2022-07-28 15:34:36 0 [Note] InnoDB: !!!!!!!! UNIV_DEBUG switched on !!!!!!!!!
2022-07-28 15:34:36 0 [Note] InnoDB: Compressed tables use zlib 1.2.11
2022-07-28 15:34:36 0 [Note] InnoDB: Number of transaction pools: 1
2022-07-28 15:34:36 0 [Note] InnoDB: Using crc32 + pclmulqdq instructions
2022-07-28 15:34:36 0 [Note] InnoDB: Initializing buffer pool, total size = 128.000MiB, chunk size = 2.000MiB
2022-07-28 15:34:36 0 [Note] InnoDB: Completed initialization of buffer pool
2022-07-28 15:34:36 0 [Note] InnoDB: File system buffers for log disabled (block size=512 bytes)
2022-07-28 15:34:36 0 [Note] InnoDB: Starting crash recovery from checkpoint LSN=21049945400
2022-07-28 15:34:37 0 [Note] InnoDB: Starting final batch to recover 249 pages from redo log.
2022-07-28 15:34:37 0 [Note] InnoDB: 128 rollback segments are active.
2022-07-28 15:34:37 0 [Note] InnoDB: Removed temporary tablespace data file: "./ibtmp1"
2022-07-28 15:34:37 0 [Note] InnoDB: Setting file './ibtmp1' size to 12.000MiB. Physically writing the file full; Please wait ...
2022-07-28 15:34:37 0 [Note] InnoDB: File './ibtmp1' size is now 12.000MiB.
2022-07-28 15:34:37 0 [Note] InnoDB: log sequence number 21055067613; transaction id 32654061
2022-07-28 15:34:37 0 [Note] InnoDB: Loading buffer pool(s) from /usr/local/mysql/data/ib_buffer_pool
2022-07-28 15:34:37 0 [Note] Plugin 'FEEDBACK' is disabled.
2022-07-28 15:34:37 0 [Note] InnoDB: Buffer pool(s) load completed at 220728 15:34:37
2022-07-28 15:34:37 0 [Note] Server socket created on IP: '0.0.0.0'.
2022-07-28 15:34:37 0 [Note] Server socket created on IP: '::'.
2022-07-28 15:34:37 0 [Note] /usr/local/mysql/bin/mysqld: ready for connections.
Version: '10.10.0-MariaDB-debug'  socket: '/tmp/mysql.sock'  port: 3306  Source distribution
=================================================================
==3124==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a0000d34d8 at pc 0x5555573a0274 bp 0x7fffffffa6f0 sp 0x7fffffffa6e0
READ of size 8 at 0x61a0000d34d8 thread T0
    #0 0x5555573a0273 in calc_group_buffer(TMP_TABLE_PARAM*, st_order*) /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:25688
    #1 0x5555573a06f1 in calc_group_buffer /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:25759
    #2 0x5555572f598d in JOIN::optimize_stage2() /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:2998
    #3 0x5555572f0857 in JOIN::optimize_inner() /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:2530
    #4 0x5555572e947d in JOIN::optimize() /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:1846
    #5 0x55555730ab3f in mysql_select(THD*, TABLE_LIST*, List&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:5031
    #6 0x5555572db134 in handle_select(THD*, LEX*, select_result*, unsigned long) /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:579
    #7 0x555557202063 in execute_sqlcom_select /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_parse.cc:6260
    #8 0x5555571f09e0 in mysql_execute_command(THD*, bool) /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_parse.cc:3944
    #9 0x55555720d0b1 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_parse.cc:8036
    #10 0x5555571e3d10 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_parse.cc:1991
    #11 0x5555571dffdb in do_command(THD*, bool) /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_parse.cc:1407
    #12 0x555557687a6f in do_handle_one_connection(CONNECT*, bool) /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_connect.cc:1418
    #13 0x555556e44cd8 in handle_connection_in_main_thread(CONNECT*) /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/mysqld.cc:5994
    #14 0x555556e45568 in create_new_thread(CONNECT*) /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/mysqld.cc:6074
    #15 0x555556e4589b in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/mysqld.cc:6136
    #16 0x555556e46178 in handle_connections_sockets() /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/mysqld.cc:6260
    #17 0x555556e44763 in mysqld_main(int, char**) /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/mysqld.cc:5910
    #18 0x555556e2c8c9 in main /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/main.cc:34
    #19 0x7ffff5139c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #20 0x555556e2c7c9 in _start (/usr/local/mysql/bin/mariadbd+0x18d87c9)

0x61a0000d34d8 is located 600 bytes inside of 1156-byte region [0x61a0000d3280,0x61a0000d3704)
freed by thread T0 here:
    #0 0x7ffff6ef67a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8)
    #1 0x555558f20923 in free_memory /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/mysys/safemalloc.c:297
    #2 0x555558f1fdaa in sf_free /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/mysys/safemalloc.c:203
    #3 0x555558eee361 in my_free /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/mysys/my_malloc.c:211
    #4 0x555558ec86de in root_free /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/mysys/my_alloc.c:78
    #5 0x555558ecae5b in free_root /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/mysys/my_alloc.c:495
    #6 0x55555737b662 in free_tmp_table(THD*, TABLE*) /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:20589
    #7 0x55555734e613 in JOIN::cleanup(bool) /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:14457
    #8 0x55555734d8b4 in JOIN::join_free() /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:14344
    #9 0x55555737d511 in do_select /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:20870
    #10 0x555557309314 in JOIN::exec_inner() /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:4787
    #11 0x555557306849 in JOIN::exec() /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:4565
    #12 0x555557d467ad in subselect_single_select_engine::exec() /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/item_subselect.cc:4144
    #13 0x555557d22c84 in Item_subselect::exec() /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/item_subselect.cc:854
    #14 0x555557d2cdf8 in Item_exists_subselect::val_int() /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/item_subselect.cc:1838
    #15 0x555557b7ae68 in Item_in_optimizer::val_int() /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/item_cmpfunc.cc:1555
    #16 0x5555578532e1 in Type_handler_int_result::Item_val_bool(Item*) const /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_type.cc:5100
    #17 0x555556e55e29 in Item::val_bool() /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/item.h:1687
    #18 0x5555573c7ce9 in Item::eval_const_cond() /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/item.h:1694
    #19 0x5555573632ca in Item::remove_eq_conds(THD*, Item::cond_result*, bool) /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:18126
    #20 0x555557361f88 in Item_cond::remove_eq_conds(THD*, Item::cond_result*, bool) /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:17949
    #21 0x555557361f88 in Item_cond::remove_eq_conds(THD*, Item::cond_result*, bool) /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:17949
    #22 0x55555736082c in optimize_cond /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:17676
    #23 0x5555572ed82c in JOIN::optimize_inner() /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:2231
    #24 0x5555572e947d in JOIN::optimize() /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:1846
    #25 0x55555710e21e in mysql_derived_optimize /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_derived.cc:1064
    #26 0x555557108527 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_derived.cc:200
    #27 0x5555572ee9e6 in JOIN::optimize_inner() /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:2322
    #28 0x5555572e947d in JOIN::optimize() /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:1846
    #29 0x555557178afa in st_select_lex::optimize_unflattened_subqueries(bool) /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_lex.cc:4916

previously allocated by thread T0 here:
    #0 0x7ffff6ef6b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x555558f1f794 in sf_malloc /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/mysys/safemalloc.c:126
    #2 0x555558eed562 in my_malloc /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/mysys/my_malloc.c:90
    #3 0x555558ec865a in root_alloc /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/mysys/my_alloc.c:66
    #4 0x555558ec9e01 in alloc_root /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/mysys/my_alloc.c:332
    #5 0x5555573c5e9e in Field::operator new(unsigned long, st_mem_root*) /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/field.h:772
    #6 0x555557865049 in Type_handler_long::make_table_field_from_def(TABLE_SHARE*, st_mem_root*, st_mysql_const_lex_string const*, Record_addr const&, Bit_addr const&, Column_definition_attributes const*, unsigned int) const /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_type.cc:8156
    #7 0x55555784b958 in Type_handler_int_result::make_table_field(st_mem_root*, st_mysql_const_lex_string const*, Record_addr const&, Type_all_attributes const&, TABLE_SHARE*) const /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_type.cc:3580
    #8 0x55555784b686 in Type_handler::make_and_init_table_field(st_mem_root*, st_mysql_const_lex_string const*, Record_addr const&, Type_all_attributes const&, TABLE*) const /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_type.cc:3564
    #9 0x555557366e67 in Item_result_field::create_tmp_field_ex_from_handler(st_mem_root*, TABLE*, Tmp_field_src*, Tmp_field_param const*, Type_handler const*) /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:18662
    #10 0x555556edfafb in Item_result_field::create_tmp_field_ex(st_mem_root*, TABLE*, Tmp_field_src*, Tmp_field_param const*) (/usr/local/mysql/bin/mariadbd+0x198bafb)
    #11 0x555557367773 in create_tmp_field(TABLE*, Item*, Item***, Field**, Field**, bool, bool, bool, bool) /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:18747
    #12 0x55555736c284 in Create_tmp_table::add_fields(THD*, TABLE*, TMP_TABLE_PARAM*, List&) /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:19196
    #13 0x555557374fe1 in create_tmp_table(THD*, TMP_TABLE_PARAM*, List&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool) /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:19827
    #14 0x55555730109d in JOIN::create_postjoin_aggr_table(st_join_table*, List*, st_order*, bool, bool, bool) /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:4068
    #15 0x5555572fc8e7 in JOIN::make_aggr_tables_info() /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:3643
    #16 0x5555572f8256 in JOIN::optimize_stage2() /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:3271
    #17 0x5555572f0857 in JOIN::optimize_inner() /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:2530
    #18 0x5555572e947d in JOIN::optimize() /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:1846
    #19 0x555557178afa in st_select_lex::optimize_unflattened_subqueries(bool) /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_lex.cc:4916
    #20 0x55555779c181 in JOIN::optimize_constant_subqueries() /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/opt_subselect.cc:5689
    #21 0x5555572ec5cb in JOIN::optimize_inner() /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:2166
    #22 0x5555572e947d in JOIN::optimize() /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:1846
    #23 0x55555710e21e in mysql_derived_optimize /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_derived.cc:1064
    #24 0x555557108527 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_derived.cc:200
    #25 0x5555572ee9e6 in JOIN::optimize_inner() /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:2322
    #26 0x5555572e947d in JOIN::optimize() /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:1846
    #27 0x555557178afa in st_select_lex::optimize_unflattened_subqueries(bool) /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_lex.cc:4916
    #28 0x55555779c181 in JOIN::optimize_constant_subqueries() /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/opt_subselect.cc:5689
    #29 0x5555572ec5cb in JOIN::optimize_inner() /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:2166

SUMMARY: AddressSanitizer: heap-use-after-free /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:25688 in calc_group_buffer(TMP_TABLE_PARAM*, st_order*)
Shadow bytes around the buggy address:
  0x0c3480012640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3480012650: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3480012660: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3480012670: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3480012680: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c3480012690: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd
  0x0c34800126a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c34800126b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c34800126c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c34800126d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c34800126e0: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3124==ABORTING