
CS 10.11 opt 220526 6f1204ad849b72a997fd34ce44a522d76716c24d ASAN|heap-use-after-free|storage/csv/ha_tina.cc|ha_tina::rnd_init|handler::ha_rnd_init|handler::ha_rnd_init_with_error|init_read_record
|
CS 11.4 dbg 220526 19c59f2c79637cc360cc6d6b219ed9131124500d ASAN|heap-use-after-free|storage/csv/ha_tina.h|ha_tina::scan_time|handler::ha_scan_time|st_join_table::estimate_scan_time|make_join_statistics
|
CS 11.4 opt 220526 19c59f2c79637cc360cc6d6b219ed9131124500d ASAN|heap-use-after-free|storage/csv/ha_tina.h|ha_tina::scan_time|handler::ha_scan_time|st_join_table::estimate_scan_time|make_join_statistics
|
CS 11.8 dbg 220526 b494164767979072713fdeccc175ce3b3f5b1983 ASAN|heap-use-after-free|storage/csv/ha_tina.h|ha_tina::scan_time|handler::ha_scan_time|st_join_table::estimate_scan_time|make_join_statistics
|
CS 11.8 opt 220526 b494164767979072713fdeccc175ce3b3f5b1983 ASAN|heap-use-after-free|storage/csv/ha_tina.h|ha_tina::scan_time|handler::ha_scan_time|st_join_table::estimate_scan_time|make_join_statistics
|
CS 12.3 dbg 220526 66b3c6784689fbb65110a5b21efcb815a8bcde24 No bug found
|
CS 12.3 opt 220526 66b3c6784689fbb65110a5b21efcb815a8bcde24 No bug found
|
CS 13.0 dbg 210526 c8e8d33309606e682c98675d594dbd23ebc2ddf6 No bug found
|
CS 13.0 opt 210526 c8e8d33309606e682c98675d594dbd23ebc2ddf6 No bug found
|
ES 10.6 opt 150525 6111fbaf7bdcb6f1170f556ffd05d6e1a4159f62 ASAN|heap-use-after-free|storage/csv/ha_tina.cc|ha_tina::rnd_init|handler::ha_rnd_init|handler::ha_rnd_init_with_error|init_read_record
|
ES 11.4 dbg 150525 9cd12544ebfd0d52d2158af66b5aced58121cf1f ASAN|heap-use-after-free|storage/csv/ha_tina.h|ha_tina::scan_time|handler::ha_scan_time|st_join_table::estimate_scan_time|make_join_statistics
|
ES 11.4 opt 150525 9cd12544ebfd0d52d2158af66b5aced58121cf1f ASAN|heap-use-after-free|storage/csv/ha_tina.h|ha_tina::scan_time|handler::ha_scan_time|st_join_table::estimate_scan_time|make_join_statistics
|
ES 11.8 dbg 170226 405ee76b60c4ab82155f339136ed20d3b7363717 ASAN|heap-use-after-free|storage/csv/ha_tina.h|ha_tina::scan_time|handler::ha_scan_time|st_join_table::estimate_scan_time|make_join_statistics
|
ES 11.8 opt 170226 405ee76b60c4ab82155f339136ed20d3b7363717 ASAN|heap-use-after-free|storage/csv/ha_tina.h|ha_tina::scan_time|handler::ha_scan_time|st_join_table::estimate_scan_time|make_join_statistics
|