[MDEV-25158] SIGSEGV in hp_rec_key_cmp and Assertion `curr_op_type != INTERSECT_ALL' failed on SELECT ... UNION SELECT, ASAN heap-use-after-free in ha_heap::find_unique_row
Created: 2021-03-16 Updated: 2023-11-28

Status: Confirmed
Project: MariaDB Server
Component/s: Server
Affects Version/s: 10.5, 10.6, 10.7, 10.8, 10.9, 10.10, 10.11, 11.0, 11.1, 11.2
Fix Version/s: 10.5, 10.6, 10.11, 11.0, 11.1, 11.2

Type: Bug Priority: Major
Reporter: Ramesh Sivaraman Assignee: Oleksandr Byelkin
Resolution: Unresolved Votes: 0
Labels: ASAN, memory_corruption, not-10.2, not-10.3, not-10.4, regression

Attachments: Text File error.log
Issue Links:
Duplicate
is duplicated by MDEV-32325 Server crashes at __nss_database_lookup Closed
is duplicated by MDEV-32328 Server crashes at select_unit::write_... Closed
is duplicated by MDEV-32330 Server crashes at select_unit_ext::se... Closed

Description

SET SQL_MODE='ORACLE';
CREATE TABLE t (c CHAR(1)) ENGINE=InnoDB;
INSERT INTO t VALUES(0), (1), (1), (1), (1);
SELECT * FROM t UNION SELECT * FROM t INTERSECT ALL SELECT * FROM t;

Leads to:

10.6.0 8dd35a2507f8d63ca8df9335d2c6072d5c0e3b86 (Optimized)

Core was generated by `/test/MD160321-mariadb-10.6.0-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
[Current thread is 1 (Thread 0x14b8807b0700 (LWP 3114391))]
(gdb) bt
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
#1  0x000055d2d41af26f in my_write_core (sig=sig@entry=11) at /test/10.6_opt/mysys/stacktrace.c:424
#2  0x000055d2d3c2a5e0 in handle_fatal_signal (sig=11) at /test/10.6_opt/sql/signal_handler.cc:331
#3  <signal handler called>
#4  0x000055d2d3f3c29f in hp_rec_key_cmp (keydef=keydef@entry=0x14b82804d9c8, rec1=0x3 <error: Cannot access memory at address 0x3>, rec2=rec2@entry=0x14b82804cd58 "\377\376") at /test/10.6_opt/storage/heap/hp_hash.c:389
#5  0x000055d2d3f3a557 in ha_heap::find_unique_row (this=0x14b82804cec0, record=0x14b82804cd58 "\377\376", unique_idx=<optimized out>) at /test/10.6_opt/storage/heap/ha_heap.cc:813
#6  0x000055d2d3ad3f83 in select_unit_ext::send_data (this=0x14b828013a38, values=<optimized out>) at /test/10.6_opt/sql/sql_union.cc:670
#7  0x000055d2d3a72b5e in select_result_sink::send_data_with_check (u=<optimized out>, sent=<optimized out>, items=@0x14b828012d70: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14b8280131e8, last = 0x14b8280131e8, elements = 1}, <No data fields>}, this=<optimized out>) at /test/10.6_opt/sql/sql_class.h:5554
#8  select_result_sink::send_data_with_check (sent=<optimized out>, u=<optimized out>, items=@0x14b828012d70: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14b8280131e8, last = 0x14b8280131e8, elements = 1}, <No data fields>}, this=<optimized out>) at /test/10.6_opt/sql/sql_class.h:5544
#9  end_send (join=0x14b828014a28, join_tab=0x14b828051be8, end_of_records=<optimized out>) at /test/10.6_opt/sql/sql_select.cc:21952
#10 0x000055d2d3a4a9de in evaluate_join_record (join=0x14b828014a28, join_tab=0x14b828051838, error=<optimized out>) at /test/10.6_opt/sql/sql_select.cc:20975
#11 0x000055d2d3a5bb9b in sub_select (end_of_records=false, join_tab=0x14b828051838, join=0x14b828014a28) at /test/10.6_opt/sql/sql_select.cc:20752
#12 sub_select (join=0x14b828014a28, join_tab=0x14b828051838, end_of_records=false) at /test/10.6_opt/sql/sql_select.cc:20681
#13 0x000055d2d3a898c2 in do_select (procedure=<optimized out>, join=0x14b828014a28) at /test/10.6_opt/sql/sql_select.cc:20299
#14 JOIN::exec_inner (this=0x14b828014a28) at /test/10.6_opt/sql/sql_select.cc:4477
#15 0x000055d2d3a89c78 in JOIN::exec (this=0x14b828014a28) at /test/10.6_opt/sql/sql_select.cc:4257
#16 0x000055d2d3ad6edc in st_select_lex_unit::exec (this=0x14b828004c70) at /test/10.6_opt/sql/sql_union.cc:2235
#17 0x000055d2d3adaf18 in mysql_union (thd=thd@entry=0x14b828000c58, lex=lex@entry=0x14b828004ba8, result=result@entry=0x14b828013a10, unit=unit@entry=0x14b828004c70, setup_tables_done_option=<optimized out>) at /test/10.6_opt/sql/sql_union.cc:41
#18 0x000055d2d3a884da in handle_select (thd=thd@entry=0x14b828000c58, lex=lex@entry=0x14b828004ba8, result=result@entry=0x14b828013a10, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.6_opt/sql/sql_select.cc:407
#19 0x000055d2d3a18e8e in execute_sqlcom_select (thd=0x14b828000c58, all_tables=0x14b828010ba8) at /test/10.6_opt/sql/sql_parse.cc:6230
#20 0x000055d2d3a26de7 in mysql_execute_command (thd=0x14b828000c58) at /test/10.6_opt/sql/sql_parse.cc:3926
#21 0x000055d2d3a13dc4 in mysql_parse (thd=0x14b828000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.6_opt/sql/sql_parse.cc:7998
#22 0x000055d2d3a1fd2d in dispatch_command (command=COM_QUERY, thd=0x14b828000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.6_opt/sql/sql_class.h:1318
#23 0x000055d2d3a21db6 in do_command (thd=0x14b828000c58, blocking=blocking@entry=true) at /test/10.6_opt/sql/sql_parse.cc:1397
#24 0x000055d2d3b24557 in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /test/10.6_opt/sql/sql_connect.cc:1410
#25 0x000055d2d3b248bd in handle_one_connection (arg=arg@entry=0x55d2d62dc148) at /test/10.6_opt/sql/sql_connect.cc:1312
#26 0x000055d2d3ea4f97 in pfs_spawn_thread (arg=0x55d2d6257f68) at /test/10.6_opt/storage/perfschema/pfs.cc:2201
#27 0x000014b884831609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#28 0x000014b884420293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.5.10 031b3dfc22c3d37769d49da902401b26a24f12b4 (Optimized)

Core was generated by `/test/MD160321-mariadb-10.5.10-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
[Current thread is 1 (Thread 0x154928a62700 (LWP 3115332))]
(gdb) bt
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
#1  0x000056359cf64fdf in my_write_core (sig=sig@entry=11) at /test/10.5_opt/mysys/stacktrace.c:424
#2  0x000056359c985820 in handle_fatal_signal (sig=11) at /test/10.5_opt/sql/signal_handler.cc:331
#3  <signal handler called>
#4  0x000056359cca227f in hp_rec_key_cmp (keydef=keydef@entry=0x1548ec04ec28, rec1=0x3 <error: Cannot access memory at address 0x3>, rec2=rec2@entry=0x1548ec04dfb8 "\377\376") at /test/10.5_opt/storage/heap/hp_hash.c:389
#5  0x000056359cca0537 in ha_heap::find_unique_row (this=0x1548ec04e120, record=0x1548ec04dfb8 "\377\376", unique_idx=<optimized out>) at /test/10.5_opt/storage/heap/ha_heap.cc:813
#6  0x000056359c8292f3 in select_unit_ext::send_data (this=0x1548ec013978, values=<optimized out>) at /test/10.5_opt/sql/sql_union.cc:670
#7  0x000056359c7c710e in select_result_sink::send_data_with_check (u=<optimized out>, sent=<optimized out>, items=@0x1548ec012cb0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1548ec013128, last = 0x1548ec013128, elements = 1}, <No data fields>}, this=<optimized out>) at /test/10.5_opt/sql/sql_class.h:5328
#8  select_result_sink::send_data_with_check (sent=<optimized out>, u=<optimized out>, items=@0x1548ec012cb0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1548ec013128, last = 0x1548ec013128, elements = 1}, <No data fields>}, this=<optimized out>) at /test/10.5_opt/sql/sql_class.h:5318
#9  end_send (join=0x1548ec014968, join_tab=0x1548ec052de8, end_of_records=<optimized out>) at /test/10.5_opt/sql/sql_select.cc:21973
#10 0x000056359c79edd0 in evaluate_join_record (join=join@entry=0x1548ec014968, join_tab=join_tab@entry=0x1548ec052a40, error=<optimized out>) at /test/10.5_opt/sql/sql_select.cc:21004
#11 0x000056359c7aff6b in sub_select (end_of_records=false, join_tab=0x1548ec052a40, join=0x1548ec014968) at /test/10.5_opt/sql/sql_select.cc:20781
#12 sub_select (join=0x1548ec014968, join_tab=0x1548ec052a40, end_of_records=false) at /test/10.5_opt/sql/sql_select.cc:20710
#13 0x000056359c7de372 in do_select (procedure=<optimized out>, join=0x1548ec014968) at /test/10.5_opt/sql/sql_select.cc:20315
#14 JOIN::exec_inner (this=0x1548ec014968) at /test/10.5_opt/sql/sql_select.cc:4467
#15 0x000056359c7de728 in JOIN::exec (this=0x1548ec014968) at /test/10.5_opt/sql/sql_select.cc:4247
#16 0x000056359c82c36c in st_select_lex_unit::exec (this=0x1548ec004c48) at /test/10.5_opt/sql/sql_union.cc:2235
#17 0x000056359c8303a8 in mysql_union (thd=thd@entry=0x1548ec000c58, lex=lex@entry=0x1548ec004b80, result=result@entry=0x1548ec013950, unit=unit@entry=0x1548ec004c48, setup_tables_done_option=<optimized out>) at /test/10.5_opt/sql/sql_union.cc:41
#18 0x000056359c7dcf8a in handle_select (thd=thd@entry=0x1548ec000c58, lex=lex@entry=0x1548ec004b80, result=result@entry=0x1548ec013950, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.5_opt/sql/sql_select.cc:407
#19 0x000056359c76bc0e in execute_sqlcom_select (thd=0x1548ec000c58, all_tables=0x1548ec010ae8) at /test/10.5_opt/sql/sql_parse.cc:6308
#20 0x000056359c77a348 in mysql_execute_command (thd=0x1548ec000c58) at /test/10.5_opt/sql/sql_parse.cc:4004
#21 0x000056359c7667f6 in mysql_parse (thd=thd@entry=0x1548ec000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x154928a61420, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_opt/sql/sql_parse.cc:8089
#22 0x000056359c772f97 in dispatch_command (command=COM_QUERY, thd=0x1548ec000c58, packet=0x1548ec008059 "SELECT * FROM t UNION SELECT * FROM t INTERSECT ALL SELECT * FROM t", packet_length=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /test/10.5_opt/sql/sql_class.h:1257
#23 0x000056359c7753ba in do_command (thd=0x1548ec000c58) at /test/10.5_opt/sql/sql_parse.cc:1370
#24 0x000056359c87aac1 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x56359fe24c38, put_in_cache=put_in_cache@entry=true) at /test/10.5_opt/sql/sql_connect.cc:1410
#25 0x000056359c87af3d in handle_one_connection (arg=arg@entry=0x56359fe24c38) at /test/10.5_opt/sql/sql_connect.cc:1312
#26 0x000056359cc09077 in pfs_spawn_thread (arg=0x56359fda2028) at /test/10.5_opt/storage/perfschema/pfs.cc:2201
#27 0x000015493edd1609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#28 0x000015493e9c0293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.5.10 (opt), 10.6.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.2.38 (opt), 10.3.29 (opt), 10.4.19 (opt)

Comments
Comment by Ramesh Sivaraman [ 2021-03-16 ]

Attaching ASAN log error.log

Comment by Ramesh Sivaraman [ 2021-05-25 ]

Getting a different assertion if we do not insert values into table t:

SET SQL_MODE='ORACLE';
CREATE TABLE t (c CHAR(1)) ENGINE=InnoDB;
SELECT * FROM t UNION SELECT * FROM t INTERSECT ALL SELECT * FROM t;

Leads to:

10.6.1 adb0fdb268c6b461a130c27f53a5244a3aa217e9 (Debug)

mysqld: /test/10.6_dbg/sql/sql_union.cc:761: virtual bool select_unit_ext::send_eof(): Assertion `curr_op_type != INTERSECT_ALL' failed.

10.6.1 adb0fdb268c6b461a130c27f53a5244a3aa217e9 (Debug)

Core was generated by `/test/MD170521-mariadb-10.6.1-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
[Current thread is 1 (Thread 0x1492ace8d700 (LWP 3652318))]
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00001492b82e1859 in __GI_abort () at abort.c:79
#2  0x00001492b82e1729 in __assert_fail_base (fmt=0x1492b8477588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x55e0e8a66335 "curr_op_type != INTERSECT_ALL", file=0x55e0e8a65a40 "/test/10.6_dbg/sql/sql_union.cc", line=761, function=<optimized out>) at assert.c:92
#3  0x00001492b82f2f36 in __GI___assert_fail (assertion=assertion@entry=0x55e0e8a66335 "curr_op_type != INTERSECT_ALL", file=file@entry=0x55e0e8a65a40 "/test/10.6_dbg/sql/sql_union.cc", line=line@entry=761, function=function@entry=0x55e0e8a65d98 "virtual bool select_unit_ext::send_eof()") at assert.c:101
#4  0x000055e0e7e89905 in select_unit_ext::send_eof (this=0x149268017650) at /test/10.6_dbg/sql/sql_union.cc:761
#5  0x000055e0e7e20536 in do_select (procedure=<optimized out>, join=0x149268018698) at /test/10.6_dbg/sql/sql_select.cc:20460
#6  JOIN::exec_inner (this=this@entry=0x149268018698) at /test/10.6_dbg/sql/sql_select.cc:4609
#7  0x000055e0e7e20844 in JOIN::exec (this=0x149268018698) at /test/10.6_dbg/sql/sql_select.cc:4389
#8  0x000055e0e7e8c456 in st_select_lex_unit::exec (this=this@entry=0x149268005120) at /test/10.6_dbg/sql/sql_union.cc:2232
#9  0x000055e0e7e918b9 in mysql_union (thd=thd@entry=0x149268000db8, lex=lex@entry=0x149268005058, result=result@entry=0x149268017628, unit=unit@entry=0x149268005120, setup_tables_done_option=<optimized out>, setup_tables_done_option@entry=0) at /test/10.6_dbg/sql/sql_union.cc:41
#10 0x000055e0e7e1eb24 in handle_select (thd=thd@entry=0x149268000db8, lex=lex@entry=0x149268005058, result=result@entry=0x149268017628, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.6_dbg/sql/sql_select.cc:436
#11 0x000055e0e7d9248b in execute_sqlcom_select (thd=thd@entry=0x149268000db8, all_tables=0x1492680146e8) at /test/10.6_dbg/sql/sql_parse.cc:6245
#12 0x000055e0e7d9f374 in mysql_execute_command (thd=thd@entry=0x149268000db8) at /test/10.6_dbg/sql/sql_parse.cc:3940
#13 0x000055e0e7d8b5af in mysql_parse (thd=thd@entry=0x149268000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1492ace8c410) at /test/10.6_dbg/sql/sql_parse.cc:8019
#14 0x000055e0e7d9a3d3 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x149268000db8, packet=packet@entry=0x14926800b799 "SELECT * FROM t UNION SELECT * FROM t INTERSECT ALL SELECT * FROM t", packet_length=packet_length@entry=67, blocking=blocking@entry=true) at /test/10.6_dbg/sql/sql_class.h:1333
#15 0x000055e0e7d9d7cc in do_command (thd=0x149268000db8, blocking=blocking@entry=true) at /test/10.6_dbg/sql/sql_parse.cc:1406
#16 0x000055e0e7ef7550 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55e0ea396948, put_in_cache=put_in_cache@entry=true) at /test/10.6_dbg/sql/sql_connect.cc:1410
#17 0x000055e0e7ef7b55 in handle_one_connection (arg=arg@entry=0x55e0ea396948) at /test/10.6_dbg/sql/sql_connect.cc:1312
#18 0x000055e0e83abb00 in pfs_spawn_thread (arg=0x55e0ea280258) at /test/10.6_dbg/storage/perfschema/pfs.cc:2201
#19 0x00001492b87ef609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#20 0x00001492b83de293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.5.11 (dbg), 10.6.1 (dbg)

Comment by Roel Van de Paar [ 2022-02-19 ]

Additional differing stack with this testcase

SET sql_mode=ORACLE;
CREATE TABLE t (a INT) ENGINE=Memory;
SELECT * FROM t UNION SELECT * FROM t INTERSECT ALL SELECT * FROM t;

Leads to:

10.9.0 b5852ffbeebc3000982988383daeefb0549e058a (Debug)

mysqld: /test/10.9_dbg/sql/sql_union.cc:762: virtual bool select_unit_ext::send_eof(): Assertion `curr_op_type != INTERSECT_ALL' failed.

10.9.0 b5852ffbeebc3000982988383daeefb0549e058a (Debug)

Core was generated by `/test/MD140222-mariadb-10.9.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
[Current thread is 1 (Thread 0x14b430106700 (LWP 2394142))]
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x000014b43976a859 in __GI_abort () at abort.c:79
#2  0x000014b43976a729 in __assert_fail_base (fmt=0x14b439900588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x55c15e9699bd "curr_op_type != INTERSECT_ALL", file=0x55c15e9690c8 "/test/10.9_dbg/sql/sql_union.cc", line=762, function=<optimized out>) at assert.c:92
#3  0x000014b43977bf36 in __GI___assert_fail (assertion=assertion@entry=0x55c15e9699bd "curr_op_type != INTERSECT_ALL", file=file@entry=0x55c15e9690c8 "/test/10.9_dbg/sql/sql_union.cc", line=line@entry=762, function=function@entry=0x55c15e969420 "virtual bool select_unit_ext::send_eof()") at assert.c:101
#4  0x000055c15dd7822c in select_unit_ext::send_eof (this=0x14b3ac017368) at /test/10.9_dbg/sql/sql_union.cc:762
#5  0x000055c15dd0a9e4 in return_zero_rows (all_fields=<optimized out>, having=0x0, info=0x55c15e95b168 "no matching row in const table", select_options=<optimized out>, send_row=false, fields=@0x14b3ac016788: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14b3ac016a78, last = 0x14b3ac016a78, elements = 1}, <No data fields>}, tables=@0x14b3ac016700: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14b3ac06cb30, last = 0x14b3ac06cb30, elements = 1}, <No data fields>}, result=0x14b3ac017368, join=0x14b3ac06c578) at /test/10.9_dbg/sql/sql_select.cc:14826
#6  JOIN::exec_inner (this=this@entry=0x14b3ac06c578) at /test/10.9_dbg/sql/sql_select.cc:4670
#7  0x000055c15dd0b8c0 in JOIN::exec (this=0x14b3ac06c578) at /test/10.9_dbg/sql/sql_select.cc:4527
#8  0x000055c15dd7aa28 in st_select_lex_unit::exec (this=this@entry=0x14b3ac0051c8) at /test/10.9_dbg/sql/sql_union.cc:2235
#9  0x000055c15dd7ef78 in mysql_union (thd=thd@entry=0x14b3ac000db8, lex=lex@entry=0x14b3ac0050f0, result=result@entry=0x14b3ac017340, unit=unit@entry=0x14b3ac0051c8, setup_tables_done_option=<optimized out>, setup_tables_done_option@entry=0) at /test/10.9_dbg/sql/sql_union.cc:42
#10 0x000055c15dd09ac2 in handle_select (thd=thd@entry=0x14b3ac000db8, lex=lex@entry=0x14b3ac0050f0, result=result@entry=0x14b3ac017340, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.9_dbg/sql/sql_select.cc:533
#11 0x000055c15dc69124 in execute_sqlcom_select (thd=thd@entry=0x14b3ac000db8, all_tables=0x14b3ac0144a0) at /test/10.9_dbg/sql/sql_parse.cc:6252
#12 0x000055c15dc7608b in mysql_execute_command (thd=thd@entry=0x14b3ac000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.9_dbg/sql/sql_parse.cc:3943
#13 0x000055c15dc62315 in mysql_parse (thd=thd@entry=0x14b3ac000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14b430105400) at /test/10.9_dbg/sql/sql_parse.cc:8027
#14 0x000055c15dc70fb1 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14b3ac000db8, packet=packet@entry=0x14b3ac00b889 "SELECT * FROM t UNION SELECT * FROM t INTERSECT ALL SELECT * FROM t", packet_length=packet_length@entry=67, blocking=blocking@entry=true) at /test/10.9_dbg/sql/sql_class.h:1362
#15 0x000055c15dc743f8 in do_command (thd=0x14b3ac000db8, blocking=blocking@entry=true) at /test/10.9_dbg/sql/sql_parse.cc:1402
#16 0x000055c15ddeefc4 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55c161b75eb8, put_in_cache=put_in_cache@entry=true) at /test/10.9_dbg/sql/sql_connect.cc:1418
#17 0x000055c15ddef5c9 in handle_one_connection (arg=arg@entry=0x55c161b75eb8) at /test/10.9_dbg/sql/sql_connect.cc:1312
#18 0x000055c15e275d67 in pfs_spawn_thread (arg=0x55c161ab8588) at /test/10.9_dbg/storage/perfschema/pfs.cc:2201
#19 0x000014b439c79609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#20 0x000014b439867293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.5.14 (dbg), 10.6.6 (dbg), 10.7.2 (dbg), 10.8.1 (dbg), 10.9.0 (dbg)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.2.42 (dbg), 10.2.42 (opt), 10.3.33 (dbg), 10.3.33 (opt), 10.4.23 (dbg), 10.4.23 (opt), 10.5.14 (opt), 10.6.6 (opt), 10.7.2 (opt), 10.8.1 (opt), 10.9.0 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.36 (dbg), 5.7.36 (opt), 8.0.27 (dbg), 8.0.27 (opt)

Comment by Roel Van de Paar [ 2022-02-19 ]

bar, I am assigning this to you as the author of the Oracle compatibility mode.

Comment by Roel Van de Paar [ 2022-02-19 ]

UniqueIDs seen thus far:

SIGSEGV|hp_rec_key_cmp|ha_heap::find_unique_row|select_unit_ext::send_data|select_result_sink::send_data_with_check
curr_op_type != INTERSECT_ALL|SIGABRT|select_unit_ext::send_eof|do_select|JOIN::exec_inner|JOIN::exec
curr_op_type != INTERSECT_ALL|SIGABRT|select_unit_ext::send_eof|return_zero_rows|JOIN::exec_inner|JOIN::exec
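
The UniqueID strings above are crash signatures used to decide whether a newly found stack is a duplicate of this issue. As an added example (not MariaDB code and not the tooling that produced these IDs), the script below rebuilds them from the gdb output quoted in this report and splits the ASAN heap-use-after-free report from a later comment into its access, freed-by and allocated-by stacks; the list of reporting-machinery frames to skip and the depth of four frames are assumptions chosen to match the IDs shown.

```python
"""Crash-signature helper for the gdb and ASAN output quoted in MDEV-25158.
Added example, not MariaDB code: it rebuilds the "UniqueID" strings from the
comments and splits the ASAN use-after-free report into its three stacks."""
import re

# Reporting-machinery frames (signal handler, abort/assert, sanitizer hooks); assumed list.
SKIP_FRAMES = {"__pthread_kill", "my_write_core", "handle_fatal_signal", "raise",
               "__GI_raise", "abort", "__GI_abort", "__assert_fail_base", "free",
               "__GI___assert_fail", "__assert_fail", "malloc", "__interceptor_malloc"}
# Frame line in gdb ("#4  0x... in func (args)") or ASAN ("#4 0x... in func(args)") form.
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+\s+in\s+)?([^\s(<]+)")
SIGNAL_RE = re.compile(r"terminated with signal (SIG[A-Z]+)")
# Assertion text from the libc message or the assertion= argument; the "%s" format is excluded.
ASSERT_RE = re.compile(r"Assertion `([^'%]+)' failed|assertion=\S+ \"([^\"]+)\"")
ASAN_RE = re.compile(r"AddressSanitizer: ([a-z-]+) on address")

def frame_names(text):
    """Function names of the frame lines in stack order; a repeated frame index (gdb
    prints #0 before and after 'bt') is kept once, address-only frames are dropped."""
    names, seen = [], set()
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m or m.group(2).startswith("0x") or m.group(1) in seen:
            continue
        seen.add(m.group(1))
        names.append(m.group(2))
    return names

def significant(names, depth):
    """First `depth` frames that are not reporting machinery."""
    return [n for n in names if n not in SKIP_FRAMES][:depth]

def gdb_signature(text, depth=4):
    """UniqueID in the report's format: [assertion|]SIGNAL|frame|...|frame."""
    sig = SIGNAL_RE.search(text)
    parts = [sig.group(1) if sig else "UNKNOWN"]
    asrt = ASSERT_RE.search(text)
    if asrt:
        parts.insert(0, asrt.group(1) or asrt.group(2))
    return "|".join(parts + significant(frame_names(text), depth))

def asan_summary(text, depth=3):
    """Error kind plus the top real frames of the access, freed-by and allocated-by stacks."""
    kind = ASAN_RE.search(text)
    stacks = {"access": [], "freed_by": [], "allocated_by": []}
    current = "access"
    for line in text.splitlines():
        if line.startswith("freed by thread"):
            current = "freed_by"
        elif line.startswith("previously allocated by thread"):
            current = "allocated_by"
        stacks[current].append(line)
    result = {"kind": kind.group(1) if kind else "unknown"}
    for name, lines in stacks.items():
        result[name] = significant(frame_names("\n".join(lines)), depth)
    return result

# Abbreviated excerpts of traces quoted in this report (arguments trimmed to "...").
GDB_SIGSEGV = r"""
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
#1  0x000055d2d41af26f in my_write_core (sig=sig@entry=11) at /test/10.6_opt/mysys/stacktrace.c:424
#2  0x000055d2d3c2a5e0 in handle_fatal_signal (sig=11) at /test/10.6_opt/sql/signal_handler.cc:331
#3  <signal handler called>
#4  0x000055d2d3f3c29f in hp_rec_key_cmp (keydef=keydef@entry=0x14b82804d9c8, rec1=0x3 <error: Cannot access memory at address 0x3>, ...) at /test/10.6_opt/storage/heap/hp_hash.c:389
#5  0x000055d2d3f3a557 in ha_heap::find_unique_row (this=0x14b82804cec0, ...) at /test/10.6_opt/storage/heap/ha_heap.cc:813
#6  0x000055d2d3ad3f83 in select_unit_ext::send_data (this=0x14b828013a38, values=<optimized out>) at /test/10.6_opt/sql/sql_union.cc:670
#7  0x000055d2d3a72b5e in select_result_sink::send_data_with_check (u=<optimized out>, ...) at /test/10.6_opt/sql/sql_class.h:5554
"""
GDB_SIGABRT = r"""
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00001492b82e1859 in __GI_abort () at abort.c:79
#2  0x00001492b82e1729 in __assert_fail_base (fmt=0x1492b8477588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x55e0e8a66335 "curr_op_type != INTERSECT_ALL", ...) at assert.c:92
#3  0x00001492b82f2f36 in __GI___assert_fail (assertion=assertion@entry=0x55e0e8a66335 "curr_op_type != INTERSECT_ALL", ...) at assert.c:101
#4  0x000055e0e7e89905 in select_unit_ext::send_eof (this=0x149268017650) at /test/10.6_dbg/sql/sql_union.cc:761
#5  0x000055e0e7e20536 in do_select (procedure=<optimized out>, join=0x149268018698) at /test/10.6_dbg/sql/sql_select.cc:20460
#6  JOIN::exec_inner (this=this@entry=0x149268018698) at /test/10.6_dbg/sql/sql_select.cc:4609
#7  0x000055e0e7e20844 in JOIN::exec (this=0x149268018698) at /test/10.6_dbg/sql/sql_select.cc:4389
"""
ASAN_UAF = r"""
==222611==ERROR: AddressSanitizer: heap-use-after-free on address 0x634000020820 at pc 0x55e76d683c0c bp 0x145fbfcc4420 sp 0x145fbfcc4410
READ of size 8 at 0x634000020820 thread T36
    #0 0x55e76d683c0b in ha_heap::find_unique_row(unsigned char*, unsigned int) /data/11.2_opt_san/storage/heap/ha_heap.cc:872
    #1 0x55e76b18f1b1 in select_unit_ext::send_data(List<Item>&) /data/11.2_opt_san/sql/sql_union.cc:691
    #2 0x55e76adeffb3 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /data/11.2_opt_san/sql/sql_class.h:5762
freed by thread T36 here:
    #0 0x55e76a24d507 in free (/test/UBASAN_MD030823-mariadb-11.2.0-linux-x86_64-opt/bin/mariadbd+0x7c40507)
    #1 0x55e76d6acb6e in hp_free_level /data/11.2_opt_san/storage/heap/hp_block.c:151
    #2 0x55e76d6aef94 in hp_clear_keys /data/11.2_opt_san/storage/heap/hp_clear.c:100
    #3 0x55e76d6aef94 in heap_disable_indexes /data/11.2_opt_san/storage/heap/hp_clear.c:131
previously allocated by thread T36 here:
    #0 0x55e76a24d857 in __interceptor_malloc (/test/UBASAN_MD030823-mariadb-11.2.0-linux-x86_64-opt/bin/mariadbd+0x7c40857)
    #1 0x55e76e6f1454 in my_malloc /data/11.2_opt_san/mysys/my_malloc.c:89
    #2 0x55e76d6aad54 in hp_get_new_block /data/11.2_opt_san/storage/heap/hp_block.c:81
    #3 0x55e76d6a9ad8 in hp_find_free_hash /data/11.2_opt_san/storage/heap/hp_write.c:409
"""
```

Running `gdb_signature` on the two gdb excerpts yields the first two UniqueIDs listed above, and `asan_summary` shows the freeing stack passing through heap_disable_indexes while the access happens in ha_heap::find_unique_row.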

Comment by Ramesh Sivaraman [ 2022-02-21 ]

Found another crash with a slightly different stack.

SET GLOBAL sql_mode='ORACLE';
CREATE TABLE t0 (b INT KEY);
SET SESSION sql_mode=DEFAULT;
ALTER TABLE t0 ADD c0 INT NOT NULL FIRST;
INSERT INTO t0 VALUES (0,0);
SELECT * FROM t0 UNION SELECT * FROM t0 INTERSECT ALL SELECT * FROM t0;

unique_id

SIGSEGV|__memcmp_avx2_movbe|hp_rec_key_cmp|ha_heap::find_unique_row|select_unit_ext::send_data

10.8.0 f6b1e6fbae27842f78b28ad8ceb898e6008841d1 (Optimized)

Core was generated by `/test/GAL_MD100122-mariadb-10.8.0-linux-x86_64-opt/bin/mysqld --no-defaults --c'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
[Current thread is 1 (Thread 0x14d608129700 (LWP 2272739))]
(gdb) bt
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
#1  0x00005641a2324e4f in my_write_core (sig=sig@entry=11) at /test/10.8_opt/mysys/stacktrace.c:424
#2  0x00005641a1dcc340 in handle_fatal_signal (sig=11) at /test/10.8_opt/sql/signal_handler.cc:345
#3  <signal handler called>
#4  __memcmp_avx2_movbe () at ../sysdeps/x86_64/multiarch/memcmp-avx2-movbe.S:182
#5  0x00005641a20aba3f in hp_rec_key_cmp (keydef=keydef@entry=0x14d5b4054148, rec1=0x3 <error: Cannot access memory at address 0x3>, rec2=rec2@entry=0x14d5b4053120 "\377") at /test/10.8_opt/storage/heap/hp_hash.c:472
#6  0x00005641a20a9d27 in ha_heap::find_unique_row (this=0x14d5b4053200, record=0x14d5b4053120 "\377", unique_idx=<optimized out>) at /test/10.8_opt/storage/heap/ha_heap.cc:813
#7  0x00005641a1c526c3 in select_unit_ext::send_data (this=0x14d5b4013d88, values=<optimized out>) at /test/10.8_opt/sql/sql_union.cc:671
#8  0x00005641a1bed1fc in select_result_sink::send_data_with_check (u=<optimized out>, sent=<optimized out>, items=@0x14d5b4013258: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14d5b4013548, last = 0x14d5b404f110, elements = 2}, <No data fields>}, this=<optimized out>) at /test/10.8_opt/sql/sql_class.h:5605
#9  select_result_sink::send_data_with_check (sent=<optimized out>, u=<optimized out>, items=@0x14d5b4013258: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14d5b4013548, last = 0x14d5b404f110, elements = 2}, <No data fields>}, this=<optimized out>) at /test/10.8_opt/sql/sql_class.h:5595
#10 end_send (join=0x14d5b404e8e8, join_tab=0x14d5b4056990, end_of_records=<optimized out>) at /test/10.8_opt/sql/sql_select.cc:22315
#11 0x00005641a1bc3c3c in evaluate_join_record (join=0x14d5b404e8e8, join_tab=0x14d5b40565e0, error=<optimized out>) at /test/10.8_opt/sql/sql_select.cc:21308
#12 0x00005641a1bd6623 in sub_select (end_of_records=false, join_tab=0x14d5b40565e0, join=0x14d5b404e8e8) at /test/10.8_opt/sql/sql_select.cc:21078
#13 sub_select (join=0x14d5b404e8e8, join_tab=0x14d5b40565e0, end_of_records=<optimized out>) at /test/10.8_opt/sql/sql_select.cc:21007
#14 0x00005641a1c04867 in do_select (procedure=<optimized out>, join=0x14d5b404e8e8) at /test/10.8_opt/sql/sql_select.cc:20623
#15 JOIN::exec_inner (this=0x14d5b404e8e8) at /test/10.8_opt/sql/sql_select.cc:4735
#16 0x00005641a1c04c29 in JOIN::exec (this=0x14d5b404e8e8) at /test/10.8_opt/sql/sql_select.cc:4513
#17 0x00005641a1c5509c in st_select_lex_unit::exec (this=0x14d5b4004ea0) at /test/10.8_opt/sql/sql_union.cc:2235
#18 0x00005641a1c589a8 in mysql_union (thd=thd@entry=0x14d5b4000c58, lex=lex@entry=0x14d5b4004dc8, result=result@entry=0x14d5b4013d60, unit=unit@entry=0x14d5b4004ea0, setup_tables_done_option=<optimized out>) at /test/10.8_opt/sql/sql_union.cc:42
#19 0x00005641a1c033bb in handle_select (thd=thd@entry=0x14d5b4000c58, lex=lex@entry=0x14d5b4004dc8, result=result@entry=0x14d5b4013d60, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.8_opt/sql/sql_select.cc:535
#20 0x00005641a1b835e1 in execute_sqlcom_select (thd=0x14d5b4000c58, all_tables=0x14d5b4010f70) at /test/10.8_opt/sql/sql_parse.cc:6252
#21 0x00005641a1b9194f in mysql_execute_command (thd=0x14d5b4000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.8_opt/sql/sql_parse.cc:3943
#22 0x00005641a1b7e297 in mysql_parse (thd=0x14d5b4000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.8_opt/sql/sql_parse.cc:8027
#23 0x00005641a1b8a4d5 in dispatch_command (command=COM_QUERY, thd=0x14d5b4000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.8_opt/sql/sql_class.h:1360
#24 0x00005641a1b8c6d8 in do_command (thd=0x14d5b4000c58, blocking=blocking@entry=true) at /test/10.8_opt/sql/sql_parse.cc:1402
#25 0x00005641a1cabdd7 in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /test/10.8_opt/sql/sql_connect.cc:1418
#26 0x00005641a1cac12d in handle_one_connection (arg=arg@entry=0x5641a4e85cb8) at /test/10.8_opt/sql/sql_connect.cc:1312
#27 0x00005641a2017eed in pfs_spawn_thread (arg=0x5641a4e85d28) at /test/10.8_opt/storage/perfschema/pfs.cc:2201
#28 0x000014d61d4d8609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#29 0x000014d61d0c6293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Comment by Oleksandr Byelkin [ 2022-06-24 ]

InnoDB is irrelevant here.

Comment by Roel Van de Paar [ 2023-08-09 ]

SET @@sql_mode='ORACLE';
CREATE TABLE t (a INT);
INSERT INTO t VALUES (1);
SELECT * FROM t UNION SELECT * FROM t INTERSECT ALL SELECT * FROM t;

Shows this ASAN heap-use-after-free in ha_heap::find_unique_row besides crashing:

11.2.0 e81fa345020ec6a067583db6a7019d6404b26f93 (Optimized, UBASAN)

==222611==ERROR: AddressSanitizer: heap-use-after-free on address 0x634000020820 at pc 0x55e76d683c0c bp 0x145fbfcc4420 sp 0x145fbfcc4410
READ of size 8 at 0x634000020820 thread T36
    #0 0x55e76d683c0b in ha_heap::find_unique_row(unsigned char*, unsigned int) /data/11.2_opt_san/storage/heap/ha_heap.cc:872
    #1 0x55e76b18f1b1 in select_unit_ext::send_data(List<Item>&) /data/11.2_opt_san/sql/sql_union.cc:691
    #2 0x55e76adeffb3 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /data/11.2_opt_san/sql/sql_class.h:5762
    #3 0x55e76adeffb3 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /data/11.2_opt_san/sql/sql_class.h:5752
    #4 0x55e76adeffb3 in end_send /data/11.2_opt_san/sql/sql_select.cc:24704
    #5 0x55e76ac93129 in evaluate_join_record /data/11.2_opt_san/sql/sql_select.cc:23671
    #6 0x55e76ad25fce in sub_select(JOIN*, st_join_table*, bool) /data/11.2_opt_san/sql/sql_select.cc:23438
    #7 0x55e76af0c5ee in do_select /data/11.2_opt_san/sql/sql_select.cc:22955
    #8 0x55e76af0c5ee in JOIN::exec_inner() /data/11.2_opt_san/sql/sql_select.cc:4935
    #9 0x55e76af117d3 in JOIN::exec() /data/11.2_opt_san/sql/sql_select.cc:4712
    #10 0x55e76b1a394a in st_select_lex_unit::exec_inner() /data/11.2_opt_san/sql/sql_union.cc:2389
    #11 0x55e76b1bca3c in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long long) /data/11.2_opt_san/sql/sql_union.cc:45
    #12 0x55e76af022b0 in handle_select(THD*, LEX*, select_result*, unsigned long long) /data/11.2_opt_san/sql/sql_select.cc:618
    #13 0x55e76aa7e0a0 in execute_sqlcom_select /data/11.2_opt_san/sql/sql_parse.cc:6056
    #14 0x55e76aae04aa in mysql_execute_command(THD*, bool) /data/11.2_opt_san/sql/sql_parse.cc:3944
    #15 0x55e76aaeefc2 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/11.2_opt_san/sql/sql_parse.cc:7800
    #16 0x55e76aafa5e5 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/11.2_opt_san/sql/sql_parse.cc:1892
    #17 0x55e76ab061f8 in do_command(THD*, bool) /data/11.2_opt_san/sql/sql_parse.cc:1405
    #18 0x55e76b4274ac in do_handle_one_connection(CONNECT*, bool) /data/11.2_opt_san/sql/sql_connect.cc:1445
    #19 0x55e76b429aac in handle_one_connection /data/11.2_opt_san/sql/sql_connect.cc:1347
    #20 0x145fe4c94b42 in start_thread nptl/pthread_create.c:442
    #21 0x145fe4d269ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
 
0x634000020820 is located 32 bytes inside of 127008-byte region [0x634000020800,0x63400003f820)
freed by thread T36 here:
    #0 0x55e76a24d507 in free (/test/UBASAN_MD030823-mariadb-11.2.0-linux-x86_64-opt/bin/mariadbd+0x7c40507)
    #1 0x55e76d6acb6e in hp_free_level /data/11.2_opt_san/storage/heap/hp_block.c:151
    #2 0x55e76d6aef94 in hp_clear_keys /data/11.2_opt_san/storage/heap/hp_clear.c:100
    #3 0x55e76d6aef94 in heap_disable_indexes /data/11.2_opt_san/storage/heap/hp_clear.c:131
    #4 0x55e76d688829 in ha_heap::disable_indexes(unsigned int) /data/11.2_opt_san/storage/heap/ha_heap.cc:527
    #5 0x55e76d688829 in ha_heap::disable_indexes(unsigned int) /data/11.2_opt_san/storage/heap/ha_heap.cc:521
    #6 0x55e76b186e36 in select_unit_ext::disable_index_if_needed(st_select_lex*) /data/11.2_opt_san/sql/sql_union.cc:486
    #7 0x55e76b191089 in select_unit_ext::send_eof() /data/11.2_opt_san/sql/sql_union.cc:773
    #8 0x55e76af0c40d in do_select /data/11.2_opt_san/sql/sql_select.cc:23010
    #9 0x55e76af0c40d in JOIN::exec_inner() /data/11.2_opt_san/sql/sql_select.cc:4935
    #10 0x55e76af117d3 in JOIN::exec() /data/11.2_opt_san/sql/sql_select.cc:4712
    #11 0x55e76b1a394a in st_select_lex_unit::exec_inner() /data/11.2_opt_san/sql/sql_union.cc:2389
    #12 0x55e76b1bca3c in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long long) /data/11.2_opt_san/sql/sql_union.cc:45
    #13 0x55e76af022b0 in handle_select(THD*, LEX*, select_result*, unsigned long long) /data/11.2_opt_san/sql/sql_select.cc:618
    #14 0x55e76aa7e0a0 in execute_sqlcom_select /data/11.2_opt_san/sql/sql_parse.cc:6056
    #15 0x55e76aae04aa in mysql_execute_command(THD*, bool) /data/11.2_opt_san/sql/sql_parse.cc:3944
    #16 0x55e76aaeefc2 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/11.2_opt_san/sql/sql_parse.cc:7800
    #17 0x55e76aafa5e5 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/11.2_opt_san/sql/sql_parse.cc:1892
    #18 0x55e76ab061f8 in do_command(THD*, bool) /data/11.2_opt_san/sql/sql_parse.cc:1405
    #19 0x55e76b4274ac in do_handle_one_connection(CONNECT*, bool) /data/11.2_opt_san/sql/sql_connect.cc:1445
    #20 0x55e76b429aac in handle_one_connection /data/11.2_opt_san/sql/sql_connect.cc:1347
    #21 0x145fe4c94b42 in start_thread nptl/pthread_create.c:442
 
previously allocated by thread T36 here:
    #0 0x55e76a24d857 in __interceptor_malloc (/test/UBASAN_MD030823-mariadb-11.2.0-linux-x86_64-opt/bin/mariadbd+0x7c40857)
    #1 0x55e76e6f1454 in my_malloc /data/11.2_opt_san/mysys/my_malloc.c:89
    #2 0x55e76d6aad54 in hp_get_new_block /data/11.2_opt_san/storage/heap/hp_block.c:81
    #3 0x55e76d6a9ad8 in hp_find_free_hash /data/11.2_opt_san/storage/heap/hp_write.c:409
    #4 0x55e76d6a9ad8 in hp_write_key /data/11.2_opt_san/storage/heap/hp_write.c:212
    #5 0x55e76d6a7cb3 in heap_write /data/11.2_opt_san/storage/heap/hp_write.c:52
    #6 0x55e76d67e324 in ha_heap::write_row(unsigned char const*) /data/11.2_opt_san/storage/heap/ha_heap.cc:298
    #7 0x55e76b183b72 in handler::ha_write_tmp_row(unsigned char*) /data/11.2_opt_san/sql/sql_class.h:7531
    #8 0x55e76b183b72 in select_unit::write_record() /data/11.2_opt_san/sql/sql_union.cc:416
    #9 0x55e76b18e601 in select_unit_ext::send_data(List<Item>&) /data/11.2_opt_san/sql/sql_union.cc:704
    #10 0x55e76adeffb3 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /data/11.2_opt_san/sql/sql_class.h:5762
    #11 0x55e76adeffb3 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /data/11.2_opt_san/sql/sql_class.h:5752
    #12 0x55e76adeffb3 in end_send /data/11.2_opt_san/sql/sql_select.cc:24704
    #13 0x55e76ac93129 in evaluate_join_record /data/11.2_opt_san/sql/sql_select.cc:23671
    #14 0x55e76ad25fce in sub_select(JOIN*, st_join_table*, bool) /data/11.2_opt_san/sql/sql_select.cc:23438
    #15 0x55e76af0c5ee in do_select /data/11.2_opt_san/sql/sql_select.cc:22955
    #16 0x55e76af0c5ee in JOIN::exec_inner() /data/11.2_opt_san/sql/sql_select.cc:4935
    #17 0x55e76af117d3 in JOIN::exec() /data/11.2_opt_san/sql/sql_select.cc:4712
    #18 0x55e76b1a394a in st_select_lex_unit::exec_inner() /data/11.2_opt_san/sql/sql_union.cc:2389
    #19 0x55e76b1bca3c in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long long) /data/11.2_opt_san/sql/sql_union.cc:45
    #20 0x55e76af022b0 in handle_select(THD*, LEX*, select_result*, unsigned long long) /data/11.2_opt_san/sql/sql_select.cc:618
    #21 0x55e76aa7e0a0 in execute_sqlcom_select /data/11.2_opt_san/sql/sql_parse.cc:6056
    #22 0x55e76aae04aa in mysql_execute_command(THD*, bool) /data/11.2_opt_san/sql/sql_parse.cc:3944
    #23 0x55e76aaeefc2 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/11.2_opt_san/sql/sql_parse.cc:7800
    #24 0x55e76aafa5e5 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/11.2_opt_san/sql/sql_parse.cc:1892
    #25 0x55e76ab061f8 in do_command(THD*, bool) /data/11.2_opt_san/sql/sql_parse.cc:1405
    #26 0x55e76b4274ac in do_handle_one_connection(CONNECT*, bool) /data/11.2_opt_san/sql/sql_connect.cc:1445
    #27 0x55e76b429aac in handle_one_connection /data/11.2_opt_san/sql/sql_connect.cc:1347
    #28 0x145fe4c94b42 in start_thread nptl/pthread_create.c:442
 
Thread T36 created by T0 here:
    #0 0x55e76a1f1675 in pthread_create (/test/UBASAN_MD030823-mariadb-11.2.0-linux-x86_64-opt/bin/mariadbd+0x7be4675)
    #1 0x55e76a2a634e in create_thread_to_handle_connection(CONNECT*) /data/11.2_opt_san/sql/mysqld.cc:6169
    #2 0x55e76a2b92af in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/11.2_opt_san/sql/mysqld.cc:6293
    #3 0x55e76a2ba207 in handle_connections_sockets() /data/11.2_opt_san/sql/mysqld.cc:6417
    #4 0x55e76a2bd1ed in mysqld_main(int, char**) /data/11.2_opt_san/sql/mysqld.cc:6064
    #5 0x145fe4c29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
 
SUMMARY: AddressSanitizer: heap-use-after-free /data/11.2_opt_san/storage/heap/ha_heap.cc:872 in ha_heap::find_unique_row(unsigned char*, unsigned int)
Shadow bytes around the buggy address:
  0x0c687fffc0b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c687fffc0c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c687fffc0d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c687fffc0e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c687fffc0f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c687fffc100: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
  0x0c687fffc110: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c687fffc120: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c687fffc130: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c687fffc140: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c687fffc150: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==222611==ABORTING
230809 13:08:20 [ERROR] mysqld got signal 6 ;

11.2.0 e81fa345020ec6a067583db6a7019d6404b26f93 (Debug, UBASAN)

==222536==ERROR: AddressSanitizer: heap-use-after-free on address 0x634000020820 at pc 0x557f4e1a36ab bp 0x149a58b936f0 sp 0x149a58b936e0
READ of size 8 at 0x634000020820 thread T34
    #0 0x557f4e1a36aa in ha_heap::find_unique_row(unsigned char*, unsigned int) /data/11.2_dbg_san/storage/heap/ha_heap.cc:872
    #1 0x557f4b9f0047 in select_unit_ext::send_data(List<Item>&) /data/11.2_dbg_san/sql/sql_union.cc:691
    #2 0x557f4b61b860 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /data/11.2_dbg_san/sql/sql_class.h:5762
    #3 0x557f4b61b860 in end_send /data/11.2_dbg_san/sql/sql_select.cc:24704
    #4 0x557f4b46f28a in evaluate_join_record /data/11.2_dbg_san/sql/sql_select.cc:23671
    #5 0x557f4b53b03b in sub_select(JOIN*, st_join_table*, bool) /data/11.2_dbg_san/sql/sql_select.cc:23438
    #6 0x557f4b6ebae4 in do_select /data/11.2_dbg_san/sql/sql_select.cc:22955
    #7 0x557f4b6ebae4 in JOIN::exec_inner() /data/11.2_dbg_san/sql/sql_select.cc:4935
    #8 0x557f4b6ed22c in JOIN::exec() /data/11.2_dbg_san/sql/sql_select.cc:4712
    #9 0x557f4ba06283 in st_select_lex_unit::exec_inner() /data/11.2_dbg_san/sql/sql_union.cc:2389
    #10 0x557f4ba0ac0b in st_select_lex_unit::exec() /data/11.2_dbg_san/sql/sql_union.cc:2292
    #11 0x557f4ba2441b in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long long) /data/11.2_dbg_san/sql/sql_union.cc:45
    #12 0x557f4b6df0bf in handle_select(THD*, LEX*, select_result*, unsigned long long) /data/11.2_dbg_san/sql/sql_select.cc:618
    #13 0x557f4b2531a8 in execute_sqlcom_select /data/11.2_dbg_san/sql/sql_parse.cc:6056
    #14 0x557f4b2b3bca in mysql_execute_command(THD*, bool) /data/11.2_dbg_san/sql/sql_parse.cc:3944
    #15 0x557f4b2dec10 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/11.2_dbg_san/sql/sql_parse.cc:7800
    #16 0x557f4b2ee986 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/11.2_dbg_san/sql/sql_parse.cc:1892
    #17 0x557f4b2fc8cd in do_command(THD*, bool) /data/11.2_dbg_san/sql/sql_parse.cc:1405
    #18 0x557f4bcd6577 in do_handle_one_connection(CONNECT*, bool) /data/11.2_dbg_san/sql/sql_connect.cc:1445
    #19 0x557f4bcd7a92 in handle_one_connection /data/11.2_dbg_san/sql/sql_connect.cc:1347
    #20 0x149a7da94b42 in start_thread nptl/pthread_create.c:442
    #21 0x149a7db269ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
 
0x634000020820 is located 32 bytes inside of 127008-byte region [0x634000020800,0x63400003f820)
freed by thread T34 here:
    #0 0x557f4a9a2017 in __interceptor_free (/test/UBASAN_MD030823-mariadb-11.2.0-linux-x86_64-dbg/bin/mariadbd+0x7b96017)
    #1 0x557f4f177e72 in my_free /data/11.2_dbg_san/mysys/my_malloc.c:217
    #2 0x557f4e1bfb4a in hp_free_level /data/11.2_dbg_san/storage/heap/hp_block.c:151
    #3 0x557f4e1bfd39 in hp_clear_keys /data/11.2_dbg_san/storage/heap/hp_clear.c:100
    #4 0x557f4e1c0384 in heap_disable_indexes /data/11.2_dbg_san/storage/heap/hp_clear.c:131
    #5 0x557f4e1a6879 in ha_heap::disable_indexes(unsigned int) /data/11.2_dbg_san/storage/heap/ha_heap.cc:527
    #6 0x557f4caf0a5e in handler::ha_disable_indexes(unsigned int) /data/11.2_dbg_san/sql/handler.cc:5373
    #7 0x557f4b9e7483 in select_unit_ext::disable_index_if_needed(st_select_lex*) /data/11.2_dbg_san/sql/sql_union.cc:486
    #8 0x557f4b9f1a9c in select_unit_ext::send_eof() /data/11.2_dbg_san/sql/sql_union.cc:773
    #9 0x557f4b6ec4a9 in do_select /data/11.2_dbg_san/sql/sql_select.cc:23010
    #10 0x557f4b6ec4a9 in JOIN::exec_inner() /data/11.2_dbg_san/sql/sql_select.cc:4935
    #11 0x557f4b6ed22c in JOIN::exec() /data/11.2_dbg_san/sql/sql_select.cc:4712
    #12 0x557f4ba06283 in st_select_lex_unit::exec_inner() /data/11.2_dbg_san/sql/sql_union.cc:2389
    #13 0x557f4ba0ac0b in st_select_lex_unit::exec() /data/11.2_dbg_san/sql/sql_union.cc:2292
    #14 0x557f4ba2441b in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long long) /data/11.2_dbg_san/sql/sql_union.cc:45
    #15 0x557f4b6df0bf in handle_select(THD*, LEX*, select_result*, unsigned long long) /data/11.2_dbg_san/sql/sql_select.cc:618
    #16 0x557f4b2531a8 in execute_sqlcom_select /data/11.2_dbg_san/sql/sql_parse.cc:6056
    #17 0x557f4b2b3bca in mysql_execute_command(THD*, bool) /data/11.2_dbg_san/sql/sql_parse.cc:3944
    #18 0x557f4b2dec10 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/11.2_dbg_san/sql/sql_parse.cc:7800
    #19 0x557f4b2ee986 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/11.2_dbg_san/sql/sql_parse.cc:1892
    #20 0x557f4b2fc8cd in do_command(THD*, bool) /data/11.2_dbg_san/sql/sql_parse.cc:1405
    #21 0x557f4bcd6577 in do_handle_one_connection(CONNECT*, bool) /data/11.2_dbg_san/sql/sql_connect.cc:1445
    #22 0x557f4bcd7a92 in handle_one_connection /data/11.2_dbg_san/sql/sql_connect.cc:1347
    #23 0x149a7da94b42 in start_thread nptl/pthread_create.c:442
 
previously allocated by thread T34 here:
    #0 0x557f4a9a2367 in __interceptor_malloc (/test/UBASAN_MD030823-mariadb-11.2.0-linux-x86_64-dbg/bin/mariadbd+0x7b96367)
    #1 0x557f4f177af8 in my_malloc /data/11.2_dbg_san/mysys/my_malloc.c:89
    #2 0x557f4e1bf1a0 in hp_get_new_block /data/11.2_dbg_san/storage/heap/hp_block.c:81
    #3 0x557f4e1bdb76 in hp_find_free_hash /data/11.2_dbg_san/storage/heap/hp_write.c:409
    #4 0x557f4e1bdb76 in hp_write_key /data/11.2_dbg_san/storage/heap/hp_write.c:212
    #5 0x557f4e1bc776 in heap_write /data/11.2_dbg_san/storage/heap/hp_write.c:52
    #6 0x557f4e19bbc9 in ha_heap::write_row(unsigned char const*) /data/11.2_dbg_san/storage/heap/ha_heap.cc:298
    #7 0x557f4b70bde8 in handler::ha_write_tmp_row(unsigned char*) /data/11.2_dbg_san/sql/sql_class.h:7531
    #8 0x557f4b9e6326 in select_unit::write_record() /data/11.2_dbg_san/sql/sql_union.cc:416
    #9 0x557f4b9eef43 in select_unit_ext::send_data(List<Item>&) /data/11.2_dbg_san/sql/sql_union.cc:661
    #10 0x557f4b61b860 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /data/11.2_dbg_san/sql/sql_class.h:5762
    #11 0x557f4b61b860 in end_send /data/11.2_dbg_san/sql/sql_select.cc:24704
    #12 0x557f4b46f28a in evaluate_join_record /data/11.2_dbg_san/sql/sql_select.cc:23671
    #13 0x557f4b53b03b in sub_select(JOIN*, st_join_table*, bool) /data/11.2_dbg_san/sql/sql_select.cc:23438
    #14 0x557f4b6ebae4 in do_select /data/11.2_dbg_san/sql/sql_select.cc:22955
    #15 0x557f4b6ebae4 in JOIN::exec_inner() /data/11.2_dbg_san/sql/sql_select.cc:4935
    #16 0x557f4b6ed22c in JOIN::exec() /data/11.2_dbg_san/sql/sql_select.cc:4712
    #17 0x557f4ba06283 in st_select_lex_unit::exec_inner() /data/11.2_dbg_san/sql/sql_union.cc:2389
    #18 0x557f4ba0ac0b in st_select_lex_unit::exec() /data/11.2_dbg_san/sql/sql_union.cc:2292
    #19 0x557f4ba2441b in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long long) /data/11.2_dbg_san/sql/sql_union.cc:45
    #20 0x557f4b6df0bf in handle_select(THD*, LEX*, select_result*, unsigned long long) /data/11.2_dbg_san/sql/sql_select.cc:618
    #21 0x557f4b2531a8 in execute_sqlcom_select /data/11.2_dbg_san/sql/sql_parse.cc:6056
    #22 0x557f4b2b3bca in mysql_execute_command(THD*, bool) /data/11.2_dbg_san/sql/sql_parse.cc:3944
    #23 0x557f4b2dec10 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/11.2_dbg_san/sql/sql_parse.cc:7800
    #24 0x557f4b2ee986 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/11.2_dbg_san/sql/sql_parse.cc:1892
    #25 0x557f4b2fc8cd in do_command(THD*, bool) /data/11.2_dbg_san/sql/sql_parse.cc:1405
    #26 0x557f4bcd6577 in do_handle_one_connection(CONNECT*, bool) /data/11.2_dbg_san/sql/sql_connect.cc:1445
    #27 0x557f4bcd7a92 in handle_one_connection /data/11.2_dbg_san/sql/sql_connect.cc:1347
    #28 0x149a7da94b42 in start_thread nptl/pthread_create.c:442
 
Thread T34 created by T0 here:
    #0 0x557f4a946185 in __interceptor_pthread_create (/test/UBASAN_MD030823-mariadb-11.2.0-linux-x86_64-dbg/bin/mariadbd+0x7b3a185)
    #1 0x557f4a9fac4e in create_thread_to_handle_connection(CONNECT*) /data/11.2_dbg_san/sql/mysqld.cc:6169
    #2 0x557f4aa0c40f in create_new_thread(CONNECT*) /data/11.2_dbg_san/sql/mysqld.cc:6231
    #3 0x557f4aa0cc8f in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/11.2_dbg_san/sql/mysqld.cc:6293
    #4 0x557f4aa0dcd6 in handle_connections_sockets() /data/11.2_dbg_san/sql/mysqld.cc:6417
    #5 0x557f4aa127e9 in mysqld_main(int, char**) /data/11.2_dbg_san/sql/mysqld.cc:6064
    #6 0x557f4a9e7f0a in main /data/11.2_dbg_san/sql/main.cc:34
    #7 0x149a7da29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
 
SUMMARY: AddressSanitizer: heap-use-after-free /data/11.2_dbg_san/storage/heap/ha_heap.cc:872 in ha_heap::find_unique_row(unsigned char*, unsigned int)
Shadow bytes around the buggy address:
  0x0c687fffc0b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c687fffc0c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c687fffc0d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c687fffc0e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c687fffc0f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c687fffc100: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
  0x0c687fffc110: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c687fffc120: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c687fffc130: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c687fffc140: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c687fffc150: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==222536==ABORTING
230809 13:08:18 [ERROR] mysqld got signal 6 ;

Stack/UniqueID summaries (opt first/dbg second):

ASAN|heap-use-after-free|storage/heap/ha_heap.cc|ha_heap::find_unique_row|select_unit_ext::send_data|select_result_sink::send_data_with_check|select_result_sink::send_data_with_check
ASAN|heap-use-after-free|storage/heap/ha_heap.cc|ha_heap::find_unique_row|select_unit_ext::send_data|select_result_sink::send_data_with_check|end_send

Comment by Alice Sherepa [ 2023-10-04 ]

Test from MDEV-32328:

SELECT ( SELECT 1 UNION SELECT 1.000000 UNION ALL SELECT 1 EXCEPT ALL SELECT 1 EXCEPT ALL SELECT 1 UNION ALL SELECT 1 UNION ALL SELECT 1 ) ;

Server version: 11.2.2-MariaDB-debug-log source revision: daca468c682ede3b423359b4d835dcbe3d6251a8
 
asan/asan_report.cc:185(__asan::ScopedInErrorReport::~ScopedInErrorReport())[0x7fc9f215d52c]
asan/asan_report.cc:462(__asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool))[0x7fc9f215cfa3]
asan/asan_rtl.cc:119(__asan_report_load8)[0x7fc9f215ddeb]
heap/ha_heap.cc:872(ha_heap::find_unique_row(unsigned char*, unsigned int))[0x55dd6a88ad6f]
sql/sql_union.cc:676(select_unit_ext::send_data(List<Item>&))[0x55dd698e50a5]
sql/sql_class.h:5794(select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long))[0x55dd69781323]
sql/sql_select.cc:4807(JOIN::exec_inner())[0x55dd696a7a75]
sql/sql_select.cc:4720(JOIN::exec())[0x55dd696a6568]
sql/sql_union.cc:2389(st_select_lex_unit::exec_inner())[0x55dd698f4f93]
sql/sql_union.cc:2292(st_select_lex_unit::exec())[0x55dd698f3a07]
sql/item_subselect.cc:4187(subselect_union_engine::exec())[0x55dd6a19a7eb]
sql/item_subselect.cc:812(Item_subselect::exec())[0x55dd6a175491]
sql/item_subselect.cc:1484(Item_singlerow_subselect::val_str(String*))[0x55dd6a17b91d]
sql/sql_type.cc:7448(Type_handler::Item_send_str(Item*, Protocol*, st_value*) const)[0x55dd69c90480]
sql/sql_type.h:4967(Type_handler_decimal_result::Item_send(Item*, Protocol*, st_value*) const)[0x55dd69a11800]
sql/item.h:1239(Item::send(Protocol*, st_value*))[0x55dd691e62a8]
sql/protocol.cc:1332(Protocol::send_result_set_row(List<Item>*))[0x55dd692a6263]
sql/sql_class.cc:3129(select_send::send_data(List<Item>&))[0x55dd6944a7f0]
sql/sql_class.h:5794(select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long))[0x55dd69781323]
sql/sql_select.cc:4807(JOIN::exec_inner())[0x55dd696a7a75]
sql/sql_select.cc:4720(JOIN::exec())[0x55dd696a6568]
sql/sql_select.cc:5251(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55dd696aad73]
sql/sql_select.cc:628(handle_select(THD*, LEX*, select_result*, unsigned long long))[0x55dd6967a21a]
sql/sql_parse.cc:6064(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55dd6959c001]
sql/sql_parse.cc:3955(mysql_execute_command(THD*, bool))[0x55dd6958cc53]
sql/sql_parse.cc:7810(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x55dd695a6e7f]
sql/sql_parse.cc:1895(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x55dd6957f226]
sql/sql_parse.cc:1406(do_command(THD*, bool))[0x55dd6957bf70]
sql/sql_connect.cc:1445(do_handle_one_connection(CONNECT*, bool))[0x55dd69a5abb1]
sql/sql_connect.cc:1349(handle_one_connection)[0x55dd69a5a50e]
perfschema/pfs.cc:2203(pfs_spawn_thread)[0x55dd6a6c88f0]
nptl/pthread_create.c:478(start_thread)[0x7fc9f1bc6609]
 
Query (0x6290001092a8): SELECT ( SELECT 1 UNION SELECT 1.000000 UNION ALL SELECT 1 EXCEPT ALL SELECT 1 EXCEPT ALL SELECT 1 UNION ALL SELECT 1 UNION ALL SELECT 1 )

Version: '10.6.14-MariaDB'  
231004 13:32:56 [ERROR] mysqld got signal 11 ;
 
Server version: 10.6.14-MariaDB source revision: c93754d45e5d9379e3e23d7ada1d5f21d2711f66
 
sigaction.c:0(__restore_rt)[0x7f6cbff25420]
heap/hp_write.c:143(next_free_record_pos)[0x55a51ed1eacb]
heap/ha_heap.cc:240(ha_heap::write_row(unsigned char const*))[0x55a51ed19f6c]
sql/sql_class.h:7466(handler::ha_write_tmp_row(unsigned char*))[0x55a51e84ff2f]
sql/sql_union.cc:418(select_unit::write_record())[0x55a51e8949d0]
sql/sql_union.cc:665(select_unit_ext::send_data(List<Item>&))[0x55a51e8953cd]
sql/sql_select.cc:4675(JOIN::exec_inner())[0x55a51e84d499]
sql/sql_select.cc:4591(JOIN::exec())[0x55a51e84da73]
sql/sql_union.cc:2249(st_select_lex_unit::exec())[0x55a51e89762c]
sql/item_subselect.cc:4124(subselect_union_engine::exec())[0x55a51eacfdce]
sql/item_subselect.cc:816(Item_subselect::exec())[0x55a51eacf60a]
sql/item_subselect.cc:1477(Item_singlerow_subselect::val_str(String*))[0x55a51ead024f]
sql/sql_type.cc:7457(Type_handler::Item_send_str(Item*, Protocol*, st_value*) const)[0x55a51e967f14]
sql/protocol.cc:1328(Protocol::send_result_set_row(List<Item>*))[0x55a51e72945d]
sql/sql_class.cc:3120(select_send::send_data(List<Item>&))[0x55a51e79bb12]
sql/sql_select.cc:4675(JOIN::exec_inner())[0x55a51e84d499]
sql/sql_select.cc:4591(JOIN::exec())[0x55a51e84da73]
sql/sql_select.cc:5071(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55a51e84bbfe]
sql/sql_select.cc:571(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55a51e84c464]
sql/sql_parse.cc:6274(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55a51e6a0069]
sql/sql_parse.cc:3949(mysql_execute_command(THD*, bool))[0x55a51e7ecb53]
sql/sql_parse.cc:8037(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x55a51e7eeefb]
sql/sql_parse.cc:1955(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x55a51e7f1338]
sql/sql_parse.cc:1411(do_command(THD*, bool))[0x55a51e7f2863]
sql/sql_connect.cc:1416(do_handle_one_connection(CONNECT*, bool))[0x55a51e8eb387]
sql/sql_connect.cc:1324(handle_one_connection)[0x55a51e8eb624]
perfschema/pfs.cc:2204(pfs_spawn_thread)[0x55a51ec87f3c]
nptl/pthread_create.c:478(start_thread)[0x7f6cbff19609]
 
Query (0x7f6c6c010b80): SELECT ( SELECT 1 UNION SELECT 1.000000 UNION ALL SELECT 1 EXCEPT ALL SELECT 1 EXCEPT ALL SELECT 1 UNION ALL SELECT 1 UNION ALL SELECT 1 )

Comment by Alice Sherepa [ 2023-10-09 ]

Test from MDEV-32325:

SELECT 28 UNION SELECT 3 UNION SELECT 1 UNION ALL SELECT 1 UNION ALL SELECT 1 EXCEPT ALL SELECT 1 ;

2023-10-09 16:30:01 0 [Note] Starting MariaDB 11.2.2-MariaDB-debug-log source revision 872ed5342d8f1ec02f8f8a7a25a606e4ff512234 as process 340455
 
Version: '11.2.2-MariaDB-debug-log'  
=================================================================
==340455==ERROR: AddressSanitizer: heap-use-after-free on address 0x6310000b48f0 at pc 0x5569899c6ba1 bp 0x7eff8cce5ba0 sp 0x7eff8cce5b90
READ of size 8 at 0x6310000b48f0 thread T11
    #0 0x5569899c6ba0 in ha_heap::find_unique_row(unsigned char*, unsigned int) /11.2/src/storage/heap/ha_heap.cc:872
    #1 0x556988a20f04 in select_unit_ext::send_data(List<Item>&) /11.2/src/sql/sql_union.cc:676
    #2 0x5569888bd25a in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /11.2/src/sql/sql_class.h:5794
    #3 0x5569887e39ac in JOIN::exec_inner() /11.2/src/sql/sql_select.cc:4809
    #4 0x5569887e249f in JOIN::exec() /11.2/src/sql/sql_select.cc:4720
    #5 0x556988a30df2 in st_select_lex_unit::exec_inner() /11.2/src/sql/sql_union.cc:2389
    #6 0x556988a2f866 in st_select_lex_unit::exec() /11.2/src/sql/sql_union.cc:2292
    #7 0x556988a1b499 in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long long) /11.2/src/sql/sql_union.cc:45
    #8 0x5569887b5e6f in handle_select(THD*, LEX*, select_result*, unsigned long long) /11.2/src/sql/sql_select.cc:618
    #9 0x5569886d7f38 in execute_sqlcom_select /11.2/src/sql/sql_parse.cc:6064
    #10 0x5569886c8b8a in mysql_execute_command(THD*, bool) /11.2/src/sql/sql_parse.cc:3955
    #11 0x5569886e2db6 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /11.2/src/sql/sql_parse.cc:7810
    #12 0x5569886bb15d in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /11.2/src/sql/sql_parse.cc:1893
    #13 0x5569886b7ea7 in do_command(THD*, bool) /11.2/src/sql/sql_parse.cc:1406
    #14 0x556988b968f8 in do_handle_one_connection(CONNECT*, bool) /11.2/src/sql/sql_connect.cc:1445
    #15 0x556988b96255 in handle_one_connection /11.2/src/sql/sql_connect.cc:1347
    #16 0x556989804721 in pfs_spawn_thread /11.2/src/storage/perfschema/pfs.cc:2201
    #17 0x7eff9bd71608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
    #18 0x7eff9b942132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
 
0x6310000b48f0 is located 240 bytes inside of 78764-byte region [0x6310000b4800,0x6310000c7bac)
freed by thread T11 here:
    #0 0x7eff9c2fe40f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
    #1 0x55698a446d30 in free_memory /11.2/src/mysys/safemalloc.c:297
    #2 0x55698a44616d in sf_free /11.2/src/mysys/safemalloc.c:203
    #3 0x55698a413c25 in my_free /11.2/src/mysys/my_malloc.c:217
    #4 0x5569899dd4a7 in hp_free_level /11.2/src/storage/heap/hp_block.c:151
    #5 0x5569899ddc13 in hp_clear_keys /11.2/src/storage/heap/hp_clear.c:100
    #6 0x5569899ddeb5 in heap_disable_indexes /11.2/src/storage/heap/hp_clear.c:131
    #7 0x5569899c3b96 in ha_heap::disable_indexes(unsigned int) /11.2/src/storage/heap/ha_heap.cc:527
    #8 0x55698904a4df in handler::ha_disable_indexes(unsigned int) /11.2/src/sql/handler.cc:5384
    #9 0x556988a1f601 in select_unit_ext::disable_index_if_needed(st_select_lex*) /11.2/src/sql/sql_union.cc:486
    #10 0x556988a21f58 in select_unit_ext::send_eof() /11.2/src/sql/sql_union.cc:773
    #11 0x5569887e3c10 in JOIN::exec_inner() /11.2/src/sql/sql_select.cc:4820
    #12 0x5569887e249f in JOIN::exec() /11.2/src/sql/sql_select.cc:4720
    #13 0x556988a30df2 in st_select_lex_unit::exec_inner() /11.2/src/sql/sql_union.cc:2389
    #14 0x556988a2f866 in st_select_lex_unit::exec() /11.2/src/sql/sql_union.cc:2292
    #15 0x556988a1b499 in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long long) /11.2/src/sql/sql_union.cc:45
    #16 0x5569887b5e6f in handle_select(THD*, LEX*, select_result*, unsigned long long) /11.2/src/sql/sql_select.cc:618
    #17 0x5569886d7f38 in execute_sqlcom_select /11.2/src/sql/sql_parse.cc:6064
    #18 0x5569886c8b8a in mysql_execute_command(THD*, bool) /11.2/src/sql/sql_parse.cc:3955
    #19 0x5569886e2db6 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /11.2/src/sql/sql_parse.cc:7810
    #20 0x5569886bb15d in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /11.2/src/sql/sql_parse.cc:1893
    #21 0x5569886b7ea7 in do_command(THD*, bool) /11.2/src/sql/sql_parse.cc:1406
    #22 0x556988b968f8 in do_handle_one_connection(CONNECT*, bool) /11.2/src/sql/sql_connect.cc:1445
    #23 0x556988b96255 in handle_one_connection /11.2/src/sql/sql_connect.cc:1347
    #24 0x556989804721 in pfs_spawn_thread /11.2/src/storage/perfschema/pfs.cc:2201
    #25 0x7eff9bd71608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
 
previously allocated by thread T11 here:
    #0 0x7eff9c2fe808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x55698a445b21 in sf_malloc /11.2/src/mysys/safemalloc.c:126
    #2 0x55698a412d72 in my_malloc /11.2/src/mysys/my_malloc.c:89
    #3 0x5569899dcdf5 in hp_get_new_block /11.2/src/storage/heap/hp_block.c:81
    #4 0x5569899dc4cc in hp_find_free_hash /11.2/src/storage/heap/hp_write.c:409
    #5 0x5569899db442 in hp_write_key /11.2/src/storage/heap/hp_write.c:212
    #6 0x5569899d9cb3 in heap_write /11.2/src/storage/heap/hp_write.c:52
    #7 0x5569899c1e6c in ha_heap::write_row(unsigned char const*) /11.2/src/storage/heap/ha_heap.cc:298
    #8 0x5569888bdd00 in handler::ha_write_tmp_row(unsigned char*) /11.2/src/sql/sql_class.h:7563
    #9 0x556988a1ee37 in select_unit::write_record() /11.2/src/sql/sql_union.cc:416
    #10 0x556988a20b42 in select_unit_ext::send_data(List<Item>&) /11.2/src/sql/sql_union.cc:661
    #11 0x5569888bd25a in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /11.2/src/sql/sql_class.h:5794
    #12 0x5569887e39ac in JOIN::exec_inner() /11.2/src/sql/sql_select.cc:4809
    #13 0x5569887e249f in JOIN::exec() /11.2/src/sql/sql_select.cc:4720
    #14 0x556988a30df2 in st_select_lex_unit::exec_inner() /11.2/src/sql/sql_union.cc:2389
    #15 0x556988a2f866 in st_select_lex_unit::exec() /11.2/src/sql/sql_union.cc:2292
    #16 0x556988a1b499 in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long long) /11.2/src/sql/sql_union.cc:45
    #17 0x5569887b5e6f in handle_select(THD*, LEX*, select_result*, unsigned long long) /11.2/src/sql/sql_select.cc:618
    #18 0x5569886d7f38 in execute_sqlcom_select /11.2/src/sql/sql_parse.cc:6064
    #19 0x5569886c8b8a in mysql_execute_command(THD*, bool) /11.2/src/sql/sql_parse.cc:3955
    #20 0x5569886e2db6 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /11.2/src/sql/sql_parse.cc:7810
    #21 0x5569886bb15d in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /11.2/src/sql/sql_parse.cc:1893
    #22 0x5569886b7ea7 in do_command(THD*, bool) /11.2/src/sql/sql_parse.cc:1406
    #23 0x556988b968f8 in do_handle_one_connection(CONNECT*, bool) /11.2/src/sql/sql_connect.cc:1445
    #24 0x556988b96255 in handle_one_connection /11.2/src/sql/sql_connect.cc:1347
    #25 0x556989804721 in pfs_spawn_thread /11.2/src/storage/perfschema/pfs.cc:2201
    #26 0x7eff9bd71608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
 
Thread T11 created by T0 here:
    #0 0x7eff9c22b815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
    #1 0x5569898002fe in my_thread_create /11.2/src/storage/perfschema/my_thread.h:52
    #2 0x556989804b14 in pfs_spawn_thread_v1 /11.2/src/storage/perfschema/pfs.cc:2252
    #3 0x5569882f8019 in inline_mysql_thread_create /11.2/src/include/mysql/psi/mysql_thread.h:1139
    #4 0x556988310aa5 in create_thread_to_handle_connection(CONNECT*) /11.2/src/sql/mysqld.cc:6169
    #5 0x556988311135 in create_new_thread(CONNECT*) /11.2/src/sql/mysqld.cc:6231
    #6 0x5569883114a2 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /11.2/src/sql/mysqld.cc:6293
    #7 0x556988311e98 in handle_connections_sockets() /11.2/src/sql/mysqld.cc:6417
    #8 0x5569883102b2 in mysqld_main(int, char**) /11.2/src/sql/mysqld.cc:6064
    #9 0x5569882f70cc in main /11.2/src/sql/main.cc:34
    #10 0x7eff9b847082 in __libc_start_main ../csu/libc-start.c:308
 
SUMMARY: AddressSanitizer: heap-use-after-free /11.2/src/storage/heap/ha_heap.cc:872 in ha_heap::find_unique_row(unsigned char*, unsigned int)
Shadow bytes around the buggy address:
  0x0c628000e8c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c628000e8d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c628000e8e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c628000e8f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c628000e900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c628000e910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
  0x0c628000e920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c628000e930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c628000e940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c628000e950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c628000e960: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==340455==ABORTING

From MDEV-32330:

SELECT ( SELECT ( CASE WHEN 1 THEN 'x' END + 1 ) INTERSECT SELECT 1 UNION ALL SELECT 1 EXCEPT ALL SELECT 1 ) ;

Generated at Thu Feb 08 09:35:35 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.