[MDEV-16603] Crash with set join_cache_level=4 Created: 2018-06-27  Updated: 2018-09-03  Resolved: 2018-06-30

Status: Closed
Project: MariaDB Server
Component/s: Optimizer
Affects Version/s: 5.5, 10.0, 10.1, 10.2, 10.3
Fix Version/s: 5.5.61

Type: Bug Priority: Major
Reporter: Alice Sherepa Assignee: Igor Babaev
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Duplicate
is duplicated by MDEV-16742 Server crashes in key_copy with join_... Closed

 Description   

# Reproducer for MDEV-16603 (mysqltest script, hence '--source' and '#' comments).
# The InnoDB requirement comes from the tables below; join_cache_level=4 enables
# the hash join cache whose key construction crashes in the traces that follow.
--source include/have_innodb.inc
set join_cache_level=4;
 
# t1 carries no index at all; t2 has a composite key on (v1, i1) and one of its
# rows has a NULL i1. Both tables are tiny, so the crash is not size-dependent.
CREATE TABLE t1 ( i1 int, v1 varchar(1)) ENGINE=InnoDB;
INSERT INTO t1 VALUES (7,'x');
 
CREATE TABLE t2 (i1 int, v1 varchar(1), KEY v1 (v1,i1)) ENGINE=InnoDB;
 
INSERT INTO t2 VALUES (NULL,'x'),(1,'x'),(3,'x'),(5,'x'),(8,'x'),(48,'x'),(228,'x'),(3,'y'),(1,'z'),(9,'z');
 
# temp is materialized from the same t2 JOIN t1 that the IN-subquery below reuses.
CREATE TABLE temp
SELECT t1.i1 AS f1, t1.v1 AS f2 FROM (t2 JOIN t1 ON (t1.v1 = t2.v1));
 
# This is the crashing statement. In the 5.5 ASan report below the heap-buffer-overflow
# is a 1-byte write in TABLE::create_key_part_by_field, reached from
# create_hj_key_for_table while JOIN::optimize() builds the hash-join key; the
# 10.1 trace fails in create_ref_for_key and the 10.3 trace in key_copy called
# from JOIN_CACHE_BNLH::get_matching_chain_by_join_key at execution time.
# NOTE(review): the (f1,f2) row-constructor IN with a NULL-bearing key column
# appears to be the trigger -- the exact query text should be kept as-is.
SELECT * FROM temp 
WHERE (f1,f2) IN (SELECT t1.i1, t1.v1 FROM (t2 JOIN t1 ON (t1.v1 = t2.v1)));

Version: '5.5.61-MariaDB-debug'  socket: '/home/alice/git/5.5/mysql-test/var/tmp/mysqld.1.sock'  port: 16000  Source distribution
=================================================================
==26480==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500021b943 at pc 0x00000085deca bp 0x7f2cf8aa4910 sp 0x7f2cf8aa4900
WRITE of size 1 at 0x62500021b943 thread T15
    #0 0x85dec9 in TABLE::create_key_part_by_field(st_key_part_info*, Field*, unsigned int) /home/alice/git/5.5/sql/table.cc:5992
    #1 0x6f8d5c in create_hj_key_for_table /home/alice/git/5.5/sql/sql_select.cc:8065
    #2 0x6f8d5c in create_ref_for_key /home/alice/git/5.5/sql/sql_select.cc:8130
    #3 0x6fed1c in get_best_combination(JOIN*) /home/alice/git/5.5/sql/sql_select.cc:7936
    #4 0x7576ae in make_join_statistics /home/alice/git/5.5/sql/sql_select.cc:3864
    #5 0x760a64 in JOIN::optimize() /home/alice/git/5.5/sql/sql_select.cc:1255
    #6 0x76a843 in mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/alice/git/5.5/sql/sql_select.cc:3112
    #7 0x76b0b5 in handle_select(THD*, LEX*, select_result*, unsigned long) /home/alice/git/5.5/sql/sql_select.cc:323
    #8 0x66d7dc in execute_sqlcom_select /home/alice/git/5.5/sql/sql_parse.cc:4678
    #9 0x68351e in mysql_execute_command(THD*) /home/alice/git/5.5/sql/sql_parse.cc:2224
    #10 0x695202 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/alice/git/5.5/sql/sql_parse.cc:5923
    #11 0x6985ff in dispatch_command(enum_server_command, THD*, char*, unsigned int) /home/alice/git/5.5/sql/sql_parse.cc:1066
    #12 0x69c6dd in do_command(THD*) /home/alice/git/5.5/sql/sql_parse.cc:793
    #13 0x8ce433 in do_handle_one_connection(THD*) /home/alice/git/5.5/sql/sql_connect.cc:1268
    #14 0x8ce6ac in handle_one_connection /home/alice/git/5.5/sql/sql_connect.cc:1184
    #15 0x144278f in pfs_spawn_thread /home/alice/git/5.5/storage/perfschema/pfs.cc:1015
    #16 0x7f2d06de26b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #17 0x7f2d0648d41c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
 
0x62500021b943 is located 7 bytes to the right of 8252-byte region [0x625000219900,0x62500021b93c)
allocated by thread T15 here:
    #0 0x7f2d078e8602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x1508d94 in sf_malloc /home/alice/git/5.5/mysys/safemalloc.c:105
 
Thread T15 created by T0 here:
    #0 0x7f2d07886253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
    #1 0x1445d59 in spawn_thread_v1 /home/alice/git/5.5/storage/perfschema/pfs.cc:1038
 
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/alice/git/5.5/sql/table.cc:5992 TABLE::create_key_part_by_field(st_key_part_info*, Field*, unsigned int)
Shadow bytes around the buggy address:
  0x0c4a8003b6d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a8003b6e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a8003b6f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a8003b700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a8003b710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a8003b720: 00 00 00 00 00 f7 f7 04[fa]fa fa fa fa fa fa fa
  0x0c4a8003b730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a8003b740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a8003b750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a8003b760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a8003b770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe

Server version: 10.1.35-MariaDB-debug
Thread pointer: 0x7f9338741008
stack_bottom = 0x7f93436d5230 thread_stack 0x48400
mysys/stacktrace.c:267(my_print_stacktrace)[0x564abc0767e9]
sql/signal_handler.cc:168(handle_fatal_signal)[0x564abb9b8363]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x11390)[0x7f93428db390]
sql/sql_select.cc:9132(create_ref_for_key(JOIN*, st_join_table*, keyuse_t*, bool, unsigned long long))[0x564abb7c2240]
sql/sql_select.cc:8836(get_best_combination(JOIN*))[0x564abb7c13df]
sql/sql_select.cc:4264(make_join_statistics(JOIN*, List<TABLE_LIST>&, st_dynamic_array*))[0x564abb7b629d]
sql/sql_select.cc:1388(JOIN::optimize_inner())[0x564abb7abb5e]
sql/sql_select.cc:1058(JOIN::optimize())[0x564abb7aa96a]
sql/sql_select.cc:3470(mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x564abb7b3303]
sql/sql_select.cc:388(handle_select(THD*, LEX*, select_result*, unsigned long))[0x564abb7a8a41]
sql/sql_parse.cc:5944(execute_sqlcom_select(THD*, TABLE_LIST*))[0x564abb77785f]
sql/sql_parse.cc:2990(mysql_execute_command(THD*))[0x564abb76da07]
sql/sql_parse.cc:7449(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x564abb77b397]
sql/sql_parse.cc:1494(dispatch_command(enum_server_command, THD*, char*, unsigned int))[0x564abb769aa4]
sql/sql_parse.cc:1121(do_command(THD*))[0x564abb768822]
sql/sql_connect.cc:1330(do_handle_one_connection(THD*))[0x564abb8a856f]
sql/sql_connect.cc:1243(handle_one_connection)[0x564abb8a82be]
perfschema/pfs.cc:1863(pfs_spawn_thread)[0x564abc00829c]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x76ba)[0x7f93428d16ba]
x86_64/clone.S:111(clone)[0x7f9341f7c41d]
 
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0x7f932bdb9420): SELECT * FROM temp  WHERE (f1,f2) IN (SELECT t1.i1, t1.v1 FROM (t2 JOIN t1 ON (t1.v1 = t2.v1)))
Connection ID (thread ID): 3
Status: NOT_KILLED

Server version: 10.3.8-MariaDB-debug-log
Thread pointer: 0x7f16c8000b00
stack_bottom = 0x7f171c31be70 thread_stack 0x49000
mysys/stacktrace.c:269(my_print_stacktrace)[0x557e7670d783]
sql/signal_handler.cc:168(handle_fatal_signal)[0x557e75f5304e]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x11390)[0x7f17222bf390]
sql/key.cc:158(key_copy(unsigned char*, unsigned char const*, st_key*, unsigned int, bool))[0x557e7605dc57]
sql/sql_join_cache.cc:3656(JOIN_CACHE_BNLH::get_matching_chain_by_join_key())[0x557e75e0ec85]
sql/sql_join_cache.cc:3691(JOIN_CACHE_BNLH::prepare_look_for_matches(bool))[0x557e75e0ed16]
sql/sql_join_cache.cc:2273(JOIN_CACHE::join_matching_records(bool))[0x557e75e0cc10]
sql/sql_join_cache.cc:2088(JOIN_CACHE::join_records(bool))[0x557e75e0c660]
sql/sql_select.cc:19039(sub_select_cache(JOIN*, st_join_table*, bool))[0x557e75cdbdfc]
sql/sql_select.cc:19210(sub_select(JOIN*, st_join_table*, bool))[0x557e75cdc007]
sql/sql_select.cc:18801(do_select(JOIN*, Procedure*))[0x557e75cdb7d1]
sql/sql_select.cc:4011(JOIN::exec_inner())[0x557e75cb4bb1]
sql/sql_select.cc:3806(JOIN::exec())[0x557e75cb4024]
sql/sql_select.cc:4212(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x557e75cb528b]
sql/sql_select.cc:382(handle_select(THD*, LEX*, select_result*, unsigned long))[0x557e75ca7436]
sql/sql_parse.cc:6541(execute_sqlcom_select(THD*, TABLE_LIST*))[0x557e75c71db6]
sql/sql_parse.cc:3764(mysql_execute_command(THD*))[0x557e75c6820f]
sql/sql_parse.cc:8076(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x557e75c75cfc]
sql/sql_parse.cc:1849(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x557e75c62ce4]
sql/sql_parse.cc:1392(do_command(THD*))[0x557e75c61701]
sql/sql_connect.cc:1402(do_handle_one_connection(CONNECT*))[0x557e75dc6a4d]
sql/sql_connect.cc:1309(handle_one_connection)[0x557e75dc679e]
perfschema/pfs.cc:1864(pfs_spawn_thread)[0x557e7669ddf4]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x76ba)[0x7f17222b56ba]
x86_64/clone.S:111(clone)[0x7f172174a41d]
 
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0x7f16c8014cd8): SELECT * FROM temp  WHERE (f1,f2) IN (SELECT t1.i1, t1.v1 FROM (t2 JOIN t1 ON (t1.v1 = t2.v1)))
Connection ID (thread ID): 9
Status: NOT_KILLED



 Comments   
Comment by Igor Babaev [ 2018-06-30 ]

A fix for this bug was pushed into 5.5.
It should be merged upstream as it is.
