[MDEV-18303] AddressSanitizer: heap-use-after-free in Field::eq Created: 2019-01-18  Updated: 2019-03-18

Status: Confirmed
Project: MariaDB Server
Component/s: Optimizer
Affects Version/s: 10.1
Fix Version/s: 10.1

Type: Bug Priority: Major
Reporter: Alice Sherepa Assignee: Sergei Petrunia
Resolution: Unresolved Votes: 0
Labels: None


 Description   

-- Reproducer for the heap-use-after-free reported below: Field::eq is
-- reached from compute_part_of_sort_key_for_equals while the optimizer
-- decides whether the ORDER BY sort can be skipped (see the ASan trace).
-- Enable the optimizer feature that resolves ORDER BY through known
-- equalities; the crashing frame in the trace lives in that code path.
set session optimizer_switch ='orderby_uses_equalities=on';
 
-- t1: ten single-character rows, with repeated values ('x', 'g').
create table t1 (v1 varchar(1)) ;
insert into t1 values ('x'),('g'),('o'),('g'),('v'),('m'),('x'),('c'),('z'),('i');
 
-- t2: same shape as t1 but left without rows (no insert follows).
create table t2 (v1 varchar(1)) ;
 
-- t3: ten more single-character rows, also with repeats ('v', 'g').
create table t3 (v1 varchar(1));
insert into t3 values ('v'),('k'),('s'),('y'),('g'),('j'),('g'),('e'),('v'),('p');
 
-- The crashing statement. STRAIGHT_JOIN pins the join order t1 -> t2.
-- The IN-subquery is a comma (cross) join of t3 with a second instance
-- of t1, with no filter, and takes MIN over it. ORDER BY uses the select
-- alias f1 (t2.v1), which the ON clause ties to t1.v1 by equality —
-- presumably the equality the sort-key code walks when it touches the
-- freed Field; the exact sequence is inferred from the trace, confirm in
-- a debugger.
select t2.v1 as f1
from t1 straight_join t2 on (t2.v1=t1.v1) where t2.v1 in (select min(t1.v1) from t3,t1)
order by f1;
 
-- Remove the fixture tables.
drop table t1,t2,t3;

10.1 1d72db45a880d07fec5eda

 AddressSanitizer: heap-use-after-free on address 0x6190000a5610 at pc 0x55fac577ad8f bp 0x7f60487ce830 sp 0x7f60487ce820
READ of size 8 at 0x6190000a5610 thread T23
    #0 0x55fac577ad8e in Field::eq(Field*) /10.1/sql/field.h:781
    #1 0x55fac58541b9 in Item_equal::contains(Field*) /10.1/sql/item_cmpfunc.cc:6392
    #2 0x55fac53c4aa8 in compute_part_of_sort_key_for_equals(JOIN*, TABLE*, Item_field*, Bitmap<64u>*) /10.1/sql/sql_select.cc:20963
    #3 0x55fac53c5031 in test_if_skip_sort_order /10.1/sql/sql_select.cc:21064
    #4 0x55fac53e5a51 in create_sort_index /10.1/sql/sql_select.cc:21610
    #5 0x55fac5409f5b in JOIN::exec_inner() /10.1/sql/sql_select.cc:3240
    #6 0x55fac540b4b5 in JOIN::exec() /10.1/sql/sql_select.cc:2562
    #7 0x55fac540090c in mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.1/sql/sql_select.cc:3499
    #8 0x55fac54010d6 in handle_select(THD*, LEX*, select_result*, unsigned long) /10.1/sql/sql_select.cc:388
    #9 0x55fac52e21f8 in execute_sqlcom_select /10.1/sql/sql_parse.cc:5950
    #10 0x55fac52fab86 in mysql_execute_command(THD*) /10.1/sql/sql_parse.cc:2995
    #11 0x55fac53121e2 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /10.1/sql/sql_parse.cc:7468
    #12 0x55fac5318753 in dispatch_command(enum_server_command, THD*, char*, unsigned int) /10.1/sql/sql_parse.cc:1496
    #13 0x55fac531ed56 in do_command(THD*) /10.1/sql/sql_parse.cc:1124
    #14 0x55fac5595a11 in do_handle_one_connection(THD*) /10.1/sql/sql_connect.cc:1330
    #15 0x55fac5595efd in handle_one_connection /10.1/sql/sql_connect.cc:1242
    #16 0x55fac63bf791 in pfs_spawn_thread /10.1/storage/perfschema/pfs.cc:1861
    #17 0x7f605d9806b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #18 0x7f605d02b41c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

Reproducible with InnoDB and MyISAM. Reproducible only on 10.1 with the current test case.

