[MDEV-22600] Various ASAN use-after-poison errors or Assertion `prebuilt->mysql_prefix_len <= prebuilt->mysql_row_len' failed in row_sel_dequeue_cached_row_for_mysql upon SIMULTANEOUS_ASSIGNMENT and geometry Created: 2020-05-16  Updated: 2023-11-28

Status: Confirmed
Project: MariaDB Server
Component/s: GIS, Variables
Affects Version/s: 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0, 11.1

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Alexey Botchkov
Resolution: Unresolved Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-22732 AddressSanitizer: use-after-poison up... Confirmed
relates to MDEV-19038 Server crashes in calc_row_difference... Closed

 Description   

--source include/have_innodb.inc
 
# InnoDB table with a GEOMETRY column; the rows are inserted with all-default values.
CREATE TABLE t1 (pk INT AUTO_INCREMENT PRIMARY KEY, g GEOMETRY, i INT) ENGINE=InnoDB;
INSERT INTO t1 () VALUES (),(),(),(),(),(),(),();
SET SQL_MODE= 'SIMULTANEOUS_ASSIGNMENT';
# 'foo' is not a valid geometry, so this multi-column UPDATE is expected to fail
# with ER_CANT_CREATE_GEOMETRY_OBJECT. The failure itself is the intended part of
# the test; what it apparently leaves behind is what the next statement trips over.
--error ER_CANT_CREATE_GEOMETRY_OBJECT
UPDATE t1 SET i = NULL, g = 'foo';
# The SELECT, not the UPDATE, is where the server dies: on a 10.3 debug build it hits
# the assertion in row_sel_dequeue_cached_row_for_mysql; on a 10.5 ASAN build it is a
# use-after-poison READ in row_sel_store_mysql_field (see the traces below).
SELECT * FROM t1 ORDER BY i;
 
# Cleanup
DROP TABLE t1;

10.3 38d62189

mysqld: /data/src/10.3/storage/innobase/row/row0sel.cc:3723: void row_sel_dequeue_cached_row_for_mysql(byte*, row_prebuilt_t*): Assertion `prebuilt->mysql_prefix_len <= prebuilt->mysql_row_len' failed.
200517  2:00:24 [ERROR] mysqld got signal 6 ;
 
#7  0x00007f220650df12 in __GI___assert_fail (assertion=0x55a690ffe638 "prebuilt->mysql_prefix_len <= prebuilt->mysql_row_len", file=0x55a690ffd618 "/data/src/10.3/storage/innobase/row/row0sel.cc", line=3723, function=0x55a691001f40 <row_sel_dequeue_cached_row_for_mysql(unsigned char*, row_prebuilt_t*)::__PRETTY_FUNCTION__> "void row_sel_dequeue_cached_row_for_mysql(byte*, row_prebuilt_t*)") at assert.c:101
#8  0x000055a690854062 in row_sel_dequeue_cached_row_for_mysql (buf=0x7f21ac1654b0 "\377\005", prebuilt=0x7f21ac0a18e0) at /data/src/10.3/storage/innobase/row/row0sel.cc:3723
#9  0x000055a690855dc8 in row_search_mvcc (buf=0x7f21ac1654b0 "\377\005", mode=PAGE_CUR_UNSUPP, prebuilt=0x7f21ac0a18e0, match_mode=0, direction=1) at /data/src/10.3/storage/innobase/row/row0sel.cc:4315
#10 0x000055a690677a1e in ha_innobase::general_fetch (this=0x7f21ac0a1138, buf=0x7f21ac1654b0 "\377\005", direction=1, match_mode=0) at /data/src/10.3/storage/innobase/handler/ha_innodb.cc:9529
#11 0x000055a690677fa2 in ha_innobase::rnd_next (this=0x7f21ac0a1138, buf=0x7f21ac1654b0 "\377\005") at /data/src/10.3/storage/innobase/handler/ha_innodb.cc:9738
#12 0x000055a6904488f4 in handler::ha_rnd_next (this=0x7f21ac0a1138, buf=0x7f21ac1654b0 "\377\005") at /data/src/10.3/sql/handler.cc:2847
#13 0x000055a69043bd58 in find_all_keys (thd=0x7f21ac000af0, param=0x7f220010a0b0, select=0x7f21ac0151b0, fs_info=0x7f21ac166ee0, buffpek_pointers=0x7f220010a2b0, tempfile=0x7f220010a140, pq=0x0, found_rows=0x7f21ac1670c0) at /data/src/10.3/sql/filesort.cc:774
#14 0x000055a69043a27b in filesort (thd=0x7f21ac000af0, table=0x7f21ac1858e0, filesort=0x7f21ac015380, tracker=0x7f21ac015a20, join=0x7f21ac0132e8, first_table_bit=1) at /data/src/10.3/sql/filesort.cc:268
#15 0x000055a6901ab1b5 in create_sort_index (thd=0x7f21ac000af0, join=0x7f21ac0132e8, tab=0x7f21ac0148a0, fsort=0x7f21ac015380) at /data/src/10.3/sql/sql_select.cc:22890
#16 0x000055a6901a545c in st_join_table::sort_table (this=0x7f21ac0148a0) at /data/src/10.3/sql/sql_select.cc:20656
#17 0x000055a6901a5037 in join_init_read_record (tab=0x7f21ac0148a0) at /data/src/10.3/sql/sql_select.cc:20597
#18 0x000055a6901a2dd2 in sub_select (join=0x7f21ac0132e8, join_tab=0x7f21ac0148a0, end_of_records=false) at /data/src/10.3/sql/sql_select.cc:19678
#19 0x000055a6901a22be in do_select (join=0x7f21ac0132e8, procedure=0x0) at /data/src/10.3/sql/sql_select.cc:19221
#20 0x000055a690179213 in JOIN::exec_inner (this=0x7f21ac0132e8) at /data/src/10.3/sql/sql_select.cc:4102
#21 0x000055a6901785e6 in JOIN::exec (this=0x7f21ac0132e8) at /data/src/10.3/sql/sql_select.cc:3896
#22 0x000055a6901798f7 in mysql_select (thd=0x7f21ac000af0, tables=0x7f21ac012a20, wild_num=1, fields=..., conds=0x0, og_num=1, order=0x7f21ac0131a8, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f21ac0132c0, unit=0x7f21ac0049b8, select_lex=0x7f21ac005140) at /data/src/10.3/sql/sql_select.cc:4301
#23 0x000055a69016af44 in handle_select (thd=0x7f21ac000af0, lex=0x7f21ac0048f8, result=0x7f21ac0132c0, setup_tables_done_option=0) at /data/src/10.3/sql/sql_select.cc:370
#24 0x000055a6901328d6 in execute_sqlcom_select (thd=0x7f21ac000af0, all_tables=0x7f21ac012a20) at /data/src/10.3/sql/sql_parse.cc:6293
#25 0x000055a69012904f in mysql_execute_command (thd=0x7f21ac000af0) at /data/src/10.3/sql/sql_parse.cc:3820
#26 0x000055a690136be1 in mysql_parse (thd=0x7f21ac000af0, rawbuf=0x7f21ac012818 "SELECT * FROM t1 ORDER BY i", length=27, parser_state=0x7f220010b5e0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:7817
#27 0x000055a69012344f in dispatch_command (command=COM_QUERY, thd=0x7f21ac000af0, packet=0x7f21ac008c71 "", packet_length=27, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1856
#28 0x000055a690121d67 in do_command (thd=0x7f21ac000af0) at /data/src/10.3/sql/sql_parse.cc:1401
#29 0x000055a69029a017 in do_handle_one_connection (connect=0x55a693fc0250) at /data/src/10.3/sql/sql_connect.cc:1403
#30 0x000055a690299d79 in handle_one_connection (arg=0x55a693fc0250) at /data/src/10.3/sql/sql_connect.cc:1308
#31 0x000055a690c4e70c in pfs_spawn_thread (arg=0x55a693fdb200) at /data/src/10.3/storage/perfschema/pfs.cc:1869
#32 0x00007f22084964a4 in start_thread (arg=0x7f220010c700) at pthread_create.c:456
#33 0x00007f22065cad0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

Reproducible on 10.3-10.5.
The test case is not applicable to 10.2, as SIMULTANEOUS_ASSIGNMENT is not available there.

A normal release build doesn't show any problem, but a RelWithDebInfo build with ASAN does:

10.5 0186b0a0 RelWithDebInfo + ASAN

==7783==ERROR: AddressSanitizer: use-after-poison on address 0x619000114111 at pc 0x7f067f703f7f bp 0x7f066e2065a0 sp 0x7f066e205d50
READ of size 4 at 0x619000114111 thread T15
    #0 0x7f067f703f7e  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cf7e)
    #1 0x5580e3a6fde8 in row_sel_store_mysql_field /data/src/10.5/storage/innobase/row/row0sel.cc:2966
    #2 0x5580e3a70343 in row_sel_store_mysql_rec /data/src/10.5/storage/innobase/row/row0sel.cc:3146
    #3 0x5580e4ccc3a3 in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /data/src/10.5/storage/innobase/row/row0sel.cc:5451
    #4 0x5580e4a8e57d in ha_innobase::index_read(unsigned char*, unsigned char const*, unsigned int, ha_rkey_function) /data/src/10.5/storage/innobase/handler/ha_innodb.cc:8973
    #5 0x5580e4a8ed96 in ha_innobase::index_first(unsigned char*) /data/src/10.5/storage/innobase/handler/ha_innodb.cc:9346
    #6 0x5580e4a8ed96 in ha_innobase::rnd_next(unsigned char*) /data/src/10.5/storage/innobase/handler/ha_innodb.cc:9439
    #7 0x5580e4281a55 in handler::ha_rnd_next(unsigned char*) /data/src/10.5/sql/handler.cc:2991
    #8 0x5580e426e821 in find_all_keys /data/src/10.5/sql/filesort.cc:892
    #9 0x5580e426e821 in filesort(THD*, TABLE*, Filesort*, Filesort_tracker*, JOIN*, unsigned long long) /data/src/10.5/sql/filesort.cc:361
    #10 0x5580e3dfd5d8 in create_sort_index(THD*, JOIN*, st_join_table*, Filesort*) /data/src/10.5/sql/sql_select.cc:23870
    #11 0x5580e3dfde38 in st_join_table::sort_table() /data/src/10.5/sql/sql_select.cc:21599
    #12 0x5580e3dfdffb in join_init_read_record(st_join_table*) /data/src/10.5/sql/sql_select.cc:21538
    #13 0x5580e3dd1464 in sub_select(JOIN*, st_join_table*, bool) /data/src/10.5/sql/sql_select.cc:20612
    #14 0x5580e3e4084e in do_select /data/src/10.5/sql/sql_select.cc:20149
    #15 0x5580e3e4084e in JOIN::exec_inner() /data/src/10.5/sql/sql_select.cc:4464
    #16 0x5580e3e414bd in JOIN::exec() /data/src/10.5/sql/sql_select.cc:4245
    #17 0x5580e3e3ac56 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.5/sql/sql_select.cc:4669
    #18 0x5580e3e3d1bb in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.5/sql/sql_select.cc:429
    #19 0x5580e3a42ece in execute_sqlcom_select /data/src/10.5/sql/sql_parse.cc:6172
    #20 0x5580e3d336a7 in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:3901
    #21 0x5580e3d46014 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.5/sql/sql_parse.cc:7957
    #22 0x5580e3d2a706 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5/sql/sql_parse.cc:1840
    #23 0x5580e3d26176 in do_command(THD*) /data/src/10.5/sql/sql_parse.cc:1359
    #24 0x5580e3fd3867 in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1411
    #25 0x5580e3fd4576 in handle_one_connection /data/src/10.5/sql/sql_connect.cc:1313
    #26 0x5580e48d6e33 in pfs_spawn_thread /data/src/10.5/storage/perfschema/pfs.cc:2201
    #27 0x7f067f4914a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
    #28 0x7f067d5c5d0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
 
0x619000114111 is located 401 bytes inside of 1008-byte region [0x619000113f80,0x619000114370)
allocated by thread T15 here:
    #0 0x7f067f768d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x5580e51df153 in my_malloc /data/src/10.5/mysys/my_malloc.c:88
 
Thread T15 created by T0 here:
    #0 0x7f067f6d7f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
    #1 0x5580e48d70aa in my_thread_create /data/src/10.5/storage/perfschema/my_thread.h:34
    #2 0x5580e48d70aa in pfs_spawn_thread_v1 /data/src/10.5/storage/perfschema/pfs.cc:2252
 
SUMMARY: AddressSanitizer: use-after-poison (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cf7e) 
Shadow bytes around the buggy address:
  0x0c328001a7d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c328001a7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c328001a7f0: 00 00 00 00 00 00 f7 00 00 f7 01 f7 00 00 00 00
  0x0c328001a800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c328001a810: 00 00 00 00 00 00 00 00 00 02 f7 00 f7 00 00 05
=>0x0c328001a820: f7 01[f7]00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c328001a830: f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c328001a840: 00 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 00
  0x0c328001a850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c328001a860: 00 00 00 00 00 00 00 00 f7 00 00 f7 f7 f7 fa fa
  0x0c328001a870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7783==ABORTING
200517  2:03:38 [ERROR] mysqld got signal 6 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
 
To report this bug, see https://mariadb.com/kb/en/reporting-bugs
 
We will try our best to scrape up some info that will hopefully help
diagnose the problem, but since we have already crashed, 
something is definitely wrong and this may fail.
 
Server version: 10.5.4-MariaDB-log
key_buffer_size=1048576
read_buffer_size=131072
max_used_connections=1
max_threads=153
thread_count=2
It is possible that mysqld could use up to 
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 63597 K  bytes of memory
Hope that's ok; if not, decrease some variables in the equation.
 
Thread pointer: 0x62b00007e218
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0x7f066e20a8e0 thread_stack 0x5fc00
??:0(backtrace)[0x7f067f6f4681]
mysys/stacktrace.c:307(my_print_stacktrace)[0x5580e51e7ac6]
sql/signal_handler.cc:210(handle_fatal_signal)[0x5580e4272df6]
??:0(__restore_rt)[0x7f067f49b0e0]
linux/raise.c:51(__GI_raise)[0x7f067d50ffff]
stdlib/abort.c:91(__GI_abort)[0x7f067d51142a]
??:0(__sanitizer_cov_trace_switch)[0x7f067f782329]
??:0(__asan_print_accumulated_stats)[0x7f067f7779ab]
??:0(__asan_unpoison_intra_object_redzone)[0x7f067f771b57]
??:0(__interceptor_if_indextoname)[0x7f067f703f9e]
/data/bld/10.5-rel-asan/bin/mariadbd(+0x8c5de9)[0x5580e3a6fde9]
row/row0sel.cc:2967(row_sel_store_mysql_field(unsigned char*, row_prebuilt_t*, unsigned char const*, dict_index_t const*, unsigned short const*, unsigned long, mysql_row_templ_t const*))[0x5580e3a70344]
row/row0sel.cc:3146(row_sel_store_mysql_rec(unsigned char*, row_prebuilt_t*, unsigned char const*, dtuple_t const*, bool, dict_index_t const*, unsigned short const*))[0x5580e4ccc3a4]
row/row0sel.cc:5451(row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long))[0x5580e4a8e57e]
handler/ha_innodb.cc:8975(ha_innobase::index_read(unsigned char*, unsigned char const*, unsigned int, ha_rkey_function))[0x5580e4a8ed97]
handler/ha_innodb.cc:9351(ha_innobase::index_first(unsigned char*))[0x5580e4281a56]
sql/handler.cc:2991(handler::ha_rnd_next(unsigned char*))[0x5580e426e822]
sql/filesort.cc:892(find_all_keys)[0x5580e3dfd5d9]
sql/sql_select.cc:23872(create_sort_index(THD*, JOIN*, st_join_table*, Filesort*))[0x5580e3dfde39]
sql/sql_select.cc:21601(st_join_table::sort_table())[0x5580e3dfdffc]
sql/sql_select.cc:21538(join_init_read_record(st_join_table*))[0x5580e3dd1465]
sql/sql_select.cc:20613(sub_select(JOIN*, st_join_table*, bool))[0x5580e3e4084f]
sql/sql_select.cc:20150(do_select)[0x5580e3e414be]
sql/sql_select.cc:4246(JOIN::exec())[0x5580e3e3ac57]
sql/sql_select.cc:4671(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x5580e3e3d1bc]
sql/sql_select.cc:429(handle_select(THD*, LEX*, select_result*, unsigned long))[0x5580e3a42ecf]
sql/sql_parse.cc:6172(execute_sqlcom_select(THD*, TABLE_LIST*))[0x5580e3d336a8]
sql/sql_parse.cc:3901(mysql_execute_command(THD*))[0x5580e3d46015]
sql/sql_parse.cc:7974(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x5580e3d2a707]
sql/sql_parse.cc:1842(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x5580e3d26177]
sql/sql_parse.cc:1359(do_command(THD*))[0x5580e3fd3868]
sql/sql_connect.cc:1411(do_handle_one_connection(CONNECT*, bool))[0x5580e3fd4577]
sql/sql_connect.cc:1317(handle_one_connection)[0x5580e48d6e34]
nptl/pthread_create.c:456(start_thread)[0x7f067f4914a4]
x86_64/clone.S:99(clone)[0x7f067d5c5d0f]
 
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0x62b000077238): SELECT * FROM t1 ORDER BY i
Connection ID (thread ID): 4
Status: NOT_KILLED
 
Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off
 
The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains
information that should help you find out what is causing the crash.
Writing a core file...
Working directory at /dev/shm/var_auto_gAa7/mysqld.1/d...
Resource Limits:
Limit                     Soft Limit           Hard Limit           Units     
Max cpu time              unlimited            unlimited            seconds   
Max file size             unlimited            unlimited            bytes     
Max data size             unlimited            unlimited            bytes     
Max stack size            8388608              unlimited            bytes     
Max core file size        0                    0                    bytes     
Max resident set          unlimited            unlimited            bytes     
Max processes             128123               128123               processes 
Max open files            1024                 1024                 files     
Max locked memory         65536                65536                bytes     
Max address space         unlimited            unlimited            bytes     
Max file locks            unlimited            unlimited            locks     
Max pending signals       128123               128123               signals   
Max msgqueue size         819200               819200               bytes     
Max nice priority         0                    0                    
Max realtime priority     0                    0                    
Max realtime timeout      unlimited            unlimited            us        
Core pattern: co...



 Comments   
Comment by Elena Stepanova [ 2020-05-25 ]

An almost identical test case, but with system versioning, produces a different ASAN error:

--source include/have_innodb.inc
 
# Same shape as the main test case, but on a system-versioned InnoDB table with an
# application-time period over the two DATE columns.
CREATE TABLE t1 (s DATE, e DATE, g GEOMETRY, PERIOD FOR p(s,e)) ENGINE=InnoDB WITH SYSTEM VERSIONING;
SET SQL_MODE= 'SIMULTANEOUS_ASSIGNMENT';
INSERT INTO t1 (s,e) VALUES ('1999-12-13','2032-05-21');
# Expected failure: g = 0 is not a valid geometry (ER_CANT_CREATE_GEOMETRY_OBJECT).
# Both columns are assigned in the same statement under SIMULTANEOUS_ASSIGNMENT.
--error ER_CANT_CREATE_GEOMETRY_OBJECT
UPDATE t1 SET s = 'k', g = 0;
# A later, otherwise valid UPDATE is where ASAN fires: a use-after-poison WRITE in
# row_mysql_store_col_in_innobase_format while the history row is being written
# (vers_insert_history_row -> ha_write_row in the 10.4 trace below).
UPDATE t1 SET e = '2036-07-23';
 
# Cleanup
DROP TABLE t1;

10.4 ASAN a4996f95

==32107==ERROR: AddressSanitizer: use-after-poison on address 0x6210000a6c6b at pc 0x55debe77d09c bp 0x7ff5e54f46c0 sp 0x7ff5e54f46b8
WRITE of size 1 at 0x6210000a6c6b thread T27
    #0 0x55debe77d09b in row_mysql_store_col_in_innobase_format(dfield_t*, unsigned char*, unsigned long, unsigned char const*, unsigned long, unsigned long) /data/src/10.4/storage/innobase/row/row0mysql.cc:437
    #1 0x55debe77dd51 in row_mysql_convert_row_to_innobase /data/src/10.4/storage/innobase/row/row0mysql.cc:629
    #2 0x55debe782928 in row_insert_for_mysql(unsigned char const*, row_prebuilt_t*, ins_mode_t) /data/src/10.4/storage/innobase/row/row0mysql.cc:1419
    #3 0x55debe49d9c5 in ha_innobase::write_row(unsigned char const*) /data/src/10.4/storage/innobase/handler/ha_innodb.cc:8007
    #4 0x55debdf7e2d7 in handler::ha_write_row(unsigned char const*) /data/src/10.4/sql/handler.cc:6706
    #5 0x55debd750e18 in vers_insert_history_row(TABLE*) /data/src/10.4/sql/sql_insert.cc:1685
    #6 0x55debda6eea0 in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*) /data/src/10.4/sql/sql_update.cc:1073
    #7 0x55debd7f7912 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4376
    #8 0x55debd80e082 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7900
    #9 0x55debd7e90cd in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1842
    #10 0x55debd7e60ab in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1360
    #11 0x55debdb6b4e3 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412
    #12 0x55debdb6ae97 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
    #13 0x7ff608f814a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
    #14 0x7ff6070b5d0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
 
0x6210000a6c6b is located 1899 bytes inside of 4208-byte region [0x6210000a6500,0x6210000a7570)
allocated by thread T27 here:
    #0 0x7ff609258d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x55debe644895 in mem_heap_create_block_func(mem_block_info_t*, unsigned long, char const*, unsigned int, unsigned long) /data/src/10.4/storage/innobase/mem/mem0mem.cc:277
    #2 0x55debe774768 in mem_heap_create_func /data/src/10.4/storage/innobase/include/mem0mem.ic:375
    #3 0x55debe77f5a6 in row_create_prebuilt(dict_table_t*, unsigned long) /data/src/10.4/storage/innobase/row/row0mysql.cc:908
    #4 0x55debe492a65 in ha_innobase::open(char const*, int, unsigned int) /data/src/10.4/storage/innobase/handler/ha_innodb.cc:6154
    #5 0x55debdf5f416 in handler::ha_open(TABLE*, char const*, int, unsigned int, st_mem_root*, List<String>*) /data/src/10.4/sql/handler.cc:2759
    #6 0x55debdab1538 in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /data/src/10.4/sql/table.cc:3951
    #7 0x55debd686bef in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.4/sql/sql_base.cc:2086
    #8 0x55debd68f0b0 in open_and_process_table /data/src/10.4/sql/sql_base.cc:3850
    #9 0x55debd6916dc in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.4/sql/sql_base.cc:4324
    #10 0x55debd696444 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.4/sql/sql_base.cc:5226
    #11 0x55debd603069 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.4/sql/sql_base.h:505
    #12 0x55debd74b128 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.4/sql/sql_insert.cc:764
    #13 0x55debd7f85d9 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4528
    #14 0x55debd80e082 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7900
    #15 0x55debd7e90cd in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1842
    #16 0x55debd7e60ab in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1360
    #17 0x55debdb6b4e3 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412
    #18 0x55debdb6ae97 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
    #19 0x7ff608f814a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
 
Thread T27 created by T0 here:
    #0 0x7ff6091c7f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
    #1 0x55debf12bebc in spawn_thread_noop /data/src/10.4/mysys/psi_noop.c:187
    #2 0x55debd5404e8 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275
    #3 0x55debd554981 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6259
    #4 0x55debd555064 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6329
    #5 0x55debd5553ef in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6427
    #6 0x55debd556041 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6585
    #7 0x55debd5541e3 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5917
    #8 0x55debd53e3cf in main /data/src/10.4/sql/main.cc:25
    #9 0x7ff606fed2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
 
SUMMARY: AddressSanitizer: use-after-poison /data/src/10.4/storage/innobase/row/row0mysql.cc:437 in row_mysql_store_col_in_innobase_format(dfield_t*, unsigned char*, unsigned long, unsigned char const*, unsigned long, unsigned long)
Shadow bytes around the buggy address:
  0x0c428000cd30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c428000cd40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c428000cd50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c428000cd60: 00 00 f7 00 00 00 00 00 00 00 00 00 00 f7 00 00
  0x0c428000cd70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c428000cd80: 00 00 00 00 00 00 00 f7 00 00 00 00 01[f7]00 00
  0x0c428000cd90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c428000cda0: 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 00 00
  0x0c428000cdb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c428000cdc0: 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00
  0x0c428000cdd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==32107==ABORTING

Comment by Elena Stepanova [ 2020-05-25 ]

And another similar one, producing yet another ASAN error:

--source include/have_innodb.inc
 
# No versioning this time; the only extra ingredient is a secondary index on e.
CREATE TABLE t1 (s DATE, e DATE, g GEOMETRY, KEY(e)) ENGINE=InnoDB;
SET SQL_MODE= 'SIMULTANEOUS_ASSIGNMENT';
INSERT INTO t1 (s,e) VALUES ('1999-12-13','2032-05-21');
# Expected failure: g = 1 is not a valid geometry (ER_CANT_CREATE_GEOMETRY_OBJECT).
--error ER_CANT_CREATE_GEOMETRY_OBJECT
UPDATE t1 SET s = '2012-12-12', g = 1;
# The follow-up UPDATE crashes in calc_row_difference -> Field::is_null_in_record
# (use-after-poison READ, 10.4 ASAN trace below). Compare the linked MDEV-19038,
# which also crashed in calc_row_difference.
UPDATE t1 SET e = '2036-07-23';
 
# Cleanup
DROP TABLE t1;

10.4 ASAN a4996f95

==3078==ERROR: AddressSanitizer: use-after-poison on address 0x61900010f050 at pc 0x559e9f4c693a bp 0x7f556a4517d0 sp 0x7f556a4517c8
READ of size 1 at 0x61900010f050 thread T27
    #0 0x559e9f4c6939 in Field::is_null_in_record(unsigned char const*) const /data/src/10.4/sql/field.h:1172
    #1 0x559ea0012324 in calc_row_difference /data/src/10.4/storage/innobase/handler/ha_innodb.cc:8353
    #2 0x559ea0014a0d in ha_innobase::update_row(unsigned char const*, unsigned char const*) /data/src/10.4/storage/innobase/handler/ha_innodb.cc:8768
    #3 0x559e9faf1ef8 in handler::ha_update_row(unsigned char const*, unsigned char const*) /data/src/10.4/sql/handler.cc:6751
    #4 0x559e9f5e1d14 in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*) /data/src/10.4/sql/sql_update.cc:1056
    #5 0x559e9f36a912 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4376
    #6 0x559e9f381082 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7900
    #7 0x559e9f35c0cd in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1842
    #8 0x559e9f3590ab in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1360
    #9 0x559e9f6de4e3 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412
    #10 0x559e9f6dde97 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
    #11 0x559ea0b40b0d in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
    #12 0x7f55820d64a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
    #13 0x7f558020ad0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
 
0x61900010f050 is located 208 bytes inside of 1100-byte region [0x61900010ef80,0x61900010f3cc)
allocated by thread T27 here:
    #0 0x7f55823add28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x559ea0c72a97 in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
    #2 0x559ea0c446ae in my_malloc /data/src/10.4/mysys/my_malloc.c:101
    #3 0x559ea0c24969 in alloc_root /data/src/10.4/mysys/my_alloc.c:250
    #4 0x559ea0c25d45 in strmake_root /data/src/10.4/mysys/my_alloc.c:480
    #5 0x559e9f621c96 in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /data/src/10.4/sql/table.cc:3622
    #6 0x559e9f1f9bef in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.4/sql/sql_base.cc:2086
    #7 0x559e9f2020b0 in open_and_process_table /data/src/10.4/sql/sql_base.cc:3850
    #8 0x559e9f2046dc in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.4/sql/sql_base.cc:4324
    #9 0x559e9f209444 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.4/sql/sql_base.cc:5226
    #10 0x559e9f176069 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.4/sql/sql_base.h:505
    #11 0x559e9f2be128 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.4/sql/sql_insert.cc:764
    #12 0x559e9f36b5d9 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4528
    #13 0x559e9f381082 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7900
    #14 0x559e9f35c0cd in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1842
    #15 0x559e9f3590ab in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1360
    #16 0x559e9f6de4e3 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412
    #17 0x559e9f6dde97 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
    #18 0x559ea0b40b0d in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
    #19 0x7f55820d64a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
 
Thread T27 created by T0 here:
    #0 0x7f558231cf59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
    #1 0x559ea0b40efa in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919
    #2 0x559e9f0b34e8 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275
    #3 0x559e9f0c7981 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6259
    #4 0x559e9f0c8064 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6329
    #5 0x559e9f0c83ef in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6427
    #6 0x559e9f0c9041 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6585
    #7 0x559e9f0c71e3 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5917
    #8 0x559e9f0b13cf in main /data/src/10.4/sql/main.cc:25
    #9 0x7f55801422e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
 
SUMMARY: AddressSanitizer: use-after-poison /data/src/10.4/sql/field.h:1172 in Field::is_null_in_record(unsigned char const*) const
Shadow bytes around the buggy address:
  0x0c3280019db0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c3280019dc0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c3280019dd0: f7 f7 f7 f7 f7 f7 f7 f7 f7 04 fa fa fa fa fa fa
  0x0c3280019de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280019df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3280019e00: 00 f7 03 f7 00 00 03 00 00 03[f7]00 00 00 00 f7
  0x0c3280019e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280019e20: 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 00 00
  0x0c3280019e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280019e40: 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00 00
  0x0c3280019e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3078==ABORTING

Comment by Elena Stepanova [ 2020-05-30 ]

And now a test case with no relation to InnoDB. The common characteristic here is the combination of SIMULTANEOUS_ASSIGNMENT, geometry, and a prior error on UPDATE. So I'm changing the components, summary and assignee.

# Reproducer: a GEOMETRY column + SIMULTANEOUS_ASSIGNMENT + an UPDATE that fails,
# followed by any further operation on the table (here ALTER TABLE ... FORCE).
# No ENGINE clause: the default engine is used, so this is not InnoDB-specific.
CREATE TABLE t1 (a INT, b GEOMETRY);
# A single row of all-default values is enough for the UPDATE below to touch a record.
INSERT INTO t1 () VALUES ();
# STRICT_ALL_TABLES turns the truncation of '1-0' for column a into an error,
# so the UPDATE is expected to fail with WARN_DATA_TRUNCATED; that failed UPDATE
# under SIMULTANEOUS_ASSIGNMENT is what leaves the table in a bad state.
SET SQL_MODE= 'SIMULTANEOUS_ASSIGNMENT,STRICT_ALL_TABLES';
--error WARN_DATA_TRUNCATED
UPDATE t1 SET a = '1-0', b = 'foo';
# Next access to the table reads poisoned memory: ASAN reports use-after-poison in
# Field::is_null_in_record, reached from mysql_prepare_alter_table (see trace below).
ALTER TABLE t1 FORCE;
 
# Cleanup
DROP TABLE t1;

10.3 ASAN 19da9a51

==17506==ERROR: AddressSanitizer: use-after-poison on address 0x619000097560 at pc 0x55eca941ad08 bp 0x7fc4252de580 sp 0x7fc4252de578
READ of size 1 at 0x619000097560 thread T5
    #0 0x55eca941ad07 in Field::is_null_in_record(unsigned char const*) const /data/src/10.3/sql/field.h:1177
    #1 0x55eca9985e86 in Column_definition::Column_definition(THD*, Field*, Field*) /data/src/10.3/sql/field.cc:11122
    #2 0x55eca924ce5b in Create_field::Create_field(THD*, Field*, Field*) /data/src/10.3/sql/field.h:4773
    #3 0x55eca94e3bdf in mysql_prepare_alter_table(THD*, TABLE*, HA_CREATE_INFO*, Alter_info*, Alter_table_ctx*) /data/src/10.3/sql/sql_table.cc:8115
    #4 0x55eca94ecd18 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.3/sql/sql_table.cc:9604
    #5 0x55eca963b6fe in Sql_cmd_alter_table::execute(THD*) /data/src/10.3/sql/sql_alter.cc:512
    #6 0x55eca92d23ef in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:6030
    #7 0x55eca92dd776 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7818
    #8 0x55eca92b8137 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1856
    #9 0x55eca92b4fe3 in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1401
    #10 0x55eca962c481 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
    #11 0x55eca962be48 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
    #12 0x55ecaaaa10d3 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
    #13 0x7fc43113e4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
    #14 0x7fc42f272d0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
 
0x619000097560 is located 224 bytes inside of 1100-byte region [0x619000097480,0x6190000978cc)
allocated by thread T5 here:
    #0 0x7fc431415d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x55ecaabd14f0 in sf_malloc /data/src/10.3/mysys/safemalloc.c:118
    #2 0x55ecaaba30bf in my_malloc /data/src/10.3/mysys/my_malloc.c:101
    #3 0x55ecaab835e2 in alloc_root /data/src/10.3/mysys/my_alloc.c:250
    #4 0x55ecaab84c63 in memdup_root /data/src/10.3/mysys/my_alloc.c:492
    #5 0x55eca955e558 in TABLE_SHARE::init_from_binary_frm_image(THD*, bool, unsigned char const*, unsigned long) /data/src/10.3/sql/table.cc:1296
    #6 0x55eca95598c8 in open_table_def(THD*, TABLE_SHARE*, unsigned int) /data/src/10.3/sql/table.cc:680
    #7 0x55eca97e29c2 in tdc_acquire_share(THD*, TABLE_LIST*, unsigned int, TABLE**) /data/src/10.3/sql/table_cache.cc:840
    #8 0x55eca9168174 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.3/sql/sql_base.cc:1839
    #9 0x55eca917118b in open_and_process_table /data/src/10.3/sql/sql_base.cc:3718
    #10 0x55eca9173416 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:4187
    #11 0x55eca9178333 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:5084
    #12 0x55eca90e9c31 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.3/sql/sql_base.h:505
    #13 0x55eca9229f8a in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.3/sql/sql_insert.cc:760
    #14 0x55eca92c7003 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4454
    #15 0x55eca92dd776 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7818
    #16 0x55eca92b8137 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1856
    #17 0x55eca92b4fe3 in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1401
    #18 0x55eca962c481 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
    #19 0x55eca962be48 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
    #20 0x55ecaaaa10d3 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
    #21 0x7fc43113e4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
 
Thread T5 created by T0 here:
    #0 0x7fc431384f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
    #1 0x55ecaaaa150f in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1919
    #2 0x55eca9021420 in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1275
    #3 0x55eca903690f in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6606
    #4 0x55eca9036ff2 in create_new_thread /data/src/10.3/sql/mysqld.cc:6676
    #5 0x55eca903800a in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6951
    #6 0x55eca9035ddf in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6228
    #7 0x55eca901fb3f in main /data/src/10.3/sql/main.cc:25
    #8 0x7fc42f1aa2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
 
SUMMARY: AddressSanitizer: use-after-poison /data/src/10.3/sql/field.h:1177 in Field::is_null_in_record(unsigned char const*) const
Shadow bytes around the buggy address:
  0x0c328000ae50: 00 00 f7 00 00 00 04 f7 00 00 f7 f7 f7 f7 f7 f7
  0x0c328000ae60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c328000ae70: f7 f7 f7 f7 f7 f7 f7 f7 f7 04 fa fa fa fa fa fa
  0x0c328000ae80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c328000ae90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c328000aea0: 00 f7 00 00 f7 01 f7 02 f7 00 00 01[f7]01 f7 00
  0x0c328000aeb0: 00 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 00
  0x0c328000aec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c328000aed0: 00 00 00 00 00 00 00 00 f7 00 00 00 00 00 00 00
  0x0c328000aee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c328000aef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==17506==ABORTING

Comment by Elena Stepanova [ 2020-06-03 ]

A couple more stack traces, as I need them to be searchable in JIRA. I won't be adding new test cases, because they all follow the same pattern: GIS column => SIMULTANEOUS_ASSIGNMENT => error upon DML (usually ER_CANT_CREATE_GEOMETRY_OBJECT, but it can be different) => further operation => crash.

10.3 2e1d10ec

#3  <signal handler called>
#4  0x000055a899029213 in TABLE::init (this=0x7fbb880742e0, thd=0x7fbb88000af0, tl=0x7fbb880129c8) at /data/src/10.3/sql/table.cc:4771
#5  0x000055a898e6e270 in open_table (thd=0x7fbb88000af0, table_list=0x7fbb880129c8, ot_ctx=0x7fbb9a36e910) at /data/src/10.3/sql/sql_base.cc:2052
#6  0x000055a898e71935 in open_and_process_table (thd=0x7fbb88000af0, tables=0x7fbb880129c8, counter=0x7fbb9a36e9a4, flags=0, prelocking_strategy=0x7fbb9a36ea28, has_prelocking_list=false, ot_ctx=0x7fbb9a36e910) at /data/src/10.3/sql/sql_base.cc:3718
#7  0x000055a898e72998 in open_tables (thd=0x7fbb88000af0, options=..., start=0x7fbb9a36e988, counter=0x7fbb9a36e9a4, flags=0, prelocking_strategy=0x7fbb9a36ea28) at /data/src/10.3/sql/sql_base.cc:4187
#8  0x000055a898e74ace in open_and_lock_tables (thd=0x7fbb88000af0, options=..., tables=0x7fbb880129c8, derived=true, flags=0, prelocking_strategy=0x7fbb9a36ea28) at /data/src/10.3/sql/sql_base.cc:5084
#9  0x000055a898e31d1f in open_and_lock_tables (thd=0x7fbb88000af0, tables=0x7fbb880129c8, derived=true, flags=0) at /data/src/10.3/sql/sql_base.h:505
#10 0x000055a898ec292d in mysql_insert (thd=0x7fbb88000af0, table_list=0x7fbb880129c8, fields=..., values_list=..., update_fields=..., update_values=..., duplic=DUP_REPLACE, ignore=false) at /data/src/10.3/sql/sql_insert.cc:760
#11 0x000055a898f07792 in mysql_execute_command (thd=0x7fbb88000af0) at /data/src/10.3/sql/sql_parse.cc:4454
#12 0x000055a898f132dd in mysql_parse (thd=0x7fbb88000af0, rawbuf=0x7fbb88012818 "REPLACE INTO app_periods_t15 (f,s,e) VALUES (NULL,'2032-10-31','2036-05-06'), ('','2004-05-04','2027-09-24') /* 100500 */", length=121, parser_state=0x7fbb9a36f5e0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:7818
#13 0x000055a898effb25 in dispatch_command (command=COM_QUERY, thd=0x7fbb88000af0, packet=0x7fbb881234e1 "REPLACE INTO app_periods_t15 (f,s,e) VALUES (NULL,'2032-10-31','2036-05-06'), ('','2004-05-04','2027-09-24') /*!100500 */", packet_length=121, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1856
#14 0x000055a898efe43d in do_command (thd=0x7fbb88000af0) at /data/src/10.3/sql/sql_parse.cc:1401
#15 0x000055a899076b4d in do_handle_one_connection (connect=0x55a89cfaa2e0) at /data/src/10.3/sql/sql_connect.cc:1403
#16 0x000055a8990768af in handle_one_connection (arg=0x55a89cfaa2e0) at /data/src/10.3/sql/sql_connect.cc:1308
#17 0x000055a899a2bf1c in pfs_spawn_thread (arg=0x55a89cfc5390) at /data/src/10.3/storage/perfschema/pfs.cc:1869
#18 0x00007fbba20f94a4 in start_thread (arg=0x7fbb9a370700) at pthread_create.c:456
#19 0x00007fbba022dd0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

#3  <signal handler called>
#4  0x0000565472bf6213 in TABLE::init (this=0x7f321c081fc0, thd=0x7f321c000af0, tl=0x7f321c0129c8) at /data/src/10.3/sql/table.cc:4771
#5  0x0000565472d1850a in THD::open_temporary_table (this=0x7f321c000af0, tl=0x7f321c0129c8) at /data/src/10.3/sql/temporary_tables.cc:438
#6  0x0000565472d18606 in THD::open_temporary_tables (this=0x7f321c000af0, tl=0x7f321c0129c8) at /data/src/10.3/sql/temporary_tables.cc:475
#7  0x0000565472ad46c7 in mysql_execute_command (thd=0x7f321c000af0) at /data/src/10.3/sql/sql_parse.cc:4445
#8  0x0000565472ae02dd in mysql_parse (thd=0x7f321c000af0, rawbuf=0x7f321c012818 "REPLACE INTO app_periods_t15 (f,s,e) VALUES (NULL,'2032-10-31','2036-05-06'), ('','2004-05-04','2027-09-24') /* 100500 */", length=121, parser_state=0x7f322dcfd5e0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:7818
#9  0x0000565472accb25 in dispatch_command (command=COM_QUERY, thd=0x7f321c000af0, packet=0x7f321c1234e1 "REPLACE INTO app_periods_t15 (f,s,e) VALUES (NULL,'2032-10-31','2036-05-06'), ('','2004-05-04','2027-09-24') /*!100500 */", packet_length=121, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1856
#10 0x0000565472acb43d in do_command (thd=0x7f321c000af0) at /data/src/10.3/sql/sql_parse.cc:1401
#11 0x0000565472c43b4d in do_handle_one_connection (connect=0x565476d152e0) at /data/src/10.3/sql/sql_connect.cc:1403
#12 0x0000565472c438af in handle_one_connection (arg=0x565476d152e0) at /data/src/10.3/sql/sql_connect.cc:1308
#13 0x00005654735f8f1c in pfs_spawn_thread (arg=0x565476d30390) at /data/src/10.3/storage/perfschema/pfs.cc:1869
#14 0x00007f3235a874a4 in start_thread (arg=0x7f322dcfe700) at pthread_create.c:456
#15 0x00007f3233bbbd0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
