[MDEV-23809] Server crash in JOIN_CACHE::free or in copy_fields, ASAN use-after-poison in JOIN::make_aggr_tables_info Created: 2020-09-24  Updated: 2023-11-27  Resolved: 2022-08-03

Status: Closed
Project: MariaDB Server
Component/s: Server
Affects Version/s: 10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9
Fix Version/s: 10.3.36, 10.4.26, 10.5.17, 10.6.9, 10.7.5, 10.8.4, 10.9.2

Type: Bug Priority: Blocker
Reporter: Elena Stepanova Assignee: Sergei Petrunia
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Duplicate
is duplicated by MDEV-26431 MariaDB Server use-after-poison Closed
Relates
relates to MDEV-28945 SIGSEGV in AGGR_OP::put_record and As... Closed
relates to MDEV-29228 Odd EXPLAIN FORMAT=JSON output for SE... Open
relates to MDEV-29237 Code get_best_combination() computes ... Open

 Description   

On one hand, it's a non-debug crash of a bad kind (usually when similar stack traces come from the real world, they are poorly resolved and the failures are not easily reproducible). On the other hand, the test case is very unrealistic. So, I don't expect it to be fixed soon, but it's good to have it filed, so that we can match similar observations with it.
UPD: The test case in the description is for 10.2 only. See comments for a test case for higher versions.

CREATE TABLE t1 (a INT);
 
INSERT INTO t1 VALUES (1),(2);
 
SELECT DISTINCT CASE CONVERT(EXPORT_SET(0, COLLATION(BENCHMARK(1, BIT_OR(0))),0),TIME) WHEN a THEN 1 END AS f FROM t1;
 
 
 
# Cleanup
 
DROP TABLE t1;

10.2 debug 7c5519c1

 
#3  <signal handler called>
 
#4  0x0000563edc4a97a2 in JOIN_CACHE::free (this=0x8f8f8f8f8f8f8f8f) at /data/src/10.2/sql/sql_join_cache.h:673
 
#5  0x0000563edc47dd4c in st_join_table::cleanup (this=0x7f14100159a8) at /data/src/10.2/sql/sql_select.cc:11943
 
#6  0x0000563edc47ed5a in JOIN::cleanup (this=0x7f1410013d28, full=true) at /data/src/10.2/sql/sql_select.cc:12364
 
#7  0x0000563edc467c2d in JOIN::destroy (this=0x7f1410013d28) at /data/src/10.2/sql/sql_select.cc:3664
 
#8  0x0000563edc50ec7e in st_select_lex::cleanup (this=0x7f14100050c8) at /data/src/10.2/sql/sql_union.cc:1558
 
#9  0x0000563edc468201 in mysql_select (thd=0x7f1410000d90, tables=0x7f1410013610, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748609, result=0x7f1410013d08, unit=0x7f1410004988, select_lex=0x7f14100050c8) at /data/src/10.2/sql/sql_select.cc:3845
 
#10 0x0000563edc45c31a in handle_select (thd=0x7f1410000d90, lex=0x7f14100048c8, result=0x7f1410013d08, setup_tables_done_option=0) at /data/src/10.2/sql/sql_select.cc:361
 
#11 0x0000563edc426eb8 in execute_sqlcom_select (thd=0x7f1410000d90, all_tables=0x7f1410013610) at /data/src/10.2/sql/sql_parse.cc:6218
 
#12 0x0000563edc41d77a in mysql_execute_command (thd=0x7f1410000d90) at /data/src/10.2/sql/sql_parse.cc:3524
 
#13 0x0000563edc42ac47 in mysql_parse (thd=0x7f1410000d90, rawbuf=0x7f14100126f8 "SELECT DISTINCT CASE CONVERT(EXPORT_SET(0, COLLATION(BENCHMARK(1, BIT_OR(0))),0),TIME) WHEN a THEN 1 END AS f FROM t1", length=117, parser_state=0x7f1421eb75f0, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7733
 
#14 0x0000563edc418f56 in dispatch_command (command=COM_QUERY, thd=0x7f1410000d90, packet=0x7f1410008b51 "", packet_length=117, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1823
 
#15 0x0000563edc417a51 in do_command (thd=0x7f1410000d90) at /data/src/10.2/sql/sql_parse.cc:1377
 
#16 0x0000563edc571695 in do_handle_one_connection (connect=0x563edfffc9d0) at /data/src/10.2/sql/sql_connect.cc:1336
 
#17 0x0000563edc5713fa in handle_one_connection (arg=0x563edfffc9d0) at /data/src/10.2/sql/sql_connect.cc:1241
 
#18 0x0000563edcd95a6c in pfs_spawn_thread (arg=0x563ee00055a0) at /data/src/10.2/storage/perfschema/pfs.cc:1869
 
#19 0x00007f142826e609 in start_thread (arg=<optimized out>) at pthread_create.c:477
 
#20 0x00007f1427e48103 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.2 ASAN 7c5519c1

 
==1843582==ERROR: AddressSanitizer: use-after-poison on address 0x62b000003760 at pc 0x7f0f4aba4f2d bp 0x7f0f3fce6b80 sp 0x7f0f3fce6328
 
WRITE of size 944 at 0x62b000003760 thread T5
 
    #0 0x7f0f4aba4f2c  (/lib/x86_64-linux-gnu/libasan.so.5+0x67f2c)
 
    #1 0x5644d9edf101 in JOIN::make_aggr_tables_info() /data/src/10.2/sql/sql_select.cc:2680
 
    #2 0x5644d9ed9e5b in JOIN::optimize_inner() /data/src/10.2/sql/sql_select.cc:2246
 
    #3 0x5644d9ece69b in JOIN::optimize() /data/src/10.2/sql/sql_select.cc:1114
 
    #4 0x5644d9ee9cb1 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3819
 
    #5 0x5644d9ec6aa1 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361
 
    #6 0x5644d9e3ecaf in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6218
 
    #7 0x5644d9e2bab7 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3524
 
    #8 0x5644d9e48165 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7733
 
    #9 0x5644d9e21460 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1823
 
    #10 0x5644d9e1e23c in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1377
 
    #11 0x5644da1a1e99 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
 
    #12 0x5644da1a175c in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
 
    #13 0x5644db521b3b in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
 
    #14 0x7f0f4aa4c608 in start_thread /build/glibc-YYA7BZ/glibc-2.31/nptl/pthread_create.c:477
 
    #15 0x7f0f4a628102 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122102)
 
 
 
0x62b000003760 is located 13664 bytes inside of 24716-byte region [0x62b000000200,0x62b00000628c)
 
allocated by thread T5 here:
 
    #0 0x7f0f4ac4abc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
 
    #1 0x5644db704ce9 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
 
    #2 0x5644db6d109e in my_malloc /data/src/10.2/mysys/my_malloc.c:101
 
    #3 0x5644db6ae139 in reset_root_defaults /data/src/10.2/mysys/my_alloc.c:147
 
    #4 0x5644d9d68c27 in THD::init_for_queries() /data/src/10.2/sql/sql_class.cc:1313
 
    #5 0x5644da1a10da in prepare_new_connection_state(THD*) /data/src/10.2/sql/sql_connect.cc:1172
 
    #6 0x5644da1a17a6 in thd_prepare_connection(THD*) /data/src/10.2/sql/sql_connect.cc:1256
 
    #7 0x5644da1a1dc4 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1326
 
    #8 0x5644da1a175c in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
 
    #9 0x5644db521b3b in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
 
    #10 0x7f0f4aa4c608 in start_thread /build/glibc-YYA7BZ/glibc-2.31/nptl/pthread_create.c:477
 
 
 
Thread T5 created by T0 here:
 
    #0 0x7f0f4ab77805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
 
    #1 0x5644db521f2c in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1919
 
    #2 0x5644d9bc6177 in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1246
 
    #3 0x5644d9bddb07 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6518
 
    #4 0x5644d9bde298 in create_new_thread /data/src/10.2/sql/mysqld.cc:6588
 
    #5 0x5644d9bdf423 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6846
 
    #6 0x5644d9bdce79 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6137
 
    #7 0x5644d9bc4a5c in main /data/src/10.2/sql/main.cc:25
 
    #8 0x7f0f4a52d0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
 
 
 
SUMMARY: AddressSanitizer: use-after-poison (/lib/x86_64-linux-gnu/libasan.so.5+0x67f2c) 
Shadow bytes around the buggy address:
 
  0x0c567fff8690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
  0x0c567fff86a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
  0x0c567fff86b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
  0x0c567fff86c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
  0x0c567fff86d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
=>0x0c567fff86e0: 00 00 00 00 00 00 00 00 00 00 00 00[f7]00 00 f7
 
  0x0c567fff86f0: 00 00 f7 00 00 00 00 00 00 00 00 00 00 00 00 00
 
  0x0c567fff8700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
  0x0c567fff8710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
  0x0c567fff8720: 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 00 00
 
  0x0c567fff8730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
Shadow byte legend (one shadow byte represents 8 application bytes):
 
  Addressable:           00
 
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
 
  Freed heap region:       fd
 
  Stack left redzone:      f1
 
  Stack mid redzone:       f2
 
  Stack right redzone:     f3
 
  Stack after return:      f5
 
  Stack use after scope:   f8
 
  Global redzone:          f9
 
  Global init order:       f6
 
  Poisoned by user:        f7
 
  Container overflow:      fc
 
  Array cookie:            ac
 
  Intra object redzone:    bb
 
  ASan internal:           fe
 
  Left alloca redzone:     ca
 
  Right alloca redzone:    cb
 
  Shadow gap:              cc
 
==1843582==ABORTING

10.2 rel 7c5519c1

 
#5  <signal handler called>
 
#6  0x0000000000000002 in ?? ()
 
#7  0x00005653f7c1cf0e in copy_fields (param=0x7f90080128c0) at /data/src/10.2/sql/sql_select.cc:23502
 
#8  0x00005653f7c1d492 in end_write (join=0x7f9008010980, join_tab=0x7f9008012250, end_of_records=<optimized out>) at /data/src/10.2/sql/sql_select.cc:20259
 
#9  0x00005653f7c2b59a in AGGR_OP::put_record (this=<optimized out>) at /data/src/10.2/sql/sql_select.h:973
 
#10 sub_select_postjoin_aggr (join=0x7f9008010980, join_tab=<optimized out>, end_of_records=<optimized out>) at /data/src/10.2/sql/sql_select.cc:18577
 
#11 0x00005653f7bfddaf in evaluate_join_record (join=join@entry=0x7f9008010980, join_tab=join_tab@entry=0x7f9008011ea0, error=<optimized out>) at /data/src/10.2/sql/sql_select.cc:19076
 
#12 0x00005653f7c07b23 in sub_select (end_of_records=false, join_tab=0x7f9008011ea0, join=0x7f9008010980) at /data/src/10.2/sql/sql_select.cc:18856
 
#13 sub_select (join=0x7f9008010980, join_tab=0x7f9008011ea0, end_of_records=<optimized out>) at /data/src/10.2/sql/sql_select.cc:18791
 
#14 0x00005653f7c30757 in do_select (procedure=<optimized out>, join=0x7f9008010980) at /data/src/10.2/sql/sql_select.cc:18400
 
#15 JOIN::exec_inner (this=this@entry=0x7f9008010980) at /data/src/10.2/sql/sql_select.cc:3638
 
#16 0x00005653f7c309f7 in JOIN::exec (this=this@entry=0x7f9008010980) at /data/src/10.2/sql/sql_select.cc:3433
 
#17 0x00005653f7c30b3a in mysql_select (thd=0x7f9008000c48, tables=0x7f9008010268, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748609, result=0x7f9008010960, unit=0x7f9008004680, select_lex=0x7f9008004dc0) at /data/src/10.2/sql/sql_select.cc:3833
 
#18 0x00005653f7c314af in handle_select (thd=thd@entry=0x7f9008000c48, lex=lex@entry=0x7f90080045c0, result=result@entry=0x7f9008010960, setup_tables_done_option=setup_tables_done_option@entry=0) at /data/src/10.2/sql/sql_select.cc:361
 
#19 0x00005653f7bc6b91 in execute_sqlcom_select (thd=0x7f9008000c48, all_tables=0x7f9008010268) at /data/src/10.2/sql/sql_parse.cc:6218
 
#20 0x00005653f7bd41f2 in mysql_execute_command (thd=0x7f9008000c48) at /data/src/10.2/sql/sql_parse.cc:3524
 
#21 0x00005653f7bd70eb in mysql_parse (thd=thd@entry=0x7f9008000c48, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x7f9019ffb5b0, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /data/src/10.2/sql/sql_parse.cc:7733
 
#22 0x00005653f7bda39d in dispatch_command (command=COM_QUERY, thd=0x7f9008000c48, packet=<optimized out>, packet_length=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /data/src/10.2/sql/sql_class.h:1095
 
#23 0x00005653f7bdb527 in do_command (thd=0x7f9008000c48) at /data/src/10.2/sql/sql_parse.cc:1377
 
#24 0x00005653f7cb3876 in do_handle_one_connection (connect=connect@entry=0x5653f96996f8) at /data/src/10.2/sql/sql_connect.cc:1336
 
#25 0x00005653f7cb39ef in handle_one_connection (arg=arg@entry=0x5653f96996f8) at /data/src/10.2/sql/sql_connect.cc:1241
 
#26 0x00005653f824a9b6 in pfs_spawn_thread (arg=0x5653f96a4e38) at /data/src/10.2/storage/perfschema/pfs.cc:1869
 
#27 0x00007f90203b3609 in start_thread (arg=<optimized out>) at pthread_create.c:477
 
#28 0x00007f901ffa8103 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Reproducible with at least MyISAM, InnoDB, Aria, on release, debug and ASAN builds as shown above.
Not reproducible on 10.1 or 10.3+.

 Comments   
Comment by Elena Stepanova [ 2021-06-10 ]

Similarly meaningless test case with similar effects, affecting all of 10.2-10.6:

CREATE TABLE t1 (a VARCHAR(8) NULL, b BIGINT);
 
INSERT INTO t1 (a,b) VALUES (NULL,NULL),('foo',NULL);
 
 
 
SELECT DISTINCT STRCMP((b > COLLATION(STDDEV_SAMP(15750))), a) AS f FROM t1;
 
 
 
# Cleanup
 
DROP TABLE t1;

ASAN error is similar on 10.2-10.6:

10.2 7a1eff0a

 
 
==1859240==ERROR: AddressSanitizer: use-after-poison on address 0x62b000003100 at pc 0x7fab59559f2d bp 0x7fab4e0e6cb0 sp 0x7fab4e0e6458
 
WRITE of size 944 at 0x62b000003100 thread T5
 
    #0 0x7fab59559f2c  (/lib/x86_64-linux-gnu/libasan.so.5+0x67f2c)
 
    #1 0x55985aca169d in JOIN::make_aggr_tables_info() /data/src/10.2/sql/sql_select.cc:2693
 
    #2 0x55985ac9c3e1 in JOIN::optimize_inner() /data/src/10.2/sql/sql_select.cc:2259
 
    #3 0x55985ac90c21 in JOIN::optimize() /data/src/10.2/sql/sql_select.cc:1127
 
    #4 0x55985acac328 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3835
 
    #5 0x55985ac88eef in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361
 
    #6 0x55985abffd5c in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6271
 
    #7 0x55985abed0e5 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3582
 
    #8 0x55985ac09271 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7793
 
    #9 0x55985abe2476 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
 
    #10 0x55985abdf241 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
 
    #11 0x55985af68faf in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
 
    #12 0x55985af68872 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
 
    #13 0x55985c30ea01 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
 
    #14 0x7fab58f85608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
 
    #15 0x7fab58b61292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
 
 
 
0x62b000003100 is located 12032 bytes inside of 24716-byte region [0x62b000000200,0x62b00000628c)
 
allocated by thread T5 here:
 
    #0 0x7fab595ffbc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
 
    #1 0x55985c42b4ee in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
 
    #2 0x55985c3f7477 in my_malloc /data/src/10.2/mysys/my_malloc.c:101
 
    #3 0x55985c3d425b in reset_root_defaults /data/src/10.2/mysys/my_alloc.c:147
 
    #4 0x55985ab27fe7 in THD::init_for_queries() /data/src/10.2/sql/sql_class.cc:1316
 
    #5 0x55985af681e5 in prepare_new_connection_state(THD*) /data/src/10.2/sql/sql_connect.cc:1172
 
    #6 0x55985af688bc in thd_prepare_connection(THD*) /data/src/10.2/sql/sql_connect.cc:1256
 
    #7 0x55985af68eda in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1326
 
    #8 0x55985af68872 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
 
    #9 0x55985c30ea01 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
 
    #10 0x7fab58f85608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
 
 
 
Thread T5 created by T0 here:
 
    #0 0x7fab5952c805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
 
    #1 0x55985c30edf2 in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1919
 
    #2 0x55985a983243 in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1246
 
    #3 0x55985a99b19a in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6573
 
    #4 0x55985a99b935 in create_new_thread /data/src/10.2/sql/mysqld.cc:6643
 
    #5 0x55985a99cad8 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6901
 
    #6 0x55985a99a4eb in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6192
 
    #7 0x55985a981afc in main /data/src/10.2/sql/main.cc:25
 
    #8 0x7fab58a660b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
 
 
 
SUMMARY: AddressSanitizer: use-after-poison (/lib/x86_64-linux-gnu/libasan.so.5+0x67f2c) 
Shadow bytes around the buggy address:
 
  0x0c567fff85d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
  0x0c567fff85e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
  0x0c567fff85f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
  0x0c567fff8600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
  0x0c567fff8610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
=>0x0c567fff8620:[f7]00 00 f7 00 00 f7 00 00 00 00 00 00 00 00 00
 
  0x0c567fff8630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
  0x0c567fff8640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
  0x0c567fff8650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
  0x0c567fff8660: 00 f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
  0x0c567fff8670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
Shadow byte legend (one shadow byte represents 8 application bytes):
 
  Addressable:           00
 
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
 
  Freed heap region:       fd
 
  Stack left redzone:      f1
 
  Stack mid redzone:       f2
 
  Stack right redzone:     f3
 
  Stack after return:      f5
 
  Stack use after scope:   f8
 
  Global redzone:          f9
 
  Global init order:       f6
 
  Poisoned by user:        f7
 
  Container overflow:      fc
 
  Array cookie:            ac
 
  Intra object redzone:    bb
 
  ASan internal:           fe
 
  Left alloca redzone:     ca
 
  Right alloca redzone:    cb
 
  Shadow gap:              cc
 
==1859240==ABORTING

Non-ASAN debug build crashes on 10.2-10.5 and causes an assertion failure on 10.6:

10.2 7a1eff0a debug

 
#3  <signal handler called>
 
#4  0x00005645b1d43a28 in JOIN_CACHE::free (this=0x8f8f8f8f8f8f8f8f) at /data/src/10.2/sql/sql_join_cache.h:682
 
#5  0x00005645b1d17e0e in st_join_table::cleanup (this=0x7fc9d8015400) at /data/src/10.2/sql/sql_select.cc:11955
 
#6  0x00005645b1d18eae in JOIN::cleanup (this=0x7fc9d8013758, full=true) at /data/src/10.2/sql/sql_select.cc:12381
 
#7  0x00005645b1d18b45 in JOIN::join_free (this=0x7fc9d8013758) at /data/src/10.2/sql/sql_select.cc:12284
 
#8  0x00005645b1d28233 in do_select (join=0x7fc9d8013758, procedure=0x0) at /data/src/10.2/sql/sql_select.cc:18464
 
#9  0x00005645b1d01c0d in JOIN::exec_inner (this=0x7fc9d8013758) at /data/src/10.2/sql/sql_select.cc:3651
 
#10 0x00005645b1d010b4 in JOIN::exec (this=0x7fc9d8013758) at /data/src/10.2/sql/sql_select.cc:3446
 
#11 0x00005645b1d0228e in mysql_select (thd=0x7fc9d8000d90, tables=0x7fc9d8013038, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748609, result=0x7fc9d8013738, unit=0x7fc9d8004988, select_lex=0x7fc9d80050d8) at /data/src/10.2/sql/sql_select.cc:3849
 
#12 0x00005645b1cf63e2 in handle_select (thd=0x7fc9d8000d90, lex=0x7fc9d80048c8, result=0x7fc9d8013738, setup_tables_done_option=0) at /data/src/10.2/sql/sql_select.cc:361
 
#13 0x00005645b1cc0ad6 in execute_sqlcom_select (thd=0x7fc9d8000d90, all_tables=0x7fc9d8013038) at /data/src/10.2/sql/sql_parse.cc:6271
 
#14 0x00005645b1cb764a in mysql_execute_command (thd=0x7fc9d8000d90) at /data/src/10.2/sql/sql_parse.cc:3582
 
#15 0x00005645b1cc4892 in mysql_parse (thd=0x7fc9d8000d90, rawbuf=0x7fc9d8012708 "SELECT DISTINCT STRCMP((b > COLLATION(STDDEV_SAMP(15750))), a) AS f FROM t1", length=75, parser_state=0x7fc9e87f5560, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7793
 
#16 0x00005645b1cb2aed in dispatch_command (command=COM_QUERY, thd=0x7fc9d8000d90, packet=0x7fc9d8008b61 "", packet_length=75, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1827
 
#17 0x00005645b1cb15e8 in do_command (thd=0x7fc9d8000d90) at /data/src/10.2/sql/sql_parse.cc:1381
 
#18 0x00005645b1e0ca81 in do_handle_one_connection (connect=0x5645b499b0d0) at /data/src/10.2/sql/sql_connect.cc:1336
 
#19 0x00005645b1e0c7e6 in handle_one_connection (arg=0x5645b499b0d0) at /data/src/10.2/sql/sql_connect.cc:1241
 
#20 0x00005645b2638bf2 in pfs_spawn_thread (arg=0x5645b497e4d0) at /data/src/10.2/storage/perfschema/pfs.cc:1869
 
#21 0x00007fc9eecf8609 in start_thread (arg=<optimized out>) at pthread_create.c:477
 
#22 0x00007fc9ee8d4293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.6 1bd681c8 debug

 
mariadbd: /data/src/10.6/mysys/mf_iocache.c:428: reinit_io_cache: Assertion `info->type == READ_CACHE || info->type == WRITE_CACHE' failed.
 
210611  1:55:55 [ERROR] mysqld got signal 6 ;
 
 
 
#7  0x00007f49678fcf36 in __GI___assert_fail (assertion=0x55845b8fb1d0 "info->type == READ_CACHE || info->type == WRITE_CACHE", file=0x55845b8faff0 "/data/src/10.6/mysys/mf_iocache.c", line=428, function=0x55845b8fb790 <__PRETTY_FUNCTION__.15116> "reinit_io_cache") at assert.c:101
 
#8  0x000055845b366175 in reinit_io_cache (info=0x7f49500193a0, type=READ_CACHE, seek_offset=0, use_async_io=0 '\000', clear_cache=0 '\000') at /data/src/10.6/mysys/mf_iocache.c:428
 
#9  0x000055845ac2ca52 in init_read_record (info=0x7f4950018af8, thd=0x7f4950000db8, table=0x7f49500faee8, select=0x7f4950019380, filesort=0x0, use_record_cache=1, print_error=true, disable_rr_cache=false) at /data/src/10.6/sql/records.cc:242
 
#10 0x000055845a7602e3 in join_init_read_record (tab=0x7f4950018a30) at /data/src/10.6/sql/sql_select.cc:21957
 
#11 0x000055845a75ddbe in sub_select (join=0x7f49500173d0, join_tab=0x7f4950018a30, end_of_records=false) at /data/src/10.6/sql/sql_select.cc:20993
 
#12 0x000055845a75d32c in do_select (join=0x7f49500173d0, procedure=0x0) at /data/src/10.6/sql/sql_select.cc:20543
 
#13 0x000055845a730b51 in JOIN::exec_inner (this=0x7f49500173d0) at /data/src/10.6/sql/sql_select.cc:4726
 
#14 0x000055845a72fbc7 in JOIN::exec (this=0x7f49500173d0) at /data/src/10.6/sql/sql_select.cc:4504
 
#15 0x000055845a731501 in mysql_select (thd=0x7f4950000db8, tables=0x7f49500163e0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748609, result=0x7f49500173a8, unit=0x7f4950005130, select_lex=0x7f49500156b8) at /data/src/10.6/sql/sql_select.cc:4982
 
#16 0x000055845a7207ad in handle_select (thd=0x7f4950000db8, lex=0x7f4950005068, result=0x7f49500173a8, setup_tables_done_option=0) at /data/src/10.6/sql/sql_select.cc:544
 
#17 0x000055845a6e182c in execute_sqlcom_select (thd=0x7f4950000db8, all_tables=0x7f49500163e0) at /data/src/10.6/sql/sql_parse.cc:6242
 
#18 0x000055845a6d8ad5 in mysql_execute_command (thd=0x7f4950000db8) at /data/src/10.6/sql/sql_parse.cc:3937
 
#19 0x000055845a6e6676 in mysql_parse (thd=0x7f4950000db8, rawbuf=0x7f49500155c0 "SELECT DISTINCT STRCMP((b > COLLATION(STDDEV_SAMP(15750))), a) AS f FROM t1", length=75, parser_state=0x7f4962157480) at /data/src/10.6/sql/sql_parse.cc:8016
 
#20 0x000055845a6d2b00 in dispatch_command (command=COM_QUERY, thd=0x7f4950000db8, packet=0x7f495000b879 "", packet_length=75, blocking=true) at /data/src/10.6/sql/sql_parse.cc:1897
 
#21 0x000055845a6d14a5 in do_command (thd=0x7f4950000db8, blocking=true) at /data/src/10.6/sql/sql_parse.cc:1406
 
#22 0x000055845a88dcff in do_handle_one_connection (connect=0x55845eb93cb8, put_in_cache=true) at /data/src/10.6/sql/sql_connect.cc:1410
 
#23 0x000055845a88da5b in handle_one_connection (arg=0x55845eb91018) at /data/src/10.6/sql/sql_connect.cc:1312
 
#24 0x000055845adf97bd in pfs_spawn_thread (arg=0x55845eb93808) at /data/src/10.6/storage/perfschema/pfs.cc:2201
 
#25 0x00007f4967e14609 in start_thread (arg=<optimized out>) at pthread_create.c:477
 
#26 0x00007f49679e8293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Non-debug build crashes on 10.2-10.6:

10.2 7a1eff0a non-debug

 
#5  <signal handler called>
 
#6  0x0000000000000002 in ?? ()
 
#7  0x000055f291a4e11e in copy_fields (param=0x7f13f8012318) at /data/src/10.2/sql/sql_select.cc:23520
 
#8  0x000055f291a4e6a2 in end_write (join=0x7f13f80103b0, join_tab=0x7f13f8011ca8, end_of_records=<optimized out>) at /data/src/10.2/sql/sql_select.cc:20277
 
#9  0x000055f291a5c7fa in AGGR_OP::put_record (this=<optimized out>) at /data/src/10.2/sql/sql_select.h:973
 
#10 sub_select_postjoin_aggr (join=0x7f13f80103b0, join_tab=<optimized out>, end_of_records=<optimized out>) at /data/src/10.2/sql/sql_select.cc:18595
 
#11 0x000055f291a2efcf in evaluate_join_record (join=join@entry=0x7f13f80103b0, join_tab=join_tab@entry=0x7f13f80118f8, error=<optimized out>) at /data/src/10.2/sql/sql_select.cc:19094
 
#12 0x000055f291a38d43 in sub_select (end_of_records=false, join_tab=0x7f13f80118f8, join=0x7f13f80103b0) at /data/src/10.2/sql/sql_select.cc:18874
 
#13 sub_select (join=0x7f13f80103b0, join_tab=0x7f13f80118f8, end_of_records=<optimized out>) at /data/src/10.2/sql/sql_select.cc:18809
 
#14 0x000055f291a619c7 in do_select (procedure=<optimized out>, join=0x7f13f80103b0) at /data/src/10.2/sql/sql_select.cc:18418
 
#15 JOIN::exec_inner (this=this@entry=0x7f13f80103b0) at /data/src/10.2/sql/sql_select.cc:3651
 
#16 0x000055f291a61c67 in JOIN::exec (this=this@entry=0x7f13f80103b0) at /data/src/10.2/sql/sql_select.cc:3446
 
#17 0x000055f291a61daa in mysql_select (thd=0x7f13f8000c48, tables=0x7f13f800fc90, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x7f13f8010390, unit=0x7f13f8004680, select_lex=0x7f13f8004dd0) at /data/src/10.2/sql/sql_select.cc:3849
 
#18 0x000055f291a62747 in handle_select (thd=thd@entry=0x7f13f8000c48, lex=lex@entry=0x7f13f80045c0, result=result@entry=0x7f13f8010390, setup_tables_done_option=setup_tables_done_option@entry=0) at /data/src/10.2/sql/sql_select.cc:361
 
#19 0x000055f2919f7d01 in execute_sqlcom_select (thd=0x7f13f8000c48, all_tables=0x7f13f800fc90) at /data/src/10.2/sql/sql_parse.cc:6271
 
#20 0x000055f291a0550a in mysql_execute_command (thd=<optimized out>) at /data/src/10.2/sql/sql_parse.cc:3582
 
#21 0x000055f291a0820b in mysql_parse (thd=thd@entry=0x7f13f8000c48, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x7f1409e56520, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /data/src/10.2/sql/sql_parse.cc:7793
 
#22 0x000055f291a0b41d in dispatch_command (command=COM_QUERY, thd=0x7f13f8000c48, packet=<optimized out>, packet_length=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /data/src/10.2/sql/sql_class.h:1109
 
#23 0x000055f291a0c63d in do_command (thd=0x7f13f8000c48) at /data/src/10.2/sql/sql_parse.cc:1381
 
#24 0x000055f291ae59d6 in do_handle_one_connection (connect=connect@entry=0x55f2942fd2c8) at /data/src/10.2/sql/sql_connect.cc:1336
 
#25 0x000055f291ae5b4f in handle_one_connection (arg=arg@entry=0x55f2942fd2c8) at /data/src/10.2/sql/sql_connect.cc:1241
 
#26 0x000055f2920827b6 in pfs_spawn_thread (arg=0x55f29430e1b8) at /data/src/10.2/storage/perfschema/pfs.cc:1869
 
#27 0x00007f141035b609 in start_thread (arg=<optimized out>) at pthread_create.c:477
 
#28 0x00007f140ff52293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.3 75a65d32 non-debug

 
#3  <signal handler called>
 
#4  base_list_iterator::next_fast (this=<synthetic pointer>) at /data/src/10.3/sql/sql_list.h:442
 
#5  List_iterator_fast<Item>::operator++ (this=<synthetic pointer>) at /data/src/10.3/sql/sql_list.h:562
 
#6  copy_fields (param=0x7f124c012750) at /data/src/10.3/sql/sql_select.cc:24494
 
#7  0x00005608366f99e2 in end_write (join=0x7f124c0107f8, join_tab=0x7f124c012100, end_of_records=<optimized out>) at /data/src/10.3/sql/sql_select.cc:21231
 
#8  0x000056083670827a in AGGR_OP::put_record (this=<optimized out>) at /data/src/10.3/sql/sql_select.h:1030
 
#9  sub_select_postjoin_aggr (join=0x7f124c0107f8, join_tab=<optimized out>, end_of_records=<optimized out>) at /data/src/10.3/sql/sql_select.cc:19542
 
#10 0x00005608366d5489 in evaluate_join_record (join=join@entry=0x7f124c0107f8, join_tab=join_tab@entry=0x7f124c011d70, error=<optimized out>) at /data/src/10.3/sql/sql_select.cc:20040
 
#11 0x00005608366e3443 in sub_select (end_of_records=false, join_tab=0x7f124c011d70, join=0x7f124c0107f8) at /data/src/10.3/sql/sql_select.cc:19820
 
#12 sub_select (join=0x7f124c0107f8, join_tab=0x7f124c011d70, end_of_records=false) at /data/src/10.3/sql/sql_select.cc:19755
 
#13 0x000056083670d7ce in do_select (procedure=<optimized out>, join=0x7f124c0107f8) at /data/src/10.3/sql/sql_select.cc:19360
 
#14 JOIN::exec_inner (this=this@entry=0x7f124c0107f8) at /data/src/10.3/sql/sql_select.cc:4138
 
#15 0x000056083670db37 in JOIN::exec (this=this@entry=0x7f124c0107f8) at /data/src/10.3/sql/sql_select.cc:3932
 
#16 0x000056083670dc82 in mysql_select (thd=0x7f124c000c48, tables=0x7f124c010088, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x7f124c0107d0, unit=0x7f124c004950, select_lex=0x7f124c0050e8) at /data/src/10.3/sql/sql_select.cc:4340
 
#17 0x000056083670e5cb in handle_select (thd=thd@entry=0x7f124c000c48, lex=lex@entry=0x7f124c004890, result=result@entry=0x7f124c0107d0, setup_tables_done_option=setup_tables_done_option@entry=0) at /data/src/10.3/sql/sql_select.cc:372
 
#18 0x000056083669e621 in execute_sqlcom_select (thd=0x7f124c000c48, all_tables=0x7f124c010088) at /data/src/10.3/sql/sql_parse.cc:6339
 
#19 0x00005608366ac2f4 in mysql_execute_command (thd=<optimized out>) at /data/src/10.3/sql/sql_parse.cc:3870
 
#20 0x00005608366aee63 in mysql_parse (thd=0x7f124c000c48, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /data/src/10.3/sql/sql_parse.cc:7870
 
#21 0x00005608366b123d in dispatch_command (command=COM_QUERY, thd=0x7f124c000c48, packet=<optimized out>, packet_length=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /data/src/10.3/sql/sql_class.h:1152
 
#22 0x00005608366b31ed in do_command (thd=0x7f124c000c48) at /data/src/10.3/sql/sql_parse.cc:1398
 
#23 0x000056083679b6e6 in do_handle_one_connection (connect=connect@entry=0x560838a6c288) at /data/src/10.3/sql/sql_connect.cc:1403
 
#24 0x000056083679b8bf in handle_one_connection (arg=arg@entry=0x560838a6c288) at /data/src/10.3/sql/sql_connect.cc:1308
 
#25 0x0000560836d7a796 in pfs_spawn_thread (arg=0x560838b50048) at /data/src/10.3/storage/perfschema/pfs.cc:1869
 
#26 0x00007f126ddb4609 in start_thread (arg=<optimized out>) at pthread_create.c:477
 
#27 0x00007f126dcdb293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.6 1bd681c8 non-debug

 
#3  <signal handler called>
 
#4  0x0000557a9df8dca0 in vtable for Duplicate_weedout_picker ()
 
#5  0x0000557a9d0a0621 in copy_fields (param=0x7f7c500147d0) at /data/src/10.6/sql/sql_select.cc:25767
 
#6  0x0000557a9d0a0b62 in end_write (join=0x7f7c50012750, join_tab=0x7f7c50014160, end_of_records=<optimized out>) at /data/src/10.6/sql/sql_select.cc:22461
 
#7  0x0000557a9d078567 in evaluate_join_record (join=0x7f7c50012750, join_tab=0x7f7c50013db0, error=<optimized out>) at /data/src/10.6/sql/sql_select.cc:21219
 
#8  0x0000557a9d08a1e3 in sub_select (end_of_records=false, join_tab=0x7f7c50013db0, join=0x7f7c50012750) at /data/src/10.6/sql/sql_select.cc:20996
 
#9  sub_select (join=0x7f7c50012750, join_tab=0x7f7c50013db0, end_of_records=<optimized out>) at /data/src/10.6/sql/sql_select.cc:20925
 
#10 0x0000557a9d0b774c in do_select (procedure=<optimized out>, join=0x7f7c50012750) at /data/src/10.6/sql/sql_select.cc:20543
 
#11 JOIN::exec_inner (this=0x7f7c50012750) at /data/src/10.6/sql/sql_select.cc:4726
 
#12 0x0000557a9d0b7b29 in JOIN::exec (this=this@entry=0x7f7c50012750) at /data/src/10.6/sql/sql_select.cc:4504
 
#13 0x0000557a9d0b5b9a in mysql_select (thd=0x7f7c50000c58, tables=0x7f7c50011760, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x7f7c50012728, unit=0x7f7c50004e10, select_lex=0x7f7c50010a38) at /data/src/10.6/sql/sql_select.cc:4982
 
#14 0x0000557a9d0b6367 in handle_select (thd=thd@entry=0x7f7c50000c58, lex=lex@entry=0x7f7c50004d48, result=result@entry=0x7f7c50012728, setup_tables_done_option=setup_tables_done_option@entry=0) at /data/src/10.6/sql/sql_select.cc:544
 
#15 0x0000557a9d046b71 in execute_sqlcom_select (thd=0x7f7c50000c58, all_tables=0x7f7c50011760) at /data/src/10.6/sql/sql_parse.cc:6242
 
#16 0x0000557a9d054835 in mysql_execute_command (thd=0x7f7c50000c58) at /data/src/10.6/sql/sql_parse.cc:3937
 
#17 0x0000557a9d041ac5 in mysql_parse (thd=0x7f7c50000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /data/src/10.6/sql/sql_parse.cc:8016
 
#18 0x0000557a9d04d9ed in dispatch_command (command=COM_QUERY, thd=0x7f7c50000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /data/src/10.6/sql/sql_class.h:1340
 
#19 0x0000557a9d04f928 in do_command (thd=0x7f7c50000c58, blocking=blocking@entry=true) at /data/src/10.6/sql/sql_parse.cc:1406
 
#20 0x0000557a9d15e2d7 in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /data/src/10.6/sql/sql_connect.cc:1410
 
#21 0x0000557a9d15e63d in handle_one_connection (arg=arg@entry=0x557aa0db2428) at /data/src/10.6/sql/sql_connect.cc:1312
 
#22 0x0000557a9d4e3e3d in pfs_spawn_thread (arg=0x557aa0d40e28) at /data/src/10.6/storage/perfschema/pfs.cc:2201
 
#23 0x00007f7c70eeb609 in start_thread (arg=<optimized out>) at pthread_create.c:477
 
#24 0x00007f7c70ada293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Comment by Alice Sherepa [ 2021-08-27 ]

test case from MDEV-26431:

CREATE TABLE t1 (a BIGINT) AS SELECT 1 AS v3 UNION SELECT FALSE ;
 
 SELECT DISTINCT a IN ( COLLATION (AVG ('x'))) FROM t1 ;

fails on 10.2-10.6

10.2 228630f61ac10240c3671

 
210827 16:13:35 [ERROR] mysqld got signal 11 ;
 
 
 
Server version: 10.2.41-MariaDB-debug-log
 
 
 
sigaction.c:0(__restore_rt)[0x7f2c794c63c0]
 
sql/sql_join_cache.h:682(JOIN_CACHE::free())[0x55ab0db76ee2]
 
sql/sql_select.cc:11977(st_join_table::cleanup())[0x55ab0db4b21c]
 
sql/sql_select.cc:12403(JOIN::cleanup(bool))[0x55ab0db4c2bc]
 
sql/sql_select.cc:12307(JOIN::join_free())[0x55ab0db4bf53]
 
sql/sql_select.cc:18487(do_select(JOIN*, Procedure*))[0x55ab0db5b641]
 
sql/sql_select.cc:3651(JOIN::exec_inner())[0x55ab0db34f4b]
 
sql/sql_select.cc:3447(JOIN::exec())[0x55ab0db343f2]
 
sql/sql_select.cc:3851(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55ab0db355cc]
 
sql/sql_select.cc:361(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55ab0db29720]
 
sql/sql_parse.cc:6271(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55ab0daf3d86]
 
sql/sql_parse.cc:3582(mysql_execute_command(THD*))[0x55ab0daea8fa]
 
sql/sql_parse.cc:7793(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55ab0daf7b42]
 
sql/sql_parse.cc:1830(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55ab0dae5d9d]
 
sql/sql_parse.cc:1381(do_command(THD*))[0x55ab0dae4898]
 
sql/sql_connect.cc:1336(do_handle_one_connection(CONNECT*))[0x55ab0dc40661]
 
sql/sql_connect.cc:1242(handle_one_connection)[0x55ab0dc403c6]
 
perfschema/pfs.cc:1871(pfs_spawn_thread)[0x55ab0e469ec4]
 
nptl/pthread_create.c:478(start_thread)[0x7f2c794ba609]
 
x86_64/clone.S:97(__GI___clone)[0x7f2c79095293]
 
 
 
Query (0x7f2c1c012708): SELECT DISTINCT a IN ( COLLATION (AVG ('x'))) FROM t1

Comment by Steve Beattie [ 2022-07-01 ]

Hi, it appears the duplicate issue MDEV-26431 was assigned CVE-2022-32091.

(I'm just a messenger, not the person who allocated the CVE identifier.)

Comment by Sergei Golubchik [ 2022-07-02 ]

Thanks for the info!

Comment by Oleksandr Byelkin [ 2022-07-05 ]

Original test suite is not repeatable, but both in comments are

Comment by Oleksandr Byelkin [ 2022-07-06 ]

the address allocated as JOIN_TAB_RANGE but used as JOIN_TAB

Comment by Oleksandr Byelkin [ 2022-07-06 ] 

    if ((group_list &&
 
         (!test_if_subpart(group_list, order) || select_distinct)) ||
 
        (select_distinct && tmp_table_param.using_outer_summary_function))
 
    {					/* Must copy to another table */
 
      DBUG_PRINT("info",("Creating group table"));
 
 
 
      calc_group_buffer(this, group_list);
 
      count_field_types(select_lex, &tmp_table_param, tmp_all_fields1,
 
                        select_distinct && !group_list);
 
      tmp_table_param.hidden_field_count=
 
        tmp_all_fields1.elements - tmp_fields_list1.elements;
 
 
 
      curr_tab++;

in JOIN::make_aggr_tables_info step over last join tab (so overrun memory).

Comment by Oleksandr Byelkin [ 2022-07-06 ]

before we decided use only one temporary table so try to use second fails

Comment by Oleksandr Byelkin [ 2022-07-06 ]

JOIN::get_best_combination count only 1 aggr_tables when above trys to use 2

Comment by Oleksandr Byelkin [ 2022-07-06 ]
  • JOIN::get_best_combination have tmp_table_param.using_outer_summary_function set as FALSE so counts only 1 temporary table and allocate memory in JOIN_TAB array only for one temporary table
  • JOIN::create_postjoin_aggr_table (called from JOIN::make_aggr_tables_info) set tmp_table_param.using_outer_summary_function to true: 

      tmp_table_param.using_outer_summary_function=
    		 
        tab->tmp_table_param->using_outer_summary_function;

  • JOIN::make_aggr_tables_info later based on the new value of tmp_table_param.using_outer_summary_function thinks that we have 2 temporary tables allocated in JOIN_TABs array and overrun memory here: 

        /*
    		 
          If we have different sort & group then we must sort the data by group
    		 
          and copy it to another tmp table
    		 
          This code is also used if we are using distinct something
    		 
          we haven't been able to store in the temporary table yet
    		 
          like SEC_TO_TIME(SUM(...)).
    		 
        */
    		 
        if ((group_list &&
    		 
             (!test_if_subpart(group_list, order) || select_distinct)) ||
    		 
            (select_distinct && tmp_table_param.using_outer_summary_function))
    		 
        {					/* Must copy to another table */
    		 
          DBUG_PRINT("info",("Creating group table"));
    		 
    ...
    		 
         curr_tab++;
    		 
          aggr_tables++;
    		 
          bzero((void*)curr_tab, sizeof(JOIN_TAB));
    		 
    ...

    then probably memory is trashed taking into account "new" number of temporary tables.

Comment by Mingli-Yu [ 2022-07-07 ]

Does the version 10.8.3 have the issue? Thanks!

Comment by Alice Sherepa [ 2022-07-07 ]

Mingli-Yu yes, 10.8.3 is also affected

Comment by Sergei Petrunia [ 2022-07-26 ]

Indeed the logic in the code seems to be wrong:

using_outer_summary_function is checked in JOIN::get_best_combination(). But this variable is set at a much later phase in Create_tmp_table::add_fields().

Comment by Sergei Petrunia [ 2022-07-26 ]

using_outer_summary_function was introduced by 

commit 2cfc450bf78c2d951729d1a0e8f731c0d987b1d5
 
Author: Igor Babaev <igor@askmonty.org>
 
Date:   Tue Feb 9 12:35:59 2016 -0800
 
 
 
    This is the consolidated patch for mdev-8646:
 
    "Re-factor the code for post-join operations".
 
    
    The patch mainly contains the code ported from mysql-5.6 and
 
    created for two essential architectural changes:
 
    1. WL#5558: Resolve ORDER BY execution method at the optimization stage
 
    2. WL#6071: Inline tmp tables into the nested loops algorithm
 
...

It is a rename of using_indirect_summary_function, which was introduced in

commit ce2260586dc18bf2b46e5ede488db085da33edf9
 
Author: monty@donna.mysql.com <>
 
Date:   Sun Jan 28 21:35:50 2001 +0200
 
 
 
    Fixed ALTER TABLE on MERGE tables
 
    Fixed bug in DISTINCT

Comment by Sergei Petrunia [ 2022-07-27 ]

Another suspicious thing: JOIN::implicit_grouping=false for this query. I think it should be try. Changing the query slightly makes it true.

Comment by Sergei Petrunia [ 2022-07-27 ]

.. it's false, because the query actually has no aggregate functions:

SELECT DISTINCT a IN ( COLLATION (AVG ('x'))) FROM t1

Note AVG('X'). It's a constant, and the code in fix_fields() replaces it with a constant.

  $159 = 0x555557aff3c0 <dbug_item_print_buf> "t1.a = 0"

(the "a IN (b)" is replaced with a=b at parser level. Then, numeric comparison is used for the equality, and COLLATION(AVG('X')) is replaced with "0".)

Then, we have this:

(gdb) p item->args[0]
 
  $160 = (Item_aggregate_ref *) 0x7fff9c018d38
 
(gdb) p item->args[1]->with_sum_func()
 
  $161 = false


(gdb) p item->args[1]
 
  $162 = (Item_int_with_ref *) 0x7fff9c018cb8
 
(gdb) p item->args[1]->with_sum_func()
 
  $163 = false


(gdb) p item->args[0]->ref[0]
 
  $165 = (Item_field *) 0x7fff9c016dd8

Comment by Sergei Petrunia [ 2022-07-29 ]

Trying a similar example that works:

create table t1 (a int, b int);
 
insert into t1 select seq, seq from seq_1_to_10;
 
explain select distinct a, avg(1)+1 from t10;
 
+------+-------------+-------+------+---------------+------+---------+------+------+-------+
 
| id   | select_type | table | type | possible_keys | key  | key_len | ref  | rows | Extra |
 
+------+-------------+-------+------+---------------+------+---------+------+------+-------+
 
|    1 | SIMPLE      | t10   | ALL  | NULL          | NULL | NULL    | NULL | 6    |       |
 
+------+-------------+-------+------+---------------+------+---------+------+------+-------+

Note that this doesn't use temp.table. This is correct: implicit grouping operation doesn't require a temp table; after that we have just one row and do not need to remove duplicates.

Debugging this query:

In JOIN::get_best_combination(), select_distinct=true.
This causes aggr_tables=1.

Then, this code in JOIN::optimize_stage2(): (Denote as DISTINCT-REMOVAL)

  if (group || tmp_table_param.sum_func_count)
 
  {
 
    if (! hidden_group_fields && rollup.state == ROLLUP::STATE_NONE
 
        && !select_lex->have_window_funcs())
 
      select_distinct=0;
 
  }

sets select_distinct to 0.
(Here group=false, sum_func_count=1, hidden_group_fields=false)

Then we reach this line:

  need_tmp= test_if_need_tmp_table();

and get need_tmp=false.

Also, implicit_grouping=true for this query. It is set to true in JOIN::prepare(), JOIN::prepare_stage2():

  if (tmp_table_param.sum_func_count && !group_list)
 
  {
 
    implicit_grouping= TRUE;
 
    // Result will contain zero or one row - ordering is meaningless
 
    order= NULL;
 
  }

Comment by Sergei Petrunia [ 2022-07-29 ]

Now, debugging the failing query.

DISTINCT-REMOVAL doesn't fire because tmp_table_param.sum_func_count=0.
If I set select_distinct=0 manually, I get no grouping:

+-------------------------------+
 
| a IN ( COLLATION (AVG ('x'))) |
 
+-------------------------------+
 
|                          NULL |
 
|                          NULL |
 
+-------------------------------+

Comment by Sergei Petrunia [ 2022-08-03 ]

Ok, the description of the failure using this example query:

SELECT DISTINCT a IN ( COLLATION (AVG ('x'))) FROM t1 ;

The first component is: COLLATION(AVG('x')) is replaced with a constant here:

(gdb) wher
 
  #0  convert_const_to_int (thd=0x7fff7c000d50, field_item=0x7fff7c013978, item=0x7fff7c013eb8) at /home/psergey/dev-git/10.3-r3/sql/item_cmpfunc.cc:345
 
  #1  0x0000555555fbcea3 in Item_func::convert_const_compared_to_int_field (this=0x7fff7c013e20, thd=0x7fff7c000d50) at /home/psergey/dev-git/10.3-r3/sql/item_cmpfunc.cc:421
 
  #2  0x0000555555fbd073 in Item_func::setup_args_and_comparator (this=0x7fff7c013e20, thd=0x7fff7c000d50, cmp=0x7fff7c013ee0) at /home/psergey/dev-git/10.3-r3/sql/item_cmpfunc.cc:441
 
  #3  0x0000555555fbd239 in Item_bool_rowready_func2::fix_length_and_dec (this=0x7fff7c013e20) at /home/psergey/dev-git/10.3-r3/sql/item_cmpfunc.cc:474
 
  #4  0x0000555555ffcaff in Item_func::fix_fields (this=0x7fff7c013e20, thd=0x7fff7c000d50, ref=0x7fff7c013f90) at /home/psergey/dev-git/10.3-r3/sql/item_func.cc:370
 
  #5  0x0000555555b4a46c in Item::fix_fields_if_needed (this=0x7fff7c013e20, thd=0x7fff7c000d50, ref=0x7fff7c013f90) at /home/psergey/dev-git/10.3-r3/sql/item.h:829
 
  #6  0x0000555555b4a499 in Item::fix_fields_if_needed_for_scalar (this=0x7fff7c013e20, thd=0x7fff7c000d50, ref=0x7fff7c013f90) at /home/psergey/dev-git/10.3-r3/sql/item.h:833
 
  #7  0x0000555555bc473e in setup_fields (thd=0x7fff7c000d50, ref_pointer_array=..., fields=..., column_usage=MARK_COLUMNS_READ, sum_func_list=0x7fff7c014aa0, pre_fix=0x7fff7c0054d8, allow_sum_func=true) at /home/psergey/dev-git/10.3-r3/sql/sql_base.cc:7542
 
  #8  0x0000555555c9768f in JOIN::prepare (this=0x7fff7c014788, tables_init=0x7fff7c014028, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7fff7c005398, unit_arg=0x7fff7c004c00) at /home/psergey/dev-git/10.3-r3/sql/sql_select.cc:1167
 
  #9  0x0000555555ca2fa9 in mysql_select (thd=0x7fff7c000d50, tables=0x7fff7c014028, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748609, result=0x7fff7c014760, unit=0x7fff7c004c00, select_lex=0x7fff7c005398) at /home/psergey/dev-git/10.3-r3/sql/sql_select.cc:4346

Note that COLLATION() is important as its value is a constant regardless of whether its argument is a constant.

Because AVG('x') is removed from the select list, split_sum_func() is not called for it. And we have:

join->tmp_table_param.sum_func_count=0

Then, this if-branch is not taken in JOIN::prepare_stage2(): 

  if (tmp_table_param.sum_func_count && !group_list)
 
  {
 
    implicit_grouping= TRUE;
 
    // Result will contain zero or one row - ordering is meaningless
 
    order= NULL;
 
  }

We should have had implicit_grouping=TRUE.

Then, in JOIN::get_best_combination() we get aggr_tables=1.

Then, this branch in JOIN::optimize_stage2 is not taken:

  if (group || tmp_table_param.sum_func_count)
 
  {
 
    if (! hidden_group_fields && rollup.state == ROLLUP::STATE_NONE
 
        && !select_lex->have_window_funcs())
 
      select_distinct=0;
 
  }

We have select_distinct=true even if we should have had select_distinct=false.

Because of this, when we reach this code

  need_tmp= test_if_need_tmp_table();

we get need_tmp=true even if we should have gotten false.

Then, in JOIN::make_aggr_tables_info() we get into the "if (need_tmp)" branch
and into create_postjoin_aggr_table().

create_tmp_table() encounters an Item_func_eq representing "t1.a=0"
which however still has item->with_sum_func=true. It sets param->using_outer_summary_function:

	  /*
 
	    Mark that the we have ignored an item that refers to a summary
 
	    function. We need to know this if someone is going to use
 
	    DISTINCT on the result.
 
	  */
 
	  param->using_outer_summary_function=1;

which is then copied to join->tmp_table_param.using_outer_summary_function.

Then, we get into this branch:

    /*
 
      If we have different sort & group then we must sort the data by group
 
      and copy it to another tmp table
 
      This code is also used if we are using distinct something
 
      we haven't been able to store in the temporary table yet
 
      like SEC_TO_TIME(SUM(...)).
 
    */
 
    if ((group_list &&
 
         (!test_if_subpart(group_list, order) || select_distinct)) ||
 
        (select_distinct && tmp_table_param.using_outer_summary_function))
 
    {					/* Must copy to another table */
 
      DBUG_PRINT("info",("Creating group table"));

which causes a crash.

Comment by Sergei Petrunia [ 2022-08-03 ]

Filed MDEV-29237 about possible issues in the code in JOIN::get_best_combination().

Generated at Thu Feb 08 09:25:13 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.