[MDEV-18925] ASAN heap-use-after-free in Item_exists_subselect::is_top_level_item Created: 2019-03-14  Updated: 2021-01-29  Resolved: 2021-01-29

Status: Closed
Project: MariaDB Server
Component/s: Data Manipulation - Subquery
Affects Version/s: 10.2, 10.3
Fix Version/s: 10.2.37, 10.3.28

Type: Bug Priority: Major
Reporter: Alice Sherepa Assignee: Oleksandr Byelkin
Resolution: Fixed Votes: 0
Labels: None

Attachments: File dt.7z    
Issue Links:
Relates
relates to MDEV-18339 ASAN heap-buffer-overflow in Item_exi... Closed

 Description   

10.2 69abd43703fcf68c4cf1

==24741==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290000db2b1 at pc 0x55da1d1d8b7f bp 0x7fe1516c44b0 sp 0x7fe1516c44a0
READ of size 1 at 0x6290000db2b1 thread T33
    #0 0x55da1d1d8b7e in Item_exists_subselect::is_top_level_item() /10.2/src/sql/item_subselect.h:410
    #1 0x55da1d1d8b7e in Item_in_optimizer::is_top_level_item() /10.2/src/sql/item_cmpfunc.cc:1218
    #2 0x55da1d1d8bc0 in Item_in_optimizer::eval_not_null_tables(void*) /10.2/src/sql/item_cmpfunc.cc:1237
    #3 0x55da1cafd2f6 in Item_func_or_sum::walk(bool (Item::*)(void*), bool, void*) /10.2/src/sql/item.h:4263
    #4 0x55da1d1c6df2 in Item_cond::walk(bool (Item::*)(void*), bool, void*) /10.2/src/sql/item_cmpfunc.cc:4751
    #5 0x55da1cbb243b in st_select_lex::update_used_tables() /10.2/src/sql/sql_lex.cc:4245
    #6 0x55da1cbb678e in st_select_lex::optimize_unflattened_subqueries(bool) /10.2/src/sql/sql_lex.cc:3862
    #7 0x55da1cf6b9f6 in JOIN::optimize_constant_subqueries() /10.2/src/sql/opt_subselect.cc:5341
    #8 0x55da1cce6eca in JOIN::optimize_inner() /10.2/src/sql/sql_select.cc:1337
    #9 0x55da1ccf4f7b in JOIN::optimize() /10.2/src/sql/sql_select.cc:1115
    #10 0x55da1ccfdc62 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.2/src/sql/sql_select.cc:3804
    #11 0x55da1ccfe5c7 in handle_select(THD*, LEX*, select_result*, unsigned long) /10.2/src/sql/sql_select.cc:376
    #12 0x55da1cbbbf6b in execute_sqlcom_select /10.2/src/sql/sql_parse.cc:6525
    #13 0x55da1cbd7a18 in mysql_execute_command(THD*) /10.2/src/sql/sql_parse.cc:3537
    #14 0x55da1cbf04ac in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.2/src/sql/sql_parse.cc:8059
    #15 0x55da1cbf7292 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.2/src/sql/sql_parse.cc:1829
    #16 0x55da1cbfe428 in do_command(THD*) /10.2/src/sql/sql_parse.cc:1379
    #17 0x55da1ceb01a6 in do_handle_one_connection(CONNECT*) /10.2/src/sql/sql_connect.cc:1335
    #18 0x55da1ceb069e in handle_one_connection /10.2/src/sql/sql_connect.cc:1241
    #19 0x7fe1828176b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #20 0x7fe181ec241c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

Whether it reproduces depends on the length of the query.

-- RQG-generated query (tagged QNO 41 CON_ID 17) that triggered the ASAN report above:
-- a 1-byte heap read in Item_exists_subselect::is_top_level_item() reached from
-- JOIN::optimize() -> optimize_constant_subqueries() -> update_used_tables().
-- Reproduction depends on the exact query length, so keep the text verbatim.
-- The DDL for view_A, B, BB, C, CC and D is not shown here (presumably in the attached dt.7z).
SELECT alias1.`col_varchar_key` AS cfield1 FROM ( `view_A` AS alias1, `B` AS alias2 ) WHERE ( ( SELECT MIN( SQ1_alias1.`pk` ) AS SQ1_ifield1 FROM ( `D` AS SQ1_alias1 INNER JOIN ( `CC` AS SQ1_alias2 INNER JOIN `BB` AS SQ1_alias3 ON (SQ1_alias3.`col_varchar_key` = SQ1_alias2.`col_varchar_key` ) ) ON (SQ1_alias3.`col_varchar_key` = SQ1_alias2.`col_varchar_nokey` ) ) WHERE EXISTS ( SELECT SQL_SMALL_RESULT C_SQ1_alias1.`col_int_nokey` AS C_SQ1_ifield1 FROM `C` AS C_SQ1_alias1 WHERE C_SQ1_alias1.`col_varchar_key` > SQ1_alias3.`col_varchar_nokey` ) ) IS NULL ) AND alias1.`pk` IS NULL GROUP BY cfield1  /* QNO 41 CON_ID 17 */;



 Comments   
Comment by Elena Stepanova [ 2019-04-15 ]

Self-contained unsimplified test case which causes the same failure on 10.3:

# MDEV-18925 unsimplified reproducer (mysqltest .test file; `#` lines are comments).
# The SELECT at the end triggered an ASAN heap-buffer-overflow read in
# Item_exists_subselect::is_top_level_item() during JOIN::optimize() on 10.3.
# Reproduction is sensitive to the exact query text/length: keep the query verbatim.
--source include/have_innodb.inc
 
# Tables A and BB have identical layouts; CC is a reduced copy. Each has a composite
# secondary key on (col_varchar_key, col_int_key). The `/*! NULL */` executable comments
# are part of the original generated DDL and are kept as-is.
CREATE TABLE A (
               pk INTEGER AUTO_INCREMENT,
               col_int_nokey INTEGER /*! NULL */,
               col_int_key INTEGER,
               col_date_key DATE,
               col_date_nokey DATE /*! NULL */,
               col_time_key TIME,
               col_time_nokey TIME /*! NULL */,
               col_datetime_key DATETIME,
               col_datetime_nokey DATETIME /*! NULL */,
               col_varchar_key VARCHAR(1),
               col_varchar_nokey VARCHAR(1) /*! NULL */,
               PRIMARY KEY (pk),
               KEY (col_varchar_key, col_int_key)
           )  ENGINE=InnoDB;
# The views are what the subqueries read; the allocation trace shows the overrun
# region was created by create_tmp_table() via mysql_derived_prepare().
CREATE VIEW view_A AS SELECT * FROM A;
CREATE TABLE BB (
               pk INTEGER AUTO_INCREMENT,
               col_int_nokey INTEGER /*! NULL */,
               col_int_key INTEGER,
               col_date_key DATE,
               col_date_nokey DATE /*! NULL */,
               col_time_key TIME,
               col_time_nokey TIME /*! NULL */,
               col_datetime_key DATETIME,
               col_datetime_nokey DATETIME /*! NULL */,
               col_varchar_key VARCHAR(1),
               col_varchar_nokey VARCHAR(1) /*! NULL */,
               PRIMARY KEY (pk),
               KEY (col_varchar_key, col_int_key)
           )  AUTO_INCREMENT=10 ENGINE=InnoDB;
CREATE VIEW view_BB AS SELECT * FROM BB;
CREATE TABLE CC (
               pk INTEGER AUTO_INCREMENT,
               col_int_nokey INTEGER /*! NULL */,
               col_int_key INTEGER,
               col_datetime_key DATETIME,
               col_varchar_key VARCHAR(1),
               col_varchar_nokey VARCHAR(1) /*! NULL */,
               PRIMARY KEY (pk),
               KEY (col_varchar_key, col_int_key)
           )  AUTO_INCREMENT=10 ENGINE=InnoDB;
 
# Outer WHERE: `!= ANY (...)` subquery (Item_in_optimizer in the trace) whose inner
# WHERE contains an EXISTS subquery over view_A, then `AND 0 = 1`, which makes the
# condition unsatisfiable. The failure still occurs because it happens while the
# optimizer walks the condition (update_used_tables -> eval_not_null_tables),
# not during row retrieval.
SELECT alias1.`col_varchar_key` FROM ( `CC` AS alias1 INNER JOIN ( ( `CC` AS alias2 INNER JOIN `A` AS alias3 ON (alias3.`col_varchar_key` < alias2.`col_varchar_nokey` ) ) ) ON (( alias3.`pk` >= alias2.`pk` ) AND (alias3.`pk` <> alias2.`pk` ) ) ) WHERE ( 'f' != ANY ( SELECT SQ1_alias1.`col_varchar_nokey` AS SQ1_cfield1 FROM ( `A` AS SQ1_alias1 INNER JOIN `view_BB` AS SQ1_alias2 ON (SQ1_alias2.`col_int_nokey` = SQ1_alias1.`pk` ) ) WHERE ( SQ1_alias1.`pk` > SQ1_alias1.`col_int_key` AND EXISTS ( SELECT C_SQ1_alias1.`col_int_nokey` AS C_SQ1_ifield1 FROM `view_A` AS C_SQ1_alias1 WHERE C_SQ1_alias1.`pk` <> SQ1_alias1.`col_int_nokey` ) ) ) ) AND alias1.`col_int_nokey` = 6 AND 0 = 1 ORDER BY alias1.col_varchar_key;

10.3 ASAN 4dc10ec6

==4089==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d000224471 at pc 0x557ede71c472 bp 0x7fa1ece4d1a0 sp 0x7fa1ece4d198
READ of size 1 at 0x62d000224471 thread T27
    #0 0x557ede71c471 in Item_exists_subselect::is_top_level_item() /data/src/10.3/sql/item_subselect.h:411
    #1 0x557edeaa885e in Item_in_optimizer::is_top_level_item() /data/src/10.3/sql/item_cmpfunc.cc:1164
    #2 0x557edeaa89f9 in Item_in_optimizer::eval_not_null_tables(void*) /data/src/10.3/sql/item_cmpfunc.cc:1183
    #3 0x557ede1b3a4b in Item_func_or_sum::walk(bool (Item::*)(void*), bool, void*) /data/src/10.3/sql/item.h:4698
    #4 0x557edeaca82e in Item_cond::walk(bool (Item::*)(void*), bool, void*) /data/src/10.3/sql/item_cmpfunc.cc:4744
    #5 0x557ede28e0af in st_select_lex::update_used_tables() /data/src/10.3/sql/sql_lex.cc:4443
    #6 0x557ede28ba9a in st_select_lex::optimize_unflattened_subqueries(bool) /data/src/10.3/sql/sql_lex.cc:4044
    #7 0x557ede71711e in JOIN::optimize_constant_subqueries() /data/src/10.3/sql/opt_subselect.cc:5325
    #8 0x557ede37cb85 in JOIN::optimize_inner() /data/src/10.3/sql/sql_select.cc:1645
    #9 0x557ede37b1f9 in JOIN::optimize() /data/src/10.3/sql/sql_select.cc:1451
    #10 0x557ede395b15 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.3/sql/sql_select.cc:4225
    #11 0x557ede370820 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.3/sql/sql_select.cc:385
    #12 0x557ede2f3951 in execute_sqlcom_select /data/src/10.3/sql/sql_parse.cc:6548
    #13 0x557ede2e21c9 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3821
    #14 0x557ede2fc74f in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8091
    #15 0x557ede2d6877 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1857
    #16 0x557ede2d38cd in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1403
    #17 0x557ede647461 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
    #18 0x557ede646e6d in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
    #19 0x557edf17d649 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
    #20 0x7fa1f8b9d493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
    #21 0x7fa1f6b6593e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
 
0x62d000224471 is located 77 bytes to the right of 32804-byte region [0x62d00021c400,0x62d000224424)
allocated by thread T27 here:
    #0 0x7fa1f8e0773f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x557edfb2d199 in sf_malloc /data/src/10.3/mysys/safemalloc.c:118
    #2 0x557edfafda94 in my_malloc /data/src/10.3/mysys/my_malloc.c:101
    #3 0x557edfadd340 in alloc_root /data/src/10.3/mysys/my_alloc.c:250
    #4 0x557ede434466 in Sql_alloc::operator new[](unsigned long, st_mem_root*) /data/src/10.3/sql/sql_alloc.h:37
    #5 0x557ede3e8cf7 in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool) /data/src/10.3/sql/sql_select.cc:17270
    #6 0x557ede53428d in select_unit::create_result_table(THD*, List<Item>*, bool, unsigned long long, st_mysql_const_lex_string const*, bool, bool, bool, unsigned int) /data/src/10.3/sql/sql_union.cc:375
    #7 0x557ede2313b7 in mysql_derived_prepare(THD*, LEX*, TABLE_LIST*) /data/src/10.3/sql/sql_derived.cc:773
    #8 0x557ede22e4cb in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /data/src/10.3/sql/sql_derived.cc:199
    #9 0x557ede5af560 in TABLE_LIST::handle_derived(LEX*, unsigned int) /data/src/10.3/sql/table.cc:8189
    #10 0x557ede26c68c in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /data/src/10.3/sql/sql_lex.h:3970
    #11 0x557ede28bf16 in st_select_lex::handle_derived(LEX*, unsigned int) /data/src/10.3/sql/sql_lex.cc:4100
    #12 0x557ede3761a1 in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.3/sql/sql_select.cc:1000
    #13 0x557edec00d1f in subselect_single_select_engine::prepare(THD*) /data/src/10.3/sql/item_subselect.cc:3683
    #14 0x557edebe0a67 in Item_subselect::fix_fields(THD*, Item**) /data/src/10.3/sql/item_subselect.cc:276
    #15 0x557edebfd576 in Item_exists_subselect::fix_fields(THD*, Item**) /data/src/10.3/sql/item_subselect.cc:3270
    #16 0x557ede0a872c in Item::fix_fields_if_needed(THD*, Item**) /data/src/10.3/sql/item.h:824
    #17 0x557ede0a875a in Item::fix_fields_if_needed_for_scalar(THD*, Item**) (/data/bld/10.3-asan/bin/mysqld+0xc1675a)
    #18 0x557ede1b295c in Item::fix_fields_if_needed_for_bool(THD*, Item**) /data/src/10.3/sql/item.h:832
    #19 0x557edeac9274 in Item_cond::fix_fields(THD*, Item**) /data/src/10.3/sql/item_cmpfunc.cc:4605
    #20 0x557ede0a872c in Item::fix_fields_if_needed(THD*, Item**) /data/src/10.3/sql/item.h:824
    #21 0x557ede0a875a in Item::fix_fields_if_needed_for_scalar(THD*, Item**) (/data/bld/10.3-asan/bin/mysqld+0xc1675a)
    #22 0x557ede1b295c in Item::fix_fields_if_needed_for_bool(THD*, Item**) /data/src/10.3/sql/item.h:832
    #23 0x557ede1aac6a in setup_conds(THD*, TABLE_LIST*, List<TABLE_LIST>&, Item**) /data/src/10.3/sql/sql_base.cc:8191
    #24 0x557ede37249b in setup_without_group /data/src/10.3/sql/sql_select.cc:649
    #25 0x557ede37751a in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.3/sql/sql_select.cc:1113
    #26 0x557edec00d1f in subselect_single_select_engine::prepare(THD*) /data/src/10.3/sql/item_subselect.cc:3683
    #27 0x557edebe0a67 in Item_subselect::fix_fields(THD*, Item**) /data/src/10.3/sql/item_subselect.cc:276
    #28 0x557edebfdfd1 in Item_in_subselect::fix_fields(THD*, Item**) /data/src/10.3/sql/item_subselect.cc:3336
    #29 0x557ede0a872c in Item::fix_fields_if_needed(THD*, Item**) /data/src/10.3/sql/item.h:824
 
Thread T27 created by T0 here:
    #0 0x7fa1f8dd6bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
    #1 0x557edf17dc11 in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1912
    #2 0x557ede03eef8 in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1268
    #3 0x557ede05488e in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6589
    #4 0x557ede054f93 in create_new_thread /data/src/10.3/sql/mysqld.cc:6659
    #5 0x557ede055faa in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6934
    #6 0x557ede053d4b in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6211
    #7 0x557ede03cf7f in main /data/src/10.3/sql/main.cc:25
    #8 0x7fa1f6a9d2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
 
SUMMARY: AddressSanitizer: heap-buffer-overflow /data/src/10.3/sql/item_subselect.h:411 Item_exists_subselect::is_top_level_item()
Shadow bytes around the buggy address:
  0x0c5a8003c830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a8003c840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a8003c850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a8003c860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a8003c870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5a8003c880: 00 f7 f7 f7 04 fa fa fa fa fa fa fa fa fa[fa]fa
  0x0c5a8003c890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a8003c8a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a8003c8b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a8003c8c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a8003c8d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==4089==ABORTING

Comment by Alice Sherepa [ 2019-04-26 ]

I failed to simplify elenst's test case; as with MDEV-18339, the problem depends on the length of the query. The test is reproducible on 10.3 acf6f92aa936fbfe75246 with InnoDB, but passes on 10.2 9a5a86f293b6fe40ad60 (please fix it in 10.2 as well — I initially encountered it on 10.2).

# MDEV-18925 reduced reproducer (mysqltest .test file; `#` lines are comments).
# Same shape as the unsimplified case: tables A/BB/CC, views over A and BB, and a
# SELECT with a `!= ANY` subquery that itself contains an EXISTS subquery over view_A.
# Per the comment above it reproduced on 10.3 acf6f92aa936fbfe75246 but passed on
# 10.2 9a5a86f293b6fe40ad60; reproduction depends on query length, so keep it verbatim.
--source include/have_innodb.inc
 
# Stripped-down DDL: no keys or AUTO_INCREMENT, only the column set the query touches.
CREATE TABLE A ( pk int , col_int_nokey int , col_int_key int, col_date_key date, col_date_nokey date , col_time_key time, col_time_nokey time , col_datetime_key datetime, col_datetime_nokey datetime , col_varchar_key varchar(1), col_varchar_nokey varchar(1))engine=innodb;
CREATE VIEW view_A AS SELECT * FROM A;
 
CREATE TABLE BB ( pk int , col_int_nokey int , col_int_key int, col_date_key date, col_date_nokey date , col_time_key time, col_time_nokey time , col_datetime_key datetime, col_datetime_nokey datetime , col_varchar_key varchar(1), col_varchar_nokey varchar(1)) engine=innodb;
CREATE VIEW view_BB AS SELECT * FROM BB;
 
CREATE TABLE CC ( pk int , col_int_nokey int , col_int_key int, col_varchar_key varchar(1), col_varchar_nokey varchar(1) )engine=innodb;
 
# The duplicated `alias3.pk = alias2.pk` in the ON clause and the trailing `AND 0 = 1`
# are intentional leftovers of the reduction; the failure is raised while the
# optimizer walks the WHERE condition, before any rows are produced.
SELECT alias1.`col_varchar_key`
FROM (`CC` AS alias1 JOIN 
	((`CC` AS alias2 JOIN `A` AS alias3 ON (alias3.`col_varchar_key` = alias2.`col_varchar_nokey`))) 
	ON (alias3.`pk` = alias2.`pk` AND alias3.`pk` = alias2.`pk`))
WHERE ('f' != ANY (SELECT SQ1_alias1.`col_varchar_nokey` AS SQ1_cfield1 
	FROM (`A` AS SQ1_alias1 JOIN `view_BB` AS SQ1_alias2 ON (SQ1_alias2.`col_int_nokey` = SQ1_alias1.`pk`))
    WHERE (SQ1_alias1.`pk` > SQ1_alias1.`col_int_key` AND EXISTS 
    	(SELECT C_SQ1_alias1.`col_int_nokey` AS C_SQ1_ifield1 FROM `view_A` AS C_SQ1_alias1 
    		WHERE C_SQ1_alias1.`pk` <> SQ1_alias1.`col_int_nokey`))))
AND alias1.`col_int_nokey` = 6
AND 0 = 1
ORDER BY alias1.col_varchar_key;

Comment by Alice Sherepa [ 2019-07-11 ]

No longer reproducible with the test cases above, but the crash still happens (on the build below):

10.3 099007c3c92d140562577

 
==4096==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d000ada451 at pc 0x55e47cf5d94e bp 0x7f1adc9d9770 sp 0x7f1adc9d9760
READ of size 1 at 0x62d000ada451 thread T35
    #0 0x55e47cf5d94d in Item_exists_subselect::is_top_level_item() /10.3/sql/item_subselect.h:411
    #1 0x55e47d2d93d6 in Item_in_optimizer::is_top_level_item() /10.3/sql/item_cmpfunc.cc:1164
    #2 0x55e47d2d9573 in Item_in_optimizer::eval_not_null_tables(void*) /10.3/sql/item_cmpfunc.cc:1183
    #3 0x55e47ca1d24f in Item_func_or_sum::walk(bool (Item::*)(void*), bool, void*) /10.3/sql/item.h:4705
    #4 0x55e47ca1c35a in Item_args::walk_args(bool (Item::*)(void*), bool, void*) /10.3/sql/item.h:2201
    #5 0x55e47ca1d12c in Item_func_or_sum::walk(bool (Item::*)(void*), bool, void*) /10.3/sql/item.h:4703
    #6 0x55e47d2fae56 in Item_cond::walk(bool (Item::*)(void*), bool, void*) /10.3/sql/item_cmpfunc.cc:4744
    #7 0x55e47caf251a in st_select_lex::update_used_tables() /10.3/sql/sql_lex.cc:4475
    #8 0x55e47caf0011 in st_select_lex::optimize_unflattened_subqueries(bool) /10.3/sql/sql_lex.cc:4076
    #9 0x55e47cf584f0 in JOIN::optimize_unflattened_subqueries() /10.3/sql/opt_subselect.cc:5302
    #10 0x55e47cbe2a99 in JOIN::optimize_stage2() /10.3/sql/sql_select.cc:2431
    #11 0x55e47cbdd701 in JOIN::optimize_inner() /10.3/sql/sql_select.cc:1915
    #12 0x55e47cbd9261 in JOIN::optimize() /10.3/sql/sql_select.cc:1452
    #13 0x55e47cbf359a in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.3/sql/sql_select.cc:4227
    #14 0x55e47cbcea5e in handle_select(THD*, LEX*, select_result*, unsigned long) /10.3/sql/sql_select.cc:385
    #15 0x55e47cb55915 in execute_sqlcom_select /10.3/sql/sql_parse.cc:6562
    #16 0x55e47cb443b0 in mysql_execute_command(THD*) /10.3/sql/sql_parse.cc:3818
    #17 0x55e47cb5e295 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.3/sql/sql_parse.cc:8105
    #18 0x55e47cb38d9d in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.3/sql/sql_parse.cc:1858
    #19 0x55e47cb35f01 in do_command(THD*) /10.3/sql/sql_parse.cc:1404
    #20 0x55e47ce8cec1 in do_handle_one_connection(CONNECT*) /10.3/sql/sql_connect.cc:1402
    #21 0x55e47ce8c89e in handle_one_connection /10.3/sql/sql_connect.cc:1308
    #22 0x7f1b0db756b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #23 0x7f1b0d00a41c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

Comment by Elena Stepanova [ 2020-04-15 ]

Same problem with Valgrind, still reproducible:

$ perl ./mtr main.subselect_no_semijoin --valgrind

10.3 9aacda40 Valgrind

main.subselect_no_semijoin               w12 [ fail ]  Found warnings/errors in server log file!
        Test ended at 2020-04-15 14:02:49
line
==88010== Thread 6:
==88010== Invalid read of size 1
==88010==    at 0x8A85CE: Item_exists_subselect::is_top_level_item() (item_subselect.h:410)
==88010==    by 0x9BA151: Item_in_optimizer::is_top_level_item() (item_cmpfunc.cc:1233)
==88010==    by 0x9BA1FA: Item_in_optimizer::eval_not_null_tables(void*) (item_cmpfunc.cc:1252)
==88010==    by 0x68E712: Item_func_or_sum::walk(bool (Item::*)(void*), bool, void*) (item.h:4352)
==88010==    by 0x9C5867: Item_cond::walk(bool (Item::*)(void*), bool, void*) (item_cmpfunc.cc:4766)
==88010==    by 0x6E20A6: st_select_lex::update_used_tables() (sql_lex.cc:4244)
==88010==    by 0x6E1409: st_select_lex::optimize_unflattened_subqueries(bool)
==88010==    by 0x8A6633: JOIN::optimize_unflattened_subqueries() (opt_subselect.cc:5332)
==88010==    by 0x734DFA: JOIN::optimize_inner() (sql_select.cc:2071)
==88010==    by 0x7315C8: JOIN::optimize() (sql_select.cc:1113)
==88010==    by 0x73AC4C: mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:3814)
==88010==    by 0x72ED2F: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:373)
==88010==    by 0x6FA0CC: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:6224)
==88010==    by 0x6F0DB9: mysql_execute_command(THD*) (sql_parse.cc:3531)
==88010==    by 0x6FDF7F: mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) (sql_parse.cc:7739)
==88010==    by 0x6EC584: dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) (sql_parse.cc:1831)
==88010==  Address 0xd4ea5b1 is 31 bytes before a block of size 2,944 in arena "client"
