[MDEV-17699] AddressSanitizer: use-after-poison in base_list_iterator::next_fast Created: 2018-11-13  Updated: 2019-12-08  Resolved: 2019-12-05

Status: Closed
Project: MariaDB Server
Component/s: N/A
Affects Version/s: 10.4
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: Alice Sherepa Assignee: Alice Sherepa
Resolution: Cannot Reproduce Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-17071 Server crashes in TABLE_LIST::get_tab... Confirmed

Description

-- Base table with a NOT NULL blob column and a char column used in the join conditions
create table t1 (i1 int, b1 blob not null, pk int not null, i2 int, c1 char(2)) engine=myisam;
insert into t1 values (null,'a',1,null,'a');
 
-- Second table, referenced both directly and through a TEMPTABLE view in the subquery
create table t2 (pk int not null primary key) engine=myisam;
insert into t2 values (1),(2),(3); 
 
create algorithm=temptable view v1 as select * from t2;
 
-- Derived table right-joined to a self-join of t1; the equality b.c1 = a.c1 produces the
-- Item_equal list that substitute_for_best_equal_field iterates (see the stack trace below)
select 1 from (select * from t1) as tb1
	right join (t1 as a join t1 as b  on (b.c1 = a.c1)) on (b.b1 != a.i1) and (b.b1 != a.i2)
where b.pk in (select count(t2.pk) from (t2, v1));

10.4 47b7ca629f5e9146

AddressSanitizer: use-after-poison
    #0 0x5573a3925510 in base_list_iterator::next_fast() /10.4/sql/sql_list.h:433
    #1 0x5573a3b89974 in List_iterator_fast<Item_equal>::operator++(int) /10.4/sql/sql_list.h:560
    #2 0x5573a3cafb4e in substitute_for_best_equal_field /10.4/sql/sql_select.cc:15545
    #3 0x5573a3caf49e in substitute_for_best_equal_field /10.4/sql/sql_select.cc:15458
    #4 0x5573a3c53337 in JOIN::optimize_stage2() /10.4/sql/sql_select.cc:2351
    #5 0x5573a3c51921 in JOIN::optimize_inner() /10.4/sql/sql_select.cc:2193
    #6 0x5573a3c4b87a in JOIN::optimize() /10.4/sql/sql_select.cc:1551
    #7 0x5573a3c688f2 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.4/sql/sql_select.cc:4564
    #8 0x5573a3c3fa0b in handle_select(THD*, LEX*, select_result*, unsigned long) /10.4/sql/sql_select.cc:424
    #9 0x5573a3bc4534 in execute_sqlcom_select /10.4/sql/sql_parse.cc:6604
    #10 0x5573a3bb12e6 in mysql_execute_command(THD*) /10.4/sql/sql_parse.cc:3841
    #11 0x5573a3bcca12 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/sql/sql_parse.cc:8157
    #12 0x5573a3ba54bf in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/sql/sql_parse.cc:1829
    #13 0x5573a3ba23ba in do_command(THD*) /10.4/sql/sql_parse.cc:1358
    #14 0x5573a3f165c1 in do_handle_one_connection(CONNECT*) /10.4/sql/sql_connect.cc:1399
    #15 0x5573a3f15f8b in handle_one_connection /10.4/sql/sql_connect.cc:1302
    #16 0x5573a52d1d8c in pfs_spawn_thread /10.4/storage/perfschema/pfs.cc:1862
    #17 0x7fa8d4e4d6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #18 0x7fa8d40de41c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

Comments
Comment by Alice Sherepa [ 2019-12-05 ]

Not reproducible on current 10.4 aab6cefe8dc132ec6a16e6af.

Generated at Thu Feb 08 08:38:26 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.