[MDEV-17120] Server crash in base_list::push_back or ASAN use-after-poison in multi_update::prepare upon 2nd execution of SP with erroneous UPDATE Created: 2018-09-02  Updated: 2023-11-28

Status: Confirmed
Project: MariaDB Server
Component/s: Data Manipulation - Update, Stored routines, Views
Affects Version/s: 10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10, 10.11, 11.0
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Dmitry Shulga
Resolution: Unresolved Votes: 0
Labels: None

Issue Links:
Duplicate
is duplicated by MDEV-28096 MariaDB UAP issue Closed

 Description   

# Reproducer for MDEV-17120 (mysqltest syntax; `#` lines are comments).
# The MERGE view wraps a derived table that self-joins t (comma join of a1 and
# a2), so an UPDATE through it is not updatable and must be rejected with
# error 1288 rather than executed.
CREATE TABLE t (f INT);
CREATE ALGORITHM = MERGE VIEW v AS SELECT f FROM ( SELECT a2.f AS f FROM t AS a1, t AS a2 ) AS sq;
CREATE PROCEDURE sp() UPDATE v SET f = 1;
 
# 1st execution: the erroneous UPDATE fails as expected (1288).
--error 1288
CALL sp;
# 2nd execution of the same SP instruction: the same 1288 is expected, but
# multi_update::prepare instead reads memory that ASAN reports as poisoned
# (see the traces below) -- presumably statement state not re-initialised
# after the first run ended in an error -- and the server crashes.
--error 1288
CALL sp;
 
# Cleanup
DROP PROCEDURE sp;
DROP VIEW v;
DROP TABLE t;

10.2 af9649c72

#3  <signal handler called>
#4  0x0000564dc40e67f1 in base_list::push_back (this=0x8f8f8f8f8f8f8f8f, info=0x7fe01803ed48, mem_root=0x7fe0342782c0) at /data/src/10.2/sql/sql_list.h:218
#5  0x0000564dc40f5ca9 in List<Item>::push_back (this=0x8f8f8f8f8f8f8f8f, a=0x7fe01803ed48, mem_root=0x7fe0342782c0) at /data/src/10.2/sql/sql_list.h:531
#6  0x0000564dc42ad6e7 in multi_update::prepare (this=0x7fe01803eec0, not_used_values=..., lex_unit=0x7fe01815efa0) at /data/src/10.2/sql/sql_update.cc:1769
#7  0x0000564dc41fd1c9 in JOIN::prepare (this=0x7fe01803ef88, tables_init=0x7fe01815da10, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7fe01815f6d8, unit_arg=0x7fe01815efa0) at /data/src/10.2/sql/sql_select.cc:1051
#8  0x0000564dc42068a3 in mysql_select (thd=0x7fe018000b00, tables=0x7fe01815da10, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=1342177408, result=0x7fe01803eec0, unit=0x7fe01815efa0, select_lex=0x7fe01815f6d8) at /data/src/10.2/sql/sql_select.cc:3782
#9  0x0000564dc42acc1c in mysql_multi_update (thd=0x7fe018000b00, table_list=0x7fe01815da10, fields=0x7fe01815f800, values=0x7fe01815fcd8, conds=0x0, options=0, handle_duplicates=DUP_ERROR, ignore=false, unit=0x7fe01815efa0, select_lex=0x7fe01815f6d8, result=0x7fe034277950) at /data/src/10.2/sql/sql_update.cc:1604
#10 0x0000564dc41be8c4 in mysql_execute_command (thd=0x7fe018000b00) at /data/src/10.2/sql/sql_parse.cc:4357
#11 0x0000564dc45b49d6 in sp_instr_stmt::exec_core (this=0x7fe01815e1f0, thd=0x7fe018000b00, nextp=0x7fe0342781a4) at /data/src/10.2/sql/sp_head.cc:3246
#12 0x0000564dc45b4041 in sp_lex_keeper::reset_lex_and_exec_core (this=0x7fe01815e230, thd=0x7fe018000b00, nextp=0x7fe0342781a4, open_tables=false, instr=0x7fe01815e1f0) at /data/src/10.2/sql/sp_head.cc:3009
#13 0x0000564dc45b4681 in sp_instr_stmt::execute (this=0x7fe01815e1f0, thd=0x7fe018000b00, nextp=0x7fe0342781a4) at /data/src/10.2/sql/sp_head.cc:3162
#14 0x0000564dc45af845 in sp_head::execute (this=0x7fe01815ce38, thd=0x7fe018000b00, merge_da_on_success=true) at /data/src/10.2/sql/sp_head.cc:1327
#15 0x0000564dc45b18d5 in sp_head::execute_procedure (this=0x7fe01815ce38, thd=0x7fe018000b00, args=0x7fe018005418) at /data/src/10.2/sql/sp_head.cc:2116
#16 0x0000564dc41ba7db in do_execute_sp (thd=0x7fe018000b00, sp=0x7fe01815ce38) at /data/src/10.2/sql/sql_parse.cc:2912
#17 0x0000564dc41c3bb0 in mysql_execute_command (thd=0x7fe018000b00) at /data/src/10.2/sql/sql_parse.cc:5825
#18 0x0000564dc41ca13d in mysql_parse (thd=0x7fe018000b00, rawbuf=0x7fe018012488 "CALL sp", length=7, parser_state=0x7fe034279200, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:8011
#19 0x0000564dc41b7a97 in dispatch_command (command=COM_QUERY, thd=0x7fe018000b00, packet=0x7fe01808cb81 "CALL sp", packet_length=7, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1824
#20 0x0000564dc41b63fa in do_command (thd=0x7fe018000b00) at /data/src/10.2/sql/sql_parse.cc:1378
#21 0x0000564dc4308785 in do_handle_one_connection (connect=0x564dc81acd70) at /data/src/10.2/sql/sql_connect.cc:1335
#22 0x0000564dc4308512 in handle_one_connection (arg=0x564dc81acd70) at /data/src/10.2/sql/sql_connect.cc:1241
#23 0x0000564dc472b7ac in pfs_spawn_thread (arg=0x564dc81b7ac0) at /data/src/10.2/storage/perfschema/pfs.cc:1862
#24 0x00007fe03b473494 in start_thread (arg=0x7fe03427a700) at pthread_create.c:333
#25 0x00007fe03985993f in clone () from /lib/x86_64-linux-gnu/libc.so.6

Reproducible on debug- and non-debug builds of 10.2, 10.3, 10.4 with at least MyISAM and InnoDB.
An ASAN build reports a similar failure; use it if a non-ASAN build does not crash for whatever reason (without the sanitizer the stale read may happen not to fault):

10.2 ASAN af9649c722

==26401==ERROR: AddressSanitizer: use-after-poison on address 0x6250000d60e0 at pc 0x55fd23c2bf63 bp 0x7fccbbc2e650 sp 0x7fccbbc2e648
READ of size 8 at 0x6250000d60e0 thread T5
    #0 0x55fd23c2bf62 in multi_update::prepare(List<Item>&, st_select_lex_unit*) /data/src/10.2/sql/sql_update.cc:1769
    #1 0x55fd23a67f50 in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.2/sql/sql_select.cc:1051
    #2 0x55fd23a81f8b in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3782
    #3 0x55fd23c2a34b in mysql_multi_update(THD*, TABLE_LIST*, List<Item>*, List<Item>*, Item*, unsigned long long, enum_duplicates, bool, st_select_lex_unit*, st_select_lex*, multi_update**) /data/src/10.2/sql/sql_update.cc:1604
    #4 0x55fd239d54b7 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4357
    #5 0x55fd24367265 in sp_instr_stmt::exec_core(THD*, unsigned int*) /data/src/10.2/sql/sp_head.cc:3246
    #6 0x55fd24365eb1 in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) /data/src/10.2/sql/sp_head.cc:3009
    #7 0x55fd24366b2f in sp_instr_stmt::execute(THD*, unsigned int*) /data/src/10.2/sql/sp_head.cc:3162
    #8 0x55fd2435c430 in sp_head::execute(THD*, bool) /data/src/10.2/sql/sp_head.cc:1327
    #9 0x55fd2436021d in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.2/sql/sp_head.cc:2116
    #10 0x55fd239cd48d in do_execute_sp /data/src/10.2/sql/sql_parse.cc:2912
    #11 0x55fd239df843 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:5825
    #12 0x55fd239ecf01 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:8011
    #13 0x55fd239c794f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1824
    #14 0x55fd239c49f3 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1378
    #15 0x55fd23d0923e in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
    #16 0x55fd23d08c53 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #17 0x55fd2471a5c1 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
    #18 0x7fccc80b5493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
    #19 0x7fccc649b93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
 
0x6250000d60e0 is located 6112 bytes inside of 8268-byte region [0x6250000d4900,0x6250000d694c)
allocated by thread T5 here:
    #0 0x7fccc831f73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x55fd2503d003 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
    #2 0x55fd2500c1c4 in my_malloc /data/src/10.2/mysys/my_malloc.c:101
    #3 0x55fd24fed067 in alloc_root /data/src/10.2/mysys/my_alloc.c:242
    #4 0x55fd239fc409 in Query_arena::memdup_w_gap(void const*, unsigned long, unsigned int) /data/src/10.2/sql/sql_class.h:987
    #5 0x55fd239cbe15 in alloc_query(THD*, char const*, unsigned int) /data/src/10.2/sql/sql_parse.cc:2647
    #6 0x55fd24366a1b in sp_instr_stmt::execute(THD*, unsigned int*) /data/src/10.2/sql/sp_head.cc:3150
    #7 0x55fd2435c430 in sp_head::execute(THD*, bool) /data/src/10.2/sql/sp_head.cc:1327
    #8 0x55fd2436021d in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.2/sql/sp_head.cc:2116
    #9 0x55fd239cd48d in do_execute_sp /data/src/10.2/sql/sql_parse.cc:2912
    #10 0x55fd239df843 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:5825
    #11 0x55fd239ecf01 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:8011
    #12 0x55fd239c794f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1824
    #13 0x55fd239c49f3 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1378
    #14 0x55fd23d0923e in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
    #15 0x55fd23d08c53 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #16 0x55fd2471a5c1 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
    #17 0x7fccc80b5493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
 
Thread T5 created by T0 here:
    #0 0x7fccc82eebba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
    #1 0x55fd2471ab89 in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1912
    #2 0x55fd237c142e in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1239
    #3 0x55fd237d6318 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6454
    #4 0x55fd237d6a1d in create_new_thread /data/src/10.2/sql/mysqld.cc:6524
    #5 0x55fd237d7a34 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6799
    #6 0x55fd237d586d in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6073
    #7 0x55fd237bf7cf in main /data/src/10.2/sql/main.cc:25
    #8 0x7fccc63d32b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
 
SUMMARY: AddressSanitizer: use-after-poison /data/src/10.2/sql/sql_update.cc:1769 multi_update::prepare(List<Item>&, st_select_lex_unit*)
Shadow bytes around the buggy address:
  0x0c4a80012bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80012bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80012be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80012bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80012c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a80012c10: 00 00 00 00 00 00 00 00 00 00 00 00[f7]f7 f7 f7
  0x0c4a80012c20: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80012c30: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80012c40: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80012c50: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80012c60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==26401==ABORTING



 Comments   
Comment by Alice Sherepa [ 2022-03-17 ]

Test from MDEV-28096 (same crash in multi_update::prepare, reached through a trigger body instead of a stored procedure):

# Reproducer from MDEV-28096: the trigger body is a multi-table UPDATE whose
# join condition is the string literal 'x', which cannot be evaluated as a
# numeric condition, so the trigger fails with error 1292 on every firing.
create table t1 (a int);
create table t2 (c int);
 
# Note: the trigger is deliberately named t2, the same as the joined table;
# `natural join t2 t` joins t2 with itself under the alias t.
create trigger t2 before insert on t1 for each row update t1 join t2 on 'x' natural join t2 t  set c = 1 ;
 
# 1st INSERT fires the trigger; the UPDATE is rejected as expected (1292).
 --error 1292
 insert into t1 values (1) ;
# 2nd INSERT re-executes the same trigger instruction: 1292 is expected again,
# but the server instead crashes (use-after-poison / SIGSEGV, see below).
 --error 1292
 insert into t1 values (1) ;

10.2 22fd31c5883622b5c7451cee7

Version: '10.2.44-MariaDB-debug-log'  
=================================================================
==489237==ERROR: AddressSanitizer: use-after-poison on address 0x62500011b080 at pc 0x55605dfe9b30 bp 0x7ff2668c9270 sp 0x7ff2668c9260
READ of size 8 at 0x62500011b080 thread T27
    #0 0x55605dfe9b2f in multi_update::prepare(List<Item>&, st_select_lex_unit*) /10.2/src/sql/sql_update.cc:1837
    #1 0x55605ddfc576 in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /10.2/src/sql/sql_select.cc:1062
    #2 0x55605de18591 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.2/src/sql/sql_select.cc:3827
    #3 0x55605dfe7a12 in mysql_multi_update(THD*, TABLE_LIST*, List<Item>*, List<Item>*, Item*, unsigned long long, enum_duplicates, bool, st_select_lex_unit*, st_select_lex*, multi_update**) /10.2/src/sql/sql_update.cc:1647
    #4 0x55605dd5bd43 in mysql_execute_command(THD*) /10.2/src/sql/sql_parse.cc:4132
    #5 0x55605dba46cb in sp_instr_stmt::exec_core(THD*, unsigned int*) /10.2/src/sql/sp_head.cc:3337
    #6 0x55605dba3197 in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) /10.2/src/sql/sp_head.cc:3099
    #7 0x55605dba3f3f in sp_instr_stmt::execute(THD*, unsigned int*) /10.2/src/sql/sp_head.cc:3253
    #8 0x55605db98271 in sp_head::execute(THD*, bool) /10.2/src/sql/sp_head.cc:1326
    #9 0x55605db9a06b in sp_head::execute_trigger(THD*, st_mysql_lex_string const*, st_mysql_lex_string const*, st_grant_info*) /10.2/src/sql/sp_head.cc:1742
    #10 0x55605dfbf6c8 in Table_triggers_list::process_triggers(THD*, trg_event_type, trg_action_time_type, bool) /10.2/src/sql/sql_trigger.cc:2209
    #11 0x55605dc51918 in fill_record_n_invoke_before_triggers(THD*, TABLE*, Field**, List<Item>&, bool, trg_event_type) /10.2/src/sql/sql_base.cc:8420
    #12 0x55605dcf4a82 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /10.2/src/sql/sql_insert.cc:1010
    #13 0x55605dd5c428 in mysql_execute_command(THD*) /10.2/src/sql/sql_parse.cc:4217
    #14 0x55605dd74d03 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.2/src/sql/sql_parse.cc:7793
    #15 0x55605dd4df08 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.2/src/sql/sql_parse.cc:1827
    #16 0x55605dd4acd3 in do_command(THD*) /10.2/src/sql/sql_parse.cc:1381
    #17 0x55605e0d7409 in do_handle_one_connection(CONNECT*) /10.2/src/sql/sql_connect.cc:1336
    #18 0x55605e0d6ccc in handle_one_connection /10.2/src/sql/sql_connect.cc:1241
    #19 0x55605f477af3 in pfs_spawn_thread /10.2/src/storage/perfschema/pfs.cc:1869
    #20 0x7ff27d95b608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
    #21 0x7ff27d0c9162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)
 
0x62500011b080 is located 1920 bytes inside of 8268-byte region [0x62500011a900,0x62500011c94c)
allocated by thread T27 here:
    #0 0x7ff27da83808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x55605f5959f8 in sf_malloc /10.2/src/mysys/safemalloc.c:118
    #2 0x55605f561993 in my_malloc /10.2/src/mysys/my_malloc.c:101
    #3 0x55605f53f005 in alloc_root /10.2/src/mysys/my_alloc.c:243
    #4 0x55605dd85b3e in Query_arena::memdup_w_gap(void const*, unsigned long, unsigned int) /10.2/src/sql/sql_class.h:1012
    #5 0x55605dd52da1 in alloc_query(THD*, char const*, unsigned int) /10.2/src/sql/sql_parse.cc:2687
    #6 0x55605dba3e2b in sp_instr_stmt::execute(THD*, unsigned int*) /10.2/src/sql/sp_head.cc:3241
    #7 0x55605db98271 in sp_head::execute(THD*, bool) /10.2/src/sql/sp_head.cc:1326
    #8 0x55605db9a06b in sp_head::execute_trigger(THD*, st_mysql_lex_string const*, st_mysql_lex_string const*, st_grant_info*) /10.2/src/sql/sp_head.cc:1742
    #9 0x55605dfbf6c8 in Table_triggers_list::process_triggers(THD*, trg_event_type, trg_action_time_type, bool) /10.2/src/sql/sql_trigger.cc:2209
    #10 0x55605dc51918 in fill_record_n_invoke_before_triggers(THD*, TABLE*, Field**, List<Item>&, bool, trg_event_type) /10.2/src/sql/sql_base.cc:8420
    #11 0x55605dcf4a82 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /10.2/src/sql/sql_insert.cc:1010
    #12 0x55605dd5c428 in mysql_execute_command(THD*) /10.2/src/sql/sql_parse.cc:4217
    #13 0x55605dd74d03 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.2/src/sql/sql_parse.cc:7793
    #14 0x55605dd4df08 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.2/src/sql/sql_parse.cc:1827
    #15 0x55605dd4acd3 in do_command(THD*) /10.2/src/sql/sql_parse.cc:1381
    #16 0x55605e0d7409 in do_handle_one_connection(CONNECT*) /10.2/src/sql/sql_connect.cc:1336
    #17 0x55605e0d6ccc in handle_one_connection /10.2/src/sql/sql_connect.cc:1241
    #18 0x55605f477af3 in pfs_spawn_thread /10.2/src/storage/perfschema/pfs.cc:1869
    #19 0x7ff27d95b608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
 
Thread T27 created by T0 here:
    #0 0x7ff27d9b0815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
    #1 0x55605f477ee4 in spawn_thread_v1 /10.2/src/storage/perfschema/pfs.cc:1919
    #2 0x55605daed293 in inline_mysql_thread_create /10.2/src/include/mysql/psi/mysql_thread.h:1246
    #3 0x55605db051ea in create_thread_to_handle_connection(CONNECT*) /10.2/src/sql/mysqld.cc:6580
    #4 0x55605db05985 in create_new_thread /10.2/src/sql/mysqld.cc:6650
    #5 0x55605db06b17 in handle_connections_sockets() /10.2/src/sql/mysqld.cc:6908
    #6 0x55605db0453b in mysqld_main(int, char**) /10.2/src/sql/mysqld.cc:6199
    #7 0x55605daebb4c in main /10.2/src/sql/main.cc:25
    #8 0x7ff27cfce0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
 
SUMMARY: AddressSanitizer: use-after-poison /10.2/src/sql/sql_update.cc:1837 in multi_update::prepare(List<Item>&, st_select_lex_unit*)
Shadow bytes around the buggy address:
  0x0c4a8001b5c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a8001b5d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a8001b5e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a8001b5f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a8001b600: 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 f7 f7
=>0x0c4a8001b610:[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a8001b620: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a8001b630: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a8001b640: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a8001b650: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a8001b660: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==489237==ABORTING
----------SERVER LOG END-------------
 

On a non-debug build the same test crashes the server with signal 11 (SIGSEGV) at the same place, base_list::push_back called from multi_update::prepare:

Version: '10.6.7-MariaDB' 
220317 14:26:56 [ERROR] mysqld got signal 11 ;
 
Server version: 10.6.7-MariaDB
]
sql/signal_handler.cc:226(handle_fatal_signal)[0x56014ade9657]
sigaction.c:0(__restore_rt)[0x7f5d3db4c3c0]
sql/sql_list.h:195(base_list::push_back(void*, st_mem_root*))[0x56014ac7eb8e]
sql/sql_select.cc:1684(JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x56014ac10d52]
sql/sql_select.cc:4986(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x56014ac24906]
sql/sql_class.h:4326(mysql_multi_update(THD*, TABLE_LIST*, List<Item>*, List<Item>*, Item*, unsigned long long, enum_duplicates, bool, st_select_lex_unit*, st_select_lex*, multi_update**))[0x56014ac7d3c6]
sql/sql_parse.cc:4498(mysql_execute_command(THD*, bool))[0x56014abc7c97]
sql/sp_head.cc:3778(sp_instr_stmt::exec_core(THD*, unsigned int*))[0x56014ab1f2e8]
sql/sp_head.cc:3511(sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*))[0x56014ab28226]
sql/sp_head.cc:3684(sp_instr_stmt::execute(THD*, unsigned int*))[0x56014ab28cbe]
sql/sp_head.cc:1437(sp_head::execute(THD*, bool))[0x56014ab23284]
psi/mysql_sp.h:79(sp_head::execute_trigger(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, st_grant_info*))[0x56014ab24216]
sql/sql_trigger.cc:2473(Table_triggers_list::process_triggers(THD*, trg_event_type, trg_action_time_type, bool))[0x56014ac67b75]
sql/sql_base.cc:8924(fill_record_n_invoke_before_triggers(THD*, TABLE*, Field**, List<Item>&, bool, trg_event_type))[0x56014ab5febb]
sql/sql_insert.cc:1066(mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*))[0x56014ab94139]
sql/sql_parse.cc:4567(mysql_execute_command(THD*, bool))[0x56014abc6f48]
sql/sql_parse.cc:8030(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x56014abc959b]
sql/sql_parse.cc:1955(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x56014abcb7e7]
sql/sql_parse.cc:1406(do_command(THD*, bool))[0x56014abcce83]
sql/sql_connect.cc:1418(do_handle_one_connection(CONNECT*, bool))[0x56014acc2be7]
sql/sql_connect.cc:1318(handle_one_connection)[0x56014acc2e84]
perfschema/pfs.cc:2204(pfs_spawn_thread)[0x56014b0560cc]
nptl/pthread_create.c:478(start_thread)[0x7f5d3db40609]
??:0(clone)[0x7f5d3d72c163]
 
Query (0x7f5cf007fb90): update t1 join t2 on 'x' natural join t2 t  set c = 1

# Same UPDATE statement as the trigger test above, this time re-executed as a
# prepared statement, i.e. with no stored procedure or trigger involved.
# NOTE(review): this variant needs only the privileges required to run the
# UPDATE itself, so any client that can execute such a statement can
# presumably bring the server down (denial of service) -- worth keeping in
# mind when assessing exposure, since the fix is still pending on some branches.
create table t1 (a int);
create table t2 (c int);
 
prepare stmt from "update t1 join t2 on 'x' natural join t2 t  set c = 1 ;";
 
# 1st execution fails with 1292 as expected.
--error 1292
execute stmt;
# 2nd execution is where the crash occurs. NOTE(review): if a build does not
# crash here, this statement likely returns 1292 again; add `--error 1292` in
# that case so the test does not fail for the wrong reason.
execute stmt;
