[MDEV-25058] ASAN use-after-poison in cmp_data / cmp_dtuple_rec_with_match_low Created: 2021-03-04  Updated: 2023-11-28

Status: Stalled
Project: MariaDB Server
Component/s: Storage Engine - InnoDB
Affects Version/s: 10.5, 10.6, 10.7, 10.8, 10.9, 10.10, 10.11, 11.0
Fix Version/s: 10.5, 10.6, 10.11, 11.0

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Sergei Petrunia
Resolution: Unresolved Votes: 0
Labels: None


 Description   

Note: I couldn't get rid of versioning in the test case, but I'm not entirely sure it's necessary; perhaps after internal analysis a better test case can be created.

--source include/have_innodb.inc
 
# The secondary KEY(a) on the BINARY(16) column is the index read by the
# DISTINCT query below; the reporter could not drop WITH SYSTEM VERSIONING
# without losing the reproduction (see the note above).
CREATE TABLE t1 (id INT PRIMARY KEY, a BINARY(16) NOT NULL DEFAULT '', KEY(a)) ENGINE=InnoDB WITH SYSTEM VERSIONING;
INSERT INTO t1 (id) VALUES (1),(2);
# Under ASAN this SELECT reports a 16-byte use-after-poison read in cmp_data(),
# reached through QUICK_GROUP_MIN_MAX_SELECT (see the trace below); a non-ASAN
# build shows no visible symptom.
SELECT DISTINCT a, id FROM t1 WHERE a > 'foo' OR id = 10;
 
# Cleanup
DROP TABLE t1;

10.5 aa4f76be

==1096074==ERROR: AddressSanitizer: use-after-poison on address 0x6210000d5ed0 at pc 0x7f2506a40d00 bp 0x7f24f6f9c260 sp 0x7f24f6f9ba08
READ of size 16 at 0x6210000d5ed0 thread T13
    #0 0x7f2506a40cff  (/lib/x86_64-linux-gnu/libasan.so.5+0xdacff)
    #1 0x55849d9c0d03 in cmp_data(unsigned long, unsigned long, unsigned char const*, unsigned long, unsigned char const*, unsigned long) /data/src/10.5/storage/innobase/rem/rem0cmp.cc:322
    #2 0x55849d9bcc3d in cmp_dtuple_rec_with_match_low(dtuple_t const*, unsigned char const*, unsigned short const*, unsigned long, unsigned long*) /data/src/10.5/storage/innobase/rem/rem0cmp.cc:457
    #3 0x55849d941f37 in page_cur_search_with_match(buf_block_t const*, dict_index_t const*, dtuple_t const*, page_cur_mode_t, unsigned long*, unsigned long*, page_cur_t*, rtr_info*) /data/src/10.5/storage/innobase/page/page0cur.cc:452
    #4 0x55849dcadd03 in btr_cur_search_to_nth_level_func(dict_index_t*, unsigned long, dtuple_t const*, page_cur_mode_t, unsigned long, btr_cur_t*, rw_lock_t*, char const*, unsigned int, mtr_t*, unsigned long) /data/src/10.5/storage/innobase/btr/btr0cur.cc:1991
    #5 0x55849daf2859 in btr_pcur_open_with_no_init_func /data/src/10.5/storage/innobase/include/btr0pcur.ic:504
    #6 0x55849db0e5da in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /data/src/10.5/storage/innobase/row/row0sel.cc:4661
    #7 0x55849d6e3ecb in ha_innobase::index_read(unsigned char*, unsigned char const*, unsigned int, ha_rkey_function) /data/src/10.5/storage/innobase/handler/ha_innodb.cc:8774
    #8 0x55849cbe0396 in handler::index_read_map(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /data/src/10.5/sql/handler.h:3798
    #9 0x55849cbb0237 in handler::ha_index_read_map(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /data/src/10.5/sql/handler.cc:3124
    #10 0x55849cbcb1a5 in handler::read_range_first(st_key_range const*, st_key_range const*, bool, bool) /data/src/10.5/sql/handler.cc:6199
    #11 0x55849cfd65e8 in QUICK_RANGE_SELECT::get_next_prefix(unsigned int, unsigned int, unsigned char*) /data/src/10.5/sql/opt_range.cc:12699
    #12 0x55849cfe9c5e in QUICK_GROUP_MIN_MAX_SELECT::next_prefix() /data/src/10.5/sql/opt_range.cc:15530
    #13 0x55849cfe8363 in QUICK_GROUP_MIN_MAX_SELECT::get_next() /data/src/10.5/sql/opt_range.cc:15272
    #14 0x55849d00ad4b in rr_quick /data/src/10.5/sql/records.cc:403
    #15 0x55849c1da7dd in READ_RECORD::read_record() /data/src/10.5/sql/records.h:80
    #16 0x55849c4eb7b1 in join_init_read_record(st_join_table*) /data/src/10.5/sql/sql_select.cc:21632
    #17 0x55849c4e4a9a in sub_select(JOIN*, st_join_table*, bool) /data/src/10.5/sql/sql_select.cc:20684
    #18 0x55849c4e2d7d in do_select /data/src/10.5/sql/sql_select.cc:20221
    #19 0x55849c46f634 in JOIN::exec_inner() /data/src/10.5/sql/sql_select.cc:4467
    #20 0x55849c46cc1f in JOIN::exec() /data/src/10.5/sql/sql_select.cc:4247
    #21 0x55849c470ff3 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.5/sql/sql_select.cc:4720
    #22 0x55849c442831 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.5/sql/sql_select.cc:417
    #23 0x55849c3abf9f in execute_sqlcom_select /data/src/10.5/sql/sql_parse.cc:6282
    #24 0x55849c39ae9a in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:3978
    #25 0x55849c3b7299 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.5/sql/sql_parse.cc:8063
    #26 0x55849c38d492 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5/sql/sql_parse.cc:1889
    #27 0x55849c389dbb in do_command(THD*) /data/src/10.5/sql/sql_parse.cc:1370
    #28 0x55849c7cc657 in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1410
    #29 0x55849c7cbfbb in handle_one_connection /data/src/10.5/sql/sql_connect.cc:1312
    #30 0x55849d4dbb72 in pfs_spawn_thread /data/src/10.5/storage/perfschema/pfs.cc:2201
    #31 0x7f2506523608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
    #32 0x7f25060f7292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
 
0x6210000d5ed0 is located 464 bytes inside of 4196-byte region [0x6210000d5d00,0x6210000d6d64)
allocated by thread T13 here:
    #0 0x7f2506a73bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x55849e17e0f9 in sf_malloc /data/src/10.5/mysys/safemalloc.c:121
    #2 0x55849e14b20e in my_malloc /data/src/10.5/mysys/my_malloc.c:90
    #3 0x55849e126fc2 in alloc_root /data/src/10.5/mysys/my_alloc.c:244
    #4 0x55849cfe5ac8 in QUICK_GROUP_MIN_MAX_SELECT::init() /data/src/10.5/sql/opt_range.cc:14930
    #5 0x55849cfe4915 in TRP_GROUP_MIN_MAX::make_quick(PARAM*, bool, st_mem_root*) /data/src/10.5/sql/opt_range.cc:14771
    #6 0x55849cf940b0 in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool, bool) /data/src/10.5/sql/opt_range.cc:3054
    #7 0x55849c4716f9 in get_quick_record_count /data/src/10.5/sql/sql_select.cc:4764
    #8 0x55849c478650 in make_join_statistics /data/src/10.5/sql/sql_select.cc:5495
    #9 0x55849c457127 in JOIN::optimize_inner() /data/src/10.5/sql/sql_select.cc:2256
    #10 0x55849c450607 in JOIN::optimize() /data/src/10.5/sql/sql_select.cc:1628
    #11 0x55849c470dfe in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.5/sql/sql_select.cc:4706
    #12 0x55849c442831 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.5/sql/sql_select.cc:417
    #13 0x55849c3abf9f in execute_sqlcom_select /data/src/10.5/sql/sql_parse.cc:6282
    #14 0x55849c39ae9a in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:3978
    #15 0x55849c3b7299 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.5/sql/sql_parse.cc:8063
    #16 0x55849c38d492 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5/sql/sql_parse.cc:1889
    #17 0x55849c389dbb in do_command(THD*) /data/src/10.5/sql/sql_parse.cc:1370
    #18 0x55849c7cc657 in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1410
    #19 0x55849c7cbfbb in handle_one_connection /data/src/10.5/sql/sql_connect.cc:1312
    #20 0x55849d4dbb72 in pfs_spawn_thread /data/src/10.5/storage/perfschema/pfs.cc:2201
    #21 0x7f2506523608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
 
Thread T13 created by T0 here:
    #0 0x7f25069a0805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
    #1 0x55849d4d6b16 in my_thread_create /data/src/10.5/storage/perfschema/my_thread.h:38
    #2 0x55849d4dbf65 in pfs_spawn_thread_v1 /data/src/10.5/storage/perfschema/pfs.cc:2252
    #3 0x55849c07e432 in inline_mysql_thread_create /data/src/10.5/include/mysql/psi/mysql_thread.h:1323
    #4 0x55849c094222 in create_thread_to_handle_connection(CONNECT*) /data/src/10.5/sql/mysqld.cc:6012
    #5 0x55849c0948a1 in create_new_thread(CONNECT*) /data/src/10.5/sql/mysqld.cc:6071
    #6 0x55849c094bfe in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.5/sql/mysqld.cc:6136
    #7 0x55849c09581d in handle_connections_sockets() /data/src/10.5/sql/mysqld.cc:6263
    #8 0x55849c093a2f in mysqld_main(int, char**) /data/src/10.5/sql/mysqld.cc:5658
    #9 0x55849c07cefc in main /data/src/10.5/sql/main.cc:25
    #10 0x7f2505ffc0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
 
SUMMARY: AddressSanitizer: use-after-poison (/lib/x86_64-linux-gnu/libasan.so.5+0xdacff) 
Shadow bytes around the buggy address:
  0x0c4280012b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280012b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280012ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4280012bb0: 00 00 00 00 f7 00 00 05 f7 00 00 00 04 f7 07 f7
  0x0c4280012bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4280012bd0: f7 04 f7 00 00 00 00 00 f7 00[f7]00 f7 00 00 00
  0x0c4280012be0: 00 00 00 00 00 00 00 00 00 f7 f7 f7 f7 f7 f7 f7
  0x0c4280012bf0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4280012c00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4280012c10: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4280012c20: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1096074==ABORTING
210304 21:33:59 [ERROR] mysqld got signal 6 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
 
To report this bug, see https://mariadb.com/kb/en/reporting-bugs
 
We will try our best to scrape up some info that will hopefully help
diagnose the problem, but since we have already crashed, 
something is definitely wrong and this may fail.
 
Server version: 10.5.10-MariaDB-debug-log
key_buffer_size=1048576
read_buffer_size=131072
max_used_connections=1
max_threads=153
thread_count=1
It is possible that mysqld could use up to 
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 63744 K  bytes of memory
Hope that's ok; if not, decrease some variables in the equation.
 
Thread pointer: 0x62b00009a288
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0x7f24f6fa2950 thread_stack 0x5fc00
??:0(__interceptor_tcgetattr)[0x7f25069d2d30]
mysys/stacktrace.c:212(my_print_stacktrace)[0x55849e15b856]
sql/signal_handler.cc:212(handle_fatal_signal)[0x55849cb948cb]
sigaction.c:0(__restore_rt)[0x7f250652f3c0]
??:0(gsignal)[0x7f250601b18b]
??:0(abort)[0x7f2505ffa859]
??:0(__sanitizer_set_report_fd)[0x7f2506a916a2]
??:0(__sanitizer_get_module_and_offset_for_pc)[0x7f2506a9c24c]
??:0(__sanitizer_ptr_cmp)[0x7f2506a7d8ec]
??:0(__asan_on_error)[0x7f2506a7d363]
??:0(__sanitizer_weak_hook_memcmp)[0x7f2506a40d1f]
rem/rem0cmp.cc:322(cmp_data(unsigned long, unsigned long, unsigned char const*, unsigned long, unsigned char const*, unsigned long))[0x55849d9c0d04]
rem/rem0cmp.cc:457(cmp_dtuple_rec_with_match_low(dtuple_t const*, unsigned char const*, unsigned short const*, unsigned long, unsigned long*))[0x55849d9bcc3e]
page/page0cur.cc:452(page_cur_search_with_match(buf_block_t const*, dict_index_t const*, dtuple_t const*, page_cur_mode_t, unsigned long*, unsigned long*, page_cur_t*, rtr_info*))[0x55849d941f38]
btr/btr0cur.cc:1991(btr_cur_search_to_nth_level_func(dict_index_t*, unsigned long, dtuple_t const*, page_cur_mode_t, unsigned long, btr_cur_t*, rw_lock_t*, char const*, unsigned int, mtr_t*, unsigned long))[0x55849dcadd04]
include/btr0pcur.ic:504(btr_pcur_open_with_no_init_func(dict_index_t*, dtuple_t const*, page_cur_mode_t, unsigned long, btr_pcur_t*, rw_lock_t*, char const*, unsigned int, mtr_t*))[0x55849daf285a]
row/row0sel.cc:4661(row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long))[0x55849db0e5db]
handler/ha_innodb.cc:8774(ha_innobase::index_read(unsigned char*, unsigned char const*, unsigned int, ha_rkey_function))[0x55849d6e3ecc]
sql/handler.h:3799(handler::index_read_map(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function))[0x55849cbe0397]
sql/handler.cc:3124(handler::ha_index_read_map(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function))[0x55849cbb0238]
sql/handler.cc:6199(handler::read_range_first(st_key_range const*, st_key_range const*, bool, bool))[0x55849cbcb1a6]
sql/opt_range.cc:12699(QUICK_RANGE_SELECT::get_next_prefix(unsigned int, unsigned int, unsigned char*))[0x55849cfd65e9]
sql/opt_range.cc:15530(QUICK_GROUP_MIN_MAX_SELECT::next_prefix())[0x55849cfe9c5f]
sql/opt_range.cc:15272(QUICK_GROUP_MIN_MAX_SELECT::get_next())[0x55849cfe8364]
sql/records.cc:403(rr_quick(READ_RECORD*))[0x55849d00ad4c]
sql/records.h:80(READ_RECORD::read_record())[0x55849c1da7de]
sql/sql_select.cc:21632(join_init_read_record(st_join_table*))[0x55849c4eb7b2]
sql/sql_select.cc:20684(sub_select(JOIN*, st_join_table*, bool))[0x55849c4e4a9b]
sql/sql_select.cc:20221(do_select(JOIN*, Procedure*))[0x55849c4e2d7e]
sql/sql_select.cc:4467(JOIN::exec_inner())[0x55849c46f635]
sql/sql_select.cc:4248(JOIN::exec())[0x55849c46cc20]
sql/sql_select.cc:4722(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55849c470ff4]
sql/sql_select.cc:417(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55849c442832]
sql/sql_parse.cc:6282(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55849c3abfa0]
sql/sql_parse.cc:3978(mysql_execute_command(THD*))[0x55849c39ae9b]
sql/sql_parse.cc:8063(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55849c3b729a]
sql/sql_parse.cc:1892(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55849c38d493]
sql/sql_parse.cc:1370(do_command(THD*))[0x55849c389dbc]
sql/sql_connect.cc:1410(do_handle_one_connection(CONNECT*, bool))[0x55849c7cc658]
sql/sql_connect.cc:1314(handle_one_connection)[0x55849c7cbfbc]
perfschema/pfs.cc:2203(pfs_spawn_thread)[0x55849d4dbb73]
nptl/pthread_create.c:478(start_thread)[0x7f2506523609]
??:0(clone)[0x7f25060f7293]
 
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0x62b0000a12a8): SELECT DISTINCT a, id FROM t1 WHERE a > 'foo' OR id = 10
 
Connection ID (thread ID): 4
Status: NOT_KILLED
 
Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off
 
The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains
information that should help you find out what is causing the crash.
Writing a core file...
Working directory at /dev/shm/var_auto_7G2c/mysqld.1/data
Resource Limits:
Limit                     Soft Limit           Hard Limit           Units     
Max cpu time              unlimited            unlimited            seconds   
Max file size             unlimited            unlimited            bytes     
Max data size             unlimited            unlimited            bytes     
Max stack size            8388608              unlimited            bytes     
Max core file size        0                    0                    bytes     
Max resident set          unlimited            unlimited            bytes     
Max processes             385874               385874               processes 
Max open files            1024                 1024                 files     
Max locked memory         67108864             67108864             bytes     
Max address space         unlimited            unlimited            bytes     
Max file locks            unlimited            unlimited            locks     
Max pending signals       385874               385874               signals   
Max msgqueue size         819200               819200               bytes     
Max nice priority         0                    0                    
Max realtime priority     0                    0                    
Max realtime timeout      unlimited            unlimited            us        
Core pattern: |/usr/share/apport/apport %p %s %c %d %P %E

Reproducible on 10.5-10.6.
Couldn't reproduce on 10.4.
No obvious immediate problem on a non-ASAN build.



 Comments   
Comment by Marko Mäkelä [ 2021-03-05 ]

I checked this with rr record on ASAN and MSAN. On ASAN, it looked like the dtuple->fields[0].data had been set to something out-of-bounds here:

10.5 f6cb9e6e2dd0fb2e29a09030e74de7946139e1f4

#0  0x0000000001ff0a3a in dfield_set_data (field=0x6210000c0db0, 
    data=0x6210000c8258, len=16)
    at /mariadb/10.5m/storage/innobase/include/data0data.ic:93
#1  row_mysql_store_col_in_innobase_format (dfield=<optimized out>, 
    dfield@entry=0x6210000c0db0, 
    buf=0x6210000c0b68 '\276' <repeats 16 times>, " \342\005", 
    row_format_col=<optimized out>, row_format_col@entry=0, 
    mysql_data=<optimized out>, 
    mysql_data@entry=0x6210000c8258 "\177\377\377\377\017B?\377\276\276\276\276\276\276\276\276\177\377\377\377\017B?\377\276\276\276\276\276\276\276\276\001", col_len=16, comp=<optimized out>)
    at /mariadb/10.5m/storage/innobase/row/row0mysql.cc:559

So, I switched to an -O2 MSAN build:

10.5 f6cb9e6e2dd0fb2e29a09030e74de7946139e1f4

Version: '10.5.10-MariaDB-debug-log'  socket: '/dev/shm/10.5msan/mysql-test/var/tmp/mysqld.1.sock'  port: 16000  Source distribution
Uninitialized bytes in __msan_check_mem_is_initialized at offset 8 inside [0x7040000180f0, 16)
==1409502==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x559c0a6b8afb in dtuple_validate(dtuple_t const*) /mariadb/10.5m/storage/innobase/data/data0data.cc:244:4
    #1 0x559c09ea8bc3 in page_cur_search_with_match(buf_block_t const*, dict_index_t const*, dtuple_t const*, page_cur_mode_t, unsigned long*, unsigned long*, page_cur_t*, rtr_info*) /mariadb/10.5m/storage/innobase/page/page0cur.cc:306:2
    #2 0x559c0a4fb4db in btr_cur_search_to_nth_level_func(dict_index_t*, unsigned long, dtuple_t const*, page_cur_mode_t, unsigned long, btr_cur_t*, rw_lock_t*, char const*, unsigned int, mtr_t*, unsigned long) /mariadb/10.5m/storage/innobase/btr/btr0cur.cc:1991:3
    #3 0x559c0a22f080 in btr_pcur_open_with_no_init_func(dict_index_t*, dtuple_t const*, page_cur_mode_t, unsigned long, btr_pcur_t*, rw_lock_t*, char const*, unsigned int, mtr_t*) /mariadb/10.5m/storage/innobase/include/btr0pcur.ic:504:8
    #4 0x559c0a22f080 in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /mariadb/10.5m/storage/innobase/row/row0sel.cc:4661:9
    #5 0x559c09b4f9b5 in ha_innobase::index_read(unsigned char*, unsigned char const*, unsigned int, ha_rkey_function) /mariadb/10.5m/storage/innobase/handler/ha_innodb.cc:8764:5
    #6 0x559c08b156d6 in handler::ha_index_read_map(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /mariadb/10.5m/sql/handler.cc:3124:3
    #7 0x559c08b3e06c in handler::read_range_first(st_key_range const*, st_key_range const*, bool, bool) /mariadb/10.5m/sql/handler.cc:6199:13
    #8 0x559c091a4e6b in QUICK_RANGE_SELECT::get_next_prefix(unsigned int, unsigned int, unsigned char*) /mariadb/10.5m/sql/opt_range.cc:12699:19
    #9 0x559c091b40ce in QUICK_GROUP_MIN_MAX_SELECT::next_prefix() /mariadb/10.5m/sql/opt_range.cc:15530:39
    #10 0x559c091b2a43 in QUICK_GROUP_MIN_MAX_SELECT::get_next() /mariadb/10.5m/sql/opt_range.cc:15272:13
    #11 0x559c091f99a0 in rr_quick(READ_RECORD*) /mariadb/10.5m/sql/records.cc:403:37
    #12 0x559c0809cc52 in READ_RECORD::read_record() /mariadb/10.5m/sql/records.h:80:30
    #13 0x559c0809cc52 in join_init_read_record(st_join_table*) /mariadb/10.5m/sql/sql_select.cc:21725:27
    #14 0x559c08127948 in sub_select(JOIN*, st_join_table*, bool) /mariadb/10.5m/sql/sql_select.cc:20777:12
    #15 0x559c080a69f2 in do_select(JOIN*, Procedure*) /mariadb/10.5m/sql/sql_select.cc:20314:14
    #16 0x559c080a69f2 in JOIN::exec_inner() /mariadb/10.5m/sql/sql_select.cc:4467:50
    #17 0x559c080a2b05 in JOIN::exec() /mariadb/10.5m/sql/sql_select.cc:4247:3
    #18 0x559c08013deb in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /mariadb/10.5m/sql/sql_select.cc:4723:9
    #19 0x559c080129dc in handle_select(THD*, LEX*, select_result*, unsigned long) /mariadb/10.5m/sql/sql_select.cc:417:10
  Uninitialized value was created by a heap deallocation
    #0 0x559c07a22449 in free (/dev/shm/10.5msan/sql/mariadbd+0x717449)
    #1 0x559c0ac8becb in free_root /mariadb/10.5m/mysys/my_alloc.c:410:7

I was able to extract a better stack trace of the deallocation in rr replay by setting a watchpoint on the MSAN shadow byte which I found by single-stepping __msan_check_mem_is_initialized():

10.5 f6cb9e6e2dd0fb2e29a09030e74de7946139e1f4

#1  0x0000559c07a1e48a in __msan::MsanDeallocate(__sanitizer::StackTrace*, void*) ()
#2  0x0000559c07a224a5 in free ()
#3  0x0000559c0acb915f in my_free (ptr=<optimized out>) at /mariadb/10.5m/mysys/my_malloc.c:211
#4  0x0000559c0ac8becc in free_root (root=0x72b000060df0, MyFlags=<optimized out>) at /mariadb/10.5m/mysys/my_alloc.c:410
#5  0x0000559c07f11a6e in dispatch_command (command=<optimized out>, thd=<optimized out>, thd@entry=0x72b00005b018, packet=<optimized out>, packet@entry=0x72900008c019 "", packet_length=<optimized out>, 
    is_com_multi=<optimized out>, is_next_command=<optimized out>) at /mariadb/10.5m/sql/sql_parse.cc:2514
#6  0x0000559c07f1c287 in do_command (thd=<optimized out>) at /mariadb/10.5m/sql/sql_parse.cc:1370
#7  0x0000559c084cda9f in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /mariadb/10.5m/sql/sql_connect.cc:1410
#8  0x0000559c084cd295 in handle_one_connection (arg=0x2040000180c0) at /mariadb/10.5m/sql/sql_connect.cc:1312
#9  0x0000559c098600b6 in pfs_spawn_thread (arg=0x714000003c18) at /mariadb/10.5m/storage/perfschema/pfs.cc:2201
#10 0x00007fd974aceea7 in start_thread (arg=<optimized out>) at pthread_create.c:477
#11 0x00007fd97459fdef in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

I am not familiar with the code outside InnoDB, but it would appear that the memory for the search key is being freed prematurely.

Comment by Aleksey Midenkov [ 2021-12-28 ]

Bootstrap fails for me with MSAN:

10.5 d62cbd586e1

==586779==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x3d12266 in process_str_arg /home/midenok/src/mariadb/10.5/build/../src/strings/my_vsnprintf.c:259:17
    #1 0x3d0d377 in my_vsnprintf_ex /home/midenok/src/mariadb/10.5/build/../src/strings/my_vsnprintf.c:696:11
    #2 0x1dec62f in vprint_msg_to_log(loglevel, char const*, __va_list_tag*) /home/midenok/src/mariadb/10.5/build/../src/sql/log.cc:9141:11
    #3 0x1dec36b in Log_to_file_event_handler::log_error(loglevel, char const*, __va_list_tag*) /home/midenok/src/mariadb/10.5/build/../src/sql/log.cc:1054:10
    #4 0x1de578c in LOGGER::error_log_print(loglevel, char const*, __va_list_tag*) /home/midenok/src/mariadb/10.5/build/../src/sql/log.cc:1165:34
    #5 0x1de578c in error_log_print(loglevel, char const*, __va_list_tag*) /home/midenok/src/mariadb/10.5/build/../src/sql/log.cc:6803
    #6 0x1de578c in sql_print_information_v(char const*, __va_list_tag*) /home/midenok/src/mariadb/10.5/build/../src/sql/log.cc:9196
    #7 0x1de578c in sql_print_information(char const*, ...) /home/midenok/src/mariadb/10.5/build/../src/sql/log.cc:9185
    #8 0x3262c8c in ib::info::~info() /home/midenok/src/mariadb/10.5/build/../src/storage/innobase/ut/ut0ut.cc:546:2
    #9 0x3716243 in SysTablespace::file_not_found(Datafile&, bool*) /home/midenok/src/mariadb/10.5/build/../src/storage/innobase/fsp/fsp0sysspace.cc
    #10 0x3717b17 in SysTablespace::check_file_spec(bool*, unsigned long) /home/midenok/src/mariadb/10.5/build/../src/storage/innobase/fsp/fsp0sysspace.cc:798:10
    #11 0x28f875a in innodb_init(void*) /home/midenok/src/mariadb/10.5/build/../src/storage/innobase/handler/ha_innodb.cc:4016:30
    #12 0x18dd780 in ha_initialize_handlerton(st_plugin_int*) /home/midenok/src/mariadb/10.5/build/../src/sql/handler.cc:645:31
    #13 0xc70fdf in plugin_initialize(st_mem_root*, st_plugin_int*, int*, char**, bool) /home/midenok/src/mariadb/10.5/build/../src/sql/sql_plugin.cc:1459:9
    #14 0xc6b536 in plugin_init(int*, char**, int) /home/midenok/src/mariadb/10.5/build/../src/sql/sql_plugin.cc:1751:15
    #15 0x74b116 in init_server_components() /home/midenok/src/mariadb/10.5/build/../src/sql/mysqld.cc:4889:7
    #16 0x74b116 in mysqld_main(int, char**) /home/midenok/src/mariadb/10.5/build/../src/sql/mysqld.cc:5481

Comment by Aleksey Midenkov [ 2022-01-05 ]

1. min_key was allocated with size 8:

#0  0x0000000000ec7c83 in QUICK_RANGE::QUICK_RANGE (this=0x7f7b9c94a2b0, thd=0x7f7b9c000d48, min_key_arg=0x7f7b9c944270 "\177\377\377\377\017B?\377\017B?", min_length_arg=7, min_keypart_map_arg=7, max_key_arg=0x7f7b9c944050 "\177\377\377\377\017B?\377\017B?", max_length_arg=7, max_keypart_map_arg=7, flag_arg=32) at /home/midenok/src/mariadb/10.5/src/sql/opt_range.h:769
#1  0x0000000000eb32b8 in get_quick_keys (param=0x7f7c0c068718, quick=0x7f7b9c94a030, key=0x7f7b9c014d20, key_tree=0x7f7b9c948600, min_key=0x7f7b9c944270 "\177\377\377\377\017B?\377\017B?", min_key_flag=0, max_key=0x7f7b9c944050 "\177\377\377\377\017B?\377\017B?", max_key_flag=0) at /home/midenok/src/mariadb/10.5/src/sql/opt_range.cc:11873
#2  0x0000000000ea982f in get_quick_select (param=0x7f7c0c068718, idx=1, key_tree=0x7f7b9c948600, mrr_flags=64, mrr_buf_size=0, parent_alloc=0x7f7b9c949f50) at /home/midenok/src/mariadb/10.5/src/sql/opt_range.cc:11751
#3  0x0000000000eb89c4 in TRP_GROUP_MIN_MAX::make_quick (this=0x7f7b9c949180, param=0x7f7c0c068718, retrieve_full_rows=true, parent_alloc=0x0) at /home/midenok/src/mariadb/10.5/src/sql/opt_range.cc:14827
#4  0x0000000000e9d08e in SQL_SELECT::test_quick_select (this=0x7f7b9c9478c0, thd=0x7f7b9c000d48, keys_to_use=..., prev_tables=0, limit=18446744073709551615, force_quick_range=false, ordered_output=false, remove_false_parts_of_where=true, only_single_index_range_scan=false) at /home/midenok/src/mariadb/10.5/src/sql/opt_range.cc:3055
#5  0x0000000000997365 in get_quick_record_count (thd=0x7f7b9c000d48, select=0x7f7b9c9478c0, table=0x7f7b9c018438, keys=0x7f7b9c946748, limit=18446744073709551615) at /home/midenok/src/mariadb/10.5/src/sql/sql_select.cc:4817
#6  0x000000000094edbc in make_join_statistics (join=0x7f7b9c944fa0, tables_list=..., keyuse_array=0x7f7b9c9452c0) at /home/midenok/src/mariadb/10.5/src/sql/sql_select.cc:5544
#7  0x000000000094936d in JOIN::optimize_inner (this=0x7f7b9c944fa0) at /home/midenok/src/mariadb/10.5/src/sql/sql_select.cc:2296
#8  0x0000000000943aa1 in JOIN::optimize (this=0x7f7b9c944fa0) at /home/midenok/src/mariadb/10.5/src/sql/sql_select.cc:1668
#9  0x000000000093ae2d in mysql_select (thd=0x7f7b9c000d48, tables=0x7f7b9c0139d0, fields=..., conds=0x7f7b9c014650, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748609, result=0x7f7b9c01f460, unit=0x7f7b9c004ee8, select_lex=0x7f7b9c01c960) at /home/midenok/src/mariadb/10.5/src/sql/sql_select.cc:4759
#10 0x000000000093a6cd in handle_select (thd=0x7f7b9c000d48, lex=0x7f7b9c004e20, result=0x7f7b9c01f460, setup_tables_done_option=0) at /home/midenok/src/mariadb/10.5/src/sql/sql_select.cc:444
#11 0x00000000008f543a in execute_sqlcom_select (thd=0x7f7b9c000d48, all_tables=0x7f7b9c0139d0) at /home/midenok/src/mariadb/10.5/src/sql/sql_parse.cc:6314
#12 0x00000000008eb018 in mysql_execute_command (thd=0x7f7b9c000d48) at /home/midenok/src/mariadb/10.5/src/sql/sql_parse.cc:4005
#13 0x00000000008e3bbc in mysql_parse (thd=0x7f7b9c000d48, rawbuf=0x7f7b9c01a350 "SELECT DISTINCT a, id FROM t1 WHERE a > 'foo' OR id = 10", length=56, parser_state=0x7f7c0c06c4f0, is_com_multi=false, is_next_command=false) at /home/midenok/src/mariadb/10.5/src/sql/sql_parse.cc:8100

764       QUICK_RANGE(THD *thd, const uchar *min_key_arg, uint min_length_arg,
765                   key_part_map min_keypart_map_arg,
766                   const uchar *max_key_arg, uint max_length_arg,
767                   key_part_map max_keypart_map_arg,
768                   uint flag_arg)
769         : min_key((uchar*) thd->memdup(min_key_arg, min_length_arg + 1)),
770           max_key((uchar*) thd->memdup(max_key_arg, max_length_arg + 1)),
771           min_length((uint16) min_length_arg),
772           max_length((uint16) max_length_arg),
773           flag((uint16) flag_arg),
774           min_keypart_map(min_keypart_map_arg),
775           max_keypart_map(max_keypart_map_arg)
776         {
777     #ifdef HAVE_valgrind
778           dummy=0;

2. the key length is calculated as 20:

3838      virtual int index_read_map(uchar * buf, const uchar * key,
3839                                 key_part_map keypart_map,
3840                                 enum ha_rkey_function find_flag)
3841      {
3842        uint key_len= calculate_key_len(table, active_index, key, keypart_map);
3843        return index_read(buf, key, key_len, find_flag);
3844      }

3. index_read is called with the min_key buffer, but with length 20:

#0  ha_innobase::index_read (this=0x7f7b9c0226b0, buf=0x7f7b9c013920 "\377", key_ptr=0x7f7b9c94a320 "\177\377\377\377\017B?\377E", key_len=20, find_flag=HA_READ_KEY_EXACT) at /home/midenok/src/mariadb/10.5/src/storage/innobase/handler/ha_innodb.cc:8762
#1  0x0000000000cd86be in handler::index_read_map (this=0x7f7b9c0226b0, buf=0x7f7b9c013920 "\377", key=0x7f7b9c94a320 "\177\377\377\377\017B?\377E", keypart_map=3, find_flag=HA_READ_KEY_EXACT) at ../src/sql/handler.h:3843
#2  0x0000000000cc2524 in handler::ha_index_read_map (this=0x7f7b9c0226b0, buf=0x7f7b9c013920 "\377", key=0x7f7b9c94a320 "\177\377\377\377\017B?\377E", keypart_map=3, find_flag=HA_READ_KEY_EXACT) at ../src/sql/handler.cc:3137
#3  0x0000000000cce368 in handler::read_range_first (this=0x7f7b9c0226b0, start_key=0x7f7c0c069578, end_key=0x7f7c0c069558, eq_range_arg=true, sorted=true) at ../src/sql/handler.cc:6240
#4  0x0000000000eb6478 in QUICK_RANGE_SELECT::get_next_prefix (this=0x7f7b9c94a030, prefix_length=20, group_key_parts=2, cur_prefix=0x0) at /home/midenok/src/mariadb/10.5/src/sql/opt_range.cc:12742
#5  0x0000000000eba38e in QUICK_GROUP_MIN_MAX_SELECT::next_prefix (this=0x7f7b9c949e50) at /home/midenok/src/mariadb/10.5/src/sql/opt_range.cc:15573
#6  0x0000000000eb9e8e in QUICK_GROUP_MIN_MAX_SELECT::get_next (this=0x7f7b9c949e50) at /home/midenok/src/mariadb/10.5/src/sql/opt_range.cc:15315
#7  0x0000000000ed28f1 in rr_quick (info=0x7f7b9c949248) at /home/midenok/src/mariadb/10.5/src/sql/records.cc:403
#8  0x00000000008164ab in READ_RECORD::read_record (this=0x7f7b9c949248) at /home/midenok/src/mariadb/10.5/src/sql/records.h:80
#9  0x00000000009616f7 in join_init_read_record (tab=0x7f7b9c949180) at /home/midenok/src/mariadb/10.5/src/sql/sql_select.cc:21845
#10 0x00000000009862a5 in sub_select (join=0x7f7b9c944fa0, join_tab=0x7f7b9c949180, end_of_records=false) at /home/midenok/src/mariadb/10.5/src/sql/sql_select.cc:20877
#11 0x0000000000965b56 in do_select (join=0x7f7b9c944fa0, procedure=0x0) at /home/midenok/src/mariadb/10.5/src/sql/sql_select.cc:20414
#12 0x00000000009647cb in JOIN::exec_inner (this=0x7f7b9c944fa0) at /home/midenok/src/mariadb/10.5/src/sql/sql_select.cc:4516
#13 0x0000000000963595 in JOIN::exec (this=0x7f7b9c944fa0) at /home/midenok/src/mariadb/10.5/src/sql/sql_select.cc:4296
#14 0x000000000093af18 in mysql_select (thd=0x7f7b9c000d48, tables=0x7f7b9c0139d0, fields=..., conds=0x7f7b9c014650, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748609, result=0x7f7b9c01f460, unit=0x7f7b9c004ee8, select_lex=0x7f7b9c01c960) at /home/midenok/src/mariadb/10.5/src/sql/sql_select.cc:4773
#15 0x000000000093a6cd in handle_select (thd=0x7f7b9c000d48, lex=0x7f7b9c004e20, result=0x7f7b9c01f460, setup_tables_done_option=0) at /home/midenok/src/mariadb/10.5/src/sql/sql_select.cc:444
#16 0x00000000008f543a in execute_sqlcom_select (thd=0x7f7b9c000d48, all_tables=0x7f7b9c0139d0) at /home/midenok/src/mariadb/10.5/src/sql/sql_parse.cc:6314
#17 0x00000000008eb018 in mysql_execute_command (thd=0x7f7b9c000d48) at /home/midenok/src/mariadb/10.5/src/sql/sql_parse.cc:4005
#18 0x00000000008e3bbc in mysql_parse (thd=0x7f7b9c000d48, rawbuf=0x7f7b9c01a350 "SELECT DISTINCT a, id FROM t1 WHERE a > 'foo' OR id = 10", length=56, parser_state=0x7f7c0c06c4f0, is_com_multi=false, is_next_command=false) at /home/midenok/src/mariadb/10.5/src/sql/sql_parse.cc:8100

Comment by Alice Sherepa [ 2023-03-30 ]

Also reproducible on 11.0:

11.0 b844a376ec1fb6ef0f981a07

=================================================================
==68909==ERROR: AddressSanitizer: use-after-poison on address 0x6210006542d9 at pc 0x563a59621f87 bp 0x7f370adfee20 sp 0x7f370adfee18
READ of size 1 at 0x6210006542d9 thread T37
    #0 0x563a59621f86 in mach_double_read /11.0/storage/innobase/include/mach0data.inl:569
    #1 0x563a59623f9d in cmp_data(unsigned long, unsigned long, bool, unsigned char const*, unsigned long, unsigned char const*, unsigned long) /11.0/storage/innobase/rem/rem0cmp.cc:231
    #2 0x563a59625322 in cmp_dtuple_rec_with_match_low(dtuple_t const*, unsigned char const*, dict_index_t const*, unsigned short const*, unsigned long, unsigned long*) /11.0/storage/innobase/rem/rem0cmp.cc:404
    #3 0x563a595b0798 in page_cur_search_with_match(dtuple_t const*, page_cur_mode_t, unsigned long*, unsigned long*, page_cur_t*, rtr_info*) /11.0/storage/innobase/page/page0cur.cc:407
    #4 0x563a598be5ac in btr_cur_t::search_leaf(dtuple_t const*, page_cur_mode_t, btr_latch_mode, mtr_t*) /11.0/storage/innobase/btr/btr0cur.cc:1252
    #5 0x563a596a526b in btr_pcur_open_with_no_init(dtuple_t const*, page_cur_mode_t, btr_latch_mode, btr_pcur_t*, mtr_t*) /11.0/storage/innobase/include/btr0pcur.inl:322
    #6 0x563a597680dc in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /11.0/storage/innobase/row/row0sel.cc:4795
    #7 0x563a59356419 in ha_innobase::index_read(unsigned char*, unsigned char const*, unsigned int, ha_rkey_function) /11.0/storage/innobase/handler/ha_innodb.cc:8963
    #8 0x563a587546b8 in handler::index_read_map(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /11.0/sql/handler.h:4065
    #9 0x563a58910163 in handler::ha_index_read_map(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /11.0/sql/handler.cc:3648
    #10 0x563a5892b5d7 in handler::read_range_first(st_key_range const*, st_key_range const*, bool, bool) /11.0/sql/handler.cc:6805
    #11 0x563a57cf0dc5 in QUICK_RANGE_SELECT::get_next_prefix(unsigned int, unsigned int, unsigned char*) /11.0/sql/opt_range.cc:13177
    #12 0x563a57d04016 in QUICK_GROUP_MIN_MAX_SELECT::next_prefix() /11.0/sql/opt_range.cc:16112
    #13 0x563a57d02823 in QUICK_GROUP_MIN_MAX_SELECT::get_next() /11.0/sql/opt_range.cc:15854
    #14 0x563a57d4a744 in rr_quick /11.0/sql/records.cc:403
    #15 0x563a57d18003 in READ_RECORD::read_record() /11.0/sql/records.h:81
    #16 0x563a581bcd8a in join_init_read_record(st_join_table*) /11.0/sql/sql_select.cc:24060
    #17 0x563a581b59fb in sub_select(JOIN*, st_join_table*, bool) /11.0/sql/sql_select.cc:23033
    #18 0x563a581b39cd in do_select /11.0/sql/sql_select.cc:22568
    #19 0x563a5813617a in JOIN::exec_inner() /11.0/sql/sql_select.cc:4895
    #20 0x563a5813356d in JOIN::exec() /11.0/sql/sql_select.cc:4672
    #21 0x563a58137b03 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /11.0/sql/sql_select.cc:5153
    #22 0x563a58107dda in handle_select(THD*, LEX*, select_result*, unsigned long long) /11.0/sql/sql_select.cc:611
    #23 0x563a5802fcb7 in execute_sqlcom_select /11.0/sql/sql_parse.cc:6267
    #24 0x563a5801e4e2 in mysql_execute_command(THD*, bool) /11.0/sql/sql_parse.cc:3949
    #25 0x563a5803a552 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /11.0/sql/sql_parse.cc:7999
    #26 0x563a58010e40 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /11.0/sql/sql_parse.cc:1894
    #27 0x563a5800db49 in do_command(THD*, bool) /11.0/sql/sql_parse.cc:1407
    #28 0x563a584c3a2d in do_handle_one_connection(CONNECT*, bool) /11.0/sql/sql_connect.cc:1416
    #29 0x563a584c3383 in handle_one_connection /11.0/sql/sql_connect.cc:1318
    #30 0x563a59150aa6 in pfs_spawn_thread /11.0/storage/perfschema/pfs.cc:2201
    #31 0x7f373b257fa2 in start_thread /build/glibc-6iIyft/glibc-2.28/nptl/pthread_create.c:486
    #32 0x7f373ae6106e in clone (/lib/x86_64-linux-gnu/libc.so.6+0xf906e)
 
0x6210006542d9 is located 473 bytes inside of 4228-byte region [0x621000654100,0x621000655184)
allocated by thread T37 here:
    #0 0x7f373b76c330 in __interceptor_malloc (/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x563a59d5c2fd in sf_malloc /11.0/mysys/safemalloc.c:126
    #2 0x563a59d2acf8 in my_malloc /11.0/mysys/my_malloc.c:91
    #3 0x563a59d064a1 in root_alloc /11.0/mysys/my_alloc.c:71
    #4 0x563a59d07c60 in alloc_root /11.0/mysys/my_alloc.c:337
    #5 0x563a57d00048 in QUICK_GROUP_MIN_MAX_SELECT::init() /11.0/sql/opt_range.cc:15512
    #6 0x563a57cfeea8 in TRP_GROUP_MIN_MAX::make_quick(PARAM*, bool, st_mem_root*) /11.0/sql/opt_range.cc:15353
    #7 0x563a57cad2e6 in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool, bool) /11.0/sql/opt_range.cc:3129
    #8 0x563a58138186 in get_quick_record_count /11.0/sql/sql_select.cc:5197
    #9 0x563a5813f547 in make_join_statistics /11.0/sql/sql_select.cc:5954
    #10 0x563a5811cf92 in JOIN::optimize_inner() /11.0/sql/sql_select.cc:2572
    #11 0x563a58116054 in JOIN::optimize() /11.0/sql/sql_select.cc:1900
    #12 0x563a58137912 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /11.0/sql/sql_select.cc:5139
    #13 0x563a58107dda in handle_select(THD*, LEX*, select_result*, unsigned long long) /11.0/sql/sql_select.cc:611
    #14 0x563a5802fcb7 in execute_sqlcom_select /11.0/sql/sql_parse.cc:6267
    #15 0x563a5801e4e2 in mysql_execute_command(THD*, bool) /11.0/sql/sql_parse.cc:3949
    #16 0x563a5803a552 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /11.0/sql/sql_parse.cc:7999
    #17 0x563a58010e40 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /11.0/sql/sql_parse.cc:1894
    #18 0x563a5800db49 in do_command(THD*, bool) /11.0/sql/sql_parse.cc:1407
    #19 0x563a584c3a2d in do_handle_one_connection(CONNECT*, bool) /11.0/sql/sql_connect.cc:1416
    #20 0x563a584c3383 in handle_one_connection /11.0/sql/sql_connect.cc:1318
    #21 0x563a59150aa6 in pfs_spawn_thread /11.0/storage/perfschema/pfs.cc:2201
    #22 0x7f373b257fa2 in start_thread /build/glibc-6iIyft/glibc-2.28/nptl/pthread_create.c:486
 
Thread T37 created by T0 here:
    #0 0x7f373b6d3db0 in __interceptor_pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
    #1 0x563a5914c5c6 in my_thread_create /11.0/storage/perfschema/my_thread.h:52
    #2 0x563a59150e95 in pfs_spawn_thread_v1 /11.0/storage/perfschema/pfs.cc:2252
    #3 0x563a57c5a782 in inline_mysql_thread_create /11.0/include/mysql/psi/mysql_thread.h:1139
    #4 0x563a57c726b6 in create_thread_to_handle_connection(CONNECT*) /11.0/sql/mysqld.cc:6126
    #5 0x563a57c72d38 in create_new_thread(CONNECT*) /11.0/sql/mysqld.cc:6188
    #6 0x563a57c730aa in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /11.0/sql/mysqld.cc:6250
    #7 0x563a57c73aca in handle_connections_sockets() /11.0/sql/mysqld.cc:6374
    #8 0x563a57c71f1d in mysqld_main(int, char**) /11.0/sql/mysqld.cc:6021
    #9 0x563a57c597d4 in main /11.0/sql/main.cc:34
    #10 0x7f373ad8c09a in __libc_start_main ../csu/libc-start.c:308
 
SUMMARY: AddressSanitizer: use-after-poison /11.0/storage/innobase/include/mach0data.inl:569 in mach_double_read
Shadow bytes around the buggy address:
  0x0c42800c2800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c42800c2810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c42800c2820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c42800c2830: 00 00 00 00 f7 00 00 00 00 02 f7 00 00 00 00 02
  0x0c42800c2840: f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c42800c2850: 00 f7 04 f7 00 00 00 00 00 f7 00[01]f7 00 01 f7
  0x0c42800c2860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c42800c2870: 00 00 00 00 00 00 00 00 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c42800c2880: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c42800c2890: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c42800c28a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==68909==ABORTING
SHUTDOWN_1680176860

Comment by Alice Sherepa [ 2023-05-03 ]

Reproducible without system versioning as well:

--source include/have_innodb.inc

# Reproducer without SYSTEM VERSIONING: a composite primary key plus several
# overlapping secondary keys; the ASan trace below shows the query being served
# through QUICK_GROUP_MIN_MAX_SELECT, so the index layout appears to matter.
CREATE TABLE t1 (
  c int,
  id int,
  b varbinary(30),
  d decimal,
  a binary(44),
  PRIMARY KEY (d, a, c),
  KEY (id, c),
  KEY (id, b, a),
  KEY (d, c),
  KEY (c, b)
) ENGINE=InnoDB;

# Column list spelled out so the row layout is unambiguous.
INSERT INTO t1 (c, id, b, d, a) VALUES
  (3,   NULL, '',  0.8, 'p'),
  (2,   NULL, 's', 0.9, 'x'),
  (184, 0,    'q', 0.8, 'j');

# The use-after-poison reported below fires inside the index search for this SELECT.
SELECT DISTINCT *
FROM t1
WHERE (c IN (1,2,3) OR id IN (1,2,3))
  AND a = 'O'
  AND (id < 7 OR c > 3);

# Cleanup
DROP TABLE t1;

Version: '10.5.20-MariaDB-debug-log'  socket: '/home/alice/am/_depot/m-branch/m5-10.5-bld/mysql-test/var/tmp/mysqld.1.sock'  port: 16000  Source distribution
=================================================================
==254461==ERROR: AddressSanitizer: use-after-poison on address 0x6210000daf6d at pc 0x7feed2c16d10 bp 0x7feebce65690 sp 0x7feebce64e38
READ of size 44 at 0x6210000daf6d thread T25
    #0 0x7feed2c16d0f in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:825
    #1 0x561bc41c6b15 in cmp_data /10.5/src/storage/innobase/rem/rem0cmp.cc:307
    #2 0x561bc41c74dc in cmp_dtuple_rec_with_match_low(dtuple_t const*, unsigned char const*, unsigned short const*, unsigned long, unsigned long*) /10.5/src/storage/innobase/rem/rem0cmp.cc:412
    #3 0x561bc414bdf4 in page_cur_search_with_match(buf_block_t const*, dict_index_t const*, dtuple_t const*, page_cur_mode_t, unsigned long*, unsigned long*, page_cur_t*, rtr_info*) /10.5/src/storage/innobase/page/page0cur.cc:454
    #4 0x561bc44c1e6b in btr_cur_search_to_nth_level(dict_index_t*, unsigned long, dtuple_t const*, page_cur_mode_t, unsigned long, btr_cur_t*, char const*, unsigned int, mtr_t*, unsigned long) /10.5/src/storage/innobase/btr/btr0cur.cc:1983
    #5 0x561bc4309573 in btr_pcur_open_with_no_init_func /10.5/src/storage/innobase/include/btr0pcur.inl:495
    #6 0x561bc4325df0 in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /10.5/src/storage/innobase/row/row0sel.cc:4711
    #7 0x561bc3ee8354 in ha_innobase::index_read(unsigned char*, unsigned char const*, unsigned int, ha_rkey_function) /10.5/src/storage/innobase/handler/ha_innodb.cc:8885
    #8 0x561bc347efca in handler::index_read_map(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /10.5/src/sql/handler.h:3785
    #9 0x561bc344de1b in handler::ha_index_read_map(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /10.5/src/sql/handler.cc:3167
    #10 0x561bc3469385 in handler::read_range_first(st_key_range const*, st_key_range const*, bool, bool) /10.5/src/sql/handler.cc:6277
    #11 0x561bc387d5e0 in QUICK_RANGE_SELECT::get_next_prefix(unsigned int, unsigned int, unsigned char*) /10.5/src/sql/opt_range.cc:12761
    #12 0x561bc3890ca2 in QUICK_GROUP_MIN_MAX_SELECT::next_prefix() /10.5/src/sql/opt_range.cc:15603
    #13 0x561bc388f3a7 in QUICK_GROUP_MIN_MAX_SELECT::get_next() /10.5/src/sql/opt_range.cc:15345
    #14 0x561bc38b274b in rr_quick /10.5/src/sql/records.cc:403
    #15 0x561bc2a3f80b in READ_RECORD::read_record() /10.5/src/sql/records.h:80
    #16 0x561bc2d5f08b in join_init_read_record(st_join_table*) /10.5/src/sql/sql_select.cc:22084
    #17 0x561bc2d581ad in sub_select(JOIN*, st_join_table*, bool) /10.5/src/sql/sql_select.cc:21117
    #18 0x561bc2d56225 in do_select /10.5/src/sql/sql_select.cc:20650
    #19 0x561bc2ce0bd5 in JOIN::exec_inner() /10.5/src/sql/sql_select.cc:4587
    #20 0x561bc2cde1df in JOIN::exec() /10.5/src/sql/sql_select.cc:4367
    #21 0x561bc2ce2624 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.5/src/sql/sql_select.cc:4844
    #22 0x561bc2cb32b8 in handle_select(THD*, LEX*, select_result*, unsigned long) /10.5/src/sql/sql_select.cc:450
    #23 0x561bc2c19062 in execute_sqlcom_select /10.5/src/sql/sql_parse.cc:6331
    #24 0x561bc2c07dd5 in mysql_execute_command(THD*) /10.5/src/sql/sql_parse.cc:4008
    #25 0x561bc2c2435c in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.5/src/sql/sql_parse.cc:8106
    #26 0x561bc2bf9fb1 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.5/src/sql/sql_parse.cc:1891
    #27 0x561bc2bf6923 in do_command(THD*) /10.5/src/sql/sql_parse.cc:1375
    #28 0x561bc30532b6 in do_handle_one_connection(CONNECT*, bool) /10.5/src/sql/sql_connect.cc:1416
    #29 0x561bc3052c1a in handle_one_connection /10.5/src/sql/sql_connect.cc:1318
    #30 0x561bc3cdd40b in pfs_spawn_thread /10.5/src/storage/perfschema/pfs.cc:2201
    #31 0x7feed262c608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
    #32 0x7feed21fd132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
 
0x6210000daf6d is located 621 bytes inside of 4196-byte region [0x6210000dad00,0x6210000dbd64)
allocated by thread T25 here:
    #0 0x7feed2c49808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x561bc4993100 in sf_malloc /10.5/src/mysys/safemalloc.c:121
    #2 0x561bc49608fd in my_malloc /10.5/src/mysys/my_malloc.c:91
    #3 0x561bc493c679 in alloc_root /10.5/src/mysys/my_alloc.c:249
    #4 0x561bc388cb0c in QUICK_GROUP_MIN_MAX_SELECT::init() /10.5/src/sql/opt_range.cc:15003
    #5 0x561bc388b95d in TRP_GROUP_MIN_MAX::make_quick(PARAM*, bool, st_mem_root*) /10.5/src/sql/opt_range.cc:14844
    #6 0x561bc383a4c2 in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool, bool) /10.5/src/sql/opt_range.cc:3059
    #7 0x561bc2ce2d2a in get_quick_record_count /10.5/src/sql/sql_select.cc:4888
    #8 0x561bc2ce9bb3 in make_join_statistics /10.5/src/sql/sql_select.cc:5615
    #9 0x561bc2cc80e9 in JOIN::optimize_inner() /10.5/src/sql/sql_select.cc:2342
    #10 0x561bc2cc15c2 in JOIN::optimize() /10.5/src/sql/sql_select.cc:1700
    #11 0x561bc2ce242f in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.5/src/sql/sql_select.cc:4830
    #12 0x561bc2cb32b8 in handle_select(THD*, LEX*, select_result*, unsigned long) /10.5/src/sql/sql_select.cc:450
    #13 0x561bc2c19062 in execute_sqlcom_select /10.5/src/sql/sql_parse.cc:6331
    #14 0x561bc2c07dd5 in mysql_execute_command(THD*) /10.5/src/sql/sql_parse.cc:4008
    #15 0x561bc2c2435c in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.5/src/sql/sql_parse.cc:8106
    #16 0x561bc2bf9fb1 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.5/src/sql/sql_parse.cc:1891
    #17 0x561bc2bf6923 in do_command(THD*) /10.5/src/sql/sql_parse.cc:1375
    #18 0x561bc30532b6 in do_handle_one_connection(CONNECT*, bool) /10.5/src/sql/sql_connect.cc:1416
    #19 0x561bc3052c1a in handle_one_connection /10.5/src/sql/sql_connect.cc:1318
    #20 0x561bc3cdd40b in pfs_spawn_thread /10.5/src/storage/perfschema/pfs.cc:2201
    #21 0x7feed262c608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
 
Thread T25 created by T0 here:
    #0 0x7feed2b76815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
    #1 0x561bc3cd8fe0 in my_thread_create /10.5/src/storage/perfschema/my_thread.h:52
    #2 0x561bc3cdd7fe in pfs_spawn_thread_v1 /10.5/src/storage/perfschema/pfs.cc:2252
    #3 0x561bc28dc822 in inline_mysql_thread_create /10.5/src/include/mysql/psi/mysql_thread.h:1323
    #4 0x561bc28f2f0e in create_thread_to_handle_connection(CONNECT*) /10.5/src/sql/mysqld.cc:6060
    #5 0x561bc28f358d in create_new_thread(CONNECT*) /10.5/src/sql/mysqld.cc:6119
    #6 0x561bc28f38ea in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.5/src/sql/mysqld.cc:6184
    #7 0x561bc28f454c in handle_connections_sockets() /10.5/src/sql/mysqld.cc:6311
    #8 0x561bc28f271b in mysqld_main(int, char**) /10.5/src/sql/mysqld.cc:5706
    #9 0x561bc28db0bc in main /10.5/src/sql/main.cc:25
    #10 0x7feed2102082 in __libc_start_main ../csu/libc-start.c:308
 
SUMMARY: AddressSanitizer: use-after-poison ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:825 in __interceptor_memcmp
Shadow bytes around the buggy address:
  0x0c4280013590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c42800135a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c42800135b0: 00 00 00 00 f7 00 00 00 00 00 00 00 00 00 00 00
  0x0c42800135c0: 04 f7 00 00 00 00 00 00 00 00 00 00 00 04 f7 00
  0x0c42800135d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f7
=>0x0c42800135e0: 04 f7 00 00 00 00 00 f7 00 00 00 00 00[05]f7 00
  0x0c42800135f0: 00 00 00 00 05 f7 00 00 00 00 00 00 00 00 00 00
  0x0c4280013600: 00 00 00 00 00 00 00 00 00 00 f7 f7 f7 f7 f7 f7
  0x0c4280013610: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4280013620: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4280013630: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==254461==ABORTING
