[MDEV-17936] Server crashes in Field::is_null upon 2nd execution of PS Created: 2018-12-08  Updated: 2023-11-28

Status: Confirmed
Project: MariaDB Server
Component/s: Optimizer, Prepared Statements
Affects Version/s: 10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8
Fix Version/s: 10.4, 10.5, 10.6, 11.0

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Dmitry Shulga
Resolution: Unresolved Votes: 0
Labels: None


 Description   

Note: INSERTs are not necessary for the failure, they are only here to make the test case non-degenerate.

# Reproducer for MDEV-17936: heap-use-after-free in Field::is_null() on the
# second EXECUTE of a prepared SELECT whose WHERE clause contains
# ">= ANY (subquery with GROUP BY ... HAVING ...)".
# Security note: the ASAN report below shows an 8-byte READ from freed heap
# memory (no write is shown).  Any authenticated user with SELECT on two
# tables can trigger it via PREPARE/EXECUTE, i.e. a server crash (DoS).
# Both tables are created with ENGINE=InnoDB, hence the have_innodb guard.
--source include/have_innodb.inc
 
CREATE TABLE t1 (a INT) ENGINE=InnoDB;
INSERT INTO t1 VALUES (1),(2);
CREATE TABLE t2 (b INT) ENGINE=InnoDB;
# NOTE(review): this second INSERT targets t1 again, so t2 stays empty and
# the subquery below returns no rows.  Possibly a typo for t2; per the note
# above the INSERTs are not needed for the failure, so the crash should
# reproduce either way -- confirm if the test is ever edited.
INSERT INTO t1 VALUES (3),(4);
 
# The failure is reported on the second EXECUTE (see the ticket title).
# From the ASAN trace: during Item_cond::fix_fields the subquery is run
# (Item_in_optimizer::val_int -> Item_in_subselect::exec); that run builds
# a post-join aggregation temp table (JOIN::create_postjoin_aggr_table) and
# frees it in JOIN::cleanup.  Later, st_select_lex::update_used_tables ->
# Item_cond::eval_not_null_tables re-evaluates the condition, and the
# Item_cache_int held by Item_singlerow_subselect still points at a Field
# of the freed temp table -> Field::is_null() reads freed memory.
PREPARE stmt FROM "SELECT * FROM t1 WHERE 1 >= ANY (SELECT b FROM t2 GROUP BY b HAVING b >= 2) AND a IS NULL";
EXECUTE stmt;
EXECUTE stmt;
 
# Cleanup
DEALLOCATE PREPARE stmt;
DROP TABLE t1, t2;

10.2 5ec9b88e1 (gdb backtrace of the crash on the second EXECUTE):

#3  <signal handler called>
#4  0x000055b4815e9e90 in Field::is_null (this=0x7f9db8038ba8, row_offset=0) at /data/src/10.2/sql/field.h:1130
#5  0x000055b48194502e in Item_field::val_int_result (this=0x7f9db8090388) at /data/src/10.2/sql/item.cc:2853
#6  0x000055b481958537 in Item_cache_int::cache_value (this=0x7f9db8013648) at /data/src/10.2/sql/item.cc:9573
#7  0x000055b481961202 in Item_cache::has_value (this=0x7f9db8013648) at /data/src/10.2/sql/item.h:5539
#8  0x000055b481958739 in Item_cache_int::val_int (this=0x7f9db8013648) at /data/src/10.2/sql/item.cc:9610
#9  0x000055b4819f013d in Item_singlerow_subselect::val_int (this=0x7f9db80132c8) at /data/src/10.2/sql/item_subselect.cc:1328
#10 0x000055b4819689d7 in Arg_comparator::compare_int_signed (this=0x7f9db8013580) at /data/src/10.2/sql/item_cmpfunc.cc:948
#11 0x000055b48197c100 in Arg_comparator::compare (this=0x7f9db8013580) at /data/src/10.2/sql/item_cmpfunc.h:87
#12 0x000055b48196b1ad in Item_func_le::val_int (this=0x7f9db80134c0) at /data/src/10.2/sql/item_cmpfunc.cc:1828
#13 0x000055b48196a657 in Item_in_optimizer::val_int (this=0x7f9db80919a0) at /data/src/10.2/sql/item_cmpfunc.cc:1574
#14 0x000055b481966850 in Item_func_nop_all::val_int (this=0x7f9db8091188) at /data/src/10.2/sql/item_cmpfunc.cc:367
#15 0x000055b481974975 in Item_cond::eval_not_null_tables (this=0x7f9db80125c0, opt_arg=0x0) at /data/src/10.2/sql/item_cmpfunc.cc:4681
#16 0x000055b48164e1d9 in Item_func_or_sum::walk (this=0x7f9db80125c0, processor=&virtual table offset 936, walk_subquery=false, arg=0x0) at /data/src/10.2/sql/item.h:4223
#17 0x000055b481974c7f in Item_cond::walk (this=0x7f9db80125c0, processor=&virtual table offset 936, walk_subquery=false, arg=0x0) at /data/src/10.2/sql/item_cmpfunc.cc:4753
#18 0x000055b4816a143a in st_select_lex::update_used_tables (this=0x7f9db808e0e0) at /data/src/10.2/sql/sql_lex.cc:4249
#19 0x000055b4816f1ce8 in JOIN::optimize_inner (this=0x7f9db80127e0) at /data/src/10.2/sql/sql_select.cc:1232
#20 0x000055b4816f169d in JOIN::optimize (this=0x7f9db80127e0) at /data/src/10.2/sql/sql_select.cc:1115
#21 0x000055b4816fab8a in mysql_select (thd=0x7f9db8000b00, tables=0x7f9db808f198, wild_num=0, fields=..., conds=0x7f9db80125c0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2416184064, result=0x7f9db8091558, unit=0x7f9db808d9a8, select_lex=0x7f9db808e0e0) at /data/src/10.2/sql/sql_select.cc:3802
#22 0x000055b4816eee51 in handle_select (thd=0x7f9db8000b00, lex=0x7f9db808d8e0, result=0x7f9db8091558, setup_tables_done_option=0) at /data/src/10.2/sql/sql_select.cc:376
#23 0x000055b4816ba2e2 in execute_sqlcom_select (thd=0x7f9db8000b00, all_tables=0x7f9db808f198) at /data/src/10.2/sql/sql_parse.cc:6479
#24 0x000055b4816b0262 in mysql_execute_command (thd=0x7f9db8000b00) at /data/src/10.2/sql/sql_parse.cc:3485
#25 0x000055b4816dbd28 in Prepared_statement::execute (this=0x7f9db808c2e0, expanded_query=0x7f9dfc5f1560, open_cursor=false) at /data/src/10.2/sql/sql_prepare.cc:4799
#26 0x000055b4816da083 in Prepared_statement::execute_loop (this=0x7f9db808c2e0, expanded_query=0x7f9dfc5f1560, open_cursor=false, packet=0x0, packet_end=0x0) at /data/src/10.2/sql/sql_prepare.cc:4228
#27 0x000055b4816d7d36 in mysql_sql_stmt_execute (thd=0x7f9db8000b00) at /data/src/10.2/sql/sql_prepare.cc:3336
#28 0x000055b4816b02a7 in mysql_execute_command (thd=0x7f9db8000b00) at /data/src/10.2/sql/sql_parse.cc:3501
#29 0x000055b4816be1bd in mysql_parse (thd=0x7f9db8000b00, rawbuf=0x7f9db8012448 "EXECUTE stmt", length=12, parser_state=0x7f9dfc5f2200, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:8013
#30 0x000055b4816abaf5 in dispatch_command (command=COM_QUERY, thd=0x7f9db8000b00, packet=0x7f9db8095ec1 "EXECUTE stmt", packet_length=12, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1824
#31 0x000055b4816aa458 in do_command (thd=0x7f9db8000b00) at /data/src/10.2/sql/sql_parse.cc:1378
#32 0x000055b4817fcbc9 in do_handle_one_connection (connect=0x55b484989e20) at /data/src/10.2/sql/sql_connect.cc:1335
#33 0x000055b4817fc956 in handle_one_connection (arg=0x55b484989e20) at /data/src/10.2/sql/sql_connect.cc:1241
#34 0x000055b481c225ee in pfs_spawn_thread (arg=0x55b4848d52d0) at /data/src/10.2/storage/perfschema/pfs.cc:1862
#35 0x00007f9e12cc1494 in start_thread (arg=0x7f9dfc5f3700) at pthread_create.c:333
#36 0x00007f9e112c293f in clone () from /lib/x86_64-linux-gnu/libc.so.6

10.2 ASAN 5ec9b88e1 (same commit, AddressSanitizer build; the "freed by" and "previously allocated by" stacks show the temp-table field being allocated and freed inside the subquery execution triggered from Item_cond::fix_fields):

==15184==ERROR: AddressSanitizer: heap-use-after-free on address 0x6190000f5618 at pc 0x55b5408503b7 bp 0x7f0b6b828d50 sp 0x7f0b6b828d48
READ of size 8 at 0x6190000f5618 thread T27
    #0 0x55b5408503b6 in Field::is_null(long long) const /data/src/10.2/sql/field.h:1130
    #1 0x55b5410507cc in Item_field::val_int_result() /data/src/10.2/sql/item.cc:2853
    #2 0x55b541084ca1 in Item_cache_int::cache_value() /data/src/10.2/sql/item.cc:9573
    #3 0x55b54109a204 in Item_cache::has_value() /data/src/10.2/sql/item.h:5539
    #4 0x55b5410851b1 in Item_cache_int::val_int() /data/src/10.2/sql/item.cc:9610
    #5 0x55b5411e03d4 in Item_singlerow_subselect::val_int() /data/src/10.2/sql/item_subselect.cc:1328
    #6 0x55b5410acf6a in Arg_comparator::compare_int_signed() /data/src/10.2/sql/item_cmpfunc.cc:948
    #7 0x55b5410e5a38 in Arg_comparator::compare() /data/src/10.2/sql/item_cmpfunc.h:87
    #8 0x55b5410b5fdd in Item_func_le::val_int() /data/src/10.2/sql/item_cmpfunc.cc:1828
    #9 0x55b5410b3ca5 in Item_in_optimizer::val_int() /data/src/10.2/sql/item_cmpfunc.cc:1574
    #10 0x55b5410a5172 in Item_func_nop_all::val_int() /data/src/10.2/sql/item_cmpfunc.cc:367
    #11 0x55b5410d213d in Item_cond::eval_not_null_tables(void*) /data/src/10.2/sql/item_cmpfunc.cc:4681
    #12 0x55b54092d4b9 in Item_func_or_sum::walk(bool (Item::*)(void*), bool, void*) /data/src/10.2/sql/item.h:4223
    #13 0x55b5410d29ce in Item_cond::walk(bool (Item::*)(void*), bool, void*) /data/src/10.2/sql/item_cmpfunc.cc:4753
    #14 0x55b5409f9774 in st_select_lex::update_used_tables() /data/src/10.2/sql/sql_lex.cc:4249
    #15 0x55b540ab2956 in JOIN::optimize_inner() /data/src/10.2/sql/sql_select.cc:1232
    #16 0x55b540ab15ca in JOIN::optimize() /data/src/10.2/sql/sql_select.cc:1115
    #17 0x55b540acb0bb in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3802
    #18 0x55b540aaa2d4 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:376
    #19 0x55b540a2ceed in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6479
    #20 0x55b540a19bd2 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3485
    #21 0x55b540a7f0c4 in Prepared_statement::execute(String*, bool) /data/src/10.2/sql/sql_prepare.cc:4799
    #22 0x55b540a7aa3f in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.2/sql/sql_prepare.cc:4228
    #23 0x55b540a7566b in mysql_sql_stmt_execute(THD*) /data/src/10.2/sql/sql_prepare.cc:3336
    #24 0x55b540a19c17 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3501
    #25 0x55b540a35bd7 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:8013
    #26 0x55b540a105c1 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1824
    #27 0x55b540a0d665 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1378
    #28 0x55b540d5283a in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
    #29 0x55b540d5224f in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #30 0x55b54176ce1b in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
    #31 0x7f0b7c000493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
    #32 0x7f0b7a60193e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
 
0x6190000f5618 is located 152 bytes inside of 1100-byte region [0x6190000f5580,0x6190000f59cc)
freed by thread T27 here:
    #0 0x7f0b7c26a527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
    #1 0x55b54208e3f1 in free_memory /data/src/10.2/mysys/safemalloc.c:279
    #2 0x55b54208d9f7 in sf_free /data/src/10.2/mysys/safemalloc.c:197
    #3 0x55b54205cc86 in my_free /data/src/10.2/mysys/my_malloc.c:217
    #4 0x55b54203e2fc in free_root /data/src/10.2/mysys/my_alloc.c:399
    #5 0x55b540b2893f in free_tmp_table(THD*, TABLE*) /data/src/10.2/sql/sql_select.cc:18091
    #6 0x55b540b03f43 in JOIN::cleanup(bool) /data/src/10.2/sql/sql_select.cc:12283
    #7 0x55b540b033b9 in JOIN::join_free() /data/src/10.2/sql/sql_select.cc:12176
    #8 0x55b540b2a5c5 in do_select /data/src/10.2/sql/sql_select.cc:18352
    #9 0x55b540aca22c in JOIN::exec_inner() /data/src/10.2/sql/sql_select.cc:3621
    #10 0x55b540ac7ec1 in JOIN::exec() /data/src/10.2/sql/sql_select.cc:3416
    #11 0x55b5411f97bb in subselect_single_select_engine::exec() /data/src/10.2/sql/item_subselect.cc:3894
    #12 0x55b5411db133 in Item_subselect::exec() /data/src/10.2/sql/item_subselect.cc:722
    #13 0x55b5411dc2b7 in Item_in_subselect::exec() /data/src/10.2/sql/item_subselect.cc:902
    #14 0x55b5411e41d8 in Item_in_subselect::val_bool() /data/src/10.2/sql/item_subselect.cc:1766
    #15 0x55b5408534a7 in Item::val_bool_result() /data/src/10.2/sql/item.h:1201
    #16 0x55b5410b4649 in Item_in_optimizer::val_int() /data/src/10.2/sql/item_cmpfunc.cc:1656
    #17 0x55b5410a5172 in Item_func_nop_all::val_int() /data/src/10.2/sql/item_cmpfunc.cc:367
    #18 0x55b5410d15ac in Item_cond::fix_fields(THD*, Item**) /data/src/10.2/sql/item_cmpfunc.cc:4619
    #19 0x55b5409248cc in setup_conds(THD*, TABLE_LIST*, List<TABLE_LIST>&, Item**) /data/src/10.2/sql/sql_base.cc:7905
    #20 0x55b540aabfa4 in setup_without_group /data/src/10.2/sql/sql_select.cc:640
    #21 0x55b540aadfc3 in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.2/sql/sql_select.cc:825
    #22 0x55b540acb08f in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3794
    #23 0x55b540aaa2d4 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:376
    #24 0x55b540a2ceed in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6479
    #25 0x55b540a19bd2 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3485
    #26 0x55b540a7f0c4 in Prepared_statement::execute(String*, bool) /data/src/10.2/sql/sql_prepare.cc:4799
    #27 0x55b540a7aa3f in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.2/sql/sql_prepare.cc:4228
    #28 0x55b540a7566b in mysql_sql_stmt_execute(THD*) /data/src/10.2/sql/sql_prepare.cc:3336
    #29 0x55b540a19c17 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3501
 
previously allocated by thread T27 here:
    #0 0x7f0b7c26a73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x55b54208d167 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
    #2 0x55b54205c3be in my_malloc /data/src/10.2/mysys/my_malloc.c:101
    #3 0x55b54203d261 in alloc_root /data/src/10.2/mysys/my_alloc.c:242
    #4 0x55b54203ec32 in memdup_root /data/src/10.2/mysys/my_alloc.c:461
    #5 0x55b540f8870b in Field::make_new_field(st_mem_root*, TABLE*, bool) /data/src/10.2/sql/field.cc:2275
    #6 0x55b540b18a67 in create_tmp_field_from_field(THD*, Field*, char const*, TABLE*, Item_field*) /data/src/10.2/sql/sql_select.cc:16167
    #7 0x55b540b1a5f6 in create_tmp_field(THD*, TABLE*, Item*, Item::Type, Item***, Field**, Field**, bool, bool, bool, bool) /data/src/10.2/sql/sql_select.cc:16428
    #8 0x55b540b1da19 in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, char const*, bool, bool) /data/src/10.2/sql/sql_select.cc:16884
    #9 0x55b540ac3a23 in JOIN::create_postjoin_aggr_table(st_join_table*, List<Item>*, st_order*, bool, bool, bool) /data/src/10.2/sql/sql_select.cc:2957
    #10 0x55b540abfdd7 in JOIN::make_aggr_tables_info() /data/src/10.2/sql/sql_select.cc:2559
    #11 0x55b540abc40b in JOIN::optimize_inner() /data/src/10.2/sql/sql_select.cc:2230
    #12 0x55b540ab15ca in JOIN::optimize() /data/src/10.2/sql/sql_select.cc:1115
    #13 0x55b5411f8681 in subselect_single_select_engine::exec() /data/src/10.2/sql/item_subselect.cc:3811
    #14 0x55b5411db133 in Item_subselect::exec() /data/src/10.2/sql/item_subselect.cc:722
    #15 0x55b5411dc2b7 in Item_in_subselect::exec() /data/src/10.2/sql/item_subselect.cc:902
    #16 0x55b5411e41d8 in Item_in_subselect::val_bool() /data/src/10.2/sql/item_subselect.cc:1766
    #17 0x55b5408534a7 in Item::val_bool_result() /data/src/10.2/sql/item.h:1201
    #18 0x55b5410b4649 in Item_in_optimizer::val_int() /data/src/10.2/sql/item_cmpfunc.cc:1656
    #19 0x55b5410a5172 in Item_func_nop_all::val_int() /data/src/10.2/sql/item_cmpfunc.cc:367
    #20 0x55b5410d15ac in Item_cond::fix_fields(THD*, Item**) /data/src/10.2/sql/item_cmpfunc.cc:4619
    #21 0x55b5409248cc in setup_conds(THD*, TABLE_LIST*, List<TABLE_LIST>&, Item**) /data/src/10.2/sql/sql_base.cc:7905
    #22 0x55b540aabfa4 in setup_without_group /data/src/10.2/sql/sql_select.cc:640
    #23 0x55b540aadfc3 in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.2/sql/sql_select.cc:825
    #24 0x55b540acb08f in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3794
    #25 0x55b540aaa2d4 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:376
    #26 0x55b540a2ceed in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6479
    #27 0x55b540a19bd2 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3485
    #28 0x55b540a7f0c4 in Prepared_statement::execute(String*, bool) /data/src/10.2/sql/sql_prepare.cc:4799
    #29 0x55b540a7aa3f in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.2/sql/sql_prepare.cc:4228
 
Thread T27 created by T0 here:
    #0 0x7f0b7c239bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
    #1 0x55b54176d3e3 in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1912
    #2 0x55b54080a5de in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1239
    #3 0x55b54081f57b in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6466
    #4 0x55b54081fc80 in create_new_thread /data/src/10.2/sql/mysqld.cc:6536
    #5 0x55b540820c97 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6811
    #6 0x55b54081ead0 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6085
    #7 0x55b54080897f in main /data/src/10.2/sql/main.cc:25
    #8 0x7f0b7a5392b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
 
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.2/sql/field.h:1130 Field::is_null(long long) const
Shadow bytes around the buggy address:
  0x0c3280016a70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280016a80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280016a90: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280016aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280016ab0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c3280016ac0: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280016ad0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280016ae0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280016af0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280016b00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280016b10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==15184==ABORTING

Not reproducible on 10.1.



 Comments   
Comment by Alice Sherepa [ 2020-05-25 ]

A similar heap-use-after-free occurs with DECIMAL values, reached through the same path but via Item_cache_decimal::cache_value() / Item_field::val_decimal_result():

  #0 0x64678e in Field::is_null(long long) const /10.2/sql/field.h:1134
    #1 0xe523b0 in Item_field::val_decimal_result(my_decimal*) /10.2/sql/item.cc:2907
    #2 0xe8aa18 in Item_cache_decimal::cache_value() /10.2/sql/item.cc:10026
    #3 0xe9d1a3 in Item_cache::has_value() /10.2/sql/item.h:5723
    #4 0xe8b069 in Item_cache_decimal::val_decimal(my_decimal*) /10.2/sql/item.cc:10066
    #5 0xfe4fcf in Item_singlerow_subselect::val_decimal(my_decimal*) /10.2/sql/item_subselect.cc:1363
    #6 0xeae4f9 in Arg_comparator::compare_decimal() /10.2/sql/item_cmpfunc.cc:885
    #7 0xee979c in Arg_comparator::compare() /10.2/sql/item_cmpfunc.h:87
    #8 0xeb9179 in Item_func_le::val_int() /10.2/sql/item_cmpfunc.cc:1843
    #9 0xeb6dfb in Item_in_optimizer::val_int() /10.2/sql/item_cmpfunc.cc:1589
    #10 0xea7f92 in Item_func_nop_all::val_int() /10.2/sql/item_cmpfunc.cc:367
    #11 0xe3c099 in Item::val_bool() /10.2/sql/item.cc:112
    #12 0x9808e9 in Item::eval_const_cond() /10.2/sql/item.h:1185
    #13 0xed4d16 in Item_cond::eval_not_null_tables(void*) /10.2/sql/item_cmpfunc.cc:4696
    #14 0x748043 in Item_func_or_sum::walk(bool (Item::*)(void*), bool, void*) /10.2/sql/item.h:4378
    #15 0xed55e8 in Item_cond::walk(bool (Item::*)(void*), bool, void*) /10.2/sql/item_cmpfunc.cc:4768
    #16 0x814eb0 in st_select_lex::update_used_tables() /10.2/sql/sql_lex.cc:4254
    #17 0x8c9518 in JOIN::optimize_inner() /10.2/sql/sql_select.cc:1230
    #18 0x8c8194 in JOIN::optimize() /10.2/sql/sql_select.cc:1113
    #19 0x8e1abc in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.2/sql/sql_select.cc:3819
    #20 0x8c0db7 in handle_select(THD*, LEX*, select_result*, unsigned long) /10.2/sql/sql_select.cc:373
    #21 0x84663c in execute_sqlcom_select /10.2/sql/sql_parse.cc:6226
    #22 0x834d02 in mysql_execute_command(THD*) /10.2/sql/sql_parse.cc:3532
    #23 0x89683d in Prepared_statement::execute(String*, bool) /10.2/sql/sql_prepare.cc:4837
    #24 0x8921f1 in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /10.2/sql/sql_prepare.cc:4266
    #25 0x88ce4f in mysql_sql_stmt_execute(THD*) /10.2/sql/sql_prepare.cc:3374
    #26 0x834d47 in mysql_execute_command(THD*) /10.2/sql/sql_parse.cc:3548
    #27 0x84efaf in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.2/sql/sql_parse.cc:7741
    #28 0x82b5eb in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.2/sql/sql_parse.cc:1832
    #29 0x82879c in do_command(THD*) /10.2/sql/sql_parse.cc:1386
    #30 0xb60670 in do_handle_one_connection(CONNECT*) /10.2/sql/sql_connect.cc:1336
    #31 0xb60054 in handle_one_connection /10.2/sql/sql_connect.cc:1241
    #32 0x1d22f9f in pfs_spawn_thread /10.2/storage/perfschema/pfs.cc:1869
    #33 0x7f7d1b3f86b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #34 0x7f7d1a88d41c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

Comment by Alice Sherepa [ 2023-03-07 ]

11.0 68542c6e5083a1e747696

Version: '11.0.2-MariaDB-debug-log'  
=================================================================
==579029==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a00160cf38 at pc 0x5622dc3baa6d bp 0x7ff997ba7a70 sp 0x7ff997ba7a60
READ of size 8 at 0x61a00160cf38 thread T37
    #0 0x5622dc3baa6c in Field::is_null(long long) const /11.0/sql/field.h:1392
    #1 0x5622dd0513b4 in Item_field::str_result(String*) /11.0/sql/item.cc:3377
    #2 0x5622dd08e46b in Item_cache_str::cache_value() /11.0/sql/item.cc:10517
    #3 0x5622dcdb37a7 in Item_cache::has_value() /11.0/sql/item.h:7142
    #4 0x5622dd08e7a5 in Item_cache_str::val_str(String*) /11.0/sql/item.cc:10556
    #5 0x5622dd271331 in Item_singlerow_subselect::val_str(String*) /11.0/sql/item_subselect.cc:1480
    #6 0x5622dd0b0d50 in Arg_comparator::compare_string() /11.0/sql/item_cmpfunc.cc:771
    #7 0x5622dd0f5241 in Arg_comparator::compare() /11.0/sql/item_cmpfunc.h:103
    #8 0x5622dd0bd100 in Item_func_gt::val_int() /11.0/sql/item_cmpfunc.cc:1816
    #9 0x5622dd0ba456 in Item_in_optimizer::val_int() /11.0/sql/item_cmpfunc.cc:1569
    #10 0x5622dd0aa576 in Item_func_nop_all::val_int() /11.0/sql/item_cmpfunc.cc:263
    #11 0x5622dcd7d0fd in Type_handler_int_result::Item_val_bool(Item*) const /11.0/sql/sql_type.cc:5091
    #12 0x5622dc32a03d in Item::val_bool() /11.0/sql/item.h:1701
    #13 0x5622dc8c4b7d in Item::eval_const_cond() /11.0/sql/item.h:1708
    #14 0x5622dd0db584 in Item_cond::eval_not_null_tables(void*) /11.0/sql/item_cmpfunc.cc:5052
    #15 0x5622dc3bc9c9 in Item_func_or_sum::walk(bool (Item::*)(void*), bool, void*) /11.0/sql/item.h:5482
    #16 0x5622dd0dc5fb in Item_cond::walk(bool (Item::*)(void*), bool, void*) /11.0/sql/item_cmpfunc.cc:5200
    #17 0x5622dc662c75 in st_select_lex::update_used_tables() /11.0/sql/sql_lex.cc:5343
    #18 0x5622dc7dac02 in JOIN::optimize_inner() /11.0/sql/sql_select.cc:2116
    #19 0x5622dc7d8c34 in JOIN::optimize() /11.0/sql/sql_select.cc:1900
    #20 0x5622dc7fa826 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /11.0/sql/sql_select.cc:5137
    #21 0x5622dc7ca690 in handle_select(THD*, LEX*, select_result*, unsigned long long) /11.0/sql/sql_select.cc:611
    #22 0x5622dc6ec93c in execute_sqlcom_select /11.0/sql/sql_parse.cc:6267
    #23 0x5622dc6db1eb in mysql_execute_command(THD*, bool) /11.0/sql/sql_parse.cc:3949
    #24 0x5622dc78d155 in Prepared_statement::execute(String*, bool) /11.0/sql/sql_prepare.cc:5223
    #25 0x5622dc788253 in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /11.0/sql/sql_prepare.cc:4646
    #26 0x5622dc78173f in mysql_sql_stmt_execute(THD*) /11.0/sql/sql_prepare.cc:3690
    #27 0x5622dc6db230 in mysql_execute_command(THD*, bool) /11.0/sql/sql_parse.cc:3965
    #28 0x5622dc6f76bf in mysql_parse(THD*, char*, unsigned int, Parser_state*) /11.0/sql/sql_parse.cc:7999
    #29 0x5622dc6cd915 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /11.0/sql/sql_parse.cc:1894
    #30 0x5622dc6ca651 in do_command(THD*, bool) /11.0/sql/sql_parse.cc:1407
    #31 0x5622dcb97200 in do_handle_one_connection(CONNECT*, bool) /11.0/sql/sql_connect.cc:1416
    #32 0x5622dcb96b5d in handle_one_connection /11.0/sql/sql_connect.cc:1318
    #33 0x5622dd7af6bd in pfs_spawn_thread /11.0/storage/perfschema/pfs.cc:2201
    #34 0x7ff9c4d13608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
    #35 0x7ff9c48e4132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
 
0x61a00160cf38 is located 184 bytes inside of 1156-byte region [0x61a00160ce80,0x61a00160d304)
freed by thread T37 here:
    #0 0x7ff9c52a140f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
    #1 0x5622de3e6ca4 in free_memory /11.0/mysys/safemalloc.c:297
    #2 0x5622de3e60e1 in sf_free /11.0/mysys/safemalloc.c:203
    #3 0x5622de3b3a93 in my_free /11.0/mysys/my_malloc.c:213
    #4 0x5622de38d798 in root_free /11.0/mysys/my_alloc.c:78
    #5 0x5622de390022 in free_root /11.0/mysys/my_alloc.c:501
    #6 0x5622dc876583 in free_tmp_table(THD*, TABLE*) /11.0/sql/sql_select.cc:22309
    #7 0x5622dc8474f6 in JOIN::cleanup(bool) /11.0/sql/sql_select.cc:15980
    #8 0x5622dc846812 in JOIN::join_free() /11.0/sql/sql_select.cc:15868
    #9 0x5622dc878544 in do_select /11.0/sql/sql_select.cc:22604
    #10 0x5622dc7f8f58 in JOIN::exec_inner() /11.0/sql/sql_select.cc:4893
    #11 0x5622dc7f6309 in JOIN::exec() /11.0/sql/sql_select.cc:4670
    #12 0x5622dd28f70e in subselect_single_select_engine::exec() /11.0/sql/item_subselect.cc:4157
    #13 0x5622dd26afcc in Item_subselect::exec() /11.0/sql/item_subselect.cc:812
    #14 0x5622dd26c5ce in Item_in_subselect::exec() /11.0/sql/item_subselect.cc:994
    #15 0x5622dd277820 in Item_in_subselect::val_bool() /11.0/sql/item_subselect.cc:1991
    #16 0x5622dc32a51b in Item::val_bool_result() /11.0/sql/item.h:1797
    #17 0x5622dd0baf15 in Item_in_optimizer::val_int() /11.0/sql/item_cmpfunc.cc:1651
    #18 0x5622dd0aa576 in Item_func_nop_all::val_int() /11.0/sql/item_cmpfunc.cc:263
    #19 0x5622dcd7d0fd in Type_handler_int_result::Item_val_bool(Item*) const /11.0/sql/sql_type.cc:5091
    #20 0x5622dc32a03d in Item::val_bool() /11.0/sql/item.h:1701
    #21 0x5622dc8c4b7d in Item::eval_const_cond() /11.0/sql/item.h:1708
    #22 0x5622dd0dac91 in Item_cond::fix_fields(THD*, Item**) /11.0/sql/item_cmpfunc.cc:4946
    #23 0x5622dc416b6e in Item::fix_fields_if_needed(THD*, Item**) /11.0/sql/item.h:1147
    #24 0x5622dc416ba8 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /11.0/sql/item.h:1156
    #25 0x5622dc54f4b8 in Item::fix_fields_if_needed_for_bool(THD*, Item**) /11.0/sql/item.h:1160
    #26 0x5622dc546421 in setup_conds(THD*, TABLE_LIST*, List<TABLE_LIST>&, Item**) /11.0/sql/sql_base.cc:8806
    #27 0x5622dc7cc6b9 in setup_without_group /11.0/sql/sql_select.cc:914
    #28 0x5622dc7d3e33 in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /11.0/sql/sql_select.cc:1494
    #29 0x5622dc7fa78d in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /11.0/sql/sql_select.cc:5126
 
previously allocated by thread T37 here:
    #0 0x7ff9c52a1808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x5622de3e5a95 in sf_malloc /11.0/mysys/safemalloc.c:126
    #2 0x5622de3b2c6d in my_malloc /11.0/mysys/my_malloc.c:91
    #3 0x5622de38d710 in root_alloc /11.0/mysys/my_alloc.c:66
    #4 0x5622de38eec6 in alloc_root /11.0/mysys/my_alloc.c:332
    #5 0x5622de390a61 in memdup_root /11.0/mysys/my_alloc.c:597
    #6 0x5622dcf4fe35 in Field::make_new_field(st_mem_root*, TABLE*, bool) /11.0/sql/field.cc:2551
    #7 0x5622dcf82eca in Field_string::make_new_field(st_mem_root*, TABLE*, bool) /11.0/sql/field.cc:7804
    #8 0x5622dcf502ee in Field::create_tmp_field(st_mem_root*, TABLE*, bool) /11.0/sql/field.cc:2607
    #9 0x5622dc8604c5 in Item_field::create_tmp_field_from_item_field(st_mem_root*, TABLE*, Item_ref*, Tmp_field_param const*) /11.0/sql/sql_select.cc:20246
    #10 0x5622dc860805 in Item_field::create_tmp_field_ex(st_mem_root*, TABLE*, Tmp_field_src*, Tmp_field_param const*) /11.0/sql/sql_select.cc:20263
    #11 0x5622dc861eee in create_tmp_field(TABLE*, Item*, Item***, Field**, Field**, bool, bool, bool, bool) /11.0/sql/sql_select.cc:20441
    #12 0x5622dc866aaf in Create_tmp_table::add_fields(THD*, TABLE*, TMP_TABLE_PARAM*, List<Item>&) /11.0/sql/sql_select.cc:20877
    #13 0x5622dc86fb43 in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool) /11.0/sql/sql_select.cc:21529
    #14 0x5622dc7f0acf in JOIN::create_postjoin_aggr_table(st_join_table*, List<Item>*, st_order*, bool, bool, bool) /11.0/sql/sql_select.cc:4161
    #15 0x5622dc7ec071 in JOIN::make_aggr_tables_info() /11.0/sql/sql_select.cc:3721
    #16 0x5622dc7e7842 in JOIN::optimize_stage2() /11.0/sql/sql_select.cc:3345
    #17 0x5622dc7dfe69 in JOIN::optimize_inner() /11.0/sql/sql_select.cc:2598
    #18 0x5622dc7d8c34 in JOIN::optimize() /11.0/sql/sql_select.cc:1900
    #19 0x5622dd28e470 in subselect_single_select_engine::exec() /11.0/sql/item_subselect.cc:4073
    #20 0x5622dd26afcc in Item_subselect::exec() /11.0/sql/item_subselect.cc:812
    #21 0x5622dd26c5ce in Item_in_subselect::exec() /11.0/sql/item_subselect.cc:994
    #22 0x5622dd277820 in Item_in_subselect::val_bool() /11.0/sql/item_subselect.cc:1991
    #23 0x5622dc32a51b in Item::val_bool_result() /11.0/sql/item.h:1797
    #24 0x5622dd0baf15 in Item_in_optimizer::val_int() /11.0/sql/item_cmpfunc.cc:1651
    #25 0x5622dd0aa576 in Item_func_nop_all::val_int() /11.0/sql/item_cmpfunc.cc:263
    #26 0x5622dcd7d0fd in Type_handler_int_result::Item_val_bool(Item*) const /11.0/sql/sql_type.cc:5091
    #27 0x5622dc32a03d in Item::val_bool() /11.0/sql/item.h:1701
    #28 0x5622dc8c4b7d in Item::eval_const_cond() /11.0/sql/item.h:1708
    #29 0x5622dd0dac91 in Item_cond::fix_fields(THD*, Item**) /11.0/sql/item_cmpfunc.cc:4946
 
Thread T37 created by T0 here:
    #0 0x7ff9c51ce815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
    #1 0x5622dd7ab29a in my_thread_create /11.0/storage/perfschema/my_thread.h:52
    #2 0x5622dd7afab0 in pfs_spawn_thread_v1 /11.0/storage/perfschema/pfs.cc:2252
    #3 0x5622dc2fff07 in inline_mysql_thread_create /11.0/include/mysql/psi/mysql_thread.h:1139
    #4 0x5622dc3186fe in create_thread_to_handle_connection(CONNECT*) /11.0/sql/mysqld.cc:6125
    #5 0x5622dc318d7a in create_new_thread(CONNECT*) /11.0/sql/mysqld.cc:6184
    #6 0x5622dc3190e7 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /11.0/sql/mysqld.cc:6246
    #7 0x5622dc319add in handle_connections_sockets() /11.0/sql/mysqld.cc:6370
    #8 0x5622dc317f0b in mysqld_main(int, char**) /11.0/sql/mysqld.cc:6020
    #9 0x5622dc2ff00c in main /11.0/sql/main.cc:34
    #10 0x7ff9c47e9082 in __libc_start_main ../csu/libc-start.c:308
 
SUMMARY: AddressSanitizer: heap-use-after-free /11.0/sql/field.h:1392 in Field::is_null(long long) const
Shadow bytes around the buggy address:
  0x0c34802b9990: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c34802b99a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c34802b99b0: f7 f7 f7 f7 f7 f7 f7 fa fa fa fa fa fa fa fa fa
  0x0c34802b99c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c34802b99d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c34802b99e0: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
  0x0c34802b99f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c34802b9a00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c34802b9a10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c34802b9a20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c34802b9a30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==579029==ABORTING
SHUTDOWN_1678122988
